VaryOnVaryOn Docs
Program Roadmap

Ethira-Ready Engineering Roadmap

Canonical engineering roadmap for delivering VaryOn's three Ethira integration products.

Last updated Mar 4, 2026

Date: 2026-03-03 Owner: Ethira x VaryOn integration workstream Status: Canonical execution roadmap for product delivery and PM tracking

1. Purpose

Define the complete engineering roadmap to deliver three integration-grade products that Ethira can adopt immediately and scale to pilot/production without reworking core contracts.

Products in scope:

  1. AI Trust Registry (Provenance + Mandate + Meridian)
  2. Contract Assurance Monitor (Fidelity + Mandate + Meridian)
  3. Runtime Alignment Monitor (Drift + Fidelity + Mandate + Meridian)

2. Current Reality (What We Have Now)

2.1 Implemented assets

  • Drift scoring engine:
    • platform/scoring-engine/src/varyon_scoring/
  • Drift pattern library + validation:
    • platform/pattern-engine/src/varyon_patterns/
    • platform/pattern-engine/library/
  • Drift API data layer, models, and migrations:
    • products/drift/api/src/drift_api/db/
    • products/drift/api/alembic/versions/

2.2 Spec/scaffold assets

  • Framework specs (active source-of-truth):
    • docs/source-of-truth/frameworks/frameworks/data/meridian.md
    • docs/source-of-truth/frameworks/frameworks/agent/provenance.md
    • docs/source-of-truth/frameworks/frameworks/agent/fidelity.md
    • docs/source-of-truth/frameworks/frameworks/agent/mandate.md
    • docs/source-of-truth/frameworks/frameworks/agent/drift.md
  • Adapter product scaffold:
    • products/ethira-assurance-adapter/

2.3 Gaps to close

  • No running adapter API service yet.
  • No implemented production-grade Provenance/Fidelity/Mandate/Meridian services.
  • Lint/type/CI still need non-interactive stabilization for deterministic delivery.
  • Adapter contracts/events need hardening to Ethira workflow payloads.

3. Product Engineering Model

Build one shared Assurance Adapter platform with three product views.

3.1 Shared platform components

  1. Assurance Adapter API service (FastAPI)
  2. Scoring connector layer (framework-specific connectors)
  3. Evidence normalization pipeline
  4. Tenant-aware persistence layer
  5. Signed webhook dispatcher
  6. Integration fixtures and replay harness
  7. Operator runbooks and release checklist

3.2 Product surfaces

AI Trust Registry

  • APIs:
    • POST /v1/assets/score
    • POST /v1/agents/score
    • GET /v1/score/{framework}/{entity_id}
  • Outputs:
    • provenance_v0, mandate_v0, meridian_v0
    • confidence, evidence completeness, remediation hints
  • Primary consumers:
    • Ethira inventory/discovery flows (steps 1 and 2)

Contract Assurance Monitor

  • APIs:
    • POST /v1/contracts/obligations/score
  • Outputs:
    • fidelity_v0, mandate_v0, meridian_v0
    • obligation trend, breach risk, stake-weighted impact
  • Primary consumers:
    • Ethira contract controls (step 3)

Runtime Alignment Monitor

  • APIs/events:
    • POST /v1/runtime/analyze
    • score.updated, threshold.crossed, runtime.risk.elevated
  • Outputs:
    • drift (real path), fidelity_v0, mandate_v0, meridian_v0
    • runtime recommendation: allow|review|degrade|block
  • Primary consumers:
    • Ethira continuous oversight and enforcement path (step 4)

4. Infrastructure Blueprint (Ethira-Ready Minimum)

4.1 Runtime environments

  1. dev: local + deterministic fixtures
  2. staging: integration test with signed webhooks
  3. pilot-prod: controlled customer pilot

4.2 Required infrastructure services

  1. API runtime for adapter service (containerized)
  2. Postgres (tenant-isolated, RLS for drift-backed data paths)
  3. Redis/queue for async scoring and webhook retries
  4. Object storage for evidence payload snapshots
  5. Secrets management for webhook signing and credentials
  6. Centralized observability (logs, metrics, traces, alerts)
  7. CI/CD with contract checks and non-interactive quality gates

4.3 Security and compliance controls

  1. HMAC webhook signatures
  2. Idempotent event delivery keys
  3. Request validation and schema versioning
  4. Tenant context enforcement and audit trail continuity
  5. Explicit score provenance fields (source, confidence, version)

5. Roadmap Phases and Gates

Phase 0: Stabilize Delivery Baseline

Goal: deterministic build/lint/test paths and Drift correctness baseline.

Scope:

  • Foundation blockers (#8 #9 #10 #12)
  • Drift/pattern correctness (#16 #18 #19 #20)

Exit gate:

  1. Root build/typecheck/lint run non-interactively.
  2. Drift scoring path returns consistent shadow-principal outputs.
  3. Pattern validation resolves schema path deterministically.

Phase 1: Ethira Integration MVP (Adapter Core)

Goal: Ethira can integrate all three product APIs and receive stable events.

Scope:

  • Adapter scaffold and contracts (#38 #43)
  • Trust Registry API path (#39)
  • Runtime path + webhooks + fixtures (#40 #42 #44)
  • Contract Assurance endpoint (#41)

Exit gate:

  1. All target endpoints available with validated schemas.
  2. Webhooks signed and replay-safe.
  3. End-to-end demo scenarios reproducible from fixtures.
  4. Drift path used in runtime monitor endpoint.

Phase 2: Pilot Hardening

Goal: move from demo-grade to pilot-grade reliability.

Scope:

  • Regression hardening (#17 #21)
  • Drift API DB/tenant integrity (#22 #23 #24 #25)
  • Deployment alignment (#29)

Exit gate:

  1. Migration upgrade/downgrade checks in CI.
  2. Tenant context safety validated for critical paths.
  3. Pattern library validation artifact generated in CI.
  4. Cloudflare deployment path documented and repeatable.

Phase 3: Post-Pilot Expansion (Same 3 Products)

Goal: deepen quality/coverage without changing product portfolio.

Scope:

  • Later-track technical debt and compliance process automation (#6 #14 #15 #26 #27 #28)
  • Increase fidelity of spec-backed connectors toward framework-native implementations.

Exit gate:

  1. Governance and compliance workflows are automation-ready.
  2. Cross-team delivery process is enforceable through templates and PR policies.
  3. Product contracts remain backward-compatible.

6. Workstreams (Detailed)

WS1. Foundation and CI

  • Finalize root quality contract and CI command parity.
  • Remove interactive lint behavior in all automation paths.
  • Keep root TS scope limited to active build surfaces.

WS2. Adapter API Implementation

  • Create service app entrypoint and route groups.
  • Enforce request/response schemas and version tags.
  • Add standard error model and correlation IDs.

WS3. Scoring Connectors

  • Drift connector: real scoring engine integration.
  • Provenance/Fidelity/Mandate/Meridian connectors: deterministic v0 policy modules with confidence metadata.
  • Standard connector response shape across frameworks.

WS4. Evidence and Data Contracts

  • Canonical entities:
    • asset, agent, contract, obligation, evidence_event, score_snapshot, enforcement_action
  • Enforce mandatory identifiers:
    • tenant_id, entity_id, contract_id, obligation_id, control_id, event_id

WS5. Eventing and Webhooks

  • HMAC signature and replay protection.
  • Retry with backoff and dead-letter routing.
  • Event payload versioning policy.

WS6. Demo and Acceptance Harness

  • Deterministic fixture suite for 4 Ethira scenarios.
  • One-command replay to generate expected webhook/API outputs.
  • Attach expected responses to integration docs.

WS7. Observability and Operations

  • API latency/error dashboards.
  • Webhook delivery success/failure metrics.
  • Drift risk event volume and false-positive review queue metrics.

WS8. Security and Governance

  • Tenant isolation verification checks.
  • Audit continuity for score/event decisions.
  • Secrets rotation and signature-key lifecycle.

7. GitHub Roadmap Mapping

7.1 Active epics

  • #33 Ethira Integration Program
  • #34 AI Trust Registry
  • #35 Contract Assurance Monitor
  • #36 Runtime Alignment Monitor

7.2 Core delivery issues

  • Adapter/contracts: #38 #43
  • Trust Registry endpoint: #39
  • Contract Assurance endpoint: #41
  • Runtime path/events/fixtures: #40 #42 #44 #47

7.3 Completed scope-alignment housekeeping

  • Closed obsolete/stale issues: #11 #13 #30 #37
  • Closed empty later milestone for runtime enforcement

7.4 Added supporting tickets

  1. #45 Adapter auth and tenant enforcement middleware
  2. #46 Adapter persistence schema for assets/contracts/evidence snapshots
  3. #47 Integration replay CLI for fixtures and webhook validation
  4. #48 Operational SLO definitions and alert thresholds for adapter service
  5. #49 Remove hardcoded Drift DB credential fallback (secure env-only config)
  6. #50 Deterministic root typecheck without .next/types artifact coupling
  7. #24 Reprioritized to Month1 hardening for integration marker and DB harness

8. Product Readiness Criteria

AI Trust Registry ready when

  1. Inventory scoring works for both tools and agents.
  2. Every response includes score + confidence + remediation metadata.
  3. Ethira can rank inventory by risk without custom transforms.

Contract Assurance Monitor ready when

  1. Obligation scoring is stable with canonical identifiers.
  2. Trend and breach metadata are emitted consistently.
  3. Evidence quality context is attached to decisions.

Runtime Alignment Monitor ready when

  1. Drift runtime analyze path is live.
  2. Risk events are signed and consumable by Ethira.
  3. Human-review path exists before hard-block actions.

9. Immediate Next Development Path

Execute in this order:

  1. Finish Phase 0 blockers (#8 #9 #10 #12 #49 #50 #45 #46 #16 #18 #19 #20).
  2. Implement adapter service skeleton and contracts (#38 #43).
  3. Deliver product APIs in sequence: #39 -> #41 -> #40.
  4. Complete eventing and fixtures (#42 #44 #47).
  5. Start Phase 2 hardening (#17 #21 #22 #23 #24 #25 #29 #48).

10. Non-Goals

  1. Building full framework-native services for all non-Drift frameworks before integration MVP.
  2. Adding new product families outside the three agreed products.
  3. Reintroducing threshold/runtime-enforcement as active delivery scope.