90-Day Scope (v0.1)

This document freezes scope for the first 90 days of work toward Opencomplai v0.1. It defines what is in scope, what is out of scope, and how changes are approved.

In scope for v0.1 (90 days)

  • packages/core — risk assessment engine with EU AI Act Article 6 / Annex III rules (keyword-based classifier in v0.1, upgraded to deterministic classifier in Phase 10)
  • packages/cli — all seven commands (init, validate-manifest, check, risk classify, verify-output stub, docs generate stub, sync metadata stub) with contractual exit codes 0–4
  • packages/sdk-python — assess() function and all PRD entity models
  • services/gateway-api — Node.js/TypeScript Fastify skeleton and health endpoint
  • services/risk-engine, evidence-vault, doc-generator, egress-proxy — Python FastAPI skeletons with health endpoints
  • infra/ — directory structure with placeholder files
  • GitHub Actions CI for all three stacks (Python, Node.js, Docker)
  • Mintlify documentation: Introduction, Quickstart, architecture overview
  • Security baseline: SECURITY.md, CODE_OF_CONDUCT.md, issue templates
  • Supply-chain groundwork: AGENT_ACTION_PLAN_P13-15.md Task 14 (full implementation Phase 14)
  • 11 Architecture Decision Records (ADRs 0000–0011)
  • Brand-compliant README, docs, and CLI output

Explicitly out of scope for v0.1 (with rationale)

| Item | Rationale |
|---|---|
| Docker Compose reference deployment (full) | Requires Phases 7–9 to implement — tracked in AGENT_ACTION_PLAN_P7-9.md |
| Merkle-linked Evidence Vault | Requires Phase 8 — architecture defined, implementation deferred |
| Gateway API routes (beyond health) | Requires Phase 9 — skeleton built, routes deferred |
| Deterministic Annex III classifier | Requires Phase 10 — keyword-based placeholder in v0.1 |
| Profiling detection and modification trap | Requires Phase 10 (REQ-RISK-002, REQ-RISK-003) |
| HITL state machine | Requires Phase 11 — Pydantic models defined, orchestration deferred |
| Annex IV dossier generation | Requires Phase 12 — CLI stub returns POLICY_BLOCK until Phase 12 |
| Egress proxy enforcement | Requires Phase 13 — CLI stub returns POLICY_BLOCK until Phase 13 |
| SBOM generation and image signing | Requires Phase 14 |
| OpenTelemetry instrumentation | Requires Phase 15 |
| SaaS premium dashboard | Planned for commercial phase C0–C1 post-seed |
| NIST AI RMF rule engine | Planned post-seed — architecture must not preclude it |
| ISO/IEC Standards rule engine | Planned post-seed — architecture must not preclude it |
| Enterprise RBAC and SSO | Planned for commercial phase C1 |
| TypeScript/JavaScript SDK | Planned post-seed |
| Kubernetes distribution | Planned for enterprise commercial phase |

Change control

Any addition to the in-scope list requires a written proposal with:

  • Proposed change
  • Value and risk
  • Cost estimate (engineering days)
  • Impacted milestones

Proposals go in docs/change-requests/ and must be approved by both product and technical owners before work begins.