Skip to main content
Version: MVP

Robust MVP Roadmap

8 min readFor maintainersUpdated 2026-05-19

What's in this doc

The release-readiness work that must land for 0.x.0 to ship as a "robust MVP" rather than a contract-only shell. Tracking issues are linked in each section so progress is verifiable against GitHub.

0.x.0, not 1.0.0.

1.0.0 remains a later stability signal after real-world usage, compatibility confidence, and security soak. The MVP must still include the readiness work that affects trust, release hygiene, documentation accuracy, provider support, and package publication.

MVP definition

The MVP is complete when Craik can run one real software-delivery workflow end-to-end with OIDC-authenticated operators · typed credential profiles · OpenAI, Anthropic, and Gemini provider support · policy-enforced side effects · durable receipts that name both operator and credential identity · a useful handoff · accurate documentation · package-release quality gates.

The accepted proof workflow remains Stigmem documentation and state reconciliation. It must run from a clean install, assemble a case file, use a certified provider path authorized by a credential profile, record receipts, produce a handoff, and leave memory updates or proposals with evidence.

Status classes

Class
Meaning
What ships
end-to-end
workflow
Implemented as a user-facing workflow with persistence, docs, tests, and CI coverage.
contract/helper
scaffolding
Implemented as models, evaluators, formatters, or fixtures — not as an operational workflow.
docs-only
strategy
Documented as a product decision or strategy.
deferred
post-MVP
Intentionally outside the first MVP.

Execution checklist

0. Roadmap reset and status truth

Tracking issue: #298.

  • Replace stale pre-0.1.0 language in public docs.
  • State that the first release is 0.x.0.
  • Add a surface status matrix.
  • Convert the release-readiness list into MVP and post-MVP buckets.

1. Docusaurus docs platform

Tracking issue: #299.

  • Add a Docusaurus site.
  • Mirror Stigmem's Learn / Build / Operate / Secure IA.
  • Add local search, Mermaid support, code blocks, redirects, broken-link enforcement.
  • Add generated CLI/reference docs.
  • Add docs build CI and publish-ready Pages workflow.

2. Release and package foundation

Tracking issue: #297.

  • Define 0.x.0 release cadence and tag policy.
  • Add version consistency checks.
  • Add package build verification.
  • Add PyPI publish workflow with protected environment.
  • Add changelog and release-note workflow.
  • Add security release process.

3. CI/CD parity with Stigmem

Tracking issue: #300.

  • Split CI into path-filtered jobs.
  • Add lint, type, unit, contract, docs, security, and package jobs.
  • Add coverage baseline and ratchet.
  • Add changed-file strictness checks.
  • Add conformance suites.
  • Add nightly reliability workflow.
  • Upload test, docs, coverage, and conformance artifacts.

4. Persistent state migrations

Tracking issue: #303.

  • Add local-store schema versioning.
  • Add forward migrations.
  • Add fixture databases for previous schema versions.
  • Add migration compatibility tests.
  • Add migration failure and recovery docs.

5. Provider runtime: OpenAI, Anthropic, and Gemini

Tracking issue: #304.

  • Add provider abstraction for chat, streaming, tool calls, structured output, retries, errors, and usage metadata.
  • Implement OpenAI provider adapter.
  • Implement Anthropic provider adapter.
  • Implement Gemini provider adapter.
  • Store API access through typed credential profiles, credential pools, and secret references — not raw keys.
  • Add provider receipts and redaction behavior.
  • Add certification fixtures and tests for certified providers.
  • Verify official provider docs before implementation work that depends on live API behavior.

5A. Authentication, credentials, and operator identity

Tracking issue: #464.

  • Add OIDC operator login with device-code flow and persisted sessions.
  • Add craik login, craik logout, craik whoami.
  • Add typed auth profiles with <provider_family>:<name> IDs.
  • Add credential sources: env-var API keys · local-CLI OAuth fallback · vendor CLI bridge · secret references · Stigmem-backed references · marker identity.
  • Add credential pool rotation, failover, and health tracking.
  • Add workload-identity providers and RFC 8693 token exchange.
  • Add craik auth list / add / remove / test / status / approve / grant.
  • Add credential health to craik doctor.
  • Add credential-scoped and operator-scoped receipt fields.
  • Add policy-bound operator and credential constraints.
  • Add approval-gated first live credential use.
  • Add credential expiry as case-file evidence and per-credential redaction.

6. One complete MVP runner path

Tracking issue: #302.

  • Connect case-file assembly to prompt compilation.
  • Execute one provider-backed run loop.
  • Persist normalized runner outputs.
  • Create receipts for side effects and provider calls.
  • Produce durable handoffs on completion, block, failure, and interruption.
  • Add OpenAI, Anthropic, and Gemini parity checks for the MVP task path.

7. Policy-enforced side effects

Tracking issue: #301.

  • Add shell-execution wrapper with grants and receipts.
  • Add file-write wrapper with immutable-path protection.
  • Add policy-gated Stigmem write wrapper.
  • Add guarded GitHub writes if required by the MVP proof workflow.
  • Add denial receipts for blocked side effects.
  • Add redaction regression tests for all side-effect receipts.

8. Stigmem and memory hardening

Tracking issue: #305.

  • Load Stigmem facts into case files.
  • Load recent handoffs into case files.
  • Load local contradiction reports into case files.
  • Add direct granted Stigmem writes.
  • Keep proposals as the default unprivileged path.
  • Add memory hygiene workflow.
  • Preserve provenance and source-attestation metadata.

9. Public/internal boundary and provenance docs

Tracking issue: #306.

  • Add public/internal boundary classifier.
  • Add provenance-aware documentation workflow.
  • Add generated-doc evidence links.
  • Add stale-documentation detection.
  • Add work-product classification.
  • Add decision-record suggestions.
  • Add CI checks preventing public docs from exposing secrets, private paths, or private task names.

10. MVP demo and acceptance workflow

Tracking issue: #308.

  • Build the Stigmem docs reconciliation demo as the release acceptance path.
  • Include OIDC operator authentication and provider credential profile setup in the accepted workflow.
  • Support OpenAI and Anthropic provider execution for the demo.
  • Produce case file, receipts, handoff, memory proposal/write, and graph export.
  • Add quickstart smoke CI.
  • Add Docusaurus tutorial that mirrors the executable demo exactly.

11. Hardening and failure modes

Tracking issue: #307.

  • Document limits and failure modes.
  • Add adversarial prompt-injection tests.
  • Add secret-leakage tests.
  • Add bad tool-call and policy-bypass tests.
  • Add timeout, retry, and budget tests.
  • Add contract-conformance tests for persisted payloads.

12. Post-MVP deferrals

Tracking issue: #309.

  • Mark hosted gateway dispatch and broad channel adapters as post-MVP.
  • Mark full TUI/dashboard as post-MVP.
  • Mark additional live runner adapters as post-MVP.
  • Mark companion/mobile/visual surfaces as post-MVP.
  • Mark broad marketplace/community ecosystem as post-MVP.
  • Keep contract/helper docs honest for deferred surfaces.

Eighteen readiness capabilities

These capabilities are addressed by the MVP roadmap rather than deferred to a first 1.0.0 release.

01 · Stable core schemas

02 · Persisted state migrations

03 · SemVer release process

04 · Package publication

05 · Security release process

06 · Generated CLI/reference docs

07 · Production-quality Stigmem integration

08 · Documented limits and failure modes

09 · Runnable demo

10 · Community contribution path

11 · ≥1 complete runner adapter end-to-end

12 · Policy tests in CI

13 · Public/internal boundary classifier

14 · Provenance-aware documentation

15 · Memory hygiene workflow

16 · Work product classification

17 · Decision record suggestions

18 · Learning without self-trust

MVP acceptance criteria

The release ships when every criterion below holds.

  • A clean install can run the accepted demo.
  • The accepted demo includes operator authentication and provider credential profile setup.
  • OpenAI, Anthropic, and Gemini provider paths pass certification tests.
  • Provider receipts name both operator identity and credential identity.
  • Side effects are policy-gated and receipt-backed.
  • Redaction is applied before persistence and docs publication.
  • Local-store migrations are tested against fixture states.
  • Docusaurus docs build with no broken links.
  • CI includes lint, type, unit, docs, package, security, and conformance gates.
  • Package artifacts build and can be published through a protected workflow.
  • Known limitations are accurate and visible.

What's next

SnapshotRelease readiness · v0.2.0The concrete pass/fail checklist captured against the current main.Honest scopeLimitationsWhat's end-to-end today and what's scheduled for later milestones.ReadRoadmapThe broader trajectory after the MVP ships.