Roadmap

5-stage AI Repair pipeline

Context → Generate → Sandbox → Rescan → PR. 95% fix rate, ~10s avg.

CycloneDX / SPDX / VEX SBOM export

EU CRA Annex VII PDF report

Auto-patching at scale + policy + CI webhook

org-level policy engine + GitHub webhook trigger

Chaos test harness (Toxiproxy)

Network fault injection for pipeline resilience

Reachability v2 — 25 languages (tree-sitter)

Precise call-site tracking. P=R=F1=1.00 on 97-case real-world benchmark.

Lockfile-only dep-upgrade fast path

Sandbox skip for network-free environments

Exemplar corpus 11,500+ GHSA patches

10k GHSA advisory-database + 1,500 curated

RQ worker — 15 queues

high/default/low + 10 lane-specific + scheduler

C/C++ curated symbol DB (100 libs, 2,498 symbols)

zlib, openssl, libcurl, brotli, libuv, libpq, etc.

R curated symbol DB (55 CRAN, 1,162 symbols)

ggplot2, dplyr, shiny, caret, xgboost, etc.

Vendored C/C++ header dynamic parse

tree-sitter function_declarator extraction from .h files

10 Security Lanes

CVE / Container / IaC / Secrets / SAST / Malicious Pkg / LLM Guard / ML-BOM / MCP Audit / Agent Supply Chain

LLM Guard — OWASP LLM Top 10 (17 rules)

SAST — 3,200+ rules (Semgrep + built-in)

Secrets — 1,000+ patterns (built-in + TruffleHog verified)

IaC — 1,065+ rules (Trivy/tfsec + built-in)

Malicious Package — 5 ecosystems, 41 signals, typosquat

ML-BOM (CycloneDX 1.6 mlModelInventory)

HuggingFace pickle scanner included

Row Level Security (PostgreSQL FORCE)

17 tenant tables, SET LOCAL app.current_org_id

Audit log tamper-proof hash chain

SHA256 per-row, /audit-logs/verify

Dependency confusion + typosquat detection

11,899 popular packages corpus across 8 ecosystems

Zero-day Radar (5 sources)

Huntr.dev, GHSA issues, arXiv cs.CR, OSV malicious, OSS-Fuzz

CVE feed sanitization + budget enforcement

backward/non-semver filter + org monthly cost cap

GitHub App + installation token flow

GitHub Checks API

PR status with confidence score

SCIM 2.0 provisioning (Okta / Azure AD)

RFC 7644 compliant

OpenTelemetry tracing + metrics

Outgoing webhook HMAC-SHA256 signing

Python SDK — patchguard-ai (PyPI)

pip install patchguard-ai. Sync + Async client.

CLI — patchops-cli (PyPI)

health, findings, benchmark, scan secrets, scan mlbom

VS Code extension (skeleton)

Helm air-gapped chart

Terraform 3-region active-active

Public benchmark leaderboard

7 vendors, 46 metrics, 29 features

Changelog + public roadmap pages

Stripe checkout + webhook scaffolding

Continuous Compliance docs (SOC2/FedRAMP/ISO27001 gap)

Red team checklist (20+ RT-* items)

VS Code extension wire-up

Backend 연동 + Marketplace 게시

Website rebuild — 25-language era

Landing / Guide / Roadmap / Quick Check modernization

Sandbox whitelist network mode

Allow egress to registry.npmjs.org, pypi.org only

SBOM diffing — 'this commit introduced X'

2FA TOTP / WebAuthn

License compliance (GPL/AGPL flagging + policy engine)

Attack Surface Visualizer

Org x dep x vuln graph

Security Posture Score

Org-level KPI dashboard

Threat Model auto-generation (STRIDE)

i18n (EN/KO/JA) + mobile responsive

Jira / Linear / ServiceNow sync

Slack interactive bot

Multi-region (us-east-1, eu-west-1, ap-northeast-2)

External pentest (Cure53 / Trail of Bits)

SOC 2 Type II auditor kickoff