Roadmap

Building the authorization layer for AI agents

Sanction is built in the open. Every item moves toward one goal: making autonomous agents governable, auditable, and safe to trust. You decide what comes next on the board below — shipped work shows up in the changelog.

Now

Adopt without flipping the switch

Shipped: **observe mode** runs the real decision engine on a live fleet and records exactly what it would have done — blocking nothing, moving no counters — so you watch a week of would-be denials and the dollars behind them on the Observe console, then flip each pool to enforce in one confirm-gated click, the revision chain marking when enforcement went live. The do-nothing on-ramp: adopt quietly, enforce when the numbers convince you.

Sanction Local: from runtime to install

Shipped: the air-gapped runtime (local models, fail-closed egress denial, every denied attempt in the audit trail) now has its install package — the **no-egress** policy pack (only on-box tools pass; cloud calls deny and persist) and the Audit console's signed, hash-chained evidence download an assessor verifies self-contained. Regulated practices first.

Distribution by channel

Compatibility badges, channel-shaped policy packs, and install paths for MCP hosts, coding agents, LLM gateways, agencies, and payment-agent pilots — each previewable against your real history before you apply it.

Governed in every runtime

One authorization plane, wherever the agent runs — MCP, the SDK's framework adapters (the tool executes behind the decision, shipped for TypeScript and the Vercel AI SDK), and Bedrock. Add Sanction in front of any tool server.

Tamper-evident audit exports

Shipped: the decision history exports as a signed, hash-chained document any recipient can verify self-contained — altering, dropping, or reordering a row names the broken link. Governance as cryptographic evidence.

Next

The published SDK + the Python side

@sanction/sdk is publish-ready (0.6.0, FSL, escalate-loop helpers) — run the publish-sdk workflow once the npm org is wired. Next: the adapters where Python agents live — a LiteLLM callback and LangChain/LangGraph + CrewAI bindings over the same core, each with a runnable example.

Sequential simulation, all the way down

Sequential replay shipped for per-agent budgets; next it threads pooled and subtree caps too, and the console's simulation preview grows an as-recorded vs sequential toggle.

Later

Audit chain anchors

Exports are tamper-evident today; anchoring each export's head to the next seals the history across time — evidence that outlives any single document.

Customer-managed keys + SOC 2

Bring-your-own encryption keys and the compliance attestations enterprises require.

Mandate authority (AP2 / x402)

Hold the mandate, not the rail — policy, consent, and audit in front of whichever agent-payment standard wins. First slice shipped: pay-per-crawl quotes (Cloudflare, x402-settled) governed as spend decisions via the SDK’s sanctionedFetch. Next: settlement reconciliation (crawler-charged receipts vs decisions) and mandate scopes.

You decide what's next

Submit a feature idea and upvote the ones you want most. The board is curated — we review submissions, then move them from under consideration to shipped as they land.

Have an idea?

Tell us what to build. Add your email and we'll let you know when it ships — it joins our update list too.

No published ideas yet — be the first to suggest one above.