Roadmap 2027 — Node.js First, Multi-language SDK Expansion #1

@contexa73

Labels: roadmap, enhancement
Assignee: @contexa73
Type: Epic

Background

Contexa today targets the JVM ecosystem (Java / Spring Boot, ~9 M developers). The Java reference implementation took roughly 12 months to reach RC quality with a single-developer team, and we want to be honest about what a similar engineering effort means for additional runtimes.

This roadmap prioritizes Node.js as the immediate next runtime because:

  • Largest single language community (~16 M developers)
  • Dominant in API gateways, BFF, and SaaS startups — exactly where post-authentication runtime control matters most
  • TypeScript type system aligns naturally with our strict contract approach (5-action enum, sealed evidence)

Phase plan (single-developer baseline)

| Phase | Target | Period | Notes |
|---|---|---|---|
| P1 | Node.js SDK (Express · Fastify · Koa · NestJS · TypeScript types) | 2027 (full year) | Java reference took 12 months solo; Node.js expected to take 9–12 months at the same staffing level |
| P2 | Python SDK | 2028 H1 | Starts after P1 v1.0 ship, or sooner if hiring closes |
| P3 | Go Runtime Adapter (net/http · gin · echo · gRPC) | 2028 H2 | gRPC interceptor adds material complexity |
| P4 | Cross-runtime parity tests | Rolling, per phase | Each SDK ships with the 5-action conformance suite |

Why these timelines are realistic

  • The Java reference (spring-boot-starter-contexa + contexa-core + contexa-iam + contexa-identity + contexa-common) accumulated 1,941+ Java files over 12 months, all single-developer
  • Each new runtime has to re-implement the OAuth2 / JWT bridge, sealed evidence (SHA-256 8-section), 5-action HTTP/status mapping, and the decision client transport — none of which transfer mechanically across language boundaries
  • Solo engineering capacity caps parallelism at one runtime at a time. Hiring will accelerate later phases.

Acceleration scenarios

| Scenario | Effect on roadmap |
|---|---|
| Solo throughout 2027–2028 | P1 ships end of 2027, P2 mid-2028, P3 end of 2028 |
| 1 backend hire mid-2027 | P2 starts in parallel with P1 polish; P3 brought into 2028 H1 |
| 2 backend hires after Series A | All three runtimes parallel by 2028 |

Out of scope (this roadmap)

  • C# / .NET adapter (deferred — no committed date)
  • Rust runtime adapter (deferred)
  • Mobile SDK (iOS / Android) — different threat model, separate roadmap

Success criteria (per runtime)

  • Each adapter passes the 5-action conformance suite (ALLOW · CHALLENGE · BLOCK · ESCALATE · PENDING_ANALYSIS)
  • Authentication flow integrates with the existing OAuth2 / JWT bridge (mcp-auth-server)
  • Evidence sealing (SHA-256 8-section package) consistent with the JVM core
  • Open Trust Benchmark publishes per-runtime verification results

Dependencies

Discussion welcome

Comment with your runtime priority, integration constraints we should not break, or with hiring referrals if you know strong Node.js / Python / Go engineers interested in security-domain work.
