# Roadmap and requirements

This document consolidates high-level requirements and the public roadmap. Implementation detail belongs in module architecture and ADRs.

## System requirements (high level)

- Ingest SBOM formats: Trivy JSON, SPDX JSON, CycloneDX JSON.
- Auto-detect the SBOM type when it is not declared.
- Cache and reuse layer analysis for delta scans.
- Enforce a daily quota with HTTP 429, reset at UTC midnight.
- Policy engine evaluates YAML rules and supports history.
- Hot-load plugins without a service restart.
- Offline-first: no internet access required at runtime.

## Non-functional requirements (high level)

- Deterministic outputs and replayability.
- P95 cold-scan and warm-scan targets.
- TLS for inter-service traffic.
- Observability for scan and policy metrics.

## Roadmap

- Public milestones live on the project site.

## Feature matrix (summary)

- Free tier includes core SBOM ingestion, policy, registry, and UI.
- Reachability DSSE and advanced attestation are staged.
- Offline update kits and sovereign crypto profiles are first class.

## Related references

- docs/05_SYSTEM_REQUIREMENTS_SPEC.md
- docs/04_FEATURE_MATRIX.md
- docs/05_ROADMAP.md
- docs/03_VISION.md
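The first two system requirements (ingest Trivy, SPDX and CycloneDX JSON; auto-detect the type when none is declared) are illustrated below with an added example. It is not code from this project: the format is sniffed from top-level marker fields taken from the public schemas (`bomFormat`/`specVersion` for CycloneDX, `spdxVersion`/`SPDXID` for SPDX, `SchemaVersion`/`Results` for Trivy), the package list of each format is flattened into sorted `(name, version)` pairs so the output is deterministic, and a declared format that disagrees with the document content is rejected rather than parsed with the wrong reader. The function names and the three sample documents are constructed for the example.

```python
import json
from typing import Any, Optional

SUPPORTED = ("trivy", "spdx", "cyclonedx")


def detect_sbom_format(doc: dict[str, Any]) -> str:
    """Sniff the SBOM format from top-level marker fields.

    Markers assumed from the public schemas of each format:
      - CycloneDX JSON: "bomFormat": "CycloneDX" plus "specVersion"
      - SPDX JSON:      "spdxVersion" plus "SPDXID": "SPDXRef-DOCUMENT"
      - Trivy JSON:     "SchemaVersion" plus a "Results" list
    CycloneDX is checked first because its marker is the most specific.
    """
    if not isinstance(doc, dict):
        raise ValueError("SBOM document must be a JSON object")
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "cyclonedx"
    if isinstance(doc.get("spdxVersion"), str) and doc.get("SPDXID") == "SPDXRef-DOCUMENT":
        return "spdx"
    if "SchemaVersion" in doc and isinstance(doc.get("Results"), list):
        return "trivy"
    raise ValueError("unrecognised SBOM format (expected Trivy, SPDX or CycloneDX JSON)")


def extract_packages(doc: dict[str, Any], fmt: str) -> list[tuple[str, str]]:
    """Flatten a parsed SBOM into sorted, de-duplicated (name, version) pairs.

    Each format keeps its package list in a different place; only the
    fields needed for a name/version inventory are read.
    """
    pkgs: list[tuple[str, str]] = []
    if fmt == "cyclonedx":
        for c in doc.get("components") or []:
            pkgs.append((c.get("name", ""), c.get("version", "")))
    elif fmt == "spdx":
        for p in doc.get("packages") or []:
            pkgs.append((p.get("name", ""), p.get("versionInfo", "")))
    elif fmt == "trivy":
        for result in doc.get("Results") or []:
            for p in result.get("Packages") or []:
                pkgs.append((p.get("Name", ""), p.get("Version", "")))
    else:
        raise ValueError(f"unsupported format: {fmt}")
    # Sorted output keeps ingestion deterministic regardless of input order.
    return sorted(set(pkgs))


def ingest_sbom(raw: str, declared_format: Optional[str] = None) -> dict[str, Any]:
    """Parse raw JSON, resolve the format and return a normalised record.

    When no format is declared it is auto-detected. When one is declared it
    must agree with the document content: a mislabelled upload is rejected
    instead of being silently read with the wrong parser.
    """
    doc = json.loads(raw)
    detected = detect_sbom_format(doc)
    if declared_format is not None:
        declared = declared_format.lower()
        if declared not in SUPPORTED:
            raise ValueError(f"unknown declared format: {declared_format}")
        if declared != detected:
            raise ValueError(f"declared format {declared!r} does not match document ({detected!r})")
    return {"format": detected, "packages": extract_packages(doc, detected)}


# Constructed minimal sample documents (not real scanner output).
TRIVY_SAMPLE = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example:latest",
    "Results": [
        {"Target": "example:latest (alpine 3.19)", "Class": "os-pkgs",
         "Packages": [{"Name": "zlib", "Version": "1.3-r0"},
                      {"Name": "musl", "Version": "1.2.4-r2"}]}
    ],
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example",
    "packages": [{"SPDXID": "SPDXRef-pkg-1", "name": "openssl", "versionInfo": "3.1.4"}],
})
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [{"type": "library", "name": "lodash", "version": "4.17.21"}],
})

if __name__ == "__main__":
    for raw in (TRIVY_SAMPLE, SPDX_SAMPLE, CYCLONEDX_SAMPLE):
        print(ingest_sbom(raw))
```

The marker check deliberately requires two fields per format: a single key such as `name` or `packages` appears in more than one schema, and matching on it alone would let a document be routed to the wrong reader. Rejecting a declared/detected mismatch is the cheap check that keeps an operator-supplied label from overriding what the file actually is.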