Open source · roadmap to 1.0

Open source.
Read every line.

Nomos is open under Apache-2.0. The crypto, the policy engine, the SDK, and the MCP server are on npm — and the full control-plane and dashboard source is public too, so anyone can audit exactly how a decision gets made. Here is every package, and where the roadmap goes next.

what’s public today

13 packages on npm.

Every cryptographic primitive, the policy evaluator, the capability mint, and the SDK that agents call. If a decision feels wrong, you can run the same engine offline and prove it.

package
role
status
  • @auto-nomos/core
    PDP decide() engine100% cov
    on npm
  • @auto-nomos/cedar
    Cedar policy evaluator100% cov
    on npm
  • @auto-nomos/ucan
    UCAN delegation chains100% cov
    on npm
  • @auto-nomos/crypto
    DID + Ed25519 signing
    on npm
  • @auto-nomos/shared-types
    Zod schemas
    on npm
  • @auto-nomos/sdk
    TypeScript SDK
    on npm
  • @auto-nomos/mcp-server
    MCP-protocol server
    on npm
  • @auto-nomos/adapters
    YAML connector specs
    on npm
  • @auto-nomos/schema-packs
    apiCall validators
    on npm
  • @auto-nomos/policy-builder
    Visual editor (React Flow)
    on npm
  • @auto-nomos/audit-verify
    Chain verify CLI
    on npm
  • @auto-nomos/cli
    nomos CLI
    on npm
  • @auto-nomos/ucan-cli
    nomos-ucan CLI
    on npm
  • @auto-nomos/control-plane
    Hono + tRPC server
    source
  • @auto-nomos/dashboard
    Next.js operator UI
    source
roadmap

Three milestones.
One Apache-2.0 flip.

  1. v0.0.x → v0.1.x
    May 2026

    Foundation packages shipped under @auto-nomos/* on npm. PDP, Cedar, UCAN, crypto, SDK, MCP server, adapters, schema-packs all public.

  2. v0.2 (next)
    Targeting Q3 2026

    Self-host helm chart. Bring-your-own Ed25519 root signing key. First-party Docker images for control-plane + PDP.

  3. v1.0
    Targeting Q4 2026

    A stable, semver-guaranteed 1.0 API surface. An RFC process and governance doc on top of the Apache-2.0 source, CONTRIBUTING, and code of conduct already in the repo. Public roadmap on GitHub Projects.

why wait

Why not flip today?

Three reasons. The control-plane still carries a few customer-specific feature flags we’d rather extract before public review. The audit-root signing flow needs the bring-your-own-key path before self-hosters can run it without trusting us. And the first sweep of a public repo’s CONTRIBUTING is something we want to do once, not twice.

We’re moving fast. The npm-published packages are battle-tested in production today — those are the parts most worth reading first. When the rest flips, you’ll already know the engine that drives it.