Roadmap

Six tracks (A–F) covering SDK parity, real post-quantum cryptography, hardening and benchmarks, compliance and audit, IETF standardization, and a forward outlook. Snapshot of 2026-05-15.

Status legend: Closed · Delivered · In progress · Planned
  1. Track A — Parity across SDKs

    Timeframe: 2026-Q1
    Status: Closed

    SecureTOONParser, SecurityLogger, RevocationService, RateLimiter, URLValidator and ConfigLoader (TWT-A5: TOML canonical, YAML soft-deprecated, TOON legacy) delivered on 6/6 production SDKs.

    • A1 — SecureTOONParser hardened across 6 SDKs
    • A2 — Native security logging & SIEM events
    • A3 — Revocation service with replay cache
    • A4 — Rate limiter + adversarial corpus (64 fuzz tests)
    • A5 — Multi-format ConfigLoader, TOML canonical
  2. Track B — Real post-quantum cryptography

    Timeframe: 2026-Q2 → Q4
    Status: In progress

    B3+B3.1 closed: real ML-DSA-65 (FIPS 204) keygen, sign, verify live on 14 SDKs via liboqs, circl, BouncyCastle and noble-post-quantum. B3.2 closed: real TOON wire format. B4 (PKI hierarchy) and B5 (OCSP/CRL) pending.

    • B1 — ML-DSA-65 production keying material
    • B2 — Dilithium3 cross-SDK test vectors
    • B3 — Real ML-DSA-65 on 14 SDKs (closed 2026-05-15)
    • B3.1 — Cross-SDK adversarial PQC corpus (closed 2026-05-15)
    • B3.2 — Real TOON wire format v2 (closed 2026-05-15)
    • B4 — PKI hierarchy & key rotation (pending)
    • B5 — OCSP/CRL certificate status (pending)
  3. Track C — Hardening & benchmarks

    Timeframe: 2026-Q1
    Status: Closed

    ConfigGuard (TWT-C3), HoneypotDetector (TWT-C4), and cross-SDK benchmarks under 30 ms across 12 SDKs: 108+ benchmarks, worst-case margin 5× (TypeScript).

    • C1 — Cross-SDK benchmarks under 30 ms — 108+ benches across 12 SDKs
    • C2 — Adversarial corpus (64+ fuzz tests, monthly CI cron)
    • C3 — ConfigGuard: HMAC-protected config integrity
    • C4 — HoneypotDetector: trap claims with SIEM events
  4. Track D — Compliance & audit

    Timeframe: 2026-Q2 → Q3
    Status: In progress

    81/81 AppSec remediation items closed (Tiers 0–6). D2 and D4 delivered. D1 (HTTP attestation) and D3 (breach workflow) remain open (in progress).

    • D1 — HTTP attestation header (in progress)
    • D2 — Regulatory profile mapping: FINMA, nFADP, GDPR, EU AI Act, HIPAA (delivered)
    • D3 — Breach workflow (in progress)
    • D4 — HMAC-chained AuditTrail on 6/6 SDKs (delivered)
  5. Track E — IETF standardization

    Timeframe: 2026-Q3
    Status: In progress

    Internet-Draft v2 (draft-02): MLDSA65 promoted from `reserved` to `optional`; 14 implementations listed. Dual MIT/Apache-2.0 licensing across all SDKs. IANA registries delivered.

    • E1 — Rust crate 1.5.0, dual MIT/Apache-2.0 (delivered)
    • E2 — Canonical surface alignment across 16 SDKs (delivered)
    • E3 — Internet-Draft v2 (HS256 + MLDSA65) with reproducible test vectors (delivered)
    • E4 — IANA registries; MLDSA65 promoted to optional (delivered)
    • E5 — Multi-registry publication: crates.io, npm, PyPI, Maven Central, NuGet (partial)
    • E6 — Third-party adoption & community review (pending)
  6. Track F — Forward outlook

    Timeframe: 2027
    Status: Planned

    Apache Software Foundation transfer, FIPS 140-3 validation, ML-based anomaly detection, macaroons, differential privacy.

    • F1 — FIPS 140-3 module validation
    • F2 — Anomaly detection on token lifecycle events
    • F3 — Macaroons (attenuation & caveats)
    • F4 — Differential privacy for audit analytics
    • F5 — Additional client SDKs (Kotlin)