Forward Vision

From MVP to Forward-Ready Platform

CueCrux starts as “answers with proof” and grows into a trust-first platform: Engine, WebCrux, FactoryCrux, SDKCrux, WatchCrux, OpsCrux, Crux Economy and (for larger customers) Private Stack planes all working together.

This document sets the forward vision for the first 12 months after V1.0 ships.

90-Day Target - V1.0 Launch

The near-term target remains the current MVP goal:

Production-ready Engine + Web app delivering fast, cited answers for content and knowledge workers.
WebCrux provides sign-in, team workspaces, saved answers, and history; the browser only ever talks to a BFF proxy, never directly to the Engine.
Each answer ships with:
- Citations (URLs, quotes, timestamps),
- A “Why trust” summary and mode badge (light / verified / audit),
- Links back to a provenance ledger and CROWN snapshot when enabled.

Success criteria at V1.0:

Usage: ≥ 200 WAU using “Ask with citations” via WebCrux.
Trust: ≥ 95% of answers carry ≥ 2 non-duplicative citations when available; contradiction rate flat or declining.
Latency: /v1/answers P95 < 2.0 s end-to-end (Engine + WebCrux).
Reliability: Availability ≥ 99.5% on a single-node stack, with restore drills documented.

Dependencies:

Stable Engine contracts: /v1/answers, /search, /v1/artifacts, /v1/embeddings.
WebCrux auth/session system and BFF integration.
Initial InfraCrux stack: Postgres, ClickHouse, Prometheus, Grafana, WatchCrux operator.

Key near-term risks and where they are documented:

Engine availability or migration issues → Engine + InfraCrux plans and PITR/DR runbooks.
Auth/session design flaws → WebCrux + Security master plans.
Data correctness or bias → ATAM & Meta-Governance plans.

Mitigations are captured in runbooks, SLOs and WatchCrux audit loops.

12-Month Narrative - After V1.0

Within the first year after V1.0:

CueCrux graduates from a single app to a “federation of planes”:
Engine (proofs), WebCrux (BFF + UX), FactoryCrux (ingestion), WatchCrux (operator), InfraCrux (infra), OpsCrux (control tower), SDKCrux (contracts) and Crux Economy (participation credits).
The trust model becomes visible everywhere:
- Every non-trivial answer exposes receipts, evidence sets, contradiction flags and snapshot freshness.
- Governance layers (Meta-Plan + OpsCrux) ensure versions and policies stay aligned across the fleet.
Data sourcing and ingestion are no longer ad-hoc:
- FactoryCrux adds policy-aware web and document ingestion with clear CRUX/£ quotes, robots/licence compliance, and domain/group coverage dashboards.
Developers integrate CueCrux like any other core dependency:
- SDKCrux unifies clients, error models, receipts and provenance verification across services, and powers external SDKs (e.g. @cuecrux/engine-client).
Operators gain a proper control tower:
- OpsCrux becomes the single pane for budgets, SLOs, endpoints, prompts, and FinOps metrics, wired into InfraCrux and WatchCrux.
Crux Economy matures from a pricing note into an operational system:
- Crux is pegged to the average cost of verified-mode queries and hot storage, updated via a Proof Cost Index (PCI) and InfraCrux dashboards.
Enterprise-grade isolation appears as “Private Stack”:
- High-sensitivity customers get their own namespaces, schemas and ledgers, with federation of proofs back to the core platform.

By the end of this year, the question “Why should I trust this?” has a concrete, inspectable answer at every layer.

Year-1 Themes

1) Trust & Evidence Backbone

Goal: Move from “cited answers” to cryptographically verifiable receipts and robust anti-manipulation.

Key building blocks:

CROWN retrieval + QUORUM (MiSES) evidence sets as the default for Engine answers (light/verified/audit modes, minimal sufficient evidence, counterfactual lane).
Provenance ledger with BLAKE3 + ed25519 signatures and append-only semantics.
ATAM controls (Auth, Trust & Anti-Manipulation) for:
- Retraction and venue risk handling,
- Prompt-injection firewalling,
- Collusion/brigading detection by down-weighting, not deleting.
Trust-first UI: Why Trust panels, mode badges, contradiction banners, and trust reports.

Outcome: Any given answer can be replayed and audited, and sources of bias or manipulation are visible and contestable.

2) Product & UX Surfaces

Goal: Turn WebCrux from a thin shell into a full workspace for individuals, teams, and support workflows.

Key steps:

Finish WebCrux history, saved answers, workspaces, orgs and plan entitlements.
Layer SupportCrux into the same auth/DB:
- In-app + email ticketing, automatic AI triage, cited AI replies, and WatchCrux-visible metrics.
Standardise trust UX patterns (badges, receipts, counterfactual chips) across WebCrux and SupportCrux.
Expose trust reports and appeals directly from the Web UI, wired into SupportCrux workflows.

Outcome: A user can ask, inspect, save, share, appeal, and support customers without ever leaving a trust-aware environment.

3) Data Sourcing & Ingestion

Goal: Provide controlled, costed ingestion for public web and document sources, and eventually for customer knowledge bases.

Key steps:

Ship FactoryCrux v1.0:
- Policy-aware fetcher (robots, X-Robots, licence, PII, conditional GETs).
- Pre-flight outlines, crawl plans, lane selection (Fast/Slow), and budget caps in CRUX/£.
- Domain + domain-group coverage and freshness dashboards.
Connect FactoryCrux to Crux Economy:
- Rewards for policy-compliant uploads and link contributions that pass QUORUM (MiSES) and receipts.
Expose ingestion control and monitoring in OpsCrux/InfraCrux:
- Jobs, budgets, failure reasons and coverage.

Outcome: Ingestion becomes a product experience, not a behind-the-scenes data job.

4) Developer & Operator Ecosystem

Goal: Make CueCrux easy to integrate, extend, and operate.

Key pieces:

SDKCrux v1.1+:
- Shared error model, DTOs, receipts verification helpers and public @cuecrux/engine-client.
OpsCrux Control Tower:
- Agent budgets & health, endpoint SLOs, prompts, change calendar, FinOps (revenue vs model/infra cost).
AgentCrux + OpsCrux wiring:
- Researcher, Triage, Planner, Budgeter, Auditor, Release agents all run under C³ budgets with receipts, visible in OpsCrux.
Cue (local operator):
- Optional local-first CLI/service that lets you run platform checks, ingestion plans and agent actions from one command, still using Engine receipts.

Outcome: Developers and operators treat CueCrux as a first-class platform, with strong contracts and a predictable operator experience.

5) Security, Meta-Governance & Private Stack

Goal: Bake security and governance into the platform’s daily reality.

Key steps:

Implement Security V1.0:
- Vault-backed secrets, Transit signing for JWTs and receipts, DR drills, and policy-aware ingestion.
Apply the Integration Master Plan:
- /healthz + /metrics contracts, circuit-breakers, no-hammer policy, canary/rollback, and DR drills across all planes.
Stand up Meta-Governance:
- RFC + ADR process, Intent Ledger, PCI, appeals, and long-term compatibility governance.
Introduce Private Stack:
- Tenant-isolated namespaces, schemas and S3 prefixes; federated proof bridge for WatchCrux; OpsCrux tenant plane.

Outcome: The platform can pass serious audits, evolve sensibly, and support high-sensitivity deployments without forking the core.

6) Crux Economy & Proof Cost Index

Goal: Turn Crux into a transparent, cost-anchored participation system.

Key points:

Crux valuation:
Crux uses a dynamic Proof Cost Index (PCI) so credits track the real average cost of verified-mode queries and storage rather than a fixed currency peg; audit queries and hot storage still burn more credits because they consume more compute and retention.
Base metrics and capacity:
- PCI uses per-mode cost metrics (tokens, latency, model/infra cost) from InfraCrux and Engine metrics to periodically re-fit the Crux ↔ £ mapping.
- As more work is served from cached or re-used evidence, the effective cost per verified query drops; PCI detects this and can lower Crux burn for the same mode, or increase rewards for high-reuse artefacts.
Earn and spend rules:
- Users earn Crux when their artefacts are used in QUORUM (MiSES) evidence sets or agent runs; they spend Crux on verified/audit queries, priority, and hot storage.
Governance:
- Crux is not a token or security; it is an internal participation credit, governed by clear non-financial terms.

Outcome: Crux directly reflects compute and storage reality, and the system can adapt pricing and rewards as the underlying hardware and usage patterns change.

🗺️ Year-1 Milestones (Indicative)

Exact dates live in PlanCrux/OpsCrux; this is the high-level arc.

Quarter 1 - MVP Hardening & Trust

Ship Engine + WebCrux V1.0; meet MVP SLOs.
Turn on C³ modes (light/verified/audit) + QUORUM (MiSES) + basic receipts.
WatchCrux v1.1 monitoring Engine + WebCrux, ingesting metrics into its own schema.
InfraCrux dev/prod stack, PITR, backups and first restore drill.

Quarter 2 - Ingestion, Support & OpsCrux

FactoryCrux v1.0 (outline → quote → plan → commit, with CRUX budgets).
SupportCrux v1.0 (triage, FAQ, cited AI answers) integrated into WebCrux.
OpsCrux slices: Agents & budgets page, Interop & Endpoints, backups view.
Security Phase A–C: Vault foundation, Transit signing, basic ATAM hooks.

Quarter 3 - Agents, SDK & Crux Economy

AgentCrux mesh (Researcher, Triage, Planner, Budgeter, Auditor, Release) with receipts and C³ budgets.
SDKCrux V1.1+ (internal packages + public @cuecrux/engine-client) used across services.
Crux Economy V1.1 live: ledgers, mints/spends, unused-decay, reuse rewards, dashboards.
Meta-Governance slices: Intent ledger, Compat Matrix, PCI wired into InfraCrux and OpsCrux.

Quarter 4 - Private Stack & Regulatory Readiness

Private Stack v1: tenant namespaces, schemas, S3 prefixes, gateway, and extension hooks.
WatchCrux federation: hash-only proof checks for tenant planes.
Full ATAM + Meta-Governance: appeals, trust-report, retraction/venue sync, collusion damping, key escrow drills.
External-facing legal and compliance pack (DPAs, retention, Crux legal position) aligned to receipts and Private Stack.

Year-1 Risks & Guardrails

Risk	Guardrail / Mitigation
Complexity creep: too many -Crux projects and master-plans.	Meta-Governance Plan Index, deprecation policy, and Plancrux v2.0 as a single source of truth for goals/tasks/services.
Version and contract drift between Engine, WebCrux, SDKs and operators.	/healthz compat fields, SDKCrux compat matrix, WatchCrux drift alerts, and Integration V1.0 gates.
Security or compliance gaps as usage grows.	Security V1.0 (Vault, Transit, DR), ATAM guardrails, Private Stack isolation and audit-ready receipts.
Economic mis-pricing of Crux vs real compute.	PCI dashboards from InfraCrux, Crux Economy policies and C³ guardrails; quarterly valuation reviews.
Operator overload (too many dashboards and alerts).	OpsCrux as single pane; WatchCrux summariser agent; daily minutes and change calendar; explicit SLOs and budgets.

“Forward-Ready” Definition - End of Year One

By the end of Year One after MVP launch, CueCrux is forward-ready if:

Every plane (Engine, WebCrux, FactoryCrux, WatchCrux, OpsCrux, InfraCrux, SDKCrux, Crux Economy, AgentCrux, Private Stack) exposes the standard /healthz + /metrics contracts, with build, compat and sdkVersion.
Receipts and trust UX are present end-to-end: any customer-visible answer can show its evidence, contradictions, and mode, with a path to appeal.
Ingestion is policy-aware and costed, with coverage dashboards and Crux-linked budgets.
Operators have a single console (OpsCrux) and independent auditor (WatchCrux) with SLOs, backups and DR drills in place.
Developers and partners integrate via stable SDKs and a documented meta-governance process, not tribal knowledge.
Crux Economy is live, cost-anchored, and legally clear, with PCI-driven tuning and transparent ledgers.

At that point, V1.0 isn’t just an MVP you shipped once; it’s a platform you can grow, audit, and defend for the long term.

GuidesTrust

GuidesWhy Trust UI Guide