Status: V1.0.0 has been released. Changes from V0 → V1 are detailed in CHANGELOG.md. This document documents the stability contract and the changes made.
V0 stability contract
What will NOT change in V1
These elements are stable and there will be no breaking changes:
- CLI commands: The 10 commands (
init,trace,changelog,fria,annex-iv,report,gaps,verify,status,connect) maintain their interface. - Exit codes:
verifywill continue returning 0/1/2. - Config schema:
.licit.yamlwill remain compatible — new fields will be optional with defaults. - Data formats:
provenance.jsonl,fria-data.json, MD/JSON/HTML reports maintain their structure. - EvidenceBundle: The 18 existing fields will not change. New fields can be added.
What MAY change in V1
- New config fields —
frameworks.nist_ai_rmf,frameworks.iso_42001will default totruewhen implemented. - New EvidenceBundle fields — To support SBOM, NIST, ISO.
- New requirements — More
ControlRequiremententries in EU AI Act and OWASP. - Plugin system — Mechanism to register custom frameworks and connectors.
- Sigstore integration —
provenance.signcould support keyless signing in addition to HMAC.
New frameworks in V1
NIST AI RMF (AI 100-1)
The NIST AI Risk Management Framework will be structured as an evaluator implementing the ComplianceFramework Protocol:
- Functions: Govern, Map, Measure, Manage
- Categories: ~20 evaluable subcategories
- Evidence: Will reuse existing
EvidenceBundle+ new fields for advanced data governance
ISO/IEC 42001
The AI management standard will be structured as an evaluator with:
- Clauses: 4-10 (Context, Leadership, Planning, Support, Operation, Evaluation, Improvement)
- Annex A controls: ~35 evaluable controls
- Evidence: Will require new fields for organizational policy and training records
Plugin system (V1)
V1 will introduce a plugin registration mechanism:
# licit-my-framework/src/my_framework/__init__.py
from licit.frameworks.base import ComplianceFramework
class MyFrameworkEvaluator:
name = "my-framework"
version = "1.0"
description = "My custom framework"
def get_requirements(self) -> list[ControlRequirement]: ...
def evaluate(self, context, evidence) -> list[ControlResult]: ...Registration via entry points in pyproject.toml:
[project.entry-points."licit.frameworks"]
my-framework = "my_framework:MyFrameworkEvaluator"Migration steps (when V1 is available)
1. Update
pip install --upgrade licit-ai-cli
licit --version
# licit, version 1.0.02. Verify config
# V1 will add new defaults. Verify that your config is valid:
licit status3. Re-evaluate
# New frameworks may detect new gaps:
licit report --format json -o v1-baseline.json
licit gaps4. Compare with V0
# Compare the V0 report with V1 to see changes:
diff v0-report.json v1-baseline.jsonEstimated timeline
| Milestone | Estimate |
|---|---|
| V0.x (session readers, PDF, GitHub Action) | 2-3 weeks post-V0 |
| V1.0-alpha (NIST AI RMF) | 4 weeks post-V0 |
| V1.0-beta (ISO 42001, plugin system) | 6 weeks post-V0 |
| V1.0 release | 8 weeks post-V0 |
Migration FAQ
Do I need to re-run licit init?
No. Your existing .licit.yaml will continue working. New fields will take default values.
Will provenance data be lost?
No. provenance.jsonl is forwards-compatible. V1 can add fields to new records without invalidating existing ones.
Is the existing FRIA still valid?
Yes. If V1 adds new questions to the FRIA, you can update it with licit fria --update.
Can V0 reports be compared with V1 reports?
Yes, if you use JSON format. The base structure (overall, frameworks[], results[]) will not change. V1 may add new fields but will not remove existing ones.