Roadmap
Shipped, live on testnet
- The core credit loop — register, prove revenue, get scored, receive an on-chain credit line, borrow, repay, lender yield. All real, all on-chain.
- A real credit-risk engine — default lifecycle with permissionless
mark_default, a first-loss reserve, shares-based loss socialization across lenders, dynamic utilization-based APR, and on-chain credit ramps. Proven with unit tests, a 1,500-step randomized invariant fuzz test, and a live adversarial default run. - A real anti-Sybil independence model — payer age, external diversity, funding-source independence, reciprocity, and concentration (HHI), replacing naive loop-detection. Proven against a synthetic attack catalog and a live on-chain circular-funding attacker.
- Persistent scale — a continuously-running Postgres payment-graph indexer and a Horizon deep-history fallback, so the moat isn't limited to the RPC's ~24h event retention.
- zkTLS off-chain revenue proofs — a Reclaim-verified off-chain revenue figure (e.g. a Stripe balance), verified on a deployed Soroban verifier contract, carrying real weight in the score.
- A real autonomous artifact — an agent (Scout) has run the entire lifecycle — earn, get underwritten, borrow, repay — completely autonomously, starting from zero capital.
- The agent SDK and onboarding kit —
@trustline-agents/agent-sdk, a testnet USDC faucet, and a runnable quickstart, so an outside builder can actually plug an agent in.
In progress
- External adoption — the SDK, faucet, and onboarding kit exist specifically to let agents that aren't ours integrate. Current real usage is still a handful of test agents, honestly.
- Public documentation — this docs site itself; still growing (an error-code/glossary page and more integration examples are next).
- Ecosystem composability — exploring integrations with other Stellar DeFi primitives so an agent's revenue can come from participating elsewhere in the ecosystem (e.g. running as a keeper/operator on another protocol), and so idle lender capital isn't sitting fully dormant between loans.
Next up
- Get the score-signing key out of plaintext config, with a documented rotation procedure — the biggest remaining centralization risk.
- API auth + rate-limiting on the underwriting endpoint, currently open to anyone.
- zkTLS proof-caching resilience — a transient proof failure shouldn't visibly downgrade an agent's tier; fall back to the last verified proof instead of zeroing it out.
- Extend deep-history to the independence engine's diversity signal, not just revenue and payer age.
- Basic CI (build + typecheck + contract tests on push) and baseline uptime monitoring.
Deliberately deferred until testnet is proven out
Real-money mainnet pilot, real LP capital, a paid security + economic audit, legal/compliance/KYC-AML work, zero-code/managed-wallet tiers, and a Python SDK. These are all real, all necessary eventually, and all explicitly not started — the strategy is to build and adversarially test everything that can be built and attacked for free on testnet first, before anything touches real money or a real adversary.
The honest gap analysis
What's genuinely built and tested (the credit loop, the risk engine, the independence model, the safety rails) is real engineering, not a demo. What's still missing is not more contract logic — it's proof under real conditions: real money, a real adversary, real external users, and a decentralized trust root. That's the actual distance between "working testnet prototype" and "production credit protocol," and it's why the near-term roadmap is about distribution and hardening, not new primitives.