2026 - 2027 Roadmap

[LokiWager]

Roadmap

This document summarizes the most promising strategic initiatives for Easegress in the AI agent ecosystem.

Priority Summary

Initiative	Priority	Why now
AI Access Gateway	P0	Enterprises need centralized control over model access, cost, quotas, and audit.
MCP Gateway	P0	MCP is becoming the standard interface for tools, but enterprise governance around it is still weak.
Kubernetes-Native Agent Policy Control Plane	P0	Agent workloads are increasingly deployed on Kubernetes, where policy, tenancy, and lifecycle must be native.
Identity-Aware Audit and Short-Lived Credentials	P0	Shared provider keys are operationally easy but fail enterprise audit and accountability requirements.
Sandbox Egress Gateway for Job Centers and Remote Execution	P1	Once agents run in sandboxes, outbound access becomes a major security and compliance problem.
Gateway API Completion for Agent Platforms	P1	Gateway API matters for cloud-native credibility and policy attachment, but it is not the first blocker.
A2A Gateway	P2	A2A is strategically relevant, but real enterprise demand is likely to trail MCP and model governance.

1. AI Access Gateway

Priority: P0

Background

Many enterprises do not want employees to use model vendors directly with unmanaged seats, unmanaged API keys, or isolated team-level billing. Instead, they want a central gateway where users authenticate with enterprise identity, request access to approved models, and run all model traffic through one governed path.

Easegress already has a strong starting point here through its existing AI Gateway work, including provider integration, semantic cache, and observability. This makes AI access governance the shortest path from current Easegress capabilities to a differentiated enterprise offering.

Why It Matters

An AI Access Gateway gives the enterprise one place to enforce:

• approved provider and model selection,
• routing and fallback policy,
• token budgets and quotas,
• cost attribution and chargeback,
• prompt and response inspection,
• and auditability at user, team, task, and sandbox levels.

This is also where pooled enterprise access becomes practical. Instead of distributing vendor credentials broadly, the company can expose governed access with clear limits and traceability.

What Easegress Can Build

• An internal model catalog with approved providers, models, and tenant-scoped defaults.
• Routing policies based on user, team, task, environment, or cost tier.
• Token-aware quotas, budgets, and chargeback metadata.
• Provider fallback and cost-aware or latency-aware model routing.
• Prompt and response policy hooks for DLP, redaction, and guardrails.
• Audit events for every model request, including user, task, sandbox, provider, model, and token usage.
• Kubernetes-native policy resources for model access and quota control.

What Easegress Needs To Develop

• A new ModelCatalog CRD and controller for providers, models, quotas, and tenant-scoped defaults.
• A new token-usage accounting module integrated with AIGatewayController, instead of request-count-only governance.
• A new AI routing filter, or an equivalent policy module in AIGatewayController, that evaluates identity, cost, latency, and provider health.
• An extension to AIGatewayProxy, or a new fallback filter, for multi-provider failover behavior.
• A new guardrail filter chain, or equivalent policy hooks, for prompt and response inspection.
• A new audit event schema and export pipeline for model access, including token usage, policy decisions, and user-task-sandbox attribution.
• New portal pages and admin APIs for model catalog management, quota status, and audit visibility.

Reference Docs

• Easegress AI Gateway tutorial: 2.9.AI-Gateway.md
• Easegress AI Gateway controller reference: 7.01.Controllers.md
• OpenAI Agents SDK docs: developers.openai.com/api/docs/guides/agents-sdk
• OpenAI Responses API background mode docs: developers.openai.com

2. MCP Gateway

Priority: P0

Background

Model Context Protocol (MCP) is quickly becoming the standard way for agents to use tools over a common interface. The protocol surface is maturing around transport, authorization, and server discovery. That solves interoperability, but it does not solve enterprise governance.

What enterprises still need is a secure gateway between agents and MCP servers:

• which MCP servers are approved,
• who can call which tools,
• how outputs are filtered,
• and how all tool activity is audited.

This is where Easegress can add clear value.

Why It Matters

Tool calls are where many of the highest-risk actions happen:

• reading source code,
• modifying tickets,
• calling internal APIs,
• accessing SaaS systems,
• or executing remote actions through automation tools.

An MCP Gateway lets Easegress sit at the control point for that activity. It can standardize auth, enforce policy, apply rate limits, redact outputs, and provide a consistent audit trail across internal and external tools.

Among all agent-adjacent opportunities, this is likely the most attractive near-term opening because the protocol is gaining adoption while the governance layer is still immature.

What Easegress Can Build

• An approved MCP server registry for enterprise-managed and third-party tools.
• MCP-aware HTTP proxying with support for streaming and session-oriented traffic patterns.
• Authentication brokering for OAuth, OIDC, API keys, service tokens, and mTLS-backed tool access.
• Tool-level allowlists and deny lists scoped by user, team, task, sandbox, or environment.
• Per-tool rate limits, quotas, and concurrency controls.
• Output filtering, redaction, and response size controls for sensitive tools.
• Structured audit logs for every MCP server and tool invocation.

What Easegress Needs To Develop

• A new MCP transport filter, or equivalent gateway module, that supports streamable HTTP patterns and session lifecycle.
• New MCPServer and MCPToolPolicy CRDs with a controller for approved server and tool metadata.
• A new tool-policy filter that maps users, teams, tasks, or sandboxes to allowed MCP servers and tools.
• A new auth-broker module or filter that translates enterprise identity into downstream MCP server auth mechanisms.
• A new response-redaction filter specialized for MCP tool output.
• A new audit schema and pipeline for tool-level logging with server, tool, caller identity, and downstream-effect metadata.
• New portal pages and APIs for MCP server onboarding, approval, and policy inspection.

Reference Docs

• MCP specification: modelcontextprotocol.io
• MCP transports: modelcontextprotocol.io/specification/2025-11-05/basic/transports
• MCP authorization: modelcontextprotocol.io/specification/2025-11-05/basic/authorization
• MCP registry overview: modelcontextprotocol.io/registry/about
• Claude Code MCP docs: code.claude.com/docs/en/mcp

3. Kubernetes-Native Agent Policy Control Plane

Priority: P0

Background

Enterprise agent systems are increasingly deployed on Kubernetes:

• model gateways,
• MCP servers,
• sandbox runtimes,
• job centers,
• internal services,
• and observability stacks.

If Easegress wants to become the governance layer for agent systems, it cannot treat Kubernetes as a packaging detail. Policy, status, tenancy, and lifecycle must be Kubernetes-native.

This means the product direction should not stop at "runs on Kubernetes." It should define native resources and operational workflows for agent governance in Kubernetes environments.

Why It Matters

Kubernetes-native control is important for several reasons:

• platform teams expect declarative APIs and reconciliation,
• namespaces and service accounts are natural boundaries for tenancy and ownership,
• policy attachment is easier when resources are first-class,
• and production adoption is much easier when deployment, observability, and rollback fit existing Kubernetes workflows.

Without this, Easegress risks looking like an external gateway that happens to support K8s, rather than a true cloud-native policy layer for agent workloads.

What Easegress Can Build

• CRDs for model access, tool access, sandbox egress, and agent trust policy.
• Namespace-aware and service-account-aware policy attachment.
• Status and conditions reporting for agent governance resources.
• Admission and validation integrations for enforcing safe defaults at deploy time.
• Helm charts and operational packaging for gateway, policy, and audit components.
• Multi-tenant policy boundaries aligned with Kubernetes namespaces and workload identity.
• Portal and API views that surface policy state, violations, and ownership in cluster terms.

What Easegress Needs To Develop

• New Kubernetes-native CRDs such as ModelAccessPolicy, ToolAccessPolicy, SandboxEgressPolicy, and AgentTrustPolicy.
• New controllers and reconcilers that translate those governance CRDs into runtime policy and data-plane configuration.
• A new identity-resolution module in the control plane that is namespace-aware and service-account-aware.
• A new admission webhook, or equivalent validation layer, for preventing unsafe or incomplete policy objects.
• Helm chart and deployment packaging updates for the new controllers, CRDs, policies, and supporting services.
• New cluster status APIs and portal views that explain policy attachment, rollout state, and violations in Kubernetes terms.
• A multi-tenant controller design for isolation across namespaces, teams, and environments.

Reference Docs

• Kubernetes overview: kubernetes.io/docs/home
• Kubernetes Service Accounts: kubernetes.io/docs/concepts/security/service-accounts
• Kubernetes projected service account tokens: kubernetes.io/docs/tasks/configure-pod-container/configure-service-account
• Kubernetes ValidatingAdmissionPolicy: kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy
• Easegress Gateway API docs: 4.2.Gateway-API.md

4. Identity-Aware Audit and Short-Lived Credentials

Priority: P0

Background

Many companies currently solve AI access with a shared provider key behind a gateway. This helps centralize spend, but by itself it does not solve enterprise accountability. If every request looks the same downstream, the organization loses the ability to prove:

• which human initiated the request,
• which task or workflow it belonged to,
• which sandbox executed it,
• and which downstream tools or models were involved.

That is the gap between central access and governed access.

Why It Matters

Identity-aware audit is the core of enterprise trust in agent systems. It is what allows security, compliance, and platform teams to answer:

• who did what,
• when they did it,
• through which agent path,
• under which approval context,
• and with which downstream effects.

Short-lived credentials are equally important. They reduce blast radius and make it possible to bind access to:

• a user,
• a team,
• a task,
• a sandbox,
• a time window,
• and a set of allowed tools or models.

Without this capability, Easegress may still proxy traffic, but it will not solve the real governance problem.

What Easegress Can Build

• A canonical identity chain that ties together user, team, task, sandbox, tool, and model metadata.
• Short-lived credential issuance or token exchange for downstream model and tool access.
• Signed task-bound and sandbox-bound access tokens.
• Correlation IDs that follow requests across gateway, tools, sandboxes, and model providers.
• Immutable audit events with export to SIEM, data lake, or compliance pipelines.
• Policy checks that require user identity and task context before allowing privileged actions.
• Centralized reporting that answers who did what, when, through which agent path.

What Easegress Needs To Develop

• A new canonical request-context model in the gateway that carries user, team, task, sandbox, and workflow identity.
• A new short-lived credential service, or token-exchange controller, for downstream provider and tool access.
• A new identity-binding module that associates sandbox workloads with the originating human and task context.
• A new correlation-ID middleware or filter that propagates tracing and audit IDs across model calls, tool calls, callbacks, and sandbox egress.
• A new durable audit pipeline with exporters for SIEM, data warehouse, or compliance systems.
• A new authorization filter, or equivalent policy primitive, that requires human identity, approval state, or task context before privileged operations are allowed.
• New reporting and query APIs, plus portal views, for identity-aware audit trails.

Reference Docs

• Kubernetes Service Accounts: kubernetes.io/docs/concepts/security/service-accounts
• Kubernetes TokenRequest API and projected tokens: kubernetes.io/docs/tasks/configure-pod-container/configure-service-account
• Kubernetes TokenReview API reference: kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1
• Easegress traffic verification docs: 2.5.Traffic-Verification.md
• Easegress filter reference for OIDC, OAuth2, JWT, and OPA: 7.02.Filters.md

5. Sandbox Egress Gateway for Job Centers and Remote Execution

Priority: P1

Background

A growing enterprise pattern is to let users submit tasks to a centralized job center, which then launches a remote sandbox to execute the task. This pattern is attractive because it centralizes compute, cost, and compliance. It also changes the risk model.

Once the sandbox is running, the critical question becomes:

What is this sandbox allowed to reach?

At that point, risk is no longer limited to model access. It includes outbound access to:

• MCP servers,
• internal services,
• Git providers,
• ticketing systems,
• package registries,
• and arbitrary external endpoints.

Why It Matters

Sandbox egress is where many of the hardest production controls are needed:

• destination allowlists,
• per-task access scopes,
• short-lived downstream credentials,
• egress audit,
• anomaly detection,
• and fast revocation.

This is a particularly strong fit for Easegress because the problem is fundamentally about policy-controlled traffic rather than task scheduling.

Easegress does not need to become the job center. It needs to become the trusted egress and governance layer around the job center.

What Easegress Can Build

• Sandbox-bound egress policies that allow only approved models, tools, and external destinations.
• Identity binding between sandbox instances and the originating user or task.
• Short-lived downstream credentials injected only for the lifetime of the job.
• Destination-aware routing and filtering for internal APIs, MCP servers, Git providers, and SaaS systems.
• Egress audit with full request attribution and policy decision logging.
• Risk controls such as anomaly detection, rate limiting, circuit breaking, and emergency revocation.
• Kubernetes deployment patterns that work with Jobs, Pods, and remote execution controllers.

What Easegress Needs To Develop

• A new SandboxIdentity or SandboxEgressPolicy CRD and controller that the gateway can trust for workload attestation.
• A new egress-policy filter or policy module for allowed destinations, tools, models, and credential scopes.
• New runtime adapters for Kubernetes Jobs, Pods, or job-center-launched workloads.
• A new credential-injection module, or token-exchange mechanism, tied to sandbox lifetime.
• A new destination-classification engine, or equivalent policy filter, for internal services, MCP servers, SaaS APIs, and public endpoints.
• A new audit schema and pipeline for sandbox egress, including policy decisions and downstream targets.
• New administrative controls for fast revocation, isolation, or incident response when a sandbox misbehaves.

Reference Docs

• Kubernetes NetworkPolicy docs: kubernetes.io/docs/concepts/services-networking/network-policies
• Kubernetes Jobs docs: kubernetes.io/docs/concepts/workloads/controllers/job
• Kubernetes Service Accounts: kubernetes.io/docs/concepts/security/service-accounts
• Easegress security filters: 7.02.Filters.md
• Easegress WAF cookbook: 3.14.WAF.md

6. Gateway API Completion for Agent Platforms

Priority: P1

Background

Gateway API is the standard Kubernetes direction for gateway and traffic policy. Easegress already supports part of this area, but current support is still centered around HTTP and HTTPS listeners.

For broader cloud-native relevance, especially in enterprise agent environments, Easegress should continue expanding its Gateway API coverage and policy attachment model.

This matters not only for public ingress. Gateway API can also become the standard surface for policy, routing, and resource ownership across agent-related traffic.

Why It Matters

Completing more of the Gateway API surface helps Easegress in several ways:

• it improves Kubernetes credibility,
• it reduces dependence on custom attachment models,
• it aligns Easegress with platform team expectations,
• and it creates a clearer story for model, tool, and sandbox traffic management in clusters.

The most relevant areas are:

• GRPCRoute,
• TLSRoute,
• TCPRoute,
• UDPRoute,
• ReferenceGrant,
• and BackendTLSPolicy.

Not every one of these needs to ship first, but the direction should be explicit.

What Easegress Can Build

• Native support for GRPCRoute, TLSRoute, TCPRoute, and UDPRoute where they are relevant to agent traffic.
• Better support for ReferenceGrant and BackendTLSPolicy to enable secure multi-namespace deployments.
• Gateway API-aligned policy attachment for model, tool, and sandbox traffic.
• Cleaner translation between Kubernetes resources and Easegress internal routing or policy objects.
• Improved status reporting, conditions, and conformance coverage for Gateway API resources.
• A stronger Kubernetes story for platform teams standardizing on Gateway API as the control surface.

What Easegress Needs To Develop

• New Gateway API translators and reconciler logic for GRPCRoute, TLSRoute, TCPRoute, and UDPRoute.
• New L4 and TLS-oriented proxy modules, or extensions to existing proxies, where data-plane support is missing.
• New support in the Kubernetes integration layer for ReferenceGrant and BackendTLSPolicy.
• A new status-and-conditions reconciliation layer for Gateway API resources.
• A new conformance and interoperability test suite for the supported Gateway API surface.
• A new mapping layer between agent-governance policies and Gateway API attachment points.
• New documentation and runnable examples showing how model, tool, and sandbox traffic can be managed with Gateway API resources.

Reference Docs

• Gateway API overview: gateway-api.sigs.k8s.io
• GRPCRoute docs: gateway-api.sigs.k8s.io/api-types/grpcroute
• TLSRoute docs: gateway-api.sigs.k8s.io/api-types/tlsroute
• TCPRoute guide: gateway-api.sigs.k8s.io/guides/tcp
• UDPRoute guide: gateway-api.sigs.k8s.io/guides/udp
• ReferenceGrant docs: gateway-api.sigs.k8s.io/api-types/referencegrant
• BackendTLSPolicy docs: gateway-api.sigs.k8s.io/api-types/backendtlspolicy
• Easegress Gateway API docs: 4.2.Gateway-API.md

7. A2A Gateway

Priority: P2

Background

Agent-to-Agent (A2A) protocols aim to standardize how agents discover each other, exchange tasks, stream results, and handle callbacks or delegated work. This is strategically relevant because enterprise agent systems will eventually need secure interoperability between different agents and vendors.

However, compared with model access and MCP tool access, this area is earlier in its operational maturity for most enterprises.

Why It Matters

Over time, A2A can become another major governance surface:

• which agents are trusted,
• which delegated actions are allowed,
• how callbacks are authenticated,
• how agent identities are mapped across domains,
• and how multi-agent task chains are audited.

Easegress can eventually become the policy and traffic layer for this interaction as well. But this should likely follow, not precede, the work on AI access, MCP, identity, and sandbox egress.

What Easegress Can Build

• A2A-aware routing for task submission, streaming responses, callbacks, and delegated work.
• Trust policies for which agents may talk to which agents across teams or domains.
• Agent identity verification and version-aware routing.
• Callback authentication and protection for long-running delegated tasks.
• Delegation audit that tracks parent task, downstream agent, and resulting actions.
• Policy enforcement for which capabilities may be delegated to external or partner agents.

What Easegress Needs To Develop

• A new A2A protocol adapter or filter for request parsing and metadata handling in the gateway.
• New AgentPeer or AgentTrustPolicy CRDs and controllers for agent identity, domain boundaries, and delegated capabilities.
• A new callback-protection filter for long-running A2A tasks and webhooks.
• A new delegated-task audit schema that links parent tasks, downstream agents, and resulting actions.
• A new async-task and streaming handler adapted to A2A interaction patterns.
• New integration tests and runnable examples for multi-agent interoperability scenarios.

Reference Docs

• A2A specification: a2a-protocol.org/latest/specification
• A2A enterprise features: a2a-protocol.org/latest/topics/enterprise-ready
• Google announcement of A2A: developers.googleblog.com

[LokiWager]

I've listed some ideas that EG can do recently. @zhao-kun @xxx7xxxx @suchen-sci

[xxx7xxxx]

Sailing to V3: AI Agent Native API Gateway

I was thinking of opening an issue until I found this discussion. This is my thought right now. I'd like to do the radical evolution.

Background

This is an early and still-raw idea for what Easegress V3 could become.

Instead of thinking about an API Gateway only as a proxy or traffic management layer, what if we rethink it as an AI Agent Native API Gateway?

Not just “an API gateway with some AI features”, but a gateway designed from the beginning for:

• AI application traffic
• LLM / tool / agent workflows
• prompt-based management and operations
• agent-friendly development, testing, and extension

This is not a finalized roadmap proposal. It is an open idea, and I’d love to hear whether the community finds it interesting.

The Core Thought

A future V3 could explore a much more ambitious direction:

• Keep the data plane deterministic, observable, and reliable
• Make the control plane far more agent-native
• Let humans and coding agents work with the gateway through higher-level intent
• Make the gateway easier to manage, monitor, debug, extend, and even prototype with natural language and code generation

In other words, V3 would not just be a gateway that forwards requests.

It could become a gateway that people and agents can actively work with.

V3 Should Be a Real User of Itself

One important idea is that Easegress V3 should not only proxy traffic, but also act like a real user of the gateway itself.

That could mean users can:

• paste client code, server code, API docs, Markdown docs, or OpenAPI specs
• ask the system to generate APIs, routes, plugin chains, and example configs
• simulate clients continuously sending requests
• simulate backend services receiving requests and returning normal or abnormal responses
• insert filters/plugins in the middle and observe what changes
• generate invalid, malicious, adversarial, or abusive requests for testing
• build a runnable playground for debugging, monitoring, development, and security validation

This would make Easegress V3 more than an API Gateway.

It could become a gateway-native environment to:

• build
• simulate
• observe
• test
• attack-test
• debug
• optimize

Large models are especially useful here because they are good at generating mock clients, mock servers, API definitions, test cases, failure cases, and even illegal traffic patterns.

A Possible First Step: egx

A practical first step might be to build an experimental prototype first, tentatively called egx.

The idea would be:

• egx is a lightweight prototype built on top of Codex-style agent workflows
• it is written in Rust
• it focuses on proving the interaction model before trying to redesign the whole project at once

For example, egx could help users:

• ingest API docs, code snippets, or service descriptions
• generate route definitions and plugin chains
• create mock clients and mock servers
• continuously replay or synthesize traffic
• generate edge cases and malicious requests
• explain what happened in the request path
• propose configuration changes and test them in a safe loop

This would let us validate whether “AI Agent Native Gateway” is actually useful in practice, instead of only discussing it in the abstract.

Why This Might Be Interesting

A lot of gateways are becoming “AI-enabled”, but very few feel truly AI Agent Native.

This direction may be interesting because it combines several things:

• infrastructure reliability
• developer productivity
• agent-friendly operations
• easier experimentation and prototyping
• better support for AI-era traffic patterns

It could also be a chance to rethink architecture, extension points, policies, configuration, observability, and developer experience from a fresh starting point.

Open Questions

There are still many open questions:

• Should this be an evolution of Easegress, or a more radical V3 direction?
• What should “AI Agent Native” mean in concrete product terms?
• Which parts must remain deterministic and traditional?
• Which parts should become prompt/agent driven?
• How far should the system go in code generation, simulation, and automated operations?
• What are the safety boundaries for agent-driven changes?
• Should the first goal be developer experience, operations, testing, or AI traffic management?

Community Discussion

I’d really like to hear what the community thinks.

• Is this direction interesting at all?
• Would you want to use something like this?
• Which use cases matter most to you?
• What would be exciting here?
• What would be dangerous or a bad idea?
• If Easegress were to explore a V3 in this direction, what should it absolutely not lose from today’s strengths?

If there is enough interest, we can keep refining this idea together and gradually turn it into something more concrete.

[LokiWager]

We should migrate this discussion to an issue.

I completely agree with your perspective. Especially in scenarios like configuration, testing, and verification, using EG can be quite cumbersome.

For an AI-native API Gateway, I think it could support natural language–driven deployment and configuration, AI + rule-based security guarantees, traffic-aware auto scaling and failover, as well as AI-powered anomaly detection and alerting.

In addition, as a gateway, I believe EG still needs to do a solid job on the cloud-native side—for example, deeper and more seamless integration with Kubernetes.

As for whether to rewrite it in Rust, I think it’s worth discussing. The current architecture is already quite mature, and rewriting existing functionality in Rust may not bring significant benefits.

[xxx7xxxx]

I agree with your opinions. I want to write the new egx as an AI-Agent interface for Easegress, rather than rewriting the core of Easegress (even though it is not a big thing in the vibe coding era, and seems promising in many ways, see https://fishshell.com/blog/rustport/)
Another big concern is that embedded etcd in Easegress. I want to remove it, but I don't have a satisfying idea yet.
And we could open an issue until we figure out a roughly big picurture for v3.