{
  "schema_version": 1,
  "artifact_id": "public-capability-matrix",
  "updated_at": "2026-06-30",
  "scope_note": "Honest public capability labels for Agent Firewall day-one launch surfaces. This artifact is the canonical source for README, docs, Omnet, and future viewer copy. It does not claim whole-machine, all-agent, tamper-proof, or enterprise fleet enforcement.",
  "maturity_labels": {
    "research": "Docs reviewed; no working local prototype.",
    "observe": "Can log some events; cannot reliably stop actions before execution.",
    "ask-block-prototype": "Ask/block works in local synthetic tests or doctor self-tests; not cleared for broad supported labeling without live validation evidence.",
    "supported": "Live validation, documented bypasses, and repair path proven for early users.",
    "enterprise-managed": "Centrally deployable under managed-device assumptions; not part of day-one personal product."
  },
  "evidence_levels": {
    "design_only": "Architecture or planning only.",
    "synthetic_hook_tests": "Adapter exercised with hand-built hook JSON payloads.",
    "synthetic_hook_tests_and_doctor_self_test": "Synthetic hook tests plus local doctor self-test on the machine.",
    "live_manual": "Recorded manual validation in the live agent app.",
    "automated_live": "Automated tests against the live agent app.",
    "design_partner_validated": "Validated with an external design partner under documented conditions."
  },
  "integrations": [
    {
      "id": "claude_code",
      "display_name": "Claude Code",
      "build_status": "built",
      "maturity_label": "ask-block-prototype",
      "evidence_level": "live_manual",
      "supported_os": ["linux", "macos"],
      "supported_agent_scope": "Claude Code sessions with Agent Firewall hooks wired in Claude Code settings for PreToolUse, PostToolUse, and PostToolUseFailure.",
      "observed_action_types": [
        "shell.command",
        "file.read",
        "file.write"
      ],
      "vendor_tool_matchers": [
        "Bash",
        "Read",
        "Write",
        "Edit",
        "MultiEdit",
        "NotebookEdit"
      ],
      "pre_action_ask_block": "yes_for_matched_pretooluse_tools",
      "post_action_audit": "yes_for_posttooluse_and_posttoolusefailure",
      "degraded_states": [
        "malformed_or_unsupported_hook_input_fails_open",
        "policy_load_or_evaluation_failure_fails_open_in_personal_mode",
        "daemon_unavailable_fails_open_in_personal_mode",
        "approval_timeout_denies_when_denial_is_supported",
        "missing_or_invalid_claude_code_settings",
        "hook_command_missing_or_unreadable"
      ],
      "known_bypasses": [
        "actions_that_never_pass_through_claude_code_hooks",
        "claude_code_modes_or_tools_outside_the_installed_hook_matcher",
        "direct_shell_or_editor_use_outside_claude_code",
        "user_removing_or_editing_hooks_manually",
        "mcp_tools_without_sufficient_default_policy_coverage"
      ],
      "support_label_gate": "Do not promote to supported until live_validation_status is complete in docs/implementation/evidence/claude-code-validation-evidence.json.",
      "validation_evidence_artifact": "docs/implementation/evidence/claude-code-validation-evidence.json",
      "live_validation_status": "partial"
    },
    {
      "id": "codex",
      "display_name": "Codex",
      "build_status": "built",
      "maturity_label": "ask-block-prototype",
      "evidence_level": "synthetic_hook_tests",
      "supported_os": ["linux", "macos"],
      "supported_agent_scope": "Codex sessions with Agent Firewall hooks wired in ~/.codex/hooks.json for PreToolUse and PostToolUse.",
      "observed_action_types": [
        "shell.command",
        "file.read",
        "file.write",
        "mcp.tool_call"
      ],
      "vendor_tool_matchers": [
        "Bash",
        "apply_patch",
        "Edit",
        "Write",
        "Read",
        "mcp__<server>__<tool>"
      ],
      "pre_action_ask_block": "yes_for_matched_pretooluse_tools_in_synthetic_tests",
      "post_action_audit": "yes_for_posttooluse_in_synthetic_tests",
      "degraded_states": [
        "malformed_or_unsupported_hook_input_fails_open",
        "apply_patch_without_extractable_path_fails_open",
        "multi_file_apply_patch_represented_by_first_target_only",
        "policy_load_or_evaluation_failure_fails_open_in_personal_mode"
      ],
      "known_bypasses": [
        "live_codex_app_hook_enforcement_not_yet_proven",
        "actions_outside_installed_codex_hook_matcher",
        "mcp_tools_not_following_mcp__server__tool_naming",
        "direct_terminal_or_editor_use_outside_codex",
        "user_removing_or_editing_hooks_manually"
      ],
      "support_label_gate": "Remain prototype until live Codex app validation proves deny/ask behavior and hook reload/trust semantics."
    }
  ],
  "planned_surfaces": [
    {
      "id": "cursor_agent",
      "display_name": "Cursor Agent",
      "build_status": "planned",
      "maturity_label": "research",
      "evidence_level": "design_only",
      "pre_action_ask_block": "unknown",
      "post_action_audit": "unknown",
      "degraded_states": [],
      "known_bypasses": [
        "ide_internal_actions_may_be_invisible_until_an_adapter_exists"
      ],
      "notes": "Research only. Do not claim hook parity with Claude Code."
    },
    {
      "id": "shell_wrapper",
      "display_name": "Generic shell wrapper",
      "build_status": "planned",
      "maturity_label": "research",
      "evidence_level": "design_only",
      "pre_action_ask_block": "candidate_only",
      "post_action_audit": "candidate_only",
      "degraded_states": [],
      "known_bypasses": [
        "easy_to_bypass_by_running_commands_outside_the_wrapper",
        "opaque_child_process_behavior_without_sandboxing"
      ],
      "notes": "Planned experimental path such as agentfirewall run -- <command>; not shipped."
    },
    {
      "id": "mcp_proxy",
      "display_name": "MCP proxy gateway",
      "build_status": "planned",
      "maturity_label": "research",
      "evidence_level": "design_only",
      "pre_action_ask_block": "candidate_only",
      "post_action_audit": "candidate_only",
      "degraded_states": [],
      "known_bypasses": [
        "only_covers_clients_configured_to_use_the_proxy"
      ],
      "notes": "Future path. Current MCP policy proof is synthetic through Codex tool-name mapping only."
    },
    {
      "id": "collaboration_app_ai",
      "display_name": "Slack / Teams / collaboration-app AI",
      "build_status": "planned",
      "maturity_label": "research",
      "evidence_level": "design_only",
      "pre_action_ask_block": "owned_boundary_only_future",
      "post_action_audit": "observe_candidate_future",
      "degraded_states": [],
      "known_bypasses": [
        "observing_chat_events_is_not_the_same_as_controlling_downstream_actions"
      ],
      "notes": "Enterprise research surface; not part of day-one personal product."
    }
  ],
  "os_enforcement": {
    "linux": {
      "mvp_claim": "Supported agent workflows can be governed at the tool-call boundary.",
      "future_sandbox_candidates": ["landlock", "seccomp", "namespaces", "bubblewrap"],
      "not_claimed": ["whole_machine_enforcement", "required_os_sandbox_for_mvp"]
    },
    "macos": {
      "mvp_claim": "Supported agent workflows can be governed at the tool-call boundary.",
      "future_managed_enforce_candidates": ["network_extension", "endpoint_security"],
      "not_claimed": ["whole_machine_enforcement", "kernel_or_driver_enforcement_in_mvp"]
    },
    "windows": {
      "mvp_claim": "Supported agent workflows can be governed only where adapters exist.",
      "future_managed_enforce_candidates": ["wfp", "minifilter"],
      "not_claimed": ["whole_machine_enforcement", "driver_based_enforcement_in_mvp"]
    }
  },
  "global_non_goals": [
    "whole_machine_protection",
    "all_agent_protection",
    "tamper_proof_local_audit",
    "complete_prompt_injection_prevention",
    "unsigned_auto_update",
    "enterprise_fleet_dashboard_in_personal_product"
  ]
}
