|
3 | 3 | ## Included |
4 | 4 |
|
5 | 5 | - In-memory Graph RAG primitives for entity/relation traversal and document retrieval. |
6 | | -- Restricted Code Mode for deterministic local data manipulation with AST allow-list validation and child-process timeout/resource guardrails. |
| 6 | +- Restricted Code Mode with AST allow-list validation running in a child-process sandbox with CPU-time, wall-clock timeout, and best-effort memory limits (RLIMIT_AS/RLIMIT_CPU via `resource`). Container/VM-level isolation is still deferred. |
7 | 7 | - Stateless MCP request/response envelopes that carry capabilities and shared state per request. |
8 | | -- Streamable HTTP transport for the MCP server with `Mcp-Session-Id` sessions, bearer-token/OAuth guardrails for non-loopback binds, and Origin allowlist (POST/GET/DELETE on `/mcp`). |
| 8 | +- Streamable HTTP transport for the MCP server with `Mcp-Session-Id` sessions, bearer-token/OAuth guardrails for non-loopback binds enforced at both the CLI and library level (`build_mcp_http_server` raises `ValueError` when bound to a non-loopback host without auth), and Origin allowlist (POST/GET/DELETE on `/mcp`). |
9 | 9 | - Managed-agent readiness checks for tool metadata, audit, budget, external state, and HITL gaps. |
10 | 10 | - Provider portability checks for tool calling, structured output, system prompt support, prompt caching, and context limits. |
11 | | -- Cross-provider live model conformance smoke checks with per-provider pass/fail/skip reporting. |
| 11 | +- Cross-provider live model conformance with layered `smoke` (non-empty response) and `contract` (exact content match, system-prompt adherence, token-budget reporting) tiers via `run_tiered_conformance`. |
12 | 12 |
|
13 | 13 | ## Still Deferred |
14 | 14 |
|
15 | 15 | - Production GraphQLite deployment, migrations, and Cypher query tuning. |
16 | | -- Strong production sandboxing for Code Mode using containers, V8 isolates, or a managed execution service. |
| 16 | +- Strong production sandboxing for Code Mode beyond the current child-process guardrails: containers, seccomp profiles, V8 isolates, or a managed execution service. |
17 | 17 | - Production hardening for OAuth 2.1 / DPoP deployments, including key rotation and external client storage. |
18 | 18 | - Actual managed runtime integration with Anthropic, OpenAI, Google ADK, or Vertex Agent Engine. |
19 | | -- Deeper cross-provider conformance for streaming, structured output, tool calling, and provider-specific safety blocks. |
| 19 | +- Extended cross-provider conformance tiers for streaming, structured output, tool calling, latency budgets, and provider-specific safety/block taxonomy. |
20 | 20 |
|
21 | 21 | ## P2 Extension Rules |
22 | 22 |
|
|
0 commit comments