Technical documentation · Detection coverage

Evidence Coverage Matrix

Versioned matrix for CISO, CTO, and procurement review. BeProof does not promise omniscient visibility — it documents what is evaluated today, what is partial, and what remains on the roadmap.

Matrix version: 2026-06-24

Coverage by evidence layer

Aligns with in-app completeness tracking across Declared, Granted, Observed, and Trust. Policy evaluation follows the same no-silent-pass model documented in Policy Pack v1.2.2.

LayerSource familyCurrent coverageLimitations
DeclaredAgent configs (Codex, Claude, Cursor, Open Claw, Windsurf, Cline, Aider, Continue), MCP, instruction filesmacOS-first baseline — Open Claw, Windsurf, Cline, Aider, and Continue adapters shippedScoped scan roots only — no implicit full-home crawl
DeclaredHomebrew, npm/pnpm global, IDE extension install recordsSupported (POL-X01)Metadata only; unreadable paths become install_inventory gaps
DeclaredManaged settings and MDM policy paths (POL-X02)Supported for Codex, Claude, Cursor, Open Claw, Windsurf, VS CodePath existence and mtime metadata only — policy values not parsed
GrantedCredential refs, keychain metadata, cloud grantsSupported / partialConsent (POL-G02), provider tokens, and admin APIs required where applicable
ObservedLocal usage scanners (10 vendors), cloud usage, cross-layer correlationsSupported / partialPer-vendor {vendor}_usage gaps when history missing; cloud depth varies by connector
MCP riskLocal commands, network endpoints, env credentialsSupportedVendor-native runtime deny workflows not complete
TrustExport manifest, journal chain, SBOM / provenanceSupported — export signing, journal chain, SBOM/provenanceverify-export-manifest + verify-journal shipped; fleet signing per tenant

This table uses prose status labels (Supported, Partial, Planned). Per-vendor symbols (✅ GA, 🟡 Partial) apply to the Supported surfaces catalog.

Expansion process

BeProof expands detection coverage along two axes: new Surface rows (vendor adapters) and moving Partial cells toward GA (deeper layers per surface). CoverageGap is not a roadmap defect — it is the honest audit outcome when evidence is missing in a specific run.

North star: One focused adapter PR per high-signal agent: declared + observed minimum, tests, docs, and a new row in the public matrix — without refactoring the policy engine.

New surface adapter checklist

Normative process for macOS provider extension (see PRD_PROVIDER_EXTENSION.md in the BeProof repository). Policy evaluation does not change — only scanners, registry entries, and matrix rows.

  1. 1.Research Document config, usage/history, and managed/MDM paths (metadata-only). Publish in managed-settings docs before claiming GA.
  2. 2.Declared InventoryScanner + SurfaceKind; surfaces appear in Agents / Surfaces tabs and export.
  3. 3.Observed *UsageScanner.swift wired into full audit + CLI; explicit {vendor}_usage CoverageGap when history is unreadable.
  4. 4.Granted / Cloud Optional: credential refs, CloudAgentProvider, grant enumeration, env token keys.
  5. 5.Install / Managed Optional: Homebrew/npm/IDE matcher; ManagedSettingsTargetRegistry entry for POL-X02 paths.
  6. 6.Correlation + UI AuditLinkEngine provider matching; AgentVendor presentation; Coverage tab matrix row.
  7. 7.Contracts + tests packages/contracts fixtures when fields change; scanner unit tests; no regression on existing vendors.
  8. 8.Public matrix Update the Supported surfaces catalog and Evidence Coverage Matrix; bump DETECTION_COVERAGE_VERSION and add a changelog entry.

Moving Partial → GA

Partial in the public matrix means capability maturity, not a failed audit. GA is claimed only when the adapter or connector path is shipped — customer setup gaps remain explicit CoverageGap records.

FromToEngineering action
Observed 🟡Observed ✅Ship or extend a local usage scanner; wire gap area {vendor}_usage with explicit reasons.
Cloud 🟡Cloud ✅CloudAgentProvider + enumerator; Local vs Cloud connector setup; org overlay requiredCloudConnectors.
Granted 🟡Granted ✅Provider tokens configured; keychain consent (POL-G02); grant scope templates (POL-X04).
Declared onlyFull surface rowFirst-class provider adapter (expansion checklist below) — not generic MCP / unknown provider inference.

Updating this matrix

  • Adapter PR merged and scanners covered by tests.
  • Row added or updated in supportedAgentSurfaces on /coverage.
  • Partial → GA only where the capability is shipped — not when a customer simply has not configured a connector.
  • DETECTION_COVERAGE_VERSION bumped; changelog appended on /docs/detection-coverage.
  • Homepage category examples updated when a vendor becomes customer-visible.

Out of scope

  • Third-party plugin marketplace or runtime SDK
  • Windows / Linux endpoint platforms (separate platform PRD — not macOS adapter expansion)
  • Network payload capture or secret value parsing
  • Auto-remediation or vendor-native runtime deny (detection-only today)
  • Parsing managed policy values (path existence metadata only for POL-X02)

Changelog

  • 2026-06-24Added Open Claw–Continue observed adapters, VS Code managed settings, and Expansion process section.
  • 2026-06-23Initial public matrix: surface catalog at /coverage, evidence layer limitations, install inventory breadth (Homebrew, npm/pnpm, IDE extensions).

Related documentation

Coverage depends on platform, scan scope, user or admin consent, and configured cloud connectors. BeProof never stores raw secrets and does not inspect network payloads.