Evidence Coverage Matrix
Versioned matrix for CISO, CTO, and procurement review. BeProof does not promise omniscient visibility — it documents what is evaluated today, what is partial, and what remains on the roadmap.
Matrix version: 2026-06-24
Coverage by evidence layer
Aligns with in-app completeness tracking across Declared, Granted, Observed, and Trust. Policy evaluation follows the same no-silent-pass model documented in Policy Pack v1.2.2.
| Layer | Source family | Current coverage | Limitations |
|---|---|---|---|
| Declared | Agent configs (Codex, Claude, Cursor, Open Claw, Windsurf, Cline, Aider, Continue), MCP, instruction files | macOS-first baseline — Open Claw, Windsurf, Cline, Aider, and Continue adapters shipped | Scoped scan roots only — no implicit full-home crawl |
| Declared | Homebrew, npm/pnpm global, IDE extension install records | Supported (POL-X01) | Metadata only; unreadable paths become install_inventory gaps |
| Declared | Managed settings and MDM policy paths (POL-X02) | Supported for Codex, Claude, Cursor, Open Claw, Windsurf, VS Code | Path existence and mtime metadata only — policy values not parsed |
| Granted | Credential refs, keychain metadata, cloud grants | Supported / partial | Consent (POL-G02), provider tokens, and admin APIs required where applicable |
| Observed | Local usage scanners (10 vendors), cloud usage, cross-layer correlations | Supported / partial | Per-vendor {vendor}_usage gaps when history missing; cloud depth varies by connector |
| MCP risk | Local commands, network endpoints, env credentials | Supported | Vendor-native runtime deny workflows not complete |
| Trust | Export manifest, journal chain, SBOM / provenance | Supported — export signing, journal chain, SBOM/provenance | verify-export-manifest + verify-journal shipped; fleet signing per tenant |
This table uses prose status labels (Supported, Partial, Planned). Per-vendor symbols (✅ GA, 🟡 Partial) apply to the Supported surfaces catalog.
Expansion process
BeProof expands detection coverage along two axes: new Surface rows (vendor adapters) and moving Partial cells toward GA (deeper layers per surface). CoverageGap is not a roadmap defect — it is the honest audit outcome when evidence is missing in a specific run.
North star: One focused adapter PR per high-signal agent: declared + observed minimum, tests, docs, and a new row in the public matrix — without refactoring the policy engine.
New surface adapter checklist
Normative process for macOS provider extension (see PRD_PROVIDER_EXTENSION.md in the BeProof repository). Policy evaluation does not change — only scanners, registry entries, and matrix rows.
- 1.Research — Document config, usage/history, and managed/MDM paths (metadata-only). Publish in managed-settings docs before claiming GA.
- 2.Declared — InventoryScanner + SurfaceKind; surfaces appear in Agents / Surfaces tabs and export.
- 3.Observed — *UsageScanner.swift wired into full audit + CLI; explicit {vendor}_usage CoverageGap when history is unreadable.
- 4.Granted / Cloud — Optional: credential refs, CloudAgentProvider, grant enumeration, env token keys.
- 5.Install / Managed — Optional: Homebrew/npm/IDE matcher; ManagedSettingsTargetRegistry entry for POL-X02 paths.
- 6.Correlation + UI — AuditLinkEngine provider matching; AgentVendor presentation; Coverage tab matrix row.
- 7.Contracts + tests — packages/contracts fixtures when fields change; scanner unit tests; no regression on existing vendors.
- 8.Public matrix — Update the Supported surfaces catalog and Evidence Coverage Matrix; bump DETECTION_COVERAGE_VERSION and add a changelog entry.
Moving Partial → GA
Partial in the public matrix means capability maturity, not a failed audit. GA is claimed only when the adapter or connector path is shipped — customer setup gaps remain explicit CoverageGap records.
| From | To | Engineering action |
|---|---|---|
| Observed 🟡 | Observed ✅ | Ship or extend a local usage scanner; wire gap area {vendor}_usage with explicit reasons. |
| Cloud 🟡 | Cloud ✅ | CloudAgentProvider + enumerator; Local vs Cloud connector setup; org overlay requiredCloudConnectors. |
| Granted 🟡 | Granted ✅ | Provider tokens configured; keychain consent (POL-G02); grant scope templates (POL-X04). |
| Declared only | Full surface row | First-class provider adapter (expansion checklist below) — not generic MCP / unknown provider inference. |
Updating this matrix
- Adapter PR merged and scanners covered by tests.
- Row added or updated in supportedAgentSurfaces on /coverage.
- Partial → GA only where the capability is shipped — not when a customer simply has not configured a connector.
- DETECTION_COVERAGE_VERSION bumped; changelog appended on /docs/detection-coverage.
- Homepage category examples updated when a vendor becomes customer-visible.
Out of scope
- Third-party plugin marketplace or runtime SDK
- Windows / Linux endpoint platforms (separate platform PRD — not macOS adapter expansion)
- Network payload capture or secret value parsing
- Auto-remediation or vendor-native runtime deny (detection-only today)
- Parsing managed policy values (path existence metadata only for POL-X02)
Changelog
- 2026-06-24 — Added Open Claw–Continue observed adapters, VS Code managed settings, and Expansion process section.
- 2026-06-23 — Initial public matrix: surface catalog at /coverage, evidence layer limitations, install inventory breadth (Homebrew, npm/pnpm, IDE extensions).
Related documentation
- Supported AI Agent Surfaces — vendor and install-signal catalog
- Policy Pack v1.2.2 — auto-evaluable rules and coverage-gap semantics
- macOS guide — in-app Coverage tab and connector setup
- Compliance mapping — SOC 2 / ISO evidence themes
Coverage depends on platform, scan scope, user or admin consent, and configured cloud connectors. BeProof never stores raw secrets and does not inspect network payloads.