Skip to content

Docs Claim Map

The docs claim map is the review checklist for claims that matter to security, platform, and pilot evaluators. A claim should stay in the public docs only when it has an implementation owner and a test, diagnostic, or explicit future label.

Status values:

  • true: implemented and covered by automated tests or deterministic diagnostics.
  • partial: implemented only for the documented scope.
  • future: roadmap item, not an implemented control.
  • remove: do not claim this as an SCC guarantee.
ClaimDocs locationImplementation ownerTest or diagnosticStatus
Org, team, and project config merge into one effective config.Config Inheritancesrc/scc_cli/application/compute_effective_config.pytests/test_config_inheritance.py, tests/test_config_explain.py, tests/e2e/test_cli_journeys.pytrue
Plugins and MCP servers accumulate when allowed, but org blocks and delegation denials remove additions.Config Inheritance, Security Modelcompute_effective_config.py, effective_config_models.pytests/test_config_explain.py, tests/test_mcp_servers.py, tests/e2e/test_cli_journeys.pytrue
Project network_policy can keep or tighten inherited policy, but cannot loosen it.Config Inheritance, Project Schema, Enterprise Pilot Blueprintmerge_restrictive_network_policy_layer() in compute_effective_config.pytests/test_effective_context_project_policy.py, tests/test_config_explain.py, tests/e2e/test_cli_journeys.pytrue
Ignored policy changes, blocked items, and denied additions are visible in text and JSON explain output.Config Inheritancesrc/scc_cli/commands/config.py, src/scc_cli/presentation/json/config_json.pytests/test_config_explain.py, tests/e2e/test_cli_journeys.pytrue
Project identity in v1 is repository/worktree work context, not a project registry.Config Inheritance, Enterprise Pilot Blueprintsrc/scc_cli/contexts.py, src/scc_cli/application/sessions/use_cases.pytests/test_contexts.py, tests/test_sessions.py, tests/test_session_provider_id.pytrue
Claude and Codex have provider-separated session identity in the same workspace.Architecture Overview, Config Inheritancesrc/scc_cli/application/sessions/use_cases.py, src/scc_cli/sessions.py, src/scc_cli/contexts.pytests/test_contexts.py, tests/test_sessions.py, tests/test_session_provider_id.pytrue
All launch paths share provider resolution, image readiness, and auth readiness preflight.Architecture Overviewsrc/scc_cli/commands/launch/preflight.py plus launch callerstests/test_launch_preflight_guardrail.py, tests/test_dashboard_provider_resume.py, tests/test_worktree_autostart.pytrue
Provider-native artifacts are adapter-owned, not core-owned.Architecture Overview, Security Modelsrc/scc_cli/ports/agent_provider.py, src/scc_cli/adapters/*_renderer.py, src/scc_cli/application/start_session.pytests/test_import_boundaries.py, tests/test_application_start_session.pytrue
web-egress-enforced uses an internal-only agent network plus proxy sidecar.Security Modelsrc/scc_cli/adapters/oci_sandbox_runtime.py, src/scc_cli/core/egress_policy.pytests/test_oci_egress_integration.py, tests/test_oci_sandbox_runtime.pypartial
The SCC proxy ACL denies loopback, private CIDRs, link-local ranges, metadata endpoints, and unlisted destinations.Security Modelsrc/scc_cli/core/egress_policy.py, src/scc_cli/core/destination_registry.pytests/test_egress_policy.py, tests/test_destination_registry.pytrue
Host proxy environment variables cannot override SCC-managed proxy settings in enforced web egress.Security Modelsrc/scc_cli/adapters/oci_sandbox_runtime.pytests/test_oci_egress_integration.pytrue
locked-down-web starts the agent container with --network=none.Security Modelsrc/scc_cli/adapters/oci_sandbox_runtime.pytests/test_oci_egress_integration.py, tests/test_real_runtime_smoke.py behind SCC_REAL_RUNTIME_SMOKE=1partial
Built-in safety wrappers cover destructive git and explicit network tools for both providers.Security Modelsrc/scc_cli/core/safety_engine.py, src/scc_cli/adapters/claude_safety_adapter.py, src/scc_cli/adapters/codex_safety_adapter.pytests/test_safety_engine.py, tests/test_safety_adapter_audit.py, tests/test_claude_safety_adapter.py, tests/test_codex_safety_adapter.pytrue
Safety policy loading fails closed.Security Modelsrc/scc_cli/core/safety_policy_loader.pytests/test_safety_policy_loader.py, tests/test_safety_eval_contract.pytrue
Support bundles include provider, runtime, policy, launch/safety audit, and work-context evidence when available.Enterprise Pilot Blueprintsrc/scc_cli/application/support_bundle.pytests/test_support_bundle.py, tests/test_launch_audit_support.py, tests/test_safety_audit.pytrue
scc support bundle --compliance adds the enterprise_audit_v1 evidence index and SHA-256 checksums for emitted redacted manifest sections. It is audit evidence, not certification, SSO/SCIM, SBOM automation, dashboard, project registry, new provider support, or Docker socket/devcontainer attachment.Admin CLI Reference, Getting Helpsrc/scc_cli/application/support_bundle.py, src/scc_cli/commands/support.pytests/test_support_bundle.py, tests/test_docs_truthfulness.pytrue
SCC can launch sibling agent containers from a devcontainer by translating the runtime mount source with SCC_WORKSPACE_PATH_MAP, and doctor reports path-map readiness.SCC vs Dev Containerssrc/scc_cli/core/runtime_mounts.py, src/scc_cli/application/start_session.py, src/scc_cli/commands/launch/render.py, src/scc_cli/doctor/checks/environment.pytests/test_runtime_mount_mapping.py, tests/test_application_start_session.py, tests/test_start_dryrun.py, tests/test_provider_machine_readable.py, tests/test_doctor_checks.py, optional tests/test_real_runtime_smoke.pypartial
scc doctor <project> --json reports read-only devcontainer/Compose bridge evidence for detected dev environment files without enabling bridge actions.SCC vs Dev Containers, Enterprise Pilot Blueprintsrc/scc_cli/doctor/checks/environment.py, src/scc_cli/doctor/core.py, src/scc_cli/doctor/serialization.pytests/test_doctor_checks.py, tests/test_doctor_provider_wiring.py, tests/e2e/test_cli_journeys.pytrue
dev_environment.commands, dev_environment.logs, and dev_environment.health_checks can define named dev-environment bridge actions with fixed argv lists. scc config explain --field dev_environment, JSON explain, and scc dev status --json show accepted, denied, and ignored actions. scc dev run <name>, scc dev logs <name>, and scc dev health <name> execute accepted actions with a pre-execution audit event, workspace-bounded cwd, timeout, and bounded stdout/stderr tails.Config Inheritance, Project Schema, Org Schema, Dev Environment CLI, SCC vs Dev Containers, Enterprise Pilot Blueprintsrc/scc_cli/ports/config_models.py, src/scc_cli/services/config_normalizer.py, src/scc_cli/application/compute_effective_config.py, src/scc_cli/application/dev_environment_bridge.py, src/scc_cli/commands/config.py, src/scc_cli/commands/dev.py, src/scc_cli/presentation/json/config_json.py, src/scc_cli/presentation/json/dev_environment_json.py, src/scc_cli/schemas/org-v1.schema.jsontests/test_config_normalization.py, tests/test_config_inheritance.py, tests/test_config_explain.py, tests/test_marketplace_schema.py, tests/test_dev_environment_bridge.py, tests/test_dev_command_cli.py, tests/test_support_bundle.py, optional tests/test_real_runtime_smoke.py, tests/test_docs_truthfulness.pytrue
ClaimDocs locationImplementation ownerTest or diagnosticStatus
Running the agent inside the existing devcontainer or attaching the SCC agent container to arbitrary devcontainer/Compose service networks.SCC vs Dev Containers, Enterprise Pilot BlueprintNone in v1Explicitly excluded by M013 S04 / D056future
OIDC SSO, SAML federation, SCIM users/groups, group-to-team/provider/admin entitlement mapping, provider credential brokering, and read-only enterprise admin visibility.Enterprise Identity Roadmap, Enterprise Pilot BlueprintNone in v1; planned M014 architectureRFC 7642/7643/7644, Entra ID, and MobilityGuard references only; no implementation or diagnostic yetfuture
Central SBOM or CycloneDX inventory generation.Enterprise Pilot BlueprintNone in v1Not implemented in M012future
Central project registry.Enterprise Pilot BlueprintNone in v1Explicitly excluded by D052 and M012future
Full policy editing, billing, chargeback, or prompt/source-code telemetry dashboard beyond the read-only M014 admin visibility plan.Enterprise Identity RoadmapNone in v1; not part of M014Explicitly excluded from the M014 roadmapfuture
Raw TCP/UDP filtering through the proxy.Security ModelNone in v1Security Model marks this out of scoperemove

When you add or change a security, network, provider, audit, or inheritance claim:

  1. Link the public docs page here.
  2. Name the implementation owner.
  3. Add or name the test, diagnostic, or manual smoke.
  4. Mark unsupported enterprise features as future, not as implemented controls.