Docs Claim Map
The docs claim map is the review checklist for claims that matter to security, platform, and pilot evaluators. A claim should stay in the public docs only when it has an implementation owner and a test, diagnostic, or explicit future label.
Status values:
true: implemented and covered by automated tests or deterministic diagnostics.partial: implemented only for the documented scope.future: roadmap item, not an implemented control.remove: do not claim this as an SCC guarantee.
Current Claims
Section titled “Current Claims”| Claim | Docs location | Implementation owner | Test or diagnostic | Status |
|---|---|---|---|---|
| Org, team, and project config merge into one effective config. | Config Inheritance | src/scc_cli/application/compute_effective_config.py | tests/test_config_inheritance.py, tests/test_config_explain.py, tests/e2e/test_cli_journeys.py | true |
| Plugins and MCP servers accumulate when allowed, but org blocks and delegation denials remove additions. | Config Inheritance, Security Model | compute_effective_config.py, effective_config_models.py | tests/test_config_explain.py, tests/test_mcp_servers.py, tests/e2e/test_cli_journeys.py | true |
Project network_policy can keep or tighten inherited policy, but cannot loosen it. | Config Inheritance, Project Schema, Enterprise Pilot Blueprint | merge_restrictive_network_policy_layer() in compute_effective_config.py | tests/test_effective_context_project_policy.py, tests/test_config_explain.py, tests/e2e/test_cli_journeys.py | true |
| Ignored policy changes, blocked items, and denied additions are visible in text and JSON explain output. | Config Inheritance | src/scc_cli/commands/config.py, src/scc_cli/presentation/json/config_json.py | tests/test_config_explain.py, tests/e2e/test_cli_journeys.py | true |
| Project identity in v1 is repository/worktree work context, not a project registry. | Config Inheritance, Enterprise Pilot Blueprint | src/scc_cli/contexts.py, src/scc_cli/application/sessions/use_cases.py | tests/test_contexts.py, tests/test_sessions.py, tests/test_session_provider_id.py | true |
| Claude and Codex have provider-separated session identity in the same workspace. | Architecture Overview, Config Inheritance | src/scc_cli/application/sessions/use_cases.py, src/scc_cli/sessions.py, src/scc_cli/contexts.py | tests/test_contexts.py, tests/test_sessions.py, tests/test_session_provider_id.py | true |
| All launch paths share provider resolution, image readiness, and auth readiness preflight. | Architecture Overview | src/scc_cli/commands/launch/preflight.py plus launch callers | tests/test_launch_preflight_guardrail.py, tests/test_dashboard_provider_resume.py, tests/test_worktree_autostart.py | true |
| Provider-native artifacts are adapter-owned, not core-owned. | Architecture Overview, Security Model | src/scc_cli/ports/agent_provider.py, src/scc_cli/adapters/*_renderer.py, src/scc_cli/application/start_session.py | tests/test_import_boundaries.py, tests/test_application_start_session.py | true |
web-egress-enforced uses an internal-only agent network plus proxy sidecar. | Security Model | src/scc_cli/adapters/oci_sandbox_runtime.py, src/scc_cli/core/egress_policy.py | tests/test_oci_egress_integration.py, tests/test_oci_sandbox_runtime.py | partial |
| The SCC proxy ACL denies loopback, private CIDRs, link-local ranges, metadata endpoints, and unlisted destinations. | Security Model | src/scc_cli/core/egress_policy.py, src/scc_cli/core/destination_registry.py | tests/test_egress_policy.py, tests/test_destination_registry.py | true |
| Host proxy environment variables cannot override SCC-managed proxy settings in enforced web egress. | Security Model | src/scc_cli/adapters/oci_sandbox_runtime.py | tests/test_oci_egress_integration.py | true |
locked-down-web starts the agent container with --network=none. | Security Model | src/scc_cli/adapters/oci_sandbox_runtime.py | tests/test_oci_egress_integration.py, tests/test_real_runtime_smoke.py behind SCC_REAL_RUNTIME_SMOKE=1 | partial |
| Built-in safety wrappers cover destructive git and explicit network tools for both providers. | Security Model | src/scc_cli/core/safety_engine.py, src/scc_cli/adapters/claude_safety_adapter.py, src/scc_cli/adapters/codex_safety_adapter.py | tests/test_safety_engine.py, tests/test_safety_adapter_audit.py, tests/test_claude_safety_adapter.py, tests/test_codex_safety_adapter.py | true |
| Safety policy loading fails closed. | Security Model | src/scc_cli/core/safety_policy_loader.py | tests/test_safety_policy_loader.py, tests/test_safety_eval_contract.py | true |
| Support bundles include provider, runtime, policy, launch/safety audit, and work-context evidence when available. | Enterprise Pilot Blueprint | src/scc_cli/application/support_bundle.py | tests/test_support_bundle.py, tests/test_launch_audit_support.py, tests/test_safety_audit.py | true |
scc support bundle --compliance adds the enterprise_audit_v1 evidence index and SHA-256 checksums for emitted redacted manifest sections. It is audit evidence, not certification, SSO/SCIM, SBOM automation, dashboard, project registry, new provider support, or Docker socket/devcontainer attachment. | Admin CLI Reference, Getting Help | src/scc_cli/application/support_bundle.py, src/scc_cli/commands/support.py | tests/test_support_bundle.py, tests/test_docs_truthfulness.py | true |
SCC can launch sibling agent containers from a devcontainer by translating the runtime mount source with SCC_WORKSPACE_PATH_MAP, and doctor reports path-map readiness. | SCC vs Dev Containers | src/scc_cli/core/runtime_mounts.py, src/scc_cli/application/start_session.py, src/scc_cli/commands/launch/render.py, src/scc_cli/doctor/checks/environment.py | tests/test_runtime_mount_mapping.py, tests/test_application_start_session.py, tests/test_start_dryrun.py, tests/test_provider_machine_readable.py, tests/test_doctor_checks.py, optional tests/test_real_runtime_smoke.py | partial |
scc doctor <project> --json reports read-only devcontainer/Compose bridge evidence for detected dev environment files without enabling bridge actions. | SCC vs Dev Containers, Enterprise Pilot Blueprint | src/scc_cli/doctor/checks/environment.py, src/scc_cli/doctor/core.py, src/scc_cli/doctor/serialization.py | tests/test_doctor_checks.py, tests/test_doctor_provider_wiring.py, tests/e2e/test_cli_journeys.py | true |
dev_environment.commands, dev_environment.logs, and dev_environment.health_checks can define named dev-environment bridge actions with fixed argv lists. scc config explain --field dev_environment, JSON explain, and scc dev status --json show accepted, denied, and ignored actions. scc dev run <name>, scc dev logs <name>, and scc dev health <name> execute accepted actions with a pre-execution audit event, workspace-bounded cwd, timeout, and bounded stdout/stderr tails. | Config Inheritance, Project Schema, Org Schema, Dev Environment CLI, SCC vs Dev Containers, Enterprise Pilot Blueprint | src/scc_cli/ports/config_models.py, src/scc_cli/services/config_normalizer.py, src/scc_cli/application/compute_effective_config.py, src/scc_cli/application/dev_environment_bridge.py, src/scc_cli/commands/config.py, src/scc_cli/commands/dev.py, src/scc_cli/presentation/json/config_json.py, src/scc_cli/presentation/json/dev_environment_json.py, src/scc_cli/schemas/org-v1.schema.json | tests/test_config_normalization.py, tests/test_config_inheritance.py, tests/test_config_explain.py, tests/test_marketplace_schema.py, tests/test_dev_environment_bridge.py, tests/test_dev_command_cli.py, tests/test_support_bundle.py, optional tests/test_real_runtime_smoke.py, tests/test_docs_truthfulness.py | true |
Future Or Removed Claims
Section titled “Future Or Removed Claims”| Claim | Docs location | Implementation owner | Test or diagnostic | Status |
|---|---|---|---|---|
| Running the agent inside the existing devcontainer or attaching the SCC agent container to arbitrary devcontainer/Compose service networks. | SCC vs Dev Containers, Enterprise Pilot Blueprint | None in v1 | Explicitly excluded by M013 S04 / D056 | future |
| OIDC SSO, SAML federation, SCIM users/groups, group-to-team/provider/admin entitlement mapping, provider credential brokering, and read-only enterprise admin visibility. | Enterprise Identity Roadmap, Enterprise Pilot Blueprint | None in v1; planned M014 architecture | RFC 7642/7643/7644, Entra ID, and MobilityGuard references only; no implementation or diagnostic yet | future |
| Central SBOM or CycloneDX inventory generation. | Enterprise Pilot Blueprint | None in v1 | Not implemented in M012 | future |
| Central project registry. | Enterprise Pilot Blueprint | None in v1 | Explicitly excluded by D052 and M012 | future |
| Full policy editing, billing, chargeback, or prompt/source-code telemetry dashboard beyond the read-only M014 admin visibility plan. | Enterprise Identity Roadmap | None in v1; not part of M014 | Explicitly excluded from the M014 roadmap | future |
| Raw TCP/UDP filtering through the proxy. | Security Model | None in v1 | Security Model marks this out of scope | remove |
Maintenance Rule
Section titled “Maintenance Rule”When you add or change a security, network, provider, audit, or inheritance claim:
- Link the public docs page here.
- Name the implementation owner.
- Add or name the test, diagnostic, or manual smoke.
- Mark unsupported enterprise features as
future, not as implemented controls.