# Working evidence log for tracked feature statuses (done/partial/missing).
# Keep this focused on audited entries in docs/feature-status.yaml.

version: "1.0"
updated_at: "2026-02-24"

features:
  - feature: "logs.tail"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/logs.rs (LOG_BUFFER query + response)"
      - "src/logging/buffer.rs (LOG_BUFFER + LogBufferLayer)"
    tests:
      - "src/server/ws/golden_tests.rs::golden_logs_tail"
      - "src/server/ws/snapshots/carapace__server__ws__golden_tests__golden_trace__golden_logs_tail.snap"

  - feature: "skills.status"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/skills.rs::handle_skills_status"
      - "src/server/ws/handlers/mod.rs (dispatch + READ_METHODS)"
    tests:
      - "src/server/ws/golden_tests.rs::golden_skills_status"
      - "src/server/ws/snapshots/carapace__server__ws__golden_tests__golden_trace__golden_skills_status.snap"

  - feature: "channels.telegram/discord/slack runtime wiring"
    status: "verified_done"
    runtime_wiring:
      - "src/channels/telegram.rs (TelegramChannel send_text/send_media)"
      - "src/channels/telegram_inbound.rs (Telegram webhook parsing)"
      - "src/channels/discord.rs (DiscordChannel send_text/send_media)"
      - "src/channels/discord_gateway.rs (Gateway loop + MESSAGE_CREATE handling)"
      - "src/channels/slack.rs (SlackChannel send_text/send_media)"
      - "src/channels/slack_inbound.rs (Slack signature + event parsing)"
      - "src/main.rs (register_*_channel_if_configured)"
      - "src/main.rs (spawn_discord_gateway_loop_if_configured)"
      - "src/server/http.rs (telegram_webhook_handler, slack_events_handler)"
    tests:
      - "src/channels/telegram.rs::test_telegram_get_info"
      - "src/channels/telegram_inbound.rs::test_extract_inbound_message"
      - "src/channels/discord.rs::test_discord_get_info"
      - "src/channels/slack.rs::test_slack_get_info"
      - "src/channels/slack_inbound.rs::test_verify_slack_signature"

  - feature: "channels.signal runtime wiring"
    status: "verified_done"
    runtime_wiring:
      - "src/channels/signal.rs (SignalChannel send_text/send_media)"
      - "src/channels/signal_receive.rs (signal-cli receive polling + inbound dispatch)"
      - "src/main.rs (register_signal_channel_if_configured)"
      - "src/main.rs (spawn_signal_receive_loop_if_configured)"
    tests:
      - "src/channels/signal.rs::test_signal_get_info"
      - "src/channels/signal.rs::test_signal_send_text_connection_failure"
      - "src/channels/signal_receive.rs::test_parse_inbound_message"
      - "src/channels/signal_receive.rs::test_parse_group_message"

  - feature: "channels.signal live smoke"
    status: "partial"
    notes:
      - "Evidence artifacts: docs/channel-smoke.md; .github/ISSUE_TEMPLATE/channel-smoke-report.yml"
      - "Pending published pass/fail evidence from a live signal-cli-rest-api deployment."

  - feature: "channels.slack live smoke"
    status: "partial"
    notes:
      - "Evidence artifacts: docs/channel-smoke.md; .github/ISSUE_TEMPLATE/channel-smoke-report.yml"
      - "Pending published pass/fail evidence from a live Slack Events API deployment."

  - feature: "cron.*"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/cron.rs (cron.* handlers)"
      - "src/cron/mod.rs (CronScheduler)"
      - "src/cron/tick.rs (cron_tick_loop)"
      - "src/server/startup.rs (spawn_background_tasks cron loop)"
    tests:
      - "src/server/ws/golden_tests.rs::golden_cron_lifecycle"
      - "src/server/ws/snapshots/carapace__server__ws__golden_tests__golden_trace__cron_lifecycle_2_add.snap"
      - "src/server/ws/snapshots/carapace__server__ws__golden_tests__golden_trace__cron_lifecycle_3_list_with_job.snap"
      - "src/server/ws/snapshots/carapace__server__ws__golden_tests__golden_trace__cron_lifecycle_4_status.snap"
      - "src/cron/mod.rs (scheduler unit tests)"
      - "src/cron/tick.rs (tick loop tests)"

  - feature: "cron.at schedule"
    status: "verified_done"
    runtime_wiring:
      - "src/cron/mod.rs (CronSchedule::At + compute_next_run)"
    tests:
      - "src/cron/mod.rs::test_compute_next_run_at_schedule"

  - feature: "cron.every schedule"
    status: "verified_done"
    runtime_wiring:
      - "src/cron/mod.rs (CronSchedule::Every + compute_next_run)"
    tests:
      - "src/cron/mod.rs::test_compute_next_run_every_schedule"

  - feature: "cron.cron expression"
    status: "verified_done"
    runtime_wiring:
      - "src/cron/mod.rs (CronExpr parser + compute_next_run CronSchedule::Cron)"
    tests:
      - "src/cron/mod.rs (CronExpr parse tests)"
      - "src/cron/mod.rs::test_compute_next_run_cron_schedule"

  - feature: "cron.timezone support"
    status: "verified_done"
    runtime_wiring:
      - "src/cron/mod.rs::compute_next_run (CronSchedule::Cron with optional tz)"
      - "src/cron/mod.rs::compute_next_run_with_tz_fallback (IANA tz + DST handling)"
      - "src/server/ws/handlers/cron.rs::parse_schedule (cron.tz parse)"
    tests:
      - "src/cron/mod.rs::test_compute_next_run_cron_tz_none_unchanged"
      - "src/cron/mod.rs::test_compute_next_run_cron_tz_utc_unchanged"
      - "src/cron/mod.rs::test_compute_next_run_cron_eastern_winter"
      - "src/cron/mod.rs::test_compute_next_run_cron_eastern_summer"
      - "src/cron/mod.rs::test_compute_next_run_cron_spring_forward_skip"
      - "src/cron/mod.rs::test_compute_next_run_cron_fall_back_first_only"
      - "src/cron/mod.rs::test_compute_next_run_cron_fall_back_no_double"
      - "src/server/ws/handlers/cron.rs::test_parse_schedule_cron"

  - feature: "cron.job persistence"
    status: "verified_done"
    runtime_wiring:
      - "src/cron/mod.rs::CronScheduler::new (persist path wiring)"
      - "src/cron/mod.rs::CronScheduler::load (restore persisted jobs + clear stale running state)"
      - "src/cron/mod.rs::CronScheduler::flush (persist mutations to jobs.json)"
      - "src/server/ws/mod.rs (startup CronScheduler::new(state_dir/cron/jobs.json) + load)"
    tests:
      - "src/cron/mod.rs::test_flush_and_load_round_trip"
      - "src/cron/mod.rs::test_load_nonexistent_file"
      - "src/cron/mod.rs::test_load_corrupt_file"
      - "src/cron/mod.rs::test_remove_flushes"
      - "src/cron/mod.rs::test_update_flushes"

  - feature: "cron.job quotas"
    status: "verified_done"
    runtime_wiring:
      - "src/cron/mod.rs (CronScheduler::MAX_JOBS + LRU eviction on add)"
    tests:
      - "src/cron/mod.rs::test_cron_scheduler_job_limit"
      - "src/cron/mod.rs::test_cron_job_limit_enforced_under_concurrent_access"

  - feature: "cron.payload types"
    status: "verified_done"
    runtime_wiring:
      - "src/cron/mod.rs (CronPayload enum)"
      - "src/cron/executor.rs::execute_payload (SystemEvent + AgentTurn)"
    tests:
      - "src/cron/executor.rs::test_execute_system_event"
      - "src/cron/executor.rs::test_execute_agent_turn_no_provider"

  - feature: "cron.background tick loop"
    status: "verified_done"
    runtime_wiring:
      - "src/cron/tick.rs::cron_tick_loop"
      - "src/server/startup.rs::spawn_background_tasks (cron loop spawn)"
    tests:
      - "src/cron/tick.rs::test_tick_loop_shutdown"
      - "src/cron/tick.rs::test_tick_loop_executes_due_jobs"

  - feature: "cron.executor"
    status: "verified_done"
    runtime_wiring:
      - "src/cron/executor.rs::execute_payload"
    tests:
      - "src/cron/executor.rs::test_execute_system_event"
      - "src/cron/executor.rs::test_execute_agent_turn_no_provider"
      - "src/cron/executor.rs::test_agent_turn_applies_session_metadata"

  - feature: "devices.pairing state machine"
    status: "verified_done"
    runtime_wiring:
      - "src/devices/mod.rs (PairingState + DevicePairingRequest state transitions)"
      - "src/devices/mod.rs::DevicePairingRegistry (request_pairing/approve/reject)"
    tests:
      - "src/devices/mod.rs::test_pairing_state_transitions"
      - "src/devices/mod.rs::test_approve_request"
      - "src/devices/mod.rs::test_reject_request"

  - feature: "devices.token generation"
    status: "verified_done"
    runtime_wiring:
      - "src/devices/mod.rs::DeviceToken::new (SHA-256 hash, no plaintext storage)"
      - "src/devices/mod.rs::hash_token"
    tests:
      - "src/devices/mod.rs::test_token_verification"

  - feature: "devices.token expiry"
    status: "verified_done"
    runtime_wiring:
      - "src/devices/mod.rs (DEVICE_TOKEN_EXPIRY_MS + DeviceToken::is_valid)"
    tests:
      - "src/devices/mod.rs::test_token_verification"

  - feature: "devices.quotas"
    status: "verified_done"
    runtime_wiring:
      - "src/devices/mod.rs (MAX_PAIRED_DEVICES/MAX_PENDING_REQUESTS/MAX_DEVICE_TOKENS)"
      - "src/devices/mod.rs (pending request limit + paired device eviction)"
    tests:
      - "src/devices/mod.rs::test_max_pending_requests_limit"
      - "src/devices/mod.rs::test_paired_device_limit_evicts_oldest"

  - feature: "devices.persistent storage"
    status: "verified_done"
    runtime_wiring:
      - "src/devices/mod.rs::DevicePairingRegistry::save (atomic write via temp + rename)"
      - "src/devices/mod.rs::DevicePairingRegistry::load_or_create (JSON load + backup on corruption)"

  - feature: "discovery.mdns service registration"
    status: "verified_done"
    runtime_wiring:
      - "src/discovery/mod.rs::register_mdns_service (SERVICE_TYPE _carapace._tcp.local.)"
      - "src/discovery/mod.rs::start_mdns"
      - "src/main.rs::spawn_network_services (run_mdns_lifecycle)"
    tests:
      - "src/discovery/mod.rs::test_service_type_constant"
      - "src/discovery/mod.rs::test_start_mdns_off_returns_none"

  - feature: "discovery.txt record metadata"
    status: "verified_done"
    runtime_wiring:
      - "src/discovery/mod.rs::build_txt_properties (version/fingerprint/device)"
    tests:
      - "src/discovery/mod.rs::test_build_txt_properties_minimal"
      - "src/discovery/mod.rs::test_build_txt_properties_full"

  - feature: "discovery.modes"
    status: "verified_done"
    runtime_wiring:
      - "src/discovery/mod.rs::DiscoveryMode (Off/Minimal/Full + parse)"
      - "src/discovery/mod.rs::build_discovery_config"
    tests:
      - "src/discovery/mod.rs::test_discovery_mode_parse_off"
      - "src/discovery/mod.rs::test_discovery_mode_parse_minimal"
      - "src/discovery/mod.rs::test_discovery_mode_parse_full"
      - "src/discovery/mod.rs::test_build_discovery_config_mode_full"

  - feature: "discovery.lifecycle management"
    status: "verified_done"
    runtime_wiring:
      - "src/discovery/mod.rs::run_mdns_lifecycle (shutdown-driven cleanup)"
      - "src/discovery/mod.rs::MdnsHandle::shutdown"
      - "src/main.rs::spawn_network_services (shutdown wiring)"

  - feature: "exec.approval request creation"
    status: "verified_done"
    runtime_wiring:
      - "src/exec/mod.rs::ExecApprovalManager::create_record"
      - "src/exec/mod.rs::ExecApprovalManager::wait_for_decision (oneshot channel)"
      - "src/server/ws/handlers/exec.rs (exec.request -> wait_for_decision)"
    tests:
      - "src/exec/mod.rs::test_create_record"
      - "src/exec/mod.rs::test_resolve_pending_approval"

  - feature: "exec.approval decisions"
    status: "verified_done"
    runtime_wiring:
      - "src/exec/mod.rs::ExecApprovalDecision"
      - "src/exec/mod.rs::ExecApprovalManager::resolve"
      - "src/server/ws/handlers/exec.rs (exec.approve/exec.deny)"
    tests:
      - "src/exec/mod.rs::test_exec_approval_decision_from_str"
      - "src/exec/mod.rs::test_exec_approval_decision_as_str"
      - "src/exec/mod.rs::test_resolve_pending_approval"

  - feature: "exec.timeout support"
    status: "verified_done"
    runtime_wiring:
      - "src/exec/mod.rs::ExecApprovalManager::wait_for_decision (tokio::time::timeout)"
    tests:
      - "src/exec/mod.rs::test_approval_timeout"

  - feature: "exec.cleanup of expired entries"
    status: "verified_done"
    runtime_wiring:
      - "src/exec/mod.rs::ExecApprovalManager::cleanup_expired"
      - "src/cron/tick.rs::cron_tick_loop (cleanup_expired per tick)"

  - feature: "gateway.remote connection"
    status: "verified_done"
    runtime_wiring:
      - "src/main.rs::spawn_gateway_lifecycle (startup wiring)"
      - "src/gateway/mod.rs::run_gateway_lifecycle (connection loop)"
      - "src/gateway/mod.rs::connect_to_gateway_with_transport (direct + SSH)"
      - "src/gateway/mod.rs::setup_ssh_tunnel"
    tests:
      - "src/gateway/mod.rs::test_build_gateway_config_with_gateways"
      - "src/gateway/mod.rs::test_build_gateway_config_ssh_transport"

  - feature: "gateway.tofu fingerprint verification"
    status: "verified_done"
    runtime_wiring:
      - "src/gateway/mod.rs::verify_fingerprint"
      - "src/gateway/mod.rs::verify_stream_fingerprint (connect_to_gateway)"
      - "src/gateway/mod.rs::run_single_gateway_connection (persist pin)"
    tests:
      - "src/gateway/mod.rs::test_fingerprint_tofu_first_connect"
      - "src/gateway/mod.rs::test_fingerprint_tofu_match"
      - "src/gateway/mod.rs::test_fingerprint_tofu_mismatch"

  - feature: "gateway.mtls support"
    status: "verified_done"
    runtime_wiring:
      - "src/gateway/mod.rs::connect_to_gateway_mtls"
      - "src/gateway/mod.rs::build_gateway_config (mtls config parsing)"
      - "src/gateway/mod.rs::connect_to_gateway_with_transport (runtime selection)"
      - "src/gateway/mod.rs::run_gateway_lifecycle (startup wiring)"
    tests:
      - "src/gateway/mod.rs::test_build_gateway_config_mtls"
      - "src/gateway/mod.rs::test_build_gateway_config_mtls_defaults"

  - feature: "gateway.reconnection with backoff"
    status: "verified_done"
    runtime_wiring:
      - "src/gateway/mod.rs::run_gateway_lifecycle"
      - "src/gateway/mod.rs::handle_connection_failure (exponential backoff)"
      - "src/gateway/mod.rs::run_single_gateway_connection"

  - feature: "gateway.protocol v3"
    status: "verified_done"
    runtime_wiring:
      - "src/gateway/mod.rs::send_gateway_handshake (protocolVersion=3)"
      - "src/gateway/mod.rs::receive_handshake_response"

  - feature: "hooks.webhook endpoints"
    status: "verified_done"
    runtime_wiring:
      - "src/server/http.rs (routes: /hooks/wake, /hooks/agent, /hooks/*path)"
      - "src/server/http.rs::hooks_wake_handler"
      - "src/server/http.rs::hooks_agent_handler"
      - "src/server/http.rs::hooks_mapping_handler"
    tests:
      - "src/server/http.rs::test_hooks_wake_success"
      - "src/server/http.rs::test_hooks_agent_success"

  - feature: "hooks.hook registry"
    status: "verified_done"
    runtime_wiring:
      - "src/hooks/registry.rs::HookRegistry (register/find_match/evaluate)"
      - "src/server/http.rs::execute_hook_mapping (HookRegistry usage)"
    tests:
      - "src/hooks/registry.rs::test_evaluate_agent_mapping"
      - "src/hooks/registry.rs::test_evaluate_wake_mapping"

  - feature: "hooks.hook authentication"
    status: "verified_done"
    runtime_wiring:
      - "src/hooks/auth.rs::extract_hooks_token"
      - "src/hooks/auth.rs::validate_hooks_token"
      - "src/server/http.rs::check_hooks_auth"
    tests:
      - "src/hooks/auth.rs::test_extract_bearer_token"
      - "src/hooks/auth.rs::test_validate_hooks_token"
      - "src/server/http.rs::test_hooks_wake_unauthorized"

  - feature: "hooks.template evaluation"
    status: "verified_done"
    runtime_wiring:
      - "src/hooks/registry.rs::evaluate_template"
      - "src/hooks/registry.rs::json_escape_value"
    tests:
      - "src/hooks/registry.rs::test_evaluate_template_array_access"
      - "src/hooks/registry.rs::test_evaluate_template_header_access"
      - "src/hooks/registry.rs::test_template_builtins"

  - feature: "links.url extraction"
    status: "verified_done"
    runtime_wiring:
      - "src/links/mod.rs::LinkUnderstanding::extract_urls"
      - "src/links/mod.rs::remove_code_blocks"
    tests:
      - "src/links/mod.rs::test_extract_simple_https_url"
      - "src/links/mod.rs::test_extract_skips_inline_code"
      - "src/links/mod.rs::test_extract_skips_fenced_code_block"

  - feature: "links.html-to-text conversion"
    status: "verified_done"
    runtime_wiring:
      - "src/links/mod.rs::html_to_text"
    tests:
      - "src/links/mod.rs::test_html_to_text_simple"
      - "src/links/mod.rs::test_html_to_text_removes_script"
      - "src/links/mod.rs::test_html_to_text_decodes_entities"

  - feature: "links.ssrf-protected fetching"
    status: "verified_done"
    runtime_wiring:
      - "src/links/mod.rs::LinkUnderstanding::fetch_and_summarize (MediaFetcher)"
      - "src/media/mod.rs::MediaFetcher (SSRF protections)"

  - feature: "links.lru cache"
    status: "verified_done"
    runtime_wiring:
      - "src/links/mod.rs::LinkCache (LruCache + TTL)"
      - "src/links/mod.rs::LinkUnderstanding::fetch_and_summarize (cache get/insert)"
    tests:
      - "src/links/mod.rs::test_cache_eviction_at_capacity"
      - "src/links/mod.rs::test_cache_eviction_is_lru"
      - "src/links/mod.rs::test_cache_ttl_expiration"

  - feature: "links.title/meta extraction"
    status: "verified_done"
    runtime_wiring:
      - "src/links/mod.rs::extract_title"
      - "src/links/mod.rs::extract_meta_description"
    tests:
      - "src/links/mod.rs::test_extract_title_basic"
      - "src/links/mod.rs::test_extract_meta_description_basic"

  - feature: "links.safe utf-8 truncation"
    status: "verified_done"
    runtime_wiring:
      - "src/links/mod.rs::truncate_preview (is_char_boundary)"
    tests:
      - "src/links/mod.rs::test_truncate_at_word_boundary"

  - feature: "logging.json format"
    status: "verified_done"
    runtime_wiring:
      - "src/logging/mod.rs::init_logging (LogFormat::Json)"
    tests:
      - "src/logging/mod.rs::test_json_format_structure"

  - feature: "logging.plaintext format"
    status: "verified_done"
    runtime_wiring:
      - "src/logging/mod.rs::init_logging (LogFormat::Plaintext)"
    tests:
      - "src/logging/mod.rs::test_log_config_development"

  - feature: "logging.output destinations"
    status: "verified_done"
    runtime_wiring:
      - "src/logging/mod.rs::LogOutput (Stdout/Stderr/File)"
      - "src/logging/mod.rs::init_logging (writer selection)"
    tests:
      - "src/logging/mod.rs::test_log_output_file"

  - feature: "logging.log buffer layer"
    status: "verified_done"
    runtime_wiring:
      - "src/logging/buffer.rs::LogBufferLayer"
      - "src/logging/mod.rs::init_logging (buffer layer added)"
      - "src/server/ws/handlers/logs.rs (LOG_BUFFER queries)"
    tests:
      - "src/logging/buffer.rs (buffer tests)"

  - feature: "logging.secret masking"
    status: "verified_done"
    runtime_wiring:
      - "src/logging/redact.rs (redaction utilities)"
      - "src/logging/mod.rs::init_logging (RedactingMakeWriter)"
      - "src/logging/buffer.rs::LogBufferLayer (message/field redaction)"
    tests:
      - "src/logging/redact.rs::test_openai_key_is_redacted"
      - "src/logging/redact.rs::test_json_known_keys_redacted"
      - "src/logging/redact.rs::test_redacting_writer_redacts_lines"
    notes:
      - "Redaction applied to log output writers and logs.tail buffer"

  - feature: "logging.audit logging"
    status: "verified_done"
    runtime_wiring:
      - "src/logging/audit.rs (AuditLog + audit events)"
      - "src/agent/executor.rs (audit events for prompt guard/classifier)"
      - "src/plugins/runtime.rs (audit events for capability denial)"
      - "src/main.rs (AuditLog::init)"
      - "src/server/control.rs (ConfigChanged + TaskMutated audit events)"
    tests:
      - "src/logging/audit.rs (audit event serialization tests)"
      - "src/logging/audit.rs::test_event_name_task_mutated"
    notes:
      - "AuditLog is initialized on gateway startup; audit() emits to audit.jsonl"

  - feature: "media.ssrf protection"
    status: "verified_done"
    runtime_wiring:
      - "src/media/fetch.rs::MediaFetcher::fetch_with_config (SsrfProtection validation)"
    tests:
      - "src/media/fetch.rs::test_fetch_blocks_localhost"
      - "src/media/fetch.rs::test_fetch_blocks_private_ipv4"
      - "src/media/fetch.rs::test_fetch_blocks_cloud_metadata"

  - feature: "media.dns rebinding defense"
    status: "verified_done"
    runtime_wiring:
      - "src/media/fetch.rs::resolve_and_validate_dns (hickory_resolver + IP validation)"
      - "src/media/fetch.rs::fetch_with_config (client.resolve pinning)"

  - feature: "media.redirect blocking"
    status: "verified_done"
    runtime_wiring:
      - "src/media/fetch.rs::fetch_with_config (reqwest::redirect::Policy::none)"

  - feature: "media.streaming with size limits"
    status: "verified_done"
    runtime_wiring:
      - "src/media/fetch.rs::read_response_with_limit (streaming size enforcement)"
      - "src/media/fetch.rs::fetch_with_config (content-length guard)"

  - feature: "media.temp file storage"
    status: "verified_done"
    runtime_wiring:
      - "src/media/store.rs::MediaStore (store + cleanup + start_cleanup_task)"
      - "src/main.rs::init_media_store_cleanup (startup wiring)"
    tests:
      - "src/media/store.rs::test_cleanup_expired"
      - "src/media/store.rs::test_store_and_get"
      - "src/media/store.rs::test_cleanup_removes_sidecar"
      - "src/media/store.rs::test_load_existing_entries_on_startup"

  - feature: "media.image analysis (claude vision)"
    status: "verified_done"
    runtime_wiring:
      - "src/media/analysis.rs::AnthropicMediaAnalyzer (analyze_image)"
      - "src/agent/builtin_tools.rs::handle_media_analyze (Anthropic path)"
    tests:
      - "src/media/analysis.rs::test_anthropic_analyze_empty_image"
      - "src/media/analysis.rs::test_validate_image_mime_unsupported"

  - feature: "media.image analysis (gpt-4 vision)"
    status: "verified_done"
    runtime_wiring:
      - "src/media/analysis.rs::OpenAiMediaAnalyzer (analyze_image)"
      - "src/agent/builtin_tools.rs::handle_media_analyze (OpenAI vision path)"
    tests:
      - "src/media/analysis.rs::test_openai_analyze_empty_image"
      - "src/media/analysis.rs::test_validate_image_mime_unsupported"

  - feature: "media.audio transcription (whisper)"
    status: "verified_done"
    runtime_wiring:
      - "src/media/analysis.rs::OpenAiMediaAnalyzer::transcribe_audio"
      - "src/agent/builtin_tools.rs::handle_media_analyze (OpenAI audio path)"
    tests:
      - "src/media/analysis.rs::test_openai_transcribe_empty_audio"
      - "src/media/analysis.rs::test_openai_transcribe_wrong_mime"

  - feature: "media.analysis caching"
    status: "verified_done"
    runtime_wiring:
      - "src/media/analysis.rs::analyze (analysis_cache_path + read/write cached analysis)"
      - "src/agent/builtin_tools.rs::handle_media_analyze (analysis cache integration)"
    tests:
      - "src/media/analysis.rs::test_analysis_cache_path"
      - "src/media/analysis.rs::test_write_and_read_cached_analysis"

  - feature: "messages.outbound message pipeline"
    status: "verified_done"
    runtime_wiring:
      - "src/messages/outbound.rs::MessagePipeline (per-channel queues + idempotency)"
      - "src/server/startup.rs::spawn_background_tasks (delivery loop spawn)"
    tests:
      - "src/messages/outbound.rs::test_pipeline_queue_and_get"
      - "src/messages/outbound.rs::test_idempotency_duplicate_returns_original"

  - feature: "messages.delivery status tracking"
    status: "verified_done"
    runtime_wiring:
      - "src/messages/outbound.rs::DeliveryStatus"
      - "src/messages/outbound.rs::MessagePipeline::{mark_sending,mark_sent,mark_failed}"
    tests:
      - "src/messages/outbound.rs::test_queued_message_status_transitions"
      - "src/messages/outbound.rs::test_pipeline_mark_retry_resets_status_in_both_stores"

  - feature: "messages.retry support"
    status: "verified_done"
    runtime_wiring:
      - "src/messages/delivery.rs::handle_delivery_result (retryable failures)"
      - "src/messages/outbound.rs::MessagePipeline::mark_retry"
    tests:
      - "src/messages/outbound.rs::test_queued_message_mark_retry_resets_to_queued"
      - "src/messages/delivery.rs::test_delivery_retries_on_retryable_failure_resets_status"

  - feature: "messages.delivery loop"
    status: "verified_done"
    runtime_wiring:
      - "src/messages/delivery.rs::delivery_loop"
      - "src/server/startup.rs::spawn_background_tasks (delivery loop spawn)"
    tests:
      - "src/messages/delivery.rs::test_delivery_sends_text_message"

  - feature: "nodes.pairing state machine"
    status: "verified_done"
    runtime_wiring:
      - "src/nodes/mod.rs (PairingState + NodePairingRequest transitions)"
      - "src/server/ws/handlers/node.rs (node.pairing handlers)"
    tests:
      - "src/nodes/mod.rs::test_pairing_state_transitions"
      - "src/nodes/mod.rs::test_approve_request"
      - "src/nodes/mod.rs::test_reject_request"

  - feature: "nodes.token generation"
    status: "verified_done"
    runtime_wiring:
      - "src/nodes/mod.rs::NodeToken::new (SHA-256 hash, no plaintext storage)"
      - "src/nodes/mod.rs::hash_token"
    tests:
      - "src/nodes/mod.rs::test_token_verification"

  - feature: "nodes.token expiry"
    status: "verified_done"
    runtime_wiring:
      - "src/nodes/mod.rs (NODE_TOKEN_EXPIRY_MS + NodeToken::is_valid)"
    tests:
      - "src/nodes/mod.rs::test_token_verification"

  - feature: "nodes.quotas"
    status: "verified_done"
    runtime_wiring:
      - "src/nodes/mod.rs (MAX_PAIRED_NODES/MAX_PENDING_REQUESTS/MAX_NODE_TOKENS)"
      - "src/nodes/mod.rs (paired-node/token eviction logic)"
    tests:
      - "src/nodes/mod.rs::test_max_pending_requests_limit"
      - "src/nodes/mod.rs::test_paired_node_limit_evicts_oldest"

  - feature: "nodes.capabilities and permissions"
    status: "verified_done"
    runtime_wiring:
      - "src/nodes/mod.rs (caps + permissions fields stored on requests/paired nodes)"
      - "src/server/ws/handlers/node.rs (caps/permissions enforced for node.invoke)"
    tests:
      - "src/nodes/mod.rs::test_extended_fields_carried_to_paired_node"
      - "src/server/ws/tests.rs::test_handle_node_invoke_enforces_permissions"
      - "src/server/ws/tests.rs::test_handle_node_invoke_enforces_caps"
      - "src/server/ws/tests.rs::test_handle_node_invoke_allows_missing_paired_permission_key"

  - feature: "nodes.repair flow"
    status: "verified_done"
    runtime_wiring:
      - "src/nodes/mod.rs (is_repair flag + created_at_ms preservation)"
    tests:
      - "src/nodes/mod.rs::test_already_paired_node_can_request_repair"
      - "src/nodes/mod.rs::test_repair_preserves_created_at_ms"

  - feature: "plugins.wasm component model"
    status: "verified_done"
    runtime_wiring:
      - "Cargo.toml (wasmtime = 41 with component-model)"
      - "src/plugins/runtime.rs (wasm_component_model(true) + wasmtime::component APIs)"

  - feature: "plugins.ed25519 signature verification"
    status: "verified_done"
    runtime_wiring:
      - "src/plugins/signature.rs::verify_skill_signature"
      - "src/plugins/loader.rs (signature verification on load)"
    tests:
      - "src/plugins/signature.rs::test_verify_skill_signature_success"
      - "src/plugins/signature.rs::test_verify_skill_signature_tampered"

  - feature: "plugins.plugin loader"
    status: "verified_done"
    runtime_wiring:
      - "src/plugins/loader.rs::PluginLoader::load_all"
      - "src/plugins/loader.rs::PluginLoader::load_plugin"
    tests:
      - "src/plugins/loader.rs::test_load_all_empty_dir"
      - "src/plugins/loader.rs::test_plugin_manifest_validation"

  - feature: "plugins.credential isolation"
    status: "verified_done"
    runtime_wiring:
      - "src/plugins/capabilities.rs::CredentialEnforcer"
      - "src/plugins/host.rs (credential_get/set prefixing)"
    tests:
      - "src/plugins/capabilities.rs::test_credential_prefix_key"
      - "src/plugins/capabilities.rs::test_credential_prefix_key_sanitizes_plugin_id"

  - feature: "plugins.ssrf protection"
    status: "verified_done"
    runtime_wiring:
      - "src/plugins/capabilities.rs::SsrfProtection"
      - "src/plugins/host.rs (http_fetch/media_fetch validation)"
    tests:
      - "src/plugins/capabilities.rs::test_ssrf_blocks_localhost"
      - "src/plugins/capabilities.rs::test_ssrf_blocks_private_ipv4"

  - feature: "plugins.config access enforcement"
    status: "verified_done"
    runtime_wiring:
      - "src/plugins/capabilities.rs::ConfigEnforcer"
      - "src/plugins/host.rs (config_get scoped to plugins.<id>.*)"
    tests:
      - "src/plugins/capabilities.rs::test_config_check_access_allowed"
      - "src/plugins/capabilities.rs::test_config_check_access_denied"

  - feature: "plugins.resource limits"
    status: "verified_done"
    runtime_wiring:
      - "src/plugins/runtime.rs (Store::limiter + MAX_PLUGIN_MEMORY_BYTES)"
      - "src/plugins/runtime.rs (epoch ticker + epoch deadlines)"
      - "src/plugins/runtime.rs (fuel budget + DEFAULT_EXECUTION_TIMEOUT)"
    tests:
      - "src/plugins/runtime.rs::test_default_fuel_budget_is_reasonable"
      - "src/plugins/runtime.rs::test_engine_has_fuel_enabled"

  - feature: "plugins.http rate limiting"
    status: "verified_done"
    runtime_wiring:
      - "src/plugins/capabilities.rs::RateLimiterRegistry::check_http_request"
      - "src/plugins/host.rs (http_fetch/media_fetch rate limit)"
    tests:
      - "src/plugins/host.rs::test_http_fetch_rate_limit"

  - feature: "plugins.log rate limiting"
    status: "verified_done"
    runtime_wiring:
      - "src/plugins/capabilities.rs::RateLimiterRegistry::check_log_message"
      - "src/plugins/host.rs::log_with_limit"
    tests:
      - "src/plugins/host.rs::test_logging_rate_limit"

  - feature: "plugins.permission enforcement"
    status: "verified_done"
    runtime_wiring:
      - "src/plugins/permissions.rs (effective permissions + enforcer)"
      - "src/plugins/runtime.rs (validate_declared_permissions + compute_effective_permissions)"
      - "src/plugins/host.rs (PermissionEnforcer checks)"
    tests:
      - "src/plugins/permissions.rs::test_permission_enforcer_media_allowed"
      - "src/plugins/permissions.rs::test_permission_enforcer_media_denied"

  - feature: "plugins.tool dispatch"
    status: "verified_done"
    runtime_wiring:
      - "src/plugins/dispatch.rs::ToolDispatcher (namespacing + collision warnings)"
      - "src/plugins/runtime.rs (register_tool into PluginRegistry)"
      - "src/plugins/tools.rs (ToolDispatcher-backed plugin tool listing/invocation)"
      - "src/main.rs (shared tools registry + plugin registry wiring)"
      - "src/server/http.rs::tools_invoke_handler (uses shared ToolsRegistry)"
      - "src/agent/executor.rs::build_turn_request (agent tool listing)"
    tests:
      - "src/plugins/dispatch.rs::test_tool_dispatcher_creation"
      - "src/plugins/tests.rs::test_tool_dispatcher"

  - feature: "plugins.hook dispatch"
    status: "verified_done"
    runtime_wiring:
      - "src/plugins/dispatch.rs::HookDispatcher"
      - "src/plugins/runtime.rs (register_hook into PluginRegistry)"
      - "src/agent/executor.rs (before_agent_start/before_tool_call/tool_result_persist hooks)"
      - "src/messages/delivery.rs (message_sending/message_sent hooks)"
    tests:
      - "src/plugins/dispatch.rs::test_hook_dispatcher_creation"
      - "src/plugins/tests.rs::test_hook_dispatcher"

  - feature: "plugins.webhook dispatch"
    status: "verified_done"
    runtime_wiring:
      - "src/plugins/dispatch.rs::WebhookDispatcher"
      - "src/plugins/runtime.rs (register_webhook into PluginRegistry)"
      - "src/server/http.rs::plugins_webhook_handler (/plugins/<id>/* routing)"
    tests:
      - "src/plugins/dispatch.rs::test_webhook_dispatcher_creation"
      - "src/plugins/tests.rs::test_webhook_dispatcher"

  - feature: "plugins.builtin tools"
    status: "verified_done"
    runtime_wiring:
      - "src/plugins/tools.rs::ToolsRegistry::new (registers builtins)"
      - "src/agent/builtin_tools.rs (core tool definitions)"
    tests:
      - "src/plugins/tools.rs::test_tools_registry_default_tools"

  - feature: "server.http server"
    status: "verified_done"
    runtime_wiring:
      - "src/server/http.rs (axum Router + handlers)"
    tests:
      - "src/server/http.rs::test_tools_invoke_success"

  - feature: "server.websocket server"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/mod.rs (JSON-RPC protocol handling)"
      - "src/server/ws/handlers/mod.rs (method dispatch)"
    tests:
      - "src/server/ws/golden_tests.rs::golden_sessions_list"

  - feature: "server.bind mode"
    status: "verified_done"
    runtime_wiring:
      - "src/server/bind.rs (BindMode + resolve_bind_address)"
      - "src/main.rs (bind config parsing)"
    tests:
      - "src/server/bind.rs::test_resolve_loopback"
      - "src/server/bind.rs::test_bind_mode_display_name"

  - feature: "server.health endpoint"
    status: "verified_done"
    runtime_wiring:
      - "src/server/http.rs (routes /health, /health/live, /health/ready)"
      - "src/server/health.rs (HealthChecker)"
    tests:
      - "src/server/http.rs::test_health_endpoint"

  - feature: "server.metrics endpoint"
    status: "verified_done"
    runtime_wiring:
      - "src/server/http.rs (route /metrics)"
      - "src/server/metrics.rs::metrics_handler"
    tests:
      - "src/server/metrics.rs::test_metrics_handler_response"

  - feature: "server.openai api compatibility"
    status: "verified_done"
    runtime_wiring:
      - "src/server/openai.rs (handlers for /v1/chat/completions and /v1/responses)"
      - "src/server/http.rs (OpenAI routes wiring)"
    tests:
      - "src/server/openai.rs::test_chat_completions_non_streaming_with_provider"

  - feature: "server.csrf protection"
    status: "verified_done"
    runtime_wiring:
      - "src/server/csrf.rs (token generation + middleware)"
      - "src/server/http.rs (csrf_middleware wiring)"
      - "src/server/http.rs (control UI CSRF bootstrap + cookie issuance)"
    tests:
      - "src/server/csrf.rs::test_token_store_generate_and_validate"
      - "src/server/csrf.rs::test_missing_origin_rejected_when_session_present"
      - "src/server/csrf.rs::test_ensure_csrf_cookies_sets_session_and_token"
      - "src/server/csrf.rs::test_missing_host_rejected_when_session_present"
    notes:
      - "Control UI injects a bootstrap script to attach X-CSRF-Token headers; CSRF enforced for /control/ when a session cookie exists"
      - "Control UI requires TLS when CSRF secure cookies are enabled"
      - "Cookie names downgrade to non-__Host variants when secure cookies are disabled"

  - feature: "server.rate limiting"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ratelimit.rs (RateLimiter + middleware)"
      - "src/server/http.rs (rate_limit_middleware wiring)"
    tests:
      - "src/server/ratelimit.rs::test_rate_limiter_blocks_after_limit"

  - feature: "server.resource monitoring"
    status: "verified_done"
    runtime_wiring:
      - "src/server/resource_monitor.rs::run_monitor_loop"
      - "src/server/startup.rs::spawn_monitoring_and_retention"
    tests:
      - "src/server/resource_monitor.rs::test_sample_updates_gauges"

  - feature: "server.csp headers"
    status: "verified_done"
    runtime_wiring:
      - "src/server/headers.rs (Content-Security-Policy header)"
      - "src/server/http.rs (security_headers_middleware wiring)"
    tests:
      - "src/server/headers.rs::test_default_security_headers"

  - feature: "server.control api"
    status: "verified_done"
    runtime_wiring:
      - "src/server/control.rs (status/channels/config + task create/list/get/patch/cancel/retry/resume handlers)"
      - "src/server/http.rs (control routes including /control/tasks*)"
      - "src/tasks/mod.rs (durable queue primitives used by control handlers)"
    tests:
      - "src/server/control.rs::test_gateway_status_response_serialization"
      - "src/server/http.rs::test_control_tasks_create_list_and_get"
      - "src/server/http.rs::test_control_tasks_patch_not_found_returns_404"
      - "src/server/http.rs::test_control_tasks_resume_not_found_returns_404"
      - "src/server/http.rs::test_control_tasks_patch_updates_payload_and_policy"
      - "src/server/http.rs::test_control_tasks_cancel_and_retry"

  - feature: "tasks.durable queue + recovery"
    status: "verified_done"
    runtime_wiring:
      - "src/tasks/mod.rs (persisted task lifecycle: queued/running/blocked/retry_wait/done/failed/cancelled)"
      - "src/tasks/mod.rs::load/load_async (startup load + running->retry_wait recovery)"
      - "src/tasks/mod.rs::task_worker_loop (claim + execute + transition)"
      - "src/server/ws/mod.rs::new_persistent (async-safe cron + task startup loading)"
    tests:
      - "src/tasks/mod.rs::test_load_recovers_running_to_retry_wait"
      - "src/tasks/mod.rs::test_task_worker_loop_processes_due_tasks"
      - "src/tasks/mod.rs::test_task_worker_loop_retry_wait_outcome_branch"
      - "src/tasks/mod.rs::test_task_worker_loop_blocked_outcome_branch"
      - "src/tasks/mod.rs::test_task_worker_loop_cancelled_outcome_branch"

  - feature: "tasks.continuation policy budgets"
    status: "verified_done"
    runtime_wiring:
      - "src/tasks/mod.rs::TaskPolicy (maxAttempts/maxTotalRuntimeMs/maxTurns/maxRunTimeoutSeconds)"
      - "src/server/control.rs::resolve_task_policy(_patch) (API-level policy validation)"
      - "src/server/startup.rs::RuntimeTaskExecutor (attempt/age/timeout budget enforcement)"
    tests:
      - "src/server/http.rs::test_control_tasks_create_rejects_invalid_policy_budget"
      - "src/server/startup.rs::runtime_task_executor_rejects_attempts_over_policy_budget"
      - "src/server/startup.rs::runtime_task_executor_rejects_task_age_over_policy_budget"
      - "src/server/startup.rs::runtime_task_executor_rejects_run_timeout_over_policy_budget"

  - feature: "server.graceful shutdown"
    status: "verified_done"
    runtime_wiring:
      - "src/server/startup.rs (axum::serve with graceful shutdown)"
      - "src/main.rs (graceful_shutdown 30s)"
    tests:
      - "src/server/ws/tests.rs::test_shutdown_watch_channel_propagates"

  - feature: "ws.agent.run / agent.cancel"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/sessions.rs::handle_chat_send (agent run)"
      - "src/server/ws/handlers/sessions.rs::handle_chat_abort (cancellation)"
      - "src/server/ws/handlers/mod.rs::canonicalize_ws_method_name (agent.run/agent.cancel aliases)"
    notes:
      - "agent.run aliases to agent; agent.cancel aliases to chat.abort"

  - feature: "ws.session management"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/sessions.rs (sessions.create/load/fork/rename/switch/list/preview/patch/reset/delete)"
      - "src/server/ws/mod.rs (session defaults per connection)"
      - "src/server/ws/handlers/mod.rs (sessions.* methods)"
    notes:
      - "session.* aliases map to sessions.* handlers"
      - "sessions.switch stores per-connection defaults used by agent/chat"

  - feature: "ws.config.get/update/reload/validate"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/config.rs (config.get/set/apply/patch/validate/reload)"
      - "src/server/ws/handlers/mod.rs::canonicalize_ws_method_name (config.update alias)"
    notes:
      - "config.update aliases to config.patch"

  - feature: "ws.exec.approve/deny/list"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/exec.rs (exec.approvals.get/set, exec.approval.request/resolve)"
      - "src/server/ws/handlers/mod.rs::canonicalize_ws_method_name (exec.approve/deny/list aliases)"
    notes:
      - "exec.list aliases to exec.approvals.get; exec.approve/deny alias to exec.approval.resolve"
      - "exec.approve/deny inject default decision values (allow-once/deny) when missing"

  - feature: "ws.config.schema"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/config.rs::handle_config_schema"
      - "src/config/schema.rs::known_top_level_keys"
      - "src/server/ws/handlers/mod.rs (config.schema dispatch)"
    tests:
      - "src/server/ws/golden_tests.rs::golden_config_schema"
      - "src/server/ws/golden_tests.rs::config_lifecycle_3_schema"

  - feature: "ws.system.last-heartbeat/set-heartbeats"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/system.rs (handle_last_heartbeat, handle_set_heartbeats)"
      - "src/server/ws/mod.rs (heartbeat state + broadcast)"
    tests:
      - "src/server/ws/golden_tests.rs::golden_last_heartbeat"

  - feature: "ws.system.wake"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/system.rs::handle_wake"
      - "src/server/ws/mod.rs::enqueue_system_event"

  - feature: "ws.talk.devices"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/talk.rs::handle_talk_devices"
    tests:
      - "src/server/ws/golden_tests.rs::golden_talk_devices"

  - feature: "ws.tts.stop"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/tts.rs::handle_tts_stop"

  - feature: "ws.voicewake.test"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/voicewake.rs::handle_voicewake_test"

  - feature: "ws.system.info"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/system.rs::handle_system_info"
      - "src/server/ws/handlers/mod.rs (system.info dispatch)"
      - "src/server/ws/mod.rs (system.info in method list)"
    notes:
      - "includes runtime metadata, counts, and heartbeat config"

  - feature: "tailscale.serve"
    status: "verified_done"
    runtime_wiring:
      - "src/tailscale/mod.rs::setup_serve"
      - "src/main.rs::spawn_network_services (run_tailscale_lifecycle)"
    tests:
      - "src/tailscale/mod.rs::test_build_serve_args"

  - feature: "tailscale.funnel"
    status: "verified_done"
    runtime_wiring:
      - "src/tailscale/mod.rs::setup_funnel"
      - "src/main.rs::spawn_network_services (run_tailscale_lifecycle)"
    tests:
      - "src/tailscale/mod.rs::test_build_funnel_args"

  - feature: "tailscale.cli wrapper"
    status: "verified_done"
    runtime_wiring:
      - "src/tailscale/mod.rs::run_command (async CLI execution via sandbox argv wrapper)"
      - "src/agent/sandbox.rs::build_sandboxed_tokio_command"
      - "src/agent/sandbox.rs::default_tailscale_cli_sandbox_config"
    tests:
      - "src/tailscale/mod.rs::test_build_teardown_args"
      - "src/agent/sandbox.rs::test_build_sandboxed_tokio_command_disabled_passthrough"

  - feature: "tailscale.status parsing"
    status: "verified_done"
    runtime_wiring:
      - "src/tailscale/mod.rs::parse_status"
    tests:
      - "src/tailscale/mod.rs::test_parse_status_running"

  - feature: "tailscale.lifecycle management"
    status: "verified_done"
    runtime_wiring:
      - "src/tailscale/mod.rs::run_tailscale_lifecycle"
      - "src/tailscale/mod.rs::perform_teardown_if_configured"
      - "src/main.rs::spawn_network_services"

  - feature: "tls.self-signed cert generation"
    status: "verified_done"
    runtime_wiring:
      - "src/tls/mod.rs::generate_self_signed_cert"
    tests:
      - "src/tls/mod.rs::test_generate_self_signed_cert"

  - feature: "tls.auto-generation on startup"
    status: "verified_done"
    runtime_wiring:
      - "src/tls/mod.rs::setup_tls (auto_generate paths)"
      - "src/main.rs (setup_tls on startup)"
    tests:
      - "src/tls/mod.rs::test_setup_tls_auto_generate"

  - feature: "tls.certificate loading"
    status: "verified_done"
    runtime_wiring:
      - "src/tls/mod.rs::load_certs"
      - "src/tls/mod.rs::load_private_key"
    tests:
      - "src/tls/mod.rs::test_load_generated_certs"

  - feature: "tls.sha-256 fingerprint"
    status: "verified_done"
    runtime_wiring:
      - "src/tls/mod.rs::compute_cert_fingerprint"
    tests:
      - "src/tls/mod.rs::test_compute_fingerprint"

  - feature: "tls.mtls server config"
    status: "verified_done"
    runtime_wiring:
      - "src/tls/mod.rs::setup_mtls (server config)"
    tests:
      - "src/tls/mod.rs::test_setup_mtls_with_valid_certs"

  - feature: "tls.mtls client config"
    status: "verified_done"
    runtime_wiring:
      - "src/tls/mod.rs::setup_mtls (client config)"
    tests:
      - "src/tls/mod.rs::test_setup_mtls_with_valid_certs"

  - feature: "tls.cluster ca generation"
    status: "verified_done"
    runtime_wiring:
      - "src/tls/ca.rs::ClusterCA::generate"
    tests:
      - "src/tls/ca.rs::test_generate_cluster_ca"

  - feature: "tls.node certificate issuance"
    status: "verified_done"
    runtime_wiring:
      - "src/tls/ca.rs::ClusterCA::issue_node_cert"
    tests:
      - "src/tls/ca.rs::test_issue_node_cert"

  - feature: "tls.certificate revocation (crl)"
    status: "verified_done"
    runtime_wiring:
      - "src/tls/ca.rs::CertRevocationList (revoke + persistence)"
      - "src/tls/mod.rs::CrlClientCertVerifier (mTLS handshake enforcement)"
    tests:
      - "src/tls/ca.rs::test_crl_operations"
      - "src/tls/ca.rs::test_crl_persistence"
      - "src/tls/mod.rs::test_mtls_revoked_client_cert_rejected"

  - feature: "tls.restrictive key permissions"
    status: "verified_done"
    runtime_wiring:
      - "src/tls/mod.rs (set_permissions 0600 on private key)"
      - "src/tls/ca.rs (set_permissions 0600 on CA/node keys)"
    tests:
      - "src/tls/mod.rs::test_key_file_permissions"
      - "src/tls/ca.rs::test_ca_key_permissions"

  - feature: "tts.speak / tts.voices"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/tts.rs::handle_tts_speak"
      - "src/server/ws/handlers/tts.rs::handle_tts_voices"
    tests:
      - "src/server/ws/golden_tests.rs::golden_tts_providers"
      - "src/server/ws/golden_tests.rs::golden_tts_status"
      - "src/server/ws/handlers/tts.rs (unit tests)"

  - feature: "voicewake.get / voicewake.keywords"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/voicewake.rs::handle_voicewake_get"
      - "src/server/ws/handlers/voicewake.rs::handle_voicewake_keywords"
    tests:
      - "src/server/ws/golden_tests.rs::golden_voicewake_get"
      - "src/server/ws/golden_tests.rs::golden_voicewake_keywords"
      - "src/server/ws/handlers/voicewake.rs (unit tests)"

  - feature: "sessions.JSONL history"
    status: "verified_done"
    runtime_wiring:
      - "src/sessions/store.rs (session_history_path uses .jsonl)"
      - "src/sessions/store.rs (append_message / append_messages)"
    tests:
      - "src/sessions/integrity.rs (JSONL HMAC tests)"
      - "src/sessions/file_lock.rs (JSONL lock tests)"

  - feature: "sessions.compaction"
    status: "verified_done"
    runtime_wiring:
      - "src/sessions/store.rs::compact_session"
      - "src/server/ws/handlers/sessions.rs::handle_sessions_compact"
    tests:
      - "src/sessions/store.rs (compaction tests)"

  - feature: "sessions.HMAC integrity"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/mod.rs (sessions.integrity defaults + HMAC key wiring from server secret or resolved gateway auth)"
      - "src/sessions/store.rs (HMAC sidecar write + verify on load/history)"
      - "src/sessions/integrity.rs (HMAC helpers + IntegrityConfig default enabled=true/action=warn)"
    tests:
      - "src/sessions/integrity.rs (HMAC unit tests)"
      - "src/sessions/store.rs (history HMAC enforcement test)"

  - feature: "sessions.archiving + restoration"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/sessions.rs (sessions.archive/restore/archives/delete)"
      - "src/sessions/store.rs (archive_session + restore_session)"
    tests:
      - "src/sessions/store.rs (archive/restore unit tests)"
      - "src/server/ws/handlers/sessions.rs (archive/restore handler tests)"

  - feature: "sessions.filters"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/sessions.rs (sessions.list filters + search)"
      - "src/sessions/store.rs (SessionFilter + list_sessions)"
    tests:
      - "src/sessions/store.rs (SessionFilter tests + date range tests)"

  - feature: "sessions.file locking"
    status: "verified_done"
    runtime_wiring:
      - "src/sessions/file_lock.rs (FileLock RAII + flock)"
      - "src/sessions/store.rs (FileLock on meta/history writes)"
      - "src/sessions/store.rs::acquire_session_key_lock (per-session-key advisory lock for create/get_or_create)"
    tests:
      - "src/sessions/file_lock.rs (locking tests)"

  - feature: "sessions.retention policies"
    status: "verified_done"
    runtime_wiring:
      - "src/sessions/store.rs (cleanup_expired)"
      - "src/sessions/retention.rs (retention loop + config + spawn_blocking cleanup)"
      - "src/server/startup.rs (spawn retention cleanup)"
    tests:
      - "src/sessions/retention.rs (config + loop tests)"

  - feature: "usage.session tracking"
    status: "verified_done"
    runtime_wiring:
      - "src/usage/mod.rs::record (session totals + persistence)"
      - "src/agent/executor.rs::record_turn_usage (usage recording)"
      - "src/server/ws/handlers/usage.rs::handle_usage_session"
      - "src/server/ws/handlers/mod.rs (usage.session dispatch)"
    tests:
      - "src/server/ws/handlers/usage.rs (usage session tests)"

  - feature: "usage.cost calculation"
    status: "verified_done"
    runtime_wiring:
      - "src/usage/mod.rs (ModelPricing + default_pricing + calculate_cost)"
      - "src/agent/executor.rs::record_turn_usage (usage recording)"
    tests:
      - "src/usage/mod.rs (calculate_cost tests)"

  - feature: "usage.pricing overrides"
    status: "verified_done"
    runtime_wiring:
      - "src/usage/mod.rs::parse_pricing_config (usage.pricing.default + overrides)"
      - "src/usage/mod.rs::update_pricing_from_config (global pricing refresh)"
      - "src/config/schema.rs (usage.pricing validation)"
      - "src/config/mod.rs (pricing refresh on load/reload)"
    tests:
      - "src/usage/mod.rs::test_pricing_override_precedence"
      - "src/usage/mod.rs::test_pricing_default_fallback"

  - feature: "usage.retention and size caps"
    status: "verified_done"
    runtime_wiring:
      - "src/usage/mod.rs::prune_data_with_limits (retention windows + max entries)"
      - "src/usage/mod.rs::record (prune + bounded persistence on write path)"
    tests:
      - "src/usage/mod.rs::test_usage_prune_by_retention"
      - "src/usage/mod.rs::test_usage_prune_by_max_entries"

  - feature: "tests.integration"
    status: "verified_done"
    runtime_wiring:
      - "tests/http_endpoints_test.rs"
      - "tests/plugin_e2e.rs"
      - "tests/ssrf_test.rs"
    tests:
      - "tests/http_endpoints_test.rs"
      - "tests/plugin_e2e.rs"
      - "tests/ssrf_test.rs"

  - feature: "tests.golden snapshots"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/golden_tests.rs (insta snapshots)"
      - "src/server/ws/snapshots/ (insta snapshots)"
    tests:
      - "src/server/ws/golden_tests.rs"

  - feature: "ci.cross-platform matrix"
    status: "verified_done"
    runtime_wiring:
      - ".github/workflows/ci.yml (test job matrix)"
    tests:
      - ".github/workflows/ci.yml"

  - feature: "ci.msrv enforcement"
    status: "verified_done"
    runtime_wiring:
      - ".github/workflows/ci.yml (msrv job)"
    tests:
      - ".github/workflows/ci.yml"

  - feature: "ci.security scanning"
    status: "verified_done"
    runtime_wiring:
      - ".github/workflows/ci.yml (audit/deny/gitleaks/trivy/geiger)"
    tests:
      - ".github/workflows/ci.yml"

  - feature: "ollama provider"
    status: "partial"
    runtime_wiring:
      - "src/agent/ollama.rs (OpenAI-compat SSE + tool use)"
      - "src/agent/factory.rs (ollama provider wiring)"
    notes:
      - "No provider-level cancellation/abort path"

  - feature: "gemini provider"
    status: "partial"
    runtime_wiring:
      - "src/agent/gemini.rs (SSE stream + tool use)"
      - "src/agent/factory.rs (gemini provider wiring)"
    notes:
      - "No provider-level cancellation/abort path"

  - feature: "bedrock provider"
    status: "verified_missing"
    runtime_wiring:
      - "src/agent/bedrock.rs (SigV4 + Converse implementation)"
    notes:
      - "Not wired in src/agent/factory.rs (credentials not read/constructed)"

  - feature: "anthropic provider"
    status: "partial"
    runtime_wiring:
      - "src/agent/anthropic.rs (SSE stream + tool use)"
      - "src/agent/factory.rs (anthropic provider wiring)"
      - "src/agent/provider.rs (MultiProvider default routing to Anthropic)"
    tests:
      - "src/agent/anthropic.rs (unit tests: build_body + SSE parsing/stream handling)"
      - "src/agent/provider.rs::test_multi_provider_select_anthropic_model"
    notes:
      - "No provider-level cancellation/abort path"

  - feature: "openai provider"
    status: "partial"
    runtime_wiring:
      - "src/agent/openai.rs (SSE stream + tool use)"
      - "src/agent/factory.rs (openai provider wiring)"
    notes:
      - "No provider-level cancellation/abort path"

  - feature: "venice provider"
    status: "partial"
    runtime_wiring:
      - "src/agent/venice.rs (OpenAI-compat wrapper + tool use)"
      - "src/agent/factory.rs (venice provider wiring)"
    notes:
      - "No provider-level cancellation/abort path"

  - feature: "exfiltration guard"
    status: "partial"
    runtime_wiring:
      - "src/agent/exfiltration.rs (exfiltration-sensitive tool set)"
      - "src/agent/tool_policy.rs (filter tools when exfiltration_guard is enabled)"
      - "src/agent/executor.rs (block dispatch for sensitive tools)"
    tests:
      - "src/agent/exfiltration.rs (unit tests)"
      - "src/agent/executor.rs (exfiltration guard tests)"
    notes:
      - "No private IP/localhost output filtering; guard only blocks exfiltration-sensitive tools"

  - feature: "OS-level process sandbox"
    status: "partial"
    runtime_wiring:
      - "src/agent/sandbox.rs (process sandbox config, rlimits, seatbelt/landlock helpers, Windows Job Object + AppContainer backend)"
      - "src/agent/executor.rs (passes process_sandbox into tool dispatch)"
      - "src/agent/tools.rs (sets sandboxed flag on ToolInvokeContext)"
      - "src/discovery/mod.rs::run_hostname_command (probe subprocess wrapper)"
      - "src/server/bind.rs::detect_lan_ip_macos / detect_lan_ip_linux / detect_tailscale_ip (runtime probe wrappers)"
      - "src/auth/mod.rs::tailscale_whois_login (tailscale whois subprocess wrapper)"
      - "src/tailscale/mod.rs::run_command (tailscale CLI subprocess wrapper)"
      - "src/gateway/mod.rs::setup_ssh_tunnel (SSH tunnel subprocess wrapper)"
    tests:
      - "src/agent/sandbox.rs (config + seatbelt/landlock helper tests)"
      - "src/agent/sandbox.rs::test_default_probe_sandbox_config_limits"
      - "src/agent/sandbox.rs::test_default_tailscale_cli_sandbox_config_limits"
      - "src/agent/sandbox.rs::test_default_ssh_tunnel_sandbox_config_limits"
      - "src/agent/sandbox.rs::test_ensure_sandbox_supported_supported_platform"
    notes:
      - "2026-02-16 local precheck: `cargo nextest run` passed (2568/2568)."
      - "wrapped subprocesses now apply in-child constraints via `src/agent/sandbox.rs::configure_sandboxed_command` (`pre_exec` + `apply_sandbox` on Unix)."
      - "runtime subprocess wrappers are now wired for probe, tailscale/whois, and SSH tunnel callsites."
      - "Windows backend now enforces `network_access=false` via suspended AppContainer launch with no network capabilities; full Job Object limits are attached before resuming child execution."
      - "Windows `network_access=true` paths use Job Object limits + allowlisted executable resolution."
      - "Windows spawned deny-network subprocesses currently fail closed (`spawn_sandboxed_tokio_command` requires `network_access=true` on Windows)."
      - "unsupported targets still fail closed via `src/agent/sandbox.rs::ensure_sandbox_supported`."

  - feature: "channel-specific tools"
    status: "partial"
    runtime_wiring:
      - "src/agent/channel_tools.rs (15 channel tool schemas + handlers)"
      - "src/agent/builtin_tools.rs::channel_specific_tools (re-export helper)"
    tests:
      - "src/agent/channel_tools.rs (gating + schema + per-tool tests)"
    notes:
      - "Tools are not registered in ToolsRegistry or injected into provider tool lists"

  - feature: "channel registry"
    status: "verified_done"
    runtime_wiring:
      - "src/channels/mod.rs (ChannelRegistry + ChannelStatus)"
      - "src/server/ws/handlers/channels.rs (channels.status / channels.logout)"
      - "src/server/control.rs (control channels status)"
      - "src/messages/delivery.rs (delivery gate checks is_connected)"
    tests:
      - "src/channels/mod.rs (registry unit tests)"

  - feature: "console channel"
    status: "verified_done"
    runtime_wiring:
      - "src/channels/console.rs (ConsoleChannel plugin)"
      - "src/main.rs::register_console_channel (plugin registry + channel registry)"
    tests:
      - "src/channels/console.rs (unit tests)"

  - feature: "telegram/discord/slack runtime wiring"
    status: "verified_done"
    runtime_wiring:
      - "src/channels/telegram.rs (TelegramChannel send_text/send_media)"
      - "src/channels/telegram_inbound.rs (Telegram webhook parsing)"
      - "src/channels/discord.rs (DiscordChannel send_text/send_media)"
      - "src/channels/discord_gateway.rs (Gateway loop + MESSAGE_CREATE handling)"
      - "src/channels/slack.rs (SlackChannel send_text/send_media)"
      - "src/channels/slack_inbound.rs (Slack signature + event parsing)"
      - "src/main.rs (register_*_channel_if_configured)"
      - "src/main.rs (spawn_discord_gateway_loop_if_configured)"
      - "src/server/http.rs (telegram_webhook_handler, slack_events_handler)"
    tests:
      - "src/channels/telegram.rs::test_telegram_get_info"
      - "src/channels/telegram_inbound.rs::test_extract_inbound_message"
      - "src/channels/discord.rs::test_discord_get_info"
      - "src/channels/slack.rs::test_slack_get_info"
      - "src/channels/slack_inbound.rs::test_verify_slack_signature"

  - feature: "start"
    status: "verified_done"
    runtime_wiring:
      - "src/main.rs (None|Start -> run_server)"
    tests:
      - "src/cli/mod.rs::test_cli_start_subcommand"

  - feature: "config show/get/set/path"
    status: "verified_done"
    runtime_wiring:
      - "src/cli/mod.rs (handle_config_show/get/set/path)"
      - "src/server/ws/mod.rs::persist_config_file (atomic write)"

  - feature: "status"
    status: "verified_done"
    runtime_wiring:
      - "src/cli/mod.rs::handle_status (/health)"
      - "src/server/http.rs (GET /health)"
    tests:
      - "src/server/http.rs::test_health_endpoint"

  - feature: "logs"
    status: "verified_done"
    runtime_wiring:
      - "src/cli/mod.rs::handle_logs (WebSocket logs.tail)"
      - "src/server/ws/handlers/logs.rs::handle_logs_tail"

  - feature: "version"
    status: "verified_done"
    runtime_wiring:
      - "src/cli/mod.rs::handle_version"
    tests:
      - "src/cli/mod.rs::test_cli_version_subcommand"

  - feature: "chat"
    status: "verified_done"
    runtime_wiring:
      - "src/main.rs (Command::Chat dispatch)"
      - "src/cli/chat.rs::handle_chat (gateway startup + session run)"
      - "src/cli/chat.rs::run_chat_session (interactive REPL flow)"
    tests:
      - "src/cli/mod.rs::test_cli_chat_defaults"
      - "src/cli/mod.rs::test_cli_chat_with_new_and_port"
      - "src/cli/chat.rs::test_parse_repl_command"

  - feature: "verify"
    status: "verified_done"
    runtime_wiring:
      - "src/main.rs (Command::Verify dispatch)"
      - "src/cli/mod.rs::handle_verify"
      - "src/cli/mod.rs::run_outcome_verifier"
      - "src/cli/mod.rs::verify_autonomy_outcome"
    tests:
      - "src/cli/mod.rs::test_cli_verify_defaults"
      - "src/cli/mod.rs::test_cli_verify_with_options"
      - "src/cli/mod.rs::test_cli_verify_autonomy_outcome"
      - "src/cli/mod.rs::test_verify_outcome_selection_autonomy_resolved"

  - feature: "cli.binary naming"
    status: "verified_done"
    runtime_wiring:
      - "src/cli/mod.rs (clap parsing uses `cara` command name)"
      - "src/cli/mod.rs::download_and_install_binary (platform asset lookup uses cara-<os>-<arch>)"
      - ".github/workflows/release.yml (release artifacts named cara-<arch>-<os>)"
    tests:
      - "src/cli/mod.rs::test_cli_no_args_defaults_to_none"
      - "src/server/ws/handlers/update.rs::test_expected_asset_name_no_exe_on_unix"
      - "src/server/ws/handlers/update.rs::test_staged_path_construction"

  - feature: "backup"
    status: "verified_done"
    runtime_wiring:
      - "src/cli/mod.rs::handle_backup (tar.gz + marker)"
    tests:
      - "src/cli/mod.rs::test_backup_creates_valid_archive"

  - feature: "restore"
    status: "verified_done"
    runtime_wiring:
      - "src/cli/mod.rs::handle_restore (restore_files_from_tar)"
    tests:
      - "src/cli/mod.rs::test_backup_restore_round_trip"
      - "src/cli/mod.rs::test_is_safe_archive_path_rejects_traversal"

  - feature: "reset"
    status: "verified_done"
    runtime_wiring:
      - "src/cli/mod.rs::handle_reset"

  - feature: "setup"
    status: "verified_done"
    runtime_wiring:
      - "src/cli/mod.rs::handle_setup (provider/auth/bind prompts + first-run outcome wiring for local chat/Discord/Telegram/hooks + optional hooks/control UI config)"
      - "src/cli/mod.rs::validate_provider_credentials_interactive"
      - "src/cli/mod.rs::validate_channel_credentials_interactive"
      - "src/cli/mod.rs::run_setup_post_checks (status/chat smoke action)"
    tests:
      - "src/cli/mod.rs::test_handle_setup_*"
      - "src/cli/mod.rs::test_parse_setup_outcome_aliases"
      - "src/cli/mod.rs::test_parse_setup_outcome_invalid"

  - feature: "wizard"
    status: "verified_done"
    runtime_wiring:
      - "src/server/ws/handlers/wizard.rs::handle_wizard_next + persist_wizard_config"
      - "src/server/ws/handlers/wizard.rs::apply_wizard_config (setup/channel/agent updates, including first-run outcome + hooks/control UI setup fields)"
      - "src/server/ws/handlers/config.rs::write_config_file (wizard persistence)"
    tests:
      - "src/server/ws/handlers/wizard.rs::test_apply_setup_wizard_updates_config"
      - "src/server/ws/handlers/wizard.rs::test_apply_setup_wizard_respects_auth_and_bind_overrides"
      - "src/server/ws/handlers/wizard.rs::test_apply_setup_wizard_hooks_outcome_enables_hooks_by_default"
      - "src/server/ws/handlers/wizard.rs::test_apply_channel_wizard_updates_config"
      - "src/server/ws/handlers/wizard.rs::test_apply_agent_wizard_updates_identity"

  - feature: "pair"
    status: "verified_done"
    runtime_wiring:
      - "src/cli/mod.rs::handle_pair (connect.challenge -> device identity handshake)"
      - "src/cli/mod.rs::build_device_identity_for_connect + load_or_create_device_identity"
      - "src/cli/mod.rs::handle_pair (WS node.pair.request + node.pair.approve)"

  - feature: "update"
    status: "verified_done"
    runtime_wiring:
      - "src/cli/mod.rs::handle_update (GitHub releases + staged update)"
      - "src/server/ws/handlers/update.rs::apply_staged_update"
      - "src/server/ws/handlers/update.rs::handle_update_install (test-build guard avoids replacing current test binary)"
    tests:
      - "src/server/ws/handlers/update.rs::test_update_install_download_failure_clears_flag"
      - "src/server/ws/handlers/update.rs::test_install_sets_installing_flag"

  - feature: "tls init-ca / issue-cert / revoke-cert / show-ca"
    status: "verified_done"
    runtime_wiring:
      - "src/cli/mod.rs::handle_tls_*"
      - "src/tls/ca.rs (ClusterCA implementation)"

  - feature: "JSON5 parsing"
    status: "verified_done"
    runtime_wiring:
      - "src/config/mod.rs::parse_json5"
    tests:
      - "src/config/mod.rs::test_parse_json5_basic"

  - feature: "$include directive"
    status: "verified_done"
    runtime_wiring:
      - "src/config/mod.rs::resolve_includes (depth + circular detection)"
    tests:
      - "src/config/mod.rs::test_include_single_file"
      - "src/config/mod.rs::test_include_multiple_files"

  - feature: "Env var substitution"
    status: "verified_done"
    runtime_wiring:
      - "src/config/mod.rs::substitute_env_vars"
    tests:
      - "src/config/mod.rs::test_env_var_substitution"

  - feature: "Config path/env naming"
    status: "verified_done"
    runtime_wiring:
      - "src/config/mod.rs::get_config_path (CARAPACE_CONFIG_PATH -> CARAPACE_STATE_DIR -> platform config dir)"
    tests:
      - "src/config/mod.rs::test_get_config_path_default"
      - "src/config/mod.rs::test_get_config_path_override"
      - "src/config/mod.rs::test_get_config_path_state_dir"

  - feature: "Config cache"
    status: "verified_done"
    runtime_wiring:
      - "src/config/mod.rs (CONFIG_CACHE + load_config TTL)"

  - feature: "Config shared snapshots"
    status: "verified_done"
    runtime_wiring:
      - "src/config/mod.rs::load_config_shared (Arc-backed cached config snapshot)"
      - "src/channels/inbound.rs::dispatch_inbound_text (shared config read)"
      - "src/channels/signal_receive.rs::dispatch_signal_inbound (shared config read)"
      - "src/agent/builtin_tools.rs::handle_media_analyze (shared config read)"

  - feature: "Hot reload"
    status: "verified_done"
    runtime_wiring:
      - "src/config/watcher.rs (ConfigWatcher)"
      - "src/config/watcher.rs::perform_reload_async (spawn_blocking reload path)"
      - "src/server/startup.rs (spawn config watcher)"
    tests:
      - "src/config/watcher.rs (ConfigWatcher tests)"

  - feature: "Schema validation"
    status: "verified_done"
    runtime_wiring:
      - "src/config/schema.rs (validate_schema)"
      - "src/main.rs::load_and_validate_config"
    tests:
      - "src/config/schema.rs (schema validation tests)"

  - feature: "Config defaults"
    status: "verified_done"
    runtime_wiring:
      - "src/config/defaults.rs::apply_defaults"
      - "src/config/mod.rs::load_config_uncached"

  - feature: "Secret encryption"
    status: "verified_done"
    runtime_wiring:
      - "src/config/secrets.rs (SecretStore + encrypt/decrypt/resolve/scrub)"
      - "src/config/mod.rs::resolve_config_secrets (decrypt on load)"
      - "src/config/mod.rs::seal_config_secrets (encrypt on write)"
      - "src/server/ws/handlers/config.rs::persist_config_file (seals before write)"
    tests:
      - "src/config/secrets.rs (encryption + scrub tests)"
      - "src/config/mod.rs::test_secret_encryption_round_trip"

  - feature: "macOS Keychain"
    status: "verified_done"
    runtime_wiring:
      - "src/credentials/macos.rs (MacOsCredentialBackend via keyring)"
      - "src/credentials/macos.rs (get/set/delete/list operations via tokio::task::spawn_blocking)"
    tests:
      - "src/credentials/macos.rs::test_error_mapping"

  - feature: "Linux Secret Service"
    status: "verified_done"
    runtime_wiring:
      - "src/credentials/linux.rs (LinuxCredentialBackend via keyring/Secret Service)"
      - "src/credentials/linux.rs (get/set/delete/list operations via tokio::task::spawn_blocking)"
    tests:
      - "src/credentials/linux.rs::test_error_mapping"

  - feature: "Windows Credential Manager"
    status: "verified_done"
    runtime_wiring:
      - "src/credentials/windows.rs (WindowsCredentialBackend via keyring)"
      - "src/credentials/windows.rs (get/set/delete/list operations via tokio::task::spawn_blocking)"
    tests:
      - "src/credentials/windows.rs::test_error_mapping"

  - feature: "Env-only fallback"
    status: "verified_done"
    runtime_wiring:
      - "src/credentials/mod.rs::CredentialStore::new (env_only_mode)"
    tests:
      - "src/credentials/mod.rs::test_env_only_mode"

  - feature: "Quotas and rate limiting"
    status: "verified_done"
    runtime_wiring:
      - "src/credentials/mod.rs::RateLimitTracker"
      - "src/credentials/mod.rs::CredentialStore::plugin_set (quota + rate limit)"
    tests:
      - "src/credentials/mod.rs::test_rate_limit_tracker"
      - "src/credentials/mod.rs::test_plugin_quota_incremented_on_new_keys"

  - feature: "Key/value size limits"
    status: "verified_done"
    runtime_wiring:
      - "src/credentials/mod.rs (MAX_KEY_LENGTH/MAX_VALUE_LENGTH checks)"
    tests:
      - "src/credentials/mod.rs::test_key_too_long_validation"
      - "src/credentials/mod.rs::test_value_too_long_validation"

  - feature: "token auth"
    status: "verified_done"
    runtime_wiring:
      - "src/auth/mod.rs::authorize_gateway_connect (token branch + timing_safe_eq)"
      - "src/server/ws/mod.rs::authorize_connection (gateway auth enforcement)"
      - "src/server/http.rs::check_gateway_auth (HTTP bearer token auth)"
    tests:
      - "src/auth/mod.rs::test_gateway_auth_token_*"

  - feature: "password auth"
    status: "verified_done"
    runtime_wiring:
      - "src/auth/mod.rs::authorize_gateway_connect (password branch + timing_safe_eq)"
      - "src/server/http.rs::check_gateway_auth (HTTP bearer password auth)"
      - "src/server/openai.rs::check_openai_auth (OpenAI endpoints password auth)"
    tests:
      - "src/auth/mod.rs::test_gateway_auth_password_*"

  - feature: "tailscale auth"
    status: "verified_done"
    runtime_wiring:
      - "src/auth/mod.rs::verify_tailscale_auth(_with_whois)"
      - "src/server/ws/mod.rs::resolve_gateway_auth_config (allow_tailscale wiring)"
      - "src/server/ws/mod.rs::authorize_connection (tailscale accepted)"
    tests:
      - "src/auth/mod.rs::test_tailscale_auth_*"

  - feature: "localhost bypass"
    status: "verified_done"
    runtime_wiring:
      - "src/auth/mod.rs::authorize_gateway_connect (AuthMode::None + local-direct)"
      - "src/auth/mod.rs::is_local_direct_request (host/proxy/loopback checks)"
      - "src/server/http.rs::check_gateway_auth (authorize_gateway_request)"
      - "src/server/control.rs::check_control_auth (authorize_gateway_request)"
      - "src/server/openai.rs::check_openai_auth (authorize_gateway_request)"
    tests:
      - "src/auth/mod.rs::test_gateway_auth_local_bypass_allows_loopback"
      - "src/auth/mod.rs::test_gateway_auth_local_bypass_rejects_remote"
      - "src/server/http.rs::test_gateway_auth_mode_none_allows_loopback"
      - "src/server/http.rs::test_gateway_auth_mode_none_loopback_requires_local_host"
      - "src/server/http.rs::test_gateway_auth_mode_none_loopback_with_proxy_headers_rejected"

  - feature: "fail-closed default"
    status: "verified_done"
    runtime_wiring:
      - "src/auth/mod.rs::authorize_gateway_connect (TokenMissingConfig/PasswordMissingConfig)"
      - "src/auth/mod.rs::authorize_gateway_request (no addr still requires auth)"
      - "src/server/http.rs::check_gateway_auth (rejects when no auth configured)"
      - "src/server/control.rs::check_control_auth (rejects when no auth configured)"
      - "src/server/openai.rs::check_openai_auth (rejects when no auth configured)"
    tests:
      - "src/auth/mod.rs::test_gateway_auth_default_config_rejects"
      - "src/server/http.rs::test_gateway_auth_no_config_loopback_rejected"
      - "src/server/http.rs::test_gateway_auth_no_config_non_loopback_rejected"
      - "src/server/http.rs::test_gateway_auth_no_config_no_addr_rejected"

  - feature: "timing-safe comparison"
    status: "verified_done"
    runtime_wiring:
      - "src/auth/mod.rs::timing_safe_eq (SHA-256 hash-then-compare)"
      - "src/server/http.rs::check_gateway_auth"
      - "src/server/control.rs::check_control_auth"
    tests:
      - "src/auth/mod.rs::test_timing_safe_eq"

  - feature: "sessions.scoping"
    status: "verified_done"
    runtime_wiring:
      - "src/sessions/scoping.rs (scope + reset policy)"
      - "src/sessions/mod.rs (scoped session resolution + reset enforcement helper)"
      - "src/channels/signal_receive.rs (scoped key + reset)"
      - "src/server/ws/handlers/sessions.rs (agent/chat scoping + reset)"
      - "src/server/http.rs (hooks/agent scoping + reset)"
    notes:
      - "Explicit sessionKey still honored; reset policy enforced on existing sessions"

  - feature: "usage.daily/monthly summaries"
    status: "verified_done"
    runtime_wiring:
      - "src/usage/mod.rs (daily + monthly aggregation)"
      - "src/server/ws/handlers/usage.rs::handle_usage_daily/handle_usage_monthly"
    tests:
      - "src/usage/mod.rs (daily summary tests)"

  - feature: "usage.provider/model breakdown"
    status: "verified_done"
    runtime_wiring:
      - "src/usage/mod.rs (by_provider + by_model aggregation)"
      - "src/server/ws/handlers/usage.rs (usage.cost byProvider/byModel)"

  - feature: "usage.persistent JSON storage"
    status: "verified_done"
    runtime_wiring:
      - "src/usage/mod.rs (UsageTracker load/save usage.json)"
      - "src/server/ws/handlers/usage.rs (handlers use persistent tracker)"

  - feature: "usage.enable/disable tracking"
    status: "verified_done"
    runtime_wiring:
      - "src/usage/mod.rs (enable/disable + save)"
      - "src/server/ws/handlers/usage.rs (enable/disable handlers)"

  - feature: "tests.unit tests"
    status: "verified_done"
    runtime_wiring:
      - "tests/ (integration-style unit tests)"
      - "src/** (#[cfg(test)] unit tests)"
    tests:
      - "cargo nextest run (large suite coverage maintained in CI/local workflows; exact count intentionally not tracked)"

  - feature: "provider auto-discovery"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/factory.rs (env vars + config resolution)"
    tests:
      - "src/agent/factory.rs (fingerprint tests)"

  - feature: "provider base URL override"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/anthropic.rs::with_base_url"
      - "src/agent/openai.rs::with_base_url"
      - "src/agent/gemini.rs::with_base_url"
      - "src/agent/ollama.rs::with_base_url"
      - "src/agent/venice.rs::with_base_url"
      - "src/agent/factory.rs (reads *_BASE_URL)"
    tests:
      - "src/agent/anthropic.rs (base URL tests)"
      - "src/agent/openai.rs (base URL tests)"
      - "src/agent/gemini.rs (base URL tests)"
      - "src/agent/ollama.rs (base URL tests)"
      - "src/agent/venice.rs (base URL tests)"

  - feature: "agent.execution loop"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/executor.rs (execute_run loop + execute_single_turn)"
      - "src/agent/mod.rs (spawn_run supervisor)"
    tests:
      - "src/agent/executor.rs (execute_run tests)"
      - "src/agent/mod.rs (spawn_run tests)"

  - feature: "agent.supervisor"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/mod.rs (spawn_run + supervisor task)"
    tests:
      - "src/agent/mod.rs (spawn_run panic recovery tests)"

  - feature: "agent.tool dispatch"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/executor.rs (execute_tools_with_guards)"
      - "src/agent/tools.rs (execute_tool_call + list_provider_tools)"
      - "src/plugins/tools.rs (tool registry invoke)"
    tests:
      - "src/agent/tools.rs (tool dispatch tests)"
      - "src/agent/executor.rs (tool policy tests)"

  - feature: "agent.tool policy"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/tool_policy.rs (AllowAll/AllowList/DenyList)"
      - "src/agent/executor.rs (dispatch enforcement)"
    tests:
      - "src/agent/tool_policy.rs (policy tests)"
      - "src/agent/executor.rs (policy enforcement tests)"

  - feature: "prompt guard preflight"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/prompt_guard/preflight.rs (regex checks)"
      - "src/agent/executor.rs (preflight enforcement)"
    tests:
      - "src/agent/prompt_guard/preflight.rs (preflight tests)"

  - feature: "prompt guard postflight"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/prompt_guard/postflight.rs (PII/credential scan)"
      - "src/agent/executor.rs (postflight enforcement)"
    tests:
      - "src/agent/prompt_guard/postflight.rs (postflight tests)"

  - feature: "inbound message classifier"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/classifier.rs (classify_message + circuit breaker)"
      - "src/agent/executor.rs (classifier enforcement)"
    tests:
      - "src/agent/classifier.rs (classifier tests)"

  - feature: "output content sanitizer"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/output_sanitizer.rs (sanitize_output + CSP policy)"
      - "src/agent/executor.rs (sanitize output before persisting)"
    tests:
      - "src/agent/output_sanitizer.rs (sanitizer tests)"

  - feature: "anthropic provider"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/anthropic.rs::complete (cancel token + SSE streaming)"
      - "src/agent/anthropic.rs::process_sse_stream (stream parsing)"
    tests:
      - "src/agent/anthropic.rs::test_complete_stream_with_message_stop_returns_ok"

  - feature: "openai provider"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/openai.rs::complete_with_body (cancel token + SSE streaming)"
      - "src/agent/openai.rs::process_sse_stream (stream parsing)"
    tests:
      - "src/agent/openai.rs::test_complete_text_stream"

  - feature: "ollama provider"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/ollama.rs::complete (OpenAI-compat streaming + cancellation)"
      - "src/agent/openai.rs::process_ollama_sse_stream (shared SSE parser)"
    tests:
      - "src/agent/ollama.rs::test_build_body_with_tools"

  - feature: "gemini provider"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/gemini.rs::complete (cancel token + SSE streaming)"
      - "src/agent/gemini.rs::process_gemini_sse_stream (stream parsing)"
    tests:
      - "src/agent/gemini.rs::test_build_body_with_tools"

  - feature: "venice provider"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/venice.rs::complete (OpenAI-compatible streaming + cancellation)"
      - "src/agent/openai.rs::complete_with_body (shared transport)"
    tests:
      - "src/agent/venice.rs::test_venice_parameters_injected_into_body"

  - feature: "bedrock provider"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/bedrock.rs::complete (SigV4 signing + event emission)"
      - "src/agent/factory.rs (bedrock config + MultiProvider wiring)"
    tests:
      - "src/agent/bedrock.rs::test_is_bedrock_model_colon_prefix"

  - feature: "exfiltration guard"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/exfiltration.rs (sensitive tool registry)"
      - "src/agent/tool_policy.rs (definition filtering)"
      - "src/agent/executor.rs (dispatch blocking)"
      - "src/agent/mod.rs (config wiring)"
    tests:
      - "src/agent/executor.rs::test_exfiltration_guard_blocks_sensitive_tool"

  - feature: "channel-specific tools"
    status: "verified_done"
    runtime_wiring:
      - "src/agent/channel_tools.rs (Telegram/Discord/Slack tool schemas)"
      - "src/plugins/tools.rs::list_tools_for_channel (conditional tool listing)"
      - "src/plugins/tools.rs::invoke (channel tool dispatch)"
    tests:
      - "src/agent/channel_tools.rs::test_channel_tools_telegram_returns_five"
      - "src/agent/tools.rs::test_list_provider_tools_includes_channel_tools"