# Feature status inventory for carapace. # Single-marker status scheme. version: "3.2" source: "single-marker verification scheme (2026-01-31)" status_legend: "[ ]": "Not sure — believed done, not yet verified" "[~]": "Partial — incomplete or missing behavior" "[s]": "Stub — placeholder response only" "[-]": "Verified missing — confirmed absent" "[x]": "Verified done — confirmed working" feature_inventory_markdown: | ## Feature Inventory Working inventory of tracked features in the system, grouped by module. Markers follow the status_legend. ### Agent (`src/agent/`) - [x] **Anthropic provider** — streaming, tool use, cancellation (`anthropic.rs`) - [x] **OpenAI provider** — streaming, tool use, cancellation (`openai.rs`) - [x] **Ollama provider** — streaming, tool use, cancellation (`ollama.rs`) - [x] **Gemini provider** — streaming, tool use, cancellation (`gemini.rs`) - [x] **Bedrock provider** — SigV4 signing, tool use, streaming via emitted events (`bedrock.rs`) wired via `factory.rs` - [x] **Venice AI provider** — OpenAI-compat wrapper, model prefix stripping (`venice.rs`). Wired in factory.rs, reads VENICE_API_KEY. - [x] **Provider auto-discovery** — env vars + config resolution (`factory.rs`) - [x] **Base URL override** — custom API endpoints for all providers - [x] **Agent execution loop** — turn loop, tool dispatch, max turns/tokens, cancellation (`mod.rs`) - [x] **Agent supervisor** — panic recovery, spawn_run, timeout enforcement - [x] **Tool dispatch** — built-in tools (10) + plugin tools, policy enforcement (`tool.rs`) - [x] **Tool policy** — allow-all / allow-list / deny-list per config (`tool_policy.rs`) - [x] **Prompt guard — preflight** — regex injection/escalation/exfiltration patterns (`prompt_guard/preflight.rs`) - [x] **Prompt guard — postflight** — output content scanning with custom patterns (`prompt_guard/postflight.rs`) - [x] **Inbound message classifier** — LLM-based attack classification, circuit breaker (`classifier.rs`) - [x] **Output content sanitizer** — HTML/script/XSS stripping, CSP enforcement (`output_sanitizer.rs`) - [x] **Exfiltration guard** — filters tool definitions + blocks sensitive tools at dispatch (`exfiltration.rs`) - [~] **OS-level process sandbox** — Seatbelt (macOS), Landlock (Linux), Windows Job Objects + AppContainer, rlimits (`sandbox.rs`), subprocess wrappers wired across runtime probes/tailscale/whois/SSH tunnel; unsupported OSes fail closed and Windows spawned deny-network paths currently fail closed - [x] **Channel-specific tools** — 15 platform-specific tool schemas (`channel_tools.rs`) ### Authentication (`src/auth/`) - [x] **Token auth** — SHA-256 hashed token verification - [x] **Password auth** — timing-safe password comparison - [x] **Tailscale auth** — whois verification against tailnet ACLs - [x] **Localhost bypass** — AuthMode::None allows local-direct requests only - [x] **Fail-closed default** — denies by default when no auth configured - [x] **Timing-safe comparison** — SHA-256 hash-then-compare (no length leak) ### Channels (`src/channels/`) - [x] **Channel registry** — thread-safe channel tracking, status enum - [x] **Console channel** — built-in testing channel - [x] **Telegram/Discord/Slack runtime wiring** — outbound + inbound (Telegram webhook/long-polling, Slack Events API, Discord Gateway). - [x] **Signal runtime wiring** — outbound via signal-cli REST + inbound polling receive loop. - [~] **Signal real-world smoke** — pending reproducible pass/fail evidence from a live Signal deployment. - [~] **Slack real-world smoke** — pending reproducible pass/fail evidence from a live Slack Events API deployment. ### CLI (`src/cli/`) - [x] **start** — launch gateway server - [x] **config show/get/set/path** — configuration management - [x] **status** — gateway health check via HTTP - [x] **logs** — tail logs via WebSocket - [x] **version** — show version + build info - [x] **CLI binary naming** — executable is `cara`; release assets follow `cara--` - [x] **backup** — tar.gz archive of state directory - [x] **restore** — extract backup with path traversal protection - [x] **reset** — clear sessions/cron/usage/memory - [x] **setup** — interactive configuration wizard - [x] **pair** — device identity handshake + node pairing initiation (remote gateways supported) - [x] **update** — version check and self-update - [x] **chat** — interactive local REPL session over WebSocket - [x] **verify** — first-run outcome verification (local chat/channels/hooks/autonomy) - [x] **tls init-ca / issue-cert / revoke-cert / show-ca** — cluster CA management ### Config (`src/config/`) - [x] **JSON5 parsing** — comments, trailing commas - [x] **$include directive** — max depth 10, circular reference detection - [x] **Env var substitution** — `${VAR}` pattern replacement - [x] **Config path/env naming** — `CARAPACE_CONFIG_PATH` and `CARAPACE_STATE_DIR` precedence with platform config-dir defaults - [x] **Config cache** — 200ms TTL in-memory cache - [x] **Hot reload** — file watcher infrastructure (`watcher.rs`) - [x] **Reload on blocking thread** — reload file I/O runs via `spawn_blocking` to avoid async runtime stalls - [x] **Shared config snapshots** — `load_config_shared` cache reused by inbound dispatch and media analysis paths - [x] **Schema validation** — error/warning severity - [x] **Config defaults** — fallback values - [x] **Secret encryption** — AES-256-GCM at rest with PBKDF2 key derivation ### Credentials (`src/credentials/`) - [x] **macOS Keychain** — keyring crate integration - [x] **Linux Secret Service** — keyring-backed credential storage via D-Bus - [x] **Windows Credential Manager** — native API - [x] **Env-only fallback** — when keychain unavailable - [x] **Non-blocking credential ops** — keyring/keychain operations run on blocking threads - [x] **Quotas and rate limiting** — 100 per plugin, 10 writes/min - [x] **Key/value size limits** — 64B key, 64KB value ### Cron (`src/cron/`) - [x] **At schedule** — one-time execution at unix timestamp - [x] **Every schedule** — interval-based recurring - [x] **Cron expression** — 5-field format (min hr day mon dow) - [x] **Cron timezone support** — optional IANA timezone (`tz`) with DST-aware next-run behavior - [x] **Cron job persistence** — jobs stored at `state_dir/cron/jobs.json`, restored on startup, stale runtime state cleared on load - [x] **Job quotas** — max 500 enforced with LRU eviction when at limit - [x] **Payload types** — SystemEvent broadcast, AgentTurn spawn - [x] **Background tick loop** — async task runner - [x] **Executor** — payload execution with session/run creation (`executor.rs`) ### Devices (`src/devices/`) - [x] **Pairing state machine** — Pending/Approved/Rejected/Expired - [x] **Token generation** — SHA-256 hashed, no plaintext storage - [x] **Token expiry** — 90 days - [x] **Quotas** — 50 devices, 25 pending, 200 tokens - [x] **Persistent storage** — JSON with atomic writes ### Discovery (`src/discovery/`) - [x] **mDNS service registration** — _carapace._tcp.local. - [x] **TXT record metadata** — version, fingerprint, device name - [x] **Discovery modes** — Off/Minimal/Full - [x] **Lifecycle management** — graceful shutdown ### Exec (`src/exec/`) - [x] **Approval request creation** — async oneshot channels - [x] **Approval decisions** — AllowOnce/AllowAlways/Deny - [x] **Timeout support** — configurable approval wait - [x] **Cleanup of expired entries** ### Gateway (`src/gateway/`) — feature-gated - [x] **Remote gateway connection** — WebSocket + SSH tunnel transports - [x] **TOFU fingerprint verification** — trust-on-first-use - [x] **mTLS support** — mutual TLS with CA verification - [x] **Reconnection with backoff** — exponential backoff - [x] **Protocol v3** — JSON-RPC handshake ### Hooks (`src/hooks/`) - [x] **Webhook endpoints** — /hooks/wake, /hooks/agent, /hooks/ - [x] **Hook registry** — mapping storage and routing - [x] **Hook authentication** — token-based auth - [x] **Template evaluation** — {{expr}} replacement with JSON escaping ### Links (`src/links/`) - [x] **URL extraction** — regex-based, code block aware - [x] **HTML-to-text conversion** — custom regex-based (not html2text crate) - [x] **SSRF-protected fetching** — uses media module protections - [x] **LRU cache** — 100 entries, 1hr TTL - [x] **Title/meta extraction** — HTML metadata parsing - [x] **Safe UTF-8 truncation** — char-boundary-aware ### Logging (`src/logging/`) - [x] **JSON format** — structured production logs - [x] **Plaintext format** — human-readable dev logs - [x] **Output destinations** — stdout, stderr, file - [x] **Log buffer layer** — ring buffer for /logs endpoint - [x] **Secret masking** — redacts API keys in log output and buffer - [x] **Audit logging** — initialized at startup; events emitted for security-relevant actions, including `task_mutated` on control task actions ### Media (`src/media/`) - [x] **SSRF protection** — blocks private IPs, localhost, metadata endpoints - [x] **DNS rebinding defense** — post-resolution IP validation (hickory_resolver) - [x] **Redirect blocking** — prevents redirect-based bypass - [x] **Streaming with size limits** — configurable max size (50MB default) - [x] **Temp file storage** — TTL-based expiration with cleanup (1hr TTL) - [x] **Image analysis (Claude Vision)** — Anthropic image understanding - [x] **Image analysis (GPT-4 Vision)** — OpenAI image understanding - [x] **Audio transcription (Whisper)** — OpenAI Whisper API - [x] **Analysis caching** — .analysis.json sidecar files ### Messages (`src/messages/`) - [x] **Outbound message pipeline** — per-channel queuing, idempotency keys - [x] **Delivery status tracking** — queued/sending/sent/failed/cancelled - [x] **Retry support** — retry with error tracking - [x] **Delivery loop** — async message dispatch with notify ### Nodes (`src/nodes/`) - [x] **Node pairing state machine** — Pending/Approved/Rejected/Expired - [x] **Node token generation** — SHA-256 hashed - [x] **Token expiry** — 30 days - [x] **Quotas** — 100 nodes, 50 pending, 500 tokens (with LRU eviction) - [x] **Capabilities and permissions** — per-node feature negotiation + runtime enforcement - [x] **Repair flow** — preserves created_at on re-pairing ### Plugins (`src/plugins/`) - [x] **WASM component model** — wasmtime 41 runtime - [x] **Ed25519 signature verification** — plugin authenticity (required by default) - [x] **Plugin loader** — .wasm file loading with manifest - [x] **Credential isolation** — plugin ID prefixing - [x] **SSRF protection** — private IP/localhost blocking - [x] **Config access enforcement** — plugins..* only - [x] **Resource limits** — 64MB memory, 30s timeout, fuel-based CPU, epoch ticker - [x] **HTTP rate limiting** — 100 req/min per plugin - [x] **Log rate limiting** — 1000 msg/min per plugin - [x] **Permission enforcement** — declared + override permissions - [x] **Tool dispatch** — tool invocation routing with collision warnings - [x] **Hook dispatch** — lifecycle hook routing - [x] **Webhook dispatch** — HTTP webhook routing - [x] **Builtin tools** — 11 core tools (current_time, web_fetch, media_analyze, memory_read/write/list, message_send, session_list/read, config_read, math_eval) ### Server (`src/server/`) - [x] **HTTP server** — Axum framework - [x] **WebSocket server** — Protocol v3, JSON-RPC - [x] **Bind mode** — Loopback/LAN/WAN, localhost-only default - [x] **Health endpoint** — /health status check - [x] **Metrics endpoint** — /metrics Prometheus format - [x] **OpenAI API compatibility** — /v1/chat/completions drop-in - [x] **CSRF protection** — session-bound token validation for control endpoints - [x] **Rate limiting** — per-IP quotas - [x] **Resource monitoring** — CPU/memory tracking - [x] **Content Security Policy** — CSP headers - [x] **Control API** — status/channels/config plus task endpoints (`/control/tasks` create/list/get/patch/cancel/retry/resume) - [x] **Graceful shutdown** — 30s drain period #### WebSocket Handlers - [x] **agent.run / agent.cancel** — LLM execution + cancellation - [x] **session.create/load/list/fork/rename/delete/switch** — session management - [x] **config.get/update/reload/validate** — configuration - [x] **exec.approve/deny/list** — exec approval workflow - [x] **system.info** — system metadata + runtime stats - [x] **logs.tail** — streaming log buffer - [x] **skills.status** — skill listing - [x] **cron.*** — cron job CRUD + lifecycle - [x] **tts.speak / tts.voices** — text-to-speech - [x] **voicewake.get / voicewake.keywords** — wake word config - [x] **config.schema** — top-level schema + known keys - [x] **system.last-heartbeat / set-heartbeats** — read last heartbeat + update interval - [x] **system.wake** — enqueue wake system event - [x] **talk.devices** — list selected/default audio devices - [x] **tts.stop** — stop current playback state - [x] **voicewake.test** — validate audioData + return detection sample - [x] **wizard** — setup/channel/agent wizards apply config ### Sessions (`src/sessions/`) - [x] **JSONL format** — append-friendly history - [x] **Compaction** — truncate old messages - [x] **HMAC integrity** — SHA-256 HMAC (metadata + history), enabled by default (`warn` mode migration) - [x] **Session archiving + restoration** - [x] **Session filters** — list/search by criteria - [x] **File locking** — concurrent-safe operations (flock RAII), including per-session-key creation locks - [x] **Retention policies** — age-based cleanup - [x] **Scoping** — channel/session scope + reset policy across ingress ### Tasks (`src/tasks/`) - [x] **Durable queue persistence** — persisted task lifecycle (`queued/running/blocked/retry_wait/done/failed/cancelled`) - [x] **Startup recovery** — stale `running` tasks recover to `retry_wait` - [x] **Background worker loop** — due-task claiming + execution outcome transitions - [x] **Continuation policy budgets** — per-task `maxAttempts/maxTotalRuntimeMs/maxTurns/maxRunTimeoutSeconds` - [x] **Operator mutation primitives** — patch/cancel/retry/resume state transitions with validation guards ### Tailscale (`src/tailscale/`) - [x] **Tailscale serve** — tailnet HTTPS proxy - [x] **Tailscale funnel** — public internet exposure - [x] **CLI wrapper** — async command execution - [x] **Status parsing** — JSON status extraction - [x] **Lifecycle management** — setup / wait / teardown ### TLS (`src/tls/`) - [x] **Self-signed cert generation** — rcgen, 365-day validity - [x] **Auto-generation on startup** - [x] **TLS certificate loading** — PEM format - [x] **SHA-256 fingerprint** — TOFU verification - [x] **mTLS server config** — client cert verification - [x] **mTLS client config** — presents node certificate - [x] **Cluster CA generation** — ECDSA P-256 (`ca.rs`) - [x] **Node certificate issuance** — signed by cluster CA - [x] **Certificate revocation (CRL)** — CRL generation, updates, and enforcement in mTLS handshakes - [x] **Restrictive key permissions** — 0600 on private keys. Not explicitly verified in code. ### Usage (`src/usage/`) - [x] **Daily/monthly summaries** — aggregated usage data - [x] **Session usage tracking** — per-session totals - [x] **Provider/model breakdown** — per-provider and per-model aggregation - [x] **Cost calculation** — per-million-token pricing - [x] **Pricing overrides** — configurable per-model pricing via `usage.pricing` - [x] **Retention + size caps** — daily/monthly/session pruning keeps `usage.json` bounded - [x] **Persistent JSON storage** — pretty JSON format - [x] **Enable/disable tracking** — privacy control ### Tests & CI - [x] **Unit tests (broad coverage)** — 5,000+ tests across modules (validated via regular `cargo nextest run` in local/CI flows) - [x] **Integration tests** — tests/*.rs - [x] **Golden snapshot tests** — insta-based snapshot testing - [x] **Cross-platform CI** — Linux, macOS, Windows matrix - [x] **MSRV enforcement** — Rust 1.93 - [x] **Security scanning** — cargo-audit, cargo-deny, gitleaks, trivy, cargo-geiger