This page tracks the real shipping state of every major capability in Wayland Core v0.9.6-rc.1. It is the authoritative reference when any other page describes a feature as working; if the status here says partial or not-wired, that qualification takes precedence.
Legend:
- Shipped: present, wired to production call sites, tested.
- Partial: the code exists and runs in the described scope; the stated gap is real and not a minor edge case.
- Offline-only: runs, but only outside the live agent session (separate process, separate binary, or compile-time gate).
- Not-wired: the code exists (often well-structured) but is not yet connected to the production path it is meant to gate or enforce.
Source: code audit of wcore-* crates at v0.9.6-rc.1 and the research artifacts at .planning/core-research/CORE-TRUTH.md + .planning/readme/CAPABILITY-MATRIX.md.
| Capability | Status | Notes |
|---|
~20 providers via LlmProvider trait | Shipped | 20 ProviderType factory arms in wcore-providers/src/lib.rs. 5 native wire implementations (Anthropic, OpenAI, Bedrock, Vertex, Gemini) + ~15 OpenAI-compatible newtypes + catch-all. |
ProviderCompat declarative quirks | Shipped | wcore-config/src/compat.rs. All provider differences (field names, schema sanitization, streaming shape) are config data, not conditionals. |
| Resilience stack: retry, key-rotation, circuit breaker, failover chain | Shipped | failover.rs, retry.rs, key_rotation.rs, resilient.rs, cooldown.rs, chain.rs in wcore-providers. |
| Smart routing: Cheap / Premium tiers | Partial | RequestShape routing to Cheap/Premium tiers is wired. The code_heavy signal that would activate the Balanced tier is hardcoded 0.0 and never fires. Do not describe code-aware routing as active. |
| Provider count via routers | Shipped (with framing) | ~20 direct integrations. Several are routers (OpenRouter, Flux Router, Together, Fireworks) that front hundreds of additional models. Flux Router’s production base URL is currently a placeholder in the config. |
| Bedrock / Vertex per-model pricing | Partial | Only claude-opus-4-7 has a full Bedrock/Vertex price entry; other models fall back to Opus rates and may overcharge. |
| Capability | Status | Notes |
|---|
| ~60+ tools in the registry | Shipped | ~75 .rs files under wcore-tools/src/, registered in bootstrap.rs:426-711. |
| ~50 always-on tools | Shipped | File, shell, search, git, and core utility tools present unconditionally when the binary runs. |
| ~15 availability-gated tools | Shipped | Cloud, media, scheduling, and integration tools are absent from the tool list when their required credentials or system dependencies are not present (NO-STUBS contract). |
| Tool timeouts (per-category) | Shipped | Exec 600s, MCP 120s, Info/Edit 30s. Configured in the agent engine. |
| Capability | Status | Notes |
|---|
Linux bubblewrap (bwrap) | Shipped | Namespace isolation (PID, IPC, UTS, cgroup, user, network), --die-with-parent, --clearenv, minimal fs skeleton. Requires bwrap in PATH. |
| Linux Landlock LSM | Shipped (opt-in build) | wcore-sandbox/src/bwrap_landlock.rs, cargo feature landlock. Linux 5.13+; degrades gracefully on older kernels. Not compiled into the default binary. |
| Linux seccomp-bpf | Shipped (opt-in build) | wcore-sandbox/src/bwrap_seccomp.rs, cargo feature seccomp. SyscallPolicy::Strict only. Requires libseccomp at build time. Not compiled into the default binary. |
Linux AllowHosts DNS gate in bwrap | Not-wired | bwrap has no per-hostname network filter. The bwrap backend can deny the network namespace entirely (NetworkPolicy::Deny) but cannot allow a named-host allowlist. |
| macOS sandbox-exec | Shipped | Deny-default SBPL profile. Tahoe (macOS 26.x) zsh init fix baked in. |
macOS mach-lookup filtering | Not-wired | mach-lookup is intentionally unfiltered in the SBPL profile because the minimum set of Mach services needed for a functional shell is not yet enumerated. |
| Windows AppContainer | Partial | AppContainerBackend activates when the real-spawn probe passes. Per-path filesystem ACL grants are not yet wired; the interim posture is process-level default-deny without fine-grained path ACLs. |
| Docker backend | Shipped (opt-in) | DockerBackend, cargo feature live-docker. Activated via WAYLAND_SANDBOX=docker when the Docker socket is reachable. |
| Fail-closed default | Shipped | If no real backend is available and WAYLAND_ALLOW_NO_SANDBOX=1 is not set, the engine refuses to execute the command rather than degrading silently. |
WAYLAND_ALLOW_NO_SANDBOX double-key opt-out | Shipped | WAYLAND_SANDBOX=none alone is not sufficient; WAYLAND_ALLOW_NO_SANDBOX=1 must also be set. |
| Capability | Status | Notes |
|---|
| Egress gate on by default | Shipped | SecurityConfig::default().enabled = true (wcore-config/src/config.rs:143). install_egress_policy runs at CLI startup (main.rs:1160) and at workflow entry (workflow.rs:187). |
| 4-tier classifier (Allow / Ask / Exfil / Deny) | Shipped | wcore-agent/src/egress/classify.rs. |
| 38+ shared-platform exfil class (cannot be apex-allowlisted) | Shipped | Hardcoded in the classifier; these hosts can never be promoted to Allow regardless of user config. |
| Clippy-enforced reqwest ban | Shipped | clippy.toml disallowed-methods list. Raw reqwest::Client::new/builder fails CI workspace-wide. |
| Capability | Status | Notes |
|---|
wcore-permissions ACL, bearer tokens, learned approval policy | Not-wired | The crate is well-structured and enforced in integration tests as of M5.8. It is not yet wired to production tool-dispatch call sites. The enforcing layers that are active today are: egress gate, sandbox, tool-approval protocol, and budget caps. |
| Sandbox-to-permissions integration | Not-wired | The sandbox and permissions layers are not yet integrated with each other. |
| Tool approval protocol (ToolApprove / ToolDeny / ApprovalResume) | Shipped | wcore-protocol/src/commands.rs. ToolApprovalManager with TTL reaper (300s), tool-name-scoped Always, prefix-scoped AlwaysPrefix. |
| Capability | Status | Notes |
|---|
| MCP client: stdio / SSE / streamable-HTTP | Shipped | wcore-mcp/src/manager.rs. Full initialize + tools/list handshake, deferred loading default, per-turn top-K curation (default 15), cancellation-aware calls. |
MCP server: wayland-core mcp-serve | Partial | The server starts and accepts connections over --transport stdio or --transport sse. It advertises tool names. tools/call dispatch to the engine’s own tool catalog is not yet wired; the known stub tools return NOT_IMPLEMENTED. Wayland Core can act as an MCP server for discovery purposes; it does not yet expose a working tool catalog over MCP to calling clients. |
| MCP-bridge plugins | Shipped | Any conformant MCP binary can be wrapped as a plugin via a manifest; no adapter code required. |
| Runtime MCP injection over host protocol | Shipped | AddMcpServer command / McpReady event in wcore-protocol. |
skill:// resource auto-discovery | Shipped | Skills are auto-discovered at boot via skill:// URIs as MCP resources. |
| Capability | Status | Notes |
|---|
| ACP HTTP/SSE + stdio + WebSocket JSON-RPC 2.0 | Shipped | wcore-acp/src/{server,client,protocol,auth,turn}.rs + a2a/. acp serve CLI subcommand. |
message/send engine bridge | Shipped | The process_message stub is replaced; calls route to the real engine. Test acp_turn_streams_text_then_done passes. |
| A2A task routing | Shipped | A2A handler routes tasks to the engine. Test a2a_on_message_routes_task_to_engine passes. |
| Full session-option parity (system_prompt, complete history) | Partial | Not confirmed across all session options. Prefer --json-stream as the primary embedding surface; ACP is additional. |
| A2A task methods: 4 deferred methods | Not-wired | Four A2A task methods are deferred in the current implementation. The A2A handler echoes ack: for some paths. |
| Capability | Status | Notes |
|---|
| GEPA offline evolutionary optimizer | Offline-only | wcore-evolve binary. 4 mutators, plateau termination, graveyard, CuratorPort, PromptStore. Runs as a separate process against the eval harness, not in-session. Online evolution from live sessions is explicitly out of scope until W11+. |
| In-session skill drafter (U6) | Shipped | After 3 successful runs on the same task shape, the drafter auto-writes a skill to disk, registers it in-process, and seeds SkillRouter for the next session. Every draft has needs_review: true. |
| Capability | Status | Notes |
|---|
| Slack, Discord, Telegram, Signal, WhatsApp, SMS, Email, Matrix, iMessage | Shipped | Full send and receive for these 9 adapters. |
| MS Teams | Partial | Send-only. Inbound (receiving messages from Teams) is deferred to v0.8.3. |
| iMessage | Partial | macOS only. Not available on Linux or Windows. |
| Channel auto-registration | Shipped | wcore-channels-registry auto-registers configured adapters from ~/.wayland/channels/*.toml. |
| Capability | Status | Notes |
|---|
| 5-field cron expressions, 3 target types | Shipped | wcore-cron. Slash command, channel message, and skill targets. CLI + cronjob LLM tool + detachable daemon. |
| Integrity-tagged job store | Shipped | Per-host keyed integrity tag with three-state tamper detection (valid / no-tag-legacy / mismatch-tamper) in wcore-cron/src/store.rs. This is a dependency-free keyed hash, not a cryptographic HMAC. |
| Daemon skill/channel sinks | Partial | In standalone daemon mode (no live engine session), skill and channel targets log the trigger but do not execute. Slash-command targets work unconditionally. |
| Capability | Status | Notes |
|---|
7-axis ExecutionBudget tree, CapWarn / CapBlock | Shipped | wcore-budget. CapWarn at 80%, CapBlock at limit. |
| Budget charge integrity | Partial | charge() trusts caller-supplied USD. BearerToken uses SHA-256(secret ‖ payload), not a true HMAC. Suitable for honest cost tracking; not adversarially tamper-proof. |
| Capability | Status | Notes |
|---|
| macOS (CGEvent) | Shipped | Requires Accessibility permissions. First-time-per-app HITL approval gate. |
| Linux X11 (XTest) | Shipped | |
| Linux Wayland (wlrctl / grim) | Partial | Refuses on restricted compositors: GNOME Mutter and Hyprland do not expose the required Wayland protocols. Works on compositors that implement wlr-layer-shell. |
| Windows (UI Automation) | Shipped | |
| Capability | Status | Notes |
|---|
| Camoufox sidecar (default) | Shipped | Requires the Camoufox sidecar running at localhost:9377. WebFetch (non-interactive HTTP fetch) works without the sidecar. |
chromiumoxide CDP backend | Shipped (opt-in build) | Cargo feature chromium. Requires a Chromium binary at runtime. |
| Browserbase cloud backend | Shipped (env-gated) | Cargo feature browserbase. Requires BROWSERBASE_API_KEY + BROWSERBASE_PROJECT_ID at runtime. |
| Arbitrary JS execution | Not available by design | The browser surface is ARIA-tree-first with a defined 18-op surface. Arbitrary JavaScript execution is not exposed. |
| Capability | Status | Notes |
|---|
--login / --logout Anthropic OAuth | Not confirmed | Wired in the CLI surface (auth.rs). End-to-end backend functionality is not confirmed. Do not document as working. |
/auth google-meet OAuth | Not confirmed | Same: CLI surface exists; backend not confirmed functional. |
| Encrypted credential vault (OS keychain + Argon2id + XChaCha20-Poly1305) | Shipped | wcore-config/src/ using keyring, argon2, chacha20poly1305, rpassword. |
| Capability | Status | Notes |
|---|
--json-stream protocol | Shipped | 10 inbound commands, ~25 event types, honest retryable flag, mid-turn Stop. wcore-protocol. |
ApprovalResume command (engine side) | Shipped | Present in wcore-protocol/src/commands.rs. |
ApprovalResume command (Desktop side) | Not-wired | Wayland Desktop’s WCoreCommand union is missing this arm. HITL-gated tool calls dispatched from the Desktop GUI can hang until the Desktop-side fix lands. The engine contract is correct; the gap is in the Desktop app. |
| Capability | Status | Notes |
|---|
| 5-partition x 3-tier SQLite store, auto-memorize, decay | Shipped | wcore-memory. Auto-memorize on by default. |
Local BGE embedder (bge-small via candle) | Shipped (default on) | local-embedder cargo feature, on by default in wcore-memory. Opt-out by building without it. |
| OpenAI / Voyage cloud embedders | Shipped (env-gated) | Available when the respective API keys are present. |
| Hashed embedder (default when no provider configured) | Shipped | Used when no embedder backend is configured; functional but produces lower-quality recall. |
| Capability | Status | Notes |
|---|
| Trace schema, span sinks, 28-pattern PII scrubber | Shipped | wcore-observability. PII scrubbing on all trace output. |
| OTLP export | Shipped (opt-in build) | Cargo feature otlp in wcore-observability. Off by default; enables opentelemetry-otlp. |