Compatibility matrix
Compatibility matrix
Section titled “Compatibility matrix”The single answer to "we run X + Y + Z; what governance do I get?" Read this before architecture; it's the buyer's first question.
How to read this matrix
Section titled “How to read this matrix”TapPass governs at 5 enforcement positions:
| Position | What it isolates | Type |
|---|---|---|
| LLM gateway | LLM API calls (prompts, responses, tool emissions) | cross-cutting (between processes) |
| MCP broker | Every tool call when MCP is the bus | cross-cutting |
| Harness ring | What tool calls the agent attempts (cooperative; semantic vocabulary) | in-process |
| Kernel ring | Filesystem / network / process at OS level (compulsory; coarse) | in-process |
| Interpreter ring | Code the agent writes — codemode (narrow; hard) | in-process |
A Runtime picks one provider per ring (or marks it absent if the ecosystem doesn't support it). The matrix shows which positions each runtime covers.
Symbols:
- ✓ — full enforcement available; ship-quality v1
- partial — covered with caveats (limited config surface, restart-required updates, etc.)
- ✗ — not enforceable in this ecosystem; lean on adjacent positions
- (planned) — concept stage; on roadmap; not yet shipped
CLI agents (developer laptops + CI)
Section titled “CLI agents (developer laptops + CI)”| Runtime | LLM gateway | MCP broker | Harness | Kernel | Interpreter |
|---|---|---|---|---|---|
claude-code-laptop | ✓ Anthropic redirect | ✓ | ✓ managed settings.json | ✓ nono / sandbox-exec | ✓ monty (when codemode fires) |
claude-code-server | ✓ Anthropic redirect | ✓ | ✓ managed settings.json | ✓ OpenShell | ✓ monty |
codex-laptop (planned Q3) | ✓ OpenAI redirect | ✓ | ✓ ~/.codex/config.toml | ✓ nono / sandbox-exec | partial |
cursor-laptop (planned Q3) | ✓ OpenAI / Anthropic redirect | partial | partial (Cursor config has limited allow/deny) | ✓ nono | ✗ Cursor doesn't expose codemode hooks |
cline-laptop (planned Q3) | ✓ | ✓ | ✓ | ✓ nono | partial |
aider-laptop (planned Q4) | ✓ | partial | ✓ .aider.conf.yml | ✓ nono | partial |
gemini-cli-laptop (planned Q3) | ✓ Vertex / Gemini | ✓ | ✓ | ✓ | ✗ |
windsurf-laptop (planned Q4) | ✓ | partial | ✓ | ✓ | ✗ |
Strongest CLI runtime today: claude-code-laptop and claude-code-server (5/5 coverage).
Self-hosted servers (LibreChat, OpenWebUI, custom on K8s)
Section titled “Self-hosted servers (LibreChat, OpenWebUI, custom on K8s)”| Runtime | LLM gateway | MCP broker | Harness | Kernel | Interpreter |
|---|---|---|---|---|---|
librechat-server (planned Q3) | ✓ multi-provider via base URL | ✓ | ✓ TapPass plugin (intercepts tool calls) | ✓ OpenShell / K8s | ✓ monty (if UI exposes code execution) |
openwebui-server (planned Q4) | ✓ | partial | ✓ TapPass plugin | ✓ OpenShell / K8s | ✓ |
open-devin-server (planned Q4) | ✓ | ✓ | ✓ | ✓ | ✓ |
Sweet spot for self-hosted servers: the LLM gateway is the strong fit (UI configures custom endpoint at TapPass) and OpenShell/K8s providers cover the kernel ring. Harness ring needs a per-UI plugin.
Chat-bot deployments (Element / Slack / Discord / Teams)
Section titled “Chat-bot deployments (Element / Slack / Discord / Teams)”| Runtime | LLM gateway | MCP broker | Harness | Kernel | Interpreter |
|---|---|---|---|---|---|
element-bot (planned Q4) | ✓ multi-provider | ✓ | ✓ matrix-bot-sdk wrapper | ✓ OpenShell / K8s | partial |
slack-bot (planned Q4) | ✓ | ✓ | ✓ bolt-js wrapper | ✓ | partial |
discord-bot (planned Q4) | ✓ | ✓ | ✓ discord.py wrapper | ✓ | partial |
teams-bot (planned Q4) | ✓ | ✓ | ✓ | ✓ | partial |
Bonus governance dimension for chat-bots: channel-aware policy. "This bot in #engineering can WebFetch, in #legal cannot." New manifest dimension on top of the standard cascade.
Why Element specifically matters: Matrix is the de-facto bus for self-hosted regulated environments — governments, defence, healthcare, finance. Strong alignment with the airgapped tappass-platform deployment story.
Custom code (LangChain / CrewAI / direct SDK)
Section titled “Custom code (LangChain / CrewAI / direct SDK)”| Runtime | LLM gateway | MCP broker | Harness | Kernel | Interpreter |
|---|---|---|---|---|---|
langchain-react (canonical, via tappass-agent SDK) | ✓ | ✓ | ✓ via SDK wrap | ✓ OpenShell / nono | ✓ monty |
crewai-multiagent (planned Q4) | ✓ | ✓ | ✓ | ✓ | ✓ |
llamaindex-agent (planned Q4) | ✓ | ✓ | partial | partial | partial |
sdk-direct (raw API calls without SDK wrap) | ✓ | ✗ | ✗ | depends | ✗ |
The canonical adapter is langchain-react — full 5/5 coverage via the tappass-agent SDK. Every other custom-code agent should follow this pattern.
Direct provider API use (no agent framework)
Section titled “Direct provider API use (no agent framework)”| Runtime | LLM gateway | MCP broker | Harness | Kernel | Interpreter |
|---|---|---|---|---|---|
anthropic-direct | ✓ ANTHROPIC_BASE_URL redirect | ✗ | ✗ | ✗ | ✗ |
openai-direct | ✓ OPENAI_BASE_URL redirect | ✗ | ✗ | ✗ | ✗ |
openai-assistants-api | ✓ Assistants API redirect | ✗ (Assistants tools live at OpenAI) | ✗ | ✗ | ✗ |
n8n (planned Q4) | partial (HTTP node base URL) | ✗ | ✗ | ✗ | ✗ |
zapier (planned Q4) | partial | ✗ | ✗ | ✗ | ✗ |
The gateway-only path is real and useful. A customer with custom Python making raw OpenAI calls gets prompt/response audit, PII redaction, budget enforcement, no-train enforcement — via one env-var change. Not full coverage; still a meaningful win.
Vendor-hosted SaaS (out of scope)
Section titled “Vendor-hosted SaaS (out of scope)”| Surface | Why excluded |
|---|---|
claude.ai web UI | Runs on Anthropic infrastructure |
chatgpt.com web UI | Runs on OpenAI infrastructure |
gemini.google.com (in Workspace) | Runs on Google infrastructure |
| Microsoft Copilot | Runs on Microsoft infrastructure |
These are honestly out of scope. We cannot enforce policy on infrastructure we don't control.
Pair with vendor admin tooling (Anthropic Enterprise, Google Workspace AI admin, OpenAI Enterprise, Microsoft 365 admin) for these surfaces. Don't claim coverage we don't have.
What "✓ / partial / ✗" means concretely
Section titled “What "✓ / partial / ✗" means concretely”- ✓ — full enforcement. A policy rule applied at this position will be enforced by the runtime in question. Hot updates supported (or restart-with-state via supervisor).
- partial — covered with caveats. Either:
- Limited config surface (e.g. Cursor's harness has fewer allow/deny semantics than Claude Code's)
- Restart-required for updates (the supervisor handles this)
- Some manifest aspects honored but not others (e.g.
tools.denyworks butnetwork.deny_categoriesdoesn't)
- ✗ — not enforceable here. The ecosystem doesn't expose this position. Lean on adjacent positions (e.g. Cursor's lack of interpreter ring is mitigated by kernel-level egress allowlist; the gateway still catches LLM-side violations).
How to compose for your stack
Section titled “How to compose for your stack”Example 1: "Fintech with Claude Code on laptops + LangChain agents in K8s"
Section titled “Example 1: "Fintech with Claude Code on laptops + LangChain agents in K8s"”| Surface | Runtime | Coverage |
|---|---|---|
| Developer laptops (Claude Code) | claude-code-laptop | 5/5 |
| Production agents in K8s (LangChain) | langchain-react deployed via OpenShell | 5/5 |
Both runtimes apply the same Policy (org floor + project floor + agent overrides). Both emit audit to the same trail. CISO sees one Policy, two runtimes, complete coverage.
Example 2: "SMB with Cursor on laptops + OpenAI Assistants in production"
Section titled “Example 2: "SMB with Cursor on laptops + OpenAI Assistants in production"”| Surface | Runtime | Coverage |
|---|---|---|
| Developer laptops (Cursor) | cursor-laptop | 3/5 (partial harness, no interpreter, no kernel) |
| Production assistants | openai-assistants | 1/5 (gateway only) |
Coverage is less complete but still better than nothing. CISO understands the gaps explicitly. As Cursor and the Assistants API evolve, coverage expands automatically through provider updates.
Example 3: "Healthcare team running custom Python agents on-prem"
Section titled “Example 3: "Healthcare team running custom Python agents on-prem"”| Surface | Runtime | Coverage |
|---|---|---|
All agents (custom Python via tappass-agent SDK) | langchain-react deployed on-prem | 5/5 + airgapped Control plane via tappass-platform |
Full 5/5 enforcement. HIPAA-aligned compliance pack applied. Air-gapped via existing on-prem deployment.
Example 4: "Vendor (Collibra-style) shipping agents to its customers"
Section titled “Example 4: "Vendor (Collibra-style) shipping agents to its customers"”| Surface | Runtime | Coverage |
|---|---|---|
| Collibra Steward Agent (running on customer-managed sandbox) | collibra-steward-laptop (custom recipe: claude-code + nono + monty + tappass-anthropic gateway + mcp-broker) | 5/5 |
| Collibra Steward Agent (running in customer K8s) | collibra-steward-server (custom recipe: claude-code + OpenShell + monty + gateway + broker) | 5/5 |
Vendor-perspective use-case: Collibra ships an agent. Collibra's customers run it. Collibra wants their customers to govern it. TapPass is the substrate Collibra recommends for that governance. Same recipe; many customers; one neutral substrate.
What to ask in a buyer conversation
Section titled “What to ask in a buyer conversation”- Which agent runtimes do you currently use? → maps to runtimes above.
- Are any of those vendor-hosted SaaS? → those are out of scope; pair with vendor admin.
- For the rest, what governance positions do you currently lack? → maps directly to what TapPass adds.
- What's your compliance frame? → maps to compliance packs (EU AI Act, OWASP LLM, GDPR, PCI-DSS, HIPAA, NIS2/DORA).
This matrix is the answer to question 3.
How this matrix evolves
Section titled “How this matrix evolves”- New providers ship → new rows added; coverage shifts ✗ → partial → ✓ over quarters.
- Existing ecosystems release new features (e.g. Cursor adds an interpreter hook) → existing row updates partial → ✓.
- Strategic vendor pivots (e.g. an MCP server vendor ships native TapPass support) → bonus integration; coverage extends.
The matrix is a living document. Update on every provider release. Surface visibly in customer-facing docs.
References
Section titled “References”- TapPass Strategy Memo v3 §06 (rings & targets), §08 (mapping agent surfaces)
concept-cards/provider.md— provider taxonomyconcept-cards/runtime.md— runtime as recipeconcept-cards/keyring.md— manifest aspects mapping to enforcement positions