Status — what's shipped, what's concept, what's planned
Single global view across the entire architecture. What a partner / customer / new colleague gets today vs. what's on the roadmap. Updated alongside roadmap reviews.
Status legend:
| Symbol | Meaning |
|---|---|
| ✅ shipped | Running in production today (tappass/ codebase + deployed) |
| 🟡 partial | Primitives shipped but not yet wired into the canonical architecture |
| 🔵 concept Q3 2026 | On the Q3 2026 roadmap |
| 🔷 concept Q4 2026 | On the Q4 2026 roadmap |
| 📋 planned 2027+ | Beyond H2 2026; demand-driven |
| 📅 calendar-bound | Operational work; not engineering weeks (e.g. SOC 2 audit) |
Shipped today (✅)
What exists in the TapPass codebase right now and is in production use:
| Capability | Where | Notes |
|---|---|---|
| LLM Gateway — OpenAI compat | tappass/gateway/ | POST /v1/chat/completions, base-URL redirect |
| LLM Gateway — Anthropic native | tappass/gateway/ | POST /v1/messages |
| LLM Gateway — MCP server | tappass/gateway/mcp_server.py | Inbound MCP traffic from Claude Code etc. |
| LLM Gateway — Tool execute | tappass/gateway/ | POST /v1/tools/execute |
| LLM Gateway — Capability tokens (ES256) | tappass/gateway/ | Verifiable offline via JWKS |
| LLM Gateway — LiteLLM (100+ providers) | tappass/gateway/ | Cohere, Mistral, Azure OpenAI, self-hosted |
| LLM Gateway — Streaming + circuit breaker | tappass/gateway/ | Production resilience |
| 32-step pipeline | tappass/gateway/ | PII / secrets / exfil / scan_output / detect_prompt_injection |
| OpenShell sandbox | tappass/sandbox/ | Kernel-ring primitive: Landlock + L7 network + Forbidden Zones (74 paths) |
| nono capability sandbox | tappass/sandbox/ | Laptop kernel-ring primitive |
| Trust tiers (observer / worker / standard / full) | tappass/sandbox/trust_tiers.py | Coarse capability grading |
| Credential hiding | tappass/sandbox/ | inference.local proxy; agents never see real keys |
| Exfil blocklist (60+ destinations) | tappass/sandbox/ | Paste services, webhooks, cloud-storage exfil |
| Hash-chain audit | tappass/ | SHA-256 chained; verify_integrity() passes |
| ES256-signed mandates | tappass/ | Per-allow signing; offline-verifiable |
| Single trace_id propagation | tappass/ | Threaded through every governed call |
| Verify-integrity routine | tappass/ | Recomputes hash chain; flags tampering |
| Intent-to-policy authoring substrate | live on main | ~470 tests; 11 functions / 7 categories / 13 concerns / 22 capabilities / 30 tools |
| Authoring resolver (~40 LOC) | live on main | function + categories → effective pipeline |
| BYOK LLM keys | tappass/ | vault_llm_keys table; per-org AAD; KMS envelope |
| tappass quickstart CLI | tappass-sdk/tappass/_cli.py | Zero-config Runtime entrypoint |
| tappass run CLI | tappass-sdk/tappass/_cli.py | Wraps agent invocations |
| SSE policy push (primitive) | tappass-sdk/ | Live update notifications |
| Catalog admin Tools tab | dashboard | Read API |
| Forbidden zones (74 paths) | tappass/sandbox/ | Critical paths denied by default |
| Browser monitor + credential monitor | tappass/sandbox/ | Background daemons |
| tappass-platform license server | tappass-platform/ | Airgapped on-prem option |
| GCP managed SaaS deployment | staging.tappass.ai, app.tappass.ai | Cloud Run + Terraform IaC |
| OSS license compliance gates | 4 repos | liccheck + CycloneDX SBOM in CI |
About 60% of the architecture already exists in some form. The structural gaps are the canonical Compiled Policy + provider abstraction + signed sync + 3-CLI separation — the MCS work for Q2 2026.
Partial (🟡) — primitives exist, not yet in canonical architecture
| Capability | What's there | What's missing |
|---|---|---|
| Tool catalog | Read API + 30 curated tools | Per-tenant write API + per-tenant override patterns A/B/C |
| Runtime tool discovery | Capture in registry/tools.py (in-memory) | Promotion path to catalog table; review queue UI; default-deny enforcement |
| OpenShell as a Provider | OpenShell primitive shipped | Provider wrapper that consumes the Compiled Policy |
| Audit-driven tool classification | Audit captures tool calls | Classification wizard surfacing unknown tools |
Each of these has working primitives but isn't yet wired through the new architecture (Compiled Policy → Provider → Runtime → Sandbox).
Concept Q3 2026 (🔵) — the MCS quarter
| Component | Why this quarter |
|---|---|
| Canonical Compiled Policy | MCS piece 1 — canonical IR, signed, versioned |
| Cascade merge engine | Org / project / agent merge; gates the policy compiler |
| Policy compiler (Policy → Compiled Policy) | MCS — the "Terraform plan" of TapPass |
| Live policy push channel | MCS piece 3 — push/pull/reconcile |
| Agent registry / state store | MCS piece 4 |
| tappass management CLI | Operator surface |
| tappass-host runtime CLI/daemon | Host surface; receives sync |
| tappass-agent SDK + thin CLI | Agent surface; read-only library |
| Kernel ring provider (OpenShell + nono wrapper) | MCS piece 2 — first kernel provider |
| Harness ring provider (Claude Code) | MCS piece 2 — first harness provider |
| Codex CLI provider (parallel to MCS, post) | First post-MCS provider |
| MCP-forward in gateway/ | MCP broker (cross-cutting) |
| Per-org MCP-server registry | Approved upstreams |
| schema_acl + loop_guard pipeline steps | Tool-call enforcement |
| EU AI Act compliance pack | Q3 compliance v1 |
| OWASP LLM Top 10 compliance pack | Q3 compliance v1 |
| Public trust page expansion | Trust posture surface |
Q3 critical path: get MCS provable end-to-end with at least 3 reference customers.
Concept Q4 2026 (🔷) — Control v1 GA
| Component | Why this quarter |
|---|---|
| Onboarding wizard | Visual authoring for non-engineers |
| Pre-deployment evaluator | Probe suite + CI integration |
| OWASP LLM probe library v1 | First probe library |
| Behavior drift monitor | Single-tenant runtime drift detection |
| Interpreter ring provider (Monty) | Codemode containment |
| Cursor / Cline / Aider providers | Additional CLI ecosystems |
| LibreChat plugin (server-shape harness) | First server-shape surface |
| Element / Slack / Discord / Teams bot SDKs | Chat-bot surface coverage |
| gVisor / Firecracker / K8s providers | Cloud-shape kernel coverage |
| Marketplace v1 + 3 certified policy packs | Switching-cost lock-in |
| Reconciler enhancements | Cross-fleet drift signals |
| GDPR / PCI-DSS / HIPAA packs (may slip to Q1) | Compliance v2 |
Planned 2027+ (📋)
| Component | Why later |
|---|---|
| Cross-customer Intelligence | Requires Q3-Q4 telemetry scale |
| MCP / skill vulnerability disclosure channel | Requires Intelligence substrate |
| Federated multi-tenant cascade | Requires multinational customer pull |
| Compliance v3 (NIS2, DORA, jurisdictional) | Demand-driven |
| ISO 27001 certification | 2027 calendar |
| SOC 2 Type 2 certification | 2027 H1 (after Type 1 closes Q4 2026) |
| n8n / Zapier / CrewAI / LlamaIndex providers | Demand-driven |
| Browser-based agent governance | Research stage |
| Custom probe authoring SDK | After core probe library proves |
Calendar-bound (📅) — operational, not engineering
| Item | Calendar |
|---|---|
| SOC 2 Type 1 readiness assessment | Q3 2026 |
| SOC 2 Type 1 fieldwork | Q3-Q4 2026 |
| SOC 2 Type 1 report issued | Q4 2026 |
| Trust center page expansion | Q3 2026 (ongoing) |
| Sub-processor disclosure refresh | quarterly |
| External legal review of compliance packs | Q3 2026 (gating any public claim) |
| SOC 2 Type 2 prep | Q1 2027 |
| ISO 27001 prep | 2027 |
Status by buyer-question
When a buyer asks "can I do X today?":
| Buyer question | Today | Q3 2026 | Q4 2026 | 2027 |
|---|---|---|---|---|
| Govern Claude Code on dev laptops | partial (gateway redirect via SDK) | ✅ end-to-end via MCS | + dashboard | + drift detection |
| Govern LangChain agents in K8s | partial (SDK govern wrapper) | ✅ end-to-end | + cross-fleet view | + Intelligence |
| Govern Cursor | gateway-only | + harness provider | partial coverage | full coverage |
| Govern OpenAI Assistants API | gateway-only | gateway-only | gateway-only | gateway-only (out of scope for deeper) |
| Apply EU AI Act compliance pack | ✗ | ✅ | + auditor report | + monitoring |
| Pre-deployment evaluation | ✗ | ✗ | ✅ | + custom probes |
| Cross-customer threat intelligence | ✗ | ✗ | ✗ | ✅ |
| SOC 2 Type 1 attested | ✗ | in flight | ✅ end of Q4 | + Type 2 (Q1) |
| Govern n8n workflows | ✗ | ✗ | partial (gateway only) | depends on demand |
What changes when
This file is updated alongside the roadmap. Every monthly review:
- Move shipped items from concept → ✅
- Update partial items as they're wired through
- Reflect any pushed-out work (concept Q3 → concept Q4 if scope shifts)
- Add new items as roadmap evolves
References
- OVERVIEW.md — 1-pager with shipped-vs-concept summary
- PRODUCT-ALIGNMENT.md — which product each component lives in
- COMPATIBILITY-MATRIX.md — per-ecosystem coverage
- concepts/minimum-credible-substrate.md — Q3 critical path
- roadmap/2026-h2.md — week-level sequencing
- components/README.md — per-component status