This repository was archived by the owner on Feb 24, 2026. It is now read-only.
docs/cli_secured_ops_baseline.md
32 additions & 0 deletions
@@ -13,6 +13,38 @@ Use a curated bundled snapshot:
13
13
- Add authenticated operations required by current CLI wrappers.
14
14
- Exclude admin/internal endpoints from the bundled snapshot.
15
15
16
+
## Declared public API vs CLI-supported coverage baseline
17
+
18
+
-**Declared public API** is the bundled snapshot contract:
19
+
-`71` operations total (`59` public/no-security + `12` authenticated wrapper-backed operations).
20
+
- Exposed through `catalog`/`ops` and reflected in CLI command docs.
21
+
-**CLI-supported coverage baseline** is the same operation set, with one `support_scope` per operation used by harness and release review.
22
+
23
+
## Support matrix (single source of truth)
24
+
25
+
The support scope baseline is stored in `src/agenticflow_cli/public_ops_manifest.json` on each operation record:
26
+
27
+
-`support_scope`: one of `executed`, `blocked-by-policy`, or `unsupported/out-of-scope`.
28
+
-`support_rationale`: operator-facing reason this operation is in its class.
29
+
30
+
Current baseline totals:
31
+
32
+
-`34``executed`
33
+
-`17``blocked-by-policy`
34
+
-`20``unsupported/out-of-scope`
35
+
36
+
Policy semantics:
37
+
38
+
-`executed`: safe read/query/validation/public wrappers that coverage attempts as live API calls.
39
+
-`blocked-by-policy`: command intent exists, but execution is intentionally blocked in harness for safety/policy.
40
+
-`unsupported/out-of-scope`: intentionally not part of the CLI-supported public surface (internal, unsupported workflow, or unimplemented wrapper contract).
41
+
42
+
## Release interpretation of support rows
43
+
44
+
-`executed`: release as supported/available behavior. These operations are expected to remain runnable in public smoke checks.
45
+
-`blocked-by-policy`: keep listed as “declared public API, unavailable by policy” in release notes and include policy rationale.
46
+
-`unsupported/out-of-scope`: do not promote as supported features; these are intentionally outside the CLI contract even if visible in discovery.
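Review bot: The `blocked-by-policy` bullet under "Policy semantics" says execution is blocked "in harness", while the release section lists the same operations as "declared public API, unavailable by policy", and the doc never says whether the CLI itself refuses these 17 operations at runtime or only the coverage harness skips them. Please state which layer enforces the block; if it is harness-only, "unavailable by policy" overstates what is actually enforced and the release wording should say so. Separately, the `unsupported/out-of-scope` bullet covers "internal" operations that remain "visible in discovery", which conflicts with the unchanged context line "Exclude admin/internal endpoints from the bundled snapshot"; either remove those records from the snapshot or explain why internal operations stay inside the 71-operation contract exposed through `catalog`/`ops`. The hard-coded totals (71 = 59 + 12, and 34 + 17 + 20) are consistent as written but will drift from `src/agenticflow_cli/public_ops_manifest.json`; a check that derives them from the manifest, and rejects any record whose `support_scope` is missing or outside the three listed values, would keep the "single source of truth" claim honest.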