Status¶

Live status of every component shipped to the public repo. Shipped means it is in main and has tests; Not yet implemented means the surface exists but is intentionally disabled or stubbed pending sign-off.

CLI¶

Surface	Status
`agentlock detect`	Shipped
`agentlock install` (Claude Code, Codex CLI, Codex Desktop, Cursor, Gemini CLI)	Shipped — Codex Desktop uses the shared Codex `~/.codex` hook config and must be trusted from Codex CLI `/hooks`
`agentlock install` (Claude Desktop)	Shipped — wraps every MCP server entry through `agentlock mcp-proxy` so each `tools/call` goes through daemon policy. Both install paths covered: (a) manual `mcpServers` entries in `~/Library/Application Support/Claude/claude_desktop_config.json` (originals preserved under `_agentlock_original`); (b) Desktop Extensions installed via Settings → Extensions UI — each per-extension bundle manifest at `Claude Extensions/<ext-id>/manifest.json` is rewritten in place using the schema-blessed `_meta.agentlock` slot (MCPB v0.3+), with `manifest_version` bumped from 0.1/0.2 → 0.3 when needed so the slot validates. Originals stashed under `_meta.agentlock.original_` for byte-clean restore. Caveat:* Anthropic auto-updates overwrite the wrap on extension version bumps — re-run `agentlock install` after extension updates (a watcher closes this gap; tracked separately). Other surfaces remain out of scope: Computer Use, integrated terminal, native connectors (Slack/GCal), Cowork's non-MCP paths, server-side cloud features. For full local enforcement of an agent harness, use Claude Code. Tracks anthropics/claude-code#45514 for native PreToolUse parity.
`agentlock install` (OpenCode, Cline, Continue, VS Code Copilot)	Not yet implemented — detected but disabled in selector
`agentlock install` (Openclaw, Nemoclaw, Hermesagent, Pi)	Not yet implemented — roadmap; awaiting per-app hook/config investigation
`agentlock install --tier {unattested,software,totp}`	Shipped
`agentlock status`	Shipped
`agentlock doctor`	Shipped — read-only diagnostics for daemon health, ledger verification, policy/session APIs, local harness detection, hook wiring, and hook-vs-daemon URL mismatches
`agentlock signer enroll --tier totp`	Shipped
`agentlock signer enroll --tier os-keychain` (macOS, optional `--ttl`)	Shipped
`agentlock signer enroll --tier yubikey` (PIV / FIDO2)	Not yet implemented
`agentlock session create / rotate / end` (software, totp)	Shipped
`agentlock hook claude-code / codex / codex-desktop / cursor / gemini <event>` shims	Shipped
`agentlock mcp-server` (Claude Desktop MCP stdio server, read-only)	Shipped — exposes status + ledger query tools
`agentlock mcp-proxy` (Claude Desktop tools/call gate)	Shipped — sits between Desktop and each user MCP server, fail-open on daemon-down
`agentlock ledger root / verify`	Shipped
`agentlock fake-hook` (eval / scenario harness)	Shipped
`agentlock dashboard` (open local web dashboard)	Shipped
`agentlock login`	Shipped (password mode only)
`agentlock rules add / sources / sync / search / install / uninstall / remove`	Shipped — backed by openagentlock/rules

Control plane¶

Endpoint group	Status
`/v1/health`	Shipped
`/v1/gates`, `/v1/mode`	Shipped
`/v1/policy/view`, `/v1/policy/gates` (POST/PATCH/DELETE), `/v1/policy/gates/yaml`	Shipped
`/v1/install/plan`, `/v1/install/apply`, `/v1/uninstall`	Shipped
`/v1/mcp/pin/check`, `/v1/mcp/pin/accept`	Shipped
`/v1/sessions/*`, `/v1/sessions/insights`	Shipped
`/v1/ledger/root`, `/v1/ledger/proof/:seq`, `/v1/ledger/verify`	Shipped
`/v1/hooks/claude-code/*`	Shipped
`/v1/hooks/codex/*`	Shipped
`/v1/hooks/codex-desktop/*`	Shipped — probe endpoint; production Desktop coverage uses shared `/v1/hooks/codex/*`
`/v1/hooks/cursor/*`	Shipped
`/v1/hooks/gemini/*`	Shipped
`/v1/hooks/claude-desktop/*`	Shipped — called by `agentlock mcp-proxy`, not by Claude Desktop directly
`/v1/auth` (password)	Shipped
`/v1/auth` (OIDC)	Not yet implemented — stub returns mode hint
`/v1/auth` (LDAP)	Not yet implemented — stub returns mode hint
Signed-PDF report endpoint	Not yet implemented — `501 Not Implemented`
Local web dashboard at `127.0.0.1:7879`	Shipped

Ledger¶

Function	Status
`leaf_hash`	Shipped
`merkle_root` (RFC 6962 odd-tail)	Shipped
`inclusion_proof`	Shipped
`verify_proof`	Shipped
FFI staticlib for Go	Shipped
Ten regression tests in `tests/merkle.rs`	Shipped all green

Policy¶

Gate	Default verdict
`supply-chain.pkg-install`	monitor
`supply-chain.untrusted-mcp`	monitor
`rogue.secret-read`	monitor
`rogue.net-egress`	monitor
`rogue.destructive-bash`	monitor

Flip to mode: enforce at the top of your policy file when you've reviewed activity and are ready to start blocking.

Distribution¶

Channel	Status
`ghcr.io/openagentlock/agentlockd` Docker image	Shipped on tag
`@openagentlock/cli` on npm	Shipped on tag
`pip install openagentlock`	Not yet implemented — Bun-native CLI; pip wrapper is roadmap if demand surfaces

Other surfaces¶

Surface	Status
MCP observation via lifecycle hooks (Claude Code, Cursor, Cline, Gemini CLI, OpenCode)	Shipped on the hook side; OpenCode does not currently fire the pre-tool hook for MCP
MCP fingerprint pinning (`/v1/mcp/pin`)	Shipped
OIDC SSO + RBAC + LDAP	Not yet implemented
Group / scoped policy with inheritance	Shipped — filesystem-backed `group-policy.yaml`, deny-overrides, explicit priority conflict handling; OIDC group source remains under auth epic
Federated deployment (per-dev daemons + central control plane)	Not yet implemented
Signed PDF audit report	Not yet implemented