Runner capability matrix

3 min readReferenceUpdated 2026-05-19

What you'll find here

The validated capability and trust profile every runner adapter exposes. The matrix is the capability-profile input the prompt compiler consumes, and it is what governance checks consult to decide whether a side effect is supported, needs an explicit grant, or must be denied outright.

Conservative by default.

Every capability defaults to grant_required=True. Built-in matrices only relax the requirement for read-only or structured-result outputs. Adding a runner that wants broader authority must declare it explicitly — silence is denial.

Shape

The matrix is the RunnerCapabilityMatrix model (craik.runner_capability_matrix, version 0.1.0). It bundles four things:

runner

Stable RunnerMetadata snapshot — id, name, adapter, mode, declared capabilities.

trust

RunnerTrustProfile — level, boundary statement, default grant posture, receipt and redaction requirements.

capabilities

List of RunnerCapability entries, one per named capability.

policy_notes

Free-text operator guidance that travels with the matrix.

RunnerCapability entries

Field

Type

Meaning

name

str

The capability identifier — see the canonical set below.

support

"unsupported" · "prompt-handoff" · "supported"

How the runner provides this capability.

grant_required

bool

Whether use of the capability needs an explicit grant on top of the trust profile. Defaults to True.

notes

str | None

Optional per-capability rationale.

Canonical capability names

file.read

file.write

shell.execute

network.access

memory.read

memory.write

review.comment

result.structured

Provider runners additionally publish model.chat, model.streaming, model.tool_calls, model.structured_output, and model.usage_metadata to describe the live calls they perform.

Built-in matrices

default_runner_capability_matrices() ships a conservative built-in for every runner Craik knows about. get_runner_capability_matrix(runner_id) returns one by id and raises KeyError with the known set if the id is unknown.

Runner id

Mode

Default posture

codex

live

Medium trust; prompts for approval on side effects; supports the full capability set.

claude

prompt-handoff

Medium trust; deny-by-default; side effects return through Craik review and receipt flows. No shell or network.

gemini

prompt-handoff

Low trust; deny-by-default; read- and review-oriented in v0.1.0. No file writes, shell, network, or memory writes.

fixture

fixture

High trust deterministic in-process adapter for contract tests. Does not widen runtime authority.

provider_openai, provider_openai_responses, provider_openai_chat, provider_local_openai_compatible, provider_local_ollama, provider_local_lm_studio, provider_local_vllm

live

Provider runtime; medium trust; prompts for approval. Network is supported; filesystem, shell, and memory are unsupported.

provider_anthropic, provider_anthropic_messages

live

Provider runtime; medium trust; secret references and receipts required for every call.

Helpers

Function

Signature

What it returns

capability_supported

(matrix, name) -> bool

Direct support only — True when an entry has support == "supported". Prompt-handoff and unsupported both return False.

capability_requires_grant

(matrix, name) -> bool

Reads the entry's grant_required. Unknown capabilities are treated as grant-required.

Unknown capability ⇒ grant required.

capability_requires_grant returns True for any capability name the matrix does not enumerate. New capability names cannot quietly bypass the grant flow — they must be added to the matrix first.

What's next

ReferenceRunner adapter contractHow adapters consume the matrix and surface results.ReferenceRunner metadataThe stable identity snapshot embedded in every matrix.ReferencePrompt compilerThe component that compiles tasks against the runner's capability profile.ReadGovernanceWhy capability and grant decisions are receipt-backed.