{
  "assetsProtected": [
    "repository files",
    "repository writes",
    "host commands",
    "outbound network access",
    "MCP calls",
    "agent handoffs"
  ],
  "claimBoundary": "CapitalGuard Enforced Mode controls host-file access, host commands, outbound network access, MCP calls, and agent handoffs originating inside a verified OCI session by removing ambient host authority and exposing privileged operations only through an authenticated gateway broker. Processes launched outside that session and host compromise remain outside its authority.",
  "deniedAmbientAuthority": [
    "host source mount",
    "writable workspace",
    "container network",
    "Linux capabilities",
    "privileged mode",
    "Docker socket",
    "inherited host secrets"
  ],
  "failClosedConditions": [
    "missing OCI runtime",
    "unpinned image",
    "invalid manifest signature",
    "invalid broker token",
    "replayed broker sequence",
    "unsupported operation",
    "missing reviewed adapter"
  ],
  "inScopeThreats": [
    "agent attempts direct repository mutation",
    "agent attempts direct egress",
    "agent attempts broker replay",
    "agent tampers with projection",
    "agent requests an operation outside policy"
  ],
  "outOfScopeThreats": [
    "host kernel compromise",
    "OCI runtime compromise",
    "root-equivalent host attacker",
    "agent started outside Enforced Mode"
  ],
  "schemaVersion": "cg-enforced-mode-threat-model-0.2.0",
  "version": "0.2.0"
}
