Maturity matrix
Every feature, gate, and integration in Surety carries a maturity label. The label appears in the PR comment, in the evidence pack, in the docs, and in the README. Stubs cannot masquerade as enforced — that's a product invariant, not a marketing claim.
The four labels
- Enforced — Real implementation; result drives policy outcome. Policy can block.
- Advisory — Real implementation; reports without blocking.
- Experimental — Working code with limited coverage; subject to change.
- Stub — Placeholder; clearly marked; never returns a false pass.
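A worked example of the invariant these labels describe, added here and not part of Surety's own code: it resolves a policy verdict from a set of gate results so that only Enforced failures block, Advisory and Experimental failures are reported, and a Stub that claims a pass is flagged as a violation. The type names, the evidence-pack shape, and treating Experimental as non-blocking are assumptions.

```typescript
// Added example, not Surety's code: a model of the maturity invariant above.
// Type names and the evidence-pack shape are assumptions, not the real schema.
type Maturity = "Enforced" | "Advisory" | "Experimental" | "Stub";
type GateStatus = "pass" | "fail" | "not_evaluated";
interface GateResult { capability: string; maturity: Maturity; status: GateStatus }

interface Verdict {
  blocked: boolean;         // true only when an Enforced gate failed or the pack is invalid
  blockingGates: string[];  // Enforced gates that failed
  advisories: string[];     // non-enforced failures, reported but never blocking
  violations: string[];     // invariant breaches found in the pack itself
}

// Only an Enforced result may drive the policy outcome; all other labels report.
// Assumption: Experimental is handled like Advisory (reports, never blocks).
function canBlock(m: Maturity): boolean {
  return m === "Enforced";
}

// A Stub is a placeholder and must never claim a pass (no "false pass").
function isStubMasquerade(g: GateResult): boolean {
  return g.maturity === "Stub" && g.status === "pass";
}

function evaluatePack(pack: GateResult[]): Verdict {
  const v: Verdict = { blocked: false, blockingGates: [], advisories: [], violations: [] };
  for (const g of pack) {
    if (isStubMasquerade(g)) {
      v.violations.push(`${g.capability}: Stub reported "pass"`);
      continue;
    }
    if (g.status !== "fail") continue;
    if (canBlock(g.maturity)) {
      v.blocked = true;
      v.blockingGates.push(g.capability);
    } else {
      v.advisories.push(`${g.capability} (${g.maturity})`);
    }
  }
  // Assumption: a pack that breaks the invariant cannot be trusted, so it blocks.
  if (v.violations.length > 0) v.blocked = true;
  return v;
}

// Constructed sample pack mirroring rows of the capability table further down.
const samplePack: GateResult[] = [
  { capability: "Secrets scan", maturity: "Enforced", status: "fail" },
  { capability: "SAST", maturity: "Advisory", status: "fail" },
  { capability: "License scan", maturity: "Stub", status: "not_evaluated" },
];
```

Running `evaluatePack(samplePack)` yields a blocked verdict driven solely by the Enforced secrets-scan failure, with the SAST failure listed as an advisory and the stub contributing nothing.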
Why this matters
In a product about evidence and assurance, overclaiming what's enforced is the worst kind of lie. The maturity matrix is how Surety tells the truth about itself in-product, not just in the README.
Examples
| Capability | Today | Notes |
|---|---|---|
| Typecheck gate | Enforced | tsc --noEmit for TS repos |
| Tests gate | Enforced | Project test runner |
| Secrets scan | Enforced | Gitleaks |
| Dependency vulns | Enforced | OSV-Scanner |
| SBOM | Enforced | CycloneDX |
| SAST | Advisory | Semgrep |
| License scan | Stub | Planned for Phase 2 |
| Outcome attribution | Experimental | CI + deploy linkage shipping |
| GitHub Check Run | Draft | In Phase 2 |
| Postgres backend | Coming Soon | Phase 6 (enterprise) |