Crosswake Support Matrix
This guide stays narrow and proof-oriented. The published iOS and Android shell claims
below are backed by the checked-in example hosts plus the generated-shell verification
hooks that now pass on the same host-owned artifact classes adopters ship.
The default non-local generator path resolves native shell cores from github.com/szTheory/crosswake-shell-core-ios
and Maven Central io.github.sztheory:crosswake-shell-core-android at the Crosswake
Hex package version; the release-time clean-room proof promotes that path after the
coordinated cut.
Status Legend
- supported
- verification required
- unsupported
Phoenix
| Target | Version | Baseline | Proof Status | Proof Hook | Boundaries | Notes |
|---|---|---|---|---|---|---|
| phoenix | ~> 1.8 | supported | supported | phase-2-proof-lane | - | Phoenix host install and manifest generation are the stable baseline. |
LiveView
| Target | Version | Baseline | Proof Status | Proof Hook | Boundaries | Notes |
|---|---|---|---|---|---|---|
| phoenix_live_view | ~> 1.1 | supported | supported | phase-2-proof-lane | View Boundaries | LiveView remains server-owned and route-first. |
iOS
| Target | Version | Baseline | Proof Status | Proof Hook | Boundaries | Notes |
|---|---|---|---|---|---|---|
| ios | 17.0 | supported | supported | script/verify_generated_ios_shell.sh | View Boundaries | Host-owned iOS shell boot is proof-backed by the checked-in example host and generated-shell verification hook. |
Android
| Target | Version | Baseline | Proof Status | Proof Hook | Boundaries | Notes |
|---|---|---|---|---|---|---|
| android | 26 | supported | supported | script/verify_generated_android_shell.sh | View Boundaries | Android shell boot is supported based strictly on JVM hermetic CI evidence. |
Shell Artifacts
| Target | Version | Baseline | Proof Status | Proof Hook | Boundaries | Notes |
|---|---|---|---|---|---|---|
| ios_shell | Hex-matched | supported | verification required | clean-room-proof-ios; script/verify_generated_ios_shell.sh | View Boundaries | Default non-local scaffolds resolve https://github.com/szTheory/crosswake-shell-core-ios.git via SwiftPM at the Crosswake package version; release-time clean-room proof confirms external resolution and swift build. |
| android_shell | Hex-matched | supported | verification required | clean-room-proof-android; script/verify_generated_android_shell.sh | View Boundaries | Default non-local scaffolds resolve io.github.sztheory:crosswake-shell-core-android via Maven Central at the Crosswake package version; release-time clean-room proof confirms external resolution and gradle build. |
Capability Families
| Family | Owner | Posture | Baseline | Proof Status | Package | Proof | Rebuild | Prerequisites | Denial | Fallback | Guide |
|---|---|---|---|---|---|---|---|---|---|---|---|
| app_info | bounded_bridge | bounded_bridge | supported | verification required | core | merge-blocking | none | declared route capability; bounded bridge support | undeclared_capability | Phoenix route continues without native app metadata | Guide |
| deep_link | activation | activation_first | supported | supported | core | merge-blocking | none | bundled or cached manifest; shell activation support; explicit route entry approval | route_unavailable | show route unavailable surface that distinguishes inactive routes from routes that reject external entry | Guide |
| document_scan | native_screen | native_screen | supported | supported | defer | advisory | companion-required | document-scan runtime; policy-heavy proof lane | unavailable_capability | defer document scan support until native and proof posture are explicit | Guide |
| entitlement_snapshot | backend_seam | backend_seam | supported | verification required | core | merge-blocking | companion-required | backend entitlement authority; reconciliation hook; freshness posture (fresh/stale/unknown) surfaced before access checks | unavailable_capability | Fail closed for access decisions when snapshot freshness is stale or unknown until refreshed backend authority is available; pending and awaiting_verification states never grant entitlement. | Guide |
| file_picker | bounded_bridge | transfer_backed | supported | verification required | core | merge-blocking | native-required | declared transfer_id; bounded bridge support; inbound native_picker transfer seam; copy-first staged handle plus transfer verification | undeclared_capability | keep the route on Phoenix-owned import guidance until a copy-first native_picker seam is declared and verified | Guide |
| haptics | bounded_bridge | bounded_bridge | supported | verification required | core | merge-blocking | none | declared route capability; bounded bridge support | undeclared_capability | Phoenix route continues without native confirmation feedback | Guide |
| media_capture | native_screen | native_screen | supported | verification required | companion | merge-blocking | native-required | native screen route; capture pack availability | pack_incompatible | fail closed instead of degrading into a bounded web upload flow | Guide |
| notification_token | bounded_bridge | provider_snapshot | supported | verification required | companion | advisory | companion-required | declared route capability; bounded bridge support; notification authorization already resolved; provider token snapshot available | unavailable_capability | treat notification token replies as provider-tagged evidence instead of backend registration truth | Guide |
| paywall_entry | backend_seam | backend_seam | supported | verification required | core | merge-blocking | companion-required | backend entitlement contract; storefront guidance | unavailable_capability | fall back to Phoenix-owned paywall guidance without device authority | Guide |
| permissions.status | bounded_bridge | alias_snapshot | supported | verification required | core | merge-blocking | none | declared route capability; bounded bridge support; notifications alias only | undeclared_capability | route continues without native notification permission snapshot authority | Guide |
| purchase_intent | backend_seam | backend_seam | supported | verification required | core | merge-blocking | companion-required | backend reconciliation; provider-specific adapter | unavailable_capability | treat purchase events as reconciliation inputs, not entitlement truth | Guide |
| reconciliation_evidence | backend_seam | backend_seam | supported | verification required | core | merge-blocking | companion-required | backend reconciliation; device callback or webhook; pending and awaiting_verification reconciliation states stay non-granting | unavailable_capability | Treat device/storefront/webhook/support evidence as non-authoritative reconciliation input; pending_purchase, pending_restore, and awaiting_verification remain non-granting until backend projection refreshes authority. | Guide |
| restore_intent | backend_seam | backend_seam | supported | verification required | core | merge-blocking | companion-required | backend reconciliation; storefront-aware adapter | unavailable_capability | keep restore flow backend-owned until adapter truth is explicit | Guide |
| scanner | native_screen | native_screen | supported | supported | defer | advisory | companion-required | scanner-native runtime; policy-heavy proof lane | unavailable_capability | defer scanner support until native and proof posture are explicit | Guide |
| share | bounded_bridge | bounded_bridge | supported | supported | core | advisory | none | truthful semantic share contract | undeclared_capability | keep content in the Phoenix-owned route until a share family is declared | Guide |
Commerce Corridors
| corridor_role | owner_posture | prerequisite_classes | prerequisites | denial_codes | fallback_behavior | proof_class | rebuild_requirement |
|---|---|---|---|---|---|---|---|
| paywall_entry | phoenix_owned | route_declaration; backend_reconciliation | route declares commerce corridor binding; backend entitlement contract available | commerce.corridor.undeclared; commerce.corridor.entry_denied; commerce.corridor.origin_denied | Keep the paywall route Phoenix-owned and return explicit declaration guidance when a corridor check fails. | merge-blocking | native_rebuild_required=false: Core route/manifest metadata only — Phoenix-owned paywall changes do not require a native shell rebuild. |
| account_management | phoenix_owned | route_declaration; backend_reconciliation | route declares commerce corridor binding; backend entitlement projection available | commerce.corridor.undeclared; commerce.corridor.policy_blocked; commerce.corridor.prerequisite_missing | Return to backend-owned account management guidance and fail closed until prerequisites are restored. | merge-blocking | native_rebuild_required=false: Core route/manifest metadata only — backend-owned account surfaces do not require a native shell rebuild. |
| purchase_intent | native_or_companion_required | native_adapter; provider_setup; backend_reconciliation | native or companion storefront corridor implemented; backend reconciliation ingest enabled | commerce.corridor.runtime_incompatible; commerce.corridor.unsupported; commerce.corridor.pack_incompatible; commerce.corridor.prerequisite_missing | Fail closed with return-to-Phoenix guidance; never grant entitlement authority from device intent alone. | merge-blocking | native_rebuild_required=true: Native adapter or provider SDK code changes require rebuilding and resubmitting the host shell. |
| restore_intent | native_or_companion_required | native_adapter; provider_setup; backend_reconciliation | native or companion restore corridor implemented; backend reconciliation ingest enabled | commerce.corridor.runtime_incompatible; commerce.corridor.unsupported; commerce.corridor.pack_incompatible; commerce.corridor.prerequisite_missing | Fail closed with restore guidance and keep entitlement truth backend-owned until evidence is reconciled. | merge-blocking | native_rebuild_required=true: Native restore choreography or provider SDK code changes require rebuilding and resubmitting the host shell. |
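The fail-closed rule stated in the entitlement_snapshot and reconciliation_evidence rows and in the purchase_intent and restore_intent corridors above, written out as an added Elixir example. It is not Crosswake code: the module name, the snapshot map keys (:source, :freshness, :state), the :backend_projection and :active values, and the deny reason atoms are hypothetical.

```elixir
# Added illustration only; not part of the Crosswake package.
# Module name, map keys, :backend_projection / :active, and deny reasons
# are hypothetical names chosen for this example.
defmodule EntitlementGateExample do
  # Reconciliation states the matrix lists as never granting entitlement.
  @non_granting_states [:pending_purchase, :pending_restore, :awaiting_verification]

  @doc """
  Returns :allow only for a fresh, backend-projected, active snapshot.
  Every other input is denied with a reason, so the caller fails closed.
  """
  def decide(snapshot) when is_map(snapshot) do
    source = Map.get(snapshot, :source)
    # A snapshot that carries no freshness value is treated as :unknown.
    freshness = Map.get(snapshot, :freshness, :unknown)
    state = Map.get(snapshot, :state)

    cond do
      # Device, storefront, webhook, and support evidence is reconciliation
      # input only; it never decides access on its own.
      source != :backend_projection -> {:deny, :non_authoritative_evidence}
      # :stale, :unknown, and any unrecognized freshness value all deny.
      freshness != :fresh -> {:deny, :refresh_required}
      state in @non_granting_states -> {:deny, :non_granting_state}
      state == :active -> :allow
      # Unrecognized states deny by default.
      true -> {:deny, :not_entitled}
    end
  end

  def decide(_not_a_map), do: {:deny, :malformed_snapshot}
end

# Constructed sample snapshots (not captured from a real system).
samples = [
  {"fresh backend projection, active",
   %{source: :backend_projection, freshness: :fresh, state: :active}},
  {"stale backend projection, active",
   %{source: :backend_projection, freshness: :stale, state: :active}},
  {"backend projection without freshness",
   %{source: :backend_projection, state: :active}},
  {"fresh backend projection, awaiting verification",
   %{source: :backend_projection, freshness: :fresh, state: :awaiting_verification}},
  {"device purchase intent claiming active",
   %{source: :device, freshness: :fresh, state: :active}},
  {"webhook evidence, pending purchase",
   %{source: :webhook, freshness: :fresh, state: :pending_purchase}},
  {"not a snapshot at all", nil}
]

Enum.each(samples, fn {label, snapshot} ->
  IO.puts("#{label}: #{inspect(EntitlementGateExample.decide(snapshot))}")
end)
```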
Packaging Ledger
crosswake remains the one primary public package. Companions are first-party-scoped typed boundaries, not plugin-market surfaces.
| Surface | Class | Why | Release Burden | Public Guide |
|---|---|---|---|---|
| crosswake primary package | core | Route-policy DSL, manifest contract, compatibility axes, bounded-bridge vocabulary, shell generators, doctor, support matrix, release rules, and proof posture stay in one obvious Phoenix-first package. | Hex package SemVer moves independently, while support truth still follows manifest_schema_version, bridge_protocol_version, and native_runtime_version. | Guide |
| Phoenix-facing commerce seam vocabulary | core | paywall_entry, purchase_intent, restore_intent, entitlement_snapshot, and reconciliation_evidence stay normalized and backend-truthful in core without embedding storefront providers. | Semantics may evolve in core, but provider adapters and native storefront logic remain outside the base package. | Guide |
| Provider adapters and native-heavy integrations | companion | Storefront adapters, media/upload/capture, rollout, auth/session, notifications, and audit/operator seams carry native binary churn or backend coupling beyond core. | First-party companions declare minimum compatible ranges against core, compatibility axes, and capability-family majors. | Guide |
| Checked-in example hosts and install walkthroughs | example/docs-only | Examples, walkthroughs, reviewer playbooks, and vendor recipes teach boundaries and proof posture without becoming separate runtime packages. | Not first-class supported as package surfaces; promotion requires reclassification plus proof and support-matrix updates. | Guide |
| Standalone native shell core packages | core | The generated shell stays host-owned, while reusable native core logic resolves from SwiftPM and Maven Central packages instead of monorepo-local paths. | Native core versions move in lockstep with the Hex package through release-please linked versions; clean-room proof verifies the external install path at release time. | Guide |
Release And Versioning Policy
package versions alone do not define support truth.
| Target | Versioning | Compatibility Contract | Release Rule |
|---|---|---|---|
| core | Independent SemVer for the crosswake Hex package. | package versions alone do not define support truth; manifest_schema_version, bridge_protocol_version, and native_runtime_version stay canonical. | Manifest-major, bridge-major, and runtime-line changes must update support docs and doctor before release. |
| companion | Independent SemVer per first-party companion. | Each companion declares minimum compatible ranges for core, all three compatibility axes, and exposed capability-family majors. | Companion support cannot expand until the adapter publishes explicit compatibility ranges and fail-closed guidance. |
| ios_shell | SwiftPM core package version is lockstep with the Hex package; host app build numbers remain adopter-owned. | Breaking bridge semantics require a bridge_protocol_version major bump plus a compatible shell artifact before support widens. | Changes touching native code, entitlements, permissions, registration, or packaged runtime behavior move the native_runtime_version line and mark rebuild required. |
| android_shell | Maven Central core artifact version is lockstep with the Hex package; host app build numbers remain adopter-owned. | Breaking bridge semantics require a bridge_protocol_version major bump plus a compatible shell artifact before support widens. | Changes touching native code, entitlements, permissions, registration, or packaged runtime behavior move the native_runtime_version line and mark rebuild required. |
Change Classes
| Change Class | What Changed | Adopter Action | Compatibility Signal | Required Proof |
|---|---|---|---|---|
| docs-only | Guides, wording, examples, support notes, or advisory docs changed without changing manifest semantics, compatibility-axis values, capability versions, shell templates, companion code, or proof expectations. | Read the updated guidance and rerun docs integrity only. | No compatibility-axis or capability-version change. | docs integrity only |
| core-only/no native rebuild | Core Elixir behavior, docs generation, doctor, support rendering, or validation changed inside the already-supported schema, bridge, runtime, and capability versions. | Update the Hex package and rerun core contract + doctor/support proof without rebuilding native shells. | Existing manifest_schema_version, bridge_protocol_version, native_runtime_version, and capability majors stay in line. | core contract + doctor/support proof |
| compatibility-bump only | Compatibility declarations or package windows narrowed so some older combinations now fail closed, but a fresh binary is not automatically required for already-compatible adopters. | Check the compatibility window, confirm your shipped shell/runtime is still in range, and run fail-closed compatibility fixtures. | manifest_schema_version, bridge_protocol_version, native_runtime_version, or capability required-version declarations changed support windows. | fail-closed compatibility fixtures |
| native or companion rebuild required | Native code, generated shell projects, entitlements, permissions, platform config, native dependencies, or companion-native integration code changed. | Rebuild the affected shell or companion, publish the updated runtime line, and rerun generated-shell or companion verification lanes. | Every rebuild-required change carries explicit compatibility declarations, especially native_runtime_version, bridge_protocol_version, manifest_schema_version, and capability required-version shifts. | core proof plus generated-shell or companion verification lanes |
Action Classes
| action_class | subject | required_action | rebuild_required | reason | guide_anchor |
|---|---|---|---|---|---|
| docs_only | Public guides, examples, and support notes | Read updated guidance and rerun docs integrity checks. | false | Docs-only changes do not change manifest semantics, compatibility axes, native code, or proof expectations. | guides/support_matrix.md#action-classes |
| route_manifest | Phoenix route policy and manifest metadata | Update the Hex package, regenerate manifest truth, and run core contract plus doctor/support proof. | false | Route and manifest metadata can stay core-only when schema, bridge, runtime, and capability major versions remain compatible. | guides/support_matrix.md#action-classes |
| compatibility | Compatibility windows and required version declarations | Check compatibility windows and run fail-closed compatibility fixtures before release. | false | A narrowed support window may reject older combinations without requiring already-compatible adopters to rebuild. | guides/compatibility.md#runtime-line-rules |
| native_shell | iOS or Android shell artifacts and native runtime line | Rebuild affected shells, publish the updated runtime line, and rerun generated-shell verification lanes. | true | Native code, entitlements, permissions, platform config, and generated shell projects require host shell rebuild verification. | guides/native_shell.md#boundary-warnings--rough-edges |
| companion_native | First-party companion bindings or companion-native surfaces | Verify companion dependency health, compatibility ranges, and fail-closed fallback posture before widening support. | true | Companion-native integrations can carry native binary churn or backend coupling beyond core route metadata. | guides/companions.md#support-truth-and-proof-posture |
| provider_adapter | Storefront/provider SDK adapters | Keep provider proof advisory until adapter implementation, provider setup, backend reconciliation, docs, and promotion criteria all pass. | true | Provider SDK adapters require native/provider setup and cannot be treated as shipped support from seam-only contracts. | guides/commerce.md#provider-adapter-defers |
Promotion Rules
Promotion rules keep advisory proof visible until evidence, docs, platform, and demotion criteria are all satisfied.
| claim_id | current_state | promotes_to | evidence_class | required_evidence | minimum_consecutive_passes | freshness_window | failure_budget | required_platforms | required_docs_anchors | change_class | action_class | check_ids | demotion_trigger |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| shell.ios.generated_project | merge-blocking | supported | generated_shell | script/verify_generated_ios_shell.sh; support matrix parity | 1 | current release branch | zero merge-blocking failures | ios | guides/support_matrix.md; guides/native_shell.md | native or companion rebuild required | native_shell | diag.shell.verification_required | Demote to verification_required when generated-shell proof fails or native_runtime_version support narrows. |
| shell.android.generated_project | advisory | merge-blocking | generated_shell | script/verify_generated_android_shell.sh; Java-enabled BridgeChannel proof | 2 | current release branch | zero merge-blocking failures | android | guides/support_matrix.md; guides/native_shell.md | native or companion rebuild required | native_shell | diag.shell.verification_required | Keep or demote to verification_required when Android JVM or generated-shell proof is stale or unavailable. |
| notification_token.provider_snapshot | advisory | merge-blocking | provider_snapshot | notification_token capability contract; provider-tagged snapshot fixtures | 2 | current release branch | zero contract failures | ios; android | guides/support_matrix.md; guides/capabilities.md | native or companion rebuild required | companion_native | diag.notification.token_provider_snapshot_only | Demote when provider snapshot proof is stale, missing, or confused with Chimeway delivery support. |
| auth.sigra.session_authority | merge-blocking | merge-blocking | session_authority_handoff_step_up_auth_return_contract | auth posture route fixtures; session authority evaluator proof; step_up_required denial-code proof; single-use handoff ticket lifecycle proof; server-record redemption and audit proof; server-owned step-up intent lifecycle proof; shared Plug/LiveView ceremony proof; OAuth/passkey/native auth-return envelope proof; host-owned auth-return attempt replay proof; verified-link-first native return proof; low-cardinality auth telemetry proof; security closeout proof | 1 | current release branch | zero contract failures | ios; android | guides/support_matrix.md; guides/companions.md | native or companion rebuild required | companion_native | diag.auth.sigra_session_authority | Demote if route predicates, auth_posture, auth_return route policy, step_up_required/auth.handoff/auth.step_up_intent/auth.return denial codes, auth telemetry metadata, handoff/step-up/auth-return server-record proof, security closeout, or Sigra docs drift from support truth. |
| purchase_intent.provider.storekit | advisory | merge-blocking | provider_adapter | deterministic adapter contract proof; backend reconciliation authority proof; docs-contract parity proof; advisory storefront/provider lane evidence | 3 | current adapter release | zero entitlement-authority failures | ios | guides/support_matrix.md; guides/commerce.md | native or companion rebuild required | provider_adapter | diag.provider.storekit.advisory_proof; diag.provider.adapter_shipped_seams | Remain advisory until StoreKit adapter, provider setup, docs parity, and backend reconciliation proof all pass. |
| restore_intent.provider.storekit | advisory | merge-blocking | provider_adapter | deterministic adapter contract proof; backend reconciliation authority proof; docs-contract parity proof; advisory storefront/provider lane evidence | 3 | current adapter release | zero entitlement-authority failures | ios | guides/support_matrix.md; guides/commerce.md | native or companion rebuild required | provider_adapter | diag.provider.storekit.advisory_proof; diag.provider.adapter_shipped_seams | Remain advisory until StoreKit restore evidence stays backend-owned and proof/docs parity pass. |
| purchase_intent.provider.play_billing | advisory | merge-blocking | provider_adapter | deterministic adapter contract proof; backend reconciliation authority proof; docs-contract parity proof; advisory storefront/provider lane evidence | 3 | current adapter release | zero entitlement-authority failures | android | guides/support_matrix.md; guides/commerce.md | native or companion rebuild required | provider_adapter | diag.provider.play_billing.advisory_proof; diag.provider.adapter_shipped_seams | Remain advisory until Play Billing adapter, provider setup, docs parity, and backend reconciliation proof all pass. |
| restore_intent.provider.play_billing | advisory | merge-blocking | provider_adapter | deterministic adapter contract proof; backend reconciliation authority proof; docs-contract parity proof; advisory storefront/provider lane evidence | 3 | current adapter release | zero entitlement-authority failures | android | guides/support_matrix.md; guides/commerce.md | native or companion rebuild required | provider_adapter | diag.provider.play_billing.advisory_proof; diag.provider.adapter_shipped_seams | Remain advisory until Play Billing restore evidence stays backend-owned and proof/docs parity pass. |
| shell.android.jvm_hermetic | advisory | merge-blocking | jvm_hermetic_ci | script/verify_generated_android_shell.sh; Java-enabled JVM BridgeChannel hermetic proof; support-matrix rebuild_matrix parity; docs-contract parity for Android runtime-line | 3 | current release branch, within 30 CI runs | zero consecutive failures; single failure resets counter | android | guides/support_matrix.md; guides/native_shell.md#android-verification | native or companion rebuild required | native_shell | diag.shell.android.jvm_hermetic; diag.shell.verification_required | Demote to verification_required when Android JVM hermetic CI proof is stale, fails, or coverage drops below the freshness window. jvm_hermetic promotion MUST NOT be read as device_verified — CI-level evidence is not device/emulator evidence. |
| shell.android.device_verified | advisory | merge-blocking | device_verified | Android emulator advisory lane evidence (Phase 68); device-UAT checklist completion (Phase 68); capability-parity-locked device proof; docs-contract parity for Android device-verified runtime-line | 3 | current release branch, within 10 device-UAT runs | zero consecutive failures; single failure resets counter | android | guides/support_matrix.md; guides/native_shell.md#android-device-uat | native or companion rebuild required | native_shell | diag.shell.android.device_verified; diag.shell.verification_required | Device/emulator proof is unavailable until Phase 67 (Android shell implementation) and Phase 68 (Android verification closure and device-UAT checklist). jvm_hermetic promotion MUST NOT be read as device_verified — CI-level JVM hermetic evidence does not constitute real-device or emulator proof. Demote to verification_required if device-UAT evidence is stale or if the device lane drops below the freshness window. |
Notification Surface (v3.9)
Crosswake provides explicitly bounded support for notifications via the Chimeway companion.
Supported:
- Token binding: The notification_token capability resolves local push tokens.
- notification-open routing: Notification open resolved through RouteGate for manifest-known routes and route-local action allowlists.
- Route activation proof: The notification-open workflow proof is hermetic route activation proof. RouteGate and Sigra decide activation; token/open evidence is not auth authority.
- Resolution limits: Bounded bridge operations ensure requests complete predictably.
- Evidence redaction: Diagnostic output actively redacts sensitive identifiers.
Deferred (Not Supported):
- APNs/FCM delivery execution: APNs/FCM delivery is not part of this proof, and Crosswake does not act as a push delivery service.
- Push metrics: Delivery and read-receipt metrics are not tracked by the core framework.
- Deep UI native presentation: Custom native notification UI presentation is left to the host shell.
Strict Telemetry Contract:
The telemetry event structure [:crosswake, :notification, :*] exposes low-cardinality delivery status and routing outcomes. Raw payload data, device tokens, and PII are strictly forbidden and explicitly stripped from all diagnostic output.
Media Evidence Recovery Surface (v4.1)
Crosswake provides a hermetic Rindle proof for simulated media recovery.
Supported:
- Recovery proof: Rindle media/evidence recovery proof is hermetic and merge-blocking.
- Simulated degradation: Simulated network degradation is proof-only and deterministic.
- Backend authority: Local capture evidence is not availability authority; backend verification is required before media becomes available.
- Proof copy: "Capture recorded locally; media is not available yet", "Device evidence recorded; backend verification still required", "This proof does not use a real storage provider", and "Local capture evidence does not grant media availability".
Deferred (Not Supported):
- Real storage providers: Host applications own storage target choice and persistence.
- Native camera/media picker capture: Capture UX remains host-owned.
- Background transfer and device network toggling: These remain advisory/deferred and never gate merge.
- Generic sync: Phase 72 does not ship a broad sync engine.
Public Non-Claims And Rough Edges
- StoreKit and Play Billing provider adapter seams are shipped, but provider/storefront proof remains advisory until promotion criteria pass.
- Sigra session-authority route evaluation, Phase 55 handoff ticket/server-record contract machinery, Phase 56 step-up intent plus Plug/LiveView ceremony, Phase 57 OAuth/passkey/native auth-return boundary contracts, Phase 58 auth telemetry/security closeout, and Phase 73 auth-sensitive admin workflow proof are shipped for route predicates, auth_posture, route-local auth_return, :step_up_required, canonical auth.handoff.*, canonical auth.step_up_intent.*, canonical auth.return.* denial codes, stable [:crosswake, :auth, ...] telemetry events, low-cardinality diagnostic metadata, and proof that persistent shell session state does not grant admin access; refresh-token helpers, provider/device proof, provider templates, passkey SDK wrappers, direct shell/WebView token authority, native auth UI, and generic audit machinery remain deferred.
- APNs/FCM push delivery execution, delivery metrics, and deep UI native notification presentation remain deferred; notification support focuses strictly on token binding, notification-open routing, RouteGate/Sigra route activation proof, and diagnostic telemetry.
- Standalone native shell core packages are consumed by generated host-owned wrappers through SwiftPM and Maven Central; device/emulator proof and broader native runtime claims remain deferred until separately proven.