SENTISEC
WHAT WE DON'T CATCH YET

The honest limits of the developer tier.

We'd rather you read this before you sign up than find out in production. Every item below is a real gap, with our current stance and the planned fix window. If any of these break a deal, don't sign up — or email us and we'll tell you where we are.

UPDATED BEFORE EACH RELEASE · NO HIDDEN ROADMAP · BRUTAL HONESTY DEFAULT
01

OpenAI Responses API server-side tools

OUT OF SCOPE

`web_search`, `file_search`, `computer_use`, and `remote_mcp` execute inside OpenAI's infrastructure before any response reaches us. No external proxy can see them. If your agent uses those tools, assume that surface is unmonitored. Mitigation: prefer function-calling (client-side) tools where possible, or deploy a client-side equivalent (an HTTP tool that routes through us) for the same capability.
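
A pre-flight check for the gap described above, as an added example that is not Sentisec's code: it splits a request's `tools` array into tools a proxy can observe and tools that run server-side, using the tool names listed on this page. Treating `function` as the client-side type, matching server-side names by prefix, and counting unknown types as unmonitored are assumptions; the sample request is constructed.

```python
import json

# Tool names this page lists as executing inside OpenAI's infrastructure.
SERVER_SIDE = ("web_search", "file_search", "computer_use", "remote_mcp")
# Assumption: client-side function-calling tools carry type "function".
CLIENT_SIDE = ("function",)

# Constructed sample request body (not captured traffic).
SAMPLE_REQUEST = json.loads("""{
  "model": "placeholder-model",
  "input": "Summarise open tickets",
  "tools": [
    {"type": "function", "name": "update_ticket", "parameters": {"type": "object"}},
    {"type": "web_search"},
    {"type": "web_search_preview"},
    {"type": "vendor_new_tool"}
  ]
}""")


def audit_tools(request_body):
    """Group each declared tool by whether an external proxy can observe it."""
    report = {"visible": [], "unmonitored": [], "unknown": []}
    for index, tool in enumerate(request_body.get("tools") or []):
        tool_type = str(tool.get("type") or "") if isinstance(tool, dict) else ""
        entry = f"tools[{index}] type={tool_type!r}"
        if tool_type in CLIENT_SIDE:
            report["visible"].append(entry)
        elif tool_type.startswith(SERVER_SIDE):
            # Prefix match (assumption) so suffixed variants are still flagged.
            report["unmonitored"].append(entry)
        else:
            # Fail closed: an unrecognised type is not assumed to be covered.
            report["unknown"].append(entry)
    return report


def is_fully_monitored(request_body):
    """True only when every declared tool is a client-side function tool."""
    report = audit_tools(request_body)
    return not report["unmonitored"] and not report["unknown"]


if __name__ == "__main__":
    for group, entries in audit_tools(SAMPLE_REQUEST).items():
        print(f"{group}: {entries}")
    print("fully monitored:", is_fully_monitored(SAMPLE_REQUEST))
```

Run it in CI or in the client wrapper before a request is sent, and fail the build or log the session as reduced-coverage when `is_fully_monitored` returns false.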

02

Connector responses, conservative coverage

PARTIAL

We cover the proposed-action moment first. Response content coming back from local connectors is handled conservatively in the current release. Fix window: deeper connector coverage after the current release.

03

Cursor compatibility changes per release

BEST EFFORT

Cursor changes quickly. We commit to regular re-verification and publish a compatibility matrix. Between releases, a new action shape may briefly be best-effort. Workaround: read the current compatibility note on `/integrations/cursor` before relying on it.

04

Distributed retrieval attacks

FUTURE PHASE

Some attacks spread intent across many benign-looking retrievals. The current control plane catches many instances when they become proposed actions; dedicated earlier coverage is planned for a later phase.

05

Earlier cognitive-state coverage

FUTURE PHASE

A later phase expands how early Sentisec can assess cognitive state. That work is explicitly scoped after the current control plane is hardened.

06

Benign-looking in-scope actions

FUNDAMENTAL LIMIT

If an action is genuinely within the user's authorized scope and looks plausibly task-aligned — for example, the agent legitimately updates a ticket but with attacker-influenced content — no external monitor can distinguish it from a clean action without access to the user's intent at higher fidelity. This is a fundamental limit of substrate-level defenses, not a bug. We are explicit about it in every surface.

07

Codex CLI: needs spike verification

PENDING VALIDATION

Whether the OpenAI `codex` CLI specifically honors `OPENAI_BASE_URL` fully, and whether every tool flow traverses the standard API, is a per-release spike. Current status is on `/integrations/codex`. Treat any gap as a known caveat, not a silent failure.

08

Local-inference (Ollama) models

BEST EFFORT

Ollama's OpenAI-compatible endpoint varies per model. Some local models do not expose the action shape needed for full coverage. We detect and flag reduced-coverage sessions in the dashboard so you know what protection you are getting.

Honest now, or honest later.

Every item above is visible in the dashboard when it applies to your workspace. If your stack hits one of these and you need it covered earlier than our current phase, tell us at partners@sentisec.ch. That's how we prioritize.