v0.26.0

---

version: 0.26.0
date: 2026-06-12
headline: "Minor — DOS installs as a Gemini CLI extension and earns an auto-indexed gallery listing."
themes: ["distribution"]
highlights:

• "New repo-root gemini-extension.json — gemini extensions install <repo-url> wires the MCP server + a done-claim-gating context file in one line"
• "Google's auto-indexed extensions gallery (geminicli.com/extensions) crawls the manifest and lists DOS, ranked by stars — no PR, no review queue"
• "GEMINI.md ships the extension's model context: gate your own done-claims through dos_verify / dos_commit_audit before reporting done"
• "release_bump.py keeps the manifest version on the package leash (a 7th lockstep marker)"
• "Fixes: a ruff F401 lint break in verdict_census.py and an llms-full.txt roster drift (#129)"

---

TL;DR — A Gemini CLI user can now add the whole referee with one command —
gemini extensions install https://github.com/anthony-chaudhary/dos-kernel — and
Google's auto-indexed extensions gallery lists DOS automatically off the same
in-tree manifest. One file buys a standing listing on an official surface ranked
by stars, with no PR and no review queue. An adoption surface for Gemini shops;
no kernel change.

distribution — the Gemini CLI extension manifest (#101)

• What changed — a repo-root gemini-extension.json makes DOS installable as
  a Gemini CLI extension, and crawlable by the official auto-indexed gallery.
  • Why: the gallery (geminicli.com/extensions) indexes any public repo with a
    valid manifest and ranks by stars — a distribution channel that needs no
    submission, just the file. One in-tree manifest is a permanent listing.
  • How: gemini-extension.json declares name/version/description, an
    mcpServers.dos entry launching python -m dos_mcp.server (the same shipped
    server the Claude bundle's .mcp.json names), and contextFileName →
    GEMINI.md.
• The context file gates done-claims — GEMINI.md is the instruction set
  Gemini loads with the extension: before reporting any work as done, gate the
  claim through dos_verify / dos_commit_audit, and check file-tree collisions
  with dos_arbitrate. The referee's value, stated where the model reads it.
• Version lockstep — the manifest's version joins the package leash as a
  7th bump target, so a release can never strand it at a stale version.
  • How: scripts/release_bump.py:bump_gemini_extension, pinned by
    tests/test_gemini_extension.py (JSON validity, required fields, the
    lowercase-dashes name matching the repo, version-tracks-package, the MCP
    entry launches dos_mcp.server and builds, the context file resolves).
• README — the agent-hosts section now carries the Gemini one-liner install
  block alongside the existing per-host MCP wiring.

fix — two CI-reddening defects cleared

• Lint — src/dos/verdict_census.py imported dataclasses.field and
  typing.Optional but used neither; ruff's blocking F401 was failing the
  lint & type job. Both removed.
• Docs — llms-full.txt had fallen behind a rostered docs/NN edit, failing
  tests/test_llms_full.py::test_llms_full_matches_assembly. Regenerated from the
  current roster (#129).

v0.25.0

---

version: 0.25.0
date: 2026-06-12
headline: "Minor — dos verdicts plug into Microsoft AGT's policy-backend seat with one registration line."
themes: ["drivers"]
highlights:

• "New driver: dos.drivers.agt_backend seats dos verdicts beside OPA/Cedar in AGT"
• "Two seats: verify (effect-claim oracle) and arbitrate (footprint admission)"
• "Abstain maps to AGT's skip channel; binds always return error=None"
• "Ship evidence (commit digest, graded rung) rides AGT's audit fields"
• "Verified against the published agent_os_kernel wheel, not just the clone"

---

TL;DR — A host running Microsoft's Agent Governance Toolkit (AGT) can now
register dos as an external policy backend — evaluator.add_backend(DosBackend(workspace="."))
— and get dos adjudication (the ship oracle or the lease arbiter) inside AGT's
own evaluation pipeline. Adoption surface for AGT shops; no kernel change.

drivers — the AGT ExternalPolicyBackend adapter (docs/302)

• What changed — new layer-4 driver dos.drivers.agt_backend implementing
  AGT's runtime-checkable backend protocol (name + evaluate(context)).
  • Why: AGT gives third-party policy engines a first-class seat (their
    ADR-0015); the dependency arrow means the adapter lives here, like AGT's
    own OPA/Cedar backends live there. Tracking issue
    #53.
  • How: src/dos/drivers/agt_backend.py:DosBackend — seat="verify"
    (default; dos_plan/dos_phase context keys → ship-oracle verdict) or
    seat="arbitrate" (dos_tree/path → admission verdict).
• The verdict mapping preserves both philosophies — REFUSE/unverified →
  binding deny; affirmative → binding allow; ABSTAIN or a failed dos
  evaluation → AGT's error/skip channel (fail-to-abstain, never a fabricated
  verdict). A shipped claim's commit digest rides proof_artefact
  (git:<sha>) with the graded evidence rung in verification_pointers.
• No new dependency — nothing from agent_os imports at module load; the
  decision object is duck-typed with a structural twin when the host package
  is absent (require_agt=True is the loud opt-in). Decisions are constructed
  against the fields the installed host version actually declares, so the
  published agent_os_kernel 3.7.0 (pre-evidence-fields) still binds
  correctly — verified by tests/test_agt_backend.py against the real wheel.
• Upstream contract gap filed, not worked around — AGT's evaluator skips
  any error-set decision, so its own backends' fail-closed denies can fall
  through to a default allow; reported as
  microsoft/agent-governance-toolkit#2992.

Also in this tag

• examples/serverless_rl/ — dos reward as a weave.Scorer / ART reward
  function (the serverless-RL drop), with tests.
• docs/FAQ.md — the worktree-isolation entry + the two restored tail
  entries; llms-full.txt rebuilt.
• dos_citation_resolve exposed as an MCP tool (the citation_resolve witness).
• docs/303 — the --hooks auto runtime-detection plan (design, unshipped).

v0.24.1

---

version: 0.24.1
date: 2026-06-10
headline: "Patch — dos_mcp becomes publishable to the official MCP Registry, and the bundled plugin validates clean."
themes: ["mcp", "skills", "distribution"]
highlights:

• "server.json + an OIDC publish workflow target the official MCP Registry"
• "PyPI README carries the registry's mcp-name ownership marker"
• "uvx one-liner: a dos-kernel console-script alias launches the MCP server"
• "Four plugin skills' YAML frontmatter fixed; claude plugin validate --strict green"
• "glama.json lets the owner claim the Glama directory listing"

---

TL;DR — The Tier A distribution release: everything dos_mcp needs to publish
to the official MCP Registry (which PulseMCP, Glama, and other aggregators
ingest), plus the frontmatter fix that makes the Claude Code plugin pass the
community-marketplace validation gate. No kernel behavior changes.

mcp — the MCP Registry publish surface

• server.json (repo root) — the registry manifest, schema 2025-12-11,
  named io.github.anthony-chaudhary/dos-kernel, pinning the dos-kernel
  PyPI package at this release's version.
  • Why: the official MCP Registry is the one publish that fans out — PulseMCP
    and Glama auto-ingest from it.
  • How: mcp-publisher validate green against the live registry schema.
• mcp-registry-publish.yml — a manual-dispatch GitHub Actions workflow that
  authenticates via OIDC (no stored token), validates, preflights (refuses on
  version skew or a not-yet-released / marker-less PyPI pin), publishes, and
  reads the record back out of the registry.
  • Why: the registry validates the PyPI README of the EXACT pinned version,
    so the publish must sequence after this release reaches PyPI.
• The mcp-name ownership marker — the README (assembled from
  docs/readme/95_citation-license.md) now ends with the registry's PyPI
  ownership token as a reader-invisible HTML comment.
• A dos-kernel console-script alias — the same dos_mcp.server:main
  entrypoint under the dist's own name, so uvx --from "dos-kernel[mcp]" dos-kernel (the registry's launch composition) and uvx "dos-kernel[mcp]"
  are real commands. Without the [mcp] extra it fails loudly with the same
  install hint as dos-mcp. The umbrella CLI stays dos.
• glama.json — Glama's maintainer-claim manifest at the repo root.

skills — the plugin passes the marketplace gate

• Four SKILL.md frontmatters YAML-quoted — dos-dispatch-loop,
  dos-self-improve (source pack) and dos-setup, dos-stats (authored in
  build_plugin.py) had unquoted description: scalars carrying a mid-line
  ": ", which YAML rejects; at runtime the metadata silently dropped.
  • Why: claude plugin validate — the exact gate the community-marketplace
    review pipeline runs — failed on them; it now passes --strict.
  • How: quoted scalars at the source; plugin copy regenerated by
    scripts/build_plugin.py.

Also in this tag

• The repo grew the GitHub topics + directory metadata for MCP discovery
  (no code change).

v0.24.0

---

version: 0.24.0
date: 2026-06-10
headline: "Minor — the helped rate gets a kernel-owned denominator, and SELF_MODIFY gains an operator-armed override window."
themes: ["helped", "override", "release", "hook-stats", "hygiene", "docs"]
highlights:

• "dos helped now reports of-N-adjudicated, read from a kernel-owned observation log"
• "dos override: an operator-armed, expiring SELF_MODIFY override window with status/disarm"
• "Release gate now adjudicates the committed bytes, plus a TestPyPI rehearsal before the PyPI hold"
• "Hook stats: intervention-rate headline; delegate handoffs leave the denominator"
• "Toolathlon durable replay data restored; gitignore negation hygiene pinned by test"

---

TL;DR — Two new operator surfaces land: dos helped gains an honest
denominator (every hook adjudication is now logged by the kernel itself, so the
"caught for you" rate is out of N observed calls, not an anecdote), and
dos override gives the operator a deliberate, expiring window to make T1
kernel edits without disabling the guard. Release tooling hardens around the
issue-#7 scars, and the public tree's scratch-dir handling gets audited and
pinned.

helped — the denominator is kernel-owned (docs/297)

• New kernel leaf hook_observation.py — every hook verb appends one
  observation record per adjudication, so the rollup has a denominator the
  agent never authors.
  • Why: "DOS helped you N times" is only honest as "N of M adjudicated."
  • How: src/dos/hook_observation.py; folded by src/dos/help_summary.py;
    surfaced as dos helped's of-N-adjudicated rate (src/dos/cli.py).
• Delegate handoffs leave the stats denominator — a Go-hook call that
  delegates to Python is not double-counted.
  • How: go/internal/hook/stats.go (docs/297 P4).

override — the operator-armed SELF_MODIFY window (docs/296)

• An arm-file the operator writes by hand opens a bounded override window;
  the PreToolUse hook honors it as PEP disposition, never as verdict evidence.
  • Why: T1 kernel edits previously required the out-of-repo playbook; the
    deny had no legitimate, auditable bypass.
  • How: src/dos/override_facts.py (arm-file read, expiry),
    src/dos/pretool_sensor.py (disposition), dos override status|disarm +
    a dos doctor row (src/dos/cli.py). Arming stays a by-hand act.

release — adjudicate the commit, rehearse the publish (docs/295)

• scripts/release_dry_run.py runs the release-killer witness against the
  committed bytes in a detached worktree + scratch venv — a sibling's unstaged
  hunk can no longer skew the verdict.
• publish.yml now rehearses on TestPyPI + install-smokes the artifact
  before pausing at the pypi approval hold.
• scripts/release_context.py preflights workflow parseability and the
  trunk-CI verdict on HEAD, so a doomed release is refused before any tag.

hook-stats — the intervention-rate headline

• dos-stats leads with what percent of tool calls the kernel touched;
  bundled plugin binaries rebuilt for the new fold
  (go/internal/hook/stats.go, claude-plugin/bin/).

hygiene — the public tree's scratch handling, audited

• Restored the toolathlon durable replay data (replay_all_rows.csv,
  replay_all.json, schema.md) — trailing inline comments on their
  .gitignore negations had silently untracked them, so the public seed
  shipped without them.
• Un-fused the root benchmark/_cc_* pattern from comment prose that had
  made it match nothing since the v0.22.0 seed.
• tests/test_gitignore_hygiene.py pins both failure classes: no pattern
  line carries an internal space, and every literal negation actually
  re-includes its path per git check-ignore.

Also in this tag

• Issue workflow goes mechanical: drafted issue bodies pipe through the leak
  scanner; the dispatch/replan skills capture out-of-scope findings as issues.
• README audience gradient (docs/292 P5–P7): terms defined before use, one
  install default, the build journal split out of the docs index.
• Trae mapped as the advisory-only host with no hook seam (docs/294); plans
  296/297 recorded.

v0.23.4

---

version: 0.23.4
date: 2026-06-10
headline: "Patch — the issues workflow lands (capture, triage, close-by-evidence), and releases now tag only witnessed-green SHAs."
themes: ["issues", "release", "oracle", "docs"]
highlights:

• "Issues are the backlog: capture rule, triage labels, close-by-evidence convention"
• "Releases tag after the CI verdict on the SHA, never before"
• "commit-audit: a .gitattributes-only diff can witness a ci-scoped claim"
• "dos helped --explain labels are rung-honest (WARN never reads as a block)"
• "Carries the full unreleased 0.23.x line toward PyPI"

---

TL;DR — The GitHub issue tracker joins the trust substrate: out-of-scope
findings get filed with a checkable done-condition and close only on evidence,
never narration. The release flow itself learned the v0.23.0–2 lesson and now
tags only a SHA whose CI verdict already exists. Two small verdict fixes land in
the kernel. PyPI consumers should care: this is the version intended to move the
index past 0.22.0.

issues — the tracker joins the trust substrate

• The capture rule — a finding that isn't your current task is filed as an
  issue with a done-condition, a lane guess, and provenance, instead of widening
  the commit or evaporating.
  • Where: CLAUDE.md "Out-of-scope findings", AGENTS.md Committing,
    CONTRIBUTING.md "Issues — the backlog, and how one closes".
• Triage labels — ready (done-condition present, anyone may pick it),
  design (needs a docs/NN plan first), human-only (the fleet skips it).
• Close on evidence, not narration — Fixes #N in the commit body lets the
  landing on master close the issue off ancestry. Manual closes carry their
  witnesses (the issue-verify skill).
  • Why: issue text is public output the tracked-file leak gate never scans —
    the authoring-time privacy rule is now stated where agents read it.

release — tag-after-green

• The tag waits for the verdict. /release now pushes the commit, waits for
  ci.yml to rule on that exact SHA, and tags only on green — plus a pre-tag
  test subset of the exact families that killed v0.23.0–2, and a backlog sweep
  that surfaces unapproved publish runs at every release.
  • Why: a tag is immutable and PyPI accepts each version once; three version
    numbers died in one day betting the other way (issue #7).
• Version bumps survive the generated-README era — release_bump.py
  regenerates the assembled README and the canonical-example corpus it sweeps.
• The dry-run plan — docs/295 plans the TestPyPI rehearsal and
  tag-last ordering this release already practices.
• v0.23.1/v0.23.2 notes are marked superseded; three rotted docs-index links
  retargeted.

oracle — two verdict fixes

• commit-audit: a bare dotfile like .gitattributes now counts as source,
  so a fix(ci) commit whose whole fix is a .gitattributes change is
  witnessed by its own diff instead of flagged (issue #4).
  • How: src/dos/commit_audit.py + pinning test.
• dos helped --explain: bucket labels are rung-honest — a WARN-only
  bucket can no longer read as if it blocks.
  • How: src/dos/help_summary.py + tests.

docs — contract maintenance and the first stable channel

• Write plainly — CLAUDE.md carries the operator's plain-English rule:
  simple words, short sentences, simplify wording, never facts.
• docs/ARCHITECTURE.md — the roster⇔section bijection restored (seven
  missing leaves documented, the witness family added).
• Rotted counts refreshed in the contract docs; the stale "(no plans declared)"
  reading retired for the evidence-horizon one.
• Orientation READMEs added for examples/, docs/_audits/, spikes/; the
  claude-plugin README no longer claims a JSON+markdown-only payload.
• stable/2026-06-bedrock — the first stable-channel promotion (of
  v0.23.3), with its evidence file at docs/stable-releases/2026-06-bedrock.md.

Also in this tag

Four commits landed between the release commit and the witnessed-green SHA the
tag names:

• privacy — the private-fleet bleed-through a fresh-lens audit found is
  scrubbed from three docs.
• kernel — evidence subprocesses never inherit the caller's stdin
  (docs/295), fixing a transport-pipe wedge in long-lived dos-mcp servers
  on Windows.
• hosts — Trae proved out: advisory-only binding for the host with no hook
  seam (docs/294); dos init --hooks trae fails loud instead of writing
  config nothing reads.
• arbiter — refuse-reason advice names --lane, the flag dos actually
  has (issue #11).

v0.23.3

---

version: 0.23.3
date: 2026-06-10
headline: "Patch — the hot-tree desync behind v0.23.2's red CI, fixed at the source; the demo-story lockstep gate holds."
themes: ["docs", "skills", "ci"]
highlights:

• "Bundled plugin skills resynced with their src/dos/skills sources"
• "The canonical-example lockstep gate is green on its own registry"
• "Carries the full v0.23.0 through v0.23.2 content to PyPI"

---

TL;DR — the fourth cut of the v0.23.x line. v0.23.2's CI went red on two hot-tree desyncs: a concurrently-edited skill source committed ahead of its regenerated plugin copy, and the new canonical-example lockstep gate catching its own registry's docstring. Both were fixed at the source; this tag re-cuts on the green tree. Everything in the v0.23.0, v0.23.1, and v0.23.2 notes ships under this version.

skills — the generated pair, resynced

• claude-plugin/skills/ regenerated in lockstep with src/dos/skills/ — the kindless-arbitrate captures refreshed to the honest verdict in both copies.
  • Why: the bundled copy is byte-pinned to its source by tests/test_plugin_manifest.py; a source edit committed between a regeneration and the release commit shipped the pair out of sync.

docs — the lockstep gate holds

• The demo-story registry's own docstring now spells the canonical ship stamp canonically (fix) — the new tests/test_canonical_example_lockstep.py gate caught its own registry on its first CI run.
• docs/293 Phase 2 placement revised after the kernel's own SELF_MODIFY refusal.

ci — three refusals, all correct

• The v0.23.x line took three publish refusals to land: a workflow parse error (v0.23.0), stale FTUE version literals (v0.23.1), and the hot-tree desync above (v0.23.2). Each was the ci-green witness gate declining an unwitnessed "ready" — the pipeline working as designed.

v0.23.2

---

version: 0.23.2
date: 2026-06-10
headline: "Patch — fix the stale FTUE version literals so CI can green and the v0.23.x content can finally publish."
themes: ["docs", "arbiter", "ci"]
highlights:

• "README front-door badge and verify-action pin examples now track the released version"
• "arbitrate honors a kindless --lane naming a known free cluster lane"
• "Carries the full v0.23.0 + v0.23.1 content to PyPI"

---

TL;DR — the third cut of the v0.23.x line, and the one that publishes. v0.23.0 was refused by the publish pipeline's ci-green witness gate (a workflow parse error), v0.23.1 fixed the parse but was refused again on stale doc version literals the drift guard caught. Both refusals were the gate working. Everything in the v0.23.0 and v0.23.1 notes ships under this version.

docs — the drift the guard was built for

• Three stale 0.22.0 literals fixed — the README front-door badge line and the verify-action README's pin examples (dos-version and the pre-commit rev:).
  • Why: the bump sweep is keyed old→new, so a literal added after a release (naming the then-current version) is invisible to every later sweep; tests/test_docs_version_drift.py caught all three — the verify-action leg on its first-ever CI run.
• Historical version references in FTUE prose drop the v prefix so the drift guard (anchored on v + dotted triple) pins live banners without flagging an anecdote that names an old release on purpose.

arbiter — kindless lane requests

• arbitrate honors a kindless --lane naming a known free cluster lane instead of refusing it (fix).
  • How: src/dos/arbiter.py.

ci / readme — riding along

• Release tooling tolerant-decodes gate subprocess output (fix).
• The README audience gradient closes — hand-off lines and the router back-link (docs/292 P4), plus issue #1's witnessed closure as a second self-demo anecdote.
• docs/293 planned — the design-doc plan dialect, dogfooding dos.plan_sources.

v0.23.1

---

version: 0.23.1
date: 2026-06-10
headline: "Patch — fix the ci-ok workflow parse error that kept v0.23.0's CI red and its publish refused."
themes: ["ci"]
highlights:

• "ci.yml parses again — the ci-ok green echo is now a block scalar"
• "v0.23.0's publish was refused by the ci-green witness gate, exactly as designed"
• "This tag carries the full v0.23.0 content to PyPI"

---

TL;DR — v0.23.0's tag push was refused by the publish pipeline's ci-green witness gate: the ci-ok aggregator job (added just before the release) had a YAML parse error, so no CI run on that SHA could ever green. This patch fixes the parse and re-cuts; everything in the v0.23.0 notes ships under this version.

ci — the fix

• The ci-ok "all green" step used a plain scalar containing : — YAML read the colon-space inside the echo text as a nested mapping and the whole workflow failed at parse time (0-second runs, no legs created).
  • How: .github/workflows/ci.yml — the step body is now a run: | block scalar, matching its sibling refuse step.
• The witness gate worked. publish.yml built and checked the artifacts, then refused the upload because no green ci.yml run existed on the tagged bytes — the forgeable "I tagged it" claim stopped by the unforgeable CI witness. The v0.23.0 tag stays where it is; fix-forward is the rule.

v0.23.0

---

version: 0.23.0
date: 2026-06-10
headline: "The public-repo era lands — registry-first installs, the repo-self DOS gate with a live badge, and a witness-gated publish pipeline."
themes: ["install", "gate", "publish", "readme", "quickstart", "docs"]
highlights:

• "Install flips registry-first — pip install dos-kernel is now the default everywhere"
• "Repo-self DOS gate: CI runs commit-audit + verify through the bundled verify-action"
• "README wears the live verified-by-DOS badge, and dos lint --strict reddens it on dead policy"
• "Publish pipeline gains the ci-green witness gate and a docs-aware test matrix"
• "README rebuilt for PyPI — absolute links, humanized prose, modular docs/readme/ source"
• "Quickstart demo reframed for the wider first-contact audience"

---

TL;DR — the first release cut from the public repo, on the heels of dos-kernel going live on PyPI. Every install channel now defaults to the registry, the repo verifies itself in CI with its own kernel (and wears the badge to prove it), and the publish pipeline refuses to upload any SHA without a green CI witness.

install — registry-first everywhere

• Every install channel defaults to pip install dos-kernel now that 0.22.0 is live on PyPI.
  • Why: the git+ form was the pre-publish stopgap; the registry is the honest default.
  • How: docs/INSTALL.md, README.md, install.sh/install.ps1, the plugin README, and the dos-setup skill all flipped in one sweep; the git+ form remains documented for tracking unreleased master.
• The plugin build carries the public-repo git+ prerequisite into the authored dos-setup source, so the bundled skill never points at a private path.
  • How: scripts/build_plugin.py.

gate — the repo verifies itself (docs/112 Phase 0)

• New dos-gate.yml workflow runs dos commit-audit + dos verify on every push, through the bundled verify-action — the kernel adjudicating its own repo in CI.
  • Why: "eat the dog food where the world can watch" — the badge is earned per-push, not asserted.
  • How: .github/workflows/dos-gate.yml + verify-action/action.yml.
• dos lint --strict is the gate's third leg — dead policy in dos.toml (a shadowed lane region, a dangling alias) now reddens the badge.
  • How: .github/workflows/dos-gate.yml leg 3; dos.toml gained a ci lane.
• README wears the live verified-by-DOS badge, and docs/BADGE.md documents the earn-it paths with agent examples.
• verify-action copy-paste refs retargeted at refs that actually exist (fix).

publish — the pipeline distrusts the tag

• The ci-green witness gate: publish.yml refuses to upload any SHA without a completed green ci.yml run on those exact bytes — "I tagged it" is a forgeable claim; a CI run on the bytes is not.
  • How: .github/workflows/publish.yml polls for the witness, then holds at the protected pypi environment for operator approval.
• Docs-aware CI matrix with timeouts on every job — prose-only pushes run a 2-leg matrix, code runs the full 4-leg grid plus the per-platform wheel build.
  • How: .github/workflows/ci.yml.
• ci-ok — a single aggregator job for branch protection to require, instead of enumerating every matrix leg.
  • How: .github/workflows/ci.yml.

readme — rebuilt for the registry

• README source split into modular docs/readme/ parts and assembled by scripts/build_readme.py, with the prose humanized for first contact.
  • How: twelve docs/readme/NN_*.md parts + tests/test_readme_assembly.py pinning the assembly.
• All image/link targets absolutized — PyPI renders the long description from the registry, where relative paths 404.
• The value chain surfaced — the swarm-host row, the hermes dialect, and the downstream verdict flow.

quickstart — first contact, reframed

• dos quickstart reframed for the wider audience — the 60-second caught-lie demo now reads for someone who has never met the substrate.
  • How: src/dos/cli.py + docs/CLI.md, pinned by tests/test_cli_ergonomics.py.

docs — the public-repo contract

• The private sibling renamed dos-strategy → dos-private across the living contract and every doc that names it.
• The retired anthony-chaudhary/dos slug retargeted at dos-kernel everywhere it lingered (fix).
• SECURITY.md gains the Publication gate section — the public stub for the maintainer-side leak scan.
• Commits default to no agent co-author trailer — stated in the contract, public history stays clean.
• The release skills learned the public-repo era — a push is publication, the tag is the publish trigger, the leak gate is fail-closed.
• docs/292 planned — the README audience gradient, six reader on-ramps.

v0.22.0

---

version: 0.22.0
date: 2026-06-10
headline: "Two new kernel rungs — the test-witness verdict and trailer ship stamps — plus the fleet cookbook and a launch-ready pipeline."
themes: ["testwitness", "stamp", "examples", "quickstart", "agent-view", "publish", "cli"]
highlights:

• "New test-witness verdict: dos test-witness rules whether the tests actually witnessed a change"
• "verify learns trailer-form ship stamps, so Conventional-Commits histories become verifiable"
• "Fleet-framework cookbook wires the referee into LangGraph, CrewAI, AutoGen, OpenAI Agents"
• "Quickstart demo gains the fleet act and a zero-install uvx path"
• "Agent-surface litmus tier AV1-AV6 pins the cold-clone defect classes in the suite"
• "Publication gate hardened end-to-end; the public seed cleared for the initial commit"

---

TL;DR — v0.22.0 lands two new kernel rungs (the test-witness verdict of docs/288 and
trailer-form ship stamps of docs/289), a runnable fleet-framework cookbook for adopters,
the agent-view cold-clone hardening, and the publication-pipeline pass that cleared the
public seed for launch.

testwitness — the test-witness verdict (docs/288 Phase 1)

• New kernel rung dos.testwitness + CLI verb dos test-witness — reverse-classical
  testing: did the test run actually witness the change, or pass around it?
  • Why: a green suite that never executed the changed code is consistency, not grounding.
  • How: src/dos/testwitness.py, pinned by an 18-test suite (shipped in c966591).

stamp — trailer-form ship stamps (docs/289)

• verify learns the Conventional-Commits tail — an end-of-subject (docs/NN Phase M)
  trailer now counts as a ship stamp (Phase 1, a326fcf).
• This repo declares the trailer rung in its own dos.toml — the kernel's own history
  becomes verifiable by its own truth syscall (Phase 2, 93f4656).
  • How: [stamp] trailer_stamp = true; grammar in dos.stamp.

examples — the fleet-framework cookbook

• New cookbook: wire the referee into LangGraph / CrewAI / AutoGen / OpenAI Agents at
  each framework's believe-the-agent seam (examples/fleet_frameworks/, aaadd96).
• Lifted into runnable recipes — executed seams pinned by the suite, not pasted
  output (f49e123).
• Routed from README, AGENTS.md, and the quickstart so fleet-framework adopters find
  it (6a8fb72, 8447b1f).
• Hermes hazard demos survive a WSL-launcher bash — relative sentinel + cwd fixes
  (b64ce1d, a0784c7).

quickstart — first contact gets cheaper and truer

• The default demo gains the fleet act — admit / redirect / refuse via the real
  arbiter, not a canned transcript (dad9fa2).
• Zero-install first contact — uvx runs the 60-second quickstart in one command,
  nothing left behind (8f626c4).

agent-view — the cold-clone agent surface (docs/290/291)

• Agent-surface litmus tier AV1–AV6 lands in the suite — the A/B defect classes from
  the agent-view episode, pinned as tests (d52454c, tests/test_agent_surface.py).
• Cold-clone fixes — truthful install/suite docs, the maintainer rig out of the
  committed settings (ca931a5); go-parity corpus regen keeps LF so running the suite no
  longer dirties a cold clone's tracked tree (05dc738).

publish — pipeline hardening that cleared the seed

• Authoring-time privacy routing enters the architecture contract — public-bound
  default, fail-closed report adjudication, the cross-link rule (9d48218).
• Scanner vocabulary hardened — escaping-depth-agnostic path matching (54fcab2),
  the serving-system name's case-form gap closed by a word-boundary regex + pin suite
  (b18530b), 16 residuals scrubbed and the re-gated seed cleared (a54a165, cf911b1).
• The public seed's CI is self-consistent — the leak-scan job no-ops green where the
  scanner is absent, since the seed excludes it (e5debd1); the test job sets up uv so
  the install-level tests run rather than skip (5b2b940).

cli — the operator surface reads cleaner

• Inline design prose moved out to docs/CLI.md — cli.py 10.8k → 8.9k lines, then
  13 more docstrings + 44 comment blocks (e46fdc4, 2fbd8aa).

fixes

• commit-audit — PowerShell/batch scripts count as source (d6827dc); a ci-scoped
  claim is witnessed by its CI config (be6d220).
• home index — reindex --prune is durable (compact roots.log, drop live temp
  rows, 788fb66); throwaway temp workspaces stay out of the machine-global index
  (346217c).
• paper/bench — audit passes correcting claim/provenance defects (533eac4,
  c38aee6, 93ce1bb); the F3 coordination A/B ported to Agent-Diff, two witnesses
  agree (179a4d6); classifier-comparison table regenerated deterministically (6440263).