Skip to content

0.17.0 - 2026-07-02

Choose a tag to compare

@github-actions github-actions released this 02 Jul 08:46

Release Notes

Added

  • Added the semantic-kernel recall-loss recovery loop around nose verify --recall-loss-report, including obligation rollups, deterministic diff
    tooling, checked artifacts, corpus-priority census workflows, and the new
    oracle_exclusions.by_classification rollup for distinguishing semantic
    boundary attribution, missing oracle support, path exploration budget, oracle
    cost budget, empty fingerprint, and core-span failures.
  • Added and expanded the nose.protocols.string_affix_predicates protocol pack
    across Python, Java, Rust, Swift, JavaScript, TypeScript, Go, and Ruby, with
    receiver, direction, mutation, shadowing, offset, and dynamic-affix hard
    negatives.
  • Added import-backed immutable provenance and Rust import-snapshot resolution
    for safe provider literals, selected collection factories/constructors,
    same-crate module lookup, one-hop public re-exports, residual boundary
    attribution, and relative super resolution.
  • Added corpus-driven stdlib audit and prioritization scripts for JS/TS,
    Python, Rust, Swift, Java, and Go, plus first support slices for Go
    strings.Join and Java Optional. Java Arrays/Collections, Go
    sort/slices/maps, Python HOF/runtime, Rust stdlib, Swift stdlib, and
    JS/TS builtin coverage are recorded as explicit audit artifacts.
  • Added bounded Promise recovery for safe Promise.resolve, local
    .then/.catch/.finally continuations, imported settled-value contracts,
    Node timers/promises domains and safe payloads, and literal-array
    Promise.all, Promise.allSettled, Promise.race, and Promise.any
    aggregate slices. Dynamic iterables, unsafe thenables, executor timing,
    cancellation/liveness, scheduler APIs, interval streams, and broad scheduling
    remain fail-closed.
  • Added cross-language scheduling, channel, callback, lifecycle, aggregate, and
    exception-channel obligation reporting across JS/TS, Python, Rust, Go, Java,
    Swift, and Ruby. New executable hard negatives pin Promise, timer, channel,
    async runtime, Future, task, continuation, yield, and exception boundaries.
  • Added reporting-only async/runtime coverage for Swift structured concurrency
    and try, Java CompletableFuture/Future/Executor receivers, Rust
    block_on runtime provenance, Go channel/goroutine/defer protocols, Python
    async lifecycle and generator yield, and Ruby raise/rescue, Thread/Fiber,
    and block-yield boundaries.
  • Added the #653 semantic-kernel capability vocabulary audit and obligation
    label cleanup. The current diagnostics prefer reusable capability and
    async-* obligation labels while preserving legacy aliases for historical
    artifacts.

Changed

  • Split exact-admission recall-loss attribution into capability-oriented buckets
    for callee identity, receiver domain, library API occurrence, HOF
    demand/effect, source surface, mutation/effect, unsupported runtime
    boundaries, value-fingerprint floors, import-snapshot misses, and oracle
    exclusions.
  • Renamed await, async-function, and async-block diagnostics to language-neutral
    scheduling obligations. Promise-shaped producer and continuation labels now
    describe missing Promise proof, not generic async syntax.
  • Refined runtime/protocol diagnostics so units excluded before oracle
    interpretation can still carry diagnostics-only obligation attribution under
    oracle_exclusions.by_obligation; top-level by_obligation remains limited
    to oracle-interpretable admission rejections.
  • Closed the current Promise/scheduling and semantic-admission guardrail cycles
    as measured boundaries: exact admissions are limited to checked safe slices,
    and remaining executor, cancellation, scheduler, interval, lifecycle, and
    cross-language convergence work is represented as named closed obligations.
  • Reclassified broad audit buckets that are now accounted for by source-backed
    or proof-backed rows, including Swift throws/try, Java Future/Executor type
    mentions, Java stream lifecycle rows, Python generator yield, direct
    asyncio.sleep, and Ruby raise/rescue.

Fixed

  • Updated the locked anyhow dependency to clear RUSTSEC-2026-0190 in the CI
    advisory gate.
  • Fixed repository CI ratchets by splitting overlong Rust files and updating the
    async-mirror query JSON test to assert the documented near/shared-core witness
    contract.
  • Fixed scripts/check-docs.sh for both awiki lint --root docs and awiki
    versions that lint the current wiki directory.
  • Hardened JS/TS string-affix receiver proof so wrappers, untyped receivers,
    borrowed prototype calls, custom same-name methods, offsets, shadowed names,
    and String.prototype patching stay out of primitive prefix/suffix families.
  • Fixed dataflow normalization across try boundaries so temporary inlining no
    longer moves a potentially erroring RHS from before a try into the catch
    region.
  • Fixed release-candidate runtime regressions by indexing imported-binding
    call-target evidence per file, indexing lowering-time domain evidence by anchor,
    lazily building import mutation/use indexes, and using compact Rust module
    identities instead of absolute-path suffix hashes.

Performance

  • Preserved zero false merges and zero canon-preservation violations across the
    checked local crates recall-loss gates for this cycle.
  • Kept representative product query-regression slices within budget: Java
    CompletableFuture constructor reporting measured -0.45%, Java receiver
    settlement reporting measured +0.41%, Go protocol reporting measured
    +0.08%, and the final oracle-exclusion classification report measured
    +0.34% median wall time with a +0.05% report-size increase.
  • Re-ran the hazard release refresh, full local CI, all-pinned-corpus product
    query-regression, and release-level v0.16.0..HEAD output/runtime comparison for the 0.17.0
    release candidate. The final all-120-repo query-regression run measured
    59666.48ms -> 63410.42ms aggregate median runtime (+6.27%), with product
    hash drift in 120 repos and family-count drift in 30 repos. The current
    recall-loss gate passed with 0 false merges and 0 canon-preservation
    violations; nose 0.16.0 did not yet support --recall-loss-report, so
    recall-loss diffs begin from 0.17.0 artifacts. See
    0.17.0 release evidence for details.

Install nose-cli 0.17.0

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/corca-ai/nose/releases/download/v0.17.0/nose-cli-installer.sh | sh

Install prebuilt binaries via Homebrew

brew install corca-ai/tap/nose

Download nose-cli 0.17.0

File Platform Checksum
nose-cli-aarch64-apple-darwin.tar.xz Apple Silicon macOS checksum
nose-cli-x86_64-apple-darwin.tar.xz Intel macOS checksum
nose-cli-aarch64-unknown-linux-gnu.tar.xz ARM64 Linux checksum
nose-cli-x86_64-unknown-linux-gnu.tar.xz x64 Linux checksum