Release Notes
Added
- Added the semantic-kernel recall-loss recovery loop around
nose verify --recall-loss-report, including obligation rollups, deterministic diff
tooling, checked artifacts, corpus-priority census workflows, and the new
oracle_exclusions.by_classification rollup for distinguishing semantic
boundary attribution, missing oracle support, path exploration budget, oracle
cost budget, empty fingerprint, and core-span failures.
- Added and expanded the
nose.protocols.string_affix_predicates protocol pack
across Python, Java, Rust, Swift, JavaScript, TypeScript, Go, and Ruby, with
receiver, direction, mutation, shadowing, offset, and dynamic-affix hard
negatives.
- Added import-backed immutable provenance and Rust import-snapshot resolution
for safe provider literals, selected collection factories/constructors,
same-crate module lookup, one-hop public re-exports, residual boundary
attribution, and relative super resolution.
- Added corpus-driven stdlib audit and prioritization scripts for JS/TS,
Python, Rust, Swift, Java, and Go, plus first support slices for Go
strings.Join and Java Optional. Java Arrays/Collections, Go
sort/slices/maps, Python HOF/runtime, Rust stdlib, Swift stdlib, and
JS/TS builtin coverage are recorded as explicit audit artifacts.
- Added bounded Promise recovery for safe
Promise.resolve, local
.then/.catch/.finally continuations, imported settled-value contracts,
Node timers/promises domains and safe payloads, and literal-array
Promise.all, Promise.allSettled, Promise.race, and Promise.any
aggregate slices. Dynamic iterables, unsafe thenables, executor timing,
cancellation/liveness, scheduler APIs, interval streams, and broad scheduling
remain fail-closed.
- Added cross-language scheduling, channel, callback, lifecycle, aggregate, and
exception-channel obligation reporting across JS/TS, Python, Rust, Go, Java,
Swift, and Ruby. New executable hard negatives pin Promise, timer, channel,
async runtime, Future, task, continuation, yield, and exception boundaries.
- Added reporting-only async/runtime coverage for Swift structured concurrency
and try, Java CompletableFuture/Future/Executor receivers, Rust
block_on runtime provenance, Go channel/goroutine/defer protocols, Python
async lifecycle and generator yield, and Ruby raise/rescue, Thread/Fiber,
and block-yield boundaries.
- Added the #653 semantic-kernel capability vocabulary audit and obligation
label cleanup. The current diagnostics prefer reusable capability and
async-* obligation labels while preserving legacy aliases for historical
artifacts.
Changed
- Split exact-admission recall-loss attribution into capability-oriented buckets
for callee identity, receiver domain, library API occurrence, HOF
demand/effect, source surface, mutation/effect, unsupported runtime
boundaries, value-fingerprint floors, import-snapshot misses, and oracle
exclusions.
- Renamed await, async-function, and async-block diagnostics to language-neutral
scheduling obligations. Promise-shaped producer and continuation labels now
describe missing Promise proof, not generic async syntax.
- Refined runtime/protocol diagnostics so units excluded before oracle
interpretation can still carry diagnostics-only obligation attribution under
oracle_exclusions.by_obligation; top-level by_obligation remains limited
to oracle-interpretable admission rejections.
- Closed the current Promise/scheduling and semantic-admission guardrail cycles
as measured boundaries: exact admissions are limited to checked safe slices,
and remaining executor, cancellation, scheduler, interval, lifecycle, and
cross-language convergence work is represented as named closed obligations.
- Reclassified broad audit buckets that are now accounted for by source-backed
or proof-backed rows, including Swift throws/try, Java Future/Executor type
mentions, Java stream lifecycle rows, Python generator yield, direct
asyncio.sleep, and Ruby raise/rescue.
Fixed
- Updated the locked
anyhow dependency to clear RUSTSEC-2026-0190 in the CI
advisory gate.
- Fixed repository CI ratchets by splitting overlong Rust files and updating the
async-mirror query JSON test to assert the documented near/shared-core witness
contract.
- Fixed
scripts/check-docs.sh for both awiki lint --root docs and awiki
versions that lint the current wiki directory.
- Hardened JS/TS string-affix receiver proof so wrappers, untyped receivers,
borrowed prototype calls, custom same-name methods, offsets, shadowed names,
and String.prototype patching stay out of primitive prefix/suffix families.
- Fixed dataflow normalization across
try boundaries so temporary inlining no
longer moves a potentially erroring RHS from before a try into the catch
region.
- Fixed release-candidate runtime regressions by indexing imported-binding
call-target evidence per file, indexing lowering-time domain evidence by anchor,
lazily building import mutation/use indexes, and using compact Rust module
identities instead of absolute-path suffix hashes.
Performance
- Preserved zero false merges and zero canon-preservation violations across the
checked local crates recall-loss gates for this cycle.
- Kept representative product query-regression slices within budget: Java
CompletableFuture constructor reporting measured -0.45%, Java receiver
settlement reporting measured +0.41%, Go protocol reporting measured
+0.08%, and the final oracle-exclusion classification report measured
+0.34% median wall time with a +0.05% report-size increase.
- Re-ran the hazard release refresh, full local CI, all-pinned-corpus product
query-regression, and release-level v0.16.0..HEAD output/runtime comparison for the 0.17.0
release candidate. The final all-120-repo query-regression run measured
59666.48ms -> 63410.42ms aggregate median runtime (+6.27%), with product
hash drift in 120 repos and family-count drift in 30 repos. The current
recall-loss gate passed with 0 false merges and 0 canon-preservation
violations; nose 0.16.0 did not yet support --recall-loss-report, so
recall-loss diffs begin from 0.17.0 artifacts. See
0.17.0 release evidence for details.
Install nose-cli 0.17.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/corca-ai/nose/releases/download/v0.17.0/nose-cli-installer.sh | sh
Install prebuilt binaries via Homebrew
brew install corca-ai/tap/nose
Download nose-cli 0.17.0