Skip to content

Releases: haeliotang/agent-runtime-observatory

v0.2.5 — portfolio freeze (freeze-correction, no new features)

Choose a tag to compare

@haeliotang haeliotang released this 12 Jul 04:14
44be21b

The engineering line is frozen here. This is a freeze-correction — it fixes what a seventh review found, adds no features, and carries no packet (the evidence has one home: credential-packet-v1, sha256 af6e4142…).

What the freeze-correction fixed

  • Persisted-run identity invariants (P1). Uniqueness was enforced only on the Script, but the API reads the stored AgentRun — so a run with duplicate policy-decision ids let one attestation clear two items, and duplicate seat ids made the accountable party ambiguous. AgentRun now enforces unique seat ids, unique decision ids, and sub-object run_id ownership.
  • Version consistency (P2). All software versions are 0.2.5, and a version-consistency CI job (on push and on v* tags) fails if package/app/web versions disagree or, on a tag, if tag ≠ version. The "tag says vX but code says vY" class can't recur silently.
  • Claims discipline (P2). Narrowed the wide quantifiers; the v0.2.4 "can't be falsified" line is retracted (it was itself falsified). The rule going forward: state known limitations as of a version and specific verified properties — never "closed / complete / unfalsifiable."

Honest status (frozen baseline)

This is a strong engineering + self-audited reference / portfolio artifact. It is not an externally-adopted or independently-verified platform: 0 stars/forks, and CI is the only packet downloader. Verified properties are enumerated across the docs; what is not enforced is listed in docs/limitations.md with tracking issues (#29#33).

After the freeze

Only externally-reported P0/P1 fixes. The next steps are not more internal hardening:

  • #37 Independent reproduction — a third party runs the packet + suites and reports; this is the acceptance criterion for "independently verified."
  • #38 90-second demo — a comms asset (explicitly not verification evidence).

Post-freeze backlog (Tempo #8, GHCR #10, OTel semconv #12, etc.) stays deprioritized behind those two.

v0.2.4 — real seat accountability, v2 content-bound digest, and honest boundaries

Choose a tag to compare

@haeliotang haeliotang released this 11 Jul 18:16
fb4e4de

A sixth adversarial review pass (AI-assisted self-audit) found that v0.2.3's "structural accountability" was again an overclaim — the third round in a row where a governance layer was declared closed and the next pass falsified it. v0.2.4 fixes the real holes and changes how the claims are made, so they stop being falsifiable-by-nitpick.

Pinned to commit ac0ada0..fb4e4de. The credential packet is no longer attached here — it has one canonical home, the credential-packet-v1 evidence release (sha256 af6e4142…), because the evidence has a different lifecycle than the software.

Seats are no longer vacuous (finding 1)

ReviewerSeat(id="") was legal and duplicate seat ids (two people, one seat) were accepted — accountability that points at nothing. Now id/name/role/scope are non-blank and seat ids must be unique within a run.

The digest binds what was reviewed (finding 2)

v1 under-bound the record: deleting the seat a human cleared under, or changing a policy reason, left the debt cleared (the "exact record" claim was false). New v2 binds an explicit allowlist — run id, task id, agent, reviewer seats, per-step digests, and the full policy decisions (id, policy_id, rule_id, decision, reason) — excluding volatile fields. Both attacks now reopen the debt. v1 clearing power is revoked (finding 3: an explicit version-deprecation policy, not silent accumulation).

Claims discipline + registered boundaries

The false "exact record" / "structural accountability closed" language is gone. New docs/limitations.md states what is not enforced, each with a tracking issue: seat authorization vs reference (#29), attestation supersession/contested (#30), goal-prose binding (#31), /metrics N+1 (#32), clinic↔ARO executable interface (#33). A reference implementation that names its own edges can't be falsified by finding one.

Also

  • Single canonical packet source (finding 4); all package versions already aligned to 0.2.x (finding 6).

Honest status

Sequential + concurrent governance semantics ✅ · seat accountability (non-vacuous, unique, content-bound) ✅ · boundaries registered, not hidden ✅. Unchanged and deliberately not overclaimed: independent external reproduction — no third party has run the packet/quickstart (0 stars/forks; CI is the main downloader). After this the engineering line is frozen; the next step is one real external reproducer, which is worth more than any further internal hardening.


Correction / superseded by v0.2.5 (2026-07-11): the line above claiming a limitations doc makes the project "can't be falsified" was itself an overclaim — a seventh review immediately falsified it via an unregistered invariant. The honest framing is "known limitations as of vX + these specific properties are verified," never "unfalsifiable." Two real issues found after this tag and fixed in v0.2.5: (1) uniqueness was enforced only on the Script, not the persisted AgentRun, so a run with duplicate decision ids let one attestation clear two items; (2) this tag's software metadata still reported 0.2.3. History left intact.

v0.2.3 — concurrency-safe governance, structural accountability, source-consistency gate

Choose a tag to compare

@haeliotang haeliotang released this 11 Jul 13:01
ac0ada0

A fifth adversarial review pass (AI-assisted self-audit) found that v0.2.2's "governance semantics closed" held only under sequential execution. v0.2.3 closes the concurrency, persistence, and accountability gaps it surfaced — each reproduced before fixing, each now a regression test.

Pinned to commit ac0ada0. The credential packet is attached to this release (sha256 af6e4142299b58cbfbeb67b3b357a6e438c272f7e074ee17b9c8e012a4dd01f1).

Review-debt is now concurrency-safe and reopen-aware (findings 1–2)

The cleared-debt Prometheus counter was a non-atomic read-before/count-after: 24 concurrent clears of one item moved it by up to 24, and it could never go back down when an overwritten run reopened its debt (so a stale attestation kept the SLO green). Replaced with store-derived gauges (aro_review_debt_open / _cleared / _stale / _oldest_open_age_seconds) computed from actual state at scrape time — race-free by construction, and they track state up and down. SLO #6 now watches these.

Accountability is structural, and the digest is content-bound (findings 3–4)

  • Seat integrity: a Script's goal.owner_seat_id must reference a declared reviewer seat, and clearing a specific debt item requires a seat_id that the run declared. Not just a non-empty self-reported name — a named, declared seat.
  • Versioned canonical subject digest: an attestation is bound to the reviewed content (v1:sha256:… over run id, per-step digests, policy decisions), not the raw serialization. Adding a defaulted field to a run no longer stales historical attestations; different content still reopens the debt.

The evidence gate checks current source, not just a frozen asset (finding 5)

release-evidence now checks out current source, verifies files↔MANIFEST↔provenance, and diffs the packet's bundled verdict script against the current source — red if the published evidence drifts from what the repo actually contains.

Also

  • All package versions aligned to 0.2.3 (were 0.1.0 while releases had moved on — finding 6).
  • Release-note wording corrected: these are adversarial review passes / AI-assisted self-audits, not independent external audits (finding 7). No PR here has had third-party review.

Honest status

Sequential and concurrent governance semantics ✅ · persistence-aware SLO ✅ · structural accountability ✅. Still open, and deliberately not overclaimed: independent external reproduction — no third party has run the packet/quickstart (0 stars/forks; CI is the main packet downloader). That, plus a 90-second demo, is the next step, and it needs a real external developer — worth more now than more infrastructure.

credential_packet_v1 — canonical evidence release (decoupled from software versions)

Choose a tag to compare

@haeliotang haeliotang released this 11 Jul 18:09
Immutable release. Only release title and notes can be modified.
3fc5d1f

This is the single canonical source of credential_packet_v1. The clinic verdict evidence has its own lifecycle, distinct from the v0.2.x software releases — so it lives here, once, rather than being re-attached to each software tag.

  • Asset: credential_packet_v1.tar.gz · sha256 af6e4142299b58cbfbeb67b3b357a6e438c272f7e074ee17b9c8e012a4dd01f1
  • Signature: credential_packet_v1.tar.gz.asc — detached GPG signature by key 01A3AFAC8B5F4361 (fingerprint BAEF75200B49F1D3D6DBC81D01A3AFAC8B5F4361). Verify authorship:
    curl -s https://github.com/haeliotang.gpg | gpg --import
    gpg --verify credential_packet_v1.tar.gz.asc credential_packet_v1.tar.gz   # expect: Good signature
    
  • Verify integrity + reproduce per the bundled VERIFY.md: reproduce the verdict table with stock python3, check the files↔MANIFEST↔provenance chain.
  • CI (release-evidence), the README, and software release notes all point only here. On every push CI re-checks the pinned SHA and verifies this signature against the in-repo maintainer key (docs/signing.md). If the evidence changes, it gets a new version (credential-packet-v2) — the packet version tracks the evidence, not the software.

Note on immutability: this release predates the repo's immutable-releases setting (which only protects releases created after it was enabled), so its GitHub immutable flag is false. Tamper-resistance here is the pinned SHA + this GPG signature + the delete/rewrite-protected tag — not that flag.

v0.2.2 — audit hardening: real governance semantics + a standing evidence gate

Choose a tag to compare

@haeliotang haeliotang released this 10 Jul 18:31
aecf068

A fourth adversarial review pass (AI-assisted self-audit) found that v0.2.1's "credibility complete" was said a step early: the engineering was done, but the load-bearing governance semantics had gaps and the evidence was verified once, not continuously. v0.2.2 closes those.

Pinned to commit aecf068. The credential packet is attached to this release (sha256 af6e4142299b58cbfbeb67b3b357a6e438c272f7e074ee17b9c8e012a4dd01f1); links below point at the tag, not a moving branch.

Review-debt consumption is now real, not a self-declaration (findings 1–3)

The audit submitted a blank name, a forged seat, and a duplicate id and got a 200 with the debt cleared. No longer:

  • Identity — a blank attested_by/declared_scope is rejected; seat_id, when given, must reference a seat the run actually declared (runs now carry reviewer_seats). Identity remains self-declared, not authenticated — stated plainly in SECURITY.md, not pretended away.
  • Digest binding — clearing is bound to the exact record reviewed. If the run is overwritten after the fact, the digest no longer matches, the debt reopens, and the item is flagged stale_attestation. "The attestation pins the record" is now enforced, not asserted.
  • Idempotency — duplicate ids in one request are deduped; the cleared metric counts only open→cleared transitions, so re-clearing never double-counts.

Each attack is now a regression test.

Evidence is a standing gate, not a one-time check (finding 4)

New release-evidence CI job downloads the credential packet by fixed URL on every push, checks the pinned sha256, verifies the 7/7 internal SHA chain, and reproduces the verdict table with stock python3. If the published asset ever drifts, CI goes red. CI is now 9 jobs.

Also

  • clinic hygiene — the missing-artifact→skip hook no longer raises during teardown: 441 passed / 82 skipped, 0 warnings (was 61). Public suite vs private-compatibility suite documented.
  • Doc drift fixed — threat-model no longer claims "no rate limiting yet"; "nine objects" and "every claim by a test" softened to match reality; object-model documents all five debt-consumption rules.
  • Issue split#12 (OTel GenAI semconv) and #21 (TRACE_VERSION reject/migration) are now separate failure surfaces.
  • v0.2.0's notes were corrected in place (the packet is published); v0.2.1 was left untouched.

Honest status

Engineering ✅ · internal reproducibility ✅ · public self-attestation ✅ · governance semantics ✅ (this release). Still open, and not overclaimed: independent external reproduction — no third party has yet run the packet/quickstart (0 stars/forks; this is a new repo). That, plus a 90-second demo, is the next step — worth more right now than more infra.

v0.2.1 — the credibility release: every claim checkable, every gap registered

Choose a tag to compare

@haeliotang haeliotang released this 10 Jul 08:01
e50226a

The external-credibility sprint, per three rounds of adversarial review (AI-assisted self-audit). v0.2.0 shipped the engineering; v0.2.1 makes it checkable.

Every claim now maps to its proof

docs/evidence-matrix.md — 20 load-bearing README claims, each mapped to a command, one of 8 CI jobs, a file/artifact, or an explicit not-shipped with a tracking issue. Six gaps were registered rather than hidden; four are now closed (see below), two remain as explicit design boundaries (TRACE_VERSION migration → #12, illustrative k8s → #10).

credential_packet_v1 — the verdict demo is now outsider-reproducible

Attached to v0.2.0 as a release asset (28K):
credential_packet_v1.tar.gz · sha256 af6e4142299b58cbfbeb67b3b357a6e438c272f7e074ee17b9c8e012a4dd01f1

Self-contained: 7 recorded official-eval reports + MANIFEST.json + provenance.json + VERIFY.md. Verified end-to-end from the Release: download → sha256 → reproduce the verdict table with stock python3 (no deps) → 7/7 SHA chain closed. The clinic's intervention verdicts are no longer claims about private files.

Consumable review debt (#11) — the load-bearing wall

Attestations now bind to the specific needs_review decisions they clear (clears_decisions); debt items carry a consumable open/cleared status derived by joining decisions × attestations — the recorded run stays immutable, clearing is a new fact. A reject clears nothing (the seat stays visibly empty); run-level endorsements clear nothing; consumption counts once. Outstanding debt is measurable: sum(aro_review_debt_total) − sum(aro_review_debt_cleared_total), per-run at GET /api/runs/{id}/review-debt?status=open, with a dashboard panel + clear-items form. SLO #6 now measures actual consumption, not a count comparison.

The compose stack is CI-verified (#9)

The compose-e2e job brings up the full stack (api, worker, Postgres, Prometheus, Grafana), runs a queued policy-violation run through the Postgres queue, and asserts health, verdict=blocked with 2 denials, /metrics, and Prometheus scraping both targets — on every push.

Security posture stated, fixtures labeled

SECURITY.md: demo-grade defaults, not internet-facing, tamper-evident-not-proof, private reporting. The exfiltration example's .env fixture now carries a FAKE header. Wiki disabled.

Also in this release

  • SLOs incl. two governance SLOs (docs/slo.md) and a nine-class error taxonomy (docs/error-taxonomy.md)
  • Issue hygiene: #1#6 closed with landing commits; real next increments opened (#8 Tempo/alerts, #10 GHCR, #12 OTel GenAI semconv, #15 deterministic goldens)

Full test surface: 8 CI jobs (clinic 441 tests, lint, unit, integration, postgres service-container, golden-replay, web-build, compose-e2e), all green on main.

v0.2.0 — wutai-clinic audit harness joins the substrate

Choose a tag to compare

@haeliotang haeliotang released this 07 Jul 11:56

Adds packages/clinic (runtime-verifiable paired-intervention audit harness, 441 tests) as a first-class uv workspace member; repo-wide lint gate now covers it. Known gap (tracked): the clinic verdict demo requires an evidence packet not yet published — see upcoming credential_packet_v1.


Update (2026-07-09): credential_packet_v1.tar.gz is now attached to this release (sha256 af6e4142…01f1) and continuously re-verified by the release-evidence CI job. The "not yet published" note above reflects the state at original publish time and is left intact for history.

v0.1.0 — tracing, replay, evals, and governance for agent runs

Choose a tag to compare

@haeliotang haeliotang released this 04 Jul 17:37

First complete reference implementation.

What's in it

Runtime substrate

  • Deterministic scripted agent runtime; policy gating (allow / deny / needs_review) evaluated before every step
  • Digest-addressed JSONL traces; replay engine with per-field divergence detection (catches code drift, environment drift, and tampering)
  • Golden-task eval harness gating CI on every commit

Governance objects (field-aligned with wutai & stillmirror-review — see docs/object-model-alignment.md)

  • PolicyDecision, RiskSignal, ReviewerSeat as first-class data
  • Attestations: scoped ratification by a named human (declared_scope / excluded_scope, proposed_byattested_by), consuming recorded review debt
  • Run-level trust verdict (trusted / review_required / blocked), per-run coverage declarations

Observability

  • OTel spans with digests and policy verdicts as attributes; Prometheus metrics incl. aro_review_debt_total and aro_attestations_total
  • Pre-provisioned Grafana dashboard (screenshot in README, captured live)
  • SLOs incl. two governance SLOs (docs/slo.md), full error taxonomy (docs/error-taxonomy.md)

Infra

  • Postgres store with FOR UPDATE SKIP LOCKED queue claims (SQLite fallback); worker retry with exponential backoff, dead-lettering, deterministic chaos injection; API rate limiting
  • docker-compose stack (api, worker, Postgres, Prometheus, Grafana) with healthchecks — verified end to end; optional k8s manifests
  • CI: lint, unit, integration, Postgres service-container job, golden replay regression, web build

Surfaces: FastAPI (runs / traces / replay / attestations / queue / metrics), queue worker, React + Vite dashboard.

62 files of Python across five workspace packages, 49 tests, benchmark numbers measured not asserted (docs/benchmark.md).