Releases: haeliotang/agent-runtime-observatory
Release list
v0.2.5 — portfolio freeze (freeze-correction, no new features)
The engineering line is frozen here. This is a freeze-correction — it fixes what a seventh review found, adds no features, and carries no packet (the evidence has one home: credential-packet-v1, sha256 af6e4142…).
What the freeze-correction fixed
- Persisted-run identity invariants (P1). Uniqueness was enforced only on the
Script, but the API reads the storedAgentRun— so a run with duplicate policy-decision ids let one attestation clear two items, and duplicate seat ids made the accountable party ambiguous.AgentRunnow enforces unique seat ids, unique decision ids, and sub-objectrun_idownership. - Version consistency (P2). All software versions are
0.2.5, and aversion-consistencyCI job (on push and onv*tags) fails if package/app/web versions disagree or, on a tag, if tag ≠ version. The "tag says vX but code says vY" class can't recur silently. - Claims discipline (P2). Narrowed the wide quantifiers; the v0.2.4 "can't be falsified" line is retracted (it was itself falsified). The rule going forward: state known limitations as of a version and specific verified properties — never "closed / complete / unfalsifiable."
Honest status (frozen baseline)
This is a strong engineering + self-audited reference / portfolio artifact. It is not an externally-adopted or independently-verified platform: 0 stars/forks, and CI is the only packet downloader. Verified properties are enumerated across the docs; what is not enforced is listed in docs/limitations.md with tracking issues (#29–#33).
After the freeze
Only externally-reported P0/P1 fixes. The next steps are not more internal hardening:
- #37 Independent reproduction — a third party runs the packet + suites and reports; this is the acceptance criterion for "independently verified."
- #38 90-second demo — a comms asset (explicitly not verification evidence).
Post-freeze backlog (Tempo #8, GHCR #10, OTel semconv #12, etc.) stays deprioritized behind those two.
v0.2.4 — real seat accountability, v2 content-bound digest, and honest boundaries
A sixth adversarial review pass (AI-assisted self-audit) found that v0.2.3's "structural accountability" was again an overclaim — the third round in a row where a governance layer was declared closed and the next pass falsified it. v0.2.4 fixes the real holes and changes how the claims are made, so they stop being falsifiable-by-nitpick.
Pinned to commit ac0ada0..fb4e4de. The credential packet is no longer attached here — it has one canonical home, the credential-packet-v1 evidence release (sha256 af6e4142…), because the evidence has a different lifecycle than the software.
Seats are no longer vacuous (finding 1)
ReviewerSeat(id="") was legal and duplicate seat ids (two people, one seat) were accepted — accountability that points at nothing. Now id/name/role/scope are non-blank and seat ids must be unique within a run.
The digest binds what was reviewed (finding 2)
v1 under-bound the record: deleting the seat a human cleared under, or changing a policy reason, left the debt cleared (the "exact record" claim was false). New v2 binds an explicit allowlist — run id, task id, agent, reviewer seats, per-step digests, and the full policy decisions (id, policy_id, rule_id, decision, reason) — excluding volatile fields. Both attacks now reopen the debt. v1 clearing power is revoked (finding 3: an explicit version-deprecation policy, not silent accumulation).
Claims discipline + registered boundaries
The false "exact record" / "structural accountability closed" language is gone. New docs/limitations.md states what is not enforced, each with a tracking issue: seat authorization vs reference (#29), attestation supersession/contested (#30), goal-prose binding (#31), /metrics N+1 (#32), clinic↔ARO executable interface (#33). A reference implementation that names its own edges can't be falsified by finding one.
Also
- Single canonical packet source (finding 4); all package versions already aligned to 0.2.x (finding 6).
Honest status
Sequential + concurrent governance semantics ✅ · seat accountability (non-vacuous, unique, content-bound) ✅ · boundaries registered, not hidden ✅. Unchanged and deliberately not overclaimed: independent external reproduction — no third party has run the packet/quickstart (0 stars/forks; CI is the main downloader). After this the engineering line is frozen; the next step is one real external reproducer, which is worth more than any further internal hardening.
Correction / superseded by v0.2.5 (2026-07-11): the line above claiming a limitations doc makes the project "can't be falsified" was itself an overclaim — a seventh review immediately falsified it via an unregistered invariant. The honest framing is "known limitations as of vX + these specific properties are verified," never "unfalsifiable." Two real issues found after this tag and fixed in v0.2.5: (1) uniqueness was enforced only on the Script, not the persisted AgentRun, so a run with duplicate decision ids let one attestation clear two items; (2) this tag's software metadata still reported 0.2.3. History left intact.
v0.2.3 — concurrency-safe governance, structural accountability, source-consistency gate
A fifth adversarial review pass (AI-assisted self-audit) found that v0.2.2's "governance semantics closed" held only under sequential execution. v0.2.3 closes the concurrency, persistence, and accountability gaps it surfaced — each reproduced before fixing, each now a regression test.
Pinned to commit ac0ada0. The credential packet is attached to this release (sha256 af6e4142299b58cbfbeb67b3b357a6e438c272f7e074ee17b9c8e012a4dd01f1).
Review-debt is now concurrency-safe and reopen-aware (findings 1–2)
The cleared-debt Prometheus counter was a non-atomic read-before/count-after: 24 concurrent clears of one item moved it by up to 24, and it could never go back down when an overwritten run reopened its debt (so a stale attestation kept the SLO green). Replaced with store-derived gauges (aro_review_debt_open / _cleared / _stale / _oldest_open_age_seconds) computed from actual state at scrape time — race-free by construction, and they track state up and down. SLO #6 now watches these.
Accountability is structural, and the digest is content-bound (findings 3–4)
- Seat integrity: a
Script'sgoal.owner_seat_idmust reference a declared reviewer seat, and clearing a specific debt item requires aseat_idthat the run declared. Not just a non-empty self-reported name — a named, declared seat. - Versioned canonical subject digest: an attestation is bound to the reviewed content (
v1:sha256:…over run id, per-step digests, policy decisions), not the raw serialization. Adding a defaulted field to a run no longer stales historical attestations; different content still reopens the debt.
The evidence gate checks current source, not just a frozen asset (finding 5)
release-evidence now checks out current source, verifies files↔MANIFEST↔provenance, and diffs the packet's bundled verdict script against the current source — red if the published evidence drifts from what the repo actually contains.
Also
- All package versions aligned to
0.2.3(were0.1.0while releases had moved on — finding 6). - Release-note wording corrected: these are adversarial review passes / AI-assisted self-audits, not independent external audits (finding 7). No PR here has had third-party review.
Honest status
Sequential and concurrent governance semantics ✅ · persistence-aware SLO ✅ · structural accountability ✅. Still open, and deliberately not overclaimed: independent external reproduction — no third party has run the packet/quickstart (0 stars/forks; CI is the main packet downloader). That, plus a 90-second demo, is the next step, and it needs a real external developer — worth more now than more infrastructure.
credential_packet_v1 — canonical evidence release (decoupled from software versions)
This is the single canonical source of credential_packet_v1. The clinic verdict evidence has its own lifecycle, distinct from the v0.2.x software releases — so it lives here, once, rather than being re-attached to each software tag.
- Asset:
credential_packet_v1.tar.gz· sha256af6e4142299b58cbfbeb67b3b357a6e438c272f7e074ee17b9c8e012a4dd01f1 - Signature:
credential_packet_v1.tar.gz.asc— detached GPG signature by key01A3AFAC8B5F4361(fingerprintBAEF75200B49F1D3D6DBC81D01A3AFAC8B5F4361). Verify authorship:curl -s https://github.com/haeliotang.gpg | gpg --import gpg --verify credential_packet_v1.tar.gz.asc credential_packet_v1.tar.gz # expect: Good signature - Verify integrity + reproduce per the bundled
VERIFY.md: reproduce the verdict table with stockpython3, check the files↔MANIFEST↔provenance chain. - CI (
release-evidence), the README, and software release notes all point only here. On every push CI re-checks the pinned SHA and verifies this signature against the in-repo maintainer key (docs/signing.md). If the evidence changes, it gets a new version (credential-packet-v2) — the packet version tracks the evidence, not the software.
Note on immutability: this release predates the repo's immutable-releases setting (which only protects releases created after it was enabled), so its GitHub immutable flag is false. Tamper-resistance here is the pinned SHA + this GPG signature + the delete/rewrite-protected tag — not that flag.
v0.2.2 — audit hardening: real governance semantics + a standing evidence gate
A fourth adversarial review pass (AI-assisted self-audit) found that v0.2.1's "credibility complete" was said a step early: the engineering was done, but the load-bearing governance semantics had gaps and the evidence was verified once, not continuously. v0.2.2 closes those.
Pinned to commit aecf068. The credential packet is attached to this release (sha256 af6e4142299b58cbfbeb67b3b357a6e438c272f7e074ee17b9c8e012a4dd01f1); links below point at the tag, not a moving branch.
Review-debt consumption is now real, not a self-declaration (findings 1–3)
The audit submitted a blank name, a forged seat, and a duplicate id and got a 200 with the debt cleared. No longer:
- Identity — a blank
attested_by/declared_scopeis rejected;seat_id, when given, must reference a seat the run actually declared (runs now carryreviewer_seats). Identity remains self-declared, not authenticated — stated plainly in SECURITY.md, not pretended away. - Digest binding — clearing is bound to the exact record reviewed. If the run is overwritten after the fact, the digest no longer matches, the debt reopens, and the item is flagged
stale_attestation. "The attestation pins the record" is now enforced, not asserted. - Idempotency — duplicate ids in one request are deduped; the cleared metric counts only open→cleared transitions, so re-clearing never double-counts.
Each attack is now a regression test.
Evidence is a standing gate, not a one-time check (finding 4)
New release-evidence CI job downloads the credential packet by fixed URL on every push, checks the pinned sha256, verifies the 7/7 internal SHA chain, and reproduces the verdict table with stock python3. If the published asset ever drifts, CI goes red. CI is now 9 jobs.
Also
- clinic hygiene — the missing-artifact→skip hook no longer raises during teardown: 441 passed / 82 skipped, 0 warnings (was 61). Public suite vs private-compatibility suite documented.
- Doc drift fixed — threat-model no longer claims "no rate limiting yet"; "nine objects" and "every claim by a test" softened to match reality; object-model documents all five debt-consumption rules.
- Issue split — #12 (OTel GenAI semconv) and #21 (TRACE_VERSION reject/migration) are now separate failure surfaces.
- v0.2.0's notes were corrected in place (the packet is published); v0.2.1 was left untouched.
Honest status
Engineering ✅ · internal reproducibility ✅ · public self-attestation ✅ · governance semantics ✅ (this release). Still open, and not overclaimed: independent external reproduction — no third party has yet run the packet/quickstart (0 stars/forks; this is a new repo). That, plus a 90-second demo, is the next step — worth more right now than more infra.
v0.2.1 — the credibility release: every claim checkable, every gap registered
The external-credibility sprint, per three rounds of adversarial review (AI-assisted self-audit). v0.2.0 shipped the engineering; v0.2.1 makes it checkable.
Every claim now maps to its proof
docs/evidence-matrix.md — 20 load-bearing README claims, each mapped to a command, one of 8 CI jobs, a file/artifact, or an explicit not-shipped with a tracking issue. Six gaps were registered rather than hidden; four are now closed (see below), two remain as explicit design boundaries (TRACE_VERSION migration → #12, illustrative k8s → #10).
credential_packet_v1 — the verdict demo is now outsider-reproducible
Attached to v0.2.0 as a release asset (28K):
credential_packet_v1.tar.gz · sha256 af6e4142299b58cbfbeb67b3b357a6e438c272f7e074ee17b9c8e012a4dd01f1
Self-contained: 7 recorded official-eval reports + MANIFEST.json + provenance.json + VERIFY.md. Verified end-to-end from the Release: download → sha256 → reproduce the verdict table with stock python3 (no deps) → 7/7 SHA chain closed. The clinic's intervention verdicts are no longer claims about private files.
Consumable review debt (#11) — the load-bearing wall
Attestations now bind to the specific needs_review decisions they clear (clears_decisions); debt items carry a consumable open/cleared status derived by joining decisions × attestations — the recorded run stays immutable, clearing is a new fact. A reject clears nothing (the seat stays visibly empty); run-level endorsements clear nothing; consumption counts once. Outstanding debt is measurable: sum(aro_review_debt_total) − sum(aro_review_debt_cleared_total), per-run at GET /api/runs/{id}/review-debt?status=open, with a dashboard panel + clear-items form. SLO #6 now measures actual consumption, not a count comparison.
The compose stack is CI-verified (#9)
The compose-e2e job brings up the full stack (api, worker, Postgres, Prometheus, Grafana), runs a queued policy-violation run through the Postgres queue, and asserts health, verdict=blocked with 2 denials, /metrics, and Prometheus scraping both targets — on every push.
Security posture stated, fixtures labeled
SECURITY.md: demo-grade defaults, not internet-facing, tamper-evident-not-proof, private reporting. The exfiltration example's .env fixture now carries a FAKE header. Wiki disabled.
Also in this release
- SLOs incl. two governance SLOs (docs/slo.md) and a nine-class error taxonomy (docs/error-taxonomy.md)
- Issue hygiene: #1–#6 closed with landing commits; real next increments opened (#8 Tempo/alerts, #10 GHCR, #12 OTel GenAI semconv, #15 deterministic goldens)
Full test surface: 8 CI jobs (clinic 441 tests, lint, unit, integration, postgres service-container, golden-replay, web-build, compose-e2e), all green on main.
v0.2.0 — wutai-clinic audit harness joins the substrate
Adds packages/clinic (runtime-verifiable paired-intervention audit harness, 441 tests) as a first-class uv workspace member; repo-wide lint gate now covers it. Known gap (tracked): the clinic verdict demo requires an evidence packet not yet published — see upcoming credential_packet_v1.
Update (2026-07-09): credential_packet_v1.tar.gz is now attached to this release (sha256 af6e4142…01f1) and continuously re-verified by the release-evidence CI job. The "not yet published" note above reflects the state at original publish time and is left intact for history.
v0.1.0 — tracing, replay, evals, and governance for agent runs
First complete reference implementation.
What's in it
Runtime substrate
- Deterministic scripted agent runtime; policy gating (
allow/deny/needs_review) evaluated before every step - Digest-addressed JSONL traces; replay engine with per-field divergence detection (catches code drift, environment drift, and tampering)
- Golden-task eval harness gating CI on every commit
Governance objects (field-aligned with wutai & stillmirror-review — see docs/object-model-alignment.md)
PolicyDecision,RiskSignal,ReviewerSeatas first-class data- Attestations: scoped ratification by a named human (
declared_scope/excluded_scope,proposed_by≠attested_by), consuming recorded review debt - Run-level trust verdict (
trusted/review_required/blocked), per-run coverage declarations
Observability
- OTel spans with digests and policy verdicts as attributes; Prometheus metrics incl.
aro_review_debt_totalandaro_attestations_total - Pre-provisioned Grafana dashboard (screenshot in README, captured live)
- SLOs incl. two governance SLOs (
docs/slo.md), full error taxonomy (docs/error-taxonomy.md)
Infra
- Postgres store with
FOR UPDATE SKIP LOCKEDqueue claims (SQLite fallback); worker retry with exponential backoff, dead-lettering, deterministic chaos injection; API rate limiting - docker-compose stack (api, worker, Postgres, Prometheus, Grafana) with healthchecks — verified end to end; optional k8s manifests
- CI: lint, unit, integration, Postgres service-container job, golden replay regression, web build
Surfaces: FastAPI (runs / traces / replay / attestations / queue / metrics), queue worker, React + Vite dashboard.
62 files of Python across five workspace packages, 49 tests, benchmark numbers measured not asserted (docs/benchmark.md).