Releases: Q00/ouroboros

v0.39.1

20 May 10:56
@Q00 Q00

What's Changed

Features

  • Add ouroboros status run --json projection surface (#1133)
  • Record durable workflow lifecycle events in orchestrator (#1134)
  • Add on_error/on_cancel plugin observability hooks (PR E) (#1137)
  • Expose MCP interview reasoning metadata (#1140)
  • Prompt for required trust grants on plugin install (#1141)
  • Expose Ralph-start alias while preserving runtime ownership
  • Dispatch lifecycle hooks within plugin trust boundaries
  • Make plugin permission waits share the typed HITL contract
  • Expose projection checkpoint anchors safely
  • Expose plugin manifests as harness descriptors
  • Let safe-default synthesis close persisted interviews
  • Surface malformed Claude tool-use turns at the provider boundary

Bug Fixes

  • Defer lateral advisory side effects in interview (#1130)
  • Make plugin workflow ids collision-proof
  • Advise first live milestone crossing in interview
  • Make auto ledger conflicts deterministic
  • Preserve bounded recovery redispatch semantics
  • Validate HITL timeout decisions through replayed state
  • Keep safe defaults tied to persisted interviews

Testing & Hardening

  • Expand workflow IR conformance harness (#1135)
  • Add mechanical-evaluation projection fixture (#1132)
  • Lock plugin lifecycle conformance baseline
  • Lock the short-goal interview convergence matrix against regression
  • Lock projection fixture evidence flow

Instrumentation & Docs

  • Emit structured-log events at safe-default decision points in auto (#1138)
  • Mark completed projection follow-up slots in agentos docs (#1136)
  • Persist init interview HITL telemetry without coupling the renderer
  • Record interview lateral-review design before implementation
  • Update README

Full Changelog: v0.39.0...v0.39.1

What's Changed

  • docs: define interview milestone lateral contract by @honor2030 in #1108
  • feat(plugin): add hook runtime audit schema names by @shaun0927 in #1109
  • fix(runtime): surface malformed tool-use turns by @shaun0927 in #1111
  • feat(hitl): record init interview responses by @shaun0927 in #1112
  • feat(mcp): add start ralph tool alias by @shaun0927 in #1113
  • feat(hitl): validate timeout events from replay by @shaun0927 in #1114
  • Document runtime delegation ownership contract by @shaun0927 in #1115
  • Specify plugin permission HITL contract by @shaun0927 in #1116
  • test(auto): cover #821 short-goal interview convergence matrix by @shaun0927 in #1117
  • feat(plugin): dispatch v1 lifecycle hooks by @shaun0927 in #1110
  • feat(plugin): expose manifest descriptor projection by @shaun0927 in #1118
  • feat(auto): consume lateral recovery plans for Ralph redispatch by @shaun0927 in #1120
  • feat(auto): centralize deterministic ledger conflict policy by @shaun0927 in #1121
  • test(plugin): lock v0.3 lifecycle conformance by @shaun0927 in #1119
  • fix(auto): close safe-defaultable interview gaps at max rounds by @shaun0927 in #1122
  • test(projection): lock mechanical evaluation fixture by @shaun0927 in #1123
  • feat(projection): surface context checkpoint anchors by @shaun0927 in #1124
  • test(workflow): lock projection boundary fixture by @shaun0927 in #1125
  • feat(plugin): classify terminal hook contract by @shaun0927 in #1127
  • feat(interview): surface milestone lateral review advisories by @shaun0927 in #1128
  • feat(workflow): represent plugin actions as planned nodes by @shaun0927 in #1126
  • fix(auto): let safe-default synthesis close interviews by @shaun0927 in #1129
  • fix(interview): defer lateral advisory side effects by @shaun0927 in #1130
  • feat(plugin): prompt for required trust grants on install by @Q00 in #1141
  • docs(agentos): mark completed projection follow-up slots by @shaun0927 in #1136
  • test(harness): add mechanical-evaluation projection fixture by @shaun0927 in #1132
  • instrument(auto): emit structured-log events at safe-default decision points by @shaun0927 in #1138
  • Expose MCP interview reasoning metadata by @Q00 in #1140
  • feat(cli): add ouroboros status run --json projection surface by @shaun0927 in #1133
  • feat(orchestrator): record durable workflow lifecycle events by @shaun0927 in #1134
  • feat(plugin): add on_error/on_cancel observability hooks (PR E) by @shaun0927 in #1137
  • test(orchestrator): expand workflow IR conformance harness by @shaun0927 in #1135

v0.39.0

18 May 08:34
@Q00 Q00

Ouroboros v0.39.0

This release lands a high-severity security fix, flips ooo run to the
fat-harness execution path by default, and completes the AgentOS roadmap
wiring/baseline milestone tracked in #961.

🔒 Security

RCE via untrusted project-directory .env (high severity)

Ouroboros is run inside cloned repositories. config/loader.py loaded
./.env from the working directory into os.environ at import time with the
same trust as the home-directory ~/.ouroboros/.env. Because
OUROBOROS_*_CLI_PATH and the runtime/backend selector env vars decide which
binary the Claude Agent SDK / runtime adapters spawn, a malicious repository
could ship a .env plus an executable script and achieve arbitrary code
execution on the victim's machine as soon as they ran any command that builds
a runtime adapter (e.g. ooo, ouroboros init).

  • Classification: CWE-426 (Untrusted Search Path) + CWE-15 (External
    Control of System or Configuration Setting)
  • Root cause: the project-directory .env travels with whatever
    repository the user cloned and is therefore an untrusted trust boundary;
    it was conflated with the trusted home config.

Fixes:

  • Denylist for untrusted .env (#1078): blocks the 8 OUROBOROS_*_CLI_PATH
    keys plus the runtime/backend selectors (OUROBOROS_AGENT_RUNTIME,
    OUROBOROS_RUNTIME, OUROBOROS_LLM_BACKEND) when loading an untrusted .env.
  • Fail-closed default: _load_env_file now defaults to trusted=False;
    only ~/.ouroboros/.env opts into trust explicitly, so any future caller is
    safe by default.
  • Defense in depth: ClaudeCodeAdapter._resolve_cli_path rejects any
    resolved CLI path inside the current working directory and falls back to the
    SDK bundled CLI — a legitimate Claude CLI is always a global install, never
    shipped inside a repo.
  • Additional hardening: block PATH from untrusted project env (#1098) and
    refuse symlinked managed install roots (#1097).

Trusted sources — shell export, ~/.ouroboros/.env,
~/.ouroboros/config.yaml — keep full custom-CLI support, so no legitimate
workflow regresses. The fix was adversarially reviewed by a security-focused
agent over two rounds (round 2 returned APPROVED with no remaining bypasses).
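
A sketch of the three fixes listed above (denylist, fail-closed `trusted=False` default, and rejecting a CLI path inside the working directory), added here as an illustration and not the project's own code. The glob pattern standing in for the 8 unnamed keys, the `OUROBOROS_EXAMPLE_CLI_PATH` key, the helper names and the sample `.env` are constructed; letting an already-set environment value win is also an assumption.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Keys a project-directory .env may not set. The glob stands in for the
# 8 OUROBOROS_*_CLI_PATH keys, which the release notes do not enumerate.
DENY_PATTERNS = (
    "OUROBOROS_*_CLI_PATH",
    "OUROBOROS_AGENT_RUNTIME",
    "OUROBOROS_RUNTIME",
    "OUROBOROS_LLM_BACKEND",
    "PATH",
)

# Constructed sample: what a cloned repository could ship as ./.env
SAMPLE_ENV = """\
# project settings
OUROBOROS_EXAMPLE_CLI_PATH=./cli.sh
OUROBOROS_AGENT_RUNTIME="custom"
export PATH=./bin
APP_LOG_LEVEL=debug
"""


def parse_env(text):
    """Minimal KEY=VALUE parser: skips blanks/comments, accepts `export`."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip().strip("\"'")))
    return pairs


def is_denied(key):
    # Upper-case first: Windows treats environment names case-insensitively.
    return any(fnmatch.fnmatchcase(key.upper(), p) for p in DENY_PATTERNS)


def load_env_file(path, environ, *, trusted=False):
    """Merge a .env into `environ` and return the keys that were refused.

    Fail-closed: a caller has to pass trusted=True explicitly (only the
    home-directory file should), so a new call site cannot re-open the hole.
    """
    blocked = []
    try:
        text = Path(path).read_text(encoding="utf-8")
    except OSError:
        return blocked
    for key, value in parse_env(text):
        if not trusted and is_denied(key):
            blocked.append(key)
            continue
        environ.setdefault(key, value)  # assumption: shell exports win
    return blocked


def _inside(path, root):
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def resolve_cli_path(candidate, cwd):
    """Return the resolved CLI path, or None to use the bundled CLI.

    Rejects a candidate that lies in the working directory either as written
    (after collapsing '..') or after symlinks are followed.
    """
    if not candidate:
        return None
    cwd_real = Path(cwd).resolve()
    lexical = Path(os.path.abspath(cwd_real / Path(candidate).expanduser()))
    real = lexical.resolve()
    if _inside(lexical, cwd_real) or _inside(real, cwd_real):
        return None
    return str(real)


def demo():
    """Run the loader and resolver against a throwaway 'cloned repo'."""
    with tempfile.TemporaryDirectory() as repo, \
            tempfile.TemporaryDirectory() as outside:
        env_file = Path(repo, ".env")
        env_file.write_text(SAMPLE_ENV, encoding="utf-8")
        untrusted_env, trusted_env = {}, {}
        blocked = load_env_file(env_file, untrusted_env)
        load_env_file(env_file, trusted_env, trusted=True)
        traversal = str(Path(repo, "sub", "..", "cli.sh"))
        return {
            "blocked": blocked,
            "untrusted_env": untrusted_env,
            "trusted_keys": sorted(trusted_env),
            "in_repo_cli": resolve_cli_path("./cli.sh", repo),
            "traversal_cli": resolve_cli_path(traversal, repo),
            "global_cli_ok": resolve_cli_path(str(Path(outside, "cli")), repo)
            is not None,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
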

🙏 Reported by @qerogram — thank you for the responsible disclosure.

🚀 AgentOS Roadmap Progress (#961)

The AgentOS substrate wiring + baseline milestone is now complete.

Track A — ooo run fat-harness

  • ooo run CLI now defaults to the fat-harness execution path
  • Verifier-capability, typed blocked evidence, profile-aware decomposition, and
    profile-schema wiring landed; fat-harness AC acceptance now requires verifier
    PASS with typed evidence verification
  • Baseline gate evidence captured and recorded; #961 carries
    baseline-metrics-captured and the agentos-substrate-wiring milestone is
    closed
  • Readable baseline-metrics rendering + semantic-miss baseline metric reporting

Track B — ooo auto self-healing

  • Phase 2 typed recovery plan and Phase 3 DomainProfile merged
  • Hardened auto: Seed goal-drift repair from the ledger, strict grading with
    concrete coding evidence, observation/execution acceptance-criteria
    separation, and complete-product Ralph-loop wiring

Track C — AgentOS substrate dump (#920#960)

  • Workflow IR v1 lifecycle replay, conformance fixtures, and projection
    hardening against ambiguous run identity
  • Plugin lifecycle hook permission scope, v1 hook vocabulary, and bounded
    Tier 1 hook contract surface
  • HITL state projection, run-snapshot projection, typed HITL resume
    validation, and cancel-confirmation routing through typed events
  • Runtime transition contract validation (fail-closed on incomplete revision
    checks, malformed input rejection, secret-alias detection)
  • Skill runtime guides installable for Hermes/Claude/Codex from backend metadata

✨ Features

  • ooo run CLI flipped to fat-harness by default (with temporary opt-in path
    during rollout)
  • CLI: read-only Workflow IR inspection and status run projection JSON
    (#1063, #1064)
  • CLI: status health checks (#1101)
  • Harness: strict projection records, project artifact/verdict records
    (#1061)
  • Codex: live MCP doctor check (#1047), missing-MCP-extra detection (#1046),
    JSONL stdio for live MCP doctor (#1052)
  • Orchestrator: workflow lifecycle conformance report (#1038), HITL state
    projection (#1036), run snapshot projection (#1037)
  • Experimental Goose runtime can be enabled safely

🐛 Bug Fixes

  • Orchestrator: prevent execution workers from recursively invoking auto
    (#1075), recover from invalid dependency stages (#1070), reconcile sibling
    ACs from execution evidence (#1096)
  • Auto: surface execution terminal failures instead of reporting complete
    (#1076), canonicalize observation execution criteria (#1095), keep
    repaired Seed identifiers synchronized (#1071)
  • Jobs: preserve runner failure over terminal evidence (#1094), fail stalled
    progress-accounting executions (#1085), wait for runner cleanup after
    progress-stall failure (#1089)
  • Interview: scope completion-signal heuristic to user-prefix answers
    (#1077)
  • Goose: preserve approval for default permission modes (#1106)
  • Evidence scope hardening for observation/docs-only ACs (#1072, #1073,
    #1093)
  • Bigbang: add force flag to SeedGenerator.generate, replacing the
    FORCED_SCORE_VALUE hack (#1107)

📚 Docs & Maintenance

  • Clarify Windows WSL installation path
  • Align contributing documentation guidance (#1102)
  • AgentOS: sequence projection follow-up slots, clarify Workflow IR v1 boundary
  • Remove legacy self-report acceptance fallback (#1086) and unreachable
    verifier branch

Full Changelog: v0.38.2...v0.39.0

What's Changed

  • feat(orchestrator): add fat-harness baseline metrics report by @honor2030 in #977
  • feat(plugin): define hook audit event vocabulary by @shaun0927 in #973
  • feat(runtime): classify malformed tool-use turns by @shaun0927 in #972
  • feat(plugin): accept optional hook declarations by @shaun0927 in #970
  • docs(plugin): define lifecycle hook contract by @shaun0927 in #969
  • feat(orchestrator): support typed blocked leaf evidence by @shaun0927 in #927
  • feat(profiles): introduce profile YAML schema + loader by @honor2030 in #976
  • feat(hitl): add typed WAIT/RESUME contract by @shaun0927 in #971
  • feat(plugin): add v1 lifecycle hook contract types (#939) by @shaun0927 in #984
  • feat(plugin): enforce v1 hook contract in manifest validator (#939 PR-2) by @shaun0927 in #985
  • feat(plugin): add schema v0.3 with v1-only hook enum (#939 PR-3) by @shaun0927 in #986
  • feat(plugin): add v1 hook lifecycle permission scope (#939 PR-4) by @shaun0927 in #987
  • feat(orchestrator): add human-readable baseline metrics formatter by @shaun0927 in #988
  • feat(orchestrator): record fat-harness baseline metrics evidence by @shaun0927 in #989
  • feat(harness): add Run/Step/Artifact/Verdict projection records (#946 PR-1a) by @shaun0927 in #980
  • feat(harness): add ProjectionBuilder over the EventStore (#946 PR-1b) by @shaun0927 in #983
  • feat(harness): add journal → evidence-manifest normalizer (#978 P1) by @shaun0927 in #982
  • feat(orchestrator): add typed Workflow IR schema and validator (#956 PR-1) by @shaun0927 in #981
  • feat(harness): expose projection records through MCP query (#946 PR-2) by @shaun0927 in #990
  • feat(orchestrator): add read-only Seed to Workflow IR adapter (#956 PR-2) by @shaun0927 in #991
  • feat(orchestrator): audit profile-aware AC decomposition (#920 PR-1) by @shaun0927 in #992
  • feat(harness): load AC manifests for TraceGuard deliver ga...
v0.38.2

13 May 02:59
@Q00 Q00

What's Changed

Bug Fixes

  • Close residual allowed_tools=[] leak in sub-CLI envelope for interview

Testing

  • Lock empty allowedTools passthrough
  • Cover strict empty allowed-tools envelope (#975)

Full Changelog: v0.38.1...v0.38.2

What's Changed

  • fix(interview): close residual allowed_tools=[] leak in sub-CLI envelope by @Q00 in #974

v0.38.1

12 May 23:42
@Q00 Q00

What's Changed

Features

  • Persist typed recovery plans after QA failure (#928)
  • Let decomposition consume execution profiles (#929)
  • Route verifiers by profile capability (#926)

Bug Fixes

  • Mutual-agreement closure gate for interview driver (#962)

Full Changelog: v0.38.0...v0.38.1

What's Changed

  • fix(auto): mutual-agreement closure gate for interview driver by @Q00 in #962
  • feat(orchestrator): route verifiers by profile capability by @shaun0927 in #926
  • feat(orchestrator): let decomposition consume execution profiles by @shaun0927 in #929
  • feat(auto): persist typed recovery plans after QA failure by @shaun0927 in #928

v0.38.0

12 May 22:27
@Q00 Q00

What's Changed

This release wraps up the #830 Orchestrator stack (9 PRs), the #809 P3 DomainProfile rollout (coding + research profiles wired through ooo auto), and the #518 AgentProcess durability work. It also brings a major round of security/safety hardening across plugin trust, secret redaction, and subprocess bounding.

Features

Orchestrator (#830 stack, PRs 1/9 → 9/9)

  • Profile YAML schema + loader (#881)
  • Typed evidence schema validator (#883)
  • External verifier loop (#884)
  • Profile-aware decomposition params (#885)
  • PRE/POST phase wrappers (#886)
  • Failure taxonomy + recovery policy (#887)
  • Adaptive model/tool routing (#889)
  • Per-dispatch context budget (#890)
  • ProfileBackedStrategy + deprecate code-executor.md (PR 9/9)

DomainProfile (#809 P3 stack)

  • First built-in coding DomainProfile + parity tests (#851)
  • Second built-in research DomainProfile + plurality acceptance (#850)
  • 3-step DomainProfile activation in ooo auto CLI (#852)
  • Route AutoAnswerer through DomainProfile (#854)
  • Route safe_defaults through DomainProfile (#853)
  • Recovery-loop guards (#888)

AgentProcess & Evolution (#518, #578)

  • Durable pause/resume for AgentProcess via CheckpointStore (#844)
  • Wrap evolve_step in AgentProcess (#846)
  • Map watchdog timeouts onto Directive vocabulary (#836)
  • Emit control.directive.emitted from watchdog timeouts (#838)

MCP & Auto

  • ouroboros_start_evaluate fire-and-forget handler (#882)
  • Unified status surface for auto + ralph (#792)

Bug Fixes

Orchestrator (#891 stack)

  • Wire H3 wrappers into ProfileBackedStrategy
  • Per-profile Bash activity semantics
  • Direct executor through every AC, not just first
  • Replace build_post_block reuse with multi-AC directive
  • Preserve legacy domain guidance in system prompt
  • Derive guidance tool list from profile
  • Single consolidated evidence record + blocker in JSON
  • Drop blocker-marker contract until H2 schema lands
  • Strip deprecation banner from live code-executor prompt

MCP & Auto

  • Harden start_auto session exclusivity
  • Bump interview/seed phase timeouts; exempt user_preferences from shell-metachar scan (#894)
  • Restore coding DomainProfile lightweight loading (#879)
  • Restore coding profile lazy import boundary (#875)
  • Bound encoded Seed filenames (#878)

AgentProcess durability

  • Keep AgentProcess cancel durable until restart observes it (#845)
  • Prevent false terminal cancellation for live AgentProcess work (#880)
  • Preserve AgentProcess replay across lifecycle slices (#847)

Security & Hardening

  • Redact secret-shaped event resource payloads (#866)
  • Avoid persisting full Codex auth paths in failure events (#864)
  • Make trust and disable transitions atomic in CLI/plugin (#868)
  • Bound firewall subprocess invocation time (#858)

Other

  • Preserve raw JSON success fallback in copilot (#877)
  • Ignore telemetry JSON in copilot success fallback (#870)

Refactoring

  • Replace hardcoded model strings with config-aware getters in PM (#893)

Testing

  • Register integration pytest marker (#896)
  • Full Interview→Seed→Run→Ralph→QA E2E integration test (#793)
  • Isolate codex_cli profile tests from user config

Documentation

  • RFC: unified runtime timeout contract (#578) (#841)
  • Clarify stable Python source checkout setup (#876, #874)

Full Changelog: v0.37.0...v0.38.0

What's Changed

  • test(orchestrator): isolate codex_cli profile tests from user config by @Q00 in #872
  • docs(rfc): unified runtime timeout contract (#578) by @shaun0927 in #841
  • feat(auto): 3-step DomainProfile activation in ooo auto CLI (#809 P3, PR 3/6) by @shaun0927 in #852
  • fix(plugin): bound firewall subprocess invocation time by @shaun0927 in #858
  • fix(cli/plugin): make trust and disable transitions atomic by @shaun0927 in #868
  • fix(security): redact secret-shaped event resource payloads by @shaun0927 in #866
  • fix(interview): avoid persisting full Codex auth paths in failure events by @shaun0927 in #864
  • feat(evolution): map watchdog timeouts onto Directive vocabulary (#578) by @shaun0927 in #836
  • feat(orchestrator): durable pause/resume for AgentProcess via CheckpointStore (#518) by @shaun0927 in #844
  • feat(evolution): wrap evolve_step in AgentProcess (#518) by @shaun0927 in #846
  • feat(orchestrator): implement AgentProcess.replay() from control directive events (#518) by @shaun0927 in #847
  • feat(auto): route safe_defaults through DomainProfile (#809 P3, PR 5/6) by @shaun0927 in #853
  • feat(auto+jobs): unified status surface for auto + ralph by @shaun0927 in #792
  • docs: clarify source checkout Python defaults by @shaun0927 in #874
  • feat(auto): second built-in research DomainProfile + plurality acceptance (#809 P3, PR 6/6) by @shaun0927 in #850
  • feat(auto): route AutoAnswerer through DomainProfile (#809 P3, PR 4/6) by @shaun0927 in #854
  • fix(copilot): ignore telemetry JSON in success fallback by @shaun0927 in #870
  • feat(evolution): emit control.directive.emitted from watchdog timeouts (#578) by @shaun0927 in #838
  • test(integration): full Interview→Seed→Run→Ralph→QA E2E by @shaun0927 in #793
  • feat(auto): first built-in coding DomainProfile + parity tests (#809 P3, PR 2/6) by @shaun0927 in #851
  • fix(auto): restore coding DomainProfile lightweight loading by @shaun0927 in #879
  • feat(auto): recovery-loop guards (#809 P2.2b, Stack 1/2) by @Q00 in #888
  • docs: clarify stable Python source checkout setup by @honor2030 in #876
  • fix(copilot): preserve raw JSON success fallback by @shaun0927 in #877
  • fix(auto): bound encoded Seed filenames by @shaun0927 in #878
  • fix(auto): restore coding profile lazy import boundary by @shaun0927 in #875
  • fix(orchestrator): keep AgentProcess cancellation owned until work exits by @shaun0927 in #880
  • feat(orchestrator): profile YAML schema + loader (#830 PR 1/9) by @Q00 in #881
  • feat(mcp): add ouroboros_start_evaluate fire-and-forget handler by @Q00 in #882
  • feat(orchestrator): typed evidence schema validator (#830 PR 2/9) by @Q00 in #883
  • feat(orchestrator): durable cancel signal for AgentProcess (#518) by @shaun0927 in #845
  • feat(orchestrator): external verifier loop (#830 PR 3/9) by @Q00 in #884
  • feat(orchestrator): profile-aware decomposition params (#830 PR 4/9) by @Q00 in #885
  • feat(orchestrator): PRE/POST phase wrappers (#830 PR 5/9) by @Q00 in #886
  • feat(orchestrator): failure taxonomy + recovery policy (#830 PR 6/9) by @Q00 in #887
  • feat(orchestrator): adaptive model/tool routing (#830 PR 7/9) by @Q00 in #889
  • feat(orchestrator): per-dispatch context budget (#830 PR 8/9) by @Q00 in #890
  • test: register integration pytest marker by @Q00 in #896
  • fix(auto): bump interview/seed phase timeouts and exempt user_preferences from shell-metachar scan by @Q00 in #894
  • refactor(pm): replace hardcoded model strings with config-aware getters by @cohemm in #893
  • feat(orchestrator): ProfileBackedStrategy + deprecate code-executor.md (#830 PR 9/9) by @Q00 in #891
  • feat(auto): fire-and-forget ouroboros_start_auto + relax user_preferences value types by @Q00 in #895

v0.37.0

11 May 16:19
@Q00 Q00

What's Changed

Features

ooo auto Pipeline

  • DomainProfile and VerifiablePredicate contracts (#849, #809 P3 PR 1/6)
  • UNSTUCK_LATERAL persona advisor on EVALUATE fail (#829)
  • EVALUATE phase verifies run output against seed AC (#825)
  • Formalize run-handoff idempotency contract (#843)
  • Chain RUN→RALPH automatically with --complete-product (#791)
  • user_preference source + deterministic ambiguity floor (#811)
  • Top-level pipeline_timeout_seconds deadline (#790)
  • Steer interviews toward open ledger gaps (#761)
  • Finalize safe-default interview gaps (#763)
  • Classify interview questions by intent (#762)
  • Expose ledger provenance as ledger_provenance in pipeline result meta (#740)
  • CI lint guard for ooo auto product boundary (#753)

Interview & Unstuck

  • Debate mode for ooo lateral (#812)
  • Raise prompt budget caps for richer answers
  • Isolate adapter from plugin MCP servers + hardening RFC

Ralph & Evolution

  • Total wall-clock budget max_total_seconds for Ralph (#789)
  • Oscillation / no-progress detection in Ralph (#788)
  • Pin v0 watchdog cancellation contract (#842)

Plugin & CLI

  • TrustStore concurrency primitives + LockEntry subject helper + manifest tuple ordering (#807)
  • UserLevel program registry: cross-axis collisions + command-name index (#747)
  • argv_summary in firewall audit events (observation-only) (#805)
  • ooo plugin {discover,inspect,list} read-only commands (#750)
  • Warn on stderr when ooo plugin list row has unreadable trust.json (#833)
  • Surface trust_read_error in ooo plugin list --json (#832)
  • Route ooo publish / ooo resume-session keywords via hook (#742)

MCP

  • Diagnostic event for interview response shape (#837)
  • Structured envelope for interview length-guard branch (#834)

Bug Fixes

Interview

  • Close parent-context leaks in sub-CLI envelope (#869)
  • Close Restate gate bypass for short PATH 2 answers (#827)
  • Scope strict MCP isolation
  • Reserve CLI adapter prompt headroom
  • Keep interview prompt budget below CLI failure ceiling
  • Budget interview prompts with serialized CLI framing

Security & Plugin Firewall

  • Contain auto Seed persistence paths (#865)
  • Prevent argv secret leaks across firewall outputs (#857)
  • Fail-closed on tampered plugin home + refuse legacy trust under subject contract (#808)
  • Escape all C0/DEL chars in lockfile TOML basic strings (#795)
  • Deep-copy audit event in unwrap_plugin_event (#796)
  • Defensive name validation + tighten source schema (#746)
  • Degrade row on corrupt trust.json instead of aborting list (#798)
  • Tighten _word_boundary_match to reject hyphen as token edge (#800)

Auto / Ralph

  • Bound retry on run_handoff_status="unknown" with idempotency-key (#787)
  • SeedRepairer.converge() adds max_iterations + outer wait_for (#785)
  • NFKC-normalize unsafe-context input before regex bank (#794)
  • Exact-match the canonical key in safe-default rollback (#804)
  • Per-iteration wall-clock timeout for Ralph (#784)
  • Close tool envelope on max_turns=1 to stop turn starvation (#770)

Providers & Misc

  • Isolate subprocess from host plugin env (#754)
  • Skip symlinks in check-auto-boundary scan (#797)
  • Keep Copilot completions from leaking tool events (#860)

Refactoring

  • Extract material-progress taxonomy module (#839)
  • max_turns=1 envelope sweep across remaining MCP sites (#786)

Testing

  • Pin three-surface AgentProcess acceptance contract (#848)
  • Pin watchdog resume/replay contract (#840)
  • Widen test_ralph_handler_returns_job_id_and_completes_loop deadline to 60s
  • End-to-end contract proof with github-pr-ops fixture (#752)
  • Define interview convergence contract (#760)
  • Guard interview prompt cap against CLI ceiling

Documentation

  • Forward complete_product / pipeline_timeout in skills/auto SKILL.md (#820)
  • Unify interview Step 9 payload schema + define Add-context retry (#828)
  • Add Refine and Restate gates to interview SKILL.md (+ multiple follow-up refinements)
  • Mark interview-hardening RFC as Accepted
  • Broaden uv install guidance for policy-restricted environments (#768)
  • Update version numbers in welcome skill (#810)

Full Changelog: v0.36.0...v0.37.0

What's Changed

  • fix(providers,interview): isolate subprocess from host plugin env by @ASak1104 in #754
  • feat(auto): CI lint guard for ooo auto product boundary by @shaun0927 in #753
  • test(auto): define interview convergence contract by @shaun0927 in #760
  • feat(auto): steer interviews toward open ledger gaps by @shaun0927 in #761
  • feat(cli): ooo plugin {discover,inspect,list} (read-only) by @shaun0927 in #750
  • feat(hook): route 'ooo publish' and 'ooo resume-session' keywords by @shaun0927 in #742
  • feat(auto): expose ledger provenance in pipeline result meta as ledger_provenance (#640) by @shaun0927 in #740
  • feat(plugin): lockfile + per-user trust store by @shaun0927 in #746
  • feat(auto): classify interview questions by intent by @shaun0927 in #762
  • feat(auto): finalize safe default interview gaps by @shaun0927 in #763
  • feat(plugin): UserLevel program registry by @shaun0927 in #747
  • docs(install): broaden uv install guidance for policy-restricted environments by @shaun0927 in #768
  • fix(mcp,interview): close tool envelope on max_turns=1 to stop turn starvation by @shaun0927 in #770
  • feat(plugin): add argv_summary to firewall audit events (observation-only) by @Q00 in #805
  • fix(auto): exact-match the canonical key in safe-default rollback by @Q00 in #804
  • fix(hook): tighten _word_boundary_match to reject hyphen as token edge by @Q00 in #800
  • fix(cli/plugin): degrade row on corrupt trust.json instead of aborting list by @Q00 in #798
  • fix(plugin): deep-copy audit event in unwrap_plugin_event by @Q00 in #796
  • fix(auto): NFKC-normalize unsafe-context input before regex bank by @Q00 in #794
  • fix(ralph): per-iteration wall-clock timeout by @shaun0927 in #784
  • fix(auto): SeedRepairer.converge() add max_iterations + outer wait_for by @shaun0927 in #785
  • refactor(mcp): max_turns=1 envelope sweep across remaining sites by @shaun0927 in #786
  • fix(auto): bound retry on run_handoff_status="unknown" with idempotency-key by @shaun0927 in #787
  • feat(ralph): oscillation / no-progress detection by @shaun0927 in #788
  • feat(ralph): total wall-clock budget max_total_seconds by @shaun0927 in #789
  • fix(plugin): escape all C0/DEL chars in lockfile TOML basic strings by @Q00 in #795
  • fix(scripts): skip symlinks in check-auto-boundary scan by @Q00 in #797
  • feat(auto): top-level pipeline_timeout_seconds deadline by @shaun0927 in #790
  • test(plugin): end-to-end contract proof with github-pr-ops fixture by @shaun0927 in #752
  • Fix stale welcomeVersion hardcoded in welcome skill by @adam0white in #810
  • feat(plugin): TrustStore concurrency primitives + LockEntry subject helper + manifest tuple ordering by @shaun0927 in #807
  • fix(plugin/firewall): fail-closed on tampered plugin home + refuse legacy trust under subject contract by @shaun0927 in #808
  • feat(auto): user_preference source + deterministic ambiguity floor (#809 P1) by @Q00 in #811
  • feat(auto): chain RUN→RALPH automatically with --complete-product by @shaun0927 in #791
  • feat(interview): isolate adapter from plugin MCP servers + RFC by @Q00 in #822
  • feat(interview): raise prompt budget caps for richer answers by @Q00 in #823
  • docs(interview): add Refine and Restate gates to SKILL.md by @Q00 in #824
  • docs(rfc): mark interview-hardening RFC as Accepted by @Q00 in #826
  • feat(auto): EVALUATE phase verifies run output against seed AC (#809 P2.1) by @Q00 in #825
  • feat(auto): UNSTUCK_LATERAL persona advisor on EVALUATE fail (#809 P2.2) by @Q00 in #829
  • docs(interview): unify Step 9 payload schema and define Add context retry by @shaun0927 in #828
  • feat(cli/plugin): surface trust_read_error in ooo plugin list --json (#806) by @shaun0927 in #832
  • feat(mcp): structured envelope for interview length-guard branch (#831) by @shaun0927 in #834
  • docs(skills/auto): forward complete_product/pipeline_timeout in SKILL.md by @shaun0927 in #820
  • refactor(evolution): extract material-progress taxonomy module (#578) by @shaun0927 in #839
  • test(evolution): pin watchdog resume/replay contract (#578) by @shaun0927 in https://github.com/Q...
v0.36.0

07 May 17:52
@Q00 Q00

What's Changed

Features

ooo auto Pipeline

  • Stream live phase trace in ooo auto CLI (#713)
  • Block risky-fallback answers for regulated/destructive topics (#738)
  • Surface invoked_by in pipeline result and CLI summary (#704)
  • Add AutoProgressEvent callback contract (#705)
  • Surface authoring vs run backend in ooo auto status (#709)
  • Tag seed_origin in persisted auto state (#698)
  • Persist source-tagged auto answer log (#720)
  • Allowlisted gateway provenance on AutoPipelineState (#701)
  • Expose MCP progress metadata
  • Feed repo facts into interview answers
  • Expose unknown-run handoff guidance

Plugin & Backends

  • Plugin manifest loader + vendored 0.1 schemas (#745)
  • Capability registry for backends (#670)
  • Hermes interview driver support (#671)
  • Route ooo auto to /ouroboros:auto skill via hook (#741)

Bug Fixes

  • Harden Hermes background seed execution
  • Limit Hermes quiet timeout opt-out to seed execution
  • Cover synchronous seed cwd validation
  • Truthful resume/retry semantics across surfaces (#739)
  • Label authoring blockers with phase + backend (#711)
  • Persist interview session id before first question generation (#723)
  • Clear stale reconciliation metadata on attach; scope invalid reconcile errors (#718)
  • Honor state interview-phase timeout in driver (#696)
  • Preserve preferences across onboarding upgrades

Documentation

  • Split PLUGIN LAYER -> Skills Registry vs UserLevel Programs (#744)
  • UserLevel plugin layer RFC (#743)
  • Clarify --runtime semantics and pin dispatch behavior (#722)
  • Clarify --runtime phase semantics for ooo auto (#708)

Testing & Maintenance

  • End-to-end dispatch-to-Seed regression for ooo auto (#700)
  • Pin codex/non-opencode authoring path stays in-process (#710)
  • Guard packaged auto MCP dispatch
  • Make parent cancellation assertion deterministic
  • Format Hermes timeout tests

Full Changelog: v0.35.0...v0.36.0

What's Changed

  • fix(welcome): preserve prefs across onboarding upgrades by @shaun0927 in #663
  • test(watchdog): make parent cancellation assertion deterministic by @shaun0927 in #664
  • test(codex): guard packaged auto MCP dispatch by @shaun0927 in #669
  • feat(auto): feed repo facts into interview answers by @shaun0927 in #666
  • feat(auto): expose MCP progress metadata by @shaun0927 in #667
  • fix(auto): expose unknown run handoff guidance by @shaun0927 in #668
  • fix(auto): honor state interview-phase timeout in driver by @shaun0927 in #696
  • fix(auto): clear stale reconciliation metadata on attach and scope invalid reconcile errors by @shaun0927 in #718
  • feat(auto): allowlisted gateway provenance on AutoPipelineState (#691) [1/3] by @shaun0927 in #701
  • docs(auto): clarify --runtime phase semantics for ooo auto (#690) by @shaun0927 in #708
  • test(auto): pin codex/non-opencode authoring path stays in-process (#690) by @shaun0927 in #710
  • feat(auto): persist source-tagged auto answer log by @shaun0927 in #720
  • docs(auto): clarify --runtime semantics and pin dispatch behavior by @shaun0927 in #722
  • test(auto): end-to-end dispatch-to-Seed regression for ooo auto (#637) by @shaun0927 in #700
  • feat(backends): add capability registry by @Q00 in #670
  • feat(auto): tag seed_origin in persisted auto state by @shaun0927 in #698
  • feat(auto): surface authoring vs run backend in ooo auto (#690) by @shaun0927 in #709
  • feat(auto): add AutoProgressEvent callback contract by @shaun0927 in #705
  • feat(auto): surface invoked_by in pipeline result and CLI summary (#691) [3/3] by @shaun0927 in #704
  • feat(auto): stream live phase trace in ooo auto CLI by @shaun0927 in #713
  • fix(auto,interview): persist interview session id before first question generation by @shaun0927 in #723
  • fix(auto): label authoring blockers with phase + backend (#690) by @shaun0927 in #711
  • feat(providers): support hermes interview driver by @Q00 in #671
  • feat(auto): block risky-fallback answers for regulated/destructive topics (#640) by @shaun0927 in #738
  • fix(auto): truthful resume/retry semantics across surfaces (#688) by @shaun0927 in #739
  • feat(hook): route 'ooo auto' to /ouroboros:auto skill by @shaun0927 in #741
  • docs(rfc): UserLevel plugin layer by @shaun0927 in #743
  • docs(architecture): split PLUGIN LAYER → Skills Registry vs UserLevel Programs by @shaun0927 in #744
  • fix(mcp): harden Hermes background seed execution by @Q00 in #755
  • feat(plugin): manifest loader + vendored 0.1 schemas by @shaun0927 in #745

v0.35.0

06 May 13:14
@Q00 Q00

What's Changed in v0.35.0

Features

  • Codex auth-plane diagnostics + tool_started callback (#656) — surface nested Codex CLI auth failures (codex_auth failure category, structured non-secret context) and emit a new tool_started callback so external chat renderers (Hermes/Discord) can show in-flight nested MCP work before completion
  • MCP doctor: Codex OAuth readiness check (#657) — backend-aware check_codex_oauth_auth distinguishes "Codex backend active but auth.json missing" from "intentional API-key Codex profile" with actionable remediation, no longer treating OPENAI_API_KEY as the primary signal
  • Render started tool events in debug interviews (#658) — ouroboros init start --debug and PM debug surfaces now render the new tool_started callback alongside the existing completed-tool callback
  • install.sh preserves user backend across upgrades (#654) — re-running install.sh / ouroboros setup --non-interactive now respects the persisted orchestrator.runtime_backend; new --runtime / OUROBOROS_INSTALL_RUNTIME / --reconfigure hooks for explicit control

Bug Fixes

  • install.sh [all] extras drift (#660) — uv install path now mirrors pyproject.toml's full extras (added missing tui/textual, dashboard/streamlit+plotly+pandas); pin specifiers tightened to match pyproject <1.0.0 upper bounds
  • Codex codex_auth classifier too broad (#661) — _looks_like_codex_auth_failure now requires both an auth phrase and a Codex/OpenAI-specific marker (api.openai.com, openai.com, or codex); generic 401s from nested tools/MCP no longer get misrouted to the wrong remediation
  • MCP doctor accepts Codex API-key auth — doctor no longer fails when an intentional API-key Codex profile is in use without auth.json
  • Auto resume after interview max rounds (#651) — interview_driver now in the recoverable-tool whitelist, so blocked auto sessions can resume cleanly when the rounds bound is raised; CLI bound override now honoured (raise-only invariant)
  • .env directory paths no longer crash config import — config import handles directory paths at expected .env locations

Tests

  • Version-pin parity for install.sh [all] (#662) — verbatim pkg>=A,<B spec match against pyproject.toml so future drift in pin ranges fails CI loudly
  • kiro permission-mode isolation (#653) — fixture forces ConfigError so dev machines with custom ~/.ouroboros/config.yaml no longer fail flaky on contract-default tests
  • Codex OAuth doctor tests formatting

Refactoring

  • Auto goal facts preserved through Seed gating (#652) — explicit auto goal facts keep their identity across the gating boundary

Full Changelog: v0.34.0...v0.35.0

What's Changed

  • fix(config): skip .env path when it's a directory by @bindon in #655
  • test(kiro): isolate llm permission_mode from developer config by @Q00 in #653
  • feat(install): preserve user backend across upgrades by @Q00 in #654
  • Preserve explicit auto goal facts through Seed gating by @shaun0927 in #652
  • Expose Codex auth-plane failures to chat bridges by @shaun0927 in #656
  • Teach MCP doctor to verify Codex OAuth readiness by @shaun0927 in #657
  • Render started tool events in debug interviews by @shaun0927 in #658
  • fix(install): align uv [all] extras with pyproject contract by @Q00 in #660
  • fix(codex): tighten codex_auth classifier; document tool_started callback by @Q00 in #661
  • test(install): enforce version-pin parity between install.sh and pyproject by @Q00 in #662

v0.34.0

06 May 05:57
@Q00 Q00

What's Changed in v0.34.0

Features

  • Copilot CLI runtime (#1f07a9c8) — first-class Copilot agent runtime
  • Kiro runtime backend (#2fc7a3c8) — Kiro as a first-class runtime
  • Stage enum + runtime_profile.stages config (#538) — slice 1 of #519
  • Agent OS runtime_profile (Codex backend) (#505) — runtime profile foundation
  • AgentProcess lifecycle projection (#628) — project lifecycle state from events
  • Directive emission at StepAction sites (#477464ef) — slice 1 of #472
  • Auto persisted session status (ouroboros auto --status) — inspect blocked sessions

Bug Fixes

  • Auto resume after interview max rounds (#651) — interview_driver now in recoverable whitelist; CLI bound override allowed when raised
  • Gemini CLI permission_mode (#634) — coerce defaultacceptEdits, fail fast on unknown modes
  • Hermes timeouts — reject non-finite values; make stream timeouts configurable
  • Codex auto doctor (#648–#650) — respect supported MCP surfaces, prevent silent fallback
  • Path containment for seed-encoded paths (#631) — security hardening
  • Ralph project directory boundaries (#599) — keep mutations inside requested project
  • Auto MCP tool hardfail (#644) — fail closed on unavailable dispatch
  • Worker-profile preservation — preserve user keys in [profiles.ouroboros-worker]

Refactoring

  • Centralize Codex runtime_profile mapping (#70ae1379)
  • Consolidate seed-path containment helper (#635)
  • Tighten JobManager runner cleanup boundary (#633)

Documentation

  • Simplified Chinese README translation (#71c49b52)
  • AgentProcess lifecycle migration contract (#3203d06d)
  • ControlContract / StepAction directive boundaries (#621, #623, #629)

Maintenance

  • Ralph MCP loop ownership (#617, #618)
  • AC verdict/execution outcome separation (#613)
  • Numerous Ralph dispatch/lineage hardening commits

Full Changelog: v0.33.0...v0.34.0

What's Changed

  • docs(readme): add Simplified Chinese translation by @whtis in #611
  • Keep Ralph mutations inside the requested project directory by @shaun0927 in #599
  • fix(interview): include initial user turn on first question by @shaun0927 in #591
  • feat(orchestrator): Agent OS runtime_profile (Codex backend, supersedes #488) by @shaun0927 in #505
  • fix(ralph): add --project-dir to specify explicit target for evolve_step by @fuleinist in #610
  • feat(evolution): emit Directive at StepAction sites (slice 1 of #472) by @shaun0927 in #525
  • feat(orchestrator): Stage enum + runtime_profile.stages config (slice 1 of #519) by @shaun0927 in #538
  • test(core): add unit tests for project_paths module by @MyoungSoo7 in #612
  • (feat/kiro-cli-adapter) Kiro CLI runtime backend by @BangShinChul in #606
  • docs(ralph): clarify skill-driven loop contract by @shaun0927 in #616
  • docs: clarify execution versus evaluation contract by @shaun0927 in #619
  • fix: separate task completion from AC verdict summaries by @shaun0927 in #613
  • feat(mcp): add a first-class Ralph loop job by @shaun0927 in #617
  • docs(agent-process): define the lifecycle migration contract by @shaun0927 in #620
  • control: document live StepAction directive boundary by @shaun0927 in #623
  • control: define ControlContract schema boundary by @shaun0927 in #621
  • docs: clarify legacy execution AC events by @shaun0927 in #626
  • docs: describe execution monitoring as task progress by @shaun0927 in #625
  • test(ralph): lock job cancellation contract by @shaun0927 in #627
  • feat(agent-process): project lifecycle state from events by @shaun0927 in #628
  • docs(control): map ControlContract follow-up lanes by @shaun0927 in #629
  • control: preserve contract identity in lineage projection by @shaun0927 in #630
  • fix(security): enforce path containment for seed-encoded paths by @Q00 in #631
  • Clarify auto CLI command shape by @shaun0927 in #643
  • refactor(mcp): tighten JobManager runner cleanup boundary by @Q00 in #633
  • refactor(mcp): consolidate seed-path containment into a shared helper by @Q00 in #635
  • fix(orchestrator): make HermesCliRuntime stream timeouts configurable by @Q00 in #636
  • Expose persisted auto session status by @shaun0927 in #645
  • Fail closed when auto MCP dispatch is unavailable by @shaun0927 in #644
  • Ground auto runtime answers in supplied repo facts by @shaun0927 in #646
  • fix(orchestrator): honour permission_mode in Gemini CLI runtime by @Q00 in #634
  • reports: render worker execution as task completion by @shaun0927 in #624
  • docs(ralph): route the skill through ouroboros_ralph by @shaun0927 in #618
  • Fail closed for ooo auto in Codex rule surfaces by @shaun0927 in #648
  • Add Codex doctor checks for ooo auto dispatch by @shaun0927 in #649
  • Lock packaged ooo auto dispatch metadata by @shaun0927 in #650
  • feat(copilot): live model discovery, setup wizard, full docs and tests by @rogerbarreto in #647
  • fix(auto): unblock resume after interview hits max_rounds by @Q00 in #651

v0.33.0

04 May 15:52
@Q00 Q00

What's Changed

Features

  • ooo auto — Autonomous workflow mode: New surface for running Ouroboros autonomously via CLI and MCP. Includes bounded supervisor loop, recovery contracts, and working-directory validation
  • Codex task profiles: Apply per-task runtime profiles to Codex agent sessions (feat(codex): apply profiles to agent runtime, feat(codex): add task profile defaults)
  • Usage-limit pause & replay: Sessions now gracefully pause on usage-limit failures and resume cleanly with replayed state
  • Auto onboarding CLI/MCP surface: ooo auto exposed through both CLI and MCP with normalized interview envelopes

Bug Fixes

  • fix(claude): force UTF-8 stdio for hook scripts (#602)
  • fix(claude): resolve plugin hook scripts from plugin root (#601)
  • fix(claude): fall back to python for hook executable (720161a)
  • fix(claude): use partial content on max turns (#593)
  • fix(mcp): serve resources from persisted state (#596)
  • fix(evolution): replace fixed generation timeout with watchdog (56b4b2e)
  • fix(evolution): rebuild Reflect/Wonder adapter on llm.backend config drift (#562, 9e5adb7)
  • fix(codex): preserve explicit model overrides, distinguish profile fallback, sync defaults
  • fix(profiles): track explicit model intent, resolve empty model sentinels
  • Prevent interview prompts from seeing hidden Claude built-ins (#597)
  • Keep seed extraction resilient to transient Claude CLI exits
  • Stable watchdog progress timeout test; carry exact execution IDs on AC runtime events
  • Resolve legacy parents in AC tree projections; fix recursive Sub-AC ownership identity
  • Clear stale pause replay state on resume progress

Documentation

  • Add Contract Ledger schema RFC (docs(rfc))
  • Mark evolution loop bridge limitation as resolved (docs(mcp-bridge))
  • Remove internal remediation report (#604)
  • Document ooo auto workflow (CLI skill and MCP surface)

Maintenance

  • Preserved prepositional auto flag mentions, quoted goal extensions, and literal controls across multiple merge commits
  • Abort Codex setup on malformed config
  • Persist absolute MCP auto working directories
  • Route sentinel models and devil consensus profiles

Full Changelog: v0.32.0...v0.33.0

What's Changed

  • fix(init): respect configured interview backend by @shaun0927 in #592
  • fix(persistence): include sessions without started events by @shaun0927 in #590
  • fix(evolution): rebuild Reflect adapter on llm.backend config drift (#562) by @minsing-jin in #563
  • Replace fixed evolve-step timeout with progress-aware watchdog by @andrew-adamson in #569
  • Use opaque execution node identities for recursive AC ownership by @andrew-adamson in #571
  • docs(mcp-bridge): mark evolution loop bridge limitation as resolved (closes #475 partial) by @shaun0927 in #533
  • Fix interview Claude tool envelope by @shaun0927 in #597
  • fix(mcp): serve resources from persisted state by @Q00 in #596
  • fix(claude): use partial content on max turns by @shaun0927 in #593
  • docs(mcp): remove internal remediation report by @Q00 in #604
  • fix(claude): resolve plugin hooks from plugin root by @Q00 in #601
  • fix(claude): force UTF-8 stdio for hook scripts by @Q00 in #602
  • fix(claude): fall back to python for hook executable by @Q00 in #605
  • Add provider-neutral task profiles for Codex-backed Ouroboros work by @andrew-adamson in #570
  • Pause sessions on usage limit failures by @andrew-adamson in #572
  • docs(rfc): add Contract Ledger schema by @shaun0927 in #522
  • Retry transient Claude CLI exits during seed extraction by @shaun0927 in #600
  • Split ooo auto core quality primitives by @shaun0927 in #565
  • Split ooo auto bounded supervisor loop by @shaun0927 in #566
  • Split ooo auto CLI and MCP surface by @shaun0927 in #567
  • Split ooo auto workflow documentation by @shaun0927 in #568
