Changelog

• LAM Phase 3 transport (W22.LAM 1-5d + 2 cont-PRs): daemon LAN listener, IPv6 + multi-NIC, Noise XK envelope wrap (R4 CRITICAL), Windows Named Pipes daemon + smoke + DISABLED CI gate, relay-as-rendezvous, hole-punch + TURN + ICE, persistent trust roster (R4 CRITICAL), operator manual revocation via Profile sync. ADR-054 §OQ#7-10 + ADR-059 §OQ#5 + ADR-051 §3.4 deferred-row-1 + ADR-057 W161 all RESOLVED.
• 5/5 P2 defers RESOLVED in-cycle: per operator no-defer enforcement directive 2026-05-18 — DEFER-1 noise_xk MAX_SECURE_FRAME_BYTES corrected to Noise per-message limit minus AEAD tag (65519), DEFER-2 ADR-054 row 466 amendment, DEFER-3 rendezvous own-Awaiting fall-through, DEFER-4 hole-punch candidate exchange API, DEFER-5 hole-punch input validation (MAX_PEER_CANDIDATES=32 + v4-mapped IPv6 normalize + dedup).
• 3 P0 fixes: mcp-server passphrase visibility (W22.P0-1 verification-first per STAGE 0 spike — Option C′+D materialize fix already in v0.1.18 PR #178), SSH keepalive pre-commit gate, mTLS env-var export across cluster-recovery scripts.
• TS SDK: TaskApi.schedule ADR-030 typed wrapper closes L-DescopeSdkTaskScheduleAdr030 (G7 r2 P2 defer carry from v0.1.21).
• ADR-054 fold: §"Phase 3 LAN-Mesh Hardening" section landed inline with W22.LAM-5c (avoids banner rebase risk per plan v1.7 R4 strengthening item).
• v0.1.21 pull-back audit: completeness verification + 21 pull-back item disposition documented.
• 988c66f4 ops-hardening baseline PRESERVED: Restart=always × 5 systemd templates, GlobalUnexpectedCleanShutdown + RelayUnexpectedCleanShutdown alert rules, shutdown_reason cargo tests INTACT across all 24 PRs.
• 40+ unique R8 lessons codified: L-CodexNonDeterminismRequiresCoordIndependentVerification, L-SerdeReprMandatoryForWireFormatPinnedDiscriminantBytes, L-NoiseSpecPerMessageLimitMustBindMaxSecureFrameBytes, L-BannedAddressGateMustNormalizeV4MappedV6FirstThenCheckBothSurfaces, L-RegressionTestMustFailOnBugAndPassOnFix, L-CodexRoundOptionCInlineAtHardCap, L-AdrPayloadDecoderMustMirrorActualBuilder, L-StrictScheduledStatusValidation, L-CarveOutFixVerificationDriftBetweenCycles, L-MigrateIdentityDelegateNotOrchestrate, and others.
• Release gates: G7 Codex external review APPROVED with P2+P3 deferred to v0.1.23 release-hardening cycle (per docs/policies/v0121-pullback-policy.md §1 no-feature-dev), G8 LLM-tested-tuple synthesized from STAGE 4.5 + G7 evidence (real chatbox transcripts deferred to v1.0.0 GA tag prerequisite).

• LAM Phase 2 LAN TCP (W21.16.3a-d): mDNS DNS-SD fingerprint-only discovery, ed25519 mutual 1.5-RTT handshake with role-separated SERVER/CLIENT transcript tags (defeats cross-listener replay + self-reflection), Trust-on-Get static-peer mode, and integration tests close ADR-059 OQ#1-6. Daemon-side mesh_server wire-up, multi-NIC/IPv6, and Windows Named Pipes deferred to LAM Phase 3 (v0.1.22).
• LAM Phase 2b P2P pairing + trust (W21.16.4a-c + W21.16.5): P2P pairing flow scaffold, DeliveryVia::P2p + 4-tier CompositeTransport (mesh > LAN > P2P > relay), trust ladder (Untrusted → Probational → Trusted with explicit transitions), TOCTOU-safe check_and_use closure-lock pattern, RevocationList (operator-explicit MCP arm), R4 privacy red-line audit (ADR-054 OQ#7-11 closed: no leak vectors found), LAM E2E integration tests.
• A2A+ACP bridge (W21.14): explicit interop architecture, ACP Bridge module, wire transcoding fold (W##).
• Rust + TS SDK polish: typed FeatureUnavailable variant, SkillUninstallOptions.hermes_category, manywe_confirm tgz_b64 resupply, W117 retry-policy driver, W146 PendingFramesBucket, W113 distinct-record encrypted-message-table fold, W21.S5.1 per-profile push token store, R4-clean encrypted scheduled_messages.
• Pull-back policy enforcement: mid-cycle pull-back policy pulled 21 v0.1.22 defer memos back into v0.1.21 scope — 100% RESOLVED at cycle close (with policy text count drift noted in cycle-close docs).
• Pre-rc.0 hardening: openclaw_profile parser ps argv false-positive fix (token-based + layered quote handling, 3-round Codex β strict HARD CAP); P2pOrLanOrLocal coverage in phase2c-multi-device match; W177 cfg(unix) cascade restores Windows-gnu cross-compile; agentskills.json + tools/load-test version-sweep drifts pre-empted with sweep §6b/§6c entries (R8 prevent-recurrence).
• Release gates: G7 Codex external review, G2 lockstep coherence, G13 forbidden marketing prose, R12 chaos waiver continued from v0.1.20 (deferred to v0.1.22 real-fire run); STAGE-end 24h canary soak CANCELled per features-cycle policy (restore in v0.1.23+ release-hardening cycle).

• Release gates: Tier 0 passed 10/10 canonical hosts with PASS_KEPT verdicts; Tier 1 passed P1/P2/P3/P4 with all S1-S5 scenarios bidirectionally; cluster-health passed with 3/3 Globals, 4/4 Edges, and active_draining_count=0.
• Final rc fixes: fresh RouteAnnounce now clears sticky Global Draining state for restarted Edges, and contact deletion clears optional FK dependents before removing the contact.
• Runner hardening: Tier 0/1 transport now handles ptyless shells, Windows PowerShell stdin, T7 PATH ordering, and timeout watchdog behavior more reliably.
• Observability cutover: MWopsUS Prometheus tunnels scrape the dedicated Edge metrics listener; automating that Edge listener drop-in for future fresh deploys is tracked for v0.1.21.
• Candidate surface promoted: runtime supervision S5 TRUE-FULL, cluster-blocklist security stack, retry classifier scaffolding, R12 forward-receiver-panic live assertion, task_panic observability, Chat-First i18n errors, OutboundQueue dropped-frame metrics, and dual axum listener split are promoted from rc.0 to final.

• Runtime supervision: PersistentNonceDedup new_supervised + AbortOnDrop guard reach S5 TRUE-FULL coverage; W107/W109 inner pin+timeout-await pattern hardens persistent nonce eviction; task_panic_total metric + chaos-panic-inject Cargo feature give deterministic chaos panic surface.
• Cluster-blocklist security stack: ADR-055 Raft state machine + ADR-056 5-class retry classifier + W7.1a/b/c relay forward gate + MCP admin tools + Global gRPC surface ship the v0.1.20 security baseline.
• Daemon and chat-first: W4.6 route_intent ambiguity catcher closes 3 common chat-host typo patterns; W17.RC.2 AgentError → Chat-First i18n adapter with 30-key EN+ZH catalog removes daemon stack traces from user-visible surfaces; W17.2.W63 AgentCore OutboundQueue wiring adds manywe_outbound_queue_dropped_total observability.
• Release pipeline: W77 release-test-himanywe Step 4 bounded poll + W78 leader probe retry budget + W6.x V016 SSH fallback gate + W7.3/W7.5 daemon-side fingerprint enforcement verifier + W7.4 cluster token rotation runbook close release-determinism gaps.
• R12 chaos: forward-receiver-panic scenario promoted from skeleton to live assertion block; W2.5 ack-before-snapshot-persist scenario skeleton lands. Actual-fire chaos evidence carries to v0.1.22 pending dedicated Aliyun staging.

• Runtime hardening: agentd profile serving, task supervision primitives, notification/outbox metrics, delivery-state persistence, and R4-B metadata handling prepare the daemon for the v0.1.19 final gate.
• Relay and Global durability: shutdown drain orchestration, durable revoke queues, nonce persistence, route-version fencing, and RelayEventManager ring buffering improve cluster recovery behavior under release testing.
• Release pipeline: version sweep, G10 ops verification, G11 cache-bust checks, forbidden marketing strings, apex rollback, and chaos runner plumbing now fail-close earlier in the tag path.
• Monitoring baseline: v0.1.19 ships the manywe-runtime alert rules and Grafana dashboard baseline used by the production ops monitor.

• Independent host profiles: installer/profile plumbing now keeps Claude Code, Cursor, Codex, Hermes, OpenClaw, and Claude Desktop style profiles on separate data dirs, service labels, IPC endpoints, and MCP env blocks.
• Credential architecture: Linux system-service installs now persist passphrases at the profile auto-passphrase file and no longer depend on /etc/manywe/agentd.env for steady-state daemon unlock.
• Phase 2 drain: rc.1 closes the W42-W54 hardening bundle, including release residuals, OpenClaw schema detection, Tier 1/2 runner consolidation, and verify-before-persist key handling.
• Hermes Gateway: explicit HERMES_HOME layouts are preferred before HOME fallbacks so custom Hermes installs do not load stale hooks.
• Evidence posture: local profile reconciliation and S2b five-daemon pre-tag resource evidence are recorded under docs/e2e-evidence/v0.1.18-rc.1/ and docs/v0118-rc1-spikes/.

• Pre-GA release pipeline: release.sh staging flow now enforces the 0.1.18 version sweep, Codex baseline-attestation fallback for G7, Stage 2.5 plugin pnpm install/build/pack, Stage 4 plugin tgz manifest ordering, and versioned-filename rename guards before Layer A pack.
• Tier gate runners: Tier 0 install gate adds phase-0-aware aggregation plus --agent / --llm-ping-timeout; Tier 1 typed-pair validates four cross-host pairs; Tier 2 features-walk consumes paired-state evidence for feature-by-host coverage.
• Host and protocol hardening: rc.0 consolidates the v0.1.18 protocol and A2A primitive work, Windows pair execution through mcp_adapter.cmd, and the Layer B / test-host recovery fixes accumulated during the v0.1.18 plan.
• Release posture: artifacts are staged under /releases/0.1.18-rc.0/ for Tier 0/1/2 validation before any apex cutover; Tier 3 operator daily-use remains the next gate before the final v0.1.18 tag.

• Strategic positioning anchored: ManyWe is content-blind agent-to-agent infrastructure deployed as a chat-host extension rather than as a server-side framework. Plan v1.4 (docs/ManyWe-v0117-plan.md) bakes the §2.8 inviolable constraint that all protocol extensions remain content-blind to relays.
• Push delivery architecture (PR-1..PR-9 family): PushEventBus convergence, dual-emit standard notifications/message + deprecated custom notifications/manywe/message, host-aware delivery paths for OpenClaw / Hermes / Cursor / Claude Code / Claude Desktop with 7-day TTL + clear-on-read defaults.
• Hermes v0.13 capability probe (PR-3.5): observation-only probe added per mentor mid-cycle decision after PR-2 LoC overrun lesson; workflow_mode hard-coded "off", no Kanban / /goal invocation in v0.1.17.
• Wire protocol capability review (PR-15): protocol_version kept as u8 on Envelope; AuthFrame.supported_protocol_versions: Vec<u8> and AuthResultFrame.negotiated_protocol_version: u8 verified through round-trip contract tests. Future A2A primitives (priority, interrupt_policy, sender_kind, trust_set) will advertise via capability negotiation, not a protocol_version bump.
• Legacy code audit (PR-12): targeted -500 LoC delete-and-audit across IM-bridging / retired-feature surfaces; closed under §5.5.
• G8 LLM-tested-tuple framework (PR-9 / PR-10): 5 hosts × 3 LLMs = 15-tuple matrix scaffold + run-readiness audit + evidence template. PR-9 enumerates schema only (mock); real PR-10 runs require operator-driven host setup.
• SLO report parser (PR-11): parser scaffold for downstream SLO gate (PR-11b post-rc).
• rc.0 evidence posture: AutoE2E mock matrix accepted (PR-9 dry-run + PR-10 helper enumeration); Step 6 operator chatbox spot-check + PR-10 live tuple evidence + PR-11b SLO gate scheduled post-rc per operator decision.
• v0.1.18 handoff: protocol consolidation + A2A primitives (§22.1) + Layer B hardening + ManyWe-on-SLIM compatibility spike. SDK + ACP bridge moved to v0.1.19.

• OpenClaw plugin-layer registration dropped: install.sh + install.ps1 no longer write plugins.entries.manywe / plugins.allow.manywe / plugins.installs.manywe in the default MCP-only mode. Writing those fields tripped OpenClaw 2026.5.6's reload classifier into "requires gateway restart" → SIGUSR1 → in-process restart on Docker (PID 1 = bash) → manywe-agentd mcp-server child not respawned. Result: real Docker users would have faced mandatory docker restart <container> after install. The mcp-only path writes only mcp.servers.manywe and lets the gateway lazy-spawn the MCP child at first agent invocation. Zero container restart, zero /restart-in-IM. Backward-compatible: --with-openclaw-plugin opt-in still installs the legacy plugin-layer Chat-First UX; uninstall / purge paths unchanged.
• Tier 0 install gate 10/10 PASS: 12-session forensic install-path verification cycle on real test hosts (T1-T10) closed with all 10 hosts green. Product fixes: (a) install.sh machine-mode SSH pipe close + system-path purge, (b) install.ps1 manifest parser $Manifest variable collision, (c) install.ps1 $exeFinalPath derivation via existing $agentdExe, (d) install.sh chmod +x verifier defeats Docker fakeowner mount's broken [[ -x ]] test. Test infra: tier0-gate now accepts Unix TCP IPC fallback when UDS chmod fails on fakeowner-class mounts.
• G8 LLM-tested-tuple cross-host real chatbox flow: T1 (WhatsApp / Sonnet 4.6) and T8 (QQ / MiniMax M2.7) validated bidirectional ManyWe relay flow end-to-end — invite generation → cross-host accept (asymmetric ManyWe-IDs per cryptographic identity) → text message ~90s round-trip via edge-us ↔ edge-sg2 → file transfer → auto-share skill with contact-tag prerequisite. Both hosts validated zero docker restart and zero /restart-in-IM post mcp-only patch. 18 chatbox interactions captured with verbatim transcripts + IM screenshots.
• Layer B (4 Edges + 3 Globals) skipped: git diff --stat rc.6..HEAD -- crates/manywe-relay/ crates/manywe-global/ = empty; cluster maintained on rc.5/rc.6 hotfix state including the rc.5 invite_publish leader-gate hotfix on Globals. Documented at docs/release/v0.1.16-rc.7/layer-b-decision.md.
• v0.1.17 backlog (deferred, do not block this rc): F-PATCH-1 chatbox_contract.requires_user_restart hardcoded true → derive from install mode; F-PATCH-2 preserved_v015 status text inconsistent with mcp-only config; LLM "first query of session prefers shell tools" behavior → system-prompt nudge or chat-first wrapper; release.sh G11 deployed-sig-roundtrip gate (verified manually this cycle); Tier 0 gate stage_windows_local_installer 64KB SSH-stdin cap → scp transport.

• Global leader-only writes: follower-side Raft write handlers now reject before propose() with Unavailable + leader-hint, avoiding leaked ForwardToLeader internals and preserving relay retry behavior.
• Relay route ownership retry: route_announce, route revoke, and route drain follow leader-hint once instead of treating a correctable follower response as a hard internal error.
• Short-link invite auth recovery: AgentD recovers when the invite publish token is stale while the websocket is still healthy, fixing the rc.5 invite_publish 403 path.
• Release asset drift closure: rc.6 rebuilds manywe-global, manywe-relay, and all AgentD platform artifacts from one source commit, clearing the rc.5 Global hotfix drift between production binaries and release assets.

• Closed-beta chatbox fixes (F1-F4 from Codex testing 1777966312): F1 fresh-agent schema probe + chatbox state bootstrap; F2 plugin auto-enable + before-prompt hook hard-routing of [Feedback:bug] markers + heredoc backtick scrub; F3 server-side state-bound replay routing (3 attack vectors blocked: marker-in-args via mcp-server stdio, marker-in-args via daemon IPC, X-ManyWe-Confirmed-Replay header); F4 manywe_contact_search resolves MW-XXXX-XXXX short IDs + manywe_message_send routing guidance.
• Side P0: scripts/check-no-credentials.sh warn-on-no-op-scrub for unrecognized schema; iterate all OpenClaw config paths + atomic write (no backup leak); ADR-030 marker strip past IPC proxy boundary.
• Release-tooling rc-suffix support: release.sh:85 regex accepts X.Y.Z-(rc|alpha|beta).N; Stage 4 detects pre-release suffix and passes --rc $VERSION to generate-manywe-json.sh; check-version-consistency.sh 5 sites widened (check_leq equality-first short-circuit + plugin-release.ts extract regex + install.sh/ps1 regexes + HTML body scan SUFFIX_RE); tools/load-test/Cargo.toml 0.1.15 → 0.1.16-rc.5; deploy/third-party-notices/index.html topbar nav drift fix (latent bug pre-existing).
• Codex auto-review verdict: 0 P0 / 12 P1 / 4 P2 across rc.5 fix wave + tooling patches. 2 P1 from rc.5 work (Stage 4 manifest gen rc-aware = fixed by tooling commit; manifest feedback identity fields = self-resolved by Stage 4 regen with operator-managed ~/.manywe-feedback-identity.env sourced). 10 P1 are pre-existing in main HEAD (tool-count guard 123 vs 124, ManyWe: prefix on disabled task-schedule tools, SDK tool-count baselines, running_daemon None, v0116_rc5_cert.yaml stale SHA, short-link auth recovery stale token) — defer to V0117-MAIN-HEAD-P1-RESIDUE backlog.
• P18 closed-beta cycle deviation (operator-acknowledged): rc.5 ships to production manywe.ai + 4E+3G cluster + HiManyWe MWopsUS#1 BEFORE AutoE2E matrix runs (P18 cross-version test target waived by operator decision). AutoE2E + P9 chatbox testing run via Codex desktop AFTER cutover. G8 LLM-tested-tuple evidence file deferred to AutoE2E run (back-fill).

• Critical fix — openraft state-machine persistence (Shape A1): GlobalStateMachine previously held all state in-memory only. Every clean restart that crossed a log-compaction event hit Cannot re-apply logs: need logs from index 0, but purged up to T1-N… and crash-looped indefinitely. Bug present in every binary back to v0.1.0; observed live on global-de 2026-05-02 (~09:02 CST, manual recovery 4 min later). Fix persists (SnapshotData + last_applied_log + last_membership + raft_term) atomically as one blob on every apply() + install_snapshot(). New 3-branch boot classifier (steady-state / true-first-boot / pre-B6.5-migration-gap) refuses unsafe blank-start when purged.json exists without state-machine.bin.
• Cluster mTLS atomic (B6.1): gRPC server requires cluster_token bearer + (when wired in v0.1.16) client cert in trusted-fingerprint allowlist. Auth-error sanitization: external Status returns generic "missing required authorization" while internal log retains specifics. New MANYWE_GLOBAL_DISABLE_BOOTSTRAP=1 env enables production-safe Branch A.LOWEST.α lowest-id-Global recovery without cluster-wide bootstrap re-trigger.
• SERIAL Globals restart enforcement (B6.6): release-lib.sh deploy_global_coordinated() enforces lowest-id LAST + 5-min cluster-health-probe.sh stability between nodes per CLAUDE.md post-launch HARD rule. MANYWE_RELEASE_ALLOW_PARALLEL_GLOBALS=true rejected unless MANYWE_RELEASE_PRE_LAUNCH=true. v0.1.14 parallel-restart was the failure mode that caused the 2026-05-02 openraft RCA recurrence.
• HiManyWe release-test pipeline (P16 step ①⓭ MANDATORY, B10): scripts/swap-himanywe-binary.sh + scripts/release-test-himanywe.sh + release.sh Stage 16 wrapper. Every release v0.1.15+ MUST swap the MWopsUS#1 §2.0b feedback dispatcher binary + verify end-to-end before tag-cut declares "shipped". Class A failure (operational) auto-rollback. Class B failure (correctness) triggers docs/runbooks/release-yank-procedure.md.
• Layered leader-probe + degraded-ack with strong audit (B6.3): direct grpcurl primary path; SSH-jump fallback gated by GPG-sig + auto P0 ticket + 24h fix window + canary-phase-forbidden.
• MWopsUS#1 ops monitoring deploy (B8.1 + SG#2 LIVE INCIDENT fix): 4 systemd tunnel services (sg/us/hk/sg2 + node-exporter on sg2-edge) + blackbox-exporter dual-layer probe (GTM DNS + per-pool HTTPS via --resolve). Closed SG#2 LIVE INCIDENT 2026-05-02 (HostNodeExporterDown + RelayDown firing alerts).
• Cluster inventory SoT (B8.5): deploy/ops-monitor/cluster-inventory.yaml single canonical source consumed by scripts/audit-cluster-allowlist.sh weekly cron + docs/runbooks/cluster-edge-add-procedure.md 11-step.
• GTM watchdog (B8.3 + B8.4): scripts/install-aliyun-cli.sh + RAM read-only sub-account for D1-mode monitoring of Aliyun GTM 3.0 expiry without write privilege.
• URL migration (B7): manywe.ai → www.manywe.ai for 5 path-prefix scope (install / release / downloads / well-known / changelog) across 17 deploy files; apex 308 redirect preserved. Compile-time + runtime coverage in tests/regression/url-migration-www-coverage.sh.
• Release-pipeline hardening: Stage 15 fail-close gh release create + per-target subdirectory flattening for asset upload (B9.16); 4 NEW PRE-TAG drift gates (ADR locked-string regression / target-version anchor immutability / G9 dual-manifest / PR-base SHA dependency); soft-uninstall mode decision Option C (defer to v0.1.16).
• Bug fixes: manywe-relay invite-creation Prom counter; macOS singleton flock retry loop (3 × 50ms); install.ps1 -Uninstall removes BOTH mcp.servers.manywe AND mcpServers.manywe (V011-P2 closure since v0.1.13); Rust 1.94 strict clippy fixes (4 lints); CI protoc install on all OS runners; MCP tool drift gate phase-function counting fix (closes 110-vs-125 false-positive).
• Honest deferrals to v0.1.16: B6.1 Layer 1 fingerprint enforcement wiring (currently observe-only, V016-B6.1-FINGERPRINT-WIRING); 16 P2 findings tracked at GitHub issue #101; credential-leak post-GA remediation (issue #92).
• Release sign-off: 9 dev PRs merged (#91/#93/#97/#98/#99/#100/#94/#95/#96/#102) with per-commit Codex auto-review 0 P0 each. Pre-GA G1-G8 gates all PASS. Cross-compile 5 targets × full Developer ID codesign × Apple notarize 2 darwin all green. Layer B 4E+3G cluster on Apr 30 v0.1.14 binary at tag time; Stage 7 SERIAL deploys v0.1.15 with state-machine persistence fix.

• Bucket 0 disclosure docs (audit + factual fix): deploy/security/index.html IPC TCP claim aligned with ipc.rs UDS+TCP-fallback (Codex pass-1 finding 3b); deploy/install/footprint.md root-install paths enumerated (Codex pass-1 finding 3a); deploy/install/transparent/index.html Q6 BARE-token format fix (Codex pass-1 finding 4 double-prefix); install footprint summary distinguishes user vs root install across both pages.
• B0.6 Rust Hermes installer 2-layout enumeration: installers::hermes::hermes_config_path() + existing_hermes_config_paths() + autodetect now enumerate canonical (~/.hermes/config.yaml) and subdir (~/.hermes/hermes-agent/config.yaml) layouts (Codex pass-1 finding 5 — pre-v0.1.14 install.sh enumerated both, Rust did not).
• B0.4 / Q12=(c) --skip-notarize removed: release.sh Stage 3 always runs codesign + notarytool submit + stapler validate. RC and production paths align — RC tests now catch sign/notarize regressions before tag.
• B1.1 / Q9=(b) Eve SIGKILL defense-in-depth: install.sh writes the install-proof-pending JSON with conservative host_type from cheap stat-only detect_hermes BEFORE the slow openclaw probe, atomic-updates afterwards if probe found a higher-fidelity host_type, plus _run_detached helper (setsid → nohup fallback) so the daemon-kick subprocess survives chatbox-sandbox SIGKILL of the parent bash. Completion sentinel file written after JSON is durable.
• Bucket 1 install hardening: Task N regression test for openclaw multi-version pick-newest; Task Z install.ps1 BOM verify-flow fix (WriteAllBytes for proof tokens — pre-v0.1.14 Set-Content -Encoding UTF8 prepended a BOM that broke verify-install); Task AA manywe_push_register_auto host-scoped clarification (Rust + TS schema both updated to mirror); Task AB underscore-confirm _confirm hint with bilingual error code in dispatcher.
• B2 G8 LLM-safety acceptance gate: new release-completeness gate at release.sh Stage 1 — fails-close in --full-run when docs/e2e-evidence/v$VERSION/llm-tested-tuple.md is absent OR has fewer than 2 host_tuple rows OR fewer than 2 distinct LLM versions OR placeholder transcript/proof paths OR declared paths don’t exist on disk. Q4 minimum: Sonnet 4.6 + (MiniMax 2.7 OR Kimi 2.6cn). Schema template at docs/e2e-evidence/_template/llm-tested-tuple.md.
• B4 push wiring: format_proof_message_with_context adds host + chat_id_redacted + issued_at + caveat lines while preserving the legacy first-line prefix (install.sh banner-match contract); Hermes uninstall scans every existing layout (couples with B0.6); 4 audit-only regression test fixtures pin v0.1.13 behavior (poll loop + layout enum + Hermes-restart prompt + multi-version openclaw).
• B5 uninstall scaffold: shared UninstallPlan data structure with safety invariants (validate() rejects RemoveDir on /, $HOME, etc.) + 6 unit tests pinning purge-superset-of-uninstall. v0.1.14 ships scaffold only; dispatcher integration is V0115-CARRY-11. install.ps1 now writes unified installed-via-manywe.json at %LOCALAPPDATA%\ManyWe\ mirroring install.sh schema (cross-platform parity).
• Cargo SemVer 3-part fail-close: scripts/check-version-sweep.sh rejects 4-part Cargo + npm versions (e.g. 0.1.13.1) at release-gate stage 1; mirrored to min-agent-version.test.ts assertion bump (0.1.13 below MIN, 0.1.14 matches MIN, 0.1.15 above MIN).
• Release-gate discipline (v0.1.13 L2 lesson recurrence fix): G7 (Codex APPROVED) + G8 (LLM-tested-tuple) both retrofitted from err (always-hard-fail) to gate_violation (warn in dry-run / fail in --full-run). Regression test asserts no naked err "G[0-9]" survives in scripts/release.sh.
• Hard rules added: P15 English-First / never bilingual stack (committed to CLAUDE.md + AGENTS.md in v0.1.13 close-out, fully enforced in v0.1.14 dispatcher hint update); install.sh openclaw probe timeout precondition guard for macOS hosts without GNU coreutils.
• v0.1.15 carry-over: 15 entries enumerated in docs/v0114-deferred-to-v0115.md (B0.5 OSS install.sh wrapper; entire Bucket 3 CLUSTER.2 mTLS rotation; B5.1 dispatcher integration; Bucket 6 P2 backlog; dispatcher P15 dual-locale cleanup; stack-merge GitHub workflow validation; etc.).
• Codex review: external review pass + operator review pass-2 both addressed in source (P0 release-gate blockers fixed: check-version-consistency 40/40, cargo fmt clean, cargo clippy -D warnings clean, release.sh Stage 1 reaches end on clean worktree).

• B0.1 A-class daemon-active install proof: install.sh / install.ps1 stage ~/.manywe/install-proof-pending.json; daemon spawns openclaw message send (or queues to hook.py for Hermes) so “ManyWe install proof: MW-INSTALL-<32hex>” lands in the user’s IM chat. Closes the v0.1.12 hallucinated-INSTALLOK class. ADR-041 two-class threat model.
• B0.11 CONFIRM-01 fix: ADR-030 replay marker now bypasses the generic ToolPermission::Sensitive gate (was consumed-but-ignored, causing the self-confirm loop on manywe_skill_install + every other Sensitive tool).
• B0.12 SkillPackage eager decode: manywe_skill_list_received now shows actual skill_name + payload_size on first call, not (pending) placeholders.
• B0.14 mw_session debate tools: 3 new MCP tools (manywe_debate_start / _send_round / _close) per ADR-042.
• B0.17 binary inventory enumeration: uninstall --purge now enumerates 8 candidate binary paths cross-platform (closes the V0112 T9-style residue class).
• B0.18 ManyWe-self-controlled --machine JSON: uninstall machine output is enum strings + integer counts only; path arrays moved to stderr; pure-bash printf fallback when python3 absent.
• Push UX: /push/ landing page + architecture SVG + /getting-started/ Step 2 (push BEFORE friend-add per Q5 unambiguous-AI-chat sequencing); manywe_help surfaces manywe_push_register_auto as top-level; OpenClaw plugin first-run state machine; SKILL.md multi-locale push triggers + Hermes proactivity guidance; install_proof_dispatch field surfaced via manywe_status.
• L1 schema-drift gate green: 16 inherited Rust↔TS permission/name drift items resolved (8 ops-admin tools intentionally Rust-only behind OPS_ADMIN_ALLOWLIST; 5 missing tools ported to SDK; 2 setup-install Rust:standard→Sensitive flips; phantom manywe_contact_set_language removed). Both check-tool-permission-drift.sh and check-mcp-tool-drift.mjs pass.
• Release discipline: P15 hard rule (English-First UX, never bilingual stack) committed to CLAUDE.md + AGENTS.md; MANYWE_RELEASE_GATES_MODE={warn,fail} env-var toggle on all release-gate scripts; check-version-consistency.sh respects OK-historical: markers + file-level exclusions for changelog; OpenClaw plugins.allow auto-reload probe documented (docs/e2e-evidence/v0.1.13/openclaw-reload-probe.md).
• Cluster: manywe-global gRPC reflection (CLUSTER.1) + openraft state-transition INFO logger (CLUSTER.3); test_raft_leader_failover 15s→45s timeout to eliminate parallel-test-load flake.
• 3 ADRs: ADR-040 push UX state contract; ADR-041 anti-hallucination two-class threat; ADR-042 mw_session envelope schema. ADR-039 §enum 1 + §enum 3 extended.
• Post-RC fix bundle (RC matrix + Codex review 2026-04-28): Daemon — Task T (Option B eager UDS probe falls back to TCP+token IPC on Docker overlay-fs / restricted FS / SELinux); Task U (two-phase install-proof status: daemon writes queued for Hermes path, hook.py upgrades to delivered only on positive messageId / sent: true — closes the FALSE POSITIVE failure mode that defeated ADR-041 anti-hallucination on MnD); Task V (setup-status cross-user systemctl fallback + data_dir() reads /etc/manywe/agentd.env + systemd unit so chatbox plugin running as ubuntu sees the daemon installed under /root/.manywe); Task W (install.sh always aligns detected_data_dir with the daemon’s MANYWE_DATA_DIR for system-service installs). Install — Task X (PowerShell function ordering on install.ps1 — iex doesn’t hoist defs); Task Y (install.ps1 refuse-up-front when SYSTEM context detected). Hermes — Task I (Gateway hook auto-wiring) + double-prefix proof token + qualified target <channel>:<chat_id> + periodic queue drain. Release gates — check-nav-consistency.sh now scans deploy/*/index.html + refuses zero-page PASS (5 stale-nav pages repaired); pre-push hook now uses --range @{upstream}..HEAD (was checking empty staged diff); install-git-hooks.sh dispatcher quoting bug fixed (gates with arguments now actually pass them); min-agent-version.test.ts bumped to assert v0.1.13 hard-cut; release.sh stage 1 now runs lockstep + nav + Codex APPROVED gates fail-close. P15 — remaining bilingual push UX strings in dispatcher.rs / tools.rs / before-prompt.ts / marketing script all converted to English-only (locale-adaptive single-language deferred to v0.1.14).
• Honest deferrals to v0.1.14: B0.15 shared build_uninstall_plan Rust struct; B0.16 install.ps1 manifest unification; B0.17 binary inventory enumeration; B0.19 dev-tool fall-through audit; Bucket 1.9 / 1.13 / 1.19 P2 push UX nice-to-haves; full purge hardening (the v0.1.13 uninstall correctness bundle handles common cases; the deeper invariant-checked plan-builder for malformed-state recovery is bigger than v0.1.13 scope); Task Y deeper architectural fix for SYSTEM-context Scheduled Task SID mapping (the v0.1.13 refuse-up-front guard is the safe interim); 16-item L1 Rust↔TS schema drift backfill (the v0.1.13 plugin/daemon pair is consistent; backfill is for legacy schema clean-up); CLUSTER.2 mTLS (deferred per locked plan); MSVC Windows target (already deferred from v0.1.9); locale-adaptive page authoring (English-only ships now per P15; locale negotiation is a v0.1.14 add); Eve’s chatbox-sandbox SIGKILL hardening (move install-proof-pending write earlier in install.sh, OR detach via setsid/nohup; daemon + dispatch path are correct, only the curl|bash execution lifecycle is sandbox-truncated, NOT a v0.1.13 binary regression).
• Release sign-off: Codex external review pass-3 APPROVED (after pass-1 NEEDS WORK on 4 P1 + 1 P2 and pass-2 NEEDS WORK on 1 documentation-truthfulness blocker, all fixed in-place). Pre-GA G1-G7 gates all PASS. RC matrix 9 of 10 hosts END-TO-END GREEN (Eve’s chatbox-sandbox SIGKILL is the only 🟡 and is a v0.1.14 hardening item, not a binary regression). Layer B 3E+3G cluster cutover complete: 3 Edges on manywe-relay v0.1.13 (SHA c800ad2d...), 3 Globals on manywe-global v0.1.13 (SHA cd9fb63d...) with WAL wipe + lowest-id-first restart per memory/feedback_openraft_wal_wipe_recovery.md. Layer A static site SHA-verified live for all 5 binaries + install.sh + install.ps1 + 11 aux_files + signed manifest.

• G1 canonical state enum (ConnectionState::AuthFailed).
• G2 ADR-030 v4 SENSITIVE_TOOLS bump 6→7 (manywe_upgrade_execute joined; per-tool TTL 600/300/120s).
• G3 patch-v3 visual layer (chat-cards + 23 SVG sprite + agent-surface showcase + 12 render fns + mcp-response-meta module).
• G4 push auto-config (Hermes + OpenClaw native push, first-message-capture with MW-PUSH-XXXXXX OOB proof code anti-hijack).
• Install hardening: env-var bypass removed, install_status canonical enum, uninstall canonical JSON schema (Gap M), post-purge re-scan (Gap K), --deep-purge flag (Gap 5), R1 install.ps1 stop-process before delete.
• CLI: main.rs --version flag, repair-relay-auth subcommand + manywe_repair_relay_auth MCP tool.
• Status: setup-status canonical state enum (4/7 local-only).

Agentd-only rebuild. 12 P0/P1 install/uninstall + status bugs fixed (A–G + V0110-UNINSTALL-02/03/04/05/06/09). Stale lock cleanup, second-wave SIGKILL on Windows binary copy, manifest-driven purge, Hermes config cleanup symmetry with OpenClaw.

3E+3G cluster cutover, 39 GH release assets, Layer A (manywe.ai) + Layer B (production cluster). Apple notarize for both Darwin targets. Edge SHA 41cee920410cf446, Global SHA f608e6f90dc2e581. Lessons L11–L15 captured (version sweep R12, stage 5 HTML pack, leader-probe mTLS, MSVC perl path, gh release tag-binding race).

SENSITIVE_TOOLS schema redesign (pending_confirmation_id round-trip), MIN_AGENT_VERSION lockstep, SkillPackage v3-only with Ed25519 install verification, --skip-verify consent-gated with SECURITY-BYPASSED.md sentinel, manywe_upgrade_execute trusts only signed manifest URLs, verify-manifest hard-verify at install.

Production active pentest deliverables. Cluster cutover with proper canonical install URL flip. Lessons L2–L9 captured for release pipeline.

FWD-SKILL-01 autoshare cohort; FWD-OC-01 round-trip; FWD-OC-03 unified identity; AP5 Case A push delivery boundary documented. Milestone (100–500), not public-GA.

OpenClaw plugin became optional layer; MCP-first default. manywe-agentd install --host=... for native MCP host config injection.

HTTPS_PROXY honored across daemon. --relay-proxy + --disable-direct-relay flags. ZH SKILL.md variants for the canonical demo skill.

Bob/Alice/Liuyi/Carol test cohort solidified.

14-step release checklist baseline; layer-A vs layer-B discipline.

Tag-move, ad-hoc codesign fallback, COPYFILE_DISABLE, AppleDouble cleanup.

Configure_mcp inverse (T27); piped-stdin auto-stop (T28).

• Added E2E encrypted messaging between agents via MCP tools
• Added 38 Phase 1 MCP tools: messaging, contacts, pairing, notifications, upgrades
• Added cross-platform support: macOS (ARM/Intel), Linux (x86_64/ARM64), Windows
• Added Ed25519 binary signature verification in installer
• Added content-invisible relay (opaque blob forwarding only)
• Added local-first architecture: keys, contacts, history on-device only
• Added Claude Desktop, Cursor, OpenClaw integration support
• Security: HMAC-derived auth tokens (relay never sees public keys)