Changelog

• RFC 0103 — Localized Content Surface (Accepted). Graduated 2026-06-17 on dual non-steward host evidence — the openwop-app reference host (HOST-1 i18n.md annex + HOST-2 content surface) and the MyndHyve witness (Layer 1 + Layer 2), both serving GET /v1/content/pages/{slug} against the verbatim wire shapes. A capability-gated surface for durable, authored, structured localized content (pages → sections) that reuses the Stable i18n.md annex's Accept-Language/Content-Language negotiation verbatim (no second locale mechanism, no ?locale=) and adds only the content data model + a per-section field merge. A section is one record — a base data payload + a sparse localizations map (BCP-47 keys, never the base locale); the negotiated locale's body is resolved by the normative resolveSection merge (exact → language-family → base, shallow overlay). New core spec spec/v1/localized-content.md; four schemas (localized-content-{section,page,language-settings,page-response}.schema.json); a new content capability block (requires i18n.supported; baseLocale == i18n.defaultLocale; ({baseLocale} ∪ supportedLocales) ⊆ i18n.supportedLocales; base ∉ supported); api/openapi.yaml public-delivery + admin-CRUD paths; one capability-gated conformance scenario (localized-content-delivery.test.ts, @openwop/openwop-conformance@1.27.0, suite 349 → 350). Three protocol-tier SECURITY invariants (content-published-cache-no-draft, content-response-tenant-scoped, content-no-cross-tenant-enumeration); SECURITY invariants 130 → 133 (102 → 105 protocol-tier). additive per COMPATIBILITY.md §2.1. Tenant resolution on the anonymous public path is a host-defined carve-out (localized-content.md §F / register G11); cross-host portability is scoped to a resolved (tenant, locale) pair.
• RFC 0102 — A2UI agent-authored interface surfaces (Accepted). Graduated 2026-06-15 on dual live evidence vs @openwop/openwop-conformance@1.26.0 — the openwop-app reference host (rev 00204-v75) and the MyndHyve non-steward witness, both advertising ui.a2ui-surface (supportedEnvelopes + schemaVersions[…]=1), serving the byte-identical core schema (sha256 68f977c1…), and passing the five capability-gated scenarios non-vacuously under OPENWOP_REQUIRE_BEHAVIOR=true; both steward-curl-verified. The kind: the optional, advertised, core envelope kind ui.a2ui-surface — a declarative interactive UI surface beside the media. content-primitive family (ai-envelope.md §"A2UI surfaces"). A consumer renders an agent-authored A2UI surface with native widgets and routes user actions back without executing agent-supplied code; the surface is a closed component tree (anyOf + single-string-enum discriminator — never oneOf), the target catalog is a host-enumerated catalogVersion, and actions are confined to interrupt-resume / conversation-exchange. New core schema schemas/envelopes/ui.a2ui-surface.schema.json; advertisement rides the existing supportedEnvelopes/schemaVersions surface (no new capability block, no OpenAPI/AsyncAPI change). A carve-out clause in ai-envelope.md §"Vendor-namespaced kinds" scopes the existing "MUST be vendor-namespaced" rule to domain kinds and names the reserved core content-primitive families (media., ui.) — a clarification, not a relaxation (additive per COMPATIBILITY.md §2.1). Five SECURITY invariants (a2ui-surface-no-code-exec, a2ui-action-confinement, a2ui-surface-no-network-egress, a2ui-surface-no-secret-rendering, a2ui-untrusted-blocks-approval) + a threat-model-prompt-injection.md §4.8 section for the new agent→user render surface. Five capability-gated conformance scenarios (a2ui-surface-{shape,degrades,version-refusal,replay} + a2ui-untrusted-blocks-approval). SECURITY invariants 125 → 130 (99 → 102 protocol-tier). (Note: RFC 0102 was briefly amended to a vendor-namespaced kind (#715) on a blind first review, then reverted to the core kind on re-review with the RFC in hand — cross-host portability is the property the core kind delivers and a vendor namespace would defeat; see the RFC's amendment note.)*

Ships the structural repo split and a dense two-week graduation cycle. The spec corpus now publishes exactly one artifact — @openwop/openwop-conformance — and everything else (SDKs, packs/registry, reference hosts/examples, the reference app, the CLI) moved to sibling repos. Twelve RFCs reached Accepted and two new ones (0099/0100) landed their normative floor. All wire shapes additive per COMPATIBILITY.md §2.1; no conformance pass invalidated.

• Repository split (non-normative). The monorepo was decomposed with full history into sibling repos: SDKs → openwop/openwop-sdks (TS @openwop/openwop, Python openwop-client, Go), packs + published registry → openwop/openwop-registry, reference hosts + runnable examples → openwop/openwop-examples, the reference app → openwop/openwop-app (app.openwop.dev), and the CLI → openwop/openwop-cli. This repo now publishes one artifact: @openwop/openwop-conformance. ⚠️ Consumer-facing: the Go module path changed to github.com/openwop/openwop-sdks/go (re-pin required); npm + PyPI names unchanged. The pack-manifest schemas stay normative here. A coordinated v* spec release must be matched by SDK tags in openwop-sdks.
• RFC 0099 — external-event trigger ingestion Accepted. Floor + graduation: the content-free TriggerEvent envelope (ctx.triggerData), the TriggerSubscriptionRegistration create contract served by POST /v1/trigger-subscriptions, the additive triggerBridge.ingestion capability sub-block, and SECURITY invariants trigger-ingestion-ssrf + trigger-ingestion-content-redaction. Graduated on dual live evidence vs suite 1.25.0 (reference openwop-app 00177-75t + non-steward MyndHyve 00271-cj5, both steward-curl-verified, trigger-ingestion.test.ts non-vacuous).
• RFC 0100 — async / durable A2A tasks (Active; floor landed). New a2a capability block ({supported, agentCardUrl, streaming?, pushNotifications?, durableTasks?}) + the persisted A2ATaskState projection (taskId==runId, lowercase-hyphen state) + a2a-integration.md §"Async / durable Tasks" + SECURITY invariant a2a-push-egress-ssrf. Reference leg fully proven (openwop-app a2a-task-roundtrip 10/10 non-vacuous); stays Active pending a non-steward a2a witness.
• RFCs 0096 / 0097 / 0098 — reviewable-learning proposals · standing goals · agent-platform portability Accepted. Floor + dual-live-evidence graduation: agents.proposals (inert proposal.schema.json), agents.goals (judge-based goal.schema.json), the top-level portability block (export-bundle.schema.json, refs-only, dryRun:true when import:true), 5 protocol-tier SECURITY invariants, 5 content-free events. openwop-app reference (00174-6m6, portability.import:true) + MyndHyve non-steward (00269-ljm, honest import:false opt-out).
• RFC 0095 — connection packs Accepted. New kind:"connection" pack (portable signed provider definition the RFC 0045/0047 provider string resolves against) + connection-pack-manifest.schema.json + standalone spec/v1/connection-packs.md + the connection-pack-no-credential-material protocol-tier invariant. Dual evidence (MyndHyve 00268-x9l + openwop-app 00160-kjq).
• RFCs 0093 / 0094 — protocol hardening + wire-shape reconciliation Accepted. 0093 pins four security/correctness gaps (webhook delivery-time egress re-validation + the protocol-tier webhook-cross-tenant-isolation invariant; signed interrupt-token lifecycle; retryable responses MUST NOT replay from the dedup cache; approval-gate timeout auto-rejects). 0094 repairs published-artifact defects (the unsatisfiable createRun schema → unevaluatedProperties:false + a satisfiability probe; cancelling status; vendor-event anyOf closure; single-sourced ai.message.chunk; completed InterruptPayload.kind union; capabilities.grpc + limits.maxRequestBodyBytes).
• RFCs 0090 / 0091 / 0092 Accepted. 0090 — agent verifier turn (agent.verified event, verifier capability, multiAgent.executionModel.version: 6, verifier-no-content-leak); 0091 — multimodal perception input on ctx.callAI (content: string | ContentPart[], gated on aiProviders.input.modalities[]); 0092 — agent-level requiresCapabilities[] projecting to the RFC 0072 degraded[] field.
• RFC 0089 — conformance certification bundle Accepted. The openwop-conformance --certify generator captures discovery (canonical-JSON SHA-256), derives claimedProfiles, records each scenario's terminal state, and never lists a vacuously-run scenario in results.passed; a real reference-host bundle is committed + round-trip-verified.
• Conformance suite — @openwop/openwop-conformance 1.18.1 → 1.25.0 across the cycle (independently versioned, published on its own openwop-conformance/v* tags). Carries the RFC 0089–0100 scenario additions (trigger-ingestion, the async a2a-task-roundtrip subtests, proposal/goal/export-bundle, the five connection-pack scenarios, verifier-gating, callai-multimodal, agent-capability-degraded-projection, webhook-tenant-isolation, version-fold, stream-text-fixture, i18n-negotiation, grpc-transport).
• SECURITY invariants — 114 → 125 total (99 protocol-tier). New across the cycle: verifier-no-content-leak, webhook-cross-tenant-isolation, connection-pack-no-credential-material, the five proposal/goal/export invariants, trigger-ingestion-ssrf, trigger-ingestion-content-redaction, a2a-push-egress-ssrf.
• Reference app (now openwop/openwop-app). Before extraction, the app landed a governed agent-Workforce surface (seeded entity + deterministic synthetic history + metrics/governance/migration-wizard, all under /v1/host/sample/workforces, experimental x-host-openwop-workforce), the white-label foundation batch (deploy-posture gating, brand stamping, .env leak guards, an explicit-?tenantId=* fix that closed a latent cross-tenant GET /v1/agents visibility leak), and a board-rename + guided autonomy level. Operator surface only — no wire change.
• Docs + editorial. Full post-split + post-graduation drift sweeps: status-label normalization onto the Stable / Stabilizing / Draft / Experimental legend, SECURITY/RFC count reconciliation, per-host conformance-evidence suite-version syncs, the INTEROP-MATRIX.md rewrite into a lean public matrix + the GOVERNANCE.md "Acceptance evidence tiers" taxonomy, and post-split path requalification across README/ROADMAP/PUBLISHING. interrupt.md documents suspend as the accepted alias of interrupt (additive, host SHOULD expose both).

---

The largest graduation cycle since v1.0. The entire agent-platform program plus the bulk of the Active-RFC backlog graduated Active → Accepted on a non-steward host (MyndHyve), closing RFC counts to Accepted 85 / Active 1 / Draft 2. All wire shapes additive per COMPATIBILITY.md §2.1 — no schema, event, endpoint, or MUST change. This coordinated release also publishes the agent-platform read surface to the Python and Go SDKs (which had lagged the OpenAPI surface by 17 methods) and a TypeScript SDK minor. The header is 1.1.7 because 1.1.6 was consumed by an earlier TS-SDK-only npm patch. Full per-RFC history is in each RFC's Updated field, INTEROP-MATRIX.md, and the generated docs/PROTOCOL-STATUS.md.

• Agent-platform program Accepted end-to-end (the capstone). RFC 0085 (openwop-agent-platform meta-profile) Accepted, certifying MyndHyve a _full_ agent platform; with 0077/0086/0087/0083 (live manifest dispatch / standing roster / org-chart / durable trigger-bridge) and 0081/0082 (eval suite / deployment lifecycle), the whole program is Accepted on a non-steward host.
• Tool-egress, budget, and memory batches Accepted. RFCs 0078/0079 (portable tool catalog + credential-provenance/egress policy), 0084 (budget/quota/cost), and 0068/0080 (memory consolidation + capability reconciliation) graduated on green, non-vacuous gated behavioral scenarios.
• Enterprise + provider + UX RFCs Accepted. 0050 (SAML/SCIM — a real XML-DSig ACS the steward drove over the live wire for all 7 §A variants incl. signature-wrapping, plus SCIM fail-closed), 0067 (provider-catalog auth-modes), and 0066 (x-openwop-form) + 0065 (outputRole) on genuine reference-frontend consumption.
• Steward-side mechanism-codifications (amended criteria, architect-gated). 0069 (exec-class carve-out — RFC 0054 amendment precedent), 0080 (degraded-memory keystone), and 0042 (experimental capability tier) graduated steward-side, where a non-steward advertisement is structurally impossible or would be a false claim on the wire.
• Core Standard Profile (0088) + capability document-root layout (0073) Accepted. 0088 freezes the black-box-proven stable Core floor (0029 prompt-resolution chain + 0059 workspace isolation graduated into the black-box set); 0073 makes the conformance suite _enforce_ the document-root capability layout.
• Earlier-window graduations. RFC 0076 (pack runtime.requires[] + host ctx.http.safeFetch, §A + §B), 0072 (agent inventory + dispatch normative surface), 0054 (run diff & execution comparison), 0036 (multi-region idempotency + cross-engine ordering), 0025 (test-mode registry namespace), and 0056 (run feedback & annotations) all reached Accepted.
• Real-isolation WASM sandbox reference host (RFC 0035). New examples/hosts/wasm-sandbox/ executes pack-loaded typeIds as WebAssembly; all 7 testable node-pack-sandbox-* SECURITY invariants graduated reference-impl → protocol. RFC 0035 itself stays Active (gated on non-steward adoption by a host that runs untrusted packs).
• Conformance suite hardened + advanced to @openwop/openwop-conformance@1.18.1 (published per-package across this window): the agent-platform behavioral gates hardened against vacuous passes (1.17.0), the gated scenarios for every graduated RFC authored + published, the OTel collector-side BYOK-canary inspector + RFC 0041 §C replay-observable assertions landed, and the SAML behavioral leg expanded to the full 7-variant set.
• External-audit remediation. The corpus gate now blocks on open high/critical external-audit findings; the 2026-05-31 re-review's seven-item bar was mapped to the gap-closure program; multiple stale docs/KNOWN-LIMITS.md rows were retired against landed evidence (multi-region simulation harness, cross-engine CF-8, sandbox-timeout, the open-RFC table).
• New normative read surfaces (deferred Accepted-track). OpenAPI + AsyncAPI + TS SDK surface for the roster/org-chart (0086/0087) and eval/deployment (0081/0082) endpoints; AgentOrgChart Department/Role/Member published as named $defs.
• SDK parity completed across all three reference SDKs + machine-enforced. A parity audit found those agent-platform read surfaces — plus RFC 0078 tool catalog, run diff, and prompt-template CRUD — had reached only the TypeScript SDK. Ported the 17 missing helpers to openwop-client (Python) and the Go SDK, and added tools.list/tools.get + getArtifact across all three. New sdk/parity-expectations.json declares a per-SDK status (typed / excluded) for every OpenAPI operation, and scripts/check-sdk-parity.mjs (openwop:check step 7) fails on any undeclared route or typed-surface regression. sdk/PARITY.md's stale "34/34/34 as of 2026-05-15" headline corrected to 44 typed / 4 excluded (the four packs-test write-mirror operations — a server-side conformance affordance, not a client surface). This release publishes that surface: openwop-client 1.1.7 (PyPI) + github.com/openwop/openwop/sdk/go v1.1.7 finally carry the 17 agent-platform methods, and @openwop/openwop 1.2.0 (npm — a minor, not a patch, because client.prompts.get now returns PromptTemplate | null to match the other get-by-id helpers + the Python/Go SDKs: a 404 resolves to the null sentinel while a 400 prompt_ref_ambiguous still throws, so callers can distinguish "not found" from "ambiguous"). The conformance suite stays at 1.18.1 (no new scenarios). The parity gate also gained a word-boundary per-method symbols check so it catches a single method being deleted from a shared path family.
• Reference-app + host-sample. Agents tab + chat mention-symbol surface, durable read-through host-extension stores, cross-instance Kanban SSE fan-out, and a run of code-review / UX-review follow-ups. Rate-limit 429 envelope conformance (CF-6): the sample host now emits details.scope from the canonical closed enum ("tenant" | "route" | "global" | "key") per rest-endpoints.md §429 instead of internal limiter names (which moved to a non-normative details.reason), and honors OPENWOP_FORCE_RATE_LIMIT=true so the conformance harness can deterministically induce a 429 (rate-limit-envelope.test.ts).
• Registry + packs. core.openwop.http@2.0.0 (RFC 0076 §B safe-fetch consumer) signed + published to the in-tree mirror; tarball-signature gate added + unsigned tarballs yanked; agent-pack source-schema $id bumps.
• Release infrastructure + doc hygiene. Publish jobs are now idempotent — a corpus v* tag skips already-published package versions rather than partial-failing (PUBLISHING.md documents the property). generate-protocol-status.mjs --write self-heals the README corpus counts, retiring the giant-status-line merge bottleneck. The [1.1.6 — unreleased] changelog block was collapsed to release-notes shape + renamed 1.1.7 (1.1.6 was consumed by the TS SDK patch); the committed public/ site was rebuilt + deployed to openwop.dev to surface the graduations; and the INTEROP-MATRIX.md pass-rate header was corrected to mark 1.15.0 as the _last_ re-measurement (the published suite has since advanced to 1.18.1; a full re-measurement is pending).
• OpenAPI agent-path disambiguation (audit response). /v1/agents/{agentId} and /v1/agents/{agentId}/deployments now constrain agentId with pattern: '^(?!roster$|org-chart$).+$', so it can never collide with the sibling collection routes /v1/agents/roster/{rosterId} + /v1/agents/org-chart/{departmentId} (the path the third-party auditor flagged: /v1/agents/roster/deployments was structurally two-way). redocly's purely-structural no-ambiguous-paths rule (which can't see the pattern) is scoped off for exactly those two paths in api/.redocly.lint-ignore.yaml with a documented rationale — the rule stays enabled globally. Non-breaking: roster/org-chart were already reserved/ambiguous as literal agentIds.
• README published-artifact versions corrected. The "v1.x published artifacts" line pinned all four packages at v1.1.0; updated to the actual published versions — @openwop/openwop 1.1.6, @openwop/openwop-conformance 1.18.1, openwop-client (PyPI) 1.1.5, Go modules v1.1.5 — and clarified that the three SDKs hold feature parity even though patch versions diverge (the TS SDK took a 1.1.6 patch for the agent-platform helper surface) and the conformance suite versions independently.
• CLI agent-platform surfaces (@openwop/cli 0.1.2 → 0.2.0). The CLI now drives every demo-app protocol surface it previously lacked: \roster\ (RFC 0086), \org-chart\ (RFC 0087), \kanban\ boards + cards (with an SSE \watch\), \orgs\ orgs/teams/groups/roles/members RBAC + effective-access (RFC 0049), \workspace\ files (RFC 0059 §C real CRUD; the cross-owner test seam is deliberately not exposed), \byok\ secret refs (values never returned), and user-defined-agent \create\/\update\/\delete\ on the \agents\ group. All read commands support \--json\; all destructive commands require \--yes\. Also fixed the stale \--version\ constant (reported 0.1.0 on the 0.1.x package) and the pre-existing \agents run\ flag-parsing bug where \--task-json\/\--no-validate\ never took effect (option keys are camelCased).

Ships the first public release of the OpenWOP CLI to npm, brings channel messaging (Signal · iMessage · WhatsApp · Discord) to feature parity with the in-app AI chat, and closes the agent-manifest-runtime arc end-to-end on a non-steward host. All wire shapes additive per COMPATIBILITY.md §2.1.

• OpenWOP CLI v0.1.0 ships to npm. npm install -g @openwop/cli — a control-plane CLI for any OpenWOP-compatible host (auth onboarding, capabilities, runs + SSE streaming, prompts · memory · agents · interrupts, channel-relay daemons). Operator-side, independently versioned on its own cli/v* SemVer line; published through the existing OIDC publish pipeline with provenance (a new publish-cli job mirrors publish-ts-client). The 4085-line TypeScript bundle runs under strict + noImplicitAny: true; 149 node --test cases gate every release. A new /cli route in the demo app surfaces install + command catalog; a new homepage card on openwop.dev (§01.5 "Try it from your terminal") links the public to it.
• TypeScript + Python + Go SDKs bump 1.1.4 → 1.1.5 in lockstep. Conformance suite moved 1.7.0 → 1.10.0 mid-cycle across 12 net-new scenario files (artifact-type-pack-install, artifact-schema-compile-bounded, chat-card-pack-{execution,manifest-validation}, agent-manifest-runtime, byok-auth-modes, commitment-fired, exec-not-protocol-tier, memory-consolidation-{shape,idempotent}, artifact-type-store-without-render). No wire-shape changes.
• Messaging → AI-chat parity end-to-end. The relay-gateway lands routing enforcement (channel + peer → workflow OR agent), conversation-history threading (OPENWOP_MESSAGING_HISTORY_LIMIT-bounded turn replay), policy + pairing + allowlist + requireMention enforcement, direct agent dispatch as a routing target (with OPENWOP_MESSAGING_AGENT_DISPATCH_TIMEOUT_MS abort guard), and cross-channel identity unification. A code-review hardening sweep added tenant-scoped pairing/allowlist routes, CSPRNG pairing codes, a requireMention deny-all tripwire, defense-in-depth tenant scoping on listMessagingTurns, and a ?limit clamp on the delivery-log route. Postgres migrations 9-13 land on live Cloud SQL via the deploy ladder.
• RFC 0070 + 0072 + 0074 agent-runtime arc closes end-to-end. 0070 (agent-manifest runtime — agents.manifestRuntime) graduated Active → Accepted on MyndHyve production rev workflow-runtime-00394-jun (inventory + dispatch seam wired with toolSurface allowlist filter + attributed agent.reasoned/agent.decided). 0072 (normative GET /v1/agents) shipped. 0074 (tenant-scoped manifest-agent inventory — additive installScope: 'host' | 'tenant') graduated on multi-tenant rev workflow-runtime-00398-vup with steward-curl-verified A→1 agent, B→empty + cross-tenant 404. The 31 agent manifests on the workflow-engine host become runnable via agents.manifestRuntime + AgentRegistry + loader + dispatch.
• RFC 0071 (artifact-type packs + chat card packs) Accepted overall. Phase 1 graduated on MyndHyve Phase-1 adoption (16 → 7 reconciled types served as validated: true, validation: "open", registrationSource: "host"). Phase 2 graduated on Slice-B rev workflow-runtime-00402-bey — the real core.chat.cardExecute → ctx.aiEnvelope.generate binding with host.aiEnvelope advertised + contentTrust: "untrusted" on card-input-derived prompt segments. artifact-type-packs.md + chat-card-packs.md promoted DRAFT → FINAL. Two new SECURITY invariants: artifact-schema-compile-bounded + chat-card-input-trust-boundary.
• RFC 0073 (capability families are document-root properties of /.well-known/openwop) reconciles a contradictory discovery layout. The schema rooted agents / secrets / etc. at the doc root (no capabilities wrapper), but ~40 conformance scenarios + 4 reference hosts read nested — no host satisfied both. RFC 0073 lands a normative MUST + root-first conformance accessor; Phases 1-3 migrate 78/78 capability-gated scenarios; all 4 reference hosts (in-memory, sqlite, postgres, python) emit root + a deprecated-mirror via spread. Phase 4 (drop the wrapper-fallback + nested mirrors) defers to a future minor.
• RFC promotions Draft → Active. 0054 (run-diff — GET /v1/runs/{runId}:diff endpoint + canonical-comparison exclusion list pinned). 0073 (capability-root layout). 0074 (tenant-scoped agent inventory, amends 0072). 0075 (artifact-type-packs real-world adoption amendment, amends 0071 Phase 1 — host-native registration tier, additionalProperties: false MUST → SHOULD, per-type capability facets). Plus RFC 0071 Phase 2 (chat card packs) before its same-cycle promotion to Accepted.
• NEW Draft RFCs filed. 0067 (provider-catalog conventions — additive aiProviders.authModes + provider-name vocabulary). 0068 (memory consolidation + standing commitments — agents.memoryConsolidation / agents.commitments + content-free agent.memory.consolidated / commitment.fired events). 0069 (host-extension safety contract for exec-class tools — normative MUST-NOT carving exec out of protocol-tier + the exec-must-not-be-protocol-tier invariant). All additive.
• Registry hardening. Three published core.openwop.agents.* packs republished as @1.0.1 with their systemPromptRef bodies now bundled — the bundler dropped prompts/ from the tarball at @1.0.0 and an RFC 0003 §C fail-loud host (MyndHyve) correctly rejected them. New scripts/check-pack-prompt-refs.mjs (wired into openwop:check step 7) fails CI at build time if any source pack's systemPromptRef doesn't resolve to a bundlable prompts/ file. Separately: 81 pack-version index.json files corrected to declare the real publisher signing keys (openwop-team-1, myndhyve-internal-1, community-demo) instead of the stale openwop-registry-root default; check-registry-signer-consistency guard added.
• Reference workflow-engine: /readiness reports managed-provider health. When providers.json advertises a managed: true tier (e.g., openwop-free) but its server-held key was never seeded, /readiness returns 503 { status: "degraded", checks: { managedProviders: [...] } } with a per-provider detail naming the env var to set. Catches a dropped/unmounted-secret class of outage at deploy time instead of waiting for the first failed run.
• Honest deferrals + corrections. RFC 0054 (run-diff) stays Active — graduation to Accepted awaits a non-steward host advertising the endpoint. RFC 0072 graduation awaits a second cross-language host. The RFC 0073 wrapper-fallback removal (Phase 4) defers to a future minor. The v1.1.4 tag from 2026-05-26 silently did not trigger the publish workflow (no run record); this v1.1.5 corpus-aligned tag catches the TS SDK / Python / Go / conformance up. DEPLOY.md §6 corrected — the from-scratch --env-vars-file + --set-secrets form was a footgun for live redeploys; safe-redeploy recipe documented separately.
• Site updates. Homepage §01.5 "Try it from your terminal" card on openwop.dev introduces @openwop/cli with a dark-bg install snippet + capabilities list + deep-link to the in-app /cli command catalog. PUBLISHING.md artifact table gains the CLI row noting independent SemVer + cli/v* tag pattern.

Closes the first full week of post-1.1.3 cross-host adoption: the 8-RFC MyndHyve protocol-extension cohort + the 5-RFC autonomous-agent-runtime cohort all reach Accepted on production non-steward implementations, the multi-agent execution-model version: 1-4 ladder closes end-to-end, and three rounds of MyndHyve advertisement land RFCs 0028 / 0029 / 0040 / 0041 / 0055 / 0057. All wire shapes additive per COMPATIBILITY.md §2.1.

• TypeScript SDK 1.1.4 (@openwop/openwop) publishes the RFC 0057 memory.written typed event helper + the round-2 SDK-migration finishers (runsClient / interruptsClient / promptsClient / streamsClient on the published SDK, debug-bundle reverted to SDK after 1.1.3's regression). Python (openwop-client) and Go (openwopclient) bump in lockstep. No wire-shape changes.
• Conformance suite @openwop/openwop-conformance 1.5.0 → 1.6.0 → 1.6.1 → 1.7.0. 1.6.0 ships the 28 RFC 0045–0054 cohort scenarios; 1.6.1 patches a stale secrets.scopes allowlist in redaction.test.ts; 1.7.0 lands the autonomous-agent-runtime cohort coverage (+1 net-new scenario file plus per-RFC behavioral additions). Bundled synthetic SAML IdP fixture lands closing the RFC 0050 deferred conformance gap.
• MyndHyve protocol-extension cohort live in production (8 RFCs Draft → Accepted in one day). RFCs 0045 (connector pack manifest), 0046 (host.credentials), 0047 (host.oauth), 0048 (tenant·workspace·principal identity model), 0049 (RBAC scopes + authorization.decided), 0051 (approval & deployment-gate primitive), 0052 (scheduling & time-based triggers), 0053 (dead-letter routing) all graduated on MyndHyve workflow-runtime revision 00211-69w against @openwop/openwop-conformance@1.6.0 — 28 PASS / 0 FAIL (commit 85275cdf on the MyndHyve side). RFC 0050 (SAML/SCIM) + 0054 (run-diff) stay Draft per documented MyndHyve opt-outs.
• MyndHyve round-3 graduations (3 RFCs Active → Accepted 2026-05-26). Revision workflow-runtime-00217-q7c advertises capabilities.prompts.agentBindings: true (RFC 0029), aiProviders.maxInlineMediaBytes: 10485760 + modelCapabilities.advertised: ['vision-input', 'image-output'] (RFC 0055), and capabilities.memory.attribution.{supported: true, emitsWriteEvents: true} with canonical memory.written event dual-emitted alongside vendor x-host-myndhyve-memory-written (RFC 0057). Curl-verified on https://workflow-runtime-gjw5bcse7a-uc.a.run.app/.well-known/openwop.
• Multi-agent execution-model roadmap CLOSED end-to-end on a non-steward host. RFC 0040 (Phase 3 cross-host causation) + RFC 0041 (Phase 4 replay determinism) graduated Active → Accepted on MyndHyve's multiAgent.executionModel.version: 4 advertisement + replayDeterminism.{supported: true, llmCacheKeyRecipe: "spec-rfc-0041", refusalDivergenceEmission: true} block. The version: 1-4 ladder is fully production-validated; version: 5 (RFC 0061) opens the autonomous-agent-runtime extension.
• Autonomous-agent-runtime cohort (7 RFCs filed + 5 graduated). RFCs 0058 (run-execution bounds), 0059 (agent workspace), 0060 (host.heartbeat), 0061 (stateful agent-loop lifecycle, executionModel.version: 5), 0062 (memory.distillation "dreams"), 0063 (core.subWorkflow.outputAttestation), 0064 (host.toolHooks) filed Draft with Phase-0 architect-decision-batch clearance. Within the cycle: 0059/0060/0062/0063/0064 graduated Draft → Active → Accepted via in-memory reference-host M2 enforcement (each ships the documented POST /v1/host/sample/* seam + all scenarios green); 0058 + 0061 graduated to Active pending second-host M2 enforcement.
• RFC 0028 Tier-2 post-promotion strengthening. Workspace-membership normative + canonical workspace_membership_required 403 envelope error code + 2 new protocol-tier SECURITY invariants (prompt-mutation-workspace-membership-enforced, prompt-read-workspace-membership-enforced), filed in response to a self-disclosed adopter Admin-SDK-bypasses-DB-rules vulnerability — workspace gating now uniformly enforced across write + read paths.
• Reference-host milestones across all four hosts. in-memory: 5 M2 host surfaces (RFC 0059/0060/0062/0063/0064). Postgres: RFC 0026 cost-attribution + RFC 0031 model-capability gate + RFC 0040 Phase 3 cross-host causation + RFC 0056 feedback + RFC 0057 memory.written + RFC 0058 runTimeoutMs enforcement. SQLite: ports RFC 0022 dispatch/subWorkflow + 0026 + 0031 + 0056 + 0057 + 0058 from Postgres. Reference workflow-engine advertises capabilities.memory.attribution.emitsWriteEvents: true + emits on run-summary write. RFC 0031 model-capability gate-decision test seam lands on Postgres flipping the synthetic assertions live.
• Reference-app — 6 plan items closed end-to-end. Items #12 (pre-flight workflow validation against advertised engine limits), #13 (dedicated audit-log viewer page at /runs/:runId/audit), #15 (multi-turn conversation panel consuming conversation.{opened,exchanged,closed} events), #16 (A2A peer placeholder, forward-compat), #20 (Publish-to-registry helper banner), #25 (sticky-note canvas annotations via new clientOnly: true NodeCatalogEntry flag). The app-buildable plan closes at 23 ✅ / 2 🟡 / 0 ❌; the two 🟡 items are structurally unblockable from the openwop side and tracked in docs/myndhyve-round-2-handoff.md. Multimodal renderer (RFC 0055 §C consumer), media-emitting demo node, persistent HITL artifact cards, notification-system rewrite (Web Push + OS notifications + preferences + quiet hours + flagged review queue) all ship in the same cycle.
• vendor.myndhyve.brand@1.1.0 — first non-steward x-openwop-form pack (PR #232). Pilot annotation on brand.persona.discover.config.json adds provider-picker + model-picker { dependsOn: ["provider"] } (RFC 0066 normative cascade-clear). Path-to-Accepted for RFC 0066 unlocks once MyndHyve re-pins the new manifestHash. Bonus: scripts/emit-pin-json.cjs emits the 7-hash pin-block JSON for any registered pack version.
• +8 protocol-tier SECURITY invariants (94 → 102 total; 68 → 70 protocol-tier graduated to gate-verified). New: authorization-fail-closed (RFC 0049), prompt-{mutation,read}-workspace-membership-enforced (RFC 0028 Tier-2 — paired with a self-disclosed adopter vulnerability close-out), media-asset-url-tenant-scoped (RFC 0055), memory-attribution-{no-content,tenant-scoped} (RFC 0057), workspace-cross-tenant-isolation (RFC 0059 M2), subrun-merge-approval-fail-closed (RFC 0063 M2). Every protocol-tier MUST-NOT has at least one public test in conformance/src/scenarios/.
• NEW Draft RFCs filed (12). 0050 (SAML/SCIM enterprise identity profiles), 0054 (run-diff & execution comparison), 0055 (multimodal envelope variants), 0056 (run feedback & annotations), 0057 (memory write-attribution), 0058–0064 autonomous-agent-runtime cohort (run-execution bounds / agent workspace / heartbeat / stateful agent-loop / memory.distillation / subWorkflow attestation / host.toolHooks), 0065 (workflow node primary-output annotation — advisory outputRole: "primary" | "secondary" for chat-surface deterministic-artifact picking), 0066 (x-openwop-form vendor extension on pack configSchema).
• Honest non-graduations + opt-outs. RFC 0058 wall-clock arm took two rounds — MyndHyve initially advertised maxNodeExecutions in error, honestly retracted via docs/openwop-adoption/rfc-0058-round-3-retraction.md, then landed the real arm on 2026-05-26 (limits.maxRunDurationMs: 600000 now advertised; maxLoopIterations: null honestly absent — host attests run-create clamping + canonical cap.breached { kind: 'run-duration' } emission). RFC 0058 stays Active pending second-host adoption. RFC 0035 (sandbox), 0036 (multi-region), 0050 (SAML), 0054 (run-diff) opt-outs documented at docs/openwop-adoption/round-3-closure-2026-05-26.md with re-evaluation criteria. RFC 0058 round-3 closure agreement loop documented at docs/openwop-adoption/rfc-0058-round-3-retraction.md.
• Multi-agent "Phase N" → version-tagged rename + site regenerated. External-facing prose drops internal "Phase N" labels for the multi-agent execution model in favor of the wire-shape version: N identifier (per the 2026-05-24 external-reader feedback). Site openwop.dev/spec/v1/* regenerated to pick up RFC 0045–0057 + cohort promotions + 404 page (PR #164). Reference-app SDK migration finished — runsClient / interruptsClient / promptsClient / streamsClient all on the published SDK (cookie-mode SSE stays on native EventSource pending an SDK credentials: 'include' hook).

Closes the workflow-engine reference-host pass-rate inflation that the 2026-05-22 external standards-readiness review flagged, lands first non-steward host adoption of four RFCs, and ships the Phase 4 behavioral harness end-to-end. All wire shapes additive per COMPATIBILITY.md §2.1.

• TypeScript SDK 1.1.3 (@openwop/openwop) publishes coordinated parseRefusal() + buildReasoningDirective() helpers. Python (openwop-client) and Go (openwopclient) bump in lockstep. No wire-shape changes.
• Workflow-engine reference host pass-rate 80.9% → 95.5% via two bundled-path bugfixes (envelopeAcceptor.ts schema lookup + promptStore.ts/promptCompose.ts fixtures lookup) — both cases of __dirname + '..' × N overshooting under the esbuild-bundled tree. New shared _repoPath.ts::locateRepoDir() helper + 5-test regression guard. The inflated 129-failure number was a cascade from a single ENOENT crash, not 129 real conformance gaps.
• RFC 0041 §B Phase 4 closes — replay-divergence-at-refusal executor wiring lands the last it.todo from the 5-track audit harness. The workflow-engine's :fork mode: replay path now emits replay.divergedAtRefusal and fails with error.code: 'replay_diverged_at_refusal' when an envelope kind diverges between source and replay (both directions). Gated on OPENWOP_MULTI_AGENT_EXECUTION_MODEL_PHASE_4=true. RFC 0041 path-to-Accepted opens (gate: second host advertising multiAgent.executionModel.version: 4).
• Phase 4 behavioral harness — Tracks 1/2/5/6/7 + RFC 0042 close. Three new HTTP test-seam endpoint families on the reference workflow-engine drive five new conformance scenarios: multi-region partition simulator, cross-engine append-ordering harness, sandbox MVP (7-of-8 RFC 0035 §B invariants), secret-leakage OTel-attribute coverage, RFC 0042 experimental-tier shape probe. Suite scenario count 205 → 210. NEW spec/v1/host-sample-test-seams.md §6–§8 documents the new seams normatively.
• First non-steward cross-host adoption. MyndHyve (api.myndhyve.ai) ships Tier-1 advertisements for RFC 0021 (envelope), RFC 0027 (prompt templates with observability: 'full'), RFC 0028 (read-only prompt library), RFC 0029 (override hierarchy, node layer), RFC 0034 (OTel test seam, empty-buffer Tier-1), RFC 0039 Half B (memory lifecycle MAE-2 + MAE-3, crossChildMemoryConcurrency: 'strict'), RFC 0040 Sub-5b (MCP API-key auth). Verified live against /.well-known/openwop.
• RFC promotions Active → Accepted (5 total this release): 0027 (prompt templates) — first non-steward prompts.supported: true + observability: 'full'; 0034 (OTel collector test seam) — first non-steward Tier-1 seam-shape adoption; 0037 Phase 1 (multi-agent execution model) — first vendor-neutral validation signal; 0039 Half A (multi-agent confidence + memory lifecycle) — cross-host evidence via MyndHyve commit c4342b5b against suite v1.5.0; 0044 (confidence-escalation interrupt-kind advertisement, clarification to RFC 0039 §A).
• NEW Draft RFCs. 0042 (experimental capability tier — tier ∈ {stable, experimental} + experimentalUntil ≤ 12-month sunset + derived openwop-experimental profile + conformance soft-skip routing under default mode). 0043 (registry + extension policy + IPR posture — consolidates DCO + Apache-2.0 + CC-BY-4.0 + namespace reservation rules).
• Vendor-namespace pattern locked. MyndHyve picked Option 1 (x-host-myndhyve-memory-written) per host-extensions.md §"Canonical prefixes" for host-private SR-1 audit events. Preserves wire-shape compat with strict RunEventType validators; the canonicalize-via-RFC path stays open for any second host that wants the same shape.
• Honest correction — registerHostSampleRoutes wire-up bug. MyndHyve's /v1/host/sample/* routes were deployed for days but never wired into the runtime (404 in production until commit 60b569de). Four seams affected (RFC 0027 §E compose, RFC 0041 §A cache-key, RFC 0021 envelope-accept, RFC 0034 OTel scrape). All four now exercisable end-to-end; RFC 0027 status stays Accepted (the advertisement was real; the bug was wire-up, not logic).
• Audit response artifacts. NEW docs/AUDIT-RESPONSE-2026-05.md (point-by-point reply to the 2026-05-22 external review with calendar tripwires). NEW docs/CONFORMANCE-RUNS-2026-05.md (re-measurement of all 4 reference hosts against @openwop/openwop-conformance@1.4.0 + per-failure taxonomy). NEW docs/PHASE-4-PROGRESS.md (Phase 4 close-out accountability with closing-commit citations).
• Conformance suite 1.4.0 → 1.5.0. RFC 0044 vendor-kind routing relaxation splits one strict-equality assertion into discrete it() blocks (+6 tests, +6 passes). Postgres 1473/1564 (94.2%), SQLite 1486/1564 (95.0%), in-memory 1445/1564 (92.4%), Python 1387/1564 (88.7% total / 100% of applicable).
• Reference workflow-engine + sample-app polish. Real-LLM default in the builder (vendor.openwop-sample.chat-responder replaces the deterministic mock-ai node + managed openwop-free credential tile by default); Copy/Export buttons on the event-stream view; Cloud Run deploy-plumbing close-out (vendored schemas/ + dual-mount conformance-fixtures/ so the bundled host resolves sibling-repo paths under /app/lib); .gitignore for harness runtime state (.db-shm/.db-wal, .byok-master-key, host-fs/).
• Site shipped at openwop.dev (2026-05-21). 13 new content pages + REST API explorer (Redoc) + AsyncAPI + gRPC transport explorers + JSON-LD TechArticle structured data on every spec doc. Star-on-GitHub CTA in the marketing footer.

---

The first patch release after v1.1.1 closes every gap from the 2026-05-19 → 2026-05-21 batch covering the envelope LLM-contract-hardening RFCs, the prompt-library track, the dispatch primitives, the multi-agent execution model, the agent-pack catalog, and the marketing-site launch at openwop.dev. All wire shapes additive per COMPATIBILITY.md §2.1.

• TypeScript SDK 1.1.2 (@openwop/openwop), Python (openwop-client), Go (openwopclient) all bump in lockstep. Conformance suite @openwop/openwop-conformance 1.1.1 → 1.4.0 over the release window (1.2.0 / 1.3.0 / 1.4.0 minor bumps for new behavioral scenario families).
• Marketing site shipped to openwop.dev (2026-05-21). First public surface for the protocol. Multi-page spec corpus rendered from spec/v1/*.md, demo card, Star-on-GitHub CTA. Companion app.openwop.dev workflow-engine sample app deployed in parallel.
• spec/v1/ai-envelope.md DRAFT → FINAL v1.1 (2026-05-18). Closes the AI Envelope specification gap that was the largest remaining v1.0-era hole. Normative for envelope-acceptor wire shape, refusal kinds, capability stacking, and SR-1 secret redaction.
• Envelope-hardening track (RFCs 0030–0033) filed + promoted Draft → Active → Accepted in 4 days (2026-05-20 → 2026-05-21). 0030 envelope reasoning field + Tier-1 structured-output subset. 0031 envelope variant discrimination + model-capability declarations. 0032 envelope-reliability run-event vocabulary. 0033 envelope-completion contract (truncation vs schema-violation retry routing). Reference-host emission landed in dispatchStructured(); conformance scenarios cover all four RFCs end-to-end.
• Prompt-library track (RFCs 0027 / 0028 / 0029) filed Draft + promoted Active (2026-05-19 → 2026-05-20). RFC 0027 (prompt templates) reference-host implementation + Phase A wire shape + 4-kind dispatch wiring + slotIndex correctness. RFC 0028 (prompt library endpoints) reference-host /v1/prompts* endpoints + PromptStore + example prompt pack. RFC 0029 (prompt override hierarchy) four-layer resolver + /v1/host/sample/prompt/resolve seam. RFC 0027 §F shared divergencePoint schema diff.
• Multi-agent track filed Draft. RFC 0035 (sandbox execution contract), RFC 0036 (multi-region + cross-engine), RFC 0037 (multi-agent execution model Phase 1 — first vendor-neutral validation tripwire), RFC 0039 (multi-agent Phase 2 confidence-floor escalation + memory lifecycle MAE-2/MAE-3), RFC 0040 (Phase 3 cross-host causation), RFC 0041 (Phase 4 replay determinism under nondeterministic models). RFC 0037 Phase 1 promoted Draft → Active same day with reference-host wiring + behavioral conformance.
• RFC 0034 (OTel collector test seam) filed Draft → Active (2026-05-21). Replaces the failed POST-based shape with a GET-based scrape after the standards-readiness review surfaced the POST→GET reconciliation gap.
• RFC promotion cohort Active → Accepted (15 RFCs): 0013 (workflow-chain packs — Draft → Active → Accepted same day on Phase 4 in-tree example landing); 0014–0021 graduation cohort (8 capability RFCs — behavioral conformance via opt-in test seam); 0022 (core.dispatch + core.subWorkflow runtime variable mapping — Postgres reference impl + dispatch trio); 0023 (conformance agent-event emitters); 0024 (streaming agent.reasoned deltas + SDK typed-helper rollout); 0026 (provider.usage event — filed Draft → Active → Accepted same day); 0030 / 0031 / 0032 / 0033 envelope-hardening track promoted Active → Accepted at the close of the release window.
• 5 new Draft RFCs filed against the 2026-05-21 standards-readiness review findings. Each maps to a specific audit finding; full close-out lands in 1.1.3's Phase 4 harness work.
• Agent pack catalog (4 tiers, 28 packs total). Phase 1 — Tier 0/1 foundations (9 packs). Phase 2 — Tier 2 productivity skills (5 packs). Phase 3 — Tier 3 vertical agents (10 packs). Phase 4 — Tier 4 crews + skills-bridge (4 packs). Catalog seeded with reference manifests + signing material for downstream registry publication.
• **17 core.openwop.* packs published to packs.openwop.dev** under steward-internal pre-audit (2026-05-17). First non-trivial registry population. Includes pre-publication triage finding: core.openwop.http@1.1.2 (idempotency-key generator made deterministic), core.openwop.data@1.2.1 + core.openwop.crypto@1.0.2 (correctness fix for nodes mis-declared as pure), core.openwop.ai@1.1.1 + core.openwop.crypto@1.0.3 (defensive parsing of model output + JWT shapes), core.openwop.ai@1.1.2 + core.openwop.mcp@1.1.1 (UNTRUSTED-marker discipline on ctx.trustBoundary='untrusted' runs), core.openwop.agents@1.0.1 (raw-JS tool handler — closes OPENWOP-AUDIT-2026-003). Old core.openwop.ai@1.1.1 + core.openwop.mcp@1.1.0 marked deprecated.
• Pack patches: SSRF + JWT alg-confusion fixes (P0.1) (2026-05-17). Yank-and-republish on the affected versions.
• Workflow-chain packs (RFC 0013) — Phases 1–4 land in sequence. Reference example at examples/branching-workflow/. Phase 4 in-tree example demonstrates chain-pack composition end-to-end.
• apps/workflow-engine@P3 — Firebase Auth signup + Cloud SQL persistence + KMS-encrypted BYOK (2026-05-17). Production rollout fixes (post-mortem) (2026-05-18). First fully-managed reference deployment serving as the app.openwop.dev surface.
• Workflow-engine sample app — 30+ feature commits covering: BYOK canary echo node + provisioning, core.channelWrite + append-with-TTL reducer, capability_not_provided refusal contract, idempotency body-hash mismatch, quorum-aware approval gate, recursionLimit + conversationPrimitive refusal, core.subWorkflow executor + variable mutation seam, JSON content negotiation, getWorkflow endpoint + strict streamMode validation, bulk-cancel endpoint + idempotency replay header, MCP discovery shape + approval resume validation, fixture input-port → variable resolution, credential-shape redaction, cache hit semantics + debug-bundle endpoint, fs absolute-path rejection + kv.cas canonical shape, events/poll lastSequence + SSE bufferMs aggregation, prompt-library UI staging, managed "Try it free" provider tile, RFC 0022 dispatch cluster, parent/child cancel-cascade interrupt profile, external-event interrupt support, AI chat viewport-lock + Lucide thumbs icons.
• Storage adapter parity harness — SQLite vs Postgres via pg-mem (2026-05-18) + real Postgres via @testcontainers/postgresql for end-to-end behavioral fidelity. Closes the storage-adapter parity gap from the v1.1.0 close-out.
• Conformance close-outs: 7 aiEnvelope. scenarios graduated from shape probes to behavioral assertions (2026-05-18); agent.toolReturned causationId pairing tightened; envelope-track it.todo placeholders drained (sub-tracks E + E2 + A.reasoning-redaction); OPENWOP_REQUIRE_BEHAVIOR wired across the prompt-\ scenario family; soak-gate close-out (opt-out axes + SQLite artifact stub).
• Untrusted-content propagation, persisted envelope-correlation dedup, downstream-LLM untrusted-content wrap, envelope-contract capability stacking refusal, approval-gate trust-boundary refusal — five protocol-tier behavioral hardening rows close in the sample-host (2026-05-19).

---

Six additive commits landed on main after the v1.1.0 release tag. None changes a wire shape; all ship in a 1.1.1 patch when the registry SDKs are next published. Two close adopter-experience footnotes (lockfile demo + community pack re-sign), one closes a conformance-probe scope limit (MCP transports), and three close the RFC-process self-acceptance loop (0008 promotion + node-packs §WASM cross-link, 0001 promotion + CHANGELOG status drift fix).

• Workspace lockfile demo (daeaef5) — examples/core-packs-lockfile/openwop-pack-lockfile.json + README pins the 4 audit-gated core packs (core.openwop.{ai,http,mcp,triggers}@1.0.0) using the pack-lockfile schema. Demonstrates SRI integrity + Ed25519 signature material for offline / air-gapped resolution. Closes the controllable half of the "build + sign + lockfile in-tree" Phase E task; the audit-blocked half (publication to packs.openwop.dev) remains gated on SECURITY/external-audit-engagement.md §2.1.
• community.openwop-team.demo re-signed (0bf08cc) — Option-B reconciliation of a 3-way signing-identity drift. The demo pack now ships signed by community-openwop-team-demo-1 (over canonical pack.json) instead of openwop-registry-root (over tarball), matching PACKS-MVP-PLAN.md §211's per-tier-key intent and illustrating the per-publisher-identity pattern. New registry/keys/community-openwop-team-demo-1.pub + signingKeys[] entry in registry/.well-known/openwop-registry.json (namespace-scoped to community.openwop-team.demo only — cannot sign for core. or vendor.). Canonical verifier (registry/scripts/verify-signatures.mjs) passes 29/29.
• MCP probe scope-limit footnote closed (beb5ae6) — all three MCP transports now verified end-to-end against @modelcontextprotocol/sdk@1.29.0. SSE-streamed responses verified via the same SDK without enableJsonResponse (probe's existing readSseUntilId correlates frames by JSON-RPC id). Stdio transport — HTTP-incompatible by design — exercised via the new examples/mcp-stdio-bridge/ shim that wraps any newline-delimited-JSON-RPC stdio server as HTTP for the probe (bundled echo-stdio-server.mjs + per-session-id child-process lifecycle; 2/2 pass). INTEROP-MATRIX.md §"Composition partners" MCP row + spec/v1/mcp-integration.md §"Conformance + interop" + docs/PROTOCOL-GAP-CLOSURE-PLAN.md Track 6 all updated to retire the previous scope-limit language.
• RFC 0008 (WASM ABI) promoted Active → Accepted (6118cce, 2026-05-13) — all 8 acceptance-criteria items satisfied. The one previously-stuck gap (spec/v1/node-packs.md §"WASM runtime" cross-link) landed in the same commit with a 6-scenario coverage table mapping each wasm-pack-*.test.ts to its RFC 0008 anchor. The previously-stale Open spec gaps row NP1 — WASM ABI for language: wasm packs flipped to ✅ closed. README + CHANGELOG status banners refreshed to reflect 0008/0009/0010/0011 all Accepted.
• RFC 0001 (RFC process) promoted Active → Accepted (20e0d1c, 2026-05-13) — closes the meta-RFC's self-acceptance loop. All 6 acceptance-criteria items confirmed: RFCS/README.md + 0000-template.md + this file shipped together; GOVERNANCE.md cross-references RFCS/ at five locations; CHANGELOG.md records the RFC process landing; rfc PR label created in the public repo (#5319e7 purple, description references the process RFC). Subsequent normative additions land under standard RFC review rather than the bootstrap waiver pattern. Same commit fixed CHANGELOG status drift for RFCs 0009/0010/0011 (had been stale at Active even though all three were promoted to Accepted 2026-05-12).
• Final RFC ladder state (2026-05-13): RFCs 0001–0011 all Accepted (11 total). 0000 is the template scaffold; 0012 (memory compaction) is parallel-session Draft. Every RFC with a satisfied acceptance checklist is now promoted.
• RFC 0012 (Memory Compaction Profile) Active → Accepted (2026-05-15) — comment window waived per CONTRIBUTING.md §"Bootstrap-phase notes" (sole-steward repo, no non-steward maintainer of record, no external commenters during the 48h the window was open). All 6 acceptance criteria satisfied at promotion time. RFC ladder state: 0001–0012 all Accepted (12 total). 0000 is the template scaffold. Future RFCs revert to the canonical 7-day comment window once MAINTAINERS.md lists a non-steward maintainer.
• RFC 0012 (Memory Compaction Profile) Phase 3 prep landed 2026-05-14 (promoted to Accepted 2026-05-15 under the bootstrap waiver above):

- Reference host — examples/hosts/postgres/src/memory-adapter.ts gains runCompaction + applyCompactionRedaction + REFERENCE_COMPACTION_CAPABILITY. Server.ts conditionally advertises capabilities.memory.compaction when OPENWOP_MEMORY_COMPACTION=true and exposes the test seam at POST /v1/test/memory/{seed,compact} when OPENWOP_TEST_TRIGGER_COMPACTION=true. SR-1 carry-forward (RFC 0012 §D) honored by re-substituting [BYOK:...] form-leaks + non-canonical <REDACTED:...> markers with [REDACTED:carry-forward-<n>] BEFORE the derived entry persists. Output entries carry the compacted-from:<id> provenance tag per §C. - 3 conformance scenarios — memory-compaction-event-emitted.test.ts (canonical §B payload shape), memory-compaction-sr1-carry-forward.test.ts (load-bearing §D — replaces the Phase 2 it.todo() stub), memory-compaction-provenance-tag.test.ts (soft assertion on §C). All three gate on capabilities.memory.compaction.supported + test seam reachability. 3/3 pass live against the Postgres reference host. - Host smoke — examples/hosts/postgres/test/memory-compaction.test.ts verifies 7 paths end-to-end (advertisement + seed + compact + outputId readability + SR-1 §D + provenance + empty-noop).

• RFC 0012 (Memory Compaction Profile) Draft → Active (2026-05-13) — opens the 7-day public comment window (closes 2026-05-20). New optional capabilities.memory.compaction advertisement + memory.compacted canonical event + SR-1 carry-forward invariant for any host that distills short-lived MemoryEntry rows into longer-lived ones. Additive per COMPATIBILITY.md §2.1.
• Tarball-fetch + signature-verify roundtrip vs packs.openwop.dev (2026-05-13) — conformance/src/scenarios/registry-public.test.ts gains a 4th describe block that fetches core.openwop.examples@1.0.0's tarball + .sig + publisher public key from the live registry, asserts SRI integrity matches a fresh SHA-256 of the tarball bytes, and runs Ed25519 verification per node-packs.md §"Signing recipe" (method=ed25519 signs the whole tarball). Closes coverage.md row 34's "Remaining: tarball-fetch + signature-verify roundtrip" gap. 6/6 tests pass against live packs.openwop.dev.
• Strict-mode opt-out signaling (2026-05-13) — new OPENWOP_OPTED_OUT_PROFILES=name1,name2 env var consumed by conformance/src/lib/behavior-gate.ts distinguishes "host opted out (honest minimal posture)" from "host claims but doesn't deliver (bug)". Strict mode (OPENWOP_REQUIRE_BEHAVIOR=true) skips opted-out profiles with a "honest opt-out" log line instead of failing. SQLite + Python reference hosts can now achieve strict-mode green without falsifying capability claims. Advertise + opt-out conflict surfaces a loud warning so typos don't mask real bugs.
• Batch A — adopter-facing prose refresh (2026-05-13):

- examples/hosts/postgres/conformance-full.md + INTEROP-MATRIX.md re-measured against suite v1.1.0 with conditional-profile env vars: 781/850 (91.9% total, 95.2% of non-todo, 96.4% of applicable) — up from 728/797 the prior measurement. +53 scenarios + +53 passes net of Phase H/I capability surfaces + 9 stage5 vendor packs. One failure remains: documented webhook-signed-delivery flake (passes in isolation; full-suite timing collision). - docs/migration/v1.0-to-v1.1.md — new adopter-facing "what's new" guide. Documents v1.1 as purely additive per COMPATIBILITY.md §2.1: every v1.0 conformance pass remains valid, no code changes required for v1.0 implementations. Per-capability sections walk through Phase H (BYOK / AI providers / MCP / HTTP / cap-breach kinds) + Phase I (memory / agents / auth profiles) + Phase G (spec-corpus close-out) with cross-links to RFCs + conformance scenarios. Linked from README.md §"Document index". - ROADMAP.md §"v1.2 outlook (projected)" — new gate-conditioned projection of v1.2 candidates: RFC 0012 memory compaction, WASM Component Model sub-RFC, Rust SDK v0.1 (demand-gated), 4 audit-gated core.openwop.* packs, cross-host SSE replay, mTLS termination on Postgres, multi-region idempotency end-to-end fixture. Each item carries its specific gate (RFC comment window / external audit / capability flag / adopter ask) — no fixed calendar; items move to next minor or Withdrawn if no signal. - sdk/python/QUICKSTART.md + sdk/go/QUICKSTART.md — new 5-minute end-to-end walkthroughs that boot the in-memory reference host on your laptop, run a workflow against it, and read the event log. Both READMEs link to the new quickstarts.

• Batch C — conformance coverage close-outs (2026-05-13):

- Multi-region idempotency convergence-rule resolver (Track 13) — new examples/hosts/postgres/src/multi-region.ts ships the canonical algorithm for idempotency.md §"Multi-region idempotency" §"Convergence rule": lex-min(runId) wins, losers get run.cancelled { reason: 'cross_region_dedup_loss' }, every region's cache redirects to the winning runId. Pure function — same inputs → same outcome regardless of caller order, region, or wall clock; two regions running the resolver independently arrive at the same survivor without coordination. Smoke test (test/multi-region-idempotency.test.ts) verifies 6 paths including label-determinism for the operator-tier openwop.idempotency.cross_region_conflicts_total counter. Conformance scenario (multi-region-idempotency.test.ts) extended to also verify that hosts claiming crossRegion: 'best-effort' or 'strict' advertise the operator metric per §"Operator surface". The Postgres reference host stays single-region (crossRegion: 'single-region'); the resolver is operator-adoption-ready for any future multi-region host. - Cross-host trace-context propagation across core.subWorkflow (Track 11 remaining row) — new conformance/src/scenarios/otel-trace-propagation-subworkflow.test.ts closes the previously-partial gap on coverage.md row 52. Asserts: when a parent run is started with an inbound traceparent and contains a core.subWorkflow node, the dispatched child run's spans MUST share the parent's traceId. Distributed traces stitch across the dispatch boundary without operator-side correlation hacks. Gates on capabilities.observability + conformance-subworkflow-parent fixture advertisement + OPENWOP_OTEL_COLLECTOR=true. coverage.md Observability row + per-scenario row both flipped to A (full coverage).

• Batch B — Postgres reference host additive surfaces (2026-05-13):

- Phase I.2 reasoning-event emission wiring — Postgres host's core.llm.chat / core.llm.completion executors now emit agent.reasoned (verbosity-gated per RunOptions.configurable.reasoningVerbosity → host default fallback "summary" with 512-token cap) + agent.decided (confidence ∈ [0,1]) after a successful AI-proxy call. core.mcp.toolCall emits agent.toolCalled BEFORE the call (carrying argumentsSha256) and agent.toolReturned AFTER (paired via shared callId, with outcome.{resultSha256,resultLength,isError,durationMs} on success or error.{code,message} on failure). SR-1 + MCP-1 preserved end-to-end: only SHA-256 digests + lengths + outcome flags appear on payloads — never raw tool arguments or result content. Verified by examples/hosts/postgres/test/reasoning-event-emission.test.ts via two new host-private fixtures (loaded through the OPENWOP_EXTRA_FIXTURES_DIR test seam — these typeIds are implementation-specific and not yet protocol-normative). - Phase I.7 mTLS termination — Postgres host now claims openwop-auth-mtls end-to-end when OPENWOP_MTLS_CERT_PATH + OPENWOP_MTLS_KEY_PATH are set. HTTP listener switches to node:https.createServer({ requestCert: true, rejectUnauthorized: OPENWOP_MTLS_REQUIRED !== 'false' }); OPENWOP_MTLS_CA_PATH is optional (when present, only client certs signed by that CA bundle pass the handshake). Discovery emits capabilities.auth.mtls.{supported: true, required: <bool>, subjectMapping: 'cn'} only when configured (honesty principle). Verified end-to-end by test/mtls.test.ts (advertisement shape + valid-cert 201 + no-cert TLS handshake rejection). The existing conformance/src/scenarios/auth-mtls.test.ts now flips from "Not claimed" to a verified positive path when the Postgres host is launched with OPENWOP_MTLS_* configured.

---

The close-out release for v1.0. The protocol contract was frozen on 2026-05-08 (see the spec-freeze entry below) and first published as v1.0.0 on 2026-05-11 (see entry below). This 1.1.0 release closes every controllable gap from the 2026-05-10 deep-dive review and the 2026-05-12 architectural re-evaluation, hardens the Postgres reference host to production-runtime parity, and lands 18 additive feature surfaces (Phase H launch-blockers + Phase I enterprise-blockers).

All changes in this release are additive per COMPATIBILITY.md §2.1 — no existing required fields changed type or optionality, no event-type shape changed, no endpoint contract relaxed, no existing MUST weakened. Hosts that were v1.0.0-compliant remain v1.x-compliant; this release just adds new capability surfaces that hosts may now advertise + new conformance scenarios that gate on those advertisements.

Per-track closure status is tracked in docs/PROTOCOL-GAP-CLOSURE-PLAN.md (archived 2026-05-12); per-host conformance evidence lives in examples/hosts/*/conformance.md + INTEROP-MATRIX.md.

Spec corpus state

• 29 prose specs at Status: FINAL v1. Zero DRAFT / STUB / OUTLINE tags remain. New additions since 2026-05-08 freeze: auth-profiles.md, capabilities-change-detection.md, grpc-transport.md, i18n.md, compliance.md, host-capabilities.md, production-profile.md, replay.md retention/expiry annex, node-packs.md lockfile + Component-Model annexes.
• 22 first-class JSON Schemas under schemas/, all JSON Schema 2020-12 with $id at https://openwop.dev/spec/v1/<name>.schema.json and additionalProperties: false on every object. New: agent-manifest, agent-ref, memory-entry, memory-list-options, audit-verify-result, pack-lockfile, orchestrator-decision, dispatch-config.
• OpenAPI 3.1 (api/openapi.yaml) — every endpoint has operationId + tags + ≥ 1 error response; every schema referenced via cross-file $ref. Lints clean under redocly lint. New operations: verifyAuditLog, bulkCancelRuns.
• AsyncAPI 3.1 (api/asyncapi.yaml) — every channel binds to a message + payload schema reference. Lints clean under asyncapi validate.
• gRPC transport profile (api/grpc/openwop.proto + spec/v1/grpc-transport.md) — canonical openwop.v1.Engine service; profile-gated via capabilities.supportedTransports: ["grpc"].

RFCs landed

• RFC 0001 — RFC process itself (Accepted).
• RFC 0002 — Agent identity + reasoning events (Accepted).
• RFC 0003 — Agent packs (Accepted).
• RFC 0004 — Memory layer + MemoryAdapter contract (Accepted).
• RFC 0005 — Conversation as run primitive (Accepted).
• RFC 0006 — Orchestrator-supervisor role (Accepted).
• RFC 0007 — core.dispatch core node (Accepted).
• RFC 0008 — WASM ABI (Accepted 2026-05-13) + Component-Model variant annex.
• RFC 0009 — Production-profile conformance (Accepted 2026-05-12).
• RFC 0010 — Auth-profile conformance + v1.0 closure umbrella (Accepted 2026-05-12).
• RFC 0011 — Auth-scoped discovery (Accepted 2026-05-12).

Multi-Agent Shift (RFCs 0002–0007 + RFC 0008)

• Phase 1 — AgentRef wire shape; agent.reasoned / agent.toolCalled / agent.toolReturned / agent.handoff / agent.decided events; confidence escalation contract (CP-1); message reducer.
• Phase 2 — Agent capability discovery on /.well-known/openwop; pack.json agents[] extension; agent-pack manifests.
• Phase 3 — Agent memory layer: memoryRef resolution + redaction (SR-1) + cross-tenant isolation (CTI-1) + host MemoryAdapter contract.
• Phase 4 — Conversation as run primitive: conversation.start / conversation.exchange / conversation.close suspend variants.
• Phase 5 — Orchestrator-supervisor: core.orchestrator.supervisor typeId + OrchestratorDecision schema + runOrchestrator.decided event.
• Phase 6 — core.dispatch core node: conservative dynamic graph mutation (CP-2); causationId propagation per RFC 0007 §E.
• WASM ABI — RFC 0008 Active; reference Rust pack at examples/packs/rust-hello/ (28 KiB wasm32); Wasmtime-free loader at examples/hosts/in-memory/src/wasm-loader.ts; six conformance scenarios; deliberately-misbehaving packs for memory-cap (examples/packs/rust-misbehaving-memory/) and ABI-mismatch (examples/packs/rust-misbehaving-abi/) positive-path testing. Schema extension: capBreached.kind enum gained wasm-memory, wasm-fuel, wasm-execution-time (RFC 0008 §K). New optional capability capabilities.nodePackRuntimes.wasm.loadedPacks[] surfaces accepted pack names; rejected packs (declared ABI not in abiVersions[]) MUST be absent — drives the conformance positive path since rejection happens at load time before any node-invoke surface.
• OTLP/gRPC collector (Track 11 closure) — conformance/src/lib/grpc-framing.ts (hand-rolled length-prefixed gRPC HTTP/2 framing, zero npm deps) + OtelCollector.startGrpc() (parallel node:http2 server, shared spans/metrics store). New optional capability capabilities.observability.otel.exportProtocols[] advertises the supported OTLP transports (http/json, http/protobuf, grpc); spec/v1/observability.md gains a §"Export protocols" normative section. New conformance scenario otel-emission-grpc.test.ts gates on the array. Opt-in via OPENWOP_OTEL_COLLECTOR_GRPC=true (default port 4317).

Capability surfaces

Hosts advertise optional behaviors at /.well-known/openwop. New capability blocks added between 2026-05-08 and 2026-05-12:

• capabilities.runs.{pauseResume, bulkCancel} — pause/resume + bulk-cancel endpoints.
• capabilities.webhooks.{supported, signatureAlgorithms} — HMAC v1 signing ({timestamp}.{rawBody}).
• capabilities.secrets.{supported, scopes, resolution} — BYOK secret resolution (host-managed).
• capabilities.aiProviders.{supported, byok, policies} — AI provider routing with 4-mode policy enforcement (disabled / optional / required / restricted).
• capabilities.mcpClient.{supported, transports, trustBoundary} — MCP tool invocation; trustBoundary: "untrusted" per threat-model-prompt-injection.md §UNTRUSTED.
• capabilities.httpClient.{supported, methods, ssrfGuard, maxResponseBodyBytes} — universal core.http.request typeId with SSRF guard.
• capabilities.memory.{supported, maxEntrySizeBytes, ttlSupported} — MemoryAdapter read-side contract per RFC 0004.
• capabilities.agents.{supported, profile, modelClasses, orchestratorPattern, memoryBackends, orchestrator, dispatch, reasoning} — Multi-Agent Shift Phase 1–6 advertisement.
• capabilities.auth.{profiles[], rotation, oauth2, oidc, auditLogIntegrity} — auth-profile advertisement (rotation; OAuth2-CC; OIDC user-bearer; audit-log integrity).
• capabilities.discovery.authScoped.{supported, mode} — RFC 0011 same-endpoint auth-scoped discovery.
• capabilities.production.{supported, backpressure, retention, debugBundle} — production-profile claim (RFC 0009).
• capabilities.observability.{otel, metrics} — OTel emission with openwop.{run.backlog, queue.depth, run.duration} metrics; OTLP/HTTP-JSON + OTLP/HTTP-protobuf encodings supported.

Reference SDKs at 1.1.0

• @openwop/openwop (TypeScript, npm) — first-class methods on OpenwopClient for every OpenAPI endpoint; HTTP_ERROR_CODES catalog with 40+ canonical codes; RunEventDoc type + isTerminalRunStatus helper; new typed exports added in 1.1.0: MemoryEntry, MemoryListOptions, AgentRef, AgentsCapability, AuthProfileClaim, AICredentialRef, McpToolCallNodeConfig, HttpRequestNodeConfig.
• openwop-client (Python, PyPI) — stdlib-only port preserving the same surface; HTTP_ERROR_CODES frozenset; matching wire types.
• github.com/openwop/openwop/sdk/go (Go modules) — same surface; HTTPErrorCodes slice; doc comments on every exported symbol; go vet clean.
• Rust SDK — foundation demand-gated; conformance suite is language-agnostic black-box, so future Rust client tests against the same wire contract.

Reference hosts

Four reference implementations live under examples/hosts/. Conformance evidence per host in INTEROP-MATRIX.md:

• In-memory (TypeScript, examples/hosts/in-memory/) — local-dev fastest-boot; no persistence; claims openwop-core + stream profiles.
• SQLite (TypeScript, examples/hosts/sqlite/) — single-machine durability; 669/731 (91.5%) conformance pass rate; claims audit-log-integrity + 4 interrupt profiles + auth-api-key-rotation + discovery-auth-scoped.
• Python in-memory (Python 3.11 stdlib-only, examples/hosts/python/) — cross-language portability proof; 700/788 (100% of applicable, ZERO failures) conformance pass rate.
• Postgres (TypeScript, examples/hosts/postgres/) — production durability path; first host claiming openwop-production; 730/799 (91.4%) conformance pass rate. Ships with BYOK + 4-mode AI policy + MCP client + HTTP client (SSRF-guarded) + MemoryAdapter + agents capability + API-key rotation + auth-scoped discovery + OAuth2-CC + OIDC user-bearer JWT validators (RS256 + ES256 with JWKS cache + alg: "none" rejection) + cap-breach enforcement + per-workflow configurableSchema validation + subworkflow outputMapping + parent linkage.

Conformance suite at 1.1.0

• @openwop/openwop-conformance — 103 scenario files under conformance/src/scenarios/. New since the 1.0.0 publish: production-profile (backpressure + retention-expiry), auth profiles (api-key-rotation + OAuth2-CC + OIDC + mTLS shape), audit-log integrity, BYOK roundtrip, MCP/A2A real-impl interop (verified against @modelcontextprotocol/server-everything + A2A 0.3 JSON-RPC reference), agent memory (roundtrip + cross-tenant + redaction + TTL), webhook signed delivery, stream-modes (buffer + mixed-mode), bulk-cancel, MCP-toolcall redaction, HTTP-client SSRF, WASM pack ABI-version-rejection + memory-cap positive-path, configurableSchema positive overlay, pause-resume race + drain semantics.
• Two execution modes: npm test (parallel files, ~95s) and npm run test:strict (--no-file-parallelism for production-backpressure + OTel envelope coverage).
• Behavior-gated: OPENWOP_REQUIRE_BEHAVIOR=true flips capability-gated scenarios from skip to fail when the host doesn't advertise the profile.

SECURITY invariants

• 68 invariants tracked (SECURITY/invariants.yaml):

- 35 protocol-tier (all with public conformance tests; CI-gated via scripts/check-security-invariants.sh). - 32 reference-impl tier (verified by each reference impl's own CI). - 1 advisory (defense-in-depth, no hard MUST).

• New protocol-tier invariants added between freeze and release: mcp-toolcall-payload-redaction, http-client-ssrf-guard, agent-memory-cti-1, agent-memory-sr-1-redaction, auth-key-rotation-no-canary-echo.
• Threat-model docs at SECURITY/threat-model-*.md (secret-leakage, prompt-injection, provider-policy, node-packs, auth-profiles).
• CNA registration + bug-bounty program annex at SECURITY/cna.md + SECURITY/bug-bounty.md.

Wire-shape stability

The wire contract remains frozen at v1 per COMPATIBILITY.md §2 — additive changes only inside v1.x, safety-fix only when correctness or CVE-class issues require it. Breaking changes wait for v2. This 1.1.0 release adds new optional capability surfaces; hosts that advertised the 1.0.0 capability set remain v1.x-compliant without change.

Domain and package naming

• Canonical domain: openwop.dev
• Registry: packs.openwop.dev (TLS cert provisioned; live)
• Package names: @openwop/openwop, @openwop/openwop-conformance, openwop-client, github.com/openwop/openwop/sdk/go — stable through any v1.x release per PUBLISHING.md.

Verification

npm run openwop:check — the 8-step pre-merge gate — passes for every commit on main:

1. TypeScript reference SDK builds + emits dist/ 2. Conformance suite typechecks + server-free scenarios pass 3. Python reference SDK syntax + import smoke clean 4. Go reference SDK go vet + tests clean 5. OpenAPI 3.1 redocly lint clean 6. AsyncAPI 3.1 asyncapi validate clean 7. Publish-metadata + npm-pack-contents + Python/Go release-surface clean 8. SECURITY invariants — every protocol-tier MUST-NOT has a public test

---

First publication of the openwop spec corpus to the package registries. Captures everything that was in scope at the v1 spec freeze (2026-05-08) plus three days of pre-publish hardening: SQLite host conformance fixes, registry TLS provisioning, audit-log integrity profile shipped end-to-end on SQLite, CI gate hardening (NPM_CACHE / GOCACHE cross-platform), recruitment artifacts for first non-steward host + pack-author.

Published artifacts

• npm: @openwop/openwop@1.0.0 (TypeScript SDK), @openwop/openwop-conformance@1.0.0 (conformance suite). Published 2026-05-11 05:06–05:09 UTC.
• PyPI: openwop-client@1.0.0 (Python SDK).
• Go modules: tagged sdk/go/v1.0.0 on origin.
• Tag: v1.0.0 on origin at commit 6a637f1.

Scope at 1.0.0

• Spec freeze content per [1.0] — 2026-05-08 entry below — 26 prose specs at FINAL v1; 17 first-class JSON Schemas; OpenAPI 3.1 + AsyncAPI 3.1; three reference SDKs (TS/Python/Go); conformance suite v1.0.0.
• Phase A conformance behavior closure — SQLite host pass rate 91.5% under OPENWOP_REQUIRE_BEHAVIOR=true.
• Phase B spec corpus completion — all DRAFT/STUB/OUTLINE tags retired; host-capabilities.md promoted; i18n.md + compliance.md annexes shipped.
• Phase C round 1 — three reference hosts (in-memory, sqlite, python) advertising their respective capability surfaces.
• Phase F — MCP + A2A probe extensions (synthetic fakes).
• Registry — packs.openwop.dev live with TLS; 3+ packs published with Ed25519 chains.
• CI — npm run openwop:check 8-step gate green.

Known gaps at 1.0.0 (closed in 1.1.0)

• Postgres reference host had not yet shipped the BYOK / MCP / HTTP / agent-memory / OAuth2-CC / OIDC / API-key-rotation / auth-scoped-discovery surfaces.
• 11 conformance scenarios were shape-graded (not behavior-graded).
• Phase F real-impl interop (against @modelcontextprotocol/server-everything + A2A 0.3 reference) was not yet wired.
• Phase H launch-blockers + Phase I enterprise-blockers from the 2026-05-12 architectural re-evaluation were not yet identified.

---

Protocol contract locked. The spec corpus, schemas, API definitions, reference SDKs, and conformance suite all reach 1.0 artifact versions. This date marks the freeze — no breaking wire-shape changes after this point inside v1.x.

The 4-day window between this freeze and the 2026-05-12 release closes every controllable gap from the deep-dive review and hardens reference hosts to production-runtime parity. See the [1.0.0] release entry above for the consolidated record.

What's locked at freeze

• Prose specs — 26 docs at Status: FINAL v1: auth.md, capabilities.md, channels-and-reducers.md, idempotency.md, interrupt.md, node-packs.md, observability.md, replay.md, rest-endpoints.md, run-options.md, stream-modes.md, version-negotiation.md, profiles.md, scale-profiles.md, debug-bundle.md, host-extensions.md, a2a-integration.md, mcp-integration.md, and the v1 profile/addendum docs.
• JSON Schemas — 17 first-class schemas including agent-ref, agent-manifest, memory-entry, memory-list-options, conversation-turn, conversation-event, and dispatch-config schemas.
• API definitions — OpenAPI 3.1 (api/openapi.yaml) + AsyncAPI 3.1 (api/asyncapi.yaml).
• Reference SDKs at 1.0 — @openwop/openwop (TypeScript), openwop-client (Python), openwopclient (Go).
• Conformance suite at 1.0 — @openwop/openwop-conformance.
• CI gating — scripts/openwop-check.sh + .github/workflows/openwop-spec.yml.
• Governance — CONTRIBUTING.md, GOVERNANCE.md, MAINTAINERS.md, COMPATIBILITY.md, SECURITY.md.

Multi-Agent Shift (Phases 1-6 landed by freeze)

• Phase 1 (RFC 0002) — Agent identity (AgentRef), agent reasoning + tool + handoff event family, confidence-escalation contract, message reducer.
• Phase 2 (RFC 0003) — Agent capability discovery on /.well-known/openwop + pack.json agents[] extension.
• Phase 3 (RFC 0004) — Agent memory layer — memoryRef resolution, redaction guarantees, host MemoryAdapter contract.
• Phase 4 (RFC 0005) — Conversation as run primitive — conversation.start / conversation.exchange / conversation.close.
• Phase 5 (RFC 0006) — Orchestrator-supervisor role — core.orchestrator.supervisor node type.
• Phase 6 (RFC 0007) — core.dispatch core node — conservative dynamic graph mutation.

Domain and package naming

• Canonical domain: openwop.dev
• Registry: packs.openwop.dev
• Package names: @openwop/openwop, @openwop/openwop-conformance, openwop-client, openwopclient