Roadmap

APS canonical-bytes path on src/core/bilateral-receipt.ts (canonicalize(body), sorted-keys JSON; RFC 8785 JCS for the v2/accountability bundle module) verifies 5/5 against desiorac's bilateral receipt fixture in corpollc/qntm v0.3.1. This is third-party byte-match independent of the Wave 1 cross-language scenarios published Apr 30 to May 02 (Python 2.4.0a1 ports across 27 fixture scenarios). Mirror offered into aeoess/aps-conformance-suite as a regression test ahead of desiorac's qntm v0.3.2 mid-May publish; desiorac is a substantive bilateral-receipt contributor distinct from the broader vessenes thread.

• qntm #15 byte-match reply
• APS bilateral-receipt module

Phase 4.1 of the SDK published to npm (agent-passport-system@2.6.0-alpha.2), PyPI (agent-passport-system==2.4.0a2), ClawHub (agent-passport skill 5.9.0), and the MCP server on npm (agent-passport-system-mcp@3.2.0). Three architecture decisions merged earlier in the day: Q1 (rail receipts as accountability evidence with claim_type, scope_of_claim, and timestamp fields), P12 (DID URI signing with rotation-aware verifier walking RotatableDIDDocument.verificationMethod and respecting retiredAt markers), Q2 (optional PaymentObligationRef and cross-receipt link fields for hybrid Option C settlement binding). Test count moved 2,711 to 2,884 across the three branches.

• SDK 2.6.0-alpha.2 on npm
• Python 2.4.0a2 on PyPI
• MCP 3.2.0 on npm

Python SDK 2.4.0a1 ports the full Wave 1 governance surface from TS SDK 2.6.0-alpha.0: v2/accountability/* (action, authority-boundary, bundle, custody, contestability), v2/cognitive_attestation/*, v2/instruction_provenance/*. Plus the four evidentiary type safety primitives (claim_evidence_types, claim_verifier, downstream_taint, minimal cascade ContestabilityReceipt) ported earlier in the day as 2.4.0a0. Cross-impl byte-parity verified across 27 test scenarios: 15 evidentiary type safety (9 verifier + 6 cascade) plus 12 Wave 1 (5 accountability fixtures shipped from TS SDK at src/v2/accountability/fixtures/*.fixture.json plus 7 generated for cognitive_attestation and instruction_provenance via tests/v2/fixtures/wave1/_generate.mjs pinned to agent-passport-system@2.6.0-alpha.0). Python canonical-JSON output and sha256 hashes match TS-generated fixtures byte-for-byte across all 27 scenarios. Test count 398 to 518.

• Python 2.4.0a1 on PyPI
• TS SDK on npm
• Wave 1 port commit

Four new v2 modules: claim_evidence_types registry with BATCH_ATTESTED and EVIDENCE_CUSTODY_HELD extensions (Module 1 + Module 1a), claim_verifier (Module 2), contestation cascade with verifier hook (Module 4). Plus path-scoped cycle detection and dedupe in mergeTaints (resolves cross-chain skip case caught in property test). Compliance-complete failure scenario added for EFFECT_SAFETY_ATTESTED. Postpublish wrapper fixed to surface real errors instead of masking them. Test count 2,545 to 2,586 across the day.

• npm
• release commit

Two cleanup PRs landed in the agent-governance-vocabulary repo. PR #74 removed RNWY from behavioral_trust and wallet_intelligence after verification couldn't confirm those signals are issued in production. PR #75 marked passport_grade with status: proposed (downgrade from canonical) because APS is currently the sole production issuer and the canonical-promotion rule requires two independent implementations. Single-source-of-truth discipline maintained. Vocabulary registry now reflects only verified production attributions.

• PR #74
• PR #75

Four-layer structural backstop against private-context drift into public repos. Layer 1: pre-commit hook scanning staged content against hard-block and soft-warn pattern lists. Layer 2: GitHub Actions workflow running the same pattern check on every push. Layer 3: standardized .gitignore block excluding categories that should never enter version control. Layer 4: final scan inside scripts/propagate.mjs runs the same check before any cross-surface update touches the file system. Installed across agent-passport-system, agent-passport-mcp, agent-passport-python, aeoess_web, agent-governance-vocabulary, aps-conformance-suite, agent-ecosystem-map, intent-network-api. Seventeen commits.

• CI workflow (SDK)
• propagate.mjs

Two improvements to scripts/validate-crosswalks.js. Improvement 1: walks descriptor_dimensions blocks nested under signal_types.<key> entries, catching stale dimension values inside per-signal-type descriptor overrides that the previous validator skipped. Improvement 2: legacy whitelist file at scripts/legacy-descriptor-overrides.yaml preserves three pre-#57-resolution descriptor uses (dcp-ai active today, jep and fidelity-spec latent until those maintainers reformat) without warning maintainers, with resolution_issue annotation. Validator state post-hardening: 5 errors, 11 warnings across 26 crosswalks. Regression-tested with nested-descriptor fixture using deprecated value (errors as expected, baseline restored).

• validator
• legacy overrides

VeritasActa Knowledge Unit bundle with sidecar-anchored APS DecisionLineageReceipt verifies end-to-end against a sidecar JWKS. Ten access receipts, all hash-matched across both layers (KU layer and APS layer); APS signature valid against sidecar JWKS kid:aps-ku-cross-verify-v1. Tamper-detection holds across both layers when individual receipts are altered. The integration demonstrates that APS DecisionLineageReceipts can ride alongside an external knowledge-attestation format without either layer needing to absorb the other; the sidecar JWKS pattern lets the consumer verify both layers independently and cross-check at action time.

• verify PR #7

Edison Munoz Duran's Agent-DID crosswalk lands as the second co-drafted-with-aeoess crosswalk in the vocabulary. The first was the original AAIF entity_continuity work; this is the second public collaboration where aeoess and a co-author share the spec branch. The A2A composition contract co-drafting now runs on a shared spec branch with Edison; APS pushed the canonical spec to edisonduran/agent-did spec/a2a-composition-contract branch (commit 3fc3838); Edison confirmed pull. The pattern: external project authors a crosswalk, aeoess merges, then both projects co-draft the next interop primitive on a shared branch. Ecosystem hospitality compounding.

• PR #66 (merged)
• shared spec branch

Wave 1 accountability surface added to SDK v2.5.0-alpha at src/v2/accountability/. Five signed receipt types: ActionReceipt (aps:action:v1), AuthorityBoundaryReceipt (aps:authority_boundary:v1), CustodyReceipt (aps:custody:v1, eight event types and seven purposes), ContestabilityReceipt (aps:contestability:v1, affected-party challenge with controller response), APSBundle (aps:bundle:v1, signed aggregation envelope with balanced Merkle commitment). All RFC 8785 JCS canonicalized, all Ed25519 signed, all content-addressed. Design principle: verbal confessions, not brain scans. Every receipt declares scope_of_claim with explicit does_not_assert; honest scope is mandatory and part of the cryptographic integrity surface. 57 new tests across six suites (action 8, authority-boundary 7, bundle 12, custody 15, contestability 10, fixtures 5). Full SDK suite 2,536/2,537 pass, 0 fail, 1 pre-existing skip. Cross-impl byte-match anchor: five deterministic JSON fixtures using fixed Ed25519 private keys and timestamp 2026-04-30T00:00:00.000Z. Ships toward EU AI Act Article 12/14, GDPR Article 22, FRE 902(13)/(14). MCP v3.1.1 picks up the dependency, Python v2.3.0 ships for parity, ClawHub skill v5.8.0 carries the new surface.

• PR #22 (squash-merged to main)
• SDK v2.5.0-alpha on npm
• module README
• Wave 1 spec

ORCID profile populated as Independent Researcher / Founder of APS. All 8 papers indexed via DOI lookup. Five featured: Agent Social Contract, Physics-Enforced Delegation, Cognitive Attestation, Monotonic Narrowing, Behavioral Derivation Rights. The Evidence-Safety Gap paper added on the same day as publication. Bio frames the protocol scope without the cross-disciplinary career narrative. Websites: APS, Personal, GitHub (APS), APS SDK on npm. Keywords mirror paper-level keywords scoped broader: AI agents, multi-agent governance, cryptographic identity, delegation, Ed25519, agent attestation, governance protocols, mechanistic interpretability, accountability, open protocols.

• ORCID

The Evidence-Safety Gap in Cryptographic Agent Governance: Compliance-Complete Failures and the Limits of Receipt-Based Accountability published on Zenodo (DOI 10.5281/zenodo.19914628). Defines compliance-complete failure as the simultaneous condition of procedural validity and unsafe effect. Names five omitted-variable classes (semantic, population, trust, pipeline, temporal state). Constructs explicit defeat traces against receipt-chain forensic signals in an open-source reference implementation. Two design implications follow: claim-scoped receipts and authorization-effect separation. Neither closes the gap; both make it visible and auditable. The minimal contribution is the formal separation of procedural validity from effect safety in receipt-based agent accountability — a vocabulary for the failure class the protocol's own success creates.

• Paper 8 on Zenodo

PDR validator for behavioral-fingerprint-drift detection. 309 LOC pure-Node, zero deps, 32-test suite, four reference fixture vectors. Complementary to continuity-analyzer's structural fixture, addressing the namespace decision settled on Day 67. Co-authorship with @nanookclaw declared on PR per their explicit Apr 26 11:47 concurrence on the original issue.

• PR #52 (merged)

lawcontinue's epoch added to validity_temporal enum: observer-relative ticks on substantive state transitions, distinct from sequence's event-relative counts. Issue #58 settled with @lawcontinue's endorsement after three-way independent convergence (lawcontinue, kenneives, srotzin) on Day 71. Vendor-neutrality fix applied during review (commit 9cf2a1db).

• PR #61 (merged)

governance_attestation.refusal_authority brought into formal enum compliance: structurally_impossible_to_violate → issuer. One-line correction; the original value wasn't enum-valid anyway. @lowkey-divine concurred on issue #57 before merge.

• PR #62 (merged)

kevinkaylie merged Step 2 of the four-signal compose test for Interop Week 1. AgentNexus governance attestation as the second link in the chain after AgentID's trust_verification (PR #38). JWS Ed25519 signatures verified end-to-end. prior_signal_digest matches Step 1's compound_digest byte-exact (621d40f1701521f9af084a08476a2deebd49f02ff0b9d7e7808b6a05c6fcad91). Squash-merged at 16:22:42Z. Step 3 (continuity-analyzer) and Step 4 (composition-behavioral-trust.json by nanookclaw, blocked on middle-issuer alternative) follow.

• PR #53 (merged)
• Interop Week 1 (#36)

lktron00 (Danilo Naranjo Emparanza, ORCID 0009-0003-7520-8527) merged the DCP-AI (Digital Citizenship Protocol for AI Agents) crosswalk. 570 lines. Composite Ed25519 + ML-DSA-65 (FIPS 204 level 3) signatures shipped from day one across four reference SDKs (TypeScript, Python, Go, Rust + WASM). Real production deps: @noble/post-quantum + tweetnacl in npm. 72KB interop test vectors, 11.8KB normative canonicalization profile (dcp-jcs-v1). Calibration discipline strong: passport_grade declared non_equivalent_similar_label with 'do not treat tiers as trust grades' note, 8 explicit no_mapping entries each naming the production issuer for the gap. Version-discrepancy disclosure (npm 2.1.1 vs PyPI/crates 2.8.1) honest and explained. Identity verified: dcp-ai.org, getocular.ai, ocularsolution.com all live, 6-year GitHub account. Cross-implementation round-trip is the bar before issuers_in_production addition; lktron00 committed to running it against APS, Nobulex, or SINT this week.

• PR #59 (merged)
• DCP-AI

Packaged corpus of byte-identical test vectors for Agent Passport System cross-implementation conformance. 37 fixture vectors across 4 categories: bilateral-delegation (10 vectors), inference-session (7 vectors), instruction-provenance (10 vectors), aivss-scenarios (10 vectors covering OWASP AIVSS §3.6.1 through §3.6.10). TS reference runner. .well-known endpoint mirror following the agentgraph.co/.well-known/cte-test-vectors.json pattern. All vectors deterministically reproducible from a fixed Ed25519 seed, JCS-canonicalized, signature-verified. Apache-2.0. Spec refs: 8 papers (Zenodo) + draft-pidlisnyi-aps-00.

• repo

GitHub Actions workflow installed on agent-passport-system, agent-passport-mcp, agent-governance-vocabulary. Pinned to AGT v3.3.0 (commit 15e001f9b53f). Profile + credential checks run on opened PRs and issues from external contributors. Cluster detection opt-in via workflow_dispatch (API-heavy). Risk threshold set to HIGH for the calibration window so only HIGH-risk events trigger public PR comment + label. Excluded actors: dependabot[bot], github-actions[bot], copilot-swe-agent[bot], aeoess. Validation runs: lawcontinue scored LOW (legit dev), mrperfectness-sketch scored MEDIUM (canary), aeoess scored HIGH (three signals fired: recent_repo_burst 41 repos in 90 days, cross_repo_spray 72 repos in 7 days, credential_laundering across 5 repos).

• workflow (agent-passport-system)
• AGT contributor-check (source)

Public Discussion opened in aeoess/agent-passport-system on substance evaluation as the layer above pattern detection. Endorses Imran's contributor-check tool, names that most active contributors in agent-governance today are human + AI systems (including aeoess), draws the substance-vs-pattern line. Names internal Model Citizen mode framing publicly. Includes the actual HIGH score and three signals fired against the aeoess account when run through contributor-check, framing the cross-repo activity as independent convergence rather than coordination. Companion comment on microsoft/agent-governance-toolkit#1473 linking back to the discussion.

• Discussion #20
• companion comment on #1473

in-toto Statement predicate binding agent authority-to-act: delegation chain root, principal signature, scope narrowing invariants, Values Floor attestation hash. Predicate type URI https://aeoess.com/attestation/governance/v0.1. JWS + Ed25519. Sibling to nobulex's Decision Receipt PR (in-toto/attestation#549). Composition: Decision Receipts reference GovernanceAttestation by digest in subject.digest.sha256, walking the chain proves both axes. 5 fixture vectors deterministically reproducible (minimal-tier-1-self-delegation, multi-hop-delegation-tier-2, expired-window, monotonic-narrowing-violated, chain-root-mismatch). 29 tests pass including a composition test that exercises the full round-trip with tampering detection. Public notice posted on in-toto/attestation#549 with @arian-gogani tagged for the Apr 30 cross-impl round-trip.

• repo
• in-toto #549 follow-up

lawcontinue shipped a seven-vector test pack for the CTEF inference-session category at fixtures/inference-session/. Each vector covers a different shape of session attribution: clean handoff, mid-inference rotation, distributed cross-node, sequence-bounded validity, parent-chain Merkle anchoring, replay defense, and a negative case where the session_id does not match the canonical JCS hash. Every signature is RFC 8785 JCS-canonicalized and Ed25519-signed. Two structural fixes flagged in review (a session_ids array shape mismatch and a missing parent_receipt_hash wiring on one vector); lawcontinue pushed corrections at commits 95c1ca9c and 73d52c08 in twenty-two minutes. Second time this week he has turned a structural review around inside half an hour. The inference-session pack composes with the existing rotation-attestation fixtures published Apr 24 at aeoess.com/fixtures/rotation-attestation/, giving the SDK two distinct CTEF v0.3.1 fixture surfaces (rotation events plus inference-session attribution). Both lock through the same RFC 8785 JCS canonicalization.

• PR #19 (merged)

piiiico's crosswalk/agentlair.yaml merged after one round of structural revision. First iteration mapped AgentLair's TrustProfile to peer_review as primary signal type. The full v0.2 review against piiiico's live envelope and the canonical vocab definitions found that primary mismatched: peer_review is task-completion attestation signed by a delegating agent after a service agent completes work; AgentLair's TrustProfile is aggregate behavioral scoring across events with no task binding. Fix was to promote behavioral_trust to primary with match: exact and demote peer_review to no_mapping with a note explaining the definitional gap. piiiico turned that around in fifteen hours. Same commit added AgentLair to behavioral_trust.issuers_in_production at vocabulary.yaml line ~340, which now lists three independent issuers (RNWY, Logpose, AgentLair) producing real signal data against the same canonical type. That is the production-signal evidence behavioral_trust needs to remain canonical with multi-issuer coverage. Direct commit 0653c1b added AgentLair to issuers_in_production list.

• PR #46 (merged)
• commit 0653c1b — issuers_in_production

madeinplutofabio's crosswalk/pic.yaml merged at midmorning PT, mapping the PIC Standard's verification-pattern primitive to the vocabulary's canonical signal types. The crosswalk models action-boundary verification as a parallel surface to visa-layer issuance rather than a sub-field beneath it: visa-layer primitives like APS, AgentNexus, and MolTrust handle issuance-side identity and delegation tokens carried by the agent; PIC handles receiver-side fail-closed verification at the action boundary, consuming trust roots that may include visa-layer issuers but owning the verdict primitive itself. Both compose; neither contains the other. The crosswalk landed describing PIC in PIC's own terms first, with the composition pattern documented in the notes block. PIC became the twenty-third crosswalk in the vocabulary registry. Resolution of the visa-vs-verification-gate taxonomy debate that had been open on aeoess/agent-governance-vocabulary#48 for two days.

• PR #49 (merged)

Second external contributor on the repo after EchoOfDawn's MoltBridge lane opening, and the first security-class PR. Previous _lookup_issuer_key implementation had a silent fallback: if the declared kid did not match any key in the issuer's JWKS, it would accept the first Ed25519 key in the keyset anyway, producing a silent binding failure rather than a rejection. This is precisely the class of implicit-trust hazard the composition-rule discipline in CTEF v0.3.1 §6.3 is designed to prevent. PR tightens to strict kid-match and raises UnknownKeyIdError on mismatch. 16/16 tests green post-merge. Good signal that kid/alg registry discipline (which we have been arguing for in the A2A Agent Cards and CTEF threads) is showing up as concrete patch-level work from independent contributors, not just spec-level advocacy.

• PR #1 (merged)

Wire-format substrate convergence across five live implementations on the discriminator key name. Naming collision was identified mid-thread on #1672: AgentID had been shipping claim_type on the live /verify endpoint; AgentGraph + APS rotation-attestation spec used claim_category. Same concept, same closed set values, different key name. kenne offered three resolution options and renamed AgentGraph claim_category → claim_type at commit agentgraph-co/agentgraph@69ad94d so all live implementations agree. AgentID's harold confirmed claim_type live with 32/32 endpoint tests pass and JCS canonicalizer byte-matching all 10 APS bilateral-delegation vectors. Nobulex (arian-gogani's @nobulex/crypto TS canonicalizer) byte-matching APS + AgentGraph fixtures. HiveTrust (srotzin) confirmed concur with the four-layer split + 'history-stability under rotation' framing on #1672, and posted the disjoint-namespace projection rule resolving the wire-collision concern: ctef.envelope.claim_type vs hivetrust.internal.claim_type sit at different envelope levels with explicit projection_rule mapping HiveTrust claim records onto ctef.envelope.claim_type='authority' when carried in a CTEF-composed envelope. Risk-tier bucketing under HiveTrust's claim_category stays HiveTrust-local until a future WG reservation. HiveTrust byte-match fixture committed pending claim_type.envelope composition-rule spec draft. Settlement-evidence-as-reputation-anchor (x402 receipt on Base 8453 → evidence_basis.evidence_type.payment_execution) lands on a v0.3.1-reserved field, with crewAI #4560 cited as cross-reference.

• #1672 thread
• #1786 proposal

Seven fixes applied from the Apr 24 audit report. Code side: engines.node >= 18.0.0 declared on six Node packages (agent-passport-mcp, aeoess-gateway, agent-passport-remote-mcp, mingle-mcp, intent-network-api, solana-agent-identity) to prevent silent Node-version drift on Railway and npm installers; LICENSE + NOTICE copied to agent-passport-remote-mcp root (files shipped through the npm dep tree already, but the repo itself should carry them for GitHub, SBOM, and glama audits); two SDK example files referencing v1-era APIs that changed in v2.0.0-beta.0 (examples/crewai-governance.ts invoking removed createCrewAIGovernance, examples/enforcement-demo.ts invoking createAgentContext that moved to the gateway surface) archived under _archive/examples-pre-v2/ with an explanatory README, so contributors following the docs no longer hit broken TypeScript imports; SDK dist/ refreshed against current src/. Spec side: audit prompt bumped from v2.1 to v2.3 with three corrections. v2.2 fixed A11 (remote-MCP build output moved from repo root to build/, check path updated), A13 (agent-governance-toolkit is a monorepo with no root package.json, step iterates packages/agent-*/ sub-trees), and added an explicit Python pip install -e exception to the read-only constraints block since pytest collection fails on ModuleNotFoundError without editable install. v2.3 replaced the C8 dist-staleness check which used find -newer against the dist/ directory's own mtime rather than the mtime of files inside it, producing a consistent false positive (audit reported 240 src files newer than dist/ even immediately after npm run build because directory mtime does not update on internal file rewrites). New check compares newest src/ file mtime against newest dist/ file mtime in Python. Next full audit now expected clean PASS. Completion report at specs/AUDIT-2026-04-24-FIXES.md.

• Completion report
• Audit spec v2.3

Five canonical DID-document rotation-attestation fixtures plus JSON Schema plus test-vectors manifest published at aeoess.com/fixtures/rotation-attestation/. Fixtures cover happy-path, cross-signed, migration-attested, happy-path-compound (cross-signed + migration-attested in one entry, realistic production case), and negative-no-attestation (rotationLog entry with empty rotationSignature, must trigger INVALID_CLAIM_SCOPE on a conformant verifier). Every signature and hash input is RFC 8785 JCS-canonicalized; attestor is a dedicated fixture-signing key separate from the gateway with pubkey at keys/attestor-v1.pub.json and seed documented so third parties reproduce the set byte-identical from a fresh clone. v1 narrows migration_type to key_class_upgrade only; v2 extends to did_method_migration. Closes the rotation-attestation fixtures commitment on the same day (Apr 23 PT commitment, Apr 24 PT delivery). AgentGraph landed test_aps_rotation_attestation_interop.py in main at commit 8baaad4 within hours of publication, live-fetching fixtures at test-collection time rather than pinning a repo-local snapshot, dual-locking each fixture against the published test-vectors.json canonical SHA-256 AND what their canonicalize_jcs_strict produces from the live body. All five fixtures reproduce byte-identical. Canonicalization loop closed: APS bilateral delegation, APS continuity rotation, and AgentGraph CTE vectors now pin the same canonicalization through JCS bytes rather than shared code — which is the actual interop test. Pattern will mirror into v0.2 capability-token fixtures once those publish.

• test-vectors manifest
• Spec
• A2A #1672 closure exchange

piiiico's agentlair.yaml lands as the canonical pre-delegation behavioral check issuer. Maps to peer_review as primary signal type (match: exact, production data exists — trust endpoints live, behavioral event ingestion live, three-dimensional scoring operational consistency/restraint/transparency, Bayesian with cold-start prior, non-null scores on non-test agents). Secondary mappings: behavioral_trust (exact), trust_verification (partial — AAT is session auth with identity component), governance_attestation (partial — hash-chained audit trail). Eight explicit no_mapping entries with technical rationale per CONTRIBUTING.md §3.6 Seven Deep-Review Dimensions. Four-temporal-layer sequencing (pre-delegation → at-delegation → at-execution → post-execution → feedback loop) documented inline in the peer_review notes block, NOT as a new top-level section — preserves PR #44 precedent that novel top-level blocks set permissive precedent for every later issuer. AgentLair added to behavioral_trust.issuers_in_production in follow-on commit 0653c1b. Five-check protocol applied (Identity / Format / Substance / Scope / Reversibility) with STEP 0 mandatory disk-read of CONTRIBUTING.md from filesystem before applying memory-cached protocol — the slot #29 swap codified earlier in the day.

• PR #46
• agentlair.yaml

ENFORCEMENT-TRUST-ANCHOR.md v1.2 replaces v1.1's five-bucket taxonomy with the BBIS classification grammar (closed, bounded, partial, detectable-only, theater) per Steven Kyle Hensley's OWASP#817 answer. The Class B framing is tightened so typed epistemic receipts are classified as honesty discipline, not admissibility upgrade. Construction is implementation detail; invariant survival is the claim. CAPABILITY-TOKEN-SPEC-DRAFT.md v0.2 renames M4 EffectReceipt to FRCBE (Final Refusal-Capable Boundary Event) per the qntm#7 naming coined by the same author. Post-effect forensic artifacts split into a new optional M5 ExecutionReceipt; most deployments omit M5. Three-way naming convergence lands within 18 hours: BBIS (framework), APS (protocol), AgentGraph (implementation committed to CTEF v0.3 accepting delegation_chain_root by end of week). Branch feat/v1.2-bbis-grammar awaiting review before merge to main.

• ENFORCEMENT-TRUST-ANCHOR.md v1.2
• CAPABILITY-TOKEN-SPEC-DRAFT.md v0.2
• qntm#7 FRCBE lock + AgentGraph deliverables
• OWASP#817 BBIS classification grammar adopted

AgentGraph pulled the four-row per-layer composition grammar (identity / transport / authority / continuity, each with its declared composition rule) from the A2A #1672 thread into CTEF v0.3.1 §6.3 verbatim as normative language. Identity composes by key binding, transport by identity-key binding, authority by monotonic narrowing with content-addressed delegation_chain_root, continuity by rotation-attestation chain. Two verifiers given the same inputs must arrive at the same composed result; layers that cannot declare a deterministic composition rule are underspecified. INVALID_COMPOSITION adopted as a distinct error code alongside INVALID_CLAIM_SCOPE — they share the ordering constraint (structural failure precedes semantic evaluation) but surface different divergence classes. APS commits to publish canonical rotation-attestation fixtures at aeoess.com/fixtures/rotation-attestation/ this week (four fixtures: happy-path, cross-signed, migration-attested, negative-no-attestation) with versioned schema and matching test-vectors.json; AgentGraph lands them under tests/fixtures/aps-rotation-attestation/ with a companion test_aps_rotation_attestation_interop.py locking byte-identical canonicalization. Concurrent spec PR plan: A2A Agent Cards PR citing CTEF v0.3.1 §6.3 for composition-rule table + error codes, v0.3.1 citing the Agent Cards PR for the four-layer split + claim_type discriminator. Both held pending @haroldmalikfrimpong-ops signal on WG direction.

• A2A #1672 thread

A community-maintained directory of the agent infrastructure field, built on live GitHub data. 18 projects enriched from projects/*.yaml + GitHub repo metadata (stars, license, created, last push). 115 people (filtered from 130 raw) pulled from the contribution map and enriched with GitHub user metadata (account age, bio, company, followers). 93 governance threads enriched with state, comments, participants. Three sortable, filterable tables replace the earlier force-directed graph, which was pretty but buried its data in tooltips. Account ages visible as pills (amber under 60 days, green 60-365 days, plain after), so a 3-week-old promotional account is instantly distinguishable from a 10-year veteran at a glance. Explicitly not a ranking, not a coalition, not a property of APS: the README invites co-maintainers from other projects in the directory and commits to neutral stewardship once anyone wants to co-steward. Code MIT, data CC-BY-4.0.

• Live directory
• Source + contribute

Rewrote the CMD-SET-2 pre-publish audit from v1's 12 steps (SDK + MCP focused) to 42 steps across three tiers covering the full shipped codebase surface. Tier A Code Integrity runs test suites, typecheck, lint, build artifacts across SDK, MCP, Python SDK, Remote MCP, Gateway, Agent Governance Toolkit (405 tests), autogen-governance-adapter, vocab validator, intent-network-api, hermes-aps-delegation, hermes-decision-receipts, a2a-compliance-harness, solana-agent-identity, mingle-mcp, plus the SDK examples/ adapter apps and aeoess_web operational scripts. Tier B Supply Chain runs npm audit and pip-audit across every repo, secret scan with fixture/test exclusions, .npmignore and MANIFEST.in hygiene, LICENSE and NOTICE presence, CI workflow YAML validity and floating-action-ref detection, Dockerfile and Railway config pinning, Node engines field presence, package-lock presence. Tier C Runtime checks cross-repo version alignment across SDK/MCP/Python/Remote-MCP, npm and PyPI registry drift, live endpoint health, Gateway JWKS parity against source, committed fixture URLs reachable, PM2 RSS memory leak detection with proper PM2-presence detection, git status across 20 repos with expected-branch check, build artifact freshness, stale artifact hunt, canonical number consistency including paper count, downstream licensee sentinel, large binary accidental-commit hunt. Self-check found 17 gaps in the initial v2 which v2.1 closes. Read-only throughout; explicit do-not-install / do-not-restart / do-not-commit-outside-aeoess_web constraints. Paste-ready for CC in one message.

• Audit v2.1 prompt

Added §3.6 Seven Deep-Review Dimensions to the internal PR merge protocol, codifying what Phase 1 (Adversarial First) and Phase 4 (Invariant Cross-Check) must catch beyond the surface checklist. Seven dimensions: Ecosystem Precedent (novel structure sets permissive template), Semantic-Primitive Mismatch (match: exact vs vocab definition), Cross-Signal Field Overlap (composition hazard for consumers), Endpoint Content Depth (HTTP 200 is not production data), Cryptographic Coherence (alg/curve/proof-type/chain pairing), Ownership &amp; Coordination (concurrence on THIS PR not related issues), Related-Issue Dependency (PR jumping ahead of open debate). Distributed across Phase 1 and Phase 4 — not new phases, named patterns the existing phases must catch. Extracted from PR #43 nutstrut measurement_point and PR #44 alex-pathcourse Pathcourse Health reviews where validator-clean PRs still carried substantive issues only visible under cross-touchpoint analysis. CONTRIBUTING.md on agent-governance-vocabulary expanded from 5 one-line review questions to explicit sub-bullets under Substance and Scope so contributors can self-calibrate before submission. First PR through the public criteria (#44) merged clean after three iterations.

• CONTRIBUTING.md
• PR #44 Pathcourse Health (merged)

examples/cognitive-attestation-governed/ merged into microsoft/agent-governance-toolkit at 19:41 UTC. 443 lines, two files, zero APS SDK dep. Third merged aeoess PR in the repo after PR #274 (Mar 16, reputation-gated authority proposal) and PR #598 (Apr 6, APS-AgentMesh adapter), and the first community-example-style contribution. Layering signed interpretability envelope on top of AGT's policy decision: AGT decides whether an action is permitted, the Cognitive Attestation envelope signs a sparse-autoencoder decomposition of the model state that drove the decision, downstream auditors can inspect what the reasoning substrate looked like when the action fired rather than just whether the policy rule matched. Follows the pattern set by examples/signet-attestation/ (willamhou's Signet example merged last week). Lands cleanly against the community-extension boundary formalized by ADR 0006 two days ago: policy evaluation stays in AGT core, proofs about the reasoning that produced the decision live as extensions that plug into the decision boundary without changing AGT's interface.

• PR #1328 (merged)

New public MIT repo standing up the composition glue for autogen's before_tool_call hook. Single governedToolCall() entry point, three ordered checks (identity via APS passport, authorization via delegation scope with monotonic narrowing invariant, optional trust provider), provider-agnostic TrustProvider Protocol that MoltBridge and MolTrust both implement on the same interface. 12 tests passing (target was 9+), CI green across Python 3.10/3.11/3.12 on first push at commit 8e1c88d. EchoOfDawn at SageMind AI invited as co-maintainer with write access (invitation 315925480 pending acceptance). providers/moltbridge/ reserved as Dawn's lane for MoltBridgeTrustProvider PR, providers/moltrust/ open for MolTrust implementation. Substrate requirements ride inside delegation scope per scope-bound design, no parallel capability-tier gate. Standalone dep footprint. Adapter does not import agent-passport-system SDK.

• Repo
• Origin thread autogen#7525

schchit (JEP author) opened PR #8 at agentid-aps-interop extending the composed/v1 envelope we shipped yesterday with JEP as a fourth signal in the decision_event CTEF category. JEP receipt flows into slots.jep verbatim without reshape. verify.py recognizes version: jep-v1 and handles judgment events per their native semantics (gate composition skips them rather than mistreating a judgment record as pass/fail). Pattern validated: composed/v1 host stays generic, new signals register by adding CTEF category + slots.<issuer> key + native version string. Harold merged PR #7 at 09:44 UTC, schchit opened PR #8 seven hours later, first third-party extension of the composed/v1 pattern. AgentID + APS + AgentGraph + JEP now composable under one shared subject DID.

Depends on: d65-agentid-aps-interop-5-kenne

• PR #8 JEP fixtures

Closed the protocol-level asymmetry where agents authenticated to systems but systems did not authenticate to agents. Downgrade-proof four-step handshake (hello + attest each way), local trust-anchor bundle with binding constraints and revocation, replay defence via nonces + signed timestamps + max_clock_skew_ms, downgrade defence baked into the attest signature covering chosen_version + both nonces + peer certificate, adapters for A2A and MCP. 29 new tests, 2395 total, 146 MCP tools. Explicitly does NOT ship federation, gossip, consensus revocation, cross-signing, hosted CA, or legal-entity model. Mutual auth stands on its own as a primitive; a future federation layer composes on top without changing it. Module lives at src/v2/mutual-auth/ with standalone README.

• Module README
• npm v2.2.0

First three-issuer composed envelope in the interop repo, shipped end-to-end in seven hours after slot shapes landed. PR#7 adds: (a) three APS v1 structural fixtures at fixtures/aps/v1/ (happy-path, revoked-delegation, scope-widening-attempt), (b) three composed envelopes at composed/v1/agent_interop_test_001/ stitching AgentID + APS + AgentGraph slots under shared subject DID, (c) issuer-neutral Python verify.py (jcs dep only, no APS SDK), (d) additive schema amendment 1.1.0 to 1.2.0, (e) composed/v1/README.md documenting composition contract and two-level version discipline. 51 of 51 checks pass at exit zero. Kenne ran verify.py on his machine and posted LGTM from the AgentGraph seat. Waiting on Harold merge.

Depends on: d65-harold-signing-alignment

• Issue #5
• APS coordination reply

Harold (haroldmalikfrimpong-ops) merged PR#38 (Interop Week 1 Step 1) and then, at 08:40 UTC Day 65, came back with a voluntary alignment: AgentID's production signer switched from signing UTF-8 hex strings to signing raw 32-byte digest bytes (the option (b) from our 5-check review, the convention APS/SINT/MolTrust already use). Follow-up PR will replace the one signature field on the already-merged fixture to match the new signer. Five production issuers now converge on one signing convention: the Week 1 bundle README convention table becomes a single sentence rather than per-issuer footnotes. Materially important for cross-issuer harness verification under OWASP / IETF reviewer gaze. Acked via https://github.com/aeoess/agent-governance-vocabulary/pull/38#issuecomment-4289797509.

Depends on: harold-canonical-repo

• vocab PR#38

Delivered the three-step schema package (JSON Schema draft-2020-12 facet + two worked examples + README with design decisions) committed on Apr 20. Five load-bearing design decisions captured: RunFacet not DatasetFacet (agent + covenant are run-scoped), digest required with resolver optional (tamper-evidence without forcing public URLs), type is open enum with governance_attestation as vendor-agnostic default, covenantInEffect.additionalProperties: true scoped to sub-object for vendor extensions, digestAlgorithm defaults to sha-256 with explicit override. Both examples (Nobulex nobulex_covenant + APS governance_attestation) validate cleanly against the schema. Two asks back to @arian-gogani: (1) review Nobulex example shape since we don't have the live receipt structure, (2) confirm covenant-hash mapping still matches v0.2 CTEF governance_attestation digest shape. Next step: upstream PR to OpenLineage/OpenLineage spec repo once arian signs off. Caught and fixed an honesty drift in the draft (speculation that arian had mentioned covenant graphs, which he hadn't) before posting.

Depends on: openlineage-4409-facet-schema

• Schema delivery comment

Day 64 (Apr 20): boundary held on §3.3 naming when a proposal came in to co-list APS APS and AiEGIS APS as one citation. Accepted on technical content (evidence sequencing, measurement method); declined on naming — paste-ready §3.3 text names only APS APS as shipped reference, with AiEGIS APS re-evaluated at v1.0. Day 65 (Apr 21): VeloGerber accepted the naming position (22:51 Apr 20) and asked scope-clarification: does independent Python reimpl (a) or SDK-consumption (b) qualify as §3.3 production conformance evidence for AiEGIS v1.0. Answered: (a) earns a separate conformance row, (b) is a deployment pattern; v0.9 cites APS APS, v1.0 re-evaluates once (a) lands. Concrete offer: ship interop fixtures as standalone aps-conformance-suite repo so the bar is legible.

Depends on: d64-owasp-aars32-boundary

• AARS#32

Numbers-only minor bump on the agent-passport ClawHub skill. Description, SKILL.md line 3, and SKILL.md line 181/184 all synced to the current surface: 124 modules, 2,366 tests, 142 MCP tools. _meta.json description rewritten to match. v5.4.0 already existed on ClawHub from an earlier auto-publish cycle; bumped straight to v5.5.0 to reflect on-disk state. Commits 00b40fd + 6e43f99.

Depends on: d64-v210-cognitive-attestation

Context: the structured ecosystem map from Day 61 rebuilt Sunday night, today's response queue visible at session start. Posts in two batches. Tier 1 (7): AAIF cover-email gist for Illia on sint#130, pshkv crosswalk ack on vocab#8, governance-declaration proposal for tomjwxf on ossf/security-insights#171, APS+SINT composition MVP for EchoOfDawn on autogen#7525, SDK#16 MIGRATION.md field-diff patch + v2.1.0 ship follow-up to MoltyCel, vocab#38 five-check protocol review for Harold's AgentID fixture (JWKS live, Solana tx verified, signing-input UTF-8-hex vs bytes ambiguity flagged), vocab#34 context_dimensions PR flipped ready-for-review. Tier 2 (4): autogen#7528 three-layer APS+SINT+OPA composition mapped onto ConversableAgent lifecycle, A2A#1716 Enclave+SINT+MolTrust converged-architecture ack with sub_delegate for 1→3 hop + AND-composition for MolTrust-score + APS-grade gate, VoltAgent#1166 full TS GuardrailDecision interface reference implementation (Alvasilev12/MEEET canary correctly ignored), llama_index#21312 dispute-primitives reference from v2.1.0. insumer-examples#1 skipped, zero activity since our Apr 17 scope ack.

Depends on: d61-ecosystem-engagement

VeloGerber (AiEGIS) proposed co-listing 'APS APS' and 'AiEGIS APS' as two entries in the permanent v0.9 §3.3 standards citation. Technical content of the proposal accepted on its merits (evidence sequencing, measurement methodology). Naming framing declined firmly in writing with paste-ready §3.3 text naming only APS. Apr 21 calendar typo in the proposal also flagged. Posted at github.com/OWASP/www-project-artificial-intelligence-vulnerability-scoring-system/issues/32#issuecomment-4284723330. Not every be-nice reflex is the right one.

• OWASP AARS#32

Stability window closed clean. SDK v2.0.0 and MCP v3.0.0 flipped from @next to @latest. PyPI 2.0.0 final replaces the 2.0.0b0 pre-release. v1.46.0 and MCP v2.27.0 moved to the legacy-v1 tag, six months guaranteed availability. Propagation sweep also caught a Python __init__.py __version__ drift carrying "0.15.0" from the beta period, if a caller imported agent_passport.__version__ at runtime, they would have seen 0.15.0 while pyproject.toml and the wheel said 2.0.0b0. Fixed to 2.0.0 during the promotion sweep.

Depends on: v2-promotion-decision

• SDK v2.0.0 @latest
• Blog

Two primitives shipped on @latest same day as the v2 promotion. Cognitive Attestation envelope: TypeScript port of the normative JSON schema from Paper 7 (Zenodo 10.5281/zenodo.19646276), module at src/v2/cognitive-attestation/ with types, envelope, verify, disputes, index, README. Stage 1 cryptographic verification with required_signer_roles coverage fully implemented; Stage 2 registry interface, Stage 3 replay typed stub with clear TODO. Typed dispute primitives ship the vocabulary of disputes without baking resolution logic into the protocol (resolution layer lives in the consumer). 35 new tests (envelope 17, verify 12, adversarial 6), zero new npm deps, reused internal canonicalizeJCS + crypto/keys. Second primitive: verifyBoundWallet object-form overload, closing the SDK#16 UX asymmetry MoltyCel flagged. Commits ceb1cd1 (wallet-binding) + 8c9cc14 (cognitive-attestation) on @latest. Test count 2,325 → 2,366.

Depends on: d64-v2-promoted-latest

• Paper 7 on Zenodo
• SDK v2.1.0

AgentID trust_verification fixture merged via PR#38 (Harold). First of five Week 1 slots filled. Production JWKS and Solana devnet anchor both verified live during 5-check. Status ack posted to vocab#36 with running fixture table; Step 4 (peer_review task_completion) re-pinged to @QueBallSharken / Logpose after @rnwy's graceful decline to pad bundle with reviewer_credibility into a task_completion shape.

Depends on: d63-interop-week-1-opened

PR #34 merged Day 65 (commit 6a24b73f) adding context_dimensions as third top-level structural section in vocabulary.yaml. Four Day-1 entries with non_signal_test discipline: counterparty_standing, request_origin, session_dynamics, physical_environment_state. Incorporated @pshkv review (resolution_source marked recommended-not-required in v0.1, physical_environment_state per-evaluation variance documented, 4-value enum as v0.2 fallback). @tomjwxf's 5-value enum preserved per his Day 63 sign-off. Self 5-check protocol run publicly before merge (transparency move on our own repo). Closes #26.

Depends on: d61-aeoess-aps-crosswalk

• vocab PR#34

Stability-window Sunday. Exactly one partner compat test ran through agent-passport-system@2.0.0-beta.0 and MCP v3.0.0, MoltyCel on Solana wallet binding with a fresh Ed25519 keypair, bs58 signature, full bindWallet → verifyBoundWallet round-trip. Two findings surfaced: MIGRATION.md did not call out the wallet_ref field-level v1-to-v2 shape change explicitly enough, and verifyBoundWallet accepted only positional args while bindWallet accepted an object form. Shape-diff clarification landed same day as commit 0a3edeb. UX overload queued for v2.1.0. Nothing else broke; promotion path stayed on for Monday.

Depends on: d61-v2-architecture-separation

• SDK#16 compat test

Commitment to @arian-gogani on OpenLineage/OpenLineage#4409 after his 8-minute endorsement of the vendor-agnostic digest abstraction. Three-step plan delivered Day 65 (Apr 21): minimal JSON Schema shape, open type enum, two worked examples (Nobulex bilateral-receipt + APS gateway trust profile), all three files valid JSON and both examples validate cleanly against the schema. Posted on the thread for arian review before any upstream OpenLineage PR. Positions APS's governance_attestation canonical as a referenceable issuer type in OpenLineage's covenantInEffect facet, multi-day audit exchange compresses to single verification step. Committed inside the week window as promised on Apr 20. Waiting on arian sign-off before the upstream PR to OpenLineage/OpenLineage.

Depends on: d61-aeoess-aps-crosswalk

• Schema delivery comment
• Schema + examples

New repo at github.com/aeoess/adk-aps-integration spun up Day 62 in response to google/adk-python#5164. Joint ownership with @tomjwxf (ScopeBlind). LICENSE carries both names (Copyright 2026 Tymofii Pidlisnyi, Thomas Farley). Structure: main branch (README pointer) + integration-skeleton branch with aps_delegation.py, receipt_signing.py, verify.sh, examples/basic-tool-call. CI matrix across Python 3.10/3.11/3.12 against both @next and @latest APS SDK plus @veritasacta/verify@0.3.0. Receipt format shipped as audit-bundle shape (matches verifier's actual contract, not per-call receipts). Six jobs green after CI fix (commit 7f7bae68). tomjwxf collaborator invite pending acceptance.

Depends on: d61-v2-architecture-separation

• adk-aps-integration
• adk-python#5164

Two ecosystem threads got substantive engagement, neither inserting APS into the conversation. x402#1904: MnemoPay (Jerry) shipped x402-compatible paywalls plus a financial-brain MCP. Reply was a three-point read on what they shipped (wallet-decision layer is new terrain, receipts plus MCP tool outputs are compatible with APS signing for downstream composition, composition hook via delegation-reference in X-Agent-Identity would make APS passports attachable to x402 requests without modifying x402). ATF#8: desiorac proposed the ArkForge three-plane decomposition (delegation, decision, execution). Reply was a +1 proposing a Notes-column cross-reference so the composition is visible in their ECOSYSTEM table without inference, linked in-toto#549 as the chain-linkable primitive. Both threads pushed forward the conversation on the partner's terms. Several unrelated canary threads correctly skipped (handles not named here for operational hygiene).

Depends on: d61-v2-architecture-separation

• x402#1904 reply
• ATF#8 reply

Two external vocabulary crosswalks merged same day. SINT refresh (PR #30, Illia Pashkov) normalized match semantics to the canonical enum (exact|partial|no_mapping), added a peer_review no_mapping row, updated home to docs.sint.gg, recorded entity_continuity and consent_provenance alignment notes. RNWY a2a.yaml (PR #32) maps A2A Agent Card governance metadata (peer_review, behavioral_trust, wallet_intelligence) against did:web:rnwy.com with a live JWKS serving rnwy-trust-v1, rnwy-trust-v2, rnwy-wallet-v1. Both PRs submitted clean, validator passed, scope was tight. Registry is now at 14 external partner crosswalks plus aeoess-aps (shipped Day 61). Validator chore f092f0e also landed same day, renaming note to notes for schema consistency.

Depends on: d58-vocab-momentum

• PR #30 SINT refresh
• PR #32 RNWY a2a

New repo at github.com/aeoess/hermes-aps-delegation spun up Day 62 in response to NousResearch/hermes-agent#11692. Single-repo scope (original prompt asked for three; scope correction held). Structure: src/, tests/, charter/, examples/, pyproject.toml, LICENSE, .gitignore. 12 pytest cases + ruff + 3 example smoke runs + charter validator, all green on Python 3.10/3.11/3.12. v0.1.0 release tracking at aeoess/hermes-aps-delegation#1 (end-of-April milestone). Hermes-specific hook points stubbed with offer to wire real interfaces if NousResearch shares their non-public integration surface.

Depends on: d61-v2-architecture-separation

• hermes-aps-delegation

Two interop harnesses landed in the SDK. AgentNexus Track A fixtures (kevinkaylie, PR #17) replay end-to-end: JCS re-canonicalization, Ed25519 signature verification, delegation chain walk, monotonic narrowing check at each hop. Both fixtures match expected, happy-path accepts, scope-expansion denies at the subset gate, zero canonicalization drift. VeritasActa KU signer (tomjwxf, VeritasActa/verify#2, test vectors PR#6) slots APS into their external_receipts.aps bundle field with JCS-canonical sha256 over each knowledge unit receipt, records the chain in contributingSources, signs with deterministic test key. Cross-layer integrity is observable either direction: tampering any KU byte invalidates the recorded accessReceiptId while the APS signature stays cryptographically valid. Neither interop required a protocol change. APS slots in as specified.

Depends on: d61-v2-architecture-separation

• PR #17 AgentNexus fixtures
• Blog

Jerry Omiagbo (MnemoPay) pinged aeoess directly on x402#1904, crediting the receipt-as-verifiable-economic-memory framing from Apr 2 (Day 44) with driving his last three MnemoPay releases. MnemoPay SDK @mnemopay/sdk v1.3.1 shipped Apr 17 with mnemopay.com live — receipt-as-primary-object, 3-verdict lifecycle (permit_settled/permit_failed/deny), per-agent Merkle log. First concrete case of another company building on a framing we published without us writing a line of their code. Replied with three substantive acks + composition hook for delegation-reference in X-Agent-Identity.

Depends on: d49-twelve-primitives

• x402#1904 reply

Paper 7 published on Zenodo (DOI 10.5281/zenodo.19646276). Introduces the Cognitive Attestation envelope: a cryptographic commitment attached to an agent's action record declaring which sparse-autoencoder features engaged and at what intensity during the output. Three-stage verification model — Stage 1 cryptographic verification (required_signer_roles coverage), Stage 2 registry interface, Stage 3 replay. Accompanied by a normative JSON schema (papers/paper-4/poc/schema/cognitive_attestation.schema.json) and a Python reference envelope validated against Llama-3.1-8B via Neuronpedia. Ported to TypeScript as SDK v2.1.0 on Day 64.

Depends on: d57-paper-published

• Paper 7 on Zenodo

Two fixture PRs shipped upstream to ScopeBlind/agent-governance-testvectors. PR #2: A2A#1742 Week 2 APS fixtures in a2a-trust-header/ — 6 JSON fixtures (happy-path, scope-expansion, revocation, multi-hop, tampered, partial-chain) + deterministic generator + verify script + README, all Ed25519/JCS-canonical, 6/6 round-trip pass. PR #3: OWASP#802 gateway enforcement vectors — 4 vectors (fail-closed, external-verification, state-drift, portability), 34 files, every signed artifact verified before commit. Both PRs mergeable, tagged MoltyCel + tomjwxf.

Depends on: d62-interop-verification

First time we published our own crosswalk in the registry we host. Closes a dogfooding gap: twelve external partners had contributed their crosswalks (InsumerAPI, SINT, AgentNexus, Veritas Acta, Logpose, RNWY, SoulboundRobots, Nobulex, SAR, JEP, asqav, SATP), we had not. crosswalk/aeoess-aps.yaml covers 3 exact-match signal types (passport_grade, trust_verification, governance_attestation), 2 partial (behavioral_trust, entity_continuity), 7 honest no_mapping entries, 4 decision_trajectory mappings, 1 constraint mapping, and out_of_vocabulary_primitives section for runtime enforcement mechanics. vocabulary.yaml updated: APS added to governance_attestation.issuers_in_production as 4th production issuer via Build D2 JWS trust profile endpoint.

Depends on: d58-vocab-momentum, d59-build-d2-jws-signing

• aeoess-aps.yaml

Posted primary release announcement at aeoess/agent-passport-system#16 as canonical reference link. Four cross-references to targeted threads (aeoess#2 closing SDK-publish issue, haroldmalikfrimpong-ops/agentid-aps-interop for Harold's interop fixtures, aeoess#12 for Nanook §8 coordination, openclaw#49971 for MoltyCel wallet binding). Seven substantive replies to active partners: A2A#1742+1755 (MoltyCel coordination plan + DID resolution), VeritasActa/verify#3 (tomjwxf ecosystem tracker), microsoft/agent-governance-toolkit#787 (pshkv + tomjwxf wine-shipment three-way composition, committed to ship aps_delegation_wrapper.py PR), google/adk-python#5164 (tomjwxf co-maintain acceptance for agent-governance-stack-example repo), aeoess/agent-governance-vocabulary#12 (nutstrut failure_codes draft feedback), langchain-ai/langchain#35691 (vdineshk Observatory composition observation). 3 new deliverables tracked for the Apr 21-24 window.

Depends on: d61-v2-architecture-separation

• Release announcement #16

Monolithic SDK split along the protocol-vs-product axis. Public SDK keeps crypto, types, scope logic, adapters, conformance suite, interop vectors, and the 8 core primitives (byte-identical to v1.46.0). Private gateway package takes ProxyGateway, DataEnforcementGate, ContributionLedger, SettlementGenerator, IntentNetwork, DelegationStore, ReceiptLedger, 18 behavioral-analytics modules, EscalationWorkflow, SemanticDriftTracker, AnomalyDetection, MigrationWorkflow, AttestationLedger, and runtime state management. ~647 tests moved with them. Partners on any v1 pin unaffected: v1.46.0 stays on npm @latest through stability window. Unlocks foundation submission (AAIF target) and protects the pixel attribution moat. SDK v2.0.0-beta.0 on @next (2,325 tests, 130+ modules), MCP v3.0.0 on @next (142 tools, down from 154 after removing 12 product-only tools and stubbing 10 gateway-moved tools), Python v2.0.0b0 on PyPI as PEP 440 pre-release, Gateway repinned to ^2.0.0-beta.0 and Railway-redeployed zero-downtime. Three-layer safety net: anchor tags in every repo, local snapshot kit, private archive repo (aeoess/v2-swap-archive-2026-04-17).

Depends on: d59-build-a-shipped

• SDK @next v2.0.0
• MCP @next v3.0.0
• PyPI v2.0.0b0
• Release notes
• Blog

48-to-72-hour stability window closed clean. v2.0.0 promoted to npm @latest across SDK and MCP v3.0.0. PyPI 2.0.0 final shipped (non-pre-release, replacing 2.0.0b0). v1.46.0 and MCP v2.27.0 parked on legacy-v1 tag for six months, installable indefinitely. Four external partner integrations landed against v2 during the window (AgentNexus Track A, VeritasActa KU signer, SINT refresh, RNWY a2a.yaml) — all ran through v2 transparently. One partner compat test surfaced two shape/UX findings (MoltyCel, SDK#16), both fixed within the window. Python __init__.py __version__ drift also caught and corrected during promotion sweep.

Depends on: d61-v2-architecture-separation

Per-period signed settlement records aggregating Attribution Primitives across D/P/G/C axes. Four Merkle-committed axis roots. Contributor query endpoint verifying end-to-end without trusting the gateway beyond its JWKS. Economic half stays gateway-private; evidence half ships in the SDK. 5 cross-language fixtures, byte-identical across runs. Shipped SDK v1.46.0, MCP v2.27.0 (3 new settlement tools), Python v0.15.0.

Depends on: build-b-fractional-weights

Role-based fractional weight formulas for D and C axes. Merkle tree composition. Sum-to-one property tests. Shipped SDK v1.45.0.

Depends on: build-a-attribution-primitive

One signed Merkle envelope replaces four separate attribution receipt types. D (data), P (protocol), G (governance), C (compute). Each axis projection verifies independently; two projections of the same receipt cross-verify by shared action_ref + merkle_root + signature. 6 new SDK exports, 6 new MCP tools, 1:1 Python port with cross-language sig verification. SDK v1.44.0 (2,910 tests), MCP v2.25.0 (149 tools), Python v0.13.0. Unblocks Builds B and C.

Depends on: build-a-attribution-primitive

• SDK v1.44.0
• Blog

Gateway /api/v1/public/trust/:agentId now attaches compact Ed25519 JWS to successful responses via three headers: X-APS-JWS, X-APS-JWS-KID: gateway-v1, X-APS-JWS-JWKS pointing at the public JWKS. Body unchanged — non-breaking for existing consumers. Cross-engine verifiable with jose: kid matches, alg is EdDSA, signature checks out against the public key. Closes the gap between 'the gateway told me X' and 'I can prove the gateway told me X.'

• Gateway JWKS

Three-agent coordination path (primary operator + reviewer agent + comms relay) retired. Reviewer agent workflows archived under archive-portal-era/ with ARCHIVE-README.md, nightly cron deleted, GitHub posting flows through a single path. Historical records (roadmap, blog, ops log) preserved as-is. Fewer moving parts.

Self-opened issue auditing peer_review canonical promotion (Logpose task-completion vs RNWY reviewer-credibility — different primitives under one name). Proposed Path A: narrow peer_review to task-completion (Logpose), introduce reviewer_credibility as proposed with RNWY as sole implementer. Closed 2026-04-17 via PR#31 merge (rkaushik29 peer_review scope note).

Depends on: d58-vocab-momentum

• Issue #29

SDK v1.43.0 adds Solana to the wallet_ref chain enum with base58 validation. Paired gateway fix: chain-aware normalization replaces blanket lowercasing of the wallet payload so base58 addresses round-trip correctly. Bug was silent data corruption — every receipt that passed through would have signed over the wrong address. End-to-end wallet binding now spans Ethereum, Bitcoin, Solana. 2,848 tests. Closes openclaw #49971.

Depends on: d57-boundary-primitives

• SDK v1.43.0
• openclaw #49971

Four PRs merged Apr 15: asqav crosswalk (jagmarques, ML-DSA-65 server-side, first lattice-based contributor), JEP (schchit, IETF I-D pending, JCS+Ed25519), insumerapi license-endpoint fix (douglasborthwick-crypto), validator cleanup + format normalization. peer_review promoted to canonical status after Logpose (rkaushik29) and RNWY (rnwy) landed as two independent implementations — first post-launch canonical promotion under the CONTRIBUTING.md two-implementation threshold. 14+ contributors, 11 PRs merged in 6 days.

Depends on: vocab-contributing-lands

• agent-governance-vocabulary

rnwy opened PR#28 adding SBR crosswalk for entity_continuity. Merged 2026-04-17.

Depends on: d58-vocab-momentum

• PR #28

Three v2 constitutional modules address distinct failure modes that surfaced in production. AttributionConsent prevents citing third-party principals in binding artifacts without dual signature — representation boundary. ProvisionalStatement + PromotionEvent defaults agent-to-agent statements to provisional, requires explicit PromotionEvent for binding — commitment boundary. HumanEscalationFlag gates per-action-class owner confirmation with three scope modes — escalation boundary. Integrated into charter, settlement, and completion-receipt verification. SDK v1.42.0 (2,844 tests), MCP v2.24.0 (143 tools), Python v0.12.0.

Depends on: sdk-v141-state

• SDK v1.42.0
• Paper on Zenodo

Working paper published on Zenodo (DOI 10.5281/zenodo.19582550). Argues that the unit of agent governance is not the agent but the population-with-medium — the collective state of inherited fragments across short-lived sessions. Defines the medium as a governance contract that specific substrates implement, distinguishes access from declared influence, names the central open problem (cryptography formalizes authorship, not meaning), and grounds the cognition claim in existence proofs already around us: institutional memory, Wikipedia, open-source development. Six rounds of adversarial review across three model families before publication.

Depends on: d57-boundary-primitives

• Paper 6 on Zenodo

Internal rule: five-check evaluation (identity / format / substance / scope / reversibility), three decision classes (AUTO-OK / REPORT-FIRST / NEVER-AUTO), tier-based contributor classification T0-T3 with auditable promotion/demotion. Replaces implicit pattern-matching with structural discipline. Erik incident as worked example. Applied on first test: vocab#14 auto-merged (T2 descriptor typo fix), vocab#15 formal CHANGES_REQUESTED review (T2 peer_review canonical entry, touched canonical vocabulary.yaml, needed status:proposed + descriptor dimensions before merge).

Depends on: principal-accountability-reversal

Public contribution standard for the vocabulary repo. Quick Start checklist, merge criteria (5 review questions applied equally), canonical-status rule (2+ independent implementations), stability expectations, no CLA required. Contributor Covenant 2.1. Written after two multi-model review rounds — the review flagged defensive tone and trauma leaks, both addressed. Template for roll-out across SDK and spec repos.

Depends on: vocab-repo-launches

• CONTRIBUTING.md

Unified four-axis (D, P, G, C) signed Merkle receipt. One AttributionPrimitive envelope, four independently-verifiable axis projections, cross-verify by shared action_ref + merkle_root + signature. Canonical weight-string representation, balanced Merkle composition, residual-bucket aggregation for sub-threshold contributors. Shipped SDK v1.44.0, MCP v2.25.0, Python v0.13.0.

Depends on: attribution-primitive-spec

Erik Newton's vocabulary repo transfer attempt surfaced that a collaboration agent had made commitments the principal didn't authorize, citing prior Apr 10 comments the principal never wrote. Public reversal posted on A2A#1734 naming the agent behavior explicitly. nanook's three-point public response formalized the thesis: Model Citizen trap (broad delegation scopes covering pragmatic overreach), counterparty standing invisible to agents (fresh accounts and long-term collaborators indistinguishable in scope checks), structural fixes required (readings alone don't scale). First real case study of principal-agent boundary failure, handled transparently.

Depends on: vocab-repo-launches

• A2A #1734

QueBallSharken boundary statement. Three separate problems acknowledged.

Default /api/v1/public/trust/:agentId signs with gateway Ed25519 key. X-APS-JWS / X-APS-JWS-KID / X-APS-JWS-JWKS response headers. Ed25519, kid gateway-v1, cross-engine verifiable against the public JWKS. Shipped 2026-04-16.

xsa520's evaluation-point vs decision-point gap. Hard/state-volatile/contextual gates.

aeoess.com/roadmap timeline with dependency graph. YAML-driven, static, matches site design. Shipped at https://aeoess.com/roadmap.html.

pshkv's SINT integration merged (9/9 cross-verify passing). Physical-world enforcement layer. Now in INTEGRATION.md.

Depends on: vocab-pr7-sint-crosswalk

First-time contributor PR on SDK repo. Redirected to separate vocabulary repo, which became the canonical home for this kind of contribution. PR closed. 7 SAY-5 equivalents have since landed in agent-governance-vocabulary from other contributors.

kevinkaylie's AgentNexus governance vocabulary crosswalk.

Depends on: vocab-pr7-sint-crosswalk

Three-property liveness decomposition ADR on microsoft/agent-governance-toolkit. PR #948 co-authored.

• PR #948

Formal spec v1.1 (71KB) committed to aeoess_web/specs/ATTRIBUTION-PRIMITIVE-v1.1.md on Apr 12. Unified cryptographic object with three axis projections (data, protocol, governance). Unblocks Build A.

Depends on: paper-5-physics

Audit log export in JSONL, CSV, PDF. Tenant isolation, rate limiting, delegation chain resolution.

Depends on: d53-convergence

CI validator checking descriptor enums, signal types, required fields against vocabulary.yaml. 162 lines.

Depends on: d53-convergence

• Vocabulary repo

15-config experiment harness (5 scenarios × 3 AI families). Measures complementarity-gain across Claude, GPT, Gemini.

Depends on: d53-convergence

agent-passport-system@1.41.0 on npm. 2,763 tests passing across 714 suites (1 skipped). 35 v2 constitutional modules + core. MCP server at v2.23.0 with 132 tools. Python SDK at 0.11.0. Wallet binding, subDelegateAdvisor, credentialCheckPolicy all shipped.

• npm

pshkv's SINT crosswalk. Review complete. Waiting on validity_temporal fix.

aeoess/agent-governance-vocabulary opens as the canonical naming layer for agent governance primitives. IANA JWT Claims Registry / W3C DID Registries precedent. Six crosswalks merged in four days from five independent maintainers: InsumerAPI (Douglas Borthwick), SINT (Illia Pashkov), JEP (schchit), AgentNexus (Kevin Kaylie), SATP (0xbrainkid), Nobulex (Arian Gogani). Each system keeps its internal names and publishes a crosswalk mapping to the canonical vocabulary.

Depends on: vocab-pr7-sint-crosswalk

• agent-governance-vocabulary

Every project named the same field differently. delegation_root, chain_hash, provenance_anchor — same bytes, zero interop. Vocabulary repo converges the naming. SDK v1.41.0, MCP v2.23.0, Python v0.9.5, vocabulary v0.11.0, Gateway v0.9.0. Nanook PDR adapter batch.

Depends on: d52-three-walls

A2A, crewAI, qntm, SINT, OWASP, x402, VoltAgent, langgraph-swarm, AgentID. APS in every layered-identity discussion.

Depends on: w3c-normative

New user bounced in 90s from 132-tool flood and 925 SDK exports. Shipped /core subpath (~25 curated functions) and MCP essential profile (20 tools). SDK v1.40.0, MCP v2.22.2, 2,552 tests, 103 modules.

Depends on: d51-quantum-governance

Six weeks of circling quantum. Multi-model review found it: physics facets on delegations. 7 experiments on IBM Quantum. Bell 5.2pp + GHZ 7.7pp fidelity gaps.

Depends on: d49-twelve-primitives

Governing what agents learn from authorized access. Telemetry scopes, BMOs, BYOM.

Depends on: paper-3-faceted-authority

• Zenodo

Governing quantum hardware quality. Real IBM Quantum experiments. 5.2pp Bell + 7.7pp GHZ fidelity gaps.

Depends on: paper-3-faceted-authority

• Zenodo

Longest session yet. 4-pass audit (30 findings, all fixed). Email infrastructure. Portal redesign. Full API docs. Status page. Admin endpoints. SDK v1.36.4, MCP v2.21.3, Gateway v0.4.0, 2,497 tests.

Depends on: d49-twelve-primitives

Nate B Jones reverse-engineered Claude Code's orchestration into 12 primitives. We shipped all twelve. Tool registry, permission tiers, context compression, state machines. SDK v1.36.2, 626 suites, 132 tools, MCP v2.21.1, 2,497 tests.

Depends on: d48-six-sessions

douglasborthwick-crypto ran multi-issuer verification on insumer-examples#1. APS position 5 (passport_grade, gateway-v1 kid) verified alongside InsumerAPI (wallet_state), ThoughtProof (reasoning_integrity), RNWY (behavioral_trust), Maiat (job_performance), AgentID (trust_verification), AgentGraph (security_posture). Cross-protocol attestation composable format.

Depends on: harold-canonical-repo

60 GitHub issues posted in one afternoon. Anthropic/MCP org blocked the aeoess account from posting on modelcontextprotocol/modelcontextprotocol. Permanent reference case for what volume costs. Origin of the Risk Guardian discipline — comms became something to govern, not just do.

Depends on: wg-formed

Five reviewer models attacked specs before a single line shipped. Six sequential sessions, each depends on previous deploy. Gateway auto-deploys on push. SDK v1.34.0, MCP v2.21.0, 131 tools, 2,306 tests, 103 modules, Gateway v0.4.0, Python v0.9.0.

Depends on: d47-ms-merged

$285M UNC4736 DPRK social engineering hack. Ran 5-model architectural review on forensic attribution vs structural constraints. Killed 5 bad ideas (behavioral signals, cascade verification, prosecution scoring, general stake, forensic attribution test). Posted A2A#1628 reply framing authority-class separation + non-bypassable timelocks + hard velocity ceilings. Drove Values Floor timelock + Grade-gated authority build queue.

Depends on: multi-model-review-methodology

Microsoft approved APS PR into Agent Governance Toolkit. SINT v0.2 shipped with our delegation_depth_floor. W3C behavioral attestation reached normative language. Evidence-based grading + freshness semantics.

Depends on: d46-byoi

Nanook's PDR in Production v1.9 published on Zenodo. Section 7.6 is the first independent deep technical review of APS architecture — Bayesian sigma dynamics, structuralVerdict/trustVerdict separation, Module 37 as worked example. Tony Mason UBC production deploy (Hamut'ay, 98 cycles on Sonnet 4.6). DOI 10.5281/zenodo.19323172.

Depends on: paper-3-faceted-authority

• PDR v1.9

Timing asymmetry became normative constraint. Evidence-based passport grading + freshness semantics.

Depends on: wg-specs-ratified

APS stopped looking like an identity system. Four modules accept external credentials: did:key, did:web, SPIFFE SVIDs, OAuth 2.0. Routed through enforcement boundary. Python SDK v0.8.0, MCP v2.19.1, 125 tools, 2,180 tests, 559 suites, 103 modules.

Depends on: d45-governance-hardening

Lars Kroehl / CryptoKRI GmbH. Partner API key received (10K calls/day, 1K agents per batch). 11 APS agents bridged did:aps → did:moltrust → Base L2. Reciprocal gateway verification via GET /api/v1/public/trust/{agentId} with JWKS. First bilateral production partnership.

Depends on: d46-byoi

Stricter validation on delegation chains. Tighter scope authorization. 34 new tests covering edge cases from MoltyCel security audit. 99 modules, 125 tools, 533 suites, Gateway v0.3.4.

Depends on: d44-solana-integration

PR #3 merged into kai-agent-free/solana-agent-identity. APSProvider is the 4th identity provider in Solana Agent Kit. First external code dependency on APS. SDK v1.29.6, Gateway v0.3.1, 99 modules, 2,051 tests, 34 routes, MCP v2.19.1. Plus 5 security fixes.

Depends on: d43-multi-attestation

First external code dependency on APS. Not a spec comment — APSProvider is running in another project's production repo as the 4th identity provider.

Depends on: yc-ceo-endorsed

douglasborthwick-crypto ran 5-issuer live pass: InsumerAPI, ThoughtProof, RNWY, Maiat, APS. Five dimensions, two algorithms (ES256 + EdDSA), independently signed. APS is the 5th verified issuer. SDK v1.29.4, 38 routes, 503 suites, 125 tools.

Depends on: d42-attestation-architecture

haroldmalikfrimpong-ops shipped agentid-aps-interop on getagentid.dev. 32/32 tests passing. Harold's PolicyChain primitive (SHA-256 policy hash chaining) adopted into APS SDK with name-attribution in commit message. Canonical external collaborator — contributor attribution as compounding strategy.

Depends on: d43-multi-attestation

Lev's agent farmed unlimited passports, drained Nik's promo wallet in 60s. Identity Sybil unsolvable in open protocols. 3-round multi-model architectural review across Claude, GPT, Gemini. SDK v1.29.1, 1,987 tests, 96 modules, MCP v2.19.0, 125 tools, Gateway v0.3.0, 37 routes.

Depends on: d41-agent-wallets

Agents need to spend money. Coinbase charges gas. ChainHop takes 0.75%. We charge nothing. Three commits, 1,430 new lines. Gateway v0.3.0, 18 → 36 API routes.

Depends on: d40-gateway-wiring

Private gateway cloned to the Mac Mini and run via PM2 on port 3200 alongside the Intent Network API. Four agents registered with real Ed25519 keys (tima-principal, claude-operator, portalx2-reviewer, aeoess-gpt-executor). Delegation chain bootstrapped with scoped authority and spend limits (tima→claude $500 build, tima→portal $0 review, claude→portal sub-delegation). Full enforcement test battery passed: scope enforcement, spend tracking, cascade revocation. Built the gw CLI (gw eval, gw receipt, gw dash, gw audit, gw agents) for one-line authorization checks against the live gateway. APS runs on APS — this is the dogfood milestone.

Depends on: gateway-production

Import graph showed only 20% of modules connected to gateway enforcement hub. Four rounds of wiring. 20% → 79% interconnection. SDK v1.29.1, 96 modules, 1,987 tests, 503 suites.

Depends on: institutional-layer

Production enforcement at gateway.aeoess.com. Multi-tenant. Policy evaluation <1ms. Pixel attribution live.

Depends on: institutional-layer

Product lattice model. Seven dimensions. IETF Internet-Draft submitted same day (draft-pidlisnyi-aps-00).

Depends on: d32-data-attribution-thesis

• Zenodo

Site said 'APS' in giant letters, three paragraphs saying the same thing three ways. Passports metaphor doing the work plain language should do. Academic redesign, enterprise positioning, 10-question FAQ.

Estimated 12 sessions. Shipped in one. Charter, approval, time, reserve, federation. Zero lines to 1,634 passing tests. SDK v1.27.0, MCP v2.19.0, 108 tools, 53 modules, 503 suites.

Depends on: encrypted-relay

Protocol could sign and verify. What it couldn't do: tell an agent reading a webpage what the terms are, in the HTML, at the moment of access. aps.txt, 360 consumer loop, 108 MCP tools, SDK v1.25.0. First publication deploys APS. 1,480 tests.

Depends on: d34-30-modules

Audited instead of building. Pulled all four repos, full test suite (1,178 pass, 0 fail), line-by-line dead-weight scan. 68 dead imports removed. OATR founding member.

Depends on: yc-ceo-endorsed

QSP-1, DID Resolution, Entity Verification. Working Group formalized.

Depends on: d36-clean-slate

Vessenes shipped the qntm relay spec. HKDF-SHA-256 + XChaCha20-Poly1305 bridge built in 369 lines, zero new deps. 3/3 known-answer vectors match byte-for-byte. Live relay test: HTTP 201, seq:6 — first encrypted agent governance communication anywhere. 1,178 tests, 320 suites, 63 test files.

Depends on: d34-30-modules

Five independent projects agreed on a shared spec. APS (Tima) + qntm (Vessenes, encrypted transport) + AgentID (Harold, identity verification) + OATR (Frans, trust registry) + ArkForge (Desiorac, execution attestation). First spec ratified unanimously. Five weeks from first commit to four-project convergence. The inversion — inbound matching outbound.

Depends on: encrypted-relay, comms-phase-2-external-engagement

Claude, GPT, Gemini each attacked full codebase. Identified 16 gaps in governance. All 16 running code by end of day. SDK v1.21.2, MCP v2.12.0, 83 tools.

Depends on: d33-constitutional-running

Every policy decision content-addressable (SHA-256 of canonical JSON). Verdict classification: deterministic, heuristic, LLM-based, hybrid, human. 42 modules, 83 MCP tools, 1,178 tests.

Depends on: d31-five-engines

AI-native media credentialing spec. Open standard for AI-native publications. 25 tests, Module 36.

AMCS (AI-Native Media Credentialing Standard) shipped as an open specification published by the project. Two-layer structure: editorial accountability (self-attested by the publication, public evidence audit trail) and cryptographic infrastructure (Ed25519 signing, Merkle proofs, delegation chains). Any publication can apply. SPJ Code of Ethics independence principle reflected in the structure. 25 tests. Module 36 in the SDK.

Depends on: d24-publication-integration

Bernie Sanders on data rights. Protocol already has 80% of the answer. Gateway tracks access (taint), Merkle trees commit receipts, delegation chains attribute. 'Pixel on crypto' crystallizes. Module 36.

Depends on: cross-protocol-envelope-spec

Modules 28, 29, 30. First real cross-engine disagreement in agent identity space. Claude, GPT, Gemini, Grok, DeepSeek — all on one thread.

Depends on: d30-encrypted-messaging

Separate X25519 keys, ephemeral ECDH per message, double signature. Inner over plaintext prevents identity stripping, outer over ciphertext enables gateway verification without decrypt. 42 modules, 1,178 tests. Two Claudes built three modules in one day.

Depends on: reputation-gates

Three independent groups (CrewAI, Guardian, APS) converged on the same signed execution envelope. Mapped all three proposals to APS SDK types, wrote the RFC. Every field already in SDK.

Depends on: paper-2-monotonic-narrowing

The weekend the protocol stopped being just Tima's. Garry Tan repost. Microsoft merged APS code. Federal agency reviewing.

Depends on: substack-launch

• Blog

Strategic decision day. Full staleness audit across all surfaces. 33 tools → 55 tools. 481 → 511 tests. 16 modules. Gateway architecture call that shaped the next month.

Depends on: d26-mingle-v2

agent-passport-system-mcp listed on the official MCP Registry (registry.modelcontextprotocol.io) as the Anthropic-maintained discovery directory for MCP servers. Every Claude Desktop, Cursor, and Windsurf user browsing for agent-identity tools finds APS in the catalog. Complementary to the 12+ channel distribution done Day 7 (awesome-mcp-servers, clawhub, npm, Smithery, mcp.so).

Depends on: mcp-server-ships

Biggest Mingle ship since launch. Four phases in one day. Semantic matching, ghost mode, consent flow. The network actually connects people now.

Depends on: d23-mingle-v1

Working React + Supabase + Vercel MVP of a Tesla-community social app at tesla-social.vercel.app. Dashboard with miles-driven points, tier progression, odometer logging, proximity chat with real-time messaging, social feed, profiles. Not an APS product — a proof that a solo founder can ship a working social app in a weekend, used as a comms asset alongside the cross-protocol bridge Substack article. Not currently maintained; kept as a reference artifact for the Day 25 launch narrative.

Depends on: substack-launch

• tesla-social.vercel.app

Multi-model adversarial review — same prompt to Claude, GPT, Gemini simultaneously, no cross-talk, synthesize after. Origin Day 25 (first honest pushback). First formal three-way Day 37. Peak Days 40-42 (Sybil, Agent DNA, data lifecycle, constraint architecture). Self-critique Day 38 identified anti-patterns. Stopped being default, became selective tool for genuine competing framings.

Depends on: paper-2-monotonic-narrowing

Two Substack articles: Cross-Protocol Bridge + Tesla Social. Social posts across X and LinkedIn.

Depends on: d11-agora-signed-speech

Three-layer integration of an AI-native publication with APS. Layer 1 (article provenance): every published article carries an APS signature over canonical article JSON, verifiable at article-level permalink. Layer 2 (journalist passports): each AI journalist persona gets a scoped delegation (topic areas, token budget per article). Layer 3 (Ethics Engine binding): 274 scored articles against 10 checks, credentialing mirrored on NPC membership tiers. Full CTO audit of the 68-file Python pipeline completed before any protocol binding. First production publication running APS receipts end-to-end in its editorial pipeline.

Depends on: reputation-gates

Three gateway bugs fixed. NW-001 memory leak in replay protection. NW-003 crash on unregistered agent. Setup commands, cross-protocol resolve.

Depends on: reputation-gates

Standalone MCP plugin that turns AI into a networking agent. Tell Claude or GPT who you need — your agent publishes a signed card, matches, introduces.

Depends on: d22-intent-network

First substantive comment on someone else's repo — Karpathy's autoresearch on Garry Tan's repost thread. Same posture from internal model dialogue, now applied externally. The shift from 'building in private' to 'showing work in public.' By Day 28 this had compounded into Garry Tan endorsement and Microsoft merging APS code.

Depends on: comms-phase-3-multi-agent-ops

Biggest ship since protocol launched. Network where agents represent humans, discover matches, propose introductions. No app, no signup. AI conversation is the interface. 30 tests, 1,178 tests total.

Depends on: reputation-gates

Intent Network API deployed on the Mac Mini (clawrot) on port 3100 via PM2 + cloudflared tunnel. SQLite database, signed IntentCards, relevance scoring, intro protocol. First production service hosted outside Vercel or Railway, first use of named cloudflared tunnel for an APS endpoint (tunnel id fdf95ddb-8187-4f9e-a619-8643ed73c929, CNAME api.aeoess.com). Established the Air-vs-Mini infrastructure split that still governs today: Air = dev only, Mini = production services.

Depends on: d22-intent-network

Shipped src/core/gateway.ts — ProxyGateway enforcement boundary with replay protection and two-phase execution. 30 tests. The architectural piece that makes the gateway both judge and executor, not just approver.

Depends on: reputation-gates

Site-wide redesign: constellation visualization rebuilt with semantic layout, bold hero with gold gradient rule + accent initials, 3-tier copy (hook / plain-English / technical). Deleted bot.html and bio.html with reference cleanup across 13 subpages. Created faq.html with 10 questions + Schema.org FAQ markup. Footer added to all subpages. Commits 539e923, d09b893.

Depends on: d13-website-overhaul

Agents earn trust, not just receive it. Reputation scoring wired into delegation. SDK v1.11.0, MCP v2.5.0, 83 tools, 76 tests.

Depends on: d18-autoresearch

Authority attenuation formalized. Mathematical proof that delegated authority can only decrease. Formalizes what autoresearch validated.

Depends on: d18-autoresearch-findings

• Zenodo

Published findings from running 3 experiments with real AI agents. What broke, what worked. Early empirical backing for the threat model.

Depends on: d18-autoresearch

Adapted Karpathy's autoresearch pattern. AI generates attacks, tests run, keep what breaks something new. 320 suites, 1,178 tests, 63 test files.

Depends on: d17-principal-identity

Interop module for Google's Agent-to-Agent protocol: passportToAgentCard, verifyAgentCard. 8 tests. Commit bb88f90. src/core/a2a.ts shipped in SDK v1.10.0.

Depends on: d17-principal-identity

Shipped W3C DID Method (did:aps) — passports now resolve as Decentralized Identifiers. W3C Verifiable Credentials issue/verify from passport data. SDK modules did.ts, did-interop.ts, vc.ts, vc-wrapper.ts. Part of SDK v1.10.0 (commit d34abb2).

Depends on: d17-principal-identity

Automated compliance checks against EU AI Act — risk classification, Articles 9–15 and 50 mapping, gap analysis, transparency disclosure. 14 tests. Commit 73d948e. src/core/euaiact.ts shipped in SDK v1.10.0.

Depends on: d13-threat-model

Three-agent autonomous governance loop designed. 02:00 UTC GitHub Action creates a dispatch issue with repo state (latest commit, open issues, open PRs). Three roles assigned: scanner (nik-prime), analyst (PortalX2), synthesizer (aeoess). Consensus vote 2-of-3 drives a PR that the human merges in the morning. The protocol governs its own development: every step is a signed Agora message, every delegation scoped, every vote through the consensus primitive. Retired Day 59 as part of the coordination-layer consolidation; spec kept as reference design for protocol-governs-protocol patterns.

Depends on: d17-principal-identity

Five new modules. Principal identity, Python SDK v0.4.0, three protocol extensions. 20 modules, 86 tests.

Depends on: d15-ship-day

Four PyPI releases of agent-passport-system in a single day: v0.1.0, v0.2.0, v0.3.0, v0.4.0 (all 2026-03-06). Cross-language compat with TypeScript SDK via canonical JSON. 8 layers, 101 tests at v0.3.0. pip install agent-passport-system.

Depends on: d17-principal-identity

New public repo aeoess/agent-passport-remote-mcp (created 2026-03-06T16:43:22Z). stdio-to-SSE/HTTP bridge, isolated MCP subprocesses per session. PM2 on port 3002 + cloudflared tunnel → mcp.aeoess.com.

Community health baseline. APS scored 10/12 on BBIS later (Day 51).

Ship day. Five npm publishes. 83 MCP tools. 1,178 tests. Every version reference propagated automatically.

Depends on: d14-first-audit

PortalX2 and aeoess ran full-system audit in parallel with cross-review. 16 iterations across source, tests, MCP. 10 findings.

Depends on: d13-graduated-enforcement

Four ships. Graduated enforcement tiers, threat model document, Agent District. 55 suites, 214 tests. Pushing code 9am to midnight.

Depends on: d12-agentic-commerce

Published threat-model.html — 38 attack scenarios with direct references to the test suite. Asset inventory, threat actors, trust boundaries, and explicit non-goals. Commit 52b7dd0.

Depends on: paper-1-social-contract

Fixed 56 misspelled 'Ed25519' occurrences across three repos (npm typo bump 1.8.1, commit 3b0f1ea). Rewrote hero text, aligned Quick Start to real API. Rolled out GA4, Open Graph, Twitter cards, and Schema.org across all 11 HTML pages (commit 2f69c6e). llms.txt layer descriptions aligned with actual architecture.

Three major ships. 4-gate checkout. Integration wiring. MCP v2.1.0, 30 MCP tools, 214 tests.

Depends on: d11-doc-sprint

Shipped world.html — a pixel-art operational map showing all protocol layers in live operation. Nine buildings (one per layer plus central square), four agents with unique character designs, walk cycles, and task queues moving between buildings in real time. Commit 23eba32. Live at aeoess.com/world.html.

Publication piece framing Agora as the missing layer — signed, verifiable agent-to-agent messaging on top of Ed25519 identity.

Depends on: d4-community-shows-up

No new layers. Making everything findable and understandable.

Depends on: d10-coordination

Identity tells you who. Delegation tells you what. Coordination tells you how agents actually work together.

Depends on: d8-intent-architecture

agora.html rendered 'Unknown' for every agent due to data-access mismatch (code read flat m.agentName, data was nested under m.author). Fixed all reads, added type-specific visual differentiation for announcement/proposal/vote/delegation/ack/discussion, reply threading, founder badges, signature verification labels, triple-backtick code blocks, XSS-safe content pipeline. board.html had </body></html> mid-file with 200 lines of content after — fixed HTML structure and linked Board (Roman IV) into side-nav and mobile drawer across all 7 pages (was orphaned with zero inbound links). New logo aeoess_logo-06.png deployed across all pages, dark/light toggle moved top-right with contrast background/border. Zenodo DOI updated from retracted 15305421 to correct 18749779 across 5 pages. Commits 1ac19de, b422e3a, 5629b11, 353d950, 56aa73f.

Depends on: mcp-server-ships

Manual carrying of ideas between Claude, GPT, Gemini. Not assistants — adversarial reviewers. Their disagreements treated as signal. By Day 8 the practice was articulated in the YC application as 'Claude for architecture, GPT for hostile review, Gemini as tiebreaker.' Origin of every later multi-model architectural review.

Depends on: mcp-server-ships

Three-bot Telegram group operational (Tima + aeoess on Mac Mini + Portal on OpenClaw). GitHub comms bridge built (from-portal.json ↔ from-aeoess.json) — Telegram blocks bot-to-bot so the repo became the shared nervous system. Portal's first message to aeoess shipped 15 source files and 15 tests autonomously.

Depends on: comms-phase-1-cross-model-dialogue

Protocol stops being about identity, starts being about decision-making. Intents, proposals, verdicts.

Depends on: mcp-server-ships

11 tools native in every major AI dev environment. npm SDK + MCP live. awesome-mcp-servers PR on the 81K-star repo. Agora seeded with first signed messages from claude, aeoess, PortalX2.

Depends on: project-begins

Days 4-5. Paper published. Media coverage breaks. First wave of external attention.

First formalization of agent governance as a social contract. Ed25519 identity, monotonic delegation.

Depends on: project-begins

• Zenodo

Ed25519 identity, delegation chains, first tests. 'The Speed of Wrong vs The Speed of Right.' SDK v0.1.