Shipped (265)
Independent conformance set for the action_ref correlation key lands from a separate author-set
Day 116
Standards
done
An independent Internet-Draft of the action_ref primitive (giskard09/draft-giskard-aeoess-action-ref) picked up an AgentGraph conformance set built with its own RFC 8785 path in Python and Node, reproducing Appendix A Vector 1 byte for byte (fdd7f810...3d89f5a) and covering the empty-scope-vs-absent and did:key edges. Reviewed and accepted as a distinct author-set rather than merged into the reference vectors, since the cross-lineage agreement only holds while the derivation paths stay visibly separate. Proposed the Appendix A.1 wording, including the normative boundary that an action_ref match is not evidence of execution. Independent re-derivation is the interoperability evidence that was previously missing.
Runnable delegation layer for mcp-clickhouse, on the maintainer's own pass-through sketch
Day 116
Ecosystem
done
A ClickHouse maintainer on mcp-clickhouse #155 asked for a runnable example of the delegation layer on top of their UserPassthroughMiddleware credential sketch. Shipped aeoess/aps-clickhouse-mcp-delegation: an agent holds a scoped, time-bound delegation instead of the user's full access, each tool call writes a signed authority-boundary receipt into a table next to the query log, an out-of-scope drop is denied and recorded as a signed outside receipt, and a tamper test edits a stored row by hand and verification fails on that exact row. Installs from PyPI, runs in one command against a local server. Self-contained: no dependency on any AEOESS-hosted service.
pip install agent-passport-system now resolves to 2.4.0 rather than an older line. The release carries the Wave 1 accountability primitives the ClickHouse example depends on: scoped delegation, the authority-boundary receipt, and the scope-of-claim field that records what a receipt does not assert. Verified end to end from a cold clone: fresh venv, unpinned install from PyPI, example runs green. Post-release audit and full-fix pass: README de-staled from 2.3.0/alpha framing, classifier set to Production/Stable, datetime modernized while preserving signed canonical-byte format, cross-language parity confirmed intact (568 passed in full environment).
AAT/APS boundary published as a joint AgentLair x AEOESS reference; weekly AAT vector cadence begins
Day 115
Ecosystem
done
Session identity inside the issuer versus delegation chains and receipts after handoff, stated with explicit what-each-layer-does-not-claim sections and a three-claim bridge (jti, al_nid, al_trust). Live at agent-passport.org/aat-aps-boundary.html. The bootstrap AAT pair was ingested and signature-checked against the issuer JWKS; weekly live+expired pairs begin 2026-06-17, with vectors carrying verification_time so the corpus stays replayable.
action-ref-v1 recomputation fixtures contributed upstream to argentum-core (PR #12); mirrored in the conformance suite
Day 115
conformance
done
Fourteen vectors built to the argentum-core conformance conventions: five positives double-derived (shipping computeExternalActionRefV1 plus an independent stdlib path, byte-equal), nine negatives across four drift families (field order, timestamp form, casing, payload) where every claimed ref is a real digest of its stated drifted bytes. The runner has a single canonical recompute path; fail-closed-before-invocation is structural. Mirrored under fixtures/cross-stack/action-ref-v1-negatives with provenance.
Public-surface refresh: repo one-liners, vocab README, org profile, diagrams, 2.6.0-stable numbers everywhere
Day 115
surfaces
done
Six repo descriptions rewritten purpose-first; vocabulary README rebuilt problem-first with a real crosswalk row and a three-layer diagram; org profile rewritten around the receipts line with a protocol diagram; SDK README gains narrowing-chain and gateway-boundary diagrams; stats aligned to 2.6.0 stable across SDK, Python, and conformance surfaces.
Signed aps.txt governance declaration live on agent-passport.org
Day 114
Ops
done
The canonical domain now serves its own signed machine-readable governance declaration at /.well-known/aps.txt: fresh Ed25519 domain keypair, terms mirroring the original aeoess.com declaration, verified offline against the live bytes. Closes a site-migration drift where the path served a placeholder while being cited as live.
CTEF folds cache-as-derivation key_source definition into v0.4 transactional receipt
Day 114
Standards
done
The cache-as-place laundering hole raised on A2A #1829 resolved by definition rather than a fourth enum value: cache means previously verified via an allowlisted path and pinned, with the population event (source + timestamp) auditable from signed evidence. The CTEF author folded the definition into CTEF key_source and the v0.4 transactional receipt.
Outside contributor ships Cycles envelope-authenticity check (PR #45); suite at 3,792
Day 114
Protocol
done
The (a) half of the envelope-authenticity split agreed in issue #43, contributed by the Cycles maintainer: the supplied evidence envelope's own Ed25519 signature verified against its named key under the spec's signature derivation, distinct fail-closed reason, and a result field reporting which guarantee actually held. Includes a boundary test asserting a self-consistent attacker forgery still passes with only the weaker tag, documenting the (b) gap as executable honesty. Merge result: 3,792 tests, 0 failures.
SDK 2.6.0 promoted to npm latest — the stable cut
Day 114
Protocol
done
Both Day-105 gates closed same day: decision_id redefined as a domain-separated content hash over the record's identity fields (offline-recomputable, path-independent by construction, normative field taxonomy added to the spec), and batch/single parity proven byte-identical in the production binding under a pinned clock. Full Wave 2 surface, CPA v0.1, action_ref v1 conformance, and the payment-rail layer now install without a dist-tag. 3,791 tests, 0 failures on the publish tree.
action_ref v1 canonical specification frozen with conformance vectors and dual verifiers
Day 113
Protocol
done
Four-field preimage with the timestamp pinned to one exact RFC 3339 UTC millisecond byte form, hashed as opaque bytes. Conformance suite ships negative vectors rejecting every non-canonical timestamp form and two accept vectors that byte-match independently published ecosystem hashes. Two verifiers: stdlib-only Python (vendored minimal RFC 8785, zero project dependency) and Node importing the shipping computeExternalActionRefV1, pinning vectors to running code. Non-goals stated in-spec: a pass proves derivation agreement only.
Verification-source provenance in signed evidence + producer-attestation commitment kind with CPA slot
Day 113
Protocol
done
Key-resolution provenance now travels inside the signed evidence envelope rather than verifier logs, making the trust posture reconstructable offline from the evidence itself. Producer-attestation commitment kind links the Day 107 context-custody layer (CPA) into the evidence chain with the same stated boundary: custody of the declared basis, not truth of it.
Context Provenance Attestation v0.1 exported from the public API
Day 107
Protocol
done
CPA v0.1 exported from the public API in agent-passport-system 2.6.0-alpha.10. A signed partitioned-Merkle commitment to a declared context basis across eight frozen structural-origin channels (system-config, developer, user-socket, retrieval-store, tool-result, external, memory, quarantine). The channel is a partitioning key, not a trust label, and sits in the leaf preimage so it cannot be relabeled without breaking the root. Domain-separated hashing with distinct leaf, node, and sign tags, RFC 6962 odd-promotion closing CVE-2012-2459, two disclosure modes (full-set completeness proven, inclusion not), mutual cpa_ref and action_ref binding, offline fail-closed verifier with structured reason codes. Proves custody of the declared basis as of producer-stated time, tamper-evidence, and replay resistance. Does not prove faithful capture, that the declared basis equals what the model conditioned on, which is the named open vector deferred to an independent capture boundary. Flight recorder, not seatbelt.
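An added sketch of the commitment properties named in the CPA entry above; it is not the project's code. It shows the channel sitting in the leaf preimage, distinct leaf and node tags, and RFC 6962-style odd promotion beside the duplicate-last-node rule behind CVE-2012-2459. The tag strings, the length-prefixed preimage layout, the single-tree shape and the sample items are assumptions; only the eight channel names come from this page.

```python
import hashlib

# Constructed domain-separation tags (assumption: the real CPA v0.1 tag
# values are not given on this page).
LEAF_TAG = b"example-cpa/leaf\x00"
NODE_TAG = b"example-cpa/node\x00"

# The eight structural-origin channels listed in the entry above.
CHANNELS = ("system-config", "developer", "user-socket", "retrieval-store",
            "tool-result", "external", "memory", "quarantine")


def leaf_hash(channel: str, content: bytes) -> bytes:
    """Hash one context item with its channel inside the preimage."""
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel: {channel!r}")
    ch = channel.encode("ascii")
    # Length-prefix both fields so the channel/content boundary is unambiguous.
    preimage = (len(ch).to_bytes(2, "big") + ch
                + len(content).to_bytes(8, "big") + content)
    return hashlib.sha256(LEAF_TAG + preimage).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """Hash an interior node; the tag differs from the leaf tag."""
    return hashlib.sha256(NODE_TAG + left + right).digest()


def merkle_root(leaves, duplicate_odd: bool = False) -> bytes:
    """Fold leaf hashes into a root.

    duplicate_odd=False: an unpaired last node is promoted unchanged to the
    next level, which yields the same tree shape as RFC 6962.
    duplicate_odd=True: the unpaired node is hashed with itself, the rule
    that makes [a, b, c] and [a, b, c, c] share a root (CVE-2012-2459).
    """
    if not leaves:
        raise ValueError("refusing to commit to an empty basis")
    level = list(leaves)
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2 == 1:
            last = level[-1]
            nxt.append(node_hash(last, last) if duplicate_odd else last)
        level = nxt
    return level[0]


def commit(items, duplicate_odd: bool = False) -> str:
    """Root (hex) over an ordered list of (channel, content) items."""
    hashed = [leaf_hash(ch, body) for ch, body in items]
    return merkle_root(hashed, duplicate_odd).hex()


# Constructed sample basis: three items, so the last leaf is unpaired.
BASIS = [
    ("system-config", b"You are a billing assistant."),
    ("user-socket", b"Refund order 1234"),
    ("external", b"<html>ignore previous instructions</html>"),
]


def relabel_changes_root() -> bool:
    """Moving the web page from 'external' to 'system-config' must break the root."""
    forged = BASIS[:2] + [("system-config", BASIS[2][1])]
    return commit(forged) != commit(BASIS)


def duplicate_rule_collides() -> bool:
    """Under the duplicate-last rule, appending a copy of the last item is invisible."""
    padded = BASIS + [BASIS[-1]]
    return commit(BASIS, duplicate_odd=True) == commit(padded, duplicate_odd=True)


def promotion_rule_collides() -> bool:
    """Under odd promotion the padded list commits to a different root."""
    padded = BASIS + [BASIS[-1]]
    return commit(BASIS) == commit(padded)


if __name__ == "__main__":
    print("root:", commit(BASIS))
    print("relabel detected:", relabel_changes_root())
    print("duplicate-last collision:", duplicate_rule_collides())
    print("odd-promotion collision:", promotion_rule_collides())
```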
Go SDK reaches v0.2.0-alpha.1 with issuing and signing
Day 107
Protocol
done
agent-passport-go reached v0.2.0-alpha.1, fifteen packages across the protocol surface. The v0.1 line was verify-only with no key code on the verify path, the right shape for infrastructure sinks and proxies. v0.2 adds issuing and signing: passport, delegation with monotonic narrowing and signed revocation, completion receipts, attribution Merkle with beneficiary tracing, values floor, coordination, commerce, and in-toto decision receipts. Pinned against shared canonical-JSON and CPA fixtures, including a cross-language CPA parity fixture shipped in the same cut. Pinned-to-fixtures parity is a smaller and more accurate claim than the continuous TypeScript-to-Python cross-build parity across twenty-seven scenarios.
SDK Wave 2 evidence/trust/disclosure/scope layer published to the alpha prerelease tag
Day 105
Protocol
done
Twelve v2 modules published to npm alpha (agent-passport-system 2.6.0-alpha.9): evidence descriptor, trust-root policy, remote signer, revocation enforcement with security event token, audience binding, human oversight, hash-and-pointer selective disclosure, scope-dimension registry, and an offline verifier with conformance runner. The evidence descriptor is verifier-derived rather than issuer-asserted: it records mechanical signer facts, signer independence from the key graph, and a four-valued corroboration status, and refuses to emit a scalar assurance score (a test feeds a spurious assurance field and asserts it never reaches output). Stays on alpha, not latest (2.2.0), pending a content-derived decision identifier and a native batch-verify parity lane that runs green rather than environment-gated.
A2A #1463: OID4VP composes under scoped delegation for the action-within-policy question
Day 104
Standards
done
Composition note on a2aproject/A2A#1463 (OID4VP for in-task authorization): OID4VP proves who and qualified-to-act; scoped delegation with monotonic narrowing plus gateway enforcement answers whether the requested action was within policy. The credential and the delegation envelope reference each other by content hash. Contributor confirmed the same attenuation model.
Cycles permit receipt carries authority_state_at_admission, signed inline
Day 103
Protocol
done
The Cycles payment-rail permit receipt now records delegation revocation and expiry state at admission time, signed into the receipt body rather than deferred to a separate lookup. An offline verifier sees the authority state the gateway saw at admission. The Cycles adapter contributor ran a verb-shape pass over crosswalk/budget_reservation.yaml confirming reserve, permit, release, and refund shapes match the Cycles surface.
agent-passport.org: 'Where it plugs in' section and honest integration grid shipped
Day 103
site
done
New landing section between the open-source case and the integration grid. The grid lists real connections without inflation: payment-rail bindings (x402, AP2, ACP, Stripe issuing), the agent-protocol surface (MCP tools, A2A adapter), the gitagent-protocol merged cryptographic-identity layer, and framework adapters (LangChain, CrewAI, AutoGen). Closing line frames the bindings as connective tissue, not a dependency claim. Remaining pages moved onto the dark theme with one canonical nav and footer.
A2A #1628: trust.signals[] consolidated into a single signal-type specification
Day 101
Standards
done
Consolidated trust.signals[] extension posted on a2aproject/A2A#1628 into one signal-type specification rather than per-vendor scattered fields, giving downstream verifiers a single shape to route on.
A2A #1850: Identity Trust Framework roadmap separates native section 4.1 action_ref from the external correlation key
Day 101
Standards
done
Identity Trust Framework roadmap (v1.0 to v2.0) posted on a2aproject/A2A#1850. Keeps the native draft-pidlisnyi-aps-01 section 4.1 action_ref as the primitive APS receipts sign while emitting or carrying the shared external action-ref-v1 correlation key, so APS receipts retain their own preimage and still interoperate on the shared key.
behavioral_drift_window signal_type lands as longitudinal envelope complement
Day 99
Protocol
done
New signal_type with a window-snapshot envelope bundling N constituent attestation hashes across a declared time window, plus caller-supplied metric placeholders: decision_count, class_distribution, optional confidence_mean and confidence_stddev, optional baseline_ref paired with divergence_score. The SDK validates internal shape consistency only (decision_count matches array length, class_distribution sums match, baseline pairing complete, confidence range bounded). The SDK does not compute drift. Drift analytics stay in @aeoess/gateway per the public-private boundary that landed in April. Complementary to the existing streaming drift family in SDK v1.41.0+ (divergence_signal, baseline_revision, observation_window, trust_velocity, decision_lineage, ScopedReputation ring buffer, DecisionLineageReceipt) co-issued with the PDR project per Nanook PDR v2.19 §6.6. 26 tests, twelve documented edge cases. Commit 6b09ccc on feat/v2-behavioral-drift-window, merged via --no-ff.
cross_issuer_attestation signal_type lands as federation primitive
Day 99
Protocol
done
New signal_type with a composer-signed bundle of references to N constituent attestation envelopes, where each constituent can be from a different issuer and a different signal_type. The composer signature attaches the composer to that specific bundle; tampering with any constituent reference invalidates the composer signature. Validation enforces unique constituent hashes, max 280-character composition_purpose, ID and timestamp format. Downstream verifies each constituent independently. Cross-protocol composition between APS and AIIF is a separate artifact deferred to a position paper. 10 tests with explicit duplicate-hash and reorder coverage. Commit c2ee817 on feat/v2-cross-issuer-attestation, merged via --no-ff.
memory_provenance signal_type lands as OWASP ASI06 substrate
Day 99
Protocol
done
New signal_type with a signed envelope tracing a memory entry back to a trusted source under a declared reduction_map_ref. Fields: memory_ref, source.{issuer_id, issued_at, source_ref, reduction_map_ref}, ingester_id, ingested_at, signature over JCS-canonical bytes. The SDK validates Ed25519 signature and envelope shape only; verification of original source content against source_ref and validation of the reduction map against a registered transformation stay with the consumer. 20 tests, six structured failure reasons. Commit 8616b3f on feat/v2-memory-provenance, merged to main via --no-ff merge commit.
Substrate cycle 2 ships: three new attestation envelope signal types in npm alpha.6
Day 99
Protocol
done
Three new v2 substrate modules added to the SDK as reference TypeScript implementations of three new signal_type values, each scoped to v0.1 and each with a signed Ed25519 envelope, validation rules, structured failure reasons, and a dedicated test file. memory_provenance (646 LoC, 20 tests, OWASP ASI06 substrate), cross_issuer_attestation (673 LoC, 10 tests, federation primitive), behavioral_drift_window (970 LoC, 26 tests, window-snapshot complement to the existing streaming drift family). Test count moved from 3,008 to 3,064. All three branches merged via three --no-ff merge commits preserving branch history. SDK 2.6.0-alpha.6 published to npm with dist-tag alpha. Five repos pushed clean (SDK, MCP, Python SDK, aps-web, org profile). The postpublish auto-propagate fix from earlier today held under first real validation.
Intake post on the A2A #1734 substrate-window thread acknowledging four of five Candidates as substrate-landed (Candidates 2/3/4/5) with Candidate 1 (discrimination-tuple injectivity formalism) still pending. Originating-contribution + submitted-substrate attribution discipline applied to the synthesis-matrix attribution schema, with Open Ambiguity as a third column for rows where lineage diverges across sources. Doctrine note on disk at synthesis-attribution-schema.md.
No-category-ownership-by-default precedent codified on aps-conformance-suite
Day 96
Protocol
done
Two external fixture PRs (#5, #6) on aeoess/aps-conformance-suite received REQUEST CHANGES with a single structural ask: contributor deployments are credited as named targets inside generic fixture categories, not granted top-level fixture-directory namespaces. The suite names canonical properties; implementers are targets, not owners. This precedent applies regardless of technical merit and protects the conformance vocabulary from category capture as more implementers submit fixtures.
SpendGuard ships as third implementer of budget_reservation; PR #99 brings lifecycle upstream
Day 96–99
vocab
done
spendguard-sdk 0.4.0 published to PyPI at 19:04 UTC with release_reservation() matching the proposed verb names in crosswalk/budget_reservation.yaml. Third production implementer joins Cycles and goodmeta, satisfying the file's promotion-path threshold of three implementers. release and refund both reach two implementers each. PR #99 opened at aeoess/agent-governance-vocabulary brings the reservation lifecycle state machine from Agent Spend Protocol Draft-01 §3.3 upstream before canonical promotion: six states, (reservation_id, idempotency_key) dedup contract with three required outcome branches, ttl_grace window with recommended_max 5 minutes matching ASP Draft-01 §3.2 phrasing. Review requested one structural amendment before merge: explicit normative-force framing on the lifecycle block.
Prototype 1 latency project closed across all three §13 canonical environments
Day 93
Protocol
done
Full canonical scope cleared on the three environments named in spec §13: Apple Silicon developer reference (Mac M3), AWS c7i.2xlarge cloud reference (Intel Sapphire Rapids), and bare-metal Linux canonical (AMD EPYC 7313P via Latitude.sh). L4 p50: 305µs Mac M3, 1.07ms AWS c7i, 822µs bare-metal EPYC 7313P. The ~250µs gap between AWS and bare-metal at L4 is the hypervisor-removal effect. Result JSONs reproducible from benchmarks/prototype-1/results/ at commit 6e258f4. CLAIMS.md upgraded with a cpu_model pin rule for bare-metal claims since Latitude.sh ships variable EPYC SKUs under the c3-large-x86 plan. PRs #36 and #38 merged.
agent-passport.org canonical domain split completes
Day 90
Ops
done
Protocol surface and company surface now separate. agent-passport.org carries the canonical protocol website, research, blog, roadmap, IETF Internet-Draft references, and the open contribution doctrine that PR #29 shipped the same day. aeoess.com continues to serve the infrastructure subdomains (mcp.aeoess.com, gateway.aeoess.com, api.aeoess.com) and a secondary website mirror.
PR #29 merged: open contribution surfaces (doctrine docs + scaffold)
Day 90
Protocol
done
Open contribution path, governance surfaces, and contributor scaffold merged into agent-passport-system.
draft-pidlisnyi-aps-01 revision posted to IETF Datatracker
Day 90
Standards
done
The -01 revision adds two sections to the protocol core. Signed Receipts specifies the receipt a permitted or denied action produces and what a third party can check without trusting the runtime that produced it. Key Rotation specifies how an identity rotates its signing key without invalidating delegation chains already issued under the old one. The draft also carries a visible scope marker for the attribution axes, so the boundary between what the protocol specifies and what it does not is explicit in the text itself. Seventeen pages, idnits clean on the Datatracker run.
AIVSS enforcement-effectiveness v0.1 follow-up shipped
Day 89
Standards
done
v0.1 follow-up landed on aivss-enforcement-effectiveness: VeloGerber's accepted edits, Q1/Q2/Q4 amendments, four new sections, and enforcement_locus added as the seventh canonical receipt field inside the signed set. Status posted to AIVSS#31.
Hermes composition round-trip green against ScopeBlind v0.1.0-alpha.1
Day 89
Standards
done
Composition round-trip verified against ScopeBlind's published signer v0.1.0-alpha.1, both paths, all integrity checks passing. Coordination posted to NousResearch/hermes-agent #11692. The fixture validates APS delegation-receipt wrapping over a third-party signer without modifying either side's wire format, the same composition-as-substrate pattern documented in the conformance suite's composition class.
PR #95 merged: jep.yaml updated for JEP draft-06 boundary
Day 88
vocab
done
jep.yaml crosswalk updated to the JEP draft-06 boundary, with an Experimental Internet-Draft status marker added as a fast-follow.
draft-pidlisnyi-aps-01 submitted to the IETF Datatracker
Day 87
Standards
done
Revision -01 of the APS Internet-Draft submitted. Adds Signed Receipts (section 5) and Key Rotation (section 2.3) as new normative content. idnits clean, 17 pages, sole author, expires 2026-11-15.
Company/protocol domain split: agent-passport.org becomes canonical
Day 86–88
Comms
done
The protocol site moved to its own repo and domain. agent-passport.org now carries the canonical protocol surface (blog, worklog, roadmap, docs, research); aeoess.com is the company surface. Content pages, the canonical blog and the updates feed were migrated and the design system aligned across both.
Conformance: a2a-1496 negative-path fixtures land (4 CTEF v0.3.2 §A vectors)
Day 86
Standards
done
Scaffold plus four CTEF v0.3.2 §A negative-path conformance vectors merged at aps-conformance-suite, all passing lib.ts.
gitagent-protocol#73 merged: optional cryptographic-identity RFC
Day 86
Standards
done
Our RFC proposing an optional cryptographic identity layer for gitagent manifests was merged into open-gitagent/gitagent-protocol by the maintainer. The layer is optional, not a required dependency.
PR #67 merged: invariant-survival.md descriptor doc (re-land of #51)
Day 86
vocab
done
invariant-survival descriptor documentation merged at the vocabulary repo, a re-land of the earlier #51.
PR #91 merged: budget_reservation.yaml v0.1 + domain_incubation validator gates
Day 86
vocab
done
budget_reservation crosswalk v0.1 merged at the vocabulary repo, with validator support for a domain_incubation crosswalk_type carrying a three-concurrent cap and 90-day sunset, maintainer-only.
PR #92 merged: crosswalk/cycles.yaml v0.1
Day 86
vocab
done
Cycles budget-authority signal-type rows merged as crosswalk/cycles.yaml v0.1, contributed by amavashev.
PR #96 merged: crosswalk/mycelium-trails.yaml v0.1
Day 86
vocab
done
TrailRecord byte-contract adoption merged as crosswalk/mycelium-trails.yaml v0.1, with giskard09's confirmed values folded in.
budget_authority renamed to budget_reservation; reserve/query downgraded
Day 85–86
vocab
done
Renamed the budget_authority namespace to budget_reservation across vocabulary.yaml and the validator to avoid semantic collision with APS delegation authority. reserve and query_* verbs downgraded from candidate to proposed. Landed via PR #91.
Three substantive maintainer posts landed on A2A#1829 the same evening. jschoemaker (Envoys SDK) independently byte-match verified our envoys-rfc9421 composition fixture against §13 Vector 2, confirmed the §13 keypair is cross-impl-deliberate, and endorsed Hippo (lawcontinue/hippo-auth) landing as a sibling at aps-conformance-suite/fixtures/composition/hippo-rfc9421/. kenneives (AgentGraph PDR/CTEF) committed to hosting the v0.3.3 shared working doc at agentgraph-co/agentgraph/docs/standards/v0.3.3-working-doc.md with three artifact slots (envelope-shape diff, unified error enum, cross-extension fixture matrix). arian-gogani (Nobulex) confirmed the canonicalization stance: JCS + numeric profile, no floats in canonical hash scope, semantic equivalence at tool-version layer not chain layer. APS reply landed same evening acking all three, refining the five-layer composition framing to per-receipt-type layer attribution (delegation_receipt at authority, bilateral_receipt at envelope, rotation-attestation at continuity). spending_authorization claim subtype response committed for May 18.
media.html press kit expanded with five new sections for State of Agent Security launch
Day 84
infra
done
Pre-press-launch expansion of /media.html with five additional sections matching the existing contact-row design pattern. Problem we solve (one-paragraph framing of the verifiability gap APS closes). Recent coverage (State of Agent Security 2026 reference with embargoed-quotes contact). Standards body work (IETF Internet-Draft, AAIF #14 in Linux Foundation CA review, A2A #1786 + #1829, OWASP AIVSS #31, agent-governance-vocabulary, OpenSSF / ACP / DIF). Business model (open protocol + commercial gateway, Team tier $99/mo pointer). Recent milestones (nine dated milestones from May 3-12, 2026). Total page now 12 sections, 262 lines. og-default.png verified live at 1200×630 HTTP 200. All numbers verified against current canonical values.
PR #91 budget_authority.yaml v0.1 opens at vocab repo, amavashev approved
Day 84–86
vocab
done
First-ever budget-authority crosswalk file landed at aeoess/agent-governance-vocabulary as PR #91 with six canonical verbs (reserve, commit, release, refund, query_budget, query_reservation) and per-verb candidate/proposed status convention aligned to vocabulary.yaml. Three commits on feat/budget-authority-crosswalk-v0.1 branch: 9db901a validator patch (+5 lines, parallel domain_incubation exemption to rfc_category_reverse), efa8d39 crosswalk yaml (+160 lines), ed0fdb6 amavashev review corrections. Cycles maintainer @amavashev reviewed against runcycles/client.py:97-110 + cycles-protocol-v0.yaml, flagged two corrections (query_budget + query_reservation distinct verbs not multiplexed, refund cycles row admin-plane operations note), then APPROVED. Track B review pass complete with three-engine independent review and adversarial phase. Public Track B promotion threshold (two production implementations) satisfied for four of six verbs after amavashev signoff. @Ectsang signoff on goodmeta column still open. v0.2 forward-watch flagged on Cycles /v1/decide pre-check verb pending goodmeta analog confirmation.
Roadmap drift cleanup: eight items flipped across two commits
Day 84
Ops
done
Pre-press-launch audit caught drift between closed-work tracking and roadmap status fields. Commit 6b739db flipped five items to done (coinbase-crewai cross-pollination, vocab system_attributes wave, A2A#1786 byte-match ack, A2A#1786 CAI extension proposal, openclaw#49971 integration surface) plus one to dropped (MoltyCel harness#1 resolver adapter per Day 77 CTO call). Commit a436374 flipped two more to done (SSRN five-paper approval, vocab #58 epoch enum) plus one to dropped (in-toto SVR PR #549 closed unmerged April 28, no aeoess activity in 30 days). Counts moved from 194/19/0 to 201/11/2 across done/in_progress/dropped. Closes the 'filed at audit-time, never updated at ship-time' drift pattern.
SSRN approves five APS research papers for academic indexing
Day 84
Research
done
Five APS research papers cleared SSRN review and entered the academic indexing pipeline with DISTRIBUTED status. Paper 1 The Agent Social Contract (abstract 6677378, DOI 10.2139/ssrn.6677378), Paper 2 Monotonic Narrowing for Agent Authority (abstract 6415678, DOI 10.2139/ssrn.6415678), Paper 5 Physics-Enforced Delegation (abstract 6677418, DOI 10.2139/ssrn.6677418), Paper 7 Cognitive Attestation (abstract 6677441, DOI 10.2139/ssrn.6677441), Paper 8 The Evidence-Safety Gap (abstract 6684401, DOI 10.2139/ssrn.6684401). Each routed to five-to-six CS networks where reviewer audiences read (Artificial Intelligence eJournal, AI Law Policy & Ethics, Cybersecurity Privacy & Networks, Theoretical Computer Science, Quantum Information, Generative AI). Author page at ssrn.com/author=10731856. Crossref also requested permission to auto-update ORCID 0009-0002-4700-3594 with DOI cross-references for the published works. aeoess.com/research stays canonical.
AIVSS v0.1 review pass converged with VeloGerber on AIVSS#31
Day 83
Standards
done
The review covered the Q1 to Q4 open questions, proposed five section edits and four new sections, and flagged four threat-model gaps. All decisions accepted with two strengthening amendments: a signed published-scheme artifact for Q1 and a mandatory constraint_set_sha at v0.1 for Q4. The v0.1 follow-up shipped Day 89.
envoys-rfc9421 composition fixture shipped: 3 vectors, 39 PASS / 0 FAIL
Day 83
Standards
done
Shipped to the conformance suite at commit c16aa049. Three deterministic vectors over jschoemaker's @envoys/sdk v1.4.0 keypair: a plain RFC 9421 wire signature, the same wrapped in a bilateral_receipt, and that embedded as the final delegatee in a three-link APS delegation chain. SHA-256 byte identities recorded, three back-to-back byte-identical runs. kenneives endorsed it on A2A#1829 and committed to cross-link it from CTEF v0.3.2.
Libria codifies four-layer composition; three endorsements on the standalone-section promotion
Day 83
Standards
done
Libria, lead author of the A2A#1496 base identity framework, posted three coordinated confirmations across A2A#1575, #1786, and #1829. The four-layer composition was codified: wire signature, identity framework, identity claims, delegation and continuity. APS delegation_receipt references #1496 chain entries as an inner cryptographic hop rather than forking the primitive. Three independent endorsements now sit on the standalone-section promotion, the production-implementer threshold for normative status.
AIVSS v0.1.1 patch: all eight VeloGerber v0.1-review findings applied
Day 82
Standards
done
Patch landed direct to main at commit 0b78498 within twelve hours of VeloGerber's v0.1 review. Two HIGH plus six MED-LOW findings resolved across the substrate-count discriminator, condition-set syntax, evidence-set proof signing, and the per-condition attestation question.
argentum RFC 001 goes Active; genesis stake records committed
Day 82
Standards
done
giskard09 published argentum RFC 001 at Active status on the feat/mycelium-trails branch, genesis records committed the same day. argentum consumes the APS receipt fields payment_hash, rail, amount, timestamp; stake computation reads scope through receipt.delegation_ref into the delegation chain, keeping receipt and delegation as separate layers.
Week 1 interop signals locked; nanookclaw PDR attestation key confirmed
Day 82–100
vocab
done
vocab #36 reply confirmed nanookclaw's dedicated PDR attestation key. Week 1 interop locks to two signals, AgentID chain root paired with PDR continuity closing via a recompute property over evidence_inputs. Full four-signal compose with the Nobulex byte-match verifier from arian-gogani is scheduled for Week 2.
First external PR on aivss-enforcement-effectiveness merged
Day 81
Standards
done
VeloGerber published the canonical race-test fixture for the time-to-enforce dimension at race-test-fixtures/audit-pack-signing-v0.5/. Three additive files: spec.md (140 lines, sha-256 c5f62c9fce6e08b55dab6dfbc8caa0196af61db1eddd0046b43dfa21c9261f28 byte-matches the WORKING-TEXT.md citation at five locations), race_test_runner.py (211 lines pure-stdlib portable runner), README.md. Fresh-checkout reproduction landed 6004 requests, 12 ACCEPTs after revoke commit, P99 4.57ms within the 50ms spec bound. PR-MERGE-PROTOCOL Track A discipline applied: phase 0 classification, phase 1 adversarial first read, phase 2 claim extraction, phase 2.5 contributor profile, phase 3 executable verification, phase 4 live invariants cross-check, phase 5 charitable read, phase 6 escalation triggers. Audit memo retained internally. AIVSS#31 follow-up posted granting redacted-incident-receipt path under race-test-fixtures/multi-tenant-isolation-precondition/.
Pre-press-launch freshness sweep + propagate.mjs hardened
Day 81
infra
done
Two-commit pass on aeoess_web before May 12 AgentGraph 'State of Agent Security 2026' press launch. Path A (commit 8e6474f) hand-fixed seven public files: .well-known/security.txt critical fixes (publicly-visible internal note dropped, Policy header repointed from deleted /security.html to /contact.html#security), .well-known/mcp.json full version + count + date refresh (parsed by MCP discovery clients), llms.txt + llms-full.txt + README.md version bumps and dead-link cleanup, .well-known/agents.json + protocol-registry.json date refresh (65/39 days stale). Path B (commit 59ef764) extended propagate.mjs: PYTHON_VERSION case added entirely (was read from project-state.json since Day 76 but never propagated, letting alpha.0 -> alpha.3 survive three publishes), SDK_VERSION + MCP_VERSION extended with npm @-syntax patterns and prose forms, .well-known/security.txt enrolled in target list. og-default.png 1200x630 social card shipped (commit 4a4582f) with meta tags swept across 27 pages. /media.html press kit page rebuilt from redirect stub (commit 884ec79) with 10 sections of verifiable-only claims, /contact.html Press row added.
Coinbase agentkit + crewAI Guardrails ecosystem cross-pollination
Day 80
Ecosystem
done
Two substantive ecosystem engagements landed today. (1) coinbase/agentkit#1091: replied to Aigen-Protocol's SafeRouter pitch with a two-layer composition reading. APS as the pre-execution authorization-receipt layer; SafeRouter (atomic-revert via TokenUnsafe custom error on Base mainnet) as the on-chain target-safety layer. Five payment-rail binding adapters in v2 cited (ACP, AP2, x402, Stripe-Issuing, MPP); SafeRouter could slot in as a sixth via vocab crosswalk. (2) crewAIInc/crewAI#4877: proposed a common GuardrailDecision audit-metadata shape (verdict, namespaced reason_code, decision_id, policy_id, timestamp, provider-specific metadata bag) responding to @0pen7ech's question. Two providers converged on the shape so far (APS + AgentID via @haroldmalikfrimpong-ops, who corrected L0-L3 and folded in concrete reason_codes). Vocab crosswalk merge 9aef69a anchors the GuardrailDecision-deny semantic at the canonical-vocabulary layer.
Cross-rail PaymentReceipt locked with Mycelium + Asqav
Day 80
Protocol
done
Three independent persistence surfaces (APS, Base mainnet via Mycelium, RFC 3161 + OpenTimestamps via Asqav) aligned on the existing PaymentReceipt shape with zero new types. Permit/revocation/re-issue lifecycle fixture landed in src/v2/payment-rails/stripe-issuing/fixtures/. Mycelium companion PR #24 merged with anchoring framing tightened post-hostile-review (Base mainnet anchoring queued, not yet live). Posted on stripe/ai#356 thread.
Mycelium cross-rail anchoring confirmed live on Arbitrum One + Base mainnet
Day 80
Protocol
done
argentum verify endpoint returns dual-chain anchors per receipt-id under anchors.arbitrum (chain_id 42161) and anchors.base (chain_id 8453), with real block numbers and tx_hashes for all three cross-rail fixture trail_ids (permit / revocation / re-issue). Three-surface alignment operational with on-chain commitment: APS receipt structure (Ed25519 + JCS + SHA-256, cross-language byte-parity TS plus Python), Mycelium TrailRecord dual-chain anchored, Asqav protectmcp:lifecycle (RFC 3161 timestamp + OpenTimestamps async). CLAIMS.md entry marked RESOLVED. Cross-rail fixture metadata updated in lock-step with the deterministic generator at SDK commit 24f5bdd (receipt IDs unchanged; metadata only).
VeloGerber concurred on all four points and proposed a four-axis dimension structure for v1.0: structural enforcement (binary, multiplier), empirical block-rate (continuous via RMF receipts), time-to-enforce (tiered with rail-anchored thresholds), enforcement_locus (enum, vendor-trust dependency). Co-authorship accepted with scoping that keeps the artifact tight: a working document on the enforcement_effectiveness dimension family, separable from the broader AIVSS v1.0 rubric. Inviting #32 contributors into the same working text since the structural-axis-dominance argument depends on the §3.2 cryptographic-enforcement multiplier they pinned. Cadence proposed: v0.1 to v0.2 cycle, v0.2 to include any third-implementation reproduction (Nobulex, asqav, Mycelium, AgentID candidates).
OWASP race-test runner shipped — methodology portability across two substrates
Day 80
Standards
done
Open-source race-test runner against APS SDK's RevocationStorage primitive landed at SDK commit 20de7e9. Same methodology shape as VeloGerber's audit-pack-signing v0.5 fixture (4 workers, 500 qps, 3 seconds, 3 runs, 18,000 requests; revocation fires at run midpoint; measure time from revocation commit to last ACCEPT for the revoked delegation). Day 80 baseline: 18,000 requests, 0 ACCEPTs after revocation commit, P50/P95/P99/MAX = 0.00ms across all percentiles. Identical headline numbers across two independent substrates (in-process Map vs SQLite WAL multi-process). Methodology portability empirically established. Public-commitment closed within 12 hours of being made on a formal standards-body surface.
Pricing page goes live with working checkout
Day 80
infra
done
Team tier ($99/month, 14-day trial) actually purchasable end-to-end. Stripe payment link wired to /welcome.html on success. Cloudflare Worker at hook.aeoess.com receives Stripe webhook events (checkout.session.completed, customer.subscription.deleted, invoice.payment_failed), verifies HMAC-SHA256 signature, sends notification email to signal@aeoess.com via Resend, and sends welcome email to the customer with 24-hour manual-provisioning posture. Three internal updates landed: CLAIMS.md RESOLVED on Mycelium dual-chain framing, new memory rule for standards-body vs major-company-observer signature forms, orphan $499/mo Enterprise price archived to keep the page sales-led.
Vocab system_attributes wave: three merges, two opens, one under review
Day 80
vocab
done
Three vocab merges and two new opens against the system_attributes enum from #77. PR #78 (nutstrut SAR system_attributes) and #79 (nutstrut continuity-analyzer system_attributes) merged Track A with conformant values (classical, jcs-rfc-8785, sha-256) after maintainer-edit fixed schema-conformance drift. PR #86 (validator enum enforcement) merged so future drift bounces at CI. Issue #87 opened on temporal-correctness gap (system_attributes lacks maintenance-status binding); recommended Option C (punt to v0.4, revisit on first cross-impl byte-match divergence) endorsed by AgentID maintainer @haroldmalikfrimpong-ops. PR #88 (validator soft-fail warnings on non-string values + unknown attribute names) opened. PR #89 (kenneives AgentGraph crosswalk, +403 lines, closes #82 hygiene gap) under hostile review with all live claims verified (5 URLs, JWKS to DID cryptographic chain, CTEF spec_anchor commit, vocabulary.yaml issuers_in_production cross-reference).
Vocab validator blocks phantom-issuer drift
Day 80
vocab
done
PR #86 opened on agent-governance-vocabulary. CI validator now rejects any signal that lists a third-party issuer in production without a corresponding registry entry at maturity:in_production. Structural prevention of the failure class surfaced by the Day 76 audit (RNWY listed in behavioral_trust and wallet_intelligence without registry presence, three additional phantom issuers downgraded to proposed). Validator added to scripts/validate-crosswalks.js as validateSystemAttributes(). Same session: #84 (asqav step-2 fixture) and #85 (AgentID crosswalk file) merged, #68 (Cursor Hooks crosswalk) merged, #50 (alexchenai SWORN crosswalk parked) closed for good, #78/#79 schema-mismatched values corrected via maintainer-edit awaiting nutstrut ack.
Footer migration across all pages, public-drift audit, history scrub
Day 80
Ops
done
Footer rewritten to 4-column commercial structure (Product / Resources / Community / Contact) and propagated across 30 deployed HTML pages with a single canonical hash. contact.html replaced (14K-line bloated version swapped for a ~150-line standalone). board.html removed. opensource.html theme toggle added. Comprehensive gitleaks sweep across 6 public repos found and redacted a Cloudflare tunnel ID leak in roadmap.html via filter-repo history scrub; .gitleaksignore committed in 3 affected repos. Drift-check infrastructure extended with shape-only regex patterns (literal values held in private).
bilateral_receipt three-position convergence with AgentGraph
Day 79
vocab
done
kenneives (AgentGraph) replied substantively at 2026-05-06 05:55 UTC on vocab #81 with concurrence on three positions. (1) bilateral_receipt as the canonical name, preferred over mutual_receipt because reciprocal is not bilateral, and over acknowledgment_receipt as too vague. (2) Hybrid-registry pattern for purpose discriminator: canonical primitive shape with registered_purposes enum, matching the CTEF v0.3.2 §4.5.4 substrate-vs-primitive layering. Avoids the proliferation failure mode (delegation_bilateral_receipt / covenant_bilateral_receipt) and the divergence failure mode (purpose stays implicit, downstream verifiers cannot route). (3) issued_at promoted to normative: TTL semantics need a signed timestamp anchor, or fresh and replayed receipts cannot be distinguished. Track B PR queued behind one open question: arian-gogani (Nobulex) purpose-name preference between covenant_handshake, covenant_completion, and lifecycle_attestation. Schema YAML committed to vocab #81 thread.
Three-thread vocab momentum in 24 hours
Day 79
vocab
done
Three substantive vocab threads progressed within a 24-hour window on 2026-05-05. Vocab #36 (four-signal compose test): jagmarques offered an asqav fixture for step 2 (action authorization) using previous_hash = sha256(JCS(prior_receipt)) chained-receipt digest discipline matching RNWY's middle-slot fixture, plus a one-line PR adding authors: field to crosswalk/asqav.yaml. Reply confirmed both. Vocab #76 (red-team adversarial verdicts): msaleme opened with the question of where adversarial-verdict signals fit in a vocab canonicalizing positive-framed signal types. Reply proposed adversarial_verdict as a new signal_type with concrete schema (subject, test_class, attack_vector enum, verdict, severity, test_run_id, issued_at, signed_by) and polarity at signal-type level rather than as a property field on existing types, citing the closed enum work on error_code and refusal_authority as precedent. Threshold for lock: second production issuer. Vocab #81 documented separately above.
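The chained-receipt digest discipline named in the vocab #36 item, previous_hash = sha256(JCS(prior_receipt)), as an added example (not code from asqav, RNWY or the APS SDK). Receipt fields other than previous_hash, the genesis rule and the sample values are constructed assumptions, and the canonicalizer implements RFC 8785 only for JSON without floating-point numbers.

```python
import hashlib
import json

MAX_SAFE_INT = 2**53 - 1  # JCS numbers are IEEE 754 doubles


def jcs(value):
    """RFC 8785 canonical text for JSON without floats (strings, ints,
    booleans, null, arrays, objects). Floats are rejected because their
    ECMAScript number serialization is not implemented in this example."""
    if isinstance(value, float):
        raise TypeError("floats are outside the subset handled here")
    if isinstance(value, int) and not isinstance(value, bool):
        if abs(value) > MAX_SAFE_INT:
            raise TypeError("integer not exactly representable as a double")
        return str(value)
    if value is None or isinstance(value, (bool, str)):
        # json.dumps with ensure_ascii=False uses the same escapes as JCS.
        return json.dumps(value, ensure_ascii=False)
    if isinstance(value, list):
        return "[" + ",".join(jcs(v) for v in value) + "]"
    if isinstance(value, dict):
        if not all(isinstance(k, str) for k in value):
            raise TypeError("object keys must be strings")
        # RFC 8785 orders keys by UTF-16 code units, not by code points.
        items = sorted(value.items(), key=lambda kv: kv[0].encode("utf-16-be"))
        return "{" + ",".join(
            json.dumps(k, ensure_ascii=False) + ":" + jcs(v) for k, v in items
        ) + "}"
    raise TypeError(f"unsupported type: {type(value).__name__}")


def digest(receipt):
    """sha256(JCS(receipt)) as lowercase hex."""
    return hashlib.sha256(jcs(receipt).encode("utf-8")).hexdigest()


def append(chain, body):
    """Append a receipt whose previous_hash commits to the prior receipt.
    Assumption: the first receipt carries previous_hash = null."""
    receipt = dict(body)
    receipt["previous_hash"] = digest(chain[-1]) if chain else None
    chain.append(receipt)
    return receipt


def first_broken_link(chain):
    """Index of the first receipt whose previous_hash does not match the
    digest of its predecessor, or None when every link holds."""
    if chain and chain[0].get("previous_hash") is not None:
        return 0
    for i in range(1, len(chain)):
        if chain[i].get("previous_hash") != digest(chain[i - 1]):
            return i
    return None


def build_sample_chain():
    """Three constructed receipts; field names are hypothetical."""
    chain = []
    append(chain, {"receipt_id": "r-001", "step": 1, "signal": "trust_verification"})
    append(chain, {"receipt_id": "r-002", "step": 2, "signal": "action_authorization"})
    append(chain, {"receipt_id": "r-003", "step": 3, "signal": "continuity"})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain, broken link:", first_broken_link(chain))

    # Editing receipt 1 is reported at receipt 2, the link that commits to it.
    chain[1]["signal"] = "edited"
    print("after editing index 1, broken link:", first_broken_link(chain))

    # Editing the last receipt is invisible to the chain: nothing commits to
    # it yet, so the tail depends on its own signature or an external anchor.
    chain = build_sample_chain()
    chain[-1]["signal"] = "edited"
    print("after editing the tail, broken link:", first_broken_link(chain))
```

Because the digest is taken over canonical bytes, two issuers that serialize the same prior receipt with different key order still derive the same previous_hash.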
Tier-2 binding-adapter conformance harness landed
Day 79
Protocol
done
55-test harness committed at b505c22 against agent-passport-system payment-rails surface, raising the conformance suite to 2,911 total tests. Validates that every binding adapter claiming to honor bilateral receipts produces byte-equivalent envelope output when fed the same canonical input. Test surface includes happy-path bilateral confirm, partial-acknowledgment refusal, replay rejection on duplicate action_ref, and JCS-canonicalization equivalence across three adapter implementations. Closes the Tier-2 binding adapter conformance commitment (Day 76 internal tracker).
Updates panel: tag colors restored, link contrast brightened
Day 79
Product
done
ship tag now renders P.green (was falling through to ink4 gray). Most updates are ship entries so the panel was reading as monochrome. Link colors brightened in both palettes for readability against dark and light surfaces (light #1a4fa0 to #2563eb, dark #7cacde to #93c5fd). Applied to deployed index.html plus six JSX sources that define kindColor locally (opensource.jsx, restrained.jsx) and the palette source-of-truth (tokens.jsx). v1/v2 destructure the shared window.kindColor and pick up the fix automatically. subpages-1.jsx already had ship: P.green; tier2.jsx uses a different vocabulary unrelated to the Updates panel. Commit 8534ca1.
Full website redesign shipped
Day 78
Product
done
Six commits land the v4 redesign on aeoess.com: 33-page restrained design language, per-page SEO meta with JSON-LD Organization schema, removed Updates rail from the homepage to recover hero focus, working desktop dropdown menus without React, fully wired navigation and footer (every href points to a real page), APS logo clickable, '8 papers' linked to ORCID 0009-0002-4700-3594, draft-pidlisnyi-aps-00 linked to IETF datatracker, agent-discovery <link rel='alternate'> tags in <head> on all pages (llms.txt, llms-full.txt, AGENTS.md, .well-known/mcp.json, .well-known/aps.txt), new /sitemap.html overview catching the 17 secondary pages no nav reaches, and a runtime dark/light theme toggle. Footer tagline updated from 'Open protocol for governing AI agents' to 'Open-source enforcement protocol for AI agents'.
Bilateral receipt cross-impl byte-match against qntm v0.3.1 fixture
Day 77
vocab
done
APS canonical-bytes path on src/core/bilateral-receipt.ts (canonicalize(body), sorted-keys JSON; RFC 8785 JCS for the v2/accountability bundle module) verifies 5/5 against desiorac's bilateral receipt fixture in corpollc/qntm v0.3.1. This is third-party byte-match independent of the Wave 1 cross-language scenarios published Apr 30 to May 02 (Python 2.4.0a1 ports across 27 fixture scenarios). Mirror offered into aeoess/aps-conformance-suite as a regression test ahead of desiorac's qntm v0.3.2 mid-May publish; desiorac is a substantive bilateral-receipt contributor distinct from the broader vessenes thread.
Phase 4.1 alpha across four registries
Day 77
Protocol
done
Phase 4.1 of the SDK published to npm (agent-passport-system@2.6.0-alpha.2), PyPI (agent-passport-system==2.4.0a2), ClawHub (agent-passport skill 5.9.0), and the MCP server on npm (agent-passport-system-mcp@3.2.0). Three architecture decisions merged earlier in the day: Q1 (rail receipts as accountability evidence with claim_type, scope_of_claim, and timestamp fields), P12 (DID URI signing with rotation-aware verifier walking RotatableDIDDocument.verificationMethod and respecting retiredAt markers), Q2 (optional PaymentObligationRef and cross-receipt link fields for hybrid Option C settlement binding). Test count moved 2,711 to 2,884 across the three branches.
Cross-language byte-parity reached across full Wave 1 surface
Day 76
Protocol
done
Python SDK 2.4.0a1 ports the full Wave 1 governance surface from TS SDK 2.6.0-alpha.0: v2/accountability/* (action, authority-boundary, bundle, custody, contestability), v2/cognitive_attestation/*, v2/instruction_provenance/*. Plus the four evidentiary type safety primitives (claim_evidence_types, claim_verifier, downstream_taint, minimal cascade ContestabilityReceipt) ported earlier in the day as 2.4.0a0. Cross-impl byte-parity verified across 27 test scenarios: 15 evidentiary type safety (9 verifier + 6 cascade) plus 12 Wave 1 (5 accountability fixtures shipped from TS SDK at src/v2/accountability/fixtures/*.fixture.json plus 7 generated for cognitive_attestation and instruction_provenance via tests/v2/fixtures/wave1/_generate.mjs pinned to agent-passport-system@2.6.0-alpha.0). Python canonical-JSON output and sha256 hashes match TS-generated fixtures byte-for-byte across all 27 scenarios. Test count 398 to 518.
SDK 2.6.0-alpha.0: v2 evidentiary type safety primitives
Day 76
Protocol
done
Four new v2 modules: claim_evidence_types registry with BATCH_ATTESTED and EVIDENCE_CUSTODY_HELD extensions (Module 1 + Module 1a), claim_verifier (Module 2), contestation cascade with verifier hook (Module 4). Plus path-scoped cycle detection and dedupe in mergeTaints (resolves cross-chain skip case caught in property test). Compliance-complete failure scenario added for EFFECT_SAFETY_ATTESTED. Postpublish wrapper fixed to surface real errors instead of masking them. Test count 2,545 to 2,586 across the day.
Vocab phantom-issuer audit: PR #74 + PR #75 merged
Day 76
Protocol
done
Two cleanup PRs landed in the agent-governance-vocabulary repo. PR #74 removed RNWY from behavioral_trust and wallet_intelligence after verification couldn't confirm those signals are issued in production. PR #75 marked passport_grade with status: proposed (downgrade from canonical) because APS is currently the sole production issuer and the canonical-promotion rule requires two independent implementations. Single-source-of-truth discipline maintained. Vocabulary registry now reflects only verified production attributions.
Drift prevention infrastructure: four layers across eight public repos
Day 75
infra
done
Four-layer structural backstop against private-context drift into public repos. Layer 1: pre-commit hook scanning staged content against hard-block and soft-warn pattern lists. Layer 2: GitHub Actions workflow running the same pattern check on every push. Layer 3: standardized .gitignore block excluding categories that should never enter version control. Layer 4: final scan inside scripts/propagate.mjs runs the same check before any cross-surface update touches the file system. Installed across agent-passport-system, agent-passport-mcp, agent-passport-python, aeoess_web, agent-governance-vocabulary, aps-conformance-suite, agent-ecosystem-map, intent-network-api. Seventeen commits.
Vocab validator hardened: nested descriptor walk + #57 legacy whitelist
Day 75
Protocol
done
Two improvements to scripts/validate-crosswalks.js. Improvement 1: walks descriptor_dimensions blocks nested under signal_types.<key> entries, catching stale dimension values inside per-signal-type descriptor overrides that the previous validator skipped. Improvement 2: legacy whitelist file at scripts/legacy-descriptor-overrides.yaml preserves three pre-#57-resolution descriptor uses (dcp-ai active today, jep and fidelity-spec latent until those maintainers reformat) without warning maintainers, with resolution_issue annotation. Validator state post-hardening: 5 errors, 11 warnings across 26 crosswalks. Regression-tested with nested-descriptor fixture using deprecated value (errors as expected, baseline restored).
A2A #1786: Nobulex byte-match verifier scripts acknowledged
Day 74–75
Ecosystem
done
arian-gogani (Nobulex) shipped reciprocal byte-match verifier scripts at github.com/arian-gogani/nobulex/tree/main/scripts: verify-aps-byte-match.mjs and verify-ctef-byte-match.mjs. Acknowledgment posted to A2A #1786 thread. Reciprocal verification queued for Day 75 morning: run Nobulex's scripts against APS fixtures, post receipt artifacts to thread, link both verifier scripts from APS fixture README. Pattern: APS publishes fixtures, peer publishes reciprocal verifier, APS publishes counter-verification, the loop closes byte-by-byte. This is the ninth way of verifying APS fixtures.
VeritasActa verify PR #7: cross-layer integrity 10/10
Day 74
Ecosystem
done
VeritasActa Knowledge Unit bundle with sidecar-anchored APS DecisionLineageReceipt verifies end-to-end against a sidecar JWKS. Ten access receipts, all hash-matched across both layers (KU layer and APS layer); APS signature valid against sidecar JWKS kid:aps-ku-cross-verify-v1. Tamper-detection holds across both layers when individual receipts are altered. The integration demonstrates that APS DecisionLineageReceipts can ride alongside an external knowledge-attestation format without either layer needing to absorb the other; the sidecar JWKS pattern lets the consumer verify both layers independently and cross-check at action time.
Vocab PR #66 merged: Edison's Agent-DID crosswalk
Day 74
Ecosystem
done
Edison Munoz Duran's Agent-DID crosswalk lands as the second co-drafted-with-aeoess crosswalk in the vocabulary. The first was the original AAIF entity_continuity work; this is the second public collaboration where aeoess and a co-author share the spec branch. The A2A composition contract co-drafting now runs on a shared spec branch with Edison; APS pushed the canonical spec to edisonduran/agent-did spec/a2a-composition-contract branch (commit 3fc3838); Edison confirmed pull. The pattern: external project authors a crosswalk, aeoess merges, then both projects co-draft the next interop primitive on a shared branch. Ecosystem hospitality compounding.
Wave 1 accountability MVP shipped: five signed receipt primitives
Day 74
Protocol
done
Wave 1 accountability surface added to SDK v2.5.0-alpha at src/v2/accountability/. Five signed receipt types: ActionReceipt (aps:action:v1), AuthorityBoundaryReceipt (aps:authority_boundary:v1), CustodyReceipt (aps:custody:v1, eight event types and seven purposes), ContestabilityReceipt (aps:contestability:v1, affected-party challenge with controller response), APSBundle (aps:bundle:v1, signed aggregation envelope with balanced Merkle commitment). All RFC 8785 JCS canonicalized, all Ed25519 signed, all content-addressed. Design principle: verbal confessions, not brain scans. Every receipt declares scope_of_claim with explicit does_not_assert; honest scope is mandatory and part of the cryptographic integrity surface. 57 new tests across six suites (action 8, authority-boundary 7, bundle 12, custody 15, contestability 10, fixtures 5). Full SDK suite 2,536/2,537 pass, 0 fail, 1 pre-existing skip. Cross-impl byte-match anchor: five deterministic JSON fixtures using fixed Ed25519 private keys and timestamp 2026-04-30T00:00:00.000Z. Ships toward EU AI Act Article 12/14, GDPR Article 22, FRE 902(13)/(14). MCP v3.1.1 picks up the dependency, Python v2.3.0 ships for parity, ClawHub skill v5.8.0 carries the new surface.
ORCID profile 0009-0002-4700-3594 live
Day 73
Research
done
ORCID profile populated as Independent Researcher / Founder of APS. All 8 papers indexed via DOI lookup. Five featured: Agent Social Contract, Physics-Enforced Delegation, Cognitive Attestation, Monotonic Narrowing, Behavioral Derivation Rights. The Evidence-Safety Gap paper added on the same day as publication. Bio frames the protocol scope without the cross-disciplinary career narrative. Websites: APS, Personal, GitHub (APS), APS SDK on npm. Keywords mirror paper-level keywords scoped broader: AI agents, multi-agent governance, cryptographic identity, delegation, Ed25519, agent attestation, governance protocols, mechanistic interpretability, accountability, open protocols.
Paper 8 published — The Evidence-Safety Gap
Day 73
Research
done
The Evidence-Safety Gap in Cryptographic Agent Governance: Compliance-Complete Failures and the Limits of Receipt-Based Accountability published on Zenodo (DOI 10.5281/zenodo.19914628). Defines compliance-complete failure as the simultaneous condition of procedural validity and unsafe effect. Names five omitted-variable classes (semantic, population, trust, pipeline, temporal state). Constructs explicit defeat traces against receipt-chain forensic signals in an open-source reference implementation. Two design implications follow: claim-scoped receipts and authorization-effect separation. Neither closes the gap; both make it visible and auditable. The minimal contribution is the formal separation of procedural validity from effect safety in receipt-based agent accountability — a vocabulary for the failure class the protocol's own success creates.
Three SSRN submissions: Papers 1, 5, 7
Day 73
Research
done
Agent Social Contract (Paper 1, z.18749779), Physics-Enforced Delegation (Paper 5, z.19478584), and Cognitive Attestation (Paper 7, z.19646276) entering SSRN today. Each paper classified into five-to-six CS networks where the actual reviewer audience reads — Artificial Intelligence eJournal for the broad AI audience, Artificial Intelligence Law Policy & Ethics for auditability and governance angles, Cybersecurity Privacy & Networks for cryptographic primitives, Theoretical Computer Science for cryptography and distributed computation, Quantum Information for the IBM hardware experiment, Generative AI for the Llama-3.1 sparse autoencoder work. Classifications are routing decisions, not decoration. Author affiliation: Independent Researcher (corrected from auto-pulled GitHub Inc). Declaration of interest statements explicit about IBM Quantum and Neuronpedia third-party infrastructure use with no funding role. [APPROVED 2026-05-11: SSRN approved 5 papers per email notification.]
Vocab PR #52 merged — entity_continuity PDR validator (co-authored @nanookclaw)
Day 73
Ecosystem
done
PDR validator for behavioral-fingerprint-drift detection. 309 LOC pure-Node, zero deps, 32-test suite, four reference fixture vectors. Complementary to continuity-analyzer's structural fixture, addressing the namespace decision settled on Day 67. Co-authorship with @nanookclaw declared on PR per their explicit Apr 26 11:47 concurrence on the original issue.
Vocab PR #61 merged — epoch enum
Day 73
Ecosystem
done
lawcontinue's epoch added to validity_temporal enum: observer-relative ticks on substantive state transitions, distinct from sequence's event-relative counts. Issue #58 settled with @lawcontinue's endorsement after three-way independent convergence (lawcontinue, kenneives, srotzin) on Day 71. Vendor-neutrality fix applied during review (commit 9cf2a1db).
Vocab PR #62 merged — refusal_authority correction
Day 73
Ecosystem
done
governance_attestation.refusal_authority brought into formal enum compliance: structurally_impossible_to_violate → issuer. One-line correction; the original value wasn't enum-valid anyway. @lowkey-divine concurred on issue #57 before merge.
Vocab #58 epoch enum: three-way independent convergence
Day 71
Protocol
done
Proposal to add epoch as the sixth value in the validity_temporal enum (alongside immediate, decay_window, refresh_required, expires_at, condition_satisfied). The semantic gap epoch fills: distinguishing observer-relative event sequencing from substantive state transitions, where two verifiers of the same wall-clock window may reasonably count different numbers of events but agree on coarser substantive transitions. Three independent endorsements landed: lawcontinue (distributed inference setup, 50-token generation produces 50 sequence ticks but zero state transitions), kenneives (AgentGraph CTEF v0.3.1 session_epoch maps onto epoch verbatim once the enum lands), srotzin (HiveTrust + cont_epoch on continuity layer, plus substantive-transition lower bound clause for the PR description: epoch ticks MUST be coarser than per-call I/O). Direction locked, PR followed and issue closed 2026-04-29.
Vocab PR #53 merged: AgentNexus three-issuer fixture (Interop Week 1 Step 2)
Day 71
Ecosystem
done
kevinkaylie merged Step 2 of the four-signal compose test for Interop Week 1. AgentNexus governance attestation as the second link in the chain after AgentID's trust_verification (PR #38). JWS Ed25519 signatures verified end-to-end. prior_signal_digest matches Step 1's compound_digest byte-exact (621d40f1701521f9af084a08476a2deebd49f02ff0b9d7e7808b6a05c6fcad91). Squash-merged at 16:22:42Z. Step 3 (continuity-analyzer) and Step 4 (composition-behavioral-trust.json by nanookclaw, blocked on middle-issuer alternative) follow.
Vocab PR #59 merged: DCP-AI crosswalk
Day 71
Ecosystem
done
lktron00 (Danilo Naranjo Emparanza, ORCID 0009-0003-7520-8527) merged the DCP-AI (Digital Citizenship Protocol for AI Agents) crosswalk. 570 lines. Composite Ed25519 + ML-DSA-65 (FIPS 204 level 3) signatures shipped from day one across four reference SDKs (TypeScript, Python, Go, Rust + WASM). Real production deps: @noble/post-quantum + tweetnacl in npm. 72KB interop test vectors, 11.8KB normative canonicalization profile (dcp-jcs-v1). Calibration discipline strong: passport_grade declared non_equivalent_similar_label with 'do not treat tiers as trust grades' note, 8 explicit no_mapping entries each naming the production issuer for the gap. Version-discrepancy disclosure (npm 2.1.1 vs PyPI/crates 2.8.1) honest and explained. Identity verified: dcp-ai.org, getocular.ai, ocularsolution.com all live, 6-year GitHub account. Cross-implementation round-trip is the bar before issuers_in_production addition; lktron00 committed to running it against APS, Nobulex, or SINT this week.
aeoess/aps-conformance-suite v0.1.0 live
Day 70
Protocol
done
Packaged corpus of byte-identical test vectors for Agent Passport System cross-implementation conformance. 37 fixture vectors across 4 categories: bilateral-delegation (10 vectors), inference-session (7 vectors), instruction-provenance (10 vectors), aivss-scenarios (10 vectors covering OWASP AIVSS §3.6.1 through §3.6.10). TS reference runner. .well-known endpoint mirror following the agentgraph.co/.well-known/cte-test-vectors.json pattern. All vectors deterministically reproducible from a fixed Ed25519 seed, JCS-canonicalized, signature-verified. Apache-2.0. Spec refs: 8 papers (Zenodo) + draft-pidlisnyi-aps-00.
MS AGT contributor-check installed across three active repos
Day 70
infra
done
GitHub Actions workflow installed on agent-passport-system, agent-passport-mcp, agent-governance-vocabulary. Pinned to AGT v3.3.0 (commit 15e001f9b53f). Profile + credential checks run on opened PRs and issues from external contributors. Cluster detection opt-in via workflow_dispatch (API-heavy). Risk threshold set to HIGH for the calibration window so only HIGH-risk events trigger public PR comment + label. Excluded actors: dependabot[bot], github-actions[bot], copilot-swe-agent[bot], aeoess. Validation runs: lawcontinue scored LOW (legit dev), mrperfectness-sketch scored MEDIUM (canary), aeoess scored HIGH (three signals fired: recent_repo_burst 41 repos in 90 days, cross_repo_spray 72 repos in 7 days, credential_laundering across 5 repos).
Discussion #20: The threat is laundering, not cyborg contribution
Day 70
Ecosystem
done
Public Discussion opened in aeoess/agent-passport-system on substance evaluation as the layer above pattern detection. Endorses Imran's contributor-check tool, names that most active contributors in agent-governance today are human + AI systems (including aeoess), draws the substance-vs-pattern line. Names internal Model Citizen mode framing publicly. Includes the actual HIGH score and three signals fired against the aeoess account when run through contributor-check, framing the cross-repo activity as independent convergence rather than coordination. Companion comment on microsoft/agent-governance-toolkit#1473 linking back to the discussion.
aeoess/governance-attestation-predicate v0.1 live (in-toto sibling to Decision Receipt)
Day 70
Protocol
done
in-toto Statement predicate binding agent authority-to-act: delegation chain root, principal signature, scope narrowing invariants, Values Floor attestation hash. Predicate type URI https://aeoess.com/attestation/governance/v0.1. JWS + Ed25519. Sibling to nobulex's Decision Receipt PR (in-toto/attestation#549). Composition: Decision Receipts reference GovernanceAttestation by digest in subject.digest.sha256, walking the chain proves both axes. 5 fixture vectors deterministically reproducible (minimal-tier-1-self-delegation, multi-hop-delegation-tier-2, expired-window, monotonic-narrowing-violated, chain-root-mismatch). 29 tests pass including a composition test that exercises the full round-trip with tampering detection. Public notice posted on in-toto/attestation#549 with @arian-gogani tagged for the Apr 30 cross-impl round-trip.
aps-system PR #19 merged: seven-vector CTEF inference-session fixture pack (lawcontinue)
Day 69
Protocol
done
lawcontinue shipped a seven-vector test pack for the CTEF inference-session category at fixtures/inference-session/. Each vector covers a different shape of session attribution: clean handoff, mid-inference rotation, distributed cross-node, sequence-bounded validity, parent-chain Merkle anchoring, replay defense, and a negative case where the session_id does not match the canonical JCS hash. Every signature is RFC 8785 JCS-canonicalized and Ed25519-signed. Two structural fixes flagged in review (a session_ids array shape mismatch and a missing parent_receipt_hash wiring on one vector); lawcontinue pushed corrections at commits 95c1ca9c and 73d52c08 in twenty-two minutes. Second time this week he has turned a structural review around inside half an hour. The inference-session pack composes with the existing rotation-attestation fixtures published Apr 24 at aeoess.com/fixtures/rotation-attestation/, giving the SDK two distinct CTEF v0.3.1 fixture surfaces (rotation events plus inference-session attribution). Both lock through the same RFC 8785 JCS canonicalization.
Vocab PR #46 merged: AgentLair becomes the third production issuer of behavioral_trust
Day 69
Ecosystem
done
piiiico's crosswalk/agentlair.yaml merged after one round of structural revision. First iteration mapped AgentLair's TrustProfile to peer_review as primary signal type. The full v0.2 review against piiiico's live envelope and the canonical vocab definitions found that primary mismatched: peer_review is task-completion attestation signed by a delegating agent after a service agent completes work; AgentLair's TrustProfile is aggregate behavioral scoring across events with no task binding. Fix was to promote behavioral_trust to primary with match: exact and demote peer_review to no_mapping with a note explaining the definitional gap. piiiico turned that around in fifteen hours. Same commit added AgentLair to behavioral_trust.issuers_in_production at vocabulary.yaml line ~340, which now lists three independent issuers (RNWY, Logpose, AgentLair) producing real signal data against the same canonical type. That is the production-signal evidence behavioral_trust needs to remain canonical with multi-issuer coverage. Direct commit 0653c1b added AgentLair to issuers_in_production list.
Vocab PR #49 merged: PIC Standard becomes the 23rd crosswalk (action-boundary verification primary)
Day 69
Ecosystem
done
madeinplutofabio's crosswalk/pic.yaml merged at midmorning PT, mapping the PIC Standard's verification-pattern primitive to the vocabulary's canonical signal types. The crosswalk models action-boundary verification as a parallel surface to visa-layer issuance rather than a sub-field beneath it: visa-layer primitives like APS, AgentNexus, and MolTrust handle issuance-side identity and delegation tokens carried by the agent; PIC handles receiver-side fail-closed verification at the action boundary, consuming trust roots that may include visa-layer issuers but owning the verdict primitive itself. Both compose; neither contains the other. The crosswalk landed describing PIC in PIC's own terms first, with the composition pattern documented in the notes block. PIC became the twenty-third crosswalk in the vocabulary registry. Resolution of the visa-vs-verification-gate taxonomy debate that had been open on aeoess/agent-governance-vocabulary#48 for two days.
Vocab PR #51 opened: docs/descriptor-dimensions/invariant-survival.md (co-authored with QueBallSharken)
Day 69–71
docs
done
Single docs-only PR adding docs/descriptor-dimensions/invariant-survival.md, with QueBallSharken (Logpose / BBIS) as Co-authored-by: on the commit. The doc names the BBIS canonical language explicitly at three structural points so the vocabulary references the same vocabulary BBIS uses, not a parallel coinage. Closes the loop on the Apr 23 BBIS-classification-grammar adoption (ENFORCEMENT-TRUST-ANCHOR.md v1.2 from Day 67) by anchoring the same vocabulary in the descriptor-dimensions registry. Awaiting QueBallSharken review.
Vocab PR #52 opened: entity_continuity PDR validator + reference vectors (co-authored with nanookclaw)
Day 69–70
Protocol
done
Validator built directly from nanookclaw's slope-computation spec posted earlier the same evening on issue #36. 309 lines of pure-Node validator (scripts/validators/entity-continuity-pdr.js) with no dependencies, a 32-test suite all passing (scripts/validators/test-entity-continuity-pdr.js, 300 lines), four reference vectors at fixtures/validator-vectors/ covering stable, drifting, improving, and out-of-range agent behavior, and a long-form docs file at docs/descriptor-dimensions/entity-continuity-pdr.md (184 lines). Slope formula from nanookclaw's spec: L2 distance over four normalized fingerprint dimensions, OLS over a window of twelve sessions, max divergence of sqrt(4)=2.0, max possible slope of 2.0/(N-2), score clamped to [0.0, 1.0]. Verified scores: stable=1.0, drifting=0.9212, improving=1.0 (clamped), invalid=exit-1. nanookclaw posted the spec at 21:34Z; the validator opened at 22:52Z. Co-authored-by: Nanook on commit 069ef9a. Closes the Nanook §8 commitment. Complementary to nutstrut's structural continuity-analyzer (vocab PR #42). Awaiting nanookclaw review.
A2A #1786: Cryptographic Agent Identity extension proposal opened
Day 68
Standards
done
Proposal-phase issue opened at a2aproject/A2A per the documented extension-and-binding-governance.md Proposal Phase, requesting maintainer sponsorship to create the corresponding experimental-ext-* repository. Aligned to CTEF v0.3.1 substrate (frozen at agentgraph-co/agentgraph@69ad94d, normative endpoint at agentgraph.co/.well-known/cte-test-vectors.json). Declares claim_type discriminator over the closed set {identity, transport, authority, continuity} with envelope reserved, structural-before-semantic error codes (INVALID_CLAIM_SCOPE, INVALID_COMPOSITION), and uses A2A's existing AgentExtension mechanism (Section 4.4.4) with params carrying per-claim payload — no proto schema changes proposed. Reference URI experimental-ext prefixed: a2a-protocol.org/extensions/cryptographic-agent-identity/v0.3.1. Three correction loops before opening: 9KB extension manifesto rejected for size + wrong process (PR vs issue first), 100-line topic doc rejected for wrong surface (docs/topics/ is core protocol concepts not extension specs) and skipping proposal phase, third draft caught a 404 references link to the rotation-attestation directory before posting (test-vectors.json direct link replaced the 404 path). kenneives posted co-normative AgentGraph endorsement at the top of the thread within 4 minutes of opening including a four-way byte-match harness table. lawcontinue posted substantive question on validity_window for long-running inference sessions; reply confirmed APS already implements sequence_bound continuity, accepted contribution offer for distributed-inference test fixture against APS bilateral-delegation regression.
autogen-governance-adapter: first external security contribution (pshkv PR #1 merged)
Day 68
Comms
done
Second external contributor on the repo after EchoOfDawn's MoltBridge lane opening, and the first security-class PR. Previous _lookup_issuer_key implementation had a silent fallback: if the declared kid did not match any key in the issuer's JWKS, it would accept the first Ed25519 key in the keyset anyway, producing a silent binding failure rather than a rejection. This is precisely the class of implicit-trust hazard the composition-rule discipline in CTEF v0.3.1 §6.3 is designed to prevent. PR tightens to strict kid-match and raises UnknownKeyIdError on mismatch. 16/16 tests green post-merge. Good signal that kid/alg registry discipline (which we have been arguing for in the A2A Agent Cards and CTEF threads) is showing up as concrete patch-level work from independent contributors, not just spec-level advocacy.
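The fallback described in this entry, sketched beside a strict lookup. This is an added example, not the adapter's code: the JWKS contents, the token, and the names `lookup_issuer_key_lenient`, `lookup_issuer_key_strict` and `compare` are assumptions, and only `UnknownKeyIdError` and the kid-match behaviour come from the entry. The strict form here also rejects a missing or duplicated kid, which goes beyond what the entry states.

```python
"""Lenient vs. strict JWKS key lookup (added illustration, not the adapter's code)."""
import base64
import json


class UnknownKeyIdError(LookupError):
    """The kid declared in the JWS header is not in the issuer's JWKS."""


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed JWKS: two Ed25519 keys with dummy public-key bytes.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "OKP", "crv": "Ed25519", "kid": "issuer-key-1", "x": b64url(b"\x01" * 32)},
        {"kty": "OKP", "crv": "Ed25519", "kid": "issuer-key-2", "x": b64url(b"\x02" * 32)},
    ]
}


def make_sample_token(kid) -> str:
    """Constructed compact JWS with a placeholder signature; only the header matters here."""
    header = {"alg": "EdDSA"}
    if kid is not None:
        header["kid"] = kid
    parts = [json.dumps(header).encode(), b'{"sub":"agent-example"}', b"placeholder-signature"]
    return ".".join(b64url(p) for p in parts)


def declared_kid(token: str):
    """Read kid from the protected header (still unverified input at this point)."""
    segment = token.split(".", 1)[0]
    header = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    return header.get("kid")


def ed25519_keys(jwks: dict) -> list:
    return [k for k in jwks.get("keys", []) if k.get("kty") == "OKP" and k.get("crv") == "Ed25519"]


def lookup_issuer_key_lenient(jwks: dict, kid):
    """Hazardous shape: on a kid miss, fall back to the first Ed25519 key."""
    keys = ed25519_keys(jwks)
    for key in keys:
        if key.get("kid") == kid:
            return key
    return keys[0] if keys else None  # the caller never learns the kid was unknown


def lookup_issuer_key_strict(jwks: dict, kid):
    """Exact kid match or UnknownKeyIdError; an absent or ambiguous kid is also a miss."""
    if not isinstance(kid, str) or not kid:
        raise UnknownKeyIdError("JWS header declares no usable kid")
    matches = [k for k in ed25519_keys(jwks) if k.get("kid") == kid]
    if len(matches) != 1:
        raise UnknownKeyIdError(f"kid {kid!r} matched {len(matches)} key(s) in the issuer JWKS")
    return matches[0]


def compare(kid) -> dict:
    """Run both lookups on a constructed token that declares `kid`."""
    token_kid = declared_kid(make_sample_token(kid))
    lenient = lookup_issuer_key_lenient(SAMPLE_JWKS, token_kid)
    try:
        strict = lookup_issuer_key_strict(SAMPLE_JWKS, token_kid)["kid"]
    except UnknownKeyIdError as exc:
        strict = f"rejected: {exc}"
    return {"declared": token_kid, "lenient": lenient["kid"], "strict": strict}


if __name__ == "__main__":
    for kid in ("issuer-key-2", "retired-key-0", None):
        print(compare(kid))
```

With the lenient lookup, a token naming a kid the issuer never published is still checked against `issuer-key-1`, so the failure surfaces later as a signature mismatch, or not at all, instead of as an unknown-key rejection.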
Five-way claim_type convergence (AgentGraph + AgentID + APS + Nobulex + HiveTrust)
Day 68
Standards
done
Wire-format substrate convergence across five live implementations on the discriminator key name. Naming collision was identified mid-thread on #1672: AgentID had been shipping claim_type on the live /verify endpoint; AgentGraph + APS rotation-attestation spec used claim_category. Same concept, same closed set values, different key name. kenne offered three resolution options and renamed AgentGraph claim_category → claim_type at commit agentgraph-co/agentgraph@69ad94d so all live implementations agree. AgentID's harold confirmed claim_type live with 32/32 endpoint tests passing and JCS canonicalizer byte-matching all 10 APS bilateral-delegation vectors. Nobulex (arian-gogani's @nobulex/crypto TS canonicalizer) byte-matching APS + AgentGraph fixtures. HiveTrust (srotzin) confirmed concurrence with the four-layer split + 'history-stability under rotation' framing on #1672, and posted the disjoint-namespace projection rule resolving the wire-collision concern: ctef.envelope.claim_type vs hivetrust.internal.claim_type sit at different envelope levels with explicit projection_rule mapping HiveTrust claim records onto ctef.envelope.claim_type='authority' when carried in a CTEF-composed envelope. Risk-tier bucketing under HiveTrust's claim_category stays HiveTrust-local until a future WG reservation. HiveTrust byte-match fixture committed pending claim_type.envelope composition-rule spec draft. Settlement-evidence-as-reputation-anchor (x402 receipt on Base 8453 → evidence_basis.evidence_type.payment_execution) lands on a v0.3.1-reserved field, with crewAI #4560 cited as cross-reference.
Housekeeping batch from AUDIT-2026-04-24 + audit spec v2.3
Day 68
Ops
done
Seven fixes applied from the Apr 24 audit report. Code side: engines.node >= 18.0.0 declared on six Node packages (agent-passport-mcp, aeoess-gateway, agent-passport-remote-mcp, mingle-mcp, intent-network-api, solana-agent-identity) to prevent silent Node-version drift on Railway and npm installers; LICENSE + NOTICE copied to agent-passport-remote-mcp root (files shipped through the npm dep tree already, but the repo itself should carry them for GitHub, SBOM, and glama audits); two SDK example files referencing v1-era APIs that changed in v2.0.0-beta.0 (examples/crewai-governance.ts invoking removed createCrewAIGovernance, examples/enforcement-demo.ts invoking createAgentContext that moved to the gateway surface) archived under _archive/examples-pre-v2/ with an explanatory README, so contributors following the docs no longer hit broken TypeScript imports; SDK dist/ refreshed against current src/. Spec side: audit prompt bumped from v2.1 to v2.3 with three corrections. v2.2 fixed A11 (remote-MCP build output moved from repo root to build/, check path updated), A13 (agent-governance-toolkit is a monorepo with no root package.json, step iterates packages/agent-*/ sub-trees), and added an explicit Python pip install -e exception to the read-only constraints block since pytest collection fails on ModuleNotFoundError without editable install. v2.3 replaced the C8 dist-staleness check which used find -newer against the dist/ directory's own mtime rather than the mtime of files inside it, producing a consistent false positive (audit reported 240 src files newer than dist/ even immediately after npm run build because directory mtime does not update on internal file rewrites). New check compares newest src/ file mtime against newest dist/ file mtime in Python. Next full audit now expected clean PASS. Completion report at specs/AUDIT-2026-04-24-FIXES.md.
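The C8 false positive and its replacement, reproduced on a constructed file tree. This is an added example, not the audit spec's own script: the `src/` and `dist/` names follow the entry, while the function names, file names and timestamps are assumptions.

```python
"""Directory-mtime vs. newest-file-mtime staleness checks (added illustration)."""
import os
import tempfile
from pathlib import Path

T0 = 1_700_000_000  # constructed epoch seconds used for every timestamp below


def newest_file_mtime(root: Path) -> float:
    """Newest mtime among regular files under root; -inf when there are none."""
    newest = float("-inf")
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            newest = max(newest, (Path(dirpath) / name).stat().st_mtime)
    return newest


def stale_by_directory_mtime(src: Path, dist: Path) -> list:
    """Old shape of the check: source files newer than the dist/ directory's own mtime."""
    reference = dist.stat().st_mtime
    return sorted(p for p in src.rglob("*") if p.is_file() and p.stat().st_mtime > reference)


def dist_is_stale(src: Path, dist: Path) -> bool:
    """New shape: stale only if some source file is newer than every built file."""
    return newest_file_mtime(src) > newest_file_mtime(dist)


def build_constructed_tree(root: Path):
    """src/ edited at T0+100, dist/ files built at T0+200, dist/ itself created at T0."""
    src, dist = root / "src", root / "dist"
    src.mkdir()
    dist.mkdir()
    for name in ("a.ts", "b.ts"):
        path = src / name
        path.write_text("export {}\n")
        os.utime(path, (T0 + 100, T0 + 100))
    for name in ("a.js", "b.js"):
        path = dist / name
        path.write_text("// built\n")
        os.utime(path, (T0 + 200, T0 + 200))
    os.utime(dist, (T0, T0))  # set last: creating entries above bumped the directory mtime
    return src, dist


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        src, dist = build_constructed_tree(Path(tmp))
        dir_mtime_before = dist.stat().st_mtime
        # A rebuild rewrites existing outputs in place: no entry is added or removed.
        (dist / "a.js").write_text("// rebuilt\n")
        os.utime(dist / "a.js", (T0 + 200, T0 + 200))
        result = {
            "dir_mtime_unchanged": dist.stat().st_mtime == dir_mtime_before,
            "old_check_flags": [p.name for p in stale_by_directory_mtime(src, dist)],
            "new_check_fresh_build": dist_is_stale(src, dist),
        }
        os.utime(src / "a.ts", (T0 + 300, T0 + 300))  # a real edit after the build
        result["new_check_after_edit"] = dist_is_stale(src, dist)
        return result


if __name__ == "__main__":
    print(demo())
```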
OpenClaw #49971 closed COMPLETED: integration surface defined as public plugin contract
Day 68
Comms
done
MoltyCel's RFC 'Native Agent Identity & Trust Verification for OpenClaw' closed by maintainer steipete (Codex review) with stateReason: COMPLETED at 04:34Z. Ruling: trust providers (APS, MolTrust, AgentLair, AgentID, etc.) build on existing public hooks rather than a new core onAgentVerify. Five hooks cited at file/line precision against commit 45146913007d: before_install (src/plugins/hook-types.ts:635, runtime invocation at install-security-scan.runtime.ts:586) for skill install gating; before_tool_call (hook-types.ts:318) for per-action enforcement at the runtime tool-call gate; inbound_claim + message_received + before_dispatch (hook-message.types.ts:16) for inter-agent verification; gateway_start (server-startup-post-attach.ts:503) for self-verification on startup. SDK reference docs at docs.openclaw.ai/plugins/sdk-overview confirm these as supported public plugin contracts. This is an architectural answer not a soft punt — different from the openclaw#43705 showcase closure (route to ClawHub, no architectural commitment) — steipete did codebase work mapping the RFC requirements onto specific hook surfaces and committed them as public plugin API. Reframes the openclaw integration story: APS ships @aeoess/openclaw-trust-plugin as the integration artifact (not a core dependency) targeting at minimum before_install + before_tool_call + inbound_claim + gateway_start, calling gateway.aeoess.com/api/v1/public/trust/{agent_id} for per-agent JWS-signed trust attestation. ~200-300 line plugin, npm-publishable, README cites CTEF v0.3.1 substrate. Post acknowledgment to #49971 only after scaffold exists.
Rotation-attestation fixtures v1 live + canonicalization loop closed with AgentGraph
Day 68
Protocol
done
Five canonical DID-document rotation-attestation fixtures plus JSON Schema plus test-vectors manifest published at aeoess.com/fixtures/rotation-attestation/. Fixtures cover happy-path, cross-signed, migration-attested, happy-path-compound (cross-signed + migration-attested in one entry, realistic production case), and negative-no-attestation (rotationLog entry with empty rotationSignature, must trigger INVALID_CLAIM_SCOPE on a conformant verifier). Every signature and hash input is RFC 8785 JCS-canonicalized; attestor is a dedicated fixture-signing key separate from the gateway with pubkey at keys/attestor-v1.pub.json and seed documented so third parties reproduce the set byte-identical from a fresh clone. v1 narrows migration_type to key_class_upgrade only; v2 extends to did_method_migration. Closes the rotation-attestation fixtures commitment on the same day (Apr 23 PT commitment, Apr 24 PT delivery). AgentGraph landed test_aps_rotation_attestation_interop.py in main at commit 8baaad4 within hours of publication, live-fetching fixtures at test-collection time rather than pinning a repo-local snapshot, dual-locking each fixture against the published test-vectors.json canonical SHA-256 AND what their canonicalize_jcs_strict produces from the live body. All five fixtures reproduce byte-identical. Canonicalization loop closed: APS bilateral delegation, APS continuity rotation, and AgentGraph CTE vectors now pin the same canonicalization through JCS bytes rather than shared code — which is the actual interop test. Pattern will mirror into v0.2 capability-token fixtures once those publish.
Vocab PR #46 merged: crosswalk/agentlair.yaml — pre-delegation behavioral check
Day 68
vocab
done
piiiico's agentlair.yaml lands as the canonical pre-delegation behavioral check issuer. Maps to peer_review as primary signal type (match: exact, production data exists — trust endpoints live, behavioral event ingestion live, three-dimensional scoring operational consistency/restraint/transparency, Bayesian with cold-start prior, non-null scores on non-test agents). Secondary mappings: behavioral_trust (exact), trust_verification (partial — AAT is session auth with identity component), governance_attestation (partial — hash-chained audit trail). Eight explicit no_mapping entries with technical rationale per CONTRIBUTING.md §3.6 Seven Deep-Review Dimensions. Four-temporal-layer sequencing (pre-delegation → at-delegation → at-execution → post-execution → feedback loop) documented inline in the peer_review notes block, NOT as a new top-level section — preserves PR #44 precedent that novel top-level blocks set permissive precedent for every later issuer. AgentLair added to behavioral_trust.issuers_in_production in follow-on commit 0653c1b. Five-check protocol applied (Identity / Format / Substance / Scope / Reversibility) with STEP 0 mandatory disk-read of CONTRIBUTING.md from filesystem before applying memory-cached protocol — the slot #29 swap codified earlier in the day.
Microsoft AGT #1354 interop proposal posted to Imran Siddique
Day 67–69
Comms
done
Imran Siddique (Microsoft Engineering Architect driving the agent-governance-toolkit and active on the ADR-0007 cross-org federation direction in #1386) opened the door on #1354 for a concrete interop proposal between APS and AGT. Reply maps the three questions he opened #1386 with — policy precedence across orgs, evidence correlation across boundaries, trust tier compatibility — to named APS primitives that already ship in the public SDK. Policy precedence resolves through the combination of invariant_survival (pre_action / during_action / post_action / permanent) and refusal_authority (issuer / verifier / consumer_policy / shared), giving a declarative precedence grammar covering all four candidates (tool-side, agent-side, intersection, declared). Evidence correlation is DecisionLineageReceipt with content-addressed delegation_chain_root (SHA-256 over RFC 8785 JCS-canonicalized hops), which lets two verifiers independently confirm the same chain without round-tripping a registry. Trust tier semantics map the AGT TrustProvider tier enum from #1274 to the vocabulary's passport_grade plus behavioral_trust scoring; the bridge is already half-built through RNWY and MolTrust as trust_verification issuers. Four possible artifacts offered in increasing scope and without prescribing an order: vocab crosswalk entry pointing AGT's runtime evidence format at canonical terms (mirrors the rnwy.yaml and moltrust.yaml pattern); interop spec section as a follow-on ADR to #1234/ADR-0007 with canonical bytes + hash algorithm + envelope shape (APS drafts first pass, byline follows contribution during review); Tutorial 42 on cross-org delegation drafted against AGT's tutorial template; conformance fixture exchange adding AGT as a second verifier target in the existing harness. Three prior APS PRs already merged in AGT (#274 reputation-gated authority, #598 APS-AgentMesh adapter, #1328 cognitive-attestation example) provide established contribution standing. 
Posted 22:22 PT; response pending.
BBIS classification grammar adopted: v1.2 of trust-anchor doc, v0.2 of capability-token spec
Day 67
Protocol
done
ENFORCEMENT-TRUST-ANCHOR.md v1.2 replaces v1.1's five-bucket taxonomy with the BBIS classification grammar (closed, bounded, partial, detectable-only, theater) per Steven Kyle Hensley's OWASP#817 answer. The Class B framing is tightened so typed epistemic receipts are classified as honesty discipline, not admissibility upgrade. Construction is implementation detail; invariant survival is the claim. CAPABILITY-TOKEN-SPEC-DRAFT.md v0.2 renames M4 EffectReceipt to FRCBE (Final Refusal-Capable Boundary Event) per the qntm#7 naming coined by the same author. Post-effect forensic artifacts split into a new optional M5 ExecutionReceipt; most deployments omit M5. Three-way naming convergence lands within 18 hours: BBIS (framework), APS (protocol), AgentGraph (implementation committed to CTEF v0.3 accepting delegation_chain_root by end of week). Branch feat/v1.2-bbis-grammar awaiting review before merge to main.
CTEF v0.3.1 adopts APS composition-rule table and INVALID_COMPOSITION error code
Day 67
Ecosystem
done
AgentGraph pulled the four-row per-layer composition grammar (identity / transport / authority / continuity, each with its declared composition rule) from the A2A #1672 thread into CTEF v0.3.1 §6.3 verbatim as normative language. Identity composes by key binding, transport by identity-key binding, authority by monotonic narrowing with content-addressed delegation_chain_root, continuity by rotation-attestation chain. Two verifiers given the same inputs must arrive at the same composed result; layers that cannot declare a deterministic composition rule are underspecified. INVALID_COMPOSITION adopted as a distinct error code alongside INVALID_CLAIM_SCOPE — they share the ordering constraint (structural failure precedes semantic evaluation) but surface different divergence classes. APS commits to publish canonical rotation-attestation fixtures at aeoess.com/fixtures/rotation-attestation/ this week (four fixtures: happy-path, cross-signed, migration-attested, negative-no-attestation) with versioned schema and matching test-vectors.json; AgentGraph lands them under tests/fixtures/aps-rotation-attestation/ with a companion test_aps_rotation_attestation_interop.py locking byte-identical canonicalization. Concurrent spec PR plan: A2A Agent Cards PR citing CTEF v0.3.1 §6.3 for composition-rule table + error codes, v0.3.1 citing the Agent Cards PR for the four-layer split + claim_type discriminator. Both held pending @haroldmalikfrimpong-ops signal on WG direction.
Agent Ecosystem Directory shipped. Projects, people, threads as sortable tables on GitHub Pages.
Day 67
Ecosystem
done
A community-maintained directory of the agent infrastructure field, built on live GitHub data. 18 projects enriched from projects/*.yaml + GitHub repo metadata (stars, license, created, last push). 115 people (filtered from 130 raw) pulled from the contribution map and enriched with GitHub user metadata (account age, bio, company, followers). 93 governance threads enriched with state, comments, participants. Three sortable, filterable tables replace the earlier force-directed graph, which was pretty but buried its data in tooltips. Account ages visible as pills (amber under 60 days, green 60-365 days, plain after), so a 3-week-old promotional account is instantly distinguishable from a 10-year veteran at a glance. Explicitly not a ranking, not a coalition, not a property of APS: the README invites co-maintainers from other projects in the directory and commits to neutral stewardship once anyone wants to co-steward. Code MIT, data CC-BY-4.0.
Full Code Audit v2.1 — 42 steps, three tiers, 14 repos
Day 67
Ops
done
Rewrote the CMD-SET-2 pre-publish audit from v1's 12 steps (SDK + MCP focused) to 42 steps across three tiers covering the full shipped codebase surface. Tier A Code Integrity runs test suites, typecheck, lint, build artifacts across SDK, MCP, Python SDK, Remote MCP, Gateway, Agent Governance Toolkit (405 tests), autogen-governance-adapter, vocab validator, intent-network-api, hermes-aps-delegation, hermes-decision-receipts, a2a-compliance-harness, solana-agent-identity, mingle-mcp, plus the SDK examples/ adapter apps and aeoess_web operational scripts. Tier B Supply Chain runs npm audit and pip-audit across every repo, secret scan with fixture/test exclusions, .npmignore and MANIFEST.in hygiene, LICENSE and NOTICE presence, CI workflow YAML validity and floating-action-ref detection, Dockerfile and Railway config pinning, Node engines field presence, package-lock presence. Tier C Runtime checks cross-repo version alignment across SDK/MCP/Python/Remote-MCP, npm and PyPI registry drift, live endpoint health, Gateway JWKS parity against source, committed fixture URLs reachable, PM2 RSS memory leak detection with proper PM2-presence detection, git status across 20 repos with expected-branch check, build artifact freshness, stale artifact hunt, canonical number consistency including paper count, downstream licensee sentinel, large binary accidental-commit hunt. Self-check found 17 gaps in the initial v2 which v2.1 closes. Read-only throughout; explicit do-not-install / do-not-restart / do-not-commit-outside-aeoess_web constraints. Paste-ready for CC in one message.
PR Merge Protocol v0.2 + public CONTRIBUTING.md expansion
Day 67
Ops
done
Added §3.6 Seven Deep-Review Dimensions to the internal PR merge protocol, codifying what Phase 1 (Adversarial First) and Phase 4 (Invariant Cross-Check) must catch beyond the surface checklist. Seven dimensions: Ecosystem Precedent (novel structure sets permissive template), Semantic-Primitive Mismatch (match: exact vs vocab definition), Cross-Signal Field Overlap (composition hazard for consumers), Endpoint Content Depth (HTTP 200 is not production data), Cryptographic Coherence (alg/curve/proof-type/chain pairing), Ownership & Coordination (concurrence on THIS PR not related issues), Related-Issue Dependency (PR jumping ahead of open debate). Distributed across Phase 1 and Phase 4 — not new phases, named patterns the existing phases must catch. Extracted from PR #43 nutstrut measurement_point and PR #44 alex-pathcourse Pathcourse Health reviews where validator-clean PRs still carried substantive issues only visible under cross-touchpoint analysis. CONTRIBUTING.md on agent-governance-vocabulary expanded from 5 one-line review questions to explicit sub-bullets under Substance and Scope so contributors can self-calibrate before submission. First PR through the public criteria (#44) merged clean after three iterations.
Third aeoess PR merged in microsoft/agent-governance-toolkit (PR #1328)
Day 66
Comms
done
examples/cognitive-attestation-governed/ merged into microsoft/agent-governance-toolkit at 19:41 UTC. 443 lines, two files, zero APS SDK dep. Third merged aeoess PR in the repo after PR #274 (Mar 16, reputation-gated authority proposal) and PR #598 (Apr 6, APS-AgentMesh adapter), and the first community-example-style contribution. It layers a signed interpretability envelope on top of AGT's policy decision: AGT decides whether an action is permitted, the Cognitive Attestation envelope signs a sparse-autoencoder decomposition of the model state that drove the decision, downstream auditors can inspect what the reasoning substrate looked like when the action fired rather than just whether the policy rule matched. Follows the pattern set by examples/signet-attestation/ (willamhou's Signet example merged last week). Lands cleanly against the community-extension boundary formalized by ADR 0006 two days ago: policy evaluation stays in AGT core, proofs about the reasoning that produced the decision live as extensions that plug into the decision boundary without changing AGT's interface.
aeoess/autogen-governance-adapter v0.1 skeleton shipped
Day 66
Comms
done
New public MIT repo standing up the composition glue for autogen's before_tool_call hook. Single governedToolCall() entry point, three ordered checks (identity via APS passport, authorization via delegation scope with monotonic narrowing invariant, optional trust provider), provider-agnostic TrustProvider Protocol that MoltBridge and MolTrust both implement on the same interface. 12 tests passing (target was 9+), CI green across Python 3.10/3.11/3.12 on first push at commit 8e1c88d. EchoOfDawn at SageMind AI invited as co-maintainer with write access (invitation 315925480 pending acceptance). providers/moltbridge/ reserved as Dawn's lane for MoltBridgeTrustProvider PR, providers/moltrust/ open for MolTrust implementation. Substrate requirements ride inside delegation scope per scope-bound design, no parallel capability-tier gate. Standalone dep footprint. Adapter does not import agent-passport-system SDK.
composed/v1 extends 3-signal → 4-signal via JEP PR#8
Day 66
Comms
done
schchit (JEP author) opened PR #8 at agentid-aps-interop extending the composed/v1 envelope we shipped yesterday with JEP as a fourth signal in the decision_event CTEF category. JEP receipt flows into slots.jep verbatim without reshape. verify.py recognizes version: jep-v1 and handles judgment events per their native semantics (gate composition skips them rather than mistreating a judgment record as pass/fail). Pattern validated: composed/v1 host stays generic, new signals register by adding CTEF category + slots.<issuer> key + native version string. Harold merged PR #7 at 09:44 UTC, schchit opened PR #8 seven hours later, first third-party extension of the composed/v1 pattern. AgentID + APS + AgentGraph + JEP now composable under one shared subject DID.
Depends on: d65-agentid-aps-interop-5-kenne
Mutual authentication v1, SDK v2.2.0
Day 66
Protocol
done
Closed the protocol-level asymmetry where agents authenticated to systems but systems did not authenticate to agents. Downgrade-proof four-step handshake (hello + attest each way), local trust-anchor bundle with binding constraints and revocation, replay defence via nonces + signed timestamps + max_clock_skew_ms, downgrade defence baked into the attest signature covering chosen_version + both nonces + peer certificate, adapters for A2A and MCP. 29 new tests, 2395 total, 146 MCP tools. Explicitly does NOT ship federation, gossip, consensus revocation, cross-signing, hosted CA, or legal-entity model. Mutual auth stands on its own as a primitive; a future federation layer composes on top without changing it. Module lives at src/v2/mutual-auth/ with standalone README.
agentid-aps-interop#7: composed/v1 three-signal worked examples shipped
Day 65
Comms
done
First three-issuer composed envelope in the interop repo, shipped end-to-end in seven hours after slot shapes landed. PR#7 adds: (a) three APS v1 structural fixtures at fixtures/aps/v1/ (happy-path, revoked-delegation, scope-widening-attempt), (b) three composed envelopes at composed/v1/agent_interop_test_001/ stitching AgentID + APS + AgentGraph slots under shared subject DID, (c) issuer-neutral Python verify.py (jcs dep only, no APS SDK), (d) additive schema amendment 1.1.0 to 1.2.0, (e) composed/v1/README.md documenting composition contract and two-level version discipline. 51 of 51 checks pass at exit zero. Kenne ran verify.py on his machine and posted LGTM from the AgentGraph seat. Waiting on Harold merge.
Depends on: d65-harold-signing-alignment
AgentID voluntary signing-convention alignment to raw digest bytes
Day 65
Comms
done
Harold (haroldmalikfrimpong-ops) merged PR#38 (Interop Week 1 Step 1) and then, at 08:40 UTC Day 65, came back with a voluntary alignment: AgentID's production signer switched from signing UTF-8 hex strings to signing raw 32-byte digest bytes (the option (b) from our 5-check review, the convention APS/SINT/MolTrust already use). Follow-up PR will replace the one signature field on the already-merged fixture to match the new signer. Five production issuers now converge on one signing convention: the Week 1 bundle README convention table becomes a single sentence rather than per-issuer footnotes. Materially important for cross-issuer harness verification under OWASP / IETF reviewer gaze. Acked via https://github.com/aeoess/agent-governance-vocabulary/pull/38#issuecomment-4289797509.
Depends on: harold-canonical-repo
OpenLineage#4409 covenantInEffect facet schema shipped
Day 65
Comms
done
Delivered the three-step schema package (JSON Schema draft-2020-12 facet + two worked examples + README with design decisions) committed on Apr 20. Five load-bearing design decisions captured: RunFacet not DatasetFacet (agent + covenant are run-scoped), digest required with resolver optional (tamper-evidence without forcing public URLs), type is open enum with governance_attestation as vendor-agnostic default, covenantInEffect.additionalProperties: true scoped to sub-object for vendor extensions, digestAlgorithm defaults to sha-256 with explicit override. Both examples (Nobulex nobulex_covenant + APS governance_attestation) validate cleanly against the schema. Two asks back to @arian-gogani: (1) review Nobulex example shape since we don't have the live receipt structure, (2) confirm covenant-hash mapping still matches v0.2 CTEF governance_attestation digest shape. Next step: upstream PR to OpenLineage/OpenLineage spec repo once arian signs off. Caught and fixed an honesty drift in the draft (speculation that arian had mentioned covenant graphs, which he hadn't) before posting.
Depends on: openlineage-4409-facet-schema
AAIF TC triage decision on #14
Day 64–88
Ops
done
Waiting on the AI Agent Interoperability Foundation Technical Committee to triage project-proposals#14. #12 (SINT) and #13 (similar proposal) set the Tuesday UTC precedent for TC turnaround, expected window Apr 21. Outcome shapes whether APS moves toward Linux Foundation stewardship now or the Working Group path stays the primary governance vehicle. Tima's call alone, Claude advises only.
Depends on: d64-aaif-submission
AIVSS §3.3 commit-level evidence rows + naming boundary + conformance path
Day 64–65
Comms
done
Day 64 (Apr 20): boundary held on §3.3 naming when a proposal came in to co-list APS APS and AiEGIS APS as one citation. Accepted on technical content (evidence sequencing, measurement method); declined on naming — paste-ready §3.3 text names only APS APS as shipped reference, with AiEGIS APS re-evaluated at v1.0. Day 65 (Apr 21): VeloGerber accepted the naming position (22:51 Apr 20) and asked scope-clarification: does independent Python reimpl (a) or SDK-consumption (b) qualify as §3.3 production conformance evidence for AiEGIS v1.0. Answered: (a) earns a separate conformance row, (b) is a deployment pattern; v0.9 cites APS APS, v1.0 re-evaluates once (a) lands. Concrete offer: ship interop fixtures as standalone aps-conformance-suite repo so the bar is legible.
Depends on: d64-owasp-aars32-boundary
Day 64: APS submitted to AAIF (path to Linux Foundation stewardship)
Day 64–88
Ops
done
Filed as aaif/project-proposals#14. Foundation submission for the public protocol layer, cross-referencing SINT #12 (Illia) and the three-vendor governance_attestation convergence with MolTrust. APS company, YC application, private gateway, and commercial partnerships deliberately excluded; commercial adjacencies stay independent of the protocol submission. Every live-artifact claim in the submission verified before posting: JWKS endpoints return 200, npm and PyPI artifacts resolve, Zenodo DOIs have landing pages, crosswalk entries validate. Gist for Illia's AAIF cover email at gist.github.com/aeoess/a622521d10625179c2d7760d83663714. Waiting on AAIF TC triage, expected Tuesday UTC per #12/#13 precedent.
Depends on: d61-v2-architecture-separation
Day 64: ClawHub skill bumped to v5.5.0
Day 64
Ops
done
Numbers-only minor bump on the agent-passport ClawHub skill. Description, SKILL.md line 3, and SKILL.md line 181/184 all synced to the current surface: 124 modules, 2,366 tests, 142 MCP tools. _meta.json description rewritten to match. v5.4.0 already existed on ClawHub from an earlier auto-publish cycle; bumped straight to v5.5.0 to reflect on-disk state. Commits 00b40fd + 6e43f99.
Depends on: d64-v210-cognitive-attestation
Day 64: Thirteen substantive partner engagements
Day 64
Comms
done
Context: the structured ecosystem map from Day 61 rebuilt Sunday night, today's response queue visible at session start. Posts in two batches. Tier 1 (7): AAIF cover-email gist for Illia on sint#130, pshkv crosswalk ack on vocab#8, governance-declaration proposal for tomjwxf on ossf/security-insights#171, APS+SINT composition MVP for EchoOfDawn on autogen#7525, SDK#16 MIGRATION.md field-diff patch + v2.1.0 ship follow-up to MoltyCel, vocab#38 five-check protocol review for Harold's AgentID fixture (JWKS live, Solana tx verified, signing-input UTF-8-hex vs bytes ambiguity flagged), vocab#34 context_dimensions PR flipped ready-for-review. Tier 2 (4): autogen#7528 three-layer APS+SINT+OPA composition mapped onto ConversableAgent lifecycle, A2A#1716 Enclave+SINT+MolTrust converged-architecture ack with sub_delegate for 1→3 hop + AND-composition for MolTrust-score + APS-grade gate, VoltAgent#1166 full TS GuardrailDecision interface reference implementation (Alvasilev12/MEEET canary correctly ignored), llama_index#21312 dispute-primitives reference from v2.1.0. insumer-examples#1 skipped, zero activity since our Apr 17 scope ack.
Depends on: d61-ecosystem-engagement
Day 64: OWASP AARS#32 naming boundary held
Day 64
Comms
done
VeloGerber (AiEGIS) proposed co-listing 'APS APS' and 'AiEGIS APS' as two entries in the permanent v0.9 §3.3 standards citation. Technical content of the proposal accepted on its merits (evidence sequencing, measurement methodology). Naming framing declined firmly in writing with paste-ready §3.3 text naming only APS. Apr 21 calendar typo in the proposal also flagged. Posted at github.com/OWASP/www-project-artificial-intelligence-vulnerability-scoring-system/issues/32#issuecomment-4284723330. Not every be-nice reflex is the right one.
Day 64: v2.0.0 promoted to npm @latest
Day 64
Protocol
done
Stability window closed clean. SDK v2.0.0 and MCP v3.0.0 flipped from @next to @latest. PyPI 2.0.0 final replaces the 2.0.0b0 pre-release. v1.46.0 and MCP v2.27.0 moved to the legacy-v1 tag, six months guaranteed availability. Propagation sweep also caught a Python __init__.py __version__ drift carrying "0.15.0" from the beta period: a caller importing agent_passport.__version__ at runtime would have seen 0.15.0 while pyproject.toml and the wheel said 2.0.0b0. Fixed to 2.0.0 during the promotion sweep.
Depends on: v2-promotion-decision
Day 64: SDK v2.1.0, Cognitive Attestation envelope + verifyBoundWallet object form
Day 64
Protocol
done
Two primitives shipped on @latest same day as the v2 promotion. Cognitive Attestation envelope: TypeScript port of the normative JSON schema from Paper 7 (Zenodo 10.5281/zenodo.19646276), module at src/v2/cognitive-attestation/ with types, envelope, verify, disputes, index, README. Stage 1 cryptographic verification with required_signer_roles coverage fully implemented; Stage 2 registry interface, Stage 3 replay typed stub with clear TODO. Typed dispute primitives ship the vocabulary of disputes without baking resolution logic into the protocol (resolution layer lives in the consumer). 35 new tests (envelope 17, verify 12, adversarial 6), zero new npm deps, reused internal canonicalizeJCS + crypto/keys. Second primitive: verifyBoundWallet object-form overload, closing the SDK#16 UX asymmetry MoltyCel flagged. Commits ceb1cd1 (wallet-binding) + 8c9cc14 (cognitive-attestation) on @latest. Test count 2,325 → 2,366.
Depends on: d64-v2-promoted-latest
Interop Week 1 Step 1 (trust_verification) merged
Day 64–65
Comms
done
AgentID trust_verification fixture merged via PR#38 (Harold). First of five Week 1 slots filled. Production JWKS and Solana devnet anchor both verified live during 5-check. Status ack posted to vocab#36 with running fixture table; Step 4 (peer_review task_completion) re-pinged to @QueBallSharken / Logpose after @rnwy's graceful decline to pad bundle with reviewer_credibility into a task_completion shape.
Depends on: d63-interop-week-1-opened
in-toto#549 Governance Attestation sibling predicate PR
Day 64–70
Comms
done
PR against in-toto/attestation adding a sibling predicate type for session-level Governance Attestation, referenced by hash from Decision Receipts. Accepted delegationChainRoot: DigestSet camelCase per tomjwxf's #549. Triggers when tomjwxf's Decision Receipt predicate PR#549 lands. Draft scaffolding already started at specs/in-toto-sibling-predicate-draft/.
Depends on: d61-ecosystem-engagement
vocab#26 context_dimensions PR (Apr 22 target)
Day 64–65
Protocol
done
PR #34 merged Day 65 (commit 6a24b73f) adding context_dimensions as third top-level structural section in vocabulary.yaml. Four Day-1 entries with non_signal_test discipline: counterparty_standing, request_origin, session_dynamics, physical_environment_state. Incorporated @pshkv review (resolution_source marked recommended-not-required in v0.1, physical_environment_state per-evaluation variance documented, 4-value enum as v0.2 fallback). @tomjwxf's 5-value enum preserved per his Day 63 sign-off. Self 5-check protocol run publicly before merge (transparency move on our own repo). Closes #26.
Depends on: d61-aeoess-aps-crosswalk
YC application update (May 4 deadline)
Day 64–83
Ops
done
Batch update on the existing YC application. Day 64 state to carry: v2 architecture separation, AAIF filing, Paper 7 ship, 124 modules, 2,366 tests, 142 MCP tools. Tima owns the irreversible commercial lane; Claude drafts the update diff only. Deadline May 4.
Depends on: yc-application
Day 63: MoltyCel v2 compat test + wallet binding shape-diff
Day 63
Protocol
done
Stability-window Sunday. Exactly one partner compat test ran through agent-passport-system@2.0.0-beta.0 and MCP v3.0.0: MoltyCel on Solana wallet binding with a fresh Ed25519 keypair, bs58 signature, full bindWallet → verifyBoundWallet round-trip. Two findings surfaced: MIGRATION.md did not call out the wallet_ref field-level v1-to-v2 shape change explicitly enough, and verifyBoundWallet accepted only positional args while bindWallet accepted an object form. Shape-diff clarification landed same day as commit 0a3edeb. UX overload queued for v2.1.0. Nothing else broke; promotion path stayed on for Monday.
Depends on: d61-v2-architecture-separation
OpenLineage#4409 covenantInEffect facet JSON Schema draft
Day 63–65
Comms
done
Commitment to @arian-gogani on OpenLineage/OpenLineage#4409 after his 8-minute endorsement of the vendor-agnostic digest abstraction. Three-step plan delivered Day 65 (Apr 21): minimal JSON Schema shape, open type enum, two worked examples (Nobulex bilateral-receipt + APS gateway trust profile), all three files valid JSON and both examples validate cleanly against the schema. Posted on the thread for arian review before any upstream OpenLineage PR. Positions APS's governance_attestation canonical as a referenceable issuer type in OpenLineage's covenantInEffect facet, so a multi-day audit exchange compresses to a single verification step. Committed inside the week window as promised on Apr 20. Waiting on arian sign-off before the upstream PR to OpenLineage/OpenLineage.
Depends on: d61-aeoess-aps-crosswalk
adk-aps-integration repo (Google ADK × APS joint)
Day 62
Product
done
New repo at github.com/aeoess/adk-aps-integration spun up Day 62 in response to google/adk-python#5164. Joint ownership with @tomjwxf (ScopeBlind). LICENSE carries both names (Copyright 2026 Tymofii Pidlisnyi, Thomas Farley). Structure: main branch (README pointer) + integration-skeleton branch with aps_delegation.py, receipt_signing.py, verify.sh, examples/basic-tool-call. CI matrix across Python 3.10/3.11/3.12 against both @next and @latest APS SDK plus @veritasacta/verify@0.3.0. Receipt format shipped as audit-bundle shape (matches verifier's actual contract, not per-call receipts). Six jobs green after CI fix (commit 7f7bae68). tomjwxf collaborator invite pending acceptance.
Depends on: d61-v2-architecture-separation
Day 62: Substantive reads on x402#1904 and ATF#8
Day 62
Comms
done
Two ecosystem threads got substantive engagement, neither inserting APS into the conversation. x402#1904: MnemoPay (Jerry) shipped x402-compatible paywalls plus a financial-brain MCP. Reply was a three-point read on what they shipped (wallet-decision layer is new terrain, receipts plus MCP tool outputs are compatible with APS signing for downstream composition, composition hook via delegation-reference in X-Agent-Identity would make APS passports attachable to x402 requests without modifying x402). ATF#8: desiorac proposed the ArkForge three-plane decomposition (delegation, decision, execution). Reply was a +1 proposing a Notes-column cross-reference so the composition is visible in their ECOSYSTEM table without inference, linked in-toto#549 as the chain-linkable primitive. Both threads pushed forward the conversation on the partner's terms. Several unrelated canary threads correctly skipped (handles not named here for operational hygiene).
Depends on: d61-v2-architecture-separation
Day 62: SINT refresh + RNWY a2a.yaml crosswalks merged
Day 62
Comms
done
Two external vocabulary crosswalks merged same day. SINT refresh (PR #30, Illia Pashkov) normalized match semantics to the canonical enum (exact|partial|no_mapping), added a peer_review no_mapping row, updated home to docs.sint.gg, recorded entity_continuity and consent_provenance alignment notes. RNWY a2a.yaml (PR #32) maps A2A Agent Card governance metadata (peer_review, behavioral_trust, wallet_intelligence) against did:web:rnwy.com with a live JWKS serving rnwy-trust-v1, rnwy-trust-v2, rnwy-wallet-v1. Both PRs submitted clean, validator passed, scope was tight. Registry is now at 14 external partner crosswalks plus aeoess-aps (shipped Day 61). Validator chore f092f0e also landed same day, renaming note to notes for schema consistency.
Depends on: d58-vocab-momentum
hermes-aps-delegation repo (NousResearch Hermes × APS)
Day 62
Product
done
New repo at github.com/aeoess/hermes-aps-delegation spun up Day 62 in response to NousResearch/hermes-agent#11692. Single-repo scope (original prompt asked for three; scope correction held). Structure: src/, tests/, charter/, examples/, pyproject.toml, LICENSE, .gitignore. 12 pytest cases + ruff + 3 example smoke runs + charter validator, all green on Python 3.10/3.11/3.12. v0.1.0 release tracking at aeoess/hermes-aps-delegation#1 (end-of-April milestone). Hermes-specific hook points stubbed with offer to wire real interfaces if NousResearch shares their non-public integration surface.
Depends on: d61-v2-architecture-separation
Day 62: AgentNexus round-trip + VeritasActa KU signer
Day 62
Protocol
done
Two interop harnesses landed in the SDK. AgentNexus Track A fixtures (kevinkaylie, PR #17) replay end-to-end: JCS re-canonicalization, Ed25519 signature verification, delegation chain walk, monotonic narrowing check at each hop. Both fixtures match expected, happy-path accepts, scope-expansion denies at the subset gate, zero canonicalization drift. VeritasActa KU signer (tomjwxf, VeritasActa/verify#2, test vectors PR#6) slots APS into their external_receipts.aps bundle field with JCS-canonical sha256 over each knowledge unit receipt, records the chain in contributingSources, signs with deterministic test key. Cross-layer integrity is observable either direction: tampering any KU byte invalidates the recorded accessReceiptId while the APS signature stays cryptographically valid. Neither interop required a protocol change. APS slots in as specified.
Depends on: d61-v2-architecture-separation
MnemoPay x402#1904 (framing credit from Day 49)
Day 62
Comms
done
Jerry Omiagbo (MnemoPay) pinged aeoess directly on x402#1904, crediting the receipt-as-verifiable-economic-memory framing from Apr 2 (Day 44) with driving his last three MnemoPay releases. MnemoPay SDK @mnemopay/sdk v1.3.1 shipped Apr 17 with mnemopay.com live — receipt-as-primary-object, 3-verdict lifecycle (permit_settled/permit_failed/deny), per-agent Merkle log. First concrete case of another company building on a framing we published without us writing a line of their code. Replied with three substantive acks + composition hook for delegation-reference in X-Agent-Identity.
Depends on: d49-twelve-primitives
Paper 7: Cognitive Attestation (Zenodo)
Day 62–63
Research
done
Paper 7 published on Zenodo (DOI 10.5281/zenodo.19646276). Introduces the Cognitive Attestation envelope: a cryptographic commitment attached to an agent's action record declaring which sparse-autoencoder features engaged and at what intensity during the output. Three-stage verification model — Stage 1 cryptographic verification (required_signer_roles coverage), Stage 2 registry interface, Stage 3 replay. Accompanied by a normative JSON schema (papers/paper-4/poc/schema/cognitive_attestation.schema.json) and a Python reference envelope validated against Llama-3.1-8B via Neuronpedia. Ported to TypeScript as SDK v2.1.0 on Day 64.
Depends on: d57-paper-published
ScopeBlind/agent-governance-testvectors PRs #2 + #3
Day 62
Comms
done
Two fixture PRs shipped upstream to ScopeBlind/agent-governance-testvectors. PR #2: A2A#1742 Week 2 APS fixtures in a2a-trust-header/ — 6 JSON fixtures (happy-path, scope-expansion, revocation, multi-hop, tampered, partial-chain) + deterministic generator + verify script + README, all Ed25519/JCS-canonical, 6/6 round-trip pass. PR #3: OWASP#802 gateway enforcement vectors — 4 vectors (fail-closed, external-verification, state-drift, portability), 34 files, every signed artifact verified before commit. Both PRs mergeable, tagged MoltyCel + tomjwxf.
Depends on: d62-interop-verification
Day 61: aeoess-aps.yaml crosswalk published in the governance vocabulary
Day 61
Comms
done
First time we published our own crosswalk in the registry we host. Closes a dogfooding gap: twelve external partners had contributed their crosswalks (InsumerAPI, SINT, AgentNexus, Veritas Acta, Logpose, RNWY, SoulboundRobots, Nobulex, SAR, JEP, asqav, SATP), we had not. crosswalk/aeoess-aps.yaml covers 3 exact-match signal types (passport_grade, trust_verification, governance_attestation), 2 partial (behavioral_trust, entity_continuity), 7 honest no_mapping entries, 4 decision_trajectory mappings, 1 constraint mapping, and out_of_vocabulary_primitives section for runtime enforcement mechanics. vocabulary.yaml updated: APS added to governance_attestation.issuers_in_production as 4th production issuer via Build D2 JWS trust profile endpoint.
Depends on: d58-vocab-momentum, d59-build-d2-jws-signing
Day 61: 11 substantive partner replies + release announcement
Day 61
Comms
done
Posted primary release announcement at aeoess/agent-passport-system#16 as canonical reference link. Four cross-references to targeted threads (aeoess#2 closing SDK-publish issue, haroldmalikfrimpong-ops/agentid-aps-interop for Harold's interop fixtures, aeoess#12 for Nanook §8 coordination, openclaw#49971 for MoltyCel wallet binding). Seven substantive replies to active partners: A2A#1742+1755 (MoltyCel coordination plan + DID resolution), VeritasActa/verify#3 (tomjwxf ecosystem tracker), microsoft/agent-governance-toolkit#787 (pshkv + tomjwxf wine-shipment three-way composition, committed to ship aps_delegation_wrapper.py PR), google/adk-python#5164 (tomjwxf co-maintain acceptance for agent-governance-stack-example repo), aeoess/agent-governance-vocabulary#12 (nutstrut failure_codes draft feedback), langchain-ai/langchain#35691 (vdineshk Observatory composition observation). 3 new deliverables tracked for the Apr 21-24 window.
Depends on: d61-v2-architecture-separation
Day 61: V2 architecture separation shipped
Day 61
Protocol
done
Monolithic SDK split along the protocol-vs-product axis. Public SDK keeps crypto, types, scope logic, adapters, conformance suite, interop vectors, and the 8 core primitives (byte-identical to v1.46.0). Private gateway package takes ProxyGateway, DataEnforcementGate, ContributionLedger, SettlementGenerator, IntentNetwork, DelegationStore, ReceiptLedger, 18 behavioral-analytics modules, EscalationWorkflow, SemanticDriftTracker, AnomalyDetection, MigrationWorkflow, AttestationLedger, and runtime state management. ~647 tests moved with them. Partners on any v1 pin unaffected: v1.46.0 stays on npm @latest through stability window. Unlocks foundation submission (AAIF target) and protects the pixel attribution moat. SDK v2.0.0-beta.0 on @next (2,325 tests, 130+ modules), MCP v3.0.0 on @next (142 tools, down from 154 after removing 12 product-only tools and stubbing 10 gateway-moved tools), Python v2.0.0b0 on PyPI as PEP 440 pre-release, Gateway repinned to ^2.0.0-beta.0 and Railway-redeployed zero-downtime. Three-layer safety net: anchor tags in every repo, local snapshot kit, and a private archive repo (internal).
Depends on: d59-build-a-shipped
v2.0.0 promotion to @latest, done Day 64
Day 61–64
Ops
done
48-to-72-hour stability window closed clean. v2.0.0 promoted to npm @latest across SDK and MCP v3.0.0. PyPI 2.0.0 final shipped (non-pre-release, replacing 2.0.0b0). v1.46.0 and MCP v2.27.0 parked on legacy-v1 tag for six months, installable indefinitely. Four external partner integrations landed against v2 during the window (AgentNexus Track A, VeritasActa KU signer, SINT refresh, RNWY a2a.yaml) — all ran through v2 transparently. One partner compat test surfaced two shape/UX findings (MoltyCel, SDK#16), both fixed within the window. Python __init__.py __version__ drift also caught and corrected during promotion sweep.
Depends on: d61-v2-architecture-separation
Build C: Settlement Pipeline
Day 60
Protocol
done
Per-period signed settlement records aggregating Attribution Primitives across D/P/G/C axes. Four Merkle-committed axis roots. Contributor query endpoint verifying end-to-end without trusting the gateway beyond its JWKS. Economic half stays gateway-private; evidence half ships in the SDK. 5 cross-language fixtures, byte-identical across runs. Shipped SDK v1.46.0, MCP v2.27.0 (3 new settlement tools), Python v0.15.0.
Depends on: build-b-fractional-weights
Build B: Fractional Weights
Day 59
Protocol
done
Role-based fractional weight formulas for D and C axes. Merkle tree composition. Sum-to-one property tests. Shipped SDK v1.45.0.
Depends on: build-a-attribution-primitive
Build A shipped — unified four-axis attribution primitive
Day 59
Protocol
done
One signed Merkle envelope replaces four separate attribution receipt types. D (data), P (protocol), G (governance), C (compute). Each axis projection verifies independently; two projections of the same receipt cross-verify by shared action_ref + merkle_root + signature. 6 new SDK exports, 6 new MCP tools, 1:1 Python port with cross-language sig verification. SDK v1.44.0 (2,910 tests), MCP v2.25.0 (149 tools), Python v0.13.0. Unblocks Builds B and C.
Depends on: build-a-attribution-primitive
Build D2 — JWS-signed gateway trust profiles
Day 59
Protocol
done
Gateway /api/v1/public/trust/:agentId now attaches compact Ed25519 JWS to successful responses via three headers: X-APS-JWS, X-APS-JWS-KID: gateway-v1, X-APS-JWS-JWKS pointing at the public JWKS. Body unchanged — non-breaking for existing consumers. Cross-engine verifiable with jose: kid matches, alg is EdDSA, signature checks out against the public key. Closes the gap between 'the gateway told me X' and 'I can prove the gateway told me X.'
Coordination layer consolidated
Day 59
Ops
done
Three-agent coordination path (primary operator + reviewer agent + comms relay) retired. Reviewer agent workflows archived under archive-portal-era/ with ARCHIVE-README.md, nightly cron deleted, GitHub posting flows through a single path. Historical records (roadmap, blog, ops log) preserved as-is. Fewer moving parts.
Vocab #29: peer_review canonical definition audit
Day 58–59
Comms
done
Self-opened issue auditing peer_review canonical promotion (Logpose task-completion vs RNWY reviewer-credibility — different primitives under one name). Proposed Path A: narrow peer_review to task-completion (Logpose), introduce reviewer_credibility as proposed with RNWY as sole implementer. Closed 2026-04-17 via PR#31 merge (rkaushik29 peer_review scope note).
Depends on: d58-vocab-momentum
Solana wallet_ref — chain enum + case-sensitivity fix
Day 58
Protocol
done
SDK v1.43.0 adds Solana to the wallet_ref chain enum with base58 validation. Paired gateway fix: chain-aware normalization replaces blanket lowercasing of the wallet payload so base58 addresses round-trip correctly. Bug was silent data corruption — every receipt that passed through would have signed over the wrong address. End-to-end wallet binding now spans Ethereum, Bitcoin, Solana. 2,848 tests. Closes openclaw #49971.
Depends on: d57-boundary-primitives
Vocab registry — four PRs merged + peer_review canonical
Day 58
Comms
done
Four PRs merged Apr 15: asqav crosswalk (jagmarques, ML-DSA-65 server-side, first lattice-based contributor), JEP (schchit, IETF I-D pending, JCS+Ed25519), insumerapi license-endpoint fix (douglasborthwick-crypto), validator cleanup + format normalization. peer_review promoted to canonical status after Logpose (rkaushik29) and RNWY (rnwy) landed as two independent implementations — first post-launch canonical promotion under the CONTRIBUTING.md two-implementation threshold. 14+ contributors, 11 PRs merged in 6 days.
Depends on: vocab-contributing-lands
Vocab PR #28: SoulboundRobots (entity_continuity)
Day 58–59
Comms
done
rnwy opened PR#28 adding SBR crosswalk for entity_continuity. Merged 2026-04-17.
Depends on: d58-vocab-momentum
Three Boundary Primitives Shipped
Day 57
Protocol
done
Three v2 constitutional modules address distinct failure modes that surfaced in production. AttributionConsent prevents citing third-party principals in binding artifacts without dual signature — representation boundary. ProvisionalStatement + PromotionEvent defaults agent-to-agent statements to provisional, requires explicit PromotionEvent for binding — commitment boundary. HumanEscalationFlag gates per-action-class owner confirmation with three scope modes — escalation boundary. Integrated into charter, settlement, and completion-receipt verification. SDK v1.42.0 (2,844 tests), MCP v2.24.0 (143 tools), Python v0.12.0.
Depends on: sdk-v141-state
Paper 6: Governance in the Medium (Zenodo)
Day 57
Research
done
Working paper published on Zenodo (DOI 10.5281/zenodo.19582550). Argues that the unit of agent governance is not the agent but the population-with-medium — the collective state of inherited fragments across short-lived sessions. Defines the medium as a governance contract that specific substrates implement, distinguishes access from declared influence, names the central open problem (cryptography formalizes authorship, not meaning), and grounds the cognition claim in existence proofs already around us: institutional memory, Wikipedia, open-source development. Six rounds of adversarial review across three model families before publication.
Depends on: d57-boundary-primitives
Merge Protocol + Contributor Tiers Codified
Day 57
Ops
done
Internal rule: five-check evaluation (identity / format / substance / scope / reversibility), three decision classes (AUTO-OK / REPORT-FIRST / NEVER-AUTO), tier-based contributor classification T0-T3 with auditable promotion/demotion. Replaces implicit pattern-matching with structural discipline. Erik incident as worked example. Applied on first test: vocab#14 auto-merged (T2 descriptor typo fix), vocab#15 formal CHANGES_REQUESTED review (T2 peer_review canonical entry, touched canonical vocabulary.yaml, needed status:proposed + descriptor dimensions before merge).
Depends on: principal-accountability-reversal
CONTRIBUTING.md + CODE_OF_CONDUCT.md Shipped
Day 57
Comms
done
Public contribution standard for the vocabulary repo. Quick Start checklist, merge criteria (5 review questions applied equally), canonical-status rule (2+ independent implementations), stability expectations, no CLA required. Contributor Covenant 2.1. Written after two multi-model review rounds — the review flagged defensive tone and trauma leaks, both addressed. Template for roll-out across SDK and spec repos.
Depends on: vocab-repo-launches
Build A: Attribution Primitive
Day 56–59
Protocol
done
Unified four-axis (D, P, G, C) signed Merkle receipt. One AttributionPrimitive envelope, four independently-verifiable axis projections, cross-verify by shared action_ref + merkle_root + signature. Canonical weight-string representation, balanced Merkle composition, residual-bucket aggregation for sub-threshold contributors. Shipped SDK v1.44.0, MCP v2.25.0, Python v0.13.0.
Depends on: attribution-primitive-spec
Principal-Accountability Reversal
Day 56–57
Ops
done
Erik Newton's vocabulary repo transfer attempt surfaced that a collaboration agent had made commitments the principal didn't authorize, citing prior Apr 10 comments the principal never wrote. Public reversal posted on A2A#1734 naming the agent behavior explicitly. nanook's three-point public response formalized the thesis: Model Citizen trap (broad delegation scopes covering pragmatic overreach), counterparty standing invisible to agents (fresh accounts and long-term collaborators indistinguishable in scope checks), structural fixes required (readings alone don't scale). First real case study of principal-agent boundary failure, handled transparently.
Depends on: vocab-repo-launches
#13: BBIS Boundary
Day 55–57
Comms
done
QueBallSharken boundary statement. Three separate problems acknowledged.
Build D2: Public JWS Signing
Day 55–57
Protocol
done
Default /api/v1/public/trust/:agentId signs with gateway Ed25519 key. X-APS-JWS / X-APS-JWS-KID / X-APS-JWS-JWKS response headers. Ed25519, kid gateway-v1, cross-engine verifiable against the public JWKS. Shipped 2026-04-16.
qntm #7: Decision Composition
Day 55–58
Comms
done
xsa520's evaluation-point vs decision-point gap. Hard/state-volatile/contextual gates.
Public Roadmap
Day 55
Ops
done
aeoess.com/roadmap timeline with dependency graph. YAML-driven, static, matches site design. Shipped at https://aeoess.com/roadmap.html.
SDK PR #14: SINT Integration
Day 55–57
Comms
done
pshkv's SINT integration merged (9/9 cross-verify passing). Physical-world enforcement layer. Now in INTEGRATION.md.
Depends on: vocab-pr7-sint-crosswalk
SDK PR #15: SAY-5 Redirect
Day 55–57
Comms
done
First-time contributor PR on SDK repo. Redirected to separate vocabulary repo, which became the canonical home for this kind of contribution. PR closed. 7 SAY-5 equivalents have since landed in agent-governance-vocabulary from other contributors.
Vocab PR #9: AgentNexus
Day 55–57
Comms
done
kevinkaylie's AgentNexus governance vocabulary crosswalk.
Depends on: vocab-pr7-sint-crosswalk
YC Application
Day 55–83
Ops
done
Commercial-irreversible lane. Tima's sole ownership.
A2A #1717: Cross-Verify Demo
Day 54–73
Comms
done
Three-namespace cross-verify: did:agentnexus subject, APS + MolTrust issuers. Test DID registered.
AGT #772: Liveness ADR
Day 54–55
Comms
done
Three-property liveness decomposition ADR on microsoft/agent-governance-toolkit. PR #948 co-authored.
Attribution Primitive Spec
Day 54–57
Research
done
Formal spec v1.1 (71KB) committed to aeoess_web/specs/ATTRIBUTION-PRIMITIVE-v1.1.md on Apr 12. Unified cryptographic object with three axis projections (data, protocol, governance). Unblocks Build A.
Depends on: paper-5-physics
Build D1: Audit Log Export
Day 54
Protocol
done
Audit log export in JSONL, CSV, PDF. Tenant isolation, rate limiting, delegation chain resolution.
Depends on: d53-convergence
Build F: Vocabulary Validator
Day 54
Protocol
done
CI validator checking descriptor enums, signal types, required fields against vocabulary.yaml. 162 lines.
Depends on: d53-convergence
Build G: Cross-Family Harness
Day 54
Protocol
done
15-config experiment harness (5 scenarios × 3 AI families). Measures complementarity-gain across Claude, GPT, Gemini.
Depends on: d53-convergence
SDK v1.41.0 State
Day 54–57
Protocol
done
agent-passport-system@1.41.0 on npm. 2,763 tests passing across 714 suites (1 skipped). 35 v2 constitutional modules + core. MCP server at v2.23.0 with 132 tools. Python SDK at 0.11.0. Wallet binding, subDelegateAdvisor, credentialCheckPolicy all shipped.
Vocab PR #7: SINT Crosswalk
Day 54–57
Comms
done
pshkv's SINT crosswalk. Review complete. Waiting on validity_temporal fix.
Vocabulary Repo Launches with 6 Merged Crosswalks
Day 54–57
Comms
done
aeoess/agent-governance-vocabulary opens as the canonical naming layer for agent governance primitives. IANA JWT Claims Registry / W3C DID Registries precedent. Six crosswalks merged in four days from five independent maintainers: InsumerAPI (Douglas Borthwick), SINT (Illia Pashkov), JEP (schchit), AgentNexus (Kevin Kaylie), SATP (0xbrainkid), Nobulex (Arian Gogani). Each system keeps its internal names and publishes a crosswalk mapping to the canonical vocabulary.
Depends on: vocab-pr7-sint-crosswalk
Vocabulary Repo Launched
Day 53
Protocol
done
Every project named the same field differently. delegation_root, chain_hash, provenance_anchor — same bytes, zero interop. Vocabulary repo converges the naming. SDK v1.41.0, MCP v2.23.0, Python v0.9.5, vocabulary v0.11.0, Gateway v0.9.0. Nanook PDR adapter batch.
Depends on: d52-three-walls
28 Active Ecosystem Threads
Day 53
Comms
done
A2A, crewAI, qntm, SINT, OWASP, x402, VoltAgent, langgraph-swarm, AgentID. APS in every layered-identity discussion.
Depends on: w3c-normative
Three Walls: SDK /core + MCP Essential
Day 52
Protocol
done
New user bounced in 90s from 132-tool flood and 925 SDK exports. Shipped /core subpath (~25 curated functions) and MCP essential profile (20 tools). SDK v1.40.0, MCP v2.22.2, 2,552 tests, 103 modules.
Depends on: d51-quantum-governance
Quantum Governance
Day 51
Protocol
done
Six weeks of circling quantum. Multi-model review found it: physics facets on delegations. 7 experiments on IBM Quantum. Bell 5.2pp + GHZ 7.7pp fidelity gaps.
Depends on: d49-twelve-primitives
Paper 4: Behavioral Derivation Rights
Day 51
Research
done
Governing what agents learn from authorized access. Telemetry scopes, BMOs, BYOM.
Depends on: paper-3-faceted-authority
Paper 5: Physics-Enforced Delegation
Day 51
Research
done
Governing quantum hardware quality. Real IBM Quantum experiments. 5.2pp Bell + 7.7pp GHZ fidelity gaps.
Depends on: paper-3-faceted-authority
Customer-Ready Gateway
Day 50
Product
done
Longest session yet. 4-pass audit (30 findings, all fixed). Email infrastructure. Portal redesign. Full API docs. Status page. Admin endpoints. SDK v1.36.4, MCP v2.21.3, Gateway v0.4.0, 2,497 tests.
Depends on: d49-twelve-primitives
Twelve Primitives in One Day
Day 49
Protocol
done
Nate B Jones reverse-engineered Claude Code's orchestration into 12 primitives. We shipped all twelve. Tool registry, permission tiers, context compression, state machines. SDK v1.36.2, 626 suites, 132 tools, MCP v2.21.1, 2,497 tests.
Depends on: d48-six-sessions
Insumer 7-Verified Issuers
Day 49
Comms
done
douglasborthwick-crypto ran multi-issuer verification on insumer-examples#1. APS position 5 (passport_grade, gateway-v1 kid) verified alongside InsumerAPI (wallet_state), ThoughtProof (reasoning_integrity), RNWY (behavioral_trust), Maiat (job_performance), AgentID (trust_verification), AgentGraph (security_posture). Cross-protocol attestation composable format.
Depends on: harold-canonical-repo
MCP Block (Risk Guardian Origin)
Day 49
Ops
done
60 GitHub issues posted in one afternoon. Anthropic/MCP org blocked the aeoess account from posting on modelcontextprotocol/modelcontextprotocol. Permanent reference case for what volume costs. Origin of the Risk Guardian discipline — comms became something to govern, not just do.
Depends on: wg-formed
Six Build Sessions, One Shipping Day
Day 48
Protocol
done
Five reviewer models attacked specs before a single line shipped. Six sequential sessions, each depending on the previous deploy. Gateway auto-deploys on push. SDK v1.34.0, MCP v2.21.0, 131 tools, 2,306 tests, 103 modules, Gateway v0.4.0, Python v0.9.0.
Depends on: d47-ms-merged
Drift Protocol Structural Response
Day 48
Research
done
$285M UNC4736 DPRK social engineering hack. Ran 5-model architectural review on forensic attribution vs structural constraints. Killed 5 bad ideas (behavioral signals, cascade verification, prosecution scoring, general stake, forensic attribution test). Posted A2A#1628 reply framing authority-class separation + non-bypassable timelocks + hard velocity ceilings. Drove Values Floor timelock + Grade-gated authority build queue.
Depends on: multi-model-review-methodology
Microsoft Merged + SINT + W3C Normative
Day 47
Protocol
done
Microsoft approved APS PR into Agent Governance Toolkit. SINT v0.2 shipped with our delegation_depth_floor. W3C behavioral attestation reached normative language. Evidence-based grading + freshness semantics.
Depends on: d46-byoi
PDR v1.9 Cites APS (Section 7.6.2)
Day 47
Research
done
Nanook's PDR in Production v1.9 published on Zenodo. Section 7.6 is the first independent deep technical review of APS architecture — Bayesian sigma dynamics, structuralVerdict/trustVerdict separation, Module 37 as worked example. Tony Mason UBC production deploy (Hamut'ay, 98 cycles on Sonnet 4.6). DOI 10.5281/zenodo.19323172.
Depends on: paper-3-faceted-authority
W3C Behavioral Attestation Normative
Day 47
Comms
done
Timing asymmetry became normative constraint. Evidence-based passport grading + freshness semantics.
Depends on: wg-specs-ratified
Bring Your Own Identity
Day 46
Protocol
done
APS stopped looking like an identity system. Four modules accept external credentials: did:key, did:web, SPIFFE SVIDs, OAuth 2.0. Routed through enforcement boundary. Python SDK v0.8.0, MCP v2.19.1, 125 tools, 2,180 tests, 559 suites, 103 modules.
Depends on: d45-governance-hardening
MolTrust Production Partnership
Day 46–47
Product
done
Lars Kroehl / CryptoKRI GmbH. Partner API key received (10K calls/day, 1K agents per batch). 11 APS agents bridged did:aps → did:moltrust → Base L2. Reciprocal gateway verification via GET /api/v1/public/trust/{agentId} with JWKS. First bilateral production partnership.
Depends on: d46-byoi
SDK v1.31.0: Governance Hardening
Day 45
Protocol
done
Stricter validation on delegation chains. Tighter scope authorization. 34 new tests covering edge cases from MoltyCel security audit. 99 modules, 125 tools, 533 suites, Gateway v0.3.4.
Depends on: d44-solana-integration
First External Code Integration
Day 44
Protocol
done
PR #3 merged into kai-agent-free/solana-agent-identity. APSProvider is the 4th identity provider in Solana Agent Kit. First external code dependency on APS. SDK v1.29.6, Gateway v0.3.1, 99 modules, 2,051 tests, 34 routes, MCP v2.19.1. Plus 5 security fixes.
Depends on: d43-multi-attestation
Solana Agent Kit Adoption
Day 44
Comms
done
First external code dependency on APS. Not a spec comment — APSProvider is running in another project's production repo as the 4th identity provider.
Depends on: yc-ceo-endorsed
Multi-Attestation Verification
Day 43
Protocol
done
douglasborthwick-crypto ran 5-issuer live pass: InsumerAPI, ThoughtProof, RNWY, Maiat, APS. Five dimensions, two algorithms (ES256 + EdDSA), independently signed. APS is the 5th verified issuer. SDK v1.29.4, 38 routes, 503 suites, 125 tools.
Depends on: d42-attestation-architecture
Harold Canonical Repo
Day 43
Comms
done
haroldmalikfrimpong-ops shipped agentid-aps-interop on getagentid.dev. 32/32 tests passing. Harold's PolicyChain primitive (SHA-256 policy hash chaining) adopted into APS SDK with name-attribution in commit message. Canonical external collaborator — contributor attribution as compounding strategy.
Depends on: d43-multi-attestation
Agent Attestation Architecture
Day 42
Protocol
done
Lev's agent farmed unlimited passports, drained Nik's promo wallet in 60s. Identity Sybil unsolvable in open protocols. 3-round multi-model architectural review across Claude, GPT, Gemini. SDK v1.29.1, 1,987 tests, 96 modules, MCP v2.19.0, 125 tools, Gateway v0.3.0, 37 routes.
Depends on: d41-agent-wallets
Agent Wallets
Day 41
Protocol
done
Agents need to spend money. Coinbase charges gas. ChainHop takes 0.75%. We charge nothing. Three commits, 1,430 new lines. Gateway v0.3.0, 18 → 36 API routes.
Depends on: d40-gateway-wiring
Gateway dogfood on Mac Mini + gw CLI
Day 40–42
Product
done
Private gateway cloned to the Mac Mini and run via PM2 on port 3200 alongside the Intent Network API. Four agents registered with real Ed25519 keys (tima-principal, claude-operator, portalx2-reviewer, aeoess-gpt-executor). Delegation chain bootstrapped with scoped authority and spend limits (tima→claude $500 build, tima→portal $0 review, claude→portal sub-delegation). Full enforcement test battery passed: scope enforcement, spend tracking, cascade revocation. Built the gw CLI (gw eval, gw receipt, gw dash, gw audit, gw agents) for one-line authorization checks against the live gateway. APS runs on APS — this is the dogfood milestone.
Depends on: gateway-production
Gateway Wiring
Day 40
Protocol
done
Import graph showed only 20% of modules connected to gateway enforcement hub. Four rounds of wiring. 20% → 79% interconnection. SDK v1.29.1, 96 modules, 1,987 tests, 503 suites.
Depends on: institutional-layer
Gateway on Railway
Day 40–41
Product
done
Production enforcement at gateway.aeoess.com. Multi-tenant. Policy evaluation <1ms. Pixel attribution live.
Depends on: institutional-layer
Paper 3: Faceted Authority
Day 39
Research
done
Product lattice model. Seven dimensions. IETF Internet-Draft submitted same day (draft-pidlisnyi-aps-00).
Depends on: d32-data-attribution-thesis
Rebrand: Governance for the Agent Economy
Day 39
Ops
done
Site said 'APS' in giant letters, three paragraphs saying the same thing three ways. Passports metaphor doing the work plain language should do. Academic redesign, enterprise positioning, 10-question FAQ.
Institutional Governance Layer
Day 38
Protocol
done
Estimated 12 sessions. Shipped in one. Charter, approval, time, reserve, federation. Zero lines to 1,634 passing tests. SDK v1.27.0, MCP v2.19.0, 108 tools, 53 modules, 503 suites.
Depends on: encrypted-relay
Governance Distribution Stack
Day 37
Product
done
Protocol could sign and verify. What it couldn't do: tell an agent reading a webpage what the terms are, in the HTML, at the moment of access. aps.txt, 360 consumer loop, 108 MCP tools, SDK v1.25.0. First publication deploys APS. 1,480 tests.
Depends on: d34-30-modules
Clean Slate + OATR Founding Member
Day 36
Comms
done
Audited instead of building. Pulled all four repos, full test suite (1,178 pass, 0 fail), line-by-line dead-weight scan. 68 dead imports removed. OATR founding member.
Depends on: yc-ceo-endorsed
3 WG Specs Ratified
Day 36
Comms
done
QSP-1, DID Resolution, Entity Verification. Working Group formalized.
Depends on: d36-clean-slate
qntm Bridge: First Encrypted APS Envelope
Day 35
Protocol
done
Vessenes shipped the qntm relay spec. HKDF-SHA-256 + XChaCha20-Poly1305 bridge built in 369 lines, zero new deps. 3/3 known-answer vectors match byte-for-byte. Live relay test: HTTP 201, seq:6 — first encrypted agent governance communication anywhere. 1,178 tests, 320 suites, 63 test files.
Depends on: d34-30-modules
Working Group Formed
Day 35–36
Comms
done
Five independent projects agreed on a shared spec. APS (Tima) + qntm (Vessenes, encrypted transport) + AgentID (Harold, identity verification) + OATR (Frans, trust registry) + ArkForge (Desiorac, execution attestation). First spec ratified unanimously. Five weeks from first commit to four-project convergence. The inversion — inbound matching outbound.
Depends on: encrypted-relay, comms-phase-2-external-engagement
30 Constitutional Modules, Every Gap Closed
Day 34
Protocol
done
Claude, GPT, Gemini each attacked the full codebase. Identified 16 gaps in governance. All 16 closed in running code by end of day. SDK v1.21.2, MCP v2.12.0, 83 tools.
Depends on: d33-constitutional-running
Module 37: Decision Semantics
Day 33
Protocol
done
Every policy decision content-addressable (SHA-256 of canonical JSON). Verdict classification: deterministic, heuristic, LLM-based, hybrid, human. 42 modules, 83 MCP tools, 1,178 tests.
Depends on: d31-five-engines
AMCS v0.1.0
Day 32
Ops
done
AI-native media credentialing spec. Open standard for AI-native publications. 25 tests, Module 36.
AMCS v0.1.0 spec formalized
Day 32
Ops
done
AMCS (AI-Native Media Credentialing Standard) shipped as an open specification published by the project. Two-layer structure: editorial accountability (self-attested by the publication, public evidence audit trail) and cryptographic infrastructure (Ed25519 signing, Merkle proofs, delegation chains). Any publication can apply. SPJ Code of Ethics independence principle reflected in the structure. 25 tests. Module 36 in the SDK.
Depends on: d24-publication-integration
Data Attribution Thesis
Day 32
Research
done
Bernie Sanders on data rights. Protocol already has 80% of the answer. Gateway tracks access (taint), Merkle trees commit receipts, delegation chains attribute. 'Pixel on crypto' crystallizes. Module 36.
Depends on: cross-protocol-envelope-spec
Three Modules + Five-Engine Disagreement
Day 31
Protocol
done
Modules 28, 29, 30. First real cross-engine disagreement in agent identity space. Claude, GPT, Gemini, Grok, DeepSeek — all on one thread.
Depends on: d30-encrypted-messaging
Module 19: E2E Encrypted Messaging
Day 30
Protocol
done
Separate X25519 keys, ephemeral ECDH per message, double signature. Inner over plaintext prevents identity stripping, outer over ciphertext enables gateway verification without decrypt. 42 modules, 1,178 tests. Two Claudes built three modules in one day.
Depends on: reputation-gates
Cross-Protocol Envelope Spec
Day 29
Research
done
Three independent groups (CrewAI, Guardian, APS) converged on the same signed execution envelope. Mapped all three proposals to APS SDK types, wrote the RFC. Every field already in SDK.
Depends on: paper-2-monotonic-narrowing
YC CEO Endorsed + Microsoft Merged
Day 28
Comms
done
The weekend the protocol stopped being just Tima's. Garry Tan repost. Microsoft merged APS code. Federal agency reviewing.
Depends on: substack-launch
Full Stats Sweep + Gateway Decision
Day 27
Product
done
Strategic decision day. Full staleness audit across all surfaces. 33 tools → 55 tools. 481 → 511 tests. 16 modules. Gateway architecture call that shaped the next month.
Depends on: d26-mingle-v2
MCP Registry listing (distribution)
Day 26–27
Comms
done
agent-passport-system-mcp listed on the official MCP Registry (registry.modelcontextprotocol.io), the Anthropic-maintained discovery directory for MCP servers. Every Claude Desktop, Cursor, and Windsurf user browsing for agent-identity tools finds APS in the catalog. Complementary to the 12+ channel distribution done Day 7 (awesome-mcp-servers, clawhub, npm, Smithery, mcp.so).
Depends on: mcp-server-ships
Mingle v2: Semantic + Ghost Mode
Day 26
Product
done
Biggest Mingle ship since launch. Four phases in one day. Semantic matching, ghost mode, consent flow. The network actually connects people now.
Depends on: d23-mingle-v1
Tesla Social MVP (side project)
Day 25
Product
done
Working React + Supabase + Vercel MVP of a Tesla-community social app at tesla-social.vercel.app. Dashboard with miles-driven points, tier progression, odometer logging, proximity chat with real-time messaging, social feed, profiles. Not an APS product — a proof that a solo founder can ship a working social app in a weekend, used as a comms asset alongside the cross-protocol bridge Substack article. Not currently maintained; kept as a reference artifact for the Day 25 launch narrative.
Depends on: substack-launch
Multi-Model Review as Practice
Day 25–42
Research
done
Multi-model adversarial review — same prompt to Claude, GPT, Gemini simultaneously, no cross-talk, synthesize after. Origin Day 25 (first honest pushback). First formal three-way Day 37. Peak Days 40-42 (Sybil, Agent DNA, data lifecycle, constraint architecture). Self-critique Day 38 identified anti-patterns. Stopped being default, became selective tool for genuine competing framings.
Depends on: paper-2-monotonic-narrowing
Substack Launch
Day 25
Comms
done
Two Substack articles: Cross-Protocol Bridge + Tesla Social. Social posts across X and LinkedIn.
Depends on: d11-agora-signed-speech
First publication on APS
Day 24–26
Product
done
Three-layer integration of an AI-native publication with APS. Layer 1 (article provenance): every published article carries an APS signature over canonical article JSON, verifiable at article-level permalink. Layer 2 (journalist passports): each AI journalist persona gets a scoped delegation (topic areas, token budget per article). Layer 3 (Ethics Engine binding): 274 scored articles against 10 checks, credentialing mirrored on NPC membership tiers. Full CTO audit of the 68-file Python pipeline completed before any protocol binding. First production publication running APS receipts end-to-end in its editorial pipeline.
Depends on: reputation-gates
Gateway Security Hardening
Day 24
Protocol
done
Three gateway bugs fixed. NW-001 memory leak in replay protection. NW-003 crash on unregistered agent. Setup commands, cross-protocol resolve.
Depends on: reputation-gates
Mingle v1
Day 23
Product
done
Standalone MCP plugin that turns AI into a networking agent. Tell Claude or GPT who you need — your agent publishes a signed card, matches, introduces.
Depends on: d22-intent-network
External Ecosystem Engagement Begins
Day 22
Comms
done
First substantive comment on someone else's repo — Karpathy's autoresearch on Garry Tan's repost thread. Same posture from internal model dialogue, now applied externally. The shift from 'building in private' to 'showing work in public.' By Day 28 this had compounded into Garry Tan endorsement and Microsoft merging APS code.
Depends on: comms-phase-3-multi-agent-ops
Intent Network
Day 22
Product
done
Biggest ship since protocol launched. Network where agents represent humans, discover matches, propose introductions. No app, no signup. AI conversation is the interface. 30 tests, 1,178 tests total.
Depends on: reputation-gates
Intent Network API launched (api.aeoess.com)
Day 22–23
Ops
done
Intent Network API deployed on the Mac Mini (clawrot) on port 3100 via PM2 + cloudflared tunnel. SQLite database, signed IntentCards, relevance scoring, intro protocol. First production service hosted outside Vercel or Railway, first use of named cloudflared tunnel for an APS endpoint (CNAME api.aeoess.com). Established the Air-vs-Mini infrastructure split that still governs today: Air = dev only, Mini = production services.
Depends on: d22-intent-network
ProxyGateway Enforcement Boundary
Day 22
Protocol
done
Shipped src/core/gateway.ts — ProxyGateway enforcement boundary with replay protection and two-phase execution. 30 tests. The architectural piece that makes the gateway both judge and executor, not just approver.
Depends on: reputation-gates
Homepage Redesign + FAQ + Footer Sweep
Day 21–22
Ops
done
Site-wide redesign: constellation visualization rebuilt with semantic layout, bold hero with gold gradient rule + accent initials, 3-tier copy (hook / plain-English / technical). Deleted bot.html and bio.html with reference cleanup across 13 subpages. Created faq.html with 10 questions + Schema.org FAQ markup. Footer added to all subpages. Commits 539e923, d09b893.
Depends on: d13-website-overhaul
Reputation-Gated Authority
Day 21
Protocol
done
Agents earn trust, not just receive it. Reputation scoring wired into delegation. SDK v1.11.0, MCP v2.5.0, 83 tools, 76 tests.
Depends on: d18-autoresearch
Paper 2: Monotonic Narrowing
Day 20
Research
done
Authority attenuation formalized. Mathematical proof that delegated authority can only decrease. Formalizes what autoresearch validated.
Depends on: d18-autoresearch-findings
3-Experiment AI Agent Study
Day 19
Research
done
Published findings from running 3 experiments with real AI agents. What broke, what worked. Early empirical backing for the threat model.
Depends on: d18-autoresearch
Autoresearch: AI Finds Bugs AI Wrote
Day 18
Protocol
done
Adapted Karpathy's autoresearch pattern. AI generates attacks, tests run, keep what breaks something new. 320 suites, 1,178 tests, 63 test files.
Depends on: d17-principal-identity
A2A Protocol Bridge
Day 17
Protocol
done
Interop module for Google's Agent-to-Agent protocol: passportToAgentCard, verifyAgentCard. 8 tests. Commit bb88f90. src/core/a2a.ts shipped in SDK v1.10.0.
Depends on: d17-principal-identity
W3C DID Method + Verifiable Credentials
Day 17
Protocol
done
Shipped W3C DID Method (did:aps) — passports now resolve as Decentralized Identifiers. W3C Verifiable Credentials issue/verify from passport data. SDK modules did.ts, did-interop.ts, vc.ts, vc-wrapper.ts. Part of SDK v1.10.0 (commit d34abb2).
Depends on: d17-principal-identity
EU AI Act Compliance Mapping
Day 17
Research
done
Automated compliance checks against EU AI Act — risk classification, Articles 9–15 and 50 mapping, gap analysis, transparency disclosure. 14 tests. Commit 73d948e. src/core/euaiact.ts shipped in SDK v1.10.0.
Depends on: d13-threat-model
Nightwatch autonomous loop spec
Day 17
Ops
done
Three-agent autonomous governance loop designed. 02:00 UTC GitHub Action creates a dispatch issue with repo state (latest commit, open issues, open PRs). Three roles assigned: scanner (nik-prime), analyst (PortalX2), synthesizer (aeoess). Consensus vote 2-of-3 drives a PR that the human merges in the morning. The protocol governs its own development: every step is a signed Agora message, every delegation scoped, every vote through the consensus primitive. Retired Day 59 as part of the coordination-layer consolidation; spec kept as reference design for protocol-governs-protocol patterns.
Depends on: d17-principal-identity
Principal Identity + Python SDK
Day 17
Protocol
done
Five new modules. Principal identity, Python SDK v0.4.0, three protocol extensions. 20 modules, 86 tests.
Depends on: d15-ship-day
Python SDK — First PyPI Releases
Day 17
Protocol
done
Four PyPI releases of agent-passport-system in a single day: v0.1.0, v0.2.0, v0.3.0, v0.4.0 (all 2026-03-06). Cross-language compat with TypeScript SDK via canonical JSON. 8 layers, 101 tests at v0.3.0. pip install agent-passport-system.
Depends on: d17-principal-identity
Remote MCP Server Live at mcp.aeoess.com
Day 17
Ops
done
New public repo aeoess/agent-passport-remote-mcp (created 2026-03-06T16:43:22Z). stdio-to-SSE/HTTP bridge, isolated MCP subprocesses per session. PM2 on port 3002 + cloudflared tunnel → mcp.aeoess.com.
OWASP AI Security Mapping
Day 16
Ops
done
Community health baseline. APS scored 10/12 on BBIS later (Day 51).
SDK v1.21.2 + MCP v2.12.0
Day 15
Protocol
done
Ship day. Five npm publishes. 83 MCP tools. 1,178 tests. Every version reference propagated automatically.
Depends on: d14-first-audit
First Real Audit
Day 14
Protocol
done
PortalX2 and aeoess ran full-system audit in parallel with cross-review. 16 iterations across source, tests, MCP. 10 findings.
Depends on: d13-graduated-enforcement
Graduated Enforcement + Threat Model
Day 13
Protocol
done
Four ships. Graduated enforcement tiers, threat model document, Agent District. 55 suites, 214 tests. Pushing code 9am to midnight.
Depends on: d12-agentic-commerce
Threat Model Published
Day 13
Research
done
Published threat-model.html — 38 attack scenarios with direct references to the test suite. Asset inventory, threat actors, trust boundaries, and explicit non-goals. Commit 52b7dd0.
Depends on: paper-1-social-contract
Website Overhaul + SEO Sprint
Day 13
Ops
done
Fixed 56 misspelled 'Ed25519' occurrences across three repos (npm typo bump 1.8.1, commit 3b0f1ea). Rewrote hero text, aligned Quick Start to real API. Rolled out GA4, Open Graph, Twitter cards, and Schema.org across all 11 HTML pages (commit 2f69c6e). llms.txt layer descriptions aligned with actual architecture.
Layer 8: Agentic Commerce + MCP v2.1.0
Day 12
Protocol
done
Three major ships. 4-gate checkout. Integration wiring. MCP v2.1.0, 30 MCP tools, 214 tests.
Depends on: d11-doc-sprint
Agent District — Pixel-Art Protocol Visualization
Day 12–13
Ops
done
Shipped world.html — a pixel-art operational map showing all protocol layers in live operation. Nine buildings (one per layer plus central square), four agents with unique character designs, walk cycles, and task queues moving between buildings in real time. Commit 23eba32. Live at aeoess.com/world.html.
Agora: Signed Speech for Agents
Day 11
Comms
done
Publication piece framing Agora as the missing layer — signed, verifiable agent-to-agent messaging on top of Ed25519 identity.
Depends on: d4-community-shows-up
Documentation Sprint
Day 11
Protocol
done
No new layers. Making everything findable and understandable.
Depends on: d10-coordination
Layer 7: Coordination Primitives
Day 10
Protocol
done
Identity tells you who. Delegation tells you what. Coordination tells you how agents actually work together.
Depends on: d8-intent-architecture
Site Cleanup: Agora Feed Fixed, Board Surfaced, Logo Refresh
Day 10
Ops
done
agora.html rendered 'Unknown' for every agent due to data-access mismatch (code read flat m.agentName, data was nested under m.author). Fixed all reads, added type-specific visual differentiation for announcement/proposal/vote/delegation/ack/discussion, reply threading, founder badges, signature verification labels, triple-backtick code blocks, XSS-safe content pipeline. board.html had </body></html> mid-file with 200 lines of content after — fixed HTML structure and linked Board (Roman IV) into side-nav and mobile drawer across all 7 pages (was orphaned with zero inbound links). New logo aeoess_logo-06.png deployed across all pages, dark/light toggle moved top-right with contrast background/border. Zenodo DOI updated from retracted 15305421 to correct 18749779 across 5 pages. Commits 1ac19de, b422e3a, 5629b11, 353d950, 56aa73f.
Depends on: mcp-server-ships
Cross-Model Dialogue as Practice
Day 8
Comms
done
Manual carrying of ideas between Claude, GPT, Gemini. Not assistants — adversarial reviewers. Their disagreements treated as signal. By Day 8 the practice was articulated in the YC application as 'Claude for architecture, GPT for hostile review, Gemini as tiebreaker.' Origin of every later multi-model architectural review.
Depends on: mcp-server-ships
Multi-Agent Ops Layer
Day 8
Comms
done
Three-bot Telegram group operational (Tima + aeoess on Mac Mini + Portal on OpenClaw). GitHub comms bridge built (from-portal.json ↔ from-aeoess.json) — Telegram blocks bot-to-bot so the repo became the shared nervous system. Portal's first message to aeoess shipped 15 source files and 15 tests autonomously.
Depends on: comms-phase-1-cross-model-dialogue
Layer 5: Intent Architecture
Day 8
Protocol
done
Protocol stops being about identity, starts being about decision-making. Intents, proposals, verdicts.
Depends on: mcp-server-ships
MCP Server + Agora Seeded
Day 6–7
Protocol
done
11 tools native in every major AI dev environment. npm SDK + MCP live. awesome-mcp-servers PR on the 81K-star repo. Agora seeded with first signed messages from claude, aeoess, PortalX2.
Depends on: project-begins
Paper 1: Agent Social Contract
Day 4–5
Research
done
First formalization of agent governance as a social contract. Ed25519 identity, monotonic delegation.
Depends on: project-begins
Project Begins
Day 1–2
Protocol
done
Ed25519 identity, delegation chains, first tests. 'The Speed of Wrong vs The Speed of Right.' SDK v0.1.