v2.6.0

[2026-06-23]

The 2.6.0 release — a large dev → main merge spanning several weeks (68 commits).
Headline changes below; the granular per-merge history is in the dated sections that follow.

Added

• Compass v2 — devpulse-owned SQLite/FTS5 rated-decision engine + /compass
  human-triggered capture (separate from @memory; DB gitignored).
• Decentralized daemon scheduler — each branch owns .daemon/schedule.json;
  the daemon discovers and fires.
• Telegram skill — the Dev-Pass bridge ported to a self-contained AIPass skill
  that consumes services as opt-in imports.
• Tiered prompt injection — Tier 0 kernel every turn + Tier 1 navmap by cadence,
  replacing the single always-on global prompt.
• seedgo HARDCODED_PATH standard (#37) — flags hardcoded home paths in source
  and docstrings.

Changed

• @backup fully restored — aipass.backup.* namespace, 9-stage Rich CLI,
  versioned baseline + per-file diff engine, Google Drive sync + restore.
• Memory subsystem unified — single-source config limits, char-limit edit-gate,
  unified entry schema, rollover safety + the silent-rollover repair.
• Legacy global prompt retired across every runtime — Claude (cadence) and Codex
  (SessionStart) read the same tier files.
• @daemon / @commons / @skills revived to working citizens.
• Public source genericized — Patrick → user (private memories stay gitignored).

Fixed

• Secrets hardening — no secret value reaches stdout (cleared CodeQL #86-88,
  py/clear-text-logging-sensitive-data).
• Memory rollover was silently dead — the PreCompact hook now delegates to
  drone @memory rollover; the v1 line-count / 600-line fallback removed entirely.
• Hardcoded home paths removed (seedgo #37). @memory symbolic.py builds its
  8 dash-encoded branch-path names at runtime (was a literal -home-patrick-);
  @prax branch_detector.py docstrings genericized. Both back to 100%
  Hardcoded_Path.
• Green-CI fixes across Linux / Windows / macOS; dispatch_monitor PID-429
  substring bug; git post-merge friction (FF-only realign).

v2.5.3

[2026-06-11]

Fixed

• seedgo audit local↔CI parity (FPLAN-0261). The local seedgo audit could
  silently diverge from CI, breaking the "pass locally first, then ship" gate.
  Three independent causes, all closed without coupling any checker to git
  (.gitignore is git's concern, not the audit's): (1) usage-scanning checkers
  (unused_function, dead_code, +4) rglob'd gitignored output dirs
  (artifacts/, dropbox/), so a stray local file could mark a function "used"
  that a clean checkout correctly flags — every per-checker skip list hoisted to
  one shared SOURCE_SKIP_DIRS (output dirs simply aren't source). (2) The
  diagnostics standard shelled out to bare python3 -m pyright (system python,
  no pyright) and, on the resulting JSON-parse failure, returned 0 errors = clean
  — a silent false-green; now uses sys.executable and fails loud. (3) pyright
  resolved imports against PATH-python, so results flipped with .venv activation
  — pinned via --pythonpath sys.executable. The audit is now deterministic
  local == CI (proven all-13-branches-100% in an unactivated shell). Also: drone
  bypasses the test-only broker start_background (intentional API, not dead code).
• windows-setup CI: guard Linux-only sandbox tests. The kernel-sandbox build
  is Linux-only (bwrap, AF_UNIX sockets, openat2); the code already guards on
  sys.platform, but four test surfaces ran unconditionally and failed on
  windows-latest. Module-level pytestmark = pytest.mark.skipif(sys.platform != "linux", …) on drone/tests/test_broker.py and hooks/tests/test_sandbox.py;
  scoped guards on the remaining AF_UNIX broker-socket tests —
  ai_mail/.../test_dispatch_monitor.py::TestBrokerRealE2E (class) and
  aipass/.../test_sandbox_check.py::TestCheckBrokerAlive socket-connect tests
  (method-level, so the graceful no-broker paths still run on Windows). All skip on
  Windows and run unchanged on Linux. windows-setup was green pre-sandbox-merge
  (00edd8b) and red since (0b4ba63); this closes it.
• Broker start_background connect-before-bind race. drone's out-of-sandbox
  broker daemon started via start_background(), which returned before the
  AF_UNIX socket was bound — callers then raced the bind, and on a slower machine
  create_identified_connection() hit FileNotFoundError (socket not yet present).
  Deterministic locally (test_delete_nested_file 0/5), green in CI only by timing
  luck — latent flakiness. Fixed with a threading.Event set right after listen();
  start_background(timeout=5.0) now blocks on it and raises if the socket never
  binds, so callers never guess a sleep. Removed the 4 blind time.sleep(0.15)
  waits from the broker tests. Verified 55/55 broker tests, formerly-failing test 10/10.

Added

• aipass init detects missing Claude Code. Stage 6 (CLI choice) now checks
  shutil.which("claude") when the picked CLI is Claude Code. If absent: interactive
  runs prompt Install now? [Y/n] and run the canonical installer on yes (native
  claude.ai/install.sh, PowerShell on Windows, npm fallback, 300s timeout, loud on
  failure); non-interactive runs warn and continue. The whole system routes through
  Claude Code (hook bridge, dispatch, prompt injection), so init no longer silently
  assumes the runtime is present. Only fires when the chosen CLI is claude.

• Kernel filesystem boundary for agent containment (DPLAN-0202 / FPLAN-0250).
  Every autonomous agent can now launch inside a kernel-enforced mount namespace
  (@anthropic-ai/sandbox-runtime → bwrap+seccomp) where reads stay fully open
  (the shared live filesystem is preserved — a bind-mount, not isolation: own-tree
  writes land live on the real FS instantly) but deletes/overwrites of protected
  paths (.git, sibling branch trees) fail at the kernel no matter how the call is
  phrased — rm, python os.remove, find -delete, Write tool all hit EROFS.
  /tmp and the agent's own tree stay writable; .git is RW for devpulse, RO for
  builders. A per-role policy generator (@hooks build_policy) derives each branch's
  writable/RO map from its passport. Privileged deletes route through an
  out-of-sandbox drone-broker daemon: identity-scoped allowlist, openat2
  RESOLVE_BENEATH path re-resolution (confused-deputy proof), HMAC identity handshake
  over a pre-connected inherited fd, JSONL audit. aipass doctor gained a Sandbox
  check group (bwrap present+functional, node, srt, rg, broker socket) that is LOUD
  when the flag is on and a prereq is missing — never a silent unsandboxed launch.
  Proven by a live 16-check red-team suite. Inert by default — gated behind
  AIPASS_SANDBOX_ENABLED (off); flag-off is byte-identical to the old dispatch path.

• rm_gate demoted to guardrail. Now framed honestly as early-feedback that
  catches the accidental rm -rf and teaches drone rm — belt-and-suspenders, with
  the kernel sandbox as the actual filesystem boundary.

• Prompt-injection cadence — fire the big loaders every Nth turn. The global
  and branch prompts are large and were re-injected on every turn even though a
  prior copy stays in the conversation. They now fire together every 5th turn
  (config-tunable via hooks_json/custom_config/cadence_config.json), with a
  per-session turn counter that resets on a new session and after compaction so
  context is always rebuilt when it's actually needed. Identity and the mail flag
  stay every-turn (tiny, want freshness). Cuts recurring per-turn context cost.

• Hook fire/skip observability. Cadence emits a structured
  [HOOKS] cadence fired|skipped loader= turn= period= offset= line; the prax
  monitor renders hook events distinctly so the cadence is visible live.

• Slim global prompt — context-on-demand. The always-injected global prompt
  was rewritten from a ~13.8KB encyclopedia into a ~7.8KB navigation map
  (DPLAN-0201): drone pinned as the router, the framework tree, all 13 agents
  as short bios, and one drilled reflex — run drone @agent --help before using
  a branch. Detail now lives in each agent's --help, fetched on demand. This
  also dissolves the harness ~10k-char truncation that was silently dropping the
  old prompt's tail; the slim prompt injects whole. Backup retained alongside.

Changed

• Shared leaf library re-homed: aipass.common → aipass.aipass.shared (FPLAN-0260).
  src/aipass/common/ was the only non-citizen directory in the agent namespace —
  a shared lib (json_handler / json_ops / registry_discovery, extracted in
  TDPLAN-0006 P2) parked as a sibling to the agents with no owner. Per @seedgo
  design review it now lives inside its steward at src/aipass/aipass/shared/,
  owned by @aipass; @Spawn imports across (same blessed shared-infra category as
  aipass.prax/aipass.cli). Content byte-identical; ~9 import/doc sites updated
  across aipass+spawn. A new subprocess guard test pins the bootstrap-safety
  invariant: importing shared/ loads zero branch dependencies, so aipass init
  keeps working pre-drone on fresh machines. Note: aipass.common shipped in the
  v2.5.2 wheel; it was internal plumbing — no deprecation shim.
• Action-gated hook sound. Piper now speaks only when a hook actually does
  something — handlers return a sound key the engine plays, instead of
  announcing on every invocation. Skipped loaders are silent. Quieter and honest.
• README: hardcoded metrics → live badges + qualitative. Version is now a
  live PyPI badge, test/PR counts replaced with a codecov coverage badge (75%
  minimum) and qualitative wording — no more stale numbers to hand-maintain.

Fixed

• Cadence counter separate-process race. Each UserPromptSubmit hook runs as
  its own OS process, so a module-level turn cache double-incremented and the
  loaders leapfrogged (firing erratically instead of together). Fixed with an
  mtime debounce + transcript-size token + flock so the counter advances exactly
  once per real turn, verified against the live execution model.
• auto_fix ran no diagnostics. A leftover speak() call (its import removed
  in the sound refactor) raised NameError on every edit, swallowed by the
  handler's broad except — so auto-fix silently surfaced nothing on any
  .py/.json edit. Removed the dead call; diagnostics run again.
• Hook events never colored in the monitor. The prax log-watcher's
  _HOOK_PATTERN required an action= field that cadence never emits (it logs
  the action as the bare second word, fired/skipped), so extraction failed
  and events fell through to plain rendering instead of the styled
  bold-green ⚡ / dim · treatment. Fixed the regex to capture the bare action
  word and enriched the event detail (period, offset, short session id).

Security

• Least-privilege token on the e2e-wheel workflow. e2e-wheel.yml was the
  one CI workflow missing a top-level permissions: block (it was added during
  the cross-OS work after PR #624 hardened the others), so it ran with the
  default broad GITHUB_TOKEN scopes — dropping the OpenSSF Scorecard
  Token-Permissions check to 0. Added permissions: contents: read; the
  workflow only reads the repo to build and smoke-test the wheel.
• Signed GitHub Releases via Sigstore (keyless). The release workflow now
  signs the built wheel + sdist with sigstore/gh-action-sigstore-python
  (keyless OIDC — no signing key is generated, stored, or held by anyone) and
  attaches the resulting .sigstore.json bundles to the GitHub Release. PyPI
  uploads were already attested via Trusted Publishing; this extends verifiable
  provenance to artifacts pulled from GitHub Releases and satisfies the OpenSSF
  Scorecard Signed-Releases check. First proof lands on the next v* tag.

v2.5.2

[2026.W24] - 2026-06-08

Security

• Least-privilege token on the e2e-wheel workflow. e2e-wheel.yml was the
  one CI workflow missing a top-level permissions: block (it was added during
  the cross-OS work after PR #624 hardened the others), so it ran with the
  default broad GITHUB_TOKEN scopes — dropping the OpenSSF Scorecard
  Token-Permissions check to 0. Added permissions: contents: read; the
  workflow only reads the repo to build and smoke-test the wheel.
• Signed GitHub Releases via Sigstore (keyless). The release workflow now
  signs the built wheel + sdist with sigstore/gh-action-sigstore-python
  (keyless OIDC — no signing key is generated, stored, or held by anyone) and
  attaches the resulting .sigstore.json bundles to the GitHub Release. PyPI
  uploads were already attested via Trusted Publishing; this extends verifiable
  provenance to artifacts pulled from GitHub Releases and satisfies the OpenSSF
  Scorecard Signed-Releases check. First proof lands on the next v* tag.

v2.5.1

[2026.W23] - 2026-06-02

Fixed

• aipass init scaffold correctness. A fresh aipass init now generates a
  project-specific AGENTS.md (new agents_md() generator) instead of falling
  back to copying AIPass's own repo-root AGENTS.md boilerplate — Codex users
  were getting the wrong file. Project README.md quick-start/structure paths
  now reflect the real src/<package>/<agent>/ layout.
• First-agent default name my-agent → my_agent. aipass init seeded its
  default agent with a hyphen, the lone source of a long-standing dir-vs-module
  mismatch (the directory kept the hyphen while the importable module, @address
  and registry name all normalize to underscore). Defaulting to my_agent makes
  directory, module, @address and the README example all consistent.
• Dead citizenship.registry_path removed from spawn templates. The field
  pointed at a non-existent .aipass/registry.json; it was never read anywhere
  (registry is located by find_registry() glob), so it's dropped from the
  builder and birthright passport templates.

Removed

• The entire STATUS flow is decommissioned (TDPLAN-0007). The per-branch
  hand-maintained STATUS.local.md beacon and the auto-aggregated central
  STATUS.md (853 lines / 70 KB nobody read) are gone — deleted from disk
  across all 13 branches and scrubbed from every prompt, doc, startup protocol,
  /prep + /memo skill, the compact-recovery hook, the email footer, and
  aipass init / spawn scaffolding. Live branch state was already fully covered
  by DASHBOARD.local.json (prax) and history by .trinity/local.json. The
  status-sync engine is kept intact but inert — made dormant by unwiring its
  3-line trigger registration (trigger registry.py), so the code stays
  revivable. The one thing STATUS uniquely gave us — a quick scratch todo — is
  replaced by an operational todos[] section in .trinity/local.json
  (@memory-owned schema, capped, never vectorized by rollover), pushed to all 13
  branches and surfaced as a todo_count on the dashboard. Shipped as one
  coordinated cross-branch change (memory, prax, trigger, aipass, spawn, hooks,
  ai_mail, seedgo + devpulse).

Changed

• All 13 branches at seedgo 100% under the new introspection standard.
  Wrapped print_introspection() output in Rich markup across ai_mail, drone,
  spawn, trigger, prax and devpulse (the rest were already compliant) —
  presentation only, no logic change — so drone @branch with no args renders
  consistent styled output everywhere.
• CLI polish for human-facing output. drone @hooks --help rewritten (Rich,
  with hooksound on/off/status now surfaced); drone @spawn repair help
  clarified as distinct from update and showing the preview/--apply flow;
  drone restores Rich colour on human-facing routed output (--help,
  introspection, status) via the inherit path.
• Spawn backups land in one namespace .spawn/.recovery/ (TDPLAN-0006 P4).
  Spawn's pre-merge JSON backups previously dropped a .recovery/ directory at
  each branch root (which had accumulated 242 stale auto-generated DASHBOARD
  backups across 10 branches). aipass.common.json_ops.backup_json gained an
  optional backup_dir parameter (default unchanged), and spawn's update engine
  now directs backups to {branch}/.spawn/.recovery/ — tucked under the
  spawn-managed .spawn/ dir instead of cluttering the branch root. Memory stays
  in the safety net (the engine simply never touches .trinity//DASHBOARD on
  update, so it never needs to back them up). Stale .recovery/ backups cleaned
  up. (315 tests, seedgo 100%.)
• No more cross-branch engine imports — aipass init update calls spawn via
  subprocess (TDPLAN-0006 P3). init_flow.py previously did
  from aipass.spawn.apps.modules.sync_registry import sync_registry — the one
  place aipass reached directly into spawn's Python. Replaced with a subprocess
  call to the already-existing drone @spawn sync-registry --fix (same pattern as
  aipass init agent → drone @spawn create), preserving graceful degradation
  (a missing drone, non-zero exit, or timeout is silently skipped — registry
  sync never hard-fails an update). The aipass branch now has zero direct
  imports of another branch's engine code; the remaining cross-branch imports are
  shared service layers only (cli Rich UI, prax logging, trigger events). (438
  tests, seedgo 100%.)
• aipass.common shared library — dedup spawn/aipass scaffold machinery
  (TDPLAN-0006 P2). @spawn and @aipass each carried their own copy of the
  JSON merge/handler utilities and registry discovery. Extracted them into a new
  branch-free package src/aipass/common/ (json_ops = deep_merge +
  backup_json; json_handler.JsonHandler; registry_discovery.find_registry)
  that both branches now import. aipass.common imports zero branch code, so
  aipass/bootstrap.py (which runs before the drone runtime exists) can depend on
  it without breaking the pre-infrastructure constraint. The duplicated copies are
  deleted (spawn keeps a thin re-export shim; aipass's json_handler shrank
  254 → 88 lines). The save_json contract is unified to raise ValueError
  on invalid structure across both branches. (313 spawn + 434 aipass tests, both
  seedgo 100%.)

Fixed

• Flow plan-type self-serve UX — register override, help, orphan cleanup.
  Explicit drone @flow register <dir> <PREFIX> now overrides an auto-derived
  prefix instead of silently failing (guarded — refuses if the auto-registered
  type already holds plans), so custom prefixes are settable when adding a new
  plan type. create/templates --help rewritten to dynamically list registered
  types + templates and document the add-a-new-type workflow. Stale orphan plan
  registries removed; dead prefix_exists() dropped. (728 tests, seedgo 100%.)
• drone @spawn update no longer scrambles branches (#636, critical — TDPLAN-0006
  P0+P1). The update engine compared a freshly-created branch against the class
  template by content hash with rename-detection, and because the CREATE path
  regenerated template-registry IDs in filesystem-walk order (≠ the master's
  hand-crafted IDs), a branch created seconds earlier produced 30 proposed renames
  that rotated identity/memory dirs into each other
  (apps→.trinity→.seedgo→.claude→.archive→.aipass), turned README into
  DASHBOARD, and deep-merged stale template into live .trinity/ memory —
  update <class> --all would have destroyed every citizen in one command. Rebuilt
  update_ops.py (v2.0) on an explicit named-managed-files + path-based model:
  .trinity/*, DASHBOARD.local.json, artifacts/birth_certificate.json and
  .seedgo/bypass.json are delivered on create only and never touched on update;
  the create==update invariant now yields 0 renames / 0 merges on a fresh branch.
  The old ID-based engine (change_detection.py, reconcile.py) is deleted.
• Destructive spawn ops are now dry-run by default (TDPLAN-0006 P0). drone @spawn update and drone @spawn repair preview by default and require an explicit
  --apply to write — forgetting a flag is now a safe no-op instead of irreversible
  damage (--dry-run kept as an alias). aipass doctor repair suggestions emit the
  matching --apply form.

Added

• Introspection Rich-formatting standard (seedgo). New
  check_introspection_rich_formatting checker enforces that each branch's
  print_introspection() output uses Rich markup (delegation-aware — it walks
  _-prefixed helper functions), keeping no-arg drone @branch output styled and
  consistent. Documented in introspection.md; all 13 branches brought into
  compliance (see Changed).
• Playbook plan type (PBPLAN) — reusable SOP checklists (flow). A new
  playbook_plans template family for throwaway, vectorize-on-close operational
  runbooks (first SOP: the Sunday merge). Drop a .md under
  templates/playbook_plans/, register once, then
  drone @flow create . "subject" <sop> stamps a run to tick through and close.
• Memory-pool auto-processing (TDPLAN-0005) — dropped files in
  memory/memory_pool/ are now vectorized and archived automatically on
  session-start and pre-compact, instead of requiring a manual
  drone @memory pool process. A 3-branch build: @memory gains an intake
  handler + pool module (processes then empties the pool, keep_recent=0),
  @hooks adds a lifecycle/auto_process handler (session-guarded via
  CLAUDE_CODE_SESSION_ID, since Claude Code has no SessionStart hook), and
  @trigger gains event #15 (memory_pool_auto_processed) with a Medic error
  path. Runtime pool dirs (memory_pool/, memory_pool_archive/) are now
  gitignored.
• HVTracker badge added to the README badge cluster, linking to the public
  agent profile at hvtracker.net (closes #628).
• git_gate read-verb allowlist — raw read-only git for every branch. The
  PreToolUse git_gate previously blocked all raw git (forcing drone @git
  even for harmless reads), which left agents unable to inspect what git ships —
  the exact forensics needed to diagnose the audit gap above. It now allows 22
  read-only verbs raw (ls-files, ls-tree, show, cat-file, rev-parse,
  rev-list, log, status, diff, blame, archive, grep, …) while
  write operations stay drone-gated. Global options (-C, -c, --git-dir,
  …) are skipped when extracting the verb, and chained commands are split on
  &&/||/;/| so a read piped into a write still blocks the whole line.
  (81 tests)
• Cross-OS end-to-end WIRING test (tests/e2e/, e2e-wheel.yml) — the first
  CI gate that proves real AIPass wiring (not units-with-mocks) by building the
  wheel, installing it into a clean venv, and asserting a 4-tier ladder: package
  install + console scripts (T0), aipass init ...

v2.5.0

[2026.W22] - 2026-05-30

Added

• drone @hooks status — read-only viewer for a project's hook config:
  master switch, every hook's enabled state per event group, matchers, and an
  enabled/total summary. Resolves the project's .aipass/hooks.json by walking
  up from CWD. (DPLAN-0190 Phase B)
• Hooks activate in every project — aipass init now writes
  .aipass/hooks.json, so new projects fire the hook engine out of the box
  (previously: no config shipped, 0 hooks fired). aipass init update
  union-merges the template, preserving any per-hook on/off choices the user
  made. aipass doctor now checks for the config's presence. Dead hook-script
  shipping (_ship_hooks) removed. (DPLAN-0190 Phase A)
• README logo — centered logo image replaces plain # AIPass header.
  New assets/logo.png added to the repo.
• OpenSSF Scorecard — .github/workflows/scorecard.yml runs the official
  OSSF Scorecard action on push to main and weekly. Publishes a public security
  health score at scorecard.dev with a README badge. Actions pinned by SHA.
• GitHub Releases — publish.yml now cuts a GitHub Release on each v* tag,
  with notes pulled from the top CHANGELOG section and the built dist attached.
  PyPI publish + GitHub Release now fire from the same tag.
• Registry descriptions — all 13 branches now have one-liner descriptions
  in AIPASS_REGISTRY.json. drone systems shows what each agent does
  instead of blank lines. Closes #607.

Changed

• Security gates fully project-aware — both the edit gate and the
  subagent stop gate now derive the package name dynamically from CWD instead
  of hardcoding src/aipass/. Cross-branch write protection and branch
  detection work for any src/<package>/<branch>/ project; previously the
  subagent gate silently no-opped outside AIPass. 9 new external-project tests.
  Closes #605.
• Hooks branch promoted to service — registry profile changed from
  "AIPass Workshop" to "library" so it appears in drone systems alongside
  the other 12 services.
• Hooks branch hardened to 100% seedgo — the @hooks citizen took full
  ownership of its branch: every handler verified wired + firing, README
  rewritten (two-tier provider/project model, dynamic-dispatch design, event
  table), 2 stale tests resolved (253 pass). Dead-code/unused-function flags
  documented as architectural bypasses — the 15 handlers are invoked
  dynamically via importlib from hooks.json paths, never statically
  imported. (DPLAN-0191)

Release

• Version 2.5.0 published to PyPI. Trusted publishing via GitHub Actions
  (publish.yml triggers on v* tags — no manual twine upload needed). The
  same tag now also cuts a GitHub Release with these notes attached.

Removed

• Gemini CLI full removal — deleted .gemini/ directory (5 files) and
  GEMINI.md. Stripped all references from setup.sh (~50 lines),
  README.md, bug-report.yml, aipass init (bootstrap/scaffold/test),
  hooks (README/prompt/passport), and prax monitoring (~300 lines). 21 files
  changed, -927 lines. Closes
  #608.