recursive delegation foundations behind a feature flag
dynamic specialist generation for connected MCP servers
reusable workflow definitions that can activate across native tools, skills, specialists, and connected MCP capabilities
cockpit-native operator surface for workflow availability, tools, skills, starter packs, MCP server state, blocked-state reasons, and live runtime-policy visibility
first starter-pack bundles for recommended default skills and workflows
first workflow-runs history surface with boundary-aware replay metadata and artifact lineage
searchable capability command palette for tools, skills, workflows, starter packs, MCP actions, repair actions, and installable catalog items
denser operator terminal with recommendations, runbooks, repair actions, installable catalog entries, and deeper workflow timeline visibility
guided repair and install flows for blocked skills, workflows, tools, and MCP servers instead of only static blocked-state reasons
policy-aware starter-pack repair guidance, live operator-feed status, saved runbook macros, and approval-aware workflow timeline actions in the cockpit
capability preflight and autorepair payloads for workflows, starter packs, and runbooks before execution
bounded capability bootstrap that can apply low-risk local workflow or runbook repair actions from the cockpit while leaving policy lifts, external server enables, installs, and starter-pack activation as explicit operator decisions, with starter-pack install flows now prechecking the same lifecycle approvals as direct catalog installs
workflow diagnostics that expose stored load errors plus richer step timing, error summaries, and recovery hints for extension debugging
threaded operator timeline surfaces for workflow runs, approvals, notifications, queued continuity, recent interventions, and surfaced failures
separate activity-ledger surfaces for workflow runs, approvals, notifications, queued continuity, recent interventions, surfaced failures, and attributed LLM spend instead of leaving autonomous work opaque
cockpit-native extension studio for workflows, skills, and MCP configs with validation, diagnostics, save flows, and repair handoff
first workflow branch/resume control with checkpoint candidates, lineage metadata, approval-gated resume plans, and resume drafts tied to existing inputs
typed artifact-input handoff plus checkpoint-truthful branch actions in the cockpit, so follow-on workflow drafts now respect declared artifact compatibility and failed-step controls only appear when the runtime persisted reusable checkpoint state
workflow cockpit surfaces now derive parent/peer/child branch families from persisted lineage, letting operators inspect related runs and continue the latest branch directly from the workflow surface instead of reconstructing branches manually
cockpit workflow surfaces now promote step-focus debugging, direct step/output handoff actions, bundled family next-step planning drafts, denser ancestor/peer/failure-lineage follow-through, direct family-row checkpoint drill-in, direct family-row retry/repair controls, and active-triage workflow quick actions including failure-context reuse, direct best-continuation control, direct recovery actions, and keyboard-first best-continuation/comparison follow-through, so operators can act on the hottest failed or recoverable workflow step without reconstructing that context from raw history
workflow operating surfaces now also include workspace-level multi-session orchestration grouped by thread, with lead-run step focus, recoverability, and direct open-thread/continue/failure-context or next-step control instead of tying long-running workflow supervision only to the active thread
workflow operating surfaces now also compact long-running orchestration into explicit state capsules with visible-versus-compacted step counts, artifact totals, recent-step labels, and preserved retry/checkpoint/repair paths instead of leaving durable recovery state implicit in long raw step lists
workflow operating surfaces now also expose queue-state supervision, denser step-repair or branch or stalled attention summaries, related-output debugger context, latest-branch open/compare controls, and explicit long-horizon workflow eval proof instead of leaving multi-session recovery density implicit across workflow history and branch-family rows
workflow operating proof now also includes a replayable live-workflow endurance canary: /api/operator/live-workflow-endurance-canary and live_workflow_endurance_canary show multi-session delegated ownership, checkpoint branching, injected failure, repair, artifact comparison, approval preservation, trust-boundary drift blocking, and audit receipts while keeping durable workflow execution in the future-work boundary
cockpit artifact surfaces now preserve verified source-run lineage when it is uniquely visible, related family outputs, and direct artifact follow-on control, so typed artifact-to-workflow chaining is visible as an operator workflow graph instead of only a one-off draft button
Hermes runtime-parity primitives including execute_code, delegate_task, clarify, todo, session_search, stronger scheduled execution, and tighter runtime security controls
packaged browser providers, messaging connectors, automation triggers, node adapters, canvas outputs, workflow runtimes, and channel routing through the extension platform instead of ad hoc side paths
operator-surface imported reach, extension governance, and LLM spend attribution by runtime path and capability family
provider-neutral source capability inventory that exposes typed public-web tools, managed authenticated connectors, explicit raw-MCP gaps, and one reusable source-evidence review skill instead of forcing provider-specific workflow glue
first adapter-backed source-evidence runtime that turns typed public-web contracts into normalized evidence bundles, exposes degraded managed-connector truth instead of implied access, and gives Seraph one reusable collect_source_evidence path for public discovery, explicit pages, and existing browser-session snapshots
first connector-backed authenticated source-read bridge that binds a managed connector to a live MCP runtime when the connector is enabled and configured, so typed source contracts can execute normalized repository.read, work_items.read, and code_activity.read evidence reads instead of staying permanently degraded
reusable connector-first source review planning and bundled source-review routines, so daily review, progress review, and goal-alignment review can compose provider-neutral mixed-source plans with explicit degraded-step truth instead of spawning bespoke provider pipelines
first connector-backed authenticated source-action path that can execute bounded work_items.write plus code_activity.write actions through managed adapters, expose action-scoped approval and audit metadata, carry fixed-argument bounded execution for PR-native review flows, and compose provider-neutral report publication flows instead of falling back to bespoke provider-specific write pipelines
first governed self-evolution substrate for declarative capability assets, including /api/evolution, the propose_capability_evolution native tool, bounded review-candidate generation for skills/runbooks/starter packs/prompt packs, persisted eval receipts inside the managed workspace package, and hard blocks on tool-scope, target-surface, install-scope, and privileged prompt-instruction expansion
backend CI now also weights historically slow backend suites, runs ten isolated backend shards in GitHub Actions, and pins the real shard-runner executable contract instead of letting long-tail runtime skew dominate workflow delivery
extension lifecycle, catalog, and capability surfaces now expose package version lines, compatibility truth, publisher metadata, and diagnostics summaries together, while the cockpit operator surface now summarizes extension health, governance, and update/studio actions instead of forcing package triage through raw studio or catalog lists
capability-overview and cockpit operator surfaces now also compose starter packs, extension packs, and packaged runbooks into operator-readable marketplace flows with readiness counts, blocking reasons, install/update actions, and draft follow-through instead of leaving marketplace composition split across separate inventories
the deterministic m9_governed_ecosystem benchmark suite and /api/operator/m9-governed-ecosystem-benchmark now pin local manifest governance, lifecycle review gates, managed-connector degradation truth, marketplace governance flow, diagnostics/update triage, and operator-visible claim boundaries without claiming competitor superiority or production marketplace security
Batch CA now layers marketplace lifecycle maturity on top of M9 and pack-hardening proof with marketplace_grade_capability_lifecycle, governed_capability_lifecycle_v2, capability_rollback_failure_diagnostics, and /api/operator/marketplace-lifecycle-maturity receipts for install/update/downgrade/disable/rollback/review/quarantine/diagnostics/staged rollout, permission and risk deltas, cross-family coverage, failed-update recovery, quarantine re-entry, diagnostics, and package-count claim blocking without claiming production marketplace security or ecosystem superiority
Batch CG now layers recorded-live third-party marketplace attestation and operations proof on top of Batch CA with third_party_marketplace_attestation, marketplace_operations_incident_drill, publisher_review_and_package_trust, and /api/operator/live-marketplace-attestation-proof receipts for package provenance, signatures, publisher verification, compatibility, dependency and vulnerability attestation, install/update/downgrade/rollback/quarantine/re-entry operations, failed-update diagnostics, publisher review freshness, trust explanations, and package-count claim blocking without claiming production marketplace security, solved package security, full marketplace parity, or ecosystem superiority
Batch CO and Batch CX then add bounded package-security, package-network, registry-corpus, continuous-monitoring, publisher-operation, rollback/quarantine, and redacted safe-receipt evidence through /api/operator/production-marketplace-security and /api/operator/marketplace-security-corpus without claiming production-secure marketplace, solved third-party package security, full marketplace parity, package-count superiority, or ecosystem superiority
Batch DF now layers bounded marketplace/package-security evidence on top of CA/CG/CO/CX with production_secure_marketplace_v1, third_party_package_security_certification_v1, marketplace_live_corpus_operations_v2, hostile_package_lifecycle_gauntlet_v1, and /api/operator/production-secure-marketplace receipts for larger corpus quality, fail-closed promotion gates, external review/certification-scope records, lifecycle operations, expanded hostile package drills, redacted safe receipt handles, and blocked claims without lifting production-secure marketplace, solved package-security, formal certification, full-marketplace-parity, or superiority wording
Batch DV now layers post-DP marketplace lifecycle gap-closure on top of DN and DR with post_dp_capability_marketplace_lifecycle_gap_closure_v1, marketplace_lifecycle_operations_v3, package_review_waiver_policy_v2, marketplace_vulnerability_monitoring_v2, hostile_package_lifecycle_gauntlet_v3, marketplace_rollback_quarantine_diagnostics_v2, marketplace_secure_host_audit_integration_v1, marketplace_lifecycle_false_claim_scan_v2, and /api/operator/post-dp-marketplace-lifecycle-gap-closure receipts for lifecycle operations, waiver denial, vulnerability monitoring, hostile lifecycle, rollback/quarantine diagnostics, secure-host/audit integration, and blocked claims without lifting production-secure marketplace, solved package-security, formal certification, full-marketplace-parity, or superiority wording
backend CI now also applies per-file watchdog timeouts for the historically heaviest backend suites instead of letting test_workflows.py or test_eval_harness.py consume an entire shard window when they hang on hosted runners
backend CI now also gives the historically slow approvals/context suites explicit shard weights and timeout headroom instead of letting those long-tail trust-boundary tests destabilize the backend matrix
extension-backed memory providers now also expose operator-readable freshness/writeback quality controls, a provider-neutral adapter model with per-capability sync contracts, a canonical-memory/provenance contract, usefulness-ranked retrieval diagnostics, query-matched canonical project hints for provider-backed user modeling, explicit canonical-memory reconciliation diagnostics through the memory API and guardian state, guarded additive writeback semantics that suppress project-scoped memories without an explicit project anchor, and a stricter pre-context quality_declaration plus per-hit quality gate for provenance, confidence, privacy, freshness, conflict, suppression, and evidence IDs instead of acting like opaque “connected or not” external memory seams
this workstream shipped the first operator workflow-control slice through workflow-control-and-artifact-roundtrips-v1
this workstream partnered on cockpit-workflow-views-v1
this workstream now ships artifact-evidence-roundtrip-v2
this workstream now ships extension-operator-surface-v1
this workstream now ships capability-discovery-and-activation-v1, starter-skill-and-workflow-packs-v1, workflow-history-and-replay-v1, and extension-debugging-and-recovery-v1
this workstream now also ships capability-preflight-and-autorepair-v1, threaded-operator-timeline-v1, and workflow-runbooks-and-parameterized-replay-v1
this workstream now also ships extension-ecosystem-maturity-and-marketplace-depth-v2, including richer lifecycle/catalog diagnostics truth, operator-facing extension health triage, and heavier-suite CI shard watchdogs
this workstream now also ships deterministic M9 governed-ecosystem proof for the local extension and connector governance foundations, including the dedicated operator benchmark report and benchmark-proof posture
this workstream now also ships the first adapter-backed-authenticated-operations-and-report-workflows-v1 Batch AM aggregate, including executable connector-backed source actions, provider-neutral source report publication, structured mutation audit visibility, and backend shard stabilization for the heaviest approvals/context suites
this workstream now also ships the first Batch AW aggregate, including broader authenticated adapter operations, PR-native code_activity.write create or review actions, fixed-argument bounded action contracts, and report publication that can intentionally target work-item or pull-request activity surfaces
this workstream now also ships governed-self-evolution-for-skills-prompts-and-runbooks-v1, including the evolution API/tool surface, bounded review-candidate persistence, and deterministic guardrail/eval coverage
local review findings fixed while landing adapter-backed-authenticated-operations-and-report-workflows-v1:
report publication was initially pinned to the adapter chosen for a work_items.read review step, which prevented fallback to another ready work_items.write adapter and made mixed-source report publication unnecessarily unavailable
report publication initially surfaced approval_required even when target_reference was empty, which implied an executable publish path even though mutation execution would fail target parsing immediately
single-action authenticated write routes initially omitted mutation_action_kind from approval and audit payloads when the caller relied on implicit action selection, which weakened action-scoped explainability for the common one-action case
the final subagent re-review reported no remaining material findings after those fixes and the follow-up CI shard assertions landed
local review findings fixed while landing Batch AW:
report publication initially stayed pinned to work_items.write, which meant pull-request review publication could not use the new code_activity.write contract even when the adapter advertised it
PR-native review routes initially did not preserve fixed action arguments through the public route, approval-scope, and execution surfaces, which weakened the bounded-external-action contract for add_review_to_pr
the final subagent re-review reported no remaining material findings after those fixes and the follow-up eval coverage landed
this workstream now hands the queue forward to the full extension-platform transition program rather than isolated extension UX slices
the first extension-platform foundation slices now cover terminology cleanup, canonical manifests, the transitional registry seam, and structured doctor diagnostics
the extension-platform foundation now also pins one canonical on-disk package layout and package-boundary resolution rules for contribution files
the authoring path now includes first local scaffold and validation commands for capability-pack package creation instead of forcing hand-authored manifests
the authoring path now also includes first-class public docs for extension overview, package creation, manifest fields, contribution types, validation, and migration instead of leaving the new architecture trapped in research docs
the authoring path now includes one canonical in-repo example package that is validated in tests and pinned to current scaffold output so contributors and docs share the same golden reference
the runtime now loads manifest-backed skill contributions through the extension registry while still preserving legacy loose-skill compatibility during the coexistence window
the runtime now also loads manifest-backed workflow contributions through the same registry seam, including packaged workflow diagnostics and manifest-preferred duplicate resolution during the coexistence window
the runtime now also exposes a first adapter-first source-capability surface, so Seraph can inspect available typed source contracts before composing evidence-collection routines instead of assuming GitHub- or browser-specific paths
the runtime now also loads manifest-backed starter packs and explicit runbooks through the same registry seam, and the capabilities surface now publishes packaged starter-pack metadata plus extension-backed runbook entries instead of treating both surfaces as legacy-only inventory
startup/runtime loading now serves bundled default skills, workflows, starter packs, and explicit runbooks from a real seraph.core-capabilities package under backend/src/defaults/extensions/, with workspace extension packs taking precedence over bundled defaults while install/bootstrap/catalog flows and legacy loose-file coexistence are still being migrated
the backend now ships one /api/extensions lifecycle surface for list, inspect, validate, install, enable, disable, configure, and remove so automation no longer has to talk directly to per-surface skill/workflow/package seams even though the workspace UI still needs to adopt that API and the current configure step is metadata-only until typed runtime config contracts land
extension studio is now manifest-aware for installed packages, with package manifests and package-backed workflow/skill sources loaded and saved through /api/extensions/{id}/source instead of always collapsing edits back into loose managed-file save paths
new authored skills/workflows now land in the managed workspace/extensions/workspace-capabilities/ package, while bundled catalog skill installs now land as manifest-backed extension packages under workspace/extensions/; old loose loaders remain read-only compatibility during the final cleanup window
the trusted-code-plugins RFC is now closed for the current architecture with an explicit negative decision: Seraph continues with typed extension packs, MCP, managed connectors, and bundled native tools, not a general arbitrary-code plugin runtime
the five-wave Hermes/OpenClaw capability import program is now complete on develop, including packaged reach parity, selective OpenClaw imports, operator-surface governance, benchmark refresh, and deterministic eval proof
workflow-autonomy-supervision-and-artifact-control-v1 now ships reusable checkpoint-backed workflow recovery, truthful unsupported-checkpoint fallback in the runs API, declared-type artifact handoff in the cockpit, and operator-visible branch-family supervision instead of generic retry-only copy
adapter-first-capability-contracts-v1 now ships provider-neutral source contracts, managed-connector inventory, explicit raw-MCP disclosure, and one reusable source-evidence review skill instead of forcing provider-specific reporting glue
adapter-backed-authenticated-source-operations-v1 now ships source-adapter inventory, normalized evidence bundles, executable public-web read contracts, explicit degraded managed-connector semantics, and one reusable collect_source_evidence tool/API path instead of leaving source routines to stitch raw surface metadata together
adapter-backed-authenticated-source-operations-v3 now ships reusable plan_source_review planning, bundled daily/progress/goal-alignment source-review starter packs and runbooks, explicit mixed-source review fallback truth, and backend CI sharding for the growing test surface
artifact-lineage-and-follow-on-control-v1 now ships verified artifact source-run provenance with explicit unresolved-state fallback, related family outputs, richer follow-on workflow rows, and artifact-specific planning shortcuts instead of leaving typed artifact chaining buried inside workflow-only inspector actions
artifact-lineage-and-long-running-control-v2 now ships artifact source-run open/continue plus source-failure and related-output comparison shortcuts across evidence, outputs, and inspector panes, while the backend CI surface now uses weighted shard assignment and ten backend shards to keep the growing test matrix stable
operator-control-plane-and-workflow-supervision-v1 now ships a dedicated operator-terminal workflow-supervision lane with history, lineage, and recovery summaries across recent runs, plus specialized test_tools_api.py CI sharding so the heaviest control-plane suite stops timing out as one monolithic backend bucket
ecosystem-and-marketplace-depth-v3 now ships marketplace-flow composition across starter packs, extension packs, and packaged runbooks, adds cockpit-side marketplace follow-through with activate/update/repair/draft actions, stops /api/tools from instantiating full specialists for metadata-only listings, and hardens tools-policy wrapper walks so mock/tool metadata inspection cannot explode into synthetic wrapper chains
local regression fixed while landing workflow-autonomy-and-artifact-control-v1:
GET /api/workflows/runs could return 409 for degraded later-step runs whose parent run did not persist reusable checkpoint state, because the list endpoint eagerly selected resume_from_step even when that checkpoint candidate was already marked unsupported
fixed by suppressing implicit resume-plan selection for unsupported checkpoints while keeping explicit resume-plan requests fail-closed with 409
review pass:
targeted review of checkpoint resume truthfulness, runs-API fallback behavior, cockpit artifact compatibility, and stale test assumptions found no remaining material issues after the list-endpoint fix and regression coverage updates
local regression fixed while landing adapter-first-capability-contracts-v1:
the first browser-session inventory note described every discovered provider as configured, which could overstate staged or disabled providers
fixed by describing them as known providers instead of configured providers
review pass:
direct diff review of source contract truthfulness, managed-connector readiness, raw-MCP disclosure, and skill guidance found no remaining material issues after the provider-note fix
Copernicus review was started for a second pass on bugs, regressions, and hallucinated assumptions, but it did not return findings before validation completed, so the PR validation should claim only the concrete local review result
local review finding fixed while landing adapter-backed-authenticated-source-operations-v1:
typed managed connectors could advertise work-item or repository contracts without any executable runtime path, which risked implying authenticated access that did not exist yet
fixed by adding explicit adapter-state and degraded-reason surfaces plus next-best fallback guidance instead of treating inventory metadata as execution truth
local review finding fixed while landing adapter-backed-authenticated-source-operations-v2:
the first authenticated adapter grading treated an unimplemented write route as if it invalidated the whole authenticated read adapter, which would have kept GitHub degraded even when every read contract was executable
fixed by grading managed-connector readiness against executable read coverage while still exposing unbound write routes as non-executable operations
local review finding fixed while landing adapter-backed-authenticated-source-operations-v3:
the first source-review planner over-warned whenever a preferred typed source could not satisfy every contract in a mixed-source routine, which would have made valid connector-first review plans look broken
fixed by treating the preferred source as a contract-scoped preference and falling back silently to the next ready typed adapter for the contracts it does not advertise
review pass:
targeted review of source-review planner truthfulness, bundled source-review routine loading, eval coverage, and backend CI timeout handling found no remaining material issues after the preferred-source warning fix and shard-script regression coverage
bundled capability-pack auto-install and stronger policy/dependency repair beyond the current install/recommendation, preflight/autorepair, policy-aware recovery, catalog-install, and bounded bootstrap flow
richer extension health/test surfaces, deeper marketplace curation, formal external-scale marketplace security proof, stronger package-security certification evidence, and production-grade connector hardening beyond the current lifecycle API, governance queue, diagnostics summaries, operator health triage, marketplace-flow composition, M9 governed-ecosystem proof, Batch CA lifecycle proof, Batch CG recorded-live attestation/operations proof, Batch CO/CX package-security and corpus proof, Batch DF bounded marketplace/package-security evidence receipts, and deterministic eval coverage
deeper step-level branch/resume/repair control and broader cross-surface workflow operating surfaces beyond the current cockpit timeline, workspace-level orchestration lane with compacted state capsules, typed artifact handoff, artifact source/family follow-through, step records, branch-family supervision, workflow-supervision rows, branch comparison, family-output reuse, output-comparison drafts, family-row checkpoint drill-in, family-row retry/repair controls, explicit output/checkpoint/lineage workflow history rows, checkpoint branch actions, replay guardrails, workflow runtimes, canvas outputs, and operator terminal
clearer extension ergonomics for third-party and user-authored capabilities beyond the current operator surface, repair actions, live logs, runbooks, preflight surfaces, diagnostics, extension studio, and skill-registry loop
better leverage of delegation without making the product harder to trust or reason about
every numbered item below is an internal PR-sized slice, even if multiple slices are later batched into one GitHub PR
each slice must end with a subagent review pass for bugs, missing tests, design drift, and hallucinated assumptions before it is marked complete
public docs, scaffolding scripts, validation tooling, and a canonical example pack are part of the architecture transition itself, not follow-up polish
built-in declarative capabilities must migrate onto the same packaged extension model as user-authored capabilities before this program is considered complete
trusted arbitrary-code plugins are not part of the implementation path unless the final RFC explicitly approves them
the roadmap preserves the completed transition program and strategic ownership; this workstream doc summarizes the same program by phase so the implementation record does not drift across docs
active extension work should be tracked through GitHub issues, PRs, and the GitHub Project instead of a doc-owned task tracker
the result of each mandatory subagent review pass must be rolled into the eventual GitHub PR Validation section before any slice is marked complete in the implementation docs
manifest-aware extension studio with package manifest plus package-backed workflow/skill source editing
unified workspace lifecycle UI for install, validate, health, enablement, configuration, and removal, including approval-aware lifecycle recovery through Pending approvals and the inspector
connector manifests and health hooks, including one normalized connector-health contract plus extension-native connector list/test endpoints
MCP packaging and install flow inside the extension platform, including package-owned MCP runtime metadata, extension-native connector enable/disable control, cockpit routing for packaged MCP test/toggle actions, raw /api/mcp mutation paths now blocked for extension-owned servers, and package-owned MCP definitions now read-only in Extension Studio until package-backed MCP source editing lands
managed connectors for curated high-trust integrations, including bundled managed connector packs plus config-aware enable/disable routed through the shared extension lifecycle instead of staying passive metadata
observer-source extensions, including lifecycle-backed enable/disable for observer_definitions, runtime selector overrides wired into observer refresh, and connector health that now distinguishes active, disabled, invalid, and overridden packaged observer sources
channel-adapter extensions, including lifecycle-backed enable/disable for channel_adapters, delivery transport selector overrides wired into proactive delivery, connector health that now distinguishes active, degraded, disabled, invalid, and overridden packaged channel transports, and an explicit boundary that the concrete websocket/native delivery implementations remain core-owned even though packaged adapters now drive selector state
legacy loader cleanup for primary authoring/install paths
trusted-code-plugins RFC concluded that privileged third-party code plugins stay out of scope for the current platform unless a future RFC reopens the decision under a much higher safety bar
public extension overview that explains typed contributions, trust tiers, and what stays core
step-by-step guide for creating a new capability pack
manifest reference with every supported field documented
contribution-type reference for skills, workflows, runbooks, starter packs, presets, connectors, and later observer/channel adapters
validation and doctor guide for package errors and repair flows
migration guide from loose skills/workflows/MCP configs to packaged extensions
local scaffold tool for generating a new extension package
local validation tool for checking a package before install
canonical example package in-repo that docs, tests, and contributors can all rely on; it should be schema-valid immediately and become runtime-backed once the packaging slices land