Skip to main content

20. Seraph Agent Parity And Exceedance Goals

Purpose

Set the high-level feature target for bringing Seraph to parity with Hermes, OpenClaw, and IronClaw, then exceeding them without abandoning Seraph's guardian-workspace vision.

This document is a strategic goal document, not a live queue. Active work still belongs in the GitHub Project, issues, and PRs.

Evidence And Review Posture

Snapshot date: June 11, 2026.

Internal source trail:

External sources checked for this refresh:

Source note:

  • X post 2063645563241844823 is retained only as an access-caveat receipt. X oEmbed showed a June 7, 2026 YanXbt post with only https://t.co/nmM5JJuuqI; that short URL resolved to X article 2063630561466265600, which returned X's unauthenticated "Nothing to see here" page during this review. A transient fxtwitter API payload was viewed on June 9, 2026, but that payload is not archived in this repository. This document does not use the X article as factual competitor evidence, does not lift any claim from it, and treats any benchmark claim from that article as unverified unless an independent benchmark artifact is provided.

Current Source Refresh

Primary-source refresh completed on June 11, 2026:

  • Hermes still presents a broad agent platform rather than a narrow chat agent: the current feature overview lists toolsets, skills, persistent memory, checkpoints, scheduled tasks, subagent delegation, code execution, voice, browser automation, multimodal image/vision support, MCP, provider routing, fallback providers, credential pools, memory providers, API server, IDE integration, and plugins.
  • Hermes' tools page still supports the parity pressure from broad built-in tools: web search/extract, terminal/process/file tools, browser text/vision, multimodal media tools, todo, clarify, execute_code, delegate_task, memory, session_search, cronjob, send_message, MCP tools, and container/SSH/cloud execution backends.
  • OpenClaw still presents the raw reach/control-plane benchmark: the current overview frames OpenClaw as an any-OS gateway across Discord, Google Chat, iMessage, Matrix, Microsoft Teams, Signal, Slack, Telegram, WhatsApp, Zalo, WebChat, and mobile nodes, with the Gateway as source of truth for sessions, routing, and channel connections.
  • OpenClaw's current Control UI docs show a real operator surface with pairing, browser-local identity, runtime config endpoint, chat/history behavior, PWA/web push, auth/device-identity constraints, content security policy, authenticated avatar/media routes, and debugging/testing flows.
  • OpenClaw's browser docs still support the browser-mode pressure: OpenClaw documents openclaw-managed profiles, remote CDP profiles, and existing-session attachment through Chrome DevTools MCP, with remote CDP token handling called out as a secret-bearing path.
  • OpenClaw's plugin docs still support ecosystem breadth pressure: plugins can extend channels, model providers, agent harnesses, tools, skills, speech, realtime transcription, voice, media understanding/generation, web fetch, web search, and other runtime capabilities.
  • IronClaw's current official site still supports treating IronClaw as the secure-capability-host pressure point: it advertises encrypted vaults, host-boundary credential injection only for approved endpoints, per-tool Wasm containers with capability-based permissions and strict resource limits, TEE deployment on NEAR AI Cloud, leak detection, Rust implementation, and network allowlisting.
  • IronClaw's current GitHub README and feature parity matrix still support treating IronClaw as a real runtime competitor, not only a security wrapper: the repository frames IronClaw as a secure personal AI assistant, and the parity matrix lists WebSocket control plane, Control UI endpoints, web dashboard with chat/memory/jobs/logs/extensions, channels, session management, HTTP API, diagnostics, TUI, webhooks, and WASM channels.

Refresh disposition:

  • The existing Hermes/OpenClaw/IronClaw pressure summaries remain valid.
  • No new public superiority or parity claim is introduced here.
  • Future public wording still needs a fresh source check because these systems are active and source-stable claims can age quickly.

Claim boundary:

  • This document may say Seraph has a scoped advantage where repo evidence supports it.
  • It must not say Seraph is broadly superior, best, secure, production-ready, or fully at parity.
  • Stronger claims must pass the claim rules in 19. Strategy Claim Ledger.

June 18, 2026 Feature-First Correction

The next parity goal is feature-first, not proof-first. The completed proof and claim-readiness trains are useful history, but they are not the remaining product work. Until the feature-parity train has shipped, new parity batches must improve concrete user/operator capability: screens, commands, APIs, workflows, controls, recovery paths, channels, memory behavior, security behavior, marketplace flows, or browser/computer-use behavior.

During this feature-first phase:

  • do not create proof-only successor batches while material parity capabilities remain unimplemented
  • do not pair every feature with a new minimal proof companion task
  • do not add new claim-lift gates, benchmark suites, proof-only operator endpoints, or expanded claim-ledger work as the main batch output
  • keep only the small local sanity checks needed to avoid shipping broken feature code
  • defer receipts, source refreshes, broad docs reconciliation, claim-ledger updates, and false-completion scans to one separate claim-readiness phase after the feature train is complete

Claim discipline still applies. This correction changes execution order, not truth standards: proof gates remain mandatory claim and safety controls, not the product strategy itself. Seraph still must not claim full parity, production readiness, superiority, safe autonomous browser/computer-use, secure/private-by-default execution, memory superiority, solved operator control, or reference-system exceedance until the final claim-readiness phase permits exact wording.

Post-PR 473 Reconciliation

Verified on June 9, 2026: PR #473 merged the aggregate agent-parity proof train into develop.

That merge changes the claim posture in four separate ways:

  • Strategy artifact completion: this document is complete as the strategic parity/exceedance target. It maps competitor pressure to feature areas, feature acceptance, issue anchors, and claim boundaries.
  • Proof-train completion: the current aggregate proof train is complete. It landed deterministic receipts for replay, cockpit efficiency, memory-provider quality, workflow endurance, one-channel reach, minimal durable workflow state, guardian arbitration, governed capability-pack hardening, and guardian-safe multimodal/voice proof.
  • Parity floors reached: Seraph has reached the named proof floors that train was scoped to prove. Those are evidence-backed floor claims, not broad product parity claims.
  • Remaining gaps: full parity and targeted exceedance are still not complete. Batch DP closed a post-DI-DO bounded release-gate audit, Batches DQ-DW narrow durable orchestration, secure-host, selected reach/channel, guardian learning/memory, operator debugging/recovery-control, marketplace lifecycle, and browser/computer-use reliability implementation gaps, Batch DX adds the post-DQ-DW claim-readiness release gate, Batch DY adds post-DX live durable orchestration parity-proof receipts, Batch DZ adds post-DX formal secure runtime isolation proof receipts, Batch EA adds post-DX reach/voice-media parity-proof receipts, Batch EB adds guardian learning/memory live controls, Batch EC adds live workflow controls, Batch ED adds marketplace lifecycle controls, Batch EE adds browser/computer-use live reliability and recovery controls, and Batch EF adds the bounded post-DX final parity and exceedance claim-lift gate. They still do not lift production-ready, fully-at-parity, solved-learning, memory-superiority, solved operator-control, best/world-class cockpit, safe browser automation, full browser parity, or exceedance claims. The real remaining gaps are product capabilities before proof: more durable operator-facing orchestration, stronger usable secure-host behavior, better selected reach and voice/media flows, more effective guardian learning and memory controls, denser cockpit recovery/debugging, safer marketplace lifecycle operation, and more reliable browser/computer-use workbench behavior. Stronger evidence and claim lifting come after those capabilities ship.

Allowed short wording after PR #473: "The strategy artifact and aggregate proof train are complete; named parity proof floors are reached; full production-grade parity/exceedance remains open."

Forbidden short wording after PR #473: "Seraph is fully at parity", "Seraph is production-ready", "Seraph has IronClaw-class secure execution", or "Seraph has solved durable workflows/reach/operator control."

Post-Batch DH Reconciliation

Batch DH is the final reconciliation and claim-boundary gate for the current DA-DG production-evidence train. It adds operator-visible receipts for manual current Hermes/OpenClaw/IronClaw source checks, DA-DG issue/PR/board reconciliation, seven-area production-readiness soak-readiness reconciliation, exact SCL-043 through SCL-050 claim-lift decisions, stale PR closure evidence, false-completion scans, and Critic/Contrarian dispositions.

This changes the proof posture, not the broad public claim posture:

  • Seraph can point to a bounded final production-parity reconciliation gate for the current train.
  • Seraph still cannot claim product-wide full parity, production readiness, broad superiority, secure/private-by-default execution, OpenClaw-class reach, IronClaw-class secure execution, solved operator control, solved learning, production-secure marketplace, safe autonomous browser/computer-use, full browser parity, or exceeded reference systems unless the claim ledger permits exact wording.
  • Future source-backed public comparisons still need fresh source checks because Hermes, OpenClaw, and IronClaw are active projects.

Seraph Vision Boundary

Seraph should not become a generic gateway, plugin farm, or terminal-only coding shell.

The enduring product shape is:

  • a workspace-first guardian that remembers, watches, and acts
  • capability-first, but governed by memory, trust, supervision, and restraint
  • proactive, but measured by intervention quality rather than notification volume
  • extensible, but with capability contracts, manifests, trust levels, lifecycle gates, and operator-visible receipts
  • broad enough to act across the user's work surfaces, but selective about reach so every new channel improves continuity or safety

Competitor Pressure Summary

Seraph has already completed a five-wave Hermes/OpenClaw capability import program through core runtime primitives, packaged reach surfaces, selective browser/channel/automation imports, operator-surface governance, and deterministic proof. PR #473 then landed the aggregate parity proof train for the current feature set.

The remaining question is no longer "did Seraph import those ideas at all?" or "does Seraph have proof anchors for the named parity floors?" The sharper question is whether those proof-backed surfaces are production-grade, broad enough, live enough, and guardian-integrated enough to stand beside the strongest reviewed public agent platforms. Today the honest answer is mixed: Seraph has deterministic parity-floor proof across the target areas, but full product parity and targeted exceedance remain open.

IronClaw is different. The repo treats IronClaw as a benchmark and security gauntlet, not as an imported package family. There is no equivalent seraph.ironclaw-* catalog family today, so IronClaw parity should be planned as a secure-capability-host program rather than a naming or packaging exercise.

Hermes

Hermes now pressures Seraph on broad operator runtime capability. Current Hermes docs describe toolsets, persistent memory, skills, checkpoints, cron jobs, subagent delegation, code execution, voice, browser automation, MCP, and provider routing.

Main pressure on Seraph:

  • match tool/runtime breadth
  • improve skill growth and install ergonomics
  • keep memory provider extensibility first-class
  • strengthen scheduled/background work and subagent workflows
  • improve dense CLI or command ergonomics without losing the cockpit

OpenClaw

OpenClaw pressures Seraph on channel and control-plane breadth. Current OpenClaw docs frame it as a self-hosted gateway across many chat apps, WebChat, mobile nodes, a web control UI, multi-agent routing, plugins, skills, automation, browser modes, and node/device surfaces.

Main pressure on Seraph:

  • match practical channel reach where it matters
  • deepen cockpit/control-plane density
  • improve plugin and package breadth without copying unsafe trust assumptions
  • expand browser, node, webhook, poll, pub/sub, and automation surfaces
  • improve multi-agent and workflow runtime ergonomics

IronClaw

IronClaw pressures Seraph on security posture. Current IronClaw materials emphasize TEE/CVM deployment on NEAR AI Cloud, encrypted vaults, per-tool Wasm isolation, endpoint allowlists, leak detection, Rust implementation, local deployment, and a real runtime surface.

Main pressure on Seraph:

  • narrow privileged execution seams
  • add stronger host/tool isolation
  • make secret handling architecturally enforced, not only policy-enforced
  • add endpoint allowlists and network egress receipts
  • prove trust boundaries with repeatable security-path benchmarks

Seraph's Scoped Differentiators Today

Guardian-shaped product intent

Seraph has a clearer guardian-specific product thesis than the reviewed competitor materials. The repo frames Seraph as a system that remembers, watches, and acts, with a power-user guardian workspace rather than a generic gateway or chat-only assistant shell.

This is a scoped differentiator, not a broad superiority claim. It only matters if guardian state changes real decisions.

Policy-time guardian memory and intervention scaffolding

Seraph's strongest current differentiator is not just memory storage. It is the connection between structured memory, world-model synthesis, observer signals, intervention policy, feedback, and restraint.

Seraph should preserve this as the differentiator while matching competitor breadth. The win condition is not "more memory"; it is memory that changes when Seraph acts, defers, bundles, asks approval, asks for clarification, or stays silent.

Benchmark and claim discipline

Seraph has unusually explicit internal claim discipline: benchmark docs, implementation mirrors, named proof surfaces, and a strategy claim ledger. This creates a strong foundation for honest progress, but it does not prove category superiority.

That foundation should become operator-visible product quality: every major action, failure, recovery, memory decision, and safety boundary needs a receipt the user can inspect.

Governed extension shape

Seraph's bundled Hermes/OpenClaw-inspired catalog extensions already show the right import style: capability packs, connector packs, permissions, execution boundaries, data access, mutation rights, audit events, and trust metadata.

The differentiator is not raw package count. It is an ecosystem shape where extension power is subordinate to Seraph's guardian and trust model.

Where Seraph Needs Improvement

Raw execution and tool breadth

Hermes still sets a high floor for built-in operator tools, toolsets, code execution, delegation, cron, browser automation, messaging delivery, and provider routing.

Seraph now has capability inventory, runtime primitives, packaged surfaces, and deterministic proof receipts, but it must keep broadening the live runtime surface. Every new tool must declare ownership, permissions, trust boundaries, audit behavior, and recovery states.

Channel reach and always-available operation

OpenClaw and Hermes are ahead on raw messaging/channel reach. Seraph now has a native-notification reach canary with pairing, revocation, retry, continuity, approval handoff, degraded-state UI, and audit receipts, but not yet broad daily-life availability across the user's real work and communication surfaces.

Seraph should not chase every channel equally. It should first make one or two reach channels excellent, safe, continuous, and guardian-aware.

IronClaw-class execution isolation

Seraph has trust foundations and deterministic secure-host choke-point proof, but IronClaw raises the bar for architectural enforcement: per-tool Wasm or container isolation, encrypted credential handling, endpoint allowlists, leak detection, and TEE/CVM-style deployment options.

This is the sharpest gap because Seraph's guardian value depends on being trusted with sensitive context and real actions.

Workflow endurance and operator control

Seraph ships meaningful workflow foundations, branch-family supervision, activity ledgers, checkpoints, recovery controls, a live endurance canary, and a minimal durable workflow state kernel. The gap is now production-grade endurance: long-running, multi-session, multi-agent, failure-repair work that remains easy to inspect and steer under real interruption, scheduler, concurrency, and crash conditions.

The next layer should make Seraph feel calmer under long work, not merely more powerful.

Ecosystem maturity and installation ergonomics

Seraph's extension governance is promising and now has local governed-ecosystem plus pack-hardening receipts, but Hermes and OpenClaw pressure it on discoverability, install flows, skills, plugin inventories, third-party package maturity, and practical package breadth.

Seraph needs a marketplace-quality local flow before it can credibly scale third-party capability.

Browser and computer-use reliability

Hermes and OpenClaw both document richer browser backends or browser-control modes than Seraph's current practical surface. Seraph now has replayable browser/desktop receipts, browser-provider packaging, and computer-use benchmark coverage, but still needs live remote/managed reliability, deeper website/task breadth, login/session partitioning proof, and failure recovery under real browser-state drift before computer-use claims become strong.

Voice, media, and multimodal operation

Hermes and OpenClaw now make voice, media, image, and browser-vision surfaces part of the reviewed platform pressure. Seraph now has guardian-safe voice/media governance proof and packaged multimodal review foundations, but still lacks live broad voice runtime, production STT/TTS, and full multimodal parity.

Goal Feature Set

The goal is to reach parity floors first, then exceed through guardian-specific integration.

Feature areaParity floorExceedance targetCurrent feature posture
Capability kernelToolsets, skills, workflows, MCP, browser, files, shell, cron, delegation, code execution, messaging, media, and provider routing are inventoried with clear enablement.Every capability is guardian-governed: memory-aware, trust-scoped, policy-routed, auditable, recoverable, and visible in the cockpit.Deterministic inventory and governance proof exists; live breadth and ecosystem maturity remain gated by M1/M2/M9 receipts.
Secure capability hostTools and connectors have stronger isolation, secret handling, endpoint allowlists, network egress controls, and replay/resume boundary checks.Seraph exceeds by combining isolation with guardian restraint, operator receipts, and automatic refusal or clarification when context is unsafe.Deterministic secure-host receipts exist; Batch BW adds production_secure_host_hardening, secure_capability_host_live_isolation_v2, and /api/operator/secure-capability-host-hardening receipts for privileged-path hardening; Batch CT adds container_grade_capability_isolation, external_security_validation_v1, secret_egress_certification_drill, and /api/operator/container-grade-secure-host validation receipts; Batch DB adds runtime_isolation_implementation_v1, credential_broker_egress_enforcement_v1, external_security_certification_v1, hostile_runtime_escape_gauntlet_v1, /api/operator/certified-secure-host, scoped secret refs, MCP private-network/DNS endpoint blocking, and bounded process network-marker denial receipts; Batch DJ adds production_grade_secure_capability_host_evidence_v1, secure_host_cross_surface_attack_chain_v1, credential_broker_egress_soak_v1, runtime_isolation_attestation_matrix_v1, secure_host_operator_recovery_authority_v1, secure_host_false_claim_scan_v1, and /api/operator/production-grade-secure-capability-host receipts for cross-surface hostile chains, credential egress, runtime-attestation matrices, operator recovery authority, false-claim scans, and blocked claims; Batch DR adds post_dp_secure_capability_host_gap_closure_v1, runtime_profile_selection_v2, deny_default_credential_egress_v2, hostile_capability_chain_quarantine_v2, secure_host_recovery_authority_v2, secure_host_false_claim_scan_v2, and /api/operator/post-dp-secure-capability-host receipts for explicit runtime profile selection, deny-by-default credential egress, scoped credential refs, hostile cross-surface quarantine, operator-owned recovery authority, safe redacted receipts, and aggregate benchmark-proof visibility, while IronClaw-class, production-security-solved, secure/private-by-default, formal security certification, and hardware-backed runtime-isolation wording remain blocked.
Guardian memoryCanonical memory plus additive provider adapters reach parity with external memory-provider ecosystems.Memory changes behavior: action choice, timing, channel, restraint, clarification, recovery, and follow-through improve from grounded recall.Deterministic M6 and provider-quality proofs exist; Batch CM adds dimension-scoped memory_provider_parity_matrix receipts, and Batch CV adds named_baseline_memory_comparison plus learning_safety_monitor_v2 longitudinal operation receipts, while full memory-provider parity and memory superiority remain blocked.
Intervention intelligenceProactive delivery uses salience, confidence, interruption cost, feedback, and user-model signals.Seraph exceeds by acting less but with higher intervention quality: timely, restrained, context-aware interventions that learn from outcomes.Deterministic act/defer/bundle/clarify/approval/stay-silent receipts exist; Batch CF adds recorded-live causal receipts, Batch CM adds independent cohort plus task-scoped causal receipts, and Batch CV adds longitudinal_guardian_outcome_study plus learning_safety_monitor_v2 receipts, while solved learning and generalized live-human-outcome superiority remain blocked.
Workflow enduranceLong-running workflows support steps, artifacts, checkpoints, branch/resume, repair, comparison, and background continuation.Seraph exceeds by making long work legible: anticipatory repair, backup branches, cross-session continuity, operator handoff, and guardian-aware follow-through.Endurance canary and minimal durable-state kernel exist; production long-running workflow-engine parity remains open.
Operator cockpitCockpit exposes capabilities, workflows, approvals, artifacts, activity, routing, spend, failures, recovery, and guardian state.Seraph exceeds through calm dense supervision: fastest path from "what happened?" to "what should I do next?"Scripted cockpit legibility and efficiency proof exists; Batch CH adds bounded recorded-live multi-operator usability receipts; Batch CN adds dense recovery-control receipts; Batch CW adds mission-control population/SLO receipts; Batch DE adds bounded certification receipts; Batch DM adds bounded production-certification receipts; Batch DU adds post_dp_operator_debugging_recovery_control_v1, dense_long_work_debugging_v2, operator_recovery_slo_v3, operator_effort_reduction_v2, authority_transfer_integrity_v2, operator_audit_accessibility_v2, operator_control_false_claim_scan_v2, and /api/operator/post-dp-operator-debugging-recovery-control receipts for root-cause/artifact/recovery visibility, required controls, stale-approval and broadened-scope fail-closed behavior, safe denial, authority-transfer integrity, keyboard/accessibility audit receipts, real claim-scan command evidence, and blocked claims. Best/world-class cockpit, formal certification, tamper-proof audit, approval-transfer solved, and solved-control claims remain blocked.
Selective reachAt least one non-browser channel and one native/browser computer-use lane are excellent, not merely configured.Reach is guardian-aware: continuity, approvals, memory, thread identity, and action safety survive channel shifts.Native-notification canary and browser/native continuity proof exist; Batch CL, Batch CU, Batch DC, and Batch DK add bounded broad-channel, mobile-continuity, provider/channel field-operation, selected-channel campaign, live/degraded operational-window, incident-response, voice/media quality-operation/runtime/candidate, redacted receipt, reach-SLO, cross-surface continuity, and degraded-recovery receipts; Batch DS adds bounded post-DP gap-closure receipts for the proven selected native_notification and websocket runtime surfaces, degraded recovery, guardian-aware timing/restraint continuity, voice/media privacy fallback, staged channel gaps, and false-claim scans; Batch EA adds bounded post-DX reach/voice-media parity-proof receipts for selected and candidate multi-channel reliability, quality/latency, abuse recovery, continuity, coverage gaps, and false-claim scans; OpenClaw-class reach, complete channel coverage, always-available operation, and voice/media parity remain open.
Browser/computer useLocal browser, remote CDP, managed browser, session replay, snapshot, vision, and failure recovery are available behind clear trust boundaries.Seraph exceeds by linking browser work to guardian state, workflow artifacts, approval scopes, and safe credential/session partitions.Replayable browser/desktop receipts and provider packaging exist; Batch CH adds bounded local/managed/remote provider attestation, session/credential/download/upload boundaries, and recovery drills; Batch CP adds bounded browser safety receipts; Batch CY adds bounded task breadth/auth partition/site-drift receipts; Batch DG adds bounded parity-evidence receipts; Batch DO adds bounded production-safety receipts; Batch DW adds bounded reliability receipts; Batch EE adds live browser/computer-use controls for owner-scoped sessions, explicit provider degradation, no-silent-fallback replay acknowledgement, partition reset, boundary-decision visibility, redacted provenance, and cockpit/operator quarantine, recover, reset, replay, and close actions, while blanket safe browser automation and full browser parity wording remain claim-ledger gated.
Ecosystem and marketplaceSkills, packs, connectors, runbooks, starter packs, and workflow runtimes have install/update/disable/diagnostic flows.Seraph exceeds with governed evolution: compatibility checks, trust tiers, review gates, canary rollout, rollback receipts, semantic-drift prevention, independent package-security receipts, hostile package drills, package-network incident receipts, publisher/vulnerability freshness evidence, registry-corpus receipts, continuous scanner monitoring, rollback/quarantine diagnostics, proof-bound certification-scope records, larger corpus-quality receipts, and Batch DN certification-track supply-chain/hostile-lifecycle/publisher-vulnerability operation receipts.Local governed-ecosystem, pack-hardening, lifecycle, recorded-live attestation, Batch CO bounded package-security/package-network proof, Batch CX bounded registry-corpus/continuous-monitoring/publisher-operation proof, Batch DF bounded marketplace/package-security evidence receipts, and Batch DN bounded marketplace production-security certification-track receipts exist; production-secure marketplace, solved third-party package security, formal package-security certification, full marketplace parity, package-count superiority, and ecosystem superiority remain blocked.
Multimodal and voiceVoice, TTS/STT, browser vision, image/media analysis, and media delivery exist as governed capability families.Seraph exceeds by using voice/media only where they improve guardian timing, accessibility, or situational awareness.Guardian-safe voice/media governance proof exists; Batch DK adds STT/TTS/voice-command/media-analysis/media-delivery production parity-candidate receipts with quality, latency, correction, deletion, privacy, consent, provider-regression, and fallback evidence; Batch EA adds bounded voice/media quality and latency v3 receipts with privacy, correction/deletion, fallback, and unsafe-action denial; voice/media parity, full multimodal runtime parity, and production STT/TTS solved claims remain open.

Execution Mapping

This document does not create a live queue. It maps the parity floors to existing milestone anchors, feature acceptance, and minimal honesty guardrails so future execution can move without another strategic translation pass.

Feature areaMilestone and issue scopeFeature acceptance / minimal guardrail
Capability kernelM1 capability contract #425, M2 execution surface #427, and M9 governed ecosystem #432.Capability inventory and cockpit capability panes must show source, owner, trust level, provenance, permissions, boundary, health, dependencies, actions, and receipts before a capability counts as parity-ready.
Secure capability hostM3 secure capability host #428, IronClaw-class security gauntlet #435, Batch BW secure-host hardening #477, Batch CT container-grade validation #524, Batch DB certified secure-host covered-path evidence #541, Batch DJ certification-track secure runtime isolation #558, and Batch DR post-DP secure capability-host gap closure #574.trust_boundary_and_safety_receipts, secure_capability_host, production_secure_host_hardening, secure_capability_host_live_isolation_v2, container_grade_capability_isolation, external_security_validation_v1, secret_egress_certification_drill, runtime_isolation_implementation_v1, credential_broker_egress_enforcement_v1, external_security_certification_v1, hostile_runtime_escape_gauntlet_v1, production_grade_secure_capability_host_evidence_v1, secure_host_cross_surface_attack_chain_v1, credential_broker_egress_soak_v1, runtime_isolation_attestation_matrix_v1, secure_host_operator_recovery_authority_v1, secure_host_false_claim_scan_v1, post_dp_secure_capability_host_gap_closure_v1, runtime_profile_selection_v2, deny_default_credential_egress_v2, hostile_capability_chain_quarantine_v2, secure_host_recovery_authority_v2, and secure_host_false_claim_scan_v2 suites plus /api/operator/secure-capability-host-hardening, /api/operator/container-grade-secure-host, /api/operator/certified-secure-host, /api/operator/production-grade-secure-capability-host, and /api/operator/post-dp-secure-capability-host must cover secret exfiltration, credential boundary leaks, SSRF/private IP access, shell injection, plugin permission creep, replay approval drift, prompt injection through external content, delegated/background execution privilege drift, runtime profile selection, deny-default egress, scoped credential refs, cross-surface hostile-chain quarantine, allow/deny/recover receipts, hardware-backed substitute boundaries, and operator-readable claim boundaries.
Guardian memoryM6 memory superiority and behavior-changing recall #433, memory-provider quality gate #441, Batch CM memory-provider parity matrix #507, and Batch CV longitudinal memory-provider outcome operations #526.guardian_memory_quality, provider-quality proofs, memory_provider_parity_matrix, named_baseline_memory_comparison, and learning_safety_monitor_v2 receipts must show long-horizon recall, contradiction handling, stale-memory override, source trust/privacy boundaries, provider usefulness, suppression of noisy provider evidence, canonical/advisory provider comparison, named baseline source/version/limitations as pressure-only evidence, privacy-regression quarantine, delete/export propagation, reinstatement review, safe redacted receipts, and receipts showing memory changed behavior without allowing full provider-parity or memory-superiority claims.
Intervention intelligenceM8 guardian brain #431, guardian intervention benchmark #437, Batch CM independent outcome/causal proof #507, and Batch CV longitudinal outcome operations #526.M8 intervention-quality scenarios plus independent_outcome_cohort_review, task_scoped_causal_learning, longitudinal_guardian_outcome_study, and learning_safety_monitor_v2 receipts must prove act, defer, bundle, clarify, approval, and stay-silent choices across ambiguous evidence, stale memory, conflicting commitments, interruption cost, channel choice, risky capability use, no-action cases, independent evaluator metadata, sample and power rationale, consent/withdrawal/anonymization, adverse-event review, bounded outcome claims, task-scoped causal attribution, longer-horizon windows, safety-monitor blocks, confounder boundaries, rollback authority, and safe redacted receipts.
Workflow enduranceM5 jobs/routines/workflows/delegation #429 plus live workflow endurance canary #440.workflow_endurance_and_repair and live_workflow_endurance_canary proof must cover multi-session work, delegated ownership, checkpoint/branch, failure injection, recovery, artifact comparison, approval preservation, trust-boundary drift blocking, and a final audit trail visible from the cockpit.
Operator cockpitM7 cockpit legibility #430, cockpit operator efficiency benchmark #439, Batch CN dense operator recovery #508, Batch CW dense operator mission control #527, Batch DE operator-control certification #544, Batch DM operator-control production certification #562, and Batch DU post-DP operator debugging/recovery-control gap closure #577.M7/CN/CW/DE/DM/DU cockpit proof must measure inspect, approve, deny, pause, resume, retry, repair, branch, compare, revoke, quarantine, rollback, audit, search, replay, runbook, handoff, timeline search, log/diff replay, root-cause/artifact/recovery drill-down, stale-approval and broadened-scope fail-closed behavior, safe denial, authority-transfer integrity, time/SLO budgets, click/keystroke/latency/recovery/effort telemetry, keyboard paths, error detectability, accessibility receipts, population-study receipts, named baseline limitations, redacted receipt handles, real claim-scan command evidence, and operator-visible claim boundaries.
Selective reachM4 channels/presence/device pairing #426, one excellent reach channel canary #438, Batch CL production reach/voice/mobile #493, Batch CU broad reach field operations #525, Batch DC selected-channel reach/media campaign #542, Batch DK reach/voice production operations #557, Batch DS post-DP reach/channel gap closure #575, and Batch EA post-DX reach/voice-media parity proof #592.always_available_reach_live_ops_v1, voice_media_production_parity_candidate_v1, channel_incident_response_v1, cross_surface_reach_continuity_v2, reach_media_false_claim_scan_v1, post_dp_reach_channel_gap_closure_v1, selected_reach_surface_readiness_v2, channel_degraded_recovery_v2, guardian_reach_continuity_v2, voice_media_privacy_fallback_v2, reach_channel_false_claim_scan_v2, post_dx_reach_voice_media_parity_proof_v1, multi_channel_reach_reliability_v3, voice_media_quality_latency_v3, reach_abuse_recovery_v3, cross_surface_reach_continuity_v3, and reach_voice_media_false_claim_scan_v3 plus /api/operator/reach-voice-production-ops, /api/operator/post-dp-reach-channel-gap-closure, and /api/operator/post-dx-reach-voice-media-parity-proof must show pairing, revocation, provider identity, health, retry, thread continuity, memory/context continuity, audit receipts, approval handoff, degraded-state UI, live/degraded selected-channel windows, selected and candidate runtime readiness, staged channel gaps, false/missed delivery metrics, provider outage/fallback, operator repair actions, guardian timing/restraint continuity, cross-surface continuity, redacted receipt handles, and explicit coverage gaps without allowing OpenClaw-class reach, complete coverage, always-available operation, or voice/media parity claims.
Browser/computer useM2 execution #427, M3 trust boundaries #428, M4 selective reach #426, Batch BY reach/browser/voice hardening #479, Batch CH browser provider/usability proof #496, Batch CP browser/computer-use safety boundary #511, Batch CY browser/computer-use parity depth #529, Batch DG browser/computer-use parity evidence #546, Batch DO browser/computer-use production safety #561, Batch DW browser/computer-use reliability gap closure #579, and Batch EE browser/computer-use live controls #595.computer_use_browser_desktop, browser_computer_use_reliability_v2, managed_browser_provider_attestation, live_multi_operator_usability_study, browser_computer_use_recovery_drill, live_browser_task_depth, browser_session_partitioning_security, browser_task_breadth_matrix, browser_auth_partition_operations, site_drift_recovery_slo, safe_autonomous_browser_runtime_v1, full_browser_parity_matrix_v1, real_site_drift_recovery_v2, browser_session_partition_certification_v1, browser_computer_use_production_safety_v1, safe_browser_automation_live_ops_v1, credentialed_site_recovery_v1, browser_provider_parity_candidate_v1, browser_session_partition_attestation_v2, browser_false_claim_scan_v1, post_dp_browser_computer_use_reliability_v1, browser_live_provider_reliability_v2, browser_session_boundary_enforcement_v3, browser_credentialed_recovery_v2, browser_site_drift_recovery_v3, browser_hostile_page_safety_v2, browser_provider_degradation_v2, browser_computer_use_false_claim_scan_v2, and Batch EE live-control contracts plus /api/operator/browser-computer-use-control must show replayable browser receipts, provider identity/evidence mode, provider execution caveats, blocked existing-session attachment, login/session partitioning, cookie and credential boundary behavior, download/upload/filesystem/clipboard/network/private-data boundaries, hostile-browser negative cases, dangerous-action blocking, safe-target task breadth, credentialed recovery, provider degradation, partition attestation, artifact provenance, owner-scoped session controls, no-silent-fallback replay acknowledgement, quarantine/recover/reset/replay/close actions, redacted safe receipts, and operator-visible blocked claims.
Ecosystem and marketplaceM9 governed ecosystem #432, with capability kernel dependencies on M1 #425, Batch CA lifecycle maturity #481, Batch CG recorded-live marketplace attestation #495, Batch CO marketplace security #510, Batch CX marketplace corpus operations #528, Batch DF marketplace/package-security evidence #545, and Batch DN marketplace security certification-track operations #564.m9_governed_ecosystem, marketplace_grade_capability_lifecycle, governed_capability_lifecycle_v2, capability_rollback_failure_diagnostics, third_party_marketplace_attestation, marketplace_operations_incident_drill, publisher_review_and_package_trust, independent_package_security_review, hostile_ecosystem_package_drills, marketplace_security_corpus_v1, continuous_vulnerability_monitoring, publisher_trust_operations, production_secure_marketplace_v1, third_party_package_security_certification_v1, marketplace_live_corpus_operations_v2, hostile_package_lifecycle_gauntlet_v1, marketplace_security_certification_track_v1, production_secure_marketplace_live_ops_v2, ecosystem_supply_chain_operations_v1, hostile_package_lifecycle_gauntlet_v2, publisher_trust_vulnerability_ops_v1, and marketplace_false_claim_scan_v1 proof plus /api/operator/marketplace-production-security must show manifest governance, lifecycle review gates, managed-connector degradation truth, marketplace composition, diagnostics/update triage, compatibility checks, rollback posture, provenance/signature/SBOM/dependency evidence, external review/certification-scope records, larger corpus quality, hostile package lifecycle denial, redacted safe receipts, false-claim scan receipts, and operator claim boundaries.
Multimodal and voiceM4 reach #426, M8 guardian brain #431, M9 governed packs #432, dedicated guardian-safe multimodal/voice proof #467, Batch DK reach/voice production operations #557, and Batch EA post-DX reach/voice-media parity proof #592.Multimodal/voice proof must show transcript/audit capture, privacy and channel boundaries, speech/media package governance, user correction or revocation, quality/latency gates, provider-regression fallback, deletion paths, and a demonstrated guardian-value reason for voice/media use rather than raw feature presence; Batch DK and Batch EA keep voice/media parity and production STT/TTS solved claims blocked.

IronClaw Secure-Capability-Host Plan

IronClaw parity is a secure-capability-host program. It should not become an ironclaw-* branding/import wave unless Seraph later needs a compatibility adapter.

Parity floor

Seraph reaches the IronClaw pressure floor when M3 plus the IronClaw-class gauntlet prove:

  • per-capability isolation strategy for shell, browser, connector, workflow, delegation, background process, filesystem, provider fallback, and extension paths
  • secret references that resolve only at declared injection-safe host boundaries
  • endpoint allowlists or equivalent egress controls for secret-bearing connectors and browser/tool sessions
  • network-egress receipts that explain where data could leave the host
  • prompt-injection and hostile-content checks before external content can steer privileged actions
  • replay/resume approval drift blocking when the capability boundary changes
  • extension permission creep detection and lifecycle gating
  • operator-visible receipts for what ran, where, with what data, why it was allowed, and how it failed closed

Batch BW narrows this gap with the production_secure_host_hardening and secure_capability_host_live_isolation_v2 proof gates plus /api/operator/secure-capability-host-hardening. It does not prove full host/container isolation, TEE/Wasm/CVM isolation, secure/private-by-default posture, production-ready execution, or IronClaw-class secure execution.

Exceedance target

Seraph exceeds the IronClaw pressure by combining host-level containment with guardian judgment:

  • the guardian state can lower action posture, request clarification, or require approval when memory, observer confidence, source provenance, or user-model evidence makes a capability unsafe
  • the cockpit explains both the mechanical boundary and the guardian reason for restraint
  • recovery actions preserve memory, workflow, approval, and audit context instead of forcing the operator to reconstruct state
  • secure execution is benchmarked as a user-facing trust surface, not only an internal runtime property

Proof gates

The secure-capability-host program is complete for this strategy document only when:

  • #428 owns the milestone-level trust-boundary contract
  • #435 owns the IronClaw-class gauntlet cases
  • the named M3 suite emits cockpit-readable safety receipts
  • the claim ledger still blocks secure, private, production-ready, or IronClaw-class secure execution wording unless those exact paths pass
  • any future TEE/Wasm/container work is treated as implementation means, not a substitute for permission, egress, replay, prompt-injection, and operator-receipt proof

Strategic Delivery Order

  1. Normalize the capability kernel and proof ledger.
  2. Close secure capability-host gaps before expanding high-risk reach.
  3. Make one reach channel and one browser/computer-use lane excellent.
  4. Deepen workflow endurance and repair for real multi-session work.
  5. Deepen guardian memory and intervention quality over the broadened substrate.
  6. Mature ecosystem installation, diagnostics, review, and rollback.
  7. Add voice/media only after trust, receipts, and channel continuity are solid.

Non-goals

Seraph should not:

  • copy OpenClaw's gateway-first identity
  • copy unrestricted in-process plugin execution as the default extension model
  • optimize for raw channel count over guardian continuity
  • claim IronClaw-class security until isolation and secret-boundary proofs exist
  • claim memory superiority from storage volume or provider count alone
  • claim workflow superiority before endurance and repair are proven
  • turn docs into a live queue or PR tracker

Acceptance Standard

This goal document is complete as a strategy artifact when:

  • each parity floor maps to an implementation milestone, issue scope, and named proof path
  • each exceedance target preserves the guardian-workspace vision
  • competitor claims have a current primary-source refresh date and source trail
  • IronClaw parity is defined as a secure-capability-host program rather than an imported package family
  • the claim ledger permits any stronger language before it is used
  • the cockpit remains the receipt target for inspecting what Seraph did, why, with what authority, and how to recover

Post-PR #473 and post-EF status: this strategy artifact is complete, and the aggregate proof/claim-readiness trains are historical support, not the next main work. The active execution layer under parent issue #475 must now prioritize a post-EF feature-parity train. The remaining work is to ship user-facing capability first; only after that train lands should Seraph run a separate claim-readiness pass for receipts, source refresh, docs reconciliation, tests, board reconciliation, and exact claim-ledger wording. The prior receipt trains are not proof that broad product parity or superiority has shipped.

Batch CO names the marketplace security receipts as independent_package_security_review, hostile_ecosystem_package_drills, package_network_incident_operations, publisher_trust_vulnerability_handling, and marketplace_rollback_quarantine_diagnostics plus /api/operator/production-marketplace-security; Batch CX extends that with marketplace_security_corpus_v1, continuous_vulnerability_monitoring, and publisher_trust_operations plus /api/operator/marketplace-security-corpus; Batch DF extends it again with production_secure_marketplace_v1, third_party_package_security_certification_v1, marketplace_live_corpus_operations_v2, and hostile_package_lifecycle_gauntlet_v1 plus /api/operator/production-secure-marketplace; Batch DN extends it again with marketplace_security_certification_track_v1, production_secure_marketplace_live_ops_v2, ecosystem_supply_chain_operations_v1, hostile_package_lifecycle_gauntlet_v2, publisher_trust_vulnerability_ops_v1, and marketplace_false_claim_scan_v1 plus /api/operator/marketplace-production-security. These rows still block production-secure marketplace, solved third-party package-security, formal package-security certification, ecosystem superiority, package-count superiority, full marketplace parity, production readiness, full parity, and exceeded-reference-system claims.

Batch DO names the browser/computer-use production-safety receipts as browser_computer_use_production_safety_v1, safe_browser_automation_live_ops_v1, credentialed_site_recovery_v1, browser_provider_parity_candidate_v1, browser_session_partition_attestation_v2, and browser_false_claim_scan_v1 plus /api/operator/browser-computer-use-production. Batch DW extends that with post_dp_browser_computer_use_reliability_v1, browser_live_provider_reliability_v2, browser_session_boundary_enforcement_v3, browser_credentialed_recovery_v2, browser_site_drift_recovery_v3, browser_hostile_page_safety_v2, browser_provider_degradation_v2, and browser_computer_use_false_claim_scan_v2 plus /api/operator/post-dp-browser-computer-use-reliability. Batch EE moves the same browser/computer-use residual into live controls through owner-scoped browser sessions, explicit provider degradation, no-silent-fallback replay acknowledgement, partition reset, quarantine/recover/reset/replay/close actions, redacted provenance, and cockpit inspection via /api/operator/browser-computer-use-control. Together they narrow the browser/computer-use residual through provider identity/support-state receipts, production boundary matrices, hostile-page fail-closed cases, dangerous-action policy, recorded-live safe-target operations, credentialed test-account recovery, provider degradation, existing-session blocks, partition attestation, non-duplication deltas, artifact provenance, redacted safe receipts, false-claim scans, and live recovery controls. They still block safe browser automation, safe autonomous computer use, OpenClaw-class browser reach, full browser parity, arbitrary credentialed browsing safety, production readiness, full parity, and exceeded-reference-system claims.

Batch CY names the browser/computer-use depth receipts as browser_task_breadth_matrix, browser_auth_partition_operations, and site_drift_recovery_slo plus /api/operator/browser-computer-use-parity-depth, backed by safe-target task breadth, provider identity, reliability windows, auth/session partition operations, profile/cookie/credential/download/upload/filesystem/network boundaries, dangerous-action blocking, site-drift recovery SLOs, prior CP safety-boundary linkage, aggregate benchmark-proof visibility, and blocked claims. Batch DG extends this with safe_autonomous_browser_runtime_v1, full_browser_parity_matrix_v1, real_site_drift_recovery_v2, and browser_session_partition_certification_v1 plus /api/operator/full-browser-parity, backed by provider execution caveats, blocked existing-session attachment, profile/cookie/credential/download/upload/filesystem/clipboard/network/private-data boundary matrices, deterministic safe-target drift fixture recovery v2, hostile-browser negative cases, certification-scope partition records, redacted safe receipts, aggregate benchmark-proof visibility, and blocked claims. Batch CZ names the post-CQ audit receipts as post_cq_claim_ledger_reconciliation, reference_system_source_refresh_v2, and false_completion_scan_v2 plus /api/operator/post-cq-claim-readiness, backed by static 2026-06-11 Hermes/OpenClaw/IronClaw source receipts with external Critic/Contrarian reachability review, CR-CY issue/PR/operator snapshot reconciliation with live GitHub Project verification required in the PR workflow, SCL-034 through SCL-041 claim-ledger receipts, clean local false-completion scans, an external GitHub PR/issue false-completion scan gate, and accepted Critic/Contrarian fixes.

Batch DA names the production workflow-guarantees receipts as production_workflow_state_machine_v1, crash_proof_orchestration_fault_campaign, and external_side_effect_reconciliation_v3 plus /api/operator/production-workflow-guarantees; it narrows the orchestration residual while still blocking unconditional exactly-once scheduling, crash-proof orchestration, solved durable workflows, full distributed-workflow parity, production readiness, full parity, and exceeded-reference-system wording. Batch DB names the certified secure-host covered-path receipts as runtime_isolation_implementation_v1, credential_broker_egress_enforcement_v1, external_security_certification_v1, and hostile_runtime_escape_gauntlet_v1 plus /api/operator/certified-secure-host; it narrows the secure-host residual while still blocking secure/private-by-default execution, production security solved, IronClaw-class secure execution, formal security certification, hardware-backed runtime isolation, production readiness, full parity, and exceeded-reference-system wording.

Batch DC names the reach/media campaign receipts as always_available_reach_operations_v1, voice_media_parity_runtime_v1, mobile_cross_surface_continuity_v1, and reach_degraded_recovery_field_campaign plus /api/operator/always-available-reach-media; it narrows the reach/media residual while still blocking OpenClaw-class reach, complete channel coverage, always-available operation, voice/media parity, production readiness, full parity, and exceeded-reference-system wording. Batch DD names the generalized guardian-outcome and memory-provider receipts as generalized_guardian_outcome_study_v1, full_memory_provider_parity_matrix_v1, causal_learning_outcome_thresholds_v1, and memory_baseline_comparison_v1 plus /api/operator/generalized-guardian-outcomes; it narrows the guardian/memory residual while still blocking guardian intelligence superiority, solved learning, live-human-outcome superiority, memory superiority, full memory-provider parity, named baseline wins, production readiness, full parity, and exceeded-reference-system wording.

Batch DS names the post-DP reach/channel gap-closure receipts as post_dp_reach_channel_gap_closure_v1, selected_reach_surface_readiness_v2, channel_degraded_recovery_v2, guardian_reach_continuity_v2, voice_media_privacy_fallback_v2, and reach_channel_false_claim_scan_v2 plus /api/operator/post-dp-reach-channel-gap-closure. It narrows the reach residual by proving the selected native_notification and websocket runtime surfaces with consent, pairing, revocation, provider health, degraded recovery, operator repair, guardian-aware timing/restraint continuity, thread/memory/approval continuity, voice/media privacy fallback, staged mobile/messaging/voice channel gaps, safe redacted receipt handles, aggregate benchmark-proof visibility, and false-claim scans. It still blocks OpenClaw-class reach, complete channel coverage, always-available operation, voice/media parity, production readiness, full parity, and exceeded-reference-system claims.

Batch DY names the post-DX live durable orchestration parity-proof receipts as post_dx_live_durable_orchestration_v1, recorded_live_orchestration_window_v1, crash_restart_failover_drill_v3, multi_agent_handoff_durability_v2, side_effect_reconciliation_v6, operator_recovery_control_v4, and orchestration_false_claim_scan_v3 plus /api/operator/post-dx-live-durable-orchestration. It narrows the orchestration residual beyond DQ/DX by making recorded-live and accelerated windows, scheduler/provider jitter, failover drills, replay authority, handoff durability, idempotency and duplicate suppression, side-effect reconciliation, operator recovery controls, residual-risk markers, aggregate benchmark-proof visibility, and false-claim scans operator-visible. It still blocks unconditional exactly-once scheduling, crash-proof orchestration, solved durable workflows, LangGraph-class workflow parity, production readiness, full parity, and exceeded-reference-system claims.

Batch DZ names the post-DX formal secure runtime isolation proof receipts as post_dx_formal_secure_runtime_isolation_v1, runtime_isolation_attestation_evidence_v2, credential_broker_egress_enforcement_v3, hostile_chain_containment_v4, external_security_review_certification_track_v2, secure_runtime_recovery_authority_v3, and secure_runtime_false_claim_scan_v3 plus /api/operator/post-dx-formal-secure-runtime-isolation. It narrows the secure-runtime residual beyond DB/DJ/DR by making runtime-boundary attestations, credential-broker egress enforcement, hostile-chain containment, external review/certification-track records, operator recovery authority, unsupported-boundary markers, aggregate benchmark-proof visibility, and false-claim scans operator-visible. It still blocks secure/private-by-default, production-security-solved, IronClaw-class secure execution, hardware-backed isolation, TEE/CVM/Wasm/container runtime-isolation, formal security certification, certified-isolation, safe autonomous computer use, production readiness, full parity, and exceeded-reference-system claims.

Batch EA names the post-DX reach and voice/media parity-proof receipts as post_dx_reach_voice_media_parity_proof_v1, multi_channel_reach_reliability_v3, voice_media_quality_latency_v3, reach_abuse_recovery_v3, cross_surface_reach_continuity_v3, and reach_voice_media_false_claim_scan_v3 plus /api/operator/post-dx-reach-voice-media-parity-proof. It narrows the reach/voice-media residual beyond DK/DS by making selected and candidate multi-channel reliability, provider identity, consent, pairing, revocation, false/missed delivery metrics, rate limits, abuse handling, degraded/offline recovery, voice/media quality and latency gates, correction/deletion/privacy controls, provider-regression fallback, cross-surface continuity, coverage-gap, aggregate benchmark-proof visibility, and false-claim scan receipts operator-visible. It still blocks OpenClaw-class reach, complete channel coverage, always-available operation, voice/media parity, multimodal parity, production mobile execution solved, production readiness, full parity, and exceeded-reference-system claims.

Batch DT names the post-DP guardian learning and memory gap-closure receipts as post_dp_guardian_learning_memory_gap_closure_v1, long_horizon_learning_quality_v2, memory_behavior_ablation_v2, memory_provider_operation_v2, learning_safety_regression_v2, and guardian_memory_false_claim_scan_v2 plus /api/operator/post-dp-guardian-learning-memory-gap-closure. It narrows the guardian/memory residual by proving consented long-horizon cohorts, withdrawal/anonymization/adverse review, memory-enabled versus memory-limited decision ablations, reversible learning deltas, stale-evidence decay, rollback authority, provider quarantine/reinstatement, delete/export propagation, learning-safety negative cases, safe redacted receipt handles, aggregate benchmark-proof visibility, and real false-claim scan command evidence. It still blocks guardian intelligence superiority, solved learning, live-human-outcome superiority, generalized outcome superiority, memory superiority, full memory-provider parity, production readiness, full parity, and exceeded-reference-system claims.

Batch DE names the operator-control certification receipts as operator_control_certification_v1, mission_control_population_study_v2, long_work_recovery_slo_v2, and operator_error_detectability_v1 plus /api/operator/operator-control-certification; Batch DM extends that with production-certification receipts; Batch DU extends it again with post_dp_operator_debugging_recovery_control_v1, dense_long_work_debugging_v2, operator_recovery_slo_v3, operator_effort_reduction_v2, authority_transfer_integrity_v2, operator_audit_accessibility_v2, and operator_control_false_claim_scan_v2 plus /api/operator/post-dp-operator-debugging-recovery-control. These narrow the cockpit/control residual while still blocking formal certification, best/world-class cockpit, solved operator control, approval-transfer solved, tamper-proof audit, production readiness, full parity, and exceeded-reference-system wording. Batch CQ is closed by merged PR #521 and completes the final source-backed claim-lift reconciliation for bounded proof-train wording only; Batch CZ permits only the exact SCL-041 bounded claim-readiness wording, Batch DA permits only the exact SCL-043 bounded workflow-guarantees wording, Batch DB permits only the exact SCL-044 bounded certified secure-host covered-path wording, Batch DC permits only the exact SCL-045 bounded reach/media campaign wording, Batch DD permits only the exact SCL-046 bounded generalized outcome/provider-matrix wording, Batch DE permits only the exact SCL-047 bounded operator-control certification wording, Batch DF permits only the exact SCL-048 bounded marketplace/package-security wording, Batch DG permits only the exact SCL-049 bounded browser/computer-use parity evidence wording, Batch DH permits only the exact SCL-050 bounded final-reconciliation wording, Batch DM permits only the exact SCL-055 bounded operator-control production-certification wording, Batch DN permits only the exact SCL-056 bounded marketplace production-security certification-track wording, Batch DO permits only the exact SCL-057 bounded browser/computer-use production-safety wording, Batch DP permits only the exact SCL-058 bounded post-DI-DO release-gate audit wording, Batch DQ permits only the exact SCL-059 bounded post-DP durable-orchestration wording, Batch DR permits only the exact SCL-060 bounded post-DP secure-host gap-closure wording, Batch DS permits only the exact SCL-061 bounded post-DP reach/channel wording, Batch DT permits only the exact SCL-062 bounded post-DP guardian learning/memory gap-closure wording, Batch DU permits only the exact SCL-063 bounded post-DP operator debugging/recovery-control wording, Batch DV permits only the exact SCL-064 bounded post-DP marketplace lifecycle wording, Batch DW permits only the exact SCL-065 bounded post-DP browser/computer-use reliability wording, Batch DX permits only the exact SCL-066 bounded post-DQ-DW claim-readiness release-gate wording, Batch DY permits only the exact SCL-067 bounded post-DX live durable orchestration parity-proof wording, Batch DZ permits only the exact SCL-068 bounded post-DX formal secure runtime isolation proof wording, Batch EA permits only the exact SCL-069 bounded post-DX reach and voice/media parity-proof wording, Batch EE permits only the exact SCL-070 bounded browser/computer-use live-control wording, Batch EB permits only the exact SCL-071 bounded guardian learning/memory live-control wording, and Batch EF permits only the exact SCL-072 bounded post-DX final-gate wording.

The remaining product ambition still includes production-secure marketplace and solved third-party package-security claims beyond Batch DN bounded marketplace production-security certification-track receipts, unconditional exactly-once/crash-proof workflow guarantees beyond Batch DA/DI/DQ/DY bounded receipts, blanket safe browser automation and full browser parity wording beyond Batch DO/DW/EE bounded browser/computer-use production-safety, reliability, and live-control work, generalized live-human-outcome superiority and memory superiority beyond Batch DL/DT bounded guardian-memory receipts, best/world-class cockpit and solved operator-control claims beyond Batch DM/DU bounded operator-control receipts, full always-available reach and voice/media parity beyond Batch DK/DS/EA bounded reach/channel receipts, formal hardware-backed runtime isolation and formal security certification beyond Batch DB/DJ/DR/DZ bounded covered-path and review-track receipts, full parity, production readiness, and production superiority evidence.

Production-Grade Execution Roadmap

The GitHub Project tracks the production-grade parity train through parent issue #475, completed huge batch issues #476-#482, completed follow-on issues #491-#497, completed full-completion residual-gap issues #505-#512, post-CQ production-evidence issues #522-#530, post-DA parity-completion issues #540-#547, completed DI-DP bounded evidence and DP release-gate issues #557-#564, completed post-DP implementation gap-closure issues #573-#580, and post-DX stronger-proof issues #590-#597. Batch DP recorded the bounded release-gate audit; DQ-DW narrow durable orchestration, secure-host, selected reach/channel, guardian learning/memory, operator debugging/recovery-control, marketplace lifecycle, and browser/computer-use reliability gaps; DX records the final post-DQ-DW claim-readiness release gate; DY adds live durable-orchestration parity-proof receipts; DZ adds formal secure runtime isolation proof receipts; EA adds reach/voice-media parity-proof receipts; EB adds guardian learning/memory live controls; EC adds live workflow controls; ED adds marketplace lifecycle controls; EE adds browser/computer-use live reliability and recovery controls; and EF adds the bounded post-DX final parity and exceedance claim-lift gate. That board-backed roadmap remains evidence and execution tracking, not proof that production parity, production readiness, safe browser automation, full browser parity, or reference-system exceedance has shipped.

The batch order is:

  1. readiness, claim gates, and integration proof harness
  2. secure-host architectural isolation and privileged-path hardening
  3. production durable orchestration and multi-agent workflow control
  4. broad live reach, browser reliability, and voice/media runtime hardening
  5. live guardian learning, intervention quality, and memory-provider outcome proof
  6. marketplace-grade capability lifecycle, review, rollback, and ecosystem maturity
  7. production operator cockpit control and end-to-end parity verification
  8. follow-on recorded-live orchestration, isolation, reach/media, human-outcome, marketplace, browser-provider/usability, and final source-backed parity audit proof
  9. full-completion residual-gap closure: orchestration SLA/effectively-once recovery, independent security/isolation review, broad reach plus production voice/media/mobile execution, independent guardian-learning outcome proof, dense operator debugging/recovery control, bounded production marketplace-security/package-network receipts, bounded browser/computer-use safety receipts, and final claim-lift audit
  10. post-CQ production-evidence train: shipped-truth reconciliation, continuous orchestration SLOs, container-grade secure-host validation, broad reach and voice/media field operations, longitudinal learning/memory operations, dense operator mission control, marketplace registry/corpus operations, managed browser/computer-use reliability, final post-evidence claim audit, and bounded production workflow-guarantees receipts

Batch CI adds the final source-backed parity readiness audit surface through final_source_backed_parity_audit, final_claim_ledger_reconciliation, operator_final_parity_readiness_report, and /api/operator/final-parity-readiness-report. It reconciles current Hermes/OpenClaw/IronClaw source receipts, production-train PR and Project evidence, claim-ledger boundaries, residual gaps, and Critic/Contrarian dispositions. It does not permit full parity, production-ready, superiority, OpenClaw-class reach, IronClaw-class secure execution, safe browser automation, full browser parity, production-secure marketplace, or solved guardian-intelligence wording.

Batch CJ narrows the orchestration residual through production_sla_orchestration, exactly_once_recovery_evidence, duplicate_side_effect_audit, and /api/operator/production-sla-orchestration. It exposes provider windows, jitter budgets, replay windows, failure-injection methods, idempotency scopes, side-effect boundaries, duplicate suppression, reconciliation, operator recovery controls, final-audit linkage, and blocked claims. Batch CS continues that path through continuous_orchestration_slo_monitor, crash_failover_soak_v1, side_effect_reconciliation_v2, and /api/operator/continuous-orchestration-slo, adding deterministic runtime observation state, rolling monitor windows, scheduler/provider health, retry and jitter budgets, crash/failover events, replay authority, idempotency keys, duplicate suppression, irreversible side-effect boundaries, manual recovery state, and operator controls. Batch DA continues it again through production_workflow_state_machine_v1, crash_proof_orchestration_fault_campaign, external_side_effect_reconciliation_v3, and /api/operator/production-workflow-guarantees, adding DA-specific persisted authority state, fault-campaign coverage, side-effect reconciliation v3, missing-live-evidence reporting, and operator-visible recovery decisions. These batches still do not permit unconditional exactly-once scheduling, crash-proof orchestration, a full distributed workflow engine, production-ready, full parity, or exceeded-reference-system wording.

Batch CK narrows the independent security residual through independent_secure_host_review, live_hostile_isolation_drills, secure_host_recovery_authority, and /api/operator/independent-secure-host-review. It exposes reviewer scope, finding remediation, live hostile drill receipts, isolation evidence matrices, operator recovery authority, final-audit linkage, and blocked claims. It does not permit secure/private-by-default execution, production security solved, IronClaw-class secure execution, TEE/CVM/Wasm/container isolation implemented, production-ready, full parity, or exceeded-reference-system wording.

Batch CT narrows the container-grade secure-host validation residual through container_grade_capability_isolation, external_security_validation_v1, secret_egress_certification_drill, and /api/operator/container-grade-secure-host. It exposes capability-class isolation decision records, signed tool roots, credential broker and network-boundary checks, external review scope, finding remediation or waiver records, secret-egress certification drills, recovery authority, final-audit linkage, unsupported hardware-backed/runtime-isolation boundaries, and blocked claims. It does not permit secure/private-by-default execution, production security solved, IronClaw-class secure execution, hardware-backed/TEE/CVM/Wasm/container isolation implemented, production-ready, full parity, or exceeded-reference-system wording.

Batch DB narrows the secure-host implementation residual through runtime_isolation_implementation_v1, credential_broker_egress_enforcement_v1, external_security_certification_v1, hostile_runtime_escape_gauntlet_v1, and /api/operator/certified-secure-host. It exposes covered-path capability policy hooks, runtime isolation profiles, tool/field/destination-scoped secret refs, endpoint/private-network/DNS/revocation denial receipts, MCP site-policy endpoint blocking, process-runtime network-client marker denial, external review/certification-scope records, finding retest and waiver expiry, hostile prompt/SSRF/DNS/filesystem/cookie/package/credential/replay drills, hardware-backed substitute boundaries, and blocked claims. It does not permit secure/private-by-default execution, production security solved, IronClaw-class secure execution, hardware-backed/TEE/CVM/Wasm/container isolation, formal security certification, production-ready, full parity, or exceeded-reference-system wording.

Batch DJ narrows the certification-track secure-runtime residual through production_grade_secure_capability_host_evidence_v1, secure_host_cross_surface_attack_chain_v1, credential_broker_egress_soak_v1, runtime_isolation_attestation_matrix_v1, secure_host_operator_recovery_authority_v1, secure_host_false_claim_scan_v1, and /api/operator/production-grade-secure-capability-host. It exposes secure-host surface matrices, cross-surface hostile-chain receipts, credential-broker egress soak fixtures, runtime-attestation matrices, operator recovery authority, false-claim scans, redacted receipt digests, aggregate benchmark-proof visibility, and blocked claims. It does not permit secure/private-by-default execution, production security solved, IronClaw-class secure execution, hardware-backed/TEE/CVM/Wasm/container isolation, formal security certification, safe autonomous computer use, production-ready, full parity, or exceeded-reference-system wording.

Batch DR narrows the post-DP secure capability-host residual through post_dp_secure_capability_host_gap_closure_v1, runtime_profile_selection_v2, deny_default_credential_egress_v2, hostile_capability_chain_quarantine_v2, secure_host_recovery_authority_v2, secure_host_false_claim_scan_v2, and /api/operator/post-dp-secure-capability-host. It exposes explicit runtime profile selection, deny-by-default credential egress, field/destination-scoped credential refs, hostile cross-surface quarantine, operator-owned recovery authority, safe redacted receipts, aggregate benchmark-proof visibility, and blocked claims beyond Batch DJ. It does not permit secure/private-by-default execution, production security solved, IronClaw-class secure execution, hardware-backed/TEE/CVM/Wasm/container isolation, formal security certification, safe autonomous computer use, production-ready, full parity, or exceeded-reference-system wording.

Batch DK narrows the reach/voice production-operations residual through always_available_reach_live_ops_v1, voice_media_production_parity_candidate_v1, channel_incident_response_v1, cross_surface_reach_continuity_v2, reach_media_false_claim_scan_v1, and /api/operator/reach-voice-production-ops. It exposes selected live/degraded operational windows across mobile, messaging, native, browser, and web surfaces; provider identity; consent, pairing, and revocation receipts; rate-limit and abuse handling; provider outage/fallback drills; offline recovery; false/missed delivery metrics; operator repair actions; STT/TTS/voice/media quality and latency candidates; correction/deletion/privacy controls; cross-surface thread, memory, approval, notification, and operator-handoff continuity; redacted receipt handles; aggregate benchmark-proof visibility; and blocked claims. It does not permit OpenClaw-class reach, complete channel coverage, always-available operation, voice/media parity, production-ready, full parity, or exceeded-reference-system wording.

Batch DL narrows the guardian-learning and memory-provider field-validation residual through live_long_horizon_guardian_learning_field_study_v1, memory_behavior_change_ablation_v1, live_memory_provider_parity_operations_v1, independent_guardian_outcome_candidate_review_v1, longitudinal_learning_safety_monitor_v3, guardian_memory_false_claim_scan_v1, and /api/operator/live-guardian-memory-field-program. It exposes pre-registered field windows, consent, withdrawal, anonymization, cohort boundaries, fixture-vs-live markers, behavior-change ablations against memory-disabled or memory-limited counterfactuals, canonical/advisory/degraded/stale/conflicting/privacy-limited provider operations, delete/export propagation, quarantine, reinstatement, independent longitudinal review, learning safety negative cases, false-claim scan receipts, redacted receipt handles, aggregate benchmark-proof visibility, and blocked claims. It does not permit guardian intelligence superiority, solved learning, live-human-outcome superiority, memory superiority, full memory-provider parity, production-ready, full parity, or exceeded-reference-system wording.

Batch DM narrows the operator-control and audit-evidence residual through operator_control_certification_v2, operator_control_live_population_v1, tamper_evident_audit_candidate_v1, authority_transfer_recovery_v1, operator_control_false_claim_scan_v1, and /api/operator/operator-control-production-certification. It exposes dense required controls, stale-approval blocking, safe denial, recovery correctness, operator takeover, recorded-live plus fixture population telemetry, keyboard/accessibility floors, digest-linked tamper-evident audit candidate receipts, unauthorized mutation denial, authority-transfer scope renewal, replay/runbook boundaries, redacted safe receipt handles, aggregate benchmark-proof visibility, false-claim scans, and blocked claims. It does not permit solved operator control, best/world-class cockpit, approval-transfer solved, tamper-proof audit, formal certification, production-ready, full parity, or exceeded-reference-system wording.

Batch CL narrows the reach/media/mobile residual through broad_channel_sla_operations, production_voice_media_quality_gates, mobile_execution_continuity, and /api/operator/production-reach-voice-mobile. It exposes provider-window behavior, rate limits, abuse handling, degraded recovery, coverage-gap claim boundaries, STT/TTS/media quality and latency gates, correction/deletion privacy boundaries, provider-regression fallback, notification approval handoff, mobile action continuity, thread/memory recovery, offline recovery, revocation fail-closed behavior, final-audit linkage, and blocked claims. It does not permit OpenClaw-class reach, complete channel coverage, voice parity, multimodal parity, always-available operation, production-ready, full parity, or exceeded-reference-system wording.

Batch CU narrows the reach/media field-operation residual beyond Batch CL through broad_reach_field_operations, voice_media_quality_operations, always_available_reach_slo, and /api/operator/broad-reach-field-ops. It exposes provider/channel field matrices, consent and revocation fail-closed checks, rate-limit and abuse drills, degraded recovery, cross-surface continuity IDs, metadata-only redacted receipt boundaries, voice/media quality and latency gates, correction/deletion/privacy controls, bounded SLO windows, provider-failure and offline recovery, operator recovery actions, coverage gaps, final-audit linkage, and blocked claims. It does not permit OpenClaw-class reach, complete channel coverage, voice parity, multimodal parity, always-available operation, production-ready, full parity, or exceeded-reference-system wording.

Batch DC narrows the reach/media operational-campaign residual beyond Batch CU through always_available_reach_operations_v1, voice_media_parity_runtime_v1, mobile_cross_surface_continuity_v1, reach_degraded_recovery_field_campaign, and /api/operator/always-available-reach-media. It exposes selected mobile, messaging, native, browser, and web channel campaign receipts, pairing/revocation, rate-limit and abuse recovery, 14-day equivalent degraded-recovery windows, STT/TTS/voice/media latency and quality receipts, correction/deletion/privacy controls, provider-regression fallback, cross-surface thread/memory/approval/notification/operator-handoff continuity, false and missed delivery metrics, operator repair actions, redacted receipt boundaries, aggregate benchmark-proof visibility, and blocked claims. It does not permit OpenClaw-class reach, complete channel coverage, always-available operation, voice parity, multimodal parity, production-ready, full parity, or exceeded-reference-system wording.

Batch DD narrows the generalized guardian-outcome and memory-provider parity residual beyond Batch CM/CV through generalized_guardian_outcome_study_v1, full_memory_provider_parity_matrix_v1, causal_learning_outcome_thresholds_v1, memory_baseline_comparison_v1, and /api/operator/generalized-guardian-outcomes. It exposes predeclared act, defer, bundle, clarify, approval, stay-silent, recovery, and follow-through outcome protocols; independent evaluator metadata; consent, withdrawal, anonymization, fairness, and adverse-event review; expanded canonical/advisory memory-provider dimension matrices; privacy/delete/export/stale-recall/quarantine/reinstatement receipts; counterfactual causal thresholds; rollback authority; current-source-limited pressure baselines; redacted receipt boundaries; aggregate benchmark-proof visibility; and blocked claims. It does not permit guardian-intelligence superiority, solved live learning, solved long-term learning, live-human-outcome superiority, generalized outcome superiority, memory superiority, full memory-provider parity, named baseline wins, production-ready, full parity, or exceeded-reference-system wording.

Batch CM narrows the independent learning and memory-provider residual through independent_outcome_cohort_review, task_scoped_causal_learning, memory_provider_parity_matrix, and /api/operator/independent-learning-memory-parity. It exposes independent evaluator metadata, sample and power rationale, consent/anonymization, adverse-event review, bounded outcome claims, task-scoped counterfactual causal receipts, confounder boundaries, rollback authority, canonical/advisory memory-provider comparison, privacy-regression quarantine, delete/export receipts, final-audit linkage, and blocked claims. It does not permit guardian-intelligence superiority, solved live learning, live-human-outcome superiority, memory superiority, full memory-provider parity, production-ready, full parity, or exceeded-reference-system wording.

Batch CV narrows the longitudinal learning and memory-provider operations residual beyond Batch CM through longitudinal_guardian_outcome_study, named_baseline_memory_comparison, learning_safety_monitor_v2, and /api/operator/longitudinal-guardian-outcomes. It exposes 60-plus day outcome windows, task families, named baseline source/version/limitations, pressure-only baseline comparison, independent evaluator protocol, consent/withdrawal/anonymization, adverse-event review, reversible learning-policy deltas, rollback authority, canonical/advisory provider comparison, stale-behavior blocking, privacy-regression quarantine, delete/export propagation, provider reinstatement review, safe redacted receipts, final-audit linkage, and blocked claims. It does not permit guardian-intelligence superiority, solved live learning, solved long-term learning, live-human-outcome superiority, memory superiority, full memory-provider parity, named baseline wins, production-ready, full parity, or exceeded-reference-system wording.

Batch CN narrows the operator-control residual through long_work_debugging_recovery, operator_control_density, independent_operator_usability_accessibility, and /api/operator/dense-operator-recovery-control. It exposes failed-workflow diagnosis, branch/output comparison, interruption resume, cross-batch residual-risk inspection, pause/resume/retry/repair/branch/compare/revoke/quarantine/handoff/rollback/audit controls, task-relative operator effort, independent usability/accessibility evidence, keyboard-only paths, recovery correctness, final-audit linkage, and blocked claims. It does not permit best/world-class cockpit, solved operator control, production-ready, full parity, or exceeded-reference-system wording.

Batch CW narrows the dense mission-control residual beyond Batch CN through operator_control_population_study, named_baseline_cockpit_comparison, long_work_debugging_slo, and /api/operator/operator-control-population-study. It exposes population-study metrics, pressure-only named cockpit baselines, searchable timeline/log-diff/replay/runbook/handoff surfaces, long-work debugging SLOs, redacted receipt handles, receiver scope-renewal handoff, read-only replay/runbook boundaries, final-audit linkage, and blocked claims. It does not permit best/world-class cockpit, solved operator control, approval-transfer, tamper-proof audit, production-ready, full parity, or exceeded-reference-system wording.

Batch DE narrows the operator-control certification residual beyond Batch CW through operator_control_certification_v1, mission_control_population_study_v2, long_work_recovery_slo_v2, operator_error_detectability_v1, and /api/operator/operator-control-certification. It exposes required inspect, approve, deny, pause, resume, retry, repair, branch, compare, revoke, quarantine, handoff, rollback, audit, search, replay, and runbook controls; click, keystroke, latency, recovery, and effort telemetry; accessibility and keyboard-only paths; stale approval blocking; safe denial; confidence calibration; recovery correctness; pressure-only named baselines; redacted tamper-evident receipt handles; aggregate benchmark-proof visibility; and blocked claims. It does not permit formal certification, best/world-class cockpit, solved operator control, approval-transfer solved, tamper-proof audit, production-ready, full parity, or exceeded-reference-system wording.

Batch CX narrows the marketplace corpus and continuous operations residual beyond Batch CO through marketplace_security_corpus_v1, continuous_vulnerability_monitoring, publisher_trust_operations, and /api/operator/marketplace-security-corpus. It exposes registry package families, provenance, signatures, publisher keys, SBOM/dependency graph digests, compatibility, review state, scanner-source freshness, waiver expiry, remediation SLA, critical/high denial decisions, install/update/downgrade/rollback/quarantine/re-entry diagnostics, package-network/secret/workspace denial receipts, safe redacted handles, aggregate benchmark-proof visibility, and blocked claims. It does not permit production-secure marketplace, solved third-party package security, ecosystem superiority, package-count superiority, full marketplace parity, production-ready, full parity, or exceeded-reference-system wording.

Batch DF narrows the marketplace/package-security residual beyond Batch CX through production_secure_marketplace_v1, third_party_package_security_certification_v1, marketplace_live_corpus_operations_v2, hostile_package_lifecycle_gauntlet_v1, and /api/operator/production-secure-marketplace. It exposes larger live-corpus provenance, signatures, publisher verification, SBOM and dependency graph evidence, scanner freshness, waiver and remediation policy, proof-bound external review/certification-scope records, fail-closed lifecycle operations, expanded hostile package lifecycle drills, redacted safe receipt digests, aggregate benchmark-proof visibility, and blocked claims. It does not permit production-secure marketplace, solved third-party package security, formal package-security certification, ecosystem superiority, package-count superiority, full marketplace parity, production-ready, full parity, or exceeded-reference-system wording.

Batch DN narrows the marketplace/package-security residual beyond Batch DF through marketplace_security_certification_track_v1, production_secure_marketplace_live_ops_v2, ecosystem_supply_chain_operations_v1, hostile_package_lifecycle_gauntlet_v2, publisher_trust_vulnerability_ops_v1, marketplace_false_claim_scan_v1, and /api/operator/marketplace-production-security. It exposes certification-track review scope, finding/retest/waiver expiry, provenance/signature/publisher-key/SBOM/dependency evidence, computed scanner freshness, install/update/downgrade/rollback/quarantine/re-entry operations, hostile lifecycle v2 network/secret/workspace/rollback/quarantine denial receipts, publisher trust and vulnerability operations, capability-host permission/audit boundaries, redacted safe receipt handles, aggregate benchmark-proof visibility, false-claim scans, and blocked claims. It does not permit production-secure marketplace, solved third-party package security, formal package-security certification, ecosystem superiority, package-count superiority, full marketplace parity, production-ready, full parity, or exceeded-reference-system wording.

Batch DO narrows the browser/computer-use residual beyond Batch DG through browser_computer_use_production_safety_v1, safe_browser_automation_live_ops_v1, credentialed_site_recovery_v1, browser_provider_parity_candidate_v1, browser_session_partition_attestation_v2, browser_false_claim_scan_v1, and /api/operator/browser-computer-use-production. It exposes provider identity and support states, session/profile/cookie/credential/download/upload/filesystem/clipboard/network/private-data boundaries, hostile-page fail-closed cases, dangerous-action default blocks, recorded-live safe-target operations, credentialed test-account recovery, provider degradation, existing-session blocks, partition attestation v2, redacted safe receipt handles, aggregate benchmark-proof visibility, false-claim scans, and blocked claims. It does not permit safe browser automation, safe autonomous computer use, OpenClaw-class browser reach, full browser parity, production-ready, full parity, or exceeded-reference-system wording.

Batch DP added the final post-DI-DO release-gate audit through full_parity_claim_lift_audit_v1, production_readiness_reconciliation_v2, reference_system_source_refresh_v4, post_di_do_board_pr_issue_reconciliation_v1, false_completion_scan_v4, final_critic_contrarian_no_block_v1, and /api/operator/full-parity-release-gate. It exposes current June 11, 2026 Hermes/OpenClaw/IronClaw pressure-only source receipts, DI-DO issue/PR/Project reconciliation, stale issue-body caveats, seven-area production-readiness reconciliation receipts, exact SCL-051 through SCL-058 claim decisions, false-completion scans, Critic/Contrarian no-block receipts, and aggregate benchmark-proof visibility. It does not permit production-ready, product-wide full parity, exceeded-reference-system, secure/private-by-default, safe autonomous browser/computer-use, solved operator-control, guardian-superiority, memory-superiority, or ecosystem-superiority wording.

Batch CY narrows the managed browser/computer-use reliability and parity-depth residual beyond Batch CP through browser_task_breadth_matrix, browser_auth_partition_operations, site_drift_recovery_slo, and /api/operator/browser-computer-use-parity-depth. It exposes safe-target task breadth, provider identity, reliability windows, auth/session partition operations, profile/cookie/credential/download/upload/filesystem/network boundaries, dangerous-action blocking, site-drift recovery SLOs, independent depth usability receipts, prior CP safety-boundary linkage, aggregate benchmark-proof visibility, and blocked claims. It does not permit safe browser automation, safe autonomous computer-use, full browser parity, production-ready, full parity, or exceeded-reference-system wording.

Batch CQ closed the bounded proof-train claim-lift audit after CP. It permits only the exact bounded proof-train wording recorded in the claim ledger and keeps full parity and exceedance blocked. Batches CR-CY add the post-CQ production-evidence train, and Batch CZ adds the post-CQ claim-readiness audit surface; broad full parity, production readiness, superiority, and reference-system exceedance remain blocked unless later claim-ledger wording permits them exactly.

This roadmap preserves the Seraph vision boundary: Seraph should exceed reference agents through guardian memory, restraint, trust, operator legibility, and recovery rather than by becoming an unrestricted plugin farm, raw channel gateway, or terminal-only coding shell.

Team Review Record

Lead plan:

  • Explorer pass Avicenna: Seraph vision, shipped truth, and non-negotiables.
  • Capability import pass Linnaeus: Hermes/OpenClaw/IronClaw references and catalog-extension status.
  • Critic/Contrarian pass Boole: claim strength, stale source risk, proof gaps, and scope drift.
  • Execution mapping pass Lovelace: mapped every feature area to milestone, issue, and proof anchors; identified multimodal/voice as the only genuine missing dedicated issue.
  • Follow-up Critic/Contrarian pass Cicero: confirmed the multimodal/voice issue was not duplicated, accepted creation after narrowing it to a proof/governance anchor, and requested the wording/source-map revisions now reflected above.

Critic disposition: accepted. The broad "better today" language was weakened to scoped differentiators, IronClaw security wording was narrowed to source-backed TEE/CVM/vault/Wasm/allowlist language, OpenClaw browser/control docs were added to the source trail, proof gates now name milestone families, the acceptance standard now applies to execution-batch readiness, and the sidebar ordering follows the dependency chain.

Follow-up disposition: accepted. The current-source refresh, execution mapping table, and IronClaw secure-capability-host plan now complete the original "still to do after this PR" items. Dedicated issue #467 was created for guardian-safe multimodal and voice proof, added to the Seraph Execution project with required queue/lane/priority/size/status/review fields, and linked back into this document.

Post-merge disposition: accepted. PR #473 merged the aggregate proof train, so this document now separates strategy completion and proof-train completion from the remaining product gaps. The stale reach PR #462 was closed as superseded, and proof-slice issues #438, #467, #470, #471, and #472 were closed with explicit claim-boundary comments. The X article is used only through the accessible fxtwitter retrieval and only for bounded Hermes-pressure claims; its benchmark claim remains unverified.