Skip to main content

Seraph Development Status

Seraph is an AI guardian that remembers, watches, and acts. This page is the fastest answer to what is real on develop right now.

For a shorter reader-facing overview of the current app, start with Current App Guide. This status page remains the dense shipped-state record.

Legend

  • [x] shipped on develop
  • [ ] not fully shipped on develop
  • in-flight branch work should be tracked in open PRs, not in this file

When this file is updated on an open feature branch, it reflects the intended post-merge develop state for that branch. Until merge, the open PR and its validation are the live integration truth.

High-risk strategic wording in this status page remains governed by 19. Strategy Claim Ledger.

Current Snapshot

  • Seraph is usable today as a real guardian workspace with a browser cockpit, memory, screen awareness, proactive behavior, and a real action layer.
  • Public docs target the v2026.6.30 app era; the published GitHub Pages site updates only after a main push touches docs/** and the Pages workflow succeeds.
  • The live truth surface is now docs/research/ plus docs/implementation/, while the GitHub Project, issues, and PRs carry active execution state.
  • Trust Boundaries, Execution Plane, and Runtime Reliability have strong foundations on develop.
  • The target product shape is now a power-user guardian workspace, not a village-first shell.
  • The guardian workspace is the only supported browser shell; the village/editor line is removed from the active repo path and should not be revived.
  • The workspace now exposes capability discovery, starter packs, workflow history, step records, typed artifact-to-workflow handoff, truthful checkpoint branch control, branch-family supervision with latest-branch continue/open-parent controls, parameterized replay, reload continuity, a searchable capability palette, capability preflight/autorepair, a separate Activity Ledger window, a denser operator terminal, live operator feed, saved runbook macros, active triage, evidence shortcuts, workflow step-focus rows with direct step/output handoff, branch-origin and failure-lineage debugger rows with best-continuation control, family-history comparison plus family-output reuse/output-comparison rows, denser ancestor/peer/failure-lineage follow-through actions, direct family-row checkpoint drill-in and family-row step-recovery controls on best-continuation and related family rows, explicit workflow output-history plus checkpoint-history plus lineage-event debugger rows, verified artifact source-run plus related-output follow-through with explicit unresolved-state fallback, artifact source-run open/continue plus source-failure or related-output comparison shortcuts across evidence/output/inspector panes, direct triage failure-context and recovery controls, keyboard-first inspect or approve or continue or redirect or failure/recovery/workflow/output/best-continuation/comparison plus artifact inspect/plan/source/failure flows, and explicit continue/open-thread controls instead of leaving those as implicit operator knowledge.
  • Seraph now also has a first adapter-backed external evidence path: typed source adapters, normalized evidence bundles, executable public-web discovery/page/session reads, and explicit degraded managed-connector truth instead of leaving source routines to infer execution from inventory alone.
  • Seraph now also has a first connector-backed authenticated source-mutation planning path: typed write contracts, scoped approval metadata, and a native mutation-plan tool can explain privileged source writes without pretending every configured connector already has an executable runtime route.
  • Seraph now also has a first connector-backed authenticated source-read path: when a managed connector is enabled, configured, and matched to a live MCP runtime, Seraph can normalize repository, work-item, and code-activity evidence through the same source-evidence contract instead of leaving authenticated providers permanently stuck in inventory-only degraded mode.
  • Seraph now also has reusable connector-first source review routines: plan_source_review, bundled daily/progress/goal-alignment starter packs and runbooks, mixed-source review plans that stay provider-neutral, and explicit degraded-step truth instead of forcing each external review flow into bespoke provider glue.
  • Seraph now also has a first connector-backed authenticated source-action and report workflow path: managed adapters can execute bounded work_items.write plus code_activity.write actions with action-scoped approval and audit metadata, including PR-native create or review flows with fixed-argument guardrails, and plan_source_report can compose provider-neutral review plus publication flows against work-item or pull-request activity contracts instead of forcing bespoke provider-specific report pipelines.
  • Seraph now also fails closed on field-scoped secret-reference injection and connector-backed authenticated mutation payloads: tool metadata surfaces explicit secret_ref_fields, runtime secret refs only resolve on declared injection-safe fields, and managed write actions reject undeclared payload keys instead of forwarding arbitrary connector arguments.
  • Seraph now also binds managed background-process recovery to the originating session: process list, output-read, and stop surfaces fail closed outside that session instead of leaving long-running helper recovery broadly discoverable.
  • Seraph now also runs direct command and managed background-process execution inside disposable worker roots outside the workspace, requires explicit credential-egress allowlists before secret-bearing MCP execution can cross a connector boundary, and keeps delegated/workflow/operator trust receipts truthful about connector-egress plus branch-handoff partitions instead of flattening them back to a generic session surface.
  • docs/implementation/11-world-class-strategy-delivery.md now translates the world-class strategy into delivery rules, while active execution remains in the GitHub Project, issues, and PRs.
  • Seraph now also has a governed self-evolution loop for declarative capability assets: /api/evolution plus propose_capability_evolution can generate eval-scored review candidates for skills, runbooks, starter packs, and prompt packs, persist review receipts inside the managed workspace package, and block semantic drift or privileged prompt-surface expansion before anything reaches human PR review.
  • Governed self-evolution receipts now also carry explicit change summaries and review-risk notes, so saved candidates and PR drafts explain why a variant still needs human review instead of only returning raw blocked/pass constraints.
  • Governed self-improvement now also blocks obvious preference-collapse drift, carries explicit canary-only and rollback-ready benchmark-gate receipts on saved candidates, and exposes recent saved proposal receipts through the operator benchmark surface instead of treating candidate generation alone as proof.
  • Seraph now also exposes a benchmark-proof surface: deterministic benchmark suites for memory/workflow continuity, browser or desktop execution, planning or retrieval reporting, trust boundaries and safety receipts, M7 operator-cockpit legibility, and governed improvement are grouped into one operator-readable report, and governed self-evolution receipts now carry explicit benchmark-gate posture instead of relying on implicit eval-score interpretation.
  • Seraph now also exposes a dedicated guardian-memory benchmark surface: reasoning-heavy engineering-memory retrieval over workflow, approval, audit, artifact, and repo or PR continuity bundles, contradiction-aware ranking, selective-forgetting diagnostics, and operator-visible memory failure reporting now live in a named guardian_memory_quality suite instead of staying buried in flat runtime scenario lists.
  • Seraph now also has a first operator team control plane: the cockpit and operator API synthesize workspace governance modes, role inventory, usage rollups, runtime posture, review receipts, and approval/workflow handoff state instead of leaving team operations spread across settings, activity, workflow, extension, and continuity surfaces.
  • Seraph now also has a named M7 cockpit legibility proof lane: m7_operator_cockpit_legibility verifies readable operator receipts, control-mode-labeled approval/workflow/continuity controls, control-plane handoff legibility, trust-boundary reasons before recovery, and the /api/operator/m7-cockpit-legibility-benchmark report without claiming live usability superiority.
  • Seraph now also has a named cockpit operator-efficiency proof lane: cockpit_operator_efficiency_benchmark verifies thresholded inspect, approve, deny, pause, resume, retry, repair, branch, compare, revoke, and audit fixtures with action/time budgets, receipt coverage, baseline/no-regression policy, confidence-affordance proxy boundaries, and the /api/operator/cockpit-efficiency-benchmark report without claiming live usability or competitor superiority.
  • Seraph now also has a long-running workflow operating layer: the operator API and cockpit group active workflow supervision by thread, surface lead-run step focus and recoverability across multiple sessions, compact long-running state into explicit capsules, expose queue-state recovery guidance plus repair-ready or branch-ready or stalled or debugger-ready attention summaries, keep inspect/continue/failure-context/open-thread or next-step control available outside the currently inspected run, and add direct repair/open-branch/compare-output debugger follow-through with explicit runtime-eval proof.
  • Seraph now also has a first workspace-level background-session substrate: the operator API joins session-owned managed processes, workflow branch-handoff bundles, and session continuity snippets so long-running work can be resumed from one continuity surface instead of reconstructing state from process logs, workflow rows, and recent chat separately.
  • Seraph now also has a first searchable engineering-memory surface for repositories and pull requests: the operator API groups workflow continuity, approval targets, audit receipts, artifact paths, and matched session snippets by shared reference instead of leaving engineering context fragmented across session search, workflow history, and source-action audit rows.
  • Seraph now also has an explicit operator continuity graph: the operator API links sessions, workflows, approvals, artifacts, notifications, deferred guardian items, and interventions through one evidence-backed graph instead of leaving those relationships implicit across background-session, timeline, and observer surfaces.
  • Seraph now also has a first background-continuity supervision surface in the cockpit: the operator terminal composes background sessions, engineering-memory bundles, and the continuity graph into one direct continue/open-thread/use-output/latest-branch/next-step lane instead of forcing long-running handoff across separate operator APIs.
  • Seraph now also has a first explicit guardian user-model substrate: the canonical world model infers interruption, communication, thread, and cadence preferences, carries grounded-versus-partial user-model confidence, and exposes evidence-backed preference-inference diagnostics instead of leaving those judgments implicit in raw memory plus learning bias text.
  • Seraph now also carries an explicit guardian restraint contract: guardian state exposes action posture, restraint reasons, user-model evidence facets, and user-model benchmark diagnostics; the operator API and cockpit surface that contract directly; and a named guardian_user_model_restraint suite proves continuity-aware user modeling, ambiguity-aware clarification, and restraint-before-action behavior.
  • Seraph now also has an operator-visible guardian-state surface: the operator API and cockpit expose synthesized confidence, intent resolution, judgment proof, judgment risk, and next-step guidance from the canonical guardian state instead of mirroring only raw observer fields.
  • Seraph now also has an explicit workflow-endurance benchmark surface: a named workflow_endurance_and_repair suite proves anticipatory repair planning, condensation-fidelity reporting, backup-branch visibility, multi-session endurance, and operator-readable failure taxonomy instead of leaving long-running workflow quality implicit in generic runtime evals.
  • Seraph now also has a live workflow-endurance canary surface: live_workflow_endurance_canary and /api/operator/live-workflow-endurance-canary provide a replayable, audit-projected receipt for multi-session workflow handoff across delegated ownership, checkpoint branching, injected failure, repair, artifact comparison, approval preservation, trust-boundary drift blocking, and final audit trail while preserving the claim boundary that this is not a durable workflow engine.
  • Seraph now also has a minimal durable workflow state kernel: workflow runs, steps, safe checkpoint context, and retry or repair state persist into dedicated state tables with redaction for unsafe secret or authenticated checkpoint payloads; repository support and deterministic fixtures cover heartbeat and delegated artifact-review lifecycle receipt shapes; checkpoint resume reads durable state before audit projection; and durable_workflow_engine_v1 plus /api/operator/durable-workflow-engine expose the bounded proof without claiming production crash recovery or a full distributed workflow engine.
  • Seraph now also has Batch BX durable-orchestration v2 receipts on top of that kernel: production_durable_orchestration, durable_workflow_engine_v2, and /api/operator/durable-workflow-engine-v2 expose durable lease ownership, revision-guarded idempotent transitions, trigger dedupe, unsafe-resume recovery blocks, delegated-artifact adoption gates, and aggregate benchmark-proof visibility while preserving the boundary that this is not LangGraph-class durability, exactly-once external scheduling, crash-proof orchestration, or solved workflow parity.
  • Seraph now also has Batch CC recorded-live external-orchestration and crash-study receipts on top of the v2 durable-orchestration proof: live_external_orchestration_attestation, orchestration_crash_recovery_study, and /api/operator/live-external-orchestration expose provider identity, evidence mode, replay windows, idempotency keys, side-effect boundaries, delivery semantics, injected crash/restart studies, resume authority, duplicate-replay suppression, and operator recovery controls while preserving the boundary that this is not exactly-once scheduling, crash-proof orchestration, a full distributed workflow engine, production readiness, or full parity.
  • Seraph now also has Batch CJ production SLA orchestration receipts on top of the recorded-live external-orchestration proof: production_sla_orchestration, exactly_once_recovery_evidence, duplicate_side_effect_audit, and /api/operator/production-sla-orchestration expose provider windows, jitter budgets, replay windows, failure-injection methods, idempotency scopes, side-effect boundaries, duplicate suppression, reconciliation, operator recovery controls, final-audit linkage, and aggregate benchmark-proof visibility while preserving the boundary that this is not unconditional exactly-once scheduling, crash-proof orchestration, a full distributed workflow engine, production readiness, or full parity.
  • Seraph now also has Batch CS continuous orchestration SLO receipts on top of the Batch CJ SLA/effectively-once proof: continuous_orchestration_slo_monitor, crash_failover_soak_v1, side_effect_reconciliation_v2, and /api/operator/continuous-orchestration-slo expose a deterministic runtime ledger for monitor, failover, and side-effect reconciliation observations, rolling monitor windows, scheduler/provider health, retry and jitter budgets, crash/failover events, replay authority, idempotency keys, duplicate suppression, irreversible side-effect boundaries, manual recovery state, operator controls, blocked claims, and aggregate benchmark-proof visibility while preserving the boundary that this is not unconditional exactly-once scheduling, crash-proof orchestration, a full distributed workflow engine, production readiness, or full parity.
  • Seraph now also has Batch CD production-isolation and security-incident receipts on top of the secure-host hardening proof: production_isolation_hardening_v2, privileged_path_red_team_gauntlet_v2, security_incident_recovery_drill, and /api/operator/production-isolation-hardening expose worker-root, browser-profile, connector-credential, extension-quarantine, workflow trust-guard, privileged-path red-team, incident recovery, credential-rotation, operator-notification, operator-control, blocked-claim, and aggregate benchmark-proof visibility while preserving the boundary that this is not secure/private-by-default execution, IronClaw-class security, full host/container/TEE/CVM/Wasm isolation, production readiness, safe autonomous computer use, or full parity.
  • Seraph now also has Batch CE live broad reach and production voice/media receipts on top of the Batch BY reach/browser/voice proof: live_broad_reach_channel_attestation, production_voice_media_provider_runtime, cross_surface_continuity_recovery, and /api/operator/live-reach-media-proof expose mobile-push and messaging provider identity, evidence mode, consent, pairing, revocation, rate limits, abuse handling, approval handoff, STT/TTS/media-analysis capture boundaries, correction/deletion, provider-failure fallback, cross-surface thread/memory/approval continuity, degraded recovery, blocked claims, and aggregate benchmark-proof visibility while preserving the boundary that this is not broad reach, complete channel coverage, OpenClaw-class reach, voice parity, multimodal parity, production STT/TTS solved, production mobile execution solved, always-available operation, production readiness, or full parity.
  • Seraph now also has a live long-horizon replay proof surface: the named live_long_horizon_eval_replay_v1 suite uses fixed-time fake-provider fixtures, cross-surface failure taxonomy, and operator-visible receipts across memory, workflow, reach, security, and cockpit surfaces while preserving the claim boundary that this is deterministic live-ish replay, not live human-outcome superiority or production provider attestation.
  • Seraph now also has an explicit trust-boundary benchmark surface: a named trust_boundary_and_safety_receipts suite proves secret-egress containment, delegation/background partitioning, workflow replay drift blocking, and operator-visible safety receipts instead of leaving trust hardening spread across isolated approval and runtime APIs.
  • Seraph now also has Batch BO secure capability-host proof: secure_capability_host covers host-isolation strategy, browser cookie/session partition strategy, workspace escape blocking, hostile-provider replay blocking, a capability/trust regression matrix, and receipt-surface completeness while preserving the claim boundary that this is deterministic choke-point proof, not full production container or browser credential isolation.
  • Seraph now also has an explicit computer-use benchmark surface: the named computer_use_browser_desktop suite plus the operator computer-use benchmark surface prove replayable browser task receipts, desktop notification action replay, shared browser/native continuity, and operator-visible computer-use failure taxonomy instead of leaving browser/desktop execution proof at the catalog-summary seam.
  • Seraph now also has anticipatory workflow repair and backup-branch supervision: the operator API and cockpit surface pre-repair drafts, backup-branch candidates, condensation-fidelity state, and queue-level anticipatory risk summaries for long-running workflow threads instead of only showing post-failure recovery density.
  • Seraph now also has synthesized cross-surface recovery state: observer continuity groups pending follow-through by thread, summarizes degraded reach and pending recovery in one payload, and drives cockpit presence plus desktop-shell recovery actions instead of leaving those surfaces to infer state from raw notifications, queued items, and route rows.
  • Seraph now also carries imported capability-family attention and typed source-adapter degradation through that same observer continuity path, so broader reach problems show up in cockpit presence, desktop-shell recovery, and active triage instead of hiding in separate operator inventories.
  • The same broader reach continuity contract now also feeds the threaded operator timeline and Activity Ledger, so typed source-adapter and imported-reach recovery remains visible outside the raw observer endpoint and cockpit shell.
  • The same broader reach continuity contract now also carries explicit presence-surface inventory across messaging connectors, channel adapters, node adapters, and observer definitions, with ready-versus-attention summaries plus repair/follow-up actions visible in cockpit triage, the desktop shell, the threaded operator timeline, and the Activity Ledger.
  • That same broader reach continuity contract now also carries inventory-backed browser-provider and node-adapter surfaces with selected-versus-fallback state plus daemon/network prerequisites, so packaged browser reach and companion/device recovery no longer disappear behind separate operator inventories.
  • Seraph now also has a one-channel reach canary: native notifications are the selected canary channel, with deterministic receipts for pairing, revocation, health, bounded retry/fallback, same-thread continuity, memory/context continuity, approval handoff, audit trail, degraded-state UI, and explicit no-sprawl boundaries for Slack, Discord, Telegram, mobile, voice, and other future channels.
  • Backend CI now also weights historically slow backend suites, runs ten isolated backend shards in GitHub Actions, and pins the real shard-runner executable contract instead of letting runner skew and stale local assumptions dominate the current backend matrix.
  • Runtime routing now also exposes richer provider-planning comparison details, including capability-gap penalties, live-feedback penalties, retained-primary-versus-planning-winner summaries, best-alternate route margins, and the same comparison contract across runtime audit, operator, and activity surfaces.
  • The extension platform now also exposes package version lines, compatibility truth, publisher metadata, and diagnostics summaries consistently across lifecycle, catalog, and capability surfaces, while the cockpit operator surface summarizes extension health plus update/studio actions instead of leaving package triage buried in separate inventories.
  • M9 governed ecosystem foundations now have deterministic local proof: m9_governed_ecosystem plus /api/operator/m9-governed-ecosystem-benchmark cover manifest governance, lifecycle review gates, managed-connector degradation truth, marketplace governance flow, diagnostics/update triage, benchmark-proof posture, and the claim boundary that this is not competitor superiority or production marketplace security proof.
  • Backend CI now also applies per-file watchdog timeouts for the heaviest backend suites, so hung test_workflows.py or test_eval_harness.py files stop consuming an entire shard budget on hosted runners.
  • The additive memory-provider surface now also exposes a provider-neutral adapter model with per-capability sync-policy contracts, a machine-readable canonical-memory contract, explicit provenance taxonomy, guardian-visible provider provenance lines, ranked usefulness diagnostics, stale-versus-irrelevant suppression counts, query-matched canonical project hints that can selectively activate provider-backed user-model augmentation when live recent-project state is sparse, explicit canonical-memory reconciliation diagnostics through the memory API and guardian state, and post-canonical writeback guardrails that suppress duplicate, low-quality, or project-anchorless project-scoped canonical memories before they are mirrored into external providers.
  • The benchmark-proof and memory APIs now also expose that same guardian-memory quality contract directly: contradiction-aware recall diagnostics, selective-forgetting policy, reconciliation failure reports, and CI-gated memory benchmark posture are operator-visible instead of implicit.
  • M6 memory superiority now has a dedicated deterministic benchmark suite and operator report for long-horizon recall, contradiction handling, stale-memory override, source trust/privacy boundaries, provider-quality diagnostics, and behavior-change receipts.
  • Memory providers now also have a deterministic quality gate: provider manifests expose quality declarations, provider hits need evidence IDs plus confidence/provenance/privacy/freshness/conflict/suppression metadata before entering guardian context, noisy/stale/private/credential/authority-drifting evidence is suppressed with receipts, provider-returned secret echoes are redacted, and /api/operator/memory-provider-quality-gate exposes the claim-bounded proof.
  • Onboarding can now inspect an explicitly user-linked webpage during the current onboarding turn, so Seraph can derive profile or workspace context from a real source without widening onboarding into general browsing.
  • The workspace window system now uses flatter terminal-style chrome with close controls, a Windows visibility menu, and per-pane hide/show state instead of only static rounded dashboard cards.
  • The capability import program is now complete through all five waves, including Hermes-style runtime primitives, packaged reach surfaces, selective OpenClaw imports, operator-surface visibility, and deterministic proof for the imported capability families.
  • The agent-parity strategy artifact is complete as a target, proof-gate, and claim-boundary map.
  • The aggregate agent-parity proof train landed on develop through merged PR #473, completing deterministic proof-floor coverage for replay, cockpit efficiency, memory-provider quality, workflow endurance, durable workflow state v1, one reach canary, guardian arbitration, governed capability-pack hardening, and guardian-safe multimodal/voice.
  • The named parity proof floors are reached as deterministic receipts, not as broad production parity or superiority claims.
  • The production-grade parity execution roadmap is now board-backed through parent issue #475, original huge batch issues #476-#482, follow-on huge batch issues #491-#497, full-completion batch issues #505-#512, post-CQ production-evidence batch issues #522-#530, completed DI-DP bounded evidence and DP release-gate batches #557-#564, and active post-DP implementation gap-closure batches #573-#580.
  • The production-grade parity train now has a named readiness proof gate: production_parity_readiness plus /api/operator/production-parity-readiness expose batch proof paths, Project-field contract requirements, duplicate-scope guardrails, negative-case requirements, receipt-schema fields, current-source gating for competitor-dependent claims, validation classes, and blocked claim boundaries before later batches claim implementation readiness.
  • Batch BW now adds a named secure-host hardening proof gate: production_secure_host_hardening, secure_capability_host_live_isolation_v2, and /api/operator/secure-capability-host-hardening expose privileged-path receipt schema, secret replay and redaction checks, browser recovery partitioning, private-network egress denial, extension revocation cutoff, workflow/provider replay trust-drift receipts, blocked claims, and recovery actions. This remains hardening proof, not secure/private-by-default, production-ready, IronClaw-class secure execution, or full parity wording.
  • Batch BX now adds named durable-orchestration v2 receipts: production_durable_orchestration, durable_workflow_engine_v2, and /api/operator/durable-workflow-engine-v2 expose lease ownership, idempotent transitions, trigger dedupe, unsafe-resume blocking, delegated-artifact adoption gates, blocked claims, and recovery actions. This remains production-oriented orchestration proof, not LangGraph-class durability, exactly-once scheduling, crash-proof orchestration, or solved workflow parity.
  • Batch BY now adds named production reach/browser/voice receipts: production_reach_channel_hardening, browser_computer_use_reliability_v2, guardian_safe_voice_media_runtime, and /api/operator/production-reach-browser-voice expose paired external messaging identity, revocation, approval handoff, privacy redaction, degraded recovery, browser provider truth, session partitioning, crash recovery, page-drift replay blocking, and guarded voice/media correction/deletion/revocation paths. This remains deterministic hardening proof, not broad reach, complete channel coverage, voice parity, multimodal parity, safe browser automation, or full browser parity.
  • Batch BZ now adds named live guardian-learning and memory-provider outcome receipts: live_guardian_learning_quality, guardian_intervention_outcome_cohorts, memory_provider_ecosystem_maturity_v1, canonical_memory_reconciliation_v2, provider_usefulness_regression, and /api/operator/live-guardian-learning-quality expose typed accepted/ignored/corrected/deferred/harmful/helpful/channel-shifted/follow-through outcome cohorts, false-positive and false-negative learning receipts, stale-evidence decay, provider usefulness/degradation/quarantine receipts, canonical-memory precedence, advisory writeback, deletion/export receipts, and provider usefulness regressions. This remains deterministic outcome and provider-maturity proof, not guardian intelligence superiority, solved long-term learning, memory superiority, memory-provider parity, or live human-outcome superiority.
  • Batch CA now adds named marketplace lifecycle maturity receipts: marketplace_grade_capability_lifecycle, governed_capability_lifecycle_v2, capability_rollback_failure_diagnostics, and /api/operator/marketplace-lifecycle-maturity expose install/update/downgrade/disable/rollback/review/quarantine/diagnostics/staged-rollout receipts, permission and risk deltas, cross-family lifecycle coverage, failed-update recovery, quarantine re-entry, package-count claim blocking, and aggregate benchmark-proof visibility. This remains deterministic lifecycle proof, not production marketplace security, third-party package security proof, ecosystem superiority, package-count superiority, or full marketplace parity.
  • Batch CB now adds named production operator-control and parity-train verification receipts: production_operator_control_parity, production_parity_train, and /api/operator/production-operator-control-parity expose long-work control receipts across durable orchestration, secure-host hardening, reach/browser/voice recovery, learning and memory explanations, marketplace lifecycle events, approvals, audit, prior production-train PRs, residual risks, board receipts, and final critic/audit requirements. This remains deterministic operator-control/train proof, not full parity, best cockpit, solved operator control, production readiness, or exceeded-reference-system wording.
  • Batch CC now adds named recorded-live external-orchestration and crash-study receipts: live_external_orchestration_attestation, orchestration_crash_recovery_study, and /api/operator/live-external-orchestration expose external scheduler/provider identity receipts, idempotency and side-effect boundaries, replay suppression, injected crash/restart drills, resume authority, recovery controls, blocked claims, and aggregate benchmark-proof visibility. This remains bounded recorded-live and deterministic proof, not exactly-once production scheduling, crash-proof orchestration, a full distributed workflow engine, production readiness, or full parity.
  • Batch CD now adds named production-isolation and security-incident receipts: production_isolation_hardening_v2, privileged_path_red_team_gauntlet_v2, security_incident_recovery_drill, and /api/operator/production-isolation-hardening expose deterministic and recorded-live proof for worker roots, browser profile partitioning, credential proxy boundaries, extension quarantine, workflow trust guards, privileged-path red-team blocks, incident recovery, credential rotation, operator notification, and blocked claims. This remains bounded proof, not full host/container/TEE/CVM/Wasm isolation, secure/private-by-default execution, production security solved, IronClaw-class secure execution, safe autonomous computer use, production readiness, or full parity.
  • Batch CE now adds named live broad reach and production voice/media receipts: live_broad_reach_channel_attestation, production_voice_media_provider_runtime, cross_surface_continuity_recovery, and /api/operator/live-reach-media-proof expose live/recorded-live proof for mobile push, external messaging, STT, TTS, media analysis, consent, pairing, revocation, rate limits, abuse handling, approval handoff, provider failure, correction/deletion, cross-surface thread/memory/approval continuity, degraded recovery, and blocked claims. This remains bounded proof, not broad reach, complete channel coverage, OpenClaw-class reach, voice parity, multimodal parity, production STT/TTS solved, production mobile execution solved, always-available operation, production readiness, or full parity.
  • Batch CF now adds named recorded-live human-outcome and causal guardian-learning receipts: live_human_outcome_quality_study, guardian_learning_causal_attribution, memory_provider_live_regression_monitor, and /api/operator/live-human-outcome-learning-proof expose consent-aware anonymized outcome cohorts, correction/harm/follow-through receipts, residual bias and coverage limitations, counterfactual causal attribution, reversible learning changes, stale-evidence decay, provider usefulness deltas, privacy regression monitoring, quarantine, and blocked claims. This remains bounded proof, not guardian intelligence superiority, solved live learning, live human-outcome superiority, memory superiority, memory-provider parity, production readiness, or full parity.
  • Batch CG now adds named recorded-live third-party marketplace attestation and operations receipts: third_party_marketplace_attestation, marketplace_operations_incident_drill, publisher_review_and_package_trust, and /api/operator/live-marketplace-attestation-proof expose package provenance, signatures, publisher verification, compatibility, dependency and vulnerability attestation, install/update/downgrade/rollback/quarantine/re-entry operations, failed-update diagnostics, publisher review freshness, trust explanations, package-count claim blocking, and aggregate benchmark-proof visibility. This remains bounded proof, not production-secure marketplace, third-party package security solved, ecosystem superiority, package-count superiority, full marketplace parity, production readiness, or full parity.
  • Batch CH now adds named browser-provider attestation and multi-operator usability receipts: managed_browser_provider_attestation, live_multi_operator_usability_study, browser_computer_use_recovery_drill, and /api/operator/browser-provider-usability-proof expose local/managed/remote browser provider identity, evidence mode, session partitioning, credential boundaries, download/upload boundaries, provider degradation, recorded-live multi-operator inspect/recover/approval/handoff/audit/keyboard/accessibility/error-rate metrics, fail-closed provider crash/page drift/credential/download-upload recovery, blocked claims, and aggregate benchmark-proof visibility. This remains bounded proof, not safe browser automation, full browser parity, best cockpit, solved operator control, production readiness, or full parity.
  • Batch CI now adds named final source-backed parity readiness receipts: final_source_backed_parity_audit, final_claim_ledger_reconciliation, operator_final_parity_readiness_report, and /api/operator/final-parity-readiness-report expose current Hermes/OpenClaw/IronClaw source receipts, pressure-axis mapping, production-train issue/PR/Project reconciliation, claim-ledger wording gates, residual gaps, accepted Critic/Contrarian findings, and no-false-completion proof. This remains a final audit gate, not full parity, reference-system exceedance, production readiness, secure/private-by-default, IronClaw-class security, OpenClaw-class reach, safe browser automation, full browser parity, or production-secure marketplace wording.
  • Batch CJ now adds named production SLA orchestration and scoped recovery receipts: production_sla_orchestration, exactly_once_recovery_evidence, duplicate_side_effect_audit, and /api/operator/production-sla-orchestration expose provider windows, jitter budgets, replay windows, failure-injection methods, idempotency scopes, side-effect boundaries, duplicate suppression, reconciliation, operator recovery controls, final-audit linkage, blocked claims, and aggregate benchmark-proof visibility. This remains bounded SLA/effectively-once proof, not unconditional exactly-once scheduling, crash-proof orchestration, a full distributed workflow engine, production readiness, or full parity.
  • Batch CS now adds named continuous orchestration SLO and recovery-operations receipts: continuous_orchestration_slo_monitor, crash_failover_soak_v1, side_effect_reconciliation_v2, and /api/operator/continuous-orchestration-slo expose deterministic runtime observation state, rolling monitor windows, scheduler/provider health, retries, jitter budgets, crash/failover soak drills, replay authority, idempotency keys, duplicate suppression, irreversible side-effect boundaries, manual recovery state, operator controls, blocked claims, and aggregate benchmark-proof visibility. This remains bounded continuous-operations proof, not unconditional exactly-once scheduling, crash-proof orchestration, a full distributed workflow engine, production readiness, or full parity.
  • Batch CK now adds named independent secure-host review and isolation-hardening receipts: independent_secure_host_review, live_hostile_isolation_drills, secure_host_recovery_authority, and /api/operator/independent-secure-host-review expose reviewer scope, finding remediation, hostile prompt/SSRF/filesystem/credential/extension/replay/browser drills, isolation evidence matrices, recovery authority, blocked claims, and aggregate benchmark-proof visibility. This remains bounded security proof, not secure/private-by-default execution, production security solved, IronClaw-class secure execution, hardware-backed/container-grade isolation implementation, production readiness, or full parity.
  • Batch CT now adds named container-grade secure-host validation receipts: container_grade_capability_isolation, external_security_validation_v1, secret_egress_certification_drill, and /api/operator/container-grade-secure-host expose capability-class isolation decision records, signed tool roots, credential broker and network-boundary checks, external review scope, finding remediation or waiver records, secret-egress certification drills, recovery authority, unsupported hardware-backed/runtime-isolation boundaries, blocked claims, and aggregate benchmark-proof visibility. This remains bounded validation proof, not secure/private-by-default execution, production security solved, IronClaw-class secure execution, hardware-backed/TEE/CVM/Wasm/container isolation implementation, production readiness, or full parity.
  • Batch CL now adds named broad-channel SLA, production voice/media quality-gate, and mobile-execution continuity receipts: broad_channel_sla_operations, production_voice_media_quality_gates, mobile_execution_continuity, and /api/operator/production-reach-voice-mobile expose provider-window behavior, rate-limit and abuse handling, degraded delivery recovery, coverage-gap claim boundaries, STT/TTS/media quality and latency gates, correction/deletion privacy boundaries, provider-regression fallback, notification approval handoff, mobile action continuity, thread/memory recovery, offline recovery, revocation fail-closed behavior, blocked claims, and aggregate benchmark-proof visibility. This remains bounded reach/voice/mobile proof, not OpenClaw-class reach, voice parity, multimodal parity, always-available operation, production readiness, or full parity.
  • Batch CU now adds named broad-reach field-operation, voice/media quality-operation, and bounded reach-SLO receipts: broad_reach_field_operations, voice_media_quality_operations, always_available_reach_slo, and /api/operator/broad-reach-field-ops expose provider/channel field matrices, consent and revocation fail-closed checks, rate-limit and abuse drills, degraded recovery, cross-surface continuity IDs, metadata-only redacted receipt boundaries, voice/media quality and latency gates, correction/deletion/privacy controls, offline/provider-failure recovery, coverage gaps, blocked claims, and aggregate benchmark-proof visibility. This remains bounded field-operations proof, not OpenClaw-class reach, complete channel coverage, voice parity, multimodal parity, always-available operation, production readiness, or full parity.
  • Batch CM now adds named independent guardian-learning outcome and memory-provider parity-matrix receipts: independent_outcome_cohort_review, task_scoped_causal_learning, memory_provider_parity_matrix, and /api/operator/independent-learning-memory-parity expose independent evaluator metadata, sample and power rationale, consent/anonymization, adverse-event review, bounded outcome claims, task-scoped counterfactual causal receipts, confounder boundaries, rollback authority, canonical/advisory memory-provider comparison, provider privacy-regression quarantine, delete/export receipts, blocked claims, and aggregate benchmark-proof visibility. This remains bounded independent learning and memory-provider matrix proof, not guardian intelligence superiority, solved live learning, live human-outcome superiority, memory superiority, full memory-provider parity, production readiness, or full parity.
  • Batch CV now adds named bounded longitudinal guardian-learning and memory-provider outcome-operations receipts: longitudinal_guardian_outcome_study, named_baseline_memory_comparison, learning_safety_monitor_v2, and /api/operator/longitudinal-guardian-outcomes expose 60-plus day outcome windows, task families, named baseline source/version/limitations, pressure-only baseline comparison, independent evaluator protocol, consent/withdrawal/anonymization, adverse-event review, reversible learning-policy deltas, rollback authority, canonical/advisory provider comparison, stale-behavior blocking, privacy-regression quarantine, delete/export propagation, provider reinstatement review, safe redacted receipts, blocked claims, and aggregate benchmark-proof visibility. This remains bounded longitudinal operations proof, not guardian intelligence superiority, solved live learning, solved long-term learning, live human-outcome superiority, memory superiority, full memory-provider parity, named baseline wins, production readiness, full parity, or exceeded-reference-system wording.
  • Batch CN now adds named dense long-work operator debugging and recovery-control receipts: long_work_debugging_recovery, operator_control_density, independent_operator_usability_accessibility, and /api/operator/dense-operator-recovery-control expose failed-workflow diagnosis, branch/output comparison, interruption resume, cross-batch residual-risk inspection, pause/resume/retry/repair/branch/compare/revoke/quarantine/handoff/rollback/audit controls, task-relative operator-effort receipts, independent usability/accessibility evidence, keyboard-only paths, recovery correctness checks, blocked claims, and aggregate benchmark-proof visibility. This remains bounded operator-control proof, not best/world-class cockpit, solved operator control, production readiness, full parity, or exceeded-reference-system wording.
  • Batch CW now adds named dense operator mission-control population receipts: operator_control_population_study, named_baseline_cockpit_comparison, long_work_debugging_slo, and /api/operator/operator-control-population-study expose population-study metrics, pressure-only named cockpit baselines, searchable timeline/log-diff/replay/runbook/handoff surfaces, long-work debugging SLOs, redacted safe receipt handles, receiver scope-renewal handoff, read-only replay/runbook boundaries, blocked claims, and aggregate benchmark-proof visibility. This remains bounded mission-control proof, not best/world-class cockpit, solved operator control, approval-transfer, tamper-proof audit, production readiness, full parity, or exceeded-reference-system wording.
  • Batch CO now adds named bounded production marketplace-security and package-network receipts: independent_package_security_review, hostile_ecosystem_package_drills, package_network_incident_operations, publisher_trust_vulnerability_handling, marketplace_rollback_quarantine_diagnostics, and /api/operator/production-marketplace-security expose reviewer independence, package digest/signature/key trust, SBOM/dependency graph digests, vulnerability source/database freshness, severity/remediation/waiver policy, hostile package fail-closed drills, private-network/SSRF/secret/workspace denial decisions, rollback snapshots, quarantine/re-entry state, operator notification, raw receipt paths, blocked claims, and aggregate benchmark-proof visibility. This remains bounded marketplace-security proof, not production-secure marketplace, solved third-party package security, ecosystem superiority, full marketplace parity, production readiness, full parity, or exceeded-reference-system wording.
  • Batch CX now adds named marketplace registry-corpus and continuous security-operation receipts: marketplace_security_corpus_v1, continuous_vulnerability_monitoring, publisher_trust_operations, and /api/operator/marketplace-security-corpus expose package families, provenance, signatures, publisher keys, SBOM/dependency graphs, compatibility, review state, scanner-source freshness, waiver expiry, remediation SLA, critical/high denial decisions, install/update/downgrade/rollback/quarantine/re-entry diagnostics, package-network/secret/workspace denial receipts, redacted safe handles, blocked claims, and aggregate benchmark-proof visibility. This remains bounded corpus/operation proof, not a production-secure marketplace, solved third-party package security, ecosystem superiority, package-count superiority, full marketplace parity, production readiness, full parity, or exceeded-reference-system wording.
  • Batch CP now adds named bounded redacted browser/computer-use safety receipt evidence: live_browser_task_depth, autonomous_browser_safety_controls, browser_session_partitioning_security, site_specific_recovery_drills, browser_provider_reliability_matrix, independent_browser_usability_review, and /api/operator/safe-autonomous-browser-computer-use expose safe-target task-depth receipt evidence, approval-scoped browser action controls, dangerous-action default blocks, session/profile/cookie/credential/download/upload/network boundaries, site-specific recovery, provider reliability, independent usability summaries, redacted receipt evidence-body digests, blocked claims, and aggregate benchmark-proof visibility. This remains bounded browser proof, not blanket safe browser automation, safe autonomous computer use, full browser parity, production readiness, full parity, or exceeded-reference-system wording.
  • Batch CY now adds named managed browser/computer-use production-depth receipts: browser_task_breadth_matrix, browser_auth_partition_operations, site_drift_recovery_slo, and /api/operator/browser-computer-use-parity-depth expose safe-target task breadth, provider identity, reliability windows, auth/session partition operations, profile/cookie/credential/download/upload/filesystem/network boundaries, dangerous-action blocking, site-drift recovery SLOs, prior CP safety-boundary linkage, blocked claims, and aggregate benchmark-proof visibility. This remains bounded browser-depth proof, not blanket safe browser automation, safe autonomous computer use, full browser parity, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DG now adds bounded browser/computer-use parity evidence receipts: safe_autonomous_browser_runtime_v1, full_browser_parity_matrix_v1, real_site_drift_recovery_v2, browser_session_partition_certification_v1, and /api/operator/full-browser-parity expose safe-target runtime task evidence, provider execution caveats, blocked existing-session attachment, profile/cookie/credential/download/upload/filesystem/clipboard/network/private-data boundary matrices, deterministic safe-target drift fixture recovery v2, hostile-browser negative cases, partition certification-scope receipts, redacted safe receipts, blocked claims, and aggregate benchmark-proof visibility. This remains bounded evidence, not blanket safe browser automation, safe autonomous computer use, full browser parity, production readiness, full parity, or exceeded-reference-system wording.
  • Batch CQ is closed by merged PR #521, and /api/operator/final-parity-readiness-report now treats #512 as Done with PR Merged and Code Review Passed. The exact bounded wording now allowed is: "Seraph has completed a board-backed parity proof train and final claim-lift audit with bounded receipts."
  • Batch DA now adds bounded production workflow-guarantees receipts: production_workflow_state_machine_v1, crash_proof_orchestration_fault_campaign, external_side_effect_reconciliation_v3, and /api/operator/production-workflow-guarantees expose DA-specific persisted authority state, workflow leases, worker ownership, replay windows, recovery authority, declared fault-campaign coverage, side-effect reconciliation v3, missing-live-evidence reporting, blocked claims, and aggregate benchmark-proof visibility. This remains bounded workflow-guarantees proof, not unconditional exactly-once scheduling, crash-proof orchestration, solved durable workflows, full distributed workflow parity, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DB now adds bounded certified secure-host covered-path receipts: runtime_isolation_implementation_v1, credential_broker_egress_enforcement_v1, external_security_certification_v1, hostile_runtime_escape_gauntlet_v1, and /api/operator/certified-secure-host expose covered-path capability policy hooks, runtime isolation profiles, tool/field/destination-scoped secret refs, endpoint/private-network/DNS/revocation denial receipts, MCP site-policy endpoint blocking, process-runtime network-client marker denial, external review/certification-scope records, finding retest and waiver expiry, hostile prompt/SSRF/DNS/filesystem/cookie/package/credential/replay drills, hardware-backed substitute boundaries, blocked claims, and aggregate benchmark-proof visibility. This remains bounded covered-path enforcement/review proof, not secure/private-by-default execution, production security solved, IronClaw-class secure execution, hardware-backed/TEE/CVM/Wasm/container isolation, formal security certification, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DC now adds bounded selected-channel reach/media campaign receipts: always_available_reach_operations_v1, voice_media_parity_runtime_v1, mobile_cross_surface_continuity_v1, reach_degraded_recovery_field_campaign, and /api/operator/always-available-reach-media expose selected mobile/messaging/native/browser/web campaign windows, pairing/revocation, rate-limit and abuse recovery, 14-day equivalent degraded-recovery metrics, STT/TTS/voice/media quality and latency receipts, correction/deletion/privacy controls, provider-regression fallback, cross-surface continuity, false/missed delivery metrics, operator repair, redacted receipts, blocked claims, and aggregate benchmark-proof visibility. This remains bounded campaign proof, not OpenClaw-class reach, complete channel coverage, always-available operation, voice/media parity, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DD now adds bounded generalized guardian-outcome and memory-provider parity receipts: generalized_guardian_outcome_study_v1, full_memory_provider_parity_matrix_v1, causal_learning_outcome_thresholds_v1, memory_baseline_comparison_v1, and /api/operator/generalized-guardian-outcomes expose predeclared multi-decision outcome protocols, independent evaluator metadata, consent/withdrawal/anonymization, fairness and adverse-event review, expanded provider dimension matrices, causal threshold gates, current-source-limited pressure baselines, redacted receipts, blocked claims, and aggregate benchmark-proof visibility. This remains bounded generalized outcome/provider-matrix proof, not guardian intelligence superiority, solved live learning, solved long-term learning, live-human-outcome superiority, memory superiority, full memory-provider parity, named baseline wins, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DE now adds bounded operator-control certification receipts: operator_control_certification_v1, mission_control_population_study_v2, long_work_recovery_slo_v2, operator_error_detectability_v1, and /api/operator/operator-control-certification expose full required-control coverage, click/keystroke/latency/recovery/effort telemetry, accessibility and keyboard-only paths, stale approval blocking, safe denial, confidence calibration, recovery correctness, pressure-only named baselines, redacted tamper-evident receipts, blocked claims, and aggregate benchmark-proof visibility. This remains bounded operator-control proof, not formal certification, best/world-class cockpit, solved operator control, approval-transfer solved, tamper-proof audit, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DF now adds bounded marketplace and third-party package-security evidence receipts: production_secure_marketplace_v1, third_party_package_security_certification_v1, marketplace_live_corpus_operations_v2, hostile_package_lifecycle_gauntlet_v1, and /api/operator/production-secure-marketplace expose larger live-corpus provenance, signatures, publisher verification, SBOM/dependency evidence, scanner freshness, waiver/remediation policy, fail-closed lifecycle operations, hostile package drills, external review/certification-scope records, redacted safe receipts, blocked claims, and aggregate benchmark-proof visibility. This remains bounded marketplace/package-security proof, not production-secure marketplace, solved third-party package security, formal package-security certification, ecosystem superiority, package-count superiority, full marketplace parity, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DH now adds bounded final production-parity reconciliation receipts: production_readiness_soak_v1, final_full_parity_claim_lift_v1, reference_system_source_refresh_v3, false_completion_scan_v3, board_pr_issue_reconciliation_v3, and /api/operator/final-production-parity expose DA-DG issue/PR/board reconciliation, June 11, 2026 manual Hermes/OpenClaw/IronClaw source-review receipts, seven-area soak-readiness reconciliation, SCL-043 through SCL-050 claim-lift decisions, stale PR closure evidence, false-completion scan receipts, and Critic/Contrarian dispositions. This remains bounded reconciliation proof, not production readiness, full parity, superiority, secure/private-by-default execution, OpenClaw-class reach, IronClaw-class execution, solved operator control, solved learning, or exceeded-reference-system wording.
  • Batch DI now adds bounded production orchestration hard-guarantee evidence receipts: production_orchestration_hard_guarantees_v1, distributed_workflow_recovery_operations_v1, external_side_effect_correctness_v4, scheduler_failover_soak_v1, orchestration_false_claim_scan_v1, and /api/operator/production-orchestration-hard-guarantees expose durable queue/scheduler leases, worker failover, replay authority, distributed recovery, side-effect correctness v4, accelerated fixture soak receipts with missing-live-window markers, operator recovery controls, false-claim scans, blocked claims, and aggregate benchmark-proof visibility. This remains bounded hard-guarantee evidence, not unconditional exactly-once scheduling, crash-proof orchestration, continuous live-soak completion, solved durable workflows, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DJ now adds bounded certification-track secure runtime isolation receipts: production_grade_secure_capability_host_evidence_v1, secure_host_cross_surface_attack_chain_v1, credential_broker_egress_soak_v1, runtime_isolation_attestation_matrix_v1, secure_host_operator_recovery_authority_v1, secure_host_false_claim_scan_v1, and /api/operator/production-grade-secure-capability-host expose cross-surface hostile chains, credential egress, runtime-attestation matrices, operator recovery authority, safe redacted digests, false-claim scans, blocked claims, and aggregate benchmark-proof visibility. This remains bounded certification-track proof, not secure/private-by-default execution, production security solved, IronClaw-class secure execution, hardware-backed isolation, TEE/CVM/Wasm/container runtime-isolation, formal security certification, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DK now adds bounded reach/voice production-operations receipts: always_available_reach_live_ops_v1, voice_media_production_parity_candidate_v1, channel_incident_response_v1, cross_surface_reach_continuity_v2, reach_media_false_claim_scan_v1, and /api/operator/reach-voice-production-ops expose selected live/degraded channel windows, provider identity, consent, pairing, revocation, rate-limit and abuse handling, provider outage/fallback drills, offline recovery, false/missed delivery metrics, operator repair actions, STT/TTS/voice/media quality and latency candidates, correction/deletion/privacy controls, cross-surface thread/memory/approval/notification/operator-handoff continuity, safe redacted receipt handles, blocked claims, and aggregate benchmark-proof visibility. This remains bounded operations evidence, not OpenClaw-class reach, complete channel coverage, always-available operation, voice/media parity, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DS now adds bounded post-DP reach/channel gap-closure receipts: post_dp_reach_channel_gap_closure_v1, selected_reach_surface_readiness_v2, channel_degraded_recovery_v2, guardian_reach_continuity_v2, voice_media_privacy_fallback_v2, reach_channel_false_claim_scan_v2, and /api/operator/post-dp-reach-channel-gap-closure expose selected native_notification and websocket readiness, consent, pairing, revocation, provider health, degraded recovery, operator repair, guardian-aware timing/restraint continuity, thread/memory/approval continuity, voice/media privacy fallback, staged mobile/messaging/voice channel gaps, safe redacted receipt handles, false-claim scan receipts, blocked claims, and aggregate benchmark-proof visibility. This remains bounded gap-closure evidence, not OpenClaw-class reach, complete channel coverage, always-available operation, voice/media parity, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DL now adds bounded live guardian-memory field-program receipts: live_long_horizon_guardian_learning_field_study_v1, memory_behavior_change_ablation_v1, live_memory_provider_parity_operations_v1, independent_guardian_outcome_candidate_review_v1, longitudinal_learning_safety_monitor_v3, guardian_memory_false_claim_scan_v1, and /api/operator/live-guardian-memory-field-program expose pre-registered field windows, consent/withdrawal/anonymization, fixture-vs-live markers, memory-enabled behavior changes against memory-disabled or memory-limited counterfactuals, canonical/advisory/degraded/stale/conflicting/privacy-limited provider operations, delete/export propagation, quarantine, reinstatement, independent review, learning safety negative cases, safe redacted receipt handles, false-claim scan receipts, blocked claims, and aggregate benchmark-proof visibility. This remains bounded field-program evidence, not guardian intelligence superiority, solved learning, live-human-outcome superiority, memory superiority, full memory-provider parity, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DM now adds bounded operator-control production-certification receipts: operator_control_certification_v2, operator_control_live_population_v1, tamper_evident_audit_candidate_v1, authority_transfer_recovery_v1, operator_control_false_claim_scan_v1, and /api/operator/operator-control-production-certification expose required dense long-work controls, stale-approval blocking, safe denial, recovery correctness, operator takeover, recorded-live plus fixture population telemetry, keyboard/accessibility floors, digest-linked tamper-evident audit candidate receipts, unauthorized mutation denial, authority-transfer scope renewal, replay/runbook boundaries, redacted safe receipt handles, false-claim scan receipts, blocked claims, and aggregate benchmark-proof visibility. This remains bounded production-certification evidence, not solved operator control, best/world-class cockpit, approval-transfer solved, tamper-proof audit, formal certification, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DN now adds bounded marketplace production-security certification-track receipts: marketplace_security_certification_track_v1, production_secure_marketplace_live_ops_v2, ecosystem_supply_chain_operations_v1, hostile_package_lifecycle_gauntlet_v2, publisher_trust_vulnerability_ops_v1, marketplace_false_claim_scan_v1, and /api/operator/marketplace-production-security expose certification-track review scope, finding/retest/waiver expiry, install/update/downgrade/rollback/quarantine/re-entry operations, provenance/signature/publisher-key/SBOM/dependency evidence, scanner freshness, hostile package lifecycle v2 denials, publisher trust and vulnerability operations, redacted safe receipt handles, false-claim scan receipts, blocked claims, and aggregate benchmark-proof visibility. This remains bounded marketplace production-security evidence, not production-secure marketplace, solved third-party package security, formal package-security certification, ecosystem superiority, full marketplace parity, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DO now adds bounded browser/computer-use production-safety receipts: browser_computer_use_production_safety_v1, safe_browser_automation_live_ops_v1, credentialed_site_recovery_v1, browser_provider_parity_candidate_v1, browser_session_partition_attestation_v2, browser_false_claim_scan_v1, and /api/operator/browser-computer-use-production expose provider identity and support states, session/profile/cookie/credential/download/upload/filesystem/clipboard/network/private-data boundaries, hostile-page fail-closed cases, dangerous-action policy, recorded-live safe-target operations, credentialed test-account recovery, provider degradation, existing-session blocks, redacted safe receipts, false-claim scans, blocked claims, and aggregate benchmark-proof visibility. This remains bounded production-safety evidence, not safe browser automation, safe autonomous computer use, OpenClaw-class browser reach, full browser parity, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DW now adds bounded post-DP browser/computer-use reliability gap-closure receipts: post_dp_browser_computer_use_reliability_v1, browser_live_provider_reliability_v2, browser_session_boundary_enforcement_v3, browser_credentialed_recovery_v2, browser_site_drift_recovery_v3, browser_hostile_page_safety_v2, browser_provider_degradation_v2, browser_computer_use_false_claim_scan_v2, and /api/operator/post-dp-browser-computer-use-reliability expose non-duplicate successor evidence beyond CH/CP/CY/DG/DO/DP, selected provider degradation, no-silent-fallback behavior, recovery-pressure session boundaries, credentialed test-account recovery, site drift, hostile-page fail-closed behavior, artifact provenance, negative proof validators, redacted receipts, blocked claims, and aggregate benchmark-proof visibility. This remains bounded reliability evidence, not safe browser automation, safe autonomous computer use, OpenClaw-class browser reach, full browser parity, arbitrary credentialed browsing safety, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DX now adds the final bounded post-DQ-DW claim-readiness release-gate receipts: post_dq_dw_board_pr_issue_reconciliation_v1, post_dq_dw_claim_ledger_reconciliation_v1, reference_system_source_refresh_v5, false_completion_scan_v5, post_dq_dw_critic_contrarian_no_block_v1, and /api/operator/post-dq-dw-claim-readiness expose DQ-DX Done/Merged/Passed board receipts, PR #589 merge state, SCL-059 through SCL-066 reconciliation, 2026-06-12 Hermes/OpenClaw/IronClaw stored source-refresh receipts, X article access caveat, false-completion scans, Critic/Contrarian receipts, blocked claims, and aggregate benchmark-proof visibility. This permits only exact bounded release-gate wording, not production readiness, full parity, reference-system exceedance, secure/private-by-default, safe browser automation, full browser parity, solved operator-control, solved learning, production-secure marketplace, or broad superiority wording.
  • Batch DY now adds bounded post-DX live durable orchestration parity-proof receipts: post_dx_live_durable_orchestration_v1, recorded_live_orchestration_window_v1, crash_restart_failover_drill_v3, multi_agent_handoff_durability_v2, side_effect_reconciliation_v6, operator_recovery_control_v4, orchestration_false_claim_scan_v3, and /api/operator/post-dx-live-durable-orchestration expose recorded-live and accelerated orchestration windows, scheduler/provider jitter, crash/restart/failover drills, replay authority, duplicate suppression, side-effect reconciliation, multi-agent handoff durability, operator recovery controls, residual-risk markers, false-claim scans, blocked claims, and aggregate benchmark-proof visibility. This remains bounded parity-proof evidence, not unconditional exactly-once scheduling, crash-proof orchestration, solved durable workflows, LangGraph-class parity, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DZ now adds bounded post-DX formal secure runtime isolation proof receipts: post_dx_formal_secure_runtime_isolation_v1, runtime_isolation_attestation_evidence_v2, credential_broker_egress_enforcement_v3, hostile_chain_containment_v4, external_security_review_certification_track_v2, secure_runtime_recovery_authority_v3, secure_runtime_false_claim_scan_v3, and /api/operator/post-dx-formal-secure-runtime-isolation expose runtime-attestation evidence, credential-broker egress enforcement, hostile-chain containment, external review/certification-track records, operator recovery authority, unsupported hardware-backed and TEE/CVM/Wasm/container markers, command-backed false-claim scans, blocked claims, and aggregate benchmark-proof visibility. This remains bounded proof, not secure/private-by-default execution, production security solved, IronClaw-class execution, hardware-backed isolation, TEE/CVM/Wasm/container runtime-isolation, formal certification, production readiness, full parity, or exceeded-reference-system wording.
  • Batch EA now adds bounded post-DX reach and voice/media parity-proof receipts: post_dx_reach_voice_media_parity_proof_v1, multi_channel_reach_reliability_v3, voice_media_quality_latency_v3, reach_abuse_recovery_v3, cross_surface_reach_continuity_v3, reach_voice_media_false_claim_scan_v3, and /api/operator/post-dx-reach-voice-media-parity-proof expose selected and candidate multi-channel reliability, provider identity, consent, pairing, revocation, false/missed delivery metrics, rate limits, abuse handling, degraded/offline recovery, voice/media quality and latency gates, correction/deletion/privacy controls, provider-regression fallback, cross-surface continuity, coverage gaps, safe redacted receipts, false-claim scans, blocked claims, and aggregate benchmark-proof visibility. This remains bounded parity-proof evidence, not OpenClaw-class reach, complete channel coverage, always-available operation, voice/media parity, production mobile execution solved, production readiness, full parity, or exceeded-reference-system wording.
  • Batch EB now adds bounded guardian learning and memory live controls: /api/memory/live-controls, /api/memory/guardian-memory-live-control, /api/operator/memory-live-controls, /api/operator/guardian-memory-live-control, and the cockpit expose learning-impact review, stale-evidence decay, provider quarantine and reinstatement, provider usefulness triage, rollback authority, delete/export propagation visibility, fail-closed privacy-boundary validation, trusted memory-control provenance, and safe provider recovery. This is live operator control over existing guardian-learning and memory-provider operations, not solved learning, guardian intelligence superiority, live-human-outcome superiority, generalized outcome superiority, memory superiority, best-in-class memory, full memory-provider parity, production readiness, full parity, or reference-system exceedance.
  • Batch EC now adds bounded live workflow controls: /api/workflows/runs/{run_identity}/control exposes pause, resume, cancel, retry, redirect, recover, and replay-aware operator controls with lease, scope, resume-plan, receipt, and audit boundaries. This is live intervention control for existing workflow runs, not solved durable workflows, exactly-once scheduling, crash-proof orchestration, LangGraph-class parity, solved operator-control, production readiness, full parity, or reference-system exceedance.
  • Batch ED now adds bounded marketplace lifecycle controls: extension review, quarantine, re-entry, rollback, install, and update surfaces expose lifecycle decision receipts, permission deltas, provenance boundaries, rollback authority, and operator-visible recovery state. This is live ecosystem control for existing governed-extension flows, not production-secure marketplace, solved third-party package security, formal package-security certification, full marketplace parity, ecosystem superiority, production readiness, full parity, or reference-system exceedance.
  • Batch EE now adds bounded browser/computer-use live reliability and recovery controls: /api/browser/sessions, /api/browser/sessions/{session_id}/snapshot, /api/browser/sessions/{session_id}/control, /api/operator/browser-computer-use-control, and the cockpit expose owner-scoped browser sessions, explicit provider degradation, no-silent-fallback replay acknowledgement, partition revision and reset controls, boundary-decision visibility, redacted artifact provenance, and quarantine/recover/reset/replay/close actions. This remains bounded live control, not safe browser automation, safe autonomous computer use, OpenClaw-class browser reach, full browser parity, arbitrary credentialed browsing safety, production readiness, full parity, or exceeded-reference-system wording.
  • Batch EF now adds the bounded post-DX final parity and exceedance claim-lift gate: post_dx_final_board_pr_issue_reconciliation_v1, post_dx_final_claim_ledger_reconciliation_v1, reference_system_source_refresh_v6, false_completion_scan_v6, post_dx_final_critic_contrarian_no_block_v1, and /api/operator/post-dx-final-parity-claim-lift reconcile DY-EE feature-control batches, issue #594, SCL-067 through SCL-072, June 18, 2026 Hermes/OpenClaw/IronClaw source pressure, X article access caveat, false-completion scans, Critic/Contrarian receipts, aggregate benchmark-proof visibility, and blocked claims. This permits only exact SCL-072 bounded final-gate wording, not production readiness, full parity, reference-system exceedance, secure/private-by-default, safe browser automation, full browser parity, solved operator-control, solved learning, production-secure marketplace, or broad superiority wording.
  • Post-DX stronger-proof/control roadmap issues #590-#597 extend parent #475 without creating a duplicate parent. DY, DZ, EA, EB, EC, ED, EE, and EF are represented as huge PR-sized batches for live durable orchestration, formal secure runtime isolation, always-available reach/voice-media, guardian learning and memory live controls, dense operator control, marketplace package-security and lifecycle controls, browser/computer-use safety/parity controls, and the final post-DX claim-lift gate. These issues are roadmap execution anchors only; broad full-parity, production-ready, secure/private-by-default, safe-browser, marketplace, operator-control, learning, memory, and superiority wording remains blocked unless claim-ledger rows permit exact wording.
  • Batch DP now adds bounded post-DI-DO release-gate receipts: full_parity_claim_lift_audit_v1, production_readiness_reconciliation_v2, reference_system_source_refresh_v4, post_di_do_board_pr_issue_reconciliation_v1, false_completion_scan_v4, final_critic_contrarian_no_block_v1, and /api/operator/full-parity-release-gate expose current 2026-06-11 Hermes/OpenClaw/IronClaw pressure-only source receipts, DI-DO issue/PR/Project reconciliation, stale issue-body caveats, seven-area production-readiness reconciliation receipts, exact SCL-051 through SCL-058 claim decisions, false-completion scans, Critic/Contrarian no-block receipts, and aggregate benchmark-proof visibility. This remains a bounded release-gate audit, not production readiness, product-wide full parity, reference-system exceedance, secure/private-by-default, safe autonomous browser/computer-use, solved operator-control, guardian-superiority, memory-superiority, or ecosystem-superiority wording.
  • Batch DQ now adds bounded post-DP durable-orchestration gap-closure receipts: post_dp_durable_orchestration_v1, multi_agent_handoff_recovery_v1, scheduler_crash_restart_recovery_v1, side_effect_reconciliation_v5, orchestration_false_claim_scan_v2, and /api/operator/post-dp-durable-orchestration expose persisted recovery packets, restart metadata preservation, lease-guarded recovery authority, multi-agent handoff blocking, trigger record-only semantics, side-effect reconciliation, guardian restraint, safe redacted operator projections, false-claim scans, and aggregate benchmark-proof visibility. Workflow runtime writes now fail closed before tool side effects when required durable state cannot be recorded. This remains bounded orchestration recovery evidence, not exactly-once scheduling, crash-proof orchestration, solved durable workflows, LangGraph-class parity, production readiness, full parity, or exceeded-reference-system wording.
  • Batch DR now adds bounded post-DP secure capability-host gap-closure receipts: post_dp_secure_capability_host_gap_closure_v1, runtime_profile_selection_v2, deny_default_credential_egress_v2, hostile_capability_chain_quarantine_v2, secure_host_recovery_authority_v2, secure_host_false_claim_scan_v2, and /api/operator/post-dp-secure-capability-host expose explicit runtime profile selection, deny-by-default egress, scoped credential refs, hostile cross-surface quarantine, operator-owned recovery authority, safe redacted receipts, false-claim scans, blocked claims, and aggregate benchmark-proof visibility. This remains bounded gap-closure evidence, not secure/private-by-default execution, production security solved, IronClaw-class secure execution, hardware-backed isolation, TEE/CVM/Wasm/container runtime-isolation, formal security certification, production readiness, full parity, or exceeded-reference-system wording.
  • Full parity and targeted exceedance are not complete; after Batches DQ-EF, every stronger public claim still requires exact claim-ledger permission plus stronger underlying evidence. Full always-available reach and full voice/media parity, generalized outcome superiority and memory superiority, best/world-class cockpit and solved operator-control claims, production-secure marketplace and solved third-party package-security claims, blanket safe browser automation and full browser parity, production readiness, full parity, security superiority, OpenClaw-class reach, exactly-once/crash-proof orchestration, LangGraph-class parity, solved learning, full memory-provider parity, and broad superiority evidence remain blocked except for exact SCL-067/SCL-068/SCL-069/SCL-070/SCL-071/SCL-072 bounded wording.
  • No workstream is complete yet.
  • Seraph is not yet the finished guardian product described in the research docs.

Docs Contract

  • docs/research/00-synthesis.md defines what Seraph is trying to become.
  • docs/research/10-competitive-benchmark.md owns the comparative judgment.
  • docs/research/11-superiority-program.md owns the design-level superiority program.
  • this file owns the fastest shipped snapshot on develop.
  • docs/implementation/00-master-roadmap.md owns the strategic implementation program and completed-program record.
  • docs/implementation/08-docs-contract.md, docs/implementation/09-benchmark-status.md, docs/implementation/10-superiority-delivery.md, docs/implementation/11-world-class-strategy-delivery.md, and docs/implementation/16-agent-parity-execution-roadmap.md are the implementation-side mirrors of the research evidence, benchmark, program, cross-cutting strategy, and agent parity goal layers.
  • docs/implementation/01 through 07 remain the workstream docs; 08 through 11 and 16 are meta mirrors, not extra workstreams.
  • the GitHub Project, issues, and PRs own active execution and review state.

Current Focus On develop

  • The extension-platform transition and five-wave capability import program are now represented in the shipped state on develop.
  • Seraph now ships Hermes-style runtime primitives (execute_code, delegate_task, clarify, todo, session_search) plus packaged browser, messaging, automation, node, canvas, and workflow-runtime surfaces through the extension architecture.
  • The workspace now makes imported capability reach, extension governance, and runtime-path/capability-family spend attribution visible inside the operator surface instead of leaving the new breadth opaque.
  • The runtime now exposes provider-neutral source contracts and source inventory for public-web tools, managed authenticated connectors, and raw MCP gaps, so Seraph can compose source-aware routines without hardcoding one provider pipeline per use case.
  • The runtime now also exposes reusable source-review planning for daily review, progress review, and goal-alignment review, so source routines can stay connector-first and provider-neutral even when one preferred adapter cannot satisfy every review step.
  • The runtime now also exposes executable adapter-backed source actions plus provider-neutral report-publication planning, so authenticated connector workflows can move from evidence gathering into bounded write/report follow-through without inventing provider-specific action paths.
  • Authenticated MCP-backed sources now keep their source context through runtime wrappers, so operator metadata, approval context, and workflow checkpoint gating can distinguish generic external MCP from authenticated external-source execution.
  • The extension ecosystem now exposes one operator-readable package-health layer across catalog, lifecycle, and cockpit surfaces, including compatibility, diagnostics, governance signals, and direct update-versus-studio follow-through for installed packages.
  • The capability and cockpit operator surfaces now also compose starter packs, extension packs, and packaged runbooks into one marketplace-flow layer with readiness counts, blocking reasons, install/update actions, and draft follow-through instead of scattering marketplace composition across separate inventories.
  • Guardian memory now exposes a deeper additive memory-provider surface: extension-backed provider inventory, lifecycle-managed provider config/toggle state, capability-state governance, additive retrieval, additive user/project modeling augmentation, stale-provider-evidence suppression, advisory post-canonical provider writeback, and explicit canonical-memory precedence when external providers are configured or unavailable.
  • Guardian learning now also explains when live outcomes and procedural guidance disagree, when fresh live evidence is overruling older durable guidance, and when competing project anchors plus negative intervention trends should force conservative judgment.
  • The cockpit now exposes denser workflow-operating control through step-focus summaries, direct failed-step context handoff, direct output reuse and output-comparison drafts from workflow family rows, explicit branch-origin and failure-lineage debugging, family-history comparison, best-continuation controls, denser ancestor/peer/failure-lineage follow-through actions, direct family-row checkpoint drill-in, direct family-row retry/repair controls, bundled family next-step planning drafts, richer verified artifact source/family follow-through with unresolved-state fallback, direct artifact source-run open/continue plus source-failure/related-output comparison shortcuts, explicit candidate-source rows for ambiguous lineage, and active-triage workflow quick actions including failure-context reuse, direct best-continuation control, direct recovery controls, and keyboard-first best-continuation/comparison plus artifact next-step/source follow-through instead of leaving those actions buried in the inspector.
  • The cockpit now also exposes workspace-level workflow orchestration grouped by thread, with long-running session selection, lead-run step focus, recoverability summaries, and direct open-thread/continue/failure-context or next-step actions instead of tying workflow supervision only to one active session.
  • The cockpit desktop shell and presence pane now also surface continuity health, grouped thread follow-through, top recovery actions, and recommended focus across browser/native reach instead of only raw route rows and continuity item lists.
  • The cockpit desktop shell, presence pane, and active triage now also surface degraded typed source adapters and imported capability-family attention from the observer continuity contract, so broader reach issues are actionable from the same operator flow as route failures and queued follow-through.
  • The cockpit desktop shell, presence pane, and active triage now also surface explicit presence-surface ready/attention summaries plus direct repair/follow-up drafts for messaging, adapter, and observer surfaces, so broader non-browser reach no longer hides behind route-only health or catalog inventory views.
  • Runtime Reliability now has deterministic proof for activity-ledger attribution, imported capability surfaces, and simulation-grade route-planning visibility in addition to the earlier guardian/runtime contracts.
  • The repo-wide strategic program is tracked in docs/implementation/00-master-roadmap.md, while active execution is tracked in the GitHub Project, issues, and PRs.
  • The cross-cutting world-class strategy translation is tracked in docs/implementation/11-world-class-strategy-delivery.md.
  • The board-backed full-completion train has completed bounded CJ-CQ implementation and audit receipts, and PR #521 permits only the exact bounded proof-train wording. This does not ship broad parity/exceedance permission; it records exact bounded proof-train wording and continued blocked claims.

Current Target Shape

  • dense guardian workspace as the primary operator surface
  • first clear capability discovery, activation, preflight, and repair for tools, skills, workflows, MCP surfaces, starter packs, installable catalog items, and runbooks from inside that cockpit
  • bounded capability bootstrap that can apply low-risk local enable or repair actions from the operator surface while leaving policy lifts, external server enables, installs, and starter-pack activation as explicit operator repair steps, with multi-step privileged repair bundles now gated behind step-by-step execution instead of one-click chaining
  • cockpit-native extension authoring and validation for workflows, skills, and MCP configs with diagnostics, save, and repair handoff
  • first browser reload and reconnect continuity for the active thread, with explicit fresh-thread semantics and background-activity badges
  • explicit cross-surface thread model that links approvals, workflow runs, notifications, queued interventions, and recent interventions back to browser threads
  • runtime reach snapshots now show whether browser websocket and native delivery are actually reachable, which route is falling back, and how queued/native continuity should resume instead of leaving reach health implicit
  • activity-ledger routing summaries, native thread metadata, and LLM spend attribution that make both live continuation state and day-scale budget use easier to inspect
  • packaged browser providers, messaging connectors, automation triggers, node adapters, canvas outputs, workflow runtimes, and channel-routing surfaces that stay visible and governed through the same extension lifecycle
  • typed longitudinal memory and explicit guardian state
  • additive external memory-provider retrieval, user/project augmentation, query-hinted provider-backed project recall, and provider governance inventory that can augment recall and live modeling without replacing canonical guardian memory
  • policy-driven interventions with clear defer / bundle / act / request-approval decisions
  • non-browser presence through a first coherent desktop surface, notifications, native reach, and action-card continuation payloads
  • reusable workflow composition plus explicit feedback capture and future improvement loops
  • workflow diagnostics with stored load errors, step timestamps and durations, error summaries, and recovery hints
  • first branch/resume workflow control with checkpoint candidates, lineage metadata, persisted reusable checkpoint state, truthful unsupported-checkpoint fallback, branch-family supervision in the cockpit, resume drafts based on existing inputs, and safer approval-gated resume plans

Shipped On develop

Core guardian platform

  • browser-based guardian workspace as the only supported browser shell
  • FastAPI backend with chat, WebSocket, goals, tools, observer, settings, audit, approvals, vault, skills, and MCP APIs
  • native macOS observer daemon for screen/window ingest
  • screen analysis provider choice now includes local Apple Vision, local Codex CLI parsing, and explicit OpenRouter cloud OCR, with local Codex temp-image cleanup documented and optional durable local image/output/analysis artifacts available through localhost-only observer inspection endpoints
  • persistent guardian record, vector memory, sessions, and goal storage

Trust and control

  • tool policy modes for safe, balanced, and full
  • MCP policy modes for disabled, approval, and full
  • approval-gated high-risk actions in chat and WebSocket flows
  • explicit execution-boundary metadata and approval behavior surfaced for tools and reusable workflows
  • structured audit logging for approval, tool, and runtime events
  • secret redaction and scoped secret-reference handling
  • secret-reference resolution now stays limited to explicit injection-safe surfaces instead of resolving into arbitrary tool calls
  • delegation now keeps generic memory handling separate from vault-backed secret management, with explicit secret/vault routing into a dedicated privileged specialist and deterministic eval coverage for that boundary
  • authenticated MCP-backed tools now carry source-aware boundary context through approval/audit wrapping, and workflow checkpoint reuse blocks authenticated external-source runs instead of treating them like generic MCP replay
  • background process control now exposes explicit session-partition and background-execution trust metadata, and start_process requires confirmation even when global approval mode is off so persistent runtime work no longer rides on the generic high-risk approval path

Execution and integrations

  • 17 built-in tool capabilities in the registry
  • first capability-overview API that aggregates tools, skills, workflows, MCP servers, blocked-state reasons, and starter packs for one cockpit-readable surface
  • capability-overview now also exposes installable catalog items, repair/install actions, recommendations, reusable runbooks, policy-aware starter-pack repair guidance, and machine-readable preflight/autorepair metadata for cockpit/operator use
  • shell execution via sandboxed tool path
  • browser automation foundation
  • filesystem, guardian-record, goals, vault, and web-search tool foundations
  • MCP server management and runtime-managed server configuration, with manual bearer-token updates now landing in vault-backed placeholders instead of raw config headers and MCP connect/test audit surfacing the credential source
  • execute-code, clarify, todo, session-search, and first-class delegation runtime primitives for deeper Hermes-style operator work
  • visible tool execution streaming in chat and agent flows
  • first-class reusable workflows loaded from defaults and workspace files, exposed through a workflows API and workflow_runner specialist
  • starter packs that bundle default skills and workflows into directly activatable operator-facing packages
  • skill registry flows, optional skill packs, packaged browser providers, messaging connectors, automation triggers, node adapters, canvas outputs, workflow runtimes, and channel-routing-managed reach through the extension platform
  • forced approval wrapping for high-risk and approval-mode MCP workflow paths
  • first operator workflow-control layer with workflow list/toggle/reload plus draft-to-cockpit support
  • workflow loader/runtime metadata now derive from actual step tools and reject underdeclared workflow definitions
  • workflow audit now surfaces structured workflow-run details for cockpit/operator views, including artifact-path lineage and degraded-step visibility
  • workflow history endpoint now exposes run arguments, risk level, execution boundaries, approval counts, secret-ref acceptance, and artifact lineage for replay and operator inspection
  • workflow history endpoint now also exposes timeline events, replay guardrails, parameterized replay drafts, approval-recovery messaging, pending-approval details, and explicit thread metadata for replay/open-thread control
  • workflow approvals and workflow history now persist approval-context snapshots plus context-aware run fingerprints, so replay/resume and approval reuse fail closed when the privileged workflow surface changes
  • workflow runtime and history now persist reusable checkpoint context for safe branches, record structured failed-step payloads, and surface checkpoint availability truthfully so the runs API stops advertising retry paths the runtime cannot actually resume
  • cockpit workflow supervision now derives parent/peer/child branch families from persisted lineage, so operators can inspect branch families and continue the latest branch directly from the workflow surface instead of reconstructing lineage manually
  • operator timeline API now unifies workflow runs, approvals, notifications, queued insights, recent interventions, and surfaced failures into one threaded live operator feed
  • activity ledger API now projects workflow runs, approvals, guardian events, audit activity, tool steps, and attributed LLM call spend into one separate accountability feed for the browser workspace
  • catalog/install surfaces for skills and MCP servers

Runtime and observability

  • shared provider-agnostic LLM runtime settings
  • ordered fallback chains across completion and agent-model paths
  • health-aware rerouting away from recently failed targets
  • runtime-path-specific profile preference chains across completion and agent-model paths
  • wildcard runtime-path routing rules, with exact-path overrides taking precedence
  • runtime-path-specific primary model overrides
  • runtime-path-specific fallback-chain overrides
  • first-class local runtime routing for helper, all current scheduled completion jobs, core agent, delegation, and connected MCP-specialist paths
  • strict runtime-path provider safeguards for required capability intents plus cost, latency, task-class, and budget guardrails, with explicit degrade-open audit semantics when no compliant target exists
  • first simulation-grade provider planning pass that scores candidate routes before execution, makes budget steering explicit, carries per-target live feedback plus production-readiness state into route choice, and surfaces route scores plus simulated-route explanations through runtime audit, operator timeline, and activity-ledger views
  • runtime audit visibility across chat, WebSocket, session-bound helper LLM traces, scheduler including daily-briefing, activity-digest, and evening-review degraded-input fallback paths, strategist, proactive delivery transport, MCP lifecycle and manual test API flows, skills toggle/reload flows, observer plus screen observation summary/cleanup boundaries, embedding, vector store, guardian-record file, vault repository, filesystem, browser, sandbox, and web search flows
  • deterministic runtime eval harness for fallback, routing, core chat behavior, observer refresh and delivery behavior, session consolidation behavior, tool/MCP policy guardrails, proactive flow behavior, delegated workflow behavior, workflow composition behavior, storage, observer, and integration seam contracts, including vault repository, the MCP test API, skills API, screen repository boundaries, and daily-briefing, activity-digest, plus evening-review degraded-input audit behavior
  • deterministic runtime eval coverage for activity-ledger attribution and imported capability surfaces, so runtime-path spend, packaged reach visibility, and extension-governance surfaces stay pinned on develop
  • deterministic runtime eval coverage now also pins cross-surface continuity through observer, operator, and Activity Ledger together, and backend CI now runs isolated per-file shard execution instead of one shard-wide pytest process.

Guardian intelligence and proactive behavior

  • guardian-record-backed persistent identity
  • vector memory retrieval and consolidation
  • hierarchical goals and progress APIs
  • explicit guardian-state synthesis for chat, WebSocket, and strategist paths
  • guardian world model now includes active projects, active constraints, recurring patterns, active routines, collaborators, recurring obligations, project timelines, memory signals, continuity threads, recent execution pressure from degraded workflow/tool outcomes, focus provenance, and judgment risks, not only focus, commitments, open loops or pressure, alignment, and receptivity
  • observer salience, confidence, and interruption-cost scoring for observer refresh, guardian state, and proactive policy
  • explicit intervention-policy decisions for proactive delivery, including act / bundle / defer / request-approval / stay-silent classifications
  • persisted guardian intervention outcome tracking plus explicit feedback capture, including notification acknowledgement and feedback API flows
  • evidence-weighted guardian learning that now resolves the strongest live guidance across global, thread, project, and thread-plus-project scopes before arbitrating with durable procedural memory at policy time, can prefer direct delivery or reduce interruptions from weighted delivery evidence, strengthens timing/channel/blocked-state lessons from actual routing outcomes, and emits grounded channel, escalation, timing, suppression, and blocked-state guidance back into guardian state and intervention policy while leaving phrasing/cadence/thread neutral until runtime records those variants explicitly
  • guardian state now also emits explicit diagnostics when live outcomes and procedural memory disagree, including whether live evidence is winning, whether durable memory is still overriding live outcomes, and when review-first adaptation is warranted
  • long-horizon guardian learning now also treats stale collaborator/obligation/timeline recall and stale execution pressure as contradiction sources against the live project anchor, promotes execution pressure into blocker/open-loop synthesis, tracks multi-day and scheduled outcome spread, and lowers receptivity further when those conflicts line up with negative intervention trends while surfacing explicit goal-alignment, routine, and collaborator watchpoints
  • long-horizon guardian learning now also drives abstention policy directly: repeated negative outcome spread can bundle or defer low-urgency guidance, unstable scheduled outcomes can defer routine reviews, and guardian diagnostics surface those abstention pressures explicitly
  • guardian world-model synthesis now also arbitrates between competing projects across observer, recent-session, memory, and execution evidence, carries richer canonical project labels forward, and exposes project-anchor ambiguity or drift risk when cross-source evidence stays split
  • guardian world-model synthesis now also adds a conservative ambiguity guardrail when competing project anchors overlap with sustained negative intervention trends, so the operator can see when judgment should stay review-first instead of forcing a confident project pick
  • guardian world-model synthesis now also carries explicit user-model confidence plus evidence-backed preference-inference diagnostics for interruption, communication, thread, and cadence posture inside the canonical guardian state
  • guardian state now also emits explicit intent-uncertainty diagnostics with clarify, proceed_with_caution, or defer_or_clarify guidance when ambiguous referents, split project anchors, split preference evidence, or degraded observer confidence make a confident intervention unsafe
  • guardian state now also emits explicit judgment-proof lines for split project evidence, split interaction-style evidence, ambiguous referents, and degraded observer grounding so the canonical guardian prompt carries compact proof of why a judgment stays conservative
  • guardian world-model synthesis now also carries live-project cross-thread commitments forward from recent sessions and turns matching execution setbacks into explicit follow-through risk on the same live project instead of leaving that linkage trapped in separate recent-session and audit surfaces
  • second-layer salience calibration that promotes aligned active-work signals and allows grounded high-salience nudges to cut through generic high-interruption bundling outside focus mode
  • deterministic guardian behavioral proof that grounded high-salience observer state can still deliver through high interruption cost while degraded observer confidence defers before transport
  • deterministic guardian behavioral proof that strategist tick can use learned direct/native-delivery bias and still surface the resulting intervention through continuity state
  • strategist agent and strategist scheduler tick
  • daily briefing, evening review, activity digest, end-of-day goal report, and weekly review surfaces
  • observer refresh across time, calendar, git, goals, and screen context
  • proactive delivery gating and queued-bundle behavior
  • first coherent desktop presence surface with daemon status, capture-mode visibility, pending native-notification state, a safe test-notification path, native-notification fallback delivery when browser sockets are unavailable but the daemon is connected, browser-side inspect/dismiss controls for queued desktop notifications, runtime route-health visibility for ready/fallback/unavailable delivery, a unified continuity snapshot for daemon state, queued bundle items, route reachability, and recent interventions, and an actionable cockpit desktop-shell card for follow-up, dismiss, continue, and fallback inspection flows
  • queued native bundles now preserve same-thread resume when every deferred item shares one session, and queued continuity keeps the stored session_id even when the matching intervention is no longer in the recent-intervention window

Current interface surface

  • workspace-first browser guardian shell with session rail, guardian-state panel, workflow-run views, interventions feed, audit surface, trace view, pending approvals, recent outputs, operations inspector, artifact round-trip into the command bar, a fixed composer, and live send fallback
  • cockpit workflow and artifact inspectors can now draft compatible follow-on workflows directly from existing artifact paths by declared artifact-input type, preserve verified source-run provenance when the lineage window can prove it, surface explicit unresolved-state fallback when it cannot, and compare against related family outputs instead of only inserting generic file-context commands
  • cockpit workflow controls now show checkpoint-state visibility plus real branch/retry actions driven by persisted checkpoint candidates instead of generic retry copy
  • workflow rows and inspectors can now carry attached approval decisions directly, so operators can approve, deny, continue, or open the relevant thread from the workflow surface instead of jumping to a separate approval pane first
  • workflow rows and inspectors now also surface branch-family supervision with parent/peer/child run inspection plus latest-branch continue/open-parent actions instead of leaving branch lineage buried in raw metadata
  • grid-snapped draggable panes plus packed persisted default / focus / review layouts with keyboard switching, per-layout save, and per-layout reset now define the main cockpit workspace
  • the pane workspace now also supports per-pane close/hide controls, a dedicated Windows menu for visibility and focus, and flatter Godel-style window chrome
  • the cockpit now includes a first desktop-shell rail for pending native notifications, queued bundle items, and recent interventions with direct follow-up, continue, and dismiss controls
  • cockpit desktop-shell and settings surfaces now also expose shared route-health summaries and continuation metadata for queued/native delivery instead of reconstructing fallback state per surface
  • the cockpit now includes a first operator surface for tool/MCP policy state, workflow availability, tools, skills, starter packs, and MCP server visibility with direct reload and activation controls
  • the cockpit now also includes a searchable capability palette plus a denser operator terminal for recommendations, repair actions, installable items, reusable runbooks, capability preflight, live operator-feed status, and saved runbook macros
  • the workspace now includes a separate Activity Ledger window that links workflow runs, approvals, queued continuity, recent interventions, surfaced failures, tool steps, and attributed LLM calls back to one browser thread model
  • activity ledger rows now group request-scoped work into compact parent rows with emoji/icon scanability, child tool or routing rows, and completion summaries so operators can skim what Seraph did without opening raw trace panes
  • the operator terminal now also surfaces imported capability reach and extension-governance state, while the activity ledger now shows top runtime-path and capability-family spend buckets for attributed LLM use
  • the operator terminal now also surfaces active triage for approvals, workflow branch families, queued guardian items, and degraded reach plus evidence shortcuts for approval context, artifact lineage, and recent trace, with keyboard-first inspect, approve, continue, open-thread, and redirect control over the highest-priority items
  • the operator terminal now also surfaces a dedicated workflow-supervision lane with history, lineage, branch-debug, and recovery summaries plus direct continue/use-output/failure/retry/repair/best-continuation actions, and keyboard-first top-supervision inspect control
  • the operator terminal now also surfaces a workspace-level workflow-orchestration lane that groups long-running work by session, keeps ambient workflows visible, and lets operators jump back into the correct thread or next-step draft without first opening a specific workflow inspector
  • the operator terminal now also surfaces a dedicated team control-plane lane with governance, role, usage, runtime-posture, review-receipt, and approval/workflow handoff summaries so team operations stay inspectable without leaving the cockpit
  • the tools metadata surface now lists delegation specialists through lightweight descriptors instead of instantiating full specialist agents/models, and tools-policy source-context walks now follow only explicit wrapper attributes so metadata inspection and tests fail closed instead of synthesizing unbounded mock wrapper chains
  • the cockpit now restores the last active session on reload, preserves explicit fresh-thread semantics, and marks background thread activity instead of silently resetting to an empty conversation
  • larger more readable settings and priorities overlays now support the guardian workspace directly
  • capability state, workflow history, the activity ledger, and live status are now visible in the current cockpit surface
  • settings and management surfaces for tools, MCP, and system state
  • macOS daemon-backed desktop presence card plus browser-side inspect/dismiss controls for native notifications and notification fallback for non-browser proactive reach

Ecosystem foundations

  • SKILL.md support and runtime skill loading
  • MCP-powered extension surface
  • recursive delegation foundations behind a flag
  • reusable workflow runtime with tool, skill, specialist, and MCP-aware gating
  • governed self-evolution for declarative capability assets with bounded variant generation, persisted eval receipts, and review-candidate save paths that stay outside live in-session mutation

Still To Do On develop

The remaining parity work is feature-first. Do not treat this section as a request for more proof-only endpoints, benchmark suites, or claim-lift gates. Ship the missing user-facing capabilities first; run receipts, claim-ledger updates, source refreshes, broader docs reconciliation, and false-completion scans only in a later claim-readiness phase.

Runtime and execution

  • broader user-facing live-provider and long-running integration behavior beyond the shipped deterministic REST, WebSocket, observer, delivery, activity-ledger, imported-capability, tool/MCP guardrail, delegated workflow, workflow-composition, and provider-planning contracts
  • stronger usable execution isolation and privileged-path recovery beyond the current workflow/tool, browser-mode, and connector-boundary pass
  • richer capability installation, recommendation, update, rollback, diagnostics, and recovery flows beyond the shipped catalog/install, runbook preflight, bounded bootstrap flow, extension studio, and imported-reach governance surfaces

Guardian intelligence

  • stronger learning and feedback loops beyond the current evidence-weighted delivery/channel/timing/blocked-state/suppression layer, the new multi-day and scheduled-outcome watchpoint pass, the first live-versus-durable procedural arbitration pass, and the new inspectable learning-diagnostics layer
  • deeper guardian world modeling, learning loops, and stronger intervention quality beyond the new project/routine/collaborator/obligation-aware world-model layer, explicit project-ranking diagnostics, stale-signal arbitration, the first explicit user-model preference-inference substrate, the first goal-alignment plus routine/collaborator watchpoint pass, the first additive provider-backed user/project augmentation pass, and the first focus-provenance plus contradiction-aware confidence pass
  • stronger salience calibration and confidence quality beyond the first aligned-work/high-salience pass

Interface and presence

  • broader operator-facing usability, recovery, debugging, and control improvements beyond Batch CB deterministic operator-control receipts, Batch CH recorded-live multi-operator usability receipts, Batch CN bounded task-matrix usability/accessibility receipts, and the current workflow, workflow-supervision, activity-ledger, imported-reach, governance, active-triage, evidence-shortcut, artifact follow-through, broader artifact-source control, and keyboard-first command surfaces
  • richer cross-surface continuity and broader non-browser presence beyond the current desktop presence shell, runtime route-health snapshot, channel routing, messaging connectors, browser mode matrix, automation triggers, node adapters, and canvas outputs
  • stronger explicit threading between ambient observation, workflow runs, native notifications, approvals, and deliberate interaction beyond the new shared thread metadata and continue/open-thread layer

Workflow and leverage

  • deeper operator-facing multi-session workflow control beyond the new workflow-runs API, typed artifact handoff, artifact source/family follow-through, output/checkpoint/lineage workflow history rows, checkpoint branch controls, replay guardrails, workflow-supervision rows, timeline events, and cockpit workflow timeline
  • stronger extension ergonomics around reusable capabilities and workflows beyond the new cockpit operator surface, starter packs, repair flows, and runbooks

Practical Summary

  • Seraph already has a serious guardian core: memory, observer loop, strategy, tools, approvals, runtime audit, and deterministic evals.
  • The strongest current moat is guardian-oriented state plus proactive scaffolding, not the UI.
  • Execution hardening now also covers scoped extension mutation approvals, connector-backed authenticated mutation planning plus executable bounded adapter actions, explicit trust-boundary payloads across workflow/operator/activity surfaces, operator-visible approval scope metadata, and heavier CI stabilization for long-tail backend/frontend suites instead of only replay blocking plus generic pending-approval rows.
  • Batch DT adds bounded post-DP guardian learning and memory gap-closure receipts with post_dp_guardian_learning_memory_gap_closure_v1, long_horizon_learning_quality_v2, memory_behavior_ablation_v2, memory_provider_operation_v2, learning_safety_regression_v2, guardian_memory_false_claim_scan_v2, and /api/operator/post-dp-guardian-learning-memory-gap-closure, while solved learning, live-human-outcome superiority, generalized outcome superiority, memory superiority, full memory-provider parity, production-ready, full-parity, and exceeded-reference-system wording remain blocked.
  • Batch DU adds bounded post-DP operator debugging and recovery-control receipts with post_dp_operator_debugging_recovery_control_v1, dense_long_work_debugging_v2, operator_recovery_slo_v3, operator_effort_reduction_v2, authority_transfer_integrity_v2, operator_audit_accessibility_v2, operator_control_false_claim_scan_v2, and /api/operator/post-dp-operator-debugging-recovery-control, while solved operator-control, best/world-class cockpit, approval-transfer solved, tamper-proof audit, formal-certification, production-ready, full-parity, and exceeded-reference-system wording remain blocked.
  • Batch DV adds bounded post-DP capability marketplace lifecycle gap-closure receipts with post_dp_capability_marketplace_lifecycle_gap_closure_v1, marketplace_lifecycle_operations_v3, package_review_waiver_policy_v2, marketplace_vulnerability_monitoring_v2, hostile_package_lifecycle_gauntlet_v3, marketplace_rollback_quarantine_diagnostics_v2, marketplace_secure_host_audit_integration_v1, marketplace_lifecycle_false_claim_scan_v2, and /api/operator/post-dp-marketplace-lifecycle-gap-closure, while production-secure marketplace, solved third-party package security, formal package-security certification, full marketplace parity, ecosystem superiority, production-ready, full-parity, and exceeded-reference-system wording remain blocked.
  • The biggest gaps against the reference systems are now missing or immature user-facing capabilities, not another proof layer. Durable orchestration still needs calmer multi-session resume/recovery behavior. Secure capability-host isolation still needs stronger usable boundary controls and recovery. Reach and voice/media still need selected daily-use channel flows that survive outage, consent, abuse, and continuity pressure. Guardian learning and memory still need visible behavior improvement, correction, rollback, and provider-conflict handling. Operator debugging and recovery still need cockpit controls that feel like a real mission-control surface. Marketplace lifecycle still needs understandable install/update/rollback/quarantine/diagnostics flows. Browser/computer-use still needs a stronger workbench, session journal, credential/session boundaries, and site-drift recovery behavior. Broad parity, production-ready, superiority, safe browser automation, full browser parity, solved operator-control, secure/private-by-default, memory-superiority, and reference-system-exceedance wording remains blocked until those feature batches ship and a later claim-readiness phase permits exact wording.
  • The board-backed post-DP and post-DX trains through EF are closed bounded history under parent #475. Post-EF work must be a feature-first parity train, not a stronger-proof/control train, until the user-facing parity gaps above are materially implemented.

Workstream View

  • Workstream 01: Trust Boundaries is only partially complete
  • Workstream 02: Execution Plane is only partially complete
  • Workstream 03: Runtime Reliability is only partially complete
  • Workstream 04: Presence And Reach is only partially complete
  • Workstream 05: Guardian Intelligence is only partially complete
  • Workstream 06: Embodied Interface is only partially complete
  • Workstream 07: Ecosystem And Delegation is only partially complete