Where AOSIQ is going.

JWT capability tokens with intersection-narrowing delegation. Verification fires before every tool call, every memory operation, every spawn.

Per-session SHA-256 hash chain with anchor objects in independently-credentialed object storage. Mid-chain tampering detectable.

Tools registered reversible=False require explicit operator approval bound to (tool, args_hash). Single-use, replay-safe.

LangGraph thread state, agent control block, and working memory captured atomically. Worker heartbeat + orphan reaper handle worker crashes.

Per-call recording with model, tokens, and computed USD. Configurable session ceilings raise exceptions before the API call.

enforced / warn / disabled via env var. Production deployments require enforced; dev runs in warn with a response header tripwire.

Anthropic, AWS Bedrock, OpenAI, Google Gemini (AI Studio), local Ollama, Claude Code CLI shim — selected at construction via factory. Each backend lazy-imports its optional dependency; Gemini ships with the [google_genai] extra.

allowed_backends per agent class. Mismatches raise at construction; an Ollama-only class cannot accidentally route to Anthropic.

Schema-bound tool calls, Pydantic validation, audit-row evidence verification, evidence stamps, loop guards, force-investigate gate, abandonment after refusal.

Untrusted-content delimiters around every tool result, plus pattern detection for tool-call syntax, role prefixes, and known injection phrases.

Parent agents fan out one child per declared persona, each running with persona-overlay system prompts; structured aggregation across children's proposals.

BugHunt, CodeReview, ArchitectureDecision, FeatureDesign, ReleaseReadiness. All read-only; all produce structured proposals via BaseProposal.

pgvector-backed document store with HNSW index, semantic search, and audit-evidence integration. Operator-loaded corpora.

Eleven AOSIQ governance operations exposed as MCP tools so any MCP client (Claude Code, Cursor, Cline) can dispatch governed swarms.

Agents reach external knowledge bases, internal APIs, and consumer services through MCP. Bridged tools inherit capability, audit, and approval.

Metadata filtering, hybrid vector + keyword search via pgvector and PostgreSQL tsvector, markdown-aware chunking with stable citation anchors (heading_path, heading_anchor, position_in_doc), incremental ingestion via content-hash, corpus introspection, and source-URI-prefix delete. Migrations 017–020. Closes the gap between minimum-viable retrieval and production-grade RAG.

Container-isolated Python with no network, ephemeral filesystem, hard resource limits, non-root, and a curated package set. Replaces over-broad bash grants for the common case. Reversible by construction. Factored so additional sandboxed languages (e.g. bash_sandboxed, item 55) plug in as language-specific subdirectories — the language-agnostic invoker stays unchanged. Compute-time attribution via a new cost_model field on the handler registry, billed through the same ledger that records LLM token cost. Execution surface for both reasoning agents and deterministic actors that need isolated compute.

First-class governed entity for non-reasoning automation — scheduled jobs, monitoring scripts, ETL pipelines. Registered Python functions dispatched through a sibling runner to AgentRunner, sharing the same scheduler, capability tokens, audit chain, approval gate, and cost ledger. New compute_ms cost type bills wall-clock execution. Idempotency-up-to-first-irreversible-call is the contract; the function re-runs from the top after a human approves. Completes the runtime's actor model so governance properties extend to all automation, not just LLM-backed agents.

First domain vertical built on the runtime's full surface. A reasoning agent diagnoses operational incidents across six named scenarios (job queue backlog, disk space exhaustion, DB connection pool exhaustion, configuration drift, recurring error spike, performance regression) by spawning a pack of deterministic diagnostic actors — log query, threshold evaluation, configuration introspection. The actors gather and structure data; the advisor forms hypotheses and emits a single structured proposal humans review. Read-only by capability; remediation is a separate downstream agent. Out-of-scope is a first-class outcome — the advisor refuses honestly when an incident doesn't match the six scenarios, schema-enforced to carry no proposed actions. Locks in the canonical pattern every subsequent vertical will follow: reasoning advisor over deterministic actor pack, structured proposal as terminal output.

The prompt-injection-pattern scanner that runs on tool results at read time now runs on ingested chunks at write time too. Every chunk passing through DocumentStore.add_documents is scanned before embedding; the result is stamped into chunk metadata regardless of match outcome, so operators can distinguish "scanned and clean" from "pre-scanner row" by querying the JSONB field. Two policies: warn (default — ingest proceeds, the chunk's metadata records the patterns, an audit event fires per flagged chunk, and kb_search later surfaces an inline warning when the chunk is returned) and reject (the whole source document is refused atomically before any embed or DB write). A backfill scanner remediates corpora ingested before this shipped — one CLI invocation brings a pre-scanner corpus up to the new contract. The read-side and write-side share the same pattern set, so future improvements to the detector benefit both directions uniformly. Closes the most visible "deliberately partial mitigation" claim in the threat-model document; KB-mediated injection moves from "operators should vet ingested corpora" to "scanned at ingest with operator-configurable enforcement."

Completes the operational-advice workflow from "diagnose" to "act." A deterministic dispatcher consumes an operator-approved OperationalAdviceProposal and walks proposed_actions in proposal order, spawning a per-action handler with capability narrowed to one tool. No reasoning at execution time — the proposal IS the plan; an LLM on the execution path would compound the advisor's accuracy gaps. Four v1 handlers cover the common action shapes (restart workers, scale pool, rotate logs, revert config); each is idempotent by construction so re-run-on-resume is safe. The per-action approval gate fires on every irreversible handler tool call through the existing review queue — a wrong proposal becomes a not-executed wrong proposal, not a wrong action. Every audit row carries the originating proposal's invocation_id via a new indexed column, so the operator's "show me everything this proposal triggered" forensic query is one filter, not a JSONB scan. Operator initiates via an explicit "Remediate" button — separate consent from "approved the diagnosis." The dispatch + handler pattern shipped here is the template every future vertical's execution arm will follow.

Proves the canonical AOSIQ pattern generalizes beyond operational incidents. A second reasoning advisor diagnoses compliance findings across six named scenarios (control failure, regulatory deviation, audit-trail gap, segregation-of-duties violation, retention violation, evidence-collection gap) over three frameworks (SOC2, HIPAA, ISO27001) by spawning a pack of deterministic diagnostic actors — control-state check, structured rule evaluation, evidence-vault lookup. Same shape as the first vertical: reasoning advisor over deterministic actor pack, structured proposal as terminal output, out-of-scope as a first-class refusal. The infrastructure investment amortizes — scheduler, audit chain, capability tokens, approval gate, telemetry capture, replay harness, reinforcement worker, dashboard, and remediation dispatcher are all shared between the two verticals with zero per-vertical duplication. The cross-vertical RemediationAgent dispatcher reads the proposal's vertical and selects the right handler pack at runtime; four compliance handlers (evidence backfill, policy correction, control remediation, compliance-officer notification) plug into the same approval-gated execution path the operational handlers use. The dashboard surfaces per-vertical pass rates side-by-side; the replay harness defaults to walking both corpora and prints a per-vertical breakdown so "the pattern generalizes" is one report away. Adding the third vertical now reduces to one advisor module + one actor pack + one corpus + entries in two registration tables — no new infrastructure.

Turns the "every vertical follows the same shape" claim from rhetorical to structural. The reasoning advisor's LangGraph machinery — node sequence, system-prompt loading, tool dispatch, evidence-marker rewriting, telemetry capture, cost accounting — extracts into a parameterized base class; each shipped vertical (operational, compliance) becomes a thin configuration carrying its scenario list, actor pack, proposal subclass, and two small adapters for the proposal fields that genuinely differ across domains. The operational module shrinks from ~1000 lines to under 400; the compliance module to under 350. Three additional reference families ship alongside — a read-only reviewer that produces findings + recommendation, a guardrail that consults the centralized approval-policy resolver and emits a per-action decision record, a verifier that compares expected against actual evidence and reports succeeded / failed / partially-succeeded / needs-more-info. Each family carries a corresponding role-based capability template (read-only-reviewer, advisor, guardrail, executor-scoped, verifier, reporter) operators compose with a vertical-specific overlay at capability-mint time — separating the role contract from the domain identity. The audit chain gains five new event types linked through a new proposal-lifecycle UUID column so an operator's "show me everything that happened on this proposal" query reads one indexed column instead of scanning JSONB payloads. The tool registry gains explicit risk-level metadata so the approval gate routes high-risk reversible actions to human review without an operator having to label every tool ad-hoc. Reuse cost for the next advisor vertical drops to roughly one configuration class plus a registration helper — comparable in size to writing a new dataclass rather than a new module.

Proves the framework's "next vertical fits in a configuration class plus a registration helper" claim with new code rather than retrofitted code. The third vertical reviews code artifacts a human is about to ship — a pasted snippet, or a unified diff piped from git diff main...HEAD — and emits a structured proposal with categorized findings + a recommendation. Reviewer-family pattern (not advisor): the agent doesn't dispatch diagnostic actors, it looks at the artifact and classifies. Each finding is tagged with one of seven categories — security issue, likely bug, correctness concern, style violation, performance concern, missing test, or out of scope — and one of four severities chosen against an explicit anti-inflation rubric. The default recommendation derives from finding severities (any critical → block, any other finding → revise, no findings → approve), with an override path for cases like style-only diffs that shouldn't gate the merge. Honest refusal is first-class: when the artifact isn't reviewable (binary content, generated code, vendored dependencies), the reviewer emits a single out-of-scope finding rather than fabricating issues. Customer profile is the dogfood loop — the operator running Claude Code on their workstation pipes the diff through AOS and gets a governance surface for the review. The third vertical's module is roughly 330 lines (the framework's claim was about 150-200 for a thin vertical; the residual is genuine domain content — the seven categories, the rubric, the parse-failure path). The cost of vertical four is now expected to land closer to the framework's projection as more shared machinery shakes out.

Closes the loop between proposals the advisor emits and the calibration signal it learns from. Every advisor invocation writes a structured telemetry row (vertical, scenario, confidence, severity, evidence count, operator outcome) — captured at proposal time, completed when the operator acts. The operator-facing surface is three buttons on every proposal: approved, edited, rejected — bound to the proposal's audit row so the feedback is the same shape regardless of which vertical surfaced the proposal. A reinforcement worker reads the feedback stream and updates experiential memory: rejected proposals weaken the underlying recall pattern, approved proposals strengthen it. Two materialized views aggregate the telemetry — a daily metrics rollup for the operator dashboard and a calibration view that exposes per-scenario confidence-vs-accuracy drift over the trailing window. The dashboard surfaces both views as the advisor-trends page; the per-vertical filter lets an operator compare operational vs compliance calibration side-by-side. A telemetry-to-corpus exporter promotes operator-confirmed incidents into the replay corpus with the operator's response and any scenario correction preserved as YAML, so production feedback extends the regression set over time without manual curation.

Validates verticals against curated historical scenarios before promotion. Cross-vertical: walks both operational and compliance corpora by default; per-vertical pass rates surface in one report. Pass-rate measurement is structural — five binary axes per incident (scenario, severity, confidence, actions, evidence) with all five required to pass, so "almost right" never inflates the headline number. Multi-backend baselines published per model: the air-gapped local-LLM tier (mistral-small:22b on Ollama, 80% pass rate) is at parity with API backends (Gemini Flash 78%, OpenAI gpt-4o-mini 76%, Claude Haiku 70%) for operator deployments that cannot route sensitive incident data to a third-party API. Corpus oracles are versioned per case: when an audit identifies an expectation as mis-calibrated (too strict or too lenient on a specific case), revisions bump the case's oracle version, the prior baseline file stays in git byte-for-byte, and an offline rescore tool reproduces the historical number against the prior corpus state without paying for another LLM run. The contract is that every baseline number is well-defined under its specific oracle version — no silent drift, no destroyed history, no manual archaeology required to answer "which oracle was this scored against."

Closes the lifecycle the framework had left half-open: after an advisor proposes and a guardrail gates, the executor changes state, a verifier confirms, and a reporter summarizes for the operator's runbook. Promotes two reserved family slots — executor and reporter — to shipped, taking the family catalog from four shipped + three reserved to six shipped + one reserved (triage remains, awaiting the customer-triage vertical). The executor family is the first write-side member: a deterministic dispatcher that walks an operator-approved proposal's actions in order, capability-narrows per action against a base template that ships zero tools (every authority comes from the per-action overlay), records an idempotency cursor for crash-recovery, and routes failure modes through dedicated audit events. No LLM at execution time — the proposal is the plan, and an LLM at the dispatch boundary would compound the advisor's accuracy gaps without adding value. The existing RemediationAgent refactored onto the generic dispatcher, shrinking from roughly 390 lines to 240 while preserving its public surface bit-identically: a depth-β change that proves the framework absorbs write-side verticals the same way it absorbed read-side ones. The reporter family closes the chain: it consumes the verifier's structured result and the audit chain for the proposal's lifecycle, then emits a runbook-ready summary plus a list of concrete next steps. Status mirrors the verifier by default — a chipper summary on a failed verification is the failure mode this family exists to prevent — and only the reporter's own parse-fallback path downgrades to needs-more-info, distinguishing reporter trouble from underlying remediation outcomes. End-to-end lineage threads through one indexed proposal-id column on the audit log so a single SQL filter returns every event in the lifecycle without payload scanning. Six smoke cases (three executor + three reporter, pass/fail/edge per family) plus a cross-handler capability-isolation matrix (eight handlers, fifty-six pairs) pin the safety properties; sixty-plus pre-existing remediation tests still pass against the refactored dispatcher.

Closes the last forensic gap in the audit chain. Until this sprint the runtime recorded every tool call with its arguments, results, capability token, and timing — but the LLM's reasoning that produced each tool call was discarded after dispatch. Operators reviewing a bad decision could see the action; they could not read why the model chose it. The sprint adds a new audit event type (LLM_TURN) emitted once per reasoning step, capturing the full assistant message text. The text itself lives in object storage under the existing audit-anchor bucket so the primary audit table stays lean even for agents that produce hundreds of reasoning steps; only the canonical-JSON SHA-256 plus the object key land on the audit row, giving operators an integrity proof without bloating the hot path. Every subsequent tool-call audit row sets a causation pointer back to the reasoning turn that produced it. The reasoning → action chain becomes a single SQL JOIN over two partial indexes, indexed both ways: for an agent's full timeline, and for a specific tool call's originating reasoning step. The same data flows through three operator surfaces: a Reasoning Trace section on the agent detail page with collapsible per-turn cards linking each turn to the tool calls it dispatched; a server-sent-event stream that pushes a 200-character preview of each turn as the agent reasons; and a pair of REST endpoints (list-without-content plus per-turn-content fetch) backed by an MCP tool for programmatic post-hoc forensic review. The scope is helper-first: emission is wired into the two reasoning paths that cover every shipped vertical today (the generic agent substrate and the parameterized advisor base that drives both shipped advisor verticals), with a documented one-line adoption pattern for reviewer-family and swarm reasoning paths to opt in as those workflows need it. The MinIO upload at write time falls back to a sentinel rather than failing the audit append, so the chain stays unbroken even when object storage is degraded.

Closes the three coupled problems that made prompt iteration painful. First, prompts lived in Python source — the same tool-call protocol existed in two files with two different contents, and updating either required a code change plus a deploy. Second, the model-selection knob was the transport (api / cli / ollama) rather than the model itself, so every model on a given transport got identical instructions despite known differences in verbosity tolerance, thinking-mode handling, and formatting preference. Third, pass-rate changes had no record of which prompt version produced them, so cause and effect could not be separated. This sprint extracts every prompt into a versioned Markdown file declared in a single manifest, routes resolution through a singleton that picks the right variant by model profile, and threads the resolved prompt's identity onto every reasoning-step audit row so a forensic SQL filter can attribute pass-rate diffs to a prompt change or a model change with the same query. Three style profiles ship: terse for small local models, verbose for API-grade models, and a no-think profile that prepends the directive structurally for thinking-mode models so prompt authors do not need to know which models require it. The resolver enforces the manifest at server startup, surfacing every missing-file gap in one consolidated error rather than as a confusing first-spawn failure. An AST-based CI guard walks production source and rejects any multi-line string that looks like a prompt — the rule survives future PRs that try to land an inline prompt back into Python source. The mechanical refactor lands without changing what any model actually reads; the deferred follow-up writes terse-variant rewrites for the three shipped advisor families and lands the variant-comparison corpus eval tool alongside, so style changes can be measured against the baseline cleanly.

Closes the residual gap that the earlier ingest-time scanner left open. The regex pre-filter catches injection-shaped syntax synchronously at ingest with zero latency — but the regex layer cannot judge whether a prose paragraph is instructing the agent to leak its capability token, bypass the approval gate, or mirror every proposal to an attacker-controlled URL. This sprint adds a second stage: an LLM classifier fires asynchronously per chunk after commit, stamps a supplementary verdict onto the same chunk metadata, and degrades fail-closed when the classifier backend is unavailable so an outage cannot block ingest. The same sprint adds an entailment judge on every proposal emission — before a proposal is recorded the judge reconstructs the cited evidence and verifies that the proposal's claim actually follows from it. For proposals carrying a high or critical risk level the check is synchronous: a verdict of entails-false (or confidence below an operator-configurable threshold, default 0.75) raises a typed gate error and the proposal is refused at the audit-engine boundary, forcing the agent to re-cite or narrow the claim. Lower-risk proposals get the same verdict written as a fire-and-forget audit event so operators can run forensic queries against the baseline of "claims that drifted past their evidence" without paying the gate's latency. Operators get a per-chunk quarantine surface: any flagged chunk can be hidden from default search results via a bearer-auth-gated endpoint or a per-chunk-CSRF-protected dashboard button, and released chunks return to the flagged state rather than clean so the regex flag stands even after operator review. An adversarial corpus of twenty-four cases (ten syntactic, eight semantic, six benign with one documented false-positive) ships alongside as the regression target — the probe emits a confusion matrix and pins the regex layer's TP/FN/FP/TN. Closes the largest remaining "deliberately partial mitigation" entry in the threat-model document; reasoning-redirection injection moves from "judge-model pattern deferred to a future sprint" to "structural surface in place, judge accuracy continues to evolve with the underlying model."

Closes the substrate gap the workflow primitive's incident-postmortem template opened — agents that detect a critical condition can now page humans, not just surface a proposal on a dashboard nobody is watching. Four outbound channels (Slack, email, PagerDuty, generic webhook) ship as native tool handlers; every tool is reversible=False so the approval gate fires before any message leaves the system. An agent cannot spam operators — a human must approve each individual send, and the gate's args-hash binding means replay-by-re-submission is blocked. Credentials never sit in plaintext. Operators declare channels in a YAML file with environment-variable interpolation, the loader resolves the variables at lifespan startup, and an AES-256-GCM ciphertext lands in a new notification_channels table. Agents pass a channel-id slug they read from the operator's documented surface; they never see webhook URLs, SMTP credentials, or PagerDuty routing keys. The HTTP transport retries once on a 5xx or transport error; a 4xx returns an explicit failure rather than raising, so the agent's evidence chain captures the failure context. Channel-type mismatches refuse pre-send (an agent calling send_slack_message against a type=email channel gets a structured refusal rather than a wrong-channel post). A composable with_notifications capability template grants the four tools with memory-ops:read and no child agents — notification is a leaf operation, fan-out composes at the workflow level. Closes the postmortem cycle's last loose end: the workflow primitive's incident-postmortem template now wires its publication phase directly to these tools, fanning out one send per registered channel and recording each outcome on the workflow's payload so operators can read partial-failure detail without grepping the audit chain. Engine actions skip the per-call approval gate because the workflow template was already operator-approved at instantiation; the agent-driven path still routes through the gate.

The shell sibling of run_python. Same Docker isolation contract — no network by default, read-only rootfs, non-root uid, dropped capabilities, resource caps, hard wall-clock — and a curated CLI toolset baked into the image (jq, gawk, yq, curl, kubectl, postgresql-client, bc, coreutils). No apt-get at runtime; the image is the supply-chain surface and operators rebuild it when a new tool is needed. Closes the gap where the unrestricted bash grant was the only path for an agent that legitimately needs jq on a log payload or kubectl against a cluster API. The host-filesystem case (scanning /var/log/*) deliberately stays on the unrestricted bash grant — the sandbox cannot reach the host filesystem by construction, which is the whole point. Network access is per-agent-class opt-in via a new RegistryEntry.sandbox_network_mode field; the only documented non-default value is bridge, and every AGENT_SPAWN audit payload records the elected mode so a regulator-visible filter answers "which spawns elected outbound reachability" in one SQL query. Agents pass a script/stdin_data/env shape; the env dict is filtered against an operator-managed allow-list before the envelope leaves the host, so an LLM that smuggles a sensitive key into env sees it dropped pre-flight. The with_bash_sandbox capability template grants exactly the run_bash tool plus read/write memory ops — composable with any vertical overlay. Second instance of the sandboxed-execution primitive family the runtime is converging on; future sandboxed languages (Node, Ruby, …) plug in as sibling directories under aos/tools/sandbox/ without touching the language-agnostic invoker.

Closes the temporal-reasoning failure mode that bites every shipped vertical. LLMs fail predictably on date arithmetic, timezone conversion, elapsed-time, and day-of-week reasoning — and the failures appear in proposals (a compliance agent miscalculates a retention deadline, a postmortem renders a timestamp in the wrong timezone). Five pure-stdlib tools delegate every computation to Python's datetime, zoneinfo, and calendar: get_current_time (UTC and optional IANA timezone), parse_date (string → ISO 8601 with explicit refusal for ambiguous slash-formatted inputs rather than guessing), date_diff (days/weeks/months/years with correct month-length and leap-year handling), format_date (long/short/relative styles), and convert_timezone (IANA-to-IANA, naive inputs interpreted in from_tz). All five register reversible=True; inputs and outputs are ISO 8601 strings throughout; every response carries a display field for the operator-facing surface. The with_time_tools capability template grants all five in one template (splitting them is registry surface without security benefit). Composes with any vertical overlay — a compliance audit asking "is this evidence in window" reads the computed value rather than the model's guess.

Sibling sprint to the time/date tools, killing a different systemic LLM failure mode: format fabrication. Agents asked "is this a valid email" or "does this JSON match the schema" will sometimes assert validity when the answer is no — the downstream cost is proposals with invalid data that operators rubber-stamp or systems reject. Six pure-Python tools delegate the question to deterministic code: validate_json_schema (draft-7 with dotted-path error messages), validate_regex (returns the match plus capture groups on success), validate_url (format only — no reachability — with an optional require_https guard), validate_email (RFC 5322 format with no SMTP or DNS lookup), validate_format (named-format dispatcher covering UUID, ISO 8601 date and datetime, IBAN with the ISO 13616 mod-97 checksum, and E.164 phone numbers), and validate_json (parse-only check with the failing line and column). All six register reversible=True and return a uniform {valid, errors, match_groups} shape; error messages are human-readable strings rather than codes so the agent's reasoning trail carries the failure directly. The with_validation capability template grants all six in one template, composable with any vertical overlay. The explicit boundary on validate_url and validate_email is documented on the operator surface: format checks only, no network calls — mixing them would collapse two distinct concerns into one ambiguous tool.

Adds a third channel for agent-emitted trace, sitting between the immutable forensic audit chain and ephemeral stdout. Operational commentary — "scanning 47 matching files in QSYSOPR", "evidence vault returned 4 controls without timestamp metadata, falling back to created_at", "primary log backend returned 503; switching to secondary" — belongs in neither: it isn't legally evidentiary, but operators want to read it while the session runs. The new log_observation(level, message, context) tool writes to a dedicated agent_observations table with no hash chain and no MinIO anchor, so rows are rotatable without affecting forensic integrity. The level field is part of the args (debug / info / warn / error) rather than a tool-family split, matching Python's stdlib logging convention. The syscall layer injects session_id, agent_id, and agent_class from the calling ACB — agents cannot smuggle writes into another session's log via the args dict. A live-polled /observations dashboard surfaces the table with filters for session, agent, and level; color-coded level badges; and collapsible context JSON. The operator-facing surface explicitly documents the audit-chain-vs-observation distinction so a vertical author picks the right channel without re-reading the sprint spec. Composes with any vertical overlay via the with_observation_log capability template.

Read-only structured database access with per-connection capability scoping. Operators declare connections in a YAML file with environment-variable interpolated DSNs; agents pass a connection-id slug and never see credentials. Two tools: db_query for SELECT-only execution and db_schema for column-name introspection. Six defense-in-depth layers: the LLM only sees the broad tool names; the syscall capability verify checks the broad grant; the handler then decodes the agent's token and refuses unless db_query@<connection_id> is ALSO present for the specific call (the per-connection grants are added at token-mint time on top of the template, narrowing the agent's blast radius to exactly the connections it needs); the handler strips SQL comments, walks past leading parens, and rejects anything that isn't SELECT or WITH ... SELECT; per-connection row and timeout caps clamp the result size and wall-clock budget; and operators are expected to back each DSN with a SELECT-only database user as a final layer. Postgres connections use the existing psycopg pool family; DB2 is supported via a thin shim around the lazy-imported ibm_db_dbi library. Non-JSON-native column types (uuid, timestamp, decimal, bytes) are coerced to strings so the agent receives a uniform shape regardless of column types. Writes are explicitly v2 — they require approval-gate integration per call and an operator opt-in per grant, modeled separately as a future db_write tool.

Replaces the prior ungoverned outbound HTTP path — agents could previously call any URL through the in-line http_get with no rate limit, no response size cap, no domain allow-list, no HTTPS enforcement. The new version registers domains in a YAML allow-list with per-domain config (rate limit RPS, max response bytes, optional TTL cache, path-prefix allow-list, HTTPS enforcement). Calling an unregistered host returns ok:false BEFORE the network sees the call. Two tools ship: http_get is reversible=true and cached per the domain's TTL; http_post is reversible=false so the approval gate fires before every call and the reviewing operator sees the exact URL, headers, and body. Six defense-in-depth layers: domain allowlist, scheme check (require_https), path-prefix membership, async token-bucket rate limit, response size cap with explicit truncated flag, optional per-URL TTL LRU cache. Non-2xx responses return ok=true with the actual status code — some APIs treat 404 or 409 as valid signals, and the handler doesn't force a verdict. Binary content types come back as base64 strings so the agent always receives JSON-safe content. Breaking change for the two capability templates that grant the old http_get (with_log_query_diagnostic and with_threshold_diagnostic) — their target domains must be added to config/http_domains.yaml before existing deployments resume working.

Closes a capability gap with no prior path — agents could not read binary or rich-text documents at all. A PDF evidence attachment returned raw bytes; a DOCX contract was unreadable; an XLSX metrics export was opaque. The new fetch_document(source) tool reads a URL or local path, detects the format (Content-Type header for URLs with extension fallback), dispatches to a per-format extractor, and returns a uniform DocumentResult with title, body text, metadata, and any extracted tables. Five formats ship in v1: PDF via pymupdf (first 200 pages, metadata preserved), DOCX via python-docx (paragraphs as body plus native tables), HTML via BeautifulSoup with main/article preference and nav/footer/script noise stripped, CSV via the stdlib (single table, first row as headers), and XLSX via openpyxl (one table per sheet, sheet name carried through). Each extractor is lazy-imported so the package loads cleanly even when an optional library is missing — a call into an unavailable extractor returns ok:false with the install command rather than crashing at import. Size caps are explicit and operator-visible: 50 MB per document (pre-flight via Content-Length on URLs, streamed-bytes total tracked too so a lying server doesn't sneak through), 100,000 characters of body text, configurable per-table row cap (default 500, ceiling 2000), 200 PDF pages with the actual count preserved on metadata so an auditor can see both numbers. The truncated field fires whenever any cap activates, so operators reviewing a proposal that rests on partial document content can spot the elision from one field. The with_document_reader capability template grants the tool with read+write memory ops (so an agent can stash a long extracted body into working memory without re-fetching) and a larger token budget than the other utility tools because document body content flows directly into the reasoning context. Explicit non-goals: OCR for scanned PDFs (use a vision model), PowerPoint, document diff, MinIO evidence anchoring, encrypted documents.

Second vertical class. Produces structured change descriptions for developer review — affected programs, current code, proposed approach, test plan. Read-only; never writes code.

Tree-sitter-aware extraction returning symbol graphs rather than raw text. Three reversible-by-contract tools — one returns the symbol graph for a file with bodies opt-in, one searches symbols by name pattern and kind across a registered codebase, one returns the body of a specific symbol. First call per codebase builds an in-memory index in a few seconds; later calls hit the cache and return in well under a tenth of a second. The cache invalidates on file change via mtime hashing. Four languages parse out of the box: Python, JavaScript, Go, and SQL. An agent can navigate a 50-thousand-line codebase in a handful of tool calls instead of burning the budget on raw file reads. Codebases are operator-registered; the registry is deploy-time-immutable. Pairs naturally with the non-self-modifying runtime principle — agents can read project source freely under capability grant, but the write_file path-prefix denylist still refuses any attempt to mutate those same trees.

Structured diffs as first-class proposal artifacts. Three read-side tools — one computes a unified diff between two text strings, one parses a unified diff into structured metadata, one validates that a diff would apply cleanly against a target's current content. The agent reads the file's symbol graph through the source-code reader, mentally applies its proposed edit, computes the diff between original and modified, validates the diff against the current file content, and carries the diff in its proposal body for human review. No apply_patch — writing a patched file is an irreversible operation that belongs in an executor vertical behind the approval gate, and the write_file path-prefix denylist still refuses writes into protected trees regardless. The diff is the proposal; patch application happens through standard change-control, not the agent. Validation surfaces the first mismatched line by number so an operator reading the proposal can locate exactly what shifted in the target since the diff was generated.

Operator-defined command allow-list as defense-in-depth over capability checks. Bash with grep, find, git log, kubectl get — but not arbitrary commands.

aos-replay re-runs a recorded session against a different LLM backend or different prompt and compares outcomes. Critical for evaluating model upgrades.

Walks registered tools, agent classes, and production tokens; reports unused capabilities and over-broad grants. Helps operators tighten capabilities over time.

Queryable rollups across sessions by agent class, time window, and operator. For finance and capacity planning, not per-session inspection.

Daily and weekly export of pending and resolved approvals for compliance teams: every destructive action an agent attempted in a window, with outcome.

Strategy-based LLM selection per agent class: economy (cheapest model above a configurable quality floor), quality (highest pass rate), local_first (air-gapped by default, escalate only on explicit opt-in). Cascade mode runs the economy model first and escalates to a higher-quality model when response confidence falls below a threshold — achieving near-quality-tier results at economy-tier cost for the majority of calls. Scores seeded from corpus baselines; operator updates them as model quality evolves. Per-agent-class strategy declaration in RegistryEntry.

When bash_sandboxed runs with network_mode="bridge", all outbound destinations are currently permitted. The egress allowlist restricts outbound connections to a named set declared in the agent's RegistryEntry — so kubectl can reach the cluster API but not arbitrary internet hosts. Enforced via iptables rules inserted before container start. Allowlist visible in AGENT_SPAWN audit payload.

Published p50/p99 latency, soak test results, capacity planning under realistic concurrency. Required for first-customer production deployment at scale.

Per-caller bearer tokens, independent audit attribution, rotation without downtime. Resolves the residual exposure noted in the threat model.

Federated identity for API callers and mutual-TLS as alternative bearer-token mechanism. Targets enterprise deployments where bearer tokens alone are insufficient.

High-severity proposals routed to a second LLM call with only the proposal and evidence. Closes the largest open category in prompt-injection threat surface, but the architecture has significant ergonomic and cost implications.

Adversaries who place content across many tool calls steering reasoning gradually evade single-result pattern detection. No good general defense exists today; we're tracking the research literature.

Detect JWT-shaped or API-key-shaped strings in tool output and redact before LLM exposure. Prevents agents being convinced to leak their own credentials.

Currently sandbox limits are global env vars. Per-class overrides through capability-token claims would let critical agents get more resources than experimental ones, but the audit shape needs design work.

Beyond the generic incident-response cookbook, full reference implementations for specific verticals. Which verticals first depends on customer signal.

An actor with a deterministic main execution path and a reasoning hop at one or more specific decision points. Common shape: a deterministic monitor that calls an LLM only to classify ambiguous signals. Cost-efficient and architecturally cleaner than forcing every actor into one camp; needs design work on capability scoping and audit semantics across the hop.

The default model (qwen2.5:7b) passes 52% of corpus cases in a fully air-gapped deployment — below the 70% threshold for unassisted production use. Research question: how much of the gap closes through prompt engineering (terse variants) and cascade configuration versus requiring a larger model? Categorize the failure modes in the remaining 48%, calibrate the corpus oracle against human judgment, and publish a minimum-VRAM recommendation for each quality tier (70%, 80%). Output: a recommendation, not a feature.

The field-test feedback loop (item 29) captures operator approve/reject/edit signals. Those signals are not currently used to extend the replay corpus automatically. Without auto-promotion, the corpus distribution drifts from production incident distribution and pass rates become optimistic over time. Research question: what is the minimum-viable corpus-candidate schema, how do we prevent contamination (model output ≠ ground truth), and what sampling rate keeps the corpus manageable? Output: a workflow design for the implementation sprint.

The runtime is currently silent between dashboard opens. No signal fires when the review queue has been pending 30 minutes, the cost budget is 80% exhausted, or the anchor sweep has fallen behind. Research question: what are the SLOs worth defining, what are calibrated thresholds grounded in baseline data (not guesses), and does alerting require the notification dispatcher (item 22) first? Output: 4–6 SLOs with thresholds, runbooks for each, and a dependency decision.

LangGraph checkpoints are written after each node; the resume path is not implemented. When the server restarts, in-flight agents are orphaned and the work is lost. The checkpoint table also grows forever. Research question: what is the correct resume semantic (auto for read-only, operator-consent for agents with irreversible tools remaining), how does a new AGENT_RESUME event type maintain audit chain integrity across the restart gap, and what is the checkpoint pruning policy? Output: design spec and implementation plan.

Multi-persona swarms pass all authored tests but have no documented failure taxonomy, no tested recovery path, and no operator runbook. Three failure modes to characterize: persona-level crash (one of five personas errors mid-investigation), contested memory state (two personas write conflicting conclusions), and aggregation failure (parent receives partial results). Research question: what is the correct policy for each failure mode, what does contested memory resolution look like as an operator workflow, and what is the safe swarm size upper bound? Output: failure taxonomy, runbooks, and implementation spec for recovery paths.

All agents currently share one database, one audit log, one cost ledger, and one capability JWT root. No isolation boundary exists between callers or teams. Research question: what is the minimum tenant concept (caller-based partitioning, row-level security, or separate deployments), what does the JWT capability model need for a tenant_id claim, and what is the smallest change that opens the multi-tenancy path without a big-bang schema migration? Output: isolation architecture recommendation and first-sprint implementation scope.

The scheduler preempts between LangGraph node boundaries, not inside an LLM call. True mid-inference preemption requires model-side cooperation that doesn't exist; we won't pretend otherwise.

If an attacker holds both PostgreSQL and audit-anchor credentials, the chain can be rewritten. Mitigation requires external append-only audit, which is the operator's responsibility, not ours.

AOSIQ authenticates API callers via bearer tokens. User identity, single sign-on, and role-based access at the application layer are the host application's responsibility, not the runtime's.

Temporal, DBOS, Restate, and Inngest serve this category. AOSIQ includes durability as one property among many; we don't compete with specialists on durability alone.

Python and sandboxed shell (bash_sandboxed, item 55) cover the immediate execution surface. Node and Ruby are straightforward to add with the same invoker pattern but each requires its own threat model and security review. Deferred until a real customer workflow demands it.

Operators define the curated package set in the Dockerfile. Agent-controlled pip install is a supply-chain attack surface we deliberately do not open.

AOSIQ governs actors; it does not implement them. Bring your own LangGraph agent definitions, your own deterministic scripts, your own business logic. The runtime provides the substrate for governed action; the application is yours.