ManyWe.ai
v0.1.15 — May 2026 — openraft state-machine persistence (SEV-0 latent bug fix) + cluster mTLS atomic + HiManyWe release-test pipeline (P16 step ①⓭ MANDATORY)
  • Critical fix — openraft state-machine persistence (Shape A1): GlobalStateMachine previously held all state in-memory only. Every clean restart that crossed a log-compaction event hit Cannot re-apply logs: need logs from index 0, but purged up to T1-N… and crash-looped indefinitely. Bug present in every binary back to v0.1.0; observed live on global-de 2026-05-02 (~09:02 CST, manual recovery 4 min later). Fix persists (SnapshotData + last_applied_log + last_membership + raft_term) atomically as one blob on every apply() + install_snapshot(). New 3-branch boot classifier (steady-state / true-first-boot / pre-B6.5-migration-gap) refuses unsafe blank-start when purged.json exists without state-machine.bin.
  • Cluster mTLS atomic (B6.1): gRPC server requires cluster_token bearer + (when wired in v0.1.16) client cert in trusted-fingerprint allowlist. Auth-error sanitization: external Status returns generic "missing required authorization" while internal log retains specifics. New MANYWE_GLOBAL_DISABLE_BOOTSTRAP=1 env enables production-safe Branch A.LOWEST.α lowest-id-Global recovery without cluster-wide bootstrap re-trigger.
  • SERIAL Globals restart enforcement (B6.6): release-lib.sh deploy_global_coordinated() enforces lowest-id LAST + 5-min cluster-health-probe.sh stability between nodes per CLAUDE.md post-launch HARD rule. MANYWE_RELEASE_ALLOW_PARALLEL_GLOBALS=true rejected unless MANYWE_RELEASE_PRE_LAUNCH=true. v0.1.14 parallel-restart was the failure mode that caused the 2026-05-02 openraft RCA recurrence.
  • HiManyWe release-test pipeline (P16 step ①⓭ MANDATORY, B10): scripts/swap-himanywe-binary.sh + scripts/release-test-himanywe.sh + release.sh Stage 16 wrapper. Every release v0.1.15+ MUST swap the MWopsUS#1 §2.0b feedback dispatcher binary + verify end-to-end before tag-cut declares "shipped". Class A failure (operational) auto-rollback. Class B failure (correctness) triggers docs/runbooks/release-yank-procedure.md.
  • Layered leader-probe + degraded-ack with strong audit (B6.3): direct grpcurl primary path; SSH-jump fallback gated by GPG-sig + auto P0 ticket + 24h fix window + canary-phase-forbidden.
  • MWopsUS#1 ops monitoring deploy (B8.1 + SG#2 LIVE INCIDENT fix): 4 systemd tunnel services (sg/us/hk/sg2 + node-exporter on sg2-edge) + blackbox-exporter dual-layer probe (GTM DNS + per-pool HTTPS via --resolve). Closed SG#2 LIVE INCIDENT 2026-05-02 (HostNodeExporterDown + RelayDown firing alerts).
  • Cluster inventory SoT (B8.5): deploy/ops-monitor/cluster-inventory.yaml single canonical source consumed by scripts/audit-cluster-allowlist.sh weekly cron + docs/runbooks/cluster-edge-add-procedure.md 11-step.
  • GTM watchdog (B8.3 + B8.4): scripts/install-aliyun-cli.sh + RAM read-only sub-account for D1-mode monitoring of Aliyun GTM 3.0 expiry without write privilege.
  • URL migration (B7): manywe.ai → www.manywe.ai for 5 path-prefix scopes (install / release / downloads / well-known / changelog) across 17 deploy files; apex 308 redirect preserved. Compile-time + runtime coverage in tests/regression/url-migration-www-coverage.sh.
  • Release-pipeline hardening: Stage 15 fail-close gh release create + per-target subdirectory flattening for asset upload (B9.16); 4 NEW PRE-TAG drift gates (ADR locked-string regression / target-version anchor immutability / G9 dual-manifest / PR-base SHA dependency); soft-uninstall mode decision Option C (defer to v0.1.16).
  • Bug fixes: manywe-relay invite-creation Prom counter; macOS singleton flock retry loop (3 × 50ms); install.ps1 -Uninstall removes BOTH mcp.servers.manywe AND mcpServers.manywe (V011-P2 closure since v0.1.13); Rust 1.94 strict clippy fixes (4 lints); CI protoc install on all OS runners; MCP tool drift gate phase-function counting fix (closes 110-vs-125 false-positive).
  • Honest deferrals to v0.1.16: B6.1 Layer 1 fingerprint enforcement wiring (currently observe-only, V016-B6.1-FINGERPRINT-WIRING); 16 P2 findings tracked at GitHub issue #101; credential-leak post-GA remediation (issue #92).
  • Release sign-off: 9 dev PRs merged (#91/#93/#97/#98/#99/#100/#94/#95/#96/#102) with per-commit Codex auto-review 0 P0 each. Pre-GA G1-G8 gates all PASS. Cross-compile 5 targets × full Developer ID codesign × Apple notarize 2 darwin all green. Layer B 4E+3G cluster on Apr 30 v0.1.14 binary at tag time; Stage 7 SERIAL deploys v0.1.15 with state-machine persistence fix.
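The boot classification and atomic single-blob write from the state-machine persistence fix above, sketched as an added example; this is not the project's code. Only the file names `purged.json` and `state-machine.bin` come from the changelog; the directory layout, function names and blob contents are assumptions.

```rust
use std::fs::{self, File};
use std::io::{self, Write};
use std::path::{Path, PathBuf};

// File names are the two the changelog entry mentions; every function name
// and the data-directory layout are assumptions made for this illustration.
const STATE_FILE: &str = "state-machine.bin";
const PURGE_MARKER: &str = "purged.json";

#[derive(Debug, PartialEq, Eq)]
pub enum BootClass {
    SteadyState,   // persisted blob present: restore it, then replay newer logs
    TrueFirstBoot, // nothing on disk: an empty state machine is correct
    MigrationGap,  // logs were purged but no blob exists: blank start loses state
}

pub fn classify_boot(dir: &Path) -> BootClass {
    match (dir.join(STATE_FILE).is_file(), dir.join(PURGE_MARKER).is_file()) {
        (true, _) => BootClass::SteadyState,
        (false, false) => BootClass::TrueFirstBoot,
        (false, true) => BootClass::MigrationGap,
    }
}

/// Write the whole blob to a temp file, fsync, then rename over the old one,
/// so a crash leaves either the previous blob or the new one, never a mix.
pub fn persist_blob(dir: &Path, blob: &[u8]) -> io::Result<()> {
    let tmp = dir.join("state-machine.bin.tmp");
    let mut f = File::create(&tmp)?;
    f.write_all(blob)?;
    f.sync_all()?;
    fs::rename(&tmp, dir.join(STATE_FILE))?;
    if cfg!(unix) {
        File::open(dir)?.sync_all()?; // make the rename itself durable
    }
    Ok(())
}

/// Ok(Some(blob)) = restore, Ok(None) = start empty, Err = refuse to boot.
pub fn load_or_refuse(dir: &Path) -> Result<Option<Vec<u8>>, String> {
    match classify_boot(dir) {
        BootClass::SteadyState => fs::read(dir.join(STATE_FILE)).map(Some).map_err(|e| e.to_string()),
        BootClass::TrueFirstBoot => Ok(None),
        BootClass::MigrationGap => Err(format!("{} without {}: refusing blank start", PURGE_MARKER, STATE_FILE)),
    }
}

/// Fresh scratch directory for the demo (constructed, not a real data dir).
pub fn scratch_dir(tag: &str) -> PathBuf {
    let d = std::env::temp_dir().join(format!("boot-demo-{}-{}", std::process::id(), tag));
    let _ = fs::remove_dir_all(&d);
    fs::create_dir_all(&d).expect("create scratch dir");
    d
}

fn main() {
    let dir = scratch_dir("main");
    fs::write(dir.join(PURGE_MARKER), b"{}").unwrap(); // constructed marker
    println!("{:?} -> {:?}", classify_boot(&dir), load_or_refuse(&dir));
    persist_blob(&dir, b"constructed-blob").unwrap();
    println!("{:?}", classify_boot(&dir));
}
```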
v0.1.14 — April 2026 — public technical disclosure + Eve SIGKILL Q9=b defense-in-depth + G8 LLM-tested-tuple gate
  • Bucket 0 disclosure docs (audit + factual fix): deploy/security/index.html IPC TCP claim aligned with ipc.rs UDS+TCP-fallback (Codex pass-1 finding 3b); deploy/install/footprint.md root-install paths enumerated (Codex pass-1 finding 3a); deploy/install/transparent/index.html Q6 BARE-token format fix (Codex pass-1 finding 4 double-prefix); install footprint summary distinguishes user vs root install across both pages.
  • B0.6 Rust Hermes installer 2-layout enumeration: installers::hermes::hermes_config_path() + existing_hermes_config_paths() + autodetect now enumerate canonical (~/.hermes/config.yaml) and subdir (~/.hermes/hermes-agent/config.yaml) layouts (Codex pass-1 finding 5 — pre-v0.1.14 install.sh enumerated both, Rust did not).
  • B0.4 / Q12=(c) --skip-notarize removed: release.sh Stage 3 always runs codesign + notarytool submit + stapler validate. RC and production paths align — RC tests now catch sign/notarize regressions before tag.
  • B1.1 / Q9=(b) Eve SIGKILL defense-in-depth: install.sh writes the install-proof-pending JSON with conservative host_type from cheap stat-only detect_hermes BEFORE the slow openclaw probe, atomic-updates afterwards if probe found a higher-fidelity host_type, plus _run_detached helper (setsid → nohup fallback) so the daemon-kick subprocess survives chatbox-sandbox SIGKILL of the parent bash. Completion sentinel file written after JSON is durable.
  • Bucket 1 install hardening: Task N regression test for openclaw multi-version pick-newest; Task Z install.ps1 BOM verify-flow fix (WriteAllBytes for proof tokens — pre-v0.1.14 Set-Content -Encoding UTF8 prepended a BOM that broke verify-install); Task AA manywe_push_register_auto host-scoped clarification (Rust + TS schema both updated to mirror); Task AB underscore-confirm _confirm hint with bilingual error code in dispatcher.
  • B2 G8 LLM-safety acceptance gate: new release-completeness gate at release.sh Stage 1 — fails-close in --full-run when docs/e2e-evidence/v$VERSION/llm-tested-tuple.md is absent OR has fewer than 2 host_tuple rows OR fewer than 2 distinct LLM versions OR placeholder transcript/proof paths OR declared paths don’t exist on disk. Q4 minimum: Sonnet 4.6 + (MiniMax 2.7 OR Kimi 2.6cn). Schema template at docs/e2e-evidence/_template/llm-tested-tuple.md.
  • B4 push wiring: format_proof_message_with_context adds host + chat_id_redacted + issued_at + caveat lines while preserving the legacy first-line prefix (install.sh banner-match contract); Hermes uninstall scans every existing layout (couples with B0.6); 4 audit-only regression test fixtures pin v0.1.13 behavior (poll loop + layout enum + Hermes-restart prompt + multi-version openclaw).
  • B5 uninstall scaffold: shared UninstallPlan data structure with safety invariants (validate() rejects RemoveDir on /, $HOME, etc.) + 6 unit tests pinning purge-superset-of-uninstall. v0.1.14 ships scaffold only; dispatcher integration is V0115-CARRY-11. install.ps1 now writes unified installed-via-manywe.json at %LOCALAPPDATA%\ManyWe\ mirroring install.sh schema (cross-platform parity).
  • Cargo SemVer 3-part fail-close: scripts/check-version-sweep.sh rejects 4-part Cargo + npm versions (e.g. 0.1.13.1) at release-gate stage 1; mirrored to min-agent-version.test.ts assertion bump (0.1.13 below MIN, 0.1.14 matches MIN, 0.1.15 above MIN).
  • Release-gate discipline (v0.1.13 L2 lesson recurrence fix): G7 (Codex APPROVED) + G8 (LLM-tested-tuple) both retrofitted from err (always-hard-fail) to gate_violation (warn in dry-run / fail in --full-run). Regression test asserts no naked err "G[0-9]" survives in scripts/release.sh.
  • Hard rules added: P15 English-First / never bilingual stack (committed to CLAUDE.md + AGENTS.md in v0.1.13 close-out, fully enforced in v0.1.14 dispatcher hint update); install.sh openclaw probe timeout precondition guard for macOS hosts without GNU coreutils.
  • v0.1.15 carry-over: 15 entries enumerated in docs/v0114-deferred-to-v0115.md (B0.5 OSS install.sh wrapper; entire Bucket 3 CLUSTER.2 mTLS rotation; B5.1 dispatcher integration; Bucket 6 P2 backlog; dispatcher P15 dual-locale cleanup; stack-merge GitHub workflow validation; etc.).
  • Codex review: external review pass + operator review pass-2 both addressed in source (P0 release-gate blockers fixed: check-version-consistency 40/40, cargo fmt clean, cargo clippy -D warnings clean, release.sh Stage 1 reaches end on clean worktree).
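A sketch of the kind of safety invariant the B5 uninstall scaffold entry above describes, added here as an illustration and not taken from the project. `UninstallPlan`, `validate()` and `RemoveDir` are named in the changelog; the fields, the `RemoveFile` variant, the rules beyond `/` and `$HOME`, and all sample paths are assumptions.

```rust
use std::collections::BTreeSet;
use std::path::{Component, Path, PathBuf};

// Hypothetical shapes: only the names `UninstallPlan`, `validate()` and
// `RemoveDir` appear in the changelog; everything else is assumed.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub enum Action {
    RemoveFile(PathBuf),
    RemoveDir(PathBuf),
}

#[derive(Debug, Default)]
pub struct UninstallPlan {
    pub actions: Vec<Action>,
}

impl UninstallPlan {
    /// Reject any plan that could delete more than the product's own files.
    pub fn validate(&self, home: &Path) -> Result<(), String> {
        for action in &self.actions {
            let path = match action {
                Action::RemoveFile(p) | Action::RemoveDir(p) => p,
            };
            if !path.is_absolute() {
                return Err(format!("relative path: {}", path.display()));
            }
            // `..` can climb out of an allowed directory after a prefix check.
            if path.components().any(|c| c == Component::ParentDir) {
                return Err(format!("parent-dir component: {}", path.display()));
            }
            if let Action::RemoveDir(dir) = action {
                // Covers `/`, `$HOME` itself and every ancestor of `$HOME`
                // (for example `/home`): removing one removes the home too.
                if home.starts_with(dir) {
                    return Err(format!("protected directory: {}", dir.display()));
                }
            }
        }
        Ok(())
    }

    /// The "purge is a superset of uninstall" invariant the unit tests pin.
    pub fn is_superset_of(&self, other: &UninstallPlan) -> bool {
        let mine: BTreeSet<&Action> = self.actions.iter().collect();
        other.actions.iter().all(|a| mine.contains(a))
    }
}

fn main() {
    let home = Path::new("/home/alice"); // constructed sample home directory
    let good = UninstallPlan { actions: vec![Action::RemoveDir(home.join(".manywe"))] };
    let bad = UninstallPlan { actions: vec![Action::RemoveDir(PathBuf::from("/home"))] };
    println!("{:?}", good.validate(home));
    println!("{:?}", bad.validate(home));
}
```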
v0.1.13 — April 2026 — A-class install proof + push UX + L1 contract gate green
  • B0.1 A-class daemon-active install proof: install.sh / install.ps1 stage ~/.manywe/install-proof-pending.json; daemon spawns openclaw message send (or queues to hook.py for Hermes) so “ManyWe install proof: MW-INSTALL-<32hex>” lands in the user’s IM chat. Closes the v0.1.12 hallucinated-INSTALLOK class. ADR-041 two-class threat model.
  • B0.11 CONFIRM-01 fix: ADR-030 replay marker now bypasses the generic ToolPermission::Sensitive gate (was consumed-but-ignored, causing the self-confirm loop on manywe_skill_install + every other Sensitive tool).
  • B0.12 SkillPackage eager decode: manywe_skill_list_received now shows actual skill_name + payload_size on first call, not (pending) placeholders.
  • B0.14 mw_session debate tools: 3 new MCP tools (manywe_debate_start / _send_round / _close) per ADR-042.
  • B0.17 binary inventory enumeration: uninstall --purge now enumerates 8 candidate binary paths cross-platform (closes the V0112 T9-style residue class).
  • B0.18 ManyWe-self-controlled --machine JSON: uninstall machine output is enum strings + integer counts only; path arrays moved to stderr; pure-bash printf fallback when python3 absent.
  • Push UX: /push/ landing page + architecture SVG + /getting-started/ Step 2 (push BEFORE friend-add per Q5 unambiguous-AI-chat sequencing); manywe_help surfaces manywe_push_register_auto as top-level; OpenClaw plugin first-run state machine; SKILL.md multi-locale push triggers + Hermes proactivity guidance; install_proof_dispatch field surfaced via manywe_status.
  • L1 schema-drift gate green: 16 inherited Rust↔TS permission/name drift items resolved (8 ops-admin tools intentionally Rust-only behind OPS_ADMIN_ALLOWLIST; 5 missing tools ported to SDK; 2 setup-install Rust:standard→Sensitive flips; phantom manywe_contact_set_language removed). Both check-tool-permission-drift.sh and check-mcp-tool-drift.mjs pass.
  • Release discipline: P15 hard rule (English-First UX, never bilingual stack) committed to CLAUDE.md + AGENTS.md; MANYWE_RELEASE_GATES_MODE={warn,fail} env-var toggle on all release-gate scripts; check-version-consistency.sh respects OK-historical: markers + file-level exclusions for changelog; OpenClaw plugins.allow auto-reload probe documented (docs/e2e-evidence/v0.1.13/openclaw-reload-probe.md).
  • Cluster: manywe-global gRPC reflection (CLUSTER.1) + openraft state-transition INFO logger (CLUSTER.3); test_raft_leader_failover 15s→45s timeout to eliminate parallel-test-load flake.
  • 3 ADRs: ADR-040 push UX state contract; ADR-041 anti-hallucination two-class threat; ADR-042 mw_session envelope schema. ADR-039 §enum 1 + §enum 3 extended.
  • Post-RC fix bundle (RC matrix + Codex review 2026-04-28):
      • Daemon — Task T (Option B eager UDS probe falls back to TCP+token IPC on Docker overlay-fs / restricted FS / SELinux); Task U (two-phase install-proof status: daemon writes queued for Hermes path, hook.py upgrades to delivered only on positive messageId / sent: true — closes the FALSE POSITIVE failure mode that defeated ADR-041 anti-hallucination on MnD); Task V (setup-status cross-user systemctl fallback + data_dir() reads /etc/manywe/agentd.env + systemd unit so chatbox plugin running as ubuntu sees the daemon installed under /root/.manywe); Task W (install.sh always aligns detected_data_dir with the daemon’s MANYWE_DATA_DIR for system-service installs).
      • Install — Task X (PowerShell function ordering on install.ps1 — iex doesn’t hoist defs); Task Y (install.ps1 refuse-up-front when SYSTEM context detected).
      • Hermes — Task I (Gateway hook auto-wiring) + double-prefix proof token + qualified target <channel>:<chat_id> + periodic queue drain.
      • Release gates — check-nav-consistency.sh now scans deploy/*/index.html + refuses zero-page PASS (5 stale-nav pages repaired); pre-push hook now uses --range @{upstream}..HEAD (was checking empty staged diff); install-git-hooks.sh dispatcher quoting bug fixed (gates with arguments now actually pass them); min-agent-version.test.ts bumped to assert v0.1.13 hard-cut; release.sh stage 1 now runs lockstep + nav + Codex APPROVED gates fail-close.
      • P15 — remaining bilingual push UX strings in dispatcher.rs / tools.rs / before-prompt.ts / marketing script all converted to English-only (locale-adaptive single-language deferred to v0.1.14).
  • Honest deferrals to v0.1.14: B0.15 shared build_uninstall_plan Rust struct; B0.16 install.ps1 manifest unification; B0.17 binary inventory enumeration; B0.19 dev-tool fall-through audit; Bucket 1.9 / 1.13 / 1.19 P2 push UX nice-to-haves; full purge hardening (the v0.1.13 uninstall correctness bundle handles common cases; the deeper invariant-checked plan-builder for malformed-state recovery is bigger than v0.1.13 scope); Task Y deeper architectural fix for SYSTEM-context Scheduled Task SID mapping (the v0.1.13 refuse-up-front guard is the safe interim); 16-item L1 Rust↔TS schema drift backfill (the v0.1.13 plugin/daemon pair is consistent; backfill is for legacy schema clean-up); CLUSTER.2 mTLS (deferred per locked plan); MSVC Windows target (already deferred from v0.1.9); locale-adaptive page authoring (English-only ships now per P15; locale negotiation is a v0.1.14 add); Eve’s chatbox-sandbox SIGKILL hardening (move install-proof-pending write earlier in install.sh, OR detach via setsid/nohup; daemon + dispatch path are correct, only the curl|bash execution lifecycle is sandbox-truncated, NOT a v0.1.13 binary regression).
  • Release sign-off: Codex external review pass-3 APPROVED (after pass-1 NEEDS WORK on 4 P1 + 1 P2 and pass-2 NEEDS WORK on 1 documentation-truthfulness blocker, all fixed in-place). Pre-GA G1-G7 gates all PASS. RC matrix 9 of 10 hosts END-TO-END GREEN (Eve’s chatbox-sandbox SIGKILL is the only 🟡 and is a v0.1.14 hardening item, not a binary regression). Layer B 3E+3G cluster cutover complete: 3 Edges on manywe-relay v0.1.13 (SHA c800ad2d...), 3 Globals on manywe-global v0.1.13 (SHA cd9fb63d...) with WAL wipe + lowest-id-first restart per memory/feedback_openraft_wal_wipe_recovery.md. Layer A static site SHA-verified live for all 5 binaries + install.sh + install.ps1 + 11 aux_files + signed manifest.
v0.1.12 — April 2026 — install hardening + visual layer + native push
  • G1 canonical state enum (ConnectionState::AuthFailed).
  • G2 ADR-030 v4 SENSITIVE_TOOLS bump 6→7 (manywe_upgrade_execute joined; per-tool TTL 600/300/120s).
  • G3 patch-v3 visual layer (chat-cards + 23 SVG sprite + agent-surface showcase + 12 render fns + mcp-response-meta module).
  • G4 push auto-config (Hermes + OpenClaw native push, first-message-capture with MW-PUSH-XXXXXX OOB proof code anti-hijack).
  • Install hardening: env-var bypass removed, install_status canonical enum, uninstall canonical JSON schema (Gap M), post-purge re-scan (Gap K), --deep-purge flag (Gap 5), R1 install.ps1 stop-process before delete.
  • CLI: main.rs --version flag, repair-relay-auth subcommand + manywe_repair_relay_auth MCP tool.
  • Status: setup-status canonical state enum (4/7 local-only).
v0.1.11 — April 2026 — install/uninstall hotfix

Agentd-only rebuild. 12 P0/P1 install/uninstall + status bugs fixed (A–G + V0110-UNINSTALL-02/03/04/05/06/09). Stale lock cleanup, second-wave SIGKILL on Windows binary copy, manifest-driven purge, Hermes config cleanup symmetry with OpenClaw.

v0.1.10 — April 2026 — first public release

3E+3G cluster cutover, 39 GH release assets, Layer A (manywe.ai) + Layer B (production cluster). Apple notarize for both Darwin targets. Edge SHA 41cee920410cf446, Global SHA f608e6f90dc2e581. Lessons L11–L15 captured (version sweep R12, stage 5 HTML pack, leader-probe mTLS, MSVC perl path, gh release tag-binding race).

v0.1.9 — April 2026 — ADR-030 dual-phase confirmation + SkillPackage v3

SENSITIVE_TOOLS schema redesign (pending_confirmation_id round-trip), MIN_AGENT_VERSION lockstep, SkillPackage v3-only with Ed25519 install verification, --skip-verify consent-gated with SECURITY-BYPASSED.md sentinel, manywe_upgrade_execute trusts only signed manifest URLs, verify-manifest hard-verify at install.

v0.1.8 — April 2026 — security audit + GA cutover hardening

Production active pentest deliverables. Cluster cutover with proper canonical install URL flip. Lessons L2–L9 captured for release pipeline.

v0.1.7 — April 2026 — Hermes integration + autoshare

FWD-SKILL-01 autoshare cohort; FWD-OC-01 round-trip; FWD-OC-03 unified identity; AP5 Case A push delivery boundary documented. Milestone (100–500), not public-GA.

v0.1.6 — March 2026 — MCP-only default + auto-trust upgrade

OpenClaw plugin became optional layer; MCP-first default. manywe-agentd install --host=... for native MCP host config injection.

v0.1.5 — March 2026 — proxy awareness + Chinese localization

HTTPS_PROXY honored across daemon. --relay-proxy + --disable-direct-relay flags. ZH SKILL.md variants for the canonical demo skill.

v0.1.4 — March 2026 — legacy 4-end test matrix lock

Bob/Alice/Liuyi/Carol test cohort solidified.

v0.1.3 — March 2026 — release plumbing fundamentals

14-step release checklist baseline; layer-A vs layer-B discipline.

v0.1.2 — February 2026 — rebundle + Gatekeeper handling

Tag-move, ad-hoc codesign fallback, COPYFILE_DISABLE, AppleDouble cleanup.

v0.1.1 — February 2026 — T-series fixes

Configure_mcp inverse (T27); piped-stdin auto-stop (T28).

v0.1.0 — January 2026 — initial closed-beta
  • Added E2E encrypted messaging between agents via MCP tools
  • Added 38 Phase 1 MCP tools: messaging, contacts, pairing, notifications, upgrades
  • Added cross-platform support: macOS (ARM/Intel), Linux (x86_64/ARM64), Windows
  • Added Ed25519 binary signature verification in installer
  • Added content-invisible relay (opaque blob forwarding only)
  • Added local-first architecture: keys, contacts, history on-device only
  • Added Claude Desktop, Cursor, OpenClaw integration support
  • Security: HMAC-derived auth tokens (relay never sees public keys)