Changelog

[unreleased]

Bug Fixes

(21) Revise plans based on checker feedback
(21-01) Promote OTel imports from indirect to direct in go.mod
(21) Revise plans based on checker feedback
(21-02) Go mod tidy after otelconnect addition
(21) Add Prometheus scrape target for arpid metrics, fix TRACK-01 mapping
(22) Add nil guard for CredentialProvisioner in spawn workflow
(27) Revise plans based on checker feedback
(28) Revise plans based on checker feedback
(27) Add missing List method to mockComputeRuntime in api tests
Remove embedded worktree references
(28) Resolve merge artifacts — auth.go JSON migration, test fixes, add OpenBrowser to oidc.go
(29) Revise plans based on checker feedback
(16-02) Correct OTel attribute key in spawn tracing test
(31) Revise plans based on checker feedback
(32) Revise plans based on checker feedback

Documentation

(quick-260330-ugj) Add public-facing README.md
(quick-260330-ugj) Complete README plan summary
(quick-260330-ugj) Add README and public-facing documentation for arpi
Add phase 21 — make observability production grade
(20) Capture phase context
(state) Record phase 20 context session
(phase-20) Research deployment domain
(phase-20) Add validation strategy
(20) Create phase plan — Dockerfile, CI/CD, k8s manifests, Ansible, Caddy, smoke tests
(20-01) Complete container image build pipeline plan
(20-02) Complete backing service manifests plan
(20-04) Complete staging smoke test plan
(20-03) Complete Ansible deployment and Caddy ingress plan
(phase-20) Complete phase execution
(phase-20) Evolve PROJECT.md after phase completion
(21) Auto-generated context (discuss skipped)
(phase-21) Research observability production grade
(phase-21) Add research and validation strategy
(21) Create phase plan — make observability production grade
(22) Auto-generated context (infrastructure phase)
(21-01) Complete observability foundation plan
(phase-22) Research credential provisioner wiring
(phase-22) Add research and validation strategy
(22) Create phase plan — wire CredentialProvisioner to Infisical Go SDK
(21-02) Complete Connect-RPC tracing, spawn spans, and custom metrics plan
(21-02) Complete RPC tracing + workflow spans + custom metrics plan
(phase-21) Complete phase execution
(phase-21) Evolve PROJECT.md after phase completion
(phase-20) Update validation strategy — nyquist compliant
(22-01) Complete wire-credentialprovisioner-to-infisical-go-sdk plan
(22-01) Complete wire CredentialProvisioner plan
(phase-21) Complete phase execution
(phase-22) Complete phase execution, fix TRACK requirement mappings
(26) Capture phase context
(state) Record phase 26 context session
(phase-23) Repurpose from redundant OTel phase to Tempo trace backend
(23) Auto-generated context (discuss skipped — infrastructure phase)
(phase-22) Complete phase execution
(23) Create phase plan for Tempo trace backend deployment
(phase-27) Research Cedar authorization engine
(23-01) Complete deploy-trace-backend-tempo plan
(phase-27) Add research and validation strategy
(phase-23) Complete phase execution
(24) Auto-generated context (discuss skipped — infrastructure phase)
(27) Create phase plan — Cedar authorization engine
(24) Create phase plan — collapse HTTP and Connect-RPC to single port
(28) Capture phase context — Zitadel authN swap
(24-01) Complete collapse HTTP and Connect-RPC to single port
(state) Record phase 28 context session
(phase-24) Complete phase execution
(25) Auto-generated context (discuss skipped — infrastructure phase)
(25) Create phase plan for warm pool recovery
(27-01) Complete Cedar authorization engine core plan
(phase-28) Research authn provider swap to Zitadel
(phase-28) Add validation strategy
(25-01) Complete warm pool recovery plan
(phase-25) Complete phase execution
(27-02) Complete authorization middleware plan
(27-03) Complete domain-layer authorization plan
(28) Create phase plan — AuthN provider swap (Zitadel)
(27-04) Complete hybrid policy store + hot reload plan
(phase-27) Complete phase execution
(workstream) Complete credential-auth workstream
(29) Capture phase context
(state) Record phase 29 context session
(28-01) Complete OIDC auth flows plan
(phase-29) UI design contract for Space web dashboard surface
(phase-29) Fix UI-SPEC typography and accessibility issues
(28-02) Complete CLI commands OIDC integration plan
(state) Record phase 29 UI-SPEC session
(29) Research phase domain
(29) Add validation strategy
(29) Create phase plan
(28) Create gap closure plans for lost merge changes
(30) Capture phase context
(state) Record phase 30 context session
(28-05) Update auth-stack ADR and web docs for Zitadel OIDC
(phase-28) Complete phase execution and verification
(31) Research phase domain
(phase-30) Research Zot OCI registry pull-through cache deployment
(phase-30) Add research and validation strategy
Cross-AI review for phase 29
(30) Create phase plan — Zot OCI pull-through cache + Spegel
Start milestone v5.0 Work
Start milestone v7.0 Learn (workstream v7-learn)
Start milestone v6.0 Observe
(31) Create phase plan
Define milestone v6.0 Observe requirements
(29) Revise plans based on cross-AI review feedback
(16-02) Complete proto contract and spawn workflow plan
(v6-observe) Complete research synthesis
(v5-work) Research synthesis for Work module
Complete project research
(32) Research phase domain
(32) Add research and validation strategy
(phase-16) Complete verification — 12/12 must-haves, human testing pending
(phase-16) Mark phase complete
(30-02) Complete k3s mirror config + Spegel plan
(30-01) Complete Zot OCI registry cache plan
(phase-30) Complete phase execution
(32) Create phase plan
(31-01) Complete OIDC auth foundation plan
Create milestone v6.0 Observe roadmap (2 phases)
(v6-observe) Define milestone v6.0 requirements
(v5-work) Define milestone v5.0 requirements (22 REQs)
Define milestone v7.0 Learn requirements (28 requirements, 5 categories)
(31-02) Complete auth interceptor and user menu plan
(v5-work) Create milestone v5.0 roadmap (9 phases)
(v6-observe) Create milestone v6.0 roadmap (4 phases)
Create milestone v7.0 Learn roadmap (5 phases, 28 requirements)
(29-01) Complete surface foundation plan
(phase-31) Complete phase execution and verification
(32) Auto-generated context (infrastructure phase)
(29-02) Complete Live Graph plan
(32) Capture phase context
(state) Record phase 32 context session
(29-03) Complete Space Work module plan
(29-04) Complete knowledge module plan
(32) Rewrite phase plans with CONTEXT.md decisions
(32) Create phase plans for service scaffold + proto contracts
(32-01) Complete docs site scaffold plan

Features

(20-01) Create multi-stage Dockerfile for arpid
(20-01) Create GitHub Actions CI/CD workflow for arpid image
(20-02) Add Postgres StatefulSet manifest for arpid
(20-02) Add Restate server Deployment manifest
(20-04) Add staging smoke test script
(20-03) Create Ansible deploy-arpid.yaml playbook
(20-03) Add Caddy arpid route and wire site.yaml
(21-01) Migrate arpid main.go to slog + OTel TracerProvider
(21-01) Add traces pipeline to OTEL Collector + GoFr env vars to k8s deployment
(21-02) Add otelconnect interceptor, otelhttp wrapper, and custom metrics
(21-02) Instrument spawn workflow with OTel spans and trace correlation
(22-01) Wire credentials.Orchestrator into arpid main.go
(23-01) Add Tempo trace backend and wire OTEL Collector
(23-01) Add Tempo to Ansible deploy playbook
(24-01) Mount Connect-RPC into GoFr HTTP server via middleware
(27-01) Cedar authorization engine core with RBAC policies
(27-02) Implement authZ middleware for HTTP, Connect-RPC, gRPC
(27-03) Add ownership filtering to ListWorkers and wire into handler
(25-01) Implement warm pool recovery on arpid restart
(27-03) Add capability gating to spawn workflow
(27-04) Hybrid policy store with base+DB merge and migration
(27-04) SIGHUP/admin hot reload, wire PolicyStore into authorizer and main
(28-01) Add OIDC auth flows (PKCE + device code) replacing WorkOS
(28-01) Add AuthTransport with OIDC refresh
(28-02) Rewrite login command for dual-flow OIDC auth
(28-02) Update whoami provider string to zitadel
(28) Delete workos.go and workos_test.go (D-07 big-bang swap)
(28-04) Rename WORKOS env vars to OIDC across CLI, server, config, and staging manifest
(28-04) Add Zitadel v4.13.0 to docker-compose reusing arpi-postgres (D-01, D-02)
(30-02) Create k3s registries.yaml and enable Spegel
(30-02) Enable Spegel and deploy registries.yaml via Ansible
(30-01) Create Zot OCI registry k8s manifest
(31-01) Install OIDC deps and create auth config with shared UserManager
(31-01) Add AuthProvider, _authenticated guard, login page, and shell routes
(31-02) Add auth interceptor to Connect-RPC transport
(31-02) Add UserMenu component with profile display and logout
(29-01) SurfaceProvider, STATUS_MAP, shell components, Space routes
(29-02) Add useForceLayout hook, WorkerNode, and MessageEdge components
(29-02) Add LiveGraph, WorkerDetailSheet, and wire live.tsx route
(29-03) WorkerCard, WorkerCardGrid, and workers route
(29-03) KanbanBoard, KanbanCard, board route, inbox test
(29-04) Knowledge store, TipTap wiki editor, and wiki route
(29-04) Lexicon browser, resource links, and route wiring
(32-01) Scaffold Starlight docs site with Scalar API reference and OpenAPI generation
(32-01) Create learn/ service scaffold with FastAPI, config, and tests

Miscellaneous

(29-01) Install Phase 29 npm dependencies
(29-01) Add node_modules to gitignore
(32-01) Configure git-cliff for changelog generation

Testing

(20) Persist human verification items as UAT
(21-02) Add TestRunStepsTracing to verify OTel span creation
(22-01) Add compile-time interface checks and graceful degradation test
(24-01) Update tests and infra for single-port Connect-RPC
(27-01) Add failing tests for Cedar authorization engine
(27-02) Add failing middleware tests for HTTP, Connect-RPC, gRPC authZ
(25-01) Add failing tests for warm pool recovery
(29-01) Add failing tests for SurfaceProvider and STATUS_MAP
(29-03) Add failing tests for WorkerCard and friendlyStatus coverage
(29-03) Add failing tests for KanbanBoard and inbox (DASH-05)

Merge

Resolve Wave 1 conflicts (28-01 iam layer takes precedence)
Include 28-03 SUMMARY from worktree
Integrate Wave 2 (28-02 CLI commands)

[2.0] - 2026-03-30

Bug Fixes

(13) Revise plan 13-02 based on checker feedback
(16) Wire Restate SDK server startup for spawn workflow
(17) Handle SandboxImage/SandboxTimeout in template Compose

Documentation

(12-01) Complete proto toolchain and error package plan
(12-02) Write infrastructure evaluation for workstations lab fork
(12-02) Complete infrastructure fork plan summary
Start milestone v2.0 Platform Core
Complete project research
Define milestone v2.0 requirements
Create milestone v2.0 roadmap (8 phases)
(12) Capture phase context
(state) Record phase 12 context session
(12) Research phase domain - GoFr, Connect-RPC, proto-first architecture
(phase-12) Add validation strategy
(12) Create phase plan — 3 plans in 2 waves
(12-03) Complete status endpoint and dual-serve server plan
(phase-12) Complete phase execution and verification
(13) Smart discuss context
(13) Research authentication phase domain
(phase-13) Add validation strategy
(13) Create phase plan
Complete project research
(13-01) Complete JWT authentication middleware plan
(13-02) Complete CLI device auth flow plan
(phase-13) Complete phase execution and verification
Define v3.0 Experience Layer requirements (35 requirements)
(14) Smart discuss context
Create v3.0 Experience Layer roadmap (10 phases, 40 requirements)
(14) Research registry service domain
(phase-14) Add validation strategy
(14-registry-service) Create phase plan
(14-01) Complete registry domain layer plan
(14-02) Complete registry API layer plan
(phase-14) Complete phase execution and verification
(15) Smart discuss context
(15) Research credential inference and provisioning domain
(phase-15) Add validation strategy
(15) Create phase plan — credential inference + provisioning
(15-01) Complete credential domain types, resolver, and compose plan
(15-02) Complete credential provisioning engine plan
(15-03) Complete credential API + compose API plan
(phase-15) Complete phase execution and verification (CRED-02 injection deferred to Phase 17)
(16) Smart discuss context
(16) Research spawn orchestrator + session API domain
(16) Create phase plan — worker domain, spawn workflow, API handlers
(16-01) Complete worker domain model plan
(16-02) Complete worker proto + spawn workflow plan
(16-03) Complete worker API handlers + server wiring plan
(phase-16) Complete phase execution and verification
(17) Smart discuss context
(17) Research compute domain — OpenSandbox integration
(17) Create phase plan — 3 plans across 3 waves
(18,19) Auto-generate context for remaining phases
(17-01) Complete compute types and OpenSandbox client plan
(17-02) Complete spawn workflow sandbox provisioning plan
(17-03) Complete worker-scoped compute API and k8s manifest plan
(phase-17) Complete phase execution and verification
(phase-17) Evolve PROJECT.md after phase completion
(18) Research streaming and advanced compute domain
(phase-18) Add validation strategy
(18) Create phase plan — 4 plans across 2 waves
(18) Address plan checker warnings — fix must_have truth and VALIDATION.md mappings
(18-03) Complete credential proxy sidecar plan
(18-02) Complete warm pool and egress compiler plan
(18-01) Complete SSE-to-WebSocket streaming bridge plan
(18-04) Complete server integration wiring plan
(phase-18) Complete phase execution and verification
(phase-18) Evolve PROJECT.md after phase completion
(19) Research CLI thin client domain
(phase-19) Add validation strategy
(19) Create phase plan — 2 plans across 2 waves
(quick-260330-plt) Complete wire-provisioner-revoke-into-worker-stop plan
(quick-260330-plt) Wire Provisioner.Revoke into worker stop/delete path
(19-01) Complete API client package plan
(19-01) Complete API client package plan
(19-02) Complete CLI command rewrites plan
(phase-19) Complete phase execution and verification
(phase-19) Evolve PROJECT.md — all v2.0 phases complete
(v2.0) Milestone audit — 19/20 requirements, CRED-04 partial

Features

(12-01) Proto toolchain, server module, and code generation pipeline
(12-01) Implement RFC 9457 error package with HTTP and gRPC transport
(12-02) Fork workstations lab infrastructure into infra/
(12-03) Implement health probes and status handler
(12-03) Dual-serve main.go with Connect-RPC sidecar and graceful shutdown
(13-01) Implement identity package with JWT validation and middleware
(13-01) Wire JWT auth middleware into arpid server
(13-02) WorkOS device auth package, JSON token store, identity migration
(13-02) Rewrite login/whoami for WorkOS device auth flow
(13-02) AuthTransport round-tripper with auto-refresh, ADR update
(14-01) Proto definition, Go types, test fixtures, and error codes
(14-01) Loader and store with search, filter, versioning, pagination
(14-02) Convention map and registry API handlers
(14-02) Wire registry into server startup and Connect mux
(15-01) Implement credential resolver and template compose
(15-02) Add Infisical SDK, provisioner interfaces, and orchestrator
(15-02) Implement provisioner strategies, access checker, and orchestrator tests
(15-03) Proto definitions and code generation for credential and compose services
(15-03) Implement credential and compose API handlers with Connect-RPC wiring
(16-01) Implement worker domain types and FSM
(16-01) Implement Postgres store, migration runner, and SQL schema
(16-02) WorkerService proto with 5 RPCs and generated Go/gRPC/Connect code
(16-02) Restate spawn workflow with durable 4-step pipeline and tests
(16-03) WorkerServer API handlers with idempotency and pagination
(16-03) Connect-RPC adapter, server wiring, and dev docker-compose
(17-01) Compute types and SandboxRuntime interface
(17-01) OpenSandbox REST client with full test coverage
(17-02) Extend worker model with sandbox_id and add compute error codes
(17-02) Implement sandbox provisioning step in spawn workflow
(17-03) Add ComputeService proto, API handlers, and tests
(17-03) Wire Connect-RPC adapter, server routes, sandbox provisioner, k8s manifest
(18-03) Implement credential proxy handler with token auth and audit logging
(18-03) Add credential proxy main.go entry point with env config
(18-02) Implement egress compiler and convention map egress_domains
(18-02) Implement warm pool with channel-based claiming and background replenishment
(18-01) Implement ExecStream SSE streaming on compute.Client
(18-01) Implement WebSocket log streaming handler with heartbeat
(18-04) Extend spawn workflow with egress policy and credential proxy deployment
(18-04) Wire WebSocket, warm pool, egress compiler into arpid server
(quick-260330-plt) Add credential bundle metadata persistence to worker store
(quick-260330-plt) Wire credential revocation into worker stop path
(19-01) API client core — types, errors, client with GoFr envelope unwrapping
(19-01) Worker CRUD methods and WebSocket log streaming
(19-02) Rewrite CLI commands as thin API clients

Miscellaneous

(12-01) Add server .gitignore for compiled binary
Track auth-stack ADR
Complete v2.0 Platform Core milestone

Testing

(12-01) Add failing tests for RFC 9457 error package
(12-03) Add failing tests for health probes and status handler
(13-02) Add failing tests for WorkOS device auth, JSON token store, and identity
(13-02) Add failing tests for AuthTransport round-tripper
(14-01) Add failing tests for loader and store
(14-02) Add failing tests for convention map and registry handlers
(15-01) Add failing tests for credential resolver and template compose
(15-02) Add failing tests for provisioner strategies, access checker, and orchestrator
(15-03) Add failing tests for credential and compose API handlers
(16-01) Add failing tests for worker domain types and FSM
(16-01) Add failing tests for store, migration, and pgx dependency
(17-01) Add failing tests for OpenSandbox REST client
(17-02) Add failing tests for sandbox provisioning step in spawn workflow
(18-03) Add failing tests for credential proxy sidecar
(18-02) Add failing tests for egress compiler and convention egress domains
(18-02) Add failing tests for warm pool with channel-based claiming
(18-01) Add failing tests for ExecStream SSE streaming
(18-01) Add failing tests for WebSocket log streaming handler
(quick-260330-plt) Add failing tests for credential bundle metadata persistence
(quick-260330-plt) Add failing tests for credential revocation in stop path
(19-02) Update CLI tests for API client pattern

[1.0] - 2026-03-30

Bug Fixes

(04) Revise plan 02 — add spawn_test.go with flag resolution tests
(09) Wire CreateSandboxNetwork into runSpawnSandbox (SAND-03)
(11) Revise plans based on checker feedback
(11-02) Correct Bifrost failover chain bedrock -> azure -> lmstudio

Documentation

Initialize project
Complete project research
Define v1 requirements
Create roadmap (9 phases)
(01) Capture phase context
(state) Record phase 1 context session
(phase-1) Research definition loading and CLI surface
(phase-1) Add validation strategy
(01) Create phase plan — 4 plans in 3 waves for definition loading and CLI surface
(01-01) Complete definition loading foundation plan
(01-03) Complete CLI write commands plan
(02) Capture phase context
(state) Record phase 2 context session
(02) Research assembly engine phase domain
(phase-2) Add validation strategy
(02) Create phase plan — 3 plans in 2 waves for assembly engine
(phase-02) Evolve PROJECT.md after phase completion
(03) Capture phase context
(phase-3) Add research and validation strategy
(03) Create phase plan — 2 plans in 2 waves for bare-mode spawn
(state) Record phase 3 planning session
(03-02) Complete spawn wiring plan (work done in 03-01)
(03) Phase verification — gaps found
(03) Create gap closure plans for verification gaps
(state) Record phase 3 gap planning session
(03) Phase verification passed — all gaps closed
(phase-03) Evolve PROJECT.md after phase completion
(04) Capture phase context
(04) Research worktree mode phase
(04-01) Complete worktree-package plan
(04-02) Complete spawn worktree integration plan
(04) Create gap closure plan for arpi stop command (WORK-06)
(04-03) Complete arpi stop plan
(05) Create phase 5 session and lifecycle plan
(05-02) Complete arpi logs stub command plan
(05-01) Complete arpi status plan — session stale detection and status command
(06) Research phase identity-and-iam
(06) Create phase 6 identity and IAM plan
(06-01) Complete auth CRUD layer and audit log plan
(06-02) Complete Infisical SDK wrapper and identity resolution plan
(06-03) Complete login, whoami, spawn —as plan
(07) Create phase plan for credential tiers 1-2
(07-01) Complete Tier 1 ephemeral credential package plan
(07-02) Complete PrepareVirtualKey virtual key config plan
(07-03) Complete spawn integration and session state plan
(08) Research gateway integration phase
(08) Create phase plan
(08-01) Complete gateway package plan — SUMMARY, STATE, ROADMAP updated
(08-02) Complete harness gateway fields plan
(08-03) Complete spawn+stop gateway wiring plan
(08-04) Complete doctor gateway plan — SUMMARY, STATE, ROADMAP updated
(09) Research phase domain — sandbox mode (Wall 2)
(09) Create phase plan
(09-01) Complete sandbox package plan — DockerBackend + SandboxRuntime interface
(09-02) Complete spawn/stop/logs sandbox wiring plan
(10) Research gap closure and polish phase
(10) Add research and validation strategy for gap closure phase
(10) Create phase plan for gap closure and polish
(10-02) Correct REQUIREMENTS.md traceability for 6 completed requirements
(10-02) Update VERIFICATION.md gap entries with resolution notes
(10-02) Complete documentation traceability correction plan
(10-01) Complete gap closure plan — NetworkID wiring and CRED-02 virtual key
(phase-10) Complete phase execution — all gaps closed, verification passed
(v1.0) Milestone audit — 58/62 requirements satisfied, 2 unverified phases
(roadmap) Add Phase 11 audit gap closure, simplify spawn/stop code
(phase-11) Add research and validation strategy for ADR gap closure
(11-03) Retroactive VERIFICATION.md for Phases 1 and 7
(11-02) Complete quick-fixes plan — Bifrost chain, secrets cleanup, otel settings
(11-01) Complete VK constraints plan — SUMMARY and STATE updated
(11-03) Update REQUIREMENTS.md traceability — 4 requirements marked Complete
(11-03) Complete retroactive verification docs plan
(11-04) Complete credential lifecycle plan
(11-05) Complete platform+OTEL plan — PlatformFor and otel-collector.yaml
(11-06) Complete daemon/attach/E2E plan — all gaps closed
Add ADR for daemon harness architecture
Accept agent-messaging ADR with NATS + A2A protocol
Add template-schema ADR, product spec, and updated project context
Update existing ADRs with superseded status and cross-references

Features

Bring CLI and harnesses code into arpi/arpi repo
(04-01) Create worktree package with pure logic and tests
(04-01) Add Branch field to SpawnedAgent and extend state tests
(04-02) Register workspace override flags and add resolveWorkspace
(04-03) Add RemoveWorktree and DeleteBranch to worktree package
(04-03) Create arpi stop command with worktree and bare session cleanup
(05-01) Add IsStale() and PruneStale() to state package
(05-02) Add arpi logs stub command
(05-01) Add arpi status command with stale session pruning
(06-01) Add AuthToken CRUD layer and install IAM dependencies
(06-01) Add audit log writer with append-only JSON lines
(06-02) Add Infisical Login wrapper with injectable AuthFn
(06-02) Update ResolveUID to use auth.toml as primary identity source
(06-03) Implement login and whoami commands
(06-03) Add —as flag to spawn with escalation and audit logging
(07-01) Add credential type contracts (credentials.go)
(07-01) Implement GenerateEphemeral
(07-02) Implement PrepareVirtualKey
(07-03) Add CredentialID field to SpawnedAgent
(07-03) Implement prepareCredentials and wire into spawn paths
(08-02) Add GatewaySection to Definition struct
(08-01) Implement gateway package with Client, Detect, and VK CRUD
(08-02) Export GatewayMCPTransform for Bifrost MCP routing
(08-03) Add GatewayVKID to SpawnedAgent and AssembleWithGateway
(08-03) Wire gateway into spawn and stop commands
(08-04) Add CheckHealth to gateway and Gateway section to arpi doctor
(09-01) Install Docker SDK and define sandbox package contracts
(09-01) Implement DockerBackend, network helper, and secret fetcher
(09-02) Wire sandbox into spawn — Platform field, —platform/—host flags, runSpawnSandbox
(09-02) TDD GREEN — sandbox case in stop.go, real implementation in logs.go
(10-01) NetworkID field in SpawnedAgent, populate at spawn, destroy on stop (SAND-03)
(10-01) Wire PrepareVirtualKey into prepareCredentials for sandbox mode (CRED-02)
(11-01) Add buildVKRequest helper with ProviderConfigs and MCPConfigs
(11-02) Rename otel settings file and wire into all definitions
(11-04) Session-scoped Infisical token lifecycle
(11-05) Add PlatformFor method and thread platform through assembly
(11-05) Add OTEL Collector configuration with OTLP and Prometheus receivers
(11-06) Add Docker exec interface methods and DaemonSocket to state
(11-06) Wire daemon exec and agent auto-launch into sandbox spawn
(11-06) Add arpi attach command for sandbox daemon JSON-RPC (Gap 7)
(11-06) Add E2E QA script for spawn/assembly/status/stop (Gap 12)
Add skill stubs for all definitions-referenced skills
Add agents.md instruction files for all definitions
(audit) Expand audit trail to all significant CLI actions
(sandbox) Add network filtering and update CLI/harness ADRs

Miscellaneous

Add project config
(06-01) Tidy go.mod - testify direct, infisical sdk retained
(11-02) Delete orphaned legacy secrets code
Delete cli/iam/profiles.yaml — IAM comes from provider
Delete legacy cli/contexts/*.yaml and *.claude.md files
(planning) Add phase 11 ADR gap closure plans and verification
Archive v1.0 CLI Prototype milestone

Refactor

Restructure arpi repo to match ontology

Testing

(04-02) Add unit tests for workspace flag resolution logic
(06-03) Add failing tests for login and whoami commands
(07-01) Failing tests for GenerateEphemeral
(07-02) Failing tests for PrepareVirtualKey
(07-03) Add failing tests for prepareCredentials
(08-01) Add failing tests for gateway package
(08-04) Add failing tests for CheckHealth and doctor gateway section
(09-01) Add failing tests for DockerBackend security, env injection, network isolation, secret scoping
(09-02) TDD RED — failing tests for sandbox stop/logs wiring
(10-01) TDD RED — failing tests for NetworkID field, DestroyNetwork cleanup, PrepareVirtualKey wiring
(10-01) Add TestPrepareCredentials_SandboxCallsVirtualKey regression guard (CRED-02)
(11-01) Add TestBuildVKRequest unit tests
(11-05) Add failing TestPlatformFor tests for PlatformFor method