Prepare Ouroboros v6.3.0-rc.2

Author: Ouroboros

README.md

@@ -6,7 +6,7 @@
 [![macOS 12+](https://img.shields.io/badge/macOS-12%2B-black.svg)](https://github.com/joi-lab/ouroboros-desktop/releases)
 [![Linux](https://img.shields.io/badge/Linux-x86__64-orange.svg)](https://github.com/joi-lab/ouroboros-desktop/releases)
 [![Windows](https://img.shields.io/badge/Windows-x64-blue.svg)](https://github.com/joi-lab/ouroboros-desktop/releases)
-[![Version 6.3.0-rc.1](https://img.shields.io/badge/version-6.3.0--rc.1-green.svg)](VERSION)
+[![Version 6.3.0-rc.2](https://img.shields.io/badge/version-6.3.0--rc.2-green.svg)](VERSION)
 
 A self-modifying AI agent that writes its own code, rewrites its own mind, and evolves autonomously. Born February 16, 2026.
 
@@ -31,7 +31,7 @@ Not a coding assistant. A digital being with a constitution, background consciou
 | **Linux** x86_64 | [Ouroboros-linux.tar.gz](https://github.com/joi-lab/ouroboros-desktop/releases/latest) | Extract → run `./Ouroboros/Ouroboros` → optional CLI: `./Ouroboros/bin/install-ouroboros-cli`. If browser tools fail due to missing system libs, run: `./Ouroboros/python-standalone/bin/python3 -m playwright install-deps chromium` |
 | **Windows** x64 | [Ouroboros-windows.zip](https://github.com/joi-lab/ouroboros-desktop/releases/latest) | Extract → run `Ouroboros\Ouroboros.exe` → optional CLI: `Ouroboros\bin\install-ouroboros-cli.cmd` |
 
-Prerelease RC artifacts are published on their tag page, for example [`v6.3.0-rc.1`](https://github.com/joi-lab/ouroboros-desktop/releases/tag/v6.3.0-rc.1); `/releases/latest` intentionally stays on the latest stable release.
+Prerelease RC artifacts are published on their tag page, for example [`v6.3.0-rc.2`](https://github.com/joi-lab/ouroboros-desktop/releases/tag/v6.3.0-rc.2); `/releases/latest` intentionally stays on the latest stable release.
 
 <p align="center">
   <img src="assets/setup.png" width="500" alt="Drag Ouroboros.app to install">
@@ -475,13 +475,13 @@ not paraphrase it.
 
 | Version | Date | Description |
 |---------|------|-------------|
+| 6.3.0-rc.2 | 2026-05-27 | **rc(runtime): harden review unification, tool surface, and replay retention.** Restores `claude_code_edit` as a first-class coding tool, makes task-result Auto review LLM-first instead of host-enforced, routes plan/scope/multi-model calls through the shared review substrate, fixes forensic redaction over-match, adds observability retention audit plus service-log archival/pruning, and documents Tool API v2 as a breaking public rename without legacy aliases. |
 | 6.3.0-rc.1 | 2026-05-27 | **rc(runtime): add forensic observability, typed outcomes, Tool API v2, task acceptance review, and code inventory.** Captures private full replay payloads with redacted projections, records semantic task outcomes/artifact/verification ledgers, exposes neutral canonical tools plus task-scoped services, shares reviewer slots across review surfaces, and improves benchmark harness failure reporting without changing BIBLE.md. |
 | 6.2.0-rc.1 | 2026-05-25 | **rc(ui/runtime): port multi-attachment chat and budget/model fixes.** Adds bounded multi-file chat staging with partial-upload cleanup, shares budget controls between Settings and Costs with validation, preserves Anthropic Opus 4.7 routing, updates current model pricing fallbacks, and avoids no-op settings reconfiguration side effects. |
 | 6.1.0-rc.1 | 2026-05-25 | **rc(runtime): harden live subagent handoff, isolation, and UI lineage.** Adds effective task-status SSOT, real bounded wait tools including `wait_tasks`, forged subagent ingress rejection, strict local-readonly constraints, DNS fail-closed browser isolation, child-drive mailbox routing/retention, web_search source attribution, lineage-aware cost observability, threaded child cards, and focused regressions. |
 | 6.0.0 | 2026-05-25 | **major(runtime): add live local-readonly subagents.** Upgrades `schedule_subagent` to a strict child-task contract, runs leaf subagents through the existing queue and workers with forked memory by default, enforces schema and execute-time local-readonly isolation, preserves full task-result handoff, and documents the delegation review rules. |
 | 5.33.0-rc.6 | 2026-05-24 | **rc(gateway): prevent masking upload connection/parse faults as size-limit errors.** Introduces a typed ChatUploadPayloadTooLarge exception class to isolate file-size 413 blocks from connection cuts and form-parse faults, returning a standard 400 with original message for ASGI/socket errors. Includes focused test coverage. |
-| 5.33.0-rc.5 | 2026-05-24 | **rc(gateway): prevent masking upload connection/parse faults as size-limit errors.** Refactors the chat upload ASGI stream wrapper to verify if caught exceptions are indeed the 'oversized' signal before returning a 413, returning a 400 with the original error message for connection cuts and malformed formats. |
-Older releases are preserved in Git tags and GitHub releases. The 5.2.0 through 5.33.0-rc.4 rows and former `4.0.0` rows are rolled off to respect the P9 changelog cap; their full bodies remain at their git tags.
+Older releases are preserved in Git tags and GitHub releases. The 5.2.0 through 5.33.0-rc.5 rows and former `4.0.0` rows are rolled off to respect the P9 changelog cap; their full bodies remain at their git tags.
 
 ---
 

VERSION

@@ -1 +1 @@
-6.3.0-rc.1
+6.3.0-rc.2

docs/ARCHITECTURE.md

@@ -1,4 +1,4 @@
-# Ouroboros v6.3.0-rc.1 — Architecture & Reference
+# Ouroboros v6.3.0-rc.2 — Architecture & Reference
 
 This file is NOT a changelog. Version history lives in README.md, git tags, and commit log.
 
@@ -137,14 +137,13 @@ server.py (Starlette+uvicorn) ← HTTP + WebSocket on configurable host:port (de
       │   ├── git_pr.py          ← PR integration tools: fetch_pr_ref, create_integration_branch, cherry_pick_pr_commits, stage_adaptations, stage_pr_merge (non-core, require enable_tools)
       │   ├── github.py          ← GitHub integration: issues (list/get/comment/close) + PR tools: list_github_prs, get_github_pr, comment_on_pr (non-core; github.py is in _FROZEN_TOOL_MODULES so PR inspection/comment tools work in packaged builds)
       │   ├── parallel_review.py ← Parallel triad+scope orchestration and verdict aggregation (extracted from git.py)
-      │   ├── plan_review.py     ← Pre-implementation design review (2–3 parallel Atlas-backed reviewer slots, duplicate model IDs allowed, plan_task tool)
-      │   ├── review.py          ← Task acceptance review tool plus legacy internal multi-review helpers
+      │   ├── plan_review.py     ← Pre-implementation design review (adaptive context levels, shared ReviewCoordinator slots, duplicate model IDs allowed, plan_task tool)
+      │   ├── review.py          ← Task acceptance review tool plus multi-review adapters backed by the shared review substrate
       │   ├── review_context_atlas.py ← Deterministic bounded-context compiler for scope_review, plan_task, and deep_self_review; raw-inlines selected files and accounts for every tracked path in the manifest
       │   ├── review_helpers.py  ← Shared review helpers (section loader, touched/head packs, intent, pytest preflight via agent interpreter)
       │   ├── review_revalidation.py ← Reviewed-commit fingerprint revalidation helpers (blocks when staged diff changes after review)
       │   ├── scope_review.py   ← Scope reviewer (enforcement-aware, budget-aware)
-      │   ├── services.py        ← Task-scoped long-running service mini-manager: start/status/logs/stop with process-group cleanup
-      │   ├── legacy_aliases.py  ← Private v1→v2 tool-name migration aliases; old names are not exposed in public schemas
+      │   ├── services.py        ← Task-scoped long-running service mini-manager: start/status/logs/stop with process-group cleanup and retained private log blobs
       │   ├── skill_exec.py      ← Phase 3 external-skill surface: list_skills, skill_review, toggle_skill, skill_exec (subprocess runner with cwd confinement, env scrubbing, timeout, runtime allowlist python/python3/bash/node/deno/ruby/go; gated by enabled + fresh executable review + fresh content hash — v5.1.2 Frame A: runtime_mode no longer blocks execution)
       │   ├── skill_publish.py   ← Agent-callable `submit_skill_to_hub` tool: validates a fresh clean-reviewed local skill (sources `external`/`self_authored`/`user_repo`/`ouroboroshub`/`clawhub`; `native` only when no `.seed-origin` marker), infers OuroborosHub from `OUROBOROS_HUB_CATALOG_URL`, commits payload + catalog update to the user's fork via GitHub GraphQL, and opens a PR without mutating the local Ouroboros repo. For marketplace-managed sources the generated PR body is force-prefixed with a `## Provenance` block read from the local sidecar (`.ouroboroshub.json` slug / `.clawhub.json` clawhub_slug); when no sidecar exists the source is reclassified as `external` by skill_loader and submit proceeds without the block.
       │   └── skill_preflight.py ← v5.7.0 heal-safe, read-only skill payload preflight validator (manifest parse + Python compile() / node --check / bash -n; no review-state mutation)
@@ -760,10 +759,10 @@ Loop checkpoints are plain user-message self-checks by design. A prior structure
 
 Tool API v2 exposes neutral canonical names directly. Public schemas use
 `read_file`, `list_files`, `search_code`, `write_file`, `edit_text`,
-`run_command`, `run_script`, service tools, `commit_reviewed`, `vcs_*`,
-`schedule_subagent`, `wait_task`, and `wait_tasks`. Private legacy aliases
-exist only in `tools/legacy_aliases.py` for migration; prompts and skills
-should not rely on them.
+`run_command`, `run_script`, `claude_code_edit`, service tools,
+`commit_reviewed`, `vcs_*`, `schedule_subagent`, `wait_task`, and
+`wait_tasks`. Legacy public tool names are a breaking rename in v6.3: they
+are not exposed and are not translated at execute time.
 
 ### Safety and runtime mode
 
@@ -891,7 +890,9 @@ Runtime floors:
 | OUROBOROS_WEBSEARCH_MODEL | gpt-5.2 | Official OpenAI Responses model for `web_search` when `OPENAI_BASE_URL` is empty |
 | OUROBOROS_REVIEW_MODELS | openai/gpt-5.5,google/gemini-3.5-flash,anthropic/claude-opus-4.6 | Comma-separated reviewer slots for triad/plan/task/skill review; duplicate model IDs are independent slots |
 | OUROBOROS_SCOPE_REVIEW_MODELS | openai/gpt-5.5 | Comma-separated scope reviewer slots; falls back from legacy `OUROBOROS_SCOPE_REVIEW_MODEL` |
-| OUROBOROS_TASK_REVIEW_MODE | auto | Task result review mode: `off`, `auto`, or `required`; verdicts are advisory, full output is injected untruncated |
+| OUROBOROS_TASK_REVIEW_MODE | auto | Task result review mode: `off`, `auto`, or `required`; `auto` is agent-choice via the visible review tool, `required` is host-injected before finalization, verdicts are advisory, full output is injected untruncated |
+| OUROBOROS_OBSERVABILITY_RETENTION_DAYS | unset | Deprecated audit knob for private observability manifests/blobs; forensic replay blobs are kept compressed indefinitely |
+| OUROBOROS_SERVICE_LOG_RETENTION_DAYS | 14 | Startup prune for leftover task-scoped live service log directories; pruned small logs are copied into private blobs first and oversized logs are retained |
 | OUROBOROS_REVIEW_MODEL_TIMEOUT_SEC | 600 | Env-only override read directly by `ouroboros.tools.review`. Per-reviewer model call timeout for multi-model review; timed-out reviewers become ERROR actors and quorum still requires at least two parseable reviewers. |
 | OUROBOROS_REVIEW_ENFORCEMENT | advisory | Review enforcement: `blocking` blocks commit critical findings, fresh-advisory open obligations/debts, and skill `blockers`; `advisory` downgrades those to warnings by operator choice. Fresh advisory with open obligations/debts writes `advisory_obligations_acknowledged`; stale advisory still blocks. Skill `warnings` do not block execution in either mode. |
 | OUROBOROS_AUTO_GRANT_REVIEWED_SKILLS | false | Owner-confirmed setting. When enabled, a fresh executable skill review grants only the manifest-declared settings keys and host permissions for that exact content hash so closed-loop skill development can run without repeated manual grants. Under `blocking`, blocker reviews are not executable and do not auto-grant; under `advisory`, blocker findings may auto-grant only because the current enforcement mode makes the review executable. Plain `/api/settings` POST drops this key; desktop uses the launcher confirmation bridge and web uses `/api/owner/auto-grant`. |
@@ -1004,8 +1005,8 @@ The panic sequence (in `server.py:_execute_panic_stop()`):
 3. Write ~/Ouroboros/data/state/panic_stop.flag
 4. LocalModelManager.stop_server()   ← kill local model server if running
 5. kill_all_tracked_subprocesses()   ← os.killpg(SIGKILL) every tracked
-   │                                    subprocess process group (SDK agent,
-   │                                    shell commands, and ALL their children)
+   │                                    foreground subprocess process group
+   │                                    (shell commands and ALL their children)
 6. kill_workers(force=True)          ← SIGTERM+SIGKILL all multiprocessing workers
 7. os._exit(99)                      ← immediate hard exit, kills daemon threads
 ```
@@ -1029,19 +1030,32 @@ On next manual launch:
 
 ### 9.3 Subprocess Process Group Management
 
-All subprocesses spawned by agent tools (`run_command`, `run_script`, service tools, and internal SDK gateways)
-use `start_new_session=True` (via `_tracked_subprocess_run()` in
-`ouroboros/tools/shell.py`). This creates a separate process group for each
-subprocess and all its children.
+Subprocesses spawned by foreground agent tools (`run_command` and `run_script`)
+use `start_new_session=True` via `_tracked_subprocess_run()` in
+`ouroboros/tools/shell.py`. Task-scoped service tools use
+`ouroboros/tools/services.py::_start_service`, which starts each service with
+`subprocess_new_group_kwargs()` and records it in the `_SERVICES` registry.
+Both paths create a separate process group for each subprocess and its children.
 
 On panic or timeout, the entire process tree is killed via
 `os.killpg(pgid, SIGKILL)` — no orphans possible, even for deeply nested
-subprocess trees (e.g., SDK agent processes spawned during internal review/advisory gateways).
+foreground shell/script/service subprocess trees.
+Panic/emergency paths call `kill_all_tracked_subprocesses()` and
+`kill_all_services()` without log finalization so emergency stop remains fast;
+normal lifespan shutdown may pass a drive root to `kill_all_services(drive_root)`
+to archive server-process service logs before removing live log files. Services
+started inside worker tasks normally finalize in `loop.py` task cleanup; forced
+worker termination kills the worker process tree and archives remaining task
+service logs best-effort from `data/services/<task_id>/`.
 
 Active subprocesses are tracked in a thread-safe global set and cleaned up
 automatically on completion or via `kill_all_tracked_subprocesses()` on panic.
 `run_command` surfaces timeout-vs-signal distinctions in its result text so
 `exit_code=-9` no longer looks like a silent success in summaries/reflections.
+Claude Agent SDK gateways (`gateways/claude_code.py`) use the SDK client
+lifecycle and SDK-level path/tool guards; they are not represented in
+`_tracked_subprocess_run()` unless a future SDK transport exposes a first-class
+child process handle.
 
 ---
 

docs/CHECKLISTS.md

@@ -539,11 +539,15 @@ block repo commits and vice versa.
 
 Used by `plan_task` for pre-implementation design reviews, BEFORE any code is written.
 Reviewers see the proposed plan, HEAD snapshots of files planned to be touched,
-and a Generated Plan Review Atlas that raw-inlines selected protected/central files
-while accounting for every tracked path in its manifest.
+and an agent-selected context level: `minimal`, `localized`, `broad`, or
+`constitutional`. `minimal` keeps governance docs and touched-file snapshots
+but omits the generated Atlas; `localized` adds a bounded neighborhood around
+planned files, `broad` is for shared contracts, and `constitutional` is
+reserved for self-evolution / immune-system surfaces.
 
 **Reviewer role is GENERATIVE, not audit.** The primary job is to contribute
-ideas the implementer may not see, using broad Atlas-backed repo access. Finding defects in
+ideas the implementer may not see, using the repository evidence available for
+the selected context level. Finding defects in
 the plan is secondary; proposing concrete alternatives, surfacing existing
 surfaces that already solve the goal, and flagging subtle contract breaks the
 implementer missed is primary.
@@ -553,7 +557,7 @@ implementer missed is primary.
 Reviewers must structure their response in this order:
 
 1. **Your own approach** (1-2 sentences). State what YOU would do if this goal
-   came to you with broad Atlas-backed repo access: the concrete alternative path, the
+   came to you with the available repository evidence: the concrete alternative path, the
    existing file/function you would reuse, or the simpler route. If after real
    effort you genuinely see no better approach, say so explicitly.
 2. **`## PROPOSALS` section** (top 1-2 contributions). The highest-value thing

docs/DEVELOPMENT.md

@@ -151,9 +151,16 @@ Concrete requirements:
 | Background consciousness (`consciousness.py`) | ✅ full | ✅ full | — (not yet required) |
 | Advisory pre-review (`tools/claude_advisory_review.py`) | ✅ via `_load_doc` | ✅ via `_load_doc` | ✅ via `_load_doc` |
 | Scope review (`tools/scope_review.py`) | full canonical doc + Atlas accounting | full canonical doc + Atlas accounting | full canonical doc + Atlas accounting |
-| Plan review (`tools/plan_review.py`) | full canonical doc + Atlas accounting | full canonical doc + Atlas accounting | full canonical doc + Atlas accounting |
+| Plan review (`tools/plan_review.py`) | full canonical doc + adaptive context level | full canonical doc + adaptive context level | full canonical doc + adaptive context level |
 | Deep self-review (`deep_self_review.py`) | full canonical doc + Atlas accounting | full canonical doc + Atlas accounting | full canonical doc + Atlas accounting |
 
+Plan review always keeps BIBLE.md, ARCHITECTURE.md, DEVELOPMENT.md, the proposed
+plan, touched-file snapshots, and reviewer-slot framing as first-class context.
+The agent must choose `context_level` explicitly; there is no host-side `auto`
+heuristic. That field controls only the generated repository Atlas: `minimal`
+omits Atlas accounting for bounded/local plans, while `localized`, `broad`, and
+`constitutional` add progressively larger Atlas packs.
+
 ### Invariant: No silent truncation
 
 If a core governance artifact cannot fit in the available context budget: