All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
WebhookInvocationRequest— Caller-supplied payload accepted by the HTTP Input endpoint:promptormessage(user text), optionalsystem_prompt(capped at 4096 bytes by the runtime, truncated on a UTF-8 character boundary), plus pass-through of additional fields.WebhookToolRun— Per-tool ORGA execution preview (tool,input,output_preview).output_previewis UTF-8 safe and truncated to at most 500 bytes by the runtime.WebhookExecutionStartedResponse— Returned when the target agent is in theRunningstate and the request is dispatched on the communication bus (status: "execution_started"withagent_id,message_id,latency_ms,timestamp).WebhookCompletedResponse— Returned when the agent is not running and the request is served by the on-demand LLM invocation path, which runs an ORGA tool-calling loop against ToolClad manifests (status: "completed"withresponse,tool_runs,model,provider,latency_ms,timestamp).WebhookInvocationResponse— Discriminated union alias (Union[WebhookExecutionStartedResponse, WebhookCompletedResponse]).WebhookInvocationStatus— String enum withEXECUTION_STARTEDandCOMPLETED.
- Version alignment with Symbiont runtime v1.10.0.
- Package version bumped to 1.10.0 in
setup.pyandsymbiont.__version__.
- Symbiont v1.9.0 and v1.9.1 introduced ToolClad v0.4.0 runtime features
(session / browser execution modes, HTTP and MCP proxy backends, output
parsers, custom types, secrets injection, W3C
traceparentpropagation, bounded channels, rate limiting, optional LanceDB feature flag). These changes are runtime-side; existing SDK models (ToolManifestInfo,ToolExecutionResult, etc.) remain backward compatible. Thebackendstring onToolManifestInfonow accepts"http","mcp","session", and"browser"in addition to previously documented values.
- ToolCladClient — Full client for ToolClad manifest operations via
client.toolcladlist_tools()— List all discovered.clad.tomlmanifestsvalidate_manifest()— Validate a manifest filetest_tool()— Dry-run a tool (no execution)get_schema()— Get MCP-compatible JSON schema for a toolexecute_tool()— Execute a tool with validated arguments, returns evidence envelopeget_tool_info()— Get detailed tool manifest informationreload_tools()— Trigger hot-reload of tool manifests
- Pydantic models:
ToolManifestInfo,ToolValidationResult,ToolTestResult,ToolExecutionResult
list_communication_rules()— List all communication policy rulesadd_communication_rule()— Add a policy rule (allow/deny between agents)remove_communication_rule()— Remove a rule by IDevaluate_communication()— Evaluate whether a communication is allowed- Pydantic models:
CommunicationRule,CommunicationEvaluation
delete_agent()— Delete an agent and its metadatare_execute_agent()— Re-execute an agent with optional new input (resets ORGA loop)
reasoning.get_tool_profiles()— Tool execution timing statistics and success ratesreasoning.get_loop_diagnostics()— Stuck-loop detection, iteration history, adaptive parameters
- Version alignment with Symbiont runtime v1.8.1
- ReasoningClient — Full ORGA (Observe–Reason–Ground–Act) cycle client with 15 methods
- Cedar policy evaluation, journal system, circuit breakers, knowledge bridge
- Pydantic models with enums for all reasoning types
- Version alignment with Symbiont runtime v1.6.1
- MarkdownMemoryStore — File-based agent context persistence using markdown format
save_context()/load_context()— Atomic save with daily log filesdelete_context()/list_agent_contexts()— Context lifecycle managementcompact()— Remove log files older than retention periodget_storage_stats()— Storage statistics across all agents
- HmacVerifier — HMAC-SHA256 webhook signature verification with prefix stripping
- JwtVerifier — JWT-based webhook verification with optional issuer validation
- WebhookProvider — Pre-configured providers (GitHub, Stripe, Slack, Custom) with factory method
- SignatureVerifier ABC for custom verifier implementations
- SkillScanner — Security scanning with 10 built-in ClawHavoc rules and custom rule support
- Detects pipe-to-shell, wget-pipe-to-shell, env file references, SOUL.md/memory.md tampering, eval+fetch, base64-decode-exec, rm-rf, chmod-777
- SkillLoader — Skill discovery and loading from configured paths
- YAML frontmatter parsing for skill metadata
- Optional SchemaPin signature verification (soft dependency)
- Configurable scan-on-load behavior
- MetricsClient — Sub-client for runtime metrics API (
GET /metrics/snapshot, etc.) - FileMetricsExporter — Atomic JSON file export with compact mode
- OtlpExporter — OTLP export stub (requires
opentelemetry-api) - CompositeExporter — Fan-out to multiple export backends
- MetricsCollector — Background thread for periodic metrics export
- MetricsSnapshot — Serializable snapshot with scheduler, task manager, load balancer, and system metrics
WebhookVerificationError,SkillLoadError,SkillScanError,MetricsExportError,MetricsConfigError
- Webhook:
WebhookProviderType,WebhookVerificationConfig - Skills:
SignatureStatusType,ScanSeverityType,ScanFindingModel,ScanResultModel,SkillMetadataModel,LoadedSkillModel,SkillsConfig - Metrics:
OtlpProtocol,OtlpConfig,FileMetricsConfig,MetricsConfig,SchedulerMetricsSnapshot,TaskManagerMetricsSnapshot,LoadBalancerMetricsSnapshot,SystemResourceMetricsSnapshot,MetricsSnapshot
skillsextra:schemapin>=0.2.0metricsextra:opentelemetry-api,opentelemetry-sdk,opentelemetry-exporter-otlp
- Aligned with Symbiont Runtime v1.4.0
Client.metrics_clientproperty — Lazy-loadedMetricsClientsub-client- All new types exported from
symbiontpackage
- AgentPinClient — Client-side credential verification, discovery, and trust bundle support via
agentpinPyPI package (v0.2.0)client.agentpin.verify_credential()— Full 12-step online verificationclient.agentpin.verify_credential_offline()— Offline verification with pre-fetched documentsclient.agentpin.verify_credential_with_bundle()— Trust bundle-based verification (no network)client.agentpin.fetch_discovery_document()— Fetch.well-known/agent-identity.jsonclient.agentpin.issue_credential()— Issue ES256 JWT credentialsclient.agentpin.generate_key_pair()— P-256 key generation- Key pinning (TOFU) and JWK utilities
Client.agentpinproperty — Lazy-loadedAgentPinClientaccessible directly from the mainClientinstance- AgentPinClient export in
symbiontpackage
- Aligned with Symbiont v1.0.1 release
- Fixed
setup.pyversion drift (was stuck at 0.2.0, now matches__version__)
- SchedulerHealthResponse — New dataclass for the 13-field
GET /health/schedulerendpoint get_scheduler_health()— New method onScheduleClientto query scheduler healthClient.schedulesproperty — Lazy-loadedScheduleClientaccessible directly from the mainClientinstance- Schedule type exports — All schedule dataclasses now exported from
symbiontpackage (CreateScheduleRequest,ScheduleSummary,ScheduleDetail,SchedulerHealthResponse, etc.)
- ScheduleClient tests — 18 test cases covering all 11 methods (list, create, get, update, delete, pause, resume, trigger, history, next-runs, scheduler-health) plus edge cases
- ScheduleClient for cron schedule management API
- Test compatibility fixes for enhanced Client class
See previous releases for historical changes.