ota-run/ota](https:

fixed Windows-only test support utility compilation in provisioning command tests by centralizing shim executable setup, keeping executable behavior correct on Unix and avoiding brittle permission mutation on non-Unix platforms

stabilized release-gate behavior by ensuring the same fix ships with existing test fixtures and contract validations so release automation can complete without platform-specific failures

refreshed the shipped example contracts and public execution templates to the current execution-context and typed-service-manager model, including the adoption starter, container/remote templates, and the in-repo advanced examples

expanded the topology guide with a service-scoped requirements comparison so users can distinguish contract-wide runtimes/tools from service-owned lifecycle and readiness concerns

added a docs decision guide that compares top-level requirements, execution-context requirements, service managers, task prerequisites, and execution modes, and linked it from the docs home page so users can choose the right contract shape faster

fixed requires_services enforcement so task service prerequisites fail on any readiness/healthcheck finding, including warning-severity service checks

fixed requires_services runner behavior so readiness is re-checked for every task or hook that declares a service, while service start commands still dedupe within a run

added requires_services to the published ota tasks --json and ota workspace tasks --json schemas, with matching docs/reference examples so valid output no longer fails schema validation

added task-level requires_services so tasks can declare canonical services that must be ready before the task body runs, and surfaced that requirement in task text/JSON output plus the execution-topology docs and site examples

surfaced resolved execution context names directly in ota run failure cards and ota up
phase/blocker cards, so the primary human-facing error path now matches the execution-topology
truth already present in receipts and summaries

made legacy execution.preferred/... contracts honor the branch’s single-context compatibility
model by surfacing the implicit workload context app in ota run / ota up receipts and
post-setup diagnosis, instead of dropping context names whenever the repo had not been upgraded
to explicit execution.default_context / execution.contexts

restore visible run progress indicators after the repo moved to container-first execution:
interactive ota run <task> once again relies on the run command's own streaming loaders, and
runs now show a short preflight loader while resolving execution backends before task spawn

made grouped policy findings in ota doctor, ota up, and the shared JSON summaries read like operator guidance instead of policy declarations, using active labels such as Review active policy surfaces, normalized item text like Approved provisioning sources are configured, and next steps that point into ota policy review when users need the active policy boundary.

made single version-policy findings in ota doctor and ota policy review use the same operator-facing wording and next-step path into ota policy review, instead of leaving the card as a raw declared-policy summary with generic guidance.

redesigned ota policy review output so policy findings no longer point back to ota policy review itself; the command now leads with a Policy context block, uses action-shaped summaries like Approved provisioning and bootstrap surfaces are configured, and points Next: at changing the repo contract, using approved sources, or updating .ota/org-policy.yaml.

made shared policy-surface findings point into explicit ota policy review <repo> follow-ups in receipt JSON, so external-repo adoption flows no longer fall back to generic “use this policy surface” wording for approved provisioning and bootstrap guidance.

redesigned blocked ota up provisioning output so it now surfaces a single primary Reason: and Next: path, demotes policy/host notes into Additional context, uses BLOCKED consistently when setup cannot clear prerequisites, suppresses leaked setup command framing on that path, and omits synthetic ephemeral container targets from the human UP SUMMARY.

added an Execution Topology design spec draft that proposes execution contexts, typed service managers, context-scoped endpoints, context-scoped readiness, and context-scoped requirements for mixed host/container service repos.

added the first execution-topology foundation slice: contracts can now declare execution.default_context, execution.contexts, and tasks.<name>.context, and ota run / ota up setup now resolve their execution backend from the bound task context instead of only the repo-wide default.

added the next execution-topology service slice: services can now declare typed managers for both manager.kind: compose and manager.kind: host, ota up / ota doctor derive Compose start and healthcheck commands from the Compose manager while host managers keep readiness on the host without fake derived lifecycle commands, and ota services now surfaces manager-backed service control in text and JSON output.

added the next execution-topology topology slice: services can now declare context-scoped endpoints plus readiness.from, ota doctor evaluates contextual readiness from the declared execution context, container task contexts now attach to declared Compose networks, and ota services exposes the projected service topology in text and JSON output.

made execution-context requirements real in readiness flows: ota doctor, ota up, and backend-scoped policy guidance now resolve runtime/tool requirements from the relevant execution contexts instead of only the legacy repo-wide runtimes / tools maps, and container-mode diagnosis now also includes host control-plane requirements when typed Compose managers are in play.

receipts, previews, and execution summaries now expose named execution contexts directly: ota run, ota up, and receipt-diff surfaces report which context executed the work, and ota doctor / other declared-execution summaries now show the default context plus the declared context topology instead of only flat backend metadata.

made contextual service readiness diagnosis honest when the declared readiness context is not executable: ota doctor now emits an explicit topology blocker with the projected endpoint and backend-resolution failure instead of collapsing that case into a generic “service readiness failed” result.

expanded ota doctor --mode remote: remote mode now probes executable remote contexts directly for runtime/tool versions, detects the remote target OS for policy-backed provisioning selection, diagnoses remote provisioning/installability failures through the same canonical provisioning path, emits approved version/provisioning policy surfaces per remote context, and blocks explicitly when a named remote context or remote OS probe is not executable.

made remote-topology diagnosis explicit in native doctor mode: when a repo depends on remote execution contexts, ota doctor now emits a partial-evaluation note instead of silently implying that local runtime/tool checks represent the remote environment too.

stopped ota up from silently remapping remote setup contexts onto native diagnosis: repos whose setup task resolves to a remote context now fail fast with an explicit blocker in normal and --dry-run flows instead of pretending host preconditions and post-setup diagnosis are authoritative.