
ota-run/ota

v1.6.10 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

✓ No known CVEs patched

Topics

cli configuration contracts developer-tools infrastructure ota productivity repo-readiness rust validation workspace

Affected surfaces

auth rbac deps

Summary

AI summary

Hardened Windows native prerequisite activation for Visual Studio Developer Shell and added first‑class file checks, tool acquisition metadata, and workflow inventory commands.

Full changelog
  • hardened Windows native prerequisite activation so visual_studio_dev_shell now applies to the
    real native task bodies selected by ota run and ota up, ota up --dry-run only advertises
    that activation on native workflow paths, conflicting task-level native activations are rejected,
    and the public docs/site now describe the same execution behavior the runner uses
  • fixed container-mode workspace mounts on Windows so Docker no longer receives verbatim
    \\?\\... repo paths from canonicalized worktrees, and clarified container readiness output so
    ota doctor / ota up now say explicitly that container validation covers the selected
    execution image and container path while leaving host-only checks to native diagnosis
  • added ota proof runtime as the native runtime-proof surface: ota can now validate one
    selected runtime path, capture the canonical execution topology, doctor, and up artifacts
    under .ota/proof/, and tear the runtime back down without repo-local glue scripts
  • extended Ota-owned repo artifact hygiene to cover .ota/proof/ alongside .ota/state/ and
    .ota/receipts/, so doctor warnings, doctor fixes, and starter gitignore writes stay aligned
  • split and published the dedicated ota execution topology --json schema, expanded
    ota assist wire-setup so it can author action.kind: copy_if_missing setup tasks directly,
    taught starter init/detect to attach detected env-template copy actions to setup, and added
    first-class Windows native prerequisite activation guidance for Visual Studio Developer Shell
    workflows
  • added first-class file checks and native setup actions: contracts can now use kind: file
    checks for repo-relative file/directory state and action.kind: copy_if_missing for
    cross-platform template materialization instead of POSIX test / cp snippets; ota doctor,
    ota run, ota tasks --json, workspace task inventory, schemas, and docs now expose the new
    action/check surface
  • added first-class tool acquisition metadata under tools.<name>.acquisition, with
    Corepack-managed and explicit shell-command activation as shipped providers: selected
    workflow/task requirement surfaces can now declare one honest acquisition lane per tool,
    ota doctor explains missing acquisition providers through the selected prerequisite path
    instead of repo-global guesswork, and ota up can activate only the selected tools before
    setup without pulling unrelated quickstart or Docker prerequisites into the same lane
  • tightened the first-run command/help/docs path so root help now privileges
    doctor -> detect/init -> validate -> up -> run/proof, and the public docs/site describe the
    same narrower adoption lane instead of leading with the broader advanced command surface
  • added a dedicated Windows native proof workflow that exercises
    visual_studio_dev_shell through ota doctor, ota up, and ota proof runtime on a clean
    GitHub-hosted Windows runner and uploads the proof artifacts for review
  • added task-scoped prerequisite surfaces under tasks.<name>.requirements: workflows can now
    scope runtime, tool, env, and precondition-check diagnosis to the selected setup/run dependency
    closure instead of treating every front door in a multi-path repo as repo-global truth; ota doctor
    and ota up now honor that selected closure directly, ota check additively includes explicit
    task-scoped prerequisite checks when declared, and the flagship plus n8n case-study contracts
    now demonstrate contributor, quickstart, and packaged-runtime prerequisite scoping explicitly
  • fixed scoped prerequisite diagnosis so runtime probes no longer short-circuit selected tool
    findings: native/container ota doctor now always diagnoses both runtime and tool surfaces for
    the selected workflow/task closure, and remote prerequisite diagnosis now honors the same scoped
    task requirement surface instead of falling back to unrelated repo-global truth
  • tightened the workflow prerequisite boundary so an explicitly selected workflow without
    setup.task no longer inherits legacy tasks.setup, and selected task paths with scoped
    requirements no longer run unrelated top-level precondition checks unless those checks are
    referenced from requirements.checks
  • clarified the reusable surfaces docs so object-form attachment overrides now say explicitly that
    runtime.surfaces.<name> still references the declared top-level reusable surface, while
    bind means the runtime-local listener and project.host means the host-facing projected
    endpoint ota reports, checks, and exposes
  • hardened the Windows PowerShell installer wrapper so downloaded bootstrap.ps1 is staged in a
    private temp directory, cleaned up after execution, and used for normal release installs even
    when a stale bootstrap.ps1 happens to exist beside a downloaded install.ps1; repo-local
    -FromSource installs still use the checked-out bootstrap, and bootstrap failures now propagate
    the correct installer exit code
  • updated the published detect/init JSON schema contract so inferred annotations now admit the
    additive metadata Ota emits today: type, signal, and task-scoped agent_safe /
    agent_signal; schema regressions now cover the richer shared inference shape directly so
    machine consumers validating ota detect --json or ota init --json do not reject valid
    annotation output
  • tightened inferred annotation metadata into explicit machine-facing enums: detect/init now emit
    stable enum-backed type, signal, agent_safe, and agent_signal values instead of free-form
    strings, and the command/json reference pages now call out the exact shipped value sets
  • fixed PowerShell repo detection so ota detect / detector-led ota init now infer runtimes.pwsh for pwsh-based script repos instead of emitting the legacy runtimes.powershell key that caused ota doctor to probe Windows PowerShell incorrectly
  • made starter-agent inference explicit in ota detect --dry-run and detector-led ota init --dry-run: both previews now render an Agent boundary outcome (Inferred, Partially inferred, or Omitted) so repos without a safe inferred task see why the starter omits agent instead of having to reverse-engineer that omission from the YAML preview
  • added first-class task launch sources: tasks can now declare structured launch in addition to
    shell run and script, with kind: command for inspectable packaged-command entrypoints and
    a narrow kind: container slice for packaged service runtimes that still preserve
    runtime.surfaces as the canonical publication truth; ota tasks, ota workflows,
    ota execution topology, workspace task inventory output, receipts, and JSON surfaces now carry
    launch details additively instead of forcing common runtime front doors into opaque shell strings
  • hardened container launch execution for production use: named launch containers are replaced
    only when Ota ownership labels prove they belong to the current repo/task, attached container
    launches now observe readiness while the packaged service is still running, service launch
    lifecycle semantics are documented as persistent/Ota-managed for this slice, and the published
    execution/workspace JSON schemas now admit workflow/task launch summaries emitted by the CLI
  • extended reusable runtime surfaces additively: surfaces now support optional UX metadata
    (label, purpose, visibility), kind: https now maps cleanly onto the existing HTTPS
    listener/readiness model, and ota execution topology --json now exposes additive
    surface_attachments intent alongside normalized listener truth
  • consolidated the modern workflow/surface authoring story across examples and docs: the
    examples/full-contract/ota.yaml contract now demonstrates listener shorthand for one host-only
    service, reusable top-level surfaces, attachment overrides for container publication, and
    workflow readiness.surfaces / { surface: ... } exposes in one canonical example, while the
    execution-topology docs now explain the declared-surface plus normalized-listener split directly
    and the JSON output reference now documents ota workflows --json
  • added ota workflows as a read-only workflow inventory command: repo contracts can now list
    declared workflows directly, inspect the default workflow and each workflow's setup/run tasks,
    readiness surfaces, probes, checks, and resolved exposes without falling back to the full task
    inventory surface
  • added first-class top-level surfaces as reusable runtime endpoint definitions: repo contracts can now declare one surfaces.<name> block for shared HTTP/TCP endpoint truth, attach those surfaces to service-task runtimes through tasks.<name>.runtime.surfaces, and use either list-form default attachments or object-form publication overrides for bind/project shaping and primary selection without creating a second listener system; workflow readiness and workflow exposes can reference surfaces directly, ota execution topology shows both declared surfaces and normalized attached listener shape, surface attachment is validated strictly, and derived runtime readiness now follows a single attached surface or the primary attached surface when one runtime publishes multiple surfaces
  • added listener shorthand as authoring sugar for common local listeners: listeners.<name>.http: <port> and listeners.<name>.tcp: <port> now normalize into the existing verbose listener
    model with conservative 127.0.0.1 bind/host defaults, topology JSON still reports the normal
    expanded listener shape, and mixed shorthand/verbose forms are rejected clearly at parse time
  • added first-class reusable readiness probes under readiness.probes: checks can now reference
    probe instead of duplicating shell commands, workflows can now declare readiness.probes, and
    repo readiness no longer has to restate HTTP readiness as inline helper commands just to keep
    doctor, check, and workflow-scoped diagnosis aligned; task runtime readiness and
    services.<name>.readiness can now also reuse those same named HTTP probes instead of
    duplicating transport fields inline
  • fixed named runtime probe endpoint selection so tasks.<name>.runtime.readiness.probe may now
    keep readiness.listener as an explicit non-default listener selector, and ota validates that
    selected listener as the real HTTP service surface instead of rejecting the field or silently
    collapsing back to the primary listener
  • added topology-derived readiness probes on top-level readiness.probes: probes can now resolve
    from declared task listeners or service endpoints instead of copying host/port URLs, while
    ota execution topology now also surfaces the task-probe reachability plane explicitly as
    target.resolution_plane: command_host so machine consumers can distinguish the shipped
    command-plane host-view slice from broader task-target semantics; literal url probes remain
    supported for external endpoints and quick-start adoption
  • extended task-target readiness probes with first-class observer-task resolution: top-level
    probes may now declare target.observer.kind: task plus target.observer.task so host,
    topology, and internal task views resolve exactly from that named task's effective backend
    plane instead of pretending the invoking host process sees every topology the same way
  • tightened observer-backed probe reuse and timeout behavior: contract-level reusable probe
    resolution now preserves observer-backed task probe contracts without forcing host-view endpoint
    resolution, rejects unknown observer tasks/listeners/service endpoints even on the contract-only
    path, and observer-backed backend probe commands now return deterministic timeout status instead
    of collapsing Python fallback timeouts into generic failures; the generated Python probe branches
    now preserve that timeout classification instead of short-circuiting it through unconditional
    shell success/failure glue
  • tightened reusable probe validation so readiness.probes.<name>.target.observer is now rejected
    for target.kind: service instead of being silently accepted and ignored
  • tightened topology-derived task-probe validation so ota validate now rejects task targets that
    name one host-view listener without a real project.host, a fixed projected host port, or
    protocol: http when the probe itself is kind: http, instead of deferring those failures to
    runtime resolution
  • aligned reusable HTTP probes with the canonical readiness request model: readiness.probes
    now supports method, headers, success.status, and body.contains in addition to the
    older single-status shorthand, so literal and topology-derived probes can own the full HTTP
    readiness contract instead of collapsing to path-plus-status only
  • extended ota execution topology with first-class readiness_probes output so the declared
    machine-facing graph now exposes reusable probe definitions directly, including literal-vs-target
    source details and the declared HTTP/TCP request contract, instead of forcing consumers to infer
    probe truth indirectly from runtime/workflow references
  • clarified probe authoring guidance so docs now say explicitly that Ota supports all three HTTP
    success styles: omit both fields for default 200, use expect_status as the one-status
    shorthand, or use success.status when the fuller status-list model is clearer
  • added a dedicated workflows concept page so the docs now explain what repo workflows are, when to add them, why they exist beyond tasks, and how they relate to ota up, ota doctor, and agent.default_task
  • clarified workflow summary text so repo command output now labels the surfaced workflow neutrally as Name instead of incorrectly calling an explicitly selected --workflow <name> path the repo Default
  • fixed workflow-scoped readiness semantics so ota up --workflow <name> and workspace repos.<name>.workflow now keep the final service and post-up diagnosis scoped to the selected workflow instead of falling back to repo-wide blockers, and workflow run selection no longer substitutes agent.default_task / agent.entrypoint when a workflow omits run.task
  • taught workspace orchestration about per-repo workflow selection: ota.workspace.yaml can now declare repos.<name>.workflow, workspace validation now rejects unknown repo workflow names against the referenced repo contract, workspace check / doctor / up / status now target that selected workflow instead of silently assuming the repo default path, workspace list now reports readiness against the pinned workflow when present, and workspace JSON surfaces now expose the selected workflow name per repo
  • extended execution planning to the same canonical workflow model: ota execution plan now supports --workflow <name> and resolves through the selected workflow's setup or run task instead of guessing from repo-wide execution defaults, while ota workspace execution plan now honors repos.<name>.workflow and exposes additive per-repo workflow / task in text and JSON output
  • added first-class repo workflows with workflows.default as the canonical operational path: ota doctor, ota check, ota tasks, and generated AGENTS.md now surface the default workflow, ota up now targets workflow setup/run/services instead of hard-coding repo-wide setup, and workflow-declared service/runtime readiness is now the long-term source of truth with legacy tasks.setup and repo-level required services preserved only as compatibility fallbacks
  • added canonical workspace producer ownership on services.<name>.producer: required services can now point at a producer task in another repo declared under ota.workspace.yaml, ota doctor / ota up / ota run now surface and honor that ownership through the producer repo contract, and ota assist declare-service can now author the producer-owned service shape directly; the shipped cross-repo service slice stays intentionally explicit by supporting producer.address_view: host only and requiring one fixed project.host endpoint on the producer listener
  • added first-class workspace repo producer refs under tasks.<name>.targets.<target>.service.repo: consumer tasks can now resolve another repo declared in ota.workspace.yaml through its host-projected service endpoint, and host-view activation.mode can now reuse or start that producer through the owning repo contract before the consumer runs; the shipped cross-repo slice stays explicit by supporting address_view: host only and requiring one fixed project.host endpoint on the producer listener
  • taught Ota to diagnose task mutation of managed isolated attachment paths end-to-end: ota validate and ota doctor now warn when an obvious task body cleanup like rm -rf .next targets a declared execution.contexts.*.attachments.isolated_paths path, and ota run now upgrades matching resource busy task failures into a product-level Task mutated managed isolated path blocker instead of leaking only the raw runtime error
  • hardened native service bind env projection so tasks can keep container-friendly bind.address: 0.0.0.0 while native runs prefer the declared local project.host.address for app-facing aliases like HOST and SERVER_ADDRESS
  • improved installer ASCII fallback branding so PowerShell and shell install scripts now render a real ota wordmark instead of collapsing to a bare ota line when Unicode output is unavailable
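
The container-mode mount entry above concerns Windows verbatim (`\\?\`) paths, which canonicalization produces and Docker does not accept as a bind-mount source. The following Rust sketch is an added example, not ota's own code: `plain_mount_source` and `MountPathError` are hypothetical names, and the safety check covers only literal `.`/`..`, `/`, and trailing dot or space components (reserved device names and the MAX_PATH limit are not checked).

```rust
// Added example (not ota's code): turn a Windows verbatim path, as returned by
// std::fs::canonicalize, into the plain form a `docker run -v` source expects.
// Works on strings so it can be exercised on any host OS.

#[derive(Debug, PartialEq)]
pub enum MountPathError {
    /// Verbatim path with no drive-letter or UNC equivalent (e.g. \\?\Volume{...}).
    NoPlainForm,
    /// Stripping the prefix would change which file the path names.
    UnsafeComponent(String),
}

/// Returns the path unchanged when it is not verbatim.
pub fn plain_mount_source(path: &str) -> Result<String, MountPathError> {
    let Some(rest) = path.strip_prefix(r"\\?\") else {
        return Ok(path.to_string());
    };
    // \\?\UNC\server\share\dir  ->  \\server\share\dir
    let (prefix, tail) = if let Some(unc) = rest.strip_prefix(r"UNC\") {
        (r"\\".to_string(), unc)
    } else {
        // \\?\C:\dir  ->  C:\dir ; anything else has no plain form.
        let b = rest.as_bytes();
        let is_drive =
            b.len() >= 3 && b[0].is_ascii_alphabetic() && b[1] == b':' && b[2] == b'\\';
        if !is_drive {
            return Err(MountPathError::NoPlainForm);
        }
        (rest[..3].to_string(), &rest[3..])
    };
    // Verbatim paths skip Win32 normalization, so these components are literal
    // names there but would be rewritten (or split) once the prefix is gone.
    for comp in tail.split('\\').filter(|c| !c.is_empty()) {
        let rewritten = comp == "." || comp == ".." || comp.contains('/')
            || comp.ends_with('.') || comp.ends_with(' ');
        if rewritten {
            return Err(MountPathError::UnsafeComponent(comp.to_string()));
        }
    }
    Ok(format!("{prefix}{tail}"))
}

fn main() {
    // Constructed sample paths.
    for p in [r"\\?\C:\src\repo", r"\\?\UNC\nas\share\repo", r"C:\src\repo"] {
        println!("{p} -> {:?}", plain_mount_source(p));
    }
}
```

Refusing the unsafe cases instead of stripping the prefix blindly keeps the mounted directory identical to the one that was canonicalized.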

Related context

Earlier breaking changes

  • v1.6.16 Enforce `metadata.ota.minimum_version` at contract load time across all commands.