Skip to content

ota-run/ota](https:

v1.6.3 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

Published 1mo Developer Productivity
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

cli configuration contracts developer-tools infrastructure ota
+5 more
productivity repo-readiness rust validation workspace

Affected surfaces

auth rbac breaking_upgrade

Summary

AI summary

Fixed address_view: host binding resolution for container callers to translate loopback addresses into caller‑reachable aliases.

Full changelog
  • fixed address_view: host target binding resolution for container callers so loopback-only producer host projections (127.0.0.1 / localhost) are translated into caller-reachable host aliases (host.docker.internal / host.containers.internal) based on the caller container backend, instead of leaking container-local loopback addresses that break cross-backend reachability
  • added policy-governed shared-backend environment resolution for execution.local_backends.<name>.environment (profile / image_alias / image), including policy-backed profile and alias approval, allowed/denied source and registry enforcement, deterministic effective image selection on the run path, and declared-vs-effective environment evidence surfaced in run summaries and receipt.steps[*].shared_local_backend.environment
  • added backend-scoped run-path fulfillment for shared local backends: ota now computes deterministic runtime/tool requirement unions for the resolved backend unit, honors execution.local_backends.<name>.fulfillment (none/run), attempts approved provisioning on the actual run path when enabled, and reports distinct missing-requirements vs fulfillment-failed outcomes with structured receipt evidence
  • made run receipts and summaries fully backend-resolution truthful for shared backends: backend/context/lifecycle/image/memory now derive from resolved execution backend bindings, step-level backend fulfillment evidence is preserved, and dependency/hook steps retain machine-readable target_resolutions provenance
  • tightened host-view target binding resolution to fail on conflicting root-vs-mode or mode-vs-mode host projections, while still allowing mixed-backend consumers when the producer host projection is unambiguous
  • added first-class task target bindings under tasks.<name>.targets.<target> with typed service identity (service.task, service.listener, service.address_view) and optional override_input operator channels
  • added strict target-binding validation for unknown service tasks/listeners, non-service targets, missing override_input declarations, and ambiguous duplicate override-input mappings across targets
  • added run-time target resolution precedence: explicit override input > resolved target binding > compatibility literal input default, plus explicit run-time failures when requested address views cannot be resolved truthfully in current topology support
  • added declared-versus-effective target evidence in run receipts and JSON under receipt.steps[*].target_resolutions, and surfaced resolved target bindings in run summary output
  • resolved task target bindings for dependency/hook tasks as well as requested tasks, while preserving existing required-input enforcement behavior for non-requested relations
  • preserved per-step target-resolution evidence in receipts for dependency/hook steps so machine-readable provenance remains truthful beyond the requested task step
  • exported resolved target bindings without override_input as OTA_TARGET_<TARGET> so first-class targets remain operational without legacy input shims
  • allowed address_view: host to resolve service listeners independently of caller backend when the producer listener declaration is unambiguous
  • added first-class shared local backend declarations under execution.local_backends.<name> and task opt-in bindings via tasks.<name>.runtime.backend_binding so multiple long-running tasks can intentionally share one ota-managed local backend boundary
  • added strict shared-backend validation for unknown bindings, backend-family mismatches, context/lifecycle conflicts, and multi-context bound groups without explicit execution.local_backends.<name>.context
  • wired container backend resolution to honor shared local backend identity for lifecycle/context/publication shape reconciliation, deterministic persistent create/reuse/recreate semantics, and ota clean discovery/removal of shared-backend persistent containers
  • expanded address_view: topology truthfulness for container callers: topology resolution now succeeds only when caller and producer share the same declared local backend binding, and still fails clearly for unresolved/non-shared/internal cases without host bridge guessing
  • added declared-versus-effective shared-backend receipt evidence per executed step under receipt.steps[*].shared_local_backend, and surfaced requested-task shared-backend identity/reuse state in run summary output
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track ota-run/ota](https:

Get notified when new releases ship.

Sign up free

About ota-run/ota](https:

All releases →

Related context

Earlier breaking changes

  • v1.6.16 Enforce `metadata.ota.minimum_version` at contract load time across all commands.

Beta — feedback welcome: [email protected]