v0.1.0a1 — 2026-04-24

First usable alpha. The engine runs end-to-end — seed roadmap, dispatch claude against worktrees, watch the PR, auto-merge (if the operator opts in), and report through a localhost dashboard.

Headline

oxi-core 0.1.0a1 and oxi-adapter-reference 0.1.0a1 on PyPI. Tagged v0.1.0a1 on GitHub. Pre-alpha security audit complete (#41). Auto-merge off by default — operators opt in after they trust their fork's critic.

What shipped

Engine

  • Roadmap ingestion (v3.ingest_roadmap) with tier-aware parsing and diff-based change detection.
  • Dispatch pool (v3.dispatch_pool) with per-host concurrency caps, start_new_session process-group isolation, and atomic last_progress_at stamping to prevent orphan-reap thrash.
  • Argv-form claude -p invocation (v3.dispatch_invoke). No shell=True anywhere. Env whitelist strips everything not in PATH, HOME, USER, LANG, TMPDIR, ANTHROPIC_API_KEY, plus caller-supplied additions.
  • Budget hard-cap (v3.budget) refusing to spend past adapter.budget().daily_hard_cap.
  • PR watcher (v3.pr_watcher) and auto-merge (v3.auto_merge) with terminal-state discipline — MERGED PRs never get reprocessed.
  • CTO verdict critic (v3.cto_verdict) — optional second-model review of diffs before merge.
  • Deadman, kill-switch, heartbeat, orphan-reap, tail-dispatch — full supervisor lifecycle.
  • Rolling handoff snapshots (v3.handoff) with per-worktree retention and identifier safety.
  • Localhost-only HTTP dashboard (v3.dashboard) at 127.0.0.1:8765. HTML-escapes every user-controlled field. 404s everything except /.

Adapter protocol

  • 10-method Adapter Protocol (adapter.py): naming, paths, budget, github_repo, roadmap_location, branch_prefixes, dispatch_hosts, promote_recipe, plan_tier, policy.
  • 7 frozen config dataclasses (NamingConfig, PathsConfig, BudgetCaps, DispatchHost, DispatchPolicy, PromoteRecipe, SkillRef).
  • register_adapter / clear_adapter / current_adapter lifecycle.
  • Reference adapter (oxi-adapter-reference) drives the throwaway sample-project fixture and is the template forks copy.

CLI

  • oxi init — wizard that writes an adapter skeleton into the caller's project.
  • oxi v3 tick — single engine tick; --real-claude flag for live dispatch, --times N for repeat runs.
  • oxi v3 dashboard — starts the localhost dashboard.
  • oxi v3 status — prints task table snapshot.

Security

Pre-alpha audit addressed in #41. See SECURITY.md for the full threat model and security rails. Highlights:

  • Argv-form subprocess only (no shell injection surface).
  • Env whitelist (cloud credentials don't reach worker sessions).
  • Parameterized SQL (no injection on task identifiers, event payloads, status values).
  • HTML escaping on every dashboard field (including pr_number cast to str).
  • Path-traversal defense in handoff snapshot filenames (regex-validated identifiers).
  • Process-group isolation (worker Bash-tool timeout cannot SIGTERM the supervisor).
  • CI additions: gitleaks secret scanning, pip-audit CVE scanning, SHA-pinned actions, Dependabot for weekly pip + action updates.
  • Forbidden-string CI gate scanning for identifiers from prior work.
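
The argv-form, env-whitelist and process-group rails above, sketched as an added example; this is not oxi-core's own code. The names build_worker_env, run_worker and the probe script are hypothetical, the Python interpreter stands in for the claude binary, the parent environment is constructed sample data, and a POSIX host is assumed.

```python
import json
import os
import subprocess
import sys

# Variable names the release notes list as allowed through to workers.
ENV_WHITELIST = ("PATH", "HOME", "USER", "LANG", "TMPDIR", "ANTHROPIC_API_KEY")

# Constructed parent environment; every value is a placeholder, not a real secret.
SAMPLE_PARENT_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/operator",
    "ANTHROPIC_API_KEY": "constructed-placeholder",
    "AWS_SECRET_ACCESS_KEY": "constructed-placeholder",
    "GH_TOKEN": "constructed-placeholder",
}

# Stand-in worker (assumption): reports the env names, argv and session it received.
_PROBE = (
    "import json, os, sys;"
    "print(json.dumps({'env': sorted(os.environ), 'argv': sys.argv[1:],"
    " 'pid': os.getpid(), 'sid': os.getsid(0)}))"
)


def build_worker_env(parent_env, extra_allowed=()):
    """Copy only whitelisted names; everything else never reaches the child."""
    allowed = set(ENV_WHITELIST) | set(extra_allowed)
    return {k: v for k, v in parent_env.items() if k in allowed}


def run_worker(prompt, parent_env, extra_allowed=()):
    """Launch the stand-in worker the way the notes describe a dispatch."""
    # Argv list, no shell: the prompt is a single argument, never parsed.
    argv = [sys.executable, "-c", _PROBE, "-p", prompt]
    proc = subprocess.run(
        argv,
        env=build_worker_env(parent_env, extra_allowed),
        start_new_session=True,  # setsid(): worker gets its own session and group
        capture_output=True,
        text=True,
        timeout=30,
        check=True,
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print(run_worker("refactor; echo injected $(id)", SAMPLE_PARENT_ENV))
```

Because the worker is its own session leader, a signal sent to the worker's process group does not reach the supervisor's group.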

CI

  • Python 3.11 + 3.12 matrix: ruff + pytest for both packages.
  • gitleaks (secret patterns), pip-audit (dependency CVEs), lint-for-leaks (forbidden strings).
  • All third-party actions pinned to full commit SHAs (supply-chain defense).
  • Dependabot weekly updates for pip + github-actions ecosystems.

Tests

531 passing across oxi-core + reference adapter. Core tests use a fake_claude.py binary and FakeGitHubClient — no real API contact in CI.

Known limitations

See SECURITY.md for the full list. Summary:

  • Prompt injection from roadmap or diffs — fundamental tension of every autonomous agent. Mitigation: critic reviews diff before merge. Treat roadmap files with source-code trust.
  • SQLite is the trust boundary. Keep oxi.db mode 0600, single-user.
  • Dashboard has no built-in auth. Localhost-only by default. Widening the bind requires a reverse proxy with auth.
  • pr_overlap fails open on GitHub API errors (conscious decision — the critic + CI are the real gates).

Install

pip install oxi-core==0.1.0a1
pip install oxi-adapter-reference==0.1.0a1  # only if you want the reference fixture

Forks implement their own adapter against the Protocol in oxi_core.adapter; they do not need oxi-adapter-reference in production.

Next

0.1.0a2 — dogfooding-driven polish. Open items tracked in docs/roadmap.md. Priorities: install runbook rewrite, oxi status --json, rollback runbook, CI issue filer, ANSI colors in CLI output.

Contribution path stays closed until dogfooding settles (Phase 5 in docs/PLAN.md).