All notable changes to Spanda are documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
vX.Y.Z); spanda control-center
--version and status report it; GET /v1/version and /v1/instance expose
control_center_ui_version. Auto release bumps the desktop stream and pushes desktop-v*
when a labeled PR changes Control Center paths. Guide:
docs/control-center-versioning.md. Updated
desktop-release-runbook.md,
versioning.md, CONTRIBUTING.md,
control-center.md, and related docs.Entity.attention snapshot on EntityAutonomyProfile; domain SDK clients (ReflexClient,
HomeostasisClient, AttentionClient, FusionClient, ImmunityClient, MemoryClient) in Rust,
TypeScript, and Python; REST GET /v1/autonomy/fusion and /v1/autonomy/memory.crates/spanda-autonomy/tests/cognitive_resilience_integration.rs — reflex+homeostasis,
fusion+readiness, immunity+trust, attention+recovery, memory+replay, damage risk+mission, adaptive
recovery+orchestrator.GetAutonomyFusion and GetAutonomyMemory;
cross-interface and smoke scripts cover domain SDK clients.GrpcClient autonomy RPCs: list_autonomy_reflexes, get_autonomy_fusion,
get_autonomy_memory, and related methods; SDK guides updated (sdk-rust.md,
sdk-typescript.md, sdk-python.md).sensor_readings_from_entity),
enriched operational memory refs + OperationalMemoryModel on /v1/autonomy/memory; promotion
tiers documented in cognitive-resilience-maturity.md;
platform-maintenance.md domain guide;
scripts/cognitive_resilience_smoke.sh CI alias.main smokes/golden paths), CI Nightly
(promotion gates, ROS2, audit) — ci-architecture.md; local
./scripts/ci-fast.sh, optional .githooks/pre-push, scripts/check_cross_surface.sh.spanda-autonomy crate: core types, entity autonomy profile integration, CLI commands
(reflex, fusion, confidence, homeostasis, immunity, alerts, recovery confidence),
REST /v1/autonomy/* and /v1/entities/{id}/autonomy, SDK AutonomyClient, Control Center
Resilient Autonomy tab (live REST panels).homeostasis_policy /
attention_policy in .sd; scripts/bio_inspired_autonomy_smoke.sh.homeostasis_policy /
attention_policy in .sd; scheduler telemetry homeostasis; tamper→quarantine registry overlay;
file-backed reflex traces; gRPC autonomy RPCs (proto 1.0.13); cross-interface autonomy checks; CI
job bio-inspired-autonomy; field soak clock documented (started 2026-06-29).GET /v1/programs/source, POST /v1/programs/contract/verify,
POST /v1/programs/explain, POST /v1/programs/audit/decisions — CLI parity for mission
contracts, explainability, and decision audit trail.POST /v1/programs/assure and
/diagnose; Traceability loads capability matrix from API; Playground loads server program via
/v1/programs/source.[spanda] stderr warnings when AI or live transport
falls back to mock/in-memory paths; program-aware notices before run/sim; SPANDA_QUIET=1
suppresses them.crates/spanda-api/tests/cross_interface_live.rs compares REST
and gRPC health + recovery plan in scripts/cross_interface_consistency.sh..github/workflows/ci.yml with CI Fast (PR required),
CI Integration (main after merge), and CI Nightly (cron + manual). Auto-release now
waits for CI Integration. cargo audit moved to nightly.GET
/v1/version; Cognitive & Resilience naming replaces bio-inspired primary links across guides;
gRPC reflection note corrected; tier and maturity docs aligned —
entity-apis.md, control-center.md,
known-limitations.md./v1/recovery/* and gRPC marked covered by cross-interface smoke;
phase set to Next horizon — release-readiness.md.compile.ts fallback Program stub includes decisionTrees and
offlinePolicies.wasmtime dependency for spanda-plugin WASM loader
from 28.x to 36.x (≥ 36.0.7) — resolves 26 open GitHub Dependabot alerts (CVE-2026-34987 and
related April 2026 Wasmtime advisories).tests/readme_commands/), cross-interface consistency
(scripts/cross_interface_consistency.sh), security regressions
(plugin/package/decision/recovery), property-style parser/manifest/config/policy/capability tests,
CI job release-hardening, and docs: scope-control.md,
release-blockers.md,
release-readiness.md.spanda demo rover package install: prefer monorepo registry/ over incomplete CLI bundle;
fall back to on-disk packages/registry/<name> when resolving registry packages.previous/advance no longer overflow when the token cursor is at
the start (found by property tests).spanda recovery plan targets program
robots; empty plans report Passed: false with operator guidance (RB-008 / #52).verify_v3_decision_signature requires outer
decision fields to match the signed payload.packages/registry/<name> packages no longer
warn as missing from LOCAL_REGISTRY.--config.spanda-governance crate — autonomy levels (0–5),
deployment maturity, certification lifecycle (independent from health), deployment profiles (19
built-in contexts), operational risk model, governance policies (signed assignments + audit
trail), standards profile packages (spanda-standards-*), human accountability, and operational
constraints. Entity model extensions (EntityGovernanceMeta on EntityRecord). Auto-load
spanda.governance.toml (or [config] governance = …). Runtime influence on readiness, trust,
deployment gates, decisions, and recovery. REST: /v1/governance, /v1/compliance,
/v1/certifications, /v1/deployment-profiles, /v1/risk, /v1/certifications/report,
/v1/deployment/verify, /v1/governance/policies, /v1/governance/audit,
/v1/governance/accountability. gRPC proto 1.0.12. CLI: compliance check, governance
validate|report, certification list|inspect|report, deployment profile|verify, risk report.
SDK clients (Rust/Python/TypeScript). Control Center Governance tab (profiles, maturity,
owners, policies, audit, risk). Docs + examples/governance/.--config / --program
mix-and-match examples in control-center.md.GET /admin/oauth/oidc/callback and
/admin/oauth/slack/callback landing pages with postMessage auto-complete; OIDC PKCE (S256);
crates/spanda-api/tests/admin_oauth_tests.rs.spawn_control_center_api; saved connection profile switcher; Discovery transport wizards; OIDC
authorization-code OAuth and Slack app OAuth v2 wizards. REST: /v1/fleet/map,
/v1/config/history, /v1/deploy/gate, /v1/admin/oidc/*, /v1/admin/slack/*, /v1/chaos/*,
/v1/plugins/control-center/{plugin}/bundle. gRPC server reflection enabled.spanda control-center serve at / now serves the React sidebar
shell (built from @davalgi-spanda/web); regenerate with
scripts/sync_control_center_embedded_ui.sh. Legacy HTML remains as fallback when the bundle is
missing.control-center-recovery.json);
REST/gRPC predictive, recoverable-entities, and recommend endpoints (proto 1.0.11); SDK
0.5.6 (getRecoveryPredictive, listRecoverableEntities, recommendRecovery); Recovery
panel graph UI; example [recovery.extensions] plugin;
scripts/recovery_orchestrator_field_soak_init.sh; recovery stable promotion CI job;
recovery-validation-report.md; OpenAPI parity for new
routes.pip
install spanda-sdk; cargo add --package when adding Rust SDK from the monorepo root;
cross-links from sdk.md, sdk-python.md, and
getting-started.md.SPANDA_HSM_SIGN_SCRIPT /
SPANDA_TPM2_SIGN_SCRIPT; per-robot fleet mesh vote posting; Control Center fleet mesh status
panel; split-brain-mesh attack simulation; API proxy GET /v1/decisions/mesh./v1/fleet/decisions/vote/ingest, /v1/fleet/decisions/conflicts); shared multi-node nonce
registry (/v1/fleet/decisions/nonce/register); pluggable signing backend
(SPANDA_CRYPTO_BACKEND, SPANDA_DECISION_SIGNING_KEY_ID) for decision trees, offline policies,
and v3 envelopes./v1/decisions/escalate, /v1/decisions/escalations), Ed25519 decision tree signing
(spanda decision sign-tree), persisted nonce registry, v3 envelope signatures; Control Center
escalation approve;
stable-hardening-distributed-decisions.md;
promoted to Stable in feature-status.rule_enforcement,
attack_simulations); live spanda decision simulate-attack with JSON evidence; GPS loss
recovery flagship demo (examples/showcase/distributed_decisions/gps_loss_recovery/); v3 trace
proof fields; distributed-decisions CI job;
distributed-decision-security.md,
distributed-decision-demo.md.Administration tab — API key CRUD, user directory
(/v1/admin/users), alert channel config (PUT /v1/admin/alert-channels), secrets metadata,
report schedules, integrations summary. Simulation and Replay tabs with program sim
execute, trace library (GET /v1/programs/traces), deterministic replay and playback. Desktop/web
RBAC parity (token banner, role tabs, permission-gated actions). gRPC proto 1.0.9 adds 17
administration/mission/replay RPCs. Embedded HTML UI parity; OpenAPI documents new admin routes;
JSON-RPC gateway routes admin RPCs with RBAC context.listAdminApiKeys, listOperatorMissions, listProgramTraces, etc.).scripts/recovery_orchestrator_smoke.sh,
scripts/recovery_orchestrator_stable_promotion_gate.sh; wired into scripts/showcase_smoke.sh;
stable-hardening-recovery-orchestrator.md.control-center-twins.json; survive Control Center
restart.list_twins, get_twin, sync_twin, push_twin_snapshot in
Rust/Python/TypeScript SDKs./v1/twins).sync and import-replay; OpenAPI completeness; registry spanda-twin-cloud + import
twin.cloud; Administration panel twin registry; SDK 0.5.5 (get_twin_history,
import_twin_replay, gRPC twins); scripts/twin_cloud_unified_path.sh, stable promotion gate +
field soak; hosted-twin-cloud.md,
stable-hardening-twin-cloud-saas.md.deploy/twin-cloud-hosted/), tenant
onboarding runbook, scripts/hosted_twin_cloud_smoke.sh, scripts/publish_sdk_release.sh for SDK
0.5.5 tags.twin.cloud runtime dispatch; verify_sdk_published.sh + CI job.spanda-recovery platform service — planning,
simulation, validation, evidence, learning, recovery graph, playbooks, predictive indicators, and
escalation levels 0–8; integrates with assurance, entity model, readiness, trust, and mission
continuity without breaking spanda heal or POST /v1/programs/recovery/heal.spanda recovery
plan|simulate|dry-run|execute|validate|history|metrics|graph|playbooks|explain.GET/POST /v1/recovery/* endpoints for plans, history, simulate, execute,
validate, playbooks, metrics, graph, policies, explain.planRecovery, simulateRecovery, executeRecovery, validateRecovery,
listRecoveryPolicies, listRecoveryPlaybooks, getRecoveryHistory, getRecoveryMetrics in
Rust, Python, and TypeScript clients./v1/recovery/* routes, REST API tests, Recovery tab
in @davalgi-spanda/web Control Center panel; doc index and getting-started links.ControlCenter RPCs mirroring /v1/recovery/*; Rust
GrpcClient recovery methods (spanda-sdk grpc feature).Recovery plugin wiring: [recovery.extensions] in spanda.plugin.toml;
RecoveryPluginRegistry loaded from enabled plugins; on_recovery_completed hook after execute.
scripts/later_differentiation_stable_promotion_gate.sh, scripts/later_field_soak_init.sh, CI
job later-differentiation-stable-gates.spanda trust,
/v1/trust/program, gRPC GetTrustProgram); scripts/trust_framework_stable_promotion_gate.sh,
field soak + audit prep scripts, CI job trust-framework-stable-gate./v1/analytics/{mission-twin,certification-pack,time-travel,human-teaming,governance}; gRPC
GetAnalytics* LATER RPCs (proto 1.0.7); Analytics tab extended in embedded UI and
ControlCenterPanel; scripts/later_analytics_smoke.sh.spanda-twin-cloud crate; Control Center /v1/twins/*
backend; spanda twin cloud push|pull|list; scripts/twin_cloud_saas_smoke.sh; registry package
spanda-twin-cloud; docs/twin-cloud.md.Content-Length (fixes flaky twin cloud push
and other large mutations).GET /v1/instance returns bind address, config/program paths,
tenant, and pool summary; spanda control-center status [--json] [--url <base>] [--discover]
queries a running server (or scans local spanda listeners with --discover).spanda control-center stop [--json] [--url <base>] [--force] stops
verified local control-center serve listeners; smoke scripts use
scripts/lib/control_center_smoke_lib.sh to kill by bind port on EXIT/INT/TERM (avoids orphaned
cargo run children).localStorage (opt-in, origin-scoped) with server verification on save and Forget token to
clear; docs cover storage key format, troubleshooting, and manual test-plan check.GET /v1/rbac/me;
per-role tab visibility, dashboard workspace, and mutation action buttons for all seven RBAC
roles.SPANDA_DECISION_TRACE=1 or --record; spanda-runtime::decision_trace
helpers.safety.validate rejection), live decision_tree evaluation on sim health faults and scheduler
ticks, fleet mesh consensus recording, DecisionRuntime bridge (DecisionBackedRuntime),
collect_decision_diagnostics in check JSON, TypeScript parser/diagnostics mirror for
decision_tree / offline_policy.enter
degraded_mode, pause_mission, emergency stop); integration tests in
crates/spanda-interpreter/tests/decision_runtime.rs; scripts/distributed_decisions_smoke.sh.requires_central_approval enforcement at tree
action dispatch; escalation pending traces; fleet agent decision_runtime injection; enriched v3
trace security envelope; GET /v1/decisions/traces; gRPC ListDecisions / ListDecisionTraces
parity; Control Center live trace panel.list_decision_traces in Rust/Python/TS SDKs; gRPC decision
endpoint tests; Control Center v3 trace timeline table; fixed distributed-decisions sub-showcase
parser syntax.offline_policy policy_version, signature, and
expires_at fields; runtime trust gate via SPANDA_DECISION_REQUIRE_SIGNED_OFFLINE_POLICY and
SPANDA_DECISION_POLICY_TRUST_KEY; API integration test for /v1/decisions/traces.spanda decision sign-policy emits signatures;
.spanda/decision-policy-cache.json persistence (SPANDA_DECISION_POLICY_CACHE); runtime merges
cached signatures; Control Center live trace polling toggle.spanda decision cache show|sync|clear; GET
/v1/decision-policy-cache; POST /v1/programs/simulation decision_trace / record_trace
flags; Control Center Run sim with traces button with auto live polling.ListDecisionPolicyCache gRPC + SDK
list_decision_policy_cache; spanda demo distributed-decisions; showcase gps.read() typecheck
fixes; hardened distributed_decisions_smoke.sh.examples/showcase/differentiation/decision_trail/
wired into spanda demo differentiation and differentiation_smoke.sh (audit decisions + explain
decision on v3 trace).spanda-whatif crate; spanda what-if CLI with --scenario /
--all; showcase examples/showcase/what_if/gps_failure.sd; scripts/what_if_smoke.sh.spanda-risk crate; spanda risk CLI; showcase
examples/showcase/risk/deployment_risk.sd; scripts/risk_smoke.sh.spanda-graph; spanda trust-graph
CLI; showcase examples/showcase/trust_graph/rover.sd; scripts/trust_graph_smoke.sh.examples/showcase/scorecard/executive.sd; spanda demo scorecard; extended
scripts/scorecard_smoke.sh.spanda readiness forecast composes current readiness, history
trends, and degradation heuristics; showcase examples/showcase/forecast/degradation.sd;
scripts/readiness_forecast_smoke.sh; NEXT smokes wired into differentiation_smoke.sh./v1/analytics/{what-if,mission-risk,readiness-forecast,trust-graph} and Analytics tab in
ControlCenterPanel.GetAnalyticsWhatIf, GetAnalyticsMissionRisk,
GetAnalyticsReadinessForecast, GetAnalyticsTrustGraph on tonic ControlCenter; proto semver
1.0.6; grpc_tests.rs analytics coverage.spanda replay --at /
--inspect); digital mission twin (spanda twin mission); certification packs (spanda certify
pack --bundle); human/robot teaming (spanda team verify); autonomous governance (spanda
governance); showcases under
examples/showcase/{mission_twin,certify/deployment_bundle,human_robot,governance}/;
scripts/later_differentiation_smoke.sh; spanda demo later.main.trace.scripts/differentiation_promotion_gate.sh validates all 15
pillars (showcase parse, topic guides, golden trace); CI job differentiation-promotion-gate.scripts/what_if_stable_promotion_gate.sh,
docs/stable-hardening-what-if.md, topic guide +
roadmap/feature-status sync; CI job what-if-stable-promotion-gate.next-differentiation-stable-gates.spanda-decision — four decision layers (reflex, local entity, fleet/group, control center),
DecisionAuthority / DecisionPolicy / escalation / consensus / conflict resolution, local
decision trees (decision_tree), offline policies (offline_policy), entity
local_decision_authority and requires_central_approval; CLI spanda decision
list|inspect|simulate|trace|explain|policy|security-audit|threat-model|simulate-attack; REST GET
/v1/decisions, GET /v1/entities/{id}/decisions, POST /v1/decisions/simulate, POST
/v1/decisions/escalate, GET /v1/decision-policies; SDK methods; Control Center Decisions
tab; docs in docs/distributed-decisions.md and related guides; examples under
examples/showcase/distributed_decisions/.spanda-plugin crate with versioned spanda.plugin.toml manifests,
capability-controlled host API, registry trust tiers
(official/verified/community/experimental/deprecated/blocked), sandboxed WASM loading
(wasm-loader feature), lifecycle hooks, and CLI (spanda plugin
search|install|uninstall|inspect|trust|enable|disable|list). Six examples under
examples/plugins/; docs in docs/plugins.md and related guides. Complements existing packages
and providers without replacing them.PluginApiHost connects readiness/health/trust/telemetry APIs; registry tarball install
and namespaced CLI dispatch (spanda healthcare readiness); Control Center GET /v1/plugins and
/v1/plugins/control-center; provider-type plugins merge into ProviderRegistry official package
list; audit log persistence; report export dispatches on_report_requested.ControlCenter Smart Spaces RPCs including extended panels
(ListSmartSpacesDevices, GetFacilityHealth, GetFacilitySecurity, GetFacilityFloorMap,
GetZoneEnvironment, GetEnergySystem, ListSmartSpacesGateways); proto semver 1.0.5, 96
RPCs; grpc_tests.rs extended panel coverage.iot_live.rs with Python bridge mock handlers; scripts/smart_spaces_live_iot_smoke.sh; golden
trace fixtures gateway_failover, power_loss_island, water_leak_basement; demo replay wiring.spanda.readiness.toml (gateways,
devices, sensors, emergency); robots/wearables/trust panels in Control Center UI; spanda
control-center smart-spaces CLI; REST/gRPC SDK wrappers (smart_spaces_summary,
facility_readiness, …).smart_spaces_stable_init.sh and smart_spaces_security_self_audit.sh.smart-spaces-promotion-gate CI job; promotion gate
auto-builds release spanda when SPANDA_BIN unset; blueprint certify + safety blocks and
fleet orchestrator robots; KNX package bridge docs parity with BACnet.spanda_python_bridge.py with
mock fallback; package read_point / read_group scripts and optional requirements-*.txt;
hardware smoke via SPANDA_LIVE_IOT_HARDWARE=1.live-building feature on spanda-cli /
spanda-providers routes BACnet/KNX reads through registry package scripts before the Python
bridge; env SPANDA_ROOT, SPANDA_BACNET_READ_SCRIPT, SPANDA_KNX_READ_SCRIPT.spanda_python_bridge.py;
spanda-home-assistant get_state.py / get_state.sh;
smart-space-bms-bridge.md;
scripts/smart_spaces_bms_sidecar_smoke.sh.feature-status.md, ROADMAP.md, and stable-hardening runbooks; per-blueprint field soak and
security audit sign-off remain organizational gates.desktop-v0.4.2
production releases and Stable enterprise ops tier.@spanda/control-center-desktop bumped to 0.4.2;
desktop-v0.4.2 tag triggers macOS bundle build, GitHub Release, and workflow artifacts;
scripts/verify_desktop_release_ready.sh checks version sync before tagging.entityReadiness, entityRelationships, gRPC
entity_health/entity_trust); tags crates-sdk-v0.4.2, sdk-python-v0.4.2, npm-sdk-v0.4.2.docs/feature-status.md, ROADMAP.md, and
enterprise-operations-roadmap.md after implementation
promotion gate; organizational field soak and third-party audit tracked separately.HealthChanged only when
status changes (from/to/reason payload); repeated evaluations with the same status are
suppressed via an in-process cache.ReadinessChanged, ReadinessGateFailed, and
entity-health DegradedModeEntered now emit on state transitions only (readiness snapshot,
mission-ready gate entry, degraded diagnostic entry).SpoofingDetected; API/gRPC RBAC emits
AuthFailed; managed vault rotation emits SecretRotated; fleet registry deregister/replace
emits FleetMemberLeft; interpreter error paths emit MissionAborted; spanda
install/verify-adapter/remove emit PackageInstalled/PackageVerified/PackageRemoved.HealthChanged/HealthCheckFailed; runtime recovery emits
RecoveryTriggered/RecoveryCompleted/RecoveryFailed; mission pause and degraded operating
modes emit MissionPaused/DegradedModeEntered; provider bootstrap emits PackageInstalled.PlatformEventRuntime + publish_platform_event in
spanda-runtime, telemetry-store bridge, and CLI registration. Wired
TrustUpdated/TrustGateFailed, TamperDetected, ReadinessGateFailed, FleetMemberJoined,
and OtaRolloutStarted/OtaRolloutCompleted emitters in trust, tamper, readiness, fleet, and OTA
crates.lean-core/architecture pipeline descriptions, and regenerated api-reference.md for
zero-waiver baseline, spanda-core::hardware_verify, and spanda-ota deploy plan ownership.TS-ARCH-* waivers (0 TypeScript
layer violations). Added compiler-layer type modules (comm/decls, ast/assurance-decls,
readiness-types, types/sensor-types), CheckerHost injection for the type checker, CLI
bridges for readiness/certify/hardware-verify, and reclassified connectivity-positioning to
language runtime.src/cli/run-program.ts);
inject TelemetrySink, SecurityRuntime, ProviderRuntime, and AdapterRuntime at the CLI
boundary with platform-service bridges; closed architecture waivers TS-ARCH-002–TS-ARCH-006
and TS-ARCH-021–TS-ARCH-028.docs/feature-status.md and ROADMAP.md
Pillar 0 updated; SDKs 0.4.1 already published on crates.io, PyPI, and npm
(crates-sdk-v0.4.1, sdk-python-v0.4.1, npm-sdk-v0.4.1).spanda-certify from spanda-driver;
certification proof summaries live in spanda-ota::build_deploy_plan; runtime gate moved to
spanda-assurance (certify-runtime feature) invoked from spanda-interpreter; strict verify
certification merged in spanda-config::verify_with_system_config. Waivers ARCH-001 and
ARCH-C01 removed.spanda-runtime; RuntimeHooks injected from CLI for certification; removed spanda-policy and
spanda-tamper interpreter dependencies (waivers ARCH-011, ARCH-012). Recovery/continuity
types and AST primitives moved to spanda-runtime; interpreter uses injectable AssuranceRuntime
with AssuranceBackedRuntime from CLI/fleet (waiver ARCH-005 removed). Health evaluation,
telemetry persistence, provider dispatch, and fault scanning decoupled via spanda-runtime traits
(TelemetrySink, ProviderRuntime, FaultRuntime) with CLI bridges; removed spanda-config,
spanda-capability, spanda-telemetry-store, spanda-providers, and spanda-runtime-faults
from interpreter (waivers ARCH-004, ARCH-007, ARCH-008, ARCH-010; interpreter→capability
health edge closed). Security and transport decoupled via SecurityRuntime and CommBusHost
traits with SecurityBackedRuntime and RoutingCommBus bridges from CLI/fleet; removed
spanda-security, spanda-transport, and spanda-transport-routing from interpreter (waivers
ARCH-006, ARCH-009, ARCH-214 closed). Live transport feature flags re-exported at CLI via
spanda-transport-routing.validate_architecture.py now builds the crate graph
from production [dependencies] only (excludes dev/build deps). Production graph is acyclic;
removed waivers ARCH-SCC-001, ARCH-C02, ARCH-C03, and ARCH-213 (fleet recovery tests moved
to spanda-fleet).spanda-runtime from spanda-error;
RuntimeError → SpandaError conversion now lives in spanda-runtime (closed ARCH-208).
Removed dev-only orphan waivers ARCH-013–ARCH-014, ARCH-018, and ARCH-212. Rust upward
waivers 26 → 25.WireCryptoSession to spanda-runtime;
transport crates now use security_types from runtime instead of spanda-security (closed
ARCH-217–ARCH-221). Decoupled spanda-providers from spanda-audit and
spanda-telemetry-store via DeviceTelemetrySink injection and an inline ledger stub (closed
ARCH-025–ARCH-026). Rust upward waivers 25 → 19.spanda-ast::comm_decl (closed
ARCH-211); parser uses spanda-connectivity foundation types (closed ARCH-017); config owns
human-health gate and snapshot wire crypto (closed ARCH-202). Rust upward waivers 19 → 16.spanda-codegen drives lexer→parser directly (ARCH-201);
HardwareProfile/CompatItem moved to spanda-connectivity foundation, connectivity validation
moved to connectivity-runtime (ARCH-203); spanda-core removes security production dep
(ARCH-204); spanda-docs accepts injected TypeCheckHost and library list, removing
lib-registry/runtime-host deps (ARCH-205/206); spanda-fleet fully decoupled from assurance,
readiness, tamper, and telemetry-store via OnceLock runtime injection
(ARCH-021/022/209/210); spanda-ota uses readiness and telemetry runtimes (ARCH-024/216);
spanda-runtime-host uses typecheck-embedded capability and import catalogs (ARCH-019/020);
spanda-llvm keeps driver in dev-deps only (ARCH-215). Bridge implementations added in
spanda-assurance, spanda-readiness, spanda-tamper, and spanda-telemetry-store. Orphan
manifest entries ARCH-002/015/016/023/027-036 removed.spanda-telemetry-store::record_platform_event appends
TelemetryEvent::Platform envelopes; wired from entity mutations, readiness evaluation, and
interpreter mission lifecycle hooks when persistence is enabled.dist plan: sync WiX installer product name to spanda; exclude maintainer utility
binaries (spanda-compliance, spanda-package) from cargo-dist packaging.@davalgi-spanda/web PR CI: validate publish tarball with npm pack --dry-run instead of
npm publish --dry-run (fails when the registry version already exists).tonic-build a required build-dependency so cargo
package verifies without the grpc feature.stop_if false E-stop: RunOptions::default() now sets lidar_range = 10.0 m (was 0.0
from derived Default, forcing nearest_distance = 0.01 m and spurious stop_if triggers in
spanda sim / spanda run).loop every in behaviors now emits behavior_tick mission
trace frames when --record is enabled (ADAS highway_drive.trace replays deterministically).SPANDA_CONFIG_SNAPSHOT_KEY races between snapshot_encryption and config_snapshots unit
tests.smart-spaces-smoke GitHub Actions job; provider dispatch for
nine Smart Spaces packages; package .sd module stubs; registry index rebuilt with new packages;
example syntax fixes so smoke passes.fixtures/fire_panel_activation.trace; ten Smart Spaces registry packages
in offline bundled-registry; SPANDA_SMART_SPACES_SKIP_SMOKE on promotion gate./v1/facilities,
/v1/facilities/{id}/readiness, /v1/zones/{id}/occupancy, /v1/energy/systems,
/v1/emergency/status, /v1/smart-spaces/summary); static HTML and React Control Center Smart
Spaces tab with buildings, gateways, zones, energy, and continuity panels; spanda demo
smart-spaces; bundled examples sync; Grafana dashboard control-center-smart-spaces.json;
provider bootstrap and iot_hub stubs for BACnet/KNX/Thread/Z-Wave/Home
Assistant/energy/building/locks/environment; OpenAPI spec parity; promotion gate
scripts/smart_spaces_promotion_gate.sh; registry package smoke tests.docs/solutions/smart-spaces.md, topic guides (building-automation,
ambient-intelligence, energy-management, smart-space-security, smart-space-readiness,
smart-space-device-tree, smart-space-packages), example tree
examples/solutions/smart-spaces/ (six application scaffolds), nine optional registry package
stubs (spanda-thread, spanda-zwave, spanda-home-assistant, spanda-bacnet, spanda-knx,
spanda-energy, spanda-building, spanda-smart-locks, spanda-environment), Control Center
Smart Spaces dashboard spec, website blueprint page, roadmap entry #15, and
scripts/smart_spaces_smoke.sh.entityReadiness / entityRelationships; Rust gRPC
entity_health / entity_trust wrappers.ReadinessChanged, MissionStarted, and MissionCompleted
platform events from readiness evaluation and interpreter orchestration (when audit runtime is
active).PlatformEvent envelopes
(EntityCreated, EntityTagged, …) via AuditRuntime::record_platform_event.validate_blueprints.py),
PlatformEvent envelope in spanda-audit, waiver burn-down plan
architecture-waiver-burn-down.md.examples/entity/ (graph,
query, relationships, health, readiness, trust, traceability, verify) with type-checked .sd
sources.VerifyEntity: proto semver 1.0.3, 83 RPCs; GrpcClient::entity_verify parity
with POST /v1/entities/{id}/verify.evaluate_entity_readiness,
evaluate_entity_health, and evaluate_entity_trust route operational engines through
EntityRegistry; enriched GET /v1/entities/{id}/health|readiness|trust with report payloads;
CLI evaluation parity; guides entity-readiness.md,
entity-health.md, entity-trust.md,
entity-best-practices.md,
entity-migration-guide.md.verify_entity engine in
spanda-readiness routes hardware, mission, fleet, device pool, quarantine, and config validation
through EntityRegistry; POST /v1/entities/{id}/verify; spanda entity CLI (list, inspect,
graph, relationships, traceability, readiness, health, trust, verify, query,
search); SDK entity_verify / verifyEntity; docs
entity-verification.md and
entity-integration-report.md; examples/entity/ samples.ControlCenter RPCs — GetEntityGraph,
GetEntityTraceability, QueryEntities, GetEntityRelationships, GetEntityReadiness,
RegisterEntity, TagEntity, RelateEntities, SyncEntities (proto semver 1.0.2, 82 RPCs);
JSON-RPC gateway read paths for graph/traceability/query/relationships/readiness; GrpcClient
helpers with SPANDA_API_KEY Bearer on mutations; warehouse fixture tests in grpc_tests.rs.entity_graph, entity_traceability, query_entities,
register_entity, tag_entity, relate_entities, sync_entities — parity with TypeScript and
Rust SDKs; covered in scripts/entity_model_smoke.sh.entity_traceability: query helper for GET /v1/entities/traceability.scripts/agriculture_smoke.sh validates
examples/solutions/agriculture/field_patrol.sd (agriculture-smoke job).examples/solutions/environmental-monitoring/sensor_mesh.sd,
examples/solutions/maritime/harbor_patrol.sd; consolidated
scripts/solution_blueprints_smoke.sh (agriculture, environmental, maritime).spray_mission.sd, harvest_convoy.sd, gateway_bridge.sd,
convoy_escort.sd, docking_assist.sd in solution blueprint smoke.entity_model_stable_promotion_gate.sh, Rust SDK in
entity_model_smoke.sh, Python SDK 0.4.1 with entity_relationships / entity_readiness;
runbook entity-model-stable-promotion.md; CI
entity-model-promotion-gate.scripts/entity_model_smoke.sh CI job covering graph,
traceability, query, and mutation APIs; Control Center Entities tab write UI (register, tag,
relate, sync); TypeScript SDK entity mutation helpers (registerEntity, tagEntity,
relateEntities, syncEntities, entityGraph, entityTraceability, queryEntities).POST /v1/entities/register,
{id}/tags, relationships, and sync; audit events; TOML sync to facilities/overrides
fragments; SDK helpers.vehicle entity kind + compliance metadata, flat hazard zones and spatial sessions, package
entity_kinds manifest section, and spanda.facilities.toml config fragment.spanda-graph dependency nodes with entity
IDs (entity_id metadata); merge digital-thread device links and program-graph edges into the
entity relationship store via apply_traceability_overlay; unified GET
/v1/entities/traceability query across entity registry, program graph, and digital thread.MissionRuntime from loaded programs and
approval seeds into /v1/entities; participates_in relationships and mission readiness payloads
on /v1/entities/{id}/readiness.EntityRecord, EntityRegistry, EntityGraph,
and EntityQuery in spanda-config; expanded /v1/entities/* API (graph, relationships,
readiness, query); Control Center Entities tab; SDK entity helpers; docs in
docs/entity-model.md (+ registry, graph, relationships, query language
guides) and ROADMAP.md Pillar 0.@spanda/web for npm org parity; publish via
npm-web-v* with ControlCenterPanel exports.crates-sdk-v0.4.1.spanda-sdk on crates.io (v0.4.0), PyPI (v0.4.0), and
@davalgi-spanda/sdk on npm (v0.4.1); README and docs updated with install commands and token
rotation table.@davalgi-spanda/sdk (npm org
@davalgi-spanda; @spanda scope unavailable on npm).crates-sdk-v* tag).assure, run_simulation, replay, get_entity, list_devices on
optional grpc feature.sdk_ops_tests."execute": true
(sim) or "deterministic" / "playback" (replay); optional Rust grpc feature on spanda-sdk;
PyPI/npm publish workflows for sdk/python and @spanda/sdk.crates/spanda-sdk (Rust), sdk/python (pip install spanda-sdk),
sdk/typescript (@spanda/sdk); program-level REST endpoints on spanda-api for CLI parity
(/v1/programs/*, /v1/entities/*); matching gRPC RPCs (EvaluateProgramReadiness,
ListEntities, …); docs in docs/sdk.md,
docs/control-center-api.md.scripts/sdk_smoke.sh exercises program REST endpoints; JSON-RPC
gateway maps Control Center SDK methods; rpc() on all SDK clients.spanda-grafana-dashboards template control-center-adas.json for
fleet health, safety alerts, and mission trace volume.lane_keeping/lane_keeping.trace (20 behavior_tick frames)
replayed in adas_smoke.sh.spanda-radar, spanda-lidar, spanda-ultrasonic,
spanda-automotive-ethernet, spanda-lin, spanda-uds, spanda-v2x (experimental stubs); ADAS
device trees use dedicated radar/LiDAR providers; traffic sign and pedestrian detection examples.ros2_automotive/automotive_nav.sd with spanda-ros2 /cmd_vel publish.scripts/adas_stable_promotion_gate.sh, soak/audit init scripts,
stable-hardening-adas.md; ultrasonic nodes in parking device
trees.ADAS live sensor bridges: automotive_hub provider dispatch with SPANDA_LIVE_RADAR /
SPANDA_LIVE_LIDAR / SPANDA_LIVE_ULTRASONIC and SPANDA_*_CMD env probes;
scripts/adas_automotive_sensors_smoke.sh.
Control Center API key generator: spanda control-center api-key generate [--export]; startup
warning when no keys configured; embedded UI auth banner with paste field; docs updated in
control-center.md.
Control Center auth docs: control-center.md documents UI access
paths, API key setup (SPANDA_API_KEY, SPANDA_API_KEYS_FILE), role matrix, and which endpoints
require Bearer auth; getting-started.md cross-links the guide.
H6 HRI depth (experimental): vendor live backends (SPANDA_LIVE_HEALTHKIT,
SPANDA_LIVE_HOLOLENS); [[twins]] and [[mission_approvals]] config; GET /v1/humans/twins,
GET /v1/operator/mission/approvals; mission approval queue persistence; Humans tab mission
approval UI; hri_field_soak_init.sh and hri_security_audit_prep.sh for Stable promotion ops.
H5 HRI engineering expansion (experimental): [[hazard_zones]] config; GET
/v1/humans/readiness team rollup; GET /v1/hri/collaboration participant graph; GET
/v1/hri/context hazard and location snapshot; Control Center Humans tab panels for team
readiness, collaboration, and context awareness.
HRI stable promotion gate: scripts/hri_stable_promotion_gate.sh and
stable-hardening-human-interaction.md; @spanda/web
ControlCenterPanel Humans tab parity with embedded Control Center.
H4 Control Center human UI (experimental): Humans tab in Control Center; GET /v1/humans,
/v1/wearables, /v1/human-health/policy; HumanHealthGate opt-in
(SPANDA_HUMAN_HEALTH_ENABLED + [security.human_health]); VR training continuity example.
H3 HRI & collaboration (experimental): spanda-voice, spanda-gesture, spanda-eye-tracking
registry packages; HriInputProvider and OverlayProvider wiring; [[spatial_sessions]] config;
Control Center /v1/hri/sessions API; collaborative continuity in spatial-computing blueprint
examples.
packages/registry/<name> tree; path/git overrides of official names no longer wire built-in
providers; official_provenance validation warning; OfficialProvenance API in
spanda-package::official.Production deploy gates: spanda deploy gate --policy production hard-fails on
official_provenance (official name path/git squatting) and registry_signatures
(SPANDA_REGISTRY_REQUIRE_SIGNATURE=1 plus verified lockfile registry signatures);
spanda-package::provenance_gate helpers.
H2 Wearables & AR (experimental): nine registry packages (spanda-smartwatch,
spanda-industrial-wearables, spanda-bodycam, spanda-hololens, spanda-arkit,
spanda-arcore, spanda-vision-pro, spanda-magic-leap, spanda-openxr);
WearableTelemetryProvider and SpatialSessionProvider traits; provider dispatch and package
stubs; spatial-computing blueprint device tree wired to H2 providers.
H1 Human Interaction (experimental): HumanRegistry and fleet device tree nodes for humans,
wearables, AR/VR/drones; operator capability registry; human_collaboration readiness profile and
compliance template; spanda demo spatial; ./scripts/spatial_computing_smoke.sh.
examples/solutions/spatial-computing/ with
six reference workflows (warehouse AR, remote maintenance, VR training, SAR AR, wearable health,
operator approval); device tree with humans, wearables, AR/VR nodes.Master roadmap updated with Human Interaction & Spatial Computing platform pillar.
adas-smoke job; bundled spanda demo adas; application variants
(shuttle, mining, delivery, agricultural, construction); scenario trace fixtures; diagnose/explain
in smoke.spanda-canbus dependency; providers catalog update.spanda-opencv,
spanda-slam, spanda-gps, spanda-fusion, spanda-canbus, spanda-mqtt); consolidated
vehicle CAN gateway; hardware_profile = "JetsonAutomotive" matches program deploy target so
spanda verify and spanda config validate pass with [config] devices.sim_record/lane_keep_task golden trace (20 scheduler frames); smoke covers all nine application
device trees.Control Center ADAS tab and website/solutions.html Official Solution Blueprints page.
iso13849 and
iec61508; showcase programs automotive_rover.sd, machinery_rover.sd, iec61508_rover.sd;
Control Center compliance tab profile selector; readiness scoring in compliance verify uses deploy
target.spanda compliance list (built-in + signed catalog); spanda demo
compliance runs all five profile showcases.SPANDA_WS_MAX_PENDING_FRAMES, SPANDA_WS_HEARTBEAT_INTERVAL_MS).GET /v1/audit/mutations/export?format=cef|jsonl; registry
package spanda-audit-siem.spanda-alert-escalation with tier routing
guidance.device_pool_scale) +
scripts/device_pool_perf_bench.sh.openapi.json for all /v1/*
routes; openapi_routes.rs registry + openapi_parity_tests.rs CI guard.SPANDA_DRIFT_SCAN_INTERVAL_SECS), GET
/v1/drift/scans, POST /v1/drift/scan, ConfigDrift alerts with critical auto-incidents; CLI
control-center drift scan|scans.grpc_policy.rs, proto semver 1.0.0 on control_center.proto,
GET /v1/version → grpc block; Health status includes proto semver and RPC count.rollback_on_readiness_fail on POST /v1/ota/execute (env
SPANDA_OTA_ROLLBACK_ON_READINESS_FAIL); auto-rollback deploy agents when post-deploy readiness
fails.required_approvals on submit +
SPANDA_CONFIG_APPROVALS_REQUIRED; distinct approver votes with quorum metadata;
publish-on-approve when quorum met.scripts/ota_fleet_soak.sh — multi-agent version bumps and canary→full
progression tests.control_center_openapi_parity.rs verifies CLI routes exist in
REST_V1_ROUTES.encrypt on POST /v1/config/snapshots
or SPANDA_CONFIG_SNAPSHOT_ENCRYPT=1 + SPANDA_CONFIG_SNAPSHOT_KEY.scripts/failover_drill_smoke.sh validates redundant chain selection
and recovery actions.burn_rate object on GET /v1/sre/summary with fast_burn when fault
alert rate exceeds budget (SPANDA_SRE_BURN_RATE_FAST, SPANDA_SRE_BURN_WINDOW_HOURS).SPANDA_SRE_BURN_SCAN_INTERVAL_SECS) with deduplicated HealthCritical alerts.POST /v1/integrations/pagerduty/webhook (ack/resolve
→ incidents); outbound ack/resolve events on incident workflow; incident_id in PD custom
details.GET /v1/digital-thread/query (lifecycle_phase filter, lifecycle_rows / lifecycle_summary);
lifecycle layout in graph UI.spanda-grafana-dashboards (SRE + OTA JSON
dashboards).packages/sdk-python/VERSIONING.md, sdk-python-v* tag
workflow, version 0.4.0.@spanda/web publish scaffold: PUBLISHING.md, npm-web-v* tag workflow with PR dry-run.scripts/field_soak_gate.sh +
docs/field-soak-gate.md.SPANDA_OTA_REQUIRE_CERTIFY /
SPANDA_PRODUCTION_POLICY=production enforce certification proof on POST /v1/ota/plan and
/v1/ota/execute.GET
/v1/compliance/profiles; cargo run -p spanda-compliance --bin sign_catalog.GET/POST /v1/reports/schedules with webhook delivery
(SPANDA_REPORT_SCHEDULE_INTERVAL_SECS).SPANDA_DISCOVERY_REQUIRE_TLS, SPANDA_DISCOVERY_TLS_CA_BUNDLE,
registry package spanda-discovery-tls; tls summary on discovery responses.scripts/security_audit_prep.sh, registry package
spanda-security-audit, docs/security-audit-third-party.md..github/workflows/desktop-release.yml),
env-gated Tauri updater (TAURI_UPDATER_PUBKEY, SPANDA_DESKTOP_UPDATER_ACTIVE),
docs/desktop-release-runbook.md.scripts/verify_sdk_publish_ready.sh for PyPI/npm readiness checks.ControlCenterPanel and embedded Control
Center HTML — filter by capability/device, click-to-highlight neighbors.--config is set.ListConfigApprovals, SubmitConfigApproval, ApproveConfigApproval,
RejectConfigApproval, ListComplianceEvidence (60 RPCs total).GET/POST /v1/config/approvals, approve/reject subpaths; RBAC-gated
publish workflow..spanda/evidence-append.jsonl on export; GET
/v1/compliance/evidence.SPANDA_ALERT_PAGERDUTY_*,
SPANDA_ALERT_TEAMS_URL); registry packages spanda-alert-slack, spanda-alert-pagerduty,
spanda-alert-teams.mtbf_hint_ms, health_trends, and readiness_trends on GET
/v1/sre/summary; critical alerts auto-open incidents.ControlCenterPanel.mmcli probe; SPANDA_DISCOVERY_NO_STUB to skip transport stubs.SPANDA_SRE_SLO_PERCENT and slo object on GET /v1/sre/summary.@spanda/web ControlCenterPanel.list_incidents, create_incident, ack_incident, resolve_incident.scripts/sign_tauri_macos.sh with optional CI secrets.DriftDimension::Policy and Safety route firmware,
attestation, and assurance findings into all seven by_dimension buckets.IncidentStore in spanda-ops; GET/POST /v1/sre/incidents,
ack/resolve subpaths; HA persistence; gRPC
ListSreIncidents/CreateSreIncident/AckSreIncident/ResolveSreIncident; MTTR hint on
/v1/sre/summary.spanda-discovery-wifi, spanda-discovery-cellular,
spanda-discovery-serial packages; BLE/USB registry wrap; host probes via env overrides.build.rs injects TAURI_UPDATER_PUBKEY; macOS CI uploads
bundle artifacts.SPANDA_TENANT_ID scopes Control Center instances; API keys carry
tenant_id (SPANDA_API_KEYS_FILE JSON); GET /v1/tenant; gRPC GetTenant; 403 on tenant
mismatch for authenticated requests..spanda/
(SPANDA_CONTROL_CENTER_STATE_DIR); survives restarts for operator dashboards.spanda-otel-collector;
SPANDA_OTEL_COLLECTOR_URL; GET /v1/observability/backend; gRPC GetObservabilityBackend.tauri-plugin-updater in @spanda/control-center-desktop
(inactive until signing pubkey is configured).spanda-audit;
GET /v1/audit/mutations; JSONL persist at .spanda/control-center-mutations.jsonl
(SPANDA_MUTATION_AUDIT_PATH); gRPC ListAuditMutations.GET /v1/version; X-Spanda-Api-Version: v1 header enforcement on
REST and gRPC.SPANDA_DEPLOY_AGENTS registry path for POST /v1/ota/execute;
scripts/ota_fleet_execute_smoke.sh.GetDeviceTree, GetDeviceReports, GetFailoverChains,
ListSecrets, GetRbacMatrix, GetAnalyticsReadiness, ExportReports,
GetObservabilityTraces, GetOtlpTraces, ExportOtlpTraces, ExportOtlpMetrics RPCs (39
total).DiscoverDevices, RunDiscovery, ProvisionDevice,
PlanOta, ExecuteOta, ListRobots, ListFleets, ListAlerts, ListConfigSnapshots,
OperatorQuarantine, OperatorMissionApprove, ExportCompliance RPCs (28 total);
Bearer/x-api-key metadata for mutation RBAC.discovery_registry wraps installed spanda-discovery-mdns,
spanda-discovery-ble, and spanda-discovery-usb transports; installed_packages on discovery
API responses.OTA fleet execute: POST /v1/ota/execute runs remote rollout via deploy agents
(execute_remote_rollout); dry-run parity with plan.
GetHealthSummary, GetAssuranceSummary, GetDiagnosisSummary,
GetExecutiveScorecard, QueryDigitalThread, GetOtaStatus, GetOtlpMetrics RPCs (16 total).OTLP metrics (Control Center): spanda-ops::otlp_metrics, GET
/v1/observability/otlp/metrics, POST /v1/observability/otlp/export-metrics; enterprise ops
smoke probe.
ListDevices, ListFleetAgents, EvaluateReadiness, GetSreSummary,
GetTrustPackage, GetOpenApi RPCs on tonic ControlCenter; REST parity helpers in handlers;
live probe grpc_live_probe.rs; scripts/enterprise_ops_smoke.sh gRPC section.control-center-desktop job (Linux compile check); control-center-desktop-bundle
job (TAURI_BUILD=1 on macOS main pushes).Fleet agent interpreter recovery (Stable): scripts/fleet_agent_recovery_smoke.sh; wired into
scripts/fleet_field_validation.sh; mesh integration test coverage.
run/sim via
try_invoke_recovery_for_event and issue_to_recovery_issue; approval polling every trigger
maintenance tick with deferred retry; fleet mesh failure events (fleet_mesh_recovery_failed);
mission health-critical recovery hook; tests recovery_auto_triggers_during_run_on_health_fault;
extended scripts/self_healing_smoke.sh.--grpc-bind, ControlCenter service with
Health/GetDashboard/DetectDrift); full operational drift (detect_operational_drift_full with
program + agent findings, GET /v1/drift); Tauri desktop build script
(scripts/build_control_center_desktop.sh, TAURI_BUILD=1 for installers); gRPC test
crates/spanda-api/tests/grpc_tests.rs.Field validation: scripts/fleet_field_validation.sh — multi-process fleet agents, mesh
orchestrate, recovery/continuity mesh tests; wired into scripts/showcase_smoke.sh; golden-path
robot names aligned (ScoutA/ScoutB).
Policy engine readiness integration: spanda readiness --policy <name> merges operational
policy evaluation into readiness scoring (OperationalPolicy factor, violation issues,
mission_ready gating); spanda deploy gate --operational-policy <name> adds an operational policy
deployment gate; evaluate_policy_with_options shares readiness options with
min_readiness_score rules; scripts/policy_smoke.sh extended; docs
policy-engine.md, readiness.md,
deployment-gates.md, test-plan.md,
roadmap.md, README.md.
Enterprise operations roadmap expansion: docs/enterprise-operations-roadmap.md — platform context (§0), 20-pillar classification with Control Center module map, Device Pool lifecycle, discovery transport matrix (WiFi/LTE/5G/DNS-SD/Serial/Modbus RTU), Package Trust scoring criteria, SDK surfaces (CLI/REST/gRPC/WebSocket/Python), Compliance/APIs/Observability specs, lifecycle coverage map, and stable-hardening matrix; docs/roadmap.md — Complete Autonomous Systems Platform table, enterprise integration spine diagram, deliverable index; docs/feature-status.md — 20-pillar enterprise operations matrix; docs/platform-overview.md — Enterprise Operations layer.
spanda-config with Active
lifecycle state, health/calibration readiness gates (device_health), quarantine policy
(device_quarantine), pool operations (assign/unassign/quarantine/retire/trust),
identity anomaly detection, host-backed multi-transport discovery (discovery_live for
mDNS/BLE/USB/CAN/MQTT/ROS2 with stub fallback), discovery pool ingestion
(ingest_discovery_matches), device report bundle, config persistence (device_config_persist),
failover chains (device_failover) integrated with recovery via
enrich_recovery_plan_with_failover; CLI spanda device
provision|assign|unassign|quarantine|trust|retire with --write; Control Center API GET
/v1/devices/{id}, POST /v1/devices/discover, per-device provision/assign/quarantine/trust, GET
/v1/robots|fleets|device-tree|failover/chains|device-reports, POST /v1/readiness/run; expanded
@spanda/web Control Center panel with trust/provision/assign/quarantine actions and robot
selector; registry package spanda-discovery-mdns; docs device-pool.md,
device-provisioning.md,
device-discovery.md,
device-quarantine.md, calibration.md.
OTLP/JSON trace export to Jaeger (GET /v1/observability/otlp/traces, POST
/v1/observability/otlp/export, SPANDA_OTLP_TRACES_ENDPOINT, SPANDA_OTLP_TRACE_AUTO_PUSH);
WebSocket live telemetry stream (WS /v1/stream/telemetry); Python TelemetryStream (pip
install spanda-sdk[stream]); smoke probes scripts/mock_otlp_traces_collector.py,
scripts/ws_telemetry_probe.py.@spanda/control-center-desktop wraps ControlCenterPanel in
a Tauri v2 shell; npm run control-center:desktop:dev; compile smoke
scripts/control_center_desktop_smoke.sh.GET /v1/reports/export?format=pdf returns base64-encoded PDF via
spanda-ops::render_text_pdf.query_digital_thread, GET
/v1/digital-thread/query); compliance accreditation export (GET|POST /v1/compliance/export);
executive scorecard (GET /v1/executive/scorecard); readiness analytics (GET
/v1/analytics/readiness); executive report composer (GET /v1/reports/export); Control Center
--program flag; Audit, Digital Thread, and Executive UI tabs; extended
scripts/enterprise_ops_smoke.sh.detect_operational_drift, GET
/v1/drift?baseline_id=); OTA rollout planning (POST /v1/ota/plan with canary/staged/blue_green,
GET /v1/ota/status); package trust API (GET /v1/trust/package); SRE summary and observability
trace log (GET /v1/sre/summary, GET /v1/observability/traces); operator workflows (POST
/v1/operator/quarantine, POST /v1/operator/mission/approve); gRPC-compatible JSON gateway
(POST /v1/rpc); OpenAPI 3.1 spec (GET /v1/openapi.json); X-Correlation-ID request tracing;
Control Center UI tabs for Drift, OTA, Security, SRE, Operator; Python SDK
(packages/sdk-python); RolloutStrategy::BlueGreen in spanda-ota; extended
scripts/enterprise_ops_smoke.sh.run_provision_workflow, POST
/v1/provision) with readiness-failure alerting and quarantine; configuration snapshots
(.spanda/config-snapshots/, GET|POST /v1/config/snapshots); discovery transport contract
(DeviceDiscoveryTransport, subnet + mock mDNS); GET /v1/health|assurance|diagnosis/summary;
Control Center UI tabs for Health, Assurance, Diagnosis, Provision, Config; Slack webhook payload
formatting in spanda-ops; registry stub spanda-discovery-mdns; extended
scripts/enterprise_ops_smoke.sh.spanda-api crate (REST /v1/*,
embedded Control Center HTML UI); spanda control-center serve [--bind] [--config]; spanda-ops
alerting core (webhook, email dry-run, log channel); Device Pool lifecycle in spanda-config
(DeviceLifecycleState, DevicePoolEntry, pool_summary, set_lifecycle); RBAC v1 in
spanda-security (Role, ApiKeyStore, RbacAction, SPANDA_API_KEY); ManagedSecretVault
secret store contract with rotation metadata; Control Center view in @spanda/web
(ControlCenterPanel); scripts/enterprise_ops_smoke.sh.spanda-api backend architecture; integration map with Readiness, Assurance, Diagnosis,
Recovery, Trust, Health, Device Registry, Configuration, Traceability, Audit, Security, Packages;
phased implementation (E1–E4); risks and mitigation; priority horizons NOW/NEXT/LATER.spanda-config crate with SpandaManifest,
ConfigResolver, ResolvedSystemConfig, DeviceTree, LogicalPhysicalMap, and
ConfigValidationReport; root spanda.toml [project] / [config] / [extends] / [merge]
sections; fragment files (spanda.devices.toml, spanda.providers.toml, etc.); JSON config
compatibility; CLI spanda config resolve|validate|graph|diff|report, spanda device-tree
inspect|graph, spanda map verify; spanda readiness --config; docs
configuration.md, cascading-config.md,
device-tree.md, config-validation.md; updated
spanda-toml.md.ResolvedSystemConfig wired into run/sim/fleet
run/verify/readiness/assure/diagnose/heal/recover/replay; shared
resolve_for_source; lockfile- and device-tree-aligned provider bootstrap; readiness policy and
per-robot [health] fault injection from config; assurance/mission/recovery thresholds from
[assurance]/[mission]/[recovery]; TypeScript CLI delegation with cargo run and lightweight
fallback for config validate|resolve.[[devices]] registry with network/bus identity fields (ip, mac,
serial, endpoint, protocol, can_id, trust_level, …); DeviceRegistry on
ResolvedSystemConfig; duplicate IP/MAC/serial validation; redundant failover rules; CLI spanda
device discover|inspect, spanda network scan, spanda config report --network; readiness
connectivity issues from device identity gaps; assurance/diagnosis traceability when --config is
set.detect_config_drift / ConfigDriftReport in spanda-config;
CLI spanda drift and spanda config drift with --baseline and --agent; agent /v1/status
fields (program_hash, hardware_profile, firmware_version, packages); spanda readiness
--baseline and spanda readiness --agent for config and attestation drift gates; docs
drift-detection.md.spanda-graph crate; CLI spanda graph <file.sd> with --format
json|mermaid|dot|text; composes capability traceability and resolved config; docs
dependency-graphs.md.evaluate_deployment_gates in spanda-readiness; CLI spanda deploy gate
with --policy default|production; docs deployment-gates.md.evaluate_package_trust in spanda-package; CLI spanda trust <package> with
--version, --project, --json; package trust gate in deployment gates when --config
declares packages; docs package-trust.md.spanda-trust crate with evaluate_composite_trust; CLI spanda
trust <file.sd> with --json and --format markdown; weighted categories (package, device,
firmware, configuration, identity, safety); secure-boot import detection (trust.jetson /
trust.pi); scripts/trust_program_smoke.sh; docs trust-framework.md.spanda-tamper::secure_boot scores trust.jetson /
trust.pi in tamper-check and integrity; optional SPANDA_ATTESTATION_ENDPOINT live
attestation; optional SPANDA_TPM_BACKEND backends including vendor SDK adapters, tpm2-tools
PCR quote with tpm2_checkquote verification, remote AK cert chain validation
(SPANDA_ATTESTATION_TRUST_STORE), and SPANDA_TPM2_PCR0_EXPECT policy; bundled trust registry
for offline demos; deploy agent /v1/status attestation fields; drift detection for attestation
posture; examples/showcase/secure_boot/; scripts/secure_boot_smoke.sh,
scripts/attestation_smoke.sh, scripts/gaps_smoke.sh, scripts/lib/registry_env.sh; docs
hardware-attestation.md.spanda deploy gate adds composite_trust and
secure_boot gates; scorecard security pillar blends threat risk, composite trust, and
secure-boot coverage; spanda explain includes composite_trust and secure_boot sections;
spanda demo maturity runs program trust.spanda explain <file.sd> supports --config and --baseline for
configuration validation, deployment gates preview, package trust, and drift sections; docs
explainability.md.spanda demo maturity runs graph, explain, trust, and deploy gate on
examples/showcase/readiness/rover.sd; scripts/maturity_smoke.sh (wired into
scripts/showcase_smoke.sh).spanda-threat crate with analyze_threat_model; CLI spanda
threat-model <file.sd> [--json]; docs threat-modeling.md.spanda-diff crate with diff_programs; CLI `spanda diff spanda-score crate with evaluate_scorecard; CLI spanda score <file.sd>
[--json] [--format markdown]; docs scorecards.md.policy { } declarations in AST/parser; new spanda-policy
crate with evaluate_policy; CLI spanda verify --policy <Name> [--json]; showcase
examples/showcase/policy/warehouse.sd; scripts/policy_smoke.sh; docs
policy-engine.md.spanda-chaos crate with run_chaos_experiment; CLI `spanda chaos
spanda-readiness (record_readiness_snapshot,
analyze_readiness_trends); CLI spanda readiness --record and `spanda readiness trends
spanda-estimate crate with estimate_mission; CLI spanda
estimate <file.sd> [--target <profile>] [--json]; scripts/estimate_smoke.sh; docs
resource-estimation.md.spanda-compliance crate with built-in industry templates; CLI
spanda verify --profile <name> and spanda readiness --profile <name>; spanda compliance
report <file.sd> --profile <name> accreditation export bundles with evidence checklist and audit
export ID; defense/medical secure-boot contract requirements; defense showcase at
examples/showcase/compliance/defense_rover.sd; scripts/compliance_smoke.sh; docs
compliance-profiles.md.spanda-adr crate with generate_adrs; CLI `spanda adr
spanda-tamper crate with generate_tamper_check; CLI
spanda tamper-check <file.sd> [--json]; scripts/tamper_smoke.sh; docs
tamper-detection.md.generate_runtime_tamper_check in spanda-tamper; spanda
tamper-check <file.trace> [--runtime]; trust showcase examples/showcase/runtime_intrusion/;
scripts/trust_showcase_smoke.sh.diagnose_tamper_trace in spanda-tamper; CLI `spanda diagnose tamper
correlate_fleet_tamper in spanda-tamper; CLI spanda
tamper-check --fleet <manifest.json>; showcase examples/showcase/fleet_tamper/;
scripts/fleet_tamper_smoke.sh.generate_security_assurance in spanda-tamper; CLI spanda
security assurance <file.sd>; scripts/security_assurance_smoke.sh.tamper_policy blocks in .sd programs; spanda-tamper::policy
matching; runtime dispatch via recovery actions; showcase examples/showcase/tamper_policy/;
scripts/tamper_policy_smoke.sh.POST /v1/fleet/tamper/ingest, GET /v1/fleet/tamper; CLI spanda
tamper-check --mesh-url <url>; runtime ingest via SPANDA_FLEET_MESH_URL;
scripts/fleet_mesh_tamper_smoke.sh.SPANDA_SPOOFING_ML_ENDPOINT HTTP merge plus
SPANDA_SPOOFING_ML_BACKEND stub backends (mock, file, script) and
SPANDA_SPOOFING_ML_MIN_CONFIDENCE filtering for trace spoof-check; global
SPANDA_SPOOFING_MIN_CONFIDENCE trace filter and operator confirmation gates for High/Critical
alerts.spanda-trust-jetson, spanda-trust-pi attestation contracts in
hosted registry index.tamper_policy; Critical tamper actions require operator approval.spanda demo gaps walkthrough; secure_boot_status_line in
explain and deploy gates; attestation and compliance smokes extended for vendor TPM and AK chain
validation.examples/showcase/package_tampering/, mission_tampering/,
runtime_intrusion/ with tamper and integrity workflows; spanda demo trust one-command
walkthrough; bundled registry slice (trust + gps/fusion packages) in CLI crate via
scripts/sync_bundled_registry.sh; CLI defaults SPANDA_REGISTRY_URL to bundled registry when
unset; scripts/bundled_trust_smoke.sh.generate_integrity_report in spanda-tamper; CLI
spanda integrity <file.sd> [--baseline <file.sd>] [--agent <Robot@Hardware>] [--json];
scripts/integrity_smoke.sh; docs integrity-verification.md.spanda explain decision <mission.trace> [--json] with
evidence, safety checks, and rejected alternatives; scripts/decision_explain_smoke.sh.spanda-policy runtime monitor with max_speed and
operation_hours gates; spanda run|sim --enforce-policy <name>;
scripts/policy_runtime_smoke.sh.spanda-generate crate with template scaffolds and
suggest_program; CLI spanda generate mission|robot|health-policy and `spanda suggest
spanda-spoofing crate with program coverage and trace plausibility
analysis; CLI spanda spoof-check <file.sd|file.trace> [--json]; showcase
examples/showcase/gps_spoofing/; spanda demo spoof focused walkthrough;
scripts/spoof_smoke.sh; package backends in spanda-gps and spanda-fusion;
scripts/package_spoofing_smoke.sh; docs spoofing-detection.md.spanda-runtime-faults crate with RuntimeFault, CrashEvent,
RebootEvent, MemoryLeakEvent, OOMEvent, WatchdogTimeout, DeadlockEvent, RestartLoop,
ResourcePressure, HeartbeatStatus, ProcessHealth, RuntimeHealth, FaultEvidence, and
FaultTimeline types; AST declarations (heartbeat, memory_watch, resource_watch,
restart_policy, on runtime crash triggers); CLI spanda fault scan|report, spanda runtime
health|diagnose, and spanda replay --show-faults; readiness/assurance/diagnosis/recovery/replay
integration; showcase examples under examples/showcase/runtime_faults/; docs
runtime-fault-detection.md,
crash-detection.md, reboot-detection.md,
memory-leak-detection.md,
runtime-health.md. spanda-contract, spanda-explain,
spanda-decision crates; CLI spanda contract verify, spanda explain, spanda audit
decisions, spanda safety-coverage, spanda recovery-coverage; spanda demo differentiation;
examples/showcase/differentiation/warehouse.sd; scripts/differentiation_smoke.sh (wired into
showcase_smoke.sh).spanda-assurance continuity module with
MissionContinuityManager, MissionDelegationManager, TakeoverCoordinator,
SuccessionPlanner, MissionCheckpointManager, MissionStateTransferManager,
MissionRecoveryPlanner, and ContinuationDecisionEngine; takeover modes (resume, restart,
partial restart, shadow/hot/cold/human); state transfer models; successor ranking with
trust/readiness gates.spanda continuity, spanda takeover, spanda delegate, spanda succession
with --failed, --progress, --trigger, --scope, and report formats.continuity_policy syntax: parser, AST, and takeover mode inference from declared actions;
TypeScript parser parity.spanda demo continuity: showcase demo and scripts/continuity_smoke.sh (wired into
showcase_smoke.sh).execute_continuity_on_program, fleet agent
/v1/continuity/execute, mesh POST /v1/fleet/continuity, fleet_takeover peer topic.collect_continuity_diagnostics in spanda-assurance and
src/continuity-diagnostics.ts; merged into spanda check --readiness-json and LSP readiness
diagnostics.spanda-mission-continuity (assurance.continuity).reassign mission actions also relay continuity
takeover when SPANDA_FLEET_MESH_URL is set.spanda man continuity; README and getting-started continuity
section; roadmap/feature-status sync.continuitypolicy and recoverypolicy.continuity_policy, LSP completions/hover, robot-aware approval quick-fixes, package count sync
(38).continuity:mission diagnostic: warns when resume/checkpoint actions lack mission_plan;
continuity-policies.md policy guide; continuity_policy promoted
to Stable in roadmap..spanda/mission-checkpoints.json), swarm --failed handoff in spanda swarm coordinate,
operations dashboard continuity panel, interpreter/CLI/TS tests; runtime promoted to Stable.run/sim on health faults and
recovery; parser action spacing fix; TS checkpoint disk I/O; spanda-mission-continuity provider
exports; swarm+mesh integration test.examples/showcase/continuity/, takeover/, delegation/,
swarm_takeover/, fleet_succession/.spanda telemetry serve); OTLP/JSON export
and spanda telemetry push to remote collectors (SPANDA_OTLP_ENDPOINT); spanda telemetry
push --watch and SPANDA_OTLP_AUTO_PUSH session-end auto-push; spanda telemetry
fleet-push with fleet mesh ingest (/v1/fleet/telemetry/ingest, merged GET
/v1/fleet/telemetry) and SPANDA_FLEET_TELEMETRY_AUTO_INGEST session-end agent ingest;
per-event session_id tagging; Prometheus export; SQLite backend with JSONL migration; sessions
/ replay --session; telemetry info; TypeScript parity for sessions, metrics, retention, SQLite
(Node 22+), serve, push, fleet-push, replay inspect/playback/deterministic verify, and Rust
trace JSON normalization; vitest coverage in tests/telemetry-store.test.ts,
tests/telemetry-replay.test.ts, tests/telemetry-push.test.ts, and
tests/telemetry-fleet.test.ts; TS runtime_metrics aligned with Rust RuntimeTelemetry
(scheduler, task, execution, pipeline, watchdog, trigger, topic, provider maps); topic QoS
deadline tracking and provider-call metrics in the TS interpreter; in-memory telemetry store
(memory module) with WASM bindings (wasm_telemetry_clear|append|stats|prometheus|otlp) with
web playground telemetry panel; optional sqlite feature on spanda-telemetry-store for
wasm32 builds; CI wasm32 cargo check for spanda-wasm and spanda-telemetry-store (no
default features) plus scripts/telemetry_store_golden_path.sh job; TS interpreter routes
official package imports through dispatchOfficialPackageCall; event handler trigger
metrics; wasm_run auto-appends runtime_metrics to the in-memory buffer; TypeScript
TriggerRegistry with timer/when/while/state/system triggers, storm limits, missed-deadline
metrics, and scheduler integrationscripts/validate_documentation.py, add_structured_api_docs.py, and
migrate_legacy_inline_docs.py enforce and bulk-apply the format; CI emits warnings
(non-blocking) on pull requests.spanda doc, spanda
man, and docs/language-reference/; feature-status matrix updated for docgen and man pages./// doc comments in .sd files (parsed into AST); spanda doc
--html, spanda doc examples/, spanda man; expanded man pages with EXIT STATUS and FILES;
docs/language-reference/ topic index; mdBook site sections; CI gates for cargo doc, spanda
doc, and mdBook build.spanda-recovery), CLI overview, fleet-distributed recovery
HTTP APIs, verification/readiness diagnostic categories, feature-status matrix, and deploy-http
fleet_recovery module docs. validated recovery actions execute at runtime (mode transitions,
speed caps, connectivity restart, mission pause, fleet coordination) with assurance gating..spanda/recovery_knowledge.json records outcomes;
planner and evaluate_recovery use merged knowledge when policies are absent; spanda recovery
knowledge inspects the store.SPANDA_OPERATOR_APPROVAL, SPANDA_GRANT_RECOVERY_APPROVAL,
Approval comm-topic polling, RunOptions.inbound_comm_messages test hook, and mission requires
approval Operator runtime gating for high-risk recovery and mission steps.Fleet recovery mesh signal: runtime publishes /fleet/recovery Command messages and relays to
fleet mesh (POST /v1/fleet/recovery) when SPANDA_FLEET_MESH_URL is set; mesh coordinator fans
out fleet_recovery peer deliveries to registered agents; agents expose recovery_active on
/v1/status.
spanda-assurance recovery module with RecoveryPlan,
RecoveryPlanner, failure classification, recovery levels (0–4), safe mode transitions,
self-correction actions, validation gates (safety, hardware, capability, readiness), human
approval integration, recovery audit/traceability, fleet recovery, recovery knowledge base, and
assurance metrics.recovery_policy Name { on condition { actions; } } declarations.spanda heal, spanda recover, spanda recovery-report, spanda recovery
plan|knowledge; spanda sim --inject-failure <kind>; spanda analyze-failure --with-recovery.examples/showcase/self_healing/, self_correction/, fleet_recovery/,
recovery_assurance/.spanda-assurance crate with core interfaces (knowledge
model, state estimation, anomaly detection, diagnosis, prognostics, mitigation, mode management,
mission planning, resilience, assurance evidence) and static analysis integrated with readiness,
health, traceability, and hardware verification.knowledge_model, state_estimator, anomaly_detector, on
anomaly, prognostics, mitigation, operating_mode, mission_plan, resilience_policy, and
assurance_case declarations.spanda assure, spanda anomaly scan, spanda prognostics, spanda
mission verify, and spanda resilience check; enhanced spanda diagnose for traces and
programs.spanda-assurance, spanda-knowledge-model, spanda-anomaly,
spanda-diagnosis, spanda-prognostics, spanda-mission-planning, spanda-mission-continuity,
spanda-resilience, spanda-fusion.examples/assurance/, examples/anomaly/, examples/diagnostics/,
examples/prognostics/, examples/resilience/, examples/mission/.learned backend <module>; on anomaly_detector; anomaly scan
reports include learned model metadata.spanda state estimate reports estimators and belief state; included in
spanda assure summary.state_estimator inputs reduce Assurance factor score with
span-aware IDE diagnostics.spanda demo assurance runs the full mission assurance CLI suite on
examples/showcase/assurance/rover.sd.spanda demo self-healing runs heal, recover, recovery knowledge, sim
inject-failure, and fleet recovery showcase paths.scripts/self_healing_smoke.sh exercises recovery CLI, runtime tests,
diagnostics, and demo.fleet_recovery peer commands and POST /v1/recovery/execute; status reports
recovery_validation.execute_recovery_on_program) for mode transitions, speed caps, and mission pause;
recovery_engine on /v1/status reports interpreter vs assurance fallback.src/recovery-diagnostics.ts mirrors Rust
collect_recovery_diagnostics for LSP/readiness JSON fallbacks.assurance.anomaly::scan_learned for
detectors with learned backend; package stub scores observations below 0.85 as anomalies.spanda state estimate use type-weighted confidence;
fusion.read() exposes sources and state_estimate.scan_learned for drift detection.spanda-fusion package: assurance.fusion import path with weight_for_sensor and
confidence_for_types provider dispatch (extends lean-core weighted fusion).SPANDA_ANOMALY_ONNX_MODEL_PATH (or SPANDA_ONNX_MODEL_PATH) enables
ONNX-backed scan_learned via Python bridge; showcase rover links learned anomaly + fusion
packages.docs/overview/.Roadmap audit (2026-06-24): docs/roadmap.md — v0.5 beta milestone, post-v0.4.0 continuity/telemetry notes, differentiation docs-vs-code honesty, tooling/web updates; roadmap-codebase-audit-2026-06.md refreshed; feature-status.md telemetry OTLP/fleet row.
Trust import typecheck: trust.jetson and trust.pi resolve in spanda check / spanda
verify via framework package import paths.
Package trust signatures: evaluate_package_trust verifies Ed25519 registry signatures using
the embedded index public key when SPANDA_REGISTRY_TRUST_KEY is unset (matches install-time
verification).
Readiness polish: CI smoke (scripts/readiness_smoke.sh), agent /v1/readiness integration
tests, spanda deploy|fleet agent readiness CLI, TypeScript fallbacks for all operational
commands (src/operational.ts), span-aware LSP readiness diagnostics, POST /v1/program on
deploy agents, bundled root_cause_analysis example, and fleet dashboard aggregates in the web
Operations panel.
--target, --runtime, --inject-health-faults, and
--agent-json on spanda readiness; spanda check --readiness-json for IDE diagnostics; spanda
demo readiness; bundled showcase examples synced to the CLI crate.GET /v1/readiness on deploy and fleet agents (?runtime=true,
?inject_health_faults=true); TypeScript CLI fallback via src/readiness.ts when the native
binary is unavailable.packages/web Operations view with local readiness scoring and live
agent fetch.LSP readiness diagnostics: readiness issues surface in the language server via native CLI or TypeScript fallback.
spanda-readiness crate composing hardware, capability,
health, connectivity, safety, and mission gates into weighted ReadinessReport with spanda
readiness <file.sd> (--json, --markdown, --html).spanda verify mission, spanda analyze-failure, spanda
safety-report, spanda diagnose, spanda audit, spanda verify-fleet, spanda
verify-approval, spanda fleet readiness, spanda twin readiness.requires approval <Actor> for: <action> in mission blocks for
human-in-the-loop verification.examples/showcase/readiness/, mission_verification/,
failure_analysis/, safety_report/, fleet_readiness/, root_cause_analysis/.spanda demo rover ships examples/showcase/autonomous_rover/ source in
the crate (install fetches registry deps).packages/registry/* scaffolds indexed in registry/index.json.phase30_gaps.rs for health polling during trigger loops.spanda-docs; regenerated spanda-reference.md and docs/man/.website/index.html; VS Code extension icon from assets/image/app_favicon.png.examples/features/live_openai.sd.span_from now uses an exclusive end offset so spanda fmt preserves
closing braces on span-backed declarations (hardware, assurance, health, kill switch).max_speed rules no longer duplicate velocity units when the value
is already a unit literal.state_estimator declarations register SensorFusion bindings at
robot setup; a single estimator aliases fusion.learned_models() detects assurance.anomaly imports for
package-backed detectors.SPANDA_*_STATE env overrides;
stale deployment fields reset when loaded identity mismatches startup; HTTPS agents use read
timeouts and connection shutdown; HTTP 400 responses shut down cleanly; TypeScript agent servers
serialize concurrent requests; remote/mesh clients use 30s fetch timeouts; spanda fleet mesh
start routes through the native CLI; integration test spawns use per-identity state files.spanda deploy --target native links LLVM binaries (same pipeline as
compile-native); guide native-deploy.md.spanda ros2 check [--json] validates ROS_DISTRO, rclpy, and bridge script
before live transport.--remote
orchestration, agent registry, and OTA rollout.live-iot-golden-path job runs scripts/live_iot_golden_path.sh.spanda (cargo install --path crates/spanda-cli
installs binary spanda); spanda --version; bundled showcase examples ship in the crate for
spanda demo without a full clone; scripts/sync_bundled_examples.sh.spanda demo {rover,safety,verify,fleet,health};
showcase directories under examples/showcase/; scripts/install.sh, scripts/benchmark.sh,
scripts/showcase_smoke.sh; docs benchmarks.md,
known-limitations.md, demo-script.md,
diagrams/; README trust table; improved SafeAction type errors with hints; VS
Code snippets; CI showcase-smoke job.ActionProposal, SafeAction, safety.validate,
deploy, health_check, kill_switch; SafeAction quick-fix code action.cargo build -p spanda (package rename from spanda-cli).spanda
fleet run works when the last robot lacks member actuators (e.g. coordinator-only programs).features/kill_switch.sd, fleet_health_require.sd,
typed_handler_returns.sd, agent_can_deny.sd, live_openai.sd, live_anthropic.sd,
live_onnx.sd, security/remote_signed_kill_switch.sd, integration/debugger_every.sd,
basics/12_compile_fail_tests.sd, iot/modbus_dispatch/, packages/publish_mirror_project/.expect_compile_error { } blocks in test bodies — validated at
test-run time; module function return type enforcement in the typechecker; TypeScript parser
mirror for Phase 27 syntax (kill_switch, health_check, health_policy, requires_capability,
hardware components, robot uses hardware / exposes capabilities); IoT protocol package stubs
(spanda-opcua, spanda-modbus, spanda-zigbee, spanda-lora, spanda-matter,
spanda-canbus); integration tests in p1_features.rs and tests/capability-parser.test.ts.spanda check
--verification-json; LSP integration; runtime health evaluation wired to HardwareMonitor;
kill-switch and health-fault sim integration tests.suggested_fix hints on verification diagnostics; LSP quick-fix
code actions; continuous runtime health polling during trigger maintenance; debugger pause events
for kill switch (kill_switch_activated) and critical health (health_critical).health_policy enforcement; behavior -> Type return
validation; agent plan SafeAction return checks; IoT package dispatch stubs; agent capability
audit logging; DAP output events for health/kill-switch.can[]
default-deny; VS Code VSIX verify script.-> Type return validation; live Modbus TCP and
OPC-UA bridge IoT paths; live OpenAI provider for ai_model when OPENAI_API_KEY is set.remote_signed
runtime enforcement and on kill_switch handlers; VS Code extension CI; IoT protocol dispatch
stubs; live Anthropic provider; fleet/swarm health runtime coordination.require runtime; ONNX provider; registry mirror publish;
kill-switch verify errors; debugger every entry.spanda-capability crate — capability registry, hardware/robot
capability inference, traceability matrices, minimum-hardware safety checks, health-check
analysis; CLI commands spanda trace {hardware|capabilities|health}, spanda health robot,
spanda hardware capabilities, spanda robot capabilities, spanda safety check --capabilities;
verify flags --traceability, --capabilities, --health, --minimum-capabilities; hardened
spanda test with file paths, --json, --filter, --compile-fail; language syntax for
kill_switch, health_check, health_policy, requires_capability, uses hardware, exposes
capabilities; sim flags --trigger-kill-switch, --inject-health-faults; IoT provider contracts
in spanda-runtime; spanda-iot-core package stub; mdBook site at docs-site/ + GitHub Pages
workflow; guides for kill switch, health, capabilities, traceability, IoT, agentic programming,
debugger. (dispatch_official_package_call); connectivity provider stubs for Wi-Fi/BLE/cellular;
--trace-providers observability flag; spanda update command; flagship demo at
examples/showcase/autonomous_rover/; guides how-packages-work.md,
how-providers-work.md,
how-runtime-resolution-works.md.provider_call mission-trace frames; aligned provider capabilities in
validation/security; TS package_dispatch.ts mirror; project-aware module registry for
check/build/test/run/verify.--remote in golden_path_deploy.sh; live MQTT Mosquitto job
(scripts/mqtt_golden_path.sh, examples/communication/mqtt_live.sd); twin cloud upload job
(scripts/twin_cloud_golden_path.sh); LLVM job (scripts/llvm_golden_path.sh); live-mqtt /
live-transport Cargo features on spanda-cli.world_model { } parser + observe→fusion belief hook; ledger community
scaffold (packages/community/, scripts/ledger_golden_path.sh); cpp-native and self-host lexer
golden paths; Phase 23 marked complete in roadmap.ci_verify_golden_path.sh,
python_native_golden_path.sh; python-native feature on spanda-cli; Phase 26 on roadmap. —
killer_demo_golden_path.sh, live_ai_golden_path.sh, ros2_golden_path.sh,
registry_golden_path.sh; CI jobs;
ros2_cmd_vel_ping.sd; VS Code vsce publish on
release when VSCE_PAT is set; P0 status table in
tier-3-priority-plan.md.cargo fmt drift; TypeScript build parity (lexer tokens, compile stub, package
dispatch); release workflow VSCE_PAT guard without invalid secrets in if.Phase 24 (complete): world_model_patrol.sd showcase; fleet_field_trial.sd three-agent
layout; tier-3-golden-paths.md index; world-model-golden-path CI;
typechecker support for world_model.belief() / update() / export();
mqtt-nav2-reference-architecture.md;
llvm-embedded-benchmark.md + llvm-embedded-golden-path CI; TS
mirror parser/checker parity for world_model { }.
Tier 3 priority plan: tier-3-priority-plan.md documents P0–P4 ordering (v0.5 beta → Phase 23 hardening → v1.0 optional → post-v1.0 production); Phase 23 planned in lean-core-roadmap.md.
world_model.update/belief/export),
ledger provider wired to MockLedgerBackend, cloud upload via SPANDA_CLOUD_UPLOAD_URL, LLVM
golden path script, self-host bootstrap example, and
tier-3-experimental.md.Phase 18 P2/P3 closure: performance (slim CLI, bridge timeouts, cargo audit) and
observability (pipeline benchmark) marked complete in docs.
registry-index-maintain binary updates checksums and
Ed25519 version_signatures in registry/index.json; CI verifies against registry/TRUST_KEY;
scripts/update_registry_checksums.py delegates to the Rust tool.Phase 21 embedder slimming: optional certify and bridge features on spanda-core
(default-features = false omits certification and FFI shims; full remains default).
Automated version bumps: scripts/bump_version.py bumps Cargo.toml, npm packages, and
finalizes CHANGELOG.md. Auto release runs after CI on main when a merged PR has
release:major, release:minor, or release:patch; Bump version (manual Actions workflow)
is available for ad-hoc releases. Both push v* tags that trigger cargo-dist Release builds.
spanda-package; deploy/fleet/mesh agents require --token on non-loopback binds;
bridge subprocess timeouts; cargo audit CI job; slim CLI build (--no-default-features
--features slim); pipeline benchmark test;
phase-18-security-hardening.md.version_signatures on publish/install via
SPANDA_REGISTRY_SIGN_KEY / SPANDA_REGISTRY_TRUST_KEY.spanda_core::transport* modules; spanda-core no
longer depends on transport adapter crates directly.Phase 20 test distribution + embedder features: OTA, fleet, provider, and certify integration
tests moved to owning crates; spanda-core exposes optional ota / fleet features (default =
["full"]; --no-default-features for minimal embedder builds).
spanda-interpreter runtime tree, one-way spanda-core → spanda-interpreter dependency, and
CoreRuntimeHost wiring (see lean-core-roadmap.md).registry/index.json and tarballs for all official packages
under packages/registry/; ./scripts/build-registry.sh auto-discovers package scaffolds;
registry.md curated table updated.examples/showcase/killer_demo.sd with walkthrough in
killer-demo.md (check → verify → sim narrative).crates/spanda-package/tests/hosted_registry.rs guards 20-package
index, tarballs, and file:// fetch; killer_demo.sd added to golden manifest.triggers, telemetry, replay, twin, events,
state_machine, reliability_runtime, and serialize into spanda-runtime with thin
spanda-core shims; interpreter runtime routes imports through workspace crates; RuntimeError
implements Display.spanda-comm crate: extracts CommBus, InMemoryCommBus, comm safety chain, and bandwidth
helpers from spanda-core with a thin shim; interpreter runtime imports spanda_comm::CommBus
directly.spanda-safety crate: extracts SafetyMonitor, zones, Pose2d, and motion validation from
spanda-core with a thin shim; interpreter runtime imports spanda_safety directly.spanda-hal crate: extracts HAL simulation backend, SoC profiles, and hardware health
monitoring from spanda-core with thin shims; interpreter runtime imports spanda_hal directly.spanda-transport routing: moves wire-frame encode/decode into spanda-transport and
RoutingCommBus into new spanda-transport-routing (avoids adapter-backend cycle); thin
transport / transport_wire shims; interpreter runtime imports
spanda_transport_routing::RoutingCommBus directly.spanda-error crate: extracts SpandaError and diagnostic helpers from spanda-core;
interpreter runtime imports spanda_error::SpandaError directly; RunOptions / RunResult
remain in core.spanda-ai crate: extracts AI model registry, agent runtime, memory store, and mock inference
helpers from spanda-core with a thin shim; interpreter runtime imports spanda_ai directly.spanda-providers crate: extracts official package bootstrap, stubs, and transport adapter
wiring; interpreter imports spanda_providers for registry bootstrap and comm-bus sync.spanda-concurrency crate: extracts cooperative channels, spawn handles, and select; thin
core shim; interpreter imports spanda_concurrency directly.spanda-debug crate: extracts debugger controller, breakpoints, and stmt_line; interpreter
imports spanda_debug directly.spanda-regex-lang, spanda-lib-registry,
spanda-connectivity-runtime, spanda-runtime-host, and spanda-ffi extracted with thin shims;
interpreter runtime has zero crate:: imports.spanda-sir crate owns AST lowering to typed intermediate
representation; spanda-core re-exports via thin shim.spanda-certify and spanda-bridge extracted; spanda-driver::run
owns compile + certify gate + FFI defaults + interpreter execution; spanda-core re-exports the
public API.spanda-hardware (full verify + adapter verify + connectivity
validators), spanda-format, spanda-lint, spanda-codegen, spanda-modules, and spanda-docs
extracted with thin core shims; spanda-security::validate owns static security audit;
spanda-driver::debug_session owns the debugger machine; spanda-fleet::swarm_coordinator owns
swarm coordination; connectivity-runtime re-exports hardware validators to preserve the public
API.spanda-driver now owns verify, SIR lowering, replay/playback,
debug run, deploy plan (with certify proof), and type-check host wiring; spanda-ota::plan
extracts deploy assignments from the AST; reliability validators live in spanda-typecheck;
spanda-core re-exports the public API without local pipeline bodies.transport_live RuntimeValue hooks live in
spanda-transport-routing; lexer tokenize error mapping and FFI bridge alias moved to
spanda-driver / spanda-bridge; providers/ collapsed to a single facade module.spanda-cli and spanda-node import workspace crates directly
(spanda-driver, OTA/fleet/deploy-http, tooling crates); MQTT/DDS/WebSocket RuntimeValue live
bridges consolidated in spanda-transport-routing::live_bridges with thin core shims retained for
API stability.spanda-llvm, spanda-wasm, and spanda-dap no longer depend on
spanda-core; only the spanda-core facade crate itself pulls the full workspace graph for
external API stability.spanda_core::transport_mqtt, transport_dds,
transport_websocket, and transport_live; use spanda-transport-routing or
spanda-transport-* workspace crates directly.examples/README.md, examples/packages/README.md, updated
tutorial indexes and learning paths); API doc hierarchy
(api-documentation.md, grouped
api-reference.md with facade→crate mapping).mission (named steps + lifecycle), program-level fleet, safety_zone, and certify metadata
(optional level block), extended observe/fusion.read() with confidence and state_estimate,
std.navigation / std.fusion / std.slam namespaces, navigation runtime helpers; program-level
safety zone speed caps (motion allowed in cap zones); TypeScript parser/type-checker and interpreter
parity; Nav2 golden-path publish on navigation.navigate() when /cmd_vel is declared; OTA deploy
CLI (spanda deploy plan|rollout|rollback|status with canary/staged strategies); fleet
orchestrator (spanda fleet orchestrate); verify warning when deploy targets lack certification
metadata; examples in examples/robotics/; tests in crates/spanda-core/tests/ and
tests/robotics-platform.test.tsspanda deploy plan|rollout|rollback|status and spanda fleet orchestrate in the Node CLI
without requiring the Rust binary; hardware verify warns on deploy-without-certify in the TS
fallbacknavigate { goal: ... } statement sugar (Rust +
TS); spanda verify reports framework adapter mappings for imports like navigation.nav2;
registry entries for spanda-nav2, spanda-cartographer, and spanda-rtabmap; example package
examples/packages/nav2_adapter_package/spanda deploy agent start), agent
registry (.spanda/deploy-agents.json), spanda deploy rollout|rollback --remote; SLAM stub
runtime (slam.localize() / slam.map()); fleet orchestrator peer-aware modeprogram_hash; remote
rollouts send hash to agents; optional --require-hash on agents; HTTPS agent URLs and
--tls-cert / --tls-key for deploy agents (Rust rustls + Node https); fleet peer handoff
messages during orchestration; SLAM adapter example packages (cartographer_adapter_package,
rtabmap_adapter_package); examples/robotics/fleet_peer_missions.sd--sign-key, --bundle-out); agents verify signatures with --require-signature --trust-key;
fleet orchestrator delivers peer mission steps over the in-process comm mesh (peer_mesh_mission)spanda fleet
agent start|register|list, .spanda/fleet-agents.json); spanda fleet orchestrate --remote
relays peer mission steps to registered agents (distributed_peer_mesh); spanda verify
--strict-certify treats missing deploy certification, ISO13849 level gaps, and deployed-robot
mission/safety metadata as errors; adapter registry metadata for Nav2/Cartographer/RTabMap
packagesspanda fleet mesh
start centralizes multi-host peer relay (--mesh-url); fleet agents forward peer deliveries to
downstream robots; spanda run --enforce-certify / SPANDA_ENFORCE_CERTIFY=1 blocks uncertified
deploy programs at runtime; spanda verify-adapter validates package [adapter] sections;
optional SPANDA_NAV2_CMD / SPANDA_SLAM_CMD subprocess bridges for production Nav2/SLAM
backendsspanda certify prove [--strict]
[--out proof.json] emits structured checklist reports with program_hash; TypeScript interpreter
invokes Nav2/SLAM subprocess bridges and enforces --enforce-certify on run; reference bridge
scripts in examples/adapters/spanda deploy
rollout --require-certify blocks OTA when strict proof fails; deploy agents accept
--require-certify to reject rollouts missing strict proof in the payload; TypeScript
deploy-service and verify-adapter Node fallback mirror Rust behaviorswarm declarations with round_robin,
broadcast, and leader_follow policies; spanda swarm coordinate runtime with persistent
round-robin cursors in .spanda/swarm-state.json; TypeScript parser/checker/coordinator parityexamples/robotics/golden_path_deploy.sh now covers certify,
deploy, verify-adapter, fleet orchestrate, and swarm coordinatespanda swarm coordinate --mesh-url relays leader-follow peer deliveries
through the fleet mesh coordinator; CI robotics-golden-path job runs the golden-path script
against the release CLIspanda fleet mesh start now receives the correct subcommand args
(was treating mesh as the subcommand and exiting with usage)SPANDA_FLEET_AGENTS on each relay
request instead of snapshotting at startup; fleet agents honor the same env for downstream
forwardingsecure_comm policy, trust_boundary declarations, secrets blocks (env/file),
extended secure { } blocks with encryption/authentication/trusted sources,
EncryptedMessage/VerifiedMessage types (AES-256-GCM), production transport wire frames with
source_id, spanda security check|audit, --secure and --inject-security-faults CLI flags;
docs in docs/secure-communication.md, docs/identity.md, docs/secrets.md,
docs/trust-boundaries.md; examples in examples/security/RoutingCommBus wire encryption, secure_comm configure
fail-fast, inbound source_id, trust-boundary registry, static security check|audit, and
integration tests in tests/security-comm.test.tslive-mqtt Cargo feature with rumqttc bridge; enable with
SPANDA_LIVE_MQTT=1live-websocket / live-dds Cargo features (or
live-transport bundle); enable with SPANDA_LIVE_WEBSOCKET=1 / SPANDA_LIVE_DDS=1SPANDA_MTLS_REQUIRED=1 fails hard; TypeScript mirror with SPANDA_MTLS_HANDSHAKE=1url: field on bus { } blocks and SPANDA_BROKER_URL env fallback for live
transport and mTLSsecure_topic.publish / actuator.execute.safe capability
parsing, timed fault … at T+10s offsets, inbound trusted-source checks on receive/poll,
TypeScript parser mirror for secure_comm, trust_boundary, secrets, bus blocks, and full
secure { } fields.sd examples (regex, security, robotics, packages,
hardware/modules); scripts/check_all_examples.sh resolves relative SPANDA_BIN from repo root
for package checks — 162 pass, 2 expected-fail, 0 skipsspanda-core/src/transport_live.rs into spanda-transport-ros2 and spanda-transport-mqtt; core
retains a thin RuntimeValue shim with lean_core_shims guard testsTransportAdapter implementations moved from
spanda-core/src/transport.rs into spanda-transport-{ros2,mqtt,dds,websocket}; ROS2 rclrs
consolidated in spanda-transport-ros2; Nav2/SLAM subprocess bridge moved to
spanda-connectivity::adapter_bridge; unused TLS deps removed from spanda-core (TLS remains in
spanda-transport and deploy crates)ProviderRegistry and provider trait contracts moved to
spanda-runtime; new spanda-transport crate for adapter traits and wire security;
spanda-interpreter staging crate; fleet orchestration moved to spanda-fleetspanda-core::connectivity_positioning to spanda-connectivity::runtime_sim; core keeps
compatibility wrappers for AST/runtime value conversionsspanda-runtime::RuntimeHost with
connectivity/geofence/GPS-fault hooks and routed spanda-core::runtime trigger/failover/geofence
callsites through host methods to reduce direct core couplingInterpreter now stores an injectable RuntimeHost
(InterpreterOptions::runtime_host); remaining GPS reading and SIM identity paths route through
host hooks; spanda-interpreter re-exports RuntimeHostruntime.rs into runtime_connectivity.rs as a staging step toward spanda-interpreterruntime_navigation.rs), robot methods
(runtime_robot.rs), and trigger dispatch (runtime_triggers.rs) split out of runtime.rs with
lean_core guard testsruntime_robotics.rs),
sensor fusion (runtime_sensors.rs), and digital twin (runtime_twin.rs) extracted from
runtime.rs (~580 lines); runtime.rs down to ~7670 linesruntime_builtins.rs),
audit/ledger (runtime_audit.rs), actuator motion (runtime_actuators.rs), and shared helpers
(runtime_helpers.rs) extracted; runtime.rs down to ~6640 linesruntime_eval.rs; runtime.rs down to ~5750 linesruntime_spawn.rs; runtime.rs down to ~5480 linesruntime_execute.rs), scheduling/contracts
(runtime_scheduler.rs), robot setup (runtime_setup.rs), reliability
(runtime_reliability.rs), declarations (runtime_declarations.rs), program/trigger glue
(runtime_program.rs), and security helpers (runtime_security.rs) extracted; orchestrator down
to ~1790 linesspanda-interpreter: all runtime_*.rs modules and orchestrator.rs
now live under crates/spanda-interpreter/src/runtime/; spanda-core/src/runtime.rs is a thin
#[path] include shim; smoke tests moved to runtime_smoke.rscargo update bumps log 0.4.33 and quote 1.0.46; npm upgrades
vitest to 3.2.6 (critical Dependabot) with vite override to 6.4.3 (npm audit clean); removed
unused TLS crates from spanda-core AES-256-GCM wire frames (spanda/wire/v1:),
TransportWireFrame with source_id, TLS session negotiation from cert/key secrets, rustls PEM
validation when cert files exist, broker URL TLS scheme auto-upgrade (mqtts://, wss://),
session-key derivation from robot secrets for EncryptedMessage, and production wire crypto
(replacing mock-session stubs)pyo3 from 0.23 to 0.29 and migrated bridge
GIL entrypoint to Python::attach; fixed embedded Python runner script syntax for native bridge
testsspanda-transport-mqtt now uses rumqttc 0.25.1 with
default-features = false + use-native-tls, removing the old rustls-webpki <0.103.13 path
from the MQTT transport dependency grapheditor/vscode/)registry/index.json + spanda-openai / spanda-ros2 tarballs;
default SPANDA_REGISTRY_URLdocs/live-ai-provider.md,
examples/ffi_openai_live.sdspanda twin export and --twin-export on run/simpackages/web/)docs/debugging.md — step through task every in VS Codedocs/adoption-path.md (one-sprint Python + ROS2 wrap), docs/ci-verify.md
(GitHub Actions / GitLab + --json), docs/ros2-golden-path.md (rclpy bridge golden path)examples/showcase/README.md — three evaluator entry points (safety,
verify, sim); README trimmed to matchexamples/end_to_end/)examples/features/ (16 focused demos) plus coverage index mapping every
capability to a runnable filedocs/tutorials/README.md (all learning paths, topic
guides, examples)docs/spanda-for-dummies/ (cheat sheet, glossary,
common mistakes)docs/spanda-101/ (hello robot through end-to-end
patrol)examples/basics/ (11 progressive tutorials), examples/integration/, and
examples/end_to_end/ (safe patrol package + replay mission)deadline, jitter <=, priority, isolatedpipeline name budget Nms { … }mode blocks, recover from, retry/fallbackRegex type, string methods, triggers, subscribe filters, validate
rulesspanda replay, --record, --trace-realtime, --metrics-jsonPipelineMetrics, WatchdogMetricsdocs/realtime.md, docs/reliability.md, docs/watchdogs.md, docs/degraded-modes.md,
docs/replay.md, docs/regex.mdspanda reference, docs/spanda-reference.md (JavaDoc-style std.*,
builtins, types), docs/man/ (man-page CLI docs)docs/api-reference.md (Rust/TypeScript modules and public functions)examples/realtime/ and examples/regex/requires_connectivity, hardware
connectivity [ … ], WGS84 geofence, connectivity_policy, Bluetooth/BLE blocks, connectivity
triggers (on gps.lost, on network.disconnected, on gps.spoofed), std.positioning /
std.connectivity namespaces; TypeScript parser/runtime mirror with TS verify fallback and
transport rebinding on failover; u-blox NEO-M8N UART GNSS stub in lib_registry; docs in
docs/positioning.md, docs/connectivity.md, docs/geofencing.md, docs/bluetooth.md,
docs/cellular.md; examples in examples/connectivity/GpsSpoofing offsets coordinates and degrades fix quality;
GpsDrift accumulates positional drift over sim time; applied to GPS sensor reads and geofence
checks in Rust and TypeScript; triggers on gps.spoofed and on gps.driftsimulate_compatibility fault injection when Rust CLI is unavailableconnectivity_policy switches links; inactive stub adapters
disconnectSimIdentity type and robot.sim_identity() return
ICCID/carrier/eSIM/attested fields; gated by cellular.connect under strict permissionsSatellite connectivity token maps to websocket transport;
SatelliteOutage fault and emergency: satellite failover policies; example in
examples/connectivity/satellite_backup.sdNetworkOutage, LteOutage, etc.),
runtime escalates to emergency link in the same step.gitignore allows committed golden mission traces under examples/ and tests/golden/ while
ignoring other runtime .trace filessujaydavalgi/Spanda); docs and package metadata URLs updated accordinglyrun_pipeline, retry/fallback on injected
faults, recovery handlers, jitter telemetry, and mission trace recording (--record writes
<file>.trace)mode blocks execute on enter; topic QoS deadline violations are detected at runtimespanda replay --deterministic re-runs the traced program and verifies frame parity--wall-clock; frame-by-frame mission playback via spanda replay
--playbackFirst public alpha release. Spanda is ready for community evaluation.
Language & runtime
.sd) with robot-centric syntax: sensors, actuators, safety, agents, tasksm, s, rad, m/s, compound units)ai_model, goal, memory, and mock LLM/Vision providersActionProposal → safety.validate() → SafeAction compile-time and runtime gateverify { } assertionsmessage, topic, service, actiondeploy targets, and requires_hardware / requires_networkmodule, struct, enum, trait, match, generics, trait objectstask every Nms) with resource budgetsobserve { } and fusion.read()Tooling
check, verify, run, sim, fmt, lint, doc, debug, ir--target, --all-targets, --simulate, --jsoninit, build, test, install, add, remove@spanda/lsp): diagnostics, completion, hover, rename, format@spanda/web) with WASM bindingsspanda-dap)llvm-ir, compile-nativeSecurity & audit
Examples
.sd programs including examples/showcase/ curated demosexamples/packages/Documentation
docs/getting-started.md, docs/architecture.md, docs/vision.mddocs/feature-status.md with v0.1.0-alpha support matrixdocs/website-content.md for future siteCommunity
CONTRIBUTING.md, CODE_OF_CONDUCT.mdcargo fmt, cargo clippy, LSP, WASM, ROS2 rclrs native
(Ubuntu 22.04 + Humble)OPENAI_API_KEY, ANTHROPIC_API_KEY, or
SPANDA_ONNX_MODEL_PATH for live callsspanda publish mirrors to registry/packages/; hosted index lists 20 curated packages until
./scripts/build-registry.sh is runVSCE_PATPost-alpha improvements on main (2026-06-20).
Triggers & concurrency
when/while), state,
safety, hardware, AI, verification, and twin triggersTriggerRegistry with priority ordering, per-tick storm limits, and TriggerMetrics telemetry--trace-triggers, --trace-events on run, sim, and fleet runspawn, join, parallel, channels, select, per-task budget
{ }spanda fleet run for in-process multi-robot fleet simulation with deploy/peer wiring outputTaskMetrics, SchedulerMetrics, ExecutionMetrics in RunResult.metricsexamples/triggers_demo.sd, examples/concurrency.sd,
examples/communication/multi_robot_fleet.sdROS 2
spanda-ros2-rclrs-native cdylib for in-process ROS 2 I/OSPANDA_ROS2_RCLRS)ros2-rclrs-native on Ubuntu 22.04 with ROS HumbleDeveloper experience
scripts/add_inline_docs.py, scripts/add_logic_block_docs.py,
scripts/normalize_inline_docs.pyeditor/vscode) with packaging workflowspanda installcargo fmt compliance)ros-tooling/setup-ros@v0.7 (invalid @v2 reference)if block in type checker (clippy needless_ifs)