← Back to blog
Release essay2026-07-06 13:20 UTC

Ota v1.6.23 Now Available: Machine-Readable Execution Governance

Ota v1.6.23 strengthens machine-readable execution governance with explicit merge gates, stage-family output, crossing evidence, agent-safe enforcement, and broader first-class setup/orchestrator ownership.

Ota — software execution governance for humans and AI agents

Idea

v1.6.23 is a machine-readable governance release.

The pressure behind this version is straightforward: if Ota asks humans, CI, and AI agents to share one execution contract, then governance cannot stay partly implicit.

It has to be emitted as structured truth.

This release pushes exactly that boundary. Ota now publishes clearer governance posture before execution, clearer evidence after execution, and clearer drift ownership when contracts diverge from external repo sources.

At the same time, v1.6.23 widens first-class contract ownership for setup, orchestrator mediation, and deterministic Git materialization so more repos can stay out of shell glue.

Feature

v1.6.23 is broad, but the release is coherent. It strengthens six connected execution-governance surfaces.

1. Governance output is now significantly more machine-readable

This release adds and widens core machine output that CI systems and agent harnesses can consume directly:

  • additive governance summaries on ota run --dry-run --json and ota up --json
  • additive governance.merge_gate and governance.required_verification_lanes on ota doctor --json
  • additive metadata.governance.merge_check_id for stable merge-lane identity
  • additive capability_profile on ota tasks --json and ota workflows --json
  • additive artifact_routing[] across dry-run, receipt, proof, repo up, and workspace lanes
  • additive stage_family and phase signals across receipts, proof JSON, and workspace progress streams

The practical effect is important: external consumers can now read governance posture, execution lane identity, and follow-up artifact routing without scraping terminal prose or reverse-engineering semantics from mixed fields.

2. Agent safety moved from guidance toward enforced runtime behavior

v1.6.23 hardens agent-mode governance in two ways.

First, ota run --agent and ota up --agent now enforce execution-boundary safety at preflight time, with explicit refusal behavior and structured blocked receipts/results.

Second, governance evidence now carries clearer phase semantics (not_run_reason, crossing_record_state) so non-executed lanes are no longer ambiguous in machine output.

This is the right direction for serious agent operations: safety has to be enforceable and inspectable, not only documented.

3. Crossing and merge governance became explicit

This release introduces the first audited crossing-evidence slice for heavier lanes:

  • additive --reason <text> support on ota run and ota up
  • optional receipt.crossing on repo-target execution receipts
  • mirrored governance.crossing on ota up --json where applicable

In parallel, merge-oriented governance output gets stronger with projected-vs-drift-aware merge gates and required verification lane projection.

Together, these changes make Ota much better at answering two high-value questions in machine-readable form:

  • should this lane run under this governance posture?
  • what exact verification identity should merge consumers trust?

4. Source-governance and detect pressure widened substantially

v1.6.23 also expands V11.2 detector-source governance and drift review pressure across real repo-owned sources:

  • mise.toml, .devcontainer/devcontainer.json (including JSONC), devbox.json, and devenv.nix
  • structured external AGENTS.md / CLAUDE.md boundaries and bounded command-table lanes
  • Taskfile/justfile and GitHub Actions verification-lane recovery and drift warnings

The key product move is not “detect more things.”

It is that Ota now treats source provenance and source-class confidence as first-class governance signals, and warns when manual contract truth drifts from stronger external evidence.

That helps keep contracts honest as repos evolve.

5. First-class setup and action ownership widened again

This release also removes more setup-shell pressure by widening structural ownership:

  • prepare.kind: tool_bootstrap now includes prepare.tool: cypress_browsers
  • prepare.kind: dependency_hydration now supports source.kind: composer
  • action.kind: ensure_git_template added for template materialization with fresh init
  • action.kind: ensure_git_checkouts added for multi-checkout bootstrap
  • ensure_git_checkout/ensure_git_checkouts widened with remote wiring and workspace-relative targets
  • first-class effects.workspace_writes for explicit sibling/workspace mutation ownership
  • compose.build: true and compose.service_ports: true on compose.kind: run

This continues Ota's core posture: if the behavior is real and repeatable, it should be modeled structurally in contract truth.

6. Orchestrator ownership became broader and more usable

v1.6.23 widens orchestrator mediation beyond earlier slices:

  • first-class devbox and devenv orchestrator kinds
  • mediated command previews across task, exec, and subcommand
  • orchestrator-mediated prepare execution for command-backed hydration/bootstrap via execution.orchestrator.mode: exec
  • native activation ordering fix for command-acquired tools used by orchestrated lanes
  • ota doctor --fix widening to deterministic command-acquired tool activation

This closes a common real-world gap: repos can now keep orchestrator truth in contract-owned execution lanes without pretending host PATH ownership or dropping back to wrapper scripts.

Docs

If you want to adopt these capabilities directly, use the live docs:

  • Get Started: Install Ota and begin with ota doctor
  • Governance model: Governance for merge posture, safety posture, and machine-readable governance truth
  • Architecture loop: Execution Governance Loop for how contract, execution, proof, and governance fit together
  • Contract reference: Contract for tasks, workflows, setup, actions, and governance fields
  • Command reference: Commands for ota doctor, ota tasks, ota workflows, ota run, and ota up
  • JSON output: JSON output reference for governance, receipt, proof, and artifact-routing output
  • Workflow modeling: Workflows for verification lanes, workflow intent, and execution boundaries

Release

v1.6.23 is live here: https://ota.run/releases/v1.6.23

If you already use Ota, upgrade and verify:

VERIFYbash
ota upgradeota --versionota validateota doctor --jsonota tasks --safe --useota run <task> --dry-run --json

v1.6.23 keeps Ota on its core path: one declared contract, one governed execution model, and machine-readable evidence that lets humans and agents trust the same operational truth.