This log consolidates material product and architecture decisions that shape the current Traverse roadmap. It is intentionally higher level than the governing specs: specs define what must be built, while this log records why the direction was chosen.
All current implementation specs listed in specs/governance/approved-specs.json are approved for implementation unless a later approved spec or ADR supersedes them.
- Date: 2026-05-27
- Status: Accepted
- Governing specs:
033-http-json-api,035-multi-agent-isolation,029-integrated-observability - Related issues:
#300,#387,#390,#391,#392,#393,#394,#395,#396
Downstream apps such as youaskm3, browser clients, local agents, and non-Rust tools need to consume Traverse without shelling out to human-readable CLI commands.
Expose traverse-cli serve with stable HTTP+JSON endpoints, local discovery through .traverse/server.json, structured errors, explicit API versioning, CORS behavior, and synchronous plus asynchronous execution flows.
- Keep CLI-only execution and add JSON flags later.
- Expose only a Rust SDK.
- Start with WebSocket or Server-Sent Events before a stable request/response API exists.
HTTP+JSON becomes the first stable external runtime surface. CLI remains useful for humans and CI, but applications should target the HTTP API for app integration.
- Date: 2026-05-27
- Status: Accepted
- Governing specs:
033-http-json-api,035-multi-agent-isolation - Related issues:
#387
Local browser apps and agents need a deterministic way to find a running Traverse server even when the default port is unavailable.
traverse-cli serve writes .traverse/server.json with base_url, health_url, workspace_default, pid, started_at, auth_mode, and local token metadata when applicable. Clients must verify GET /healthz before trusting the file.
- Require every app to pass the port explicitly.
- Use an OS-level service registry.
- Use a global config file outside the repo.
Local discovery is repo-scoped, testable, and suitable for both humans and coding agents.
- Date: 2026-05-27
- Status: Accepted
- Governing specs:
042-mcp-library-surface,015-capability-discovery-mcp,023-browser-hosted-mcp-consumer-model - Related issues:
#310,#366
youaskm3 needs MCP support, and agents should not have to reimplement the MCP wire protocol over stdin/stdout when they are already running in Rust or embedding Traverse.
Keep the stdio MCP server path, and expose the core MCP operations as a public Rust library surface with deterministic request/response types.
- Keep MCP only as a stdio binary.
- Make downstream apps reimplement Traverse MCP behavior.
- Delay MCP library support until after the HTTP API.
Traverse owns MCP execution and discovery behavior. Downstream apps can choose stdio integration or direct library integration without coupling to private crate internals.
- Date: 2026-05-27
- Status: Accepted
- Governing specs:
034-programmatic-registration,035-multi-agent-isolation,040-contractual-enforcement-gate - Related issues:
#302,#397,#398,#399,#400
Agents and app runtimes need to register capabilities, bundles, manifests, and related artifacts without writing ad hoc files and invoking the CLI as a subprocess.
Define a programmatic registration API with stable request models, idempotency behavior, conflict handling, validation evidence, and audit requirements.
- Keep bundle registration as CLI-only.
- Expose low-level registry structs directly.
- Permit dynamic registration without validation and audit evidence.
Registration becomes app-consumable while preserving contract validation, workspace boundaries, and governance evidence.
- Date: 2026-05-27
- Status: Accepted
- Governing specs:
030-security-identity-model,035-multi-agent-isolation,033-http-json-api - Related issues:
#303,#372,#401,#402,#403
Concurrent agents cannot safely share one mutable registry without identity, authorization, workspace boundaries, and auditable operations.
Use workspace-scoped registry/runtime operations, bearer auth for non-loopback bindings, operation-specific scopes, dev-loopback local tokens, runtime grants, and workspace-local audit logs.
- Document Traverse as single-agent-only.
- Add authentication later after exposing mutable APIs.
- Trust caller-supplied identity fields.
Multi-agent behavior is part of the governed runtime model. Local development remains ergonomic through dev-loopback mode, but production and non-loopback access must be authenticated.
- Date: 2026-05-27
- Status: Accepted
- Governing specs:
038-wasi-host-insulation,025-wasm-executor-adapter,027-expedition-wasm-port - Related issues:
#369
Traverse modules should not couple directly to a specific WASI implementation or unstable host imports.
Introduce a stable Traverse Host ABI v1 as the sanctioned boundary between WASM modules and the runtime host, with load-time import validation and a governed Component Model migration path.
- Let modules import host/WASI functions directly.
- Treat the current WASI layer as the public contract.
- Delay ABI governance until after more module examples exist.
WASM modules gain a stable portability boundary, and host/runtime upgrades can happen without casually breaking module authors.
- Date: 2026-05-27
- Status: Accepted
- Governing specs:
039-connector-plugin-architecture,032-universal-data-access - Related issues:
#370,#371
Capabilities need external data and resource access, but embedding resource-specific logic into capabilities or runtime core would weaken portability and governance.
Use connector plugins as the extension point for external integrations, with declared dependencies, registration validation, governed discovery, and reference connectors for v0.
- Put all resource access into runtime core.
- Let each capability bundle its own connector logic without governance.
- Treat connectors as informal examples rather than a governed surface.
External integrations can grow without turning the runtime into an integration monolith or coupling capabilities to one host.
- Date: 2026-05-27
- Status: Accepted
- Governing specs:
043-module-dependency-management,037-semver-range-resolution,041-workflow-composition-api - Related issues:
#338,#374
As capabilities, agents, and WASM modules compose, dependency drift and unsatisfied version requirements become runtime risks.
Govern dependency declaration, semver-compatible resolution, lock evidence, digest checks, and circular dependency rejection before relying on complex inter-capability composition.
- Resolve dependencies dynamically at execution time only.
- Require exact versions everywhere.
- Defer dependency governance until after app integration.
Registration and execution can produce deterministic dependency evidence, and downstream apps can rely on stable composition behavior.
- Date: 2026-05-27
- Status: Accepted
- Governing specs:
029-integrated-observability,012-execution-trace-tiered,010-runtime-state-machine - Related issues:
#362
Traverse runtime decisions must be explainable to humans, agents, CI, and downstream apps. Plain logs are not enough for deterministic validation or UI presentation.
Instrument runtime execution with structured trace evidence, OpenTelemetry-compatible spans, trace context propagation, deterministic test mode, and Traverse-specific semantic attributes.
- Keep only internal logs.
- Emit ad hoc JSON traces without OTel compatibility.
- Add observability after app integration.
Execution evidence becomes a first-class integration surface for debugging, UI feedback, and release validation.
- Date: 2026-05-27
- Status: Accepted
- Governing specs:
031-supply-chain-hardening,030-security-identity-model,038-wasi-host-insulation - Related issues:
#373
Downstream consumers such as youaskm3 need runtime and MCP artifacts they can verify, not just source code they can build locally.
Add checksum, SBOM, signature/provenance, and CI verification gates for published artifacts, using Ed25519 as the baseline signing path and Sigstore for published artifacts.
- Publish packages first and add provenance later.
- Rely only on GitHub release tags.
- Treat SBOM and signatures as enterprise-only follow-up work.
Artifact publication is tied to verifiable provenance and release evidence, which supports real downstream adoption.
- Date: 2026-05-27
- Status: Accepted
- Governing specs:
019-downstream-consumer-contract,023-browser-hosted-mcp-consumer-model,033-http-json-api,042-mcp-library-surface - Related issues: downstream validation and consumer package tickets
youaskm3 should use Traverse for runtime, state, MCP, capability execution, and governed business logic, while keeping product UI and chat experience in its own app.
Traverse exposes app-facing runtime and MCP surfaces. It does not own the youaskm3 UI, chat UX, layout, source presentation, or product behavior outside runtime/MCP execution.
- Build the
youaskm3webapp inside Traverse. - Make
youaskm3call private Traverse internals. - Keep Traverse as demos only and let
youaskm3reimplement runtime/MCP behavior.
Traverse remains a reusable runtime project, and youaskm3 becomes the first serious downstream consumer rather than a forked product shell.
- Date: 2026-05-27
- Status: Accepted
- Governing specs:
019-downstream-consumer-contract,028-schema-alignment-gate-v02,031-supply-chain-hardening - Related issues: package and release-readiness tickets
Traverse has a public v0.1.0 release, but downstream apps need clear expectations for compatibility, package artifacts, and first-release readiness.
Follow semantic versioning, keep public surfaces explicitly versioned, and require release checklists plus validation artifacts before declaring app-consumable releases ready.
- Use informal release labels only.
- Treat release notes as the only compatibility statement.
- Version crates and artifacts independently without a release-readiness checklist.
Release readiness is auditable, and downstream users can reason about compatibility from specs, package artifacts, and release evidence.
- Date: 2026-07-12
- Status: Accepted
- Governing spec:
063-registry-contract-materialization - Related issues:
#551,#552
Public records will publish immutable contract URL/digest metadata alongside
artifact metadata. Consumers will verify both, cache by digest, register
atomically, reject local public scope, and permit private shadows with
machine-readable evidence.
- Date: 2026-07-12
- Status: Accepted
- Governing spec:
064-production-artifact-execution - Related issue:
#583
The runtime will route resolved WASM and explicitly host-registered native artifacts through one production executor boundary. The production server uses that router by default; the example executor is explicit-only.
- Date: 2026-07-12
- Status: Accepted
- Governing spec:
065-sigstore-bundle-verification - Related issue:
#589
Traverse will use a narrow Rust Sigstore verifier interface. Production verification consumes self-contained bundles offline, validates pinned trust roots and publisher identity, and never accepts a string-prefix placeholder as verification evidence.
- Date: 2026-07-12
- Status: Accepted
- Governing spec:
066-durable-identity-event-delivery - Related issues:
#591,#593
The runtime will emit identity-bearing events through a canonical sink. The first durable store uses fsynced append-only journals, opaque persisted cursors, and bounded retention; future tickets will evaluate its measured limits and evolution path.