Reviews the two announcement gists:
- v0.7 — https://gist.github.com/jfarcand/561e1eb12e39baadf0e255d117c4514e
- v0.8 — https://gist.github.com/jfarcand/bfe31239238f1435e2105614bfefca41
…against the last 20 commits on Atmosphere/atmosphere@main (HEAD 9490afc5ae, tag atmosphere-4.0.38).
No cheerleading.
- 8 primitive source files exist (
AgentState,AgentWorkspace,ProtocolBridge,AiGateway,AgentIdentity,ToolExtensibilityPoint,Sandbox,AgentResumeHandle). OpenAiCompatibleClientdoes emittool_callson assistant messages andname/tool_call_idon tool messages (OpenAiCompatibleClient.java:679, 718).ChatMessageSerializationTestpins the wire shape. Real fix.coding-agentdoes usesession.send()(CodingAgent.java:79‑135), confirming the second "regression fix" is real.- 7 runtimes do exist (Built‑in, ADK, Spring AI, LangChain4j, Semantic Kernel, Koog, Embabel — Koog/Embabel via Kotlin).
DockerSandboxProvideractually enforcesNetworkPolicyvia--network=none|bridgeargs.InProcessSandboxProvideris now gated behindatmosphere.sandbox.insecure(commit05ec0290c1).
v0.7 says "DurableSessionInterceptor reattaches." It does not. DurableSessionInterceptor.java:117‑129 literally documents "We do not consult the registry here" and only stashes the header as a request attribute. Nothing in modules/*/src/main/java reads RUN_ID_ATTRIBUTE or talks to RunRegistry outside the resume/ package itself and its own tests. Primitive #8 is a published API with no production consumer. Calling it "shipped" is misleading.
v0.7 lists it as a primitive that works "across the seven hosted runtimes." Grepping Spring AI, LangChain4j, ADK runtimes for AiGateway returns zero hits. v0.8 quietly admits this in the "What's next" footnote ("currently mandatory on Built‑in only"), but v0.7 doesn't, and the headline matrix in v0.8 still credits AiGateway as a strong point against Barrier #40. The choke point only chokes one of seven paths.
3. PermissionMode / @RequiresApproval "annotated live in the personal-assistant sample" (v0.8) is a stretch
Both strings appear only inside markdown system prompts (agent-workspace/AGENTS.md, prompts/primary-assistant.md) instructing the LLM how to behave. There is no @RequiresApproval annotation and no PermissionMode.PLAN reference in the sample's Java code. The sample even comments "all three are safe to auto-approve" — i.e., the approval primitive is not exercised. v0.8 sells this as a Gate #40 / Barrier #45 "direct hit"; the demo doesn't actually demonstrate it.
Commit ece4a161cc keeps ai-cancel, semantic-kernel-chat, admin-coverage, orchestration-primitives unmapped in Playwright "until their latent bugs are fixed." Green only because broken specs are excluded. That's precisely the flaky/quarantine pattern the repo's own AGENTS.md forbids without owner+expiry+tracking issue.
This commit landed after the v0.7 announcement and reads like a confessional. In a single 1,512‑line squash it:
- Closes the
InProcessSandboxProviderfoot-gun (was returningisAvailable=trueby default → LLM-driven tool loop in fallback mode could exec on the host JVM with no isolation). - Bounds
PerUserRateLimiter's tracked-users map (was unbounded → trivial OOM/DoS by sending random user ids). - HMACs
CredentialStoreidentifiers (was storing them in cleartext on disk). - Kills two
ThreadLocalshims (one inAgentRuntimeResolver, one inJournalingAgentFleet) that v0.7 already advertised as primitives. - Cancels sibling tasks before
parallel().join()inDefaultAgentFleet(previously leaked work after first failure).
Each one of these maps to a Correctness Invariant in AGENTS.md (Ownership, Backpressure, Boundary safety, Terminal-path completeness). v0.7's "shipped" + "CI fully green" + "production-ready primitives" framing was premature — five blocking bugs found in two weeks is not a polish, it's the second half of the implementation.
- v0.7 mentions
4.0.39-SNAPSHOTand "Target releaseatmosphere-ai 4.0.39," but the released tag in this window is 4.0.38. The real 4.0.39 will ship the foundation; readers will infer it already did. - The
OpenAiCompatibleClientfile is now 1,132 lines. Whatever its merits, it's the size at which "additive change" warrants a re-review for state-machine correctness in the streaming/tool-loop. Neither gist mentions that. - Stale
application.propertieswas left behind by the prior squash (9490afc5ae). Minor, but it means the v0.7 sample code the gist walks readers through was running with two overlapping config sources for some period. - v0.8's two "❌ Gap" rows (Business-objective alignment, Ethics/fairness/bias) are honest. The four "✅ Strong" rows lean on primitives that are either (a) wired into one runtime only (
AiGateway) or (b) not exercised by the proof samples (@RequiresApproval,PermissionMode). The "5/9 strong" / "5/6 strong" scorecards are inflated by counting SPI presence as runtime presence.
- The
tool_callsserialization fix +ChatMessageSerializationTestis the right shape: behavior + a wire-shape regression test pinning it. - Sandbox network policy is end-to-end (record → docker args).
- The hardening commit's tests (
PerUserRateLimiterTest,CredentialStoreIdentifierTest,DefaultAgentFleetTest,JournalingAgentFleetCoordinationIdTest) are appropriately scoped to the regressions they fix. - v0.8 explicitly calls drift/anomaly and ethics out as gaps and lists "AiGateway wire-in across all seven runtimes" as known follow-up — the right kind of honesty, just buried under a self-congratulatory headline.
The branch is closer to "v0.7-rc + a critical hotfix squash" than to "shipped foundation." The single biggest credibility hit is Primitive #8 (AgentResumeHandle) being unwired while the gist describes its reattach path in detail; the second is AiGateway being one-of-seven while marketed as a unified choke point.
Fix one of:
- Wire
RunRegistryinto a real handler before the next gist, or - Downgrade the primitive's status to "API + InMemory ref impl, integration pending."
Same treatment for AiGateway.