VCO Release v3.0.3

Highlights

Promoted the latest governed repository state after v3.0.2 instead of leaving the newer runtime, install, and bootstrap work stranded behind the public line. This cut packages the current maintained source at 537db3f.
Added explicit host-global bootstrap lifecycle support for supported instruction-file hosts. Codex, Claude Code, and OpenCode can now carry a short managed $vibe / /vibe bootstrap block that is install-safe, idempotent, doctor-visible, and uninstall-safe instead of relying only on ambient user guidance.
Tightened specialist decision truth and delivery-acceptance reporting. The runtime now records explicit specialist-decision sidecars and disclosure outcomes so repo-asset fallback, no-match resolution, and degraded-but-traceable specialist paths remain reviewable instead of being implied behavior.
Continued hardening upgrade and installed-runtime behavior. Self-upgrade metadata now has an authoritative repo URL/default branch path, gitless installs degrade cleanly, and installed runtime payloads now include the governed dependency surfaces, verification gates, and bootstrap-doctor assets that the shipped runtime actually consumes.
Bounded optional external install behavior during bootstrap. Optional npm and git probes now fail with timeouts and warnings instead of hanging indefinitely or crashing the CLI on malformed environment input.

v3.0.2 moved the public line forward to the then-latest main source at c2f98b5, carrying upgrade reminder plumbing, workspace memory, artifact review governance, and specialist lifecycle disclosure.
v3.0.3 continues that 3.0.x line with the next maintained source after the v3.0.2 cut:
- PR #164 added host-global bootstrap lifecycle support with managed-block install/check/uninstall safety.
- PR #165 hardened self-upgrade metadata so installed runtimes can recover authoritative repo information instead of relying on blank cached git metadata.
- PR #166 added explicit specialist decision fallback governance and delivery-acceptance truth around repo-asset fallback.
- PR #168 restored installed runtime payload coverage for issue #167, then tightened the follow-up review fixes around timeout parsing, git command timeouts, and governed dependency surface coverage.
- The intervening README refresh PRs (#156 through #163) simplified install, capability, routing, and memory guidance so the public docs better match the current runtime model.
The practical result is that the public line now exposes a more truthful hosted-bootstrap surface, a stronger specialist-decision contract, and a less fragile installed-runtime / upgrade path.

This is a 3.0.x continuation release, not a new major baseline.
The release is centered on closure and truthfulness rather than on a brand-new product lane: bootstrap entry surfaces, specialist fallback truth, upgrade metadata, and installed-runtime payload completeness now align more tightly with the governed runtime the repo already ships.
As with v3.0.2, package metadata is still governed by the repository's current release practice; the meaningful public version signal for this cut is the governed release surface at v3.0.3.

pwsh -NoProfile -ExecutionPolicy Bypass -File ./scripts/governance/release-cut.ps1 -Version 3.0.3 -Updated 2026-04-15 -Preview -RunGates -> preview succeeded.
pwsh -NoProfile -ExecutionPolicy Bypass -File ./scripts/governance/release-cut.ps1 -Version 3.0.3 -Updated 2026-04-15 -RunGates -> release cut complete.
python3 -m pytest -q tests/integration/test_release_cut_gate_contract_cutover.py tests/integration/test_dist_manifest_generation.py tests/runtime_neutral/test_release_notes_quality.py tests/runtime_neutral/test_release_cut_operator.py -> 14 passed in 5.53s.
pwsh -NoProfile -File scripts/verify/vibe-version-consistency-gate.ps1 -> PASS (10/10 assertions).
pwsh -NoProfile -File scripts/verify/vibe-dist-manifest-gate.ps1 -> PASS.
pwsh -NoProfile -File scripts/verify/vibe-version-packaging-gate.ps1 -> PASS (9/9 assertions).
pwsh -NoProfile -File scripts/verify/vibe-release-notes-quality-gate.ps1 -> PASS.
git diff --check -> PASS.

Operators upgrading from v3.0.2 should expect the installed runtime to carry more of the governed dependency surfaces that skills/vibe already references. This is a correctness release for shipped runtime completeness, not just a local test adjustment.
If you rely on hosted instruction-file entry surfaces, this is the first public cut where the managed $vibe / /vibe bootstrap block lifecycle is part of the release line rather than only local branch work.
If you consume upgrade reminders or self-upgrade flows from installed runtimes, this release is safer in gitless or partially degraded environments because authoritative repo metadata is now recoverable from governance surfaces.
If you review governed execution receipts, expect stronger specialist-decision truth around repo-asset fallback and degraded specialist paths instead of weaker implied fallback behavior.