0.12.9

@jithinraj jithinraj released this 11 Apr 15:02
· 63 commits to main since this release
c11fc9a

Summary

  • @peac/adapter-managed-agents (new Layer 4 package): vendor-neutral managed runtime event export with six event families under org.peacprotocol/managed-agent-*. Caller-supplied provider, zero runtime vendor SDK dependencies, decode-only buildSessionSummary().
  • Reference verifier content negotiation (POST /v1/verify): three response formats via Accept header (application/json byte-identical to v0.12.8, application/peac-report+json extended, text/plain human-readable). PEAC-Report-Id header (UUID v4) on every response. OpenAPI 3.1 spec updated with ExtendedVerifyReport and FailureReason schemas and an OpenAPI drift test gate that fails the build if the code and spec diverge.
  • Reference issuer health probe (GET /v1/issuer-health): query-parameter API, SSRF-safe via shared @peac/jwks-cache validateUrl() and isMetadataIp(), independent rate limiter (10 req/min per IP), cache-key canonicalization, 60-second TTL.
  • MCP Streamable HTTP quickstart (examples/mcp-http-quickstart/): server.json declares both stdio and streamable-http transports with the required url field per MCP Registry schema 2025-12-11. Merge-blocking gate (scripts/verify-mcp-quickstart.sh) boots the local workspace @peac/mcp-server, initializes an MCP JSON-RPC session, propagates Mcp-Session-Id, and asserts peac_verify over HTTP. Local fallback is not accepted as proof.
  • RFC 9728 Protected Resource Metadata strict compliance tests: five new MCP-server tests verifying Content-Type: application/json, exact field-count, multi-authorization-server serialization, non-HTTPS non-loopback rejection, and HTTP loopback allowance for development.
  • External pilot kit (examples/external-pilot/, docs/pilots/PILOT_KIT.md): self-contained pilot for independent external organizations, runtime-generated Ed25519 keypair, local and reference-verifier verification paths, formal JSON Schema (draft-07) validation via ajv + ajv-formats, merge-blocking engineering gate (scripts/verify-pilot-output.sh).
  • Conformance registration: formally register 25 previously pending requirement IDs across 6 namespaces (X402V2-*, DID-RES-*, GRPC-META-*, PKCE-*, RURL-*, SC-*). Total requirement IDs: 192 → 217 across 18 → 24 sections. New scripts/conformance/build-extension-registry.mjs as the formal canonical source of truth for non-WIRE02 requirements. Zero temporary registration exemptions remain.
  • x402 scheme coverage clarification: § 3.0 Payment Schemes in docs/specs/X402-PROFILE.md states the adapter's scheme-agnostic posture for both exact and upto. New docs/compatibility/x402-scheme-coverage.md keeps three truth surfaces explicitly distinct (upstream x402 protocol, upstream facilitator surfaces, PEAC-tested). Two new fixtures and eight overclaim-guard tests assert scheme is term-matched as a byte-equal required string and never interpreted for scheme-specific invariants.
  • Release-state stamping script (scripts/stamp-release-state.mjs): deterministic, idempotent script for stamping mutable release metadata (release_date, updated, dist_tag) post-tag and post-promotion. Exposed via pnpm release:stamp:publish / :promote / :check:publish / :check:promote. Covered by 13 smoke tests.

Changed

  • REPO_SURFACE_STATUS.json: 0.12.8 → 0.12.9; published_packages 35 → 36
  • Conformance matrix regenerated with 217 requirement IDs across 24 sections
  • x402 conformance fixture manifest version 0.12.7 → 0.12.9
  • Security audit allowlist: added GHSA-q4gf-8mx6-v5v3 (next.js Server Components DoS, dev-only via surfaces/nextjs, 90-day expiry)

Security

  • hono 4.12.12 and @hono/node-server 1.19.13 (from 4.12.7 / 1.19.11): covers 5 moderate hono CVEs plus GHSA-92pp-h63x-v22m. pnpm.overrides enforces the minimums across transitive paths.
  • Issuer health probe uses fetch with redirect: 'error' to prevent SSRF via redirect chains to private IPs or cloud-metadata endpoints.
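The two SSRF controls named in these notes (address validation before the request, then `redirect: 'error'` on the request), as an added example that is not code from the PEAC repository. `validateProbeUrl`, `isBlockedIpv4` and `probeIssuer` are hypothetical names, not the `@peac/jwks-cache` `validateUrl()` / `isMetadataIp()` functions. Assumptions: only IP literals are checked (a DNS name that resolves to a private address needs the same check after resolution), and IPv6 literals are refused outright to keep the example short.

```javascript
// Added example; hypothetical helpers, not the @peac/jwks-cache implementation.
const BLOCKED_V4 = [ // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], // link-local, includes the 169.254.169.254 metadata IP
  ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isBlockedIpv4(host) {
  const ip = ipv4ToInt(host);
  if (ip === null) return false;
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return (ip & mask) >>> 0 === (ipv4ToInt(net) & mask) >>> 0;
  });
}

function validateProbeUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'userinfo' };
  // Use the parsed hostname: the WHATWG parser canonicalizes forms such as
  // 2130706433 or 0x7f.1 to dotted-quad, so they cannot slip past the range check.
  const host = url.hostname;
  if (host.startsWith('[')) return { ok: false, reason: 'ipv6-literal' };
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'loopback-name' };
  if (isBlockedIpv4(host)) return { ok: false, reason: 'private-ip' };
  return { ok: true, url };
}

async function probeIssuer(raw, fetchImpl = fetch) {
  const check = validateProbeUrl(raw);
  if (!check.ok) return { healthy: false, reason: check.reason };
  try {
    // redirect: 'error' makes fetch reject on any 3xx instead of following it,
    // so a public host cannot bounce the probe to an address refused above.
    const res = await fetchImpl(check.url.href, { redirect: 'error' });
    return { healthy: res.ok, status: res.status };
  } catch {
    return { healthy: false, reason: 'fetch-failed' };
  }
}
```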

Deferred

  • Reference verifier exporter scheme-label additions for x402
  • SVM upto scheme support (upstream RFC x402-foundation/x402#1642 unresolved)
  • Commerce-lifecycle mapping, max-vs-actual delta audit, reserve/lock evidence
  • Facilitator attestation handling (upstream RFC #1921 open)
  • Payment Identifier extension, gas sponsoring, Bazaar discovery, SIWX
  • Runnable x402-upto-evidence example

Metrics

  • 36 published packages
  • 7336 tests across 290 test files
  • 217 conformance requirement IDs across 24 sections
  • 100 build targets
  • Wire format: Interaction Record (interaction-record+jwt, stable since v0.12.0)
  • Legacy Wire 0.1 (peac-receipt/0.1) frozen until v1.0

See CHANGELOG.md for full details.


PEAC Protocol is an open-source project stewarded by Originary and community.