Skip to main content
Version: v0.12.11

Releases

All PEAC Protocol releases follow semantic versioning. Every release is published to npm under the @peac scope, and all packages in the monorepo share the same version number.

v0.14.4 (May 19, 2026)

Composition Surfaces

  • Runtime governance composition recipe: docs/SOLUTIONS/agt-peac-composition.md — generic normalizeRuntimeGovernanceEvent API, vendor-neutral (not tied to one platform); canonical line "Harnesses control execution. PEAC records bounded work. Logs stay local; PEAC records travel."
  • Runnable runtime-composition-records example: end-to-end vendor-neutral demo using @peac/adapter-runtime-governance; smoke test verifies round-trip
  • Edge verification recipe: docs/SOLUTIONS/verify-at-the-edge.md — generic pattern first, Cloudflare + Docker in stability-class table; cites docs/specs/RESOURCE-LIMITS.md for 256 KiB body cap, 5,000 ms JWKS timeout, 100 keys cap, TTL bounds 60..86,400 s
  • Evaluation and harness record recipes: docs/SOLUTIONS/eval-platform-records.md + docs/SOLUTIONS/harness-records-quickstart.md — three recipe commands verified exit 0 with valid interaction-record+jwt JWS
  • MCP composition guide: docs/SOLUTIONS/mcp-composition.md — cites merged SEPs 2468, 2484, 2577, 2106; 30 doc-truth assertions; explicit "PEAC does NOT" boundary block (8 items)
  • .NET quickstart verifier: committed-fixture offline verifier for Ed25519 records (net10.0, NSec.Cryptography); NOT a .NET SDK or NuGet package
  • Go middleware chi adapter parity: sdks/go/middleware/chi/chi_test.go + README.md — brings chi to parity with echo/gin/nethttp adapters
  • 36 published packages, 107 build targets, 19 extension groups, 61 receipt types, 10,838 tests, 290 conformance requirement IDs, 32 sections

v0.14.3 (May 17, 2026)

Agent Action, Commerce Mandate, and Gateway Export Records

  • Agent Action Records: org.peacprotocol/agent-action (17th extension group) — 6 type URIs for agent decision and action evidence; Section 32 (AGENT-ACT series)
  • Commerce Mandate Records: org.peacprotocol/commerce-mandate (18th extension group) — 7 type URIs covering mandate-grant and 6 lifecycle states (authorization, capture, void, refund, settlement, budget); 16 stable error codes in commerce.mandate.* namespace; Section 33 (COMM-MAN-001..010)
  • Gateway Export Records: org.peacprotocol/gateway-export (19th extension group) — 8 gateway-*-observed type URIs covering x402 payment-settlement state machine; Section 34 (GATE-EXP-001..010)
  • ACP mapper boundary fix: enforces amount_minor: string and explicit finality (assertExplicitFinality doctrine) in @peac/mappings-acp
  • protobufjs override: workspace override to 8.0.2 + @protobufjs/utf8 1.1.1 closes 8 Dependabot alerts (private-example reachability only)
  • NonNegativeAmountMinorStringSchema refine wrapper for mandate scope (preserves AmountMinorStringSchema semantics elsewhere)
  • 36 published packages, 106 build targets, 19 extension groups, 61 receipt types, 10,635 tests, 290 conformance requirement IDs, 32 sections

v0.14.2 (May 11, 2026)

Provisioning Lifecycle Records

  • New extension group: org.peacprotocol/provisioning-lifecycle (16th extension group)
  • 10 *-observed type URIs covering credential issuance, secret rotation, service authorization, key lifecycle, access grants and revocations, service binding, and lifecycle completion
  • validateProvisioningLifecycle() in @peac/schema with recursive credential-material scanner that rejects inline secrets at any nesting depth
  • 21 stable error codes in the provisioning.* family
  • Conformance Section 31 (PROV-LIFE-001..010) -- 260 total conformance requirement IDs across 29 sections
  • Opaque reference grammar required for all *_ref fields (urn:, ref:, did:, sha256:, https:)
  • storage_surface object with 7 abstract kind values (no vendor-specific enums in core)
  • Standards Ledger Section J: RFC 9700 BCP 240 / RFC 6749 / draft-ietf-oauth-v2-1-15 / draft-ietf-oauth-security-topics-update
  • 36 published packages, 103 build targets, 16 extension groups, 40 receipt types, 10,078 tests

v0.14.1

Agent Execution and Lifecycle Records

  • CLI Execution Records: peac observe command (unsigned JSON observation) and peac record command (signed Wire 0.2 execution record) -- org.peacprotocol/cli-execution extension group
  • Lifecycle Observation Records: peac emit lifecycle for approval, evaluation, experiment, and workflow transition events -- org.peacprotocol/lifecycle-observation extension group (9 type URIs)
  • A2A Handoff Records: Signed handoff observation records for Agent-to-Agent Protocol v1.0 task delegation events -- org.peacprotocol/a2a-handoff extension group (10 type URIs); Microsoft AGT and AAIF compatible
  • CLI security defaults: argv hashed by default, stdin none by default, raw capture requires explicit double opt-in
  • Lifecycle no-inline-value invariant: 20 forbidden top-level keys, opaque reference grammar for all *_ref fields
  • A2A v0.3.0 support removed; v1.0 only
  • First npm latest flip in the v0.13.x-v0.14.x window (npm latest was stuck at 0.13.0 since April 2026)
  • 36 published packages, 102 build targets, 15 extension groups, 30 receipt types, 9,782 tests, 250 conformance IDs

v0.14.0

Bounded Validation Gate

  • Wire 0.2 issuance (issue()) and local verification (verifyLocal()) now route through the bounded validation gate by default
  • Internal rollback flag (PEAC_INTERNAL_LEGACY_PATH) is now meaningful: both flag values exercise different internal admission paths with byte-equivalent public outputs
  • 4-cell rollback-path matrix verified at publish time (Node 22 + 24 LTS x rollback flag 0/1)
  • New production wrapper runBoundedValidationGate at packages/protocol/src/_internal/record-core/validation-gate.ts; runBoundedValidatorShadow reserved for shadow/corpus/parity-harness only
  • Operator runbook at docs/diagnostics/ROLLBACK-v0.14.0.md; release-neutral runbook at docs/diagnostics/ROLLBACK-PATH.md
  • Public API: unchanged. Wire format: unchanged. Package surface: unchanged. Extension keys: unchanged. Default observable behavior: unchanged.
  • 36 packages on npm next, 9,214 tests, 224 conformance requirement IDs, 102 build targets

v0.13.4

Validation Readiness and Runtime Invariants

  • Seven canonical-composed validators added to shadow mode: schema-parse, jose-typ-strictness, iat-not-yet-valid, policy-binding, unknown-extension-grammar, type-extension-enforcement, signature
  • Canonical-vs-candidate differential test against 230 fixtures with byte-equality assertions
  • Rollback-path matrix promoted to a release gate: 4-cell CI (Node 22 + 24 LTS x rollback flag 0/1)
  • publish.yml release_gate_rollback_matrix preflight hard-blocks publish on any failure
  • scripts/verify-trust-artifacts.mjs extended to cover all docs/specs/RESOURCE-LIMITS.md invariant tables
  • docs/STABILITY-CONTRACT.md internal-only flags table gains row for the rollback flag
  • 36 packages, 9,197 tests, 224 conformance requirement IDs

v0.13.3

Diagnostic Readiness and Release Validation

  • Internal rollback-path flag plumbed: PEAC_INTERNAL_LEGACY_PATH env and options._internal.legacyPath programmatic option (behavior-preserving: both flag values use the same protocol path in this release)
  • Operator runbook at docs/diagnostics/ROLLBACK-PATH.md
  • docs/specs/RESOURCE-LIMITS.md clarified: Layered network limits subsection, Timeout classes subsection (5,000 ms verifier / 10,000 ms issuer-config / 30,000 ms unrestricted), Header-carrier surfaces clarification
  • Stale documentation citations corrected to current kernel constants
  • Diagnostic parity taxonomy: verdictKeyErrorClass error-class multiset comparator in parity-corpus.ts
  • 36 packages, 8,930 tests, 224 conformance requirement IDs

v0.13.2

Diagnostic Foundations and Compatibility Contracts

  • Workspace-private @peac/resolver-http composition layer over published primitives (@peac/net-node, @peac/jwks-cache, @peac/kernel, @peac/crypto)
  • Shadow-mode pointer-fetch foundation in apps/api (internal only, default OFF; PEAC_INTERNAL_SHADOW_RESOLVER flag)
  • Hosted Verify body-size boundary coverage: exact-byte tests at MAX_BODY_SIZE (256 KiB) on /v1/verify and /v1/issue
  • Workspace-private compat reader, writer, and validator finalized; serializeArchivalBundle returns deterministic JSON
  • Release validation diagnostics: docs/diagnostics/SHADOW-MISMATCHES.md and docs/diagnostics/RELEASE-EXERCISE-v0.13.2.md
  • All 16 open Dependabot alerts closed
  • 36 packages, 8,889 tests, 224 conformance requirement IDs

v0.13.1

Validation Assurance Foundations

  • @peac/disc retired to archive/discovery/; publish-manifest count 37 to 36
  • @peac/registries workspace-private facade; @peac/kernel compat barrel preserves every previously public import path
  • Internal validator parity foundation with observation-only scheduler alongside the canonical Zod path
  • Adversarial redaction coverage for all registered secret classes (compact JWS, PEM, Bearer, Authorization, Cookie, API key, AWS access key, email, phone)
  • Deterministic mutation oracle: every byte-level mutation of a valid Wire 0.2 JWS rejected with a registered E_* error code
  • Resource-limit tests pinned at-bound-pass and at-bound-plus-one-fail vectors per docs/specs/RESOURCE-LIMITS.md
  • docs/STABILITY-CONTRACT.md gains Internal-only flags section and Shadow-mode timeout guarantee class section
  • 36 packages, 7,721 tests, 224 conformance requirement IDs

v0.13.0

Public Surface Stabilization

  • Records-first doctrine across all active front-door surfaces; "receipt" preserved as the per-artifact noun and PEAC-Receipt header name
  • ProofMethodSchema and PROOF_METHODS removed from @peac/schema; transport-binding values inlined on AgentProofSchema.method
  • A2A v0.3.0 compatibility removed from @peac/mappings-a2a; v1.0.0 supportedInterfaces[] is required
  • @peac/core archived to archive/0.9.0-0.9.14/packages-core/; historical npm versions <=0.9.14 remain installable
  • @peac/pref archived to archive/pref/; migration target: @peac/mappings-content-signals
  • Legacy POST /verify removed from active OpenAPI contract; runtime alias continues to POST /v1/verify through Sunset 2026-11-01 with Deprecation, Sunset, and Link headers
  • New docs/specs/RESOURCE-LIMITS.md normative invariant table
  • New docs/STANDARDS_LEDGER.md RFC/FIPS/W3C/ISO catalogue
  • docs/baselines/BASELINE-v0.13.0.md released-package surface snapshot
  • 37 packages on npm latest, 7,672 tests, 224 conformance requirement IDs, 99 build targets
Breaking Changes
  • ProofMethodSchema and PROOF_METHODS removed from @peac/schema
  • A2A v0.3.0 compatibility removed from @peac/mappings-a2a
  • POST /verify removed from active OpenAPI contract (runtime alias continues through Sunset)
  • @peac/core no longer in active publish manifest

v0.12.14

Policy Binding and Privacy-Aware Verification

  • computeJsonDocumentDigestJcs, computeTextDocumentDigestUtf8, computeDocumentDigest for document binding (docs/specs/DOCUMENT-BINDING.md normative)
  • Verifier report bindings shape (report-only, not stamped into emitted record)
  • Five privacy docs under docs/privacy/: DATA-CLASSIFICATION, RETENTION-AND-DELETION, DEPLOYMENT-ROLES, DATA-SUBJECT-RIGHTS, DPIA-STARTER
  • Configurable retention caps, deletion hooks, no_raw_personal_data report mode, pseudonymous-ID fixtures
  • Runnable examples/cf-policy-x402-terms/ demo and docs/SOLUTIONS/cloudflare-x402-peac.md operator recipe
  • docs/specs/AIPREF-COMPOSITION.md and docs/specs/SCITT-COMPOSITION.md informative specs
  • scripts/verify-no-semantic-widening.mjs 11-check hard gate
  • 37 packages, 7,680 tests, 224 conformance requirement IDs, 106 build targets

v0.12.13

Compliance Mappings and Verifier Contract Alignment

  • ISO 42001 Clause 8 and EU AI Act Annex IV compliance mapping docs with scripts/verify-compliance-mappings.mjs
  • Canonical contract alignment for reference verifier with scripts/verify-openapi-drift.mjs extended over 5 downstream surfaces
  • docs/HOSTED_VERIFY_CONTRACT.md authority statement
  • Echo and net/http Go middleware adapters; shared sdks/go/middleware/paritytest/ harness
  • Observational groupByLifecycle() export in @peac/audit
  • Regression-aware Go benchmark gate; 6-vector extended JCS parity corpus (TypeScript + Go byte-identical)
  • scripts/verify-release-closeout.mjs 7-row post-release truth reconciler
  • 37 packages, 7,600 tests, 224 conformance requirement IDs

v0.12.12

SLOs, Threat Model, and Stability Contract

  • docs/SLO.md with release-prep baseline stamps for issue(), verifyLocal(), reference-verifier /v1/verify, MCP tool-call round-trip
  • docs/STABILITY-CONTRACT.md and consolidated docs/THREAT_MODEL.md with per-threat test-coverage links
  • docs/TRUST-ARTIFACTS.md trust artifact index
  • Operator mental-model docs: HOW-IT-WORKS.md, ARTIFACTS.md, WHERE-IT-FITS.md, WHAT-PEAC-STANDARDIZES.md
  • Five docs/SOLUTIONS/ recipes and reference-verifier deployment recipes under surfaces/reference-verifier/
  • docs/RELEASING.md two-mode release policy (Mode 1 single-step latest / Mode 2 two-step next to latest)
  • OpenAPI 3.1.1 with application/interaction-record+jwt examples, RFC 9457 Problem Details, RFC 9745 Deprecation, RFC 8594 Sunset on legacy /verify
  • scripts/verify-trust-artifacts.mjs and scripts/verify-public-surface-names.mjs wired in CI
  • 37 packages on npm latest, 224 conformance requirement IDs

v0.12.11

Commerce Evidence and Deployment Surfaces

  • Mapper-boundary finality guard: assertExplicitFinality, MapperBoundaryError, stable code commerce.finality_synthesis_blocked
  • ACP delegated-payment observation mapper with artifact_kind discriminator
  • MPP payment-attempt and settlement mappers (fromMPPPaymentAttempt, fromMPPSettlement)
  • x402 settlement proof extractor with dual-header precedence (PEAC-Receipt > PAYMENT-RESPONSE > X-PAYMENT-RESPONSE)
  • Go middleware production hardening: panic recovery, bounded token-bucket rate limiter, Logger/Metrics interfaces, safer DefaultConfig
  • IDE plugin packs: Cursor, Codex, Claude Code, VS Code (pinned @peac/mcp-server@0.12.11)
  • Canonical Smithery config at packages/mcp-server/smithery.yaml
  • peac doctor offline-default CLI with opt-in --online --issuer <url>
  • Single-file offline verify dashboard (tools/verify-dashboard/index.html, no CDN, no telemetry)
  • Conformance Section 26: 20 commerce fixtures
  • 37 packages on npm, 7,392 tests, 224 conformance requirement IDs, 105 build targets

v0.12.10

Managed Runtime Evidence Floor

  • Generic @peac/adapter-runtime-governance surface with AGT as first mapper
  • 6 observation-specific type URIs with discriminated union payloads
  • Hosted verify record profile detection (registry-driven)
  • Conformance Section 27: RTGOV-001 through RTGOV-007
  • Benchmark SLO publication with regression-based gate for verifyLocal
  • 37 packages on npm, 7,392 tests, 224 conformance requirement IDs

v0.12.9

Reference Deployments

  • @peac/adapter-managed-agents: Claude Managed Agents session evidence adapter
  • MCP Streamable HTTP transport reference deployment
  • Content negotiation: Accept: application/peac-receipt+jwt support
  • Pilot kit: self-contained onboarding archive
  • Release-state stamping discipline: scripts/stamp-release-state.mjs
  • 217 conformance requirement IDs across 24 sections

v0.12.8

Hosted Issue, Go SDK, Python API-First Proof

  • Hosted Issue alpha: BYO-key provisional issuance (disabled by default)
  • Go 1.26 SDK with Wire 0.2 parity
  • Python API-First Proof
  • Managed Agents session evidence summary demo
  • Pre-release hardening: Hosted Issue, perf SLO, Smithery CI
  • 35 packages on npm, 7,241 tests, 219 conformance requirement IDs, 97 build targets

v0.12.7

Coherence, Trust, and Installability

  • pnpm verify:distribution: distribution surface verification gate (44 checks, tarball packaging smoke)
  • pnpm verify:release: release facts verification gate (22 checks)
  • pnpm verify:docs-examples: documentation code block type-checking
  • docs/releases/facts.json: canonical source of truth for release metrics
  • Enterprise trust posture, security posture, and reference architecture documentation
  • Compatibility matrix, migration guide, deprecation policy, standards compliance, supported environments
  • Hosted Verify API contract (DD-210): design artifact for /v1/verify and /v1/issue
  • REPO_SURFACE_STATUS.json: machine-readable surface classification (74 surfaces)
  • Coherence gate: 9 blocking checks preventing docs/code divergence
  • Legacy Wire 0.1 defaults quarantined across 12 spec and guide files
  • RFC 8594 deprecation headers on legacy /verify endpoint
  • @peac/sdk (sdk-js) and apps/bridge archived
  • GitHub Actions: all tracked workflows pinned to immutable commit SHAs
  • Security policy: supported versions updated to >= 0.12.7
  • 35 packages on npm, 7,241 tests, 219 conformance requirement IDs, 96 build targets

v0.12.6

x402 V2, DID Resolution, A2A OAuth, gRPC Transport, Supply-Chain Mappings

  • @peac/adapter-did: did:key and did:web resolution with caching
  • @peac/transport-grpc: gRPC carrier adapter (8 KiB metadata default)
  • @peac/mappings-intoto: in-toto v1.0 provenance mapping
  • @peac/mappings-slsa: SLSA v1.2 provenance mapping
  • A2A v1.0 OAuth: PKCE S256, Device Code types, auth evidence mapping
  • x402 V2 transport: version detection, normalization, mapping, verification
  • Receipt URL resolution middleware in @peac/net-node
  • 35 packages on npm, 7,241 tests, 219 conformance requirement IDs

v0.12.5

Commerce Hardening + Interop Proofs

  • Per-rail conformance parity: 40 execution-backed fixtures across 4 commerce rails
  • Cross-rail settlement equivalence tests
  • AmountMinorStringSchema + isValidAmountMinor() edge-case hardening
  • 59 package READMEs with kernel template
  • 29 packages on npm, 6,915 tests

v0.12.4

Commerce Evidence + Integration Depth

  • New package: @peac/mappings-paymentauth (envelope-first HTTP Payment scheme parsing, carrier adapter, JSON-RPC/MCP helpers)
  • x402 v2 dual-header read with upstream artifact separation
  • ACP session lifecycle evidence: two-function boundary (session vs payment observation)
  • Stripe SPT delegation evidence with explicit payment state requirement
  • UCP order-vs-payment semantic separation with payment_state_source marker
  • Experimental commerce bundle (peac.commerce-bundle/0.1-experimental)
  • Commerce pillar profile and 2 normative specifications
  • 3 integration kits (paymentauth, ACP, x402) and 6 runnable examples
  • 21 cross-boundary commerce conformance tests
  • 35 packages on npm at v0.12.6, 219 conformance requirement IDs, 95 build targets

v0.12.3

Truth, Adoption, and A2A v1.0 Readiness

  • A2A v1.0 transition normalizer: dual-version Agent Card, TaskState, Parts with backward compatibility (v0.3.0 deprecated, removal at v0.13.0)
  • AIPREF version constants export pinned to vocab-05
  • MCP Registry published: io.github.peacprotocol/peac v0.12.3
  • Canonical Start Here page with 4 evaluator paths
  • Persona-specific quickstarts: API Provider, Agent Operator
  • A2A and MCP integration kits
  • 28 packages on npm at v0.12.3

v0.12.2

Profile-Defined Types + Extension Groups

  • 12 typed extension groups: 7 new pillar groups (consent, privacy, safety, compliance, provenance, attribution, purpose) joining the 5 core groups
  • 10 type-to-extension mappings with strict/interop enforcement
  • 9 pillar usage profiles with schema-vs-profile field tables, non-goals, and strict-mode demos
  • Commerce event field: 6-value closed enum (observational metadata only)
  • ProofMethodSchema deprecated (transport-binding cleanup, removal not-before v0.13.0)
  • AST no-network audit and API contract extraction
  • 192 conformance requirements (up from 146)
  • 28 packages on npm at v0.12.2

v0.12.1

x402 Upstream Wire Sync + Security + Tooling

  • x402 adapter sync: four-layer adapter architecture (A1/A2/B/C), discriminated signed artifact unions, 5-layer verification API with opt-in crypto, privacy-minimal receipt model
  • Conformance fixture rewrite and X402-PROFILE.md
  • Security: undici CVE-2025-22150, hono CVE-2025-51798 patches, audit gate
  • Vitest 4.1.0 upgrade with coverage badge
  • README rewrite
  • Upstream: x402 PR #935 (Offer/Receipt Extension) merged
  • 28 packages on npm at v0.12.1

v0.12.0

Interaction Record Format 0.2 Stable

  • Interaction Record Format 0.2 promoted to stable on npm latest (28 packages via OIDC trusted publishing)
  • 146 normative requirement IDs across 18 spec sections with machine-readable registry and drift detection
  • Property and fuzz testing: 12+ property tests across schema, crypto, protocol with zero-crash guarantee
  • Performance benchmarks: Vitest bench suite for issuance, verification, policy binding with Node 24 baseline
  • SSRF and security hardening: expanded test vectors, security posture documentation
  • API surface lock for 9 critical packages with pack-install smoke tests
  • Doc-example execution gate: automated validation of 25 code blocks in 5 spec documents
  • OIDC trusted publishing: 45 packages configured, provenance attestations on every publish
  • Node 24 Active LTS canonical baseline, Node 22 Maintenance LTS compatibility lane
  • Committed release manifest (docs/releases/current.json) with versioned gate reports
  • All 6 stable gates wired and passing (20/20)
  • 28 packages on npm at v0.12.0

v0.11.3

Zero Trust + Agent Identity + Key Rotation + Reconcile CLI

  • Zero Trust Profile Pack: 7 sub-profiles as documentation overlays (Access, Toolcall, Decision, Risk Signal, Sync, Tracing, ZT Extensions); no new wire fields, all ZT data in ext[] with reverse-DNS keys
  • Agent Identity expansion: 8 proof types (ed25519-cert-chain, eat-passport, eat-background-check, sigstore-oidc, did, spiffe, x509-pki, custom), ActorBindingSchema with origin-only enforcement, MVIS 5-field validation (validateMVIS())
  • Key Rotation lifecycle: PENDING/ACTIVE/DEPRECATED/RETIRED/REVOKED FSM, 30-day normative overlap (upgraded from 7-day RECOMMENDED), tiered kid reuse detection (stateful MUST reject, stateless SHOULD warn), revoked_keys[] in issuer config, NIST SP 800-57 aligned
  • Reconciliation CLI: peac reconcile <bundle1> <bundle2> with composite (iss, jti) conflict key, deterministic JSON output, --fail-on-conflict for CI gating
  • Treaty extension: 4-level commitment_class (informational, operational, financial, legal) at org.peacprotocol/treaty
  • ZT extension schemas: credential-event, tool-registry, control-action in packages/schema/src/extensions/; URL scheme allowlist (HTTPS + URN only) for SSRF prevention
  • FingerprintRef conversion functions: opaque format (sha256:<hex64> or hmac-sha256:<hex64>), pure string manipulation in @peac/schema
  • Governance framework alignment: 8 mapping documents (NIST AI RMF, EU AI Act, OWASP ASI, ISO 42001, IEEE 7001, OECD AI, Singapore MGFAA, AWS RAI)
  • Multi-tenant guidance: 3-tier isolation model (Shared, Scoped with kid prefix, Isolated with per-tenant JWKS)
  • NIST submission pack: self-contained evidence package for NIST CAISI RFI, release-gate-0.11.3.sh with 10 checks
  • New examples: edge-markdown-content-signals, a2a-gateway-pattern
  • 28 packages on npm at v0.11.3

v0.11.2

Content Signals + Evidence Locators

  • New package: @peac/mappings-content-signals -- observe content use policy signals from robots.txt (RFC 9309), AIPREF Content-Usage headers, and tdmrep.json (W3C TDM Reservation Protocol)
  • New package: @peac/adapter-openai-compatible -- hash-first interaction evidence for OpenAI-compatible chat completion APIs; SHA-256 digests only, no raw text stored
  • Error recovery next_action hints on every ErrorDefinition: closed vocabulary of 7 agent-actionable recovery hints (retry_after_delay, retry_with_different_key, retry_with_different_input, refresh_attestation, contact_issuer, abort, none)
  • retryable canonical rename (from retriable)
  • receipt_url locator hint on PeacEvidenceCarrier: optional HTTPS-only URL, max 2048 chars, no implicit fetch
  • Plugin Pack: Claude Code skill and Cursor rules for AI-assisted development
  • Distribution surface files: server.json (MCP Registry), smithery.yaml, llms.txt, .mcp.json
  • 28 packages on npm at v0.11.2

v0.11.1

Evidence Carrier Contract + A2A Mapping

  • Evidence Carrier Contract: PeacEvidenceCarrier type and CarrierAdapter<TInput, TOutput> pattern in @peac/kernel (Layer 0, zero runtime deps)
  • Zod schemas and computeReceiptRef() in @peac/schema (Layer 1)
  • New package: @peac/mappings-a2a -- carry evidence through A2A metadata in TaskStatus, Message, and Artifact
  • Agent Card discovery: capabilities.extensions[] with https://www.peacprotocol.org/ext/traceability/v1
  • MCP carrier format: _meta keys org.peacprotocol/receipt_ref and org.peacprotocol/receipt_jws
  • ACP/UCP carrier adoption via @peac/mappings-acp and @peac/mappings-ucp
  • x402 carrier via @peac/adapter-x402
  • Transport size limits: MCP/A2A/UCP 64 KB embed, ACP/x402/HTTP 8 KB headers
  • receipt_ref integrity: sha256(receipt_jws) verified at extraction
  • Discovery profile: 3-step (Agent Card, well-known, header probe)
  • 4 normative specifications: Evidence Carrier Contract, A2A Mapping, Discovery Profile, JWKS Resolver

v0.11.0

Zod 4 + MCP Streamable HTTP + Kernel Constraints

  • Zod 4 migration (^4.3.6) across all packages with pnpm.overrides enforcement
  • MCP Streamable HTTP transport: session-isolated McpServer per client (CVE-2026-25536 defense)
  • Kernel constraint enforcement pipeline: fail-closed in issue() and verify() paths
  • New package: @peac/integrator-kit -- bootstrap + conformance harness for third-party implementations
  • OWASP ASI-01 through ASI-10 alignment across all packages
  • CORS deny-all, localhost-only bind, rate limiting, and size limits for MCP HTTP

v0.10.14

Fixture Versioning + Kernel Constraints Formalization

  • Conformance fixture versioning: schema_version field across all JSON fixture files
  • Kernel constraints specification (KERNEL-CONSTRAINTS.md) with normative rules
  • Editorial hygiene sweep across specs and documentation
  • Zod 4 preparation: compatibility audit and migration plan

v0.10.13

MCP Server

  • New package: @peac/mcp-server -- MCP server exposing 5 tools for AI agent integration
    • Pure tools: peac_verify, peac_inspect, peac_decode (no key material required)
    • Privileged tools: peac_issue, peac_create_bundle (require signing key)
  • Handler-transport separation for transport-neutral core
  • Static policy configuration via allowlist file
  • Structured _meta on all tool responses (serverVersion, policyHash, protocolVersion)
  • SSRF prevention by design -- no ambient key discovery
  • 226 tests across 22 test files

v0.10.12

OpenClaw + RFC 9421

  • New package: @peac/capture-node -- FileSpoolStore and FileDedupeIndex for durable, file-system-backed receipt storage
  • OpenClaw activate() one-call setup with generateSigningKey() for zero-config onboarding
  • peac-keygen CLI for Ed25519 key generation
  • Structured counters (scanned/exported/skipped) for export and query operations
  • Dual-representation check in verifier -- detects auth/evidence vs _jws mismatch
  • RFC 9421 proof capture normative profile with 5 conformance vectors
  • Profiles taxonomy: Transport, Proof Capture, Wire Format categories

v0.10.11

Runtime Dependencies + Stripe x402

  • Upgraded @noble/ed25519 to v3 (signAsync/verifyAsync/getPublicKeyAsync API)
  • Upgraded @opentelemetry/sdk-metrics to v2
  • New: fromCryptoPaymentIntent() in @peac/rails-stripe for Stripe crypto payments
  • Registry v0.3.0: org.peacprotocol/interaction@0.1 extension key
  • Advisory registries: toolcall_op_types, toolcall_resource_types
  • Supply chain hardening: SECURITY.md, audit gate, lockfile drift check in guard.sh

v0.10.10

Dev Toolchain

  • Migrated build system to tsup with dual ESM/CJS output (.mjs/.cjs)
  • tsc for type declarations only
  • Turbo pipeline optimization across 75 build targets
  • Stale artifact detection in guard.sh

v0.10.9

Foundation Release

  • Wire format peac-receipt/0.1 stable
  • 22 npm packages published under @peac scope
  • Express middleware (@peac/middleware-express) for automatic receipt issuance
  • 4 payment rail adapters: x402 (Coinbase), Stripe, Razorpay, Card networks
  • Evidence bundle creation and verification (.peac.tar.gz)
  • Conformance test suite with 200+ vectors

v0.9.0 (July 18, 2025)

First Public Release

  • Production-ready open-source implementation
  • Machine-readable peac.txt and .well-known/peac-issuer.json
  • Core modules, Node.js SDK, CLI, schema
  • Ed25519 signature enforcement
  • x402 and Stripe compatibility

Versioning policy

Breaking changes

PEAC Protocol is currently in the v0.x series. During this phase:

  • Breaking changes are allowed between minor versions, with migration guidance in the changelog
  • The wire format (peac-receipt/0.1) is stable across all v0.x releases
  • All packages share the monorepo version -- when one package updates, they all update

At v1.0 (earned, not scheduled):

  • Wire format changes to peac-receipt/1.0
  • Public API surface freezes with full backward compatibility commitment