Version: v0.12.11

Releases

All PEAC Protocol releases follow semantic versioning. Every release is published to npm under the @peac scope, and all packages in the monorepo share the same version number.


v0.12.11 (April 15, 2026)

Commerce Evidence and Deployment Surfaces

  • Mapper-boundary finality guard: assertExplicitFinality, MapperBoundaryError, stable code commerce.finality_synthesis_blocked
  • ACP delegated-payment observation mapper with artifact_kind discriminator
  • MPP payment-attempt and settlement mappers (fromMPPPaymentAttempt, fromMPPSettlement)
  • x402 settlement proof extractor with dual-header precedence (PEAC-Receipt > PAYMENT-RESPONSE > X-PAYMENT-RESPONSE)
  • Go middleware production hardening: panic recovery, bounded token-bucket rate limiter, Logger/Metrics interfaces, safer DefaultConfig
  • IDE plugin packs: Cursor, Codex, Claude Code, VS Code (pinned @peac/mcp-server@0.12.11)
  • Canonical Smithery config at packages/mcp-server/smithery.yaml
  • peac doctor offline-default CLI with opt-in --online --issuer <url>
  • Single-file offline verify dashboard (tools/verify-dashboard/index.html, no CDN, no telemetry)
  • Conformance Section 26: 20 commerce fixtures
  • 37 packages on npm, 7,392 tests, 224 conformance requirement IDs, 105 build targets

v0.12.10

Managed Runtime Evidence Floor

  • Generic @peac/adapter-runtime-governance surface with AGT as first mapper
  • 6 observation-specific type URIs with discriminated union payloads
  • Hosted verify record profile detection (registry-driven)
  • Conformance Section 27: RTGOV-001 through RTGOV-007
  • Benchmark SLO publication with regression-based gate for verifyLocal
  • 37 packages on npm, 7,392 tests, 224 conformance requirement IDs

v0.12.9

Reference Deployments

  • @peac/adapter-managed-agents: Claude Managed Agents session evidence adapter
  • MCP Streamable HTTP transport reference deployment
  • Content negotiation: Accept: application/peac-receipt+jwt support
  • Pilot kit: self-contained onboarding archive
  • Release-state stamping discipline: scripts/stamp-release-state.mjs
  • 217 conformance requirement IDs across 24 sections

v0.12.8

Hosted Issue, Go SDK, Python API-First Proof

  • Hosted Issue alpha: BYO-key provisional issuance (disabled by default)
  • Go 1.26 SDK with Wire 0.2 parity
  • Python API-First Proof
  • Managed Agents session evidence summary demo
  • Pre-release hardening: Hosted Issue, perf SLO, Smithery CI
  • 35 packages on npm, 7,241 tests, 219 conformance requirement IDs, 97 build targets

v0.12.7 (April 8, 2026)

Coherence, Trust, and Installability

  • pnpm verify:distribution: distribution surface verification gate (44 checks, tarball packaging smoke)
  • pnpm verify:release: release facts verification gate (22 checks)
  • pnpm verify:docs-examples: documentation code block type-checking
  • docs/releases/facts.json: canonical source of truth for release metrics
  • Enterprise trust posture, security posture, and reference architecture documentation
  • Compatibility matrix, migration guide, deprecation policy, standards compliance, supported environments
  • Hosted Verify API contract (DD-210): design artifact for /v1/verify and /v1/issue
  • REPO_SURFACE_STATUS.json: machine-readable surface classification (74 surfaces)
  • Coherence gate: 9 blocking checks preventing docs/code divergence
  • Legacy Wire 0.1 defaults quarantined across 12 spec and guide files
  • RFC 8594 deprecation headers on legacy /verify endpoint
  • @peac/sdk (sdk-js) and apps/bridge archived
  • GitHub Actions: all tracked workflows pinned to immutable commit SHAs
  • Security policy: supported versions updated to >= 0.12.7
  • 35 packages on npm, 7,241 tests, 219 conformance requirement IDs, 96 build targets

v0.12.6 (April 1, 2026)

x402 V2, DID Resolution, A2A OAuth, gRPC Transport, Supply-Chain Mappings

  • @peac/adapter-did: did:key and did:web resolution with caching
  • @peac/transport-grpc: gRPC carrier adapter (8 KiB metadata default)
  • @peac/mappings-intoto: in-toto v1.0 provenance mapping
  • @peac/mappings-slsa: SLSA v1.2 provenance mapping
  • A2A v1.0 OAuth: PKCE S256, Device Code types, auth evidence mapping
  • x402 V2 transport: version detection, normalization, mapping, verification
  • Receipt URL resolution middleware in @peac/net-node
  • 35 packages on npm, 7,241 tests, 219 conformance requirement IDs

v0.12.5 (March 27, 2026)

Commerce Hardening + Interop Proofs

  • Per-rail conformance parity: 40 execution-backed fixtures across 4 commerce rails
  • Cross-rail settlement equivalence tests
  • AmountMinorStringSchema + isValidAmountMinor() edge-case hardening
  • 59 package READMEs with kernel template
  • 29 packages on npm, 6,915 tests

v0.12.4 (March 25, 2026)

Commerce Evidence + Integration Depth

  • New package: @peac/mappings-paymentauth (envelope-first HTTP Payment scheme parsing, carrier adapter, JSON-RPC/MCP helpers)
  • x402 v2 dual-header read with upstream artifact separation
  • ACP session lifecycle evidence: two-function boundary (session vs payment observation)
  • Stripe SPT delegation evidence with explicit payment state requirement
  • UCP order-vs-payment semantic separation with payment_state_source marker
  • Experimental commerce bundle (peac.commerce-bundle/0.1-experimental)
  • Commerce pillar profile and 2 normative specifications
  • 3 integration kits (paymentauth, ACP, x402) and 6 runnable examples
  • 21 cross-boundary commerce conformance tests
  • 35 packages on npm at v0.12.6, 219 conformance requirement IDs, 95 build targets

v0.12.3 (March 17, 2026)

Truth, Adoption, and A2A v1.0 Readiness

  • A2A v1.0 transition normalizer: dual-version Agent Card, TaskState, Parts with backward compatibility (v0.3.0 deprecated, removal at v0.13.0)
  • AIPREF version constants export pinned to vocab-05
  • MCP Registry published: io.github.peacprotocol/peac v0.12.3
  • Canonical Start Here page with 4 evaluator paths
  • Persona-specific quickstarts: API Provider, Agent Operator
  • A2A and MCP integration kits
  • 28 packages on npm at v0.12.3

v0.12.2 (March 16, 2026)

Profile-Defined Types + Extension Groups

  • 12 typed extension groups: 7 new pillar groups (consent, privacy, safety, compliance, provenance, attribution, purpose) joining the 5 core groups
  • 10 type-to-extension mappings with strict/interop enforcement
  • 9 pillar usage profiles with schema-vs-profile field tables, non-goals, and strict-mode demos
  • Commerce event field: 6-value closed enum (observational metadata only)
  • ProofMethodSchema deprecated (transport-binding cleanup, removal not-before v0.13.0)
  • AST no-network audit and API contract extraction
  • 192 conformance requirements (up from 146)
  • 28 packages on npm at v0.12.2

v0.12.1 (March 14, 2026)

x402 Upstream Wire Sync + Security + Tooling

  • x402 adapter sync: four-layer adapter architecture (A1/A2/B/C), discriminated signed artifact unions, 5-layer verification API with opt-in crypto, privacy-minimal receipt model
  • Conformance fixture rewrite and X402-PROFILE.md
  • Security: undici CVE-2025-22150, hono CVE-2025-51798 patches, audit gate
  • Vitest 4.1.0 upgrade with coverage badge
  • README rewrite
  • Upstream: x402 PR #935 (Offer/Receipt Extension) merged
  • 28 packages on npm at v0.12.1

v0.12.0

Interaction Record Format 0.2 Stable

  • Interaction Record Format 0.2 promoted to stable on npm latest (28 packages via OIDC trusted publishing)
  • 146 normative requirement IDs across 18 spec sections with machine-readable registry and drift detection
  • Property and fuzz testing: 12+ property tests across schema, crypto, protocol with zero-crash guarantee
  • Performance benchmarks: Vitest bench suite for issuance, verification, policy binding with Node 24 baseline
  • SSRF and security hardening: expanded test vectors, security posture documentation
  • API surface lock for 9 critical packages with pack-install smoke tests
  • Doc-example execution gate: automated validation of 25 code blocks in 5 spec documents
  • OIDC trusted publishing: 45 packages configured, provenance attestations on every publish
  • Node 24 Active LTS canonical baseline, Node 22 Maintenance LTS compatibility lane
  • Committed release manifest (docs/releases/current.json) with versioned gate reports
  • All 6 stable gates wired and passing (20/20)
  • 28 packages on npm at v0.12.0

v0.11.3 (March 2, 2026)

Zero Trust + Agent Identity + Key Rotation + Reconcile CLI

  • Zero Trust Profile Pack: 7 sub-profiles as documentation overlays (Access, Toolcall, Decision, Risk Signal, Sync, Tracing, ZT Extensions); no new wire fields, all ZT data in ext[] with reverse-DNS keys
  • Agent Identity expansion: 8 proof types (ed25519-cert-chain, eat-passport, eat-background-check, sigstore-oidc, did, spiffe, x509-pki, custom), ActorBindingSchema with origin-only enforcement, MVIS 5-field validation (validateMVIS())
  • Key Rotation lifecycle: PENDING/ACTIVE/DEPRECATED/RETIRED/REVOKED FSM, 30-day normative overlap (upgraded from 7-day RECOMMENDED), tiered kid reuse detection (stateful MUST reject, stateless SHOULD warn), revoked_keys[] in issuer config, NIST SP 800-57 aligned
  • Reconciliation CLI: peac reconcile <bundle1> <bundle2> with composite (iss, jti) conflict key, deterministic JSON output, --fail-on-conflict for CI gating
  • Treaty extension: 4-level commitment_class (informational, operational, financial, legal) at org.peacprotocol/treaty
  • ZT extension schemas: credential-event, tool-registry, control-action in packages/schema/src/extensions/; URL scheme allowlist (HTTPS + URN only) for SSRF prevention
  • FingerprintRef conversion functions: opaque format (sha256:<hex64> or hmac-sha256:<hex64>), pure string manipulation in @peac/schema
  • Governance framework alignment: 8 mapping documents (NIST AI RMF, EU AI Act, OWASP ASI, ISO 42001, IEEE 7001, OECD AI, Singapore MGFAA, AWS RAI)
  • Multi-tenant guidance: 3-tier isolation model (Shared, Scoped with kid prefix, Isolated with per-tenant JWKS)
  • NIST submission pack: self-contained evidence package for NIST CAISI RFI, release-gate-0.11.3.sh with 10 checks
  • New examples: edge-markdown-content-signals, a2a-gateway-pattern
  • 28 packages on npm at v0.11.3

v0.11.2 (February 25, 2026)

Content Signals + Evidence Locators

  • New package: @peac/mappings-content-signals -- observe content use policy signals from robots.txt (RFC 9309), AIPREF Content-Usage headers, and tdmrep.json (W3C TDM Reservation Protocol)
  • New package: @peac/adapter-openai-compatible -- hash-first interaction evidence for OpenAI-compatible chat completion APIs; SHA-256 digests only, no raw text stored
  • Error recovery next_action hints on every ErrorDefinition: closed vocabulary of 7 agent-actionable recovery hints (retry_after_delay, retry_with_different_key, retry_with_different_input, refresh_attestation, contact_issuer, abort, none)
  • retryable canonical rename (from retriable)
  • receipt_url locator hint on PeacEvidenceCarrier: optional HTTPS-only URL, max 2048 chars, no implicit fetch
  • Plugin Pack: Claude Code skill and Cursor rules for AI-assisted development
  • Distribution surface files: server.json (MCP Registry), smithery.yaml, llms.txt, .mcp.json
  • 28 packages on npm at v0.11.2

v0.11.1

Evidence Carrier Contract + A2A Mapping

  • Evidence Carrier Contract: PeacEvidenceCarrier type and CarrierAdapter<TInput, TOutput> pattern in @peac/kernel (Layer 0, zero runtime deps)
  • Zod schemas and computeReceiptRef() in @peac/schema (Layer 1)
  • New package: @peac/mappings-a2a -- carry evidence through A2A metadata in TaskStatus, Message, and Artifact
  • Agent Card discovery: capabilities.extensions[] with https://www.peacprotocol.org/ext/traceability/v1
  • MCP carrier format: _meta keys org.peacprotocol/receipt_ref and org.peacprotocol/receipt_jws
  • ACP/UCP carrier adoption via @peac/mappings-acp and @peac/mappings-ucp
  • x402 carrier via @peac/adapter-x402
  • Transport size limits: MCP/A2A/UCP 64 KB embed, ACP/x402/HTTP 8 KB headers
  • receipt_ref integrity: sha256(receipt_jws) verified at extraction
  • Discovery profile: 3-step (Agent Card, well-known, header probe)
  • 4 normative specifications: Evidence Carrier Contract, A2A Mapping, Discovery Profile, JWKS Resolver

v0.11.0

Zod 4 + MCP Streamable HTTP + Kernel Constraints

  • Zod 4 migration (^4.3.6) across all packages with pnpm.overrides enforcement
  • MCP Streamable HTTP transport: session-isolated McpServer per client (CVE-2026-25536 defense)
  • Kernel constraint enforcement pipeline: fail-closed in issue() and verify() paths
  • New package: @peac/integrator-kit -- bootstrap + conformance harness for third-party implementations
  • OWASP ASI-01 through ASI-10 alignment across all packages
  • CORS deny-all, localhost-only bind, rate limiting, and size limits for MCP HTTP

v0.10.14

Fixture Versioning + Kernel Constraints Formalization

  • Conformance fixture versioning: schema_version field across all JSON fixture files
  • Kernel constraints specification (KERNEL-CONSTRAINTS.md) with normative rules
  • Editorial hygiene sweep across specs and documentation
  • Zod 4 preparation: compatibility audit and migration plan

v0.10.13

MCP Server

  • New package: @peac/mcp-server -- MCP server exposing 5 tools for AI agent integration
    • Pure tools: peac_verify, peac_inspect, peac_decode (no key material required)
    • Privileged tools: peac_issue, peac_create_bundle (require signing key)
  • Handler-transport separation for transport-neutral core
  • Static policy configuration via allowlist file
  • Structured _meta on all tool responses (serverVersion, policyHash, protocolVersion)
  • SSRF prevention by design -- no ambient key discovery
  • 226 tests across 22 test files

v0.10.12

OpenClaw + RFC 9421

  • New package: @peac/capture-node -- FileSpoolStore and FileDedupeIndex for durable, file-system-backed receipt storage
  • OpenClaw activate() one-call setup with generateSigningKey() for zero-config onboarding
  • peac-keygen CLI for Ed25519 key generation
  • Structured counters (scanned/exported/skipped) for export and query operations
  • Dual-representation check in verifier -- detects auth/evidence vs _jws mismatch
  • RFC 9421 proof capture normative profile with 5 conformance vectors
  • Profiles taxonomy: Transport, Proof Capture, Wire Format categories

v0.10.11

Runtime Dependencies + Stripe x402

  • Upgraded @noble/ed25519 to v3 (signAsync/verifyAsync/getPublicKeyAsync API)
  • Upgraded @opentelemetry/sdk-metrics to v2
  • New: fromCryptoPaymentIntent() in @peac/rails-stripe for Stripe crypto payments
  • Registry v0.3.0: org.peacprotocol/interaction@0.1 extension key
  • Advisory registries: toolcall_op_types, toolcall_resource_types
  • Supply chain hardening: SECURITY.md, audit gate, lockfile drift check in guard.sh

v0.10.10

Dev Toolchain

  • Migrated build system to tsup with dual ESM/CJS output (.mjs/.cjs)
  • tsc for type declarations only
  • Turbo pipeline optimization across 75 build targets
  • Stale artifact detection in guard.sh

v0.10.9

Foundation Release

  • Wire format peac-receipt/0.1 stable
  • 22 npm packages published under @peac scope
  • Express middleware (@peac/middleware-express) for automatic receipt issuance
  • 4 payment rail adapters: x402 (Coinbase), Stripe, Razorpay, Card networks
  • Evidence bundle creation and verification (.peac.tar.gz)
  • Conformance test suite with 200+ vectors

v0.9.0 (July 18, 2025)

First Public Release

  • Production-ready open-source implementation
  • Machine-readable peac.txt and .well-known/peac-issuer.json
  • Core modules, Node.js SDK, CLI, schema
  • Ed25519 signature enforcement
  • x402 and Stripe compatibility

Versioning policy

Breaking changes

PEAC Protocol is currently in the v0.x series. During this phase:

  • Breaking changes are allowed between minor versions, with migration guidance in the changelog
  • The wire format (peac-receipt/0.1) is stable across all v0.x releases
  • All packages share the monorepo version -- when one package updates, they all update

At v1.0 (earned, not scheduled):

  • Wire format changes to peac-receipt/1.0
  • Public API surface freezes with full backward compatibility commitment