Skip to main content
Version: v0.12.4

Releases

All PEAC Protocol releases follow semantic versioning. Every release is published to npm under the @peac scope, and all packages in the monorepo share the same version number.

v0.12.4 (March 25, 2026)

Commerce Evidence + Integration Depth

  • New package: @peac/mappings-paymentauth (envelope-first HTTP Payment scheme parsing, carrier adapter, JSON-RPC/MCP helpers)
  • x402 v2 dual-header read with upstream artifact separation
  • ACP session lifecycle evidence: two-function boundary (session vs payment observation)
  • Stripe SPT delegation evidence with explicit payment state requirement
  • UCP order-vs-payment semantic separation with payment_state_source marker
  • Experimental commerce bundle (peac.commerce-bundle/0.1-experimental)
  • Commerce pillar profile and 2 normative specifications
  • 3 integration kits (paymentauth, ACP, x402) and 6 runnable examples
  • 21 cross-boundary commerce conformance tests
  • 35 packages on npm at v0.12.6, 219 conformance requirement IDs, 95 build targets

v0.12.3 (March 17, 2026)

Truth, Adoption, and A2A v1.0 Readiness

  • A2A v1.0 transition normalizer: dual-version Agent Card, TaskState, Parts with backward compatibility (v0.3.0 deprecated, removal at v0.13.0)
  • AIPREF version constants export pinned to vocab-05
  • MCP Registry published: io.github.peacprotocol/peac v0.12.3
  • Canonical Start Here page with 4 evaluator paths
  • Persona-specific quickstarts: API Provider, Agent Operator
  • A2A and MCP integration kits
  • 28 packages on npm at v0.12.3

v0.12.2 (March 16, 2026)

Profile-Defined Types + Extension Groups

  • 12 typed extension groups: 7 new pillar groups (consent, privacy, safety, compliance, provenance, attribution, purpose) joining the 5 core groups
  • 10 type-to-extension mappings with strict/interop enforcement
  • 9 pillar usage profiles with schema-vs-profile field tables, non-goals, and strict-mode demos
  • Commerce event field: 6-value closed enum (observational metadata only)
  • ProofMethodSchema deprecated (transport-binding cleanup, removal not-before v0.13.0)
  • AST no-network audit and API contract extraction
  • 192 conformance requirements (up from 146)
  • 28 packages on npm at v0.12.2

v0.12.1 (March 14, 2026)

x402 Upstream Wire Sync + Security + Tooling

  • x402 adapter sync: four-layer adapter architecture (A1/A2/B/C), discriminated signed artifact unions, 5-layer verification API with opt-in crypto, privacy-minimal receipt model
  • Conformance fixture rewrite and X402-PROFILE.md
  • Security: undici CVE-2025-22150, hono CVE-2025-51798 patches, audit gate
  • Vitest 4.1.0 upgrade with coverage badge
  • README rewrite
  • Upstream: x402 PR #935 (Offer/Receipt Extension) merged
  • 28 packages on npm at v0.12.1

v0.12.0

Interaction Record Format 0.2 Stable

  • Interaction Record Format 0.2 promoted to stable on npm latest (28 packages via OIDC trusted publishing)
  • 146 normative requirement IDs across 18 spec sections with machine-readable registry and drift detection
  • Property and fuzz testing: 12+ property tests across schema, crypto, protocol with zero-crash guarantee
  • Performance benchmarks: Vitest bench suite for issuance, verification, policy binding with Node 24 baseline
  • SSRF and security hardening: expanded test vectors, security posture documentation
  • API surface lock for 9 critical packages with pack-install smoke tests
  • Doc-example execution gate: automated validation of 25 code blocks in 5 spec documents
  • OIDC trusted publishing: 45 packages configured, provenance attestations on every publish
  • Node 24 Active LTS canonical baseline, Node 22 Maintenance LTS compatibility lane
  • Committed release manifest (docs/releases/current.json) with versioned gate reports
  • All 6 stable gates wired and passing (20/20)
  • 28 packages on npm at v0.12.0

v0.11.3 (March 2, 2026)

Zero Trust + Agent Identity + Key Rotation + Reconcile CLI

  • Zero Trust Profile Pack: 7 sub-profiles as documentation overlays (Access, Toolcall, Decision, Risk Signal, Sync, Tracing, ZT Extensions); no new wire fields, all ZT data in ext[] with reverse-DNS keys
  • Agent Identity expansion: 8 proof types (ed25519-cert-chain, eat-passport, eat-background-check, sigstore-oidc, did, spiffe, x509-pki, custom), ActorBindingSchema with origin-only enforcement, MVIS 5-field validation (validateMVIS())
  • Key Rotation lifecycle: PENDING/ACTIVE/DEPRECATED/RETIRED/REVOKED FSM, 30-day normative overlap (upgraded from 7-day RECOMMENDED), tiered kid reuse detection (stateful MUST reject, stateless SHOULD warn), revoked_keys[] in issuer config, NIST SP 800-57 aligned
  • Reconciliation CLI: peac reconcile <bundle1> <bundle2> with composite (iss, jti) conflict key, deterministic JSON output, --fail-on-conflict for CI gating
  • Treaty extension: 4-level commitment_class (informational, operational, financial, legal) at org.peacprotocol/treaty
  • ZT extension schemas: credential-event, tool-registry, control-action in packages/schema/src/extensions/; URL scheme allowlist (HTTPS + URN only) for SSRF prevention
  • FingerprintRef conversion functions: opaque format (sha256:<hex64> or hmac-sha256:<hex64>), pure string manipulation in @peac/schema
  • Governance framework alignment: 8 mapping documents (NIST AI RMF, EU AI Act, OWASP ASI, ISO 42001, IEEE 7001, OECD AI, Singapore MGFAA, AWS RAI)
  • Multi-tenant guidance: 3-tier isolation model (Shared, Scoped with kid prefix, Isolated with per-tenant JWKS)
  • NIST submission pack: self-contained evidence package for NIST CAISI RFI, release-gate-0.11.3.sh with 10 checks
  • New examples: edge-markdown-content-signals, a2a-gateway-pattern
  • 28 packages on npm at v0.11.3

v0.11.2 (February 25, 2026)

Content Signals + Evidence Locators

  • New package: @peac/mappings-content-signals -- observe content use policy signals from robots.txt (RFC 9309), AIPREF Content-Usage headers, and tdmrep.json (W3C TDM Reservation Protocol)
  • New package: @peac/adapter-openai-compatible -- hash-first interaction evidence for OpenAI-compatible chat completion APIs; SHA-256 digests only, no raw text stored
  • Error recovery next_action hints on every ErrorDefinition: closed vocabulary of 7 agent-actionable recovery hints (retry_after_delay, retry_with_different_key, retry_with_different_input, refresh_attestation, contact_issuer, abort, none)
  • retryable canonical rename (from retriable)
  • receipt_url locator hint on PeacEvidenceCarrier: optional HTTPS-only URL, max 2048 chars, no implicit fetch
  • Plugin Pack: Claude Code skill and Cursor rules for AI-assisted development
  • Distribution surface files: server.json (MCP Registry), smithery.yaml, llms.txt, .mcp.json
  • 28 packages on npm at v0.11.2

v0.11.1

Evidence Carrier Contract + A2A Mapping

  • Evidence Carrier Contract: PeacEvidenceCarrier type and CarrierAdapter<TInput, TOutput> pattern in @peac/kernel (Layer 0, zero runtime deps)
  • Zod schemas and computeReceiptRef() in @peac/schema (Layer 1)
  • New package: @peac/mappings-a2a -- carry evidence through A2A metadata in TaskStatus, Message, and Artifact
  • Agent Card discovery: capabilities.extensions[] with https://www.peacprotocol.org/ext/traceability/v1
  • MCP carrier format: _meta keys org.peacprotocol/receipt_ref and org.peacprotocol/receipt_jws
  • ACP/UCP carrier adoption via @peac/mappings-acp and @peac/mappings-ucp
  • x402 carrier via @peac/adapter-x402
  • Transport size limits: MCP/A2A/UCP 64 KB embed, ACP/x402/HTTP 8 KB headers
  • receipt_ref integrity: sha256(receipt_jws) verified at extraction
  • Discovery profile: 3-step (Agent Card, well-known, header probe)
  • 4 normative specifications: Evidence Carrier Contract, A2A Mapping, Discovery Profile, JWKS Resolver

v0.11.0

Zod 4 + MCP Streamable HTTP + Kernel Constraints

  • Zod 4 migration (^4.3.6) across all packages with pnpm.overrides enforcement
  • MCP Streamable HTTP transport: session-isolated McpServer per client (CVE-2026-25536 defense)
  • Kernel constraint enforcement pipeline: fail-closed in issue() and verify() paths
  • New package: @peac/integrator-kit -- bootstrap + conformance harness for third-party implementations
  • OWASP ASI-01 through ASI-10 alignment across all packages
  • CORS deny-all, localhost-only bind, rate limiting, and size limits for MCP HTTP

v0.10.14

Fixture Versioning + Kernel Constraints Formalization

  • Conformance fixture versioning: schema_version field across all JSON fixture files
  • Kernel constraints specification (KERNEL-CONSTRAINTS.md) with normative rules
  • Editorial hygiene sweep across specs and documentation
  • Zod 4 preparation: compatibility audit and migration plan

v0.10.13

MCP Server

  • New package: @peac/mcp-server -- MCP server exposing 5 tools for AI agent integration
    • Pure tools: peac_verify, peac_inspect, peac_decode (no key material required)
    • Privileged tools: peac_issue, peac_create_bundle (require signing key)
  • Handler-transport separation for transport-neutral core
  • Static policy configuration via allowlist file
  • Structured _meta on all tool responses (serverVersion, policyHash, protocolVersion)
  • SSRF prevention by design -- no ambient key discovery
  • 226 tests across 22 test files

v0.10.12

OpenClaw + RFC 9421

  • New package: @peac/capture-node -- FileSpoolStore and FileDedupeIndex for durable, file-system-backed receipt storage
  • OpenClaw activate() one-call setup with generateSigningKey() for zero-config onboarding
  • peac-keygen CLI for Ed25519 key generation
  • Structured counters (scanned/exported/skipped) for export and query operations
  • Dual-representation check in verifier -- detects auth/evidence vs _jws mismatch
  • RFC 9421 proof capture normative profile with 5 conformance vectors
  • Profiles taxonomy: Transport, Proof Capture, Wire Format categories

v0.10.11

Runtime Dependencies + Stripe x402

  • Upgraded @noble/ed25519 to v3 (signAsync/verifyAsync/getPublicKeyAsync API)
  • Upgraded @opentelemetry/sdk-metrics to v2
  • New: fromCryptoPaymentIntent() in @peac/rails-stripe for Stripe crypto payments
  • Registry v0.3.0: org.peacprotocol/interaction@0.1 extension key
  • Advisory registries: toolcall_op_types, toolcall_resource_types
  • Supply chain hardening: SECURITY.md, audit gate, lockfile drift check in guard.sh

v0.10.10

Dev Toolchain

  • Migrated build system to tsup with dual ESM/CJS output (.mjs/.cjs)
  • tsc for type declarations only
  • Turbo pipeline optimization across 75 build targets
  • Stale artifact detection in guard.sh

v0.10.9

Foundation Release

  • Wire format peac-receipt/0.1 stable
  • 22 npm packages published under @peac scope
  • Express middleware (@peac/middleware-express) for automatic receipt issuance
  • 4 payment rail adapters: x402 (Coinbase), Stripe, Razorpay, Card networks
  • Evidence bundle creation and verification (.peac.tar.gz)
  • Conformance test suite with 200+ vectors

v0.9.0 (July 18, 2025)

First Public Release

  • Production-ready open-source implementation
  • Machine-readable peac.txt and .well-known/peac-issuer.json
  • Core modules, Node.js SDK, CLI, schema
  • Ed25519 signature enforcement
  • x402 and Stripe compatibility

Versioning policy

Breaking changes

PEAC Protocol is currently in the v0.x series. During this phase:

  • Breaking changes are allowed between minor versions, with migration guidance in the changelog
  • The wire format (peac-receipt/0.1) is stable across all v0.x releases
  • All packages share the monorepo version -- when one package updates, they all update

At v1.0 (earned, not scheduled):

  • Wire format changes to peac-receipt/1.0
  • Public API surface freezes with full backward compatibility commitment