Active Developmentv0.12.11

Releases

Release history, current truth, and what changed in each version. For full release notes and tags, see GitHub for full release notes.

v0.12.11Current

April 15, 2026

Commerce Evidence and Deployment Surfaces

+Commerce mapper-boundary finality guard (assertExplicitFinality, MapperBoundaryError)
+ACP delegated-payment profile
+MPP and x402 payment-attempt and settlement mappings
+Go middleware production hardening
+Cursor, Codex, Claude Code, and VS Code plugin packs
+Canonical Smithery config
+GitHub Copilot compatibility checks
+Offline verify dashboard
+peac doctor CLI
+37 packages · 7,392 tests · 224 conformance IDs · 105 build targets

v0.12.10

Managed Runtime Evidence Floor

+@peac/adapter-runtime-governance (generic surface, AGT as first mapper)
+Runtime governance profile and coverage matrix
+Hosted Verify record profile detection
+Conformance Section 27 for runtime governance (RTGOV-001-007)
+Benchmark SLO publication
+Runnable example with pinned fixtures
+37 packages · 7,392 tests · 224 conformance IDs · 102 build targets

v0.12.9

Reference Deployments and Managed Runtime Adapters

+@peac/adapter-managed-agents
+MCP Streamable HTTP quickstart
+Reference verifier content negotiation
+Issuer health probe
+External pilot kit
+Release-state stamping discipline
+36 packages · 7,336 tests · 217 conformance IDs · 100 build targets

v0.12.8

Hosted Verify and API-First Proof

+Hosted Issue alpha: BYO-key provisional issuance (disabled by default)
+Go 1.26 SDK with Wire 0.2 parity
+Python API-First Proof
+Managed Agents session evidence summary demo
+Pre-release hardening: Hosted Issue, perf SLO, Smithery CI
+35 packages · 7,241 tests · 219 conformance IDs · 97 build targets

v0.12.7

+Distribution surface verification gate (44 checks, tarball packaging smoke)
+Release facts verification gate (22 checks)
+Documentation code block type-checking in CI
+Canonical release metrics file (docs/releases/facts.json)
+Enterprise trust posture, security posture, and reference architecture docs
+Compatibility matrix, migration guide, deprecation policy, standards compliance
+Hosted Verify API design artifact for /v1/verify and /v1/issue
+Machine-readable surface classification (74 surfaces)
+Coherence gate with 9 blocking checks
+Legacy Wire 0.1 defaults quarantined across specs and guides
+RFC 8594 deprecation headers on legacy /verify endpoint
+GitHub Actions pinned to immutable commit SHAs
+35 packages, 7,241 tests, 219 conformance requirement IDs, 96 build targets

Breaking Changes

@peac/sdk (sdk-js) archived; use @peac/protocol directly

apps/bridge archived

Security policy: only >= 0.12.7 supported

v0.12.6

x402 V2, DID Resolution, A2A OAuth, gRPC Transport, Supply-Chain Mappings

+New package: @peac/adapter-did for did:key (Ed25519, zero I/O) and did:web (SSRF-hardened, domain allowlist, caching) resolution
+New package: @peac/transport-grpc for gRPC carrier adapter (8 KiB metadata default, binary rejection, HTTP/gRPC status parity)
+New packages: @peac/mappings-intoto (in-toto v1.0) and @peac/mappings-slsa (SLSA v1.2) provenance mappings
+A2A v1.0 OAuth auth surface: PKCE S256, Device Code types, auth evidence observation, google.rpc.Status error modeling
+x402 V2 transport: version detection, normalization, mapping (toPeacRecordV2), strict/interop verification with fail-closed default
+Receipt URL resolution middleware: carrier-shaped API with semaphore concurrency control
+receipt_ref span attribute in OpenTelemetry telemetry stack
+ERC-8128 conformance fixtures for RFC 9421 HTTP Message Signatures
+4 new spec profiles: x402 V2, DID resolution, A2A auth, gRPC transport
+35 packages on npm, 7241 tests, 219 conformance requirement IDs, 95 build targets

v0.12.5

Commerce Hardening + Interop Proofs

+Per-rail conformance parity: 40 execution-backed fixtures, 4 manifests, registry-derived coverage gate
+Cross-rail settlement equivalence and asymmetric safety invariant
+AmountMinorStringSchema and isValidAmountMinor() for commerce amount validation
+59 package READMEs with kernel template and curated keywords
+29 packages via OIDC, 6915 tests, 361 conformance, 92 build targets

v0.12.4

Commerce Evidence + Integration Depth

+New package: @peac/mappings-paymentauth for HTTP Payment authentication scheme (envelope-first parsing, carrier adapter, JSON-RPC/MCP helpers)
+x402 v2 dual-header read: extractReceiptArtifactFromHeaders() with upstream artifact separation (PEAC-Receipt, PAYMENT-RESPONSE v2, X-PAYMENT-RESPONSE v1)
+ACP session lifecycle evidence: two-function boundary (fromACPSessionLifecycleEvent for access, fromACPPaymentObservation for commerce with explicit observed_payment_state)
+Stripe SPT delegation evidence: delegation vocabulary (granted, presented, deactivated) with fromStripePaymentIntentObservation() for explicit payment state
+UCP order-vs-payment semantic separation: payment_state_source marker (explicit vs derived_order_fallback)
+Experimental commerce bundle: peac.commerce-bundle/0.1-experimental with recursive stable serializer
+Commerce pillar profile and 2 normative specifications (COMMERCE-EVIDENCE.md, COMMERCE-SEMANTICS.md)
+3 integration kits (paymentauth, ACP, x402) and 6 runnable examples
+21 cross-boundary commerce conformance tests
+29 packages via OIDC, 6664 tests (260 files), 361 conformance, 91 build targets

v0.12.3

Truth, Adoption, and A2A v1.0 Readiness

+A2A v1.0 transition normalizer: dual-version Agent Card, TaskState, Parts with backward compatibility for v0.3.0 (deprecated, removal at v0.13.0)
+AIPREF version constants export pinned to vocab-05
+MCP Registry published: io.github.peacprotocol/peac v0.12.3 (discoverable)
+Canonical Start Here page with 4 evaluator paths (API provider, receipt verifier, MCP server, A2A builder)
+Persona-specific quickstarts: API Provider and Agent Operator
+A2A and MCP integration kits
+Public surface reconciliation and metadata sync

v0.12.2

Profile-Defined Types + Extension Groups

+12 typed extension groups: 7 new pillar groups (consent, privacy, safety, compliance, provenance, attribution, purpose) joining the 5 core groups
+10 type-to-extension mappings with strict/interop enforcement: registered first-party evidence types require their mapped extension group in strict mode
+9 pillar usage profiles with schema-vs-profile field tables, non-goals, and strict-mode demos
+Commerce event field: 6-value closed enum (observational metadata only)
+ProofMethodSchema deprecated (transport-binding cleanup, removal not-before v0.13.0)
+AST no-network audit and API contract extraction
+Extension regression benchmarks and byte-budget boundary coverage
+Codegen pipeline: registries.json to registries.generated.ts
+192 conformance requirements (up from 146)

v0.12.1

x402 Upstream Wire Sync + Security + Tooling

+x402 adapter sync: four-layer adapter architecture (A1/A2/B/C), discriminated signed artifact unions, 5-layer verification API with opt-in crypto, privacy-minimal receipt model
+Conformance fixture rewrite and X402-PROFILE.md
+Security: undici CVE-2025-22150, hono CVE-2025-51798 patches, audit gate
+Vitest 4.1.0 upgrade with coverage badge
+README rewrite
+Upstream: x402 PR #935 (Offer/Receipt Extension) merged

v0.12.0

Interaction Record Format 0.2 Stable: Conformance, Property Tests, Benchmarks, OIDC Publishing

+Interaction Record Format 0.2 promoted to stable on npm latest (28 packages via OIDC trusted publishing)
+146 normative requirement IDs across 18 spec sections with machine-readable registry and drift detection (DD-164, DD-167)
+Property and fuzz testing: 12+ property tests across schema, crypto, protocol with zero-crash guarantee (DD-158)
+Performance benchmarks: Vitest bench suite for issuance, verification, policy binding with Node 24 baseline (DD-159)
+SSRF and security hardening: expanded test vectors, security posture documentation (DD-160)
+API surface lock for 9 critical packages with pack-install smoke tests (DD-162, DD-163)
+Doc-example execution gate: automated validation of 25 code blocks in 5 spec documents (DD-163)
+OIDC trusted publishing: 45 packages configured, provenance attestations on every publish (DD-162)
+Node 24 Active LTS canonical baseline (DD-161), Node 22 Maintenance LTS compatibility lane
+Committed release manifest (docs/releases/current.json) with versioned gate reports
+All 6 DD-90 stable gates wired and passing (20/20)

v0.12.0-preview.1Archive

Interaction Record Format 0.2 Preview: Structured Kinds + Typed Extensions + Policy Binding

+Interaction Record format envelope: typ: interaction-record+jwt, 2 structural kinds (evidence/challenge), open semantic type (reverse-DNS or URI), multi-valued pillars (10-pillar taxonomy) (DD-156)
+Typed extension groups: 5 core groups (commerce, access, challenge, identity, correlation) with strict schemas, unknown-key preservation with warnings, prototype-pollution-hardened accessors (DD-153)
+Policy binding: JCS (RFC 8785) + SHA-256 digest, 3-state result (verified/failed/unavailable), computePolicyDigestJcs() for deterministic canonicalization (DD-155)
+JOSE hardening: reject embedded keys (jwk/x5c/x5u/jku), crit, b64:false, zip; kid required (max 256 chars); JWS size cap (256 KB) (DD-150)
+Issuer canonical form: https:// (ASCII, RFC 3986) and did: (DID Core) only; all others hard error (DD-151)
+Representation fields: sha256-only content_hash, conservative MIME content_type, finite content_length guards
+Dual-stack verification: verifyLocal() auto-detects wire version, returns wireVersion 0.1 or 0.2
+Strictness profiles: strict (default) and interop for typ checking
+Warning plumbing: 4 warning codes with RFC 6901 pointers, sorted by (pointer, code)
+Format 0.2 conformance suite: 59 fixtures (valid/invalid/warnings), raw JWS sign helper, deterministic test runner
+Normative spec: docs/specs/WIRE-0.2.md
+Release gate: 14 explicit checks

v0.11.3

Zero Trust + Agent Identity + Key Rotation + Reconcile CLI

+Zero Trust Profile Pack: 7 sub-profiles as documentation overlays for Zero Trust deployment scenarios (DD-145)
+Agent Identity expansion: 8 proof types (ed25519-cert-chain, eat-passport, sigstore-oidc, did, spiffe, x509-pki, custom), ActorBinding schema with origin-only enforcement, MVIS 5-field validation (DD-142, DD-143, DD-144)
+Key Rotation lifecycle: PENDING/ACTIVE/DEPRECATED/RETIRED/REVOKED FSM, 30-day normative overlap, tiered kid reuse detection, revoked_keys[] in issuer config, NIST SP 800-57 aligned (DD-148)
+Reconciliation CLI: peac reconcile command with (iss, jti) conflict detection, deterministic JSON output, --fail-on-conflict for CI gating (DD-148)
+Treaty extension: 4-level commitment_class (informational/operational/financial/legal) (DD-147)
+ZT extension schemas: credential-event, tool-registry, control-action with SSRF-safe URL scheme allowlist
+FingerprintRef: opaque fingerprint reference format with string/object conversion functions (DD-146)
+Governance framework alignment: 8 mapping documents (NIST AI RMF, EU AI Act, OWASP ASI, ISO 42001, IEEE 7001, OECD, Singapore MGFAA, AWS RAI)
+Multi-tenant guidance: 3-tier isolation model (Shared/Scoped/Isolated) (DD-149)
+NIST submission pack and release gate (10 checks)
+New examples: edge-markdown-content-signals, a2a-gateway-pattern

v0.11.2

Content Signals + Evidence Locators

+Agent-actionable error recovery hints: 7-value next_action vocabulary on every error (DD-132, DD-133)
+receipt_url locator hint on PeacEvidenceCarrier: HTTPS-only, SSRF-hardened resolver in @peac/net-node (DD-135)
+@peac/mappings-content-signals: robots.txt (RFC 9309), Content-Usage (AIPREF), tdmrep.json (EU Directive 2019/790) parsing with three-state resolution (DD-136, DD-137)
+@peac/adapter-openai-compatible: hash-first inference receipts for any OpenAI-compatible provider (DD-138)
+MCP Registry manifest (server.json), Smithery config, llms.txt, Plugin Pack for Claude Code and Cursor (DD-139, DD-140)
+Clean rename: retriable to retryable across all error definitions (DD-134)
+Schema layer validation-only invariant formalized (DD-141)

@peac/mappings-content-signals@peac/adapter-openai-compatible

v0.11.1

Evidence Carrier Contract + A2A Mapping

+Evidence Carrier Contract: PeacEvidenceCarrier + CarrierAdapter<TInput, TOutput> universal carry interface (DD-124 through DD-131)
+@peac/mappings-a2a: Google Agent-to-Agent protocol evidence carrier
+ACP and UCP carrier adapter adoption for Agentforce and Universal Commerce Protocol
+x402 carrier adapter with challenge type mapping
+MCP _meta carrier format with reserved key guard
+Content-addressed receipt references: computeReceiptRef(jws) = sha256(receipt_jws)
+Discovery Profile spec and JWKS resolver
+4 normative specs: Evidence Carrier Contract, PEAC-ISSUER, PEAC-TXT, Discovery Profile

@peac/mappings-a2a@peac/mappings-acp@peac/mappings-ucp@peac/adapter-x402

v0.11.0

Zod 4 + MCP Streamable HTTP + Kernel Constraints

+Zod 4 migration (^4.3.6) across all packages with pnpm.overrides enforcement
+MCP Streamable HTTP transport: session-isolated McpServer per client (CVE-2026-25536 defense)
+Kernel constraint enforcement pipeline: fail-closed in issue() and verify() paths
+Integrator kit bootstrap with conformance harness for third-party implementations
+OWASP ASI-01 through ASI-10 alignment across all packages
+CORS deny-all, localhost-only bind, rate limiting, and size limits for MCP HTTP

@peac/integrator-kit

v0.10.14

Fixture Versioning + Kernel Constraints Formalization

+Conformance fixture versioning: schema_version field across all JSON fixture files
+Kernel constraints specification (KERNEL-CONSTRAINTS.md) with normative rules
+Editorial hygiene sweep across specs and documentation
+Zod 4 preparation: compatibility audit and migration plan

v0.10.13

MCP Server for AI Agents

+@peac/mcp-server: 5 MCP tools for Claude Desktop, Cursor, and MCP hosts
+3 pure tools: peac_verify, peac_inspect, peac_decode
+2 privileged tools: peac_issue, peac_create_bundle (capability-gated)
+Handler-transport separation for reuse in any MCP host
+Static policy loading with canonical hash for reproducibility
+Structured outputs with _meta: { serverVersion, policyHash, protocolVersion }
+SSRF prevention by design: no ambient key discovery
+226 tests across 22 test files

@peac/mcp-server

v0.10.12

OpenClaw Activation + RFC 9421 Proof Capture Profile

+@peac/capture-node: FileSpoolStore and FileDedupeIndex (durable fs-backed stores)
+OpenClaw activate(): one-call setup with generateSigningKey() and peac-keygen CLI
+Structured counters: scanned/exported/skipped breakdowns for export and query
+Dual-representation check: verifier detects auth/evidence vs _jws mismatch
+RFC 9421 proof capture normative profile with extension schema
+5 conformance vectors for proof capture validation
+Profiles taxonomy: Transport, Proof Capture, Wire Format categories

@peac/capture-node@peac/adapter-openclaw

v0.10.11

Runtime Dependencies + Stripe x402

+Upgrade @noble/ed25519 to v3 (signAsync/verifyAsync API)
+Upgrade @opentelemetry/sdk-metrics to v2
+@peac/rails-stripe fromCryptoPaymentIntent() for x402 bridge
+Registry v0.3.0: org.peacprotocol/interaction@0.1 extension key
+Supply chain hardening: SECURITY.md, audit-gate.mjs, lockfile drift check
+Version management: bump-version.mjs, check-version-sync.mjs
+Release process: RELEASING.md rewritten, dependabot ignore rules

@peac/rails-stripe@peac/crypto@peac/telemetry-otel

v0.10.10

Dev Toolchain Modernization

+tsup build system (dual ESM/CJS: .mjs/.cjs) replacing raw tsc
+tsc for declarations only: faster builds, smaller output
+Turbo pipeline with per-package overrides
+Dependency-cruiser layer enforcement updates for new packages
+All 22 packages on npm at latest dist-tag

v0.10.9

Foundation Hardening: Architecture, CI, and Server Reliability

+Unified receipt parser (parseReceiptClaims): single entry point for commerce and attestation receipt validation
+Dependency-cruiser layer enforcement: 14 pattern-based rules encoding full layer structure (L0 through L6)
+Publish-manifest closure check: traverses all manifest packages runtime dependencies
+JWKS stale-if-error (@peac/jwks-cache): expired cache entries retained for fallback with 48h hard cap
+Bounded rate-limit store (@peac/middleware-core): LRU eviction with configurable maxKeys
+Graceful shutdown for sandbox-issuer and API apps (SIGTERM/SIGINT with 10s forced timeout)
+verifyLocal() returns discriminated union branching on variant: commerce | attestation
+Telemetry decoupled from protocol: fire-and-forget TelemetryHook options injection

@peac/schema@peac/protocol@peac/jwks-cache@peac/middleware-core

v0.10.8

Adoption Release: Middleware, Conformance, and Infrastructure (tag only, no GitHub Release)

+@peac/middleware-core: Framework-agnostic middleware primitives for PEAC receipt issuance
+@peac/middleware-express: Express.js middleware for automatic receipt issuance (Express 4.x and 5.x)
+Conformance runner (`peac conformance run`) with JSON, text, markdown output and category filtering
+Sample receipts (`peac samples list`, `peac samples show`, `peac samples generate`)
+Sandbox issuer app with discovery, stable key management, and rate limiting
+Browser verifier app: pure static Vite site with offline mode and drag-drop verification
+Verify API with RFC 9457 Problem Details, rate limiting, and trusted issuer allowlist

@peac/middleware-core@peac/middleware-express@peac/adapter-openclaw@peac/cli

v0.10.7

InteractionEvidence Extension + OpenClaw Adapter

+InteractionEvidence extension schema at evidence.extensions["org.peacprotocol/interaction@0.1"]
+@peac/capture-core - Runtime-neutral capture pipeline with deterministic timestamps and tamper-evident chain
+@peac/adapter-openclaw - Full OpenClaw plugin with two-stage pipeline (sync capture + async emit)
+Protocol-grade verification: Algorithm allowlist, key validation, DoS protection, JOSE compliance
+6 new E_CAPTURE_* error codes for capture pipeline

@peac/capture-core@peac/adapter-openclaw@peac/schema@peac/kernel

v0.10.6

ERC-8004 Mapping

+@peac/mappings-erc8004 - ERC-8004 Trustless Agent reputation signal mapping
+Reputation score normalization to PEAC evidence format
+Agent identity binding with ERC-8004 attestations
+Integration with Ethereum attestation ecosystem

@peac/mappings-erc8004

v0.10.5

npm Publish Hardening + Latest Dist-Tag

+13 packages published to npm with `latest` dist-tag via OIDC Trusted Publishing
+Manifest-only publishing with validity guard for safer releases
+Removed --strict from workflow for incremental OIDC rollout
+Clear separation: manifest = allowlist of packages to publish

@peac/kernel@peac/schema@peac/crypto@peac/protocol@peac/control

v0.10.4

GitHub Actions npm Publish with OIDC

+OIDC Trusted Publishing - no long-lived npm tokens required
+SHA-pinned actions for supply chain security
+Protected environment `npm-production` with required reviewers
+Dry-run validation job before production publish
+Publish manifest as single source of truth for package order

v0.10.3

x402 Adapter v0.2 Hardening

+Profile rename: peac-x402-offer-receipt/0.1
+DoS guards: 128 entries max, 256 KiB total, per-field byte limits
+CAIP-2 network validation with split parser
+termMatching first-class field (always present, deterministic)
+Vendor neutrality: payTo (x402) -> payee (neutral) at adapter boundary
+19 conformance vectors (3 valid + 13 invalid + 3 edge-cases)

@peac/adapter-x402

v0.10.2

Workflow Correlation

+WorkflowContext extension for multi-agent orchestration (MCP, A2A, CrewAI, LangGraph)
+DAG verification with cycle detection and parent validation
+External ID interop: OTel, Temporal, Airflow, Prefect, Dagster, Argo
+WorkflowSummaryAttestation for proof-of-run artifacts
+8 new E_WORKFLOW_* error codes

v0.10.1

SSRF-Safe Network Utilities

+@peac/net-node - SSRF-safe network utilities with DNS resolution pinning
+RFC 6890 special-use IP blocking
+Redirect policy with host-change validation
+Three-tier evidence redaction (public/tenant/private)
+RFC 8785 JCS canonicalization for evidence digests
+284 tests covering security, audit, and edge cases

@peac/net-node

v0.10.0

Wire Format Normalization (v0.1 Baseline)

+Wire format normalized: peac-receipt/0.1 (hyphenated, decoupled from repo version)
+Schema namespace updated: peacprotocol.org/schemas/wire/0.1/
+JWS constant alignment: jws.DefaultReceiptTyp updated
+Consistent artifact naming across SDK implementations

@peac/protocol@peac/schema@peac/crypto

v0.9.31

UCP Mapping + Strategic Positioning

+@peac/mappings-ucp - Google Universal Commerce Protocol webhook signature verification
+RFC 7797 detached JWS with ES256/ES384/ES512 support
+UCP order to PEAC receipt mapping with amounts in minor units
+Dispute evidence generation for @peac/audit bundles
+17 UCP error codes (E_UCP_*) in specs/kernel/errors.json
+Security hardening: JOSE crit semantics, strict header validation
+UCP webhook example (examples/ucp-webhook-express/)
+70+ tests covering all verification paths

@peac/mappings-ucp

v0.9.30

Dispute Bundle + Deterministic Verification

+Dispute Bundle format (@peac/audit) - ZIP-based archive for offline verification
+createDisputeBundle(), readDisputeBundle(), verifyBundle() functions
+VerificationReport type with deterministic JCS canonicalization
+CLI bundle commands: peac bundle create|verify|info
+Error codegen from specs/kernel/errors.json
+Crypto testkit with generateKeypairFromSeed() for deterministic tests
+8 conformance fixtures (2 valid, 6 invalid) with expected report hashes
+9 bundle error codes (E_BUNDLE_*)

@peac/audit

v0.9.29

Go SDK Parity (Issue + Policy + Verify)

+peac.Issue() - Create signed PEAC receipts in Go
+peac.Verify() - Receipt verification with Ed25519 + JWS + JWKS
+peac.Policy() - Policy rule evaluation
+Go middleware: middleware/chi and middleware/gin with context-based claims
+Full JWKS discovery and caching
+Cross-language conformance with TypeScript SDK
+150+ tests including fuzz tests
+Go module tags: sdks/go@v0.9.29, sdks/go/middleware/chi@v0.9.29

v0.9.28

Edge + Scale + Hardening

+@peac/contracts - Single source of truth for error codes, MODE_BEHAVIOR, WWW-Authenticate
+@peac/worker-core - Runtime-neutral TAP verification handler with security hardening
+Edge deployment guides (Cloudflare Workers, Fastly Compute, Akamai EdgeWorkers)
+RFC 6648 compliant headers (PEAC-* not X-PEAC-*)
+Default mode changed to tap_only (BREAKING from receipt_or_tap)
+LRU replay protection with true access-order updates
+Error message sanitization by default (UNSAFE_DEV_MODE gate)
+Documentation quality guardrails CI workflow

@peac/contracts@peac/worker-core

Breaking Changes

Default verification mode changed to tap_only (returns 401 when TAP missing)

v0.9.27

Dispute & Audit

+DisputeAttestation type for formal contestation of receipts, attributions, identity claims
+13 grounds codes across evidence, attribution, identity, and policy categories
+13 dispute error codes (E_DISPUTE_*) for validation and lifecycle
+Case bundle format with W3C Trace Context correlation
+Dispute lifecycle states: filed, acknowledged, under_review, escalated, resolved, appealed, final
+@peac/audit package for audit log generation and trace correlation
+50 conformance fixtures for dispute validation

@peac/audit

v0.9.26

Attribution & Conformance

+AttributionAttestation type for content provenance tracking
+ContentHash type with SHA-256 + base64url encoding
+Attribution chains with cycle detection (max 100 sources, depth 8)
+@peac/attribution package with computeContentHash, verifyContentHash, resolveChain
+CC Signals obligations extension (credit, contribution requirements)
+12 attribution error codes (E_ATTRIBUTION_*)
+15 conformance fixtures for attribution validation

@peac/attribution

v0.9.25

Agent Identity & Go Verifier

+AgentIdentityAttestation type with peac/agent-identity attestation
+Key lifecycle states: PENDING, ACTIVE, DEPRECATED, RETIRED, REVOKED
+Go SDK with Ed25519 + JWS + JWKS verification (sdks/go/)
+HTTP message signature bridge (RFC 9421 compatible)
+13 identity error codes (E_IDENTITY_*)
+MCP integration with reverse-DNS keys (org.peacprotocol/*)
+Golden vectors for cross-language conformance

v0.9.24

Purpose on Wire

+PEAC-Purpose, PEAC-Purpose-Applied, PEAC-Purpose-Reason HTTP headers
+Receipt claims: purpose_declared, purpose_enforced, purpose_reason
+Enforcement profiles: strict, balanced (default), open
+@peac/mappings-aipref package for IETF AIPREF vocabulary mapping
+28 golden vectors for purpose parsing and validation
+robotsToPeacStarter() function for robots.txt bridge

@peac/mappings-aipref@peac/pref

v0.9.23

Publisher Playbooks

+Policy Kit profiles for common publisher scenarios
+Pre-built templates for news sites, blogs, APIs, and research portals
+Streamlined policy generation with sensible defaults
+Publisher-specific attribution formats and licensing modes

@peac/policy-kit

v0.9.22

Telemetry & Observability

+@peac/telemetry - Core telemetry interfaces and no-op provider
+@peac/telemetry-otel - OpenTelemetry adapter with 90 tests
+Privacy modes: strict (hash all), balanced (include rail/amounts), custom (allowlist)
+Protocol hooks in issue() and verify() for telemetry emission
+W3C Trace Context support via OpenTelemetry spans
+Metrics: counters for receipts issued/verified, histograms for operation duration

@peac/telemetry@peac/telemetry-otel

v0.9.21

Wire Spec & Conformance

+JSON-safe evidence validation (JsonValue type, z.number().finite())
+Iterative JSON validator with cycle detection (WeakSet)
+DoS protection caps: maxDepth, maxArrayLength, maxObjectKeys, maxStringLength, maxTotalNodes
+Wire spec with JSON Schema definitions (Ajv 2020-12)
+Conformance harness with golden vectors
+Generic Attestation and Extensions types

@peac/adapter-core

v0.9.20

Privacy & Multi-CDN

+@peac/privacy - Privacy-preserving hashing with required salt
+@peac/rails-card - Card billing bridge with billing_snapshot
+@peac/transport-grpc - gRPC StatusCode parity with HTTP
+x402 adapters: Daydreams, Fluora, Pinata
+Edge workers: Fastly, Akamai
+PaymentEvidence.facilitator field for vendor identification

@peac/privacy@peac/rails-card@peac/transport-grpc

Breaking Changes

Adapter package names: @peac/rails-x402-* changed to @peac/adapter-x402-*

v0.9.19

India Payments & MCP Budget

+@peac/rails-razorpay - India payment adapter (UPI, cards, netbanking)
+MCP/ACP budget utilities with bigint minor units
+x402 payment reference header parsing
+5 flagship examples: x402-node-server, pay-per-inference, pay-per-crawl, rsl-collective, mcp-tool-call

@peac/rails-razorpay

v0.9.18

TAP & Edge Distribution

+@peac/http-signatures - RFC 9421 HTTP Message Signatures
+@peac/jwks-cache - Edge-safe JWKS fetch with SSRF protection
+@peac/mappings-tap - Visa TAP protocol mapping
+Cloudflare Worker and Next.js Edge middleware
+Fail-closed security defaults

@peac/http-signatures@peac/jwks-cache@peac/mappings-tap

Breaking Changes

Removed ai_search ControlPurpose (use ai_index or ai_input)

v0.9.17

AI Policy Kit & x402 v2

+x402 v2 adapter with v1 fallback (X402Dialect config)
+RSL 1.0 alignment with extended ControlPurpose
+@peac/policy-kit v0.1 for deterministic policy evaluation
+CLI commands: peac policy init, validate, explain, generate
+Subject profile binding on AuthContext

@peac/policy-kit

Breaking Changes

issue() now returns IssueResult { jws, subject_snapshot? } instead of string

v0.9.16

Control Abstraction Layer

+ControlPurpose enumeration (crawl, index, train, inference)
+Licensing modes (subscription, pay_per_crawl, pay_per_inference)
+PaymentEvidence with aggregator and splits[]
+Subject profile types (human, org, agent)

v0.9.15

Kernel-First Architecture

+Specialized packages: @peac/kernel, @peac/schema, @peac/crypto, @peac/protocol
+Layered dependency DAG (L0 kernel -> L6 applications)
+@peac/core deprecated
+HTTP 402 profile support

Breaking Changes

Replace @peac/core imports with specialized packages

v0.9.14

Wire Format Stabilization

+Self-describing JWS receipts with peac.receipt/0.9
+Standardized JOSE conventions
+Domain policy enforcement

v0.9.13Archive

Schema Refinement

+Receipt schema hardening
+Improved validation error messages
+Test coverage expansion

v0.9.11Archive

SDK Improvements

+Enhanced SDK ergonomics
+Better TypeScript types
+Documentation updates

v0.9.9Archive

Payment Rail Abstractions

+x402 and Stripe rail support
+Payment evidence structures
+Receipt verification improvements

v0.9.7Archive

Agreement Core

+Core agreement flow implementation
+Negotiation protocol basics
+Webhook integration patterns

v0.9.5Archive

Policy Discovery

+peac.txt and .well-known support
+Machine-readable policy files
+Agent discovery protocol

v0.9.2Archive

SDK Foundations

+Node.js SDK refinements
+CLI tool basics
+Example integrations

v0.9.1Archive

Multi-Platform SDKs

+Node.js and Python SDKs
+HTTP 402 Payment Required handler
+WordPress and Shopify plugin stubs
+Privacy and anonymization layer

v0.9.0Archive

July 18, 2025

First Public Release

+Production-ready OSS implementation
+Machine-readable pricing.txt and .well-known/peac.json
+Core modules, Node.js SDK, CLI, schema
+Attribution and EIP-712 signature enforcement
+x402 and Stripe compatibility

Version Policy

Current record format: interaction-record+jwt (Interaction Record format, stable). Legacy format peac-receipt/0.1 is frozen.
Library APIs may change between minor versions when it improves correctness or standards alignment
Breaking changes are documented with clear migration paths

Resources

GitHub Releases

Full release notes and tags

CHANGELOG.md

Detailed change history

Back to home