v0.12.0Current
March 9, 2026
Interaction Record Format 0.2 Stable: Conformance, Property Tests, Benchmarks, OIDC Publishing
- +Interaction Record Format 0.2 promoted to stable on npm latest (28 packages via OIDC trusted publishing)
- +146 normative requirement IDs across 18 spec sections with machine-readable registry and drift detection (DD-164, DD-167)
- +Property and fuzz testing: 12+ property tests across schema, crypto, protocol with zero-crash guarantee (DD-158)
- +Performance benchmarks: Vitest bench suite for issuance, verification, policy binding with Node 24 baseline (DD-159)
- +SSRF and security hardening: expanded test vectors, security posture documentation (DD-160)
- +API surface lock for 9 critical packages with pack-install smoke tests (DD-162, DD-163)
- +Doc-example execution gate: automated validation of 25 code blocks in 5 spec documents (DD-163)
- +OIDC trusted publishing: 45 packages configured, provenance attestations on every publish (DD-162)
- +Node 24 Active LTS canonical baseline (DD-161), Node 22 Maintenance LTS compatibility lane
- +Committed release manifest (docs/releases/current.json) with versioned gate reports
- +All 6 DD-90 stable gates wired and passing (20/20)
v0.12.0-preview.1Archive
March 3, 2026
Interaction Record Format 0.2 Preview: Structured Kinds + Typed Extensions + Policy Binding
- +Interaction Record Format 0.2 envelope: typ: interaction-record+jwt, 2 structural kinds (evidence/challenge), open semantic type (reverse-DNS or URI), multi-valued pillars (10-pillar taxonomy) (DD-156)
- +Typed extension groups: 5 core groups (commerce, access, challenge, identity, correlation) with strict schemas, unknown-key preservation with warnings, prototype-pollution-hardened accessors (DD-153)
- +Policy binding: JCS (RFC 8785) + SHA-256 digest, 3-state result (verified/failed/unavailable), computePolicyDigestJcs() for deterministic canonicalization (DD-155)
- +JOSE hardening: reject embedded keys (jwk/x5c/x5u/jku), crit, b64:false, zip; kid required (max 256 chars); JWS size cap (256 KB) (DD-150)
- +Issuer canonical form: https:// (ASCII, RFC 3986) and did: (DID Core) only; all others hard error (DD-151)
- +Representation fields: sha256-only content_hash, conservative MIME content_type, finite content_length guards
- +Dual-stack verification: verifyLocal() auto-detects wire version, returns wireVersion 0.1 or 0.2
- +Strictness profiles: strict (default) and interop for typ checking
- +Warning plumbing: 4 warning codes with RFC 6901 pointers, sorted by (pointer, code)
- +Format 0.2 conformance suite: 59 fixtures (valid/invalid/warnings), raw JWS sign helper, deterministic test runner
- +Normative spec: docs/specs/WIRE-0.2.md
- +Release gate: 14 explicit checks
v0.11.3
March 2, 2026
Zero Trust + Agent Identity + Key Rotation + Reconcile CLI
- +Zero Trust Profile Pack: 7 sub-profiles as documentation overlays for Zero Trust deployment scenarios (DD-145)
- +Agent Identity expansion: 8 proof types (ed25519-cert-chain, eat-passport, sigstore-oidc, did, spiffe, x509-pki, custom), ActorBinding schema with origin-only enforcement, MVIS 5-field validation (DD-142, DD-143, DD-144)
- +Key Rotation lifecycle: PENDING/ACTIVE/DEPRECATED/RETIRED/REVOKED FSM, 30-day normative overlap, tiered kid reuse detection, revoked_keys[] in issuer config, NIST SP 800-57 aligned (DD-148)
- +Reconciliation CLI: peac reconcile command with (iss, jti) conflict detection, deterministic JSON output, --fail-on-conflict for CI gating (DD-148)
- +Treaty extension: 4-level commitment_class (informational/operational/financial/legal) (DD-147)
- +ZT extension schemas: credential-event, tool-registry, control-action with SSRF-safe URL scheme allowlist
- +FingerprintRef: opaque fingerprint reference format with string/object conversion functions (DD-146)
- +Governance framework alignment: 8 mapping documents (NIST AI RMF, EU AI Act, OWASP ASI, ISO 42001, IEEE 7001, OECD, Singapore MGFAA, AWS RAI)
- +Multi-tenant guidance: 3-tier isolation model (Shared/Scoped/Isolated) (DD-149)
- +NIST submission pack and release gate (10 checks)
- +New examples: edge-markdown-content-signals, a2a-gateway-pattern
v0.11.2
February 25, 2026
Content Signals + Evidence Locators
- +Agent-actionable error recovery hints: 7-value next_action vocabulary on every error (DD-132, DD-133)
- +receipt_url locator hint on PeacEvidenceCarrier: HTTPS-only, SSRF-hardened resolver in @peac/net-node (DD-135)
- +@peac/mappings-content-signals: robots.txt (RFC 9309), Content-Usage (AIPREF), tdmrep.json (EU Directive 2019/790) parsing with three-state resolution (DD-136, DD-137)
- +@peac/adapter-openai-compatible: hash-first inference receipts for any OpenAI-compatible provider (DD-138)
- +MCP Registry manifest (server.json), Smithery config, llms.txt, Plugin Pack for Claude Code and Cursor (DD-139, DD-140)
- +Clean rename: retriable to retryable across all error definitions (DD-134)
- +Schema layer validation-only invariant formalized (DD-141)
@peac/mappings-content-signals@peac/adapter-openai-compatible
v0.11.1
February 24, 2026
Evidence Carrier Contract + A2A Mapping
- +Evidence Carrier Contract: PeacEvidenceCarrier + CarrierAdapter<TInput, TOutput> universal carry interface (DD-124 through DD-131)
- +@peac/mappings-a2a: Google Agent-to-Agent protocol evidence carrier
- +ACP and UCP carrier adapter adoption for Agentforce and Universal Commerce Protocol
- +x402 carrier adapter with challenge type mapping
- +MCP _meta carrier format with reserved key guard
- +Content-addressed receipt references: computeReceiptRef(jws) = sha256(receipt_jws)
- +Discovery Profile spec and JWKS resolver
- +4 normative specs: Evidence Carrier Contract, PEAC-ISSUER, PEAC-TXT, Discovery Profile
@peac/mappings-a2a@peac/mappings-acp@peac/mappings-ucp@peac/adapter-x402
v0.11.0
February 23, 2026
Zod 4 + MCP Streamable HTTP + Kernel Constraints
- +Zod 4 migration (^4.3.6) across all packages with pnpm.overrides enforcement
- +MCP Streamable HTTP transport: session-isolated McpServer per client (CVE-2026-25536 defense)
- +Kernel constraint enforcement pipeline: fail-closed in issue() and verify() paths
- +Integrator kit bootstrap with conformance harness for third-party implementations
- +OWASP ASI-01 through ASI-10 alignment across all packages
- +CORS deny-all, localhost-only bind, rate limiting, and size limits for MCP HTTP
@peac/integrator-kit
v0.10.14
Fixture Versioning + Kernel Constraints Formalization
- +Conformance fixture versioning: schema_version field across all JSON fixture files
- +Kernel constraints specification (KERNEL-CONSTRAINTS.md) with normative rules
- +Editorial hygiene sweep across specs and documentation
- +Zod 4 preparation: compatibility audit and migration plan
v0.10.13
MCP Server for AI Agents
- +@peac/mcp-server: 5 MCP tools for Claude Desktop, Cursor, and MCP hosts
- +3 pure tools: peac_verify, peac_inspect, peac_decode
- +2 privileged tools: peac_issue, peac_create_bundle (capability-gated)
- +Handler-transport separation for reuse in any MCP host
- +Static policy loading with canonical hash for reproducibility
- +Structured outputs with _meta: { serverVersion, policyHash, protocolVersion }
- +SSRF prevention by design: no ambient key discovery
- +226 tests across 22 test files
@peac/mcp-server
v0.10.12
OpenClaw Activation + RFC 9421 Proof Capture Profile
- +@peac/capture-node: FileSpoolStore and FileDedupeIndex (durable fs-backed stores)
- +OpenClaw activate(): one-call setup with generateSigningKey() and peac-keygen CLI
- +Structured counters: scanned/exported/skipped breakdowns for export and query
- +Dual-representation check: verifier detects auth/evidence vs _jws mismatch
- +RFC 9421 proof capture normative profile with extension schema
- +5 conformance vectors for proof capture validation
- +Profiles taxonomy: Transport, Proof Capture, Wire Format categories
@peac/capture-node@peac/adapter-openclaw
v0.10.11
Runtime Dependencies + Stripe x402
- +Upgrade @noble/ed25519 to v3 (signAsync/verifyAsync API)
- +Upgrade @opentelemetry/sdk-metrics to v2
- +@peac/rails-stripe fromCryptoPaymentIntent() for x402 bridge
- +Registry v0.3.0: org.peacprotocol/interaction@0.1 extension key
- +Supply chain hardening: SECURITY.md, audit-gate.mjs, lockfile drift check
- +Version management: bump-version.mjs, check-version-sync.mjs
- +Release process: RELEASING.md rewritten, dependabot ignore rules
@peac/rails-stripe@peac/crypto@peac/telemetry-otel
v0.10.10
Dev Toolchain Modernization
- +tsup build system (dual ESM/CJS: .mjs/.cjs) replacing raw tsc
- +tsc for declarations only: faster builds, smaller output
- +Turbo pipeline with per-package overrides
- +Dependency-cruiser layer enforcement updates for new packages
- +All 22 packages on npm at latest dist-tag
v0.10.9
Foundation Hardening: Architecture, CI, and Server Reliability
- +Unified receipt parser (parseReceiptClaims): single entry point for commerce and attestation receipt validation
- +Dependency-cruiser layer enforcement: 14 pattern-based rules encoding full layer structure (L0 through L6)
- +Publish-manifest closure check: traverses all manifest packages runtime dependencies
- +JWKS stale-if-error (@peac/jwks-cache): expired cache entries retained for fallback with 48h hard cap
- +Bounded rate-limit store (@peac/middleware-core): LRU eviction with configurable maxKeys
- +Graceful shutdown for sandbox-issuer and API apps (SIGTERM/SIGINT with 10s forced timeout)
- +verifyLocal() returns discriminated union branching on variant: commerce | attestation
- +Telemetry decoupled from protocol: fire-and-forget TelemetryHook options injection
@peac/schema@peac/protocol@peac/jwks-cache@peac/middleware-core
v0.10.8
Adoption Release: Middleware, Conformance, and Infrastructure (tag only, no GitHub Release)
- +@peac/middleware-core: Framework-agnostic middleware primitives for PEAC receipt issuance
- +@peac/middleware-express: Express.js middleware for automatic receipt issuance (Express 4.x and 5.x)
- +Conformance runner (`peac conformance run`) with JSON, text, markdown output and category filtering
- +Sample receipts (`peac samples list`, `peac samples show`, `peac samples generate`)
- +Sandbox issuer app with discovery, stable key management, and rate limiting
- +Browser verifier app: pure static Vite site with offline mode and drag-drop verification
- +Verify API with RFC 9457 Problem Details, rate limiting, and trusted issuer allowlist
@peac/middleware-core@peac/middleware-express@peac/adapter-openclaw@peac/cli
v0.10.7
InteractionEvidence Extension + OpenClaw Adapter
- +InteractionEvidence extension schema at evidence.extensions["org.peacprotocol/interaction@0.1"]
- +@peac/capture-core - Runtime-neutral capture pipeline with deterministic timestamps and tamper-evident chain
- +@peac/adapter-openclaw - Full OpenClaw plugin with two-stage pipeline (sync capture + async emit)
- +Protocol-grade verification: Algorithm allowlist, key validation, DoS protection, JOSE compliance
- +6 new E_CAPTURE_* error codes for capture pipeline
@peac/capture-core@peac/adapter-openclaw@peac/schema@peac/kernel
v0.10.6
ERC-8004 Mapping
- +@peac/mappings-erc8004 - ERC-8004 Trustless Agent reputation signal mapping
- +Reputation score normalization to PEAC evidence format
- +Agent identity binding with ERC-8004 attestations
- +Integration with Ethereum attestation ecosystem
@peac/mappings-erc8004
v0.10.5
npm Publish Hardening + Latest Dist-Tag
- +13 packages published to npm with `latest` dist-tag via OIDC Trusted Publishing
- +Manifest-only publishing with validity guard for safer releases
- +Removed --strict from workflow for incremental OIDC rollout
- +Clear separation: manifest = allowlist of packages to publish
@peac/kernel@peac/schema@peac/crypto@peac/protocol@peac/control
v0.10.4
GitHub Actions npm Publish with OIDC
- +OIDC Trusted Publishing - no long-lived npm tokens required
- +SHA-pinned actions for supply chain security
- +Protected environment `npm-production` with required reviewers
- +Dry-run validation job before production publish
- +Publish manifest as single source of truth for package order
v0.10.3
x402 Adapter v0.2 Hardening
- +Profile rename: peac-x402-offer-receipt/0.1
- +DoS guards: 128 entries max, 256 KiB total, per-field byte limits
- +CAIP-2 network validation with split parser
- +termMatching first-class field (always present, deterministic)
- +Vendor neutrality: payTo (x402) -> payee (neutral) at adapter boundary
- +19 conformance vectors (3 valid + 13 invalid + 3 edge-cases)
@peac/adapter-x402
v0.10.2
Workflow Correlation
- +WorkflowContext extension for multi-agent orchestration (MCP, A2A, CrewAI, LangGraph)
- +DAG verification with cycle detection and parent validation
- +External ID interop: OTel, Temporal, Airflow, Prefect, Dagster, Argo
- +WorkflowSummaryAttestation for proof-of-run artifacts
- +8 new E_WORKFLOW_* error codes
v0.10.1
SSRF-Safe Network Utilities
- +@peac/net-node - SSRF-safe network utilities with DNS resolution pinning
- +RFC 6890 special-use IP blocking
- +Redirect policy with host-change validation
- +Three-tier evidence redaction (public/tenant/private)
- +RFC 8785 JCS canonicalization for evidence digests
- +284 tests covering security, audit, and edge cases
@peac/net-node
v0.10.0
Wire Format Normalization (v0.1 Baseline)
- +Wire format normalized: peac-receipt/0.1 (hyphenated, decoupled from repo version)
- +Schema namespace updated: peacprotocol.org/schemas/wire/0.1/
- +Go SDK alignment: jws.DefaultReceiptTyp constant updated
- +Consistent artifact naming across TypeScript and Go SDKs
@peac/protocol@peac/schema@peac/crypto
v0.9.31
UCP Mapping + Strategic Positioning
- +@peac/mappings-ucp - Google Universal Commerce Protocol webhook signature verification
- +RFC 7797 detached JWS with ES256/ES384/ES512 support
- +UCP order to PEAC receipt mapping with amounts in minor units
- +Dispute evidence generation for @peac/audit bundles
- +17 UCP error codes (E_UCP_*) in specs/kernel/errors.json
- +Security hardening: JOSE crit semantics, strict header validation
- +UCP webhook example (examples/ucp-webhook-express/)
- +70+ tests covering all verification paths
@peac/mappings-ucp
v0.9.30
Dispute Bundle + Deterministic Verification
- +Dispute Bundle format (@peac/audit) - ZIP-based archive for offline verification
- +createDisputeBundle(), readDisputeBundle(), verifyBundle() functions
- +VerificationReport type with deterministic JCS canonicalization
- +CLI bundle commands: peac bundle create|verify|info
- +Error codegen from specs/kernel/errors.json
- +Crypto testkit with generateKeypairFromSeed() for deterministic tests
- +8 conformance fixtures (2 valid, 6 invalid) with expected report hashes
- +9 bundle error codes (E_BUNDLE_*)
@peac/audit
v0.9.29
Go SDK Parity (Issue + Policy + Verify)
- +peac.Issue() - Create signed PEAC receipts in Go
- +peac.Verify() - Receipt verification with Ed25519 + JWS + JWKS
- +peac.Policy() - Policy rule evaluation
- +Go middleware: middleware/chi and middleware/gin with context-based claims
- +Full JWKS discovery and caching
- +Cross-language conformance with TypeScript SDK
- +150+ tests including fuzz tests
- +Go module tags: sdks/go@v0.9.29, sdks/go/middleware/chi@v0.9.29
v0.9.28
Edge + Scale + Hardening
- +@peac/contracts - Single source of truth for error codes, MODE_BEHAVIOR, WWW-Authenticate
- +@peac/worker-core - Runtime-neutral TAP verification handler with security hardening
- +Edge deployment guides (Cloudflare Workers, Fastly Compute, Akamai EdgeWorkers)
- +RFC 6648 compliant headers (PEAC-* not X-PEAC-*)
- +Default mode changed to tap_only (BREAKING from receipt_or_tap)
- +LRU replay protection with true access-order updates
- +Error message sanitization by default (UNSAFE_DEV_MODE gate)
- +Documentation quality guardrails CI workflow
@peac/contracts@peac/worker-core
Breaking Changes
Default verification mode changed to tap_only (returns 401 when TAP missing)
v0.9.27
Dispute & Audit
- +DisputeAttestation type for formal contestation of receipts, attributions, identity claims
- +13 grounds codes across evidence, attribution, identity, and policy categories
- +13 dispute error codes (E_DISPUTE_*) for validation and lifecycle
- +Case bundle format with W3C Trace Context correlation
- +Dispute lifecycle states: filed, acknowledged, under_review, escalated, resolved, appealed, final
- +@peac/audit package for audit log generation and trace correlation
- +50 conformance fixtures for dispute validation
@peac/audit
v0.9.26
Attribution & Conformance
- +AttributionAttestation type for content provenance tracking
- +ContentHash type with SHA-256 + base64url encoding
- +Attribution chains with cycle detection (max 100 sources, depth 8)
- +@peac/attribution package with computeContentHash, verifyContentHash, resolveChain
- +CC Signals obligations extension (credit, contribution requirements)
- +12 attribution error codes (E_ATTRIBUTION_*)
- +15 conformance fixtures for attribution validation
@peac/attribution
v0.9.25
Agent Identity & Go Verifier
- +AgentIdentityAttestation type with peac/agent-identity attestation
- +Key lifecycle states: PENDING, ACTIVE, DEPRECATED, RETIRED, REVOKED
- +Go SDK with Ed25519 + JWS + JWKS verification (sdks/go/)
- +HTTP message signature bridge (RFC 9421 compatible)
- +13 identity error codes (E_IDENTITY_*)
- +MCP integration with reverse-DNS keys (org.peacprotocol/*)
- +Golden vectors for cross-language conformance
v0.9.24
Purpose on Wire
- +PEAC-Purpose, PEAC-Purpose-Applied, PEAC-Purpose-Reason HTTP headers
- +Receipt claims: purpose_declared, purpose_enforced, purpose_reason
- +Enforcement profiles: strict, balanced (default), open
- +@peac/mappings-aipref package for IETF AIPREF vocabulary mapping
- +28 golden vectors for purpose parsing and validation
- +robotsToPeacStarter() function for robots.txt bridge
@peac/mappings-aipref@peac/pref
v0.9.23
Publisher Playbooks
- +Policy Kit profiles for common publisher scenarios
- +Pre-built templates for news sites, blogs, APIs, and research portals
- +Streamlined policy generation with sensible defaults
- +Publisher-specific attribution formats and licensing modes
@peac/policy-kit
v0.9.22
Telemetry & Observability
- +@peac/telemetry - Core telemetry interfaces and no-op provider
- +@peac/telemetry-otel - OpenTelemetry adapter with 90 tests
- +Privacy modes: strict (hash all), balanced (include rail/amounts), custom (allowlist)
- +Protocol hooks in issue() and verify() for telemetry emission
- +W3C Trace Context support via OpenTelemetry spans
- +Metrics: counters for receipts issued/verified, histograms for operation duration
@peac/telemetry@peac/telemetry-otel
v0.9.21
Wire Spec & Conformance
- +JSON-safe evidence validation (JsonValue type, z.number().finite())
- +Iterative JSON validator with cycle detection (WeakSet)
- +DoS protection caps: maxDepth, maxArrayLength, maxObjectKeys, maxStringLength, maxTotalNodes
- +Wire spec with JSON Schema definitions (Ajv 2020-12)
- +Conformance harness with golden vectors
- +Generic Attestation and Extensions types
@peac/adapter-core
v0.9.20
Privacy & Multi-CDN
- +@peac/privacy - Privacy-preserving hashing with required salt
- +@peac/rails-card - Card billing bridge with billing_snapshot
- +@peac/transport-grpc - gRPC StatusCode parity with HTTP
- +x402 adapters: Daydreams, Fluora, Pinata
- +Edge workers: Fastly, Akamai
- +PaymentEvidence.facilitator field for vendor identification
@peac/privacy@peac/rails-card@peac/transport-grpc
Breaking Changes
Adapter package names: @peac/rails-x402-* changed to @peac/adapter-x402-*
v0.9.19
India Payments & MCP Budget
- +@peac/rails-razorpay - India payment adapter (UPI, cards, netbanking)
- +MCP/ACP budget utilities with bigint minor units
- +x402 payment reference header parsing
- +5 flagship examples: x402-node-server, pay-per-inference, pay-per-crawl, rsl-collective, mcp-tool-call
@peac/rails-razorpay
v0.9.18
TAP & Edge Distribution
- +@peac/http-signatures - RFC 9421 HTTP Message Signatures
- +@peac/jwks-cache - Edge-safe JWKS fetch with SSRF protection
- +@peac/mappings-tap - Visa TAP protocol mapping
- +Cloudflare Worker and Next.js Edge middleware
- +Fail-closed security defaults
@peac/http-signatures@peac/jwks-cache@peac/mappings-tap
Breaking Changes
Removed ai_search ControlPurpose (use ai_index or ai_input)
v0.9.17
AI Policy Kit & x402 v2
- +x402 v2 adapter with v1 fallback (X402Dialect config)
- +RSL 1.0 alignment with extended ControlPurpose
- +@peac/policy-kit v0.1 for deterministic policy evaluation
- +CLI commands: peac policy init, validate, explain, generate
- +Subject profile binding on AuthContext
@peac/policy-kit
Breaking Changes
issue() now returns IssueResult { jws, subject_snapshot? } instead of string
v0.9.16
Control Abstraction Layer
- +ControlPurpose enumeration (crawl, index, train, inference)
- +Licensing modes (subscription, pay_per_crawl, pay_per_inference)
- +PaymentEvidence with aggregator and splits[]
- +Subject profile types (human, org, agent)
v0.9.15
Kernel-First Architecture
- +Specialized packages: @peac/kernel, @peac/schema, @peac/crypto, @peac/protocol
- +Layered dependency DAG (L0 kernel -> L6 applications)
- +@peac/core deprecated
- +HTTP 402 profile support
Breaking Changes
Replace @peac/core imports with specialized packages
v0.9.14
Wire Format Stabilization
- +Self-describing JWS receipts with peac.receipt/0.9
- +Standardized JOSE conventions
- +Domain policy enforcement
v0.9.13Archive
Schema Refinement
- +Receipt schema hardening
- +Improved validation error messages
- +Test coverage expansion
v0.9.11Archive
SDK Improvements
- +Enhanced SDK ergonomics
- +Better TypeScript types
- +Documentation updates
v0.9.9Archive
Payment Rail Abstractions
- +x402 and Stripe rail support
- +Payment evidence structures
- +Receipt verification improvements
v0.9.7Archive
Agreement Core
- +Core agreement flow implementation
- +Negotiation protocol basics
- +Webhook integration patterns
v0.9.5Archive
Policy Discovery
- +peac.txt and .well-known support
- +Machine-readable policy files
- +Agent discovery protocol
v0.9.2Archive
SDK Foundations
- +Node.js SDK refinements
- +CLI tool basics
- +Example integrations
v0.9.1Archive
Multi-Platform SDKs
- +Node.js and Python SDKs
- +HTTP 402 Payment Required handler
- +WordPress and Shopify plugin stubs
- +Privacy and anonymization layer
v0.9.0Archive
July 18, 2025
First Public Release
- +Production-ready OSS implementation
- +Machine-readable pricing.txt and .well-known/peac.json
- +Core modules, Node.js SDK, CLI, schema
- +Attribution and EIP-712 signature enforcement
- +x402 and Stripe compatibility
Version Policy
- Record formats:
peac-receipt/0.1(frozen legacy) andinteraction-record+jwt(Interaction Record Format 0.2, stable) - Library APIs may change between minor versions when it improves correctness or standards alignment
- Breaking changes are documented with clear migration paths