Releases: peacprotocol/peac

0.9.26

04 Jan 15:49
608e576

Summary

Release v0.9.26: Attribution + Obligations + Conformance

What's New

  • @peac/attribution package: Full implementation for provenance tracking
    • computeContentHash(): SHA-256 content hashing with base64url encoding
    • verifyContentHash(): Verify content matches expected hash
    • buildAttributionChain(): Construct attribution chains from source receipts
    • verifyAttributionChain(): Verify chain integrity and signatures
  • Attribution Schema (@peac/schema):
    • AttributionAttestation: Core attestation type for content provenance
    • AttributionEvidence: source_receipt_ref, content_hash, usage_type, excerpts
    • UsageType: training_input, rag_context, direct_reference, synthesis_source, embedding_source
  • Obligations Extension:
    • CC Signals-aligned credit and contribution requirements
    • CreditRequirement: required, recommended, optional with citation_url
    • ContributionRequirement: direct, ecosystem, open contribution types
  • Infrastructure:
    • 16 attribution_* error codes in specs/kernel/errors.json
    • HTTP helpers in @peac/kernel (VARY_HEADERS, applyPurposeVary)
    • Attribution conformance suite (15 fixtures)
    • RFC 6648 compliance (PEAC-* headers, no X-PEAC-*)

Files Changed

  • 41 package.json files bumped to 0.9.26
  • CHANGELOG.md updated

PEAC Protocol is an open-source project stewarded by Originary.

0.9.25

03 Jan 22:30
b588899

Summary

PEAC v0.9.25 release: Agent Identity + Go Verifier SDK (Infrastructure Wedge)

What's New

Agent Identity Attestation (@peac/schema)

  • AgentIdentityAttestation type extending generic Attestation framework
  • ControlType: operator (verified bots) vs user-delegated (user agents)
  • AgentProof with proof methods: http-message-signature, dpop, mtls, jwk-thumbprint
  • IdentityBinding type for cryptographic request-receipt binding
  • Validation helpers and factory functions

Identity Error Codes (specs/kernel/errors.json)

  • 13 new identity_* error codes with HTTP status mappings
  • All codes registered with retriability semantics

Go Verifier SDK (sdks/go/)

  • Verify() function for Ed25519 receipt verification
  • JWS parsing and header validation
  • JWKS fetching with timeout and size limits
  • Thread-safe cache with TTL and stale-while-revalidate
  • 21 error codes with HTTP status mapping

Go net/http Middleware (sdks/go/middleware/)

  • RequireReceipt() and OptionalReceipt() helper constructors
  • RFC 9457 Problem Details error responses
  • Framework integration examples (gorilla/mux, chi, gin)

Normative Specification (docs/specs/AGENT-IDENTITY.md)

  • Binding message construction algorithm
  • Verification algorithm (VERIFY_IDENTITY pseudocode)
  • Key rotation semantics (PENDING/ACTIVE/DEPRECATED/REVOKED)
  • Error taxonomy with HTTP status mappings
  • AAIF/MCP/A2A interop patterns (informative)

Example (examples/agent-identity/)

  • TypeScript: publisher and agent implementation
  • Go: verifier example using Go SDK

Test plan

  • pnpm lint passes
  • pnpm build passes
  • pnpm typecheck:core passes
  • Agent identity schema tests pass
  • Golden vector conformance tests pass
  • Version bumps verified (all packages at 0.9.25)

0.9.24

02 Jan 21:04
05814ba

Purpose on wire:

  • PEAC-Purpose request header for agent intent
  • purpose_declared, purpose_enforced, purpose_reason claims
  • Canonical purposes: train, search, user_action, inference, index

New packages:

  • @peac/mappings-aipref: IETF AIPREF vocabulary alignment

Features:

  • Purpose type hierarchy (PurposeToken, CanonicalPurpose, PurposeReason)
  • Enforcement profiles (strict, balanced, open)
  • robotsToPeacStarter() migration helper
  • Purpose conformance suite (28 golden vectors)

Security:

  • undeclared is internal-only (never valid on wire)
  • Unknown tokens preserved without enforcement bypass

Fixes:

  • getPurposeStatusCode: 402 reserved for payment (review -> 403)
  • Renamed getPurposeDecisionStatusCode for low-level use

All packages bumped to 0.9.24.

0.9.23

31 Dec 06:31
d0300c7

Summary

Profiles:

  • 4 pre-built profiles: news-media, api-provider, open-source, saas-docs
  • Build-time YAML→TypeScript compilation (no runtime fs/YAML deps)
  • Prettier-stable generated code with CI drift check

API:

  • listProfiles(), loadProfile(), validateProfileParams(), customizeProfile()
  • PROFILES and PROFILE_IDS constants

Enforcement:

  • enforceDecision() with strict review semantics (only receiptVerified)
  • enforceForHttp() for HTTP response details
  • HTTP 402 with WWW-Authenticate: PEAC realm="receipt" challenge

CLI:

  • peac policy list-profiles, peac policy show-profile
  • --profile flag for peac policy init
  • Automation flags: --json, --yes, --strict, --out -

Testing:

  • 197 policy-kit tests
  • Tarball smoke test (pnpm --filter @peac/policy-kit test:smoke)
  • Generator golden tests with CI gate

0.9.22

31 Dec 03:00
77dccc4

Summary

  • @peac/telemetry: Core telemetry interfaces and no-op implementation
  • @peac/telemetry-otel: OpenTelemetry adapter with privacy modes (90 tests)
  • Protocol telemetry hooks in issue() and verify()
  • Evidence lane rules documentation

Privacy modes:

  • strict: Hash all identifiers, minimal data (production default)
  • balanced: Hash identifiers, include rail/amount (debugging)
  • custom: Allowlist-based filtering

W3C Trace Context support for receipt-to-trace correlation.

Wire format: peac.receipt/0.9 (unchanged)

0.9.21

30 Dec 23:38
db89f1f

Summary

  • Wire spec: 6 JSON Schema 2020-12 files for peac.receipt/0.9
  • Generic Attestations: issuer, type, issued_at, expires_at, ref, evidence
  • Namespaced Extensions: domain/key pattern on auth, control, evidence blocks
  • Conformance harness: 8 fixtures (valid, invalid, edge cases)
  • Property-based tests: fast-check integration (23 tests)

Details

  • Complete JSON Schema 2020-12 definitions for peac.receipt/0.9
  • 6 schema files: auth-context, control-block, evidence-block, payment-evidence, subject-profile, root envelope
  • VERSION.json for schema_set_version tracking (independent of npm versions)
  • Extension policy documented (additionalProperties: false by default, designated surfaces for extensibility)
  • Generic Attestation type: issuer, type, issued_at, expires_at, ref, evidence
  • Namespaced Extensions pattern: domain/key format (e.g., io.vendor/metadata)
  • Extensions on auth, control, and evidence blocks
  • 8 conformance fixtures (valid, invalid, edge cases)
  • Comprehensive test suite: schema validation, protocol compliance, rail parity
  • Property-based testing with fast-check (23 tests)
  • 1036 total tests passing

Wire format: peac.receipt/0.9 (unchanged)
Schema set version: 0.9.21

0.9.20

29 Dec 22:11
805b5d9

Added

  • Adapter taxonomy: x402 vendor packages moved from packages/rails/ to packages/adapters/x402/
  • @peac/adapter-x402-daydreams: AI inference event normalizer
  • @peac/adapter-x402-fluora: MCP marketplace event normalizer
  • @peac/adapter-x402-pinata: Private IPFS objects event normalizer
  • PaymentEvidence.facilitator: New optional field to identify the platform/vendor operating on a payment rail
    • Separates protocol (rail: "x402") from vendor (facilitator: "daydreams")
    • Allows querying by protocol while knowing specific facilitator
  • CI unicode security scan: Dedicated step for Trojan Source attack prevention (CVE-2021-42574)
  • Private packages (not published):
    • @peac/rails-card: Card payment rail foundation
    • @peac/transport-grpc: gRPC transport bindings
    • @peac/worker-fastly: Fastly Compute@Edge worker
    • @peac/worker-akamai: Akamai EdgeWorkers support
    • @peac/privacy: Privacy primitives for k-anonymity and data minimization

Breaking Changes

  • Adapter package names changed from @peac/rails-x402-* to @peac/adapter-x402-*
  • Adapter rail field now set to "x402" (was "x402." plus the vendor name, e.g. "x402.daydreams")
  • x402 adapters now set facilitator field to vendor name

Migration

// Before (v0.9.19)
{ rail: "x402.daydreams", ... }

// After (v0.9.20)
{ rail: "x402", facilitator: "daydreams", ... }

Notes

  • The 3 adapter packages were never published to npm, so the rename has no migration impact for external consumers
  • 26 public packages in total (3 new adapters added)

0.9.19

24 Dec 07:34
0db1aa7

v0.9.19 (Dec 24, 2025)

Added

  • MCP/ACP budget utilities: bigint minor unit calculations with currency enforcement
  • x402 payment header detection: Headers-only payment detection in rails-x402
  • India payments foundation: rails-razorpay adapter for UPI, cards, netbanking (internal)
  • Flagship examples: 5 CI-blocking examples with build/typecheck scripts
  • Unicode scanner: Enhanced with --fix mode and NBSP detection

Security

  • Razorpay webhook: raw bytes + constant-time signature verification
  • VPA hashed by default with HMAC (privacy-first)
  • Amount enforced as safe integer minor units
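The three controls above, sketched for a Node.js webhook handler. This is an added example, not code from the PEAC repository: the function names, secret, HMAC key and sample payload are constructed, and the hex-encoded HMAC-SHA256 signature over the request body is assumed from Razorpay's documented webhook scheme.

```javascript
// Added example; all names and sample values below are constructed.
const nodeCrypto = require('node:crypto');

// Verify the signature over the raw request bytes exactly as received.
// Assumes a hex-encoded HMAC-SHA256 of the body (Razorpay's documented scheme).
function verifyWebhook(rawBody, signatureHex, secret) {
  if (!Buffer.isBuffer(rawBody) || typeof signatureHex !== 'string') return false;
  if (!/^[0-9a-f]{64}$/i.test(signatureHex)) return false;
  const expected = nodeCrypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(signatureHex, 'hex');
  // The regex guarantees equal lengths; timingSafeEqual throws on a mismatch.
  return nodeCrypto.timingSafeEqual(expected, received);
}

// Store a keyed hash of the VPA so records cannot be reversed by hashing
// guessed addresses without the key.
function hashVpa(vpa, hmacKey) {
  return nodeCrypto.createHmac('sha256', hmacKey).update(vpa).digest('hex');
}

// Accept only non-negative safe integers in minor units; reject floats,
// numeric strings and values beyond Number.MAX_SAFE_INTEGER.
function parseAmountMinor(value) {
  if (typeof value !== 'number' || !Number.isSafeInteger(value) || value < 0) {
    throw new RangeError('amount must be a safe integer in minor units');
  }
  return value;
}

function handleWebhook(rawBody, signatureHex, secret, hmacKey) {
  if (!verifyWebhook(rawBody, signatureHex, secret)) {
    return { ok: false, reason: 'bad_signature' };
  }
  const event = JSON.parse(rawBody.toString('utf8')); // parse only after verification
  return {
    ok: true,
    amount: parseAmountMinor(event.amount),
    currency: event.currency,
    payer: hashVpa(event.vpa, hmacKey), // plaintext VPA is not returned
  };
}

// Constructed sample: the spacing would not survive JSON re-serialization.
const SECRET = 'constructed-webhook-secret';
const RAW = Buffer.from('{"amount": 49900, "currency": "INR", "vpa": "alice@upi"}');
const SIG = nodeCrypto.createHmac('sha256', SECRET).update(RAW).digest('hex');
```

Verifying a re-serialized copy of the parsed body fails against the same signature, which is why the check has to run on the raw bytes before any JSON middleware touches them.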

Notes

  • 22 public packages published with dist-tag next
  • rails-razorpay is private (not published to npm)

Full Changelog: v0.9.18.1...v0.9.19

0.9.18

19 Dec 17:40
4157355

What's New in v0.9.18

TAP, HTTP Signatures, Surfaces

Added

  • @peac/http-signatures: RFC 9421 HTTP Message Signatures parsing and verification (22 tests)
  • @peac/jwks-cache: Edge-safe JWKS fetch with SSRF protection and caching (19 tests)
  • @peac/mappings-tap: Visa Trusted Agent Protocol (TAP) to control evidence mapping (29 tests)
  • Cloudflare Worker TAP verifier: Reference surface at surfaces/workers/cloudflare/ (34 tests)
  • Next.js Edge middleware: Reference surface at surfaces/nextjs/middleware/ (21 tests)
  • Schema normalization: toCoreClaims() projection function for cross-mapping parity
  • Canonical flow examples at examples/: pay-per-inference, pay-per-crawl, rsl-collective

Fixed

  • TAP terminology: "Trusted Agent Protocol" (was incorrectly "Token Authentication Protocol")
  • RSL 1.0 Token Vocabulary: Corrected RSL token mapping (ai-index, not ai-search)
  • Registry sync: specs/kernel/registries.json now includes tap and rsl control engines

Security Defaults (v0.9.18 Surfaces)

  • Fail-closed issuer allowlist: ISSUER_ALLOWLIST required; 500 error if empty
  • Fail-closed unknown tags: Unknown TAP tags rejected; 400 error
  • Replay protection required: 401 error if nonce present but no replay store
  • 402 reserved for payment: Only RECEIPT_MISSING/INVALID/EXPIRED use 402
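A sketch of how these fail-closed defaults order into one decision function. This is an added example, not code from the PEAC surfaces: the function names, the tag values, the in-memory replay store and every error code other than RECEIPT_MISSING/INVALID/EXPIRED are assumptions, as are the statuses marked so in the comments.

```javascript
// Added example; tag values are assumed samples, not taken from the page.
const KNOWN_TAGS = new Set(['agent-browser-auth', 'agent-payer-auth']);

function problem(status, code) {
  return { allowed: false, status, code };
}

// config:  { issuerAllowlist: string[], replayStore?: { seen(nonce): boolean } }
// request: { issuer, tag, nonce?, receipt?: 'valid' | 'invalid' | 'expired' }
function decide(config, request) {
  // An empty or missing allowlist is a deployment error, never "allow everyone".
  if (!Array.isArray(config.issuerAllowlist) || config.issuerAllowlist.length === 0) {
    return problem(500, 'ISSUER_ALLOWLIST_EMPTY');
  }
  // Unknown tags are rejected outright instead of being ignored.
  if (!KNOWN_TAGS.has(request.tag)) return problem(400, 'UNKNOWN_TAG');
  if (!config.issuerAllowlist.includes(request.issuer)) {
    return problem(403, 'ISSUER_NOT_ALLOWED'); // assumed status; the page gives none
  }
  if (request.nonce !== undefined) {
    // A nonce that cannot be checked gives no replay protection, so refuse.
    if (!config.replayStore) return problem(401, 'REPLAY_STORE_MISSING');
    if (config.replayStore.seen(request.nonce)) {
      return problem(401, 'REPLAYED'); // assumed status; the page gives none
    }
  }
  // 402 is used only for the three receipt conditions.
  if (request.receipt === undefined) return problem(402, 'RECEIPT_MISSING');
  if (request.receipt === 'expired') return problem(402, 'RECEIPT_EXPIRED');
  if (request.receipt !== 'valid') return problem(402, 'RECEIPT_INVALID'); // unrecognized fails closed
  return { allowed: true, status: 200, code: 'OK' };
}

// Minimal in-memory store: records a nonce on first sight, reports reuse after.
function memoryReplayStore() {
  const nonces = new Set();
  return {
    seen(nonce) {
      if (nonces.has(nonce)) return true;
      nonces.add(nonce);
      return false;
    },
  };
}
```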

Breaking Change

  • BREAKING: Removed ai_search ControlPurpose (use ai_index or ai_input instead)

See CHANGELOG.md for full details.

0.9.17

14 Dec 09:37
a10a82c

What's in v0.9.17

  • x402 v2 Adapter: Full x402 v2 compatibility with v1 fallback (X402Dialect = 'v1' | 'v2' | 'auto')
  • RSL 1.0 Alignment: Extended ControlPurpose with RSL tokens (ai_input, ai_search, search), new @peac/mappings-rsl package
  • Subject Binding: Optional subject_snapshot on AuthContext for identity context at issuance
  • issueJws(): Convenience wrapper returning just the JWS string for header-centric flows
  • Policy Kit v0.1: New @peac/policy-kit package for deterministic CAL policy evaluation
    • YAML/JSON policy format with first-match-wins rule semantics
    • Compile to deployment artifacts: peac.txt, robots-ai-snippet.txt, aipref-headers.json, ai-policy.md
    • Configurable receipts (required | optional | omit) with sensible defaults
  • CLI Policy Commands: peac policy init, peac policy validate, peac policy explain, peac policy generate
    • --dry-run for safe preview without writing files
    • --well-known to output peac.txt to .well-known/ subdirectory

Breaking Changes

  • issue() now returns IssueResult { jws, subject_snapshot? } instead of string
  • Migration path documented in CHANGELOG.md

Test plan

  • pnpm lint passes
  • pnpm build passes
  • pnpm typecheck:core passes
  • pnpm test:core passes (122 tests)
  • pnpm format:check passes
