@adastracomputing/ink 0.1.7 → 0.3.0

package/CHANGELOG.md

@@ -4,9 +4,15 @@ All notable changes to INK are recorded
 here. Pre-1.0 releases follow `0.Y.Z` semantics, see
 [`docs/maturity.md`](docs/maturity.md) for the versioning policy.
 
-## Unreleased
+## 0.2.0, version-keyed body-signature domain
 
-No unreleased changes.
+Version-keyed body-signature domain. The body message signature is now domain-separated by protocol version. ink/0.1 messages, and any object with no explicit ink/0.2 protocol, keep the legacy `tulpa/sign` domain so every signature produced to date still verifies. ink/0.2 messages are signed and verified under the neutral `ink/sign` domain. The verifier selects exactly one domain from the signed `protocol` field and never tries an alternate, so a signature made under one version's domain cannot be replayed under another.
+
+This change is receiver-first and backward compatible. Verifiers accept both versions and `MessageEnvelopeSchema` now accepts ink/0.1 and ink/0.2 as a strict enum, rejecting any unknown version. Senders still emit ink/0.1 by default. The HTTP transport-auth signature is unchanged.
+
+New vectors in `test-vectors/body-signature.json` pin the version-keyed domain including the cross-version and tamper cases. The standalone Python interop client verifies them identically.
+
+Per the pre-1.0 policy this release publishes under the `next` dist-tag.
 
 ## 0.1.7, expose per-intent payload schemas and getPayloadSchema from the package root
 
@@ -79,7 +85,7 @@ Fixes the v0.1.1 erratum: the Python `examples/interop-cli/` shipped in v0.1.1 e
 
 **CLI now builds `connection_request` envelopes.** `ink-interop send/build --intent-type connection_request` (or the alias `connection`) constructs a `ConnectionRequestPayloadSchema`-conformant payload (`method`, `context`, `profileSnapshot`). This is the bootstrap intent for first contact between strangers: receivers that opt in to foreign senders verify the body signature against the inline key extracted from the sender's `did:key` (trust-on-first-use). Other intent types (`intro_request`, `ask`, `follow_up`) presume the sender is already a known contact and remain reserved for established relationships.
 
-Verified end-to-end against `https://api.tulpa.network/ink/v1/<agentId>/intent`: a `did:key:` `connection_request` from `ink-interop send` lands as a pending action in the recipient's inbox (`status: 200`, `accepted: true`, `pendingActionId: 01KT…`). Coverage spans schema validation, body + transport signature verification, replay/freshness, identity resolution, routing, the foreign-DID policy gate, and shield risk-scoring. Tests pinned to the canonical shape (`tests/test_envelope.py`) prevent regression. The npm library itself is unchanged from v0.1.1.
+Verified end-to-end against `https://api.tulpa.network/ink/v1/<agentId>/intent`: a `did:key:` `connection_request` from `ink-interop send` lands as a pending action in the recipient's inbox (`status: 200`, `accepted: true`, `pendingActionId: 01KT…`). Coverage spans schema validation, body + transport signature verification, replay/freshness, identity resolution, routing, and the foreign-DID policy gate. Tests pinned to the canonical shape (`tests/test_envelope.py`) prevent regression. The npm library itself is unchanged from v0.1.1.
 
 **Example-helper API break.** `examples/interop-cli/`'s Python helper `build_intent_envelope()` now requires `keypair`, replaces `intent_type`/`purpose`/`timestamp` with canonical args (`target`, `reason`, `created_at`, etc.), and removes the `extra=` kwarg. Adopters who imported the old helper directly will need to update their calls — the previous signature emitted invalid wire data so no callable interop existed there to preserve. This is an example-only change; the npm library (`@adastracomputing/ink`) exports are unchanged.
 

package/README.md

@@ -4,7 +4,9 @@
 
 An open protocol for AI agents that need to send each other typed, signed messages on the public web. Built for scheduling, introductions, receipts, and other coordination flows where a user delegates an agent to act on their behalf.
 
-**Status: v0.1, experimental.** Wire formats, trust semantics, and APIs may change without backward-compatible migration before v1.0.
+**Status: experimental; current defined wire version `ink/0.2`.** Wire formats, trust semantics, and APIs may change without backward-compatible migration before v1.0. On npm, `latest` is `0.1.2` and `0.2.0` is published on the `next` tag; senders still emit `ink/0.1` by default unless explicitly configured.
+
+`ink/0.2` is the recommended target for new receiver implementations. It is a backward-compatible minor over `ink/0.1`, changing only the body-signature domain: the neutral `ink/sign` in place of the legacy `tulpa/sign`, selected from the signed `protocol` field. `ink/0.1` remains fully supported: both are major version 0, and conformant major-0 receivers accept either. There is no plan to drop `ink/0.1` within major 0; any future version sunset follows the [compatibility policy](specs/ink-compatibility-policy.md).
 
 | | |
 |---|---|
@@ -23,7 +25,7 @@ An open protocol for AI agents that need to send each other typed, signed messag
 - [Agent-assisted implementation](#agent-assisted-implementation)
 - [Tests](#tests)
 - [Layout](#layout)
-- [What's stable in v0.1](#whats-stable-in-v01)
+- [What's stable](#whats-stable)
 - [Naming](#naming)
 - [Relationship to Tulpa](#relationship-to-tulpa)
 - [Interoperability](#interoperability)
@@ -130,9 +132,9 @@ test/          vitest unit + integration tests
 
 The library runs on any runtime providing standard Web Crypto and `fetch`: Node 24+, Deno, Bun, Cloudflare Workers, browsers. The timestamp freshness window is enforced inside `verifyInkAuth`; nonce single-use is enforced when a `NonceStore` is passed (otherwise `checkReplay` must be called separately). Nonce backing storage and its TTL policy are the integrator's choice.
 
-## What's stable in v0.1
+## What's stable
 
-Reliable to depend on:
+These hold across major version 0 (both `ink/0.1` and `ink/0.2`). Reliable to depend on:
 
 - Envelope structure and signing base
 - Authorization: signed intent plus Agent Card key set

package/dist/crypto/keys.d.ts

@@ -30,13 +30,26 @@ export declare function decodePublicKeyMultibase(multibase: string): Uint8Array;
  * Returns the raw 32-byte public key.
  */
 export declare function decodeEncryptionKeyMultibase(multibase: string): Uint8Array;
+/**
+ * agentId method prefixes that carry the same key-derived identity. Both encode
+ * the identical multibase public key, so they denote the same actor. `tulpa:`
+ * is canonical for emission (see deriveAgentId); `ink:` is an accepted inbound
+ * alias introduced in ink/0.4. Accept both, emit one.
+ */
+export declare const AGENT_ID_KEY_PREFIXES: readonly ["tulpa:", "ink:"];
 /**
  * Derive agent ID from a public key.
- * Format: tulpa:<multibase-encoded-public-key>
+ * Format: tulpa:<multibase-encoded-public-key> (canonical emission).
  */
 export declare function deriveAgentId(publicKey: Uint8Array): string;
 /**
  * Extract the public key from an agent ID.
  * Only used for initial key exchange — after that, always resolve via identity store.
+ *
+ * Accepts either the canonical `tulpa:` prefix or the `ink:` alias (ink/0.4):
+ * both carry the identical multibase key, so a signature made with that key
+ * verifies regardless of which accepted prefix carried it. The prefix is
+ * identity syntax, not signing authority. The multibase tail is decoded the
+ * same way for both, so a malformed tail is rejected identically.
  */
 export declare function extractPublicKeyFromAgentId(agentId: string): Uint8Array;

package/dist/crypto/keys.js

@@ -156,9 +156,16 @@ export function decodeEncryptionKeyMultibase(multibase) {
     }
     return key;
 }
+/**
+ * agentId method prefixes that carry the same key-derived identity. Both encode
+ * the identical multibase public key, so they denote the same actor. `tulpa:`
+ * is canonical for emission (see deriveAgentId); `ink:` is an accepted inbound
+ * alias introduced in ink/0.4. Accept both, emit one.
+ */
+export const AGENT_ID_KEY_PREFIXES = Object.freeze(["tulpa:", "ink:"]);
 /**
  * Derive agent ID from a public key.
- * Format: tulpa:<multibase-encoded-public-key>
+ * Format: tulpa:<multibase-encoded-public-key> (canonical emission).
  */
 export function deriveAgentId(publicKey) {
     return `tulpa:${encodePublicKeyMultibase(publicKey)}`;
@@ -166,13 +173,19 @@ export function deriveAgentId(publicKey) {
 /**
  * Extract the public key from an agent ID.
  * Only used for initial key exchange — after that, always resolve via identity store.
+ *
+ * Accepts either the canonical `tulpa:` prefix or the `ink:` alias (ink/0.4):
+ * both carry the identical multibase key, so a signature made with that key
+ * verifies regardless of which accepted prefix carried it. The prefix is
+ * identity syntax, not signing authority. The multibase tail is decoded the
+ * same way for both, so a malformed tail is rejected identically.
  */
 export function extractPublicKeyFromAgentId(agentId) {
     if (typeof agentId !== "string" || agentId.length === 0 || agentId.length > 512) {
         throw new Error("Invalid agent ID");
     }
-    const prefix = "tulpa:";
-    if (!agentId.startsWith(prefix)) {
+    const prefix = AGENT_ID_KEY_PREFIXES.find((p) => agentId.startsWith(p));
+    if (!prefix) {
         throw new Error("Invalid agent ID format");
     }
     return decodePublicKeyMultibase(agentId.slice(prefix.length));

package/dist/crypto/sign.d.ts

@@ -3,7 +3,7 @@
  *
  * 1. Remove `signature` field if present
  * 2. JCS canonicalize (RFC 8785) via `canonicalize` library
- * 3. Sign canonical bytes directly with Ed25519
+ * 3. Sign domain-prefixed canonical bytes directly with Ed25519
  * 4. Return base64url-encoded signature (no padding)
  */
 export declare function signMessage(message: Record<string, unknown>, privateKey: Uint8Array): Promise<string>;

package/dist/crypto/sign.js

@@ -54,12 +54,39 @@ function isWithinBounds(value) {
     }
     return walk(value, 0);
 }
+/**
+ * Body-signature domain-separation prefix, keyed off the message's
+ * declared `protocol` version.
+ *
+ * - `ink/0.2` -> `ink/sign\n` (neutral, current).
+ * - everything else (`ink/0.1`, or any object with no explicit
+ *   `ink/0.2` protocol) -> `tulpa/sign\n`, the legacy domain, kept
+ *   forever so every signature ever produced still verifies.
+ *
+ * The prefix is derived from the `protocol` field that is part of the
+ * signed body, so a verifier selects exactly one domain and tampering
+ * with `protocol` after signing breaks the signature (an `ink/0.2` body
+ * re-labelled `ink/0.1` is verified under `tulpa/sign\n` against a
+ * signature made over `ink/sign\n`, and fails). Only the exact string
+ * `"ink/0.2"` switches domains, so no other value can smuggle one in.
+ *
+ * This raw signer stays permissive on purpose: it is a general-purpose
+ * Ed25519 message signer (receipts, arbitrary objects), not envelope-
+ * specific. Strict "reject unknown protocol version" lives at the
+ * envelope schema layer, which validates `protocol` against the allowed
+ * set before this function is reached.
+ */
+const LEGACY_SIGN_DOMAIN = "tulpa/sign\n";
+const V02_SIGN_DOMAIN = "ink/sign\n";
+function bodySignatureDomain(unsigned) {
+    return unsigned.protocol === "ink/0.2" ? V02_SIGN_DOMAIN : LEGACY_SIGN_DOMAIN;
+}
 /**
  * Sign a message object using Ed25519.
  *
  * 1. Remove `signature` field if present
  * 2. JCS canonicalize (RFC 8785) via `canonicalize` library
- * 3. Sign canonical bytes directly with Ed25519
+ * 3. Sign domain-prefixed canonical bytes directly with Ed25519
  * 4. Return base64url-encoded signature (no padding)
  */
 export async function signMessage(message, privateKey) {
@@ -83,8 +110,10 @@ export async function signMessage(message, privateKey) {
     if (canonical.length > MAX_MESSAGE_CANONICAL_BYTES) {
         throw new Error("Canonicalized message exceeds maximum allowed size");
     }
-    // Domain-separated signing to prevent cross-protocol signature replay
-    const prefixed = `tulpa/sign\n${canonical}`;
+    // Domain-separated signing to prevent cross-protocol signature replay.
+    // Domain is keyed off the (signed) protocol version; see
+    // bodySignatureDomain. Legacy ink/0.1 keeps the tulpa/sign domain.
+    const prefixed = `${bodySignatureDomain(unsigned)}${canonical}`;
     const bytes = new TextEncoder().encode(prefixed);
     const sig = await ed.signAsync(bytes, privateKey);
     return base64urlEncode(sig);
@@ -124,9 +153,12 @@ export async function verifyMessage(message, publicKey) {
     if (canonical.length > MAX_MESSAGE_CANONICAL_BYTES) {
         return false;
     }
-    // Domain-prefixed verification only — legacy unprefixed signatures are no longer accepted.
-    // signMessage() has always used `tulpa/sign\n` prefix; no callers produce unprefixed signatures.
-    const prefixed = `tulpa/sign\n${canonical}`;
+    // Domain-prefixed verification only. The domain is selected from the
+    // signed `protocol` field (see bodySignatureDomain); a verifier never
+    // tries an alternate prefix, so a signature made under one version's
+    // domain cannot be replayed under another. Legacy unprefixed
+    // signatures are not accepted.
+    const prefixed = `${bodySignatureDomain(unsigned)}${canonical}`;
     const prefixedBytes = new TextEncoder().encode(prefixed);
     try {
         const sig = base64urlDecode(signature);

package/dist/index.d.ts

@@ -1,7 +1,7 @@
 export { signInkMessage, verifyInkSignature, buildSignatureBase, buildAuthHeader, computeMessageHash, computeEventHash, computeAuditMerkleLeafHash, signAuditEvent, verifyAuditEventSignature, signAuditResponse, verifyAuditResponseSignature, verifyAuditEventChain, signAuditQueryResponse, verifyAuditQueryResponseSignature, encryptInkPayload, decryptInkPayload, checkReplay, base64urlEncode, base64urlDecode, hexToBytes, bytesToHex, jcsCanonicalize, MAX_TIMESTAMP_AGE_MS, MAX_FUTURE_TIMESTAMP_MS, } from "./crypto/ink.js";
 export { signMessage, verifyMessage } from "./crypto/sign.js";
 export { verifyInkSignatureWithKeys } from "./crypto/multi-key-verify.js";
-export { generateKeypair, generateEncryptionKeypair, deriveAgentId, encodePublicKeyMultibase, encodeEncryptionKeyMultibase, decodePublicKeyMultibase, decodeEncryptionKeyMultibase, extractPublicKeyFromAgentId, } from "./crypto/keys.js";
+export { generateKeypair, generateEncryptionKeypair, deriveAgentId, encodePublicKeyMultibase, encodeEncryptionKeyMultibase, decodePublicKeyMultibase, decodeEncryptionKeyMultibase, extractPublicKeyFromAgentId, AGENT_ID_KEY_PREFIXES, } from "./crypto/keys.js";
 export { fetchAgentCard, extractCandidateKeys, resolveBaseUrl, } from "./discovery/agent-card.js";
 export { verifyInkAuth, type NonceStore } from "./middleware/ink-auth.js";
 export { verifyInclusionReceipt, verifyAuditQueryResponse, type InclusionReceipt, type InclusionReceiptVerifyResult, type AuditQueryResponse, type AuditQueryResponseVerifyResult, type VerifyStep, } from "./audit/inclusion-receipt.js";
@@ -16,12 +16,12 @@ export type { InkAuditEventType, InkAuditEvent, InkAuditInclusion, InkReceipt, I
 export { InkChallengeSchema, InkRejectionSchema, InkResolutionSchema, InkTransportSchema, } from "./models/ink-handshake.js";
 export type { AgentCardVisibility, InkChallenge, InkRejection, InkResolution, InkTransport, } from "./models/ink-handshake.js";
 export { AgentCardSchema } from "./models/agent-card.js";
-export { validateMessage, getPayloadSchema, MessageEnvelopeSchema, IntentTypeSchema, ScheduleMeetingPayloadSchema, ScheduleMeetingResponsePayloadSchema, IntroRequestPayloadSchema, IntroResponsePayloadSchema, OpportunityPayloadSchema, OpportunityResponsePayloadSchema, ConnectionRequestPayloadSchema, ConnectionResponsePayloadSchema, FollowUpPayloadSchema, AskPayloadSchema, AskResponsePayloadSchema, PingPayloadSchema, RetractPayloadSchema, ContextSharePayloadSchema, MultiPartySyncPayloadSchema, } from "./models/intent.js";
-export type { MessageEnvelope, IntentType, } from "./models/intent.js";
+export { validateMessage, getPayloadSchema, MessageEnvelopeSchema, ProtocolVersionSchema, INK_PROTOCOL_VERSIONS, IntentTypeSchema, ScheduleMeetingPayloadSchema, ScheduleMeetingResponsePayloadSchema, IntroRequestPayloadSchema, IntroResponsePayloadSchema, OpportunityPayloadSchema, OpportunityResponsePayloadSchema, ConnectionRequestPayloadSchema, ConnectionResponsePayloadSchema, FollowUpPayloadSchema, AskPayloadSchema, AskResponsePayloadSchema, PingPayloadSchema, RetractPayloadSchema, ContextSharePayloadSchema, MultiPartySyncPayloadSchema, } from "./models/intent.js";
+export type { MessageEnvelope, ProtocolVersion, IntentType, } from "./models/intent.js";
 export { KeyStatusSchema, KeyRoleSchema, KeyEntrySchema, } from "./models/key-entry.js";
 export type { KeyStatus, KeyRole, KeyEntry, StoredKey, } from "./models/key-entry.js";
 export type { InkSignInput } from "./crypto/ink.js";
 export type { CandidateKey } from "./models/key-entry.js";
-export { resolveAgentInbox } from "./models/agent-card.js";
+export { resolveAgentInbox, agentSupportedProtocolVersions } from "./models/agent-card.js";
 export type { AgentCard } from "./models/agent-card.js";
 export type { BudgetCheckResult, HandshakeBudgetConfig, } from "./ink/handshake-budget.js";

package/dist/index.js

@@ -4,7 +4,7 @@
 export { signInkMessage, verifyInkSignature, buildSignatureBase, buildAuthHeader, computeMessageHash, computeEventHash, computeAuditMerkleLeafHash, signAuditEvent, verifyAuditEventSignature, signAuditResponse, verifyAuditResponseSignature, verifyAuditEventChain, signAuditQueryResponse, verifyAuditQueryResponseSignature, encryptInkPayload, decryptInkPayload, checkReplay, base64urlEncode, base64urlDecode, hexToBytes, bytesToHex, jcsCanonicalize, MAX_TIMESTAMP_AGE_MS, MAX_FUTURE_TIMESTAMP_MS, } from "./crypto/ink.js";
 export { signMessage, verifyMessage } from "./crypto/sign.js";
 export { verifyInkSignatureWithKeys } from "./crypto/multi-key-verify.js";
-export { generateKeypair, generateEncryptionKeypair, deriveAgentId, encodePublicKeyMultibase, encodeEncryptionKeyMultibase, decodePublicKeyMultibase, decodeEncryptionKeyMultibase, extractPublicKeyFromAgentId, } from "./crypto/keys.js";
+export { generateKeypair, generateEncryptionKeypair, deriveAgentId, encodePublicKeyMultibase, encodeEncryptionKeyMultibase, decodePublicKeyMultibase, decodeEncryptionKeyMultibase, extractPublicKeyFromAgentId, AGENT_ID_KEY_PREFIXES, } from "./crypto/keys.js";
 // Discovery: Agent Card fetch + candidate-key extraction
 export { fetchAgentCard, extractCandidateKeys, resolveBaseUrl, } from "./discovery/agent-card.js";
 // Middleware: transport-level INK auth
@@ -32,9 +32,9 @@ export { AgentCardSchema } from "./models/agent-card.js";
 // reject malformed envelopes before signature verification; without
 // it they have to re-implement the schema check or import from a
 // non-public path.
-export { validateMessage, getPayloadSchema, MessageEnvelopeSchema, IntentTypeSchema, ScheduleMeetingPayloadSchema, ScheduleMeetingResponsePayloadSchema, IntroRequestPayloadSchema, IntroResponsePayloadSchema, OpportunityPayloadSchema, OpportunityResponsePayloadSchema, ConnectionRequestPayloadSchema, ConnectionResponsePayloadSchema, FollowUpPayloadSchema, AskPayloadSchema, AskResponsePayloadSchema, PingPayloadSchema, RetractPayloadSchema, ContextSharePayloadSchema, MultiPartySyncPayloadSchema, } from "./models/intent.js";
+export { validateMessage, getPayloadSchema, MessageEnvelopeSchema, ProtocolVersionSchema, INK_PROTOCOL_VERSIONS, IntentTypeSchema, ScheduleMeetingPayloadSchema, ScheduleMeetingResponsePayloadSchema, IntroRequestPayloadSchema, IntroResponsePayloadSchema, OpportunityPayloadSchema, OpportunityResponsePayloadSchema, ConnectionRequestPayloadSchema, ConnectionResponsePayloadSchema, FollowUpPayloadSchema, AskPayloadSchema, AskResponsePayloadSchema, PingPayloadSchema, RetractPayloadSchema, ContextSharePayloadSchema, MultiPartySyncPayloadSchema, } from "./models/intent.js";
 // Key-entry types and schemas for adopters wiring their own key-set
 // storage and rotation. `CandidateKey` was already root-exported via
 // the verifier surface; this batch adds the persistence shapes.
 export { KeyStatusSchema, KeyRoleSchema, KeyEntrySchema, } from "./models/key-entry.js";
-export { resolveAgentInbox } from "./models/agent-card.js";
+export { resolveAgentInbox, agentSupportedProtocolVersions } from "./models/agent-card.js";

package/dist/ink/discovery-gating.d.ts

@@ -202,6 +202,7 @@ export declare const AgentCardResponseSchema: z.ZodObject<{
         currentSigningKeyId: z.ZodOptional<z.ZodString>;
         currentEncryptionKeyId: z.ZodOptional<z.ZodString>;
         keySetVersion: z.ZodOptional<z.ZodNumber>;
+        supportedProtocolVersions: z.ZodOptional<z.ZodArray<z.ZodString>>;
         visibility: z.ZodOptional<z.ZodEnum<{
             public: "public";
             network_only: "network_only";

package/dist/models/agent-card.d.ts

@@ -129,6 +129,7 @@ export declare const AgentCardSchema: z.ZodObject<{
     currentSigningKeyId: z.ZodOptional<z.ZodString>;
     currentEncryptionKeyId: z.ZodOptional<z.ZodString>;
     keySetVersion: z.ZodOptional<z.ZodNumber>;
+    supportedProtocolVersions: z.ZodOptional<z.ZodArray<z.ZodString>>;
     visibility: z.ZodOptional<z.ZodEnum<{
         public: "public";
         network_only: "network_only";
@@ -153,6 +154,12 @@ export declare const AgentCardSchema: z.ZodObject<{
     }, z.core.$strip>>;
 }, z.core.$strip>;
 export type AgentCard = z.infer<typeof AgentCardSchema>;
+/**
+ * The message protocol versions a card's receiver can verify. Falls back
+ * to ink/0.1 when the card does not advertise the field, so a sender
+ * defaults to the original version for any card that predates it.
+ */
+export declare function agentSupportedProtocolVersions(card: Pick<AgentCard, "supportedProtocolVersions">): string[];
 /**
  * Return the inbound message URL for an Agent Card.
  *

package/dist/models/agent-card.js

@@ -58,6 +58,18 @@ export const AgentCardSchema = z.object({
     currentSigningKeyId: z.string().optional(),
     currentEncryptionKeyId: z.string().optional(),
     keySetVersion: z.number().int().positive().optional(),
+    // Message protocol versions this agent's receiver can verify on the
+    // body signature. When absent, assume ink/0.1 only. A sender MUST NOT
+    // emit a newer version to a card that does not advertise it; advertising
+    // a version here is necessary but not sufficient for a sender to use it.
+    //
+    // The entries are advisory hints, so they are accepted as bounded
+    // strings rather than the strict version enum: a newer peer may
+    // advertise a version this build does not know yet, and that must not
+    // make its whole card unparseable. A sender intersects this list with
+    // the versions it can actually emit. The strict enum lives on the
+    // envelope (MessageEnvelopeSchema), where an unknown version is rejected.
+    supportedProtocolVersions: z.array(z.string().max(16)).max(8).optional(),
     // Containment extension (Phase 1)
     visibility: AgentCardVisibilitySchema.optional(),
     governance: z.object({
@@ -83,6 +95,15 @@ export const AgentCardSchema = z.object({
         });
     }
 });
+/**
+ * The message protocol versions a card's receiver can verify. Falls back
+ * to ink/0.1 when the card does not advertise the field, so a sender
+ * defaults to the original version for any card that predates it.
+ */
+export function agentSupportedProtocolVersions(card) {
+    const advertised = card.supportedProtocolVersions;
+    return advertised && advertised.length > 0 ? advertised : ["ink/0.1"];
+}
 /**
  * Return the inbound message URL for an Agent Card.
  *

package/dist/models/intent.d.ts

@@ -214,8 +214,24 @@ export declare const MessageProvenanceSchema: z.ZodOptional<z.ZodObject<{
     extensionId: z.ZodString;
     installationId: z.ZodString;
 }, z.core.$strict>>;
+/**
+ * INK protocol versions a receiver accepts. ink/0.1 is the original wire
+ * version; ink/0.2 differs only in the body-signature domain (see
+ * src/crypto/sign.ts). The enum is strict: an unknown version is rejected
+ * at schema validation, never inferred. Senders still emit ink/0.1 by
+ * default; emitting ink/0.2 is a later, negotiated step.
+ */
+export declare const INK_PROTOCOL_VERSIONS: readonly ["ink/0.1", "ink/0.2"];
+export declare const ProtocolVersionSchema: z.ZodEnum<{
+    "ink/0.1": "ink/0.1";
+    "ink/0.2": "ink/0.2";
+}>;
+export type ProtocolVersion = z.infer<typeof ProtocolVersionSchema>;
 export declare const MessageEnvelopeSchema: z.ZodObject<{
-    protocol: z.ZodLiteral<"ink/0.1">;
+    protocol: z.ZodEnum<{
+        "ink/0.1": "ink/0.1";
+        "ink/0.2": "ink/0.2";
+    }>;
     id: z.ZodString;
     correlationId: z.ZodString;
     createdAt: z.ZodString;

package/dist/models/intent.js

@@ -155,8 +155,17 @@ export const MessageProvenanceSchema = z.object({
     extensionId: z.string().max(ID_MAX),
     installationId: z.string().uuid(),
 }).strict().optional();
+/**
+ * INK protocol versions a receiver accepts. ink/0.1 is the original wire
+ * version; ink/0.2 differs only in the body-signature domain (see
+ * src/crypto/sign.ts). The enum is strict: an unknown version is rejected
+ * at schema validation, never inferred. Senders still emit ink/0.1 by
+ * default; emitting ink/0.2 is a later, negotiated step.
+ */
+export const INK_PROTOCOL_VERSIONS = ["ink/0.1", "ink/0.2"];
+export const ProtocolVersionSchema = z.enum(INK_PROTOCOL_VERSIONS);
 export const MessageEnvelopeSchema = z.object({
-    protocol: z.literal("ink/0.1"),
+    protocol: ProtocolVersionSchema,
     id: z.string().max(ID_MAX),
     correlationId: z.string().max(ID_MAX),
     createdAt: z.string().max(TIMESTAMP_MAX),

package/docs/maturity.md

@@ -1,8 +1,10 @@
 # Maturity Notice
 
-> INK v0.1 is **experimental**. Wire formats, trust semantics and APIs
-> may change without backward-compatible migration before v1.0. Do not
-> use for load-bearing production traffic without your own review.
+> INK is **experimental**. The current defined wire version is `ink/0.2`, a
+> backward-compatible minor over `ink/0.1` (both major version 0). Wire formats,
+> trust semantics and APIs may change without backward-compatible migration
+> before v1.0. Do not use for load-bearing production traffic without your own
+> review.
 
 ## What "experimental" means here
 
@@ -12,8 +14,8 @@
   agent-card fetch, and DoS-amplification surfaces. Internal review is
   not a substitute for a third-party audit, treat the security
   posture accordingly.
-- Interop vectors (`../test-vectors/`) are authoritative for v0.1 but may
-  be added to or revised between v0.1 patch releases. Mismatched
+- Interop vectors (`../test-vectors/`) are authoritative for the current wire
+  version but may be added to or revised between patch releases. Mismatched
   implementations should report discrepancies as issues.
 - The protocol is in use by one production integrator (Tulpa). That is
   one data point, not a guarantee of robustness at scale.
@@ -22,7 +24,9 @@
   Bun, and edge runtimes. Browser use is feasible but not exercised by
   the maintainers.
 
-## What is stable in v0.1
+## What is stable
+
+These hold across major version 0 (`ink/0.1` and `ink/0.2`):
 
 - Envelope structure (fields, canonicalization with JCS / RFC 8785)
 - Ed25519 signing base: `ink/0.1\nMETHOD\nPATH\nrecipientDid\nJCS(body)\ntimestamp`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adastracomputing/ink",
-  "version": "0.1.7",
+  "version": "0.3.0",
   "description": "Library and specification for the INK (Inter-agent Networking Kernel) protocol",
   "license": "MIT OR Apache-2.0",
   "author": "Ad Astra Computing Inc.",
@@ -49,6 +49,7 @@
     "lint": "eslint src/ test/ scripts/",
     "check:surface": "tsx scripts/check-public-surface.ts",
     "check:pack": "./scripts/check-pack.sh",
+    "gen:body-vectors": "tsx scripts/gen-body-signature-vectors.ts",
     "prepack": "npm run build",
     "prepublishOnly": "npm run build"
   },
@@ -60,12 +61,12 @@
     "zod": "^4.4.3"
   },
   "devDependencies": {
-    "@cloudflare/workers-types": "^4.20260418.1",
+    "@cloudflare/workers-types": "^4.20260604.1",
     "@types/node": "^24.12.4",
-    "@typescript-eslint/eslint-plugin": "^8.60.0",
+    "@typescript-eslint/eslint-plugin": "^8.60.1",
     "@typescript-eslint/parser": "^8.60.0",
-    "eslint": "^10.4.0",
-    "tsx": "^4.22.3",
+    "eslint": "^10.4.1",
+    "tsx": "^4.22.4",
     "typescript": "^6.0.3",
     "vitest": "^4.1.7"
   },

package/specs/ink-agent-containment-and-governance-extension-spec.md

@@ -1,7 +1,8 @@
 # INK Agent Containment and Governance Extension v0.1
 
-## Status
-Draft
+**Status:** Draft
+**Authors:** Ad Astra Computing
+**Last updated:** 2026-05-24
 
 ## Purpose
 

package/specs/ink-auditability.md

@@ -2,7 +2,7 @@
 
 **Status:** Draft
 **Authors:** Ad Astra Computing
-**Date:** 2026-03-19
+**Last updated:** 2026-06-01
 
 ## Problem
 

package/specs/ink-authorization-chain.md

@@ -2,7 +2,7 @@
 
 **Status:** Draft
 **Authors:** Ad Astra Computing
-**Date:** 2026-03-19
+**Last updated:** 2026-05-24
 
 ## Problem
 

package/specs/ink-compatibility-policy.md

@@ -1,7 +1,8 @@
 # INK Compatibility and Versioning Policy
 
-## Status
-Draft, v1 stabilization
+**Status:** Draft, v1 stabilization
+**Authors:** Ad Astra Computing
+**Last updated:** 2026-05-24
 
 ## Purpose
 
@@ -15,7 +16,7 @@ This is the normative compatibility contract. Any change to the INK wire format
 
 INK uses a single protocol version string in every message envelope, receipt, audit event and handshake message.
 
-Current version: `ink/0.1`
+Defined versions: `ink/0.1` (default) and `ink/0.2` (negotiated). See [§1.4](#14-defined-wire-versions).
 
 The version string appears in the `protocol` field of every top-level INK object and in the first line of every signature base.
 
@@ -48,6 +49,17 @@ prefix (e.g. `network.ink.*`) and define a transition policy. Until then,
 conforming implementations MUST emit and accept `network.tulpa.*` types as
 specified.
 
+### 1.4 Defined wire versions
+
+Two wire versions are defined:
+
+- `ink/0.1`, the original version. A sender emits it by default unless it has positively negotiated otherwise.
+- `ink/0.2`, a backward-compatible minor that changes only the body-signature domain separator, from the legacy `tulpa/sign\n` to the neutral `ink/sign\n`. Everything else, the transport-auth signature base, the envelope shape, the encryption and audit sub-protocols and every `network.tulpa.*` type, is identical to `ink/0.1`.
+
+`ink/0.2` is receiver-first. A receiver advertises the versions it verifies in its Agent Card `supportedProtocolVersions` array; when that field is absent a sender MUST assume `ink/0.1` only, and a sender MUST NOT emit `ink/0.2` to a receiver that has not advertised it. The negotiation is what keeps the change compatible: an `ink/0.1`-only receiver never receives `ink/0.2` traffic, so it is never asked to verify a domain it does not implement. An `ink/0.2` receiver selects the body-signature domain from the signed `protocol` field and verifies both versions, and because `protocol` is inside the signed body a relabelled message fails verification.
+
+This satisfies §1.1. The minor bump adds a capability without breaking deployed `ink/0.1` implementations, because the body-signature domain is negotiated rather than assumed.
+
 ---
 
 ## 2. Compatibility Rules

package/specs/ink-compliance-checklist.md

@@ -1,7 +1,8 @@
 # INK v0.1 Compliance Checklist and Implementation Matrix
 
-## Status
-Draft, v0.1 alpha conformance
+**Status:** Draft, v0.1 alpha conformance
+**Authors:** Ad Astra Computing
+**Last updated:** 2026-05-27
 
 ## Purpose
 

package/specs/ink-containment-phase1-implementation-spec.md

@@ -1,7 +1,8 @@
 # INK Containment Phase 1, Implementation Spec
 
-## Status
-Draft
+**Status:** Draft
+**Authors:** Ad Astra Computing
+**Last updated:** 2026-06-01
 
 ## Purpose
 

package/specs/ink-introduction-receipts-extension.md

@@ -1,10 +1,8 @@
 # INK Introduction Receipts Extension v0.1
 
-## Status
-Draft
-
-## Last Updated
-23 March 2026
+**Status:** Draft
+**Authors:** Ad Astra Computing
+**Last updated:** 2026-05-24
 
 ## Purpose
 

package/specs/ink-key-rotation-spec.md

@@ -1,7 +1,8 @@
 # INK Key Rotation Specification v0.1
 
-## Status
-Draft
+**Status:** Draft
+**Authors:** Ad Astra Computing
+**Last updated:** 2026-05-24
 
 ## Purpose
 

package/test-vectors/README.md

@@ -7,16 +7,17 @@ Reference test vectors for INK v0.1 signing, encryption, replay protection, hand
 | File | Covers | Vector count |
 |------|--------|-------------|
 | `keys.json` | Fixed Ed25519 and X25519 key pairs for Alice and Bob (hex-encoded) |, |
-| `signing.json` | Signature generation and verification (§3.3) | 3 |
+| `signing.json` | Transport-auth signature generation and verification (§3.3) | 3 |
+| `body-signature.json` | Version-keyed body message signature: legacy vs ink/0.2 domain, plus cross-version and tamper cases | 9 |
 | `encryption.json` | ECIES encryption/decryption (§3.4) | 2 |
-| `jcs.json` | JCS canonicalization (RFC 8785) | 4 |
+| `jcs.json` | JCS canonicalization (RFC 8785) | 2 |
 | `replay.json` | Replay protection acceptance/rejection (§3.5) | 6 |
 | `receipts-and-audit.json` | Receipt signatures, audit query signatures, hash-chained audit events and fork detection (Auditability §1–§3) | 4 |
 | `handshake.json` | Challenge (Stage 2a), rejection (Stage 2b) and resolution (Stage 3), valid signatures, path/recipient/body binding failures, replay protection | 22 |
 | `witness.json` | Audit submit and query with INK transport auth, plus cross-service interop cases | 15 |
 | `key-rotation.json` | Auth header keyId format, rotated-key verification, historical verification, revoked-key rejection, refresh-on-miss, keyId precedence, unknown keyId fallthrough, audit event signingKeyId tracking | 8 |
 
-**Total: 64 deterministic vectors across 9 families**
+**Total: 71 deterministic vectors across 10 families**
 
 ## Vector categories
 

package/test-vectors/body-signature.json

@@ -0,0 +1,201 @@
+{
+  "description": "INK body message signature: domain is keyed off the signed protocol field (ink/0.2 -> ink/sign, else tulpa/sign). Verify each body with the signer public key; signatureVerifies is the expected verifyMessage result.",
+  "vectors": [
+    {
+      "description": "ink/0.1 body signed under the legacy tulpa/sign domain verifies",
+      "input": {
+        "body": {
+          "protocol": "ink/0.1",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "W44kkGyQFg348NADetWQPq5Ogi7rL_72CwjmK-XVn2hL8sXYuSM7cFaDVidGV5LeK3dmmqW6iu5QiWkm6qboAQ"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": true
+      }
+    },
+    {
+      "description": "ink/0.2 body signed under the ink/sign domain verifies",
+      "input": {
+        "body": {
+          "protocol": "ink/0.2",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "UAITw3Qqcg96s4r5tmxHXGpuHCfzJBgxihVRPdR8FYcQKk2nYcYxrV8fRFUH3NB_-z-006tFWgZfzJbFILw4Bg"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": true
+      }
+    },
+    {
+      "description": "protocol-less body signed under the legacy domain verifies",
+      "input": {
+        "body": {
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "qP1oxHKCEImzkYT8Iz00N4Crqi5prbKRguKj_zg8YlLyCrE4CmElrNWECEBWBe-8XV_rNB4oMc1wReXwHqOFCA"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": true
+      }
+    },
+    {
+      "description": "ink/0.2 body relabelled ink/0.1 (domain mismatch) does not verify",
+      "input": {
+        "body": {
+          "protocol": "ink/0.1",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "UAITw3Qqcg96s4r5tmxHXGpuHCfzJBgxihVRPdR8FYcQKk2nYcYxrV8fRFUH3NB_-z-006tFWgZfzJbFILw4Bg"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": false
+      }
+    },
+    {
+      "description": "ink/0.1 body relabelled ink/0.2 (domain mismatch) does not verify",
+      "input": {
+        "body": {
+          "protocol": "ink/0.2",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "W44kkGyQFg348NADetWQPq5Ogi7rL_72CwjmK-XVn2hL8sXYuSM7cFaDVidGV5LeK3dmmqW6iu5QiWkm6qboAQ"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": false
+      }
+    },
+    {
+      "description": "ink/0.2 body with protocol removed (falls back to legacy domain) does not verify",
+      "input": {
+        "body": {
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "UAITw3Qqcg96s4r5tmxHXGpuHCfzJBgxihVRPdR8FYcQKk2nYcYxrV8fRFUH3NB_-z-006tFWgZfzJbFILw4Bg"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": false
+      }
+    },
+    {
+      "description": "ink/0.1 body with a flipped payload field does not verify",
+      "input": {
+        "body": {
+          "protocol": "ink/0.1",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "qr"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "W44kkGyQFg348NADetWQPq5Ogi7rL_72CwjmK-XVn2hL8sXYuSM7cFaDVidGV5LeK3dmmqW6iu5QiWkm6qboAQ"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": false
+      }
+    },
+    {
+      "description": "ink/0.2 body signed under the legacy domain does not verify (a verifier must not try both domains)",
+      "input": {
+        "body": {
+          "protocol": "ink/0.2",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "axpZvQqF8KPG-Mh1q3hnfZhnaSUHbYfToUz-wA_WD7PV0qKOnVHpuTu8DTaR0OTtGBVHoqpoQFlfMVskELfgDg"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": false
+      }
+    },
+    {
+      "description": "unknown protocol string uses the legacy body-signature domain and verifies",
+      "input": {
+        "body": {
+          "protocol": "ink/0.3",
+          "id": "01HVECTORID0000000000000000",
+          "from": "did:key:zAlice",
+          "to": "did:key:zBob",
+          "intent": "connection_request",
+          "payload": {
+            "method": "discovery"
+          },
+          "timestamp": "2026-06-03T00:00:00Z",
+          "nonce": "ZmtmaXhlZG5vbmNl",
+          "signature": "I3JIzt0kg9zncGvRU9nSZ2ldVrE4L9JnolDJAgW4kNUAqmp6bLAfPptfbYttqp1nTX4OB3oCCOOBPFCA7Fw4Cw"
+        },
+        "signerPublicKeyHex": "79b5562e8fe654f94078b112e8a98ba7901f853ae695bed7e0e3910bad049664"
+      },
+      "expected": {
+        "signatureVerifies": true
+      }
+    }
+  ]
+}