asap-protocol 2.2.0__tar.gz → 2.2.1__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (179) hide show
  1. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/.gitignore +2 -0
  2. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/CHANGELOG.md +108 -1
  3. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/PKG-INFO +28 -15
  4. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/README.md +21 -10
  5. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/pyproject.toml +15 -8
  6. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/__init__.py +1 -1
  7. asap_protocol-2.2.1/src/asap/auth/self_auth.py +276 -0
  8. asap_protocol-2.2.1/src/asap/auth/webauthn.py +473 -0
  9. asap_protocol-2.2.0/src/asap/cli.py → asap_protocol-2.2.1/src/asap/cli/__init__.py +7 -0
  10. asap_protocol-2.2.1/src/asap/cli/audit_export.py +194 -0
  11. asap_protocol-2.2.1/src/asap/cli/compliance_check.py +108 -0
  12. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/client/http_client.py +4 -2
  13. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/client/market.py +27 -7
  14. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/discovery/dnssd.py +2 -1
  15. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/audit.py +8 -0
  16. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/delegation_storage.py +44 -44
  17. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/hooks.py +15 -13
  18. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/sla.py +2 -2
  19. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/sla_storage.py +20 -22
  20. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/storage.py +63 -48
  21. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/a2h.py +2 -2
  22. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/state/stores/sqlite.py +30 -32
  23. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/testing/__init__.py +4 -0
  24. asap_protocol-2.2.1/src/asap/testing/asgi_factory.py +32 -0
  25. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/testing/assertions.py +33 -21
  26. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/testing/compliance.py +74 -22
  27. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/agent_routes.py +28 -16
  28. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/client.py +10 -4
  29. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/rate_limit.py +1 -1
  30. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/server.py +39 -42
  31. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/validators.py +5 -2
  32. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/webhook.py +4 -1
  33. asap_protocol-2.2.0/src/asap/auth/self_auth.py +0 -144
  34. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/LICENSE +0 -0
  35. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/entities/agent.schema.json +0 -0
  36. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/entities/artifact.schema.json +0 -0
  37. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/entities/conversation.schema.json +0 -0
  38. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/entities/manifest.schema.json +0 -0
  39. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/entities/message.schema.json +0 -0
  40. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/entities/state_snapshot.schema.json +0 -0
  41. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/entities/task.schema.json +0 -0
  42. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/envelope.schema.json +0 -0
  43. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/parts/data_part.schema.json +0 -0
  44. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/parts/file_part.schema.json +0 -0
  45. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/parts/resource_part.schema.json +0 -0
  46. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/parts/template_part.schema.json +0 -0
  47. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/parts/text_part.schema.json +0 -0
  48. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/artifact_notify.schema.json +0 -0
  49. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/mcp_resource_data.schema.json +0 -0
  50. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/mcp_resource_fetch.schema.json +0 -0
  51. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/mcp_tool_call.schema.json +0 -0
  52. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/mcp_tool_result.schema.json +0 -0
  53. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/message_send.schema.json +0 -0
  54. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/state_query.schema.json +0 -0
  55. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/state_restore.schema.json +0 -0
  56. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/task_cancel.schema.json +0 -0
  57. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/task_request.schema.json +0 -0
  58. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/task_response.schema.json +0 -0
  59. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/task_update.schema.json +0 -0
  60. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/__init__.py +0 -0
  61. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/agent_jwt.py +0 -0
  62. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/approval.py +0 -0
  63. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/capabilities.py +0 -0
  64. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/identity.py +0 -0
  65. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/introspection.py +0 -0
  66. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/jwks.py +0 -0
  67. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/lifecycle.py +0 -0
  68. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/middleware.py +0 -0
  69. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/oauth2.py +0 -0
  70. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/oidc.py +0 -0
  71. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/scopes.py +0 -0
  72. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/utils.py +0 -0
  73. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/client/__init__.py +0 -0
  74. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/client/cache.py +0 -0
  75. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/client/revocation.py +0 -0
  76. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/client/trust.py +0 -0
  77. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/crypto/__init__.py +0 -0
  78. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/crypto/keys.py +0 -0
  79. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/crypto/models.py +0 -0
  80. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/crypto/signing.py +0 -0
  81. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/crypto/trust.py +0 -0
  82. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/crypto/trust_levels.py +0 -0
  83. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/discovery/__init__.py +0 -0
  84. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/discovery/health.py +0 -0
  85. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/discovery/registry.py +0 -0
  86. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/discovery/validation.py +0 -0
  87. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/discovery/wellknown.py +0 -0
  88. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/__init__.py +0 -0
  89. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/delegation.py +0 -0
  90. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/metering.py +0 -0
  91. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/errors.py +0 -0
  92. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/README.md +0 -0
  93. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/__init__.py +0 -0
  94. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/a2h_approval.py +0 -0
  95. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/agent_failover.py +0 -0
  96. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/auth_patterns.py +0 -0
  97. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/coordinator.py +0 -0
  98. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/echo_agent.py +0 -0
  99. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/error_recovery.py +0 -0
  100. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/long_running.py +0 -0
  101. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/mcp_client_demo.py +0 -0
  102. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/mcp_integration.py +0 -0
  103. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/multi_step_workflow.py +0 -0
  104. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/orchestration.py +0 -0
  105. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/rate_limiting.py +0 -0
  106. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/run_demo.py +0 -0
  107. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/secure_agent.py +0 -0
  108. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/secure_handler.py +0 -0
  109. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/state_migration.py +0 -0
  110. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/storage_backends.py +0 -0
  111. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/streaming_agent.py +0 -0
  112. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/streaming_response.py +0 -0
  113. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/v1_3_0_showcase.py +0 -0
  114. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/v1_4_0_showcase.py +0 -0
  115. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/websocket_concept.py +0 -0
  116. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/handlers/__init__.py +0 -0
  117. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/handlers/hitl.py +0 -0
  118. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/__init__.py +0 -0
  119. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/crewai.py +0 -0
  120. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/langchain.py +0 -0
  121. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/llamaindex.py +0 -0
  122. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/openclaw.py +0 -0
  123. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/pydanticai.py +0 -0
  124. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/smolagents.py +0 -0
  125. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/vercel_ai.py +0 -0
  126. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/mcp/__init__.py +0 -0
  127. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/mcp/client.py +0 -0
  128. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/mcp/protocol.py +0 -0
  129. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/mcp/serve.py +0 -0
  130. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/mcp/server.py +0 -0
  131. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/mcp/server_runner.py +0 -0
  132. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/__init__.py +0 -0
  133. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/base.py +0 -0
  134. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/constants.py +0 -0
  135. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/entities.py +0 -0
  136. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/enums.py +0 -0
  137. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/envelope.py +0 -0
  138. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/ids.py +0 -0
  139. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/parts.py +0 -0
  140. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/payloads.py +0 -0
  141. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/types.py +0 -0
  142. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/validators.py +0 -0
  143. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/__init__.py +0 -0
  144. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/dashboards/README.md +0 -0
  145. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/dashboards/asap-detailed.json +0 -0
  146. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/dashboards/asap-red.json +0 -0
  147. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/logging.py +0 -0
  148. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/metrics.py +0 -0
  149. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/trace_parser.py +0 -0
  150. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/trace_ui.py +0 -0
  151. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/tracing.py +0 -0
  152. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/schemas.py +0 -0
  153. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/state/__init__.py +0 -0
  154. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/state/machine.py +0 -0
  155. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/state/metering.py +0 -0
  156. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/state/snapshot.py +0 -0
  157. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/state/stores/__init__.py +0 -0
  158. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/state/stores/memory.py +0 -0
  159. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/testing/fixtures.py +0 -0
  160. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/testing/mocks.py +0 -0
  161. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/__init__.py +0 -0
  162. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/_auth_helpers.py +0 -0
  163. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/cache.py +0 -0
  164. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/capability_routes.py +0 -0
  165. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/circuit_breaker.py +0 -0
  166. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/codecs/__init__.py +0 -0
  167. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/codecs/lambda_codec.py +0 -0
  168. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/compression.py +0 -0
  169. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/delegation_api.py +0 -0
  170. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/executors.py +0 -0
  171. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/handlers.py +0 -0
  172. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/jsonrpc.py +0 -0
  173. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/middleware.py +0 -0
  174. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/mtls.py +0 -0
  175. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/sla_api.py +0 -0
  176. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/usage_api.py +0 -0
  177. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/websocket.py +0 -0
  178. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/utils/__init__.py +0 -0
  179. {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/utils/sanitization.py +0 -0
@@ -194,3 +194,5 @@ node_modules/
194
194
 
195
195
  # ESLint report (generated)
196
196
  eslint-report.json
197
+ .vercel
198
+ .env*.local
@@ -7,8 +7,115 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ---
11
+
12
+ ## [2.2.1] - 2026-04-21
13
+
14
+ Patch release: optional WebAuthn verification, compliance and audit CLIs, docs,
15
+ and CI baselines.
16
+
10
17
  ### Added
11
- - Future changes will be documented here.
18
+
19
+ - **WebAuthn (optional extra)**: `asap-protocol[webauthn]` enables real
20
+ registration/assertion verification when `ASAP_WEBAUTHN_RP_ID` and
21
+ `ASAP_WEBAUTHN_ORIGIN` are set; otherwise behavior matches v2.2.0. See
22
+ [v2.2.0 → v2.2.1 migration](docs/migration.md#upgrading-from-v220-to-v221).
23
+ - **`asap compliance-check`**: Runs Compliance Harness v2 against an agent
24
+ `HTTP(S)` base URL; `--output {text,json}`, `--exit-on-fail`, `--timeout`,
25
+ `--asap-version`. Documented in [docs/cli.md](docs/cli.md) and
26
+ [docs/ci-compliance.md](docs/ci-compliance.md) (Actions example with
27
+ `--exit-on-fail`).
28
+ - **`asap audit export`**: Exports hash-chained audit rows from SQLite or an
29
+ in-memory store; `--verify-chain` fails on tampering. Documented in
30
+ [docs/cli.md](docs/cli.md#asap-audit-export) and [docs/audit.md](docs/audit.md).
31
+ - **`apps/example-agent`**: Minimal installable example; CI runs Harness v2 and
32
+ fails on score < 1.0 (regression guard).
33
+
34
+ ### Security
35
+
36
+ - **`python-dotenv`**: `tool.uv.override-dependencies` pins **≥ 1.2.2** (CVE-2026-28684)
37
+ on transitive installs.
38
+ - **`apps/web`**: Dependency updates closing npm audit findings (Next.js 16.2.4;
39
+ `micromatch` subtree forced to `picomatch` ≥ 2.3.2).
40
+
41
+ ### Changed
42
+
43
+ - **CLI package layout**: Typer subcommands live under `asap.cli` / `src/asap/cli/`
44
+ (replacing the monolithic `cli.py` module); `asap` console script unchanged.
45
+ - **`ResolvedAgent.run()`**: Tightens the contract from "tri-branch dict[str, Any]" to
46
+ "the TaskResponse.result dict, or empty dict if result is None". A protocol violation
47
+ (server responds with anything other than a TaskResponse envelope) now raises
48
+ `TypeError` so it surfaces at the call site instead of silently coercing into a dict.
49
+ Return type annotation remains `dict[str, Any]`; no caller API change. Closes the
50
+ deferred follow-up from v2.1 PR-73 review.
51
+ - **Dependency pins**: `cryptography`, `authlib`, `joserfc`, `pyjwt`, `webauthn` (extra),
52
+ and `pydantic` now carry explicit upper bounds to the next major version so breaking
53
+ upstream releases can't auto-install. Policy + bump procedure documented in
54
+ [SECURITY.md §Dependency policy](SECURITY.md#dependency-policy).
55
+ - **ID generation**: `asap.state.stores.sqlite`, `asap.economics.storage`,
56
+ `asap.economics.sla`, and `asap.integrations.a2h` now generate entity IDs through
57
+ `asap.models.ids.generate_id()` (ULID) instead of ad-hoc `uuid.uuid4()`. The
58
+ slowapi storage-URI suffix in `asap.transport.rate_limit` remains `uuid.uuid4().hex`
59
+ because it is a backend namespace, not a domain identifier; an inline comment
60
+ documents the distinction.
61
+ - **`asap.economics.storage` aggregate dispatch**: The six-branch `cast(list[UsageAggregate], ...)`
62
+ clusters in `InMemoryMeteringStorage.aggregate` and `SQLiteMeteringStorage.aggregate` are
63
+ consolidated into a single `_dispatch_aggregate(events, group_by)` helper. Eight
64
+ scattered casts become three, all documented in one place.
65
+ - **`asap.transport.server` helper types**: `_validate_envelope` and `_dispatch_to_handler`
66
+ now return a discriminable `EnvelopeOrError = JSONResponse | tuple[Envelope, str]`
67
+ union instead of `tuple[Envelope | None, JSONResponse | str]`. Callers narrow via
68
+ `isinstance(result, JSONResponse)` and no longer need `cast()` at the three call
69
+ sites. Internal-only refactor; public API unchanged.
70
+ - **`WebAuthnVerifierImpl.start_webauthn_*`**: Returns the full
71
+ `PublicKeyCredentialCreation/RequestOptions` dict from
72
+ `webauthn.helpers.options_to_json_dict` (previously a bare base64url
73
+ challenge). Integrators building a browser adapter get `rp`, `user`,
74
+ `pubKeyCredParams`, `allowCredentials`, and `userVerification` out of the
75
+ box and no longer need to hand-assemble the options envelope.
76
+ - **`default_webauthn_verifier()`**: The returned verifier is now cached
77
+ per-process (keyed by `extra_installed / rp_id / origin`). Pending
78
+ WebAuthn challenges persist across requests when the defensive fallback in
79
+ `agent_routes._webauthn_verifier` is hit — previously each fallback call
80
+ rebuilt an empty `InMemoryWebAuthnCredentialStore`, silently discarding
81
+ any `start_webauthn_assertion` state. Tests can reset the cache with
82
+ `asap.auth.self_auth.reset_default_webauthn_verifier_cache()`.
83
+
84
+ ### Fixed
85
+
86
+ - **Swallowed exceptions in `finish_webauthn_assertion`**: Bare
87
+ `except Exception:` blocks now catch the specific
88
+ `InvalidAuthenticationResponse` / `ValueError` / `TypeError` classes and
89
+ emit structured warnings (`asap.webauthn.assertion.invalid`,
90
+ `.malformed_challenge`, `.challenge_mismatch`, `.unknown_credential`)
91
+ via `asap.observability.get_logger` so SIEM rules can detect
92
+ cloned-authenticator and replay patterns.
93
+ - **`WebAuthnCeremonyError` payload**: Public `detail` is now a stable,
94
+ PII-free identifier (`webauthn_registration_state_missing`,
95
+ `webauthn_registration_verification_failed`). `host_id` and the upstream
96
+ library reason are logged internally instead of leaking into the error
97
+ surface.
98
+ - **`audit export --verify-chain`**: Replaces fragile string-matching on
99
+ `"AUDIT_CHAIN_BROKEN"` with a dedicated `asap.economics.audit.AuditChainBroken`
100
+ exception. Invalid `--since` / `--until` ISO-8601 values now surface as
101
+ `typer.BadParameter` instead of an unhandled traceback.
102
+ - **CSV export determinism**: `asap audit export --format csv` now writes
103
+ rows with `lineterminator="\n"` for reproducible diffs on Linux CI.
104
+ - **Test fixtures**: `tests/cli/test_compliance_check.py` uvicorn fixtures
105
+ now stop the server cooperatively via `server.should_exit = True` +
106
+ `thread.join`, preventing the leaked-socket flakes flagged under
107
+ `pytest-xdist` on long suites.
108
+
109
+ ### Known limitations
110
+
111
+ - **No reference HTTP enrollment route** for the WebAuthn registration
112
+ ceremony. `WebAuthnVerifierImpl.start_webauthn_registration` /
113
+ `.finish_webauthn_registration` are Python-only helpers in v2.2.1;
114
+ integrators must expose their own adapter route (see
115
+ [docs/security/self-authorization-prevention.md](docs/security/self-authorization-prevention.md#known-limitation-no-reference-http-enrollment-route-in-v221)).
116
+ A first-class `POST /asap/agent/webauthn/register/{begin,finish}` is
117
+ tracked for v2.3 (Adoption Multiplier), where new endpoint surface area
118
+ is permitted.
12
119
 
13
120
  ---
14
121
 
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: asap-protocol
3
- Version: 2.2.0
3
+ Version: 2.2.1
4
4
  Summary: Async Simple Agent Protocol - A streamlined protocol for agent-to-agent communication
5
5
  Project-URL: Homepage, https://github.com/adriannoes/asap-protocol
6
6
  Project-URL: Documentation, https://adriannoes.github.io/asap-protocol
@@ -21,13 +21,13 @@ Classifier: Topic :: System :: Distributed Computing
21
21
  Classifier: Typing :: Typed
22
22
  Requires-Python: >=3.13
23
23
  Requires-Dist: aiosqlite>=0.20
24
- Requires-Dist: authlib>=1.6.9
24
+ Requires-Dist: authlib<2,>=1.6.11
25
25
  Requires-Dist: brotli>=1.2.0
26
- Requires-Dist: cryptography>=46.0.7
26
+ Requires-Dist: cryptography<47,>=46.0.7
27
27
  Requires-Dist: fastapi>=0.128.0
28
28
  Requires-Dist: httpx[http2]>=0.28.1
29
29
  Requires-Dist: jcs>=0.2.0
30
- Requires-Dist: joserfc>=1.6.3
30
+ Requires-Dist: joserfc<2,>=1.6.3
31
31
  Requires-Dist: jsonschema>=4.23.0
32
32
  Requires-Dist: limits>=3.0
33
33
  Requires-Dist: opentelemetry-api>=1.20
@@ -36,7 +36,7 @@ Requires-Dist: opentelemetry-instrumentation-fastapi>=0.41
36
36
  Requires-Dist: opentelemetry-instrumentation-httpx>=0.41
37
37
  Requires-Dist: opentelemetry-sdk>=1.20
38
38
  Requires-Dist: packaging>=25.0
39
- Requires-Dist: pydantic>=2.12.5
39
+ Requires-Dist: pydantic<3,>=2.12.5
40
40
  Requires-Dist: python-ulid>=3.0
41
41
  Requires-Dist: structlog>=24.1
42
42
  Requires-Dist: typer>=0.21.1
@@ -77,6 +77,8 @@ Provides-Extra: redis
77
77
  Requires-Dist: redis>=5.0.0; extra == 'redis'
78
78
  Provides-Extra: smolagents
79
79
  Requires-Dist: smolagents>=1.0; extra == 'smolagents'
80
+ Provides-Extra: webauthn
81
+ Requires-Dist: webauthn<3,>=2.6; extra == 'webauthn'
80
82
  Description-Content-Type: text/markdown
81
83
 
82
84
  # ASAP: Async Simple Agent Protocol
@@ -88,9 +90,9 @@ Description-Content-Type: text/markdown
88
90
 
89
91
  > A production-ready protocol for agent-to-agent communication and task coordination.
90
92
 
91
- **Quick Info**: `v2.1.1` | `Apache 2.0` | `Python 3.13+` | [Documentation](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md) | [PyPI](https://pypi.org/project/asap-protocol/) | [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md)
93
+ **Quick Info**: `v2.2.1` | `Apache 2.0` | `Python 3.13+` | [Documentation](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md) | [PyPI](https://pypi.org/project/asap-protocol/) | [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md)
92
94
 
93
- > 🚀 **Live now** our [**agentic marketplace**](https://asap-protocol.vercel.app/) — Browse agents, register yours, request verification.
95
+ > 🚀 **Live now** our [**agentic marketplace**](https://asap-protocol.vercel.app/) — browse agents, register yours, request verification.
94
96
 
95
97
  ## Why ASAP?
96
98
 
@@ -111,6 +113,8 @@ For simple point-to-point communication, a basic HTTP API might suffice; ASAP sh
111
113
  - **MCP integration** — Tool execution and coordination in a single envelope.
112
114
  - **Observable** — `trace_id` and `correlation_id` for debugging.
113
115
  - **Security** — Bearer auth, OAuth2/JWT, Ed25519 signed manifests, optional mTLS, replay prevention, HTTPS, rate limiting. [Security Model](https://github.com/adriannoes/asap-protocol/blob/main/docs/security/v1.1-security-model.md) (trust limits, Custom Claims).
116
+ - **Identity & capabilities (v2.2, WebAuthn real in v2.2.1)** — Per-runtime Host/Agent JWTs, capability grants with constraints (`max`, `min`, `in`, `not_in`), approval flows (device authorization / CIBA-style), real WebAuthn attestation/assertion for high-risk registration (opt-in via `asap-protocol[webauthn]`).
117
+ - **Streaming & wire protocol (v2.2)** — `POST /asap/stream` (SSE / `TaskStream`), JSON-RPC 2.0 batch on `POST /asap`, `ASAP-Version` negotiation, tamper-evident audit logging, Compliance Harness v2.
114
118
  - **Economics** — Usage metering, delegation tokens, SLA framework with breach alerts.
115
119
 
116
120
  ### 🆕 Framework Ecosystem
@@ -184,7 +188,7 @@ See [Compliance Testing Guide](https://github.com/adriannoes/asap-protocol/blob/
184
188
  - [Observability](https://github.com/adriannoes/asap-protocol/blob/main/docs/observability.md) | [Testing](https://github.com/adriannoes/asap-protocol/blob/main/docs/testing.md)
185
189
 
186
190
  **Decisions & Operations**
187
- - [ADRs](https://github.com/adriannoes/asap-protocol/tree/main/docs/adr) — 17 Architecture Decision Records
191
+ - [ADRs](https://github.com/adriannoes/asap-protocol/tree/main/docs/adr) — 19 Architecture Decision Records
188
192
  - [Tech Stack](https://github.com/adriannoes/asap-protocol/blob/main/.cursor/dev-planning/architecture/tech-stack-decisions.md) — Rationale for Python, Pydantic, Next.js choices
189
193
  - [Deployment](https://github.com/adriannoes/asap-protocol/blob/main/docs/deployment/kubernetes.md) | [Troubleshooting](https://github.com/adriannoes/asap-protocol/blob/main/docs/troubleshooting.md)
190
194
 
@@ -193,23 +197,32 @@ See [Compliance Testing Guide](https://github.com/adriannoes/asap-protocol/blob/
193
197
 
194
198
  ## CLI
195
199
 
196
- - **v1.1** adds OAuth2, WebSocket, Discovery (well-known + Lite Registry), State Storage (SQLite) and Webhooks.
197
- - **v1.2** adds Ed25519 signed manifests, trust levels, optional mTLS and the [Compliance Harness](https://github.com/adriannoes/asap-protocol/blob/main/asap-compliance/README.md).
198
- - **v1.3** adds delegation commands (`asap delegation create`, `asap delegation revoke`).
199
-
200
200
  ```bash
201
201
  asap --version # Show version
202
202
  asap list-schemas # List all available schemas
203
203
  asap export-schemas # Export JSON schemas to file
204
+ asap compliance-check --url https://agent.example # Compliance Harness v2 (HTTP(S))
205
+ asap audit export --store memory --format json # Export audit log (stdout)
204
206
  asap keys generate -o key.pem # Generate Ed25519 keypair
205
207
  asap manifest sign -k key.pem manifest.json # Sign manifest
206
208
  asap manifest verify signed.json # Verify signature
207
209
  asap manifest info signed.json # Show trust level
208
210
  ```
209
211
 
210
- See [CLI reference](https://github.com/adriannoes/asap-protocol/blob/main/docs/guides/identity-signing.md) or run `asap --help`.
212
+ See the [CLI reference](docs/cli.md) for `compliance-check` and `audit export` flag details, the [CI compliance gate](docs/ci-compliance.md) for wiring `compliance-check` into GitHub Actions, the [audit export guide](docs/audit.md), [Identity Signing](docs/guides/identity-signing.md), or run `asap --help` for the full command surface.
213
+
214
+ ## Version History
215
+
216
+ - **v1.1** adds OAuth2, WebSocket, Discovery (well-known + Lite Registry), State Storage (SQLite) and Webhooks.
217
+ - **v1.2** adds Ed25519 signed manifests, trust levels, optional mTLS and the [Compliance Harness](https://github.com/adriannoes/asap-protocol/blob/main/asap-compliance/README.md).
218
+ - **v1.3** adds delegation commands (`asap delegation create`, `asap delegation revoke`).
219
+ - **v2.0** adds the Lean Marketplace Web App (Next.js), Lite Registry on GitHub Pages, IssueOps registration, OAuth sign-in for developers, and Verified Badge flow.
220
+ - **v2.1** adds the Consumer SDK (`MarketClient`), optional framework extras (LangChain, CrewAI, LlamaIndex, SmolAgents, OpenClaw, …), and registry UX improvements on PyPI.
221
+ - **v2.1.1** is a patch release: JWT algorithm allowlist, SQLite async bridging, optional Redis-backed rate limits, SSRF hardening in the web app, and related reliability fixes (see [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md)).
222
+ - **v2.2** adds per-runtime agent identity, capability-based authorization, SSE streaming (`POST /asap/stream`), `ASAP-Version` negotiation, JSON-RPC batch requests, tamper-evident audit logging, async state stores, and Compliance Harness v2.
223
+ - **v2.2.1** closes the SELF-002 follow-up with **real WebAuthn** attestation/assertion via the opt-in `asap-protocol[webauthn]` extra, ships the `asap compliance-check` and `asap audit export` CLIs, promotes the client SDK `ResolvedAgent.run()` to a typed contract (raises `TypeError` on protocol violation), introduces the `asap.economics.audit.AuditChainBroken` exception for scripted tamper handling, and pins upper bounds on security-sensitive deps (`cryptography`, `authlib`, `joserfc`, `pyjwt`, `webauthn`, `pydantic`) — see [dependency policy](https://github.com/adriannoes/asap-protocol/blob/main/SECURITY.md#dependency-policy) and full notes in the [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md).
211
224
 
212
- See [docs index](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md#v11-features-api-reference--guides) and [Identity Signing](https://github.com/adriannoes/asap-protocol/blob/main/docs/guides/identity-signing.md) for details.
225
+ For a structured index of per-version features, see the [docs index](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md#v11-features-api-reference--guides).
213
226
 
214
227
  ## 🔭 What's Next?
215
228
 
@@ -229,4 +242,4 @@ This project is licensed under the Apache 2.0 License - see the [license](https:
229
242
 
230
243
  ---
231
244
 
232
- **Built with [Cursor](https://cursor.com/)** using Composer 1.5, Claude Opus 4.6, Gemini 3.1 Pro and Kimi K2.5.
245
+ **Built with [Cursor](https://cursor.com/) and [Claude Code](https://claude.com/claude-code)** — primarily Claude Opus 4.7 (1M context) with Cursor Composer 1.5, Gemini 3.1 Pro, and Kimi K2.5 as collaborators.
@@ -7,9 +7,9 @@
7
7
 
8
8
  > A production-ready protocol for agent-to-agent communication and task coordination.
9
9
 
10
- **Quick Info**: `v2.1.1` | `Apache 2.0` | `Python 3.13+` | [Documentation](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md) | [PyPI](https://pypi.org/project/asap-protocol/) | [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md)
10
+ **Quick Info**: `v2.2.1` | `Apache 2.0` | `Python 3.13+` | [Documentation](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md) | [PyPI](https://pypi.org/project/asap-protocol/) | [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md)
11
11
 
12
- > 🚀 **Live now** our [**agentic marketplace**](https://asap-protocol.vercel.app/) — Browse agents, register yours, request verification.
12
+ > 🚀 **Live now** our [**agentic marketplace**](https://asap-protocol.vercel.app/) — browse agents, register yours, request verification.
13
13
 
14
14
  ## Why ASAP?
15
15
 
@@ -30,6 +30,8 @@ For simple point-to-point communication, a basic HTTP API might suffice; ASAP sh
30
30
  - **MCP integration** — Tool execution and coordination in a single envelope.
31
31
  - **Observable** — `trace_id` and `correlation_id` for debugging.
32
32
  - **Security** — Bearer auth, OAuth2/JWT, Ed25519 signed manifests, optional mTLS, replay prevention, HTTPS, rate limiting. [Security Model](https://github.com/adriannoes/asap-protocol/blob/main/docs/security/v1.1-security-model.md) (trust limits, Custom Claims).
33
+ - **Identity & capabilities (v2.2, WebAuthn real in v2.2.1)** — Per-runtime Host/Agent JWTs, capability grants with constraints (`max`, `min`, `in`, `not_in`), approval flows (device authorization / CIBA-style), real WebAuthn attestation/assertion for high-risk registration (opt-in via `asap-protocol[webauthn]`).
34
+ - **Streaming & wire protocol (v2.2)** — `POST /asap/stream` (SSE / `TaskStream`), JSON-RPC 2.0 batch on `POST /asap`, `ASAP-Version` negotiation, tamper-evident audit logging, Compliance Harness v2.
33
35
  - **Economics** — Usage metering, delegation tokens, SLA framework with breach alerts.
34
36
 
35
37
  ### 🆕 Framework Ecosystem
@@ -103,7 +105,7 @@ See [Compliance Testing Guide](https://github.com/adriannoes/asap-protocol/blob/
103
105
  - [Observability](https://github.com/adriannoes/asap-protocol/blob/main/docs/observability.md) | [Testing](https://github.com/adriannoes/asap-protocol/blob/main/docs/testing.md)
104
106
 
105
107
  **Decisions & Operations**
106
- - [ADRs](https://github.com/adriannoes/asap-protocol/tree/main/docs/adr) — 17 Architecture Decision Records
108
+ - [ADRs](https://github.com/adriannoes/asap-protocol/tree/main/docs/adr) — 19 Architecture Decision Records
107
109
  - [Tech Stack](https://github.com/adriannoes/asap-protocol/blob/main/.cursor/dev-planning/architecture/tech-stack-decisions.md) — Rationale for Python, Pydantic, Next.js choices
108
110
  - [Deployment](https://github.com/adriannoes/asap-protocol/blob/main/docs/deployment/kubernetes.md) | [Troubleshooting](https://github.com/adriannoes/asap-protocol/blob/main/docs/troubleshooting.md)
109
111
 
@@ -112,23 +114,32 @@ See [Compliance Testing Guide](https://github.com/adriannoes/asap-protocol/blob/
112
114
 
113
115
  ## CLI
114
116
 
115
- - **v1.1** adds OAuth2, WebSocket, Discovery (well-known + Lite Registry), State Storage (SQLite) and Webhooks.
116
- - **v1.2** adds Ed25519 signed manifests, trust levels, optional mTLS and the [Compliance Harness](https://github.com/adriannoes/asap-protocol/blob/main/asap-compliance/README.md).
117
- - **v1.3** adds delegation commands (`asap delegation create`, `asap delegation revoke`).
118
-
119
117
  ```bash
120
118
  asap --version # Show version
121
119
  asap list-schemas # List all available schemas
122
120
  asap export-schemas # Export JSON schemas to file
121
+ asap compliance-check --url https://agent.example # Compliance Harness v2 (HTTP(S))
122
+ asap audit export --store memory --format json # Export audit log (stdout)
123
123
  asap keys generate -o key.pem # Generate Ed25519 keypair
124
124
  asap manifest sign -k key.pem manifest.json # Sign manifest
125
125
  asap manifest verify signed.json # Verify signature
126
126
  asap manifest info signed.json # Show trust level
127
127
  ```
128
128
 
129
- See [CLI reference](https://github.com/adriannoes/asap-protocol/blob/main/docs/guides/identity-signing.md) or run `asap --help`.
129
+ See the [CLI reference](docs/cli.md) for `compliance-check` and `audit export` flag details, the [CI compliance gate](docs/ci-compliance.md) for wiring `compliance-check` into GitHub Actions, the [audit export guide](docs/audit.md), [Identity Signing](docs/guides/identity-signing.md), or run `asap --help` for the full command surface.
130
+
131
+ ## Version History
132
+
133
+ - **v1.1** adds OAuth2, WebSocket, Discovery (well-known + Lite Registry), State Storage (SQLite) and Webhooks.
134
+ - **v1.2** adds Ed25519 signed manifests, trust levels, optional mTLS and the [Compliance Harness](https://github.com/adriannoes/asap-protocol/blob/main/asap-compliance/README.md).
135
+ - **v1.3** adds delegation commands (`asap delegation create`, `asap delegation revoke`).
136
+ - **v2.0** adds the Lean Marketplace Web App (Next.js), Lite Registry on GitHub Pages, IssueOps registration, OAuth sign-in for developers, and Verified Badge flow.
137
+ - **v2.1** adds the Consumer SDK (`MarketClient`), optional framework extras (LangChain, CrewAI, LlamaIndex, SmolAgents, OpenClaw, …), and registry UX improvements on PyPI.
138
+ - **v2.1.1** is a patch release: JWT algorithm allowlist, SQLite async bridging, optional Redis-backed rate limits, SSRF hardening in the web app, and related reliability fixes (see [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md)).
139
+ - **v2.2** adds per-runtime agent identity, capability-based authorization, SSE streaming (`POST /asap/stream`), `ASAP-Version` negotiation, JSON-RPC batch requests, tamper-evident audit logging, async state stores, and Compliance Harness v2.
140
+ - **v2.2.1** closes the SELF-002 follow-up with **real WebAuthn** attestation/assertion via the opt-in `asap-protocol[webauthn]` extra, ships the `asap compliance-check` and `asap audit export` CLIs, promotes the client SDK `ResolvedAgent.run()` to a typed contract (raises `TypeError` on protocol violation), introduces the `asap.economics.audit.AuditChainBroken` exception for scripted tamper handling, and pins upper bounds on security-sensitive deps (`cryptography`, `authlib`, `joserfc`, `pyjwt`, `webauthn`, `pydantic`) — see [dependency policy](https://github.com/adriannoes/asap-protocol/blob/main/SECURITY.md#dependency-policy) and full notes in the [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md).
130
141
 
131
- See [docs index](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md#v11-features-api-reference--guides) and [Identity Signing](https://github.com/adriannoes/asap-protocol/blob/main/docs/guides/identity-signing.md) for details.
142
+ For a structured index of per-version features, see the [docs index](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md#v11-features-api-reference--guides).
132
143
 
133
144
  ## 🔭 What's Next?
134
145
 
@@ -148,4 +159,4 @@ This project is licensed under the Apache 2.0 License - see the [license](https:
148
159
 
149
160
  ---
150
161
 
151
- **Built with [Cursor](https://cursor.com/)** using Composer 1.5, Claude Opus 4.6, Gemini 3.1 Pro and Kimi K2.5.
162
+ **Built with [Cursor](https://cursor.com/) and [Claude Code](https://claude.com/claude-code)** — primarily Claude Opus 4.7 (1M context) with Cursor Composer 1.5, Gemini 3.1 Pro, and Kimi K2.5 as collaborators.
@@ -1,6 +1,6 @@
1
1
  [project]
2
2
  name = "asap-protocol"
3
- version = "2.2.0"
3
+ version = "2.2.1"
4
4
  description = "Async Simple Agent Protocol - A streamlined protocol for agent-to-agent communication"
5
5
  authors = [
6
6
  {name = "ASAP Protocol Contributors"}
@@ -22,14 +22,15 @@ classifiers = [
22
22
 
23
23
  dependencies = [
24
24
  "aiosqlite>=0.20",
25
- "cryptography>=46.0.7",
25
+ # Upper-bound majors per SECURITY.md dependency policy.
26
+ "cryptography>=46.0.7,<47",
26
27
  "jcs>=0.2.0",
27
28
  "jsonschema>=4.23.0",
28
- "pydantic>=2.12.5",
29
+ "pydantic>=2.12.5,<3",
29
30
  "fastapi>=0.128.0",
30
31
  "httpx[http2]>=0.28.1",
31
- "authlib>=1.6.9",
32
- "joserfc>=1.6.3",
32
+ "authlib>=1.6.11,<2",
33
+ "joserfc>=1.6.3,<2",
33
34
  "uvicorn>=0.34",
34
35
  "python-ulid>=3.0",
35
36
  "packaging>=25.0",
@@ -72,6 +73,10 @@ dns-sd = [
72
73
  redis = [
73
74
  "redis>=5.0.0",
74
75
  ]
76
+ # Optional WebAuthn (real attestation/assertion when extra installed).
77
+ webauthn = [
78
+ "webauthn>=2.6,<3",
79
+ ]
75
80
  # Framework integrations (Sprint E3 — PKG-003).
76
81
  mcp = [
77
82
  "mcp>=1.0.0",
@@ -113,18 +118,20 @@ Issues = "https://github.com/adriannoes/asap-protocol/issues"
113
118
  # - python-multipart>=0.0.26 for CVE-2026-40347 (FastAPI stack)
114
119
  # - pygments>=2.20.0 for CVE-2026-4539
115
120
  # - langsmith>=0.7.31 for GHSA-rr7j-v2q5-chgv
121
+ # - python-dotenv>=1.2.2 for CVE-2026-28684 (transitive, e.g. pydantic-settings / uvicorn stacks)
116
122
  [tool.uv]
117
123
  override-dependencies = [
118
- "pyjwt>=2.12.0",
124
+ "pyjwt>=2.12.0,<3",
119
125
  "pyasn1>=0.6.3",
120
126
  "tinytag>=2.2.1",
121
- "cryptography>=46.0.7",
127
+ "cryptography>=46.0.7,<47",
122
128
  "requests>=2.33.0",
123
129
  "pillow>=12.2.0",
124
130
  "pytest>=9.0.3",
125
131
  "python-multipart>=0.0.26",
126
132
  "pygments>=2.20.0",
127
133
  "langsmith>=0.7.31",
134
+ "python-dotenv>=1.2.2",
128
135
  ]
129
136
 
130
137
  [project.scripts]
@@ -183,7 +190,7 @@ ignore = [
183
190
  "src/asap/transport/usage_api.py" = ["B008"]
184
191
  "src/asap/transport/delegation_api.py" = ["B008"]
185
192
  "src/asap/transport/sla_api.py" = ["B008"]
186
- "src/asap/cli.py" = ["B008"]
193
+ "src/asap/cli/__init__.py" = ["B008"]
187
194
 
188
195
  [tool.ruff.format]
189
196
  quote-style = "double"
@@ -4,6 +4,6 @@ A streamlined, scalable, asynchronous protocol for agent-to-agent communication
4
4
  and task coordination.
5
5
  """
6
6
 
7
- __version__ = "2.2.0"
7
+ __version__ = "2.2.1"
8
8
 
9
9
  __all__ = ["__version__"]