asap-protocol 2.2.0__tar.gz → 2.2.1__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/.gitignore +2 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/CHANGELOG.md +108 -1
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/PKG-INFO +28 -15
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/README.md +21 -10
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/pyproject.toml +15 -8
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/__init__.py +1 -1
- asap_protocol-2.2.1/src/asap/auth/self_auth.py +276 -0
- asap_protocol-2.2.1/src/asap/auth/webauthn.py +473 -0
- asap_protocol-2.2.0/src/asap/cli.py → asap_protocol-2.2.1/src/asap/cli/__init__.py +7 -0
- asap_protocol-2.2.1/src/asap/cli/audit_export.py +194 -0
- asap_protocol-2.2.1/src/asap/cli/compliance_check.py +108 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/client/http_client.py +4 -2
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/client/market.py +27 -7
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/discovery/dnssd.py +2 -1
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/audit.py +8 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/delegation_storage.py +44 -44
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/hooks.py +15 -13
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/sla.py +2 -2
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/sla_storage.py +20 -22
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/storage.py +63 -48
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/a2h.py +2 -2
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/state/stores/sqlite.py +30 -32
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/testing/__init__.py +4 -0
- asap_protocol-2.2.1/src/asap/testing/asgi_factory.py +32 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/testing/assertions.py +33 -21
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/testing/compliance.py +74 -22
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/agent_routes.py +28 -16
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/client.py +10 -4
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/rate_limit.py +1 -1
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/server.py +39 -42
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/validators.py +5 -2
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/webhook.py +4 -1
- asap_protocol-2.2.0/src/asap/auth/self_auth.py +0 -144
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/LICENSE +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/entities/agent.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/entities/artifact.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/entities/conversation.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/entities/manifest.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/entities/message.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/entities/state_snapshot.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/entities/task.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/envelope.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/parts/data_part.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/parts/file_part.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/parts/resource_part.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/parts/template_part.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/parts/text_part.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/artifact_notify.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/mcp_resource_data.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/mcp_resource_fetch.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/mcp_tool_call.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/mcp_tool_result.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/message_send.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/state_query.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/state_restore.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/task_cancel.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/task_request.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/task_response.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/schemas/payloads/task_update.schema.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/__init__.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/agent_jwt.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/approval.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/capabilities.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/identity.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/introspection.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/jwks.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/lifecycle.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/middleware.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/oauth2.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/oidc.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/scopes.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/auth/utils.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/client/__init__.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/client/cache.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/client/revocation.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/client/trust.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/crypto/__init__.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/crypto/keys.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/crypto/models.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/crypto/signing.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/crypto/trust.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/crypto/trust_levels.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/discovery/__init__.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/discovery/health.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/discovery/registry.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/discovery/validation.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/discovery/wellknown.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/__init__.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/delegation.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/economics/metering.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/errors.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/README.md +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/__init__.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/a2h_approval.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/agent_failover.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/auth_patterns.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/coordinator.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/echo_agent.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/error_recovery.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/long_running.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/mcp_client_demo.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/mcp_integration.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/multi_step_workflow.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/orchestration.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/rate_limiting.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/run_demo.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/secure_agent.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/secure_handler.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/state_migration.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/storage_backends.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/streaming_agent.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/streaming_response.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/v1_3_0_showcase.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/v1_4_0_showcase.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/examples/websocket_concept.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/handlers/__init__.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/handlers/hitl.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/__init__.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/crewai.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/langchain.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/llamaindex.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/openclaw.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/pydanticai.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/smolagents.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/integrations/vercel_ai.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/mcp/__init__.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/mcp/client.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/mcp/protocol.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/mcp/serve.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/mcp/server.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/mcp/server_runner.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/__init__.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/base.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/constants.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/entities.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/enums.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/envelope.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/ids.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/parts.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/payloads.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/types.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/models/validators.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/__init__.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/dashboards/README.md +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/dashboards/asap-detailed.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/dashboards/asap-red.json +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/logging.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/metrics.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/trace_parser.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/trace_ui.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/observability/tracing.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/schemas.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/state/__init__.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/state/machine.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/state/metering.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/state/snapshot.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/state/stores/__init__.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/state/stores/memory.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/testing/fixtures.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/testing/mocks.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/__init__.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/_auth_helpers.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/cache.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/capability_routes.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/circuit_breaker.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/codecs/__init__.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/codecs/lambda_codec.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/compression.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/delegation_api.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/executors.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/handlers.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/jsonrpc.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/middleware.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/mtls.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/sla_api.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/usage_api.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/transport/websocket.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/utils/__init__.py +0 -0
- {asap_protocol-2.2.0 → asap_protocol-2.2.1}/src/asap/utils/sanitization.py +0 -0
|
@@ -7,8 +7,115 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
## [2.2.1] - 2026-04-21
|
|
13
|
+
|
|
14
|
+
Patch release: optional WebAuthn verification, compliance and audit CLIs, docs,
|
|
15
|
+
and CI baselines.
|
|
16
|
+
|
|
10
17
|
### Added
|
|
11
|
-
|
|
18
|
+
|
|
19
|
+
- **WebAuthn (optional extra)**: `asap-protocol[webauthn]` enables real
|
|
20
|
+
registration/assertion verification when `ASAP_WEBAUTHN_RP_ID` and
|
|
21
|
+
`ASAP_WEBAUTHN_ORIGIN` are set; otherwise behavior matches v2.2.0. See
|
|
22
|
+
[v2.2.0 → v2.2.1 migration](docs/migration.md#upgrading-from-v220-to-v221).
|
|
23
|
+
- **`asap compliance-check`**: Runs Compliance Harness v2 against an agent
|
|
24
|
+
`HTTP(S)` base URL; `--output {text,json}`, `--exit-on-fail`, `--timeout`,
|
|
25
|
+
`--asap-version`. Documented in [docs/cli.md](docs/cli.md) and
|
|
26
|
+
[docs/ci-compliance.md](docs/ci-compliance.md) (Actions example with
|
|
27
|
+
`--exit-on-fail`).
|
|
28
|
+
- **`asap audit export`**: Exports hash-chained audit rows from SQLite or an
|
|
29
|
+
in-memory store; `--verify-chain` fails on tampering. Documented in
|
|
30
|
+
[docs/cli.md](docs/cli.md#asap-audit-export) and [docs/audit.md](docs/audit.md).
|
|
31
|
+
- **`apps/example-agent`**: Minimal installable example; CI runs Harness v2 and
|
|
32
|
+
fails on score < 1.0 (regression guard).
|
|
33
|
+
|
|
34
|
+
### Security
|
|
35
|
+
|
|
36
|
+
- **`python-dotenv`**: `tool.uv.override-dependencies` pins **≥ 1.2.2** (CVE-2026-28684)
|
|
37
|
+
on transitive installs.
|
|
38
|
+
- **`apps/web`**: Dependency updates closing npm audit findings (Next.js 16.2.4;
|
|
39
|
+
`micromatch` subtree forced to `picomatch` ≥ 2.3.2).
|
|
40
|
+
|
|
41
|
+
### Changed
|
|
42
|
+
|
|
43
|
+
- **CLI package layout**: Typer subcommands live under `asap.cli` / `src/asap/cli/`
|
|
44
|
+
(replacing the monolithic `cli.py` module); `asap` console script unchanged.
|
|
45
|
+
- **`ResolvedAgent.run()`**: Tightens the contract from "tri-branch dict[str, Any]" to
|
|
46
|
+
"the TaskResponse.result dict, or empty dict if result is None". A protocol violation
|
|
47
|
+
(server responds with anything other than a TaskResponse envelope) now raises
|
|
48
|
+
`TypeError` so it surfaces at the call site instead of silently coercing into a dict.
|
|
49
|
+
Return type annotation remains `dict[str, Any]`; no caller API change. Closes the
|
|
50
|
+
deferred follow-up from v2.1 PR-73 review.
|
|
51
|
+
- **Dependency pins**: `cryptography`, `authlib`, `joserfc`, `pyjwt`, `webauthn` (extra),
|
|
52
|
+
and `pydantic` now carry explicit upper bounds to the next major version so breaking
|
|
53
|
+
upstream releases can't auto-install. Policy + bump procedure documented in
|
|
54
|
+
[SECURITY.md §Dependency policy](SECURITY.md#dependency-policy).
|
|
55
|
+
- **ID generation**: `asap.state.stores.sqlite`, `asap.economics.storage`,
|
|
56
|
+
`asap.economics.sla`, and `asap.integrations.a2h` now generate entity IDs through
|
|
57
|
+
`asap.models.ids.generate_id()` (ULID) instead of ad-hoc `uuid.uuid4()`. The
|
|
58
|
+
slowapi storage-URI suffix in `asap.transport.rate_limit` remains `uuid.uuid4().hex`
|
|
59
|
+
because it is a backend namespace, not a domain identifier; an inline comment
|
|
60
|
+
documents the distinction.
|
|
61
|
+
- **`asap.economics.storage` aggregate dispatch**: The six-branch `cast(list[UsageAggregate], ...)`
|
|
62
|
+
clusters in `InMemoryMeteringStorage.aggregate` and `SQLiteMeteringStorage.aggregate` are
|
|
63
|
+
consolidated into a single `_dispatch_aggregate(events, group_by)` helper. Eight
|
|
64
|
+
scattered casts become three, all documented in one place.
|
|
65
|
+
- **`asap.transport.server` helper types**: `_validate_envelope` and `_dispatch_to_handler`
|
|
66
|
+
now return a discriminable `EnvelopeOrError = JSONResponse | tuple[Envelope, str]`
|
|
67
|
+
union instead of `tuple[Envelope | None, JSONResponse | str]`. Callers narrow via
|
|
68
|
+
`isinstance(result, JSONResponse)` and no longer need `cast()` at the three call
|
|
69
|
+
sites. Internal-only refactor; public API unchanged.
|
|
70
|
+
- **`WebAuthnVerifierImpl.start_webauthn_*`**: Returns the full
|
|
71
|
+
`PublicKeyCredentialCreation/RequestOptions` dict from
|
|
72
|
+
`webauthn.helpers.options_to_json_dict` (previously a bare base64url
|
|
73
|
+
challenge). Integrators building a browser adapter get `rp`, `user`,
|
|
74
|
+
`pubKeyCredParams`, `allowCredentials`, and `userVerification` out of the
|
|
75
|
+
box and no longer need to hand-assemble the options envelope.
|
|
76
|
+
- **`default_webauthn_verifier()`**: The returned verifier is now cached
|
|
77
|
+
per-process (keyed by `extra_installed / rp_id / origin`). Pending
|
|
78
|
+
WebAuthn challenges persist across requests when the defensive fallback in
|
|
79
|
+
`agent_routes._webauthn_verifier` is hit — previously each fallback call
|
|
80
|
+
rebuilt an empty `InMemoryWebAuthnCredentialStore`, silently discarding
|
|
81
|
+
any `start_webauthn_assertion` state. Tests can reset the cache with
|
|
82
|
+
`asap.auth.self_auth.reset_default_webauthn_verifier_cache()`.
|
|
83
|
+
|
|
84
|
+
### Fixed
|
|
85
|
+
|
|
86
|
+
- **Swallowed exceptions in `finish_webauthn_assertion`**: Bare
|
|
87
|
+
`except Exception:` blocks now catch the specific
|
|
88
|
+
`InvalidAuthenticationResponse` / `ValueError` / `TypeError` classes and
|
|
89
|
+
emit structured warnings (`asap.webauthn.assertion.invalid`,
|
|
90
|
+
`.malformed_challenge`, `.challenge_mismatch`, `.unknown_credential`)
|
|
91
|
+
via `asap.observability.get_logger` so SIEM rules can detect
|
|
92
|
+
cloned-authenticator and replay patterns.
|
|
93
|
+
- **`WebAuthnCeremonyError` payload**: Public `detail` is now a stable,
|
|
94
|
+
PII-free identifier (`webauthn_registration_state_missing`,
|
|
95
|
+
`webauthn_registration_verification_failed`). `host_id` and the upstream
|
|
96
|
+
library reason are logged internally instead of leaking into the error
|
|
97
|
+
surface.
|
|
98
|
+
- **`audit export --verify-chain`**: Replaces fragile string-matching on
|
|
99
|
+
`"AUDIT_CHAIN_BROKEN"` with a dedicated `asap.economics.audit.AuditChainBroken`
|
|
100
|
+
exception. Invalid `--since` / `--until` ISO-8601 values now surface as
|
|
101
|
+
`typer.BadParameter` instead of an unhandled traceback.
|
|
102
|
+
- **CSV export determinism**: `asap audit export --format csv` now writes
|
|
103
|
+
rows with `lineterminator="\n"` for reproducible diffs on Linux CI.
|
|
104
|
+
- **Test fixtures**: `tests/cli/test_compliance_check.py` uvicorn fixtures
|
|
105
|
+
now stop the server cooperatively via `server.should_exit = True` +
|
|
106
|
+
`thread.join`, preventing the leaked-socket flakes flagged under
|
|
107
|
+
`pytest-xdist` on long suites.
|
|
108
|
+
|
|
109
|
+
### Known limitations
|
|
110
|
+
|
|
111
|
+
- **No reference HTTP enrollment route** for the WebAuthn registration
|
|
112
|
+
ceremony. `WebAuthnVerifierImpl.start_webauthn_registration` /
|
|
113
|
+
`.finish_webauthn_registration` are Python-only helpers in v2.2.1;
|
|
114
|
+
integrators must expose their own adapter route (see
|
|
115
|
+
[docs/security/self-authorization-prevention.md](docs/security/self-authorization-prevention.md#known-limitation-no-reference-http-enrollment-route-in-v221)).
|
|
116
|
+
A first-class `POST /asap/agent/webauthn/register/{begin,finish}` is
|
|
117
|
+
tracked for v2.3 (Adoption Multiplier), where new endpoint surface area
|
|
118
|
+
is permitted.
|
|
12
119
|
|
|
13
120
|
---
|
|
14
121
|
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: asap-protocol
|
|
3
|
-
Version: 2.2.
|
|
3
|
+
Version: 2.2.1
|
|
4
4
|
Summary: Async Simple Agent Protocol - A streamlined protocol for agent-to-agent communication
|
|
5
5
|
Project-URL: Homepage, https://github.com/adriannoes/asap-protocol
|
|
6
6
|
Project-URL: Documentation, https://adriannoes.github.io/asap-protocol
|
|
@@ -21,13 +21,13 @@ Classifier: Topic :: System :: Distributed Computing
|
|
|
21
21
|
Classifier: Typing :: Typed
|
|
22
22
|
Requires-Python: >=3.13
|
|
23
23
|
Requires-Dist: aiosqlite>=0.20
|
|
24
|
-
Requires-Dist: authlib
|
|
24
|
+
Requires-Dist: authlib<2,>=1.6.11
|
|
25
25
|
Requires-Dist: brotli>=1.2.0
|
|
26
|
-
Requires-Dist: cryptography
|
|
26
|
+
Requires-Dist: cryptography<47,>=46.0.7
|
|
27
27
|
Requires-Dist: fastapi>=0.128.0
|
|
28
28
|
Requires-Dist: httpx[http2]>=0.28.1
|
|
29
29
|
Requires-Dist: jcs>=0.2.0
|
|
30
|
-
Requires-Dist: joserfc
|
|
30
|
+
Requires-Dist: joserfc<2,>=1.6.3
|
|
31
31
|
Requires-Dist: jsonschema>=4.23.0
|
|
32
32
|
Requires-Dist: limits>=3.0
|
|
33
33
|
Requires-Dist: opentelemetry-api>=1.20
|
|
@@ -36,7 +36,7 @@ Requires-Dist: opentelemetry-instrumentation-fastapi>=0.41
|
|
|
36
36
|
Requires-Dist: opentelemetry-instrumentation-httpx>=0.41
|
|
37
37
|
Requires-Dist: opentelemetry-sdk>=1.20
|
|
38
38
|
Requires-Dist: packaging>=25.0
|
|
39
|
-
Requires-Dist: pydantic
|
|
39
|
+
Requires-Dist: pydantic<3,>=2.12.5
|
|
40
40
|
Requires-Dist: python-ulid>=3.0
|
|
41
41
|
Requires-Dist: structlog>=24.1
|
|
42
42
|
Requires-Dist: typer>=0.21.1
|
|
@@ -77,6 +77,8 @@ Provides-Extra: redis
|
|
|
77
77
|
Requires-Dist: redis>=5.0.0; extra == 'redis'
|
|
78
78
|
Provides-Extra: smolagents
|
|
79
79
|
Requires-Dist: smolagents>=1.0; extra == 'smolagents'
|
|
80
|
+
Provides-Extra: webauthn
|
|
81
|
+
Requires-Dist: webauthn<3,>=2.6; extra == 'webauthn'
|
|
80
82
|
Description-Content-Type: text/markdown
|
|
81
83
|
|
|
82
84
|
# ASAP: Async Simple Agent Protocol
|
|
@@ -88,9 +90,9 @@ Description-Content-Type: text/markdown
|
|
|
88
90
|
|
|
89
91
|
> A production-ready protocol for agent-to-agent communication and task coordination.
|
|
90
92
|
|
|
91
|
-
**Quick Info**: `v2.
|
|
93
|
+
**Quick Info**: `v2.2.1` | `Apache 2.0` | `Python 3.13+` | [Documentation](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md) | [PyPI](https://pypi.org/project/asap-protocol/) | [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md)
|
|
92
94
|
|
|
93
|
-
> 🚀 **Live now** our [**agentic marketplace**](https://asap-protocol.vercel.app/) —
|
|
95
|
+
> 🚀 **Live now** our [**agentic marketplace**](https://asap-protocol.vercel.app/) — browse agents, register yours, request verification.
|
|
94
96
|
|
|
95
97
|
## Why ASAP?
|
|
96
98
|
|
|
@@ -111,6 +113,8 @@ For simple point-to-point communication, a basic HTTP API might suffice; ASAP sh
|
|
|
111
113
|
- **MCP integration** — Tool execution and coordination in a single envelope.
|
|
112
114
|
- **Observable** — `trace_id` and `correlation_id` for debugging.
|
|
113
115
|
- **Security** — Bearer auth, OAuth2/JWT, Ed25519 signed manifests, optional mTLS, replay prevention, HTTPS, rate limiting. [Security Model](https://github.com/adriannoes/asap-protocol/blob/main/docs/security/v1.1-security-model.md) (trust limits, Custom Claims).
|
|
116
|
+
- **Identity & capabilities (v2.2, WebAuthn real in v2.2.1)** — Per-runtime Host/Agent JWTs, capability grants with constraints (`max`, `min`, `in`, `not_in`), approval flows (device authorization / CIBA-style), real WebAuthn attestation/assertion for high-risk registration (opt-in via `asap-protocol[webauthn]`).
|
|
117
|
+
- **Streaming & wire protocol (v2.2)** — `POST /asap/stream` (SSE / `TaskStream`), JSON-RPC 2.0 batch on `POST /asap`, `ASAP-Version` negotiation, tamper-evident audit logging, Compliance Harness v2.
|
|
114
118
|
- **Economics** — Usage metering, delegation tokens, SLA framework with breach alerts.
|
|
115
119
|
|
|
116
120
|
### 🆕 Framework Ecosystem
|
|
@@ -184,7 +188,7 @@ See [Compliance Testing Guide](https://github.com/adriannoes/asap-protocol/blob/
|
|
|
184
188
|
- [Observability](https://github.com/adriannoes/asap-protocol/blob/main/docs/observability.md) | [Testing](https://github.com/adriannoes/asap-protocol/blob/main/docs/testing.md)
|
|
185
189
|
|
|
186
190
|
**Decisions & Operations**
|
|
187
|
-
- [ADRs](https://github.com/adriannoes/asap-protocol/tree/main/docs/adr) —
|
|
191
|
+
- [ADRs](https://github.com/adriannoes/asap-protocol/tree/main/docs/adr) — 19 Architecture Decision Records
|
|
188
192
|
- [Tech Stack](https://github.com/adriannoes/asap-protocol/blob/main/.cursor/dev-planning/architecture/tech-stack-decisions.md) — Rationale for Python, Pydantic, Next.js choices
|
|
189
193
|
- [Deployment](https://github.com/adriannoes/asap-protocol/blob/main/docs/deployment/kubernetes.md) | [Troubleshooting](https://github.com/adriannoes/asap-protocol/blob/main/docs/troubleshooting.md)
|
|
190
194
|
|
|
@@ -193,23 +197,32 @@ See [Compliance Testing Guide](https://github.com/adriannoes/asap-protocol/blob/
|
|
|
193
197
|
|
|
194
198
|
## CLI
|
|
195
199
|
|
|
196
|
-
- **v1.1** adds OAuth2, WebSocket, Discovery (well-known + Lite Registry), State Storage (SQLite) and Webhooks.
|
|
197
|
-
- **v1.2** adds Ed25519 signed manifests, trust levels, optional mTLS and the [Compliance Harness](https://github.com/adriannoes/asap-protocol/blob/main/asap-compliance/README.md).
|
|
198
|
-
- **v1.3** adds delegation commands (`asap delegation create`, `asap delegation revoke`).
|
|
199
|
-
|
|
200
200
|
```bash
|
|
201
201
|
asap --version # Show version
|
|
202
202
|
asap list-schemas # List all available schemas
|
|
203
203
|
asap export-schemas # Export JSON schemas to file
|
|
204
|
+
asap compliance-check --url https://agent.example # Compliance Harness v2 (HTTP(S))
|
|
205
|
+
asap audit export --store memory --format json # Export audit log (stdout)
|
|
204
206
|
asap keys generate -o key.pem # Generate Ed25519 keypair
|
|
205
207
|
asap manifest sign -k key.pem manifest.json # Sign manifest
|
|
206
208
|
asap manifest verify signed.json # Verify signature
|
|
207
209
|
asap manifest info signed.json # Show trust level
|
|
208
210
|
```
|
|
209
211
|
|
|
210
|
-
See [CLI reference](
|
|
212
|
+
See the [CLI reference](docs/cli.md) for `compliance-check` and `audit export` flag details, the [CI compliance gate](docs/ci-compliance.md) for wiring `compliance-check` into GitHub Actions, the [audit export guide](docs/audit.md), [Identity Signing](docs/guides/identity-signing.md), or run `asap --help` for the full command surface.
|
|
213
|
+
|
|
214
|
+
## Version History
|
|
215
|
+
|
|
216
|
+
- **v1.1** adds OAuth2, WebSocket, Discovery (well-known + Lite Registry), State Storage (SQLite) and Webhooks.
|
|
217
|
+
- **v1.2** adds Ed25519 signed manifests, trust levels, optional mTLS and the [Compliance Harness](https://github.com/adriannoes/asap-protocol/blob/main/asap-compliance/README.md).
|
|
218
|
+
- **v1.3** adds delegation commands (`asap delegation create`, `asap delegation revoke`).
|
|
219
|
+
- **v2.0** adds the Lean Marketplace Web App (Next.js), Lite Registry on GitHub Pages, IssueOps registration, OAuth sign-in for developers, and Verified Badge flow.
|
|
220
|
+
- **v2.1** adds the Consumer SDK (`MarketClient`), optional framework extras (LangChain, CrewAI, LlamaIndex, SmolAgents, OpenClaw, …), and registry UX improvements on PyPI.
|
|
221
|
+
- **v2.1.1** is a patch release: JWT algorithm allowlist, SQLite async bridging, optional Redis-backed rate limits, SSRF hardening in the web app, and related reliability fixes (see [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md)).
|
|
222
|
+
- **v2.2** adds per-runtime agent identity, capability-based authorization, SSE streaming (`POST /asap/stream`), `ASAP-Version` negotiation, JSON-RPC batch requests, tamper-evident audit logging, async state stores, and Compliance Harness v2.
|
|
223
|
+
- **v2.2.1** closes the SELF-002 follow-up with **real WebAuthn** attestation/assertion via the opt-in `asap-protocol[webauthn]` extra, ships the `asap compliance-check` and `asap audit export` CLIs, promotes the client SDK `ResolvedAgent.run()` to a typed contract (raises `TypeError` on protocol violation), introduces the `asap.economics.audit.AuditChainBroken` exception for scripted tamper handling, and pins upper bounds on security-sensitive deps (`cryptography`, `authlib`, `joserfc`, `pyjwt`, `webauthn`, `pydantic`) — see [dependency policy](https://github.com/adriannoes/asap-protocol/blob/main/SECURITY.md#dependency-policy) and full notes in the [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md).
|
|
211
224
|
|
|
212
|
-
|
|
225
|
+
For a structured index of per-version features, see the [docs index](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md#v11-features-api-reference--guides).
|
|
213
226
|
|
|
214
227
|
## 🔭 What's Next?
|
|
215
228
|
|
|
@@ -229,4 +242,4 @@ This project is licensed under the Apache 2.0 License - see the [license](https:
|
|
|
229
242
|
|
|
230
243
|
---
|
|
231
244
|
|
|
232
|
-
**Built with [Cursor](https://cursor.com/)
|
|
245
|
+
**Built with [Cursor](https://cursor.com/) and [Claude Code](https://claude.com/claude-code)** — primarily Claude Opus 4.7 (1M context) with Cursor Composer 1.5, Gemini 3.1 Pro, and Kimi K2.5 as collaborators.
|
|
@@ -7,9 +7,9 @@
|
|
|
7
7
|
|
|
8
8
|
> A production-ready protocol for agent-to-agent communication and task coordination.
|
|
9
9
|
|
|
10
|
-
**Quick Info**: `v2.
|
|
10
|
+
**Quick Info**: `v2.2.1` | `Apache 2.0` | `Python 3.13+` | [Documentation](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md) | [PyPI](https://pypi.org/project/asap-protocol/) | [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md)
|
|
11
11
|
|
|
12
|
-
> 🚀 **Live now** our [**agentic marketplace**](https://asap-protocol.vercel.app/) —
|
|
12
|
+
> 🚀 **Live now** our [**agentic marketplace**](https://asap-protocol.vercel.app/) — browse agents, register yours, request verification.
|
|
13
13
|
|
|
14
14
|
## Why ASAP?
|
|
15
15
|
|
|
@@ -30,6 +30,8 @@ For simple point-to-point communication, a basic HTTP API might suffice; ASAP sh
|
|
|
30
30
|
- **MCP integration** — Tool execution and coordination in a single envelope.
|
|
31
31
|
- **Observable** — `trace_id` and `correlation_id` for debugging.
|
|
32
32
|
- **Security** — Bearer auth, OAuth2/JWT, Ed25519 signed manifests, optional mTLS, replay prevention, HTTPS, rate limiting. [Security Model](https://github.com/adriannoes/asap-protocol/blob/main/docs/security/v1.1-security-model.md) (trust limits, Custom Claims).
|
|
33
|
+
- **Identity & capabilities (v2.2, WebAuthn real in v2.2.1)** — Per-runtime Host/Agent JWTs, capability grants with constraints (`max`, `min`, `in`, `not_in`), approval flows (device authorization / CIBA-style), real WebAuthn attestation/assertion for high-risk registration (opt-in via `asap-protocol[webauthn]`).
|
|
34
|
+
- **Streaming & wire protocol (v2.2)** — `POST /asap/stream` (SSE / `TaskStream`), JSON-RPC 2.0 batch on `POST /asap`, `ASAP-Version` negotiation, tamper-evident audit logging, Compliance Harness v2.
|
|
33
35
|
- **Economics** — Usage metering, delegation tokens, SLA framework with breach alerts.
|
|
34
36
|
|
|
35
37
|
### 🆕 Framework Ecosystem
|
|
@@ -103,7 +105,7 @@ See [Compliance Testing Guide](https://github.com/adriannoes/asap-protocol/blob/
|
|
|
103
105
|
- [Observability](https://github.com/adriannoes/asap-protocol/blob/main/docs/observability.md) | [Testing](https://github.com/adriannoes/asap-protocol/blob/main/docs/testing.md)
|
|
104
106
|
|
|
105
107
|
**Decisions & Operations**
|
|
106
|
-
- [ADRs](https://github.com/adriannoes/asap-protocol/tree/main/docs/adr) —
|
|
108
|
+
- [ADRs](https://github.com/adriannoes/asap-protocol/tree/main/docs/adr) — 19 Architecture Decision Records
|
|
107
109
|
- [Tech Stack](https://github.com/adriannoes/asap-protocol/blob/main/.cursor/dev-planning/architecture/tech-stack-decisions.md) — Rationale for Python, Pydantic, Next.js choices
|
|
108
110
|
- [Deployment](https://github.com/adriannoes/asap-protocol/blob/main/docs/deployment/kubernetes.md) | [Troubleshooting](https://github.com/adriannoes/asap-protocol/blob/main/docs/troubleshooting.md)
|
|
109
111
|
|
|
@@ -112,23 +114,32 @@ See [Compliance Testing Guide](https://github.com/adriannoes/asap-protocol/blob/
|
|
|
112
114
|
|
|
113
115
|
## CLI
|
|
114
116
|
|
|
115
|
-
- **v1.1** adds OAuth2, WebSocket, Discovery (well-known + Lite Registry), State Storage (SQLite) and Webhooks.
|
|
116
|
-
- **v1.2** adds Ed25519 signed manifests, trust levels, optional mTLS and the [Compliance Harness](https://github.com/adriannoes/asap-protocol/blob/main/asap-compliance/README.md).
|
|
117
|
-
- **v1.3** adds delegation commands (`asap delegation create`, `asap delegation revoke`).
|
|
118
|
-
|
|
119
117
|
```bash
|
|
120
118
|
asap --version # Show version
|
|
121
119
|
asap list-schemas # List all available schemas
|
|
122
120
|
asap export-schemas # Export JSON schemas to file
|
|
121
|
+
asap compliance-check --url https://agent.example # Compliance Harness v2 (HTTP(S))
|
|
122
|
+
asap audit export --store memory --format json # Export audit log (stdout)
|
|
123
123
|
asap keys generate -o key.pem # Generate Ed25519 keypair
|
|
124
124
|
asap manifest sign -k key.pem manifest.json # Sign manifest
|
|
125
125
|
asap manifest verify signed.json # Verify signature
|
|
126
126
|
asap manifest info signed.json # Show trust level
|
|
127
127
|
```
|
|
128
128
|
|
|
129
|
-
See [CLI reference](
|
|
129
|
+
See the [CLI reference](docs/cli.md) for `compliance-check` and `audit export` flag details, the [CI compliance gate](docs/ci-compliance.md) for wiring `compliance-check` into GitHub Actions, the [audit export guide](docs/audit.md), [Identity Signing](docs/guides/identity-signing.md), or run `asap --help` for the full command surface.
|
|
130
|
+
|
|
131
|
+
## Version History
|
|
132
|
+
|
|
133
|
+
- **v1.1** adds OAuth2, WebSocket, Discovery (well-known + Lite Registry), State Storage (SQLite) and Webhooks.
|
|
134
|
+
- **v1.2** adds Ed25519 signed manifests, trust levels, optional mTLS and the [Compliance Harness](https://github.com/adriannoes/asap-protocol/blob/main/asap-compliance/README.md).
|
|
135
|
+
- **v1.3** adds delegation commands (`asap delegation create`, `asap delegation revoke`).
|
|
136
|
+
- **v2.0** adds the Lean Marketplace Web App (Next.js), Lite Registry on GitHub Pages, IssueOps registration, OAuth sign-in for developers, and Verified Badge flow.
|
|
137
|
+
- **v2.1** adds the Consumer SDK (`MarketClient`), optional framework extras (LangChain, CrewAI, LlamaIndex, SmolAgents, OpenClaw, …), and registry UX improvements on PyPI.
|
|
138
|
+
- **v2.1.1** is a patch release: JWT algorithm allowlist, SQLite async bridging, optional Redis-backed rate limits, SSRF hardening in the web app, and related reliability fixes (see [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md)).
|
|
139
|
+
- **v2.2** adds per-runtime agent identity, capability-based authorization, SSE streaming (`POST /asap/stream`), `ASAP-Version` negotiation, JSON-RPC batch requests, tamper-evident audit logging, async state stores, and Compliance Harness v2.
|
|
140
|
+
- **v2.2.1** closes the SELF-002 follow-up with **real WebAuthn** attestation/assertion via the opt-in `asap-protocol[webauthn]` extra, ships the `asap compliance-check` and `asap audit export` CLIs, promotes the client SDK `ResolvedAgent.run()` to a typed contract (raises `TypeError` on protocol violation), introduces the `asap.economics.audit.AuditChainBroken` exception for scripted tamper handling, and pins upper bounds on security-sensitive deps (`cryptography`, `authlib`, `joserfc`, `pyjwt`, `webauthn`, `pydantic`) — see [dependency policy](https://github.com/adriannoes/asap-protocol/blob/main/SECURITY.md#dependency-policy) and full notes in the [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md).
|
|
130
141
|
|
|
131
|
-
|
|
142
|
+
For a structured index of per-version features, see the [docs index](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md#v11-features-api-reference--guides).
|
|
132
143
|
|
|
133
144
|
## 🔭 What's Next?
|
|
134
145
|
|
|
@@ -148,4 +159,4 @@ This project is licensed under the Apache 2.0 License - see the [license](https:
|
|
|
148
159
|
|
|
149
160
|
---
|
|
150
161
|
|
|
151
|
-
**Built with [Cursor](https://cursor.com/)
|
|
162
|
+
**Built with [Cursor](https://cursor.com/) and [Claude Code](https://claude.com/claude-code)** — primarily Claude Opus 4.7 (1M context) with Cursor Composer 1.5, Gemini 3.1 Pro, and Kimi K2.5 as collaborators.
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
[project]
|
|
2
2
|
name = "asap-protocol"
|
|
3
|
-
version = "2.2.
|
|
3
|
+
version = "2.2.1"
|
|
4
4
|
description = "Async Simple Agent Protocol - A streamlined protocol for agent-to-agent communication"
|
|
5
5
|
authors = [
|
|
6
6
|
{name = "ASAP Protocol Contributors"}
|
|
@@ -22,14 +22,15 @@ classifiers = [
|
|
|
22
22
|
|
|
23
23
|
dependencies = [
|
|
24
24
|
"aiosqlite>=0.20",
|
|
25
|
-
|
|
25
|
+
# Upper-bound majors per SECURITY.md dependency policy.
|
|
26
|
+
"cryptography>=46.0.7,<47",
|
|
26
27
|
"jcs>=0.2.0",
|
|
27
28
|
"jsonschema>=4.23.0",
|
|
28
|
-
"pydantic>=2.12.5",
|
|
29
|
+
"pydantic>=2.12.5,<3",
|
|
29
30
|
"fastapi>=0.128.0",
|
|
30
31
|
"httpx[http2]>=0.28.1",
|
|
31
|
-
"authlib>=1.6.
|
|
32
|
-
"joserfc>=1.6.3",
|
|
32
|
+
"authlib>=1.6.11,<2",
|
|
33
|
+
"joserfc>=1.6.3,<2",
|
|
33
34
|
"uvicorn>=0.34",
|
|
34
35
|
"python-ulid>=3.0",
|
|
35
36
|
"packaging>=25.0",
|
|
@@ -72,6 +73,10 @@ dns-sd = [
|
|
|
72
73
|
redis = [
|
|
73
74
|
"redis>=5.0.0",
|
|
74
75
|
]
|
|
76
|
+
# Optional WebAuthn (real attestation/assertion when extra installed).
|
|
77
|
+
webauthn = [
|
|
78
|
+
"webauthn>=2.6,<3",
|
|
79
|
+
]
|
|
75
80
|
# Framework integrations (Sprint E3 — PKG-003).
|
|
76
81
|
mcp = [
|
|
77
82
|
"mcp>=1.0.0",
|
|
@@ -113,18 +118,20 @@ Issues = "https://github.com/adriannoes/asap-protocol/issues"
|
|
|
113
118
|
# - python-multipart>=0.0.26 for CVE-2026-40347 (FastAPI stack)
|
|
114
119
|
# - pygments>=2.20.0 for CVE-2026-4539
|
|
115
120
|
# - langsmith>=0.7.31 for GHSA-rr7j-v2q5-chgv
|
|
121
|
+
# - python-dotenv>=1.2.2 for CVE-2026-28684 (transitive, e.g. pydantic-settings / uvicorn stacks)
|
|
116
122
|
[tool.uv]
|
|
117
123
|
override-dependencies = [
|
|
118
|
-
"pyjwt>=2.12.0",
|
|
124
|
+
"pyjwt>=2.12.0,<3",
|
|
119
125
|
"pyasn1>=0.6.3",
|
|
120
126
|
"tinytag>=2.2.1",
|
|
121
|
-
"cryptography>=46.0.7",
|
|
127
|
+
"cryptography>=46.0.7,<47",
|
|
122
128
|
"requests>=2.33.0",
|
|
123
129
|
"pillow>=12.2.0",
|
|
124
130
|
"pytest>=9.0.3",
|
|
125
131
|
"python-multipart>=0.0.26",
|
|
126
132
|
"pygments>=2.20.0",
|
|
127
133
|
"langsmith>=0.7.31",
|
|
134
|
+
"python-dotenv>=1.2.2",
|
|
128
135
|
]
|
|
129
136
|
|
|
130
137
|
[project.scripts]
|
|
@@ -183,7 +190,7 @@ ignore = [
|
|
|
183
190
|
"src/asap/transport/usage_api.py" = ["B008"]
|
|
184
191
|
"src/asap/transport/delegation_api.py" = ["B008"]
|
|
185
192
|
"src/asap/transport/sla_api.py" = ["B008"]
|
|
186
|
-
"src/asap/cli.py" = ["B008"]
|
|
193
|
+
"src/asap/cli/__init__.py" = ["B008"]
|
|
187
194
|
|
|
188
195
|
[tool.ruff.format]
|
|
189
196
|
quote-style = "double"
|