asap-protocol 2.2.0__tar.gz → 2.3.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (194) hide show
  1. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/.gitignore +23 -2
  2. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/CHANGELOG.md +146 -1
  3. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/PKG-INFO +56 -20
  4. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/README.md +47 -15
  5. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/pyproject.toml +20 -8
  6. asap_protocol-2.3.0/src/asap/__init__.py +22 -0
  7. asap_protocol-2.3.0/src/asap/adapters/__init__.py +1 -0
  8. asap_protocol-2.3.0/src/asap/adapters/openapi/__init__.py +19 -0
  9. asap_protocol-2.3.0/src/asap/adapters/openapi/approval.py +107 -0
  10. asap_protocol-2.3.0/src/asap/adapters/openapi/capability_mapper.py +499 -0
  11. asap_protocol-2.3.0/src/asap/adapters/openapi/factory.py +243 -0
  12. asap_protocol-2.3.0/src/asap/adapters/openapi/handler.py +525 -0
  13. asap_protocol-2.3.0/src/asap/adapters/openapi/spec_loader.py +154 -0
  14. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/auth/approval.py +25 -1
  15. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/auth/capabilities.py +41 -0
  16. asap_protocol-2.3.0/src/asap/auth/self_auth.py +276 -0
  17. asap_protocol-2.3.0/src/asap/auth/webauthn.py +473 -0
  18. asap_protocol-2.2.0/src/asap/cli.py → asap_protocol-2.3.0/src/asap/cli/__init__.py +7 -0
  19. asap_protocol-2.3.0/src/asap/cli/audit_export.py +194 -0
  20. asap_protocol-2.3.0/src/asap/cli/compliance_check.py +108 -0
  21. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/client/http_client.py +4 -2
  22. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/client/market.py +27 -7
  23. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/discovery/dnssd.py +2 -1
  24. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/economics/audit.py +8 -0
  25. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/economics/delegation_storage.py +44 -44
  26. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/economics/hooks.py +15 -13
  27. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/economics/sla.py +2 -2
  28. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/economics/sla_storage.py +20 -22
  29. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/economics/storage.py +63 -48
  30. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/integrations/a2h.py +2 -2
  31. asap_protocol-2.3.0/src/asap/registry/__init__.py +19 -0
  32. asap_protocol-2.3.0/src/asap/registry/anti_spam.py +20 -0
  33. asap_protocol-2.3.0/src/asap/registry/auto_registration.py +291 -0
  34. asap_protocol-2.3.0/src/asap/registry/bot_pr.py +336 -0
  35. asap_protocol-2.3.0/src/asap/registry/receipt_cache.py +96 -0
  36. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/state/stores/sqlite.py +30 -32
  37. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/testing/__init__.py +4 -0
  38. asap_protocol-2.3.0/src/asap/testing/asgi_factory.py +32 -0
  39. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/testing/assertions.py +33 -21
  40. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/testing/compliance.py +74 -22
  41. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/agent_routes.py +69 -28
  42. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/capability_routes.py +25 -5
  43. asap_protocol-2.3.0/src/asap/transport/challenge.py +119 -0
  44. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/client.py +157 -4
  45. asap_protocol-2.3.0/src/asap/transport/escalation_routes.py +199 -0
  46. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/rate_limit.py +34 -1
  47. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/server.py +97 -43
  48. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/validators.py +5 -2
  49. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/webhook.py +4 -1
  50. asap_protocol-2.2.0/src/asap/__init__.py +0 -9
  51. asap_protocol-2.2.0/src/asap/auth/self_auth.py +0 -144
  52. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/LICENSE +0 -0
  53. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/entities/agent.schema.json +0 -0
  54. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/entities/artifact.schema.json +0 -0
  55. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/entities/conversation.schema.json +0 -0
  56. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/entities/manifest.schema.json +0 -0
  57. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/entities/message.schema.json +0 -0
  58. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/entities/state_snapshot.schema.json +0 -0
  59. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/entities/task.schema.json +0 -0
  60. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/envelope.schema.json +0 -0
  61. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/parts/data_part.schema.json +0 -0
  62. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/parts/file_part.schema.json +0 -0
  63. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/parts/resource_part.schema.json +0 -0
  64. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/parts/template_part.schema.json +0 -0
  65. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/parts/text_part.schema.json +0 -0
  66. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/payloads/artifact_notify.schema.json +0 -0
  67. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/payloads/mcp_resource_data.schema.json +0 -0
  68. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/payloads/mcp_resource_fetch.schema.json +0 -0
  69. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/payloads/mcp_tool_call.schema.json +0 -0
  70. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/payloads/mcp_tool_result.schema.json +0 -0
  71. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/payloads/message_send.schema.json +0 -0
  72. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/payloads/state_query.schema.json +0 -0
  73. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/payloads/state_restore.schema.json +0 -0
  74. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/payloads/task_cancel.schema.json +0 -0
  75. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/payloads/task_request.schema.json +0 -0
  76. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/payloads/task_response.schema.json +0 -0
  77. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/schemas/payloads/task_update.schema.json +0 -0
  78. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/auth/__init__.py +0 -0
  79. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/auth/agent_jwt.py +0 -0
  80. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/auth/identity.py +0 -0
  81. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/auth/introspection.py +0 -0
  82. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/auth/jwks.py +0 -0
  83. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/auth/lifecycle.py +0 -0
  84. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/auth/middleware.py +0 -0
  85. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/auth/oauth2.py +0 -0
  86. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/auth/oidc.py +0 -0
  87. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/auth/scopes.py +0 -0
  88. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/auth/utils.py +0 -0
  89. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/client/__init__.py +0 -0
  90. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/client/cache.py +0 -0
  91. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/client/revocation.py +0 -0
  92. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/client/trust.py +0 -0
  93. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/crypto/__init__.py +0 -0
  94. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/crypto/keys.py +0 -0
  95. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/crypto/models.py +0 -0
  96. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/crypto/signing.py +0 -0
  97. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/crypto/trust.py +0 -0
  98. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/crypto/trust_levels.py +0 -0
  99. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/discovery/__init__.py +0 -0
  100. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/discovery/health.py +0 -0
  101. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/discovery/registry.py +0 -0
  102. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/discovery/validation.py +0 -0
  103. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/discovery/wellknown.py +0 -0
  104. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/economics/__init__.py +0 -0
  105. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/economics/delegation.py +0 -0
  106. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/economics/metering.py +0 -0
  107. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/errors.py +0 -0
  108. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/README.md +0 -0
  109. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/__init__.py +0 -0
  110. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/a2h_approval.py +0 -0
  111. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/agent_failover.py +0 -0
  112. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/auth_patterns.py +0 -0
  113. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/coordinator.py +0 -0
  114. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/echo_agent.py +0 -0
  115. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/error_recovery.py +0 -0
  116. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/long_running.py +0 -0
  117. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/mcp_client_demo.py +0 -0
  118. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/mcp_integration.py +0 -0
  119. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/multi_step_workflow.py +0 -0
  120. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/orchestration.py +0 -0
  121. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/rate_limiting.py +0 -0
  122. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/run_demo.py +0 -0
  123. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/secure_agent.py +0 -0
  124. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/secure_handler.py +0 -0
  125. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/state_migration.py +0 -0
  126. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/storage_backends.py +0 -0
  127. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/streaming_agent.py +0 -0
  128. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/streaming_response.py +0 -0
  129. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/v1_3_0_showcase.py +0 -0
  130. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/v1_4_0_showcase.py +0 -0
  131. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/examples/websocket_concept.py +0 -0
  132. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/handlers/__init__.py +0 -0
  133. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/handlers/hitl.py +0 -0
  134. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/integrations/__init__.py +0 -0
  135. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/integrations/crewai.py +0 -0
  136. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/integrations/langchain.py +0 -0
  137. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/integrations/llamaindex.py +0 -0
  138. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/integrations/openclaw.py +0 -0
  139. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/integrations/pydanticai.py +0 -0
  140. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/integrations/smolagents.py +0 -0
  141. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/integrations/vercel_ai.py +0 -0
  142. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/mcp/__init__.py +0 -0
  143. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/mcp/client.py +0 -0
  144. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/mcp/protocol.py +0 -0
  145. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/mcp/serve.py +0 -0
  146. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/mcp/server.py +0 -0
  147. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/mcp/server_runner.py +0 -0
  148. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/models/__init__.py +0 -0
  149. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/models/base.py +0 -0
  150. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/models/constants.py +0 -0
  151. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/models/entities.py +0 -0
  152. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/models/enums.py +0 -0
  153. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/models/envelope.py +0 -0
  154. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/models/ids.py +0 -0
  155. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/models/parts.py +0 -0
  156. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/models/payloads.py +0 -0
  157. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/models/types.py +0 -0
  158. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/models/validators.py +0 -0
  159. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/observability/__init__.py +0 -0
  160. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/observability/dashboards/README.md +0 -0
  161. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/observability/dashboards/asap-detailed.json +0 -0
  162. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/observability/dashboards/asap-red.json +0 -0
  163. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/observability/logging.py +0 -0
  164. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/observability/metrics.py +0 -0
  165. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/observability/trace_parser.py +0 -0
  166. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/observability/trace_ui.py +0 -0
  167. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/observability/tracing.py +0 -0
  168. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/schemas.py +0 -0
  169. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/state/__init__.py +0 -0
  170. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/state/machine.py +0 -0
  171. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/state/metering.py +0 -0
  172. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/state/snapshot.py +0 -0
  173. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/state/stores/__init__.py +0 -0
  174. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/state/stores/memory.py +0 -0
  175. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/testing/fixtures.py +0 -0
  176. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/testing/mocks.py +0 -0
  177. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/__init__.py +0 -0
  178. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/_auth_helpers.py +0 -0
  179. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/cache.py +0 -0
  180. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/circuit_breaker.py +0 -0
  181. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/codecs/__init__.py +0 -0
  182. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/codecs/lambda_codec.py +0 -0
  183. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/compression.py +0 -0
  184. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/delegation_api.py +0 -0
  185. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/executors.py +0 -0
  186. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/handlers.py +0 -0
  187. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/jsonrpc.py +0 -0
  188. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/middleware.py +0 -0
  189. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/mtls.py +0 -0
  190. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/sla_api.py +0 -0
  191. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/usage_api.py +0 -0
  192. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/transport/websocket.py +0 -0
  193. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/utils/__init__.py +0 -0
  194. {asap_protocol-2.2.0 → asap_protocol-2.3.0}/src/asap/utils/sanitization.py +0 -0
@@ -178,9 +178,25 @@ cython_debug/
178
178
  # Project specific
179
179
  !/.cursor/
180
180
  /drafts/
181
- # Strategy docs (private — do not commit)
182
- .cursor/product-specs/strategy/
181
+ /.claude/
182
+ # Local agent state / tooling (ignore everywhere, not only repo root)
183
+ .agents/
184
+ # Strategic and commercial planning (private - do not commit)
185
+ product/strategy/
186
+ product/private/
187
+ product/private-roadmap/
188
+ product/prd/private/
189
+ # Tactical PRDs outside private/ (patch train); single-digit and double-digit patch (e.g. v2.3.10)
190
+ product/prd/prd-v2.3.[1-9]-*.md
191
+ product/prd/prd-v2.3.[1-9][0-9]-*.md
192
+ engineering/private/
193
+ engineering/tasks/private/
194
+ engineering/tasks/v2.3.[1-9]*/
183
195
  node_modules/
196
+ # Next.js build output (examples and apps)
197
+ .next/
198
+ # tshy generated tsconfig fragments (regenerated on build)
199
+ .tshy/
184
200
  .pnpm-store/
185
201
  .github/wiki/
186
202
 
@@ -192,5 +208,10 @@ node_modules/
192
208
  .benchmarks/
193
209
  .uv-cache/
194
210
 
211
+ # TypeScript incremental build info (local / IDE)
212
+ *.tsbuildinfo
213
+
195
214
  # ESLint report (generated)
196
215
  eslint-report.json
216
+ .vercel
217
+ .env*.local
@@ -7,8 +7,153 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ---
11
+
12
+ ## [2.3.0] - 2026-05-04
13
+
14
+ **Adoption Multiplier** — OpenAPI-derived agents, first-class TypeScript, lean
15
+ registry auto-registration, runtime capability escalation, and opt-in
16
+ `WWW-Authenticate: ASAP` discovery challenges. Wire JSON-RPC and envelope
17
+ schemas remain backward compatible with v2.2.x.
18
+
10
19
  ### Added
11
- - Future changes will be documented here.
20
+
21
+ - **OpenAPI Adapter (Python)**: `asap.adapters.openapi.create_from_openapi` maps
22
+ OpenAPI 3.x operations to ASAP capabilities; optional `[openapi]` extra.
23
+ See [docs/adapters/openapi.md](docs/adapters/openapi.md).
24
+ - **Official TypeScript client**: npm package `@asap-protocol/client` with
25
+ discovery, capability helpers, streaming consumer, and optional adapters for
26
+ Vercel AI SDK, OpenAI, and Anthropic (`packages/typescript/client/`).
27
+ - **Auto-Registration**: `POST /registry/agents` for Compliance Harness–gated
28
+ Lite Registry submissions (optional `registry_auto_registration` on
29
+ `create_app`). See [docs/registry/auto-registration.md](docs/registry/auto-registration.md).
30
+ - **Capability escalation**: `POST /asap/agent/request-capability` plus Python
31
+ `ASAPClient.request_capability` / TypeScript client support for approval
32
+ flows without re-registering the agent.
33
+ - **ASAP HTTP challenge**: `WWW-Authenticate: ASAP` with `discovery=` manifest
34
+ URL on selected 401/403 responses; clients can record discovery metadata from
35
+ the challenge header.
36
+
37
+ ### Changed
38
+
39
+ - **Reference server**: New optional routers and middleware wiring are
40
+ **opt-in** behind constructor flags — existing deployments keep v2.2.x
41
+ behavior until they enable OpenAPI surfaces, auto-registration, escalation
42
+ routes, or challenge middleware.
43
+
44
+ ### Security
45
+
46
+ - **Dependency sweep (pre-tag)**: `uv run pip-audit --ignore-vuln CVE-2026-4539 --ignore-vuln CVE-2026-3219` (after `uv sync` per [SECURITY.md](SECURITY.md)) reported **no known vulnerabilities** (same ignores as CI). **`apps/web`**: `npm audit` (2026-05-04) still reports **moderate** `postcss` via `next@16.2.4` (GHSA-qx2v-qp2m-jg93); upstream fix may require a newer Next.js line — track before treating web audits as fully clean.
47
+
48
+ ---
49
+
50
+ ## [2.2.1] - 2026-04-21
51
+
52
+ Patch release: optional WebAuthn verification, compliance and audit CLIs, docs,
53
+ and CI baselines.
54
+
55
+ ### Added
56
+
57
+ - **WebAuthn (optional extra)**: `asap-protocol[webauthn]` enables real
58
+ registration/assertion verification when `ASAP_WEBAUTHN_RP_ID` and
59
+ `ASAP_WEBAUTHN_ORIGIN` are set; otherwise behavior matches v2.2.0. See
60
+ [v2.2.0 → v2.2.1 migration](docs/migration.md#upgrading-from-v220-to-v221).
61
+ - **`asap compliance-check`**: Runs Compliance Harness v2 against an agent
62
+ `HTTP(S)` base URL; `--output {text,json}`, `--exit-on-fail`, `--timeout`,
63
+ `--asap-version`. Documented in [docs/cli.md](docs/cli.md) and
64
+ [docs/ci-compliance.md](docs/ci-compliance.md) (Actions example with
65
+ `--exit-on-fail`).
66
+ - **`asap audit export`**: Exports hash-chained audit rows from SQLite or an
67
+ in-memory store; `--verify-chain` fails on tampering. Documented in
68
+ [docs/cli.md](docs/cli.md#asap-audit-export) and [docs/audit.md](docs/audit.md).
69
+ - **`apps/example-agent`**: Minimal installable example; CI runs Harness v2 and
70
+ fails on score < 1.0 (regression guard).
71
+
72
+ ### Security
73
+
74
+ - **`python-dotenv`**: `tool.uv.override-dependencies` pins **≥ 1.2.2** (CVE-2026-28684)
75
+ on transitive installs.
76
+ - **`apps/web`**: Dependency updates closing npm audit findings (Next.js 16.2.4;
77
+ `micromatch` subtree forced to `picomatch` ≥ 2.3.2).
78
+
79
+ ### Changed
80
+
81
+ - **CLI package layout**: Typer subcommands live under `asap.cli` / `src/asap/cli/`
82
+ (replacing the monolithic `cli.py` module); `asap` console script unchanged.
83
+ - **`ResolvedAgent.run()`**: Tightens the contract from "tri-branch dict[str, Any]" to
84
+ "the TaskResponse.result dict, or empty dict if result is None". A protocol violation
85
+ (server responds with anything other than a TaskResponse envelope) now raises
86
+ `TypeError` so it surfaces at the call site instead of silently coercing into a dict.
87
+ Return type annotation remains `dict[str, Any]`; no caller API change. Closes the
88
+ deferred follow-up from v2.1 PR-73 review.
89
+ - **Dependency pins**: `cryptography`, `authlib`, `joserfc`, `pyjwt`, `webauthn` (extra),
90
+ and `pydantic` now carry explicit upper bounds to the next major version so breaking
91
+ upstream releases can't auto-install. Policy + bump procedure documented in
92
+ [SECURITY.md §Dependency policy](SECURITY.md#dependency-policy).
93
+ - **ID generation**: `asap.state.stores.sqlite`, `asap.economics.storage`,
94
+ `asap.economics.sla`, and `asap.integrations.a2h` now generate entity IDs through
95
+ `asap.models.ids.generate_id()` (ULID) instead of ad-hoc `uuid.uuid4()`. The
96
+ slowapi storage-URI suffix in `asap.transport.rate_limit` remains `uuid.uuid4().hex`
97
+ because it is a backend namespace, not a domain identifier; an inline comment
98
+ documents the distinction.
99
+ - **`asap.economics.storage` aggregate dispatch**: The six-branch `cast(list[UsageAggregate], ...)`
100
+ clusters in `InMemoryMeteringStorage.aggregate` and `SQLiteMeteringStorage.aggregate` are
101
+ consolidated into a single `_dispatch_aggregate(events, group_by)` helper. Eight
102
+ scattered casts become three, all documented in one place.
103
+ - **`asap.transport.server` helper types**: `_validate_envelope` and `_dispatch_to_handler`
104
+ now return a discriminable `EnvelopeOrError = JSONResponse | tuple[Envelope, str]`
105
+ union instead of `tuple[Envelope | None, JSONResponse | str]`. Callers narrow via
106
+ `isinstance(result, JSONResponse)` and no longer need `cast()` at the three call
107
+ sites. Internal-only refactor; public API unchanged.
108
+ - **`WebAuthnVerifierImpl.start_webauthn_*`**: Returns the full
109
+ `PublicKeyCredentialCreation/RequestOptions` dict from
110
+ `webauthn.helpers.options_to_json_dict` (previously a bare base64url
111
+ challenge). Integrators building a browser adapter get `rp`, `user`,
112
+ `pubKeyCredParams`, `allowCredentials`, and `userVerification` out of the
113
+ box and no longer need to hand-assemble the options envelope.
114
+ - **`default_webauthn_verifier()`**: The returned verifier is now cached
115
+ per-process (keyed by `extra_installed / rp_id / origin`). Pending
116
+ WebAuthn challenges persist across requests when the defensive fallback in
117
+ `agent_routes._webauthn_verifier` is hit — previously each fallback call
118
+ rebuilt an empty `InMemoryWebAuthnCredentialStore`, silently discarding
119
+ any `start_webauthn_assertion` state. Tests can reset the cache with
120
+ `asap.auth.self_auth.reset_default_webauthn_verifier_cache()`.
121
+
122
+ ### Fixed
123
+
124
+ - **Swallowed exceptions in `finish_webauthn_assertion`**: Bare
125
+ `except Exception:` blocks now catch the specific
126
+ `InvalidAuthenticationResponse` / `ValueError` / `TypeError` classes and
127
+ emit structured warnings (`asap.webauthn.assertion.invalid`,
128
+ `.malformed_challenge`, `.challenge_mismatch`, `.unknown_credential`)
129
+ via `asap.observability.get_logger` so SIEM rules can detect
130
+ cloned-authenticator and replay patterns.
131
+ - **`WebAuthnCeremonyError` payload**: Public `detail` is now a stable,
132
+ PII-free identifier (`webauthn_registration_state_missing`,
133
+ `webauthn_registration_verification_failed`). `host_id` and the upstream
134
+ library reason are logged internally instead of leaking into the error
135
+ surface.
136
+ - **`audit export --verify-chain`**: Replaces fragile string-matching on
137
+ `"AUDIT_CHAIN_BROKEN"` with a dedicated `asap.economics.audit.AuditChainBroken`
138
+ exception. Invalid `--since` / `--until` ISO-8601 values now surface as
139
+ `typer.BadParameter` instead of an unhandled traceback.
140
+ - **CSV export determinism**: `asap audit export --format csv` now writes
141
+ rows with `lineterminator="\n"` for reproducible diffs on Linux CI.
142
+ - **Test fixtures**: `tests/cli/test_compliance_check.py` uvicorn fixtures
143
+ now stop the server cooperatively via `server.should_exit = True` +
144
+ `thread.join`, preventing the leaked-socket flakes flagged under
145
+ `pytest-xdist` on long suites.
146
+
147
+ ### Known limitations
148
+
149
+ - **No reference HTTP enrollment route** for the WebAuthn registration
150
+ ceremony. `WebAuthnVerifierImpl.start_webauthn_registration` /
151
+ `.finish_webauthn_registration` are Python-only helpers in v2.2.1;
152
+ integrators must expose their own adapter route (see
153
+ [docs/security/self-authorization-prevention.md](docs/security/self-authorization-prevention.md#known-limitation-no-reference-http-enrollment-route-in-v221)).
154
+ A first-class `POST /asap/agent/webauthn/register/{begin,finish}` is
155
+ tracked for v2.3 (Adoption Multiplier), where new endpoint surface area
156
+ is permitted.
12
157
 
13
158
  ---
14
159
 
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: asap-protocol
3
- Version: 2.2.0
3
+ Version: 2.3.0
4
4
  Summary: Async Simple Agent Protocol - A streamlined protocol for agent-to-agent communication
5
5
  Project-URL: Homepage, https://github.com/adriannoes/asap-protocol
6
6
  Project-URL: Documentation, https://adriannoes.github.io/asap-protocol
@@ -21,13 +21,13 @@ Classifier: Topic :: System :: Distributed Computing
21
21
  Classifier: Typing :: Typed
22
22
  Requires-Python: >=3.13
23
23
  Requires-Dist: aiosqlite>=0.20
24
- Requires-Dist: authlib>=1.6.9
24
+ Requires-Dist: authlib<2,>=1.6.11
25
25
  Requires-Dist: brotli>=1.2.0
26
- Requires-Dist: cryptography>=46.0.7
26
+ Requires-Dist: cryptography<47,>=46.0.7
27
27
  Requires-Dist: fastapi>=0.128.0
28
28
  Requires-Dist: httpx[http2]>=0.28.1
29
29
  Requires-Dist: jcs>=0.2.0
30
- Requires-Dist: joserfc>=1.6.3
30
+ Requires-Dist: joserfc<2,>=1.6.3
31
31
  Requires-Dist: jsonschema>=4.23.0
32
32
  Requires-Dist: limits>=3.0
33
33
  Requires-Dist: opentelemetry-api>=1.20
@@ -36,7 +36,7 @@ Requires-Dist: opentelemetry-instrumentation-fastapi>=0.41
36
36
  Requires-Dist: opentelemetry-instrumentation-httpx>=0.41
37
37
  Requires-Dist: opentelemetry-sdk>=1.20
38
38
  Requires-Dist: packaging>=25.0
39
- Requires-Dist: pydantic>=2.12.5
39
+ Requires-Dist: pydantic<3,>=2.12.5
40
40
  Requires-Dist: python-ulid>=3.0
41
41
  Requires-Dist: structlog>=24.1
42
42
  Requires-Dist: typer>=0.21.1
@@ -69,6 +69,8 @@ Provides-Extra: llamaindex
69
69
  Requires-Dist: llama-index-core>=0.10; extra == 'llamaindex'
70
70
  Provides-Extra: mcp
71
71
  Requires-Dist: mcp>=1.0.0; extra == 'mcp'
72
+ Provides-Extra: openapi
73
+ Requires-Dist: openapi-pydantic>=0.5; extra == 'openapi'
72
74
  Provides-Extra: openclaw
73
75
  Requires-Dist: openclaw-sdk>=2.0; extra == 'openclaw'
74
76
  Provides-Extra: pydanticai
@@ -77,6 +79,8 @@ Provides-Extra: redis
77
79
  Requires-Dist: redis>=5.0.0; extra == 'redis'
78
80
  Provides-Extra: smolagents
79
81
  Requires-Dist: smolagents>=1.0; extra == 'smolagents'
82
+ Provides-Extra: webauthn
83
+ Requires-Dist: webauthn<3,>=2.6; extra == 'webauthn'
80
84
  Description-Content-Type: text/markdown
81
85
 
82
86
  # ASAP: Async Simple Agent Protocol
@@ -88,9 +92,11 @@ Description-Content-Type: text/markdown
88
92
 
89
93
  > A production-ready protocol for agent-to-agent communication and task coordination.
90
94
 
91
- **Quick Info**: `v2.1.1` | `Apache 2.0` | `Python 3.13+` | [Documentation](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md) | [PyPI](https://pypi.org/project/asap-protocol/) | [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md)
95
+ **Quick Info**: `v2.3.0` | `Apache 2.0` | `Python 3.13+` | [Documentation](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md) | **[PyPI `asap-protocol`](https://pypi.org/project/asap-protocol/)** | **[npm `@asap-protocol/client`](https://www.npmjs.com/package/@asap-protocol/client)** | [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md)
92
96
 
93
- > 🚀 **Live now** our [**agentic marketplace**](https://asap-protocol.vercel.app/)Browse agents, register yours, request verification.
97
+ > 📦 Install the ASAP **Python SDK / protocol** from **`https://pypi.org/project/asap-protocol/`**package name **`asap-protocol`** on [PyPI](https://pypi.org/project/asap-protocol/).
98
+
99
+ > 🚀 **Live now** our [**agentic marketplace**](https://asap-protocol.com/) — browse agents, register yours, request verification.
94
100
 
95
101
  ## Why ASAP?
96
102
 
@@ -101,7 +107,7 @@ Building multi-agent systems today suffers from three core technical challenges
101
107
 
102
108
  **ASAP** provides a production-ready communication layer that simplifies these complexities. It's ideal for **multi-agent orchestration**, **stateful workflows** (persistence, resumability), **MCP support** and **production systems** requiring high-performance, type-safe agent communication.
103
109
 
104
- For simple point-to-point communication, a basic HTTP API might suffice; ASAP shines when you need orchestration, state management and multi-agent coordination. See the [spec](https://github.com/adriannoes/asap-protocol/blob/main/.cursor/product-specs/strategy/v0-original-specs.md) for details.
110
+ For simple point-to-point communication, a basic HTTP API might suffice; ASAP shines when you need orchestration, state management and multi-agent coordination. See the [documentation](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md) for the current protocol overview and features.
105
111
 
106
112
  ### Key Features
107
113
 
@@ -111,6 +117,9 @@ For simple point-to-point communication, a basic HTTP API might suffice; ASAP sh
111
117
  - **MCP integration** — Tool execution and coordination in a single envelope.
112
118
  - **Observable** — `trace_id` and `correlation_id` for debugging.
113
119
  - **Security** — Bearer auth, OAuth2/JWT, Ed25519 signed manifests, optional mTLS, replay prevention, HTTPS, rate limiting. [Security Model](https://github.com/adriannoes/asap-protocol/blob/main/docs/security/v1.1-security-model.md) (trust limits, Custom Claims).
120
+ - **Identity & capabilities (v2.2, WebAuthn real in v2.2.1)** — Per-runtime Host/Agent JWTs, capability grants with constraints (`max`, `min`, `in`, `not_in`), approval flows (device authorization / CIBA-style), real WebAuthn attestation/assertion for high-risk registration (opt-in via `asap-protocol[webauthn]`).
121
+ - **Streaming & wire protocol (v2.2)** — `POST /asap/stream` (SSE / `TaskStream`), JSON-RPC 2.0 batch on `POST /asap`, `ASAP-Version` negotiation, tamper-evident audit logging, Compliance Harness v2.
122
+ - **Adoption Multiplier (v2.3.0)** — OpenAPI → ASAP via `create_from_openapi` (`[openapi]` extra), official **`@asap-protocol/client`** on npm (Vercel AI / OpenAI / Anthropic adapters), optional **Auto-Registration** (`POST /registry/agents`), **capability escalation**, and **ASAP `WWW-Authenticate`** discovery challenges. All opt-in; wire protocol unchanged. See [docs/index.md](docs/index.md) and [docs/migration.md](docs/migration.md).
114
123
  - **Economics** — Usage metering, delegation tokens, SLA framework with breach alerts.
115
124
 
116
125
  ### 🆕 Framework Ecosystem
@@ -130,7 +139,13 @@ Or with pip:
130
139
  pip install asap-protocol
131
140
  ```
132
141
 
133
- 📦 **Available on [PyPI](https://pypi.org/project/asap-protocol/)** — for reproducible environments, prefer `uv` when possible.
142
+ **npm** (TypeScript / JavaScript — [`@asap-protocol/client`](https://www.npmjs.com/package/@asap-protocol/client), aligned with protocol **v2.3.0**):
143
+
144
+ ```bash
145
+ npm install @asap-protocol/client
146
+ ```
147
+
148
+ 📦 **Canonical listing:** **[https://pypi.org/project/asap-protocol/](https://pypi.org/project/asap-protocol/)** — package **`asap-protocol`** (`pip install asap-protocol`). Prefer `uv` for reproducible environments when possible.
134
149
 
135
150
  ## Quick Start
136
151
 
@@ -173,6 +188,7 @@ See [Compliance Testing Guide](https://github.com/adriannoes/asap-protocol/blob/
173
188
 
174
189
  **Learn**
175
190
  - [Docs](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md) | [API Reference](https://github.com/adriannoes/asap-protocol/blob/main/docs/api-reference.md)
191
+ - [TypeScript client SDK](https://github.com/adriannoes/asap-protocol/blob/main/docs/sdks/typescript.md) — `@asap-protocol/client` (identity, capabilities, streaming, adapters)
176
192
  - [Tutorials](https://github.com/adriannoes/asap-protocol/tree/main/docs/tutorials) — First agent to production checklist
177
193
  - [Migration from A2A/MCP](https://github.com/adriannoes/asap-protocol/blob/main/docs/migration.md)
178
194
  - [Raw Fetch (non-Python)](https://github.com/adriannoes/asap-protocol/blob/main/docs/raw-fetch.md) — Fetch registry.json and revoked_agents.json with curl/fetch; implement your own client.
@@ -184,36 +200,48 @@ See [Compliance Testing Guide](https://github.com/adriannoes/asap-protocol/blob/
184
200
  - [Observability](https://github.com/adriannoes/asap-protocol/blob/main/docs/observability.md) | [Testing](https://github.com/adriannoes/asap-protocol/blob/main/docs/testing.md)
185
201
 
186
202
  **Decisions & Operations**
187
- - [ADRs](https://github.com/adriannoes/asap-protocol/tree/main/docs/adr) — 17 Architecture Decision Records
188
- - [Tech Stack](https://github.com/adriannoes/asap-protocol/blob/main/.cursor/dev-planning/architecture/tech-stack-decisions.md) — Rationale for Python, Pydantic, Next.js choices
203
+ - [ADRs](https://github.com/adriannoes/asap-protocol/tree/main/docs/adr) — 19 Architecture Decision Records
204
+ - [Tech Stack](https://github.com/adriannoes/asap-protocol/blob/main/engineering/architecture/tech-stack-decisions.md) — Rationale for Python, Pydantic, Next.js choices
189
205
  - [Deployment](https://github.com/adriannoes/asap-protocol/blob/main/docs/deployment/kubernetes.md) | [Troubleshooting](https://github.com/adriannoes/asap-protocol/blob/main/docs/troubleshooting.md)
190
206
 
191
207
  **Release**
192
- - [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md) | [PyPI](https://pypi.org/project/asap-protocol/)
208
+ - [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md) | **[PyPI listing](https://pypi.org/project/asap-protocol/)** — `https://pypi.org/project/asap-protocol/` (install: `pip install asap-protocol`)
193
209
 
194
210
  ## CLI
195
211
 
196
- - **v1.1** adds OAuth2, WebSocket, Discovery (well-known + Lite Registry), State Storage (SQLite) and Webhooks.
197
- - **v1.2** adds Ed25519 signed manifests, trust levels, optional mTLS and the [Compliance Harness](https://github.com/adriannoes/asap-protocol/blob/main/asap-compliance/README.md).
198
- - **v1.3** adds delegation commands (`asap delegation create`, `asap delegation revoke`).
199
-
200
212
  ```bash
201
213
  asap --version # Show version
202
214
  asap list-schemas # List all available schemas
203
215
  asap export-schemas # Export JSON schemas to file
216
+ asap compliance-check --url https://agent.example # Compliance Harness v2 (HTTP(S))
217
+ asap audit export --store memory --format json # Export audit log (stdout)
204
218
  asap keys generate -o key.pem # Generate Ed25519 keypair
205
219
  asap manifest sign -k key.pem manifest.json # Sign manifest
206
220
  asap manifest verify signed.json # Verify signature
207
221
  asap manifest info signed.json # Show trust level
208
222
  ```
209
223
 
210
- See [CLI reference](https://github.com/adriannoes/asap-protocol/blob/main/docs/guides/identity-signing.md) or run `asap --help`.
224
+ See the [CLI reference](docs/cli.md) for `compliance-check` and `audit export` flag details, the [CI compliance gate](docs/ci-compliance.md) for wiring `compliance-check` into GitHub Actions, the [audit export guide](docs/audit.md), [Identity Signing](docs/guides/identity-signing.md), or run `asap --help` for the full command surface.
211
225
 
212
- See [docs index](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md#v11-features-api-reference--guides) and [Identity Signing](https://github.com/adriannoes/asap-protocol/blob/main/docs/guides/identity-signing.md) for details.
226
+ ## Version History
227
+
228
+ High-level only — see **[Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md)** and the **[docs index](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md#v11-features-api-reference--guides)** for full notes.
229
+
230
+ | Version | What shipped |
231
+ | :-- | :-- |
232
+ | **v2.3.0** | **OpenAPI Adapter** (`[openapi]`) · **TypeScript client** (`@asap-protocol/client`) · **Auto-Registration** · **Capability escalation** · **ASAP HTTP challenge** — see [CHANGELOG](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md#230---2026-05-04) and [Migration](https://github.com/adriannoes/asap-protocol/blob/main/docs/migration.md#upgrading-from-v22x-to-v230) |
233
+ | **v2.2.1** | Opt-in **WebAuthn** (`asap-protocol[webauthn]`) · `asap compliance-check` & `asap audit export` · stricter `ResolvedAgent.run()` · `AuditChainBroken` · [pinned security deps](https://github.com/adriannoes/asap-protocol/blob/main/SECURITY.md#dependency-policy) |
234
+ | **v2.2** | Per-runtime identity & capability auth · SSE `POST /asap/stream` · `ASAP-Version` · JSON-RPC batch · tamper-evident audit · async state stores · Compliance Harness v2 |
235
+ | **v2.1.1** | Patch: JWT allowlist · SQLite async bridge · optional Redis rate limits · web SSRF hardening |
236
+ | **v2.1** | `MarketClient` · framework extras (LangChain, CrewAI, LlamaIndex, …) · registry UX |
237
+ | **v2.0** | Marketplace web app · Lite Registry (GitHub Pages) · IssueOps · OAuth · verification flow |
238
+ | **v1.3** | `asap delegation create` / `revoke` |
239
+ | **v1.2** | Ed25519 manifests · trust levels · optional mTLS · [Compliance Harness](https://github.com/adriannoes/asap-protocol/blob/main/asap-compliance/README.md) |
240
+ | **v1.1** | OAuth2 · WebSocket · discovery (well-known + Lite Registry) · SQLite state · webhooks |
213
241
 
214
242
  ## 🔭 What's Next?
215
243
 
216
- ASAP is evolving toward an **Agent Marketplace** — an open ecosystem where AI agents discover, trust and collaborate autonomously. See our [vision document](https://github.com/adriannoes/asap-protocol/blob/main/.cursor/product-specs/strategy/vision-agent-marketplace.md) for the full roadmap.
244
+ ASAP is evolving toward an **Agent Marketplace** — an open ecosystem where AI agents discover, trust and collaborate autonomously. See the [ADR index](https://github.com/adriannoes/asap-protocol/blob/main/product/decision-records/README.md) and [v2.0 roadmap PRD](https://github.com/adriannoes/asap-protocol/blob/main/product/prd/prd-v2.0-roadmap.md). Detailed long-term strategy narratives are maintained privately (not shipped in this repository).
217
245
 
218
246
  ## Contributing
219
247
 
@@ -223,10 +251,18 @@ Every contribution, from bug reports to feature suggestions, documentation impro
223
251
 
224
252
  Check out our [contributing guidelines](https://github.com/adriannoes/asap-protocol/blob/main/CONTRIBUTING.md) to get started. It's easier than you think! 🚀
225
253
 
254
+ ## Contact
255
+
256
+ For **general questions** about the protocol, the marketplace, partnerships, or press (not security vulnerabilities — use [SECURITY.md](https://github.com/adriannoes/asap-protocol/blob/main/SECURITY.md) for those):
257
+
258
+ - **Email:** [info@asap-protocol.com](mailto:info@asap-protocol.com)
259
+
260
+ You can also use [GitHub Discussions](https://github.com/adriannoes/asap-protocol/discussions) or [Issues](https://github.com/adriannoes/asap-protocol/issues) for public project topics.
261
+
226
262
  ## License
227
263
 
228
264
  This project is licensed under the Apache 2.0 License - see the [license](https://github.com/adriannoes/asap-protocol/blob/main/LICENSE) file for details.
229
265
 
230
266
  ---
231
267
 
232
- **Built with [Cursor](https://cursor.com/)** using Composer 1.5, Claude Opus 4.6, Gemini 3.1 Pro and Kimi K2.5.
268
+ **Built with [Cursor](https://cursor.com/)** using Opus 4.6/4.7, Composer 1.5/2.0, Gemini 3.1 Pro and Kimi K2.5.
@@ -7,9 +7,11 @@
7
7
 
8
8
  > A production-ready protocol for agent-to-agent communication and task coordination.
9
9
 
10
- **Quick Info**: `v2.1.1` | `Apache 2.0` | `Python 3.13+` | [Documentation](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md) | [PyPI](https://pypi.org/project/asap-protocol/) | [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md)
10
+ **Quick Info**: `v2.3.0` | `Apache 2.0` | `Python 3.13+` | [Documentation](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md) | **[PyPI `asap-protocol`](https://pypi.org/project/asap-protocol/)** | **[npm `@asap-protocol/client`](https://www.npmjs.com/package/@asap-protocol/client)** | [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md)
11
11
 
12
- > 🚀 **Live now** our [**agentic marketplace**](https://asap-protocol.vercel.app/)Browse agents, register yours, request verification.
12
+ > 📦 Install the ASAP **Python SDK / protocol** from **`https://pypi.org/project/asap-protocol/`**package name **`asap-protocol`** on [PyPI](https://pypi.org/project/asap-protocol/).
13
+
14
+ > 🚀 **Live now** our [**agentic marketplace**](https://asap-protocol.com/) — browse agents, register yours, request verification.
13
15
 
14
16
  ## Why ASAP?
15
17
 
@@ -20,7 +22,7 @@ Building multi-agent systems today suffers from three core technical challenges
20
22
 
21
23
  **ASAP** provides a production-ready communication layer that simplifies these complexities. It's ideal for **multi-agent orchestration**, **stateful workflows** (persistence, resumability), **MCP support** and **production systems** requiring high-performance, type-safe agent communication.
22
24
 
23
- For simple point-to-point communication, a basic HTTP API might suffice; ASAP shines when you need orchestration, state management and multi-agent coordination. See the [spec](https://github.com/adriannoes/asap-protocol/blob/main/.cursor/product-specs/strategy/v0-original-specs.md) for details.
25
+ For simple point-to-point communication, a basic HTTP API might suffice; ASAP shines when you need orchestration, state management and multi-agent coordination. See the [documentation](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md) for the current protocol overview and features.
24
26
 
25
27
  ### Key Features
26
28
 
@@ -30,6 +32,9 @@ For simple point-to-point communication, a basic HTTP API might suffice; ASAP sh
30
32
  - **MCP integration** — Tool execution and coordination in a single envelope.
31
33
  - **Observable** — `trace_id` and `correlation_id` for debugging.
32
34
  - **Security** — Bearer auth, OAuth2/JWT, Ed25519 signed manifests, optional mTLS, replay prevention, HTTPS, rate limiting. [Security Model](https://github.com/adriannoes/asap-protocol/blob/main/docs/security/v1.1-security-model.md) (trust limits, Custom Claims).
35
+ - **Identity & capabilities (v2.2, WebAuthn real in v2.2.1)** — Per-runtime Host/Agent JWTs, capability grants with constraints (`max`, `min`, `in`, `not_in`), approval flows (device authorization / CIBA-style), real WebAuthn attestation/assertion for high-risk registration (opt-in via `asap-protocol[webauthn]`).
36
+ - **Streaming & wire protocol (v2.2)** — `POST /asap/stream` (SSE / `TaskStream`), JSON-RPC 2.0 batch on `POST /asap`, `ASAP-Version` negotiation, tamper-evident audit logging, Compliance Harness v2.
37
+ - **Adoption Multiplier (v2.3.0)** — OpenAPI → ASAP via `create_from_openapi` (`[openapi]` extra), official **`@asap-protocol/client`** on npm (Vercel AI / OpenAI / Anthropic adapters), optional **Auto-Registration** (`POST /registry/agents`), **capability escalation**, and **ASAP `WWW-Authenticate`** discovery challenges. All opt-in; wire protocol unchanged. See [docs/index.md](docs/index.md) and [docs/migration.md](docs/migration.md).
33
38
  - **Economics** — Usage metering, delegation tokens, SLA framework with breach alerts.
34
39
 
35
40
  ### 🆕 Framework Ecosystem
@@ -49,7 +54,13 @@ Or with pip:
49
54
  pip install asap-protocol
50
55
  ```
51
56
 
52
- 📦 **Available on [PyPI](https://pypi.org/project/asap-protocol/)** — for reproducible environments, prefer `uv` when possible.
57
+ **npm** (TypeScript / JavaScript — [`@asap-protocol/client`](https://www.npmjs.com/package/@asap-protocol/client), aligned with protocol **v2.3.0**):
58
+
59
+ ```bash
60
+ npm install @asap-protocol/client
61
+ ```
62
+
63
+ 📦 **Canonical listing:** **[https://pypi.org/project/asap-protocol/](https://pypi.org/project/asap-protocol/)** — package **`asap-protocol`** (`pip install asap-protocol`). Prefer `uv` for reproducible environments when possible.
53
64
 
54
65
  ## Quick Start
55
66
 
@@ -92,6 +103,7 @@ See [Compliance Testing Guide](https://github.com/adriannoes/asap-protocol/blob/
92
103
 
93
104
  **Learn**
94
105
  - [Docs](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md) | [API Reference](https://github.com/adriannoes/asap-protocol/blob/main/docs/api-reference.md)
106
+ - [TypeScript client SDK](https://github.com/adriannoes/asap-protocol/blob/main/docs/sdks/typescript.md) — `@asap-protocol/client` (identity, capabilities, streaming, adapters)
95
107
  - [Tutorials](https://github.com/adriannoes/asap-protocol/tree/main/docs/tutorials) — First agent to production checklist
96
108
  - [Migration from A2A/MCP](https://github.com/adriannoes/asap-protocol/blob/main/docs/migration.md)
97
109
  - [Raw Fetch (non-Python)](https://github.com/adriannoes/asap-protocol/blob/main/docs/raw-fetch.md) — Fetch registry.json and revoked_agents.json with curl/fetch; implement your own client.
@@ -103,36 +115,48 @@ See [Compliance Testing Guide](https://github.com/adriannoes/asap-protocol/blob/
103
115
  - [Observability](https://github.com/adriannoes/asap-protocol/blob/main/docs/observability.md) | [Testing](https://github.com/adriannoes/asap-protocol/blob/main/docs/testing.md)
104
116
 
105
117
  **Decisions & Operations**
106
- - [ADRs](https://github.com/adriannoes/asap-protocol/tree/main/docs/adr) — 17 Architecture Decision Records
107
- - [Tech Stack](https://github.com/adriannoes/asap-protocol/blob/main/.cursor/dev-planning/architecture/tech-stack-decisions.md) — Rationale for Python, Pydantic, Next.js choices
118
+ - [ADRs](https://github.com/adriannoes/asap-protocol/tree/main/docs/adr) — 19 Architecture Decision Records
119
+ - [Tech Stack](https://github.com/adriannoes/asap-protocol/blob/main/engineering/architecture/tech-stack-decisions.md) — Rationale for Python, Pydantic, Next.js choices
108
120
  - [Deployment](https://github.com/adriannoes/asap-protocol/blob/main/docs/deployment/kubernetes.md) | [Troubleshooting](https://github.com/adriannoes/asap-protocol/blob/main/docs/troubleshooting.md)
109
121
 
110
122
  **Release**
111
- - [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md) | [PyPI](https://pypi.org/project/asap-protocol/)
123
+ - [Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md) | **[PyPI listing](https://pypi.org/project/asap-protocol/)** — `https://pypi.org/project/asap-protocol/` (install: `pip install asap-protocol`)
112
124
 
113
125
  ## CLI
114
126
 
115
- - **v1.1** adds OAuth2, WebSocket, Discovery (well-known + Lite Registry), State Storage (SQLite) and Webhooks.
116
- - **v1.2** adds Ed25519 signed manifests, trust levels, optional mTLS and the [Compliance Harness](https://github.com/adriannoes/asap-protocol/blob/main/asap-compliance/README.md).
117
- - **v1.3** adds delegation commands (`asap delegation create`, `asap delegation revoke`).
118
-
119
127
  ```bash
120
128
  asap --version # Show version
121
129
  asap list-schemas # List all available schemas
122
130
  asap export-schemas # Export JSON schemas to file
131
+ asap compliance-check --url https://agent.example # Compliance Harness v2 (HTTP(S))
132
+ asap audit export --store memory --format json # Export audit log (stdout)
123
133
  asap keys generate -o key.pem # Generate Ed25519 keypair
124
134
  asap manifest sign -k key.pem manifest.json # Sign manifest
125
135
  asap manifest verify signed.json # Verify signature
126
136
  asap manifest info signed.json # Show trust level
127
137
  ```
128
138
 
129
- See [CLI reference](https://github.com/adriannoes/asap-protocol/blob/main/docs/guides/identity-signing.md) or run `asap --help`.
139
+ See the [CLI reference](docs/cli.md) for `compliance-check` and `audit export` flag details, the [CI compliance gate](docs/ci-compliance.md) for wiring `compliance-check` into GitHub Actions, the [audit export guide](docs/audit.md), [Identity Signing](docs/guides/identity-signing.md), or run `asap --help` for the full command surface.
130
140
 
131
- See [docs index](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md#v11-features-api-reference--guides) and [Identity Signing](https://github.com/adriannoes/asap-protocol/blob/main/docs/guides/identity-signing.md) for details.
141
+ ## Version History
142
+
143
+ High-level only — see **[Changelog](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md)** and the **[docs index](https://github.com/adriannoes/asap-protocol/blob/main/docs/index.md#v11-features-api-reference--guides)** for full notes.
144
+
145
+ | Version | What shipped |
146
+ | :-- | :-- |
147
+ | **v2.3.0** | **OpenAPI Adapter** (`[openapi]`) · **TypeScript client** (`@asap-protocol/client`) · **Auto-Registration** · **Capability escalation** · **ASAP HTTP challenge** — see [CHANGELOG](https://github.com/adriannoes/asap-protocol/blob/main/CHANGELOG.md#230---2026-05-04) and [Migration](https://github.com/adriannoes/asap-protocol/blob/main/docs/migration.md#upgrading-from-v22x-to-v230) |
148
+ | **v2.2.1** | Opt-in **WebAuthn** (`asap-protocol[webauthn]`) · `asap compliance-check` & `asap audit export` · stricter `ResolvedAgent.run()` · `AuditChainBroken` · [pinned security deps](https://github.com/adriannoes/asap-protocol/blob/main/SECURITY.md#dependency-policy) |
149
+ | **v2.2** | Per-runtime identity & capability auth · SSE `POST /asap/stream` · `ASAP-Version` · JSON-RPC batch · tamper-evident audit · async state stores · Compliance Harness v2 |
150
+ | **v2.1.1** | Patch: JWT allowlist · SQLite async bridge · optional Redis rate limits · web SSRF hardening |
151
+ | **v2.1** | `MarketClient` · framework extras (LangChain, CrewAI, LlamaIndex, …) · registry UX |
152
+ | **v2.0** | Marketplace web app · Lite Registry (GitHub Pages) · IssueOps · OAuth · verification flow |
153
+ | **v1.3** | `asap delegation create` / `revoke` |
154
+ | **v1.2** | Ed25519 manifests · trust levels · optional mTLS · [Compliance Harness](https://github.com/adriannoes/asap-protocol/blob/main/asap-compliance/README.md) |
155
+ | **v1.1** | OAuth2 · WebSocket · discovery (well-known + Lite Registry) · SQLite state · webhooks |
132
156
 
133
157
  ## 🔭 What's Next?
134
158
 
135
- ASAP is evolving toward an **Agent Marketplace** — an open ecosystem where AI agents discover, trust and collaborate autonomously. See our [vision document](https://github.com/adriannoes/asap-protocol/blob/main/.cursor/product-specs/strategy/vision-agent-marketplace.md) for the full roadmap.
159
+ ASAP is evolving toward an **Agent Marketplace** — an open ecosystem where AI agents discover, trust and collaborate autonomously. See the [ADR index](https://github.com/adriannoes/asap-protocol/blob/main/product/decision-records/README.md) and [v2.0 roadmap PRD](https://github.com/adriannoes/asap-protocol/blob/main/product/prd/prd-v2.0-roadmap.md). Detailed long-term strategy narratives are maintained privately (not shipped in this repository).
136
160
 
137
161
  ## Contributing
138
162
 
@@ -142,10 +166,18 @@ Every contribution, from bug reports to feature suggestions, documentation impro
142
166
 
143
167
  Check out our [contributing guidelines](https://github.com/adriannoes/asap-protocol/blob/main/CONTRIBUTING.md) to get started. It's easier than you think! 🚀
144
168
 
169
+ ## Contact
170
+
171
+ For **general questions** about the protocol, the marketplace, partnerships, or press (not security vulnerabilities — use [SECURITY.md](https://github.com/adriannoes/asap-protocol/blob/main/SECURITY.md) for those):
172
+
173
+ - **Email:** [info@asap-protocol.com](mailto:info@asap-protocol.com)
174
+
175
+ You can also use [GitHub Discussions](https://github.com/adriannoes/asap-protocol/discussions) or [Issues](https://github.com/adriannoes/asap-protocol/issues) for public project topics.
176
+
145
177
  ## License
146
178
 
147
179
  This project is licensed under the Apache 2.0 License - see the [license](https://github.com/adriannoes/asap-protocol/blob/main/LICENSE) file for details.
148
180
 
149
181
  ---
150
182
 
151
- **Built with [Cursor](https://cursor.com/)** using Composer 1.5, Claude Opus 4.6, Gemini 3.1 Pro and Kimi K2.5.
183
+ **Built with [Cursor](https://cursor.com/)** using Opus 4.6/4.7, Composer 1.5/2.0, Gemini 3.1 Pro and Kimi K2.5.
@@ -1,6 +1,6 @@
1
1
  [project]
2
2
  name = "asap-protocol"
3
- version = "2.2.0"
3
+ version = "2.3.0"
4
4
  description = "Async Simple Agent Protocol - A streamlined protocol for agent-to-agent communication"
5
5
  authors = [
6
6
  {name = "ASAP Protocol Contributors"}
@@ -22,14 +22,15 @@ classifiers = [
22
22
 
23
23
  dependencies = [
24
24
  "aiosqlite>=0.20",
25
- "cryptography>=46.0.7",
25
+ # Upper-bound majors per SECURITY.md dependency policy.
26
+ "cryptography>=46.0.7,<47",
26
27
  "jcs>=0.2.0",
27
28
  "jsonschema>=4.23.0",
28
- "pydantic>=2.12.5",
29
+ "pydantic>=2.12.5,<3",
29
30
  "fastapi>=0.128.0",
30
31
  "httpx[http2]>=0.28.1",
31
- "authlib>=1.6.9",
32
- "joserfc>=1.6.3",
32
+ "authlib>=1.6.11,<2",
33
+ "joserfc>=1.6.3,<2",
33
34
  "uvicorn>=0.34",
34
35
  "python-ulid>=3.0",
35
36
  "packaging>=25.0",
@@ -72,6 +73,10 @@ dns-sd = [
72
73
  redis = [
73
74
  "redis>=5.0.0",
74
75
  ]
76
+ # Optional WebAuthn (real attestation/assertion when extra installed).
77
+ webauthn = [
78
+ "webauthn>=2.6,<3",
79
+ ]
75
80
  # Framework integrations (Sprint E3 — PKG-003).
76
81
  mcp = [
77
82
  "mcp>=1.0.0",
@@ -94,6 +99,10 @@ pydanticai = [
94
99
  openclaw = [
95
100
  "openclaw-sdk>=2.0",
96
101
  ]
102
+ # OpenAPI 3.x spec parsing for asap.adapters.openapi (Sprint S1).
103
+ openapi = [
104
+ "openapi-pydantic>=0.5",
105
+ ]
97
106
 
98
107
  [project.urls]
99
108
  Homepage = "https://github.com/adriannoes/asap-protocol"
@@ -113,18 +122,20 @@ Issues = "https://github.com/adriannoes/asap-protocol/issues"
113
122
  # - python-multipart>=0.0.26 for CVE-2026-40347 (FastAPI stack)
114
123
  # - pygments>=2.20.0 for CVE-2026-4539
115
124
  # - langsmith>=0.7.31 for GHSA-rr7j-v2q5-chgv
125
+ # - python-dotenv>=1.2.2 for CVE-2026-28684 (transitive, e.g. pydantic-settings / uvicorn stacks)
116
126
  [tool.uv]
117
127
  override-dependencies = [
118
- "pyjwt>=2.12.0",
128
+ "pyjwt>=2.12.0,<3",
119
129
  "pyasn1>=0.6.3",
120
130
  "tinytag>=2.2.1",
121
- "cryptography>=46.0.7",
131
+ "cryptography>=46.0.7,<47",
122
132
  "requests>=2.33.0",
123
133
  "pillow>=12.2.0",
124
134
  "pytest>=9.0.3",
125
135
  "python-multipart>=0.0.26",
126
136
  "pygments>=2.20.0",
127
137
  "langsmith>=0.7.31",
138
+ "python-dotenv>=1.2.2",
128
139
  ]
129
140
 
130
141
  [project.scripts]
@@ -178,12 +189,13 @@ ignore = [
178
189
  [tool.ruff.lint.per-file-ignores]
179
190
  "scripts/**" = ["T201"]
180
191
  "src/asap/examples/**" = ["T201", "ASYNC210"]
192
+ "examples/**" = ["T201"]
181
193
  "benchmarks/**" = ["T201"]
182
194
  "tests/**" = ["B008"]
183
195
  "src/asap/transport/usage_api.py" = ["B008"]
184
196
  "src/asap/transport/delegation_api.py" = ["B008"]
185
197
  "src/asap/transport/sla_api.py" = ["B008"]
186
- "src/asap/cli.py" = ["B008"]
198
+ "src/asap/cli/__init__.py" = ["B008"]
187
199
 
188
200
  [tool.ruff.format]
189
201
  quote-style = "double"
@@ -0,0 +1,22 @@
1
+ """ASAP: Async Simple Agent Protocol.
2
+
3
+ A streamlined, scalable, asynchronous protocol for agent-to-agent communication
4
+ and task coordination.
5
+ """
6
+
7
+ from __future__ import annotations
8
+
9
+ from typing import Any
10
+
11
+ __version__ = "2.3.0"
12
+
13
+ __all__ = ["__version__", "create_from_openapi"]
14
+
15
+
16
+ def __getattr__(name: str) -> Any:
17
+ if name == "create_from_openapi":
18
+ from asap.adapters.openapi import create_from_openapi as exported
19
+
20
+ return exported
21
+ msg = f"module {__name__!r} has no attribute {name!r}"
22
+ raise AttributeError(msg)
@@ -0,0 +1 @@
1
+ """ASAP protocol adapters (third-party wire formats → ASAP capabilities)."""