asap-protocol 2.5.1__tar.gz → 2.5.2__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (239) hide show
  1. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/CHANGELOG.md +67 -5
  2. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/PKG-INFO +35 -22
  3. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/README.md +28 -19
  4. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/pyproject.toml +13 -3
  5. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/entities/conversation.schema.json +1 -1
  6. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/entities/manifest.schema.json +170 -111
  7. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/envelope.schema.json +51 -1
  8. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/payloads/task_request.schema.json +1 -1
  9. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/__init__.py +1 -1
  10. asap_protocol-2.5.2/src/asap/auth/_scope_parse.py +39 -0
  11. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/auth/agent_jwt.py +24 -3
  12. asap_protocol-2.5.2/src/asap/auth/jti_replay_cache.py +109 -0
  13. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/auth/middleware.py +52 -10
  14. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/auth/scopes.py +9 -25
  15. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/cli/__init__.py +1 -14
  16. asap_protocol-2.5.2/src/asap/cli/_compat.py +24 -0
  17. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/mcp/auth/config.py +2 -2
  18. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/models/entities.py +2 -4
  19. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/models/envelope.py +9 -3
  20. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/models/payloads.py +1 -3
  21. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/registry/auto_registration.py +11 -3
  22. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/state/stores/_sqlite_base.py +32 -5
  23. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/_auth_helpers.py +7 -3
  24. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/agent_routes.py +12 -5
  25. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/capability_routes.py +7 -4
  26. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/client/_send.py +14 -3
  27. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/errors.py +51 -11
  28. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/routes/audit.py +16 -5
  29. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/server.py +94 -30
  30. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/sla_api.py +14 -6
  31. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/usage_api.py +17 -5
  32. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/ws/client.py +7 -1
  33. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/.gitignore +0 -0
  34. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/LICENSE +0 -0
  35. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/entities/agent.schema.json +0 -0
  36. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/entities/artifact.schema.json +0 -0
  37. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/entities/message.schema.json +0 -0
  38. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/entities/state_snapshot.schema.json +0 -0
  39. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/entities/task.schema.json +0 -0
  40. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/examples/shellclaw-jetson-capabilities.json +0 -0
  41. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/parts/data_part.schema.json +0 -0
  42. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/parts/file_part.schema.json +0 -0
  43. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/parts/resource_part.schema.json +0 -0
  44. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/parts/template_part.schema.json +0 -0
  45. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/parts/text_part.schema.json +0 -0
  46. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/payloads/artifact_notify.schema.json +0 -0
  47. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/payloads/mcp_resource_data.schema.json +0 -0
  48. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/payloads/mcp_resource_fetch.schema.json +0 -0
  49. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/payloads/mcp_tool_call.schema.json +0 -0
  50. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/payloads/mcp_tool_result.schema.json +0 -0
  51. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/payloads/message_send.schema.json +0 -0
  52. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/payloads/state_query.schema.json +0 -0
  53. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/payloads/state_restore.schema.json +0 -0
  54. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/payloads/task_cancel.schema.json +0 -0
  55. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/payloads/task_response.schema.json +0 -0
  56. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/schemas/payloads/task_update.schema.json +0 -0
  57. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/adapters/__init__.py +0 -0
  58. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/adapters/mcp/__init__.py +0 -0
  59. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/adapters/mcp/auth_middleware.py +0 -0
  60. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/adapters/mcp/capability_map.py +0 -0
  61. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/adapters/mcp/config.py +0 -0
  62. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/adapters/mcp/errors.py +0 -0
  63. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/adapters/mcp/jwt_extractor.py +0 -0
  64. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/adapters/mcp/protected_server.py +0 -0
  65. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/adapters/openapi/__init__.py +0 -0
  66. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/adapters/openapi/approval.py +0 -0
  67. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/adapters/openapi/capability_mapper.py +0 -0
  68. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/adapters/openapi/factory.py +0 -0
  69. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/adapters/openapi/handler.py +0 -0
  70. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/adapters/openapi/spec_loader.py +0 -0
  71. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/auth/__init__.py +0 -0
  72. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/auth/approval.py +0 -0
  73. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/auth/capabilities.py +0 -0
  74. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/auth/identity.py +0 -0
  75. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/auth/introspection.py +0 -0
  76. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/auth/jwks.py +0 -0
  77. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/auth/oauth2.py +0 -0
  78. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/auth/oidc.py +0 -0
  79. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/auth/self_auth.py +0 -0
  80. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/auth/webauthn.py +0 -0
  81. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/auth/webauthn_store.py +0 -0
  82. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/cli/audit_export.py +0 -0
  83. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/cli/compliance_check.py +0 -0
  84. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/cli/delegation.py +0 -0
  85. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/cli/keys.py +0 -0
  86. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/cli/manifest.py +0 -0
  87. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/cli/repl.py +0 -0
  88. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/cli/schemas.py +0 -0
  89. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/cli/trace.py +0 -0
  90. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/client/__init__.py +0 -0
  91. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/client/cache.py +0 -0
  92. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/client/http_client.py +0 -0
  93. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/client/market.py +0 -0
  94. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/client/revocation.py +0 -0
  95. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/client/trust.py +0 -0
  96. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/crypto/__init__.py +0 -0
  97. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/crypto/keys.py +0 -0
  98. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/crypto/models.py +0 -0
  99. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/crypto/signing.py +0 -0
  100. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/crypto/trust.py +0 -0
  101. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/crypto/trust_levels.py +0 -0
  102. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/discovery/__init__.py +0 -0
  103. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/discovery/dnssd.py +0 -0
  104. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/discovery/health.py +0 -0
  105. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/discovery/registry.py +0 -0
  106. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/discovery/validation.py +0 -0
  107. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/discovery/wellknown.py +0 -0
  108. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/economics/__init__.py +0 -0
  109. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/economics/audit.py +0 -0
  110. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/economics/delegation.py +0 -0
  111. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/economics/delegation_storage.py +0 -0
  112. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/economics/hooks.py +0 -0
  113. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/economics/metering.py +0 -0
  114. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/economics/sla.py +0 -0
  115. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/economics/sla_storage.py +0 -0
  116. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/economics/storage.py +0 -0
  117. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/errors.py +0 -0
  118. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/README.md +0 -0
  119. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/__init__.py +0 -0
  120. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/a2h_approval.py +0 -0
  121. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/agent_failover.py +0 -0
  122. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/auth_patterns.py +0 -0
  123. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/coordinator.py +0 -0
  124. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/echo_agent.py +0 -0
  125. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/error_recovery.py +0 -0
  126. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/long_running.py +0 -0
  127. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/mcp_client_demo.py +0 -0
  128. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/mcp_integration.py +0 -0
  129. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/multi_step_workflow.py +0 -0
  130. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/orchestration.py +0 -0
  131. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/rate_limiting.py +0 -0
  132. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/run_demo.py +0 -0
  133. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/secure_agent.py +0 -0
  134. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/secure_handler.py +0 -0
  135. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/state_migration.py +0 -0
  136. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/storage_backends.py +0 -0
  137. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/streaming_agent.py +0 -0
  138. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/streaming_response.py +0 -0
  139. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/v1_3_0_showcase.py +0 -0
  140. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/v1_4_0_showcase.py +0 -0
  141. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/examples/websocket_concept.py +0 -0
  142. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/handlers/__init__.py +0 -0
  143. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/handlers/hitl.py +0 -0
  144. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/integrations/__init__.py +0 -0
  145. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/integrations/_base.py +0 -0
  146. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/integrations/a2h.py +0 -0
  147. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/integrations/crewai.py +0 -0
  148. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/integrations/langchain.py +0 -0
  149. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/integrations/llamaindex.py +0 -0
  150. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/integrations/openclaw.py +0 -0
  151. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/integrations/pydanticai.py +0 -0
  152. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/integrations/smolagents.py +0 -0
  153. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/integrations/vercel_ai.py +0 -0
  154. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/mcp/__init__.py +0 -0
  155. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/mcp/auth/__init__.py +0 -0
  156. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/mcp/auth/auth_middleware.py +0 -0
  157. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/mcp/auth/capability_map.py +0 -0
  158. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/mcp/auth/errors.py +0 -0
  159. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/mcp/auth/jwt_extractor.py +0 -0
  160. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/mcp/auth/protected_server.py +0 -0
  161. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/mcp/client.py +0 -0
  162. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/mcp/protocol.py +0 -0
  163. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/mcp/serve.py +0 -0
  164. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/mcp/server.py +0 -0
  165. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/mcp/server_runner.py +0 -0
  166. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/models/__init__.py +0 -0
  167. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/models/base.py +0 -0
  168. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/models/constants.py +0 -0
  169. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/models/enums.py +0 -0
  170. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/models/ids.py +0 -0
  171. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/models/parts.py +0 -0
  172. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/models/types.py +0 -0
  173. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/models/validators.py +0 -0
  174. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/observability/__init__.py +0 -0
  175. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/observability/dashboards/README.md +0 -0
  176. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/observability/dashboards/asap-detailed.json +0 -0
  177. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/observability/dashboards/asap-red.json +0 -0
  178. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/observability/logging.py +0 -0
  179. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/observability/metrics.py +0 -0
  180. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/observability/trace_parser.py +0 -0
  181. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/observability/trace_ui.py +0 -0
  182. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/observability/tracing.py +0 -0
  183. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/registry/__init__.py +0 -0
  184. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/registry/anti_spam.py +0 -0
  185. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/registry/bot_pr.py +0 -0
  186. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/registry/receipt_cache.py +0 -0
  187. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/schemas.py +0 -0
  188. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/state/__init__.py +0 -0
  189. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/state/machine.py +0 -0
  190. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/state/metering.py +0 -0
  191. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/state/snapshot.py +0 -0
  192. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/state/stores/__init__.py +0 -0
  193. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/state/stores/_sync_bridge.py +0 -0
  194. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/state/stores/memory.py +0 -0
  195. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/state/stores/sqlite.py +0 -0
  196. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/testing/__init__.py +0 -0
  197. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/testing/asgi_factory.py +0 -0
  198. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/testing/assertions.py +0 -0
  199. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/testing/compliance.py +0 -0
  200. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/testing/fixtures.py +0 -0
  201. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/testing/mocks.py +0 -0
  202. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/__init__.py +0 -0
  203. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/_request_handler.py +0 -0
  204. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/_state_deps.py +0 -0
  205. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/cache.py +0 -0
  206. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/challenge.py +0 -0
  207. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/circuit_breaker.py +0 -0
  208. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/client/__init__.py +0 -0
  209. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/client/_core.py +0 -0
  210. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/client/_discovery.py +0 -0
  211. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/client/_helpers.py +0 -0
  212. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/compression.py +0 -0
  213. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/delegation_api.py +0 -0
  214. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/escalation_routes.py +0 -0
  215. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/executors.py +0 -0
  216. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/handlers.py +0 -0
  217. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/jsonrpc.py +0 -0
  218. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/lambda_codec.py +0 -0
  219. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/middleware.py +0 -0
  220. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/mtls.py +0 -0
  221. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/rate_limit.py +0 -0
  222. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/routes/__init__.py +0 -0
  223. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/routes/health.py +0 -0
  224. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/routes/jsonrpc.py +0 -0
  225. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/routes/websocket.py +0 -0
  226. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/validators.py +0 -0
  227. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/webhook.py +0 -0
  228. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/websocket.py +0 -0
  229. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/ws/__init__.py +0 -0
  230. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/ws/_ack.py +0 -0
  231. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/ws/_actions.py +0 -0
  232. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/ws/_dispatch.py +0 -0
  233. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/ws/_errors.py +0 -0
  234. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/ws/_recv.py +0 -0
  235. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/ws/codecs.py +0 -0
  236. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/ws/pool.py +0 -0
  237. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/transport/ws/server.py +0 -0
  238. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/utils/__init__.py +0 -0
  239. {asap_protocol-2.5.1 → asap_protocol-2.5.2}/src/asap/utils/sanitization.py +0 -0
@@ -7,18 +7,77 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
- ### Follow-up (not in v2.5.1)
10
+ ### Follow-up (planned v2.5.3+)
11
11
 
12
- - **Adapter Lab II** — new framework adapters (separate PRD: [prd-v2.5.1-adapter-lab-ii.md](product/prd/prd-v2.5.1-adapter-lab-ii.md)).
13
- - `extra="forbid"` on ingress payload models (`TaskRequestConfig`, `CommonMetadata`).
14
- - Opt-in protection for operator APIs (`/usage`, `/sla`, `/audit`).
15
- - Redis-backed `JtiReplayCache` and distributed Next.js rate limits.
12
+ - **Adapter Lab II** — enterprise/workflow adapters ([prd-v2.5.3-adapter-lab-ii.md](product/prd/prd-v2.5.3-adapter-lab-ii.md)).
13
+ - **Distribution Loop** homepage, templates, metrics ([prd-v2.5.4-distribution-loop.md](product/prd/prd-v2.5.4-distribution-loop.md)).
14
+ - **Formal Spec & Interop** RFC spec, introspection, privacy ([prd-v2.5.5-formal-spec-interop.md](product/prd/prd-v2.5.5-formal-spec-interop.md)).
16
15
  - `@asap-protocol/mcp-auth` HTTP/SSE middleware (deferred from v2.5.0 — see [2.5.0] TypeScript note and [typescript-mcp-auth-spike.md](engineering/tasks/v2.5.0/typescript-mcp-auth-spike.md)).
17
16
  - Collapse the dual `UsageMetrics`/`InMemoryMeteringStore` pair retained in S1 for API stability.
18
17
  - Reduce the `asap.transport.client` package aggregate LOC below the S2 target.
19
18
 
20
19
  ---
21
20
 
21
+ ## [2.5.2] - 2026-07-08
22
+
23
+ **Security & correctness follow-up** — operator API auth, tighter ingress
24
+ validation, Redis JTI replay, web distributed rate limits, v2.5.1 CR follow-ups,
25
+ and registry fixes. Scope: [prd-v2.5.2-security-follow-up.md](product/prd/prd-v2.5.2-security-follow-up.md).
26
+ Wire protocol and manifest schema are unchanged aside from rejecting unknown
27
+ `config` / `metadata` keys (see Migration).
28
+
29
+ ### Added
30
+
31
+ - **Opt-in operator API auth (#209)**: `create_app(require_operator_auth=True)`
32
+ requires an OAuth2 Bearer JWT with scope ``asap:admin`` on ``/usage``,
33
+ ``/sla``, and ``/audit``. Default remains open (local/operator ergonomics)
34
+ with the existing startup warnings. Requires ``oauth2_config``.
35
+ - **Redis-backed JTI replay cache (#209)**: Optional
36
+ :class:`~asap.auth.jti_replay_cache.RedisJtiReplayCache` for multi-worker
37
+ Host/Agent JWT replay protection. Default remains in-memory
38
+ :class:`~asap.auth.agent_jwt.JtiReplayCache`. Requires
39
+ ``pip install 'asap-protocol[redis]'``. Inject via
40
+ ``create_app(identity_jti_cache=...)`` or ``MCPAuthConfig.jti_replay_cache``.
41
+
42
+ ### Changed
43
+
44
+ - **Ingress validation (#209)**: `TaskRequestConfig` and `CommonMetadata` now reject
45
+ unknown fields (`extra="forbid"`, inherited from `ASAPBaseModel`). Previously these
46
+ models allowed arbitrary extension keys; clients sending custom `config` or
47
+ `metadata` properties must use known fields only or nest extensions under
48
+ `TaskRequest.input` / envelope `extensions`. See
49
+ [migration guide](docs/migration.md#upgrading-from-v251).
50
+ - **CLI legacy imports (#242)**: `DEFAULT_SCHEMAS_DIR`, `export_all_schemas`, and
51
+ `_repl_namespace` are no longer re-exported from `asap.cli` root. Import from
52
+ `asap.cli._compat` (shim) or the owning submodules (`asap.cli.schemas`,
53
+ `asap.schemas`, `asap.cli.repl`). The `_compat` shim is removed in v2.6.0
54
+ ([#275](https://github.com/adriannoes/asap-protocol/issues/275)).
55
+ See [migration guide](docs/migration.md#upgrading-from-v251).
56
+ - **Web app (`apps/web`)**: Optional distributed rate limits via Upstash Redis
57
+ or Vercel KV when `UPSTASH_REDIS_REST_URL` + `UPSTASH_REDIS_REST_TOKEN` (or
58
+ `KV_REST_API_URL` + `KV_REST_API_TOKEN`) are set; local dev without Redis
59
+ keeps the existing in-memory per-instance limiter
60
+ ([#209](https://github.com/adriannoes/asap-protocol/issues/209)).
61
+ - **Auth scope parsing (#243)**: `parse_scope` lives in `asap.auth._scope_parse` so
62
+ `OAuth2Middleware` no longer needs an inline import to break a cycle.
63
+
64
+ ### Fixed
65
+
66
+ - **CI security (`pip-audit`)**: Raised `joserfc` to `>=1.6.7,<2` (CVE-2026-48990) and added overrides for `python-engineio>=4.13.2` (CVE-2026-48802 / CVE-2026-48809) and `python-socketio>=5.16.2` (CVE-2026-48804). See [SECURITY.md](SECURITY.md).
67
+ - **Streaming correlation binding (#247)**: SSE and WebSocket streaming now require `TaskStream` chunks to echo the request envelope `id` (not an arbitrary request `correlation_id`), and streamed response payloads reject missing or mismatched `correlation_id` values.
68
+ - **SQLite write serialization (#245)**: `AsyncSqliteRepository.execute()` now holds the same `asyncio.Lock` as other write paths so concurrent writers cannot interleave on a shared connection.
69
+ - **Agent status JTI replay (#249)**: `GET /asap/agent/status` now records JWT `jti` in the replay cache (same hardening as other identity routes).
70
+ - **Registry signed manifests (#224)**: Registration paths accept signed manifest envelopes (unwrap before validation).
71
+ - **Registry validation errors (#227)**: Auto-registration maps `ManifestValidationError` to HTTP 400 instead of a 500.
72
+
73
+ ### Migration
74
+
75
+ - **v2.5.1 → v2.5.2**: See [migration guide](docs/migration.md#upgrading-from-v251).
76
+ Breaking for clients that sent unknown keys on `TaskRequest.config` /
77
+ `CommonMetadata`. Operator auth and Redis JTI remain opt-in.
78
+
79
+ ---
80
+
22
81
  ## [2.5.1] - 2026-06-25
23
82
 
24
83
  **Code quality patch** — behavior-preserving refactor of the transport, storage,
@@ -59,6 +118,9 @@ Deprecated import paths keep working via shims until v2.6.0.
59
118
 
60
119
  ### Deprecated (remove in v2.6.0)
61
120
 
121
+ - `from asap.cli._compat import ...` — use `asap.cli.schemas`, `asap.schemas`, or
122
+ `asap.cli.repl` directly ([#242](https://github.com/adriannoes/asap-protocol/issues/242);
123
+ removal tracked in [#275](https://github.com/adriannoes/asap-protocol/issues/275)).
62
124
  - `from asap.transport.websocket import ...` — use `asap.transport.ws` directly.
63
125
  - `from asap.adapters.mcp import ...` — use `asap.mcp.auth` directly.
64
126
  - `RemoteFatalRPCError` / `RemoteRecoverableRPCError` — use `RemoteRPCError` + `is_recoverable`.
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: asap-protocol
3
- Version: 2.5.1
3
+ Version: 2.5.2
4
4
  Summary: Async Simple Agent Protocol - A streamlined protocol for agent-to-agent communication
5
5
  Project-URL: Homepage, https://github.com/adriannoes/asap-protocol
6
6
  Project-URL: Documentation, https://adriannoes.github.io/asap-protocol
@@ -27,7 +27,7 @@ Requires-Dist: cryptography<49,>=48.0.1
27
27
  Requires-Dist: fastapi>=0.136.1
28
28
  Requires-Dist: httpx[http2]>=0.28.1
29
29
  Requires-Dist: jcs>=0.2.0
30
- Requires-Dist: joserfc<2,>=1.6.3
30
+ Requires-Dist: joserfc<2,>=1.6.7
31
31
  Requires-Dist: jsonschema>=4.23.0
32
32
  Requires-Dist: limits>=3.0
33
33
  Requires-Dist: opentelemetry-api>=1.20
@@ -48,6 +48,7 @@ Requires-Dist: crewai>=0.80; extra == 'crewai'
48
48
  Provides-Extra: dev
49
49
  Requires-Dist: asgi-lifespan>=2.1.0; extra == 'dev'
50
50
  Requires-Dist: brotli>=1.1.0; extra == 'dev'
51
+ Requires-Dist: fakeredis>=2.26.0; extra == 'dev'
51
52
  Requires-Dist: mypy>=1.19.1; extra == 'dev'
52
53
  Requires-Dist: pip-audit>=2.7; extra == 'dev'
53
54
  Requires-Dist: pytest-asyncio>=0.24; extra == 'dev'
@@ -61,9 +62,12 @@ Provides-Extra: dns-sd
61
62
  Requires-Dist: zeroconf>=0.149.5; extra == 'dns-sd'
62
63
  Provides-Extra: docs
63
64
  Requires-Dist: ghp-import>=2.1.0; extra == 'docs'
65
+ Requires-Dist: joserfc<2,>=1.6.7; extra == 'docs'
64
66
  Requires-Dist: mkdocs-material>=9.5; extra == 'docs'
65
67
  Requires-Dist: mkdocstrings[python]>=0.27; extra == 'docs'
66
68
  Requires-Dist: pymdown-extensions>=10.21.3; extra == 'docs'
69
+ Requires-Dist: python-engineio>=4.13.2; extra == 'docs'
70
+ Requires-Dist: python-socketio>=5.16.2; extra == 'docs'
67
71
  Provides-Extra: langchain
68
72
  Requires-Dist: langchain-core>=1.3.3; extra == 'langchain'
69
73
  Provides-Extra: llamaindex
@@ -83,7 +87,7 @@ Requires-Dist: smolagents>=1.24.0; extra == 'smolagents'
83
87
  Provides-Extra: telemetry
84
88
  Requires-Dist: pypistats>=1.11.0; extra == 'telemetry'
85
89
  Provides-Extra: webauthn
86
- Requires-Dist: webauthn<3,>=2.6; extra == 'webauthn'
90
+ Requires-Dist: webauthn<4,>=2.6; extra == 'webauthn'
87
91
  Description-Content-Type: text/markdown
88
92
 
89
93
  # ASAP: Async Simple Agent Protocol
@@ -95,9 +99,9 @@ Description-Content-Type: text/markdown
95
99
 
96
100
  > A production-ready protocol for agent-to-agent communication and task coordination.
97
101
 
98
- **Quick Info**: [`v2.5.1`](https://github.com/adriannoes/asap-protocol/releases/tag/v2.5.1) | `Apache 2.0` | `Python 3.13+` | [Documentation](docs/index.md) | [Changelog](CHANGELOG.md)
102
+ **Quick Info**: [`v2.5.2`](https://github.com/adriannoes/asap-protocol/releases/tag/v2.5.2) | `Apache 2.0` | `Python 3.13+` | [Documentation](docs/index.md) | [Changelog](CHANGELOG.md)
99
103
 
100
- > 📦 **Install** the Python SDK ([`asap-protocol` on PyPI](https://pypi.org/project/asap-protocol/)) or the TypeScript client ([`@asap-protocol/client` on npm](https://www.npmjs.com/package/@asap-protocol/client) — **2.4.1**; `@asap-protocol/mcp-auth` npm middleware still deferred).
104
+ > 📦 **Install** [`asap-protocol` on PyPI](https://pypi.org/project/asap-protocol/) (Python) · [`@asap-protocol/client` on npm](https://www.npmjs.com/package/@asap-protocol/client) (TypeScript)
101
105
 
102
106
  🚀 **Live now** our [**agentic marketplace**](https://asap-protocol.com/) — browse agents, register yours, request verification.
103
107
 
@@ -126,13 +130,13 @@ Plain HTTP between two agents is enough for the simplest cases. ASAP is built fo
126
130
  | Schema-first | Pydantic v2 + JSON Schema for cross-agent interchange | [API reference](docs/api-reference.md) |
127
131
  | Async-native | `asyncio` + `httpx`; sync and async handlers | [Transport](docs/transport.md) |
128
132
  | MCP integration | Tool execution and coordination in one envelope (Mode B) | [MCP integration](docs/mcp-integration.md) |
129
- | MCP Auth Bridge (v2.5.0+) | Opt-in Agent JWT + capability grants on native stdio MCP `tools/call` (Mode A) | [MCP Auth Bridge](docs/adapters/mcp-auth-bridge.md) |
133
+ | MCP Auth Bridge | Opt-in Agent JWT + capability grants on native stdio MCP `tools/call` (Mode A) | [MCP Auth Bridge](docs/adapters/mcp-auth-bridge.md) |
130
134
  | Observability | `trace_id` and `correlation_id` for debugging | [Observability](docs/observability.md) |
131
135
  | Security | OAuth2/JWT, Ed25519 manifests, mTLS, rate limiting | [Security](docs/security.md) |
132
- | Identity & capabilities (v2.2+) | Host/Agent JWTs, constrained grants, approval flows, opt-in WebAuthn | [Capabilities](docs/capabilities/index.md) |
133
- | Streaming & wire protocol (v2.2+) | SSE `/asap/stream`, JSON-RPC batch, `ASAP-Version` negotiation | [Transport](docs/transport.md) |
134
- | Adoption tools (v2.3.0+) | OpenAPI adapter, `@asap-protocol/client`, auto-registration, escalation | [Migration (v2.2 → v2.3)](docs/migration.md#upgrading-from-v22x-to-v230) |
135
- | Edge-AI discovery (v2.4.0+) | Hardware/inference manifests, registry mirror, marketplace filters | [ShellClaw guide](docs/guides/shellclaw-registry.md) |
136
+ | Identity & capabilities | Host/Agent JWTs, constrained grants, approval flows, opt-in WebAuthn | [Capabilities](docs/capabilities/index.md) |
137
+ | Streaming & wire protocol | SSE `/asap/stream`, JSON-RPC batch, `ASAP-Version` negotiation | [Transport](docs/transport.md) |
138
+ | Adoption tools | OpenAPI adapter, `@asap-protocol/client`, auto-registration, escalation | [Migration (v2.2 → v2.3)](docs/migration.md#upgrading-from-v22x-to-v230) |
139
+ | Edge-AI discovery | Hardware/inference manifests, registry mirror, marketplace filters | [ShellClaw guide](docs/guides/shellclaw-registry.md) |
136
140
  | Framework adapters (npm) | `@asap-protocol/mastra` and `@asap-protocol/openai-agents` tool bridges | [Mastra](docs/integrations/mastra.md) · [OpenAI Agents](docs/integrations/openai-agents.md) |
137
141
  | Economics | Usage metering, delegation tokens, SLA breach alerts | [Audit log](docs/audit.md) |
138
142
 
@@ -161,7 +165,7 @@ Or with pip:
161
165
  pip install asap-protocol
162
166
  ```
163
167
 
164
- **TypeScript** (npm, **`2.4.1`** — unchanged for v2.5.1; `@asap-protocol/mcp-auth` HTTP middleware still deferred):
168
+ **TypeScript** (npm, **`2.4.1`** — unchanged for v2.5.2; `@asap-protocol/mcp-auth` HTTP middleware still deferred):
165
169
 
166
170
  - [`@asap-protocol/client`](https://www.npmjs.com/package/@asap-protocol/client) — [SDK docs](docs/sdks/typescript.md)
167
171
  - [`@asap-protocol/mastra`](https://www.npmjs.com/package/@asap-protocol/mastra) — [docs](docs/integrations/mastra.md) · [demo](apps/example-mastra/README.md)
@@ -173,7 +177,7 @@ npm install @asap-protocol/mastra@2.4.1 @asap-protocol/client @mastra/core zod
173
177
  npm install @asap-protocol/openai-agents@2.4.1 @asap-protocol/client @openai/agents zod
174
178
  ```
175
179
 
176
- **Python v2.5.1** (code quality patch): `uv add asap-protocol` or `pip install asap-protocol==2.5.1` — see [Migration (v2.5.0 → v2.5.1)](docs/migration.md#upgrading-from-v250-to-v251).
180
+ **Python v2.5.2** (security follow-up): `uv add asap-protocol` or `pip install asap-protocol==2.5.2` — see [Migration (v2.5.1 → v2.5.2)](docs/migration.md#upgrading-from-v251).
177
181
 
178
182
  ## Quick Start
179
183
 
@@ -242,17 +246,18 @@ See [Compliance Testing Guide](https://github.com/adriannoes/asap-protocol/blob/
242
246
 
243
247
  ```bash
244
248
  asap --version # Show version
245
- asap list-schemas # List all available schemas
246
- asap export-schemas # Export JSON schemas to file
247
- asap compliance-check --url https://agent.example # Compliance Harness v2 (HTTP(S))
249
+ asap list-schemas # List JSON schemas
250
+ asap export-schemas # Export schemas to disk
251
+ asap validate-schema payload.json # Validate JSON against a schema
252
+ asap compliance-check --url https://agent.example # Remote Compliance Harness v2
248
253
  asap audit export --store memory --format json # Export audit log (stdout)
249
- asap keys generate -o key.pem # Generate Ed25519 keypair
250
- asap manifest sign -k key.pem manifest.json # Sign manifest
251
- asap manifest verify signed.json # Verify signature
252
- asap manifest info signed.json # Show trust level
254
+ asap keys generate -o key.pem # Ed25519 keypair
255
+ asap manifest sign -k key.pem manifest.json # Sign agent manifest
256
+ asap delegation create -d <urn> -s read -k key.pem --delegator <urn>
257
+ asap trace <trace-id> --log-file asap.log # Visualize request flow from logs
253
258
  ```
254
259
 
255
- See the [CLI reference](docs/cli.md) for `compliance-check` and `audit export` flag details, the [CI compliance gate](docs/ci-compliance.md) for wiring `compliance-check` into GitHub Actions, the [audit export guide](docs/audit.md), [Identity Signing](docs/guides/identity-signing.md), or run `asap --help` for the full command surface.
260
+ See [docs/cli.md](docs/cli.md) for delegation tokens, schema validation, trace visualization, REPL, and full flag reference. Run `asap --help` for your installed version.
256
261
 
257
262
  ## Version History
258
263
 
@@ -260,6 +265,7 @@ High-level only — see **[Changelog](https://github.com/adriannoes/asap-protoco
260
265
 
261
266
  | Version | What shipped |
262
267
  | :-- | :-- |
268
+ | **v2.5.2** | **Security & correctness follow-up** — opt-in operator API auth, `extra="forbid"` ingress, Redis JTI replay, web distributed rate limits, v2.5.1 CR follow-ups (#245–#249), registry signed-manifest/400 fixes. See [CHANGELOG](CHANGELOG.md#252---2026-07-08), [PRD](product/prd/prd-v2.5.2-security-follow-up.md), and [Migration (v2.5.1 → v2.5.2)](docs/migration.md#upgrading-from-v251) |
263
269
  | **v2.5.1** | **Code quality patch** — behavior-preserving refactor (transport/server, client, websocket, SQLite storage, auth, integrations) + six correctness/security fixes (atomic `revoke_cascade`, `usage_events` DDL, unified Host-JWT verifier, **WS now enforces OAuth2**, OpenAPI handler cleanup, client `correlation_id` binding). Deprecated import paths removed in v2.6.0. See [CHANGELOG](CHANGELOG.md#251---2026-06-25) and [Migration (v2.5.0 → v2.5.1)](docs/migration.md#upgrading-from-v250-to-v251) |
264
270
  | **v2.5.0.1** | **Compliance publish** — **[GitHub Release `v2.5.0.1`](https://github.com/adriannoes/asap-protocol/releases/tag/v2.5.0.1)** · PyPI **`asap-compliance` 1.3.0** (`mcp-auth-bridge` profile; requires `asap-protocol>=2.5.0`). No `asap-protocol` API change. See [CHANGELOG](CHANGELOG.md#2501---2026-06-24) |
265
271
  | **v2.5.0** | **MCP Auth Bridge** — **[GitHub Release `v2.5.0`](https://github.com/adriannoes/asap-protocol/releases/tag/v2.5.0)** · opt-in `protect_server` for stdio MCP; Agent JWT + capability grants; reference example `examples/mcp_auth_bridge/`. See [CHANGELOG](CHANGELOG.md#250---2026-06-24) and [Migration (v2.4.1 → v2.5.0)](docs/migration.md#upgrading-from-v241-to-v250) |
@@ -278,7 +284,14 @@ High-level only — see **[Changelog](https://github.com/adriannoes/asap-protoco
278
284
 
279
285
  ## 🔭 What's Next?
280
286
 
281
- ASAP is evolving toward an **Agent Marketplace** — an open ecosystem where AI agents discover, trust and collaborate autonomously. See the [ADR index](https://github.com/adriannoes/asap-protocol/blob/main/product/decision-records/README.md) and [v2.0 roadmap PRD](https://github.com/adriannoes/asap-protocol/blob/main/product/prd/prd-v2.0-roadmap.md). Detailed long-term strategy narratives are maintained privately (not shipped in this repository).
287
+ The [agentic marketplace](https://asap-protocol.com/) and Lite Registry are live. The **v2.5.x train** focuses on interop and adoption:
288
+
289
+ - **v2.5.3** — enterprise/workflow adapter spikes (Adapter Lab II)
290
+ - **v2.5.4** — distribution loop (homepage templates, starter kits, adoption metrics)
291
+ - **`@asap-protocol/mcp-auth`** (npm) — HTTP/SSE MCP middleware
292
+ - **Formal spec track** (v2.5.5) — introspection, privacy, cross-protocol interop on the path to v3.0 economy
293
+
294
+ See the [v2.5 roadmap PRD](https://github.com/adriannoes/asap-protocol/blob/main/product/prd/prd-v2.5-roadmap.md) and [ADR index](https://github.com/adriannoes/asap-protocol/blob/main/product/decision-records/README.md).
282
295
 
283
296
  ## Contributing
284
297
 
@@ -306,4 +319,4 @@ This project is licensed under the Apache 2.0 License - see the [license](https:
306
319
 
307
320
  ---
308
321
 
309
- **Built with [Cursor](https://cursor.com/)** using Opus 4.6/4.7, Composer 1.5/2.0, Gemini 3.1 Pro and Kimi K2.5.
322
+ **Built with [Cursor](https://cursor.com/)**, with Composer, Opus, Gemini, Kimi and more.
@@ -7,9 +7,9 @@
7
7
 
8
8
  > A production-ready protocol for agent-to-agent communication and task coordination.
9
9
 
10
- **Quick Info**: [`v2.5.1`](https://github.com/adriannoes/asap-protocol/releases/tag/v2.5.1) | `Apache 2.0` | `Python 3.13+` | [Documentation](docs/index.md) | [Changelog](CHANGELOG.md)
10
+ **Quick Info**: [`v2.5.2`](https://github.com/adriannoes/asap-protocol/releases/tag/v2.5.2) | `Apache 2.0` | `Python 3.13+` | [Documentation](docs/index.md) | [Changelog](CHANGELOG.md)
11
11
 
12
- > 📦 **Install** the Python SDK ([`asap-protocol` on PyPI](https://pypi.org/project/asap-protocol/)) or the TypeScript client ([`@asap-protocol/client` on npm](https://www.npmjs.com/package/@asap-protocol/client) — **2.4.1**; `@asap-protocol/mcp-auth` npm middleware still deferred).
12
+ > 📦 **Install** [`asap-protocol` on PyPI](https://pypi.org/project/asap-protocol/) (Python) · [`@asap-protocol/client` on npm](https://www.npmjs.com/package/@asap-protocol/client) (TypeScript)
13
13
 
14
14
  🚀 **Live now** our [**agentic marketplace**](https://asap-protocol.com/) — browse agents, register yours, request verification.
15
15
 
@@ -38,13 +38,13 @@ Plain HTTP between two agents is enough for the simplest cases. ASAP is built fo
38
38
  | Schema-first | Pydantic v2 + JSON Schema for cross-agent interchange | [API reference](docs/api-reference.md) |
39
39
  | Async-native | `asyncio` + `httpx`; sync and async handlers | [Transport](docs/transport.md) |
40
40
  | MCP integration | Tool execution and coordination in one envelope (Mode B) | [MCP integration](docs/mcp-integration.md) |
41
- | MCP Auth Bridge (v2.5.0+) | Opt-in Agent JWT + capability grants on native stdio MCP `tools/call` (Mode A) | [MCP Auth Bridge](docs/adapters/mcp-auth-bridge.md) |
41
+ | MCP Auth Bridge | Opt-in Agent JWT + capability grants on native stdio MCP `tools/call` (Mode A) | [MCP Auth Bridge](docs/adapters/mcp-auth-bridge.md) |
42
42
  | Observability | `trace_id` and `correlation_id` for debugging | [Observability](docs/observability.md) |
43
43
  | Security | OAuth2/JWT, Ed25519 manifests, mTLS, rate limiting | [Security](docs/security.md) |
44
- | Identity & capabilities (v2.2+) | Host/Agent JWTs, constrained grants, approval flows, opt-in WebAuthn | [Capabilities](docs/capabilities/index.md) |
45
- | Streaming & wire protocol (v2.2+) | SSE `/asap/stream`, JSON-RPC batch, `ASAP-Version` negotiation | [Transport](docs/transport.md) |
46
- | Adoption tools (v2.3.0+) | OpenAPI adapter, `@asap-protocol/client`, auto-registration, escalation | [Migration (v2.2 → v2.3)](docs/migration.md#upgrading-from-v22x-to-v230) |
47
- | Edge-AI discovery (v2.4.0+) | Hardware/inference manifests, registry mirror, marketplace filters | [ShellClaw guide](docs/guides/shellclaw-registry.md) |
44
+ | Identity & capabilities | Host/Agent JWTs, constrained grants, approval flows, opt-in WebAuthn | [Capabilities](docs/capabilities/index.md) |
45
+ | Streaming & wire protocol | SSE `/asap/stream`, JSON-RPC batch, `ASAP-Version` negotiation | [Transport](docs/transport.md) |
46
+ | Adoption tools | OpenAPI adapter, `@asap-protocol/client`, auto-registration, escalation | [Migration (v2.2 → v2.3)](docs/migration.md#upgrading-from-v22x-to-v230) |
47
+ | Edge-AI discovery | Hardware/inference manifests, registry mirror, marketplace filters | [ShellClaw guide](docs/guides/shellclaw-registry.md) |
48
48
  | Framework adapters (npm) | `@asap-protocol/mastra` and `@asap-protocol/openai-agents` tool bridges | [Mastra](docs/integrations/mastra.md) · [OpenAI Agents](docs/integrations/openai-agents.md) |
49
49
  | Economics | Usage metering, delegation tokens, SLA breach alerts | [Audit log](docs/audit.md) |
50
50
 
@@ -73,7 +73,7 @@ Or with pip:
73
73
  pip install asap-protocol
74
74
  ```
75
75
 
76
- **TypeScript** (npm, **`2.4.1`** — unchanged for v2.5.1; `@asap-protocol/mcp-auth` HTTP middleware still deferred):
76
+ **TypeScript** (npm, **`2.4.1`** — unchanged for v2.5.2; `@asap-protocol/mcp-auth` HTTP middleware still deferred):
77
77
 
78
78
  - [`@asap-protocol/client`](https://www.npmjs.com/package/@asap-protocol/client) — [SDK docs](docs/sdks/typescript.md)
79
79
  - [`@asap-protocol/mastra`](https://www.npmjs.com/package/@asap-protocol/mastra) — [docs](docs/integrations/mastra.md) · [demo](apps/example-mastra/README.md)
@@ -85,7 +85,7 @@ npm install @asap-protocol/mastra@2.4.1 @asap-protocol/client @mastra/core zod
85
85
  npm install @asap-protocol/openai-agents@2.4.1 @asap-protocol/client @openai/agents zod
86
86
  ```
87
87
 
88
- **Python v2.5.1** (code quality patch): `uv add asap-protocol` or `pip install asap-protocol==2.5.1` — see [Migration (v2.5.0 → v2.5.1)](docs/migration.md#upgrading-from-v250-to-v251).
88
+ **Python v2.5.2** (security follow-up): `uv add asap-protocol` or `pip install asap-protocol==2.5.2` — see [Migration (v2.5.1 → v2.5.2)](docs/migration.md#upgrading-from-v251).
89
89
 
90
90
  ## Quick Start
91
91
 
@@ -154,17 +154,18 @@ See [Compliance Testing Guide](https://github.com/adriannoes/asap-protocol/blob/
154
154
 
155
155
  ```bash
156
156
  asap --version # Show version
157
- asap list-schemas # List all available schemas
158
- asap export-schemas # Export JSON schemas to file
159
- asap compliance-check --url https://agent.example # Compliance Harness v2 (HTTP(S))
157
+ asap list-schemas # List JSON schemas
158
+ asap export-schemas # Export schemas to disk
159
+ asap validate-schema payload.json # Validate JSON against a schema
160
+ asap compliance-check --url https://agent.example # Remote Compliance Harness v2
160
161
  asap audit export --store memory --format json # Export audit log (stdout)
161
- asap keys generate -o key.pem # Generate Ed25519 keypair
162
- asap manifest sign -k key.pem manifest.json # Sign manifest
163
- asap manifest verify signed.json # Verify signature
164
- asap manifest info signed.json # Show trust level
162
+ asap keys generate -o key.pem # Ed25519 keypair
163
+ asap manifest sign -k key.pem manifest.json # Sign agent manifest
164
+ asap delegation create -d <urn> -s read -k key.pem --delegator <urn>
165
+ asap trace <trace-id> --log-file asap.log # Visualize request flow from logs
165
166
  ```
166
167
 
167
- See the [CLI reference](docs/cli.md) for `compliance-check` and `audit export` flag details, the [CI compliance gate](docs/ci-compliance.md) for wiring `compliance-check` into GitHub Actions, the [audit export guide](docs/audit.md), [Identity Signing](docs/guides/identity-signing.md), or run `asap --help` for the full command surface.
168
+ See [docs/cli.md](docs/cli.md) for delegation tokens, schema validation, trace visualization, REPL, and full flag reference. Run `asap --help` for your installed version.
168
169
 
169
170
  ## Version History
170
171
 
@@ -172,6 +173,7 @@ High-level only — see **[Changelog](https://github.com/adriannoes/asap-protoco
172
173
 
173
174
  | Version | What shipped |
174
175
  | :-- | :-- |
176
+ | **v2.5.2** | **Security & correctness follow-up** — opt-in operator API auth, `extra="forbid"` ingress, Redis JTI replay, web distributed rate limits, v2.5.1 CR follow-ups (#245–#249), registry signed-manifest/400 fixes. See [CHANGELOG](CHANGELOG.md#252---2026-07-08), [PRD](product/prd/prd-v2.5.2-security-follow-up.md), and [Migration (v2.5.1 → v2.5.2)](docs/migration.md#upgrading-from-v251) |
175
177
  | **v2.5.1** | **Code quality patch** — behavior-preserving refactor (transport/server, client, websocket, SQLite storage, auth, integrations) + six correctness/security fixes (atomic `revoke_cascade`, `usage_events` DDL, unified Host-JWT verifier, **WS now enforces OAuth2**, OpenAPI handler cleanup, client `correlation_id` binding). Deprecated import paths removed in v2.6.0. See [CHANGELOG](CHANGELOG.md#251---2026-06-25) and [Migration (v2.5.0 → v2.5.1)](docs/migration.md#upgrading-from-v250-to-v251) |
176
178
  | **v2.5.0.1** | **Compliance publish** — **[GitHub Release `v2.5.0.1`](https://github.com/adriannoes/asap-protocol/releases/tag/v2.5.0.1)** · PyPI **`asap-compliance` 1.3.0** (`mcp-auth-bridge` profile; requires `asap-protocol>=2.5.0`). No `asap-protocol` API change. See [CHANGELOG](CHANGELOG.md#2501---2026-06-24) |
177
179
  | **v2.5.0** | **MCP Auth Bridge** — **[GitHub Release `v2.5.0`](https://github.com/adriannoes/asap-protocol/releases/tag/v2.5.0)** · opt-in `protect_server` for stdio MCP; Agent JWT + capability grants; reference example `examples/mcp_auth_bridge/`. See [CHANGELOG](CHANGELOG.md#250---2026-06-24) and [Migration (v2.4.1 → v2.5.0)](docs/migration.md#upgrading-from-v241-to-v250) |
@@ -190,7 +192,14 @@ High-level only — see **[Changelog](https://github.com/adriannoes/asap-protoco
190
192
 
191
193
  ## 🔭 What's Next?
192
194
 
193
- ASAP is evolving toward an **Agent Marketplace** — an open ecosystem where AI agents discover, trust and collaborate autonomously. See the [ADR index](https://github.com/adriannoes/asap-protocol/blob/main/product/decision-records/README.md) and [v2.0 roadmap PRD](https://github.com/adriannoes/asap-protocol/blob/main/product/prd/prd-v2.0-roadmap.md). Detailed long-term strategy narratives are maintained privately (not shipped in this repository).
195
+ The [agentic marketplace](https://asap-protocol.com/) and Lite Registry are live. The **v2.5.x train** focuses on interop and adoption:
196
+
197
+ - **v2.5.3** — enterprise/workflow adapter spikes (Adapter Lab II)
198
+ - **v2.5.4** — distribution loop (homepage templates, starter kits, adoption metrics)
199
+ - **`@asap-protocol/mcp-auth`** (npm) — HTTP/SSE MCP middleware
200
+ - **Formal spec track** (v2.5.5) — introspection, privacy, cross-protocol interop on the path to v3.0 economy
201
+
202
+ See the [v2.5 roadmap PRD](https://github.com/adriannoes/asap-protocol/blob/main/product/prd/prd-v2.5-roadmap.md) and [ADR index](https://github.com/adriannoes/asap-protocol/blob/main/product/decision-records/README.md).
194
203
 
195
204
  ## Contributing
196
205
 
@@ -218,4 +227,4 @@ This project is licensed under the Apache 2.0 License - see the [license](https:
218
227
 
219
228
  ---
220
229
 
221
- **Built with [Cursor](https://cursor.com/)** using Opus 4.6/4.7, Composer 1.5/2.0, Gemini 3.1 Pro and Kimi K2.5.
230
+ **Built with [Cursor](https://cursor.com/)**, with Composer, Opus, Gemini, Kimi and more.
@@ -1,6 +1,6 @@
1
1
  [project]
2
2
  name = "asap-protocol"
3
- version = "2.5.1"
3
+ version = "2.5.2"
4
4
  description = "Async Simple Agent Protocol - A streamlined protocol for agent-to-agent communication"
5
5
  authors = [
6
6
  {name = "ASAP Protocol Contributors"}
@@ -30,7 +30,7 @@ dependencies = [
30
30
  "fastapi>=0.136.1",
31
31
  "httpx[http2]>=0.28.1",
32
32
  "authlib>=1.6.12,<2",
33
- "joserfc>=1.6.3,<2",
33
+ "joserfc>=1.6.7,<2",
34
34
  "uvicorn>=0.34",
35
35
  "python-ulid>=3.0",
36
36
  "packaging>=25.0",
@@ -60,12 +60,16 @@ dev = [
60
60
  "types-jsonschema>=4.0.0",
61
61
  "ruff>=0.14.14",
62
62
  "pip-audit>=2.7",
63
+ "fakeredis>=2.26.0",
63
64
  ]
64
65
  docs = [
65
66
  "ghp-import>=2.1.0",
66
67
  "mkdocs-material>=9.5",
67
68
  "mkdocstrings[python]>=0.27",
68
69
  "pymdown-extensions>=10.21.3",
70
+ "joserfc>=1.6.7,<2",
71
+ "python-engineio>=4.13.2",
72
+ "python-socketio>=5.16.2",
69
73
  ]
70
74
  dns-sd = [
71
75
  "zeroconf>=0.149.5",
@@ -76,7 +80,7 @@ redis = [
76
80
  ]
77
81
  # Optional WebAuthn (real attestation/assertion when extra installed).
78
82
  webauthn = [
79
- "webauthn>=2.6,<3",
83
+ "webauthn>=2.6,<4",
80
84
  ]
81
85
  # Framework integrations (Sprint E3 — PKG-003).
82
86
  mcp = [
@@ -138,6 +142,9 @@ Issues = "https://github.com/adriannoes/asap-protocol/issues"
138
142
  # - idna>=3.15 for CVE-2026-45409 (DoS in idna.encode; transitive via httpx/requests)
139
143
  # - markdown>=3.10.2 for PYSEC-2026-89 (DoS in html.parser during Markdown parse; mkdocs stack)
140
144
  # - pymdown-extensions>=10.21.3 for CVE-2026-46338 (snippets base_path prefix bypass; mkdocs stack)
145
+ # - joserfc>=1.6.7 for CVE-2026-48990 (JWT/JWS primitives; direct + override)
146
+ # - python-engineio>=4.13.2 for CVE-2026-48802 / CVE-2026-48809 (transitive, locust stack)
147
+ # - python-socketio>=5.16.2 for CVE-2026-48804 (transitive, locust stack)
141
148
  [tool.uv]
142
149
  override-dependencies = [
143
150
  "aiohttp>=3.14.0,<4",
@@ -162,6 +169,9 @@ override-dependencies = [
162
169
  "pymdown-extensions>=10.21.3",
163
170
  "pydantic-settings>=2.14.2",
164
171
  "msgpack>=1.2.1",
172
+ "joserfc>=1.6.7,<2",
173
+ "python-engineio>=4.13.2",
174
+ "python-socketio>=5.16.2",
165
175
  ]
166
176
 
167
177
  [project.scripts]
@@ -2,7 +2,7 @@
2
2
  "$defs": {
3
3
  "CommonMetadata": {
4
4
  "additionalProperties": false,
5
- "description": "Common metadata keys (extra allowed).",
5
+ "description": "Common metadata keys (unknown keys rejected).",
6
6
  "properties": {
7
7
  "purpose": {
8
8
  "anyOf": [