0.9.14

spec: PEAC v0.9.14: receipt media type peac.receipt/0.9, single-header JWS, domain policy (zero-BC)

Summary
This change finalizes the PEAC 0.9.14 wire format. Receipts are now self-describing JWS with a single protected header and a protocol media type. Legacy headers/fields are removed. CI guardrails enforce the new domain policy and format. This is a zero-backward-compatibility release.

Protocol changes

• Media type: Protected header now includes typ: "peac.receipt/0.9".
• Header cleanup: Remove the legacy peac-version header.
• Timing: Use JOSE iat (NumericDate seconds).
• Payment: payment.scheme replaces payment.rail.
• Problem Details: Base set to https://peacprotocol.org/problems.
• Canonical origin: https://peacprotocol.org; well-known paths centralized.

API changes

• verifyReceipt(jws, keySet) replaces legacy verify()/verifyBulk() (removed).
• Signing and verification use explicit Ed25519 JWK shapes (types provided).
• Package exports: dual ESM/CJS with types pointing to dist/index.d.ts.

Rationale

• Self-describing receipts: Using typ adheres to JOSE conventions and avoids out-of-band versioning.
• Intermediary safety: Fewer custom headers reduces proxy/CDN variability.
• Spec hygiene: Standard iat, explicit media type, and clear Problem Details base improve interoperability.

PEAC Protocol is an open-source project stewarded by Originary.

0.9.13.2

Bridge Bootstrap (Local Dev Sidecar)

• Use the release notes we prepared (wire v0.9.13, endpoints, headers, metrics, CLI, security, performance)

Adds Hono-based local sidecar on 127.0.0.1:31415 with:

• /enforce, /verify, /health, /ready
• /metrics on :31416

Features

• Wire Protocol v0.9.13: Enforces headers and media types:

• Success: application/peac+json

• Errors: application/problem+json

• PEAC-Receipt on allow, no-store cache on sensitive responses

• Retry-After on 402 from payment extensions

• Health Check: HEAD /health, Prometheus metrics with correct content-type & quantiles, peac-version on metrics

• CLI: peac bridge install|start|stop|status, discovery via require.resolve

• Verify: Returns proper 4xx/5xx Problem+JSON on error, dynamic import safety checked in readiness (api_verifier_loaded)

• Security Hardening: Loopback-only, nosniff, same-origin CORP, no legacy x-peac headers

• Node ≥18.18, tsup target node18

• SSRF tests aligned to built artifacts

Acceptance Gates (Local)

• /enforce p95 < 5ms, adapters can discover sidecar, CPU idle < 5% @ 100 rps
• All endpoints emit peac-version: 0.9.13, correct content-types
• 402→pay→200 flow validated, verify errors return 4xx/5xx

PEAC Protocol is an open-source project stewarded by Originary

0.9.13.1

v0.9.13.1 : Verifier API + CLI (normative)

Minimal, standards-first release that ships a stable verifier endpoint, a focused CLI, and normative docs/test vectors.

Highlights

• Verifier API: /verify with strict SSRF guards and cache guidance (Vary: PEAC-Receipt).
• CLI: peac discover <url>, peac hash <policy.json>, peac verify <receipt.jws> --resource <url> [--json].
  Exit codes: 0 (valid) / 1 (invalid).
• Normative docs: policy-hash.md (canonicalization + 3 vectors), receipts.md (claims, rid=UUIDv7, exp≤5m), errors.md (RFC7807 registry), quickstart.md.

Security & Limits (MUST/SHALL)

• Schemes: https: only; http: allowed only on loopback.
• SSRF: Block file:/data:; reject private/link-local IPv4 and IPv6 ULA/link-local; ≤ 3 redirects; body ≤ 256 KiB.
• Timing: per-fetch ≤ 150 ms; total budget ≤ 250 ms.
• Headers: set X-Content-Type-Options: nosniff, Cache-Control: no-store, Referrer-Policy: no-referrer, Vary: PEAC-Receipt.

Implementation notes

• Discovery: keep package name @peac/disc (no @peac/discovery).
• Build: TypeScript project refs; deterministic build:types (no path hacks).
• Node/pnpm: Node 20.x in CI; pnpm only.

Tests

• Golden policy-hash vectors (3).
• CLI happy/failure paths (exit codes, --json).
• SSRF unit coverage (schemes, CIDRs, IPv6, redirects, size, timeouts).

---

Quick start

# Discover
peac discover https://example.com

# Policy hash (canonical)
peac hash ./policy.json

# Verify (API-backed)
peac verify ./receipt.jws --resource https://example.com --json

PEAC Protocol is an open-source project stewarded by Originary

0.9.13

• Core enforce() orchestration function with discover → evaluate → settle → prove workflow
• Dynamic imports resolving cyclic dependencies between @peac/core and @peac/pay402
• Comprehensive smoke test suite (7/7 passing)
• Edge worker reference implementation
• Performance target: 5.14ms P95 orchestration time

PEAC Protocol is an open-source project stewarded by Originary

0.9.12.4

PEIP-SAF + Receipt Engine Foundation

Core specifications:

• Ed25519 detached JWS with RFC 7797 compliance
• RFC 8785 JCS canonicalization with URL normalization
• UUIDv7 receipt IDs with replay protection
• PEIP-SAF safety profiles with SB-243 compliance
• JSON Schema Draft 2020-12

Performance:

• Sign/verify: 0.24ms p95
• Policy hash: deterministic with test vectors
• Cross-runtime: Node.js, Deno/Bun optional

Components: @peac/core, @peac/profiles-safety

PEAC Protocol is an open-source project stewarded by Originary

0.9.12.3

- Core/security: .unref() rotation + cleanup intervals
- Core/rate-limit: .unref() cleanup interval
- Crawler/health: .unref() monitor interval
- CI: post-release guardrails (leak check), Nightly stable

PEAC Protocol is an open-source project stewarded by Originary

0.9.12.2

PEAC v0.9.12.2 - Crawler tests stabilized, Nightly reliability, CI sripts hardened

• Comprehensive Jest teardown for clean process exit
• Stable CI scripts: ci:test:unit, ci:test:crawler, ci:nightly, ci:doctor
• TypeScript execution fixes with tsx for integration tests
• Schema validation corrections (verification, audit_chain, crawler_verification)
• Circuit breaker pattern for idempotent shutdown
• Registry cleanup and process listener management
• Performance: Nightly passes reliably in <30 minutes
• Integration: MCP stdio server, OpenAI functions, schema spot-checks
• Quality: Test isolation, deterministic execution patterns

All Jest hanging issues resolved. Nightly workflow now green and stable.

PEAC Protocol is an open-source project stewarded by Originary

0.9.11

This release delivers official PEAC Protocol SDKs with transport-agnostic architecture, enhanced CLI tools for offline verification, and streaming export endpoints with authentication.

Major Features

Official SDKs

• Node.js SDK (@peacprotocol/sdk-node): ESM+CJS dual builds with undici HTTP client
• Python SDK (@peacprotocol/sdk-python): Async-first design with sync compatibility shims
• Transport-agnostic adapter architecture for future protocol support (MCP/A2A/Nanda)

CLI Tools

• peac verify receipt - Offline receipt verification with Ed25519
• peac dir get - Site directory discovery and capability checking
• peac policy lint - Policy validation against schema
• peac receipt show - Receipt display and parsing

Export Endpoints

• Streaming NDJSON/CSV data export with pagination
• HTTP Message Signatures (RFC 9421) authentication
• Bearer token and mTLS authentication support
• Node.js Transform streams for 10k+ rows/sec throughput

Policy Schema v0.9.11

• Enhanced attribution format patterns with regex validation
• Privacy retention controls (1-365 days)
• Export configuration with max rows limits
• Logging sink configuration for telemetry

Breaking Changes

• Header Modernization: All custom headers now use lowercase peac-* format per HTTP/2+ standards
• Removed: Legacy x-peac-* header support (no production usage, clean API surface)

Technical Implementation

• Ed25519 cryptography via @noble/ed25519 for performance and security
• Property-based testing with fast-check for comprehensive edge case coverage
• Adapter pattern enabling pluggable transport protocols
• Constant-time operations for cryptographic security

Performance Targets

• SDK warm calls: <50ms with ETag caching
• Receipt verification: <2ms with Ed25519
• Export streaming: 10,000+ rows/second
• Middleware overhead: <1ms

RFC Compliance

• HTTP Message Signatures (RFC 9421)
• Problem Details (RFC 7807)
• Content Negotiation (RFC 7231)
• HTTP/2+ header standards

Testing

• Comprehensive test suites with property-based testing
• All existing tests passing

PEAC Protocol is an open-source project stewarded by Originary

0.9.9

Web Bot Auth, Ed25519 receipts

Features:

• Web Bot Auth end-to-end verification with SSRF protection
• Ed25519 receipts system with JWS compact format
• Verified tier: 6000 rpm with enhanced caching
• Policy v0.9.9 with verified_rpm field

Security:

• Comprehensive SSRF protection with domain validation
• Rate limiting and circuit breakers for verification
• Token bucket algorithm for verified tier
• DoS protection with size/timeout limits

PEAC Protocol is an open-source project stewarded by Originary

0.9.8.2

• Wire SSOT=0.9.8
• README samples lowercase
• MCP discovery gated
• JWKS If-None-Match list handling
• OpenAPI license Apache-2.0
• Jest CJS
• explicit server→schema dep.

PEAC Protocol is an open-source project stewarded by Originary