Changelog

v0.18.0 — SDK (2026-03-09)

RFC-021 Phase 2: Grandchild sponsorship, batch heartbeat, delegation chains.

batchHeartbeat(children, paymentTx) — heartbeat multiple sponsored children in one call
createDelegation(delegateHash, opts) / revokeDelegation() / listDelegations() — delegation chain management
Grandchild sponsorship support (beyond direct children)
BatchHeartbeatResult, DelegationRecord, DelegationResult types exported

v0.17.0 — SDK (2026-03-06)

Breaking change: Payment arguments are now required for paid operations.

heartbeat(paymentTx) — paymentTx is mandatory (was optional with devnet-skip default)
startHeartbeat(paymentTxFn) — callback function required
reissuePassport(paymentTx) — payment required for reissuance
purchaseSigil(opts) — paymentTx required in options
Devnet-skip default removed from all paid methods
Self-custody wallet documentation removed (Model A was removed in v0.14.0)
SDK v0.17.0 published to npm

v0.16.0 — SDK (2026-03-04)

Passport rename: LineageProof → Passport as canonical type.

Passport is the canonical type; LineageProof is a deprecated alias (sunset 2026-09-01)
All proof-returning routes now return both passport and lineage_proof fields
/api/v1/agent/passport endpoint returns passport + passport_vc (W3C VC)
SDK methods: reissuePassport(), getLatestPassport(), verifyPassportLocally() (old names are deprecated wrappers)
OpenAPI v0.16.0

Registry API v0.15.0 (2026-03-02)

Admin API agent management + error taxonomy

Added: POST /api/v1/admin/agent/freeze — admin freeze with suspended lineage event.
Added: POST /api/v1/admin/agent/unfreeze — admin override unfreeze (no work-proof required).
Added: POST /api/v1/admin/agent/refuse-heartbeat — block heartbeat submissions (DISPUTE_RULING, COURT_ORDER, ADMIN_ACTION).
Added: GET /api/v1/admin/actions — paginated admin audit trail query with filters.
Added: adminKey security scheme (pva_ prefix) documented in OpenAPI spec.
Added: Existing POST /admin/authority-key/rotate and POST /admin/authority-key/revoke now documented in OpenAPI spec.
Added: Machine-readable code field on all API error responses (37 codes). Clients can switch on body.code instead of parsing error strings.
Added: retry_after_ms on rate-limit responses.

SDK v0.15.0 (2026-03-01)

Added: mapApiError() prefers body.code over status-code heuristics. Backward compatible with older servers.

v0.14.0 (2026-02-23)

Model A wallet removal (breaking)

Breaking: Model A (self-custody hex key) wallet registration removed. walletModel option narrowed to 'operator' only.
Removed: generateWalletKeypair() function no longer exported.
Removed: walletSecretKey option from RegisterOptions.
WalletInfo simplified: public_key and secret_key fields removed. Only solana_address, address, and chain remain.
Model B (operator) and Ethereum bring-your-own remain fully supported.

v0.13.0 (2026-02-22)

Work-proof system + deprecated method removal

Breaking: pulse() and checkin() methods removed (were deprecated since v0.9.0).
Added: computeWorkProof(opts) — computes sequential SHA-256 beats locally, weaving in anchor hash, then submits to Beats service for a signed receipt. Required for spawn and resync when BEATS_REQUIRED=true.
Added: requestSpawnWithBeatsProof(opts?) — convenience method that probes spawn for required beats, computes work proof, and submits.
Added: WorkProofReceipt and WorkProofResult types.
Added: beatsUrl config option (default: 'https://beats.provenonce.dev').
Updated: requestSpawn() accepts optional beatsReceipt parameter for receipt-based spawn.
Rewritten: resync() now probes resync endpoint; if RECEIPT_REQUIRED, automatically computes work proof and submits.

v0.12.0 (2026-02-19)

Anchor hash verification

Added: verifyAnchorHash(anchor) — local verification of anchor hashes without network call. Supports V3 binary-canonical and V1 legacy formats.
Added: verifyAnchors config option (default: true) — automatically verifies anchor hashes before trusting fetched anchors.

v0.11.0 (2026-02-18)

Self-service registration (RFC-010)

Added: RegisterOptions type exported for typed registration configuration.
Added: registrationToken option — single-use token from email verification flow.
Added: registrationInvite option — admin-minted invite token.

v0.10.1 (2026-02-18)

SIGIL Namespace v0.4 types + metadata

Added: updateMetadata(fields) — update mutable SIGIL metadata fields via PATCH /api/v1/agent/metadata.
Added: purchaseSigil() now accepts SigilPurchaseOptions object with full namespace fields (identity_class, principal, tier, name, payment_tx, plus optional metadata). Legacy two-argument signature deprecated.
Added: Types: SigilTier, Substrate, SubstrateProvider, Capability, SigilProtocol, ComplianceRegime, SigilPurchaseOptions, SigilMutableFields, MetadataUpdateResult.
Added: VerificationResult type with structured offline verification output (valid, signatureValid, expired, warning).
Enriched: SigilResult now returns sigil (full string), sigil_name, principal, tier fields.

v0.9.1 (2026-02-14)

Security hardening (P0-P3)

Enforced fail-closed payment verification and atomic payment-tx claim handling in paid routes.
Tightened spawn integrity with ownership binding and safer mutation ordering.
Hardened Beats anchor canonicalization and continuity selection in the Beats service.
Made public /api/v1/verify/[hash] read-only for proofs; fresh signed proof issuance stays on paid reissue.
Upgraded authenticated route rate limiting from IP-only to multi-dimensional keys: endpoint path + authenticated subject, with path + IP fallback when subject is missing.
Added fail-fast cost guards on paid routes so oversized/invalid payloads are rejected before auth/payment/DB work: /api/v1/agent/spawn, /api/v1/agent/heartbeat, /api/v1/agent/reissue-proof, /api/v1/sigil (commit ebcf57c).
Added route-level fail-fast tests: tests/cost-guards-fastfail.test.ts, tests/heartbeat-cost-guards-fastfail.test.ts, tests/reissue-proof-cost-guards-fastfail.test.ts, tests/sigil-cost-guards-fastfail.test.ts.
Added payment-failure throttling regression coverage to ensure repeated invalid/replayed payment attempts consume limiter budget and converge to 429 (tests/payment-failure-throttling.test.ts, commit 80046c3, tag security-hardening-p3-2).

v0.9.0 (2026-02-13)

SIGIL identity tiers, heartbeat protocol, lineage proofs

Breaking: checkin() removed — server returns 410 Gone. Use heartbeat() instead.
Breaking: resync() removed — server returns 410 Gone. (Note: resync() was restored and rewritten in v0.13.0 with work-proof receipt support.)
Breaking: Registration no longer writes a Solana SPL Memo. signature and explorer_url removed from RegistrationResult. Birth records are DB-only. (Note: birth memos were restored in v0.10.1 per D-94. Response now includes birth_tx.)
Deprecated: pulse(), computeBeat(), computeBeatsLite() — emit console.warn, will be removed in v1.0.
Added: purchaseSigil({ identity_class, principal, tier, payment_tx }) — acquire SIGIL identity tier (narrow_task, autonomous, orchestrator).
Added: heartbeat(paymentTx?, globalAnchor?) — single-call liveness proof replacing pulse() + checkin().
Added: reissueProof(paymentTx?) — request fresh lineage proof without advancing heartbeat counter.
Added: getLatestProof() — return cached lineage proof (no network).
Added: BeatAgent.verifyProofLocally(proof, authorityPubKeyHex) — offline Ed25519 proof verification.
Added: Types: LineageProof, Passport (alias), SigilResult, HeartbeatResult, IdentityClass.
Added: getPassport() — alias for getLatestProof().
Added: agent_public_key in LineageProof — wallet address bound into signed proof data (prevents bearer-token impersonation).
Added: Ed25519-signed lineage proofs (Passports) with 24h validity window.
Added: Fee summary endpoint (GET /api/v1/fees/summary), authority key endpoint (GET /api/v1/.well-known/authority-key).
Added: startHeartbeat() now calls heartbeat() on interval (replaces old pulse+checkin loop).
Devnet: pass 'devnet-skip' as the heartbeat() / reissueProof() payment argument to bypass payment (removed in v0.17.0).

v0.8.0 (2026-02-12)

Chain-agnostic identity (D-62/63/64)

Breaking: Default registration is now no-wallet (identity only). Pass walletModel: 'self-custody' to generate a Solana wallet.
Wallet is optional at registration — three paths: no-wallet, Solana self-custody, Ethereum BYO
Chain-agnostic wallets: walletChain option ('solana' or 'ethereum')
Ethereum BYO registration via walletAddress + walletSignFn (EIP-191 personal_sign)
v2 hash formula: sha256("root:v2:" + wallet + ":" + chain + ":" + ts + ":" + nonce)
128-bit nonces (was 64-bit)
Two-tier rate limits: 5/hr no-wallet, 10/hr wallet-bound
wallet_chain field in all responses

v0.7.0 (2026-02-09)

Anchor-hash weaving + wallet-per-agent

Global anchor hash woven into sequential-work seed (anti-pre-computation)
Wallet-per-agent registration (Model A self-custody, Model B operator)
generateWalletKeypair() for client-side Ed25519 keypair generation
Two-phase challenge-response registration flow
Difficulty adjustment wired into enforce endpoint

v0.6.0 (2026-02-09)

Anchor-hash weaving (anti-pre-computation)

Global anchor hash woven into each beat’s sequential-work seed
Beat type gains anchor_hash field
computeBeat() and computeBeatsLite() accept anchorHash parameter
Old SDK clients without anchor hash are rejected when anchors exist

v0.5.0 (2026-02-08)

New agent API paths

Agent endpoints moved from /api/v1/beat/* to /api/v1/agent/*
Old /beat/* paths are deprecation proxies (sunset 2026-06-01)
register() function added to SDK
RegistrationResult and WalletInfo types exported

v0.4.0 (2026-02-07)

Spot check enforcement

Minimum 3 spot checks required
to_beat must always be included in spot checks
createCheckinProof() passes anchor_hash through

v0.3.0 (2026-02-06)

Security hardening

Rate limiting on all endpoints
HMAC signature length increased to 128-bit
Input validation on all body-parsed routes

v0.2.0 (2026-02-05)

Beat chain and registration

BeatAgent class with full lifecycle
Root and child registration with Solana SPL Memo birth records

v0.1.0 (2026-02-04)

Initial release

Sequential hash chain engine (computeBeat, computeBeatsLite)
Basic agent lifecycle