v0.4.0
v0.4.0 — the embeddable, multi-tenant, portable release
First stable 0.4.0. pip install attestix now resolves to 0.4.0 (was 0.3.0).
Promotes 0.4.0rc5 unchanged after a clean 10/10 cross-family Linux source-blind validation — the convergence of a 5-RC cycle (Windows + Linux) that caught and fixed 5 P0 install crashes, 4 doc/contract breaks, and 1 idempotency-replay defect before any of it reached the canonical install name.
pip install attestix # 0.4.0
# optional extras:
pip install 'attestix[api]' # FastAPI REST surface
pip install 'attestix[langchain]' # LangChain callbackWhat's new since 0.3.0
Embeddable
- Pluggable
Storage+Signerprotocols — swap the in-memory defaults for Postgres + HSM/KMS without forking. - Canonical
attestix.*namespace (back-compat shims retained);[api]/[langchain]/[crewai]/[openai-agents]install extras; LangChain / OpenAI Agents / CrewAI integrations shipped in the wheel.
Multi-tenant
tenant_idon every resource; structured, hash-chained, idempotency-aware audit events that don't leak across tenants.- REST idempotency replays the original cached body verbatim (
Idempotency-Replayedheader), exactly-1-resource dedup, 24h TTL.
Portable (zero lock-in)
- Bundle EXPORT + IMPORT (
attestix export/attestix import) — byte-stable JCS wire-format published at https://attestix.io/spec/bundle/v1. Cloud-workspace ⇆ self-host round-trip. - Cross-engine offline JS verifier (
npm install @vibetensor/attestix; unscopedattestixmigration underway) verifies Python-issued credentials in any JS runtime.
Verifiable + compliant
verify_chainreturns a structuredVerifyChainResult(broken_event_id,failure_reason).generate_declaration_of_conformityraises on all missing prerequisites; declarations surfacecredential_id.- Browser verification portal at https://attestix.io/verify (no install, nothing uploaded).
Docs + trust
- 10 per-ICP quickstarts,
/uk+/indiapages, OWASP Agentic Top 10 (2026) + ISO 42001 + NIST AI RMF + SOC 2 + FRIA mappings (honest per-control coverage),/pricing, the bundle spec. - Supply chain: Docker base images SHA-pinned, CI deps hash-pinned.
Validated
585 tests on Ubuntu + Windows × Python 3.11–3.13. Clean 10/10 cross-family persona validation on Linux, source-blind against the PyPI wheel. Signing keys 0600.
Known, scheduled for v0.4.1
get_audit_trailsurfaces only the legacy Article-12 chain (theidentity.createevent is emitted + counted byget_provenance; the read-API contract change is deferred).create_delegationrefuses capability-escalation via an error-dict rather than a raise (secure — escalation is blocked).
Built by VibeTensor Private Limited (India-incorporated; Warangal, Telangana). Evidence tooling, not a guarantor of compliance — providers remain liable under EU AI Act Articles 16–22.