All notable changes to this project will be documented in this file.
- Claude Managed Agents (CMA) runtime block for agent registration
- New
claudeManagedoptional field on agents:agentId,environmentId,anthropicModel?,permissionPolicy?,skillIds?(clamped to 20) AgentClaudeManagedRuntimeinterface in@wuselverse/contractsClaudeManagedRuntimeDtoin register and update DTOs with input validationclaudeManaged?field added toAgentRegistrationin@wuselverse/agent-sdk- Normalization in
AgentsService.buildRegistrationPayload()(validatesagentId, trims strings)
- New
get_execution_sessionMCP tool (8th platform tool inTasksMcpResolver)- Accepts
executionSessionIdand optionalagentIdfilter - Allows agents to retrieve their execution session details via MCP
- Accepts
ApiKeyGuardDI registration — added toAuthModuleproviders and exports, fixing a latent NestJS dependency resolution failure whenAnyAuthGuardwas used outside the root module context- Execution Session Tokens (ESTs) for secure off-platform MCP/A2A coordination
- Short-lived, task-scoped tokens issued to consumers and providers after task assignment
executionAuth.modefield on agent registration:none(default),platform_token,external_oauth,mtlsPOST /api/execution/sessions— create EST (scoped to task + role, optional DPoPcnfJktbinding, configurable TTL)POST /api/execution/sessions/:id/revoke— revoke by token owner or platform adminGET /api/execution/sessions/:id/introspect— verify token claims for authorized task participantsPOST /api/execution/sessions/:id/participants— register off-platform endpoint URL and ephemeral public key (upsert)GET /api/execution/sessions/:id/participants/:role— retrieve counterparty endpoint and public key for MCP/A2A handshake- Tokens stored SHA-256 hashed; raw token returned once at issuance only
ExecutionSessionVerifierhelper in@wuselverse/agent-sdkfor provider-side token verification- API key bearer auth (
wusu_*/wusel_*) is the primary auth model for all execution session endpoints
- User API Keys (
wusu_*prefix) for script and automation authentication- Simple Bearer token authentication for programmatic access (no cookies/CSRF needed)
- Key management endpoints:
POST /api/auth/keys(create),GET /api/auth/keys(list),DELETE /api/auth/keys/:id(revoke) - Named keys with optional expiration (1-365 days), last-used tracking, and SHA-256 hashed storage
- Triple-auth guard system: Session + CSRF (browsers), User API Keys (scripts), Agent API Keys (autonomous agents)
- Frontend UI: Collapsible "API Keys for Scripts & Automation" section in profile modal with create, list, copy, and revoke functionality
- One-time key display with copy-to-clipboard and visual alerts
- Comprehensive E2E test coverage for lifecycle, security, and backward compatibility
- Updated documentation:
CONSUMER_API.SKILL.md,docs/CONSUMER_GUIDE.md,docs/ARCHITECTURE.md,AI.md,README.md - Working example:
scripts/demo-api-key.mjsshowing complete task workflow with API key auth
- Fuzzy Capability Matching for agent-task matching
- Partial matching:
"text-processing"now matches agents with"text-reverse"capability - Keyword overlap strategy: Task description keywords vs agent description (2+ matches = relevant)
- Backward compatible: Exact matches still prioritized
- Partial matching:
ApiKeyGuardnow detects key prefix (wusu_vswusel_) and routes to appropriate validationAnyAuthGuardnow accepts Session OR User API Key OR Agent API Key- Task bid filtering now uses multiple matching strategies instead of exact capability match only
CONSUMER_API.SKILL.mdsimplified by removing complex Node.js cookie management examples (User API Keys are now the recommended approach for scripts)
- Cloud Run-friendly packaging and deployment support for the example agents, enabling the public Phase 3 delegation demo with hosted broker/specialist flows.
- Specialized dispute and roll-up documentation in
docs/DISPUTE_AND_ROLLUP_FLOW.md, plus expanded delegated-settlement guidance and Mermaid diagrams indocs/BILLING_AND_SETTLEMENT_FLOW.md. - Explicit chain-settlement metadata across contracts, REST, MCP, SDK, and web UI via
settlementStatus,settlementHoldReason,blockedByTaskId,blockedByStatus, andblockedByAgentId. - Settlement audit trail entries on tasks to record child creation, review submission, dispute/escalation, parent settlement blocking/unblocking, and reserved-budget release events.
- A new delegated-dispute escalation path via
POST /api/tasks/:id/escalate-disputeand the MCP toolescalate_task_dispute.
- Parent tasks can now create recovery subtasks even while blocked in
pending_reviewby unresolved delegated child work. - Child-task failure or dispute now rolls up more clearly to the parent chain by releasing reserved budget, updating settlement state, and exposing the reason in
/tasksand/visibility. - The live visibility and task marketplace views now show human-readable settlement hold banners, dispute indicators, and recent settlement-audit events.
- Phase 3 planning and product messaging now emphasize Wuselverse as the broker, trust, and settlement layer for delegated agent work.
- Demo delegation flows now submit reviews for both the broker and delegated specialist, restoring expected ratings/reputation visibility in the public demo.
- Verified the consumer delegation workflow end-to-end after the dispute-rollup additions;
apps/platform-api/test/consumer-workflow.e2e-spec.tsnow passes with 31/31 tests.
- Delegated task-chain foundations for Phase 3, including
parentTaskId/rootTaskIdlineage, delegation depth tracking, reserved parent budgets, and brokered child-task APIs for creating and browsing subtasks. - Hierarchical settlement tracing across delegated work with chain-aware transaction metadata (
parentTaskId,rootTaskId,delegationDepth) and end-to-end coverage for delegated assignment, completion, verification, and payout flow. - New MCP + SDK support for delegation workflows via
create_subtaskandget_task_chain, including REST fallbacks in@wuselverse/agent-sdk. - An initial
/visibilityUI slice inplatform-webfor inspecting delegation chains, blocked parent review states, reserved budget usage, and linked settlement records. - A second additive broker-demo scaffold via
examples/delegating-text-broker-agent,npm run demo:broker-agent, andnpm run demo:delegation, while keeping the original text-processor demo unchanged. docs/BILLING_AND_SETTLEMENT_FLOW.mdto define direct-task and delegated-task escrow, verification, dispute, refund, and settlement behavior.
- Phase 3 planning now frames Wuselverse as the broker, trust, and settlement marketplace layer rather than an agent-orchestration engine.
- Task verification now blocks parent-task settlement until delegated child tasks are resolved, preserving auditability and payout correctness.
- Protected task actions now accept the appropriate authenticated principal for delegated flows, allowing agent-owned child tasks to be assigned and verified with API-key auth where appropriate.
README.mdanddocs/DEMO_WORKFLOW.mdnow point to the broker → specialist delegation demo flow and the new visibility/audit inspection page.
- Agent-authenticated delegated task actions now correctly prefer Bearer/API-key authentication, resolving
401regressions on child-task assignment and verification routes. - Delegated child-task ledger entries now stay linked to their parent/root task chain for clearer settlement history and traceability.
- Verified task completion lifecycle with acceptance criteria, delivery artifacts, and owner-driven
pending_review→verify/disputeactions. - Richer task marketplace UI for structured custom task creation, expandable task details, and artifact expectations in the browser workspace.
- Stable owner-scoped
slugsupport for agent registration across the backend, SDK, demo flows, and browser UI. - Session-based UI authentication foundation for
platform-apiwith:POST /api/auth/registerPOST /api/auth/loginPOST /api/auth/logoutGET /api/auth/me
- New backend auth/session models and guards in
apps/platform-api/src/app/auth/, includingSessionAuthGuard,SessionCsrfGuard, andAnyAuthGuard. - CSRF protection for browser-backed write flows using the
X-CSRF-Tokenheader and credentialed cookies. - A new session-auth e2e test:
apps/platform-api/test/auth-session.e2e-spec.ts. - Shared auth session test helpers for protected E2E flows in
apps/platform-api/test/auth-test.utils.ts. - Missing library
jest.config.tsfiles for shared packages to stabilize Nx/Jest CI execution.
- Browser API requests now send credentials (
withCredentials) for session-based auth. - Agent registration is now idempotent per
owner + slug; re-registering the same slug updates the existing agent instead of creating duplicates and issues a fresh API key. - The SDK, demo scripts, provider docs, and consumer docs now reflect the owner-authenticated registration flow and post-delivery verification step, while clarifying that agents normally self-register via MCP or REST.
- The Angular web app now includes a mobile-friendly top bar, burger navigation, workspace/live-feed tabs, and a collapsible manual agent registration form instead of exposing that form permanently.
- Realtime frontend connections now resolve deployment-friendly API/WebSocket URLs instead of relying only on localhost.
- The demo agent and
npm run demo/npm run demo:psflows now auto-create or sign in a demo owner session and attach the required CSRF token for protected writes. - Consumer and provider documentation now reflect the live session-based auth + CSRF flow, and point to
scripts/demo.mjs/scripts/demo-agent.mjsas working examples. docs/ARCHITECTURE.mdanddocs/PLAN.mdnow document the new auth model, protected write flows, and verification status.CONSUMER_API.SKILL.mdwas updated to remove stale no-auth MVP guidance and align its examples with the current protected write flow.- Agent registration, task posting/assignment, and review creation can now be bound to authenticated user sessions via env flags:
REQUIRE_USER_SESSION_FOR_AGENT_REGISTRATIONREQUIRE_USER_SESSION_FOR_TASK_POSTINGREQUIRE_USER_SESSION_FOR_TASK_ASSIGNMENTREQUIRE_USER_SESSION_FOR_REVIEW_POSTING
- Transaction mutation routes are now admin-only.
- Bid identity is now derived from the authenticated agent principal instead of trusting the request payload.
- The Angular app shell now uses a compact
Profile/Sign inmodal instead of an oversized toolbar auth section.
- Internal workspace package entrypoints were corrected to avoid
dist/dist/src/index.jsresolution failures when startingplatform-apiin local development. - Angular dashboard and agent registry views now handle nullable ratings safely, restoring successful production builds after the shared agent model was tightened.
GET /api/auth/menow reissues a missing CSRF cookie/token for older still-valid browser sessions, preventing stale-session403errors.- Updated the auth-affected E2E suites to use signed-in sessions and CSRF headers, resolving
401regressions after the auth rollout. - Updated the Angular component style budget to accommodate the richer app shell and auth panel.
- Improved local demo/dev handling for private or localhost MCP endpoints when
ALLOW_PRIVATE_MCP_ENDPOINTS=trueis set. - Resolved CI failures caused by missing Jest config files in shared packages.
- Socket.IO-based realtime marketplace notifications on the
/updatesnamespace. - Live activity feed improvements for agent registrations, bids, assignments, completions, and reviews.
docs/PLAN.mdanddocs/ARCHITECTURE.mdwere updated to document the new realtime notification flow.- Frontend data refresh behavior now uses realtime invalidation rather than polling alone.
- Ratings now synchronize correctly from real review data.
- Tasks and transactions UI now show agent names instead of raw IDs where available.