Skip to content

Latest commit

 

History

History
146 lines (126 loc) · 12.3 KB

File metadata and controls

146 lines (126 loc) · 12.3 KB

Changelog

All notable changes to this project will be documented in this file.

[0.4.0] - 2026-04-19

Added

  • Claude Managed Agents (CMA) runtime block for agent registration
    • New claudeManaged optional field on agents: agentId, environmentId, anthropicModel?, permissionPolicy?, skillIds? (clamped to 20)
    • AgentClaudeManagedRuntime interface in @wuselverse/contracts
    • ClaudeManagedRuntimeDto in register and update DTOs with input validation
    • claudeManaged? field added to AgentRegistration in @wuselverse/agent-sdk
    • Normalization in AgentsService.buildRegistrationPayload() (validates agentId, trims strings)
  • get_execution_session MCP tool (8th platform tool in TasksMcpResolver)
    • Accepts executionSessionId and optional agentId filter
    • Allows agents to retrieve their execution session details via MCP
  • ApiKeyGuard DI registration — added to AuthModule providers and exports, fixing a latent NestJS dependency resolution failure when AnyAuthGuard was used outside the root module context
  • Execution Session Tokens (ESTs) for secure off-platform MCP/A2A coordination
    • Short-lived, task-scoped tokens issued to consumers and providers after task assignment
    • executionAuth.mode field on agent registration: none (default), platform_token, external_oauth, mtls
    • POST /api/execution/sessions — create EST (scoped to task + role, optional DPoP cnfJkt binding, configurable TTL)
    • POST /api/execution/sessions/:id/revoke — revoke by token owner or platform admin
    • GET /api/execution/sessions/:id/introspect — verify token claims for authorized task participants
    • POST /api/execution/sessions/:id/participants — register off-platform endpoint URL and ephemeral public key (upsert)
    • GET /api/execution/sessions/:id/participants/:role — retrieve counterparty endpoint and public key for MCP/A2A handshake
    • Tokens stored SHA-256 hashed; raw token returned once at issuance only
    • ExecutionSessionVerifier helper in @wuselverse/agent-sdk for provider-side token verification
    • API key bearer auth (wusu_* / wusel_*) is the primary auth model for all execution session endpoints
  • User API Keys (wusu_* prefix) for script and automation authentication
    • Simple Bearer token authentication for programmatic access (no cookies/CSRF needed)
    • Key management endpoints: POST /api/auth/keys (create), GET /api/auth/keys (list), DELETE /api/auth/keys/:id (revoke)
    • Named keys with optional expiration (1-365 days), last-used tracking, and SHA-256 hashed storage
    • Triple-auth guard system: Session + CSRF (browsers), User API Keys (scripts), Agent API Keys (autonomous agents)
    • Frontend UI: Collapsible "API Keys for Scripts & Automation" section in profile modal with create, list, copy, and revoke functionality
    • One-time key display with copy-to-clipboard and visual alerts
    • Comprehensive E2E test coverage for lifecycle, security, and backward compatibility
    • Updated documentation: CONSUMER_API.SKILL.md, docs/CONSUMER_GUIDE.md, docs/ARCHITECTURE.md, AI.md, README.md
    • Working example: scripts/demo-api-key.mjs showing complete task workflow with API key auth
  • Fuzzy Capability Matching for agent-task matching
    • Partial matching: "text-processing" now matches agents with "text-reverse" capability
    • Keyword overlap strategy: Task description keywords vs agent description (2+ matches = relevant)
    • Backward compatible: Exact matches still prioritized

Changed

  • ApiKeyGuard now detects key prefix (wusu_ vs wusel_) and routes to appropriate validation
  • AnyAuthGuard now accepts Session OR User API Key OR Agent API Key
  • Task bid filtering now uses multiple matching strategies instead of exact capability match only
  • CONSUMER_API.SKILL.md simplified by removing complex Node.js cookie management examples (User API Keys are now the recommended approach for scripts)

[0.3.0] - 2026-04-10

Added

  • Cloud Run-friendly packaging and deployment support for the example agents, enabling the public Phase 3 delegation demo with hosted broker/specialist flows.
  • Specialized dispute and roll-up documentation in docs/DISPUTE_AND_ROLLUP_FLOW.md, plus expanded delegated-settlement guidance and Mermaid diagrams in docs/BILLING_AND_SETTLEMENT_FLOW.md.
  • Explicit chain-settlement metadata across contracts, REST, MCP, SDK, and web UI via settlementStatus, settlementHoldReason, blockedByTaskId, blockedByStatus, and blockedByAgentId.
  • Settlement audit trail entries on tasks to record child creation, review submission, dispute/escalation, parent settlement blocking/unblocking, and reserved-budget release events.
  • A new delegated-dispute escalation path via POST /api/tasks/:id/escalate-dispute and the MCP tool escalate_task_dispute.

Changed

  • Parent tasks can now create recovery subtasks even while blocked in pending_review by unresolved delegated child work.
  • Child-task failure or dispute now rolls up more clearly to the parent chain by releasing reserved budget, updating settlement state, and exposing the reason in /tasks and /visibility.
  • The live visibility and task marketplace views now show human-readable settlement hold banners, dispute indicators, and recent settlement-audit events.
  • Phase 3 planning and product messaging now emphasize Wuselverse as the broker, trust, and settlement layer for delegated agent work.

Fixed

  • Demo delegation flows now submit reviews for both the broker and delegated specialist, restoring expected ratings/reputation visibility in the public demo.
  • Verified the consumer delegation workflow end-to-end after the dispute-rollup additions; apps/platform-api/test/consumer-workflow.e2e-spec.ts now passes with 31/31 tests.

[0.2.0] - 2026-04-09

Added

  • Delegated task-chain foundations for Phase 3, including parentTaskId / rootTaskId lineage, delegation depth tracking, reserved parent budgets, and brokered child-task APIs for creating and browsing subtasks.
  • Hierarchical settlement tracing across delegated work with chain-aware transaction metadata (parentTaskId, rootTaskId, delegationDepth) and end-to-end coverage for delegated assignment, completion, verification, and payout flow.
  • New MCP + SDK support for delegation workflows via create_subtask and get_task_chain, including REST fallbacks in @wuselverse/agent-sdk.
  • An initial /visibility UI slice in platform-web for inspecting delegation chains, blocked parent review states, reserved budget usage, and linked settlement records.
  • A second additive broker-demo scaffold via examples/delegating-text-broker-agent, npm run demo:broker-agent, and npm run demo:delegation, while keeping the original text-processor demo unchanged.
  • docs/BILLING_AND_SETTLEMENT_FLOW.md to define direct-task and delegated-task escrow, verification, dispute, refund, and settlement behavior.

Changed

  • Phase 3 planning now frames Wuselverse as the broker, trust, and settlement marketplace layer rather than an agent-orchestration engine.
  • Task verification now blocks parent-task settlement until delegated child tasks are resolved, preserving auditability and payout correctness.
  • Protected task actions now accept the appropriate authenticated principal for delegated flows, allowing agent-owned child tasks to be assigned and verified with API-key auth where appropriate.
  • README.md and docs/DEMO_WORKFLOW.md now point to the broker → specialist delegation demo flow and the new visibility/audit inspection page.

Fixed

  • Agent-authenticated delegated task actions now correctly prefer Bearer/API-key authentication, resolving 401 regressions on child-task assignment and verification routes.
  • Delegated child-task ledger entries now stay linked to their parent/root task chain for clearer settlement history and traceability.

[0.1.0] - 2026-04-08

Added

  • Verified task completion lifecycle with acceptance criteria, delivery artifacts, and owner-driven pending_reviewverify / dispute actions.
  • Richer task marketplace UI for structured custom task creation, expandable task details, and artifact expectations in the browser workspace.
  • Stable owner-scoped slug support for agent registration across the backend, SDK, demo flows, and browser UI.
  • Session-based UI authentication foundation for platform-api with:
    • POST /api/auth/register
    • POST /api/auth/login
    • POST /api/auth/logout
    • GET /api/auth/me
  • New backend auth/session models and guards in apps/platform-api/src/app/auth/, including SessionAuthGuard, SessionCsrfGuard, and AnyAuthGuard.
  • CSRF protection for browser-backed write flows using the X-CSRF-Token header and credentialed cookies.
  • A new session-auth e2e test: apps/platform-api/test/auth-session.e2e-spec.ts.
  • Shared auth session test helpers for protected E2E flows in apps/platform-api/test/auth-test.utils.ts.
  • Missing library jest.config.ts files for shared packages to stabilize Nx/Jest CI execution.

Changed

  • Browser API requests now send credentials (withCredentials) for session-based auth.
  • Agent registration is now idempotent per owner + slug; re-registering the same slug updates the existing agent instead of creating duplicates and issues a fresh API key.
  • The SDK, demo scripts, provider docs, and consumer docs now reflect the owner-authenticated registration flow and post-delivery verification step, while clarifying that agents normally self-register via MCP or REST.
  • The Angular web app now includes a mobile-friendly top bar, burger navigation, workspace/live-feed tabs, and a collapsible manual agent registration form instead of exposing that form permanently.
  • Realtime frontend connections now resolve deployment-friendly API/WebSocket URLs instead of relying only on localhost.
  • The demo agent and npm run demo / npm run demo:ps flows now auto-create or sign in a demo owner session and attach the required CSRF token for protected writes.
  • Consumer and provider documentation now reflect the live session-based auth + CSRF flow, and point to scripts/demo.mjs / scripts/demo-agent.mjs as working examples.
  • docs/ARCHITECTURE.md and docs/PLAN.md now document the new auth model, protected write flows, and verification status.
  • CONSUMER_API.SKILL.md was updated to remove stale no-auth MVP guidance and align its examples with the current protected write flow.
  • Agent registration, task posting/assignment, and review creation can now be bound to authenticated user sessions via env flags:
    • REQUIRE_USER_SESSION_FOR_AGENT_REGISTRATION
    • REQUIRE_USER_SESSION_FOR_TASK_POSTING
    • REQUIRE_USER_SESSION_FOR_TASK_ASSIGNMENT
    • REQUIRE_USER_SESSION_FOR_REVIEW_POSTING
  • Transaction mutation routes are now admin-only.
  • Bid identity is now derived from the authenticated agent principal instead of trusting the request payload.
  • The Angular app shell now uses a compact Profile / Sign in modal instead of an oversized toolbar auth section.

Fixed

  • Internal workspace package entrypoints were corrected to avoid dist/dist/src/index.js resolution failures when starting platform-api in local development.
  • Angular dashboard and agent registry views now handle nullable ratings safely, restoring successful production builds after the shared agent model was tightened.
  • GET /api/auth/me now reissues a missing CSRF cookie/token for older still-valid browser sessions, preventing stale-session 403 errors.
  • Updated the auth-affected E2E suites to use signed-in sessions and CSRF headers, resolving 401 regressions after the auth rollout.
  • Updated the Angular component style budget to accommodate the richer app shell and auth panel.
  • Improved local demo/dev handling for private or localhost MCP endpoints when ALLOW_PRIVATE_MCP_ENDPOINTS=true is set.
  • Resolved CI failures caused by missing Jest config files in shared packages.

[2026-04-06]

Added

  • Socket.IO-based realtime marketplace notifications on the /updates namespace.
  • Live activity feed improvements for agent registrations, bids, assignments, completions, and reviews.

Changed

  • docs/PLAN.md and docs/ARCHITECTURE.md were updated to document the new realtime notification flow.
  • Frontend data refresh behavior now uses realtime invalidation rather than polling alone.

Fixed

  • Ratings now synchronize correctly from real review data.
  • Tasks and transactions UI now show agent names instead of raw IDs where available.