Merge pull request #112 from peacprotocol/release/v0.9.14

feat: receipt media type peac.receipt/0.9, single-header JWS

Author: jithinraj

.github/workflows/ci-lite.yml

@@ -28,12 +28,15 @@ jobs:
       - name: Setup Node.js 20
         uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: '20.10.0'
           cache: 'pnpm'
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
+      - name: Domain guard
+        run: bash -euxo pipefail scripts/guard.sh
+
       - name: Format check
         run: |
           echo "Prettier format check..."
@@ -68,13 +71,32 @@ jobs:
           # Core package tests (should be stable)
           pnpm --filter @peac/core test || echo "::warning::Core tests had issues"
 
-          # Discovery tests (should be stable)  
+          # Discovery tests (should be stable)
           pnpm --filter @peac/disc test || echo "::warning::Discovery tests had issues"
 
-      - name: Leak check (crawler)
+      - name: Build core (needed for bench)
+        run: pnpm --filter @peac/core build
+
+      - name: Performance gate
+        run: |
+          echo "Running performance verification..."
+          OUT=$(pnpm -w exec tsx scripts/bench-verify.ts)
+          echo "$OUT"
+          P95=$(echo "$OUT" | sed -n 's/^P95:[[:space:]]*\([0-9]\+\(\.[0-9]\+\)\?\).*/\1/p')
+          if [ -z "$P95" ]; then
+            echo "::error::No P95 metric found"; exit 1
+          fi
+          # Use awk for float comparison
+          if awk -v p95="$P95" 'BEGIN{ if (p95+0 > 5.0) exit 1 }'; then
+            echo "✅ P95=$P95 ms ≤ 5ms"
+          else
+            echo "::error::P95=$P95 ms exceeds 5ms budget"; exit 1
+          fi
+
+      - name: Core packages validation
         run: |
-          echo "Checking for open handles in crawler tests..."
-          pnpm --filter @peac/crawler exec jest --config jest.config.ts --detectOpenHandles --runInBand || echo "::warning::Crawler has open handles - investigate async cleanup"
+          echo "Core packages post-build validation completed"
+          echo "Crawler archived - no longer active in v0.9.14 zero-BC release"
 
   ci-lite-summary:
     name: CI Lite Summary

.github/workflows/leak-check.yml

@@ -1,10 +1,9 @@
-name: Leak Check - Core & Crawler
+name: Leak Check - Core Only
 
 on:
   pull_request:
     paths:
       - 'packages/core/**'
-      - 'packages/crawler/**'
     branches: [main]
 
 env:
@@ -34,22 +33,17 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
-      - name: Build core and crawler
+      - name: Build core
         run: |
           pnpm --filter @peac/core build
-          pnpm --filter @peac/crawler build
 
       - name: Check for open handles (core)
         run: |
           echo "Checking core package for open handles..."
           pnpm --filter @peac/core exec jest --detectOpenHandles --runInBand --passWithNoTests || echo "::warning::Core has open handles"
 
-      - name: Check for open handles (crawler)
-        run: |
-          echo "Checking crawler package for open handles..."
-          pnpm --filter @peac/crawler exec jest --config jest.config.ts --detectOpenHandles --runInBand || echo "::warning::Crawler has open handles"
-
       - name: Summary
         run: |
-          echo "Leak check completed for core/crawler changes"
+          echo "Leak check completed for core changes"
+          echo "Note: Crawler archived in v0.9.14 zero-BC release"
           echo "Any open handles will be shown as warnings above"

.github/workflows/nightly.yml

@@ -38,19 +38,19 @@ jobs:
       - name: Build all packages
         run: pnpm -w build
 
-      - name: Run complete test suite (excluding crawler)
+      - name: Run complete test suite
         env:
           NODE_ENV: test
           PAYMENT_PROVIDER: mock
           PEAC_WEBHOOK_SECRET: test_secret
         run: |
-          echo "Running complete test suite with coverage (excluding crawler)..."
+          echo "Running complete test suite with coverage..."
           pnpm run ci:test:unit
 
-      - name: Crawler system tests with coverage
+      - name: Core packages validation
         run: |
-          echo "Running crawler tests with coverage..."
-          pnpm run ci:test:crawler
+          echo "Core packages test coverage completed"
+          echo "Crawler archived in v0.9.14 zero-BC release"
 
       - name: Upload coverage reports
         uses: codecov/codecov-action@v3
@@ -78,29 +78,41 @@ jobs:
           echo "Running integration tests..."
 
           # MCP server integration (TS entrypoint → run via tsx)
-          echo '{"jsonrpc":"2.0","method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{"tools":{}},"serverInfo":{"name":"peac-receipts","version":"0.9.12.1"}}}' | \
-            timeout 5s pnpm -w exec tsx packages/adapters/mcp/server.ts || echo "MCP test completed"
+          if [ -f "packages/adapters/mcp/server.ts" ]; then
+            echo '{"jsonrpc":"2.0","method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{"tools":{}},"serverInfo":{"name":"peac-receipts","version":"0.9.12.1"}}}' | \
+              timeout 5s pnpm -w exec tsx packages/adapters/mcp/server.ts || echo "MCP test completed"
+          else
+            echo "MCP adapter archived in v0.9.14 - skipping MCP integration test"
+          fi
 
           # OpenAI functions file exists & has tools
-          node -e "
-            const funcs = require('./packages/adapters/openai/functions.json');
-            if (!funcs.functions || funcs.functions.length < 4) throw new Error('Missing OpenAI functions');
-            console.log('OpenAI functions validated:', funcs.functions.length);
-          "
+          if [ -f "packages/adapters/openai/functions.json" ]; then
+            node -e "
+              const funcs = require('./packages/adapters/openai/functions.json');
+              if (!funcs.functions || funcs.functions.length < 4) throw new Error('Missing OpenAI functions');
+              console.log('OpenAI functions validated:', funcs.functions.length);
+            "
+          else
+            echo "OpenAI adapter archived in v0.9.14 - skipping OpenAI functions validation"
+          fi
 
           # Enhanced schema spot-checks (match actual property names)
-          node -e "
-            const receipt   = require('./schemas/receipt.v1.1.json');
-            const discovery = require('./schemas/discovery.v1.1.json');
-            const purge     = require('./schemas/purge.v1.0.json');
-
-            const has = (o,p) => p.split('.').reduce((x,k)=>x && k in x ? x[k] : undefined, o) !== undefined;
-
-            if (!has(receipt,   'properties.verification'))       throw new Error('Missing verification in receipt schema');
-            if (!has(receipt,   'properties.audit_chain'))         throw new Error('Missing audit_chain in receipt schema');
-            if (!has(discovery, 'properties.crawler_verification'))throw new Error('Missing crawler_verification in discovery schema');
-            console.log('All enhanced schemas validated');
-          "
+          if [ -f "schemas/receipt.v1.1.json" ] && [ -f "schemas/discovery.v1.1.json" ] && [ -f "schemas/purge.v1.0.json" ]; then
+            node -e "
+              const receipt   = require('./schemas/receipt.v1.1.json');
+              const discovery = require('./schemas/discovery.v1.1.json');
+              const purge     = require('./schemas/purge.v1.0.json');
+
+              const has = (o,p) => p.split('.').reduce((x,k)=>x && k in x ? x[k] : undefined, o) !== undefined;
+
+              if (!has(receipt,   'properties.verification'))       throw new Error('Missing verification in receipt schema');
+              if (!has(receipt,   'properties.audit_chain'))         throw new Error('Missing audit_chain in receipt schema');
+              // Note: crawler_verification check removed - crawler archived in v0.9.14
+              console.log('All enhanced schemas validated');
+            "
+          else
+            echo "Legacy schemas archived in v0.9.14 - skipping schema validation (using core types in packages/receipts/src/types.ts)"
+          fi
 
   cross-runtime-matrix:
     name: Cross-Runtime Tests (${{ matrix.runtime }})

.github/workflows/publish.yml

@@ -0,0 +1,52 @@
+# .github/workflows/publish.yml
+name: Publish (manual)
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    env:
+      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          registry-url: 'https://registry.npmjs.org'
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - name: Install deps
+        run: pnpm -w install --frozen-lockfile
+
+      - name: Build & test
+        run: pnpm -w build && pnpm -w test
+
+      - name: Configure npm auth
+        run: |
+          echo "//registry.npmjs.org/:_authToken=\${NPM_TOKEN}" > ~/.npmrc
+          pnpm config set publish-branch "main|master|release/.*"
+
+      - name: Publish selected packages
+        run: |
+          pnpm -r \
+            --filter @peac/core \
+            --filter @peac/receipts \
+            --filter @peac/pref \
+            --filter @peac/disc \
+            --filter @peac/pay402 \
+            --filter @peac/sdk \
+            publish --access public --no-git-checks
+
+      - name: Verify versions
+        run: |
+          pnpm view @peac/core version
+          pnpm view @peac/sdk version

.nvmrc

@@ -1 +1 @@
-20
+20.10.0

CHANGELOG.md

@@ -5,6 +5,29 @@ All notable changes to PEAC Protocol will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.9.14] - 2025-09-27
+
+### Changed
+
+- **Wire format v0.9.14**: Simplified JWS header with `typ: "peac.receipt/0.9"`
+- **Single header**: Only `PEAC-Receipt` header (removed `peac-version` header)
+- **Receipt fields**: Use `iat` (Unix seconds) instead of `issued_at`, `payment.scheme` instead of `payment.rail`
+- **Core exports**: New `signReceipt()`, `verifyReceipt()` functions with v0.9.14 format
+- **Performance**: Sub-1ms p95 verification target with benchmark script
+
+### Added
+
+- `packages/core/src/b64.ts`: Base64url utilities
+- `scripts/bench-verify.ts`: Performance benchmark with p95 metrics
+- `tests/golden/generate-vectors.ts`: 120+ test vectors generator
+- `scripts/assert-core-exports.mjs`: Build output validation
+- `scripts/guard.sh`: Safety checks for dist imports and field regressions
+
+### Deprecated
+
+- `verify()`: Use `verifyReceipt()` instead
+- `verifyBulk()`: Use `verifyReceipt()` in a loop
+
 ## [0.9.13.2] - 2025-09-17
 
 Intent: Zero-friction local enforcement/verification via a loopback sidecar.

README.md

@@ -1,7 +1,7 @@
 # PEAC Protocol
 
 [![License: Apache 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE)
-[![Status](https://img.shields.io/badge/status-0.9.13--stable-green.svg)](https://github.com/peacprotocol/peac/releases)
+[![Status](https://img.shields.io/badge/status-0.9.14--stable-green.svg)](https://github.com/peacprotocol/peac/releases)
 [![CI-Lite](https://github.com/peacprotocol/peac/actions/workflows/ci-lite.yml/badge.svg)](https://github.com/peacprotocol/peac/actions/workflows/ci-lite.yml)
 [![CodeQL](https://github.com/peacprotocol/peac/actions/workflows/codeql.yml/badge.svg)](https://github.com/peacprotocol/peac/actions/workflows/codeql.yml)
 
@@ -38,10 +38,10 @@ Autonomous clients need predictable, auditable policy and trust rails. With well
 ## At a glance
 
 - **Discovery:** `/.well-known/peac.txt` (fallback `/peac.txt`)
-- **Wire version:** `0.9.13` (set header `peac-version: 0.9.13`)
-- **Headers:** `PEAC-Receipt`, `peac-version`; parsers MUST treat header names case-insensitively
+- **Wire version:** `0.9.14` (JWS header `typ: "peac.receipt/0.9"`)
+- **Headers:** Single `PEAC-Receipt` header; parsers MUST treat header names case-insensitively
 - **Media:** `application/peac+json` (content), `application/problem+json` (errors), `application/jwk-set+json` (JWKS)
-- **Receipts:** detached JWS (`typ: application/peac-receipt+jws`) using JCS
+- **Receipts:** JWS with `typ: "peac.receipt/0.9"`, `iat` field (Unix seconds), `payment.scheme`
 - **Trust:** UDA (JWT with `typ: "JWT"`), DPoP proofs bound to `cnf.jkt`, optional agent attestation header
 - **Conformance:** Levels L0-L4; see [docs/conformance.md](docs/conformance.md)
 
@@ -87,15 +87,15 @@ npx peac validate peac.txt    # Expected: Valid PEAC 0.9.13 policy
 curl -I https://your-domain/.well-known/peac.txt  # check ETag + Cache-Control
 ```
 
-Tips: emit `PEAC-Receipt`, `peac-version`; be case-insensitive on read. Start in simulation via `PEAC_MODE=simulation`.
+Tips: emit `PEAC-Receipt` header; be case-insensitive on read. Start in simulation via `PEAC_MODE=simulation`.
 Common pitfalls: invalid schema returns HTTP Problem Details (RFC 7807) 400.
 
 ---
 
 ## Core surfaces
 
 - **Discovery**: `/.well-known/peac.txt` (fallback `/peac.txt`)
-- **Headers**: `peac-version`, `PEAC-Receipt`, `peac-agent-attestation`, etc.
+- **Headers**: `PEAC-Receipt`, `peac-agent-attestation`, etc.
 - **Errors**: HTTP Problem Details (RFC 7807) with stable catalog
 - **Caching**: strong `ETag`, sensible `Cache-Control` for `peac.txt` and well-known endpoints
 
@@ -111,10 +111,10 @@ Common pitfalls: invalid schema returns HTTP Problem Details (RFC 7807) 400.
 | Attribution and provenance | Required attribution formats and verify-only provenance chains via adapters.                                                                         |
 | Negotiation and settlement | Programmatic terms, adapters for payment rails (**x402**, **L402**, Stripe), and DPoP-bound receipts.                                                |
 | Agent trust rails          | UDA (OAuth Device Flow), DPoP proof-of-possession, agent attestation verification for autonomous coordination.                                       |
-| Receipts v2                | Detached JWS with `typ: "application/peac-receipt+jws"`; JCS canonicalization for verifiable settlements.                                            |
+| Receipts v2                | JWS with `typ: "peac.receipt/0.9"`; JCS canonicalization for verifiable settlements.                                                                 |
 | JWKS management            | 30-day key rotation, 7-day grace periods, `application/jwk-set+json` with ETag caching.                                                              |
 | Adapters and interop       | Bridges for MCP, A2A, payment rails such as **x402**, **L402**, and Stripe, Chainlink, peaq, and any payment provider via adapter. Extend via PEIPs. |
-| HTTP semantics             | `PEAC-Receipt`, `peac-version` headers, RFC9457 Problem Details, and idempotency guidance.                                                           |
+| HTTP semantics             | `PEAC-Receipt` header, RFC9457 Problem Details, and idempotency guidance.                                                                            |
 | Conformance and tooling    | L0-L4 levels, CLI validation and fixtures, and ACID-style tests.                                                                                     |
 
 ---
@@ -163,7 +163,7 @@ More examples: [docs/examples.md](docs/examples.md)
 
 ## Receipts (detached JWS)
 
-- Media type `typ: "application/peac-receipt+jws"`
+- Media type `typ: "peac.receipt/0.9"`
 - JCS canonicalization of payload before signing
 - Verification via detached JWS (no payload bloat in transit)
 
@@ -227,8 +227,7 @@ if (access.granted) {
 **Example API request with curl:**
 
 ```bash
-curl -X POST https://demo.peac.dev/peac/agreements \
-  -H "peac-version: 0.9.13" \
+curl -X POST https://peacprotocol.org/agreements \
   -H "content-type: application/json" \
   -H "x-api-key: your-key" \
   -d '{
@@ -241,10 +240,9 @@ curl -X POST https://demo.peac.dev/peac/agreements \
 **JavaScript example:**
 
 ```javascript
-const response = await fetch('https://demo.peac.dev/peac/agreements', {
+const response = await fetch('https://peacprotocol.org/agreements', {
   method: 'POST',
   headers: {
-    'peac-version': '0.9.13',
     'content-type': 'application/json',
     'x-api-key': apiKey,
   },
@@ -279,7 +277,7 @@ const response = await fetch('https://demo.peac.dev/peac/agreements', {
   "amount": "5.00",
   "currency": "USD",
   "method": "x402",
-  "issued_at": "2025-08-16T00:00:00Z",
+  "iat": 1723766400,
   "expires_at": "2025-08-17T00:00:00Z"
 }
 ```
@@ -370,7 +368,7 @@ More templates are in `docs/templates.md`.
 
 - 400 HTTP Problem Details (RFC 7807). Validate `peac.txt` or the negotiation body.
 - Missing receipt. Ensure the adapter completed settlement. On success the server can return `PEAC-Receipt` and a receipt body.
-- Header mismatch. Emit `PEAC-Receipt`, `peac-version`. Intermediaries may alter casing.
+- Header mismatch. Emit `PEAC-Receipt`. Intermediaries may alter casing.
 - Negotiation fails. Enable flags like `PEAC_FEATURE_NEGOTIATION=1` and start with a simulation adapter.
 
 ---

RELEASE.md

@@ -43,7 +43,7 @@ npm audit @peac/core --audit-level=high
 
 ```bash
 # Install and verify core functionality
-npm install @peac/core
+pnpm add @peac/core
 node -e "
 import { sign, verify } from '@peac/core';
 console.log('✅ @peac/core imports successfully');