Release 2.2.0#172
Merged
Merged
Conversation
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01SerGP6Am3xz2CKyPgbRc73
Contributor
|
Reviewed; no blockers found. |
Contributor
|
Reviewed; no blockers found. |
…arball Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01SerGP6Am3xz2CKyPgbRc73
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Version bump
2.1.2→2.2.0. Minor release — everything since v2.1.2 is additive; the one default-on surface (CIMD) is flagged below and has a disable knob.Also introduces
CHANGELOG.md(long overdue): Keep-a-Changelog format, backfilled from the GitHub release notes for every prior release (1.1.0 → 2.1.2), with the 2.2.0 entry matching the notes below. Added to the npmfilesallowlist so it ships in the tarball.Verified at the bump: lint clean, prettier clean, full suite 1039 tests / 1037 pass / 2 pre-existing skips.
Draft release notes (for the GitHub Release, which triggers the npm publish)
Minor release — headless-agent (machine-to-machine) MCP authentication: the #159 train, plus key rotation.
private_key_jwtverification — EdDSA/Ed25519 via built-innode:crypto(no new dependency),jtireplay store, ≤60sexpwindow.client_ids are resolved by fetching the client's metadata document through an SSRF-guarded, pinned-connection fetch, with a consent interstitial for interactive flows.mcp.enabled— URL client_ids are now accepted. Disable withmcp.clientIdMetadataDocuments.enabled: false, or restrict withmcp.clientIdMetadataDocuments.allowedHosts.__Host-consent cookie binds the interstitial).client_credentialsgrant (feat(mcp): client_credentials grant with CIMD-first private_key_jwt agents #170, closes client_credentials (2/4): CIMD-first client resolution for private_key_jwt agents (DCR back-compat optional) #161/client_credentials (3/4): token-endpoint grant — resource binding, per-grant TTL, discovery #162): headless agents authenticate as themselves withprivate_key_jwt— no browser, no human. CIMD-first client resolution; short-TTL audience-bound tokens; every issuance audit-logged.client_id(mcp.clientCredentials.rateLimit, default 30 req/min,false/0disables — debited post-authentication so unauthenticated requests can't drain a client's quota), and CIMD document fetches are limited at a fixed 10 attempts/min per URL. Over-limit responses are429slow_downwithRetry-After.@createdTimeinstead of a hand-rolledcreated_at(fix: use Harper @createdTime instead of hand-rolled created_at #169).After this merges
Tag + publish a GitHub Release
v2.2.0targeting the merge commit with the notes above —release.ymlthen lints/tests and npm-publishes@harperfast/oauth@2.2.0tolatestwith provenance.🤖 Generated with Claude Code
https://claude.ai/code/session_01SerGP6Am3xz2CKyPgbRc73