Releases: airlock-protocol/airlock

v1.0.0 — OAuth 2.1, Compliance Engine, Dual-Mode Auth

13 Apr 14:18

What's New

OAuth 2.1 Authorization Server

  • Full OAuth 2.1 authorization server in airlock/oauth/ (14 new files)
  • Client Credentials grant with private_key_jwt authentication — agents use their existing Ed25519 key as OAuth credential (no separate client_secret)
  • EdDSA-signed JWT access tokens with custom trust claims (airlock:trust_score, airlock:trust_tier)
  • RFC 8693 Token Exchange for delegation chains with scope narrowing and cascade revocation
  • Nested act claims for multi-hop delegation (Agent A → B → C), max depth configurable
  • RFC 7662 Token Introspection with live trust data lookup (not just cached token claims)
  • RFC 7591 Dynamic Client Registration for DID-based agents
  • OIDC Discovery (/.well-known/openid-configuration) and JWKS (/.well-known/jwks.json) endpoints
  • FastAPI dependency injection: require_oauth_agent(), require_scope()
  • Feature-flagged: AIRLOCK_OAUTH_ENABLED (default true)

Compliance Engine

  • New airlock/compliance/ module with agent inventory, risk classification, and incident tracking
  • Agent Inventory: thread-safe registry of all AI agents/models with compliance status tracking
  • Risk Classifier: categorizes agents by risk level (low/medium/high/critical) based on capabilities, trust score, and agent type
  • Incident Store: hash-chain integrity for tamper-evident incident records (same pattern as audit trail)
  • Compliance Report Generator: automated scoring with actionable recommendations
  • Regulatory Framework Mapper: maps Airlock features to 7 governance principles and 10 compliance recommendations
  • Bias Detector: statistical analysis of verification outcome disparity and trust score distribution
  • 8 new API endpoints under /compliance/ (inventory CRUD, reports, incidents, risk classification)
  • Feature-flagged: AIRLOCK_COMPLIANCE_ENABLED (default true)

Dual-Mode Identity Verification

  • Orchestrator's verify_signature node renamed to verify_identity
  • Accepts both Ed25519 signatures AND OAuth bearer tokens
  • OAuth validation uses conditional import — graceful fallback to Ed25519 when OAuth module absent
  • Bearer token extracted from Authorization header and threaded through event bus to orchestrator

Semantic Challenge Deprecation

  • challenge_fallback_mode default changed from "ambiguous" to "disabled"
  • When disabled, orchestrator routes directly to issue_verdict (no LLM call)
  • LiteLLM moved from required to optional dependency (pip install airlock-protocol[llm])
  • All import litellm calls guarded with try/except ImportError
  • App starts and runs without LiteLLM installed

Breaking Changes

  • challenge_fallback_mode default is now "disabled" — set AIRLOCK_CHALLENGE_FALLBACK_MODE=ambiguous to restore v0.4.0 behavior
  • litellm is no longer a required dependency — install with pip install airlock-protocol[llm] if needed
  • Orchestrator node verify_signature renamed to verify_identity — affects custom graph extensions

Stats

  • 853 tests passing (up from 760 in v0.4.0)
  • +4,187 lines across 43 files (30 new, 13 modified)
  • 93 new tests covering OAuth, compliance, dual-mode auth, and optional dependencies
  • 107 source files across the project

v0.4.0 — Persistent Audit, Multi-Replica Redis, VC Capabilities

05 Apr 16:55

What's New

Persistent Audit Trail

  • SQLite-backed append-only audit store with hash-chained entries
  • WAL journal mode for concurrent read/write, asyncio.to_thread() for async safety
  • Survives gateway restarts — chain state restored from highest sequence entry
  • Filtered queries by rotation_chain_id and actor_did via indexed columns
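
The hash-chained, restart-safe audit pattern listed above, as an added sketch that is not Airlock's own code. The table layout, function names and the all-zero genesis hash are assumptions made for illustration.

```python
import hashlib
import json
import sqlite3

GENESIS = "0" * 64  # assumed prev_hash for the first entry


def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("PRAGMA journal_mode=WAL")  # readers are not blocked by appends
    db.execute(
        "CREATE TABLE IF NOT EXISTS audit ("
        "seq INTEGER PRIMARY KEY, actor_did TEXT, event TEXT,"
        " prev_hash TEXT, entry_hash TEXT)"
    )
    db.execute("CREATE INDEX IF NOT EXISTS idx_actor ON audit(actor_did)")
    return db


def _digest(seq, actor_did, event, prev_hash):
    body = json.dumps([seq, actor_did, event, prev_hash], separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def append(db, actor_did, event):
    # Chain state comes from the highest-sequence row, so a restarted
    # process continues the existing chain instead of starting a new one.
    row = db.execute(
        "SELECT seq, entry_hash FROM audit ORDER BY seq DESC LIMIT 1"
    ).fetchone()
    seq, prev_hash = (row[0] + 1, row[1]) if row else (1, GENESIS)
    entry_hash = _digest(seq, actor_did, event, prev_hash)
    db.execute("INSERT INTO audit VALUES (?,?,?,?,?)",
               (seq, actor_did, event, prev_hash, entry_hash))
    db.commit()
    return entry_hash


def verify_chain(db):
    """Return the seq of the first broken entry, or None if the chain is intact."""
    prev = GENESIS
    rows = db.execute(
        "SELECT seq, actor_did, event, prev_hash, entry_hash FROM audit ORDER BY seq"
    )
    for seq, actor, event, prev_hash, entry_hash in rows:
        if prev_hash != prev or entry_hash != _digest(seq, actor, event, prev_hash):
            return seq
        prev = entry_hash
    return None
```

A chain like this detects edits and mid-chain deletions, but not removal of the newest entries; catching that requires the head hash to be recorded somewhere outside the database.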

Multi-Replica Redis Support

  • Single-key Lua scripts for atomic chain registration and rotation (Redis Cluster-safe)
  • Per-chain rotated_from field for defense-in-depth first-write-wins enforcement
  • Secondary DID-to-chain index with startup reconciliation
  • Redis-backed pre-commitment store for multi-replica KERI pre-rotation
  • TTL-based revocation grace periods via Redis SETEX (replaces local dict)

VC Capability Verification

  • Trust-weighted capability scoring: VC-attested (1.0), self-declared (0.5), absent (0.0)
  • Graduated enforcement modes: off, audit, warn, enforce
  • Behavioral consistency trap questions for undeclared domains
  • Three-tier failure handling: fail-closed on crypto, degrade on parsing, enforce on mismatch
  • New orchestrator node: cross_ref_capabilities between delegation and reputation checks

Chain Migration

  • rotation_chain_id threaded through sessions, audit entries, and A2A metadata
  • DID resolution through chain registry for reputation lookups
  • Audit entries filterable by chain ID via GET /audit/entries

LangChain Sync Support

  • _run_sync() wrapper for nested event loops (Jupyter, Streamlit)
  • GuardedTool._run() now works synchronously instead of raising NotImplementedError

MyPy Strict Enforcement

  • mypy --strict passing across all 77 source files with zero errors
  • Third-party stub overrides for pyarrow, lancedb, cachetools, pandas, langgraph, litellm

Stats

  • 760 tests passing (up from 685 in v0.3.0)
  • 3,834 lines added across 33 files
  • 77 source files fully strict-typed

v0.3.0 — Memory-Hard PoW, Key Rotation, Pre-Rotation Commitments

05 Apr 14:22

What's New

Memory-Hard Proof-of-Work (Argon2id)

  • Two-layer verification: SHA-256 pre-filter + Argon2id memory-hard PoW
  • Three presets: light (32MB/2 passes), standard (48MB/3), hardened (128MB/4)
  • Bounded verification worker pool with configurable concurrency
  • Feature flag: AIRLOCK_POW_ALGORITHM=argon2id

Key Rotation with Chain Continuity

  • Deterministic rotation_chain_id via SHA-256(first_public_key)
  • First-write-wins atomic rotation with configurable grace periods
  • Trust score transfer across rotations (with penalty)
  • Chain-aware DID rate limiting (follows agents across rotations)
  • Persistent RotationChainRegistry with atomic JSON writes

KERI-Inspired Pre-Rotation Commitments

  • SHA-256 commitment to next public key before rotation
  • 72-hour update lockout for commitment stability
  • Mandatory from configurable trust tier (default: Tier 1)
  • Chained N+2 commitments during rotation
  • Persistent PreCommitmentStore with atomic writes
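
How a pre-rotation commitment constrains key rotation, as an added sketch that is not Airlock's own code. The class and method names are hypothetical, the store is in-memory, and two behaviours are assumptions: the 72-hour lockout is modelled as blocking commitment updates after one is set, and a successful rotation is allowed to replace the commitment regardless of the lockout.

```python
import hashlib
import time

LOCKOUT_SECONDS = 72 * 3600  # 72-hour update lockout from the release notes


def chain_id(first_public_key: bytes) -> str:
    # Deterministic chain identifier: SHA-256 of the first public key,
    # so it stays the same across every later rotation.
    return hashlib.sha256(first_public_key).hexdigest()


def commit(next_public_key: bytes) -> str:
    return hashlib.sha256(next_public_key).hexdigest()


class PreCommitments:
    """In-memory stand-in for a persistent commitment store (hypothetical)."""

    def __init__(self):
        self._by_chain = {}  # chain_id -> (commitment, set_at)

    def set(self, cid, commitment, now=None):
        now = time.time() if now is None else now
        current = self._by_chain.get(cid)
        if current and now - current[1] < LOCKOUT_SECONDS:
            raise PermissionError("commitment is locked")
        self._by_chain[cid] = (commitment, now)

    def rotate(self, cid, revealed_key, next_commitment, now=None):
        now = time.time() if now is None else now
        # The new key is accepted only if it hashes to the stored commitment,
        # so holding the current key is not enough to choose its successor.
        current = self._by_chain.get(cid)
        if current is None or commit(revealed_key) != current[0]:
            raise ValueError("revealed key does not match commitment")
        # Chained commitment: rotating to key N+1 also pins key N+2.
        self._by_chain[cid] = (next_commitment, now)
        return revealed_key
```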

Hardening

  • CRL force-regeneration on key compromise
  • Startup guard: multi-replica + key rotation blocked until Redis support
  • Mid-session rotation handling via chain_id resolution
  • Auto-register rotation chains on /register and /handshake
  • 685 tests passing (74 new: 22 Argon2id, 22 key rotation, 14 pre-rotation, 10 chain migration, 6 persistence)

Breaking Changes

None. All features behind config flags (disabled by default).

Full Changelog: v0.2.1...v0.3.0

v0.2.1 — Security Hotfix Batch

05 Apr 11:10

Security Hotfix Release

Addresses 4 vulnerabilities discovered during internal security review.

Fixes

HF-1: PoW Challenge Replay Prevention (CRITICAL)

  • verify_pow() now validates challenges against a server-side store
  • Prevents unlimited replay of pre-computed PoW solutions
  • One-time use enforcement, expiry validation, structured error responses
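
The replay fix described in HF-1, as an added sketch that is not Airlock's verify_pow(). The class name, the challenge:nonce hashing format, the TTL and the error strings are assumptions; the point is that a solution counts only against a challenge the server issued, has not yet seen and has not expired.

```python
import hashlib
import secrets
import time


def _meets_target(challenge, nonce, bits):
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


class ChallengeStore:
    """Server-side record of issued challenges (hypothetical structure)."""

    def __init__(self, ttl=120, difficulty_bits=12):
        self.ttl, self.bits = ttl, difficulty_bits
        self._issued = {}  # challenge -> expiry timestamp

    def issue(self, now=None):
        now = time.time() if now is None else now
        challenge = secrets.token_hex(16)
        self._issued[challenge] = now + self.ttl
        return challenge

    def verify(self, challenge, nonce, now=None):
        now = time.time() if now is None else now
        # pop() consumes the challenge on first presentation, valid or not,
        # so a stored solution can never be submitted a second time.
        expiry = self._issued.pop(challenge, None)
        if expiry is None:
            return "unknown_or_used"
        if now > expiry:
            return "expired"
        if not _meets_target(challenge, nonce, self.bits):
            return "invalid_solution"
        return "ok"


def solve(challenge, bits):
    # Client side: brute-force a nonce whose hash has `bits` leading zero bits.
    nonce = 0
    while not _meets_target(challenge, nonce, bits):
        nonce += 1
    return nonce
```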

HF-2: RFC 8785 Canonical JSON Compliance (CRITICAL)

  • Removed Python-specific default=str serialization from canonicalize()
  • Cross-language signature verification now works correctly (Go, Rust, JS)
  • Explicit type conversion: datetime→ISO8601, enums→values, UUID→lowercase

HF-3: Irreversible Revocation + Suspension Model (HIGH)

  • revoke() is now permanent — compromised keys cannot be un-revoked
  • Added suspend()/reinstate() for reversible investigation holds
  • 7 revocation reason codes (KEY_COMPROMISE, SUPERSEDED, SYBIL_DETECTED, etc.)
  • New admin endpoints: POST /admin/suspend/{did}, POST /admin/reinstate/{did}

HF-4: Attestation Ed25519 Signatures (HIGH)

  • AirlockAttestation.airlock_signature is now populated with a real Ed25519 signature
  • Relying parties can cryptographically verify attestations using verify_attestation()
  • Attestations are signed before trust tokens are added

Stats

  • 542 tests, 0 failures
  • 22 files changed

Upgrade Notes

  • unrevoke() method removed — use suspend()/reinstate() instead
  • DELETE /admin/revoke/{did} removed — use POST /admin/reinstate/{did} for suspended agents
  • All other APIs are backward compatible

Security audit details: docs/security/

v0.2.0 — Enterprise-Grade Trust Verification

05 Apr 08:58

Airlock Protocol v0.2.0

7 architecture upgrades transforming the protocol from experimental to enterprise-grade.

Trust & Security

  • Trust Tiers — 4-level progressive trust (Unknown → Challenge-Verified → Domain-Verified → VC-Verified) with per-tier score ceilings
  • Tiered Decay — Per-tier half-lives (30/90/180/365 days) with floor protection for established agents
  • Proof-of-Work — SHA-256 Hashcash anti-Sybil on handshake (adaptive difficulty for new DIDs)
  • Answer Fingerprinting — SimHash + SHA-256 bot farm detection with sliding window

Privacy & Compliance

  • Privacy Mode: any / local_only / no_challenge for GDPR/DPDP/RBI compliance
  • Agents requesting no_challenge receive DEFERRED verdict with zero trust erosion
  • local_only agents skip all reputation writes

LLM Evaluation

  • Structured Output — Pydantic-validated JSON results (verdict/confidence/evidence/red_flags)
  • Dual-LLM — Optional cross-validation with conservative agreement (FAIL wins, PASS requires unanimity)

Stats

  • 469 tests (131 new) — unit, property-based (Hypothesis), security, integration
  • 13/13 CI checks green (CodeQL, Trivy, DCO, lint, tests on Python 3.11 + 3.12)
  • All features behind config.py feature flags for backward compatibility

New Endpoints

  • GET /pow-challenge — Issue PoW challenge for anti-Sybil

Breaking Changes

None. All v0.1 APIs work unchanged. New fields in AirlockAttestation and HandshakeRequest have defaults.

Full changelog: https://github.com/airlock-protocol/airlock/blob/main/CHANGELOG.md

v0.1.0 — The Trust Layer for Agentic AI

03 Apr 14:45

Airlock Protocol v0.1.0

The first public release of the Airlock Protocol — DMARC for AI Agents.

What's included

  • 5-phase trust verification: Resolve → Handshake → Challenge → Verdict → Seal
  • Central registry: api.airlock.ing — every verification routes through the trust registry by default
  • CLI: airlock verify, airlock serve, airlock init
  • Python SDK: 7-line agent verification via AirlockClient()
  • TypeScript SDK: npm package airlock-client
  • MCP server: Model Context Protocol integration
  • Google A2A: Native agent-to-agent protocol support
  • 313 tests passing, zero mypy errors, bandit-clean

Cryptography

  • Ed25519 signing at every hop
  • W3C DIDs (did:key) for agent identity
  • W3C Verifiable Credentials for authorization
  • Trust scoring with 30-day half-life decay

Quick start

pip install airlock-protocol
airlock verify did:key:z6Mk...

Apache 2.0 Licensed.