v0.5.0 -- references[] ratification

Diff: v0.4.0...v0.5.0

v0.5.0 -- references[] ratification

Spec ratification of the references[] shape shipped generalized in v0.4.0.
Closes Foxbook ADR 0009 (#73) ratification commitment and v0.4.0 follow-up (c)
layering reconciliation.

Spec changes (Beta-1, PR #6)

• S11.5 Reference linkages: normative spec text for the two-layer references[]
  shape. Layering boundary documented: envelope-level cryptographic;
  attestation-level semantic.
• Relationship vocabulary normative: supersedes (MUST), extends (SHOULD),
  fulfills (SHOULD), references (MAY).
• Schema URN bumped to urn:concordia:schema:*:v0.5.

Python SDK changes (Beta-2)

• pyproject.toml bumped from 0.4.0 to 0.5.0.
• Validator error text aligned with SPEC S11.5 section references.
• Schema URN bumped on emit side; read side accepts both v0.4 and v0.5.
• No breaking API changes; existing v0.4 callers continue working.

Install

pip install concordia-protocol==0.5.0

v0.4.0 — CMPC-ready receipt primitives + Verascore auto-hook

CMPC-ready receipt primitives + Verascore auto-hook

Ships the foundation layer for CMPC (v0.5). Five work packages plus CVE lock-file hygiene. WP4 (mandate_verification) deferred to v0.4.1 pending A2CN mandate-shape coordination.

Added

• WP1 — resolve_algorithm() env-var precedence helper. Single helper in concordia.signing that resolves the JWS algorithm by precedence: explicit arg > CONCORDIA_JWS_ALG env var > EdDSA default. ES256 signing/verification itself (ES256KeyPair, sign_message(alg="ES256"), verify_signature(alg="ES256"), cross-algorithm rejection) was already shipped in pre-v0.4.0 trust-evidence-format envelope and mandate primitive work; this WP adds only the missing env-var layer.
• WP2 — generalized references[] on attestations. Top-level references array on generate_attestation() output with shape {type, id, relationship}. type ∈ {receipt, chain_session, predicate, mandate}. relationship ∈ {supersedes, extends, fulfills, references}. chain_session, predicate, and mandate are reserved for CMPC primitives in v0.5 and accepted today as opaque refs so v0.5 is a pure add rather than a breaking schema change. Distinct from the envelope-level {kind, urn, verified_at, verifier_did, hash} #1734 shape — both coexist at different layers.
• WP3 — three-mode validity_temporal on attestations. Optional tagged union with modes absolute/relative/window: {mode: "absolute", from, until}, {mode: "relative", from, duration_seconds}, or {mode: "window", start, end, duration_seconds}. Adds concordia.is_valid_now(attestation) helper. Attestations without the field return True (no temporal constraint). Distinct from models/mandate.py::ValidityWindow (sequence/windowed/state_bound, #1734 envelope shape); unification is v0.5+.
• WP5 — Verascore post-transition auto-hook. Session.on_terminal is a publicly assignable Callable[[Session], None] that fires exactly once when a session reaches AGREED / REJECTED / EXPIRED. Exceptions inside the callback are swallowed — reputation reporting never blocks a transition. concordia.make_verascore_auto_hook(key_pair, agent_did, ...) produces a callback gated by VERASCORE_ENABLED=true. Endpoint precedence: explicit arg > VERASCORE_ENDPOINT env > default https://verascore.ai. Default report_on=("agreed",); widen to ("agreed", "rejected", "expired") as desired. Payload carries session_id as the Verascore-side idempotency key (prisma.concordiaReceipt.upsert({where: {sessionId}})).
• WP6 — docs/A2A_COMPOSITION.md alignment. Rewrote the "Verascore as the reputation layer" paragraph to describe the v0.4.0 auto-hook surface accurately — reporting is opt-in via VERASCORE_ENABLED, idempotency is keyed on session_id, receipts are the substrate.

Deferred

• WP4 — mandate_verification — deferred to v0.4.1 pending A2CN mandate-shape coordination with cmagorr1. A standalone mandate primitive already ships (concordia.mandate) and is orthogonal to WP4's attestation-side verification path.

Security

• Bumped requirements.lock to clear three pre-existing CVEs (not introduced by this release): cryptography 46.0.6 → 46.0.7 (CVE-2026-39892), pytest 9.0.2 → 9.0.3 (CVE-2025-71176), python-multipart 0.0.22 → 0.0.26 (CVE-2026-40347).

Test baseline

• Pre-v0.4.0 baseline: 832 tests.
• v0.4.0 shipped: 885 tests (+53 across WP1/WP2/WP3/WP5).
• Zero regressions in pre-v0.4.0 tests.
• pip-audit: no known vulnerabilities (1 ignored, pre-existing pygments advisory documented in KNOWN_ISSUES.md).

Install

pip install concordia-protocol==0.4.0

Full changelog

See CHANGELOG.md.

v0.1.0 — Concordia Protocol

Initial release of the Concordia Protocol — structured negotiation between autonomous agents.

Highlights

• 48 MCP tools for multi-attribute negotiation, session management, reputation, and discovery
• Ed25519 signed messages with hash-chain transcript integrity
• Six-state session lifecycle: PROPOSED → ACTIVE → AGREED / REJECTED / EXPIRED → DORMANT
• Four offer types: Basic, Partial, Conditional, Bundle
• Reputation system with Sybil detection and behavioral attestations (no raw deal terms exposed)
• Want Registry and Agent Registry for demand-side and capability discovery
• Negotiation Relay for multi-party coordination
• Optional Sanctuary Bridge for cryptographic commitment and verifiable reputation via Sanctuary Framework
• Graceful degradation for non-Concordia peers
• 587 passing tests across unit, integration, and security suites

Install

pip install concordia-protocol

Run as MCP server

concordia-mcp-server --transport stdio

Links

• Protocol Specification (SPEC.md)
• Sanctuary Framework — optional sovereignty layer