Changelog
Release notes for @agenttrust-sdk/trustgate and @agenttrust-sdk/mcp — auto-generated from each package's CHANGELOG.md.
The published packages keep their own CHANGELOG.md (Keep-a-Changelog format) under trustgate/sdk/ and mcp/. This page is built from those files at lint time so the docs never drift.
Phase reports (Phase F → Phase Q) live separately under docs/proofs/; the Live evidence page indexes them.
Auto-generated from upstream package CHANGELOG.md files at build time. If you spot drift, the mcp/ and trustgate/sdk/ sources are authoritative.
@agenttrust-sdk/trustgate
Source of truth: trustgate/sdk/CHANGELOG.md.
[Unreleased]
[0.4.1] — 2026-05-12
Tag: sdk-v0.4.1 · Pairs with mcp@0.4.4. Closes the trailing
chain-level holes surfaced while wiring up init_policy's self-heal
cascade.
Fixed
- register_agent_via_cpi instruction builder now appends the agent_registry_8004 program to remainingAccounts. The trustgate Rust handler calls invoke_signed into that program; the Solana runtime needs its AccountInfo in the tx account list to resolve the CPI. Without it, the same Unknown program 8oo4J9tBB… log fires that later surfaced separately for emit_feedback (closed in mcp@0.4.5).
- register_agent_via_cpi's on-chain handler now uses init_if_needed for the TrustGateAuthority PDA so the self-heal cascade is idempotent even when the facilitator already has an authority. The prior shape relied on the caller to skip init_authority when the authority existed; the new shape collapses both branches into a single instruction.
[0.4.0] — 2026-05-11
Tag: sdk-v0.4.0 · The single-bootstrap headline. New trustgate
instruction register_agent_via_cpi orchestrates Quantu onboarding in
one program-signed CPI; the SDK ships the matching builder, PDA
derivers, and tests so any client can compose the bootstrap path.
Added
- buildRegisterAgentViaCpiIx(opts) instruction builder targeting the new on-chain trustgate::register_agent_via_cpi handler. Threads the Quantu accounts through remainingAccounts per the documented order and PDA-signs the inner agent_registry::register_with_options and atom_engine::initialize_stats CPIs.
- deriveQuantuRegisterAccounts(opts) helper exposing the full (agent_account, atom_stats, atom_config, registry_authority) quadruple required by the inner CPIs. Single source of truth for any caller that needs to materialise the same account set off-band.
- Public constants for the MPL Core base collection on devnet and the trustgate root + registry config PDAs (BASE_COLLECTION_DEVNET, deriveRootConfigPda, deriveRegistryConfigPda, MPL_CORE_PROGRAM_ID).
Changed
- The composeAtomicSettleTx path is unchanged; only new builders are added. Existing 0.2.x / 0.3.x consumers see no breaking changes.
[0.3.2] — 2026-05-13
Tag: sdk-v0.3.2 · Pipeline-only release pairing the mcp 0.3.5
polish wave.
Added
- prepublishOnly guard: a small Node script scripts/check-no-workspace-spec.cjs hard-fails any publish that would ship a workspace: specifier. The sdk has no workspace deps today but the guard is in place against future additions. Same shape as the matching guard in @agenttrust-sdk/mcp.
No runtime changes.
[0.3.1] — 2026-05-12
Tag: sdk-v0.3.1 · Developer-experience polish wave covering the
SDK-side audit P1 findings plus a new public facilitator factory.
Added
- makePayShFacilitator(args) and makeDefaultRegistry(RegistryCtor, args) in a new @agenttrust-sdk/trustgate/facilitator-factory subpath export. Bundles the validateOnChainTx + emitFeedbackCpi + priorEmissionLookup + signDecision wiring documented in trustgate/server/src/production.ts into a single deps-builder. The PaySh class and FacilitatorRegistry themselves stay in the private @agenttrust/trustgate-server reference impl — consumers pass new PaySh(deps) and the FacilitatorRegistry constructor into the SDK factories. Non-breaking; previous manual wiring still works.
- ReplayCacheLike shape exported alongside the factory. Production consumers wire a persistent (Redis-backed or similar) implementation; the in-memory default from the private server package is documented as NOT production-safe (replay window re-opens on restart).
- Nine new subpath exports in package.json so the imports the README advertises actually resolve: ./atomicity, ./chain, ./emit-feedback, ./onchain-validator, ./quantu, ./spl, ./types, ./validation-registry, ./x402.
- MAINNET_PROGRAM_IDS: ProgramIds | undefined placeholder export with JSDoc explaining that AgentTrust programs aren't deployed to mainnet yet and mainnet callers must pass explicit pubkeys.
- SignerLike = Keypair | { publicKey: PublicKey }. Accepted by gatePayment and mountTrustGate.facilitatorKeypair so read-only and simulation flows no longer need to construct a Keypair just to expose a pubkey.
Changed
- loadValidationRegistry no longer silently defaults to the devnet program ID on non-devnet RPCs. The function inspects provider.connection.rpcEndpoint and applies the devnet default only when the URL contains devnet, 127.0.0.1, or localhost. Other endpoints throw with explicit remediation pointing at DEFAULT_DEVNET_PROGRAM_IDS.validationRegistry.
- IDL-missing throws from loadPolicyVault, loadTrustGate, and loadValidationRegistry point at anchor idl init <programId> plus the explicit idl argument override.
- parseGateDecision takes an optional simLogs second arg and includes a ~400-char summary of the upstream Solana logs in the thrown error when the returnData buffer is empty. simulateGatePayment threads sim.value.logs through both the empty-returnData and parse-failure paths.
- emit-feedback writes a one-time stderr warn when valueDecimals is omitted. Preserves the USDC default for compat while making the magnitude trap visible to non-USDC integrators.
Removed
- client.dispute (the throw-only "not implemented in v0.1" stub). The on-chain dispute_payment instruction exists; a typed composer is deferred to a separate PR. README points future callers at loadTrustGate(...).methods.disputePayment(...).
- makeSettleRoute and makeDisputeRoute from express.ts (the 501 stubs). mountTrustGate now mounts only /verify and /receipt. The canonical home of /settle and /dispute HTTP routes is trustgate-server::mountFacilitatorRoutes; for TypeScript callers, client.settle is the typed composer.
Net effect of the removals: any consumer who imported these stub exports was already getting throw-on-call or 501-on-call. Removing them is a fix to the surface, not a behavioural break to anyone who was getting real work done.
[0.2.0] — 2026-05-07
Tag: sdk-v0.2.0 · Commit: 00ca222
Changed (breaking)
- ProgramIds.trustgate renamed to ProgramIds.trustGate (camelCase, matches policyVault). Same value (the deployed-devnet trustgate program ID) — only the field name changed. One-line consumer migration: .trustgate → .trustGate.
Added
- ProgramIds.validationRegistry — populated by default with the deployed-devnet validation-registry program ID Cx4RFa6ysw3qXYhugPkF8pFSWBkmKq59h2dWgF2tKhtv. Previously consumers had to import VALIDATION_REGISTRY_DEVNET_ID separately; that import still works but DEFAULT_DEVNET_PROGRAM_IDS.validationRegistry is the preferred entry point.
[0.1.1] — 2026-05-04
Tag: sdk-v0.1.1 · Commit: 64fe14d
Changed
- Metadata refresh after the org rebrand to agenttrust-labs. homepage, repository, and bugs URLs now point at the new repo. No code changes.
[0.1.0] — 2026-05-02
Tag: sdk-v0.1.0 · Commit: 29f9961
Added
- Initial publish of the TrustGate SDK as a drop-in middleware for x402 facilitators on Solana.
- Express middleware: mountTrustGate(app, …) adds POST /verify, POST /settle, POST /dispute, GET /receipt/:hash.
- Client helpers: gatePayment, settle, dispute.
- Atomic-tx invariant: AtomicityEnforced literal-true marker + assertAtomicityEnforced runtime guard + composeAtomicSettleTx that bundles gate_payment_strict + SPL transferChecked + emit_feedback into one Solana transaction.
- ValidationRegistry surface: register_namespace / register_attestor / request_validation / respond_to_validation / revoke_validation instruction builders + PDA derivers + read fetchers.
- PolicyVault surface: simulateGatePayment, parseGateDecision, all PDA derivers (derivePolicyPda, deriveVelocityPda, deriveKillSwitchPda, deriveFeedbackLogPda, deriveTrustGateAuthorityPda).
- Quantu helpers: deriveAgentAccountPda, deriveAtomStatsPda, deriveQuantuFeedbackAccounts, DEFAULT_DEVNET_QUANTU_IDS, MAINNET_QUANTU_IDS.
- Production factories: makeValidateOnChainTx, makeEmitFeedbackCpi, makePriorEmissionLookup.
@agenttrust-sdk/mcp
Source of truth: mcp/CHANGELOG.md.
[Unreleased]
Planned
- agenttrust_lookup_feedback_by_tx({ tx_signature }) — resolve a Solana transaction signature to its emit_feedback payment_id_hash by parsing the tx's inner instructions. Useful when an integrator has the settle signature but not the digest.
[0.4.5] — 2026-05-14
Tag: mcp-v0.4.5 · Two surgical fixes surfaced by the 2026-05-14
demo-flow gate, plus the matching doc surface so the two-MCP-surfaces
design lives next to the code that implements it.
Fixed
- agenttrust_emit_feedback was missing the AgentRegistry program in the instruction's remainingAccounts, so the trustgate invoke_signed CPI into agent_registry_8004::give_feedback failed with Unknown program 8oo4J9tBB3Hna1jRQ3rWvJjojqM5DYTDJo5cejUuJy3C at runtime. The SDK helper at trustgate/sdk/src/emit-feedback.ts:156-162 has shipped the correct pattern since 0.4.0; the MCP tool now mirrors it. B-001 closed. Beat F of the demo-flow gate finalises cleanly on devnet on 0.4.5.
Changed
- auth_required envelope hint is now branched by transport. classifyError(err, toolName?, transport?) accepts the active transport; for transport: "http" (the hosted MCP) the hint points the caller at the local-install path (npx -y @agenttrust-sdk/mcp@latest) instead of "restart the MCP server" guidance that remote callers cannot act on. The thrown source message in chain.ts:requireSigner() is trimmed to a stable matchable substring; the classifier emits the actionable copy. The hosted MCP is read-only by design, not a degraded local install. B-002 closed.
Docs
- New "Two MCP surfaces" section in /quickstart with the comparison table (local install: full 21-tool surface + user's keypair · hosted: 13 read-only tools + no shared signer by design). One-paragraph framing in the top-level README.
- agenttrust_setup_agent prompt rewritten around init_policy's self-heal: 1-2 calls instead of the stale 4-step off-band flow.
- Quickstart sample output now lists three healedSteps (register_agent_via_cpi, init_authority, init_killswitch) and describes the ephemeral asset-Keypair behaviour correctly (the caller's wallet is the payer, not the agent_asset).
- Canonical demo-video recording directive at submission/demo-video-script.md.
[0.4.4] — 2026-05-13
Tag: mcp-v0.4.4 · The self-heal cascade in agenttrust_init_policy
now covers the AgentTrust KillSwitchState PDA as well. Before this
release, a freshly bootstrapped agent's first simulate_payment would
hit Anchor error 3012 on the missing kill-switch state account; the
self-heal landed every other PDA but skipped this one. The single
atomic tx now includes seven program instruction logs in order:
RegisterAgentViaCpi → RegisterWithOptions → CreateV2 →
InitializeStats → InitAuthority → InitKillswitch → InitPolicy.
Changed
- agenttrust_init_policy self-heal now returns healedSteps: ["register_agent_via_cpi", "init_authority", "init_killswitch"] (three entries; previously two). Idempotent on second run when the PDAs already exist.
[0.4.1] — 2026-05-11
Tag: mcp-v0.4.1 · Refreshed the bundled IDL files (policy_vault.json,
trustgate.json, validation_registry.json) to match the live devnet
programs after the 0.4.0 trustgate refresh
(register_agent_via_cpi orchestration). No SDK / API changes.
[0.4.0] — 2026-05-11
Tag: mcp-v0.4.0 · Single-bootstrap headline. agenttrust_init_policy
self-heals Quantu's agent_account + atom_stats via TrustGate's new
register_agent_via_cpi instruction, atomically in the same tx as
init_authority + init_policy. A fresh wallet plus one prompt
produces a fully atom-functional agent identity — no off-band setup,
no Anchor 3012 on first simulate, no Quantu instruction names to
learn.
Added
- agenttrust_register_namespace write tool — register a CapabilityNamespace PDA on the ValidationRegistry program.
- agenttrust_register_attestor write tool — register an AttestorProfile PDA (required before respond_to_validation).
- Two new write tools bring the surface to 21 tools (10 read + 8 write + 3 discovery), up from 19.
Changed
- agenttrust_init_policy is now the single-bootstrap call: when the signer wallet doesn't already have a Quantu agent_account PDA, the tool prepends register_agent_via_cpi into the same atomic tx. Successful self-heal returns healedSteps: ["register_agent_via_cpi", "init_authority"].
- Refreshed bundled IDL files to match the trustgate refresh.
[0.3.5] — 2026-05-13
Tag: mcp-v0.3.5 · Polish wave from the gate E2E rerun that confirmed
0.3.4 closed the four hot-fix items. This release adds defensive
guards plus one classifier extension surfaced by the rerun.
Added
- prepublishOnly guard: a small Node script scripts/check-no-workspace-spec.cjs runs before every publish and hard-fails if invoked by anything other than pnpm while the package.json still carries workspace: specifiers. Forces the use of pnpm publish (which rewrites workspace:^ to the concrete semver range at pack time). Prevents another 0.3.2-style EUNSUPPORTEDPROTOCOL shipping accident at the pipeline level.
Changed
- classifyError in mcp/src/errors.ts now lands SendTransactionError text shapes as chain_error with a remediation-specific hint instead of the generic internal fallback. Covers four variants: err.name === "SendTransactionError", the literal substring SendTransactionError in the message, the "Simulation failed.\nMessage:" simulate-action prefix, and the "Transaction X resulted in an error" send-action prefix. Surfaced by Beat F of the 2026-05-13 gate rerun whose downstream CPI failure was previously misclassified as internal.
Tests
- mcp/test/publish-guard.test.ts (new). Spawns the guard script as a subprocess with three npm_execpath values and asserts the exit code plus stderr branch for each (npm path -> fail, pnpm path -> pass, unset -> fail).
- mcp/test/errors.test.ts extended with four new cases covering the SendTransactionError classification paths.
Suite size: 117 passing (was 110), conformance 22/22.
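The decision the 0.3.5 publish guard makes (workspace: specifiers present and the publishing client is not pnpm means fail) can be sketched as a pure function. This is an added example, not the project's scripts/check-no-workspace-spec.cjs; the function names, the dependency sections scanned, and the way pnpm is recognised from npm_execpath are assumptions.

```javascript
// Added example, not the project's guard script.
// Assumption: these are the manifest sections worth scanning.
const DEP_SECTIONS = [
  "dependencies",
  "devDependencies",
  "peerDependencies",
  "optionalDependencies",
];

// Collect every dependency whose range still uses the workspace: protocol.
function findWorkspaceSpecs(manifest) {
  const hits = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, range] of Object.entries(manifest[section] ?? {})) {
      if (typeof range === "string" && range.startsWith("workspace:")) {
        hits.push({ section, name, range });
      }
    }
  }
  return hits;
}

// Assumption: the client is pnpm when the file name in npm_execpath is
// pnpm, pnpm.js, pnpm.cjs, pnpm.mjs or pnpm.exe. Handles / and \ separators.
function isPnpm(npmExecpath) {
  if (typeof npmExecpath !== "string" || npmExecpath === "") return false;
  const base = npmExecpath.split(/[\\/]/).pop().toLowerCase();
  return /^pnpm(\.[cm]?js|\.exe)?$/.test(base);
}

// Returns { ok, specs, reason }. ok === false means the publish must abort.
function checkPublish(manifest, npmExecpath) {
  const specs = findWorkspaceSpecs(manifest);
  if (specs.length === 0) {
    return { ok: true, specs, reason: "no workspace: specifiers in manifest" };
  }
  if (isPnpm(npmExecpath)) {
    return { ok: true, specs, reason: "pnpm rewrites workspace: ranges at pack time" };
  }
  const list = specs.map((s) => `${s.section}.${s.name}=${s.range}`).join(", ");
  return {
    ok: false,
    specs,
    reason: `refusing to publish with unresolved specifiers (${list}); use pnpm publish`,
  };
}

// Constructed manifest modelled on the 0.3.2 packaging bug described on this page.
const SAMPLE_MANIFEST = {
  name: "@agenttrust-sdk/mcp",
  dependencies: { "@agenttrust-sdk/trustgate": "workspace:^" },
};

// Constructed npm_execpath values for the three cases the test suite covers.
const SAMPLE_EXECPATHS = {
  npm: "/usr/lib/node_modules/npm/bin/npm-cli.js",
  pnpm: "/usr/lib/node_modules/pnpm/bin/pnpm.cjs",
  unset: undefined,
};
```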
[0.3.4] — 2026-05-13
Tag: mcp-v0.3.4 · Hot-fix release for the four regressions surfaced by
the gate E2E run against published 0.3.3 (Claude Code over claude -p,
real devnet RPC, real mainnet RPC for the Quantu read beat). Full
verification report at submission/e2e-claude-code-2026-05-13/README.md.
The gate found that 0.3.3 booted and listed the expected nineteen tools but blocked Claude Code on three of seven tested tools at the Anthropic API tool-validation layer and at the Anchor argument-marshalling layer, plus over-reached on the mainnet program-ID guard. 0.3.4 fixes all four items and ships unit-test coverage so each regression has a defence in the test suite going forward.
Fixed
- agenttrust_request_validation and agenttrust_respond_to_validation no longer ship JSON Schema draft-04 exclusiveMinimum: true in their generated input schemas (the form the Anthropic /v1/messages tool validator rejects with HTTP 400 under draft 2020-12). Both deadline_slot and expires_at_slot now use Zod .min(1) so the emitted fragment is the draft 2020-12 form { "type": "integer", "minimum": 1 }. Two surfaces fixed: mcp/src/tools/write/request-validation.ts and mcp/src/tools/write/respond-to-validation.ts. A defence-in-depth post-processor rewriteExclusiveBoundsToDraft2020 was added in mcp/src/server.ts and runs on every tool's generated schema, so a future .positive() or .gt(N) in any tool input cannot regress the Anthropic tool-validation path unnoticed.
- agenttrust_emit_feedback no longer fails with the Anchor "provided too many arguments" error. The on-chain trustgate::emit_feedback Rust signature added two parameters (value: u64, value_decimals: u8) between score and tag1 for Quantu quality_score accrual, but the bundled mcp/src/idl/trustgate.json still listed the older eight-argument shape. Anchor 0.31's splitArgsAndCtx compared the ten args the handler passed (correct, matches the SDK call) against the stale eight in the IDL and rejected the call. Fix: regenerated the IDL fragment to add value and value_decimals in the correct positional slot. The handler call site in mcp/src/tools/write/emit-feedback.ts continues to pass the 32-byte payment_id_hash as a single positional array (Array.from(...)), which is what Anchor expects for [u8; 32].
- Mainnet boot no longer hard-throws when AgentTrust program IDs are unset, which previously blocked Quantu-only reads on mainnet (Beat G in the gate report). The boot guard in mcp/src/config.ts now emits a one-time stderr warning, fills the three AT program IDs with a sentinel pubkey (the System Program 11111111111111111111111111111111), and exports isMainnetUndeployedSentinel(pubkey) so the chain layer can detect the sentinel. mcp/src/chain.ts runs a guardATProgramId check before each loadPolicyVault / loadTrustGate / loadValidationRegistry call and throws a ConfigError-named Error that classifies as the new config_error envelope code. Quantu reads use the real MAINNET_QUANTU_IDS and are unaffected.
- classifyError in mcp/src/errors.ts now maps Solana InstructionError payloads (JSON-shaped and text-shaped) to errorCode: "chain_error" rather than the generic internal fallback. The Custom NNN code is extracted, named where it appears in the small table of known Anchor error numbers (e.g. 3012 -> AccountNotInitialized), and surfaced in the hint field. A new config_error code was added to ToolErrorCode to cover the mainnet-undeployed sentinel case from the chain-layer guard.
Tests
- mcp/test/json-schema-output.test.ts (new). Recursively walks every tool input schema after the rewriteExclusiveBoundsToDraft2020 post-processor and asserts no boolean exclusiveMinimum / exclusiveMaximum survives anywhere in the nested tree. Pins the deadline_slot and expires_at_slot shapes to { "type": "integer", "minimum": 1 }. Covers six cases including the anyOf / oneOf / allOf / items walk paths.
- mcp/test/tools/write/emit-feedback.test.ts (extended). Adds a handler-level test that mocks the Anchor trustgate.methods.emitFeedback(...) chain and asserts the handler passes exactly ten positional arguments matching the on-chain Rust signature, with payment_id_hash as a single 32-element number[] (not spread).
- mcp/test/config.test.ts (new). Asserts loadConfig returns rather than throws on NETWORK=solana-mainnet without overrides, fills the three AT program IDs with the sentinel, leaves the Quantu IDs as the real mainnet pubkeys, and respects explicit overrides.
- mcp/test/errors.test.ts (new). Covers the new chain_error routing for the four InstructionError shapes the gate saw (simulation-failed JSON, raw custom program error: 0x... text, text-shaped InstructionError without a Custom code, Anchor-style with structured error.errorCode.code), the new config_error routing, plus regression coverage for auth_required, input_invalid, and the internal fallback.
Suite size after this release: 110 passing (29 unit tests added vs 0.3.3's 86), plus the stdio conformance harness (22 checks) which continues to pass against the regenerated server.
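A sketch of the kind of post-processor the 0.3.4 entry describes, as an added example rather than the project's rewriteExclusiveBoundsToDraft2020: it converts draft-04 boolean exclusiveMinimum / exclusiveMaximum into the draft 2020-12 numeric form and includes the recursive check the test entry mentions. Function names and the sample schema are assumptions; for integers the rewritten { exclusiveMinimum: 0 } accepts the same values as the { minimum: 1 } form the tools now emit.

```javascript
// Added example, not the project's source. Only schema-bearing keywords are
// walked, so data under default / const / enum / examples is never rewritten.
const SINGLE_KEYS = ["items", "additionalProperties", "not", "if", "then", "else", "contains"];
const LIST_KEYS = ["anyOf", "oneOf", "allOf", "prefixItems"];
const MAP_KEYS = ["properties", "patternProperties", "$defs", "definitions"];

// draft-04: { minimum: N, exclusiveMinimum: true }  ->  2020-12: { exclusiveMinimum: N }
// draft-04: { minimum: N, exclusiveMinimum: false } ->  2020-12: { minimum: N }
function rewriteBound(node, exclusiveKey, inclusiveKey) {
  const flag = node[exclusiveKey];
  if (typeof flag !== "boolean") return; // absent, or already numeric
  delete node[exclusiveKey];
  if (flag && typeof node[inclusiveKey] === "number") {
    node[exclusiveKey] = node[inclusiveKey];
    delete node[inclusiveKey];
  }
}

// Returns a rewritten copy; the input schema is not mutated.
function rewriteExclusiveBounds(schema) {
  if (Array.isArray(schema)) return schema.map(rewriteExclusiveBounds);
  if (schema === null || typeof schema !== "object") return schema;
  const node = { ...schema };
  rewriteBound(node, "exclusiveMinimum", "minimum");
  rewriteBound(node, "exclusiveMaximum", "maximum");
  for (const key of [...SINGLE_KEYS, ...LIST_KEYS]) {
    if (key in node) node[key] = rewriteExclusiveBounds(node[key]);
  }
  for (const key of MAP_KEYS) {
    if (node[key] !== null && typeof node[key] === "object") {
      node[key] = Object.fromEntries(
        Object.entries(node[key]).map(([k, v]) => [k, rewriteExclusiveBounds(v)])
      );
    }
  }
  return node;
}

// Regression check: JSON-pointer-style paths of every boolean bound left in the tree.
function findBooleanExclusiveBounds(schema, path = "#") {
  if (Array.isArray(schema)) {
    return schema.flatMap((s, i) => findBooleanExclusiveBounds(s, `${path}/${i}`));
  }
  if (schema === null || typeof schema !== "object") return [];
  const hits = [];
  for (const key of ["exclusiveMinimum", "exclusiveMaximum"]) {
    if (typeof schema[key] === "boolean") hits.push(`${path}/${key}`);
  }
  for (const key of [...SINGLE_KEYS, ...LIST_KEYS]) {
    if (key in schema) hits.push(...findBooleanExclusiveBounds(schema[key], `${path}/${key}`));
  }
  for (const key of MAP_KEYS) {
    if (schema[key] !== null && typeof schema[key] === "object") {
      for (const [k, v] of Object.entries(schema[key])) {
        hits.push(...findBooleanExclusiveBounds(v, `${path}/${key}/${k}`));
      }
    }
  }
  return hits;
}

// Constructed tool input schema carrying the draft-04 form at three depths.
const SAMPLE_TOOL_SCHEMA = {
  type: "object",
  properties: {
    deadline_slot: { type: "integer", minimum: 0, exclusiveMinimum: true },
    window: {
      anyOf: [{ type: "number", maximum: 100, exclusiveMaximum: true }, { type: "null" }],
    },
    slots: { type: "array", items: { type: "integer", minimum: 0, exclusiveMinimum: false } },
    // Data, not schema: must survive untouched.
    note: { type: "object", default: { exclusiveMinimum: true } },
  },
};
```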
[0.3.3] — 2026-05-13
Tag: mcp-v0.3.3 · Republish of 0.3.2 to fix a packaging bug.
Fixed
- @agenttrust-sdk/trustgate dep in the published package.json is now a concrete semver range (^0.3.1) instead of the pnpm workspace specifier (workspace:^). 0.3.2 was published via plain npm publish which does not rewrite workspace: specs — npm consumers hit EUNSUPPORTEDPROTOCOL on install. 0.3.3 is published via pnpm publish, which performs the rewrite. 0.3.2 has been deprecated on the registry with a pointer to 0.3.3.
No source changes vs 0.3.2 — every Added / Changed / Fixed item below also applies to this release.
[0.3.2] — 2026-05-12 [deprecated]
Note: 0.3.2 is deprecated on npm because the published manifest
carries "@agenttrust-sdk/trustgate": "workspace:^", which npm
rejects with EUNSUPPORTEDPROTOCOL. Use 0.3.3.
Tag: mcp-v0.3.2 · Developer-experience polish wave covering every
post-submission audit P0 and P1 finding plus the three ergonomics
items called out in submission/post-submission-todos.md. The goal:
a stranger clones a fresh agent host, runs the published install
snippet, and the gate works first try with no pre-flight ritual.
Added
- agenttrust_init_authority write tool. Creates the PolicyAuthority PDA for an agent. Idempotent — existing authorities surface their on-chain members and threshold instead of failing. Defaults: members = [signer], threshold = 1.
- Layered signer detection. KEYPAIR_B58 → KEYPAIR_PATH → ~/.config/solana/id.json → SOLANA_KEYPAIR_PATH. The Solana CLI default keypair is picked up automatically. A developer who already ran solana-keygen new no longer needs to set any env var. Solves the root cause of the patch-claude.sh pre-flight script.
- MCP_HTTP_HOST env (default 127.0.0.1). MCP_TRANSPORT=http no longer exposes the server on the LAN by accident. Hosted deploys set MCP_HTTP_HOST=0.0.0.0 explicitly.
- Structured tools/call error envelopes. Failures now carry an errorCode (auth_required / input_invalid / rpc_failure / chain_error / not_found / internal), message, optional hint, and a truncated cause. Encoded as JSON-in-text for backward compat plus a spec-compliant structuredContent field. LLMs can react without grepping prose.
- errorCode fields on agenttrust_get_quantu_reputation (one of wrong_owner / size_mismatch / schema_mismatch), agenttrust_docs (docs_corpus_not_found), and agenttrust_facilitator_walkthrough (walkthrough_not_bundled). Additive — existing error prose strings preserved.
- readKeypairFile(path) helper exported from mcp/src/config.ts for direct testing of the JSON-array keypair format.
Changed
- agenttrust_init_policy, agenttrust_set_killswitch, and the underlying init_killswitch instruction self-heal. When a prerequisite PDA (PolicyAuthority, KillSwitchState) is missing, the matching init instruction is prepended into the same atomic transaction. Existing accounts remain the source of truth — never silently overwritten. Returns selfHealed: true with healedSteps so the caller surfaces the bootstrap to the user.
- agenttrust_init_policy defaults unspecified spending caps to the MAX of specified caps, not 0. Because v1 policies are immutable post-init, the previous 0 default was hostile (always-deny). Velocity caps are left untouched — window-seconds and max-in-window aren't peer caps in the same dimension.
- agenttrust_simulate_payment drops the preemptive funded-fee-payer throw. The underlying simulator uses replaceRecentBlockhash: true and sigVerify: false so an unfunded ephemeral fee-payer is fine.
- agenttrust_emit_feedback value and value_decimals stay optional but write a one-time stderr warn when both are omitted. Preserves the USDC default for compat while making the magnitude trap visible to non-USDC integrators.
- requireSigner() error message, MCP server instructions string, the three signer-required write-tool descriptions, README, and the three docs-site pages (install, tools, hosted-endpoint) all reference the full four-source signer chain instead of KEYPAIR_B58 alone.
- agenttrust_set_killswitch threshold>1 error message now points at the multi-sig walkthrough doc and the SDK composer path instead of stopping at "cosigner support is roadmap."
- agenttrust_init_policy.velocity.tier0_decay_factor and agenttrust_request_validation.deadline_slot Zod fields gain .describe() copy that explains basis-points semantics and the current-slot-plus-buffer expectation.
- emit_feedback.base_collection description spells out the three real discovery paths (demo state, on-chain agent_account.collection, the registration call).
Fixed
- NETWORK=solana-mainnet hard-throws at boot when no explicit POLICY_VAULT_PROGRAM_ID / TRUSTGATE_PROGRAM_ID / VALIDATION_REGISTRY_PROGRAM_ID is set. AgentTrust programs aren't deployed to mainnet yet; the previous silent fall-through to devnet IDs produced wrong gate decisions on a mainnet RPC. (F-002)
- HELP_TEXT corrections. Default port now 8765 (advertised 8080). Docs URL now https://docs.agenttrust.tech/mcp (was the github.io mirror). Dropped the stray backslash that leaked \$MCP_HTTP_PORT. Boot banner prints http://localhost:PORT for the click-through URL.
- RPC_URL is validated with new URL(rpcUrl) at boot. A typo'd URL throws naming the env var instead of a low-level fetch error on the first chain call.
- KEYPAIR_B58 length errors say what length was received vs the expected 64 bytes, and call out that a 32-byte value is the public key half only.
- agenttrust_respond_to_validation no longer references a non-existent register_attestor MCP tool — points at the demo script and the SDK helpers instead.
- Protocol-conformance test asserts 19 tools (was 18) and includes agenttrust_init_authority in the expected-name list.
Deploy notes (hosted-mcp)
- mcp/fly.toml adds MCP_HTTP_HOST=0.0.0.0 to the [env] block. Without it the container binds 127.0.0.1 inside the Fly machine and the platform health check fails.
[0.2.6] — 2026-05-08
Tag: mcp-v0.2.6 · Phase Q1 — fixes the only data-correctness bug Phase P uncovered. The MCP catalog now produces correct on-chain values for every tool that returns data.
Fixed
- agenttrust_get_quantu_reputation was reading Quantu AtomStats at fabricated byte offsets (40 / 41 / 49 / 50 / 51) and returning bogus values — Phase P E2E showed tier: 164 for an actually-tier-0 agent, plus a u64-max-ish feedbackCount that was junk re-interpretation of the asset-pubkey region. The PDA address, owner, and account size were correct; only the field decoding was wrong.

  0.2.6 mirrors the canonical offsets from programs/policy-vault/src/ext/atom_engine.rs verbatim:

  | offset | width  | field                                 |
  |--------|--------|---------------------------------------|
  | 549    | u8     | risk_score                            |
  | 551    | u8     | tier_immediate                        |
  | 555    | u8     | tier_confirmed                        |
  | 557    | u16 LE | confidence                            |
  | 560    | u8     | schema_version (canary, must equal 1) |

  Adds the schema-version canary at byte 560 and the tier ≤ ATOM_TIER_MAX = 4 range check the on-chain parser uses, so a future Quantu layout change fails loud rather than silently emitting garbage.
Changed (breaking, response shape)
- agenttrust_get_quantu_reputation response reputation block now contains:
  - tierImmediate (number, 0..=4) — v1 fast-path tier; what CounterpartyTier reads in v1 demo mode
  - tierConfirmed (number, 0..=4) — post-vesting tier; production policies prefer this
  - riskScore (number, 0..=255 — lower is better)
  - confidence (number, 0..=10_000 basis points)
  - schemaVersion (number, always 1 in v1)
- Removed feedbackCount and averageScore — those fields were not in the canonical AtomStats struct; values were nonsense reinterpretations of unrelated bytes.
- Added an error field on the top-level response when the schema-version canary or size check fails — populated in place of reputation.
Tests
- mcp/test/tools/read/get-quantu-reputation.test.ts now asserts the canonical offsets match the on-chain Rust source exactly, plus 8 byte-level decode cases (zero-state, populated state, undersized buffer, schema-version mismatch, tier overflow on both fields, boundary case at ATOM_TIER_MAX, u16-LE confidence reads in the correct byte order).
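A byte-level decoder built from the offsets, canary and tier range check listed in the 0.2.6 entry, as an added example that is not the project's source. The function names, the minimum-length bound (the page does not state the account size) and the tier_out_of_range code are assumptions; size_mismatch and schema_mismatch are the codes this page names for the tool.

```javascript
// Added example, not the project's decoder. Offsets are the ones the 0.2.6
// entry lists as canonical.
const OFFSETS = Object.freeze({
  riskScore: 549,     // u8
  tierImmediate: 551, // u8
  tierConfirmed: 555, // u8
  confidence: 557,    // u16 little-endian
  schemaVersion: 560, // u8 canary, must equal 1
});
const ATOM_TIER_MAX = 4;
const EXPECTED_SCHEMA_VERSION = 1;
// Assumption: the real account size is not given on the page, so the lower
// bound is the smallest buffer that still contains the canary byte.
const MIN_ACCOUNT_LEN = OFFSETS.schemaVersion + 1;

function fail(code, message) {
  // Mirrors the documented shape: an error is returned in place of reputation.
  return { error: { code, message } };
}

function decodeAtomStats(data) {
  const buf = Buffer.from(data);
  if (buf.length < MIN_ACCOUNT_LEN) {
    return fail("size_mismatch", `need at least ${MIN_ACCOUNT_LEN} bytes, got ${buf.length}`);
  }
  // Check the canary before trusting any other field.
  const schemaVersion = buf.readUInt8(OFFSETS.schemaVersion);
  if (schemaVersion !== EXPECTED_SCHEMA_VERSION) {
    return fail("schema_mismatch", `schema_version ${schemaVersion}, expected ${EXPECTED_SCHEMA_VERSION}`);
  }
  const tierImmediate = buf.readUInt8(OFFSETS.tierImmediate);
  const tierConfirmed = buf.readUInt8(OFFSETS.tierConfirmed);
  for (const [name, tier] of [["tierImmediate", tierImmediate], ["tierConfirmed", tierConfirmed]]) {
    if (tier > ATOM_TIER_MAX) {
      // "tier_out_of_range" is a hypothetical code chosen for this example.
      return fail("tier_out_of_range", `${name}=${tier} exceeds ATOM_TIER_MAX=${ATOM_TIER_MAX}`);
    }
  }
  return {
    reputation: {
      tierImmediate,
      tierConfirmed,
      riskScore: buf.readUInt8(OFFSETS.riskScore),
      confidence: buf.readUInt16LE(OFFSETS.confidence),
      schemaVersion,
    },
  };
}

// Constructed sample account. The leading 64 bytes are filled with 0xa4 noise
// to show that bytes outside the canonical offsets never reach the output.
function buildSampleAccount(fields = {}) {
  const f = {
    riskScore: 0,
    tierImmediate: 0,
    tierConfirmed: 0,
    confidence: 0,
    schemaVersion: EXPECTED_SCHEMA_VERSION,
    ...fields,
  };
  const buf = Buffer.alloc(MIN_ACCOUNT_LEN);
  buf.fill(0xa4, 0, 64);
  buf.writeUInt8(f.riskScore, OFFSETS.riskScore);
  buf.writeUInt8(f.tierImmediate, OFFSETS.tierImmediate);
  buf.writeUInt8(f.tierConfirmed, OFFSETS.tierConfirmed);
  buf.writeUInt16LE(f.confidence, OFFSETS.confidence);
  buf.writeUInt8(f.schemaVersion, OFFSETS.schemaVersion);
  return buf;
}
```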
[0.2.5] — 2026-05-08
Tag: mcp-v0.2.5 · Phase O — description copy polish surfaced by the Phase N+ real-user UX pass.
Changed
- Tool descriptions no longer reference internal repo paths. agenttrust_demo_state, agenttrust_docs, and agenttrust_emit_feedback's base_collection arg now read as standalone product copy without examples/pay-sh-demo/... / docs-site/content/docs/... leaks. Resource name fields under agenttrust://examples/* use human-readable labels ("pay-sh-demo README" instead of examples/pay-sh-demo/README.md).
- agenttrust_emit_feedback.base_collection description now points production integrators at their Quantu agent-registry collection address (the value passed to agent_registry::register_agent), not just at demo state.
- agenttrust_demo_state error message — when the bundled snapshot is unreachable — drops the internal path and explains that the published package bundles it; only mentions PAY_SH_DEMO_STATE_FILE as the override hook.
No behaviour changes; tools/list output cleaner for Claude Desktop / Cursor / any LLM doing tool-routing from natural-language questions.
[0.2.4] — 2026-05-07
Tag: mcp-v0.2.4 · UX-pass fix: real-user audit found agenttrust_get_validation_attestation requires a 64-char hex capability_hash while its sibling agenttrust_request_validation accepts the friendly capability_name. Real users / LLMs typically have the human-readable capability name; requiring the digest was a Claude-Desktop-level friction point.
Added
- agenttrust_get_validation_attestation now accepts either capability_name (preferred — the SDK computes SHA256(name)) or capability_hash. At least one is required; capability_name wins when both are passed. Mirrors the existing agenttrust_request_validation ergonomics.
[0.2.3] — 2026-05-07
Tag: mcp-v0.2.3 · Path-resolution fix follow-up to 0.2.2.
Fixed
- 0.2.2 bundled the embedded-docs / embedded-examples assets correctly but the consumer path.resolve(__dirname, "…") had an off-by-one — dist/tools/discovery/ __dirname + "../../../embedded-docs" resolved to <package-root>/embedded-docs, missing the dist/ segment. Files were in the tarball but the loaders couldn't find them. Three relative paths corrected (discovery/docs.ts, discovery/facilitator-walkthrough.ts, resources/docs.ts). Fresh npx install now returns full corpus + walkthrough content.
[0.2.2] — 2026-05-07
Tag: mcp-v0.2.2 · Phase N — Phase M E2E surfaced three bugs; this release closes all three plus the SERVER_VERSION fix that landed in 0.2.1.
Fixed
- agenttrust_demo_state no longer reports available: false on a fresh npx install. The build script now bundles the live devnet JSON snapshots (counterparties, demo-policies, smoke, attestor-trace, namespaces, chained-validation) into dist/embedded-data/. The tool prefers the bundled path; a local clone still wins the source-of-truth examples/.../...json lookup. (Phase M Bug #2)
- agenttrust_docs now returns ranked hits from the full MDX corpus (27 pages) on npx installs. The build script materialises docs-site/content/docs/**/*.mdx into dist/embedded-docs/; the doc loader prefers that directory and falls back to the live tree on a local clone. The agenttrust://docs/* resource scheme works the same way. (Phase M Bug #3)
- agenttrust_facilitator_walkthrough reads its source MDX + the trustgate facilitators README from dist/embedded-docs/ first; no more "no walkthrough bundled" responses. (Phase M Bug #3)
- The agenttrust://examples/* resource scheme now reads from dist/embedded-examples/ (READMEs + src/*.ts for both pay-sh-demo and attestor-demo). (Phase M Bug #3)
- HTTP transport now spins up one Server + StreamableHTTPServerTransport pair per Mcp-Session-Id instead of a singleton. Concurrent clients no longer interfere; second initialize no longer errors -32600 Server already initialized. Idle sessions evict after 30 minutes. (Phase M Bug #4)
Changed
- Build pipeline: pnpm --filter ./mcp run build now runs tsc && node scripts/copy-embedded-assets.js. The copy script prints a per-bucket count summary so regressions in the bundled set are visible at build time.
Note
The bundled dist/embedded-docs/ is a publish-time snapshot. The live docs at docs.agenttrust.tech evolve independently — clients that need fresh docs should set MCP_DOCS_DIR to a checkout's docs-site/content/docs/ directory, or use the hosted MCP at mcp.agenttrust.tech (redeployed on every main push).
[0.2.1] — 2026-05-07
Tag: mcp-v0.2.1 · simulate_payment clearer error when no caller / KEYPAIR_B58 set.
Fixed
- agenttrust_simulate_payment returns an actionable error ("requires a funded fee-payer on devnet — pass caller or set KEYPAIR_B58") instead of cryptic AccountNotFound when neither input is provided. Phase M E2E driver verified the fix via stdio + HTTP.
- serverInfo.version now reads from package.json so MCP clients see the same version as npm view. Previously hardcoded to 0.1.0 — drifted across 0.1.0 → 0.2.0 → 0.2.1.
[0.2.0] — 2026-05-07
Tag: mcp-v0.2.0 · Commit: 00ca222
Changed
- Re-pinned the @agenttrust-sdk/trustgate dep from workspace:* to workspace:^, so the published tarball ranges to ^0.2.0 (matches the SDK's own 0.2.0 bump). MCP code itself swept to the renamed programs.trustGate field + the new programs.validationRegistry field that the SDK 0.2.0 release added.
- AgentTrustConfig.validationRegistryId (top-level field) folded into AgentTrustConfig.programs.validationRegistry — single source of truth, matches the SDK's ProgramIds shape. The VALIDATION_REGISTRY_PROGRAM_ID env override is unchanged.
No new tools, no protocol-conformance changes — every MCP tool surface behaves identically to 0.1.0. 76 unit tests + 21 protocol-conformance checks still green.
[0.1.0] — 2026-05-04
Tag: mcp-v0.1.0 · Commit: 66d4f04
Added
- Initial publish of the AgentTrust MCP server. 18 tools across three categories:
  - Read (10): get_policy, get_velocity_ledger, get_killswitch, get_authority, get_feedback_log, get_capability_namespace, get_attestor_profile, get_validation_request, get_validation_attestation, simulate_gate_payment.
  - Write (5): init_authority, init_killswitch, set_killswitch, request_validation, respond_to_validation, emit_feedback.
  - Discovery (3): list_facilitators, health, plus an MCP resource at agenttrust://programs exposing program IDs and explorer URLs.
- Two transports: stdio (default; npx -y @agenttrust-sdk/mcp) and HTTP (MCP_TRANSPORT=http MCP_HTTP_PORT=8765).
- Bundled IDLs for policy_vault, trustgate, validation_registry so the server boots against a freshly-redeployed program before anchor idl init lands.
- Optional signer via KEYPAIR_B58 for write tools; read tools work with no env beyond defaults.
- Network selection via NETWORK=solana-devnet | solana-mainnet.