What's Changed
Authority & Policy
- Request-aware authorization: added `method` and `path` to the policy input schema and STS token-exchange
- Operation-authority checks with mandate-scope validation and tenancy data-document generation
- Rego data-document support and stronger governance validation rules
- Policy/policy-set APIs now return `version_id`; control-key max-TTL enforcement in token exchange
- Partner-operation approval mechanism with decision handling
Zone-Scoped Keys (JWKS)
- JWKS retrieval now requires `zone_id` for scoped, per-zone keysets (Go + Python)
- Zone-aware caching and rate-limited JWKS POST fetching across SDKs
Delegation & Agents
- Service-authority grants added to `spawnService`/agent delegation (Python + TS SDKs)
- Idempotency-key management for agent sessions and spawn flows; token invalidation
- Coordinator: stale agent sessions excluded from zone caps; caps now configurable
- Async authentication methods and improved mandate verification
New: ASGI / FastAPI Connector
- New `caracalai-asgi` package — ASGI middleware for Caracal mandate verification, with FastAPI guide and tests
Gateway / Security
- Reworked SSRF protection: removed `AllowPrivateUpstreams`, added `UPSTREAM_HOST_ALLOWLIST` egress control + blocked-address validation, metadata DNS checks
- Opt-in client-secret rotation guard; new `bearer_token` provider kind and PAT auth flow
- Refreshed base-image digests, tracked upstream-pending CVEs, hardened KEK validation
Observability & Audit
- Metrics bearer-token support across runtime/compose, secrets, and doctor/preflight checks
- Audit-chain rehashing with migration scripts; authority-decision metrics
Runtime / Ops
- STS loopback TCP relay with HTTP-status `auth_error` handling
- Docker: corepack in Node 26 images, build-context filtering, dependency hash/security updates
Docs, Console & Community
- Releases page redesigned as a changelog timeline; blog/vlog directories with pagination and bylines
- Console demo: approval gating/toggle, task cards, model selection, collapsible panels
- README clarity ("layer" terminology, security emphasis), `FUNDING.json`, Vercel OSS
Package versions: all SDKs 0.1.2 → 0.1.5 (npm + PyPI + Go)
New Contributors
- @umar-aziz-dev made their first contribution in #184
- @aayushprsingh made their first contribution in #186
- @pratyush07-hub made their first contribution in #190
- @Mohammad-Ali-Haider made their first contribution in #191
- @Ashutoshx7 made their first contribution in #249
Full Changelog: v2026.05.14...v2026.06.21