aim-sdk 1.24.1

Patch release. pip install -U aim-sdk

Fixed

• CLI login no longer doubles the Token exchange failed: prefix (#286). The message now surfaces the server's error_description and, on a non-JSON response, a hint that the URL should be the AIM API base (https://api.aim.opena2a.org) rather than the dashboard URL.
• Credential-adoption message names the real source path instead of saying "from bundled package" (#288) — the published artifacts contain no credential; the line was misleading.
• login no longer crashes with an EOFError traceback on non-interactive stdin when credentials already exist (#288) — it keeps the credentials and prints a --force hint.

Internal

• test_sdk_verification guarded under __main__ so it no longer makes a network call during pytest collection (#283).

Provenance (Trusted Publishing / PEP 740)

curl -s -o /dev/null -w "%{http_code}\n" \
  https://pypi.org/integrity/aim-sdk/1.24.1/aim_sdk-1.24.1-py3-none-any.whl/provenance
# -> 200

aim-sdk 1.24.0 (Python)

Python SDK causal-denial telemetry parity with the TypeScript SDK (PR #281).

Adds the opt-in aim_sdk.telemetry package: local_writer, relay, joiner, correlation, technique_mapping, correlated_record. No behavior change when telemetry is off.

Published via npm/PyPI Trusted Publishing (OIDC, PEP 740 provenance).

• pip install aim-sdk==1.24.0
• Verify provenance: curl -s https://pypi.org/integrity/aim-sdk/1.24.0/aim_sdk-1.24.0-py3-none-any.whl/provenance

Release-tested: clean build (wheel+sdist), 437 unit tests pass, fresh-venv wheel install imports all telemetry submodules, version consistent (1.24.0).

aim-sdk 1.23.0

aim-sdk 1.23.0

First PyPI release since 1.22.1. Batches merged-but-unpublished work plus packaging and login-UX fixes.

Added (provisional)

• AAP grant surface (#266): @perform_action(grant="grant://..."), BrokerClient, GrantSession, current_grant, BrokerGrantError, GrantDeniedError. The agent references a grant; the Secretless broker verifies the ATX, authorizes, resolves a scoped credential, performs the operation in an ephemeral worker, and returns only the result -- no credential value or backend identifier enters the agent process. Provisional/experimental: the Agent Authorization Protocol is at spec v0.1, so this surface and the broker wire format may change in a future minor release without a major bump. Opt-in only; omitting grant= leaves existing behavior unchanged.

Changed

• OAuth login browser callback pages redesigned to match the AIM dashboard (OpenA2A logo, blue-600-on-white styling, inline SVG status icons; no more purple-gradient emoji card).
• aim-sdk terminal output is now emoji-free; exit codes carry the success/failure signal.
• Richer aim-sdk login output and install-first README quickstart (#270); security-doc credential-storage correction (#272).

Fixed

• tests/ no longer ships inside the wheel.
• aim-sdk --version / -V top-level flag added.

Provenance

Published via PyPI Trusted Publishing (OIDC) from .github/workflows/release.yml. Verify:
curl -s -o /dev/null -w "%{http_code}" https://pypi.org/integrity/aim-sdk/1.23.0/aim_sdk-1.23.0-py3-none-any.whl/provenance (expect 200).

AIM Platform 1.0.0

First stable release of the AIM platform (backend + dashboard).

The stage in STATUS.md is stable, every gate criterion in HARDENING.md's "Roadmap to 1.0" is met, and semver is honored from this release forward.

Artifacts

• Container images (multi-arch linux/amd64 + linux/arm64, cosign keyless-signed, with SBOM + provenance attestations):
  • ghcr.io/opena2a-org/aim-server:1.0.0 · aim-dashboard:1.0.0 (also :latest)
  • docker.io/opena2a/aim-server:1.0.0 · aim-dashboard:1.0.0 (also :latest)
• SBOMs attached to this release: sbom-backend.cdx.json (CycloneDX, Go) · sbom-frontend.cdx.json (CycloneDX, npm)

Notable fixes in 1.0.0

• Dashboard "Download SDK" now produces a working SDK: embedded URLs are coerced to https, so the refresh-token POST is no longer 301-dropped behind the TLS-terminating ingress, and the credentials carry userEmail for the Python SDK and email for the Java SDK (#263).
• Agent-creation no longer leaks raw PostgreSQL errors to the API and drops a duplicated error prefix (#264).
• docker-publish now extracts image tags from platform-v* tags (#268); release CI poll window widened for registry propagation (#265).

Versioning

• The platform is tagged platform-v<version>. The SDKs release independently: aim-sdk on PyPI, @opena2a/aim-sdk on npm, org.opena2a:aim-sdk on Maven Central, under sdk-*-v<version> tags. Earlier bare v* tags in this repo tracked the SDK line and a legacy ad-hoc tag, not the platform.

See CHANGELOG.md and README.md.

v0.9.0-alpha: Per-Capability Trust & Execution Modes

New Features

Per-Capability Trust Thresholds

Each capability can require a minimum agent trust score. Defaults by risk level: low=0%, medium=30%, high=50%, critical=70%.

Per-Capability Execution Modes

Three modes: auto (immediate), notify (execute + alert), review (queue for human approval). Defaults by risk level.

Delegation Trust Attenuation

Trust decays per hop in delegation chains (default 0.8x, floor 0.3). TypeScript SDK verifyDelegationChain() now tracks effective trust.

Changes

• 3 migrations, 20 files changed, 515 insertions
• Go backend: domain models, service enforcement, repository queries
• TypeScript SDK: delegation chain verification with trust tracking
• Docs: README, capability enforcement, trust scoring, A2A guide

v1.5.0

Release v1.5.0 - OAuth Device Authorization Grant (RFC 8628) for CLI …

v0.5.3

Release v0.5.3 - Docker Hub publishing and README refresh

v0.5.2

Release v0.5.2 - Fix 11 pytest fixture errors in integration test files

v0.5.1 - Python SDK Test Stability & Release Workflow Fix

Summary

Patch release fixing all Python SDK test failures after implementation refactors and fixing the release workflow SBOM generation.

Changes

Python SDK (sdk/python/)

• Added AIMClient.from_credentials() classmethod -- load an existing client from saved credentials (921b869)
• Added AIMClient.auto_register_or_load() classmethod -- smart registration/loading wrapper around register_agent() (921b869)
• Fixed all test assertions after parameter rename (talks_to -> mcp_server_names), api_key=None addition, and auto_detect_mcp flag separation (921b869)
• Fixed capability detection tests to pass include_imports=True where import-based detection is mocked (921b869)
• Fixed e2e zero-config test -- mock requests.get for agent-exists check, removed conflicting keypair from mock response (921b869)
• Marked integration tests -- credential management and decorator tests marked @pytest.mark.integration, excluded by default in pytest.ini (921b869)
• Resolved import failures from prior PR (deffbcf)

CI/CD

• Fixed release workflow -- corrected package-lock.json cache path and added --ignore-npm-errors to frontend SBOM generation (789f98f, 68b945f)

Test Results

• Python SDK: 322 passed, 0 failures, 35 skipped, 10 integration deselected
• Go Backend: all tests passing

Assets

• sbom-backend.cdx.json -- Go backend CycloneDX SBOM
• sbom-frontend.cdx.json -- Frontend CycloneDX SBOM

v0.5.0 - Backend Testing & Security Hardening

What's Changed

Backend Fixes

• Fix auth refresh token validation for login-generated tokens vs SDK tokens
• Fix user org assignment during admin approval (users join admin's org)
• Fix MCP server verification returning 500 on DNS failures (now returns structured 200)
• Fix nil-panic in trust score update handler
• Fix MCP GetAgents route conflict with PQC middleware
• Add missing mcp_server_keys database table migration

New: OAuth 2.0 Token Endpoint

• Implement POST /api/v1/oauth/token per RFC 6749 / RFC 7523 (jwt-bearer grant)
• Ed25519 signature verification against agent's registered public key
• Full error handling: invalid grant type, missing fields, malformed assertions, signature failures

Security Hardening

• CRITICAL: OAuth token endpoint now cryptographically verifies JWT signatures (was accepting unsigned JWTs)
• HIGH: Docker-compose default KEYVAULT_MASTER_KEY added to insecure secrets deny list
• MEDIUM: Hardened refresh token revocation — deleted SDK tokens can no longer be refreshed
• MEDIUM: MCP verification error messages sanitized to prevent infrastructure detail leakage
• MEDIUM: Restored cross-organization access denial test with real multi-org isolation
• LOW: Startup warning when rate limits are elevated due to ENVIRONMENT=development/test

Integration Tests

• Resolved all 18 previously skipped integration tests
• 459 PASS, 0 FAIL, 0 SKIP
• OAuth tests use real Ed25519 cryptographic signatures
• Cross-org test creates users in separate organizations and verifies access denial

Documentation

• Updated README with Recent Updates section
• Rewrote Quick Start guide

Full Changelog: v0.4.0...v0.5.0