diff --git a/README.md b/README.md index bb09a19..8a3391c 100644 --- a/README.md +++ b/README.md @@ -93,7 +93,7 @@ is the pure-Python client and expects an `aasm` runtime to be reachable some oth Confirm the `aasm` CLI is on your `PATH`: ```bash -aasm --version # e.g. aasm 0.0.1rc5 +aasm --version # e.g. aasm 0.0.1rc6 ``` > **Supply-chain verification.** The only official PyPI package is `agent-assembly` diff --git a/agent_assembly/__init__.py b/agent_assembly/__init__.py index 0f5b75f..a138365 100644 --- a/agent_assembly/__init__.py +++ b/agent_assembly/__init__.py @@ -8,7 +8,7 @@ import sys from typing import TYPE_CHECKING, Any -__version__ = "0.0.1rc5" +__version__ = "0.0.1rc6" _MODULE_CORE = "agent_assembly.core" _MODULE_ADAPTERS = "agent_assembly.adapters" diff --git a/docs/compatibility/release-notes.md b/docs/compatibility/release-notes.md index 5f320ef..f924cdc 100644 --- a/docs/compatibility/release-notes.md +++ b/docs/compatibility/release-notes.md @@ -5,6 +5,28 @@ Release notes for the Agent Assembly Python SDK. Versions follow [SemVer](https: !!! info "0.x development" The SDK is in active 0.x development; per-release notes are minimal. Track full changes via [the commits to `master`](https://github.com/ai-agent-assembly/python-sdk/commits/master) and the [GitHub releases](https://github.com/ai-agent-assembly/python-sdk/releases) feed. +## 0.0.1-rc.6 + +Sixth **release candidate** on the `0.0.1` line. This release tracks the published +`agent-assembly` core **`v0.0.1-rc.6`**: the bundled `aasm` runtime binary and the +compiled `aa-ffi-python` extension are pinned to that core tag. + +This is a **security-hardening** candidate: the SDK now refuses to resolve a +register endpoint that would send credentials over non-loopback plaintext, and a +LangChain policy `deny` now actually blocks the tool call instead of being swallowed. + +- Enforce non-loopback TLS on register-endpoint resolution, so a register call can + no longer leak credentials over plaintext to a non-loopback host (AAASM-4655). +- Set `raise_error` on the LangChain adapter so a policy `deny` is enforced and + blocks the tool call rather than being silently ignored (AAASM-4658). +- Add an `allow_insecure` opt-in to `init_assembly()` for deliberately trusted + networks, gated and documented as a conscious escape hatch (AAASM-4664). +- Add an `aasm --version` flag sourcing `__version__`, and correct the README error- + handling example to match the actual exception (AAASM-4656 / AAASM-4710). +- Fix a misleading OS classifier on the platform wheels' packaging metadata + (AAASM-4648), and tidy dead LangChain async callbacks / test hygiene + (AAASM-4710 / AAASM-4691). + ## 0.0.1-rc.5 Fifth **release candidate** on the `0.0.1` line. This release tracks the published diff --git a/docs/examples/agno.md b/docs/examples/agno.md index f4ddd2c..3caaead 100644 --- a/docs/examples/agno.md +++ b/docs/examples/agno.md @@ -19,7 +19,7 @@ Version pins (from `pyproject.toml`): | Dependency | Version | |---|---| | `agno` | `>=2.0.0` | -| `agent-assembly` | `>=0.0.1rc5` (the release that ships the Agno adapter) | +| `agent-assembly` | `>=0.0.1rc6` (the release that ships the Agno adapter) | | Python | `>=3.12` | ## How it works diff --git a/docs/examples/haystack.md b/docs/examples/haystack.md index 1a260fb..11c9bd9 100644 --- a/docs/examples/haystack.md +++ b/docs/examples/haystack.md @@ -20,7 +20,7 @@ Version pins (from `pyproject.toml`): | Dependency | Version | |---|---| | `haystack-ai` | `>=2.0.0,<3.0` | -| `agent-assembly` | `>=0.0.1rc5` (the release that ships the Haystack adapter) | +| `agent-assembly` | `>=0.0.1rc6` (the release that ships the Haystack adapter) | | Python | `>=3.12` | ## How it works diff --git a/docs/examples/llamaindex-tool-policy.md b/docs/examples/llamaindex-tool-policy.md index aa1f273..fbe4a5d 100644 --- a/docs/examples/llamaindex-tool-policy.md +++ b/docs/examples/llamaindex-tool-policy.md @@ -19,7 +19,7 @@ Version pins (from `pyproject.toml`): | Dependency | Version | |---|---| | `llama-index-core` | `>=0.14.22` | -| `agent-assembly` | `>=0.0.1rc5` (the release that ships the LlamaIndex adapter) | +| `agent-assembly` | `>=0.0.1rc6` (the release that ships the LlamaIndex adapter) | | Python | `>=3.12` | ## How it works diff --git a/docs/examples/microsoft-agent-framework.md b/docs/examples/microsoft-agent-framework.md index 369c869..1bb567c 100644 --- a/docs/examples/microsoft-agent-framework.md +++ b/docs/examples/microsoft-agent-framework.md @@ -19,7 +19,7 @@ Version pins (from `pyproject.toml`): | Dependency | Version | |---|---| | `agent-framework` (the `live` extra) | `>=1.9,<2` | -| `agent-assembly` | `>=0.0.1rc5` (the release that ships the Microsoft Agent Framework adapter) | +| `agent-assembly` | `>=0.0.1rc6` (the release that ships the Microsoft Agent Framework adapter) | | Python | `>=3.12` | The adapter's `get_supported_versions()` reports `>=1.0.0,<2.0` — governance attaches across the 1.x line. diff --git a/docs/examples/smolagents.md b/docs/examples/smolagents.md index bfe400f..81efe59 100644 --- a/docs/examples/smolagents.md +++ b/docs/examples/smolagents.md @@ -19,7 +19,7 @@ Version pins (from `pyproject.toml`): | Dependency | Version | |---|---| | `smolagents` | `>=1.0.0,<2.0.0` | -| `agent-assembly` | `>=0.0.1rc5` (the release that ships the Smolagents adapter) | +| `agent-assembly` | `>=0.0.1rc6` (the release that ships the Smolagents adapter) | | Python | `>=3.12` | ## How it works diff --git a/docs/guides/container-base-image.md b/docs/guides/container-base-image.md index 93ec51c..a144b91 100644 --- a/docs/guides/container-base-image.md +++ b/docs/guides/container-base-image.md @@ -33,13 +33,13 @@ There are two families of tags: **immutable** (pinned, reproducible) and **movin | Tag | Example | Mutable? | Use it for | | --- | --- | --- | --- | -| `python:-` | `python:3.14-slim-v0.0.1-rc.5` | **No** — immutable | **CI and production.** Reproducible, byte-for-byte stable. | +| `python:-` | `python:3.14-slim-v0.0.1-rc.6` | **No** — immutable | **CI and production.** Reproducible, byte-for-byte stable. | | `python:` | `python:3.14-slim` | Yes — moves per release | Local experiments on a fixed Python runtime. | | `python:latest` | `python:latest` | Yes — moves per release | Quick one-off tries only. | `` is the **Agent Assembly core / `aa-runtime` release** baked into the image — it is also the version of the `aasm` CLI inside the image. Pinning -`python:3.14-slim-v0.0.1-rc.5` therefore pins *both* the Python runtime and the exact +`python:3.14-slim-v0.0.1-rc.6` therefore pins *both* the Python runtime and the exact governance core/CLI version, which is what makes the build reproducible. !!! warning "Pin the immutable tag in CI and production" @@ -53,7 +53,7 @@ A minimal agent image that inherits governance from the base image: ```dockerfile # Pin the immutable tag — Python 3.14 runtime + a fixed governance core/CLI version. -FROM ghcr.io/ai-agent-assembly/python:3.14-slim-v0.0.1-rc.5 +FROM ghcr.io/ai-agent-assembly/python:3.14-slim-v0.0.1-rc.6 WORKDIR /app @@ -123,7 +123,7 @@ which `agent-assembly` SDK release gets baked in. ## Best practices - **Pin the immutable tag in CI and production.** Use - `python:-` (e.g. `python:3.14-slim-v0.0.1-rc.5`); never `:latest`. + `python:-` (e.g. `python:3.14-slim-v0.0.1-rc.6`); never `:latest`. - **Pair the image with the `aa-runtime` sidecar.** The image makes your agent *governance-ready*, but the in-process SDK layer is **not a security boundary on its own** — point `init_assembly()` at an `aa-runtime` instance (sidecar or service) so policy diff --git a/docs/javascripts/source-facts-guard.js b/docs/javascripts/source-facts-guard.js index bafe4e4..409d832 100644 --- a/docs/javascripts/source-facts-guard.js +++ b/docs/javascripts/source-facts-guard.js @@ -7,7 +7,7 @@ It issues TWO unauthenticated calls to api.github.com per page load: 1. GET https://api.github.com/repos///releases/latest - → 404, because this repo publishes only pre-releases (0.0.1a4..0.0.1rc5, + → 404, because this repo publishes only pre-releases (0.0.1a4..0.0.1rc6, 0.0.2); GitHub's /releases/latest endpoint excludes pre-releases and returns 404 when no non-prerelease exists. AAASM-4318 rewrites this request to /releases?per_page=1 and picks the newest so the badge can diff --git a/pyproject.toml b/pyproject.toml index dbd6939..81824c7 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "hatchling.build" [project] name = "agent-assembly" -version = "0.0.1rc5" +version = "0.0.1rc6" description = "Python SDK for AI Agent Assembly - A governance-native runtime for AI agents" authors = [{ name = "Agent Assembly Team", email = "team@agent-assembly.dev" }] requires-python = ">=3.12,<4.0" diff --git a/sonar-project.properties b/sonar-project.properties index bf4a5cd..4b41682 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -12,7 +12,7 @@ sonar.projectName=python-sdk # `-Dsonar.projectVersion=...` (see .github/workflows/rw_run_all_test_and_record.yaml), # so it always tracks the current release; this static value is the local-scan # fallback only. -sonar.projectVersion=0.0.1rc5 +sonar.projectVersion=0.0.1rc6 # Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows. sonar.projectBaseDir=./ diff --git a/uv.lock b/uv.lock index 83976d9..b6344ee 100644 --- a/uv.lock +++ b/uv.lock @@ -11,7 +11,7 @@ resolution-markers = [ [[package]] name = "agent-assembly" -version = "0.0.1rc5" +version = "0.0.1rc6" source = { editable = "." } dependencies = [ { name = "grpcio" },