v0.6.0

v0.6.0 — Synchronized release

All three vgi-rpc implementations (Python, Go, TypeScript) are now at feature parity and share this version number.

What's in this release

• SHA-256 checksums for external storage pointer batches (vgi_rpc.location.sha256)
• Compute SHA-256 of raw IPC bytes on externalize, verify on resolve/fetch
• Backward compatible — absent checksum skips verification
• Default HTTP prefix changed from /vgi to "" (empty)
• 12 new SHA-256 tests (8 unit + 4 HTTP transport)
• 2,448 tests passing

Feature parity with Go and TypeScript

All three implementations now support: wire protocol v1, describe v3, unary/producer/exchange streams, HTTP server/client, bearer/JWT/mTLS/OAuth auth, OpenTelemetry, dispatch hooks, HTML pages, external storage with SHA-256, S3 and GCS backends.

v0.1.27

Changes

• Default HTTP prefix changed from /vgi to "" (root). Endpoints now live at the root by default (e.g. /bind, /init). Users who need a prefix can still pass --prefix /vgi.
• Client functions (http_connect, http_capabilities, etc.) now auto-detect prefix from _SyncTestClient.prefix when not explicitly passed.
• CI lint job now runs before tests for faster failure feedback.

v0.1.26

What's Changed

• Styled 401 Unauthorized and 404 error pages to match the landing page design (Inter/JetBrains Mono fonts, warm background, consistent branding)
• Added shared _ERROR_PAGE_STYLE for consistent styling across all error pages
• 401 pages now show the specific authentication error detail in a styled box
• Custom Falcon error serializer renders HTML for 401 responses

v0.1.25

What's Changed

• Support custom X-VGI-Accept-Encoding and X-VGI-Content-Encoding headers for zstd compression, to bypass proxies/CDNs that strip standard Content-Encoding headers

v0.1.24

What's Changed

• Improved OAuth validation errors: OAuthResourceMetadata validation errors now include the offending value for easier debugging
• JWT diagnostic logging: jwt_authenticate now logs expected vs actual claims (issuer, audience) when JWT validation fails, aiding troubleshooting of auth misconfiguration

v0.1.23

What's Changed

• Support multiple audiences in jwt_authenticate: The audience parameter now accepts str | tuple[str, ...], allowing tokens from either client_id or device_code_client_id (which may use different audiences) to be validated by a single authenticator. Uses Authlib's "values" key for native multi-audience support — no decode loop needed. Empty tuple raises ValueError eagerly.

v0.1.22

What's New

• Add device_code_client_id and device_code_client_secret to OAuth Resource Metadata for OAuth providers that require separate credentials for the device code grant flow

v0.1.21

What's Changed

• Add use_id_token_as_bearer boolean field to OAuth Resource Metadata (OAuthResourceMetadata, OAuthResourceMetadataResponse, WWW-Authenticate header)
• Add parse_use_id_token_as_bearer() helper for extracting the flag from WWW-Authenticate headers

When use_id_token_as_bearer=True, clients are told to use the OIDC id_token as the Bearer token instead of the access_token. This is a custom extension (not defined in RFC 9728) following the same pattern as client_id and client_secret.

v0.1.20

What's Changed

• Add client_secret to OAuth Resource Metadata (OAuthResourceMetadata, OAuthResourceMetadataResponse, WWW-Authenticate header)
• Add parse_client_secret() helper for extracting client_secret from WWW-Authenticate headers
• Reduce .well-known/oauth-protected-resource cache max-age from 3600s to 60s

Google requires client_secret in OAuth resource metadata even when using PKCE. The client_secret follows the same pattern as client_id — it appears in the well-known JSON document, the WWW-Authenticate challenge header, and is discoverable via http_oauth_metadata().

v0.1.19

What's New

• OAuth client_id support: Added optional client_id field to OAuthResourceMetadata and OAuthResourceMetadataResponse as a custom RFC 9728 extension for MCP compatibility
  • Serialized in /.well-known/oauth-protected-resource JSON and WWW-Authenticate headers on 401 responses
  • New parse_client_id() helper to extract client_id from WWW-Authenticate headers
  • URL-safe character validation on client_id values