Changelog

v0.4.1 — June 2026

Packages live on npm. Beta — the platform is still iterating, but install paths are public and every call is gated on an agent API key.

Added

• @advisors-crypto/sdk on npm — TypeScript SDK with three entry points (default client, /webhooks, /verifier). Pure ESM, zero runtime dependencies, requires Node ≥ 20. Published at v0.1.2 with full legal notices in the README (SEC RIA disclosure, software-as-is, crypto/securities risk language, third-party AI data-flow, sandbox-vs-prod warning, jurisdiction, disclosure version binding).
• @advisors-crypto/mcp on npm — MCP server published at v0.2.0. Six tools, two resources, two prompts. Drop straight into Claude Desktop / Cursor with npx -y @advisors-crypto/mcp.

v0.4.0 — June 2026

PM-audit response. Closes the developer-experience gaps that would have been obvious on the first npm install.

Added

• Test keys. Mint ac_test_-prefixed keys that hit a fixed sandbox IPS (BTC/ETH/SPY/QQQ, $10k cap), never write ServiceRequests, never touch the audit log. Responses carry X-AC-Sandbox: true.
• Per-key rate limiting. 50 req/s default per key via a Redis token bucket. Every response carries X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset. whoami echoes the same budget in its response body.
• Usage telemetry. GET /api/agent/v1/usage returns totals, error rate, p50/p95 latency, daily series, top paths and keys, plus the last 10 raw calls. Daily 30-day retention sweep keeps the table bounded. CSV download on the in-app dashboard.
• Batch validate. POST /policy/validate-batch evaluates up to 25 trades in one call. Sequential evaluation so per-key daily caps reflect what an agent would see one call at a time.
• Atomic key rotation. POST /api/agent/keys/:id/rotate issues a new secret inheriting the old key’s scopes / policy / label. The old key keeps verifying for 24h so callers can swap secrets without downtime. UI button next to Revoke.
• Webhook delivery replay. POST /webhooks/:id/deliveries/:deliveryId/replay re-signs the original envelope against the current secret and queues a fresh delivery with replayOf in the payload for dedup.
• SDK parity. TypeScript and Python SDKs both gain validateBatch / validate_batch and getUsage / get_usage; Whoami types pick up the new keyType and rateLimit fields.
• Live tail on getting-started. Once a key exists, the onboarding card shows the last 5 raw calls with status badge + relative time, refreshed every 15s.
• Cmd+K command palette across /agent. Jumps tabs, opens the mint dialog, new-webhook dialog, signature debugger; try-validate scrolls the card into view + pulses a ring.
• Tab badges + sticky tab bar — Manage shows active key + webhook count; Activity shows blocked- in-24h in red. Tabs follow the scroll so the audit feed never hides the switcher.

Changed

• Rate-limit docs page rewritten to reflect what actually ships (50 req/s per key, real headers, Redis fail-open behavior). The old “100/min sliding window” copy is gone.
• Webhook deliveries inside an expanded subscription gain two filters: status (success/fail/in-flight) and event type. Distinct events are drawn from the actual delivery stream, not a hardcoded enum.
• Mint dialog persists the per-key policy field. Previously the policy section rendered fine but the JSONB column stayed null because the service silently dropped it.

v0.3.0 — June 2026

Enterprise + webhook landing. The agent platform graduates from a polished individual surface to a multi-tenant product with real RBAC.

Added

• Webhooks. Subscribe to attestation.*, validation.blocked, key.* events. HMAC-SHA256 signature scheme, 6-attempt exponential backoff, kill-switch after 20 consecutive failures. UI on /agent.
• Organizations. Multi-tenant primitives with 5 built-in roles (owner / admin / adviser / compliance / viewer), per-role permission matrix, adviser client-book scoping. Self-serve org creation at /organizations.
• Per-key policy constraints. Hard caps on amount, asset allowlists, time windows, daily call cap. Evaluated before IPS on every call.
• SCIM 2.0 scaffold compatible with Okta and Azure AD provisioning. ServiceProviderConfig, ResourceTypes, Schemas, basic Users CRUD.
• Disclosure versioning. Per-mint acceptance with IP + UA captured. New version forces re-acceptance.
• TypeScript SDK (@advisors-crypto/sdk) — typed wrapper, webhook verifier on a separate entry point. Build ready; npm publish landed in v0.4 (see below).
• Idempotency-Key as a first-class column on service_requests with a unique index.
• X-Request-Id on every response; X-RateLimit-* headers.

Changed

• All in-product references to app.advisors.crypto / api.advisors.crypto swapped to the real hosts (app.advisorscrypto.com / api.advisorscrypto.com).
• Disclosure gate is now required at every mint.

v0.2.0 — June 2026

Polish round + dedicated agent landing.

Added

• MCP resources + prompts. ac://mandate/current, ac://holdings/current, plus review-portfolio and propose-trade-with-rationale prompts.
• OpenAPI 3.1 spec at /api/agent/v1/openapi.json, auth-free.
• Dedicated /agents landing with cinematic hero, architecture diagram, demo, tool cards, install snippets.
• Docs site at /agents/docs with sticky sidebar, primitives, prev/next pagination.

v0.1.0 — June 2026

Initial agent platform release.

Added

• 6 REST endpoints under /api/agent/v1/*: whoami, mandate, holdings, policy/validate, trades/propose, audit.
• 3 scopes (read / validate / propose). No execute scope, by design.
• Per-user agent API keys minted at /agent. SHA-256 hashed; plaintext shown once.
• MCP server (@advisors-crypto/mcp) — 6 tools wrapping the REST endpoints.
• Try-it sandbox on /agent hitting the same code path the agent uses.