Release v1.2.0: Protocol-first restructure, TypeScript implementation, URI scheme, full CapsuleType conformance

Author: bradleygauthier

.github/ISSUE_TEMPLATE/new-implementation.md

@@ -23,7 +23,7 @@ Link to the repository (or note if it will be a PR to this repo).
 - [ ] `seal()` — hash + Ed25519 signature
 - [ ] `verify()` — recompute hash and verify signature
 - [ ] `from_dict()` — deserialize from dictionary/map
-- [ ] Pass all 15 golden test vectors from `conformance/fixtures.json`
+- [ ] Pass all 16 golden test vectors from `conformance/fixtures.json`
 - [ ] Chain verification (sequence + hash linkage)
 
 ## Crypto Libraries Used

.github/workflows/python-release.yaml

@@ -24,7 +24,7 @@ jobs:
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
-      - run: pip install -e ".[storage,dev]"
+      - run: pip install -e ".[storage,fastapi,dev]"
       - run: pytest tests/ -v --tb=short
       - run: pytest tests/test_golden_fixtures.py -v
 

.github/workflows/typescript-release.yaml

@@ -0,0 +1,75 @@
+name: TypeScript Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: read
+
+defaults:
+  run:
+    working-directory: reference/typescript
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: ["20", "22"]
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: npm ci
+      - run: npx vitest run
+
+  conformance:
+    name: Conformance
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "22"
+      - run: npm ci
+      - run: npx vitest run __tests__/conformance.test.ts
+
+  build:
+    name: Build Package
+    runs-on: ubuntu-latest
+    needs: [test, conformance]
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "22"
+          registry-url: "https://registry.npmjs.org"
+      - run: npm ci
+      - run: npx tsc
+
+  publish:
+    name: Publish to npm
+    runs-on: ubuntu-latest
+    needs: build
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "22"
+          registry-url: "https://registry.npmjs.org"
+      - run: npm ci
+      - run: npx tsc
+      - name: Extract version from tag
+        id: version
+        run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
+      - name: Set package version
+        run: npm version ${{ steps.version.outputs.VERSION }} --no-git-tag-version
+      - run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

CHANGELOG.md

@@ -9,6 +9,12 @@ Versioning follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+---
+
+## [1.2.0] - 2026-03-08
+
+Protocol-first restructure, TypeScript implementation, finalized URI scheme, and full CapsuleType conformance.
+
 ### Changed
 
 - **Protocol-first repository restructure** — the repo now presents as an open protocol specification, not a Python package:
@@ -21,11 +27,13 @@ Versioning follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ### Added
 
-- **`capsule://` URI scheme** — content-addressable references to Capsule records via their SHA3-256 hash. Spec at `spec/uri-scheme.md`. Supports hash references (`capsule://sha3_<hash>`), chain references (`capsule://chain/42`), ID references, and fragment syntax into the 6 sections.
-- **TypeScript reference implementation** — full CPS-conformant implementation at `reference/typescript/`: Capsule model with factories, canonical JSON serializer (CPS Section 2 with float-path handling), SHA3-256 hashing, Ed25519 seal/verify, and chain verification. Passes all 15 golden fixtures. 101 tests, 100% coverage (v8). Uses `@noble/hashes` ^2.0.1, `@noble/ed25519` ^3.0.0, vitest ^4.0.0, TypeScript ^5.9.0. Node.js >= 20.19.0.
+- **`capsule://` URI scheme (Active)** — content-addressable references to Capsule records via their SHA3-256 hash. Spec at `spec/uri-scheme.md`, finalized from Draft to Active. Supports hash references (`capsule://sha3_<hash>`), chain references (`capsule://chain/42`), ID references, and fragment syntax into the 6 sections. Includes URI conformance vectors at `conformance/uri-fixtures.json`.
+- **TypeScript reference implementation** — full CPS-conformant implementation at `reference/typescript/`: Capsule model with factories, canonical JSON serializer (CPS Section 2 with float-path handling), SHA3-256 hashing, Ed25519 seal/verify, and chain verification. Passes all 16 golden fixtures. 101 tests, 100% coverage (v8). Uses `@noble/hashes` ^2.0.1, `@noble/ed25519` ^3.0.0, vitest ^4.0.0, TypeScript ^5.9.0. Node.js >= 20.19.0.
 - **Implementor's Guide** (`docs/implementors-guide.md`) — step-by-step instructions for building a conformant CPS implementation in any language, with language-specific pitfalls for TypeScript, Go, and Rust.
 - **Why Capsules** (`docs/why-capsules.md`) — the case for cryptographic AI memory, aimed at decision-makers and architects.
-- **URI scheme security considerations** — `spec/uri-scheme.md` now includes: URI injection validation, resolution trust model, denial-of-service mitigations, fragment path traversal safety, no ambient authority principle.
+- **URI scheme security considerations** — `spec/uri-scheme.md` includes: URI injection validation, resolution trust model, denial-of-service mitigations, fragment path traversal safety, no ambient authority principle.
+- **URI conformance vectors** (`conformance/uri-fixtures.json`) — 10 valid and 11 invalid URI parsing test vectors for cross-language URI parser verification.
+- **`vault` golden fixture** — conformance suite now covers all 8 CapsuleTypes (16 total fixtures, up from 15). The `vault_secret` fixture tests secret rotation with policy-based authority.
 - **Protocol structure tests** (`reference/python/tests/test_protocol_structure.py`) — guards the protocol-first layout, spec completeness, conformance suite integrity, TypeScript type alignment with spec, markdown link resolution, CI configuration, and root-level file requirements.
 - **Dependabot for TypeScript** — npm dependency updates for `reference/typescript/`.
 
@@ -92,5 +100,6 @@ Initial public release of the Capsule Protocol Specification (CPS) v1.0 referenc
 
 ---
 
+[1.2.0]: https://github.com/quantumpipes/capsule/releases/tag/v1.2.0
 [1.1.0]: https://github.com/quantumpipes/capsule/releases/tag/v1.1.0
 [1.0.0]: https://github.com/quantumpipes/capsule/releases/tag/v1.0.0

CONTRIBUTING.md

@@ -46,7 +46,7 @@ We welcome reference implementations in new languages. To add one:
 
 1. Open a [new implementation issue](https://github.com/quantumpipes/capsule/issues/new?template=new-implementation.md)
 2. Create `reference/<language>/` with the implementation
-3. The implementation must pass all 15 golden test vectors in `conformance/fixtures.json`
+3. The implementation must pass all 16 golden test vectors in `conformance/fixtures.json`
 4. Include a README with installation, quickstart, and API overview
 
 A conformant implementation must provide:

README.md

@@ -8,7 +8,7 @@ Every AI action produces a Capsule — a tamper-evident, content-addressable rec
 
 [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![CPS](https://img.shields.io/badge/CPS-v1.0-orange.svg)](./spec/)
-[![Conformance](https://img.shields.io/badge/Conformance-15_vectors-brightgreen.svg)](./conformance/)
+[![Conformance](https://img.shields.io/badge/Conformance-16_vectors-brightgreen.svg)](./conformance/)
 [![FIPS](https://img.shields.io/badge/Crypto-FIPS_202%20·%20186--5%20·%20204-purple.svg)](#cryptographic-seal)
 [![Coverage](https://img.shields.io/badge/Coverage-100%25-brightgreen.svg)](./reference/python/)
 
@@ -58,7 +58,7 @@ Section 3 (Reasoning) records the AI's analysis, the options it considered, the
 Every Capsule is hashed and signed at the moment of creation. If anyone modifies the content after the fact, the hash changes, the signature fails, and the chain breaks. This is a property of every individual record, not the storage layer.
 
 **3. Cross-language interoperability.**
-The Capsule Protocol Specification defines byte-level serialization rules. A Capsule sealed in Python can be verified in TypeScript, Go, or Rust. All implementations produce identical canonical JSON for the same input, validated by 15 golden test vectors.
+The Capsule Protocol Specification defines byte-level serialization rules. A Capsule sealed in Python can be verified in TypeScript, Go, or Rust. All implementations produce identical canonical JSON for the same input, validated by 16 golden test vectors.
 
 ---
 
@@ -121,7 +121,7 @@ The **Capsule Protocol Specification (CPS)** defines the complete protocol:
 |---|---|
 | [CPS v1.0](./spec/) | Record structure, canonical serialization, sealing algorithm, hash chain rules |
 | [URI Scheme](./spec/uri-scheme.md) | `capsule://` content-addressable references |
-| [Conformance Suite](./conformance/) | 15 golden test vectors for cross-language verification |
+| [Conformance Suite](./conformance/) | 16 golden test vectors for cross-language verification |
 
 The specification is language-agnostic. Any implementation that passes the conformance suite can seal and verify Capsules produced by any other.
 
@@ -169,7 +169,7 @@ See more examples in [`examples/`](./examples/).
 | Language | Status | Install | Source |
 |---|---|---|---|
 | **Python** | v1.1.0 (stable) | `pip install qp-capsule` | [`reference/python/`](./reference/python/) |
-| **TypeScript** | v0.0.1 (conformant, 15/15 fixtures) | `npm install @quantumpipes/capsule` | [`reference/typescript/`](./reference/typescript/) |
+| **TypeScript** | v0.0.1 (conformant, 16/16 fixtures) | `npm install @quantumpipes/capsule` | [`reference/typescript/`](./reference/typescript/) |
 | Go | Separate repo (planned) | — | [quantumpipes/capsule-go](https://github.com/quantumpipes/capsule-go) |
 | Rust | Separate repo (planned) | — | [quantumpipes/capsule-rust](https://github.com/quantumpipes/capsule-rust) |
 

conformance/README.md

@@ -1,8 +1,8 @@
 # Conformance Test Suite
 
-**15 golden test vectors for cross-language interoperability.**
+**16 golden test vectors for cross-language interoperability.**
 
-Any implementation of the Capsule Protocol Specification (CPS) must produce byte-identical output for these test vectors. If your implementation passes all 15 fixtures, it can seal and verify Capsules interchangeably with every other conformant implementation.
+Any implementation of the Capsule Protocol Specification (CPS) must produce byte-identical output for these test vectors. If your implementation passes all 16 fixtures, it can seal and verify Capsules interchangeably with every other conformant implementation.
 
 ---
 
@@ -25,7 +25,7 @@ For every fixture:
 3. Compute SHA3-256 of the canonical JSON bytes (UTF-8 encoded)
 4. Compare the hash against `sha3_256_hash`
 
-If all 15 pass, your implementation is conformant.
+If all 16 pass, your implementation is conformant.
 
 ---
 
@@ -48,6 +48,7 @@ If all 15 pass, your implementation is conformant.
 | **chain_linked** | Second Capsule with previous_hash set |
 | **failure_with_error** | Failed tool call with error details |
 | **auth_escalated** | Auth-type with MFA escalation chain |
+| **vault_secret** | Vault-type with secret rotation and policy authority |
 
 ---
 
@@ -64,6 +65,40 @@ This regenerates `fixtures.json` from the reference implementation. The generato
 
 ---
 
+## URI Conformance Vectors
+
+The `uri-fixtures.json` file provides test vectors for `capsule://` URI parsing. Implementations that include a URI parser should validate against these vectors.
+
+Each entry in the `valid` array contains:
+
+| Field | Type | Description |
+|---|---|---|
+| `uri` | string | The `capsule://` URI to parse |
+| `expected` | object | The expected parse result with `scheme`, `chain`, `reference_type`, `hash_algorithm`, `hash_value`, `sequence`, `id`, and `fragment` |
+
+Each entry in the `invalid` array contains:
+
+| Field | Type | Description |
+|---|---|---|
+| `uri` | string | A malformed or invalid URI |
+| `reason` | string | Why this URI must be rejected |
+
+### URI conformance check
+
+For every valid fixture:
+
+1. Parse the URI
+2. Compare every field in the parse result against `expected`
+
+For every invalid fixture:
+
+1. Attempt to parse the URI
+2. Confirm the parser rejects it (returns an error or null)
+
+The URI spec is at [`spec/uri-scheme.md`](../spec/uri-scheme.md).
+
+---
+
 ## Adding New Fixtures
 
 New fixtures must be added through the [protocol change proposal](https://github.com/quantumpipes/capsule/issues/new?template=spec-change.md) process. Every new fixture must:

conformance/fixtures.json

@@ -2,7 +2,7 @@
   "version": "1.0",
   "specification": "Capsule Protocol Specification v1.0",
   "generated_by": "Python reference implementation (qp-capsule)",
-  "generated_at": "2026-03-07T18:11:36.964652+00:00",
+  "generated_at": "2026-03-08T15:09:35.637607+00:00",
   "description": "Golden test vectors for cross-language Capsule verification. Each fixture contains a capsule_dict, the expected canonical_json, and the expected sha3_256_hash. A conformant implementation must produce byte-identical canonical_json and matching hash for each fixture.",
   "fixtures": [
     {
@@ -1084,6 +1084,88 @@
       },
       "canonical_json": "{\"authority\":{\"approver\":\"admin@example.com\",\"chain\":[{\"level\":1,\"method\":\"password\",\"result\":\"passed\"},{\"level\":2,\"method\":\"totp\",\"result\":\"passed\"}],\"escalation_reason\":\"Admin action requires MFA\",\"policy_reference\":null,\"type\":\"escalated\"},\"context\":{\"agent_id\":\"\",\"environment\":{},\"session_id\":null},\"domain\":\"auth\",\"execution\":{\"duration_ms\":0,\"resources_used\":{},\"tool_calls\":[]},\"id\":\"c5d6e7f8-a9b0-1234-cdef-3456789abcde\",\"outcome\":{\"error\":null,\"metrics\":{},\"result\":null,\"side_effects\":[],\"status\":\"success\",\"summary\":\"MFA verified, admin access granted\"},\"parent_id\":null,\"previous_hash\":null,\"reasoning\":{\"analysis\":\"\",\"confidence\":0.0,\"model\":null,\"options\":[],\"options_considered\":[],\"prompt_hash\":null,\"reasoning\":\"\",\"selected_option\":\"\"},\"sequence\":0,\"trigger\":{\"correlation_id\":null,\"request\":\"MFA challenge for admin action\",\"source\":\"auth_service\",\"timestamp\":\"2026-01-15T12:00:00+00:00\",\"type\":\"system\",\"user_id\":\"admin@example.com\"},\"type\":\"auth\"}",
       "sha3_256_hash": "336e52623385149110d295881629e517f0ed16740410ac0ec308fced730d49fa"
+    },
+    {
+      "name": "vault_secret",
+      "description": "Vault-type capsule for secret storage/rotation. Tests CapsuleType.VAULT with tool call for secret rotation and policy-based authority.",
+      "capsule_dict": {
+        "id": "d6e7f8a9-b0c1-2345-defa-456789abcdef",
+        "type": "vault",
+        "domain": "secrets",
+        "parent_id": null,
+        "sequence": 0,
+        "previous_hash": null,
+        "trigger": {
+          "type": "scheduled",
+          "source": "secret_rotator",
+          "timestamp": "2026-01-15T12:00:00+00:00",
+          "request": "Rotate database credentials for production",
+          "correlation_id": null,
+          "user_id": null
+        },
+        "context": {
+          "agent_id": "vault-agent",
+          "session_id": null,
+          "environment": {
+            "vault_backend": "hashicorp",
+            "region": "us-east-1"
+          }
+        },
+        "reasoning": {
+          "analysis": "",
+          "options": [],
+          "options_considered": [],
+          "selected_option": "",
+          "reasoning": "",
+          "confidence": 0.0,
+          "model": null,
+          "prompt_hash": null
+        },
+        "authority": {
+          "type": "policy",
+          "approver": null,
+          "policy_reference": "POLICY-SECRET-ROTATION-90D",
+          "chain": [],
+          "escalation_reason": null
+        },
+        "execution": {
+          "tool_calls": [
+            {
+              "tool": "vault_rotate",
+              "arguments": {
+                "secret": "db/prod/credentials",
+                "ttl": "90d"
+              },
+              "result": {
+                "rotated": true,
+                "version": 7
+              },
+              "success": true,
+              "duration_ms": 320,
+              "error": null
+            }
+          ],
+          "duration_ms": 320,
+          "resources_used": {
+            "api_calls": 2
+          }
+        },
+        "outcome": {
+          "status": "success",
+          "result": {
+            "secret_path": "db/prod/credentials",
+            "new_version": 7
+          },
+          "summary": "Rotated database credentials, version 7",
+          "error": null,
+          "side_effects": [
+            "Old credentials revoked after 5m grace period"
+          ],
+          "metrics": {}
+        }
+      },
+      "canonical_json": "{\"authority\":{\"approver\":null,\"chain\":[],\"escalation_reason\":null,\"policy_reference\":\"POLICY-SECRET-ROTATION-90D\",\"type\":\"policy\"},\"context\":{\"agent_id\":\"vault-agent\",\"environment\":{\"region\":\"us-east-1\",\"vault_backend\":\"hashicorp\"},\"session_id\":null},\"domain\":\"secrets\",\"execution\":{\"duration_ms\":320,\"resources_used\":{\"api_calls\":2},\"tool_calls\":[{\"arguments\":{\"secret\":\"db/prod/credentials\",\"ttl\":\"90d\"},\"duration_ms\":320,\"error\":null,\"result\":{\"rotated\":true,\"version\":7},\"success\":true,\"tool\":\"vault_rotate\"}]},\"id\":\"d6e7f8a9-b0c1-2345-defa-456789abcdef\",\"outcome\":{\"error\":null,\"metrics\":{},\"result\":{\"new_version\":7,\"secret_path\":\"db/prod/credentials\"},\"side_effects\":[\"Old credentials revoked after 5m grace period\"],\"status\":\"success\",\"summary\":\"Rotated database credentials, version 7\"},\"parent_id\":null,\"previous_hash\":null,\"reasoning\":{\"analysis\":\"\",\"confidence\":0.0,\"model\":null,\"options\":[],\"options_considered\":[],\"prompt_hash\":null,\"reasoning\":\"\",\"selected_option\":\"\"},\"sequence\":0,\"trigger\":{\"correlation_id\":null,\"request\":\"Rotate database credentials for production\",\"source\":\"secret_rotator\",\"timestamp\":\"2026-01-15T12:00:00+00:00\",\"type\":\"scheduled\",\"user_id\":null},\"type\":\"vault\"}",
+      "sha3_256_hash": "af88f095652eefeb8b6aeaca64860ac4ffc0476f3f274157387dd633ab6c9396"
     }
   ]
 }