Agent surface changelog
Every change to endpoints, discovery files, certificate schemas, and SDKs that agents depend on. Categorized by kind so automated callers can gate on breaking changes.
Published /.well-known/agent.json (agent card) and /.well-known/ai-plugin.json.
Agent-grade client-side verifier shipped. WebCrypto Ed25519 verification with no server trust.
New /agents/sdk, /agents/mcp, /agents/errors, /agents/rate-limits, /agents/changelog pages.
POST /api/demo/decision now server-enforces label/detail length caps and control-char stripping. Verify response returns demo:true, signatureValid:false explicitly.
Shared sanitizeAgentInput() applied to /api/genesis/plan and /api/genesis/nova-schema prompt fields (length cap + control-char strip + injection-pattern reject).
Error strings capped before Scribe agent LLM call to mitigate indirect prompt injection via run errors.
Extended openapi.json to include sandbox generate, notary certify, agent identity routes, and decision demo.
Origin-locked verify_url in DatasetRunPanel, capped response field lengths, client-side engine/template allowlist.
Unified plan tier nomenclature to marketing names (Build+/Trust+/Govern+/Scale) across /agents and llms.txt.
Corrected stale agent endpoint paths and engine tier gating surfaced on /agents/datasets.
Scale plan ($999/mo) added to SubscriptionTier, accessMap, and agents docs.
Machine-readable
Agents that want to gate deployments on breaking changes should poll /agents/changelog.json. The feed carries the same entries plus a monotonically increasing version field.