v0.6.3

Add X-VGI-Content-Encoding to CORS exposed headers.

Access-Control-Expose-Headers now includes X-VGI-Content-Encoding so browser clients can detect zstd-compressed responses cross-origin.

v0.6.2

Expose WWW-Authenticate and X-Request-ID in CORS headers.

Browsers cannot read non-safelisted response headers from cross-origin responses unless they appear in Access-Control-Expose-Headers. These headers are now always exposed when CORS is enabled:

• WWW-Authenticate — needed for OAuth discovery from 401 responses
• X-Request-ID — for client-side debugging

v0.6.1

Changes

• Exempt CORS preflight OPTIONS requests from authentication middleware — browsers do not send credentials on preflight, so auth rejection was blocking cross-origin access.

v0.6.0

v0.6.0 — Synchronized release

All three vgi-rpc implementations (Python, Go, TypeScript) are now at feature parity and share this version number.

What's in this release

• SHA-256 checksums for external storage pointer batches (vgi_rpc.location.sha256)
• Compute SHA-256 of raw IPC bytes on externalize, verify on resolve/fetch
• Backward compatible — absent checksum skips verification
• Default HTTP prefix changed from /vgi to "" (empty)
• 12 new SHA-256 tests (8 unit + 4 HTTP transport)
• 2,448 tests passing

Feature parity with Go and TypeScript

All three implementations now support: wire protocol v1, describe v3, unary/producer/exchange streams, HTTP server/client, bearer/JWT/mTLS/OAuth auth, OpenTelemetry, dispatch hooks, HTML pages, external storage with SHA-256, S3 and GCS backends.

v0.1.27

Changes

• Default HTTP prefix changed from /vgi to "" (root). Endpoints now live at the root by default (e.g. /bind, /init). Users who need a prefix can still pass --prefix /vgi.
• Client functions (http_connect, http_capabilities, etc.) now auto-detect prefix from _SyncTestClient.prefix when not explicitly passed.
• CI lint job now runs before tests for faster failure feedback.

v0.1.26

What's Changed

• Styled 401 Unauthorized and 404 error pages to match the landing page design (Inter/JetBrains Mono fonts, warm background, consistent branding)
• Added shared _ERROR_PAGE_STYLE for consistent styling across all error pages
• 401 pages now show the specific authentication error detail in a styled box
• Custom Falcon error serializer renders HTML for 401 responses

v0.1.25

What's Changed

• Support custom X-VGI-Accept-Encoding and X-VGI-Content-Encoding headers for zstd compression, to bypass proxies/CDNs that strip standard Content-Encoding headers

v0.1.24

What's Changed

• Improved OAuth validation errors: OAuthResourceMetadata validation errors now include the offending value for easier debugging
• JWT diagnostic logging: jwt_authenticate now logs expected vs actual claims (issuer, audience) when JWT validation fails, aiding troubleshooting of auth misconfiguration

v0.1.23

What's Changed

• Support multiple audiences in jwt_authenticate: The audience parameter now accepts str | tuple[str, ...], allowing tokens from either client_id or device_code_client_id (which may use different audiences) to be validated by a single authenticator. Uses Authlib's "values" key for native multi-audience support — no decode loop needed. Empty tuple raises ValueError eagerly.

v0.1.22

What's New

• Add device_code_client_id and device_code_client_secret to OAuth Resource Metadata for OAuth providers that require separate credentials for the device code grant flow