vaaraio · vaaraio · May 29, 2026 · May 29, 2026
@@ -28,6 +28,9 @@ application_*.pdf
 outbound_*.md
 site.py.live
 
+# CodeGraph index (local dev tool, not part of the repo)
+.codegraph/
+
 # Bench output (PAIR runs, dist-shift, vLLM logs). Reproducible by rerun.
 tests/adversarial/v031/
 .parachute/

@@ -6,6 +6,42 @@ and this project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.ht
 
 ## [Unreleased]
 
+## [0.43.0] - 2026-05-29
+
+**Theme: proxy pairing -- SEP-2787 request attestation and execution receipt emitted per tools/call.**
+
+### Added
+- `src/vaara/integrations/_mcp_attest.py`: `AttestPairEmitter`, the paired
+  SEP-2787 attestation and execution-receipt emitter for the MCP proxy. Each
+  allowed `tools/call` writes two JSON files to a configurable receipts
+  directory: `{counter}-{nonce[:8]}-attest.json` (request attestation) and
+  `{counter}-{nonce[:8]}-receipt.json` (execution receipt). The pair is
+  cryptographically linked: the receipt carries a `backLink` digest over the
+  full attestation wire bytes, so a verifier can confirm they belong together.
+- `--attest-signing-key PATH` and `--attest-receipts-dir DIR` flags on
+  `vaara-mcp-proxy`. Off by default. Key type is auto-detected: EC P-256 PEM
+  uses ES256, RSA PEM uses RS256, raw bytes file uses HS256. For ES256 and
+  RS256 a `pubkey.pem` is written to the receipts directory so external
+  verifiers need only the public key.
+- `serverFingerprint` in each attestation starts as a SHA-256 of the upstream
+  command string (`cmd:sha256:{hex}`) and upgrades to a SHA-256 of the
+  canonical JSON of the tools list (`manifest:sha256:{hex}`) on the first
+  `tools/list` response, binding the exact capability set the proxy presented
+  to the agent.
+- `X-Vaara-Intent` HTTP request header: operators can supply a richer intent
+  label per call. stdio transport falls back to the derived
+  `tools/call/{tool_name}` string.
+- `issuerAsserted.iss` is always `"vaara-mcp-proxy"`. `sub` is
+  `"{tenant_id}/{upstream_name}"` when a tenant is set, else
+  `"{upstream_name}"`. Reuses the SEP-2787 and receipt signing stack unchanged
+  (HS256 / ES256 / RS256, RFC 8785 JCS canonicalization): a verifier that
+  already checks SEP-2787 signatures needs no new crypto for the paired
+  receipts.
+- 17 tests in `tests/test_integrations_mcp_proxy_attest.py` covering pairing,
+  SEP-2787 signature verification, back-link integrity, manifest fingerprint
+  upgrade, intent override via ContextVar, errored-receipt pairing when the
+  upstream raises, and `AttestConfigError` handling.
+
 ## [0.42.0] - 2026-05-29
 
 **Theme: execution receipts, the post-execution sibling of SEP-2787.**

@@ -150,25 +150,6 @@ const r = await vaara.score({ tool_name: "tx.transfer", agent_id: "agent-007", b
 if (r.decision === "deny") throw new Error("blocked");
 ```
 
-## Policy modes
-
-Four preset operating points for the risk thresholds, shaped like CPU power profiles:
-
-- `eco` (escalate 0.40, deny 0.60). Tight deny threshold cuts agent loops short on borderline risk. Pair with regex-first gating to short-circuit before any model forward pass.
-- `balanced` (0.55, 0.85). Vaara's default behavior.
-- `performance` (0.70, 0.92). Looser thresholds let more through. For high-throughput pipelines where the deployer keeps tight action-class overrides on the few classes that matter.
-- `strict` (0.30, 0.55). Escalate-on-doubt. For incident response, audit prep, or production lockdown windows.
-
-Each mode emits a minimal valid Vaara policy document with `thresholds.default` set, ready for the deployer to fill in action classes, sequences, and escalation routes.
-
-```bash
-vaara mode list
-vaara mode show balanced
-vaara mode emit strict --format yaml --output policy.yaml
-```
-
-The emitted document round-trips through `vaara.policy.from_dict`, `from_json`, and `from_yaml` like any other policy artifact.
-
 ## MCP proxy (Vaara as a transparent governance layer)
 
 `vaara.integrations.mcp_proxy.VaaraMCPProxy` sits between an MCP client (Claude Code, Cursor, any MCP-capable host) and an upstream MCP server. Every `tools/call` from the client routes through Vaara's interception pipeline before reaching the upstream. Allowed calls forward transparently and report the upstream outcome back to the scorer. Blocked calls return an MCP `isError: true` response with the block reason. The initialization handshake and `notifications/*` forward unchanged. `tools/list`, `resources/list`, `resources/read`, `prompts/list`, and `prompts/get` route through the operator perimeter before reaching the client or upstream.
@@ -208,6 +189,8 @@ The proxy accepts repeatable `--allow-tool NAME` / `--deny-tool NAME`, `--allow-
 
 OVERT envelopes per governed interaction turn on with `--overt-signing-key`, `--overt-operator-key`, `--overt-receipts-dir`. Wire format and verifier covered in the [OVERT 1.0 attestation](#overt-10-attestation) section below. Long-running tools' `notifications/progress` and `notifications/message` route through the same audit pair and OVERT envelope, correlated to the originating call via `_meta.progressToken`.
 
+SEP-2787 request attestation paired with an execution receipt turns on with `--attest-signing-key PATH` and `--attest-receipts-dir DIR`. Each allowed `tools/call` writes a `{n}-attest.json` (pre-execution SEP-2787 envelope) and a `{n}-receipt.json` (post-execution outcome record with a `backLink` digest over the attestation). Key type is auto-detected from the file: EC P-256 PEM uses ES256, RSA PEM uses RS256, raw bytes uses HS256. An operator-supplied `X-Vaara-Intent` HTTP header overrides the derived `tools/call/{tool_name}` intent label. The `serverFingerprint` field in the attestation starts as a hash of the upstream command string and upgrades to a hash of the upstream's `tools/list` response on first use, binding the exact capability set the proxy presented. See [docs/execution-receipts.md](docs/execution-receipts.md) for the receipt format.
+
 Worked examples:
 
 - [`examples/github-mcp-proxy-demo/`](examples/github-mcp-proxy-demo/): Vaara in front of [`github/github-mcp-server`](https://github.com/github/github-mcp-server), 42 tools, hash-chained audit trail recorded end-to-end.

@@ -1,6 +1,6 @@
 {
   "name": "@vaara/client",
-  "version": "0.42.0",
+  "version": "0.43.0",
   "mcpName": "io.github.vaaraio/vaara",
   "description": "TypeScript client for the Vaara HTTP API. Conformal risk scoring, hash-chained audit, policy reload, named detectors.",
   "main": "dist/index.js",

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "vaara"
-version = "0.42.0"
+version = "0.43.0"
 description = "Adaptive AI Agent Execution Layer for risk scoring, audit trails, and regulatory compliance"
 requires-python = ">=3.10"
 license = "Apache-2.0"

@@ -8,13 +8,13 @@
     "url": "https://github.com/vaaraio/vaara",
     "source": "github"
   },
-  "version": "0.42.0",
+  "version": "0.43.0",
   "packages": [
     {
       "registryType": "pypi",
       "registryBaseUrl": "https://pypi.org",
       "identifier": "vaara",
-      "version": "0.42.0",
+      "version": "0.43.0",
       "runtimeHint": "uvx",
       "transport": {
         "type": "stdio"

@@ -8,13 +8,13 @@
     "url": "https://github.com/vaaraio/vaara",
     "source": "github"
   },
-  "version": "0.42.0",
+  "version": "0.43.0",
   "packages": [
     {
       "registryType": "pypi",
       "registryBaseUrl": "https://pypi.org",
       "identifier": "vaara",
-      "version": "0.42.0",
+      "version": "0.43.0",
       "runtimeHint": "uvx",
       "transport": {
         "type": "stdio"

@@ -6,7 +6,7 @@
 oversight.
 """
 
-__version__ = "0.42.0"
+__version__ = "0.43.0"
 
 from vaara.pipeline import InterceptionPipeline, InterceptionResult