Aevum v0.7.0 — The Black Box for AI Agents

Summary

v0.7.0 implements the complete "black box for AI agents" architecture: a forensic recorder (FDR/VDR-equivalent), an operational analytics layer (QAR/FOQA-equivalent), and an automation handoff recorder (DSSAD-equivalent).

This release also delivers full ML-DSA-65 post-quantum signing, six adapter integrations (LangGraph, CrewAI, OpenAI Agents, Google ADK, Microsoft Agent Framework, SPIFFE/SVID), a Scalar API explorer, A2A ASGI audit middleware, MCP Docker Gateway, OPA full-barrier fallback, and ISO 42001 evidence mapping.

What's new

See CHANGELOG.md — [0.7.0] for the complete list of changes. Highlights by session:

  • Sessions 1A–1B — Black box receipt format layer (AevumReceipt + COSE_Sign1 signing path) and SCITT profile headers (AmbientContextReceipt, ADR-009 cross-chain reference architecture).
  • Session 2 — Three-tier SQLite WAL receipt store (hot/warm/cold tiers).
  • Sessions 3A–3B — OTel semconv migration (gen_ai.provider.name dual-emit); QAR/FOQA analytics layer (ExceedanceDetector, GatekeeperFilter, FOQABridge).
  • Sessions 5–6 — Scalar API explorer (API + Vite/React UI) in demo.
  • Sessions 7–9 — Google ADK, Microsoft Agent Framework, and SPIFFE adapter integrations; MCP Docker Gateway shim; A2A ASGI audit middleware.
  • Session 10 — OPA full-barrier fallback and Rego parity policies.
  • Session 11 — Integration guides, compliance corrections, ISO 42001 evidence map.
  • Sessions 12A–12B — zizmor GitHub Actions security scanner; ops monitoring workflows (smoke test, benchmark regression, license compliance).
  • Session 13 — ML-DSA-65 dual-signing hardening documentation; EAR §742.15 supplemental filed 2026-05-24.
  • Session 14 — Pre-release cleanup: SPDX headers (121 files), SHA pinning, version bump, liboqs-python>=0.14.0.

Known open items

V07-VAULT — VaultTransitSigner live integration test

The VaultTransitSigner implementation is complete (httpx calls, real sign/verify — confirmed in the gate report and Session 13). The live integration test against a real Vault dev server was deferred because it requires a local machine with Vault installed. This will be completed in v0.7.1.

Wording note: Do not describe VaultTransitSigner as "not yet implemented" — the implementation is present and functional.

Other open items

See KNOWN_UNKNOWNS.md in the repository root for the complete list, including the v0.7.0 Open Items carry-forward section.

Upgrading from v0.6.0

pip install --upgrade \
  aevum-core \
  aevum-publish \
  aevum-otel \
  aevum-cli \
  aevum-mcp \
  aevum-agent \
  aevum-server \
  aevum-store-oxigraph \
  aevum-store-postgres \
  aevum-conformance \
  aevum-spiffe

Breaking changes

None. All five public function signatures (ingest, query, review, commit, replay) and all OutputEnvelope mandatory fields are unchanged.

Dependency changes

  • liboqs-python lower bound raised from >=0.10.0 to >=0.14.0. If you use DualSigner (ML-DSA-65), upgrade liboqs-python and the native liboqs.so library. See docs/deployment/liboqs.md.

Infrastructure note

  • Live demo: https://demo.aevum.build
  • API: https://api.demo.aevum.build
  • The release workflow publishes all packages from the release environment using PyPI Trusted Publishing (OIDC — no API key required).