§ changelog

What shipped, and when.

Newest first. Terse by design — if an entry isn't something a third-party integrator would care about, it's not here. Package versions link to npm / PyPI; the protocol repo at github.com/orangecheck/oc-protocol is the authoritative source for spec changes.

[2026-04-22] // 6 releases
  • Org landing, /changelog, CI conformance enforcement

    site ci
    • github.com/orangecheck now has a proper org landing page (.github/profile/README.md).
    • oc-protocol and oc-packages get descriptions + topics so they are discoverable.
    • New /changelog page — this one. Backfilled with the last two weeks of shipped work.
    • Cross-impl conformance job in oc-packages CI: diffs the vendored vector sets against oc-protocol/main and runs both TS + Python test suites. Drift = CI failure.
  • /protocol page deleted, GitHub links repointed, /contact reworked

    site
    • /protocol page (duplicated /docs/concepts with drift) removed. Canonical spec now lives only at github.com/orangecheck/oc-protocol.
    • Every `github.com/orangecheck/oc-web` link (private repo) replaced with the correct public target (org, oc-protocol, or oc-packages).
    • /contact rebuilt to match the rest of the site UI system — full container width, numbered section headers, bottom info strip.
    • Landing BottomCta copy updated now that /signin + /dashboard exist.
  • Gate Fastify + Hono adapters, Python SDK offline primitives

    @orangecheck/gate@0.1.3 orangecheck@0.1.2
    • Gate ships real ocGateFastify + ocGateHono adapters — README no longer advertises unshipped features.
    • Python SDK adds canonical.py: build_canonical_message, attestation_id, score_v0, format_identities, parse_identities. No more round-trip to ochk.io for core protocol primitives.
    • Python SDK now exercises the same 20 conformance vectors as the TS SDK. Cross-impl byte identity is proven, not claimed.
  • Conformance vectors v0 + SDK 0.1.4 happy-path tests

    @orangecheck/sdk@0.1.4 protocol
    • 20 normative test vectors published at github.com/orangecheck/oc-protocol/conformance.
    • Covers canonical message format, identities list sort/escape, attestation_id derivation, score_v0 exact outputs, extension canonicalization, and MUST-reject error cases.
    • SDK test count: 23 → 68 (security regressions + conformance + happy-path).
    • Starter examples added: Express, Next.js App Router, Hono (each ~25 LOC runnable).
  • Security audit fixes across all @orangecheck packages

    @orangecheck/sdk@0.1.3 @orangecheck/gate@0.1.2 @orangecheck/wallet-adapter@0.1.2 @orangecheck/relay-filter@0.1.2
    • SDK: Nostr identity verification now does real Schnorr + bech32 checks (was a no-op returning true). SSRF guards on github/dns identity verifiers. Identity-line smuggling (newline/CR/comma in identifier) rejected at the boundary.
    • Gate: address source warning when caller-supplied (header/cookie/query/body). Cache-key normalization (bc1Q… / bc1q… no longer distinct). 10-min TTL clamp. Hard lookup timeout. Fail-closed by default.
    • Wallet-adapter: tight Xverse detection (empty truthy no longer passes). Dropped UniSat silent BIP-322 → legacy fallback. Every returned signature shape-checked.
    • Relay-filter: critical shebang fix (Strfry plugin could not exec). Per-line try/catch so one bad event cannot kill the plugin. Event shape validated. Short-TTL cache on lookup errors (circuit breaker).
    • All consumers moved from file:../sdk to real ^0.1.x ranges. Published packages now resolve cleanly for npm install.
  • /signin + /dashboard + /api/auth/*

    site api
    • Sign in with a single BIP-322 signature → httpOnly session cookie. Supabase-backed account store.
    • Account dashboard: identity, editable profile (display_name + nostr npub), attestations, sign-out.
    • New /api/auth/signin, /api/auth/me, /api/auth/logout, /api/auth/account with specific reason codes ("sig_invalid", "expired", "nonce_mismatch", …) mapped to actionable UI copy.
    • Signin flow: quick-connect wallet buttons auto-fill the address, pre-sign check catches "wallet on a different account" before the signature fails.
[2026-04-20] // 1 release
  • Initial v0 release — protocol + SDK + site

    protocol @orangecheck/sdk@0.1.0 orangecheck@0.1.0
    • OrangeCheck Protocol v0 specification published.
    • Seven npm packages + Python SDK published.
    • ochk.io live with /create, /verify, /playground, /attest/discover, /airdrop, /docs.
§ protocol changes

Normative spec edits land first at oc-protocol/main with a commit message and are mirrored here.

§ package releases

Every package version is tagged at oc-packages/releases with auto-generated release notes.

§ site / api

Site + API changes are continuously delivered to ochk.io. Rough summaries are posted here weekly.