0.7.3

Added

• act-build push <wasm> <ref> — publish a WASM component as a CNCF
  Wasm OCI Artifact. The manifest carries an
  application/vnd.wasm.config.v0+json config blob (with
  architecture, os, layerDigests, and component.{exports, imports} derived from the component's exports/imports) per the
  CNCF TAG-Runtime Wasm OCI Artifact spec,
  and the layer is application/wasm. Replaces inline oras push
  shell blocks in component justfiles.

  Flags: --also-tag, --annotation key=value, --source,
  --description, --skip-if-identical (matching-content skip /
  drift error), --skip-if-exists (unconditional skip for
  non-reproducible builds), --dry-run. Output ends with an
  oras-compatible Digest: sha256:... line so existing scripts that
  grep for it keep working.

  Auth resolution: OCI_USERNAME/OCI_PASSWORD env →
  GITHUB_TOKEN for ghcr.io → ~/.docker/config.json
  (DOCKER_CONFIG honored) → anonymous.

Changed

• act (host): resolve_oci now validates that the OCI layer media
  type is application/wasm. Empty/legacy media types log a
  warning; anything else is rejected.

0.7.2

Added

• act call --session-args '{...}'. When set, the host opens a
  session against the component before the call (open-session(args, metadata)), injects the returned id as std:session-id metadata
  for the tool call, prints the result, and closes the session
  before exit. The whole open / call / close cycle runs in one
  process, so the wasm instance stays alive for the full sequence.
  This makes session-aware components (bridges, stateful components)
  usable as ordinary one-shot CLI invocations:

  act call ghcr.io/actpkg/openapi-bridge:0.2.0 find_pets_by_status \
    --args '{"status":"sold"}' \
    --session-args '{"spec_url":"https://petstore3.swagger.io/api/v3/openapi.json"}' \
    --http-policy open

  If the component doesn't export act:sessions/session-provider,
  using --session-args is a clear error rather than a silent no-op.

0.7.1

Removed

• act session open and act session close CLI subcommands. They
  inherently can't deliver the primary use case for sessions
  (component-side ephemeral state) — each invocation is a one-shot
  process whose wasm instance dies on exit, so a session opened in
  one act session open is unusable from a subsequent act call.
  For real session work, use act run --http or act run --mcp,
  where the host process holds the wasm instance and the session
  lives as long as the host. act session open-args-schema stays
  — it's a useful smoke test that doesn't depend on persistent state.

0.7.0

Adds first-class support for act:sessions/session-provider. Stateful
components (database connections, browser automation, REPLs, the new
act-http-bridge / mcp-bridge / openapi-bridge) can now expose
typed open-session args, and agents address per-session state via
std:session-id metadata.

Added

• act session open-args-schema | open | close CLI subcommands.
• ACT-HTTP /sessions/open-args-schema, POST /sessions, and
  DELETE /sessions/{id} endpoints (per ACT-SESSIONS §6.2). Mapped
  to std:session-not-found → 404 via the bumped act-types.
• MCP transport: synthetic open_session / close_session tools
  in tools/list for components that export session-provider, with
  _meta.std:session-op annotations (per ACT-SESSIONS §6.1).
• MCP _meta.std:session-id (and any other request-level meta keys)
  is now forwarded into the WIT call metadata so components see the
  agent's session-id.
• Host runtime tracks open session-ids per actor and auto-closes
  them on shutdown (ACT-SESSIONS §2.5).
• tests/fixtures/sessions-canary.wasm — hand-rolled canary
  exercising session-provider for host-side integration tests.

Changed

• Bumped act-types 0.5 → 0.7. Drops the inline session HTTP wire
  types from src/http.rs in favour of the canonical
  act_types::http::OpenSessionRequest / OpenSessionResponse.

0.6.0

Breaking — WIT package layout

• World now imports act:tools/tool-provider@0.1.0 instead of
  act:core/tool-provider@0.3.0. Components built against the old WIT
  will not load — rebuild with act-sdk 0.6.x (Rust) or act-sdk-py
  0.2.x.
• call-tool takes flat (name, arguments, metadata) instead of a
  tool-call record.
• Error replaces ToolError (the type lives in act:core/types now
  and is shared by non-tool providers).

Added

• -v / -vv verbosity flag — opt-in plumbing logs (default level
  demoted to info).

Changed

• MCP transport rewritten on rmcp 1.5: hand-rolled src/mcp.rs
  replaced with a thin ActRmcpBridge over the official Anthropic
  crate. Tool discovery, calls, content mapping, and error mapping
  go through rmcp::model types. Includes a stdio round-trip
  integration test.
• act info text output restyled with terminal colors (yellow
  component name, dimmed version, cyan tool names, green annotations).
  Output evaporates to plain text when stdout isn't a TTY or
  NO_COLOR is set. Tool parameters show (optional) markers; the
  Option<T> wrapper is stripped from rendered types.

Removed

• The --schema flag on act info, the /metadata-schema HTTP
  route, the metadata_schema field on act info JSON output, and
  the rmcp bridge's metadata-schema fetch/inject path. The WIT
  function is gone in act:tools@0.1.0; a discovery mechanism is
  planned for a future minor version.

Fixed

• act info --tools --format text now extracts the real inner type
  from schemars' Option<T> JSON Schema instead of rendering the
  union.

0.5.1

Fixed

• --fs-allow now implicitly grants traversal of ancestor directories
  on the path to any allowed target. WASI's path-resolver stats every
  intermediate directory when opening nested files; without this, users
  had to list each parent explicitly (--fs-allow /tmp --fs-allow "$DB/**" just to reach a file under $DB). An allow entry for
  /tmp/work/db.sqlite now implicitly permits /tmp/work and /tmp
  for directory traversal — sibling files in those directories remain
  denied.

0.5.0

Added

• Runtime policy (Layer 1) for outgoing HTTP and filesystem access. Declarative allow / deny / open modes, configured via ~/.config/act/config.toml or CLI flags (--fs-allow, --fs-deny, --http-allow, --http-deny, --fs-policy, --http-policy). Filesystem gates every path op through a glob matcher with a virtual-root preopen (Unix: /; Windows: one /c, /d, … per accessible drive). HTTP gates each request by host / scheme / method / port / CIDR and filters DNS-resolved IPs against both deny- and allow-CIDR rules via a reqwest DNS resolver hook. Per-hop redirect policy re-checks each target URL.
• Enforcing capability declarations. Components' [std.capabilities.*] entries in act.toml are now a ceiling the host applies to the user's policy — missing declaration or declared-but-empty allow is a hard deny regardless of user config. [std.capabilities."wasi:filesystem"].allow takes {path, mode} entries with mode = "ro" / "rw". [std.capabilities."wasi:http"].allow takes {host, scheme?, methods?, ports?}. Wildcards: host = "*" (any host), path = "**" (any path). act-build pack validates declarations at pack time.
• reqwest-backed HTTP client replacing wasmtime-wasi-http's default_send_request. Outgoing wasi:http requests route through a per-component ActHttpClient. Negotiates HTTP/2 via ALPN; HTTP/3 compiles in (--cfg reqwest_unstable) but stays dormant pending alt-svc cache warmup. SSE-friendly defaults: HTTP/2 keep-alive pings every 30s, TCP keep-alive, 10-minute idle-pool timeout.
• Windows long-path support via an embedded application manifest.
• READMEs ship with the act and act-build release packages.

Changed

• Metadata key renamed [act-component] → [act] across Cargo.toml / pyproject.toml / package.json. Components must update the one-line key.
• act-types bumped to 0.5 — required for the new FilesystemAllow / HttpAllow / FsMode types.
• Deny-CIDR denials surface as DnsError instead of ConnectionRefused by walking the reqwest error chain. Policy-denied requests are attributable to DNS rather than a refused socket.
• p3 wasi:filesystem/preopens is shadowed when fs policy is anything other than open. Returns zero preopens; p3 guests can't obtain a Descriptor::Dir and every path op fails at the default impl. Per-op gating for p3 filesystem awaits upstream wasmtime-wasi API changes.

Removed

• Advisory warn_missing_capabilities helper — undeclared capability classes now hard-deny at policy check time, which is a stronger signal than a startup warning.

Fixed

• fs.deny entries no longer silently ignored — unused rules now emit a warning at startup.

0.4.0

Changed

• Upgrade to act:core@0.3.0. Host runtime dispatches on the new tool-result variant: streaming(stream<tool-event>) uses the existing pipe-to-consumer path; immediate(list<tool-event>) pushes events directly into the consumer without stream machinery.
• Rename StreamEvent → ToolEvent throughout the runtime, HTTP, MCP, and CLI code paths.
• Remove the hardcoded 30s stream-consumption timeout; cancellation is now driven by the protocol (dropping the stream reader) or runtime-level interruption (epoch/fuel).
• Bump act-types to 0.4 and wasmparser / wasm-encoder to 0.247.

Added

• --version flag on act and act-build binaries.

Fixed

• publish CI steps are now idempotent and safe to re-run.

0.3.10

Fixed

• npm packages now preserve executable permissions on binaries (fixes silent failure when running npx @actcore/act on CI)
• npm shims (bin/act, bin/act-build) ensure executable permission before spawning the binary as a fallback

Changed

• npm release pipeline packs .tgz archives before upload to preserve file permissions across artifact transfer
• Per-crate SBOM attestation in release workflow

0.3.9

Fixed

• npm packages now preserve executable permissions on binaries (fixes silent failure when running npx @actcore/act on CI)
• npm shims (bin/act, bin/act-build) ensure executable permission before spawning the binary as a fallback

Changed

• npm release pipeline packs .tgz archives before upload to preserve file permissions across artifact transfer
• Per-crate SBOM attestation in release workflow