v4.2.2 adds the governance & observability layer on top of the v4.1.0 Web7-L6 AAA baseline. Four new modules give every agent declarative guardrails, structured execution telemetry, deterministic replay from trace, and a multi-agent scenario sandbox. All zero-dep, tree-shakeable, and additive — no breaking changes.
New modules (4)
| Module | Subpath | Purpose |
| policy | @hyperbridge/forge/policy | Declarative rule engine for agent guardrails — allow/deny/require predicates, scoped to principals, intents, and tools. |
| trace | @hyperbridge/forge/trace | Structured execution telemetry with PoO linkage. Every agent call emits a span tree referenceable from the AIG. |
| replay | @hyperbridge/forge/replay | Deterministic re-execution of an agent run from a captured trace. Useful for regression tests and incident review. |
| simulator | @hyperbridge/forge/simulator | Sandboxed multi-agent scenario runner. Compose principals, agents, and tools; assert outcomes. |
Numbers
- Framework line count: 104,685 → 106,300+.
- Modules: 61 → 75.
- APIs: 1,280+.
- Dependencies: still 0.
- Web7-L6 AAA conformance: still 30/30 in ~8 ms.
Registry & Infrastructure
v4.2.2 ships the private npm registry alongside the governance modules. Guild members install packages directly from registry.hbforge.dev with a single .npmrc line.
| Component | Detail |
| Registry endpoint | https://registry.hbforge.dev — private npm registry, guild-token gated |
| Infrastructure | Cloudflare Workers (edge handler) · D1 SQLite (package metadata) · R2 (tarball storage) |
| Client setup | @hyperbridge:registry=https://registry.hbforge.dev in .npmrc |
| Session tokens | HMAC-signed, hbfadm_ prefix, 8 hr expiry — no DB lookup on every request |
| Rate limiting | 120 req / min / IP · auth-fail lockout after 10 consecutive failures (5 min cool-down) |
| Security | Request sanitisation, security headers on all responses |
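A stateless token of the kind the Session tokens row describes can be checked with one HMAC computation and no database read. The sketch below is an added example, not the registry's code: the claim layout and the issueToken / verifyToken names are assumptions; only the hbfadm_ prefix and the 8 hr expiry come from the table.

```javascript
// Added example: stateless HMAC session token. Token layout is an assumption,
// not the registry's real format.
const { createHmac, timingSafeEqual } = require('node:crypto');

const PREFIX = 'hbfadm_';
const TTL_MS = 8 * 60 * 60 * 1000; // 8 hr expiry, as stated in the table

const b64u = (buf) => Buffer.from(buf).toString('base64url');
const sign = (key, data) => createHmac('sha256', key).update(data).digest();

// Token = prefix + base64url(JSON claims) + "." + base64url(HMAC-SHA-256(prefix + claims))
function issueToken(key, subject, now = Date.now()) {
  const claims = b64u(JSON.stringify({ sub: subject, exp: now + TTL_MS }));
  return `${PREFIX}${claims}.${b64u(sign(key, PREFIX + claims))}`;
}

function verifyToken(key, token, now = Date.now()) {
  if (typeof token !== 'string' || !token.startsWith(PREFIX)) {
    return { ok: false, reason: 'prefix' };
  }
  const parts = token.slice(PREFIX.length).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'format' };
  const [claims, mac] = parts;
  const expected = sign(key, PREFIX + claims);
  const given = Buffer.from(mac, 'base64url');
  // Authenticate before parsing. Length is checked first because
  // timingSafeEqual throws when the two buffers differ in length.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'signature' };
  }
  const { sub, exp } = JSON.parse(Buffer.from(claims, 'base64url').toString('utf8'));
  if (typeof exp !== 'number' || now >= exp) return { ok: false, reason: 'expired' };
  return { ok: true, sub };
}
```

Because nothing is looked up per request, a token built this way stays valid until exp unless the signing key is rotated or a separate revocation list is consulted.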
Admin console
Available at registry.hbforge.dev/-/admin/ui. Seven views:
| View | Purpose |
| Dashboard | Live stats: total packages, installs, active tokens |
| Tokens | Issue and revoke guild tokens per developer |
| RBAC | T0 admin+publish · T1 read+install · T2 read-only |
| CRM | Developer pipeline: lead → applicant → active → alumni |
| Packages | Version list and tarball metadata per package |
| Audit Log | Every install / publish / auth event, timestamped |
| Website | Banner messages, maintenance mode, site settings |
Stats
Extends forge/settlement with a first-class dispute-arbitration workflow and a unified settlement-history view. Arbitration lives inside the same zero-dep module; no new packages required.
Added
DisputeArbitration — full raise → review → resolve lifecycle: raise(), assignArbitrator(), addEvidence(), issueRuling(), resolve(), escalate(), withdraw(). SLA deadline tracking with overdue(). Linked escrow auto-action on resolution (release / forfeit / partial release by outcome type).
DISPUTE_STATES — ordered state enum: raised → under_review → pending_resolution → resolved → escalated → withdrawn.
DISPUTE_OUTCOMES — five canonical outcomes with descriptions: full_refund, full_release, partial_refund, mediated_split, escalated_to_dao.
SettlementHistory — paginated unified view across all four rails plus disputes. page(opts) supports per-page, rail filter, state filter, and date range. summary() for aggregate totals by rail.
SettlementManager — now auto-instantiates disputes and history; stats() includes dispute counts (total, open, resolved, overdue).
Numbers
- Modules: 61
- Lines: 104,685
- Dependencies: 0 (unchanged)
Three focused additions to forge/realtime: heartbeat-driven presence management, zero-loss CRDT conflict auditing, and a pure operational-transform helper for collaborative editing.
Added
PresenceHeartbeat — wraps PresenceMap with a setInterval-based auto-prune timer. heartbeat(clientId, data) refreshes a client's timestamp on each keepalive ping.
CRDTConflictLog — append-only conflict recorder for any CRDT merge. record(type, key, local, remote, resolution) + drain() for zero-loss conflict auditing.
transformOp(op1, op2) — pure operational-transform helper covering all four insert/delete × insert/delete cases with correct tie-breaking. Returns adjusted op2 or null when op2 becomes a no-op after op1.
Numbers
- Modules: 49
- Lines: 101,530
- Dependencies: 0 (unchanged)
The framework now covers the full Web7 Layer 6 primitive set end-to-end: identity & delegation (AMP), accountable inference (AIG), outcome proofs (PoO), settlement rails, agent memory scopes, consent ledger, C2PA-style provenance manifests, ZK-ML multi-attestor claims, skill & reputation registry, revocation, and negotiation. The new conformance suite grades the framework AAA with 30 of 30 checks passing in ~8 ms across 12 categories, with zero runtime dependencies.
New modules (5)
| Module | Subpath | Purpose | Lines |
| memory | @hyperbridge/forge/memory | Scoped agent memory (task → session → principal → global) with fall-through reads, TTL sweep, trigram search, and snapshot/restore. | 267 |
| consent | @hyperbridge/forge/consent | Hash-chained, tamper-evident consent ledger with GDPR-aligned purposes, grant/revoke/amend verbs, isPermitted() checks, and daily Merkle roots. | 234 |
| provenance | @hyperbridge/forge/provenance | C2PA 2.0 style manifests (c2pa.* + w7.* assertions), signed assertion boxes, parent linkage, selective disclosure, buildInferenceManifest() helper. | 230 |
| zkml | @hyperbridge/forge/zkml | ZK-ML multi-attestor MVP: M-of-N threshold HMAC attestations over (model, inputHash, outputHash) tuples, with a swappable registerProofBackend() hook for SNARK backends. | 201 |
| conformance | @hyperbridge/forge/conformance | Web7-L6 conformance suite v1.0.0. 30 tests across 12 categories, grade AAA / AA / A / B / C / FAIL, pretty formatReport() renderer. | 319 |
AMP verbs — negotiate & revoke
- amp.negotiate({ principal, counterparty, intent, terms }) — opens a negotiation session with counter() / accept() / reject() state transitions, each one auditable via getNegotiation(id).
- amp.revoke({ from, target, cause, effective }) — writes a REVOCATION node into the AIG and exposes isRevoked(id), getRevocation(id), and listRevocations().
- The existing amp.discover() skill-registry verb is unchanged and continues to resolve advertised agent capabilities.
AIG node types
- Expanded prime.NODE_TYPES from {PRINCIPAL, AGENT, MODEL, OUTCOME, POLICY, AUDIT} to also include INFERENCE, INTENT, DELEGATION, REVOCATION, ATTESTATION. MODEL is retained — models and inferences are separate concepts per the Web7 L6 spec.
- getAuditChain() now returns inferences and revocations arrays alongside the existing outcome/audit streams.
Conformance baseline
| Category | Tests | Pass | Category | Tests | Pass |
| identity | 4 | 4 / 4 | provenance | 2 | 2 / 2 |
| amp | 6 | 6 / 6 | zkml | 2 | 2 / 2 |
| aig | 2 | 2 / 2 | memory | 3 | 3 / 3 |
| poo | 2 | 2 / 2 | reputation | 2 | 2 / 2 |
| settlement | 3 | 3 / 3 | revocation | 1 | 1 / 1 |
| consent | 2 | 2 / 2 | negotiation | 1 | 1 / 1 |
| Total: 30 / 30 passing · Grade AAA · ~8 ms · 12 categories · 0 deps |
Behaviour
- Public API of every pre-existing module is unchanged. No breaking changes. The five new modules are purely additive and tree-shakeable (sideEffects: false).
- Each new module ships a companion .mjs wrapper and is reachable at its own subpath export, plus a typed root re-export from @hyperbridge/forge.
- The zkml module is intentionally an HMAC MVP today — the registerProofBackend() hook lets you drop in a SNARK/STARK attestor later without changing callers.
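One way to check an M-of-N threshold over a (model, inputHash, outputHash) tuple, as an added example rather than forge/zkml's own code; encodeClaim, attest, verifyThreshold and the key map are hypothetical names. It counts each attestor once, and it shows the limit of an HMAC scheme: the verifier holds every attestor key, so it could produce the same tags itself.

```javascript
// Added example: M-of-N HMAC attestation check. Names and encoding are
// assumptions, not the forge/zkml API.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Length-prefixed encoding so ("aa","bb") and ("a","abb") never serialise
// to the same bytes.
function encodeClaim({ model, inputHash, outputHash }) {
  return Buffer.concat([model, inputHash, outputHash].map((s) => {
    const body = Buffer.from(String(s), 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(body.length);
    return Buffer.concat([len, body]);
  }));
}

// An attestor's tag: HMAC-SHA-256 over the encoded tuple, hex-encoded.
const attest = (key, claim) =>
  createHmac('sha256', key).update(encodeClaim(claim)).digest('hex');

// attestorKeys: Map<attestorId, key>; attestations: [{ attestor, tag }]
function verifyThreshold(claim, attestations, attestorKeys, m) {
  const valid = new Set(); // a Set, so a repeated attestor counts once
  for (const { attestor, tag } of attestations) {
    const key = attestorKeys.get(attestor);
    if (!key || typeof tag !== 'string') continue; // unknown attestor or bad input
    const expected = Buffer.from(attest(key, claim), 'hex');
    const given = Buffer.from(tag, 'hex');
    if (given.length === expected.length && timingSafeEqual(given, expected)) {
      valid.add(attestor);
    }
  }
  return { ok: valid.size >= m, valid: [...valid].sort() };
}
```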
Numbers
- Framework line count: 94,653 → 105,356 (+10,703).
- Module count: 22 → 27.
- API surface: 1,200+ → 1,260+.
- Runtime deps: 0 (unchanged).
- Dev deps: 0 (unchanged).
Added
_internal/ shared utilities — single source of truth for crypto, byte-level encoding, and timing primitives previously duplicated across 6–8 modules each.
| File | Exports | Was duplicated in |
| _internal/crypto.js | hmacSha256, sha256, timingSafeEqual, randomBytes, randomId, hex/base64 codec | auth, prime, mail, wasm, pwa |
| _internal/binary.js | encodeUtf8, decodeUtf8, LEB128 varints, concatBytes, C-string read/write | wasm, pdf, schema, client, search |
| _internal/time.js | now, nowNs, parseDuration, formatDuration, sleep, withTimeout | prime, wasm, server, ai, notify, cli |
- New ./_internal + ./_internal/{crypto,binary,time} subpath exports in package.json. Underscore prefix marks these as advisory APIs (stable signatures, improving internals).
- Runtime strategy: Node uses node:crypto / process.hrtime; browser uses crypto.subtle (async) and performance.now; sync browser callers get a clear error pointing at the *Async variants.
Behaviour
- Module APIs unchanged — source-level consolidation only. Migration of each module to _internal/* is incremental; each swap deletes 30–80 lines of duplicated primitives without touching the public surface.
- Bundlers de-duplicate across the tree. A tree-shaken build importing auth + mail no longer ships two copies of HMAC-SHA-256.
Notes
- Public API: unchanged. Internal-only refactor. No breaking change for apps on @hyperbridge/forge.
- Framework line count: 94,211 → 94,653 (+442 for shared primitives).
Added
- Browser-condition exports for 5 server-only modules. Browser bundlers (Webpack, Vite, Rollup, esbuild with platform: "browser") pick a ~1.4 KB throwing stub instead of the full Node implementation:
| Module | Node size | Browser stub | Saved |
| forge/server | 379 KB | 1.4 KB | 378 KB |
| forge/mail | 223 KB | 1.4 KB | 222 KB |
| forge/pdf | 200 KB | 1.4 KB | 199 KB |
| forge/cli | 102 KB | 1.4 KB | 100 KB |
| forge/test | 100 KB | 1.4 KB | 98 KB |
| Total saved | | | ~1 MB |
build/gen-browser-stubs.js — generator writing a Proxy-based throwing stub per module. No enumerable properties (bundlers don't walk a name list). First property access at runtime throws a clear "server-only module" error.
Behaviour
- Existing Node code unchanged — require('@hyperbridge/forge/mail') still resolves to the full implementation.
- Browser builds (Next.js client chunks, SvelteKit, Remix, etc.) resolve to the stub automatically — no app code changes required.
- Isomorphic modules unaffected: auth, schema, client, data, form, animate, chart, search, notify, i18n, pwa, ai, 3d, prime, display, wasm.
Notes
- First phase that actually shrinks browser bundles. Phases 1–3 built the contract; Phase 4 starts spending it.
Added
- Deep per-export subpath imports for the three largest modules (client, server, animate — together ~31,000 lines). Every top-level export is reachable at its own subpath:
import { signal } from "@hyperbridge/forge/client/signal";
import { useEffect } from "@hyperbridge/forge/client/useEffect";
import { Router } from "@hyperbridge/forge/server/Router";
import { Tween } from "@hyperbridge/forge/animate/Tween";
- build/gen-deep.js — generator that walks CJS exports of the target modules and writes a thin leaf file per export. Handles case-collisions on case-insensitive filesystems (macOS/Windows default) by preferring PascalCase. Garbage-collects stale leaves on each run.
- Wildcard subpath exports in package.json for ./client/*, ./server/*, ./animate/* with both import and default conditions (so require.resolve() works too).
- 371 leaf files generated — 177 client + 116 server + 78 animate. 7 exports per module deferred due to case-collisions.
Behaviour
- Reference identity preserved across deep, wide, and CJS paths: deep.signal === wide.signal === require('.../client').signal. Apps mixing import styles still get the same object.
- Bundlers honouring package-exports wildcards (Rollup, Vite, esbuild, Webpack 5+, Parcel 2+) now have per-API resolution.
Fixed
build/gen-esm.js now understands the conditional-export object shape introduced in Phase 2.
Notes
- Not yet a bundle-size win. Deep-path resolution lets the bundler see a single named import, but every leaf still imports from the parent index.mjs, which drags in the monolithic CJS. Phase 4 / Phase 5 extract real implementation code behind these leaf paths.
Added
- Dual CJS / ESM publishing via conditional exports. Every module now has a companion index.mjs. Modern bundlers pick the ESM wrapper automatically:
"./client": {
"import": "./client/index.mjs",
"require": "./client/index.js",
"types": "./client/index.d.ts"
}
- build/gen-esm.js — deterministic generator that creates .mjs wrappers from each module's CJS exports. Zero runtime cost, zero deps.
- 1,257 lines of wrappers across 22 modules, 1,400+ named exports total.
- "module": "./index.mjs" and "./package.json" subpath export for ecosystem tooling (Vite, Vitest, Bundlephobia).
Behaviour
- Code using require('@hyperbridge/forge/client') — unchanged.
- Code using import { signal } from '@hyperbridge/forge/client' now resolves to the ESM wrapper and becomes statically analyzable by the bundler.
- Reference identity preserved across CJS and ESM paths (wrapper re-exports references, not copies).
Notes
- No source-code rewrites required. Wrappers are thin shims; all logic stays in the existing CJS index.js.
- Unlocks the build-tool contract that Phase 3 exploits.
Added
"sideEffects": false in package.json. Tells modern bundlers (Rollup, esbuild, Webpack 5+, Vite, Parcel) that every module re-export is pure. Enables aggressive dead-code elimination on unused APIs without any code rewrite.
CHANGELOG.md — this file.
Notes
- Immediate bundle-size impact: ~12–18% reduction on tree-shaking-capable bundlers for apps that import from the root.
- Subpath imports unchanged. No public-API changes. No migration required.
- First of five planned bundle-size phases. Targeting ~85 KB tree-shaken for a typical SPA by end of Phase 5.
Added
- forge/prime — Web7 bridge: DID identity, AMP routing, Proof-of-Outcome, Vigil audit trail, BYOA agents, Kynetra Prime gateway. 3,016 lines, 32+ APIs.
- forge/display — Canvas 2D, DOM, layout, color, CSS variables, typography, SVG, theme management. 1,944 lines, 60+ APIs.
- forge/wasm — Universal WASM loader for KYRx (L1) and ClearScript (L5): memory manager, WASI-lite, worker pool, host imports (web7/prime, vigil, auth, amp), hot-reload, type bridge. 1,481 lines, 20+ APIs.
- 79 missing APIs backfilled across 14 existing modules: queue, cron, cluster, health, isr, edge, action, errors, route (server); provide, inject, boundary, virtualList, infiniteScroll, island, noSSR, keys, font, analyze, split, reactive (client); token, middleware, session, provider (auth); and more.
- 100 Problems page — documented React/Node/Next pain points with before/after solutions.
Changed
- Framework grew from 83,154 → 94,211 lines.
- Module count: 19 → 22.
- API count: 1,060+ → 1,200+.
- WebGL2-based 3D rendering: geometry, PBR materials, lights, cameras, post-fx.
- LLM clients, streaming, tool use, embeddings, RAG pipeline. Drop-in for LangChain/OpenAI-SDK workflows.
- Service worker inline injection, offline-first routing, installable-app manifest helpers.
- 19 modules, 83,154 lines, 1,060+ APIs. Adds forge/3d, forge/ai, forge/pwa, forge/schema, forge/prime.
- Full-text search with BM25 ranking, fuzzy matching, and faceted filtering. No Elasticsearch dependency.
- Added forge/pdf, forge/search, forge/chart, forge/mail, forge/test, forge/cli, forge/i18n. Framework grew from 7,957 → 16,250 lines.
- 7,957 lines across 8 core modules: client, server, auth, data, form, animate, notify, schema.
- Proved the concept: build a real framework without npm.