chore(deps): update cmcp-runtime requirement from >=0.2.1 to >=0.3.0 #42

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/pip/cmcp-runtime-gte-0.3.0

dependabot bot commented on behalf of github Jul 4, 2026

Updates the requirements on cmcp-runtime to permit the latest version.

Release notes

Sourced from cmcp-runtime's releases.

v0.3.0

Security hardening release. Software-only (non-hardware-backed) claims now return partially_verified instead of verified (fail-closed); a real verification failure is never downgraded. An external-execution receipt whose linked_call_id does not match the entry is no longer reported signature-valid.

Changelog

Sourced from cmcp-runtime's changelog.

0.3.0 - 2026-06-30

Security

  • Software-only (non-hardware-backed) claims now return partially_verified instead of verified (fail-closed); a real verification failure is never downgraded.
  • An external-execution receipt whose linked_call_id does not match the entry is no longer reported signature-valid (short-circuits).

0.2.0 - 2026-06-12

Added

  • Bearer-token auth (Authorization: Bearer) wired into the live gateway server
  • Upstream MCP forwarding: AGT pre-call interception, JSON-RPC forward to the attested catalog server, response size guard, injection/credential/PII response scanning
  • Durable SQLite audit store (WAL mode, synchronous) with TEE-anchored hash chains and orphaned-session detection
  • POST /sessions/{id}/close issues the signed TRACE Trust Record and rotates the session
  • Cedar @annotation metadata returned as structured advice on deny decisions (HITL payloads)
  • cmcp-verify: one-command verification of claims and signed audit bundles, tamper-evident
  • Fail-closed hardware verifiers (TPM, SEV-SNP, TDX, OPAQUE): no attestation evidence means no verification
  • Dev-mode records carry platform: software-only, never tpm2 (requires agentrust-trace>=0.1.1)
  • Silent mode contract: operational logs quiet, audit evidence always recorded

0.1.0 - 2026-06-09

Added

  • Initial TEE gateway with provider support for TPM, SEV-SNP, TDX, and OPAQUE
  • Cedar policy enforcement for request authorization at the gateway layer
  • TRACE Claim generation using the GatewayClaim envelope from agentrust-trace
  • cmcp-verify standalone verifier for validating TRACE Claims offline
  • Audit chain with Ed25519 signing for tamper-evident log integrity

Commits

  • f37b54a chore(release): cmcp-runtime 0.3.0 (#367)
  • 0216ff5 fix(verify): fail closed on software-only and misbound external receipts (#366)
  • 50f5ee2 docs: correct brand name to AgenTrust (#365)
  • 246404b style: remove em dashes repo-wide (#363)
  • 04012bf docs: normalize OPAQUE casing in README config comment (#362)
  • 44a868d docs: standardize OPAQUE brand capitalization in prose (#361)
  • 39f0b37 fix(verify): TPM qualifying_data check uses the implemented key thumbprint (#...
  • 0d3c000 refactor(attestation): align nonce definition to the implemented thumbprint+s...
  • 1d1bf99 feat(experiments): hardware TEE attestation experiment runner (#357)
  • 2c3f594 test(claims): add CI coverage for claim 3 rug-pull and claim 4 nonce binding ...
  • Additional commits viewable in compare view

Updates the requirements on [cmcp-runtime](https://github.com/agentrust-io/cmcp) to permit the latest version.
- [Release notes](https://github.com/agentrust-io/cmcp/releases)
- [Changelog](https://github.com/agentrust-io/cmcp/blob/main/CHANGELOG.md)
- [Commits](agentrust-io/cmcp@v0.2.1...v0.3.0)

---
updated-dependencies:
- dependency-name: cmcp-runtime
  dependency-version: 0.3.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and python labels Jul 4, 2026
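
The fail-closed rules in the 0.3.0 security notes, sketched as an added example (not code from cmcp-runtime or from this PR): a software-only claim tops out at partially_verified, a failed check is never softened, and a receipt whose linked_call_id does not match its entry short-circuits before any signature result is reported. The `Claim`, `Receipt`, `claim_status`, `receipt_signature_valid` and `gate` names, the `failed` status string, the hardware platform labels other than `tpm2`, and the HMAC stand-in for the real signature are assumptions for illustration.

```python
# Added illustration; every name here is hypothetical, not the cmcp-runtime API.
import hashlib
import hmac
from dataclasses import dataclass

HARDWARE_PLATFORMS = {"tpm2", "sev-snp", "tdx", "opaque"}  # assumed labels


@dataclass(frozen=True)
class Claim:
    platform: str          # e.g. "software-only" or "tpm2"
    payload: bytes
    tag: bytes             # HMAC-SHA256 stand-in for the real signature
    has_evidence: bool     # attestation evidence accompanied the claim


@dataclass(frozen=True)
class Receipt:
    linked_call_id: str
    payload: bytes
    tag: bytes


def _tag_ok(key: bytes, payload: bytes, tag: bytes) -> bool:
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def claim_status(key: bytes, claim: Claim) -> str:
    # A failed check is final: it is never softened to partially_verified.
    if not _tag_ok(key, claim.payload, claim.tag):
        return "failed"
    if claim.platform in HARDWARE_PLATFORMS:
        # Hardware platform without evidence means no verification.
        return "verified" if claim.has_evidence else "failed"
    # Software-only (or unknown) platform: valid signature, no hardware root.
    return "partially_verified"


def receipt_signature_valid(key: bytes, entry_call_id: str, receipt: Receipt) -> bool:
    # Binding first: a misbound receipt is rejected before the signature
    # result is even considered, so it can never be reported signature-valid.
    if receipt.linked_call_id != entry_call_id:
        return False
    return _tag_ok(key, receipt.payload, receipt.tag)


def gate(status: str, allow_partial: bool = False) -> bool:
    # Caller-side policy: accept partial only when explicitly opted in.
    return status == "verified" or (allow_partial and status == "partially_verified")
```

Code that gates on `verified` alone will stop accepting software-only claims once 0.3.0 is installed, so callers running in dev mode need an explicit decision about `partially_verified` before this bump is merged.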