HumanAssisted
diff --git a/‎.github/workflows/rust.yml‎
Lines changed: 7 additions & 2 deletions b/‎.github/workflows/rust.yml‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎.github/workflows/static.yml‎
Lines changed: 7 additions & 1 deletion b/‎.github/workflows/static.yml‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 2 deletions b/‎.gitignore‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎A2A_QUICKSTART.md‎
Lines changed: 135 additions & 0 deletions b/‎A2A_QUICKSTART.md‎
Lines changed: 135 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 79 additions & 32 deletions b/‎CHANGELOG.md‎
Lines changed: 79 additions & 32 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 8 additions & 8 deletions b/‎Cargo.toml‎
Lines changed: 8 additions & 8 deletions
@@ -24,7 +24,12 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@v4 # Use v4
 
+    - name: Install Rust toolchain
+      uses: dtolnay/rust-toolchain@stable
+      with:
+        toolchain: '1.93'
+
     - name: Run jacs tests
       # Specify the working directory for the test command
-      working-directory: jacs 
-      run: cargo test --verbose
+      working-directory: jacs
+      run: cargo test --verbose --features cli
@@ -33,10 +33,16 @@ jobs:
         uses: actions/checkout@v4
       - name: Setup Pages
         uses: actions/configure-pages@v5
+      - name: Install mdbook
+        run: |
+          curl -L https://github.com/rust-lang/mdBook/releases/download/v0.4.37/mdbook-v0.4.37-x86_64-unknown-linux-gnu.tar.gz | tar xz
+          sudo mv mdbook /usr/local/bin/
+      - name: Build book
+        run: mdbook build jacs/docs/jacsbook
       - name: Upload artifact
         uses: actions/upload-pages-artifact@v3
         with:
-          path: './docs/jacsbook/book/'
+          path: './jacs/docs/jacsbook/book/'
       - name: Deploy to GitHub Pages
         id: deployment
         uses: actions/deploy-pages@v4
@@ -3,7 +3,7 @@
 debug/
 target/
 .idea
-
+jacs/documents/*
 # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
 # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
 Cargo.lock
@@ -13,8 +13,9 @@ Cargo.lock
 
 # MSVC Windows builds of rustc generate these, which store debugging information
 *.pdb
-
+.cursor
 grant.md
 scratch.md
 jacs.config.json
+!jacs/jacs.config.json
 .DS_Store
@@ -0,0 +1,135 @@
+# JACS A2A Quick Start Guide
+
+JACS extends Google's A2A (Agent-to-Agent) protocol with cryptographic document provenance.
+
+## What JACS Adds to A2A
+
+- **Document signatures** that persist with data (not just transport security)
+- **Post-quantum cryptography** for future-proof security  
+- **Chain of custody** tracking for multi-agent workflows
+- **Self-verifying artifacts** that work offline
+
+## Installation
+
+```bash
+# Rust
+cargo add jacs
+
+# Python
+pip install jacs
+
+# Node.js
+npm install jacsnpm
+```
+
+## Basic Usage
+
+### 1. Export Agent to A2A Format
+
+```python
+from jacs.a2a import JACSA2AIntegration
+
+a2a = JACSA2AIntegration("jacs.config.json")
+agent_card = a2a.export_agent_card({
+    "jacsId": "my-agent",
+    "jacsName": "My Agent",
+    "jacsServices": [{
+        "name": "Process Data",
+        "tools": [{
+            "url": "/api/process",
+            "function": {
+                "name": "process",
+                "description": "Process data"
+            }
+        }]
+    }]
+})
+```
+
+### 2. Wrap A2A Artifacts with Provenance
+
+```javascript
+const { JACSA2AIntegration } = require('jacsnpm');
+const a2a = new JACSA2AIntegration();
+
+// Wrap any A2A artifact
+const wrapped = a2a.wrapArtifactWithProvenance({
+    taskId: 'task-123',
+    operation: 'analyze',
+    data: { /* ... */ }
+}, 'task');
+```
+
+### 3. Verify Wrapped Artifacts
+
+```rust
+use jacs::a2a::provenance::verify_wrapped_artifact;
+
+let result = verify_wrapped_artifact(&agent, &wrapped_artifact)?;
+if result.valid {
+    println!("Verified by: {}", result.signer_id);
+}
+```
+
+### 4. Create Chain of Custody
+
+```python
+# Track multi-step workflows
+step1 = a2a.wrap_artifact_with_provenance(data1, "step")
+step2 = a2a.wrap_artifact_with_provenance(data2, "step", [step1])
+step3 = a2a.wrap_artifact_with_provenance(data3, "step", [step2])
+
+chain = a2a.create_chain_of_custody([step1, step2, step3])
+```
+
+## Well-Known Endpoints
+
+Serve these endpoints for A2A discovery:
+
+- `/.well-known/agent.json` - A2A Agent Card (JWS signed)
+- `/.well-known/jacs-agent.json` - JACS agent descriptor
+- `/.well-known/jacs-pubkey.json` - JACS public key
+
+## JACS Extension in Agent Cards
+
+```json
+{
+  "capabilities": {
+    "extensions": [{
+      "uri": "urn:hai.ai:jacs-provenance-v1",
+      "description": "JACS cryptographic document signing",
+      "params": {
+        "supportedAlgorithms": ["dilithium", "rsa", "ecdsa"],
+        "verificationEndpoint": "/jacs/verify"
+      }
+    }]
+  }
+}
+```
+
+## Examples
+
+- **Rust**: [jacs/examples/a2a_complete_example.rs](./jacs/examples/a2a_complete_example.rs)
+- **Python**: [jacspy/examples/fastmcp/a2a_agent_server.py](./jacspy/examples/fastmcp/a2a_agent_server.py)
+- **Node.js**: [jacsnpm/examples/a2a-agent-example.js](./jacsnpm/examples/a2a-agent-example.js)
+
+## Key Concepts
+
+1. **Dual Keys**: JACS generates two key pairs:
+   - Post-quantum (Dilithium) for document signatures
+   - Traditional (RSA/ECDSA) for A2A compatibility
+
+2. **Separation of Concerns**:
+   - A2A handles discovery and transport
+   - JACS handles document provenance
+
+3. **Zero Trust**: Every artifact is self-verifying with complete audit trail
+
+## Next Steps
+
+1. Set up JACS configuration with keys
+2. Export your agent as A2A Agent Card
+3. Implement verification endpoints
+4. Register with A2A discovery services
+
+See full documentation: [jacs/src/a2a/README.md](./jacs/src/a2a/README.md)
@@ -11,6 +11,7 @@
 . ai.pydantic.dev
 - secure storage of private key for shared server envs https://crates.io/crates/tss-esapi, https://docs.rs/cryptoki/latest/cryptoki/
 - qr code integration
+- https://github.com/sourcemeta/one
 
 ## 0.4.0
 - Domain integration
@@ -22,20 +23,49 @@
    - load document whatever storage config is
    - function test output metadata about current config and current agent
 
+- [] add more feature flags for modular integrations
+- [] a2a integration
+- [] acp integration
+
+
 ## jacs-mcp 0.1.0
 
  - [] use rmcp
  - [] auth or all features
  - [] integration test with client
  - [] https://github.com/modelcontextprotocol/specification/discussions
 
+### devrel
+- [] github actions builder for auto build/deploy of platform specific versions
+--------------------
 
+- [] cli install for brew
+- [] cli install via shell script
+- [] open license
+ - [] api for easier integratios data processing 
+
+ - [] clickhous demo
+ - [] test centralized logging output without file output 
+ 
 --------------------
 
 ## 0.3.7
 
-### devrel
-- [] github actions builder for auto build/deploy of platform specific versions
+### internals
+
+- [x] Updated A2A integration to protocol v0.4.0: rewrote AgentCard schema (protocolVersions array, supportedInterfaces, embedded JWS signatures, SecurityScheme enum, AgentSkill with id/tags), updated well-known path to agent-card.json, and aligned Rust, Python, and Node.js bindings with passing tests across all three.
+- [] remove in memory map if users don't request it. Refactor and DRY storage to prep for DB storage
+- [] test a2a across libraries
+- [] store in database
+- [] awareness of branch, merge, latest for documents. 
+
+### hai.ai
+
+- integration with 
+
+ 1. register
+ 2. 
+
 
 ### jacsnpm
 
@@ -59,11 +89,12 @@
       1. cli create agent 
       2. config jacspy to load each agent
  - [] github actions builder for linux varieties
+ - [] switch to uv from pip/etc
 
 ### JACS core
- - [] acp integration
+ 
  - [] brew installer, review installation instrucitons,  cli install instructions. a .sh command?
- - [] a2a integration
+ - [] more a2a tests
  - [] ensure if a user wants standard logging they can use that
 
 
@@ -78,33 +109,7 @@
  ### minor core
 - [] don't store  "jacs_private_key_password":  in config, don't display
 - [] minor feature - no_save = false should save document and still return json string instead of message on create document
-
---------------------
-
-## 0.3.6
-
-
-### devex
-
-- [] add more feature flags for modular integrations
-- [] a2a integration
-- [] acp integration
-- [] add updates to book
-- [] cli install for brew
-- [] cli install via shell script
-- [] open license
-- [] crew.ai
-- [] langchain
-
-### jacs
-
- - [] redesign api for easier bootstrapping
- - [] PKI choice (dkim, ke)
- - [] private key bootstrapping with vault, kerberos - filesystem
- - [] api for easier integratios data processing 
- - [x] add observability to configuration
-
- - [] test centralized logging output without file output 
+ - [] default to dnssec if domain is present - or WARN
 
 ### jacsmcp
 
@@ -115,14 +120,56 @@
 - [] refactor api
 - [] publish to pipy 
 - [] tracing and logging integration tests
-- [] switch to uv from pip/etc
+
 
 ### jacsnpm
 
 - [] publish to npm
 - [] tracing and logging integration tests
 
 
+==== 
+## 0.3.6
+
+### Security
+
+- **[CRITICAL] Fixed key derivation**: Changed from single SHA-256 hash to proper PBKDF2-HMAC-SHA256 with 100,000 iterations for deriving encryption keys from passwords. The previous single-hash approach was vulnerable to brute-force attacks.
+
+- **[CRITICAL] Fixed crypto panic handling**: Replaced `.expect()` with proper `.map_err()` error handling in AES-GCM encryption/decryption. Crypto failures now return proper errors instead of panicking, which could cause denial of service.
+
+- **[HIGH] Fixed foreign signature verification**: The `verify_wrapped_artifact` function now properly returns `Unverified` status for foreign agent signatures when the public key is not available, rather than incorrectly indicating signatures were verified. Added `VerificationStatus` enum to explicitly distinguish between `Verified`, `SelfSigned`, `Unverified`, and `Invalid` states.
+
+- **[HIGH] Fixed parent signature verification**: The `verify_parent_signatures` function now actually verifies parent signatures recursively. Previously it always returned true regardless of verification status.
+
+- Added `serial_test` for test isolation to prevent environment variable conflicts between tests.
+
+- Added `regenerate_test_keys.rs` utility example for re-encrypting test fixtures with the new KDF.
+
+- **[MEDIUM] Fixed jacsnpm global singleton**: Refactored from global `lazy_static!` mutex to `JacsAgent` NAPI class pattern. Multiple agents can now be used concurrently in the same Node.js process. Legacy functions preserved for backwards compatibility but marked deprecated.
+
+- **[MEDIUM] Fixed jacspy global singleton**: Refactored from global `lazy_static!` mutex to `JacsAgent` PyO3 class pattern. Multiple agents can now be used concurrently in the same Python process. The `Arc<Mutex<Agent>>` pattern ensures thread-safety and works with Python's GIL as well as future free-threading (Python 3.13+). Legacy functions preserved for backwards compatibility.
+
+- **[MEDIUM] Added secure file permissions**: Private keys now get 0600 permissions (owner read/write only) and key directories get 0700 (owner rwx only) on Unix systems. This prevents other users on shared systems from reading private keys.
+
+### devex
+- [x] add updates to book
+- [x] add observability demo
+
+### jacs
+ - [x] a2a integration
+- [x] clean up observability
+   - Observability: added feature-gated backends (`otlp-logs`, `otlp-metrics`, `otlp-tracing`) and optional `observability-convenience`. Default build is minimal (stderr/file logs only), no tokio/OpenTelemetry; clear runtime errors if a requested backend isn’t compiled. Docs now include a feature matrix and compile recipes. Tests updated and all pass with features.
+
+ - [x] dns verification of pubic key hash
+      - DNS: implemented fingerprint-in-DNS (TXT under `_v1.agent.jacs.<domain>.`), CLI emitters for BIND/Route53/Azure/Cloudflare, DNSSEC validation with non-strict fallback, and config flags (`jacs_agent_domain`, `jacs_dns_validate`, `jacs_dns_strict`, `jacs_dns_required`). Added CLI flags `--require-dns`, `--require-strict-dns`, `--ignore-dns`, and `--no-dns` (alias preserved). Improved error messages, updated docs, and added policy/encoding tests.
+
+ 
+ - [x] scaffold private key bootstrapping with vault, kerberos - filesystem
+
+
+
+
+
 --------------------
 
 ## 0.3.5
 
@@ -1,19 +1,19 @@
 [workspace]
 members = [
-    "jacs",   
-    "jacsnpm",       
-     # "mcp-server",      
-    "jacspy"          
+    "jacs",
+    "jacsnpm",
+    "jacspy",
+    "jacs-mcp",
+    "jacsgo/lib"
 ]
 resolver = "3"
-rust-version = "1.85"
-
 
+[workspace.package]
+rust-version = "1.93"
 readme = "README.md"
 authors = ["HAI.AI <engineering@hai.io>"]
 license-file = "LICENSE"
 homepage = "https://humanassisted.github.io/JACS"
 repository = "https://github.com/HumanAssisted/JACS"
 keywords = ["cryptography", "json", "ai", "data", "ml-ops"]
-categories = ["cryptography", "text-processing", "data-structures" ]
-build = "build.rs"
+categories = ["cryptography", "text-processing", "data-structures"]