v0.1.21

What's Changed

• Add use_id_token_as_bearer boolean field to OAuth Resource Metadata (OAuthResourceMetadata, OAuthResourceMetadataResponse, WWW-Authenticate header)
• Add parse_use_id_token_as_bearer() helper for extracting the flag from WWW-Authenticate headers

When use_id_token_as_bearer=True, clients are told to use the OIDC id_token as the Bearer token instead of the access_token. This is a custom extension (not defined in RFC 9728) following the same pattern as client_id and client_secret.

v0.1.20

What's Changed

• Add client_secret to OAuth Resource Metadata (OAuthResourceMetadata, OAuthResourceMetadataResponse, WWW-Authenticate header)
• Add parse_client_secret() helper for extracting client_secret from WWW-Authenticate headers
• Reduce .well-known/oauth-protected-resource cache max-age from 3600s to 60s

Google requires client_secret in OAuth resource metadata even when using PKCE. The client_secret follows the same pattern as client_id — it appears in the well-known JSON document, the WWW-Authenticate challenge header, and is discoverable via http_oauth_metadata().

v0.1.19

What's New

• OAuth client_id support: Added optional client_id field to OAuthResourceMetadata and OAuthResourceMetadataResponse as a custom RFC 9728 extension for MCP compatibility
  • Serialized in /.well-known/oauth-protected-resource JSON and WWW-Authenticate headers on 401 responses
  • New parse_client_id() helper to extract client_id from WWW-Authenticate headers
  • URL-safe character validation on client_id values

v0.1.18

What's Changed

• Bearer token authentication — bearer_authenticate, bearer_authenticate_static, and chain_authenticate factories for composing HTTP auth callbacks
• Mutual TLS (mTLS) authentication — client certificate auth via proxy-forwarded headers:
  • mtls_authenticate — generic factory with custom certificate validation
  • mtls_authenticate_fingerprint — certificate fingerprint lookup
  • mtls_authenticate_subject — Subject CN extraction with optional allowlist
  • mtls_authenticate_xfcc — Envoy x-forwarded-client-cert header parsing (no extra deps)
• New vgi-rpc[mtls] optional dependency (cryptography) for PEM-based factories
• Documentation for mTLS authentication with proxy configuration examples (nginx, AWS ALB, Envoy)

v0.1.17

What's Changed

• Add GitHub artifact attestations and PyPI attestations to publish workflow
• Skip README runnable examples on Windows CI (subprocess transport unreliable)
• Consumers can verify build provenance with gh attestation verify

v0.1.15

What's Changed

• Add cast-compatible exchange conformance tests verifying server-side RecordBatch.cast() for compatible schema mismatches (int32/int64/float32 → float64) and rejection of incompatible column names

v0.1.14

Changes

• Cast compatible Arrow types in stream input schemas (e.g., decimal→double, int32→int64) instead of rejecting mismatches outright

v0.1.13

Fix

• Fix Windows CI logging warnings (ValueError: I/O operation on closed file) during interpreter shutdown by guarding logging calls in SubprocessTransport.close() and WorkerPool.close() with a _stderr_open() check.

v0.1.12

• Add --describe flag to run_server() for introspection support
• Ship conformance pytest suite in package (vgi_rpc.conformance._pytest_suite)
• Fix conftest HTTP server launch with --http flag

v0.1.11

Changes

• Move zero-column exchange test from test_rpc.py to the conformance suite (test_conformance.py) so it runs across all transports (pipe, subprocess, HTTP)
• Add exchange_zero_columns method to ConformanceService protocol and implementation
• Add ZeroColumnExchangeState to conformance types