Changelog

June 2026

UnblockPay cross-border rails on codespar_crypto_pay — onramp + offramp + payout 2026-06-01

codespar_crypto_pay gains three new rails served by UnblockPay, covering the full cross-border lifecycle: onramp (fiat → USDC via Pix BRL / US wire / EUR SEPA — returns a hosted QR / wire instruction the agent surfaces to the payer), offramp (USDC → fiat on a pre-registered bank account), and stablecoin-payout (USDC → external wallet address for web3 recipients). Agents chain onramp + offramp in two calls to drive a complete cross-border purchase or export flow. The receive-flow default (stablecoin × USDC × INTL) still routes to Coinbase Commerce. See codespar_crypto_pay for the rail table + chained-call examples.

Breaking change — counterparty.country is required for direction: send on codespar_crypto_pay 2026-06-01

codespar_crypto_pay calls with direction: "send" must now include counterparty.country as an ISO 3166-1 alpha-2 string (e.g. "US", "BR", "MX"). Receive-direction flows (Coinbase Commerce charges, UnblockPay onramp QR generation) may omit it — the buyer is anonymous until they hit the hosted URL. The coercer rejects send-direction calls missing the field before any provider dispatch. This is the destination half of cross-border tracking; an operator_country (origin) field is planned for a follow-up so the platform can derive cross-border flag deterministically across send + receive. Update agents that previously omitted the country on direction: "send" calls.

May 2026

Chat-loop policy hooks now fire on every session.send() tool call 2026-05-23

The policy engine now evaluates every tool call dispatched from the chat-loop session.send() path, not just calls made through session.execute(). Rules tuned for direct-execute traffic — deny, approval-required, rate-limit, time-window — fire identically on chat-loop dispatches. If you have an approval-required rule on a tool the chat loop picks, expect rows in /dashboard/approvals after the next test run. See Chat-loop Governance for what changes and what to check before your next release.

Audit chain now captures chat-loop tool calls 2026-05-23

Every tool call the chat loop dispatches now writes a tool_call.succeeded or tool_call.failed event to the audit chain. Event names and shape are unchanged — existing SIEM-export rules and audit-page filters pick up the new events without changes. Audit-chain volume grows roughly in proportion to chat-loop tool-call volume per day. See Chat-loop Governance for the full ordering of the AgentGate hooks.

Commerce-memory predicates now fire on chat-loop tool calls 2026-05-23

When the chat loop dispatches a tool whose capture predicate matches (Asaas charges, Stone settlements, Melhor Envio fulfillments, KYC approvals), the runtime writes a commerce-memory row per successful call. The predicates themselves are unchanged; what's new is that chat-loop traffic reaches them. Check /dashboard/commerce-memory for entries you might attribute to a workflow that previously lived only on the direct-execute path. See Chat-loop Governance for details.

v0.9.0 — meta-tool router build-out + SSE streaming 2026-05-04

@codespar/sdk@0.9.0 + @codespar/types@0.7.0 + @codespar/api-types@0.4.0 + codespar (PyPI) 0.9.0 — meta-tool router shipped end-to-end. Eight new typed Session wrappers; two new auth types; SSE streaming for async settlement + verification.

Meta-tool typed wrappers — eight new methods on Session (TypeScript + Python parity, snake_case in Python):

• session.discover(query) — semantic + lexical tool search across the catalog (pgvector + pg_trgm). Composio-analog.
• session.connectionWizard(serverId) — connection wizard backend; agents discover what's connected and initiate flows.
• session.charge(args) — typed wrapper for codespar_charge (inbound, buyer pays merchant). Distinct from outbound pay.
• session.ship(args) — typed wrapper for codespar_ship (Melhor Envio rails: domestic-label / domestic-quote / domestic-track).
• session.paymentStatus(toolCallId) — polling endpoint for async settlement of charge / pay.
• session.paymentStatusStream(toolCallId, { onUpdate?, signal? }) — Server-Sent Events variant. Heartbeats every 15s; auto-closes 5s after terminal state.
• session.verificationStatus(toolCallId) — polling endpoint for async KYC settlement (codespar_kyc). Statuses: approved / rejected / review / expired / pending.
• session.verificationStatusStream(toolCallId, { onUpdate?, signal? }) — SSE variant.

The polling siblings (paymentStatus, verificationStatus) stay live for backward compat — additive change only.

Meta-tool catalog grew from 5 → 53 routing rails across 9 meta-tools:

• codespar_pay — outbound transfers
• codespar_charge (NEW) — inbound charges (Pix BRL: Asaas / Mercado Pago / iugu / Stone; card USD: Stripe)
• codespar_invoice — fiscal invoices. Default rail NFS-e (services); pass rail: "nfe" for products via NFe.io. Also nfci for CFDI MX (Facturapi) + Factura AR (AFIP).
• codespar_notify — messaging (whatsapp via Z-API / Twilio, sms via Twilio, email via SendGrid)
• codespar_ship (NEW) — shipping (Melhor Envio with 3 rails)
• codespar_crypto_pay (NEW) — crypto payments via Coinbase Commerce + Bitso
• codespar_kyc (NEW) — KYC via Persona / Sift / Konduto / Truora
• codespar_discover (NEW) — tool search meta-tool
• codespar_manage_connections (NEW) — connection wizard backend

Two new auth types — total 6 supported (api_key, path_secret, oauth, cert, hmac_signed, none):

• cert — mTLS with X.509 client certificate, for BR open-banking corporate APIs (Banco do Brasil pilot; Itaú, Santander, Bradesco, Caixa next batch).
• hmac_signed — per-request signature (timestamp + method + path + body) with shared key + secret pair. For Foxbit and crypto exchanges following that pattern.

Catalog scale (as of release):

• 109+ MCP servers published on npm
• 2,200+ individual tools
• 53 routing rails in META_TOOL_CATALOG
• 6 LATAM countries covered: BR, MX, AR, CO, CL, PE
• 9 verticals: payments, banking, crypto, communication, ecommerce, erp, fiscal, fraud, identity

@codespar/api-types@0.4.0 — added cert + hmac_signed to the auth_type enum (AuthTypeSchema) and cert to AuthSchemaFieldKindSchema. Web dashboard's Provider Connect modal now renders cert (file-upload) and hmac_signed (KEY/SECRET) flows directly.

@codespar/types@0.7.0 — new wire-contract types: DiscoverResult, ConnectionWizardResult, PaymentStatusResult, PaymentStatusStreamOptions, VerificationStatusResult, VerificationStatusStreamOptions, ChargeArgs / ChargeResult, ShipArgs / ShipResult.

Adapter peerDeps — framework adapters (@codespar/claude, @codespar/openai, @codespar/vercel, @codespar/mcp, @codespar/langchain, @codespar/google-genai, @codespar/mastra, @codespar/crewai, @codespar/autogen, @codespar/llama-index, @codespar/letta, @codespar/camel) remain on 0.3.0. They consume only the SessionBase surface; the new methods land additively on Session.

See the SDK reference for the full method-by-method shape and Auth concepts for the new auth types.

---

April 2026

v0.3.0 — API canonicalization + 2-level tenancy 2026-04-19

@codespar/sdk@0.3.0 — Breaking alignment with the canonical wire contract.

• codespar.create(userId, config) replaces codespar.sessions.create(config). userId is now a required first positional argument; credentials, audit logs, and billing scope to it.
• session.execute(toolName, params) replaces session.execute({ name, arguments }). Two positional arguments instead of a single object.
• session.send(message) and session.sendStream(message) take a natural-language string and run a Claude tool-use loop on the backend, returning SendResult / StreamEvent. The previous framing as fire-and-forget / streaming variants of execute is removed.
• session.mcp is a property { url, headers } instead of a method call.
• 2-level tenancy (Org → Project) shipped end-to-end: projectId on SessionConfig, x-codespar-project header support, Zod schema validation on client (/^prj_[A-Za-z0-9]{16}$/).
• Python package codespar@0.1.1+ on PyPI with matching surface (sync + async).

See Sessions and the SDK Reference for the full canonical shape.

v0.2.0 — SDK + 12 Adapters 2026-04-16

@codespar/sdk@0.2.0 — Major alignment with the api.codespar.dev backend contract.

• session.execute() now returns tool_call_id and called_at for audit
• session.loop() — Complete Loop orchestration with step callbacks and retry policies
• session.send() / session.sendStream() — natural language tool execution
• SessionConfig.preset — connect all servers for a country in one line
• SessionConfig.manageConnections — block until servers are connected

12 Provider Adapters — all published at v0.2.0:

57 MCP Servers — all published on npm under @codespar/mcp-*:

• 14 payments, 5 fiscal, 5 logistics, 5 messaging, 8 banking
• 8 ERP, 3 e-commerce, 4 crypto, 1 public data, 4 agentic protocols
• Coverage: Brazil (35+), Mexico (5), Argentina (5), Colombia (4)

Documentation 2026-04-17

• 12 provider docs pages with full agent loop examples
• 4 cookbooks: Pix Payment Agent, E-Commerce Checkout, Multi-Provider, Streaming Chat
• "How CodeSpar Works" architecture explainer
• Servers & Toolkits catalog (57 servers)
• Expanded API Reference: Sessions, Tools, Connections, Servers
• MCP Generator guide
• Debugging & observability guide
• Build Your Own Server guide
• llms.txt and llms-full.txt for AI assistant context
• Fumadocs callouts fix (46 callouts migrated to <Callout> components)
• Theme toggle (light/dark/system), GitHub link, Discord link, Dashboard CTA
• Fraunces display font for toolkits pages

---

March 2026

v0.1.0 — Initial Release 2026-03-31

• @codespar/sdk@0.1.0 — initial SDK with session management
• @codespar/claude, @codespar/openai, @codespar/vercel, @codespar/mcp — first 4 adapters
• 20 MCP servers (Brazil-focused)
• Basic docs: intro, quickstart, 4 provider pages, concepts, API reference