---
title: Changelog
description: Release history for the CodeSpar SDK, adapters, and MCP servers.
---

# Changelog

## July 2026

### `codespar_checkout` is live on the Pix rail `2026-07-03`

The sell-side checkout meta-tool now executes end to end. Pass `items[]` and the meta-tool lowers them to an inbound charge, routed on the **pix** rail with provider failover. The response carries a hosted payment page (`charge_url`) plus `pix_copy_paste`, so the shopper can pay from a link or straight from the copia-e-cola string. See [codespar_checkout](/docs/concepts/meta-tools/checkout).

### Hosted remote MCP productized `2026-07-03`

One URL now serves any remote MCP client: **`https://connect.codespar.dev/mcp`** (Streamable HTTP). Authenticate with a `csk_` bearer key or OAuth 2.1, with RFC 9728 protected-resource discovery served per host. Claude Code setup is one line:

```bash
claude mcp add --transport http codespar https://connect.codespar.dev/mcp --header "Authorization: Bearer <key>"
```

See the [MCP adapter docs](/docs/providers/mcp) for the full remote setup.

## June 2026

### Multi-slot consumer wallet in production `2026-06-25`

One wallet per consumer, with per-currency slots (BRL + USDC) minted from a single mandate signature. There is no FX inside the wallet: each slot is its own spend authority in its own currency. Shipped surface: `GET /v1/consumers/:id/wallet`, slot-to-slot transfer with onramp and offramp legs, and mandate-gated spend against each slot. See [codespar_wallet](/docs/concepts/meta-tools/wallet).

### `@codespar/sdk` 0.10 is the current line `2026-06`

The SDK moved to the **0.10** line. Typed `Session` wrappers expanded to cover the newer meta-tools, including `session.issue(args)` and `session.ledger(args)`, and the framework adapters now track `^0.10`. If you are pinned to `^0.9.0`, bump the pin; the 0.9 surface carries over additively.

### MCP Generator — dashboard wizard + OpenAPI & GitHub source modes `2026-06-09`

The MCP Generator is now a point-and-click flow in the dashboard at **Develop › Generate** — no install required. Scan your API three ways (paste source, an **OpenAPI 3.x** spec, or a **GitHub repo**), pick the endpoints to expose, review the generated server, then **onboard** and **activate** it. Activated servers become a project-scoped rail in the router (`gen_<project>_<slug>`), so agent calls to your own API run through the same policy engine, credential vault, and audit chain as Pix and NF-e — isolated from other projects. The CLI and library still emit standalone server code; the wizard is the path that makes a server routable. See [MCP Generator](/docs/mcp-generator).

### New meta-tools: `codespar_ledger` + `codespar_issue` `2026-06-05`

Two new meta-tools (with typed SDK wrappers) join the catalog. **`codespar_ledger`** is a double-entry ledger backed by the tenant's self-hosted Lerian Midaz — post journal entries, read balances, create accounts. It is your *books*, distinct from the rails that move real money. **`codespar_issue`** issues and controls payment cards via our card-issuing partner (virtual / physical, freeze / unfreeze / cancel) — the agent-spend-card primitive. Both are wrapped by `session.ledger(args)` and `session.issue(args)`. See [codespar_ledger](/docs/concepts/meta-tools/ledger) and [codespar_issue](/docs/concepts/meta-tools/issue).

### LATAM catalog expansion + new auth engines `2026-06-05`

The provider catalog grew past 60 rails across BR, MX, AR, CO, CL, and PE. **`codespar_pay`** now spans 28 providers — including **nine Brazilian banks connected direct over mTLS** (Banco do Brasil, Itaú, Bradesco, Santander, Caixa, Sicoob, Sicredi, C6, Original) for Pix straight from the account — and **`codespar_charge`** spans 17 (Getnet, PagSeguro, Rede, Clip, Kushki, Izipay, Niubiz, Bold, ePayco, Payway, PicPay, Nequi, and more). A new auth engine landed alongside them: **`two_header`** (two co-equal credential headers, no Bearer — Cielo, Transbank, Kushki, Payway). See [codespar_pay](/docs/concepts/meta-tools/pay), [codespar_charge](/docs/concepts/meta-tools/charge), and [authentication](/docs/concepts/authentication).

### `codespar_checkout` and `codespar_shop` — the two sides of checkout `2026-06-04`

Two meta-tools cover the two sides of a purchase. **`codespar_checkout`** is the sell-side primitive: as a merchant, create and process a checkout for a shopper to pay you (cart, pricing, tax, payment), routing to Stripe ACP, Asaas, or x402 by payment method. **`codespar_shop`** is the buy-side primitive: the agent acts as the shopper, searching a store and buying — a cart engine resolves product and price with adapters for VTEX, Mercado Livre, and a hosted browser-worker (for sites without a programmatic API), minting the store's real Pix to settle via `codespar_pay`. See [codespar_checkout](/docs/concepts/meta-tools/checkout) and [codespar_shop](/docs/concepts/meta-tools/shop).

### Cross-border rails on `codespar_crypto_pay` — onramp + offramp + payout `2026-06-01`

`codespar_crypto_pay` gains three new rails served by our BRL↔USDC on/offramp partner, covering the full cross-border lifecycle: `onramp` (fiat → USDC via Pix BRL / US wire / EUR SEPA — returns a hosted QR / wire instruction the agent surfaces to the payer), `offramp` (USDC → fiat on a pre-registered bank account), and `stablecoin-payout` (USDC → external wallet address for web3 recipients). Agents chain onramp + offramp in two calls to drive a complete cross-border purchase or export flow. The receive-flow default (`stablecoin` × USDC × INTL) still routes to Coinbase Commerce. See [codespar_crypto_pay](/docs/concepts/meta-tools/crypto-pay) for the rail table + chained-call examples.

### Breaking change — `counterparty.country` is required for `direction: send` on `codespar_crypto_pay` `2026-06-01`

`codespar_crypto_pay` calls with `direction: "send"` must now include `counterparty.country` as an ISO 3166-1 alpha-2 string (e.g. `"US"`, `"BR"`, `"MX"`). Receive-direction flows (Coinbase Commerce charges, onramp QR generation) may omit it — the buyer is anonymous until they hit the hosted URL. The coercer rejects send-direction calls missing the field before any provider dispatch. This is the destination half of cross-border tracking; an `operator_country` (origin) field is planned for a follow-up so the platform can derive cross-border flag deterministically across send + receive. Update agents that previously omitted the country on `direction: "send"` calls.

## May 2026

### Chat-loop policy hooks now fire on every `session.send()` tool call `2026-05-23`

The policy engine now evaluates every tool call dispatched from the chat-loop `session.send()` path, not just calls made through `session.execute()`. Rules tuned for direct-execute traffic — `deny`, `approval-required`, rate-limit, time-window — fire identically on chat-loop dispatches. If you have an `approval-required` rule on a tool the chat loop picks, expect rows in `/dashboard/approvals` after the next test run. See [Chat-loop Governance](/docs/concepts/chat-loop-governance) for what changes and what to check before your next release.

### Audit chain now captures chat-loop tool calls `2026-05-23`

Every tool call the chat loop dispatches now writes a `tool_call.succeeded` or `tool_call.failed` event to the audit chain. Event names and shape are unchanged — existing SIEM-export rules and audit-page filters pick up the new events without changes. Audit-chain volume grows roughly in proportion to chat-loop tool-call volume per day. See [Chat-loop Governance](/docs/concepts/chat-loop-governance) for the full ordering of the AgentGate hooks.

### Commerce-memory predicates now fire on chat-loop tool calls `2026-05-23`

When the chat loop dispatches a tool whose capture predicate matches (Asaas charges, Stone settlements, Melhor Envio fulfillments, KYC approvals), the runtime writes a commerce-memory row per successful call. The predicates themselves are unchanged; what's new is that chat-loop traffic reaches them. Check `/dashboard/commerce-memory` for entries you might attribute to a workflow that previously lived only on the direct-execute path. See [Chat-loop Governance](/docs/concepts/chat-loop-governance) for details.

### v0.9.0 — meta-tool router build-out + SSE streaming `2026-05-04`

**@codespar/sdk@0.9.0** + **@codespar/types@0.7.0** + **@codespar/api-types@0.4.0** + **codespar (PyPI) 0.9.0** — meta-tool router shipped end-to-end. Eight new typed `Session` wrappers; two new auth types; SSE streaming for async settlement + verification.

**Meta-tool typed wrappers** — eight new methods on `Session` (TypeScript + Python parity, snake_case in Python):
- `session.discover(query)` — semantic + lexical tool search across the catalog (pgvector + pg_trgm). Composio-analog.
- `session.connectionWizard(serverId)` — connection wizard backend; agents discover what's connected and initiate flows.
- `session.charge(args)` — typed wrapper for `codespar_charge` (inbound, buyer pays merchant). Distinct from outbound `pay`.
- `session.ship(args)` — typed wrapper for `codespar_ship` (Melhor Envio rails: domestic-label / domestic-quote / domestic-track).
- `session.paymentStatus(toolCallId)` — polling endpoint for async settlement of `charge` / `pay`.
- `session.paymentStatusStream(toolCallId, { onUpdate?, signal? })` — Server-Sent Events variant. Heartbeats every 15s; auto-closes 5s after terminal state.
- `session.verificationStatus(toolCallId)` — polling endpoint for async KYC settlement (`codespar_kyc`). Statuses: approved / rejected / review / expired / pending.
- `session.verificationStatusStream(toolCallId, { onUpdate?, signal? })` — SSE variant.

The polling siblings (`paymentStatus`, `verificationStatus`) stay live for backward compat — additive change only.

**Meta-tool catalog** grew from 5 → 53 routing rails across 9 meta-tools:
- `codespar_pay` — outbound transfers
- `codespar_charge` (NEW) — inbound charges (Pix BRL: Asaas / Mercado Pago / iugu / Stone; card USD: Stripe)
- `codespar_invoice` — fiscal invoices. Default rail **NFS-e** (services); pass `rail: "nfe"` for products. Also `nfci` for CFDI MX (Facturapi) + Factura AR (AFIP).
- `codespar_notify` — messaging (whatsapp via Z-API / Twilio, sms via Twilio, email via SendGrid)
- `codespar_ship` (NEW) — shipping (Melhor Envio with 3 rails)
- `codespar_crypto_pay` (NEW) — crypto payments via Coinbase Commerce + Bitso
- `codespar_kyc` (NEW) — KYC via Persona / Sift / Konduto / Truora
- `codespar_discover` (NEW) — tool search meta-tool
- `codespar_manage_connections` (NEW) — connection wizard backend

**Two new auth types** — total 6 supported (api_key, path_secret, oauth, **cert**, **hmac_signed**, none):
- `cert` — mTLS with X.509 client certificate, for BR open-banking corporate APIs (Banco do Brasil pilot; Itaú, Santander, Bradesco, Caixa next batch).
- `hmac_signed` — per-request signature (timestamp + method + path + body) with shared key + secret pair. For Foxbit and crypto exchanges following that pattern.

**Catalog scale** (as of release):
- 109+ MCP servers published on npm
- 2,200+ individual tools
- 53 routing rails in `META_TOOL_CATALOG`
- 6 LATAM countries covered: BR, MX, AR, CO, CL, PE
- 9 verticals: payments, banking, crypto, communication, ecommerce, erp, fiscal, fraud, identity

**`@codespar/api-types@0.4.0`** — added `cert` + `hmac_signed` to the auth_type enum (`AuthTypeSchema`) and `cert` to `AuthSchemaFieldKindSchema`. Web dashboard's Provider Connect modal now renders cert (file-upload) and hmac_signed (KEY/SECRET) flows directly.

**`@codespar/types@0.7.0`** — new wire-contract types: `DiscoverResult`, `ConnectionWizardResult`, `PaymentStatusResult`, `PaymentStatusStreamOptions`, `VerificationStatusResult`, `VerificationStatusStreamOptions`, `ChargeArgs` / `ChargeResult`, `ShipArgs` / `ShipResult`.

**Adapter peerDeps** — framework adapters (`@codespar/claude`, `@codespar/openai`, `@codespar/vercel`, `@codespar/mcp`, `@codespar/langchain`, `@codespar/google-genai`, `@codespar/mastra`, `@codespar/crewai`, `@codespar/autogen`, `@codespar/llama-index`, `@codespar/letta`, `@codespar/camel`) remain on `0.3.0`. They consume only the `SessionBase` surface; the new methods land additively on `Session`.

See [the SDK reference](/docs/api/sdk) for the full method-by-method shape and [Auth concepts](/docs/concepts/authentication) for the new auth types.

---

## April 2026

### v0.3.0 — API canonicalization + 2-level tenancy `2026-04-19`

**@codespar/sdk@0.3.0** — Breaking alignment with the canonical wire contract.

- `codespar.create(userId, config)` replaces `codespar.sessions.create(config)`. `userId` is now a required first positional argument; credentials, audit logs, and billing scope to it.
- `session.execute(toolName, params)` replaces `session.execute({ name, arguments })`. Two positional arguments instead of a single object.
- `session.send(message)` and `session.sendStream(message)` take a natural-language string and run a Claude tool-use loop on the backend, returning `SendResult` / `StreamEvent`. The previous framing as fire-and-forget / streaming variants of `execute` is removed.
- `session.mcp` is a property `{ url, headers }` instead of a method call.
- 2-level tenancy (Account → Project) shipped end-to-end: `projectId` on `SessionConfig`, `x-codespar-project` header support, Zod schema validation on client (`/^prj_[A-Za-z0-9]{16}$/`).
- Python package `codespar@0.1.1+` on PyPI with matching surface (sync + async).

See [Sessions](/docs/concepts/sessions) and the [SDK Reference](/docs/api/sdk) for the full canonical shape.

### v0.2.0 — SDK + 12 Adapters `2026-04-16`

**@codespar/sdk@0.2.0** — Major alignment with the `api.codespar.dev` backend contract.

- `session.execute()` now returns `tool_call_id` and `called_at` for audit
- `session.loop()` — Complete Loop orchestration with step callbacks and retry policies
- `session.send()` / `session.sendStream()` — natural language tool execution
- `SessionConfig.preset` — connect all servers for a country in one line
- `SessionConfig.manageConnections` — block until servers are connected

**12 Provider Adapters** — all published at v0.2.0:

| Package | Framework |
|---------|-----------|
| `@codespar/claude` | Anthropic Claude |
| `@codespar/openai` | OpenAI GPT |
| `@codespar/vercel` | Vercel AI SDK |
| `@codespar/langchain` | LangChain.js |
| `@codespar/google-genai` | Google Gemini |
| `@codespar/mastra` | Mastra |
| `@codespar/crewai` | CrewAI |
| `@codespar/autogen` | Microsoft AutoGen |
| `@codespar/llama-index` | LlamaIndex.TS |
| `@codespar/letta` | Letta (MemGPT) |
| `@codespar/camel` | CAMEL-AI |
| `@codespar/mcp` | MCP (Claude Desktop, Cursor) |

**57 MCP Servers** — all published on npm under `@codespar/mcp-*`:
- 14 payments, 5 fiscal, 5 logistics, 5 messaging, 8 banking
- 8 ERP, 3 e-commerce, 4 crypto, 1 public data, 4 agentic protocols
- Coverage: Brazil (35+), Mexico (5), Argentina (5), Colombia (4)

### Documentation `2026-04-17`

- 12 provider docs pages with full agent loop examples
- 4 cookbooks: Pix Payment Agent, E-Commerce Checkout, Multi-Provider, Streaming Chat
- "How CodeSpar Works" architecture explainer
- Servers & Toolkits catalog (57 servers)
- Expanded API Reference: Sessions, Tools, Connections, Servers
- MCP Generator guide
- Debugging & observability guide
- Build Your Own Server guide
- `llms.txt` and `llms-full.txt` for AI assistant context
- Fumadocs callouts fix (46 callouts migrated to `<Callout>` components)
- Theme toggle (light/dark/system), GitHub link, Discord link, Dashboard CTA
- Fraunces display font for toolkits pages

---

## March 2026

### v0.1.0 — Initial Release `2026-03-31`

- `@codespar/sdk@0.1.0` — initial SDK with session management
- `@codespar/claude`, `@codespar/openai`, `@codespar/vercel`, `@codespar/mcp` — first 4 adapters
- 20 MCP servers (Brazil-focused)
- Basic docs: intro, quickstart, 4 provider pages, concepts, API reference
