Releases: peacprotocol/peac

0.12.4

25 Mar 06:33
5a56b70

Commerce Evidence + Integration Depth

PEAC as the neutral portable evidence layer across paymentauth/MPP, ACP, x402, Stripe SPT, and UCP. This release does not expand PEAC into a payment or checkout protocol.

Added

  • @peac/mappings-paymentauth (DD-191): HTTP Payment authentication scheme envelope parsing, evidence mapping, carrier adapter
  • paymentauth payment rail registration (DD-190)
  • x402 v2 dual-header read compatibility (DD-193)
  • ACP session lifecycle evidence (DD-188): session states produce access evidence; commerce evidence only from explicit payment artifacts
  • Stripe SPT delegated payment evidence: delegation-specific vocabulary
  • UCP order-vs-payment semantic separation (DD-187)
  • Experimental commerce evidence bundle (DD-192) in @peac/audit
  • Commerce pillar profile, evidence spec, and semantics spec
  • Integration kits: paymentauth, ACP, x402
  • 6 runnable commerce examples with deterministic output
  • 21 cross-package commerce boundary conformance tests
  • pnpm verify:examples-commerce smoke target

Fixed

  • flatted prototype pollution (GHSA-rf6f-7fwh-wjgh)
  • Dynamic error category derivation
  • Recursive stable serialization for commerce bundles

Release Facts

  • 6664 tests (260 files)
  • 361 conformance tests
  • 91 build targets
  • 29 publishable packages

Full changelog: https://github.com/peacprotocol/peac/blob/main/CHANGELOG.md

PEAC Protocol is open source and community-developed, with stewardship by Originary

0.12.3

17 Mar 07:45
25d7c4b

A2A v1 compatibility helpers, AIPREF version constants, evaluator quickstarts, and integration guide updates.


0.12.2

16 Mar 09:48
7fac294

Typed Extensions, Profiles, and Validator Hardening

v0.12.2 completes the full 12-group Wire 0.2 extension surface, adds verification-time type-to-extension enforcement for registered receipt types, introduces pillar usage profiles, and strengthens shared validation and extension boundary checks.

Added

  • 7 new extension groups: consent, compliance, privacy, safety, provenance, attribution, purpose
  • Shared validators for SHA-256 digests, HTTPS URI hints, ISO 8601 durations, ISO 8601 dates, and SPDX 3.0.1 license expressions
  • Type-to-extension enforcement for registered receipt types
    • strict mode requires the mapped extension group
    • interop mode emits warnings instead of failing
  • Byte-budget controls for extension payloads
    • 64 KB per group
    • 256 KB total
    • 32 KB per array payload
  • 9 pillar usage profiles: access, identity, consent, privacy, safety, compliance, provenance, attribution, purpose
  • Commerce event field as a closed enum for observational commerce metadata
  • AST-based no-network audit for validation-only package surfaces
  • Tracked API contract artifacts for public surface review
  • Extension regression benchmarks for strict-mode verification and byte-budget boundaries

Changed

  • Extension groups: 12 total, up from 5
  • All 10 registered receipt types now declare a non-null extension_group
  • Node CI matrix now covers Node 24, Node 22, and Node 25

Compatibility

  • ProofMethodSchema remains available as a deprecated alias through v0.12.x
  • Removal is not before v0.13.0

Install

npm install @peac/protocol@0.12.2 @peac/schema@0.12.2 @peac/crypto@0.12.2

0.12.1

14 Mar 07:45
b117e9d

v0.12.1

PEAC Protocol v0.12.1 brings the x402 adapter and conformance assets into alignment with the current upstream offer-receipt shape, and tightens release, security, and documentation quality across the repo.

Highlights

  • x402 upstream alignment

    • @peac/adapter-x402 now tracks the current upstream x402 offer-receipt extension shape
    • conformance fixtures, profile metadata, and type snapshots were updated to match the upstream wire model
    • receipt parsing and verification paths were tightened around the current signed artifact variants
  • Verification and integration improvements

    • x402 verification logic is split into clearer stages for wire validation, offer-term checks, receipt semantics, and cross-object consistency
    • address comparison remains pluggable for network-aware verification behavior
    • JWS parsing and signed-artifact handling were hardened
  • Release and security hardening

    • production dependency fixes landed for undici and hono
    • audit gating is now part of the canonical gate path used by local gates, release gates, and CI
    • strict-mode audit drift was resolved with explicit dependency policy handling
  • Tooling and documentation

    • Vitest upgraded to 4.1.0
    • coverage reporting now produces a machine-readable summary used by the dynamic README badge
    • README.md was rewritten for a shorter entry surface
    • docs/README_LONG.md was recast as a task-oriented developer guide

Changed

  • x402 offer/receipt handling now reflects the current upstream field model
  • offer payload handling expects the current upstream structure, including offers[]
  • signed artifacts are handled as explicit format-discriminated variants
  • verification APIs are split into narrower stages instead of one broad check path
  • release documentation now includes an x402-specific migration guide

Breaking changes

This release includes breaking changes for x402 integrators.

Review the public migration guide before upgrading:

Areas most likely to need updates:

  • field names and shapes in x402 offer / receipt payloads
  • assumptions around transaction / settlement-related fields
  • code that expected a single offer instead of offers[]
  • verification code using older combined helper paths

Included pull requests

  • #511 — x402 adapter upstream sync
  • #512 — x402 profile and conformance sync
  • #513 — v0.12.1 release/version bump
  • #514 — security fixes and canonical audit-gate unification
  • #515 — Vitest upgrade and dynamic coverage badge
  • #517 — README and developer-guide rewrite

Notes

  • 28 packages were published and promoted on npm for this release line.
  • Legacy Wire 0.1 support remains frozen; Wire 0.2 remains the current stable public path.

0.12.0

09 Mar 10:05
a2b0bd9

v0.12.0

PEAC Protocol v0.12.0 is the first stable release of the current Interaction Record format on latest.

This release turns the current receipt format into the default public path for PEAC and brings the repository, conformance assets, release tooling, and documentation into alignment around the stable cut.

Highlights

  • Stable Interaction Record format

    • interaction-record+jwt is now the stable public receipt format
    • two structural kinds: evidence and challenge
    • open semantic type model with typed extension groups
    • policy binding with JCS-based hashing
    • stricter JOSE handling and verification behavior
  • Canonical public API

    • issue() is the canonical public issuance entry point
    • verifyLocal() remains the canonical local verification path for the current stable format
    • explicit wire-pinned helpers remain available where version-specific control is needed
  • Conformance and validation

    • expanded conformance coverage with machine-readable requirement tracking
    • broader negative-vector coverage and stronger validator drift checks
    • property and fuzz testing strengthened across core receipt paths
    • stable release gates now cover conformance, performance, SSRF hardening, install smoke, API surface lock, and release-state integrity
  • Security and release integrity

    • OIDC-based trusted publishing path in place
    • stronger release verification and repository truth checks
    • package-surface auditing and install-smoke validation improved
    • documentation and examples aligned with the stable public contract

Changed

  • the current receipt format is now the stable public path on latest
  • issue() is restored as the primary public issuance API
  • Node 24 is the primary tested line; Node 22 remains supported as a compatibility line
  • stable release tooling and generated artifacts are synced to 0.12.0

Notes

  • peac-receipt/0.1 remains available as a frozen legacy format
  • this release keeps the current stable format additive while preserving legacy references where required
  • preview-era wording and examples have been cleaned up so public docs now reflect the stable release state

See also

  • Full changelog: CHANGELOG.md
  • Stable spec and release artifacts in the repository
  • Preview release notes remain useful for detailed implementation history leading into v0.12.0

0.12.0 Preview

03 Mar 12:54
e6ad9a2

Wire 0.2 Preview

This is the first preview release of Wire 0.2, the next interaction record wire format for PEAC.
It is published as a prerelease and is intended for evaluation, integration testing, and feedback.

  • Stability: Preview. APIs and semantics may change before v1.0.
  • Production: continue using the stable Wire 0.1 line (current latest) for production workloads.

What shipped (high level)

Wire 0.2 introduces:

  • A structured envelope with explicit kind, type, and pillars
  • A hardened JWS profile for interaction records
  • Policy binding via deterministic canonicalization + hashing
  • Typed extension groups with strict validation and accessor helpers
  • A conformance suite + normative spec to enable independent implementations

Changes included in this tag

Wire 0.2 foundation

  • Wire 0.2 envelope with two structural kinds: evidence and challenge
  • Open semantic type (reverse-DNS or absolute URI), plus pillars (closed taxonomy)
  • JWS header typ: interaction-record+jwt and dual-stack routing with strict/interop profiles
  • Canonical issuer validation (iss) supporting HTTPS origins and DID identifiers (format validation only)
  • JOSE hardening (rejects embedded key material and unsafe JOSE features)
  • Expanded error and warning surface for deterministic verifier behavior

Policy binding (digest)

  • Policy binding via JCS (RFC 8785) canonicalization + SHA-256
  • 3-state result: verified / failed / unavailable
  • computePolicyDigestJcs() helper and fixed test vectors
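
The policy binding described above, as an added example that is not code from the PEAC repository: JCS canonicalization followed by SHA-256, with the three-state outcome. The names policyDigestHex and checkPolicyBinding, the lowercase-hex digest encoding, and the rule for "unavailable" are assumptions made for this sketch.

```javascript
// Added illustration; not code from the PEAC repository.
// policyDigestHex and checkPolicyBinding are hypothetical names.
const { createHash } = require("node:crypto");

// RFC 8785 (JCS): members sorted by the UTF-16 code units of their keys,
// no insignificant whitespace, primitives serialized as ECMAScript does.
function canonicalize(value) {
  if (value === null || typeof value === "boolean" || typeof value === "string") {
    return JSON.stringify(value);
  }
  if (typeof value === "number") {
    if (!Number.isFinite(value)) throw new TypeError("NaN/Infinity are not JSON");
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) {
    return "[" + value.map(canonicalize).join(",") + "]";
  }
  if (typeof value === "object") {
    // Array.prototype.sort() with no comparator orders strings by code unit.
    const keys = Object.keys(value).sort();
    const members = keys.map((k) => JSON.stringify(k) + ":" + canonicalize(value[k]));
    return "{" + members.join(",") + "}";
  }
  throw new TypeError("not a JSON value: " + typeof value);
}

// Assumption: the digest is carried as lowercase hex.
function policyDigestHex(policy) {
  return createHash("sha256").update(canonicalize(policy), "utf8").digest("hex");
}

// Three outcomes, as in the release notes. Assumption: "unavailable" means
// one side of the comparison is missing, so nothing can be concluded.
function checkPolicyBinding(claimedDigest, localPolicy) {
  if (typeof claimedDigest !== "string" || localPolicy === undefined) {
    return "unavailable";
  }
  return policyDigestHex(localPolicy) === claimedDigest ? "verified" : "failed";
}

// Constructed sample policy; the second copy differs only in key order.
const policyA = {
  version: 1,
  rules: [{ purpose: "train-ai", allow: false }],
  origin: "https://example.com",
};
const policyB = {
  origin: "https://example.com",
  rules: [{ allow: false, purpose: "train-ai" }],
  version: 1,
};
```

A verifier should treat "unavailable" as distinct from "verified": it means no comparison was made, not that the policy matched.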

Representation fields

  • representation fields: content_hash, content_type, content_length
  • content_hash is SHA-256 only
  • Conservative MIME validation; finite numeric guard; strict unknown-key rejection

Typed extension groups

  • Five core groups with strict schemas and typed accessors:
    • org.peacprotocol/commerce
    • org.peacprotocol/access
    • org.peacprotocol/challenge (RFC 9457 problem details; status required)
    • org.peacprotocol/identity
    • org.peacprotocol/correlation (trace/span/workflow identifiers)
  • Extension key grammar validation and safer object access patterns

Conformance + spec + release gate

  • Wire 0.2 conformance fixture packs (valid/invalid/warnings) and deterministic runner
  • WIRE-0.2.md normative specification
  • Release gate script and registry parity checks
  • Minimal runnable example: examples/wire-02-minimal

Compatibility

  • No breaking changes to Wire 0.1 (peac-receipt/0.1): it remains frozen and supported via dual-stack verification.
  • Wire 0.2 is a preview track: consumers should pin to @next and expect iteration.

Install (prerelease)

npm install @peac/protocol@next @peac/schema@next @peac/crypto@next

Feedback

If you are implementing Wire 0.2 independently or integrating it into verifiers/issuers, please open:

  • conformance diffs (expected vs observed)
  • edge cases around header hardening, issuer canonicalization, and extension validation
  • suggestions to improve interop without weakening verifier safety

0.11.3

02 Mar 07:00
64fd9ac

Zero Trust Profiles, Agent Identity, Key Rotation

Added

  • Zero Trust Profile Pack: 7 sub-profiles as documentation overlays (Access, Toolcall, Decision, Risk Signal, Sync, Tracing, ZT Extensions)
  • Agent Identity Profile: ActorBinding with 8 proof types, MVIS (5 required identity fields), origin-only validation. Standards: RFC 8032, RFC 9711, W3C DID 1.1, CNCF SPIFFE, NIST SP 800-63, Sigstore
  • ZT Extension Schemas: credential-event, tool-registry, control-action in @peac/schema
  • Treaty Extension: 4-level commitment class (informational, operational, financial, legal)
  • Key Rotation Lifecycle: FSM spec, 30-day normative overlap, emergency revocation via revoked_keys[], kid reuse detection, NIST SP 800-57 alignment
  • Reconciliation CLI: peac reconcile for evidence bundle merge, conflict detection, deterministic output, --fail-on-conflict for CI gates
  • Governance Mappings: NIST AI RMF, EU AI Act, OWASP ASI, ISO 42001, IEEE 7001, OECD, Singapore MGFAA, AWS RAI (8 documents)
  • Multi-Tenant Guide: 3-tier isolation (Shared, Scoped, Isolated) with migration paths
  • Examples: content signals observation, A2A gateway pattern
  • Registry: proof_types (8), extension_keys (ZT + treaty), pillar_values (10 closed)
  • Error Codes: E_KID_REUSE_DETECTED, E_MVIS_INCOMPLETE, E_REVOKED_KEY_USED

Changed

  • JWKS.overlapDays: 7 to 30 (normative upgrade)

Notes

  • Wire format peac-receipt/0.1 remains frozen
  • 28 packages on npm, 4929 tests
  • Full changelog: CHANGELOG.md

PEAC Protocol is an open-source project stewarded by Originary and community.

0.11.2

24 Feb 20:07
e5756ce

v0.11.2: Errors + Evidence Locators + Content Signals + Distribution (DD-132 through DD-141)

  • Error recovery semantics (DD-132/133/134): next_action recovery hints on all 146 error definitions; retriable renamed to retryable; closed vocabulary of 7 hint values; drift-guarded conformance fixture
  • receipt_url locator hint (DD-135/141): Optional HTTPS-only locator on PeacEvidenceCarrier; schema remains validation-only in Layer 1 (DD-141); SSRF-hardened resolver in @peac/net-node (Layer 4); round-trip tests for all 5 carrier adapters (MCP, A2A, ACP, UCP, x402)
  • @peac/mappings-content-signals (DD-136/137): New Layer 4 package; parsers for robots.txt (RFC 9309), Content-Usage (AIPREF vocab-03/attach-04, RFC 9651 Structured Fields Dictionary), tdmrep.json (EU DSM Directive 2019/790 Art. 4); precedence per DD-137; observation-only model (DD-136 rail neutrality); 16 conformance fixtures
  • @peac/adapter-openai-compatible (DD-138): New Layer 4 adapter; hash-first model (SHA-256 digests; no raw text in receipts); deterministic key-sorted JSON canonicalization with type-safe input constraints; self-contained types (no OpenAI SDK dependency)
  • Distribution surface (DD-139/140): MCP Registry manifest (server.json schema-validated against vendored schema), Smithery config, llms.txt; plugin pack for Claude Code and Cursor; CI distribution gate with structural validation; publish manifest updates

0.11.1

23 Feb 21:33
a0f98b9

Evidence Carrier Contract + A2A Mapping

v0.11.1 formalizes the Evidence Carrier Contract: the universal interface that lets any protocol (MCP, A2A, ACP, UCP, x402, HTTP) carry PEAC receipts without kernel changes. This is the first release with A2A (Agent-to-Agent Protocol) support and content-addressed receipt references.

Added

  • Evidence Carrier Contract (DD-124)
    • PeacEvidenceCarrier type in @peac/kernel (Layer 0, zero runtime)
    • CarrierAdapter<TInput, TOutput> generic interface for protocol adapters
    • CarrierMeta type with transport, format, and size limit metadata
    • computeReceiptRef() in @peac/schema: canonical SHA-256 receipt reference computation (WebCrypto, portable across Node >= 20, Deno, Bun, Workers)
    • validateCarrierConstraints(): transport-aware carrier validation
    • Zod schemas: ReceiptRefSchema, CompactJwsSchema, PeacEvidenceCarrierSchema
    • Conformance fixtures: 7 carrier fixtures (valid + invalid vectors)
  • @peac/mappings-a2a (NEW package, DD-126, DD-128)
    • A2A evidence carrier mapping for Agent-to-Agent Protocol v0.3.0
    • Extension URI: https://www.peacprotocol.org/ext/traceability/v1
    • Metadata layout: metadata[extensionURI] = { carriers: [...] } per A2A convention
    • Attach/extract for TaskStatus, Message, and Artifact metadata
    • Agent Card extension type for capabilities.extensions[]
    • A2A-Extensions header parser (DD-86: no X-headers)
    • Agent Card discovery with SSRF protection (DNS rebinding defense, redirect: "error", 256 KB response cap, Content-Type check)
    • No runtime dependency on @a2a-js/sdk (minimal types from spec)
  • MCP _meta carrier format (DD-125, DD-129)
    • attachReceiptToMeta() / extractReceiptFromMeta() in @peac/mappings-mcp
    • Keys: org.peacprotocol/receipt_ref, org.peacprotocol/receipt_jws
    • McpCarrierAdapter implementing CarrierAdapter
    • extractReceiptFromMetaAsync(): async extraction with receipt_ref consistency check (DD-129: sha256(receipt_jws) MUST equal receipt_ref)
    • assertNotMcpReservedKey(): MCP _meta reserved key guard per spec 2025-11-25 (checks second label in dot-separated prefix)
    • Backward compat: reads legacy org.peacprotocol/receipt key (v0.10.13), auto-computes receipt_ref from JWS
  • ACP carrier adoption in @peac/mappings-acp
    • attachCarrierToACPHeaders() / extractCarrierFromACPHeaders()
    • Header-only transport: PEAC-Receipt = compact JWS (8 KB limit)
    • ACP state transition helpers (create/update/complete/cancel)
    • Webhook HMAC binding via request_nonce
  • UCP carrier adoption in @peac/mappings-ucp
    • normalizeToCarrier() from webhook evidence
    • attachCarrierToWebhookPayload() for outbound webhooks
    • Backward compat with extensions["org.peacprotocol/interaction@0.1"]
  • x402 carrier adapter in @peac/adapter-x402
    • fromOfferResponse() / fromSettlementResponse() for HTTP 402/200 flows
    • X402CarrierAdapter implementing CarrierAdapter
    • ChallengeType taxonomy: payment, auth, consent, rate_limit, purpose_denied, other
    • Header-only transport: PEAC-Receipt = compact JWS (8 KB limit)
  • JWKS resolver in @peac/protocol
    • Shared JWKS key fetching and caching for offline verification
    • SSRF-hardened: private IP blocking, response size cap, timeout
  • Discovery Profile spec and 3-step algorithm (DD-110)
    • Agent Card -> /.well-known/peac.json -> PEAC-Receipt header probe
    • discoverPeacCapabilities() in @peac/mappings-a2a
  • Normative specs
    • docs/specs/EVIDENCE-CARRIER-CONTRACT.md
    • docs/specs/A2A-RECEIPT-PROFILE.md
    • docs/specs/MCP-EVIDENCE-PROFILE.md
    • docs/specs/DISCOVERY-PROFILE.md
  • MCP carrier e2e smoke test (release gate)
    • Full round-trip: issue -> computeReceiptRef -> attachReceiptToMeta -> extractReceiptFromMetaAsync -> verifyLocal
    • Tampered receipt_ref detection (DD-129)
    • Legacy org.peacprotocol/receipt backward compat verification
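
The DD-129 consistency check and the legacy-key fallback from the MCP _meta carrier items above, as an added example (not the @peac/mappings-mcp implementation). readCarrierFromMeta and computeRef are hypothetical names, the "sha256:<hex>" encoding of receipt_ref and the rule that a current-format carrier must include receipt_ref are assumptions, and the JWS is a constructed sample whose signature is not verified here.

```javascript
// Added illustration; not code from the PEAC repository.
const { createHash } = require("node:crypto");

const REF_KEY = "org.peacprotocol/receipt_ref";
const JWS_KEY = "org.peacprotocol/receipt_jws";
const LEGACY_KEY = "org.peacprotocol/receipt"; // v0.10.13 key: JWS only, no ref

// Assumed encoding for this sketch: "sha256:" followed by lowercase hex.
function computeRef(jws) {
  return "sha256:" + createHash("sha256").update(jws, "utf8").digest("hex");
}

// Shape check only: three non-empty base64url segments. This is not
// signature verification, which still has to happen afterwards.
function looksLikeCompactJws(s) {
  return typeof s === "string" &&
    /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/.test(s);
}

// Hypothetical helper: returns the carrier if the reference and the JWS
// agree, and a typed failure otherwise (fail closed, nothing is guessed).
function readCarrierFromMeta(meta) {
  if (meta === null || typeof meta !== "object") {
    return { ok: false, reason: "no_meta" };
  }
  // Own-property lookup so inherited keys are never read as carrier data.
  const own = (k) => Object.prototype.hasOwnProperty.call(meta, k);

  if (own(JWS_KEY)) {
    const jws = meta[JWS_KEY];
    if (!looksLikeCompactJws(jws)) return { ok: false, reason: "malformed_jws" };
    if (!own(REF_KEY) || typeof meta[REF_KEY] !== "string") {
      return { ok: false, reason: "missing_ref" };
    }
    // DD-129: sha256(receipt_jws) MUST equal receipt_ref.
    const expected = computeRef(jws);
    if (meta[REF_KEY] !== expected) return { ok: false, reason: "ref_mismatch" };
    return { ok: true, legacy: false, receipt_ref: expected, receipt_jws: jws };
  }

  if (own(LEGACY_KEY)) {
    const jws = meta[LEGACY_KEY];
    if (!looksLikeCompactJws(jws)) return { ok: false, reason: "malformed_jws" };
    // Legacy carriers have no reference, so it is computed from the JWS.
    return { ok: true, legacy: true, receipt_ref: computeRef(jws), receipt_jws: jws };
  }

  return { ok: false, reason: "no_receipt" };
}

// Constructed sample: base64url header and payload with a dummy signature.
const SAMPLE_JWS =
  "eyJhbGciOiJFZERTQSJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIn0.c2lnbmF0dXJl";
```

A mismatch means the reference and the receipt were not produced together, so the carrier is rejected before any signature verification is attempted.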

Changed

  • AGENTS.md: updated MCP section to v0.11.1 carrier format, added A2A metadata carrier example, updated discovery table with spec links
  • Registry (specs/kernel/registries.json): added a2a, ucp, stripe entries; bumped version to 0.10.0

Deferred

  • NIST CAISI RFI submission: deferred to separate submission (March 9 deadline)
  • Full OAuth 2.1 MCP server: deferred to v0.11.x+
  • A2A body-embed carrier format: deferred to future version (metadata-only in v0.11.1)
  • ACP/x402 body-embed carrier format: deferred to future version (header-only in v0.11.1)

Notes

  • Wire format peac-receipt/0.1 remains FROZEN
  • Design decisions: DD-124 through DD-131
  • @modelcontextprotocol/sdk stays at ~1.26.0 (npm latest; v1.27.0 is GitHub tag only, not published to npm)
  • PRs: #414, #415, #416, #417, #418, #419, #420, #421, #426

Standards References

  • A2A Protocol v0.3.0 (Linux Foundation): Extension metadata layout
  • MCP Specification 2025-11-25: _meta reverse-DNS key conventions
  • RFC 9711 (EAT, Oct 28, 2025): Entity Attestation Token reference model
  • OWASP ASI-04 (Supply Chain): Carrier validation as defense
  • CVE-2026-25536: MCP SDK floor remains >= 1.26.0

0.11.0

23 Feb 04:51
d7a6c89

Infrastructure Modernization + Enterprise Readiness

v0.11.0 is an infrastructure modernization release: Zod 4 migration for 7-14x parsing performance, MCP Streamable HTTP transport for remote agent connectivity, kernel constraint enforcement in issuance and verification pipelines, integrator kit scaffolding for ecosystem partners, and OWASP Top 10 for Agentic Applications security alignment.

Breaking change: @peac/schema exports Zod 4 types. If you compile against exported schemas, align your Zod major to v4. Zod 3 and Zod 4 types are not assignment-compatible. Consumers pinned to ^0.10.x will stay on v0.10.14 (safe); ^0.11.x opts in explicitly.

Added

  • MCP Streamable HTTP transport (DD-119, DD-123)
    • --transport http flag enables HTTP transport alongside existing stdio
    • Session-isolated McpServer + StreamableHTTPServerTransport per HTTP session (CVE-2026-25536 defense: no cross-client data leak)
    • Mcp-Session-Id lifecycle: server-generated on init, required on subsequent requests, DELETE /mcp for session termination
    • Session eviction: configurable TTL (default 30 min) + max sessions (default 100)
    • POST /mcp: JSON-RPC request/response; GET /mcp: 405 Method Not Allowed
    • GET /health: health check (no auth, returns version + protocol version)
    • RFC 9728 PRM discovery endpoint at GET /.well-known/oauth-protected-resource[/<path>]: enabled when both --authorization-servers and --public-url are configured; returns 404 otherwise
    • Security: CORS deny-all default, localhost-only bind, 1MB request body limit, per-session + per-IP rate limiting (100 req/min default), Origin/Host validation, Node.js server timeouts (slowloris defense)
    • CLI flags: --transport, --port, --host, --cors-origins, --authorization-servers, --public-url, --trust-proxy
  • Kernel constraint enforcement in pipelines (DD-121)
    • validateKernelConstraints() called in issue() before signing (rejects oversized claims pre-sign)
    • validateKernelConstraints() called in verifyReceipt() and verifyLocal() after decode/signature, before schema parse (rejects malformed payloads early)
    • New constraint_violation reason in VerifyFailure taxonomy
    • New E_CONSTRAINT_VIOLATION error code in @peac/schema error taxonomy
    • Fail-closed: all violations produce typed errors (no silent failures)
    • Normative specification: docs/specs/KERNEL-CONSTRAINTS.md
  • Integrator Kit (DD-108, DD-122)
    • Template kit at integrator-kits/template/ with README, integration guide, and security FAQ
    • Ecosystem scaffolds: MCP, A2A, ACP, x402, Content Signals
    • Conformance harness: scripts/conformance-harness.ts CLI runner with --adapter, --fixtures, --format json|pretty flags
    • Deterministic JSON report output for CI consumption
  • OWASP Top 10 for Agentic Applications alignment
    • docs/security/OWASP-ASI-MAPPING.md maps all 10 risks (ASI-01 through ASI-10) to specific PEAC mitigations with test file citations
  • Performance baselines updated with Zod 4 benchmarks
    • parseReceiptClaims commerce: ~388K ops/sec; attestation: ~792K ops/sec
    • toCoreClaims commerce: ~11.8M ops/sec; attestation: ~27.3M ops/sec

Changed

  • Zod 4 migration (DD-120): all workspace packages migrated from Zod 3.25.x to Zod 4.x (^4.3.6). Key migration patterns:
    • z.record(ValueSchema) to z.record(z.string(), ValueSchema) (2-arg form)
    • .default({}) to .prefault({}) for mutable defaults
    • ZodError.errors to ZodError.issues; issue.path is PropertyKey[]
    • pnpm.overrides enforces single Zod major across workspace
    • MCP SDK peer dependency accepts ^3.25 || ^4.0 (compatible)
  • MCP SDK pinned at ~1.27.0 (>= 1.26.0 for CVE-2026-25536 fix)

Zod 4 Consumer Migration Notes

If you import schemas from @peac/schema, align your Zod major to v4:

  1. z.record(ValueSchema) now requires two arguments: z.record(z.string(), ValueSchema)
  2. .default({}) replaced by .prefault({}) for mutable default values
  3. ZodError.errors renamed to ZodError.issues
  4. z.infer<> types remain structurally equivalent for all PEAC schemas
  5. pnpm.overrides or equivalent should enforce a single Zod major in your workspace

Deferred

  • Full OAuth 2.1 MCP server: deferred to v0.11.x+ (HTTP transport needs field validation first)
  • MCP protected mode (401 + WWW-Authenticate + token validation): deferred to v0.11.x+
  • Evidence Carrier Contract (PeacEvidenceCarrier): deferred to v0.11.1
  • @peac/mappings-a2a: deferred to v0.11.1
  • NIST CAISI RFI submission: deferred to v0.11.1

Notes

  • Wire format peac-receipt/0.1 remains FROZEN
  • 22 published packages version-bumped to 0.11.0
  • Design decisions: DD-119 (Streamable HTTP), DD-120 (Zod 4), DD-121 (kernel constraints pipeline), DD-122 (conformance harness), DD-123 (HTTP security)
  • MCP Streamable HTTP runs in unprotected mode only (no token validation); "OAuth readiness" hooks provided via optional PRM endpoint
  • stdio transport remains the default (backward compatible)
  • PR merge order: #407 (Zod 4 schema) -> #408 (Zod 4 remaining) -> #409/#410/#411 (HTTP transport / kernel constraints / integrator kit, parallel) -> #412 (release) -> #413 (docs)

Standards References

  • MCP Transport 2025-06-18: Streamable HTTP implemented (JSON-only mode, SSE deferred)
  • MCP Authorization 2025-11-25: Discovery only (RFC 9728 PRM); protected mode deferred
  • RFC 9728 (OAuth Protected Resource Metadata): Conditional PRM endpoint (path-aware routing)
  • CVE-2026-25536 (MCP SDK cross-client data leak): Mitigated by per-session transport isolation
  • MCP SDK ~1.27.0 (v1.x stable): v2 pre-alpha, not production
  • Zod ^4.3.6: Full migration from 3.25.x
  • OWASP ASI-01 through ASI-10: Alignment mapping in docs/security/OWASP-ASI-MAPPING.md
