Chirp 0.8.2
Production-readiness wave — auth S-tier hardening, AI surface, passkeys, pelt E4/E6, contract diff tooling, signal topic scoping, and Furatena docs-extraction fixes (patitas 0.4, CSP, debug pages).
Focus: unblock Furatena and downstream apps with a published PyPI wheel, while shipping the production-readiness burndown accumulated since 0.8.1.
This is a patch release on top of 0.8.1. It lands the framework fixes Furatena
needs to consume Chirp from PyPI (patitas 0.4, markdown sanitization, debug-page
ANSI stripping, CSP data: images, docs frontmatter for Bengal site extraction),
plus a large wave of auth hardening, AI tooling, passkeys, pelt transport/runtime
work, hypermedia contract diff tooling, and signal topic scoping. Review migration
notes below before upgrading production apps.
Highlights
Furatena — docs extraction + patitas 0.4
The live docs app now lives in the Furatena repo. This release ships the framework
side: patitas[syntax]>=0.4.0, tighter markdown sanitization, ANSI-free debug
error pages, data: URI images allowed in the default CSP, and simplified docs
frontmatter parsing so Bengal site data (collections, glossary, url rewrites) and
the document-catalog protocol compile cleanly.
Furatena can pin bengal-chirp==0.8.2 instead of installing from git.
Auth — secure-by-default, fail-loud, contract-checked
A full auth hardening wave: secure_stack() one-call wiring, session cookies
Secure by default in production (secure="auto"), HMAC-SHA-256 session signing,
declarative AuthSpec parity with @requires, permission/policy/scope registries,
bearer token revocation, access grants + kick_user, passkeys/WebAuthn behind
chirp[passkeys], and a dozen new env-aware app.check() categories that catch
miswired auth before deploy.
AI surface — stable exports + agent loop
Phase 1 AI primitives (LLM, ToolRegistry, …) are now stable top-level exports.
Phase 2 adds the agent loop, MCP client, and chirp new --ai. Phase 3 adds
structured-output retry, additional providers (Gemini/Azure/Bedrock), and
chirp.testing.eval helpers.
Contract diff — baselines, CLI, MCP, CI
chirp check gains JSON baselines and diff support. chirp diff APP --base REF
compares hypermedia contract reports against a git ref. An MCP tool
(chirp_surface_diff) and advisory PR comments round out the agent/CI workflow.
Signals — topic scoping (#317)
signal_connect() now finalizes a scoped /_chirp/live?topics=… URL at
end-of-render, so async sources pump only for bound topics and derived
dependencies.
Also in this release
- Ops probes — auto-mounted /health + /ready on every app (including minimal scaffold).
- Islands — blessed optimistic_apply primitive with zero-server-state guardrails.
- Pelt — E4 transport/auth I/O edge + E6 free-threading runtime probes.
- Streaming — request context flows into all streamed renders; SSE resilience fixes.
- Middleware — explicit priority= ordering; general-purpose keyed rate limiter.
- Migrations — checksum drift detection; chirp migrate CLI + CHIRP_SKIP_MIGRATIONS.
- chirp-ui — floor bumped to >=0.11.0; cross-version CI release gate matrix.
See the full changelog for the complete list.
Migration notes
- Session cookies — SessionConfig.secure defaults to "auto" (Secure in production/staging). Apps served over plain HTTP in production must opt out with SessionConfig(secure=False).
- Auth audit events — declarative and imperative gates now emit the same authz.permission.denied shape; details["missing"] is a sorted list, not a string.
- AuthSpec.policy — an unregistered policy name now raises 500 (misconfiguration), not 403.
- Password verify — corrupt hashes return False instead of 500.
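For SIEM pipelines that will see audit events from both pre-0.8.2 and 0.8.2 apps during a rollout, the following added example (not Chirp's own code) normalizes details["missing"] from either shape and counts denials per permission. The JSON-lines envelope with an "event" key, the comma/whitespace separator in the old string form, and the sample lines are assumptions constructed for illustration.

```python
import json
from collections import Counter

DENIED = "authz.permission.denied"  # event name from the migration note


def missing_permissions(event: dict) -> list[str]:
    """Return details["missing"] as a sorted, de-duplicated list for either shape."""
    raw = (event.get("details") or {}).get("missing")
    if raw is None:
        return []
    if isinstance(raw, str):
        # Old shape: a string. ASSUMPTION: names separated by commas/whitespace.
        parts = raw.replace(",", " ").split()
    elif isinstance(raw, (list, tuple)):
        # New shape (0.8.2): already a list; coerce defensively to str.
        parts = [str(p) for p in raw]
    else:
        raise TypeError(f"unexpected type for details['missing']: {type(raw).__name__}")
    return sorted(set(parts))


def denials_by_permission(lines):
    """Count denied permissions across JSON lines; also return skipped-line count.

    ASSUMPTION: one JSON object per line, event name stored under "event".
    Unparseable lines are counted rather than dropped silently, so a parser
    regression after an upgrade shows up as a rising skip count.
    """
    counts, skipped = Counter(), 0
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(event, dict) or event.get("event") != DENIED:
            continue
        counts.update(missing_permissions(event))
    return counts, skipped


# Constructed sample input: old string shape, new list shape, noise.
SAMPLE = [
    '{"event": "authz.permission.denied", "details": {"missing": "posts:write, admin"}}',
    '{"event": "authz.permission.denied", "details": {"missing": ["admin", "posts:write"]}}',
    '{"event": "auth.login.success", "details": {}}',
    "not json",
]

if __name__ == "__main__":
    print(denials_by_permission(SAMPLE))
```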
Dependencies
- markdown extra: patitas[syntax]>=0.4.0 (was >=0.3.5)
- ui extra: chirp-ui>=0.11.0
- passkeys extra: webauthn>=2.8,<3 (new, optional)
Upgrading
pip install --upgrade bengal-chirp
For Furatena and apps that need the docs/markdown fixes:
pip install "bengal-chirp[markdown]==0.8.2"
Review the migration notes above if your app uses sessions, declarative auth, or SIEM audit event parsing.