/api/v1 path, the OCSS spec version, Annex B editions), start with
Versioning; this page is the package-level companion.
Pulled live. Every version, publish date, and status on this page was read from
the public npm registry — the version history
and per-package README — and cross-checked against the docs
Changelog on 2026-07-06. Nothing here is hand-maintained — if a
number looks stale,
npm view it and open an issue.Published packages, today
These are the packages actually on the public npm registry, newest release date first. Pin the ones you use.| Package | Latest | First published | Version history | What it is |
|---|---|---|---|---|
@openchildsafety/ocss | 0.1.3 | 2026-06-28 | 0.1.0 → 0.1.1 → 0.1.2 → 0.1.3 | OCSS protocol + RFC 9421 signing / verification, sealed envelopes, trust-list verify |
@phosra/gatekeeper | 0.2.2 | 2026-06-28 | 0.1.0 → 0.2.0 → 0.2.1 → 0.2.2 | Platform-side decision engine — verify profiles, enforce, send §8.3.8 receipts |
@phosra/link | 0.1.2 | 2026-06-28 | 0.1.0 → 0.1.1 → 0.1.2 | Writer-plane SDK — the consent ceremony + signed rule-write directives |
@phosra/mcp | 0.4.0 | 2026-05-15 | 0.2.0 → 0.4.0 | MCP server exposing Phosra tools to AI agents (npx @phosra/mcp) |
@phosra/cli | 0.2.0 | 2026-06-28 | 0.1.0 → 0.1.1 → 0.2.0 | Partner CLI — scaffold, verify OCSS setup, sandbox round-trips |
@phosra/sdk | 0.1.0 | 2026-06-28 | 0.1.0 | Typed control-plane client (PhosraClient) |
@phosra/connect | 0.1.1 | 2026-07-01 | 0.1.0 → 0.1.1 | Embeddable Connect component (web + React Native) |
@phosra/classify | 0.1.1 | 2026-06-29 | 0.1.0 → 0.1.1 | Rule-category classification helpers |
@phosra/provider | 0.1.0 | 2026-06-29 | 0.1.0 | Provider-side helpers over @openchildsafety/ocss |
There is no
@ocss/* npm scope. The open standard’s reference library ships as
@openchildsafety/ocss; Phosra’s own SDKs ship under @phosra/*. If a guide
anywhere tells you to npm install @ocss/…, it is wrong — that install 404s.
The native iOS / Android enforcement SDKs are distributed privately (not on
npm/Maven Central) — see iOS SDK and Android SDK.npm
The semver commitment
The packages follow Semantic Versioning 2.0.0. Every package above is currently pre-1.0 (0.x), and that changes what a version bump promises.
| Bump | 1.x and later (future) | 0.x (today) |
|---|---|---|
Patch (0.1.1 → 0.1.2) | Bug fixes only, no API change | Bug fixes only, no API change |
Minor (0.1.x → 0.2.0) | New features, backward-compatible | May include breaking changes — this is what 0.x means under SemVer §4 |
Major (0.x → 1.0, later 1.x → 2.0) | Breaking changes, with a migration guide | The 1.0.0 line stabilizes the public API and starts the standard guarantees |
npm
0.x:
Patches never break
A patch bump (
0.2.1 → 0.2.2) is bug-fix-only. Safe to take without a code change.Breaks are documented
A breaking minor lands with a changelog entry and a before/after migration — like
the
@phosra/gatekeeper 0.1 → 0.2 example worked below.Published bytes are immutable
A published version is never re-published with different bytes.
0.1.3 is 0.1.3
forever — new code gets a new number.Deprecated exports are flagged
Anything on the way out carries a
@deprecated JSDoc tag your editor and tsc
surface before it is removed.How an SDK version maps to the API version
There are three independent version axes, and the SDK’s semver is decoupled from both wire axes. The SDK talks to the stable/api/v1 path and stamps the current OCSS
spec version into the signed envelopes it builds; bumping the SDK never changes which
API version or spec version you hit, and either wire axis evolving additively never forces
an SDK bump.
SDK version (@phosra/sdk@0.1.0) | API version (/api/v1) | OCSS spec version (OCSS-Spec-Version) | |
|---|---|---|---|
| Where | your package.json | the request URL path | a request header on signed census calls, and the ocss_version field inside every OCSS envelope |
| Today’s value | per-package semver (e.g. 0.1.0) | v1 | OCSS-v1.0-pre |
| Cadence | normal library releases | only a genuinely incompatible contract cuts /api/v2 | the protocol itself revs; the census negotiates the highest common version |
| Who moves it | you, by upgrading the package | Phosra, and v1 keeps serving in parallel | the OCSS steward; the SDK sets it for you |
| Breaking? | a 0.x minor may break your build | a new path, never a mutation of v1 | negotiated fail-closed — an unsupported version is rejected, never silently downgraded |
0.1.0 SDK and a hand-rolled curl client hit the exact same v1
surface. Proof — the SDK’s default baseUrl is /api/v1, and there is no v2 yet:
curl
The spec-version header is not the SDK version. The
OCSS-Spec-Version request
header (and the matching ocss_version field the writer-plane SDKs stamp into each
signed envelope) identifies the protocol edition — OCSS-v1.0-pre today — and is
covered by your RFC 9421 signature. It moves on the OCSS steward’s cadence, not on any
@phosra/* release. So upgrading @phosra/gatekeeper from 0.1 to 0.2 does not
change the spec version you speak, and a future OCSS-v1.0 does not force an SDK bump —
the census negotiates the highest version you both
support and fails closed if there is no overlap. The three axes rev on three clocks. See
Versioning → the four layers for the full picture.The forward-compatibility rule the SDKs are built for. Inside
v1, Phosra adds
new endpoints, new optional request fields, and new response fields / enum
values without a major bump. The typed clients deserialize leniently and ignore
unknown fields, so an additive API change reaches you as data — no reinstall
required. See Forward compatibility.Deprecation & end-of-life
SDK deprecations ride the same Deprecation & Sunset policy as the wire API, expressed in package terms:- A deprecated export keeps working. It gains a
@deprecatedJSDoc tag naming the replacement;tscand your editor flag it, but the runtime behavior is unchanged. - Removal follows semver. At
0.x, a deprecated export can be removed in the next minor (0.2 → 0.3). Once a package reaches1.0, a deprecated export survives until the next major and its removal is called out in the changelog. - The wire windows still protect you. The
≥ 90-daydeprecation window and≥ 12-monthmajor-version overlap in the Deprecation policy govern the API surface the SDK calls — so even if you pin an old SDK, the endpoints it depends on do not vanish under it without notice.
Native iOS & Android SDK lifecycle
The npm packages above are only the control- and writer-plane. The on-device enforcement SDKs —PhosraSDK (iOS, Swift) and com.phosra:sdk (Android, Kotlin) —
are distributed privately (not npm, not Maven Central, not Swift Package Index), so
their lifecycle is worth stating explicitly. Full API guides: iOS SDK and
Android SDK.
Version scheme & how you pin
iOS — PhosraSDK | Android — com.phosra:sdk | |
|---|---|---|
| Distribution | private Git repo, consumed via Swift Package Manager | private Maven repo (URL + credentials from Phosra) |
| Version identifier | a semver Git tag on the private repo | a semver Maven coordinate — today com.phosra:sdk:1.0.0 |
| How to pin exact | SPM .exact("x.y.z") in Package.swift (or the pinned tag in Xcode) | the fully-qualified coordinate, e.g. implementation("com.phosra:sdk:1.0.0") — never a + dynamic version |
| Platform floor (the real EOL lever) | iOS 16.0+, Swift 5.9+, Xcode 15+, FamilyControls entitlement | Android 8.0+ (API 26), Kotlin 1.9+, Gradle 8+, compileSdk/targetSdk 35 |
0.x:
Upgrade delivery — no npm outdated
Because these SDKs are not on a public registry, you cannot npm outdated them. Upgrade
delivery works differently:
- You are notified by email (the private-preview list) when a new tag/coordinate is cut, with its release note. There is no public dist-tag to poll.
- iOS: bump the
exact:version inPackage.swift(or the pinned tag in Xcode) and re-resolve the package graph. - Android: bump the
com.phosra:sdk:x.y.zcoordinate and re-sync Gradle. - Re-test on-device, not just build — an enforcement behavior change (like the gatekeeper’s staleness floor) compiles clean but changes runtime verdicts.
The on-device policy version is a different axis from the SDK version. The
policy.version integer you ackPolicyVersion(…) on-device increments every time a
parent changes a rule and is delivered over the wire at runtime (the device sends
sinceVersion and gets a 304 when nothing changed) — see
iOS SDK → policy sync and Android SDK → policy sync. That
is not a library upgrade: it moves on the parent’s cadence, needs no rebuild, and is
unrelated to the SPM tag / Maven coordinate. Two separate clocks — don’t conflate them.Deprecation, EOL & support matrix
| Lifecycle question | Private iOS / Android SDKs (today) | At public GA (future) |
|---|---|---|
| Can a version break me? | Yes — a preview tag may break, like a 0.x npm minor. Pin exact; read the emailed release note. | No: semver applies — breaking changes only on a major, with a migration guide. |
| What sets end-of-life? | The OS floor above. When Apple/Google drop an OS release, or the FamilyControls entitlement policy changes, support follows the platform. | OS floor plus the standard ≥ 12-month major-version overlap. |
| How is a removal announced? | By email to the preview list, ahead of the tag that removes it. | Changelog entry + a @deprecated-equivalent symbol annotation before removal. |
| Support channel | developers@phosra.com (private preview — no public LTS yet). | Public support + the wire-API deprecation windows that protect the endpoints the SDK calls. |
The
≥ 90-day / ≥ 12-month wire windows in the
Deprecation policy protect the census
endpoints these native SDKs call (policy fetch, receipt POST) regardless of SDK
distribution — so even a pinned old on-device build keeps talking to a stable /api/v1.Per-package changelogs
The canonical, human record of every release is the Changelog. Package detail lives with the package:Changelog (all packages)
Dated release notes for the API, platform conventions, and every SDK line — newest
first.
@phosra/gatekeeper README
The gatekeeper README documents the behavior contract — the §8.3.6 revoked-tombstone
/
endpointState() handling and the 0.x stability policy. The dated
version-by-version record lives in the Changelog.npm version history
Every published version and its release date, per package, straight from npm.
SDK overview
What each package is, which are published vs. private, and the language coverage
matrix.
Worked example — @phosra/gatekeeper 0.1.x → 0.2.x
This is a real breaking upgrade (recorded in the Changelog; the
behavior contract it introduced is documented in the
@phosra/gatekeeper README),
and the best illustration of why 0.x minors demand attention. The gatekeeper is the
platform-side enforcement engine, so its 0.2.0 “safety hardening” release deliberately
changed a runtime behavior.
What changed (0.1.0 → 0.2.0, published 2026-06-28):
Bounded-staleness floor (behavior change)
A new
profileMaxAgeMs config field (default 60 000 ms) makes isAllowed
return a block verdict for any cached enforcement profile older than the
floor, independent of the census-signed window. Partners relying on long census
windows see more block verdicts unless they refreshProfile() within it.Two new lifecycle surfaces
endpointState() and the onRevoked config callback (below) let you distinguish a
positive disconnect from a transient outage — a distinction 0.1.0 could not
express.0.2.2 (published 2026-07-04) added revoked-state handling — a router-signed
§8.3.6 tombstone (top-level status: "revoked") is recognized as a terminal disconnect,
via two new, additive surfaces on the 0.2.x line:
gk.endpointState()→"active" | "revoked" | "stale" | "absent", so you can tell a disconnect ("revoked"→ release-to-native, stop polling) from an outage ("stale"→ keep enforcing last-known-good, fail-closed).- an
onRevoked({ childRef, endpointLabel })config callback, fired once on the transition to revoked.
isAllowed returns synchronously; it does not throw for a block. In both 0.1.0
and 0.2.2 the signature is gk.isAllowed({ category, signal? }): Verdict, and the
Verdict carries decision: "allow" | "warn" | "block". A block is a return
value, never an exception — so branch on verdict.decision, never a try/catch.
(Verified against the published @phosra/gatekeeper@0.2.2 type declarations.)Migrating your code
The upgrade is behavioral, not a signature break — the sameisAllowed call site
compiles on both versions. The work is adopting the new floor and the new states.
Both snippets below are self-contained (declared placeholders stand in for the platform
key you mint at endpoint-bind time — see Link):
npm
Worked example — @phosra/mcp 0.2.0 → 0.4.0
The MCP server is run, not imported (npx @phosra/mcp), so “upgrading” means bumping
the version your MCP client pins. Between 0.2.0 (2026-05-15) and 0.4.0 (2026-06-28)
the tool surface grew — the published 0.4.0 exposes 79 tools (federation,
streaming, reversibility) — but the invocation and auth are unchanged: same
phosra-mcp binary, same Authorization: Bearer phomcp_… token.
tools/list is authoritative (ignore the cosmetic Registering 42 tools… stderr banner):
Verify tool count
New tools are additive — every tool your agent already called in
0.2.0 still
exists in 0.4.0 with the same name and arguments. There is nothing to rewrite; the
bump only adds capability. See the full tool catalog on the
MCP server page.Worked example — @openchildsafety/ocss 0.1.0 → 0.1.3
The OCSS reference library is pinned byte-for-byte to the spec’s frozen §8.5 golden
vectors, so its 0.1.x line is additive within a stable public barrel: 0.1.1,
0.1.2, and 0.1.3 add and fix subpath exports (./envelope, ./trustlist/verify,
./profile, …) without changing what 0.1.0 already exported. A straight patch/minor
bump inside 0.1.x needs no code change:
npm
Unchanged across 0.1.0 → 0.1.3
@phosra/sdk — one line so far
@phosra/sdk has exactly one published version, 0.1.0 — there is no vX → vY
migration to write yet. Pin it exactly; when 0.2.0 ships it will arrive here with a
before/after example, and (because it is a 0.x minor) you should read that entry
before bumping.
npm
Upgrade checklist
Whenever you bump any@phosra/* or @openchildsafety/* package:
- Read the changelog entry for the target version — /changelog is the
dated record; the package’s own README on npm (
npm view <pkg> readme, or the package page’s Readme tab) documents its behavior contract. - Check the bump class. Patch (
0.2.1 → 0.2.2) is safe; a0.xminor (0.1 → 0.2) may break — treat it like a major. - Pin exact, install, and let
tscsurface any@deprecatedflags or removed exports. - Re-run against the sandbox (
https://phosra-api-sandbox-production.up.railway.app) before touching production — the Quickstart path proves your setup end-to-end with no API key. - Verify runtime behavior, not just that it compiles — the gatekeeper example above
is a compile-clean bump that changes what
isAllowedreturns.
Next steps
Versioning (the four layers)
How the API path, OCSS spec version, Annex B editions, and SDK semver pin together.
Deprecation & Sunset policy
The advance-notice windows, the
Deprecation / Sunset headers, and how a
deprecation reaches you.Changelog
The canonical dated record of every API change, deprecation, and SDK release.
SDK overview
Every package, its status (published vs. private), and the language-coverage matrix.