# Changelog

## 0.2.0 — 2026-05-15

- New `CatalogClient` — pulls signed catalog snapshot
  (`GET /api/v1/catalog/snapshot`) with RSA-SHA256 verification.
- New `CommandClient` — issue, poll, ack tenant writeback commands
  (`/api/v1/tenant-commands*`).
- `SignatureVerifier::verifyMessage()` — generic message verifier for
  things signed over raw bodies (snapshots) rather than canonical
  package tuples.
- `Transport::getRaw()` — exposes raw body + headers for callers that
  need out-of-band signature metadata (catalog, downloads).
- Bundled smoke test (`tests/smoke.php`) covers the read paths.

Server compatibility: Phase 5.4 schema (signing-key `expires_at`,
`tenant_commands` table, snapshot endpoint).

## 0.1.0 — 2026-05-13

- Initial release. EntitlementClient, ApprovalClient, EventClient,
  TokenClient, PackagesClient. RSA-SHA256 package signature
  verification.

Server compatibility: Phase 5.1 schema (products, features,
entitlements, approvals, events, signing_keys).