Release v1.7.0 (pre-release) · Ghost-Frame/Kleos

Pre-release: published for validation. Will be promoted to the latest full release once confirmed good.

Frameshift cross-machine growth tenant (server-side), gated behind KLEOS_FRAMESHIFT_GROWTH (#94).
kleos-phylax: secret-resolve modes. exec runs an allowlisted command with secrets injected into the child process, and verify/sign/derive let an agent use a secret without ever holding its plaintext.
kleos-phylax: no-plaintext agent posture backed by fail-closed policy middleware.
kleos-phylax: out-of-band approval notification and a capability-token decide endpoint.
kleos-cleanup: --delete-where escape hatch for operator-specific junk.

Security audit remediation and monolith multi-user isolation hardening (#93).
kleos-phylax: scrub-totality property tests and an adversarial plaintext-bypass test.

recall: is_static memories now decay by age in ranking instead of being pinned at full retrievability.
kleos-sidecar: drop the orphaned GateResult.original_text field.
gui: untrack stale .svelte-kit build artifacts and restore the ignore rule.

Pin the Rust toolchain to 1.94.0 across CI, Docker, and local dev so unpinned stable upgrades no longer break clippy -D warnings, and serialize the Syntheos mirror workflow to stop concurrent force-pushes from failing on the ref-lock CAS.

Full diff: v1.6.1...v1.7.0

Provide feedback