Skip to content

v0.7.0 — trust closes the loop, gateway goes concurrent

Choose a tag to compare

@github-actions github-actions released this 10 Jul 05:51

Runtime hardening release: the trust gate now covers everything the gateway runs, and the gateway no longer serializes calls behind one lock.

⚠️ One-time re-trust required

The trust digest formula changed: it now covers the manifest layers and agentstack.lock. Every previously trusted project will show as "changed" once after upgrading — review and re-run agentstack trust <dir>.

Trust gate: the consent loop is closed

  • The trust digest covers agentstack.toml + agentstack.local.toml + agentstack.lock — re-pinning the lock re-gates the project, exactly like a manifest edit.
  • The gateway verifies central-library server definitions against the lock's pinned digests before serving them: a drifted definition is refused with a re-run \agentstack lock`` message; an unpinned ref serves with a warning.
  • agentstack trust . now previews the effective runtime surface — library name refs included, each labeled pinned / unpinned / DRIFTED — not just inline [servers.*] tables. What you review is a strict superset of anything any session can run.

Gateway: per-upstream concurrency

  • Calls to different MCP servers now run in parallel — a slow 60-second call to one server no longer blocks every other server. Same-server calls still queue (one stdio pipe).
  • Both serve loops dispatch upstream calls to worker threads (agentstack's own control-plane tools stay serialized), and the code-mode endpoint handles requests concurrently.

Fixes

  • Gateway spawns stdio servers in the project root (or the server's cwd) — previously the .agentstack/ layout anchored relative paths at the manifest dir.
  • Library servers referenced only by name now reach the gateway exactly like inline ones (previously silently absent in zero-files mode).
  • Manifest, lockfile, and library index refuse schema versions newer than the build supports instead of misreading them silently.
  • An unreadable central library is reported on stderr instead of silently resolving to empty.
  • install.sh verifies release tarballs against the published checksums.txt (since v0.6.0); releases publish checksums from a single aggregated job.