v0.19.0

@ashfordeOU ashfordeOU released this 19 Jun 06:47
· 9 commits to main since this release

Changed

  • Relicensed from Apache-2.0 to the GNU AGPL-3.0-only, with a commercial licence
    available from Ashforde OÜ (dual-licensing).
    The open engine stays fully open and
    publicly verifiable; the AGPL's network-copyleft (§13) means a closed or hosted
    derivative must come back to open source — or take a commercial licence. This
    defends the validated core against fork-and-close while keeping the credibility of
    a public, runnable, auditable engine. See LICENSE (AGPL) and the new
    LICENSING.md (what each licence covers and when it applies).
    • LICENSE now contains the AGPL-3.0 text; SPDX headers across all sources updated
      to AGPL-3.0-only; NOTICE, README, GOVERNANCE, GLOSSARY, the website, and
      crate/package metadata (Cargo.toml, pyproject.toml, CITATION.cff, the MCP
      crate + image) updated accordingly.
    • Contributor terms (CONTRIBUTING.md) now license inbound contributions
      under the AGPL and grant Ashforde OÜ the right to include contributions in the
      commercially-licensed edition, so the dual-licence keeps working.
    • Dependency policy unchanged but re-justified (deny.toml,
      GOVERNANCE): dependencies stay permissive (Apache/MIT/BSD/ISC). AGPL is allowed
      only for kshana's own crate — a copyleft dependency would taint the commercial
      edition and break dual-licensing.
    • Note for downstream: this is a copyleft relicence. Users who relied on
      Apache-2.0 permissive terms can continue using the last Apache-2.0 release
      (v0.18.0 and earlier, as published); v0.19.0 onward is AGPL-3.0 / commercial.

Security

  • Bumped pyo3 0.24 → 0.29 to clear RUSTSEC-2026-0176 / RUSTSEC-2026-0177
    (GHSA-36hh-v3qg-5jq4 / GHSA-chgr-c6px-7xpp) from external OSV/dependency scans.
    Both are function-level advisories whose affected functions
    (BoundList/TupleIterator::nth/nth_back, PyCFunction::new_closure) Kshana
    never calls, and pyo3 is an optional (python-feature) dependency — so the
    real exposure was nil — but the bump keeps a clean scan for downstream auditors.
    Migrated src/python.rs to the pyo3 0.29 API (Bound return type for
    scenario_kinds; explicit skip_from_py_object on the RunOutput pyclass).
    All 11 Python binding tests pass against the rebuilt extension.
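
The "affected functions are never called" reasoning above can be checked mechanically before accepting a function-level advisory as non-exploitable. The following is an added example, not kshana's code or tooling: a heuristic textual scan (it does not resolve types, so any `.nth(` / `.nth_back(` call is reported as a candidate for manual review), with constructed sample sources and hypothetical helper names.

```python
import re

# Affected function names as listed in the release note. The scan is textual,
# so `.nth(` / `.nth_back(` on ANY iterator is reported for manual review.
CALL_PATTERNS = {
    "nth": re.compile(r"\.\s*nth\s*\("),
    "nth_back": re.compile(r"\.\s*nth_back\s*\("),
    "PyCFunction::new_closure": re.compile(r"\bnew_closure\s*(?:::\s*<[^>]*>\s*)?\("),
}

# Rust block comments, line comments and ordinary double-quoted string literals.
_NOISE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.DOTALL)


def strip_noise(source: str) -> str:
    """Blank out comments and strings, keeping newlines so line numbers hold."""
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)


def find_call_sites(source: str) -> list[tuple[int, str]]:
    """Return (line number, affected function) for each candidate call site."""
    hits = []
    for lineno, line in enumerate(strip_noise(source).splitlines(), start=1):
        for name, pattern in CALL_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


# Constructed sample (not kshana's src/python.rs): the affected names appear
# only in a comment and a string literal, so no call site is reported.
CLEAN = '''
use pyo3::prelude::*;
// the affected list.iter().nth(3) is deliberately avoided
#[pyfunction]
fn kinds() -> &'static str { "see PyCFunction::new_closure(...)" }
'''

# Constructed sample with real calls to two of the affected functions.
REACHABLE = '''
use pyo3::{prelude::*, types::{PyCFunction, PyList}};
fn third<'py>(list: &Bound<'py, PyList>) -> Option<Bound<'py, PyAny>> {
    list.iter()
        .nth(2)
}
fn make(py: Python<'_>) -> PyResult<Bound<'_, PyCFunction>> {
    PyCFunction::new_closure(py, None, None, |_a, _k| 1_i64)
}
'''
```

An empty result supports a "not reachable" triage note; any hit still needs a human to confirm the receiver type before the advisory is dismissed.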

Get this release

Download — attached below, prebuilt (no toolchain needed); each artifact carries
SLSA build-provenance (verify with gh attestation verify <file> --repo AshfordeOU/kshana):

  • kshana — the simulator CLI / engine (Linux x86-64)
  • kshana-mcp — the Model Context Protocol server (Linux x86-64)
  • kshana-sbom.cdx.json — CycloneDX SBOM
  • kshana-validation-summary.html — the per-release validation summary

On macOS or Windows, install from a registry below — the PyPI wheels, the npm/WASM
package, and the Docker image are all cross-platform.

Install from a package registry:

Channel                 Get it
crates.io               cargo install kshana · cargo install kshana-mcp
PyPI                    pip install kshana
npm                     npm install kshana
ghcr.io                 docker run -i ghcr.io/ashfordeou/kshana-mcp:0.19.0
MCP registry            io.github.ashfordeOU/kshana-mcp (auto-discovered by MCP clients)
JetBrains Marketplace   search "Kshana" in your IDE → Plugins

No install: run it in your browser at kshana.dev · Cite: DOI 10.5281/zenodo.20528627


Full changelog: CHANGELOG.md · Docs: README