Release v0.9.0

@github-actions github-actions released this 08 May 04:18
· 102 commits to main since this release
f168bc8

A substantial feature release: Bifrost can now connect to external MCP servers as a client (symmetric to its existing role as an MCP server), v2 apps get full Tailwind compilation, deploys are zero-downtime, and skills distribute via Claude Code plugins. 55 commits since v0.8.0; no breaking changes.

Features

  • External MCP client — Bifrost can now connect to remote MCP servers and surface their tools to agents and chat. Three-layer model: server template (platform), per-org connection (with two visibility flags: chat / autonomous), and per-agent grants (default-deny). Per-user delegated credentials let vendors see the user's identity instead of a shared service account. Streamable HTTP transport; OAuth discovery via /.well-known/oauth-authorization-server. (#176 spec, #177 implementation by @sdc53)
  • Tailwind compilation for v2 apps — Arbitrary values, @apply, @layer, per-app config. v2 apps now get the full Tailwind dev experience instead of the prior CDN-runtime restrictions. (#143)
  • Zero-downtime deploys — API rolling restart, worker drain, client version banner with retry. AMQP probe and publish retry close the deploy-window AMQP error class. (#174, #194)
  • Skills via Claude Code plugin — Bifrost skills are distributed as a Claude Code plugin, with a bifrost skill CLI for managing them. (#169)
  • Per-worktree debug stacks: ./debug.sh derives a project name from the worktree path; multiple worktrees can run debug stacks in parallel. New bifrost-debug skill. (#137)
  • Unified files model: {location}/{scope}/{path} consolidates all file storage paths. Signed-URL location fix included. (#155)
  • Table access policies + redesigned policy editor — Per-table access controls. (#178)
  • Embeddings — Endpoint override + automatic reindex on model change; batch resilience and accurate reindex status. (#195, #199)
  • CLI: workflows execute with WebSocket streaming + requirements group (#168); ephemeral sessions + multi-instance auth (#151); access controls on form/workflow create/update (#163); --json flag position fix and pagination tiebreaker (#189).
  • Workflow hooks: errorMessage is the canonical alias; error deprecated. (#166)
  • Execution hardening — Webhook rate limits, schedule overlap protection, stuck-execution fix. (#141)

Security & Supply-Chain Hardening

  • Close py/partial-ssrf in GitHubAPIClient (#219) and the embedding-endpoint validator (#216).
  • Close py/log-injection in the tables router (#215).
  • Unify access gates — close MCP cross-tenant leak + UUID coercion bug (#201).
  • Code scanning dismissal reason format fix (#220).
  • Agent stats roll up chat conversations (#221).

Bug Fixes

  • Firefox 150 bundle load failures fixed via static import map (#175 by @Cory-Covi). Without this, Firefox users couldn't load the app at all. Companion fix swaps JSPM for jsDelivr after JSPM tag 404s (#190).
  • Version-banner reload loop fix; banner moved into header (#209).
  • MCP: commit DB before refresh_workflow_tools() so new tools appear without a restart (#196); expose search_knowledge over MCP and scope by mount (#211).
  • Apps: toast wired to runtime registry (#204); preserve local source on create + sync app.yaml deps + .env from cwd (#161).
  • CLI: load .env from cwd, not pipx venv (#160); persist password-grant login to .env in cwd (#164); version check actually blocks stale CLIs (#207).
  • Tables: backfill admin_bypass policy on existing tables (#179).
  • Files: remove workspace .git/ write gate (#159).
  • Manifest import: refresh dependent caches after integration UUID rewrite (#150).
  • Watch: close echo race, block multi-session in workspace, fix validator dep classifier (#154).

Developer Experience

  • GitHub merge queue adopted (#210).
  • Semver dev image tags 0.8.1-dev.N (#218).
  • Drop app.yaml from app source dirs — manifest carries metadata (#191).
  • Drop redundant bifrost- prefix from plugin skill names (#202).
  • Plugin marketplace.json valid relative-path source (#180).
  • bifrost-issues skill drops stale env-copy guidance (#212).

Breaking Changes

None in this release.

Contributors

Huge thanks to the external contributors who shipped meaningful work this cycle:

  • @sdc53 — designed and implemented the external MCP client, the headline feature of v0.9.0. Spec PR (#176) and implementation PR (#177) — months of design plus ~10K lines across backend, frontend, and tests, including the per-agent grant model that closes a real authorization gap.
  • @Cory-Covi — fixed a regression that broke Bifrost's client bundle on Firefox 150 by introducing a static import map (#175). Without this, Firefox users couldn't load the app at all.

Fixed CVEs

None in this release. The npm group bump in #186 closed multiple Dependabot security advisories via dep bumps; see commit log for details.


Docker Images

API:

docker pull jackmusick/bifrost-api:v0.9.0

Client:

docker pull jackmusick/bifrost-client:v0.9.0

Type Stubs for IDEs

Download bifrost.pyi from the assets below and place it in your workspace directory for IDE autocomplete and type checking support. See DISTRIBUTION.md for instructions.

Signed artifacts (Sigstore / cosign — keyless)

Each release asset has a matching .sigstore bundle (Sigstore's self-contained signature + certificate + Rekor inclusion proof, produced via keyless OIDC — no maintainer-held keys involved).

Verify with cosign (>= v2.4):

cosign verify-blob \
  --bundle bifrost-v0.9.0-source.tar.gz.sigstore \
  --certificate-identity-regexp 'https://github\.com/jackmusick/bifrost/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  bifrost-v0.9.0-source.tar.gz

A SLSA build-provenance attestation is also published and verifiable via:

gh attestation verify bifrost-v0.9.0-source.tar.gz --owner jackmusick
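
Added example, not part of the Bifrost release or its tooling: a POSIX shell function that applies the cosign verify-blob command above to every asset in a download directory and fails closed when an asset has no bundle or nothing was checked. The function name, the COSIGN override variable and the directory layout are assumptions; the identity and issuer values are the ones shown above.

```shell
#!/bin/sh
# Added example (not project code): batch-verify downloaded release assets.
# COSIGN may be set to another command name; it defaults to cosign on PATH.

# Identity pattern and OIDC issuer exactly as given in the release notes.
IDENTITY_RE='https://github\.com/jackmusick/bifrost/.*'
OIDC_ISSUER='https://token.actions.githubusercontent.com'

# verify_release_assets DIR
# Returns 0 only if DIR holds at least one asset and every asset verifies
# against its matching <asset>.sigstore bundle.
verify_release_assets() {
    dir=$1
    checked=0
    failed=0
    for asset in "$dir"/*; do
        [ -f "$asset" ] || continue
        case "$asset" in
            *.sigstore) continue ;;   # bundles are inputs, not assets
        esac
        checked=$((checked + 1))
        bundle="$asset.sigstore"
        if [ ! -f "$bundle" ]; then
            # A missing bundle is a failure, never a silent skip.
            echo "FAIL (no bundle): $asset" >&2
            failed=$((failed + 1))
            continue
        fi
        if "${COSIGN:-cosign}" verify-blob \
            --bundle "$bundle" \
            --certificate-identity-regexp "$IDENTITY_RE" \
            --certificate-oidc-issuer "$OIDC_ISSUER" \
            "$asset" >/dev/null 2>&1; then
            echo "ok: $asset"
        else
            echo "FAIL (signature): $asset" >&2
            failed=$((failed + 1))
        fi
    done
    # An empty directory proves nothing, so it also counts as failure.
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}
```

Call it as verify_release_assets ./downloads and gate installation on its exit status.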