Releases: hokupod/kyoso
Release list
v0.7.1
Changed
- Update
@agentclientprotocol/sdkfrom 1.1.0 to 1.2.0: ACP schema 1.19.0,
linear-timendJsonStreamreceive path, and unified JSON-RPC message
validation across transports.
Commits
- chore(release): add 0.7.1 changelog (49daf4a)
- build: bump version to 0.7.1 (cd22aae)
- fix(deps): update dependency @agentclientprotocol/sdk to v1.2.0 (#10) (4a83083)
Full Changelog: v0.7.0...v0.7.1
v0.7.0
Added
agents.<name>.effortconfig field for Codex and Claude, mirroring
agents.<name>.model. Kyoso sends it once per session as an ACP
session/set_config_optionrequest (effortfor Claude,
reasoning_effortfor Codex). The request is fail-soft: a rejection is
logged to stderr as a sanitized warning and surfaced to MCP/JSON callers
viaresult.audit.warnings, and the review continues at the backend's
own default effort. Settable from both user-global and project TOML
(same risk profile asmodel: no command execution or env forwarding).
Fixed
- Documentation still described the default Claude agent timeout as 240
seconds; README (all languages), the design document, and the example
config now reflect the 300-second default introduced in 0.6.0.
Commits
- chore(release): add 0.7.0 changelog (9bad77d)
- build: bump version to 0.7.0 (a4b2269)
- docs: update Claude agent timeout references to 300s (196abe6)
- feat(agents): add effort config for codex and claude (#9) (fb9e92b)
- docs(readme): add review flow diagrams for all languages (3986cc4)
Full Changelog: v0.6.0...v0.7.0
v0.6.0
Added
- TOML config loading with XDG user-global layering:
$XDG_CONFIG_HOME/kyoso/config.tomlor~/.config/kyoso/config.toml, then
projectkyoso.toml. - Unknown-key detection for user-global
config.toml; security-sensitive
unknown settings fail closed by default, with--allow-unknown-configas an
explicit opt-out. - Project TOML scope validation for repository-owned settings, including
additiveworkspace.denyand tightening-only security/network keys. kyoso doctornow reports global, project TOML, and legacy TypeScript config
layers.
Changed
kyoso initnow writeskyoso.toml.--confignow fails when the specified file does not exist.- Default Claude agent timeout raised from 240s to 300s; dogfooding traces
showed frequent reviews truncated at the previous limit. - Repository dogfooding config and examples now use TOML.
Deprecated
kyoso.config.tsremains supported through the existing trust flow, but emits
a deprecation warning. When bothkyoso.tomlandkyoso.config.tsexist,
TOML takes precedence.
Commits
- docs(readme): add ensemble illustration and model docs links (783d0a3)
- feat(config): raise default Claude agent timeout to 300s (15ae71f)
- feat(config): fail closed on missing --config and unknown security-sensitive keys (d76e9fa)
- chore(release): add 0.6.0 changelog (472dcc5)
- build: bump version to 0.6.0 (46ec6a3)
- feat(config): add TOML config with XDG layering and deprecate kyoso.config.ts (0ece184)
Full Changelog: v0.5.0...v0.6.0
v0.5.0
Added
- Cross-validation classification on aggregated findings: findings backed by
both agents are markedcorroborated, single-agent findingssingle_source. - Fusion-style cross-model analysis from the advisory judge: blind spots,
semantic contradictions, and partial coverage are reported as advisory
metadata (crossModelAnalysis); the deterministic decision is unchanged. - Optional adversarial verification round (
verification.enabled, default
off): single-source high/critical findings are sent to the other agent with
a skeptical refute-first prompt. Annotate-only: verdicts adjust confidence
and notes, never severity or the decision. - CI-ready MCP stdio and ACP subprocess integration tests now cover the real
protocol boundaries without live LLM credentials.pack:verifyalso starts
the packed CLI bin as an MCP server and checks its version and tool list. - Nix development shell pinning Node.js and Bun for reproducible local setups.
Changed
- Reviewer prompts now require concise English finding titles (evidence,
recommendations, and summaries may stay in the user's language) and clarify
that selected files show the pre-change base state during diff reviews. - Same-category findings that reference overlapping line ranges in the same
file now merge regardless of title wording, so cross-model corroboration no
longer depends on title phrasing.
Commits
- chore(release): add 0.5.0 changelog and keep packaged skill generic (a1c4cf9)
- build: bump version to 0.5.0 (c6eaecd)
- feat(aggregate): merge findings by overlapping line ranges (14dcdba)
- feat(prompts): normalize finding titles to English and clarify base state (dbd6899)
- chore: enable verification dogfooding for local reviews (a7fb293)
- feat(verification): add adversarial cross-agent verification for high findings (b34a870)
- feat(judge): add Fusion-style cross-model analysis to advisory judge (7b16076)
- feat(aggregate): mark findings as corroborated or single_source (5bf394c)
- build: add nix development shell (68ab7e6)
- test: add MCP stdio and ACP subprocess integration coverage (61d284c)
Full Changelog: v0.4.1...v0.5.0
v0.4.1
Changed
- Updated
@modelcontextprotocol/serverto 2.0.0-beta.2 and
@agentclientprotocol/sdkto 1.1.0. Before release, the MCP stdio server
handshake was smoke-tested against beta.2 and a full multi-agent review run
was verified with real Codex and Claude agents on the updated ACP stack.
Commits
- build: bump version to 0.4.1 (c6cfb7c)
- chore(deps): update dependency node to v24 (#7) (cb96206)
- chore(deps): update actions/setup-node action to v6 (#6) (0f404fe)
- chore(deps): update actions/checkout action to v7 (#5) (31db841)
- fix(deps): update dependency @agentclientprotocol/sdk to v1.1.0 (#4) (1d19c0f)
- docs: add DeepWiki badge (4b4634e)
- chore(deps): update dependency prettier to v3.9.4 (#1) (ab40e41)
- fix(deps): update dependency @modelcontextprotocol/server to v2.0.0-beta.2 (#2) (01ed8c1)
- ci: add Renovate with custom managers for out-of-manifest pins (abdd3a3)
- ci: automate GitHub Release notes from CHANGELOG and commit log (7fccb8a)
Full Changelog: v0.4.0...v0.4.1
v0.4.0
What's New
Supply-chain hardening
- Pinned ACP adapter versions: the default config now pins
@agentclientprotocol/codex-acp@1.1.0and
@agentclientprotocol/claude-agent-acp@0.57.0instead of always fetching
the latest version at runtime. Adapter updates now ship through deliberate
Kyoso releases. You can still override the command/version in
kyoso.config.ts. - Version consistency enforcement:
bun testandpack:verifynow fail
if the MCP server version constant drifts frompackage.json, and a
release build fails if the git tag does not match the package version. - CI dependency scanning: CI and release workflows now install
dependencies through Aikido safe-chain, blocking known-malicious package
versions before they execute.
Release pipeline
- Starting with this release, Kyoso is published via npm trusted publishing
(OIDC) from GitHub Actions with provenance attestation. You can verify the
package withnpm audit signatures.
Full Changelog: v0.3.0...v0.4.0
v0.3.0
What's New
Single-agent mode: use Kyoso with only Claude or only Codex
Kyoso now works when only one backend CLI is available. Disable the missing
backend in kyoso.config.ts (see examples/claude-only.config.ts /
examples/codex-only.config.ts), and the remaining agent runs once as
combined_reviewer, covering both implementation and architecture/security
focus areas.
- JSON output now includes
reviewMode(multi_agent/single_agent) andagentsUsed - Markdown output shows a
Review mode:line; in single-agent mode it states
that cross-model verification was not performed and marks Disagreements as N/A kyoso doctorandkyoso setupsuggest a single-agent config when only one
backend command is found on PATH- Audit traces record the effective role per agent
Behavior change
- Agent role prompts are now driven by
agents.<name>.roleinkyoso.config.ts
instead of being hardcoded per agent name. Default configs behave the same;
if you had customizedrole, it now takes effect. - The MCP server now reports the correct package version (previously stuck at 0.1.0).
Full Changelog: v0.2.0...v0.3.0
v0.2.0 — one-command setup & multilingual READMEs
📦 npm: https://www.npmjs.com/package/@kyo-so/cli
Highlights
kyoso setup <codex|claude-code>— registers the Kyoso MCP server and installs the bundledkyoso-reviewskill in one command. Dry-run by default: nothing is written until you pass--write. Existing config entries are always kept, and reruns are idempotent.--runner npx|bunxpicks the launcher;--globaltargets user-level skill placement.kyoso doctornow detects MCP registration and skill placement, and tells you what to do next.- Quick Start docs — per-client, copy-paste setup for Claude Code and Codex, built on the npx/bunx-first premise (no global install).
- Multilingual READMEs — 日本語 (README.ja.md) and 简体中文 (README.zh-CN.md), with the English README as the canonical source.
Quick Start
npx @kyo-so/cli setup claude-code --write # or: setup codex
npx @kyo-so/cli doctorNotes
- Requires Node.js >= 20 for the packaged CLI
- Supply-chain tools enforcing a minimum package age (e.g. safe-chain) may hide this version for a few days right after release
v0.1.0 — first public release
Kyo-so (協奏) is an MCP-native, ACP-powered multi-agent review gate for AI coding workflows. It coordinates Codex and Claude as independent reviewers and merges their findings into a deterministic decision.
📦 npm: https://www.npmjs.com/package/@kyo-so/cli
Highlights
- MCP tools:
plan_review,security_review,diff_review - Two-agent review via ACP (codex-acp + claude-agent-acp) with schema-constrained findings — agents cannot write files or run commands
- CISA Secure by Design gates for security reviews
- Prompt-injection hardening: repository content, plans, and diffs are wrapped as untrusted content (verified against a live injection canary)
- Secret detection with redact-and-block defaults
- Config trust-on-first-use for
kyoso.config.ts - Per-agent model pins (
agents.<name>.model) — omit to use each agent's own default - Deterministic judge with optional lightweight LLM judge
Install
```bash
npx @kyo-so/cli mcp # or: bunx @kyo-so/cli mcp
```
See the README for MCP client registration (Codex / Claude Code) and the bundled kyoso-review skill.
Notes
- Requires Node.js >= 20 for the packaged CLI
- Depends on a prerelease
@modelcontextprotocol/serverAPI (no stable release yet) - Supply-chain tools that enforce a minimum package age (e.g. safe-chain) may hide this package for a few days right after release