Skip to content

Releases: hokupod/kyoso

v0.7.1

Choose a tag to compare

@github-actions github-actions released this 09 Jul 13:53

Changed

  • Update @agentclientprotocol/sdk from 1.1.0 to 1.2.0: ACP schema 1.19.0,
    linear-time ndJsonStream receive path, and unified JSON-RPC message
    validation across transports.

Commits

  • chore(release): add 0.7.1 changelog (49daf4a)
  • build: bump version to 0.7.1 (cd22aae)
  • fix(deps): update dependency @agentclientprotocol/sdk to v1.2.0 (#10) (4a83083)

Full Changelog: v0.7.0...v0.7.1

v0.7.0

Choose a tag to compare

@github-actions github-actions released this 09 Jul 13:31

Added

  • agents.<name>.effort config field for Codex and Claude, mirroring
    agents.<name>.model. Kyoso sends it once per session as an ACP
    session/set_config_option request (effort for Claude,
    reasoning_effort for Codex). The request is fail-soft: a rejection is
    logged to stderr as a sanitized warning and surfaced to MCP/JSON callers
    via result.audit.warnings, and the review continues at the backend's
    own default effort. Settable from both user-global and project TOML
    (same risk profile as model: no command execution or env forwarding).

Fixed

  • Documentation still described the default Claude agent timeout as 240
    seconds; README (all languages), the design document, and the example
    config now reflect the 300-second default introduced in 0.6.0.

Commits

  • chore(release): add 0.7.0 changelog (9bad77d)
  • build: bump version to 0.7.0 (a4b2269)
  • docs: update Claude agent timeout references to 300s (196abe6)
  • feat(agents): add effort config for codex and claude (#9) (fb9e92b)
  • docs(readme): add review flow diagrams for all languages (3986cc4)

Full Changelog: v0.6.0...v0.7.0

v0.6.0

Choose a tag to compare

@github-actions github-actions released this 08 Jul 14:09

Added

  • TOML config loading with XDG user-global layering:
    $XDG_CONFIG_HOME/kyoso/config.toml or ~/.config/kyoso/config.toml, then
    project kyoso.toml.
  • Unknown-key detection for user-global config.toml; security-sensitive
    unknown settings fail closed by default, with --allow-unknown-config as an
    explicit opt-out.
  • Project TOML scope validation for repository-owned settings, including
    additive workspace.deny and tightening-only security/network keys.
  • kyoso doctor now reports global, project TOML, and legacy TypeScript config
    layers.

Changed

  • kyoso init now writes kyoso.toml.
  • --config now fails when the specified file does not exist.
  • Default Claude agent timeout raised from 240s to 300s; dogfooding traces
    showed frequent reviews truncated at the previous limit.
  • Repository dogfooding config and examples now use TOML.

Deprecated

  • kyoso.config.ts remains supported through the existing trust flow, but emits
    a deprecation warning. When both kyoso.toml and kyoso.config.ts exist,
    TOML takes precedence.

Commits

  • docs(readme): add ensemble illustration and model docs links (783d0a3)
  • feat(config): raise default Claude agent timeout to 300s (15ae71f)
  • feat(config): fail closed on missing --config and unknown security-sensitive keys (d76e9fa)
  • chore(release): add 0.6.0 changelog (472dcc5)
  • build: bump version to 0.6.0 (46ec6a3)
  • feat(config): add TOML config with XDG layering and deprecate kyoso.config.ts (0ece184)

Full Changelog: v0.5.0...v0.6.0

v0.5.0

Choose a tag to compare

@github-actions github-actions released this 08 Jul 09:52

Added

  • Cross-validation classification on aggregated findings: findings backed by
    both agents are marked corroborated, single-agent findings single_source.
  • Fusion-style cross-model analysis from the advisory judge: blind spots,
    semantic contradictions, and partial coverage are reported as advisory
    metadata (crossModelAnalysis); the deterministic decision is unchanged.
  • Optional adversarial verification round (verification.enabled, default
    off): single-source high/critical findings are sent to the other agent with
    a skeptical refute-first prompt. Annotate-only: verdicts adjust confidence
    and notes, never severity or the decision.
  • CI-ready MCP stdio and ACP subprocess integration tests now cover the real
    protocol boundaries without live LLM credentials. pack:verify also starts
    the packed CLI bin as an MCP server and checks its version and tool list.
  • Nix development shell pinning Node.js and Bun for reproducible local setups.

Changed

  • Reviewer prompts now require concise English finding titles (evidence,
    recommendations, and summaries may stay in the user's language) and clarify
    that selected files show the pre-change base state during diff reviews.
  • Same-category findings that reference overlapping line ranges in the same
    file now merge regardless of title wording, so cross-model corroboration no
    longer depends on title phrasing.

Commits

  • chore(release): add 0.5.0 changelog and keep packaged skill generic (a1c4cf9)
  • build: bump version to 0.5.0 (c6eaecd)
  • feat(aggregate): merge findings by overlapping line ranges (14dcdba)
  • feat(prompts): normalize finding titles to English and clarify base state (dbd6899)
  • chore: enable verification dogfooding for local reviews (a7fb293)
  • feat(verification): add adversarial cross-agent verification for high findings (b34a870)
  • feat(judge): add Fusion-style cross-model analysis to advisory judge (7b16076)
  • feat(aggregate): mark findings as corroborated or single_source (5bf394c)
  • build: add nix development shell (68ab7e6)
  • test: add MCP stdio and ACP subprocess integration coverage (61d284c)

Full Changelog: v0.4.1...v0.5.0

v0.4.1

Choose a tag to compare

@github-actions github-actions released this 07 Jul 13:14

Changed

  • Updated @modelcontextprotocol/server to 2.0.0-beta.2 and
    @agentclientprotocol/sdk to 1.1.0. Before release, the MCP stdio server
    handshake was smoke-tested against beta.2 and a full multi-agent review run
    was verified with real Codex and Claude agents on the updated ACP stack.

Commits

  • build: bump version to 0.4.1 (c6cfb7c)
  • chore(deps): update dependency node to v24 (#7) (cb96206)
  • chore(deps): update actions/setup-node action to v6 (#6) (0f404fe)
  • chore(deps): update actions/checkout action to v7 (#5) (31db841)
  • fix(deps): update dependency @agentclientprotocol/sdk to v1.1.0 (#4) (1d19c0f)
  • docs: add DeepWiki badge (4b4634e)
  • chore(deps): update dependency prettier to v3.9.4 (#1) (ab40e41)
  • fix(deps): update dependency @modelcontextprotocol/server to v2.0.0-beta.2 (#2) (01ed8c1)
  • ci: add Renovate with custom managers for out-of-manifest pins (abdd3a3)
  • ci: automate GitHub Release notes from CHANGELOG and commit log (7fccb8a)

Full Changelog: v0.4.0...v0.4.1

v0.4.0

Choose a tag to compare

@hokupod hokupod released this 07 Jul 12:00

What's New

Supply-chain hardening

  • Pinned ACP adapter versions: the default config now pins
    @agentclientprotocol/codex-acp@1.1.0 and
    @agentclientprotocol/claude-agent-acp@0.57.0 instead of always fetching
    the latest version at runtime. Adapter updates now ship through deliberate
    Kyoso releases. You can still override the command/version in
    kyoso.config.ts.
  • Version consistency enforcement: bun test and pack:verify now fail
    if the MCP server version constant drifts from package.json, and a
    release build fails if the git tag does not match the package version.
  • CI dependency scanning: CI and release workflows now install
    dependencies through Aikido safe-chain, blocking known-malicious package
    versions before they execute.

Release pipeline

  • Starting with this release, Kyoso is published via npm trusted publishing
    (OIDC) from GitHub Actions with provenance attestation. You can verify the
    package with npm audit signatures.

Full Changelog: v0.3.0...v0.4.0

v0.3.0

Choose a tag to compare

@hokupod hokupod released this 07 Jul 09:23

What's New

Single-agent mode: use Kyoso with only Claude or only Codex

Kyoso now works when only one backend CLI is available. Disable the missing
backend in kyoso.config.ts (see examples/claude-only.config.ts /
examples/codex-only.config.ts), and the remaining agent runs once as
combined_reviewer, covering both implementation and architecture/security
focus areas.

  • JSON output now includes reviewMode (multi_agent / single_agent) and agentsUsed
  • Markdown output shows a Review mode: line; in single-agent mode it states
    that cross-model verification was not performed and marks Disagreements as N/A
  • kyoso doctor and kyoso setup suggest a single-agent config when only one
    backend command is found on PATH
  • Audit traces record the effective role per agent

Behavior change

  • Agent role prompts are now driven by agents.<name>.role in kyoso.config.ts
    instead of being hardcoded per agent name. Default configs behave the same;
    if you had customized role, it now takes effect.
  • The MCP server now reports the correct package version (previously stuck at 0.1.0).

Full Changelog: v0.2.0...v0.3.0

v0.2.0 — one-command setup & multilingual READMEs

Choose a tag to compare

@hokupod hokupod released this 05 Jul 08:18

📦 npm: https://www.npmjs.com/package/@kyo-so/cli

Highlights

  • kyoso setup <codex|claude-code> — registers the Kyoso MCP server and installs the bundled kyoso-review skill in one command. Dry-run by default: nothing is written until you pass --write. Existing config entries are always kept, and reruns are idempotent. --runner npx|bunx picks the launcher; --global targets user-level skill placement.
  • kyoso doctor now detects MCP registration and skill placement, and tells you what to do next.
  • Quick Start docs — per-client, copy-paste setup for Claude Code and Codex, built on the npx/bunx-first premise (no global install).
  • Multilingual READMEs — 日本語 (README.ja.md) and 简体中文 (README.zh-CN.md), with the English README as the canonical source.

Quick Start

npx @kyo-so/cli setup claude-code --write   # or: setup codex
npx @kyo-so/cli doctor

Notes

  • Requires Node.js >= 20 for the packaged CLI
  • Supply-chain tools enforcing a minimum package age (e.g. safe-chain) may hide this version for a few days right after release

v0.1.0 — first public release

Choose a tag to compare

@hokupod hokupod released this 05 Jul 06:58

Kyo-so (協奏) is an MCP-native, ACP-powered multi-agent review gate for AI coding workflows. It coordinates Codex and Claude as independent reviewers and merges their findings into a deterministic decision.

📦 npm: https://www.npmjs.com/package/@kyo-so/cli

Highlights

  • MCP tools: plan_review, security_review, diff_review
  • Two-agent review via ACP (codex-acp + claude-agent-acp) with schema-constrained findings — agents cannot write files or run commands
  • CISA Secure by Design gates for security reviews
  • Prompt-injection hardening: repository content, plans, and diffs are wrapped as untrusted content (verified against a live injection canary)
  • Secret detection with redact-and-block defaults
  • Config trust-on-first-use for kyoso.config.ts
  • Per-agent model pins (agents.<name>.model) — omit to use each agent's own default
  • Deterministic judge with optional lightweight LLM judge

Install

```bash
npx @kyo-so/cli mcp # or: bunx @kyo-so/cli mcp
```

See the README for MCP client registration (Codex / Claude Code) and the bundled kyoso-review skill.

Notes

  • Requires Node.js >= 20 for the packaged CLI
  • Depends on a prerelease @modelcontextprotocol/server API (no stable release yet)
  • Supply-chain tools that enforce a minimum package age (e.g. safe-chain) may hide this package for a few days right after release