v0.4.0
What's New
Supply-chain hardening
- Pinned ACP adapter versions: the default config now pins
@agentclientprotocol/codex-acp@1.1.0and
@agentclientprotocol/claude-agent-acp@0.57.0instead of always fetching
the latest version at runtime. Adapter updates now ship through deliberate
Kyoso releases. You can still override the command/version in
kyoso.config.ts. - Version consistency enforcement:
bun testandpack:verifynow fail
if the MCP server version constant drifts frompackage.json, and a
release build fails if the git tag does not match the package version. - CI dependency scanning: CI and release workflows now install
dependencies through Aikido safe-chain, blocking known-malicious package
versions before they execute.
Release pipeline
- Starting with this release, Kyoso is published via npm trusted publishing
(OIDC) from GitHub Actions with provenance attestation. You can verify the
package withnpm audit signatures.
Full Changelog: v0.3.0...v0.4.0