The v4 release wave, tied off.
If you are upgrading from 0.3.x, everything that shipped in 0.4.0 is here with both follow-up fixes folded in.
Fix in this patch
The ten OAuth provider factories added in 0.4.0 were missing from the top-level kavachos/auth barrel, so import { notion } from "kavachos/auth" did not resolve even though the code was there. auth/index.ts now re-exports the whole providers barrel, which also means future provider additions pick themselves up automatically.
What the full v4 wave delivered (0.4.0 + 0.4.1 + 0.4.2)
Agentic JWT claim constants
Two IETF drafts, draft-goswami-agentic-jwt-00 and draft-liu-agent-operation-authorization-01, are encoded as typed constants in the new kavachos/standards subpath. Turn on emitAgenticJwtClaims and every issued token carries agent_id, agent_type, and trust_tier. Off by default so existing deployments do not change token shape on upgrade.
Ten new OAuth providers as first-class named exports
Notion, Spotify, Discord, Slack, Twitch, Reddit, Figma, Dropbox, Zoom, Atlassian. Each ships with a typed factory, a DEFAULT_X_SCOPES constant, and a profile normaliser. You stop writing those three boilerplate files per provider.
Audit export as W3C Verifiable Credentials
exportAuditAsVC from the new kavachos/vc subpath writes your audit log out as ldp_vc or jwt_vc, individual events or a Verifiable Presentation. Useful for compliance exports that downstream auditors can verify offline without touching your database.
create-kavachos-app on npm
pnpm create kavachos-app my-app scaffolds a working Next.js App Router template.
Upgrade
pnpm add [email protected]
No breaking changes from 0.3.x. Every new feature is behind an opt-in config flag or an additional import path.