release(#1695): v0.4.2 — clear BC dependabot false positives

Functionally identical to v0.4.1; consumer-visible POM is byte-for-byte
the same (no BouncyCastle in runtimeClasspath, confirmed).

The only change: make the existing BC 1.84 pin visible to Dependabot.

Dependabot reads the submitted *requested* dependency graph, not the
resolved graph, so our `force(...)` block was invisible to it — it
kept alerting on 1.80-range CVEs that don't apply to our build (1.84
is patched per OSV + GHSA, and lockfile + verification-metadata both
record 1.84 as resolved).

Fix: declare the four BC artifacts explicitly at 1.84 via
`compileOnly(...)` in build.gradle.kts. `compileOnly` doesn't ship to
consumers (no transitive leak; runtimeClasspath stays clean), but
gives Dependabot the explicit 1.84 nodes it reads from.

Existing `configurations.all { force(...) }` block kept as
belt-and-suspenders for any transitive request that bypasses
compileClasspath.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Skobeltsyn

CHANGELOG.md

@@ -2,6 +2,11 @@
 
 All notable changes to Agents.KT are documented here. The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and the project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). Pre-1.0, minor bumps may add new public API; existing API surface is preserved.
 
+## [0.4.2] — 2026-05-12
+
+### Security
+- **Make BouncyCastle 1.84 pin visible to Dependabot.** The existing `force(...)` block in `build.gradle.kts` already pins BC to 1.84 (the patched release per OSV + GHSA) and the lockfile + verification metadata confirm 1.84 is what resolves. However, Dependabot's submitted dependency graph reads *requested* versions, not resolved, and was still alerting on the 1.80-range CVEs that don't apply to our build. Declare BC 1.84 explicitly at the project level via `compileOnly(...)` so Dependabot sees the explicit 1.84 nodes. `compileOnly` does NOT ship to consumers and does NOT add to the runtime jar — `runtimeClasspath` stays free of BC, as before. No functional change for downstream users.
+
 ## [0.4.1] — 2026-05-12
 
 Dependency refresh on top of the v0.4.0 feature set. v0.4.0 was tagged on GitHub but never reached Maven Central; **0.4.1 is the first published release of the three-providers feature set**.

PUBLISHING.md

@@ -57,13 +57,13 @@ Escape newlines as `\n` for the property file.
 ./gradlew publishMavenCentralPublicationToMavenLocal
 ```
 
-Artifacts land in `~/.m2/repository/ai/deep-code/agents-kt/0.4.1/`.
+Artifacts land in `~/.m2/repository/ai/deep-code/agents-kt/0.4.2/`.
 
 ### 2. Generate checksums and create bundle
 
 ```bash
-SRC=~/.m2/repository/ai/deep-code/agents-kt/0.4.1
-DEST=build/bundle/ai/deep-code/agents-kt/0.4.1
+SRC=~/.m2/repository/ai/deep-code/agents-kt/0.4.2
+DEST=build/bundle/ai/deep-code/agents-kt/0.4.2
 mkdir -p "$DEST"
 
 for f in "$SRC"/agents-kt-*; do
@@ -78,17 +78,17 @@ done
 
 ```bash
 cd build/bundle
-zip -r ../agents-kt-0.4.1-bundle.zip ai/
+zip -r ../agents-kt-0.4.2-bundle.zip ai/
 ```
 
-The ZIP must contain the full path: `ai/deep-code/agents-kt/0.4.1/...`
+The ZIP must contain the full path: `ai/deep-code/agents-kt/0.4.2/...`
 
 ## Upload to Central Portal
 
 1. Go to [central.sonatype.com](https://central.sonatype.com) → **Deployments** → **Publish Component**
-2. **Deployment Name:** `ai.deep-code:agents-kt:0.4.1`
+2. **Deployment Name:** `ai.deep-code:agents-kt:0.4.2`
 3. **Description:** `Typed Kotlin DSL framework for AI agent systems`
-4. Upload `build/agents-kt-0.4.1-bundle.zip`
+4. Upload `build/agents-kt-0.4.2-bundle.zip`
 5. Wait for validation to pass
 6. Click **Publish**
 
@@ -99,27 +99,27 @@ Propagation to Maven Central search takes 10-30 minutes after publishing.
 Each artifact needs: the file itself, `.asc` (GPG signature), `.md5`, and `.sha1`.
 
 ```
-ai/deep-code/agents-kt/0.4.1/
-  agents-kt-0.4.1.jar
-  agents-kt-0.4.1.jar.asc
-  agents-kt-0.4.1.jar.md5
-  agents-kt-0.4.1.jar.sha1
-  agents-kt-0.4.1-sources.jar
-  agents-kt-0.4.1-sources.jar.asc
-  agents-kt-0.4.1-sources.jar.md5
-  agents-kt-0.4.1-sources.jar.sha1
-  agents-kt-0.4.1-javadoc.jar
-  agents-kt-0.4.1-javadoc.jar.asc
-  agents-kt-0.4.1-javadoc.jar.md5
-  agents-kt-0.4.1-javadoc.jar.sha1
-  agents-kt-0.4.1.pom
-  agents-kt-0.4.1.pom.asc
-  agents-kt-0.4.1.pom.md5
-  agents-kt-0.4.1.pom.sha1
-  agents-kt-0.4.1.module
-  agents-kt-0.4.1.module.asc
-  agents-kt-0.4.1.module.md5
-  agents-kt-0.4.1.module.sha1
+ai/deep-code/agents-kt/0.4.2/
+  agents-kt-0.4.2.jar
+  agents-kt-0.4.2.jar.asc
+  agents-kt-0.4.2.jar.md5
+  agents-kt-0.4.2.jar.sha1
+  agents-kt-0.4.2-sources.jar
+  agents-kt-0.4.2-sources.jar.asc
+  agents-kt-0.4.2-sources.jar.md5
+  agents-kt-0.4.2-sources.jar.sha1
+  agents-kt-0.4.2-javadoc.jar
+  agents-kt-0.4.2-javadoc.jar.asc
+  agents-kt-0.4.2-javadoc.jar.md5
+  agents-kt-0.4.2-javadoc.jar.sha1
+  agents-kt-0.4.2.pom
+  agents-kt-0.4.2.pom.asc
+  agents-kt-0.4.2.pom.md5
+  agents-kt-0.4.2.pom.sha1
+  agents-kt-0.4.2.module
+  agents-kt-0.4.2.module.asc
+  agents-kt-0.4.2.module.md5
+  agents-kt-0.4.2.module.sha1
 ```
 
 ## Version Bump

README.md

@@ -173,7 +173,7 @@ Topical guides:
 ```kotlin
 // build.gradle.kts
 dependencies {
-    implementation("ai.deep-code:agents-kt:0.4.1")
+    implementation("ai.deep-code:agents-kt:0.4.2")
 }
 ```
 

RELEASE_NOTES.md

@@ -1,97 +1,43 @@
-# Agents.KT v0.4.1 — Three Providers, Refreshed Deps
+# Agents.KT v0.4.2 — Three Providers + Clean Dependabot
 
 **Release date:** 2026-05-12
 
-**0.4.1 is the first Maven Central release of the three-providers feature set.** v0.4.0 was tagged on GitHub but never published; if you grabbed the artifacts manually from the v0.4.0 tag, switch your dependency declaration to `0.4.1` to pick up the security refresh.
+Functionally identical to v0.4.1. The only change is making the BouncyCastle 1.84 pin visible to Dependabot so the four false-positive alerts on `main` clear.
 
-## What's new (same as the v0.4.0 surface)
+## What changed
 
-### Three model providers, one `ModelClient`
+### BouncyCastle 1.84 declared explicitly (build-only)
 
-```kotlin
-// Local / cloud Ollama (since 0.1)
-model { ollama("qwen2.5:7b"); host = "localhost"; port = 11434 }
-
-// Anthropic — new
-model { claude("claude-opus-4-7"); apiKey = System.getenv("ANTHROPIC_API_KEY") }
-
-// OpenAI Chat Completions — new
-model { openai("gpt-4o"); apiKey = System.getenv("OPENAI_API_KEY") }
-```
-
-`LlmMessage` / `LlmResponse` are provider-agnostic. Each adapter handles the provider's own conventions internally — Anthropic's structured `tool_use` / `tool_result` content blocks, OpenAI's stringified `function.arguments` and synthesized `tool_call_id`s, Ollama's flat shape with inline-JSON fallback. The agentic loop on top is unchanged.
-
-Both new adapters share the same boundary contract `OllamaClient` established: top-level provider error envelopes surface as `LlmProviderException`, not garbled text masquerading as model output (`#702`).
-
-### Fail-fast at REPL startup
+The existing `force(...)` block in `build.gradle.kts` already pins BC to 1.84 — confirmed patched by both OSV and GHSA. The lockfile and `gradle/verification-metadata.xml` both record 1.84 as the resolved version. But Dependabot reads the *requested* dependency graph submitted by `gradle/actions/dependency-submission`, not the *resolved* graph, so it kept alerting on the 1.80 vulnerabilities that don't apply.
 
-`LiveShowBuilder.precheck: (() -> Unit)?` runs after argument parsing and before the banner / `--once` / REPL prompt. Throw to abort; the runner prints `error: <msg>` and returns exit code 2. No more mid-spinner `java.net.ConnectException` on the first turn.
+The fix: declare BC 1.84 explicitly via `compileOnly(...)` at the project level. `compileOnly` does NOT propagate to consumers — `runtimeClasspath` stays free of BC, same as 0.4.1. The only effect is that Dependabot now sees explicit 1.84 nodes in the graph.
 
 ```kotlin
-LiveRunner.serve(captain, args) {
-    prompt = "fib> "
-    precheck = OllamaPreflight(host = "localhost", port = 11434)::check
+dependencies {
+    compileOnly("org.bouncycastle:bcprov-jdk18on:1.84")
+    compileOnly("org.bouncycastle:bcpg-jdk18on:1.84")
+    compileOnly("org.bouncycastle:bcpkix-jdk18on:1.84")
+    compileOnly("org.bouncycastle:bcutil-jdk18on:1.84")
 }
 ```
 
-The precheck hook is generic — config validation, environment checks, even a database connection can run before the user types anything (`#1132`).
-
-### Typed `@Generable` args, live, on every provider
-
-`TypedArgsLiveIntegrationTest` covers the full round-trip — `@Generable` schema generation → provider envelope (Ollama `parameters`, Anthropic `input_schema`, OpenAI `parameters`) → wire serialization → response parse → `KClass.constructFromMap` → typed executor — against real models. Three tests, one per provider, each gated so a fresh clone without keys stays green (`#1675`).
-
-### `apiKey` no longer leaks through `toString`
-
-`ModelConfig.toString()` masks the API key as `apiKey=sk-ant…108chars` instead of dumping the body. `equals`/`hashCode` still consider apiKey (cache keying stays correct); masking is observation-only. `SECURITY.md` gained a "Handling LLM provider credentials" section with the `.secrets/` convention, file perms, the masking contract, and a "if a key is committed → rotate first" runbook (`#1665`).
-
-## Fixed
-
-### OllamaClient: assistant tool-call turns wire `content: null`
+Why we don't drop the `force(...)` block: it's still belt-and-suspenders for any transitive request that bypasses `compileClasspath`.
 
-External bug report: every multi-turn agentic loop against Ollama Cloud `gpt-oss:120b-cloud` / `gpt-oss:20b-cloud` was hitting `500 Internal Server Error`. Root cause: assistant messages with `tool_calls` and no text were serialised as `content: ""`, but the OpenAI / Ollama chat-completions spec says `content` should be `null` (or omitted) when `tool_calls` is present.
+## Inherited from v0.4.1
 
-The fix null-coerces only when **all three** hold: role is `assistant`, `tool_calls` is non-empty, and content is blank. Legitimate empty-string assistant turns (no tool_calls) keep their previous shape. Ollama-only patch; the other two adapters were already spec-compliant. Six regression cases cover the truth table from the bug report (`#1694`).
+(See `RELEASE_NOTES.md` in the v0.4.1 tag for the full notes; same content lands in 0.4.2 unchanged.)
 
-## Security refresh (new in 0.4.1)
-
-- `kotlinx-coroutines-core` and `kotlinx-coroutines-test` 1.10.2 → 1.11.0 (production + test).
-- Gradle wrapper 9.4.1 → 9.5.0 (build).
-- Lockfile and `gradle/verification-metadata.xml` regenerated.
-
-Closes the four dependabot advisories on `main` and supersedes the open dependabot PRs.
-
-## Binary compatibility
-
-**Source-compatible** with 0.3.x — every new public API has defaults; existing code compiles unchanged.
-
-**Wire-shape change for Ollama tool-call messages** (`#1694`) — assistant turns with `tool_calls` and no textual content now serialize as `content: null` on the wire instead of `content: ""`. Pure payload shaping; in-memory `LlmMessage` is unchanged. Local Ollama tolerated both shapes; Ollama Cloud's strict validators only accept the new form, so this is functionally a regression fix for cloud users.
-
-## Migration
-
-If you're on 0.3.x and only using Ollama, nothing to do. Bump the version, rebuild, ship.
-
-If you want to try Claude or OpenAI:
-
-```kotlin
-agent("coder") {
-    model {
-        claude("claude-opus-4-7")            // or openai("gpt-4o")
-        apiKey = System.getenv("ANTHROPIC_API_KEY")
-        temperature = 0.0
-        maxTokens = 4096                     // required for both cloud providers
-    }
-    skills { /* unchanged */ }
-}
-```
+- Three model providers — Ollama, Claude, OpenAI (#1644, #1656)
+- LiveRunner precheck hook + `OllamaPreflight` (#1132)
+- Live typed-args integration tests across all three providers (#1675)
+- `ModelConfig.toString()` masks `apiKey` (#1665)
+- Ollama wire-shape fix: `content: null` on assistant tool-call turns (#1694)
+- Dependency refresh: `kotlinx-coroutines` 1.11.0, Gradle 9.5.0
 
-Local development convention: keep keys in `<repo-root>/.secrets/anthropic-key` and `<repo-root>/.secrets/openai-key` (gitignored), `chmod 0600`. See `SECURITY.md` for the full handling guidance.
+## Migration from v0.4.1
 
-## What's next (Phase 2)
+Nothing to do. Drop-in upgrade. `runtimeClasspath` is byte-for-byte identical.
 
-- Streaming (`Flow<LlmResponseChunk>`) on every adapter — kills the dead-air spinner.
-- Prompt caching headers for Claude — `cache_control: ephemeral` on long system prompts and knowledge blocks.
-- KSP compile-time `@Generable` (replaces runtime reflection).
-- Google (Gemini) adapter — last on the multi-provider list.
-- `Tool<IN, OUT>` base hierarchy + `McpTool<IN, OUT>` subclass, unblocking `grants { }` typed permissions.
+## Migration from 0.3.x
 
-Full roadmap: [`docs/roadmap.md`](docs/roadmap.md).
+Same as 0.4.1 — see [`RELEASE_NOTES.md`](https://github.com/Deep-CodeAI/Agents.KT/blob/v0.4.1/RELEASE_NOTES.md) at the v0.4.1 tag.

build.gradle.kts

@@ -6,7 +6,7 @@ plugins {
 }
 
 group = "ai.deep-code"
-version = "0.4.1"
+version = "0.4.2"
 
 repositories {
     mavenCentral()
@@ -37,6 +37,20 @@ dependencies {
     implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:1.11.0")
     testImplementation(kotlin("test"))
     testImplementation("org.jetbrains.kotlinx:kotlinx-coroutines-test:1.11.0")
+
+    // #1695 — Dependabot's submitted dependency graph reads requested
+    // versions, not resolved. The `force(...)` block above pins to 1.84 (a
+    // patched release with no known CVEs per OSV + GHSA), but dependabot
+    // still sees the Kotlin Gradle plugin's transitive request for 1.80 and
+    // alerts on the 1.80-range vulnerabilities. Declaring 1.84 explicitly at
+    // the project level — via `compileOnly`, which does NOT ship to
+    // consumers and does NOT add to the runtime jar — gives dependabot an
+    // explicit 1.84 node in the graph so it stops flagging the resolved-away
+    // 1.80 vulnerabilities.
+    compileOnly("org.bouncycastle:bcprov-jdk18on:1.84")
+    compileOnly("org.bouncycastle:bcpg-jdk18on:1.84")
+    compileOnly("org.bouncycastle:bcpkix-jdk18on:1.84")
+    compileOnly("org.bouncycastle:bcutil-jdk18on:1.84")
 }
 
 kotlin {

gradle.lockfile

@@ -8,10 +8,10 @@ org.antlr:stringtemplate:3.2.1=pitest
 org.apache.commons:commons-lang3:3.18.0=pitest
 org.apache.commons:commons-text:1.14.0=pitest
 org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
-org.bouncycastle:bcpg-jdk18on:1.84=kotlinBouncyCastleConfiguration
-org.bouncycastle:bcpkix-jdk18on:1.84=kotlinBouncyCastleConfiguration
-org.bouncycastle:bcprov-jdk18on:1.84=kotlinBouncyCastleConfiguration
-org.bouncycastle:bcutil-jdk18on:1.84=kotlinBouncyCastleConfiguration
+org.bouncycastle:bcpg-jdk18on:1.84=compileClasspath,kotlinBouncyCastleConfiguration
+org.bouncycastle:bcpkix-jdk18on:1.84=compileClasspath,kotlinBouncyCastleConfiguration
+org.bouncycastle:bcprov-jdk18on:1.84=compileClasspath,kotlinBouncyCastleConfiguration
+org.bouncycastle:bcutil-jdk18on:1.84=compileClasspath,kotlinBouncyCastleConfiguration
 org.jetbrains.kotlin:abi-tools-api:2.3.21=kotlinInternalAbiValidation
 org.jetbrains.kotlin:abi-tools:2.3.21=kotlinInternalAbiValidation
 org.jetbrains.kotlin:kotlin-build-tools-api:2.3.21=kotlinBuildToolsApiClasspath,kotlinCompilerClasspath