Skip to content

v3.7.1: config-honesty + SkillSpector v2.1.4

Choose a tag to compare

View all tags
@HetCreep HetCreep released this 14 Jun 15:40
· 21 commits to main since this release
v3.7.1
This tag was signed with the committer’s verified signature.
HetCreep
SSH Key Fingerprint: 0osv9sipbbl2qmrI00rRA3kcEKs4ZuS+FBihPD/c8DU
Verified
Learn about vigilant mode.
13e0a75
This commit was signed with the committer’s verified signature.
HetCreep
SSH Key Fingerprint: 0osv9sipbbl2qmrI00rRA3kcEKs4ZuS+FBihPD/c8DU
Verified
Learn about vigilant mode.

v3.7.1: config-honesty + SkillSpector v2.1.4

Changed

  • Config-honesty pass: every documented .coalmine.json key now has a real consumer. Seven keys that were defined and documented but never read are now wired into the canaries and the conductor: defaultTier, autoFixMode, schemaPaths/migrationDirs, packageManifests, trustedDomains, skipOnboarding. Adds a conductor skipOnboarding test (gate suite 35).

Removed

  • Tombstoned skillUpdateCheckDays: no consumer, and offline skill-staleness is not verifiable by a fail-silent hook (the marketplace/host owns update checks).

Security

  • SkillSpector refreshed to v2.1.4: the static pass scores 58/100, and all 3 findings remain reviewed false-positives (an HTML-comment freshness stamp, the consent-gate line itself, a session-scoped temp file). The LLM semantic pass does not complete on the available API tier, so the headline falls back to the pessimistic static number. The real assurance is structural (Phoenix-13). See SECURITY.md.

Added (carried from Unreleased)

  • Version-pin drift gate: any doc line with a version-pin: marker must quote the current plugin.json version, or verify.mjs fails.

Gate: build-plugin 9/9, verify PASS, 35 tests. Commit + tag SSH-signed (Verified).

Assets 2
Loading