Fixed
- Provenance no longer deadlocks the install that brings its own verifier. A fresh checkout with
provenanceactive could not install its ownsigstore(the tool provenance needs).tooling-unavailablenow degrades the tool-absent case to a loud warning while a genuinely invalid bundle still blocks fail-closed. The residual (an attacker deletingsigstore) is a first-class Attack Labknown-gap, not silently swallowed. - Clearer guard block message for a package-manager word inside shell substitution — explains the non-install case instead of the misleading 'rewrite the install' text. Parser unchanged, still fail-closed.
First release guarded by the new SECURITY.md supported-versions test. Published with Sigstore provenance from CI; dist reproduces byte-identically from the v0.13.1 tag.