Skip to content

Releases: SuperMarioYL/skillsig

v0.7.0

Choose a tag to compare

@SuperMarioYL SuperMarioYL released this 12 Jul 22:35

First public release.

v0.6.0

Choose a tag to compare

@SuperMarioYL SuperMarioYL released this 05 Jul 23:23

Two verification-correctness fixes.

Security / Fixed

  • verify now actually checks the signature bundle (high). runVerify never called the verifier package — verifier.VerifySkill was fully implemented but had zero callers, so a scope-clean skill with no/invalid bundle still read TRUSTED. A tampered manifest + missing bundle passed verify --ci TRUSTED at cold-start — the exact supply-chain vector skillsig exists to catch. verify now folds signature verification into every row: missing bundle → UNSIGNED, bundle that doesn't verify → SCOPE-DRIFTED (fails --ci), keyless → pending, and TRUSTED requires a valid signature. New internal/verifier/verifier_test.go covers signed / no-bundle / tampered / corrupt / keyless.
  • verify --trust no longer silently re-baselines a drifted scope (high). ScanAndTrust recorded the current (possibly broadened) declares into the lock for every in-version-TRUSTED skill, erasing cross-version drift. It now runs the lock-drift check first — a drifted skill reports SCOPE-DRIFTED and its baseline is preserved; re-baselining a drifted skill requires the new explicit verify --trust --force-trust.

Full notes: CHANGELOG.md.

v0.5.0

Choose a tag to compare

@SuperMarioYL SuperMarioYL released this 03 Jul 01:54

Signed manifest + cross-version scope-drift detector for Claude Code skills

v0.4.0

Choose a tag to compare

@SuperMarioYL SuperMarioYL released this 30 Jun 00:59

Signed manifest + scope-drift detector for Claude Code skills

v0.3.0

Choose a tag to compare

@SuperMarioYL SuperMarioYL released this 26 Jun 22:52

Signed manifest + scope-drift detector for Claude Code skills

v0.2.0

Choose a tag to compare

@SuperMarioYL SuperMarioYL released this 19 Jun 03:15

First feature iteration on the v0.1 line.

Added

  • verify --json / diff --json — machine-readable reports so CI can branch on results with jq instead of scraping the colored table. verify --json carries a per-skill array, a summary tally, and a top-level drift boolean (same condition --ci exits non-zero on). diff --json carries an escalation boolean plus the offending grants.

Fixed

  • Glob-aware cross-version diffskillsig diff and the ~/.skillsig/lock.yaml lock check previously used a literal string set-difference, so tightening an existing grant was wrongly reported as an escalation (e.g. narrowing Bash(git status*)Bash(git status -s), or \${WORKSPACE}/**\${WORKSPACE}/build/out.txt). The diff now reuses the same coverage predicate as the in-version verify check on every axis (tools + fs_write + network_egress), so only a genuinely new, uncovered grant fails CI.

Full notes: CHANGELOG.md

v0.1.1

Choose a tag to compare

@github-actions github-actions released this 19 Jun 01:36

Changelog

skillsig v0.1.0

Choose a tag to compare

@SuperMarioYL SuperMarioYL released this 13 Jun 05:01

Signed manifest + scope-drift detector for Claude Code skills.