v0.30.0 — the verification substrate

@amitpatole amitpatole released this 22 Jun 16:50
· 49 commits to main since this release

Verel becomes a verification substrate any agent can call over MCP — a conscience, a pair of eyes, and a receipt a different party can check. Three substrate slices, each shipped through the full audit → 3-round adversarial red-team cadence.

Highlights

  • Publicly-verifiable receipts (ed25519). A second party verifies a receipt offline with only the producer's public key — no shared secret. Trust is pinning, never TOFU: a valid signature isn't enough; the key_id must be trusted. New verify_receipt() + verel verify <receipt.json>. Optional extra verel[attest]; absent → ed25519 fails closed.
  • gate over MCP (the conscience). verel_gate runs the real graders on a repo and returns the attested verdict + a signed, publicly-verifiable gate-level receipt. An agent can no longer self-declare "done"; "an agent cannot fake green" becomes checkable. New verel_verify MCP verb.
  • sight over MCP (the eyes). verel_sight renders a URL through AgentVision and returns an attested percept — observations with pixel bboxes, an image_ref, intent conformance, and a receipt bound to the screenshot bytes. SSRF-safe by default; allow_local is an explicit opt-in.

Security

Shipped through audit → ≥3 adversarial red-team rounds per slice. Hardening (all regression-pinned): injective length-prefixed signing payloads across every signer (closed a real delimiter-injection on receipts and the toolsmith/registry signers), strict base64, ASCII-only key_id, cross-type domain separation, the gate envelope signs the verdict + ceiling_clamped + a percept subject so no trust-implying field is unsigned, and MCP host-boundary crash safety.
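
Why an injective, length-prefixed, domain-separated signing payload closes a delimiter injection, as an added illustration (not Verel's code or wire format; the "|" delimiter, the 4-byte length framing, the "receipt"/"percept" domain tags and the sample fields are assumptions made for this sketch):

```python
import struct

def delimiter_payload(fields):
    # Ambiguous framing: field boundaries cannot be recovered from the bytes.
    return b"|".join(f.encode("utf-8") for f in fields)

def _lp(data):
    # 4-byte big-endian length, then the bytes themselves.
    return struct.pack(">I", len(data)) + data

def length_prefixed_payload(domain, fields):
    # Domain tag (ASCII only) + field count + length-prefixed fields: distinct
    # inputs always give distinct bytes, so a signature covers one tuple only.
    parts = [_lp(domain.encode("ascii")), struct.pack(">I", len(fields))]
    parts += [_lp(f.encode("utf-8")) for f in fields]
    return b"".join(parts)

def decode_length_prefixed(payload):
    # Strict inverse; rejects truncated input and trailing bytes.
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(payload):
            raise ValueError("truncated payload")
        chunk = payload[pos:pos + n]
        pos += n
        return chunk
    def take_field():
        return take(struct.unpack(">I", take(4))[0])
    domain = take_field().decode("ascii")
    count = struct.unpack(">I", take(4))[0]
    fields = [take_field().decode("utf-8") for _ in range(count)]
    if pos != len(payload):
        raise ValueError("trailing bytes after last field")
    return domain, fields

# Constructed samples: two different field tuples that a "|"-join conflates.
FIELDS_A = ["repo|pass", "note"]
FIELDS_B = ["repo", "pass|note"]

if __name__ == "__main__":
    print(delimiter_payload(FIELDS_A) == delimiter_payload(FIELDS_B))
    print(length_prefixed_payload("receipt", FIELDS_A).hex())
    print(length_prefixed_payload("receipt", FIELDS_B).hex())
```

With the delimiter join, one signature is valid for both tuples; with the length-prefixed form, the signed bytes differ per tuple and per domain tag, so a signature made for one receipt type cannot be replayed as another.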

378-test suite; ruff + mypy clean.

pip install verel · pip install "verel[attest]" for public verifiability