v0.1.216

@github-actions github-actions released this 04 Jun 21:52
v0.1.216
3b5fe95

What's new in v0.1.216

[0.1.216] — 2026-06-04

Security fix (pyjwt CVE) + honest FedRAMP framing + the hosted one-line installer reach PyPI.

Rollup release of the post-v0.1.215 work merged to main, so what users install matches the current docs. The headline is the pyjwt security fix — a fresh pip install efterlev==0.1.215 still resolves the vulnerable pyjwt 2.12.1; this release carries the floor.

Fixed

  • Security: pyjwt>=2.13.0 floor over the mcp transitive — closes PYSEC-2026-175/177/178/179 (4 CVEs in 2.12.1). pip-audit clean.
  • install.sh uses uv tool install --force so the one-liner overwrites a stale efterlev instead of erroring out on "Executable already exists."
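The pyjwt floor above is a version constraint over a transitive dependency, so it is worth checking the resolved environment rather than trusting the declared requirement. The following is an added example, not efterlev's own code: it parses constructed pip freeze output and reports any package that resolves below its security floor, with only the pyjwt floor taken from this release (the mcp pin shown is illustrative).

```python
"""Check a resolved environment (pip freeze output) against security version
floors, e.g. the pyjwt>=2.13.0 floor this release carries over mcp's transitive.
Added example, not part of efterlev; the freeze texts below are constructed."""
import re
from typing import Dict, List, Tuple

# Floors keyed by PEP 503-normalized project name. Only pyjwt comes from the
# release notes; add further entries as a release declares them.
FLOORS = {"pyjwt": "2.13.0"}


def normalize(name: str) -> str:
    """PEP 503 normalization so 'PyJWT' and 'pyjwt' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def release_tuple(version: str) -> Tuple[int, ...]:
    """Numeric release segment only ('2.12.1' -> (2, 12, 1)), with trailing
    zeros dropped so '2.13' == '2.13.0'. Pre/post/dev suffixes are ignored,
    which is enough for floor checks on final releases; for full PEP 440
    semantics use packaging.version instead."""
    core = re.match(r"^\d+(\.\d+)*", version.strip())
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_freeze(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; comments, editable and URL pins are skipped."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-e ")) or "@" in line:
            continue
        name, _, ver = line.partition("==")
        if ver:
            pins[normalize(name)] = ver.strip()
    return pins


def floor_violations(pins: Dict[str, str], floors=FLOORS) -> List[str]:
    """One finding per floored package that is absent or resolves below its floor.
    Absence is flagged because the floor assumes the package is pulled in."""
    findings = []
    for pkg, floor in floors.items():
        installed = pins.get(pkg)
        if installed is None:
            findings.append(f"{pkg}: not installed (floor >={floor})")
        elif release_tuple(installed) < release_tuple(floor):
            findings.append(f"{pkg}: {installed} < {floor}")
    return findings


# Constructed freeze outputs: the stale resolution and the fixed one.
STALE_FREEZE = "efterlev==0.1.215\nmcp==1.0.0\nPyJWT==2.12.1\n"
FIXED_FREEZE = "efterlev==0.1.216\nmcp==1.0.0\nPyJWT==2.13.0\n"
```

Run it against the real output of `pip freeze` in the fresh venv the triage creates; a non-empty list is the condition a release gate should fail on.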

Added

  • One-line bootstrap installer hosted at https://docs.efterlev.org/install.sh (curl -LsSf … | sh installs uv if missing, then the CLI). README leads with it.

Changed

  • Framing aligned with FedRAMP maintainer guidance (FedRAMP/community #101): README gains a "What FedRAMP 20x actually grades" section; the deterministic detectors are framed as the signal, with the persistent-validation surface (provenance, change-control, continuous re-scan, runtime ingestion) as the value; "FRMR is the primary output" softened toward the emerging Security Decision Record. LIMITATIONS gains "Config evidence is a signal, not proof."
  • README/docs refer to the FedRAMP level as "Class C (Moderate)" (FedRAMP 20x / RFC-0020 certification classes); the docs site moved to docs.efterlev.org.
  • docker/setup-qemu-action SHA bump (v4.0.0 → v4.1.0; folded in from Dependabot #442).

Internal

  • DECISIONS: SDR/persistent-V&V arc re-scope (2026-06-03); CR26 migration tracking + RFC-0031 INR scope (2026-05-31, amended 2026-06-04). Test/detector counts unchanged (2403 / 66).

Cross-references

  • Bundles PRs #439–#445. The bedrock_openai (OpenAI-on-Bedrock) backend is intentionally NOT in this release — it's experimental and holding for live accuracy validation on its own PR.

Efterlev v0.1.216 — post-release triage

Deterministic, zero-LLM validation of the published wheel + container.
Generated by scripts/triage.sh on every tag push (see
.github/workflows/post-release-triage.yml).

Summary

| Check | Status | Detail |
|---|---|---|
| T1 install | ✅ PASS | wheel installed; efterlev --version → 0.1.216 |
| T2 doctor shape | ✅ PASS | all 7 checks present (python_version, install_uniqueness, efterlev_dir, frmr_cache, anthropic_api_key, bedrock_credentials, boundary_declared) |
| T3 detector count | ✅ PASS | registry reports 66 detectors |
| T4 verify-release.sh | ✅ PASS | 4/4 checks passed (PyPI PEP 740 + cosign + SLSA v1) |
| T5 container manifest | ✅ PASS | multi-arch image present: linux/amd64 linux/arm64 |
| T6 check-docs | ✅ PASS | no doc-vs-code drift detected |
| T7 release-smoke | ✅ PASS | matrix green across all cells (run #26981770540) |

Result: 7 passed, 0 failed.

Methodology

This triage runs the same shape that surfaced F1–H1 across the v0.1.12–v0.1.15 arc: install the published wheel from PyPI in a fresh venv, run sanity checks, invoke verify-release.sh against PyPI + ghcr, inspect the container manifest + supply-chain artifacts, and run check-docs.py against the tagged source. Every check is deterministic — no LLM call, no per-release cost beyond CI minutes.

Release v0.1.216 ships clean.