v0.7.1 — PROVE robustness hardening
Proximo 0.7.1 — PROVE robustness hardening
A hardening pass over the 0.7.0 PROVE audit ledger. The cryptographic guarantees were re-verified as holding (chain integrity, downgrade rejection, no forgery without the key, off-box tail-pin detection); the changes here are robustness, crash-consistency and upgrade-UX fixes around the crypto, found in an adversarial review and shipped with 23 new regression tests.
Highlights
- Race-safe keyed-default migration — the unkeyed→keyed rotation claims the new log path atomically, so a concurrent writer can't corrupt the new keyed ledger.
- Crash-consistency — a crash-torn last line can no longer concatenate the next append (which could silently re-anchor the chain at genesis); `verify()` fails clean on a malformed `entry_hash` instead of crashing; an entry chained after a ledger seal is now flagged.
- Upgrade UX — a pinned `PROXIMO_AUDIT_EXPECTED_HEAD` is normalized (case/whitespace-tolerant) so a copy-paste slip can't brick tooling; `audit_verify` returns a `rotation_hint` that tells a benign migration head-rotation apart from a tail attack.
- Non-finite (NaN/Inf) audit detail is rejected at write time (the ledger stays RFC 8259-clean).
- Release leak-audit strips `CLAUDE.md` by basename in both the `audit` report and the `build-tree` publisher.
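The failure modes in the Crash-consistency and Upgrade UX items are easiest to see on a toy ledger. The block below is an added illustration, not Proximo's code: an unkeyed SHA-256 hash chain over one JSON object per line, with an `append` that refuses to glue a new entry onto a crash-torn tail, a `verify` that reports torn lines and malformed `entry_hash` values without raising and without falling back to genesis, write-time rejection of NaN/Inf, and a whitespace/case-tolerant head pin. The genesis value, the hash construction, the field names and the `pin_status` scheme (`head` / `ancestor` / `absent`, a stand-in for the real `rotation_hint`) are all assumptions made for this example; the keyed (HMAC) variant and the unkeyed→keyed migration are not shown.

```python
"""Added example, not Proximo's code: a minimal hash-chained JSONL ledger showing the
0.7.1-style robustness checks. Genesis value, hash construction, field names and the
`pin_status` classification are assumptions made for this example."""
import contextlib, hashlib, json, os, re, tempfile
from pathlib import Path

GENESIS = "0" * 64                                        # assumed genesis anchor

def _is_hash(h):
    return isinstance(h, str) and re.fullmatch(r"[0-9a-f]{64}", h) is not None

def canonical(obj):
    # allow_nan=False: a NaN/Inf detail raises ValueError before any byte is written.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), allow_nan=False)

def entry_hash(prev_hash, detail):
    return hashlib.sha256(f"{prev_hash}\n{canonical(detail)}".encode()).hexdigest()

def read_tail(path):
    """(prev_hash, tail_is_torn); a crash mid-write leaves bytes with no trailing newline."""
    data = Path(path).read_bytes() if Path(path).exists() else b""
    torn = bool(data) and not data.endswith(b"\n")
    complete = [ln for ln in data.split(b"\n")[:-1] if ln]   # torn fragment excluded
    if not complete:
        return GENESIS, torn
    try:
        h = json.loads(complete[-1])["entry_hash"]
    except (ValueError, KeyError, TypeError):
        h = None
    if not _is_hash(h):
        raise ValueError("refusing to extend a ledger whose last entry is malformed")
    return h, torn

def append(path, detail):
    prev, torn = read_tail(path)
    h = entry_hash(prev, detail)                          # NaN/Inf rejected here
    line = canonical({"prev_hash": prev, "detail": detail, "entry_hash": h})
    with open(path, "ab") as f:
        if torn:
            f.write(b"\n")             # fresh line: the fragment cannot swallow this entry
        f.write(line.encode() + b"\n")
        f.flush()
        os.fsync(f.fileno())
    return h

def verify(path):
    """Walk the chain; a bad line is reported, never raised, and prev is never reset."""
    res = {"ok": True, "entries": 0, "head": GENESIS, "chain": [], "problems": []}
    data = Path(path).read_bytes() if Path(path).exists() else b""
    prev = GENESIS
    for n, raw in enumerate(data.splitlines(), 1):
        try:
            e = json.loads(raw)
            eh, ph, d = e["entry_hash"], e["prev_hash"], e["detail"]
            reason = ("malformed entry_hash" if not _is_hash(eh) else
                      "chain break" if ph != prev or eh != entry_hash(prev, d) else None)
        except (ValueError, KeyError, TypeError):         # torn/foreign line, or NaN on disk
            reason = "unparseable (torn, foreign or non-finite)"
        if reason:
            res["problems"].append(f"line {n}: {reason}")
            continue
        prev = eh
        res["entries"] += 1
        res["chain"].append(eh)
    res["head"], res["ok"] = prev, not res["problems"]
    return res

def normalize_head(pin):
    """Tolerate the case and whitespace slips a copy-pasted pin picks up."""
    pin = "".join(pin.split()).lower()
    if not _is_hash(pin):
        raise ValueError("expected head is not a 64-hex-digit digest")
    return pin

def audit_verify(path, expected_head):
    """Chain check plus off-box tail pin. `pin_status` is this example's own scheme, not
    Proximo's rotation_hint: head (unchanged), ancestor (ledger grew, benign), absent."""
    res, pin = verify(path), normalize_head(expected_head)
    res["pin_status"] = ("head" if pin == res["head"] else
                         "ancestor" if pin in res["chain"] else "absent")
    res["ok"] = res["ok"] and res["pin_status"] != "absent"
    return res

def demo():
    """Constructed scenario: appends, a crash-torn write, recovery, NaN, pins, bad hash."""
    path = os.path.join(tempfile.mkdtemp(), "prove.jsonl")
    h1 = append(path, {"event": "login", "user": "alice"})
    h2 = append(path, {"event": "grant", "role": "admin"})
    with open(path, "ab") as f:                           # crash: no trailing newline
        f.write(b'{"prev_hash":"' + h2.encode() + b'","detail":{"event":"cra')
    h3 = append(path, {"event": "recovered"})
    out = {"after_crash": verify(path)}
    with contextlib.suppress(ValueError):                 # rejected at write time
        append(path, {"latency_ms": float("nan")})
    out["entries_after_nan"] = verify(path)["entries"]
    out["pins"] = [audit_verify(path, p)["pin_status"]
                   for p in (h3, f" {h1.upper()}\n", "f" * 64)]
    with open(path, "ab") as f:
        f.write(b'{"prev_hash":"x","detail":{},"entry_hash":"not-hex"}\n')
    out["problems"] = verify(path)["problems"]
    return out
```

Running `demo()` shows the two design choices that matter. First, `append` derives its `prev_hash` only from the last newline-terminated line and starts the new entry on a fresh line, so a torn fragment becomes an isolated unparseable line rather than being fused with the next entry; `verify` then reports that line by number and keeps walking the chain from the previous head, so it cannot silently re-anchor at genesis. Second, `verify` stays fail-closed: after a crash `ok` is `False` even though the three real entries still chain, which is a deliberate prompt for an operator to look rather than a reason to auto-repair. The pin classification is this example's own; it says nothing about what Proximo's `rotation_hint` actually encodes.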
⚠️ Upgrade note (rolling upgrades)
A PROVE ledger is all-keyed or all-unkeyed for its whole life. During a rolling upgrade, quiesce or upgrade all writers of a given ledger together — a mixed keyed/unkeyed fleet writing the same ledger across the cutover will land a downgraded entry and fail verify(). Single-process deployments are unaffected. (The keyed-default auto-migration introduced in 0.7.0 is unchanged.)
See the CHANGELOG for the full list.