v0.18.1
Fixed
scripts/validate.shsafety-preamble check: regex now matches the canonical period form (> **Runtime required.**); previously required a colon (> **Runtime required:**), which no actual template, policy, op, orSKILL.mdin the repo uses — only the validator and one stray spot indocs/README.md. Result: post-merge CI on master flagged spec-compliant skills (including the bundledcanopyandcanopy-debug) as missing the preamble.
Notes — release integrity
- Tags are now SSH-signed. Verify with
git verify-tag v0.18.1. The local clone hastag.gpgsign trueset; the public key is registered as a Signing Key on GitHub. - SLSA build provenance is attached to every release.
release.ymlnow usesactions/attest-build-provenance@v2to produce a Sigstore-signed provenance record over the install tarball (canopy-${VERSION}.tar.gz), eachSKILL.md, and both plugin manifests. Verify withgh attestation verify canopy-0.18.1.tar.gz --owner kostiantyn-matsebora. - Install tarball is now uploaded as a release asset. Same install surface as
gh skill install/ plugin marketplace, just packaged for offline / scripted consumption. SECURITY.mdadded at the repo root (private vulnerability reporting, supported versions, integrity-verification snippet, in-scope / out-of-scope list). Auto-surfaces on the repo's Security tab.masterbranch protection enabled: PR required, status checkvalidatemust pass, no force pushes, no deletions, linear history, conversation resolution required, admin enforcement on (no bypass).- Docs site published at https://kostiantyn-matsebora.github.io/claude-canopy/ — full reference rendered with cayman theme, dark/light toggle, and per-section TOC.
No skill behavior changes from 0.18.0; this is a patch release for repo hygiene + verifiable supply-chain.
Verifying this release
# Verify the signed tag (uses GitHub's pubkey for SSH/GPG signatures)
git verify-tag v0.18.1
# Verify SLSA build provenance for the install tarball
gh attestation verify canopy-0.18.1.tar.gz --owner kostiantyn-matsebora