Skip to content

ClawZero v0.4.0 — Compliance Attestation + MVAR Hardening Baseline

Choose a tag to compare

@Sdvegas21 Sdvegas21 released this 16 Apr 02:17

Added

  • Added enforcement-strength generated test surfaces and audit artifacts on top of v0.3.0, including:
    • policy matrix, witness integrity, OWASP ASI-2026, EU AI Act, adversarial evasion, adapter matrix, cross-session isolation, SARIF export, engine parity, and fuzzing suites added across commits ac2ebd6 through d32190a.
    • documented audit baseline and authoring standard in:
      • docs/test-suite-audit-summary.md
      • docs/test-authoring-guide.md
  • Added compliance attestation CLI surface in clawzero compliance verify (commit 6776cdf; hardened in later commits), including signed attestation payload output and suite presence checks.
  • Added official SARIF schema validation contracts (tests/exports/test_sarif_official_schema_contract.py, commit db4db6e).

Security Hardening (Post-PR81–PR86 MVAR Baseline)

  • Integrated and validated against the post-PR81–PR86 MVAR hardening baseline (52f2038, 6fbbb89, 174beee, 7513c7f, 3f53bc7, a9a1dfd) used in this workspace:
    • Ed25519 default signing with truthful algorithm labeling (ed25519 vs hmac-sha256), removing algorithm-label misrepresentation in audit output.
    • Vault-mediated credential execution path for credentials.access, with token-reference mediation and no raw credential material returned to the agent path.
    • Cryptographic policy lineage enforcement with lineage-chain verification and fail-closed behavior in prod_locked.
    • Advanced risk scoring in the default execution path with profile-aware modes (BLOCKING in prod_locked) and counterfactual injection signals.
    • Taint-laundering prevention integration proofs covering single-hop/multi-hop propagation, trust-boundary crossing, source fragmentation, and Claim-18-style provenance differential behavior (mvar/tests/integration/test_taint_laundering_prevention.py).
    • Machine-readable architecture registry with signed runtime self-report, layer status, and compatibility matrix (mvar/mvar-core/architecture.py).

Validation

  • Full ClawZero suite green on this release line:
    • 9598 passed
    • 17 skipped (intentional gap markers)
    • 0 failed
    • 9615 collected
  • PyPI: pip install clawzero==0.4.0
  • GitHub: github.com/mvar-security/clawzero