ToolPin 0.5.3
Bug-fix release: toolpin ci no longer permanently fails verified-tier lock entries on unverified runs.
Fixed
toolpin ciwithout--verifyfailed every lock entry recorded at theverifiedtier with a misleadingtrust tier decreased verified -> conditional. Since 0.4.0, registry-declared evidence is a claim rather than proof, so an unverified run recomputes trust withverifiedByToolPin: falseand can never re-derive a locally earnedverifiedtier — but the frozen-lock comparison still measured the recorded tier against that weaker recomputation. The gate now compares the locked artifact integrity claims (npm SRI, OCI digest, MCPB hash) against the current resolution: unchanged claims are accepted as "no drift"; changed or missing claims still fail, and now say why. This also fixes the composite Action's default invocation (toolpin ci --live) for verified-tier locks.
Added
toolpin ci --strict-tier— refuse claim-backed tier acceptance: verified-tier entries then fail unless the run re-earns them with--verify. The lenient-on-unchanged-claims behavior remains the default. Semantics documented in Catch drift in CI.
Notes
- Tier drift messages now state the reason: artifact claims changed, no claims to compare, or the run could not re-verify (with the flag that fixes it).
- Release gate: 361 tests (6 new for the tier semantics),
self:doctor,self:ci,docs:check, Docusaurus build, curated-registry check,npm auditclean, pack dry-run verified (76 files). - Published to npm with provenance:
@proofofwork-agency/toolpin@0.5.3