Skip to content

ToolPin 0.5.3

Choose a tag to compare

@nillo nillo released this 10 Jul 09:04

Bug-fix release: toolpin ci no longer permanently fails verified-tier lock entries on unverified runs.

Fixed

  • toolpin ci without --verify failed every lock entry recorded at the verified tier with a misleading trust tier decreased verified -> conditional. Since 0.4.0, registry-declared evidence is a claim rather than proof, so an unverified run recomputes trust with verifiedByToolPin: false and can never re-derive a locally earned verified tier — but the frozen-lock comparison still measured the recorded tier against that weaker recomputation. The gate now compares the locked artifact integrity claims (npm SRI, OCI digest, MCPB hash) against the current resolution: unchanged claims are accepted as "no drift"; changed or missing claims still fail, and now say why. This also fixes the composite Action's default invocation (toolpin ci --live) for verified-tier locks.

Added

  • toolpin ci --strict-tier — refuse claim-backed tier acceptance: verified-tier entries then fail unless the run re-earns them with --verify. The lenient-on-unchanged-claims behavior remains the default. Semantics documented in Catch drift in CI.

Notes

  • Tier drift messages now state the reason: artifact claims changed, no claims to compare, or the run could not re-verify (with the flag that fixes it).
  • Release gate: 361 tests (6 new for the tier semantics), self:doctor, self:ci, docs:check, Docusaurus build, curated-registry check, npm audit clean, pack dry-run verified (76 files).
  • Published to npm with provenance: @proofofwork-agency/toolpin@0.5.3