Hardening release: the claim-backed tier acceptance introduced in 0.5.3 was put through an adversarial review; every finding is addressed.
Fixed
- Locked-side anchoring — the gate now only accepts a recorded
verifiedtier on the basis of claims the lock actually earned with local verification (passed+verifiedByToolPin+trustedAnchor). Registry-declared or unavailable locked evidence no longer qualifies. - Exact claim-set comparison — for every locked evidence code the current resolution declares, the claim sets must match exactly. A registry declaring extra claims for the same artifact code (old and new SRI side by side) now reads as drift instead of slipping through subset membership.
- Unobservable is explicit — evidence codes the current resolution does not declare at all are treated as unobservable without
--verify: accepted by default, refused under--strict-tier, never silently matched. - Evidence dedupe — trust-evidence deduplication now includes the integrity claim in its identity key, so entries differing only by claim are no longer collapsed.
- Warning noise — the stale registry-cache warning prints once per run instead of once per cache read.
Notes
- Semantics documented in Catch drift in CI → Trust tiers without --verify.
- Release gate: 365 tests (4 new adversarial cases),
self:doctor,self:ci,docs:check, Docusaurus build, curated-registry check,npm auditclean, pack dry-run verified (76 files). - Published to npm with provenance:
@proofofwork-agency/toolpin@0.5.4