Skip to content

ToolPin 0.5.4

Latest

Choose a tag to compare

@nillo nillo released this 10 Jul 10:30

Hardening release: the claim-backed tier acceptance introduced in 0.5.3 was put through an adversarial review; every finding is addressed.

Fixed

  • Locked-side anchoring — the gate now only accepts a recorded verified tier on the basis of claims the lock actually earned with local verification (passed + verifiedByToolPin + trustedAnchor). Registry-declared or unavailable locked evidence no longer qualifies.
  • Exact claim-set comparison — for every locked evidence code the current resolution declares, the claim sets must match exactly. A registry declaring extra claims for the same artifact code (old and new SRI side by side) now reads as drift instead of slipping through subset membership.
  • Unobservable is explicit — evidence codes the current resolution does not declare at all are treated as unobservable without --verify: accepted by default, refused under --strict-tier, never silently matched.
  • Evidence dedupe — trust-evidence deduplication now includes the integrity claim in its identity key, so entries differing only by claim are no longer collapsed.
  • Warning noise — the stale registry-cache warning prints once per run instead of once per cache read.

Notes