Skip to content

release: v0.8.1 — audit-driven hardening#101

Merged
avrabe merged 1 commit into
mainfrom
release/v0.8.1
May 1, 2026
Merged

release: v0.8.1 — audit-driven hardening#101
avrabe merged 1 commit into
mainfrom
release/v0.8.1

Conversation

@avrabe
Copy link
Copy Markdown
Contributor

@avrabe avrabe commented Apr 30, 2026

Merge LAST, after #96, #97, #98, #99, #100.

Bumps version to 0.8.1 and adds the project's first CHANGELOG.md with the full release notes. Closes 26 of 33 findings from the 2026-04-30 14-perspective audit (audit/2026-04-30/).

What's in the release

This PR is the version-bump capstone. The actual fixes live in five fix-PRs:

PR Theme Findings closed
#96 STPA-Sec / docs L-3, L-4, L-6
#97 Hygiene wins M-10, L-1, L-2, L-5, M-7, M-8, M-11, H-8, H-9
#98 Parser hardness H-1, H-2, H-6, H-7
#99 Formal-verif honesty + CI C-1, C-2, C-3, C-7, M-9
#100 Keyless / OIDC hardening C-6, H-4, H-5, M-5, M-6

See CHANGELOG.md for the per-finding release notes (Security / Hardening / Honesty / CI / DX / Deferred sections).

Deferred findings (filed as separate issues)

Merge ordering

This PR conflicts with #97 on `MODULE.bazel` and `src/cli/BUILD.bazel` (audit H-8 — version drift fix). Both branches end at the same value (`0.8.1` here, `0.8.0` in #97), so the conflict is trivial:

Recommended order: #96, #98, #100 in any order (no overlap), then #99 and #97 together (both touch `.github/workflows/rust.yml` — small overlap on `paths:` / `bazel test` blocks), then this PR.

Test plan

  • `cargo build --workspace --release` clean at 0.8.1
  • `Cargo.lock` updated to 0.8.1 for `wsc`, `wsc-attestation`, etc.
  • CI: passes after the 5 fix-PRs are merged
  • Tag `v0.8.1` cut from main once this merges

After merge: tag `v0.8.1` and let the release workflow run.

@avrabe avrabe mentioned this pull request Apr 30, 2026
Merged
4 tasks
@avrabe @claude
release: v0.8.1 — audit-driven hardening
49ff74b 
Bumps Cargo.toml, MODULE.bazel, src/cli/BUILD.bazel, and Cargo.lock
to 0.8.1. Adds CHANGELOG.md (new file, repo did not have one) with
the full release notes.

This release closes 26 of 33 findings from the 2026-04-30
14-perspective audit. Specific fix-PRs are #96 (STPA-Sec / docs),
#97 (hygiene), #98 (parser hardness), #99 (formal-verif honesty +
CI), #100 (keyless / OIDC hardening). Two findings (cert-pinning
enforcement, no_std verifier) are deferred to issue #95 and issue
#79 respectively.

Note on H-8 (version drift): MODULE.bazel and src/cli/BUILD.bazel
were at 0.2.7 on main; this commit takes them straight to 0.8.1.
PR #97 also bumps these to 0.8.0 as part of its H-8 fix; whichever
PR merges last has a trivial conflict that resolves to 0.8.1.

Trace: skip

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@avrabe avrabe force-pushed the release/v0.8.1 branch from 9d394ac to 49ff74b Compare May 1, 2026 07:04
This was referenced May 1, 2026
Closed
Closed
@avrabe avrabe merged commit ddb6729 into main May 1, 2026
17 of 19 checks passed
@avrabe avrabe deleted the release/v0.8.1 branch May 1, 2026 09:51
@codecov
Copy link
Copy Markdown

codecov Bot commented May 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@avrabe