Releases: ShieldNet-360/securevibe
Release list
v0.10.2
Automated Skills Library release for tag v0.10.2.
⚠️ This release is a draft. The bundledmanifest.json
still contains"signature": "TBD"and is not consumable by
securevibe update. The release manager must sign the
manifest offline per SIGNING.md, re-upload
it to the draft, and then run theSign & publishworkflow
(.github/workflows/sign-and-publish.yml) to mark this
release as published.
Assets:
securevibe-<goos>-<goarch>[.exe]— the single binary: CLI + MCP server (securevibe mcp), reproducible build. This is whatinstall.shand Homebrew download, and whatgo install .../cmd/securevibe@latestproduces. Reads its library data from--path/$SKILLS_LIBRARY_PATH(it does not embed the data tree).checksums-<goos>-<goarch>.txt— SHA-256 of the binary for that platform.manifest.json— library manifest (signed out-of-band before publish).skills-library-data.tar.gz— library payload (skills, vulnerabilities, dictionaries, dist, rules, compliance, profiles, manifest.json). This is whatsecurevibe updatedownloads by default. The bundledvulnerabilities/osv/tree is a small latest-first sample.osv-cache.tar.gz— full upstream OSV catalogue (osv/<eco>/...). Consumed bysecurevibe dev fetch-vulns --from-releaseto populate the user cache with complete coverage without hitting osv.dev.deltas.tar.gz— patch set against the previous release (best effort).SHA256SUMS.txt— checksum of every asset above.
Verification (post-publish):
- Verify the binary with the matching
checksums-<goos>-<goarch>.txtfile. - Verify
manifest.jsonwithsecurevibe dev manifest verify --path .. - The
Sign & publishworkflow runs the same verification in CI
before flipping the draft to public.
v0.10.0
Automated Skills Library release for tag v0.10.0.
⚠️ This release is a draft. The bundledmanifest.json
still contains"signature": "TBD"and is not consumable by
securevibe update. The release manager must sign the
manifest offline per SIGNING.md, re-upload
it to the draft, and then run theSign & publishworkflow
(.github/workflows/sign-and-publish.yml) to mark this
release as published.
Assets:
securevibe-<goos>-<goarch>[.exe]— the single binary: CLI + MCP server (securevibe mcp), reproducible build. This is whatinstall.shand Homebrew download, and whatgo install .../cmd/securevibe@latestproduces. Reads its library data from--path/$SKILLS_LIBRARY_PATH(it does not embed the data tree).checksums-<goos>-<goarch>.txt— SHA-256 of the binary for that platform.manifest.json— library manifest (signed out-of-band before publish).skills-library-data.tar.gz— library payload (skills, vulnerabilities, dictionaries, dist, rules, compliance, profiles, manifest.json). This is whatsecurevibe updatedownloads by default. The bundledvulnerabilities/osv/tree is a small latest-first sample.osv-cache.tar.gz— full upstream OSV catalogue (osv/<eco>/...). Consumed bysecurevibe dev fetch-vulns --from-releaseto populate the user cache with complete coverage without hitting osv.dev.deltas.tar.gz— patch set against the previous release (best effort).SHA256SUMS.txt— checksum of every asset above.
Verification (post-publish):
- Verify the binary with the matching
checksums-<goos>-<goarch>.txtfile. - Verify
manifest.jsonwithsecurevibe dev manifest verify --path .. - The
Sign & publishworkflow runs the same verification in CI
before flipping the draft to public.