Skip to content

Releases: trivoallan/houba

v0.8.0

Choose a tag to compare

@trivoallan trivoallan released this 23 Jun 11:11
003c4c5

0.8.0 (2026-06-23)

Features

  • deploy: demonstrable blast-radius — owner + cluster join (demo glue, no houba-core) (#156) (9554927)
  • deploy: make argocd-ui + distinct UI ports (registry 8080→8082) (#158) (db0ab65)
  • domain: SARIF kind routes governance verdicts to policy.* (#166) (75eaf13)
  • image: rebase runtime on Alpine + Python 3.13 (#161) (494f1dc)

Bug Fixes

  • adapters: emit marked/attested/sbom counts in the journal summary (#169) (d28135e)
  • reconcile: backfill SBOM coverage on kept digests (#167) (29d12e6)

Documentation

  • docs: docs polish pass — architecture narrative, rebuild/harden how-to, slidev deck (#155) (448329f)
  • docs: documentation polish pass — architecture page, restructured reference, search, glossary, llms.txt (#157) (1ded166)
  • docs: publish the SARIF ingestion profile reference (#168) (30ea1f2)
  • how-to: governance findings as portable provenance (any SARIF analyzer) (#164) (e7ea143)
  • roadmap: decouple forward direction from versions; re-theme Now to adoption (#153) (9ff6a42)
  • roadmap: defer MirrorPolicy-as-CRD (operator unrequested) (#159) (ccaa7ac)
  • roadmap: re-snapshot to 0.8.0 (#171) (1d191b6)

v0.7.0

Choose a tag to compare

@trivoallan trivoallan released this 17 Jun 18:39
89e6661

0.7.0 (2026-06-17)

Features

  • attach registry-config parity — wire HOUBA_REGISTRIES into houba attach (#97) (c320179)
  • audit: digest on every coverage outcome + observational --sbom tier (#143) (522b764)
  • deploy: default argocd-prod policy to the bundled busybox example (014cb95)
  • deploy: default overlays/prod policy to the busybox example (#87) (208bd85)
  • deploy: Dependency-Track consumer + XZ (CVE-2024-3094) incident demo for package-level blast-radius (#136) (b1b2034)
  • deploy: make argocd-prod + argocd-seed (bring up the full prod App-of-Apps on kind) (59b69f2)
  • deploy: make argocd-prod a complete end-to-end mirror on kind (76ac75b)
  • deploy: weekly houba-gc CronJob in the reference deployment (#107) (a06d171)
  • deploy: Zot demo registry with built-in UI; text logs in Jobs (#92) (21dc7bd)
  • domain: stamp OCI image.title and configurable vendor (#134) (1253d70)
  • finding-type-aware SARIF mapper (rule evaluations ≠ vulnerabilities) (#102) (3aee05b)
  • houba attach --fail-on <severity> CI gate (#86) (f0cf0bc)
  • multi-owner ownership (io.houba.owners) (#100) (139f7b1)
  • SBOM generation on the rebuild path (package-level blast-radius) (#128) (003f0b8)
  • scan-referrer garbage collection (houba gc) (#105) (b9892d6)
  • sign the SBOM under houba's identity (trust tier) (#144) (f2fec80)
  • signed-coverage audit tier (houba audit --signed) (#98) (3e4336d)
  • unify SBOM generation on syft — both paths, SPDX + CycloneDX (#140) (eec9aa2)

Bug Fixes

  • .claude: point superpowers at its own marketplace so it loads in ephemeral sessions (#94) (578601d)
  • adapters: honor tls_verify on the BuildKit push path (#127) (118ec54)
  • ci: update the manifests job for the single Argo app set (#91) (ee1cad9)
  • cli: render failed policy with only operation errors (#126) (36efafd)
  • demo reference policy/rebuild — busybox tag selection + arch-robust inspect (#139) (51e8bc1)
  • deploy: select the OpenBao server pod by name, not a chart label (#88) (16d4c56)
  • deps: clear docs-site high/uuid CVEs — bump Docusaurus + pin transitives (a5a9c20)
  • deps: update react monorepo to v19 (#138) (1d78def)

Documentation

  • add "Why houba" argument page (#104) (0dbffb9)
  • add the CLI command reference to the reference section (#125) (786b412)
  • docs: mark Now items delivered; renumber signed-coverage ADR to 0026 (#99) (ff5fdea)
  • fix the generated reference's in-page TOC anchors (#121) (3cf1ffb)
  • generate how-to & explanation section indexes from page front-matter (#147) (b88f452)
  • generate policy + config reference from the Pydantic schemas (#108) (f8e52b7)
  • generate policy + config reference from the Pydantic schemas (#109) (28651c2)
  • order the Reference sidebar — mirror-policy before config (#120) (cb35be0)
  • order, label, and flatten the docs-site sidebar (#118) (f7cb370)
  • prepare 0.7.0 release — stamp roadmap + getting-started version (2daebf9)
  • promote the local walkthrough to a top-level Getting started (#106) (ba91bf9)
  • publish the docs site with Docusaurus on GitHub Pages (#115) (3e5eba3)
  • record the Dependency-Track boundary (attach = scan provenance, not a store) (#135) (28af8a4)
  • refresh README for the delivered mandate, gc, and the docs site (#110) (10a92cb)
  • renumber duplicate ADR 0026 → 0030 (multi-owner ownership) (#122) (cab739c)
  • restructure docs into Diátaxis sections (step 1 — folders + moves) (#111) (1009b72)
  • restructure docs into Diátaxis sections (step 1) (#112) (c0c52cd)
  • roadmap — add docs-site item, cut deferred bets, proxycache out of scope (#103) (5685732)
  • roadmap: sync Now/Next/Later — the mandate is delivered (#90) (e3de9ad)
  • scan attestation max-age freshness contract (admission gate) (#137) (5fc046b)
  • spec — Docusaurus docs site published to GitHub Pages (#114) ([3...
Read more

v0.6.0

Choose a tag to compare

@trivoallan trivoallan released this 15 Jun 15:46
b99bf6d

0.6.0 (2026-06-15)

Features

  • complete attestation coverage — sign copy path + idempotent skip-backfill (#77) (9a3515a)
  • deploy: ArgoCD App-of-Apps reference deployment (variant) (#79) (98f2669)
  • freeze org.opencontainers.image.revision semantics (#80) (dad2ffc)

Documentation

  • roadmap: mark single-front-door mandate validated (#76) (5d27d17)
  • roadmap: restructure to Now/Next/Later (#74) (bb7c172)

v0.5.0

Choose a tag to compare

@trivoallan trivoallan released this 15 Jun 08:39
6b54d4e

0.5.0 (2026-06-15)

Features

  • deploy: buildkitd autoscaling — KEDA scale-up 1→K (impl of ADR 0016) (#59) (baaca35)
  • domain: deb822 support in rewritePackageSources (#61) (b8efe9f)
  • reconcile: retention-driven soft-delete (roadmap item 5) (#63) (3fdbf95)
  • scan attestation — sign the houba attach referrer (#56) (388e970)

Bug Fixes

  • adapters: cosign v3 signing-config migration (signing was broken on bundled cosign) (#58) (4af77b4)
  • use-case: scope reconcile unmark cleanup to the axis being unmarked (#64) (ff3a957)

Documentation

  • readme: bring README + examples current with v0.5 (#65) (4808315)
  • readme: bring README current with v0.4 (commands, SLSA, autoscaling, arch) (#60) (00d8946)
  • roadmap: mark lifecycle ⑤ delivered and archive_restore rejected (#66) (8bfd778)
  • specs: buildkitd autoscaling design — KEDA-driven scale-up (#43) (3046148)

v0.4.0

Choose a tag to compare

@trivoallan trivoallan released this 14 Jun 07:21
2ba468c

0.4.0 (2026-06-13)

Features

  • concurrent reconcile (scale-up) + horizontal sharding (scale-out) (#37) (6cb2d29)
  • coverage audit — houba audit (roadmap ④) (#53) (248dd1a)
  • delegated tag deletion (soft-delete via OCI referrer, mode cascade) (#41) (d8a0e43)
  • deploy: local-transform demo tier — self-contained rebuild path (no Harbor) (#32) (a8954f5)
  • deploy: opt-in source-registry credentials to dodge Docker Hub rate limits (#34) (a271fa1)
  • houba attach — ingest + stamp scan results as OCI referrers (#42) (b2afcb6)
  • houba purge — the reference reaper (usage-gated tag deletion) (#45) (f52eaee)
  • reconcile: surface applied transform steps + produced digest per operation (#38) (602247a)
  • SLSA / in-toto attestation — sign the rebuild path (roadmap ①) (#49) (2c1b6e4)

Documentation

  • align CLAUDE.md with the delivered hexagon + embed design/specs in the C4 workspace (#35) (42c10af)
  • architecture: add attach to the C4 model + finish the CLAUDE.md inventory (#55) (0d3a634)
  • architecture: add ADRs for the 3 remaining specs (scale-up/-out, source creds) (#40) (c06bde0)
  • architecture: add C4 container/component/hexagon views, refresh stale docs (#39) (9525fa6)
  • architecture: link each view / example name to its Mermaid export (#46) (769c86f)
  • architecture: redraw the error hierarchy as Mermaid in design.md (#48) (41ed446)
  • architecture: redraw the hexagon schema as Mermaid in design.md (#47) (d26648c)
  • architecture: split the deployment view into one per example + commit Mermaid exports (#44) (91c4f8d)
  • sync design.md + roadmap with delivered work (CLI verbs, SLSA, new ports/adapters) (#54) (4153b9e)

v0.3.0

Choose a tag to compare

@trivoallan trivoallan released this 12 Jun 07:57
7bda537

0.3.0 (2026-06-12)

Features

  • deploy: reference deployment — kustomize, kind demo, blast-radius consumer (#29) (68d7535)
  • domain: pluggable transform-step registry (+ setTimezone, discriminated-union schema) (#26) (3aad9dd)
  • image transform / hardening — the rebuild path (Phase 6) (#24) (79e9dfa)
  • make the reconcile path runnable — bundle regctl + per-registry TLS/CA (#27) (de46501)
  • reconcile: structured two-stream output + per-policy resilience (#25) (1aa22f2)

Bug Fixes

  • image: run runtime image as non-root (uid 65532) (#30) (409b0fe)

Documentation

  • architecture: VS Code launch config for Structurizr C4 viewer (#22) (53e2ad3)
  • specs: SLSA / in-toto attestation design — the heavy-provenance layer (#28) (5f36c15)

v0.2.0

Choose a tag to compare

@trivoallan trivoallan released this 11 Jun 13:17
e822a16

Initial public release — houba reconcile: declarative MirrorPolicy reconciliation (tag selection, moving-tag aliases, variants, provenance-based change detection) with OCI provenance stamping over regctl (copy path).