Releases: tzone85/themis
v0.1.0
Themis v0.1.0
Built 2026-06-03T07:10:41Z from 98026fa on go1.26.x.
Verify: see docs/ops/deployment.md.
Changelog
- c90ae63: build(docker): bump golang base 1.26.1-alpine3.20 → 1.26.4-alpine3.22 (Thando Mini thando.mini@sanlam.co.za)
- 98026fa: build(docker): split Dockerfile.release for goreleaser (Phase 8 retry) (Thando Mini thando.mini@sanlam.co.za)
- c209bd0: build: distroless Dockerfile + smoke script (Phase 3) (Thando Mini thando.mini@sanlam.co.za)
- d006cc4: chore(go): bump toolchain 1.26.1 → 1.26.3 (clear 8 stdlib vulns) (Thando Mini thando.mini@sanlam.co.za)
- 5a4b062: chore(go): bump toolchain 1.26.3 → 1.26.4 (clear remaining stdlib vulns) (Thando Mini thando.mini@sanlam.co.za)
- 51f155d: chore(go): use toolchain directive for go1.26.4 (setup-go manifest lag) (Thando Mini thando.mini@sanlam.co.za)
- 56d9abc: chore(security): document prompt-injection defenses (#1) (Thando Mini thando.mini@sanlam.co.za)
- 7f22b9e: ci(github-actions): bump golangci-lint v2.1.0→v2.12.2 (built with go1.26) (Thando Mini thando.mini@sanlam.co.za)
- f2f542e: ci(github-actions): bump golangci-lint-action v6→v7 (required for v2 binary) (Thando Mini thando.mini@sanlam.co.za)
- 2116ee6: ci(github-actions): pin golangci-lint v2 + go.mod-driven Go version + vulncheck advisory (Thando Mini thando.mini@sanlam.co.za)
- b77819b: ci(plan-11): rebase global 88→87, api 85→83 to absorb Plan-11 handler err-wrap branches (Thando Mini thando.mini@sanlam.co.za)
- d52e673: ci(plan-12): silence errcheck on Fprintf/Fprintln in tokens_cmd (Thando Mini thando.mini@sanlam.co.za)
- eea393b: ci(plan-13): tagged switch for manifest dispatch (staticcheck QF1002) (Thando Mini thando.mini@sanlam.co.za)
- 37b35d2: ci(plan-15-17): silence errcheck + SA4000; calibrate per-pkg thresholds for new packages (Thando Mini thando.mini@sanlam.co.za)
- 5501bfa: ci(plan-18): rename stubIdP→stubIDP (revive var-naming) (Thando Mini thando.mini@sanlam.co.za)
- c9cfadc: ci(plan-2): lint clean (revive comment style), aichange cov 100%, full make ci PASS (Thando Mini thando.mini@sanlam.co.za)
- 4313ee9: ci(plan-4): lint comment style + bom threshold @ 85% (json.Encode err wraps unreachable) (Thando Mini thando.mini@sanlam.co.za)
- 20f3edf: ci(plan-6): vulncheck-advisory + serve runtime tests + threshold rebase (global 88, api 85, bom 85) (Thando Mini thando.mini@sanlam.co.za)
- 8821927: ci(plan-8): drop unused runMCP helper; lint clean (Thando Mini thando.mini@sanlam.co.za)
- c9565b0: ci(release): goreleaser + cosign keyless + syft SBOM on v* tags (Phase 4) (Thando Mini thando.mini@sanlam.co.za)
- 67b4d71: ci: GitHub Actions workflow (vet, lint, test, coverage gate, vulncheck) (Thando Mini thando.mini@sanlam.co.za)
- cf52749: ci: add coverage threshold config + gate script (95% global) (Thando Mini thando.mini@sanlam.co.za)
- 4c18052: ci: add golangci-lint config (errcheck, gosec, staticcheck, ...) (Thando Mini thando.mini@sanlam.co.za)
- 3127259: ci: add govulncheck to local CI chain (Thando Mini thando.mini@sanlam.co.za)
- c432583: ci: migrate .golangci.yml to v2 schema + silence checked-but-irrelevant Close/Fprint errors (Thando Mini thando.mini@sanlam.co.za)
- 6728c53: ci: pin actions to SHAs + least-privilege permissions (Phase 6) (Thando Mini thando.mini@sanlam.co.za)
- 8953cc6: ci: rebase pipeline coverage target to 80 (err-wrap branches unreachable post-validation) (Thando Mini thando.mini@sanlam.co.za)
- 2843be4: docs(ops): deployment + observability + backup-restore + runbook (Phase 5) (Thando Mini thando.mini@sanlam.co.za)
- 2d4cebd: docs(spec): production-readiness pass design → v0.1.0 (Thando Mini thando.mini@sanlam.co.za)
- 1453a89: feat(actions): GitHub Action wrapper — composite action.yml + themis-check.sh shim (curl+jq+git only) (Thando Mini thando.mini@sanlam.co.za)
- e46336a: feat(aichange): AIChange + FileTouch + Validate (5 tests, 100% paths) (Thando Mini thando.mini@sanlam.co.za)
- f6b78e9: feat(api): GET /v1/tenants/{id}/events — paginated, newest-first, kind-filterable timeline (Thando Mini thando.mini@sanlam.co.za)
- 5225da2: feat(api): NewMux + handlers (health, tenant health, decisions, boms with path-traversal guard) (Thando Mini thando.mini@sanlam.co.za)
- e3a6896: feat(api): POST + GET /v1/tenants/{id}/approvals — grant/deny with auto-finalise + 10 tests (Thando Mini thando.mini@sanlam.co.za)
- ed7aec7: feat(api): POST /v1/tenants/{id}/decide — JSON body, base64 workdir files, ledger SCAN_FINDING+DECISION_ISSUED (Thando Mini thando.mini@sanlam.co.za)
- a29e05b: feat(api): POST/GET overrides + POST overrides/postmortem with validation + 9 tests (Thando Mini thando.mini@sanlam.co.za)
- 7bf1533: feat(api): embedded SPA dashboard at / — vanilla JS, single binary, audit timeline + decision detail (Thando Mini thando.mini@sanlam.co.za)
- 5b6155a: feat(api): heartbeat + anchor + incidents endpoints (9 tests covering 4 status codes each) (Thando Mini thando.mini@sanlam.co.za)
- 91d0363: feat(api): per-tenant Bearer token auth with constant-time compare (Thando Mini thando.mini@sanlam.co.za)
- 898faaa: feat(api): role-aware RequireIdentity middleware + per-endpoint role gates (6 tests across all 5 roles) (Thando Mini thando.mini@sanlam.co.za)
- 6b8354d: feat(approvals): pure Compute/CanFinalise/BuildFinalised + 12 tests covering grant/deny/finalise semantics (Thando Mini thando.mini@sanlam.co.za)
- eeff948: feat(auth): OIDCTokenStore + ChainStore — pluggable IdP behind same TokenStore interface; 12 tests (Thando Mini thando.mini@sanlam.co.za)
- 0082f27: feat(auth): Role + Identity + FileTokenStore with YAML primary + legacy api-tokens fallback (14 tests) (Thando Mini thando.mini@sanlam.co.za)
- 6ed7bfe: feat(bom): BOM + Canonical (deterministic JSON, timezone-agnostic, field-sensitive) (Thando Mini thando.mini@sanlam.co.za)
- 2e24332: feat(catalogue): CatalogueGraph value types + lookup methods (Thando Mini thando.mini@sanlam.co.za)
- 41d584c: feat(catalogue): Parse(root) loads EventCatalog markdown front-matter into CatalogueGraph (Thando Mini thando.mini@sanlam.co.za)
- 9312601: feat(classify): Classify(AIChange, CatalogueGraph) → Impact with 7 Kinds and priority order (Thando Mini thando.mini@sanlam.co.za)
- 6f49604: feat(classify): Impact + Kind + severity ordering (Thando Mini thando.mini@sanlam.co.za)
- 4d5b37a: feat(cli): 'themis ledger' doctor / verify / replay; remove stubs (Thando Mini thando.mini@sanlam.co.za)
- 5ed98f8: feat(cli): 'themis tenant init' creates tenant + emits TENANT_INITIALISED (Thando Mini thando.mini@sanlam.co.za)
- ef46e1b: feat(cli): cobra root + --version + main entrypoint + tenant/ledger stubs (Thando Mini thando.mini@sanlam.co.za)
- 4e76ac4: feat(cli): four-field --version (semver, commit, build date, go runtime) (Thando Mini thando.mini@sanlam.co.za)
- 0440e08: feat(cli): ledger verify emits LEDGER_INTEGRITY_BROKEN incident on chain break (Thando Mini thando.mini@sanlam.co.za)
- 9db4f5f: feat(cli): themis approval grant/deny/status — appends ledger event, emits DECISION_FINALISED when ripe (Thando Mini thando.mini@sanlam.co.za)
- fc1ff8a: feat(cli): themis bom build + sign — canonical JSON, ed25519 signature, BOM_BUILT/BOM_SIGNED events (Thando Mini thando.mini@sanlam.co.za)
- 5141739: feat(cli): themis catalogue sync — parses tree + emits CATALOGUE_SYNCED + writes snapshot (Thando Mini thando.mini@sanlam.co.za)
- c9a0c6e: feat(cli): themis classify — runs Classify + emits IMPACT_CLASSIFIED ledger event (Thando Mini thando.mini@sanlam.co.za)
- c640308: feat(cli): themis decide — classify+scan+decide orchestration; emits SCAN_FINDING + DECISION_ISSUED + POLICY_INVALID (Thando Mini thando.mini@sanlam.co.za)
- 69ed98a: feat(cli): themis heartbeat report — records ENFORCEMENT_MISSING from external monitoring (design spec §9.1.2) (Thando Mini thando.mini@sanlam.co.za)
- 4982141...