Releases: udhawan97/Golavo
Release list
v0.15.0
Golavo v0.15.0 — One home for each rule
Golavo 0.15.0 changes no forecast, no source boundary, and no seal. It changes where the
app's rules live. Three of them had drifted into being kept in several places at once,
and each copy was one edit away from disagreeing with the others. Every committed sample
artifact reproduces byte-for-byte on this release, which is the evidence that the engine
underneath is untouched.
This is a release for the codebase's future, not for this week's page.
Why an architecture release
The most important promise Golavo makes is that a forecast never sees the future. Until
now, the app kept that promise in four places.
The rule is: train on everything before kickoff - 1s, from this fixture's own source,
never the fixture's own row, and fail closed if a later row survives. The guard that
enforces the last part was always central and always machine-checked. But the cutoff was
derived independently in the match analysis, the retrospective, the seal path, and the
evaluation folds — and the scoping half existed twice, character for character, in the
server's analysis path and in the core retrospective. Nothing checked that the two copies
agreed. A comment in one of them said it matched "the app's own on-demand path" and named
the other file; that promise was the only thing holding them together.
That class of leak has already bitten this project three times in a single day, always the
same way: stale data hid the problem, and fresh data woke it up.
Now there is one module. leak_safe_training_view returns a fixture's training history and
the instant it was cut off at, and the four facts are inseparable inside it — you cannot
get the rows without the cutoff, or the cutoff without the scoping, or either without the
guard having run. The seal path calls the same module and only tightens the boundary
(min(as_of, kickoff - 1s)), never loosens it.
What else moved
Cached reads. Six surfaces each hand-rolled the same dance: retry across a data
refresh, key a private cache, re-check the snapshot before trusting a hit, stamp the
provenance. Worse, the base module hardcoded the names of the modules caching on top of
it in order to invalidate them — so a seventh cached read would be invalidated only if
somebody remembered to add it to a tuple, and if they forgot, the app would serve a retired
data generation after a refresh and look exactly like it was working. Readers now register
themselves. Forgetting is no longer possible.
Background jobs. The retrospective borrowed the AI read's job store, which meant a
football backtest reported "Assembling the evidence" until the endpoint stamped over it,
and the UI minted an AI job id and rewrote its prefix with a regular expression. Each kind
of work now declares its own stages and its own id space.
The trust table. The retrospective's skill fold scores five model families; the
backtest offers four, dropping bivariate Poisson because it is numerically identical to
independent Poisson and would imply two opinions where there is one. The React view knew
that rule too, and re-applied it. If either side had changed, the page's two tables would
have quietly contradicted each other. The sidecar now sends the four voices and names what
it dropped.
What you will notice
Almost nothing, which is the point.
- The retrospective's trust table is unchanged on screen, but the API now sends four
families rather than five and names the omitted one in a newomitted_familiesfield.
Anything readingtrust.modelsfor a five-family list should readomitted_families. - The retrospective's job routes now accept only their own lane's job ids. A job id from
the AI lane submitted to the retrospective's start or cancel route returns 400 where it
was previously accepted and acted on. Golavo's own UI has always minted the right id, so
this only affects a client that hand-rolled one. - Competition analytics is cached per minute rather than recomputed per request.
- Sealed forecasts, replays, outlooks, and evaluation folds are unchanged.
Verification
- 808 Python tests and 177 UI tests pass.
- The 8 committed sample artifacts (sealed, scored, abstained, voided) validate unchanged —
the seal engine now runs through the shared leak-safe view and produces identical bytes. - Provenance, source-registry, license-isolation, correction-isolation, research-isolation
and context-pack validators all pass. - New machine-checked guards: the leak-safe view's cutoff, scoping and self-exclusion; the
snapshot reader's staleness and self-registration (every shipped cached read is named);
each job lane's stage vocabulary; that two concurrent retrospective runs cannot cross
their packs; and that the client's contract types cannot drift from the frozen schema.
v0.14.2
Golavo v0.14.2 — The final, a leak closed, the tournament looked back on
Golavo 0.14.2 brings the 2026 World Cup final into the app, closes a training-data leak
that the tournament's own exact kickoff times made reachable, and adds a retrospective
that backtests every played match of the tournament. The source rules, the model-input
boundary, and the seal→score loop are unchanged.
Forecasts no longer train on the future
This is the reason to update.
Training rows were selected by calendar date. A date is not a time, so every fixture
on a day looked simultaneous: a result from 20:00 could inform a forecast for a match
that kicked off at 00:30 that morning. The leakage guard compared the same dates, so it
could not see the problem it existed to catch.
- What changes for you: Match Cockpit replays on days with several matches will show
different probabilities than 0.14.1. That is the fix, not a regression — those replays
were using information that did not exist yet. - What does not change: sealed forecasts were never affected. A match played later
the same day is not complete when a seal is written, so it was already excluded.
Historical backtests cut on day boundaries and are unchanged. - Why now: almost every row in the index is a midnight date stand-in, and midnight is
never later than midnight — so date ordering was accidentally correct until real kickoff
times arrived. Of the 92 completed matches carrying a true kickoff, 55 were affected,
and all 55 are 2026 World Cup matches.
The World Cup outlook had a related fault: it treated a semifinal as decided whenever the
snapshot carried a result, without asking whether that match had kicked off at the cutoff
being requested. Asking about an earlier moment could return a later match's winner as
settled fact.
The final is in the app
- Spain v Argentina, 19 July, 19:00 UTC, and the third-place match, France v England,
18 July, 21:00 UTC — both with exact kickoff times, so the seal window stays open until
the whistle instead of closing at midnight the night before. - Both semifinals now carry their results: France 0-2 Spain, England 1-2 Argentina.
A retrospective of the tournament
New in Model Lab → World Cup 2026 retrospective.
It replays every played match of the tournament at that match's own pre-kickoff cutoff —
the same cutoff a seal uses — and ranks them by how surprised the goal model was. Beside
it sits the tournament's evaluation fold, answering a different question with a different
cutoff: did the models have skill at all, judged from outside the tournament.
Every number on the page is a backtest, not a record. Nothing there was called in
advance by anyone; nothing is persisted or scored as a seal. The page says so, because a
backtest sitting alone is easy to mistake for a track record.
- Computed on demand from your active data — a few minutes, with real progress and a
cancel button — then cached until that data changes. - Rows whose training data includes a same-day date-proxy kickoff are marked. Their
ordering within the day cannot be proven, and the page says that rather than implying a
precision it does not have.
Unchanged
Installers remain OS-unsigned. The deterministic engine, source registry, licence
isolation, and the display-only OpenLigaDB overlay boundary are untouched.
v0.14.1
Golavo v0.14.1 — Live results, cleaner context
Golavo 0.14.1 fixes the installed-app refresh path that could leave completed picks
unsettled, then reshapes Match Conditions into a calmer, more scannable read. The
deterministic forecast engine, source rules, and model-input boundary are unchanged.
Results now reach Pick History
- Packaged HTTPS refresh works: the frozen sidecar now ships and uses an explicit
CA trust bundle instead of inheriting a build-machine OpenSSL path that does not
exist on another Mac. - Completed evidence stays append-only: an upstream file can remove an old result
without erasing the already verified local result. Refresh metadata records the base
index hash and every retained completed match. - Fixture identities survive harmless corrections: unique international fixtures
keep their local match id when an upstream venue label changes, so picks and follows
do not lose their match reference. - Safety checks still fail closed: changed completed scores remain blocked, while
equivalent duplicate completed rows may be consolidated safely. - The UI follows the active generation: My Season and Pick History reload as soon
as a new data generation activates, so finals and points appear without restarting. - First-launch prompts stay ordered: the newcomer tour yields to update notices and
the Software Update sheet instead of covering the action that opens a newly found release.
Match Conditions is easier to read
- Four icon-led cards align location, venue, local kickoff, and elevation with a compact
resolved-field indicator and dedicated source rows. - Home and away teams use matching recovery timelines with stable travel-origin and
great-circle fields instead of drifting three-column text. - Subtle pitch-grid texture, restrained home/away accents, and a designed route canvas
add visual structure while staying inside Golavo's existing dark editorial theme. - Missing route and weather coverage now have intentional, concise states. Sources,
calculations, and the statement that this context never enters a forecast remain
directly available.
Install and update safely
- macOS: open the DMG, drag Golavo to Applications, then right-click Golavo and
choose Open on first launch if Gatekeeper warns. - Windows: if SmartScreen appears, choose More info → Run anyway after confirming
the download came from this GitHub release. SHA256SUMS.txtdetects corrupted manual downloads. In-app updates are separately
authenticated with the updater signature compiled into Golavo.
Installers remain OS-unsigned. Golavo remains free, local-first, non-betting, and fully
usable without AI, accounts, paid APIs, or user keys.
v0.14.0
Golavo v0.14.0 — Source-aware depth, kept honest
Golavo 0.14.0 makes free-data refresh and match follow-up real without turning the
app into a background tracker or weakening the deterministic forecast boundary.
What is new
- Approved-source refresh: consent-gated manual, launch, and while-open checks for
martj42 internationals plus genuinely published OpenFootball World Cup and club files.
Raw responses are hashed, schema-checked, activated atomically, and retain a
last-known-good generation. - Optional OpenLigaDB overlay: keyless Bundesliga 1/2/3 and DFB-Pokal context fetched
per user into a removable, display-only ODbL database. No OpenLigaDB bytes ship or enter
CC0 packs, training, forecasts, calibration, settlements, or exports. - Geographic match context: unique-exact GeoNames places, revision-pinned Wikidata
venue entities, an offline Natural Earth route map, and deterministic local-kickoff,
rest, distance, and travel displays. Context is not a model input. - Follow this match: local follow/unfollow, targeted checks, deduplicated kickoff,
venue, score and settlement-availability history, plus optional local notifications.
Checks stop when Golavo closes. - Provenance-first corrections: source-backed local proposals with immutable history,
explicit license namespaces, fail-closed conflicts, and user-triggered export. Proposals
never alter packs, training data, calibration, settlements, or sealed forecasts. - Evidence-bound research: user-selected Wikimedia sources are captured with exact
text, URL, retrieval time and hash; deterministic parsing precedes optional local
AI fallback. Candidates route into correction review. DuckDuckGo HTML scraping is off. - Deeper deterministic explanations: Match Cockpit now names history support, exact
model-voice gaps, capability coverage, missing evidence, and hypothetical change triggers.
It does not call these confidence, accuracy, or causal model effects.
Release hardening
- Match analysis uses a validated content-addressed cache and Phase 8 performs no extra
model fit, keeping repeat exploration quick. - The frozen server no longer carries unrelated optional ML/dataframe runtimes; local AI
still connects over HTTP, while desktop downloads and cold-start extraction stay lean. - Release builds embed and expose their exact 40-character source commit in the runtime,
Settings, and new forecast artifacts. - The release workflow runs Python, determinism, provenance, license isolation, UI, and
docs gates before platform packaging or publication. - Update recovery retains only the latest retired ledger generation, preventing unbounded
Application Support growth. - The website and README now present the new local-data workflows, larger product media,
and a repaired architecture diagram whose developer label stays inside its capsule.
Installers remain OS-unsigned, so Gatekeeper or SmartScreen may warn on first install.
In-app update downloads are cryptographically verified. Golavo remains free, local-first,
non-betting, and fully usable without AI, OpenLigaDB, accounts, paid APIs, or user keys.
Install and update safely
- macOS: open the DMG, drag Golavo to Applications, then right-click Golavo and choose
Open on first launch. If Gatekeeper still blocks it, run
xattr -dr com.apple.quarantine /Applications/Golavo.appand open it again. - Windows: if SmartScreen appears, choose More info → Run anyway after confirming the
download came from this GitHub release. SHA256SUMS.txtdetects a corrupted manual download; because the checksum is distributed
beside the files, it is not an authenticity signature. In-app updates are separately
verified against the public key compiled into Golavo before installation.- Builds older than v0.2.1 did not include the updater. Install v0.14.0 manually once; later
releases can then use the consent-gated in-app update flow.
v0.13.0
Golavo v0.13.0 — Competition intelligence, kept in its lane
Golavo 0.13.0 adds competition-local strength and workload analytics, European
competition pages, exact World Cup bracket outlooks, verified domestic standings
and season gates, offline place/rest/travel context, and team-only historical
event research.
The release keeps its boundaries explicit:
- World Cup and season outlooks are simulations, never sealed forecasts.
- Current domestic season probabilities remain blocked without a complete,
gap-free fixture list. - Pappalardo/Wyscout research is labeled by competition and era, ships no raw
events or player identities, and never enters the model. - Weather has no value or provider until an issued-before-kickoff historical
source passes the license and leakage gates. - World Cup 2026 now lives under International tournaments, not Domestic leagues.
Installers remain OS-unsigned, so first install may trigger Gatekeeper or
SmartScreen. In-app update downloads are cryptographically verified.
v0.12.0
Golavo v0.12.0
In-app updates are cryptographically signed: the updater verifies
every download against the public key compiled into the app before
installing (the .sig assets). Installers are not yet
OS-signed/notarized, so macOS Gatekeeper and Windows SmartScreen
warn on FIRST install (macOS: right-click → Open; Windows: More
info → Run anyway). SHA256SUMS.txt detects a corrupted manual
download; it is not itself signed, so it does not by itself prove
authenticity — the in-app updater's signature check does.
Updating from v0.1.0 or v0.2.0? Builds before v0.2.1 shipped
without the in-app updater — download and install this version
manually once; after that, updates arrive in-app.
What's Changed
- Release Golavo v0.12.0 by @udhawan97 in #24
Full Changelog: v0.11.1...v0.12.0
v0.11.1
Golavo v0.11.1
In-app updates are cryptographically signed: the updater verifies
every download against the public key compiled into the app before
installing (the .sig assets). Installers are not yet
OS-signed/notarized, so macOS Gatekeeper and Windows SmartScreen
warn on FIRST install (macOS: right-click → Open; Windows: More
info → Run anyway). SHA256SUMS.txt detects a corrupted manual
download; it is not itself signed, so it does not by itself prove
authenticity — the in-app updater's signature check does.
Updating from v0.1.0 or v0.2.0? Builds before v0.2.1 shipped
without the in-app updater — download and install this version
manually once; after that, updates arrive in-app.
Full Changelog: v0.10.3...v0.11.1
v0.10.3
Golavo v0.10.3
In-app updates are cryptographically signed: the updater verifies
every download against the public key compiled into the app before
installing (the .sig assets). Installers are not yet
OS-signed/notarized, so macOS Gatekeeper and Windows SmartScreen
warn on FIRST install (macOS: right-click → Open; Windows: More
info → Run anyway). SHA256SUMS.txt detects a corrupted manual
download; it is not itself signed, so it does not by itself prove
authenticity — the in-app updater's signature check does.
Updating from v0.1.0 or v0.2.0? Builds before v0.2.1 shipped
without the in-app updater — download and install this version
manually once; after that, updates arrive in-app.
Full Changelog: v0.10.2...v0.10.3
v0.10.2
Golavo v0.10.2
In-app updates are cryptographically signed: the updater verifies
every download against the public key compiled into the app before
installing (the .sig assets). Installers are not yet
OS-signed/notarized, so macOS Gatekeeper and Windows SmartScreen
warn on FIRST install (macOS: right-click → Open; Windows: More
info → Run anyway). SHA256SUMS.txt detects a corrupted manual
download; it is not itself signed, so it does not by itself prove
authenticity — the in-app updater's signature check does.
Updating from v0.1.0 or v0.2.0? Builds before v0.2.1 shipped
without the in-app updater — download and install this version
manually once; after that, updates arrive in-app.
What's Changed
- Polish score outlook markets by @udhawan97 in #23
Full Changelog: v0.10.0...v0.10.2
v0.10.0
Golavo v0.10.0
In-app updates are cryptographically signed: the updater verifies
every download against the public key compiled into the app before
installing (the .sig assets). Installers are not yet
OS-signed/notarized, so macOS Gatekeeper and Windows SmartScreen
warn on FIRST install (macOS: right-click → Open; Windows: More
info → Run anyway). SHA256SUMS.txt detects a corrupted manual
download; it is not itself signed, so it does not by itself prove
authenticity — the in-app updater's signature check does.
Updating from v0.1.0 or v0.2.0? Builds before v0.2.1 shipped
without the in-app updater — download and install this version
manually once; after that, updates arrive in-app.
Full Changelog: v0.9.0...v0.10.0