Releases: xodnr927-byte/repro-evidence-kit

v0.4.2

13 Jun 00:38
e2faa27

Highlights

  • Fail-closed manifest input, symlink, duplicate-path, and metadata validation.
  • Atomic output replacement and input-overwrite protection across file-producing commands.
  • Manifest and sandbox-SARIF schemas with packaged contract checks.
  • Executable README command smoke coverage.
  • Enforced Ruff, Mypy, branch coverage, and arbitrary-working-directory tests.
  • Strict dependency audit, CycloneDX SBOM artifacts, Dependabot, and release build provenance.
  • Boundary regressions for permission failures, large trees, Unicode paths, and corrupted structured inputs.
  • Single-source package and CLI version metadata.

The proof boundaries remain unchanged: hashes and local HMAC sidecars support narrow byte-level review and tamper detection, not command execution, semantic correctness, signer identity, or a public trust chain.

v0.4.1

07 Jun 14:56
5f68db4

What's changed

  • Add Python 3.10, 3.11, and 3.12 CI coverage using normal package installs.
  • Add checked wheel and source-distribution builds.
  • Add release-triggered PyPI Trusted Publishing with OIDC.

Proof boundary

This release improves package distribution and release automation. Hashes, manifests, sandbox checks, and signed sidecars retain the documented proof boundaries; they do not by themselves prove artifact semantics or signer identity.

v0.4.0

06 Jun 13:59
43a32ec

Highlights

  • Add JSON Schema validation for signature sidecars, including packaged-schema regression coverage.
  • Improve verify-signature text/JSON diagnostics and optional schema checks.
  • Add evidence sign --dry-run and input-overwrite protection for signature output paths.
  • Add required sandbox-change checks plus SARIF and evidence-validation JUnit adapters.
  • Add synthetic examples, CI recipes, release guidance, and fresh-install smoke tooling.

Proof boundary

Signed sidecars remain a local hmac-sha256 tamper-detection workflow. They do not prove signer identity, public trust chains, command execution, or artifact semantic correctness.

v0.3.0

05 Jun 03:15
f96fa7e

Highlights

  • Adds local-key signed evidence bundle sidecars with evidence sign and evidence verify-signature.
  • Keeps unsigned bundles fully supported.
  • Documents the signed-bundle boundary: local tamper detection for exact bundle bytes only; no command-execution, artifact-semantics, signer-identity, keyserver, or trust-chain claim.
  • Adds signed-sidecar tutorial coverage and regression tests.

Validation

  • PR #21 CI passed.
  • Local validation on merged main: uv run pytest -q and uv run --extra schema pytest -q.
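As an added illustration of the signed-sidecar boundary stated in the v0.3.0 and v0.4.0 notes (this is example code, not the project's own implementation, and the sidecar field names are assumptions): an HMAC-SHA256 over the exact bundle bytes detects any byte change, including a harmless re-serialization of the same JSON, but a valid tag only shows that some holder of the local key produced it, never who.

```python
import hashlib
import hmac
import json
import secrets

# Assumed sidecar layout for illustration; not the repro-evidence-kit schema.
ALGORITHM = "hmac-sha256"


def sign_bundle(bundle_bytes: bytes, key: bytes) -> dict:
    """Bind a local key to the exact bytes of the bundle."""
    return {
        "algorithm": ALGORITHM,
        "bundle_sha256": hashlib.sha256(bundle_bytes).hexdigest(),
        "mac": hmac.new(key, bundle_bytes, hashlib.sha256).hexdigest(),
    }


def verify_bundle(bundle_bytes: bytes, sidecar: dict, key: bytes) -> bool:
    """Fail closed: unknown algorithm or any MAC mismatch is a failure."""
    if sidecar.get("algorithm") != ALGORITHM:
        return False
    expected = hmac.new(key, bundle_bytes, hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not reveal where the tag differs.
    return hmac.compare_digest(expected, str(sidecar.get("mac", "")))


def demo() -> dict:
    """Constructed bundle and key; shows what the sidecar does and does not prove."""
    key = secrets.token_bytes(32)  # local key, never published
    bundle = json.dumps({"artifacts": [{"path": "out/a.bin", "sha256": "00" * 32}]}).encode()
    sidecar = sign_bundle(bundle, key)
    flipped = bytearray(bundle)
    flipped[0] ^= 0x01  # one-bit change anywhere in the bytes
    # Same JSON document, different bytes: rejected, because only exact bytes are covered.
    reserialized = json.dumps(json.loads(bundle), indent=2).encode()
    return {
        "original": verify_bundle(bundle, sidecar, key),
        "byte_flip": verify_bundle(bytes(flipped), sidecar, key),
        "reserialized": verify_bundle(reserialized, sidecar, key),
        "wrong_key": verify_bundle(bundle, sidecar, secrets.token_bytes(32)),
        # Anyone holding the key produces an equally valid sidecar: no signer identity.
        "other_key_holder": verify_bundle(bundle, sign_bundle(bundle, key), key),
    }
```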

v0.2.0

02 Jun 22:50
50c2ea4

This release adds the first CI report-output format and documents the signed-bundle support boundary.

Added

  • repro-evidence verify sandbox-run --format junit for JUnit XML report consumers.
  • Tests and CLI coverage for JUnit sandbox verification output.
  • CI cookbook documentation for uploading sandbox verification as JUnit XML.
  • Signed evidence bundles design note with a sidecar-first proposal.

Boundaries

  • Existing JSON output behavior is unchanged.
  • Unsigned evidence bundles remain fully supported.
  • Signed bundle implementation is not included yet; the release documents what signing should and should not prove.

Validation

  • CI passed on PR #17, PR #18, and PR #19.
  • Local final validation on main: uv run --extra schema pytest -q -> 25 passed.

v0.1.2

02 Jun 22:43
1974777

This release hardens the v0.1.x maintainer workflow with CI-oriented documentation and validation features.

Added

  • Optional JSON Schema validation for evidence bundles.
  • Include/exclude filters for manifest creation.
  • Markdown output for manifest diff reports.
  • Expanded GitHub Actions cookbook coverage for schema-backed filtered manifest workflows.
  • Stable CLI exit-code documentation and regression coverage.

Notes

  • Examples remain synthetic and target-neutral.
  • Install from source with:
    pip install "git+https://github.com/xodnr927-byte/repro-evidence-kit.git@v0.1.2"

Validation

  • CI passed on PR #15 and PR #16.
  • Local final validation on main: uv run --extra schema pytest -q -> 22 passed.

v0.1.1 portable path handling

31 May 12:24
2d6bad8

Changes

  • Normalize Windows-style \ manifest paths to / for manifest diffs.
  • Normalize sandbox verification allowlists through the same path boundary.
  • Add regression tests for nested POSIX manifest output, Windows-style manifest diffs, and allowlist matching.
  • Expand README maintainer positioning and CLI path-normalization docs.

Validation

  • Main CI passed on commit 2d6bad8e224b87a3d2ef6a46b0cdbd8bb724b4fa.
  • Local source-tree checks passed with PYTHONPATH=src python3 -m unittest discover -s tests.
  • Leakage audit passed with no project-specific/private markers found outside the CI rule itself.

v0.1.0 initial release candidate

30 May 21:06

Initial release candidate with manifest creation, manifest diffing, sandbox-output verification, evidence-bundle validation, synthetic examples, tests, and CI.