Skip to content

v0.4.0

Choose a tag to compare

View all tags
@xodnr927-byte xodnr927-byte released this 06 Jun 13:59
· 30 commits to main since this release
v0.4.0
43a32ec
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Highlights

  • Add JSON Schema validation for signature sidecars, including packaged-schema regression coverage.
  • Improve verify-signature text/JSON diagnostics and optional schema checks.
  • Add evidence sign --dry-run and input-overwrite protection for signature output paths.
  • Add required sandbox-change checks plus SARIF and evidence-validation JUnit adapters.
  • Add synthetic examples, CI recipes, release guidance, and fresh-install smoke tooling.

Proof boundary

Signed sidecars remain a local hmac-sha256 tamper-detection workflow. They do not prove signer identity, public trust chains, command execution, or artifact semantic correctness.

Assets 2
Loading