Highlights
- Fail-closed manifest input, symlink, duplicate-path, and metadata validation.
- Atomic output replacement and input-overwrite protection across file-producing commands.
- Manifest and sandbox-SARIF schemas with packaged contract checks.
- Executable README command smoke coverage.
- Enforced Ruff, Mypy, branch coverage, and arbitrary-working-directory tests.
- Strict dependency audit, CycloneDX SBOM artifacts, Dependabot, and release build provenance.
- Boundary regressions for permission failures, large trees, Unicode paths, and corrupted structured inputs.
- Single-source package and CLI version metadata.
The proof boundaries remain unchanged: hashes and local HMAC sidecars support narrow byte-level review and tamper detection; they do not prove command execution, semantic correctness, signer identity, or a public trust chain.
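To make that boundary concrete, here is an added example (not the project's own code): a local HMAC-SHA256 sidecar over a constructed manifest catches any byte change but accepts a re-signed copy from anyone holding the key, and output is written atomically with a refusal to overwrite an input path. The manifest layout, the sidecar encoding, and the function names are assumptions for this illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Constructed sample manifest: relative paths mapped to SHA-256 digests.
# The layout and the HMAC-SHA256 sidecar are assumptions for this example,
# not the project's own format.
SAMPLE_MANIFEST = {
    "files": {
        "src/app.py": hashlib.sha256(b"print('hi')\n").hexdigest(),
        "README.md": hashlib.sha256(b"# demo\n").hexdigest(),
    }
}

def canonical_bytes(manifest: dict) -> bytes:
    """Serialize deterministically so the HMAC covers one exact byte string."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def sidecar_for(manifest_bytes: bytes, key: bytes) -> str:
    """Local HMAC-SHA256 sidecar: anyone holding the key can produce it,
    so it detects tampering but says nothing about who signed."""
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()

def verify_sidecar(manifest_bytes: bytes, sidecar: str, key: bytes) -> bool:
    """Constant-time compare; any changed byte in the manifest fails."""
    return hmac.compare_digest(sidecar_for(manifest_bytes, key), sidecar)

def write_atomically(dest: Path, data: bytes, inputs: set) -> Path:
    """Refuse to clobber an input path, then replace dest via rename."""
    dest = Path(dest).resolve()
    if dest in {Path(p).resolve() for p in inputs}:
        raise ValueError(f"refusing to overwrite input path: {dest}")
    fd, tmp = tempfile.mkstemp(dir=dest.parent, prefix=dest.name + ".")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, dest)  # atomic rename: readers see old or new, never partial
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return dest
```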