clawsec/skills/hermes-attestation-guardian/CHANGELOG.md
David Abutbul 26af277afd feat(hermes-attestation-guardian): v0.1.0 release hardening (verify gate + trust policy + .mjs scan context) (#200)
* feat(hermes-attestation-guardian): release v0.0.2 hardening

* docs(wiki): add v0.0.2 hardening update note

* docs: add Hermes support coverage to README and compatibility report

* fix(hermes-attestation-guardian): address baz review on crontab detection and doc dedup

* feat(wiki): add PR-200 skill feature/platform matrix

* docs(wiki): rewrite PR-200 matrix as narrative capability mapping

* docs(readme): add skill feature matrix with requested headers

* docs(readme): replace unknowns with mapped yes/no feature matrix

* docs: move NanoClaw and CI/CD details from README to wiki modules

* docs(readme): remove platform/suite sections and keep wiki module pointers

* docs(readme): refresh project structure to match current repo

* feat(hermes-attestation-guardian): add signed advisory feed verification pipeline

* feat(hermes-attestation-guardian): add advisory-gated guarded skill verification

* feat(hermes-attestation-guardian): add advisory scheduler helper and phase-3 parity docs

* docs(wiki): expand hermes attestation guardian capability coverage

* fix(pr-200): address Baz review findings across Hermes parity rollout

* test(sandbox): extend Hermes regression to cover feed, guarded verify, and advisory scheduler

* fix(pr-200): address Baz semver parsing and feed-state fallback visibility

* fix(ci): suppress shellcheck false positives in sandbox inline docker script

* fix(hermes-attestation-guardian): fail closed on unsupported advisory ranges

* fix(hermes-attestation-guardian): restore safe install verdict in sandbox

* fix(sandbox): capture guarded verify exit under set -e

* fix(semver): fail closed on malformed affected specifiers

* docs(readme): clarify hermes capability matrix wording

* refactor(feed): share signed artifact verification flow

* refactor(cron): share managed block helpers across setup scripts

* fix(feed): require checksum manifest artifacts when enabled

* chore(hermes-skill): relocate sandbox test, refresh docs, and add v0.1.0 release notes

* chore(docs): remove remaining hermes parity plan file

* chore(release): roll hermes-attestation-guardian to v0.1.0

* chore(release): remove standalone v0.1.0 release notes file

* docs(hermes): update README status to v0.1.0

---------

Co-authored-by: David Abutbul <David.a@prompt.security>
2026-04-21 13:56:50 +03:00


# Changelog

## [0.1.0] - 2026-04-21

- Added mandatory release verification gate guidance before install: checksums.json, checksums.sig, and pinned signing public-key fingerprint.
- Added explicit Hermes guard trust-policy note for signature-aware trust (trusted signer fingerprint allowlist) over source-name-only trust.
- Moved sandbox regression harness into the skill test surface (test/hermes_attestation_sandbox_regression.sh) and fixed in-skill default path resolution.
- Tightened advisory feed verification to require checksum-manifest artifacts when checksum-manifest verification is enabled (fail-closed when missing).
- Added feed regression coverage for missing local/remote checksum-manifest artifacts under strict verification mode.
- Refactored cron setup scripts to share managed-block helpers from lib/cron.mjs, reducing drift risk.
- Added explicit .mjs scan/test coverage guidance so Hermes-side scanner scope and regression harness context stay aligned with scripts/*.mjs, lib/*.mjs, and test/*.test.mjs.
- Clarified fresh-node first-run edge-case documentation.
- Clarified Hermes runtime metadata/frontmatter and README capability coverage for ClawHub publishing.
- Removed compatibility-report wiki page references in favor of README capability matrix as the primary compatibility surface.
- Updated skill metadata/docs to v0.1.0 and aligned README quickstart with fail-closed verification expectations.

## [0.0.1] - 2026-04-15

- Implemented deterministic Hermes attestation generator CLI (scripts/generate_attestation.mjs).
- Implemented fail-closed verifier CLI with schema, canonical digest, expected checksum, and optional detached signature checks (scripts/verify_attestation.mjs).
- Implemented meaningful baseline diff engine with stable severity mapping for risky toggle regressions, feed verification regressions, trust anchor drift, and watched file drift (lib/diff.mjs).
- Implemented Hermes-only cron setup helper with print-only default and managed-block apply mode (scripts/setup_attestation_cron.mjs).
- Added shared attestation library for canonicalization, schema validation, digest generation, and policy parsing (lib/attestation.mjs).
- Expanded tests for schema determinism, diff behavior, generator/verifier fail-closed behavior, and cron helper Hermes-only output.
- Updated metadata/docs to match actual implemented behavior and ClawSec release pipeline expectations.