mirror of
https://github.com/prompt-security/clawsec.git
synced 2026-06-13 05:28:02 +03:00
davida-ps
4dbac421ab
* feat(advisories): add provisional ghsa feed * fix(workflows): include advisory signatures in checksums * fix(workflows): mirror ghsa feed at release root * feat(advisories): consolidate ghsa into agent feed * ci(advisories): consolidate ghsa during nvd poll * fix(advisories): retain unreplaced ghsa feed entries * chore(skills): bump advisory feed consumers * fix(release): resolve ts import closure dry run * fix(release): preserve urls while stripping comments * fix(release): ignore skill test-only changes * fix(advisories): follow ghsa pagination links * test(advisories): add nvd ghsa pipeline dry run
1.2 KiB
1.2 KiB
Changelog
[0.0.3] - 2026-05-24
Changed
- Documented that Picoclaw advisory checks consume the consolidated signed advisory feed, including NVD CVEs, approved community advisories, and provisional GHSA-without-CVE records.
[0.0.2] - 2026-05-13
Security
- Added explicit signed release artifact verification instructions for standalone installs, including
checksums.json,checksums.sig,signing-public.pem, archive hash verification, andSKILL.md/skill.jsonchecksum checks.
Changed
- Re-release skill payload metadata after excluding test-only files from release SBOMs and archives.
[0.0.1] - 2026-04-26
Added
- Initial Picoclaw-specific ClawSec skill package for advisory awareness, deterministic profile generation, drift detection, and supply-chain verification.
- Picoclaw-native Docker pre-release install regression harness using
find_skills/install_skilland skill-loader validation.
Changed
- Split optional posture-review checks into separate
picoclaw-self-pen-testingpackage so this package remains the core public guardian lane. - Updated metadata/docs/regression expectations to keep this package focused on advisory, drift, and supply-chain checks.