Commit 8a2f0fc

BayyinahEnterprise and Claude (cowork) committed
release: v0.10.0
Phase G11.0 (Kiraman Katibin) closing release. Sigstore-CASM Gate 11 v1.0 ships behind the opt-in [gate11] extra; default install path unchanged.

Local verification (sandbox sigstore 3.6.7, rfc8785 0.1.4, onnx 1.17.0, onnxruntime 1.23.2, numpy 2.2.6, onnx_tool installed):
- pytest --collect-only -q -> 511 tests collected (target: 511, +70 from v0.9.4's 441: +67 across test_gate11_*.py modules, +3 in test_regenerate_check_table.py)
- pytest -q -> 465 passed, 46 skipped
- ruff check . clean
- ruff format --check . clean
- mypy src/furqan_lint clean
- furqan-lint version -> 'furqan-lint 0.10.0'
- Em-dash check (extended scope; excludes CODE_OF_CONDUCT.md) clean
- Manifest sign-and-verify smoke (manifest_schema + module_canonicalization + signature_canonicalization + bundle + verification) round-trips with a stub Bundle and raises CASM-V-NNN on each documented failure mode
- regenerate_check_table.py --check -> no drift on README
- CASM-V-INDETERMINATE surfaces on dynamic __all__ rather than silent false-pass
- additive-only contract: manifest update refuses removals (CASM-V-050) and signature drift on retained names (CASM-V-051)

Closes finding F1 (README count drift). Documents Shape A scope statements F4 (recursive linter trust) and F7 (Rekor public-surface leakage). Documents Newman 2022 disclosures N1 (OIDC compromise), N2 (typosquatting), N3 (Rekor privacy), N4 (log retention).

Co-authored-by: Claude (cowork) <claude+cowork@anthropic.com>
1 parent 6449b40 commit 8a2f0fc

3 files changed

Lines changed: 60 additions & 11 deletions

CHANGELOG.md

Lines changed: 58 additions & 9 deletions
@@ -19,7 +19,7 @@ introduced this convention.
1919

2020
---
2121

22-
## [0.10.0] - <DATE>
22+
## [0.10.0] - 2026-05-07
2323

2424
Phase G11.0 (Kiraman Katibin) ships Sigstore-CASM Gate 11 v1.0
2525
for Python. New optional ``[gate11]`` extra brings in
@@ -30,22 +30,71 @@ The CASM v1.0 manifest schema enforces the additive-only
3030
contract on a Python module's public surface via Sigstore's
3131
OIDC-keyed ephemeral certificates plus Rekor transparency log.
3232

33-
### Fixed
34-
35-
(populate during release commit)
36-
3733
### Added
3834

39-
(populate during release commit)
35+
- ``[gate11]`` optional extra (``sigstore>=3.0.0,<4`` and
36+
``rfc8785>=0.1.4,<0.2``). Independent of ``[onnx]`` /
37+
``[onnx-runtime]`` / ``[onnx-profile]``; adds no inference
38+
dependencies.
39+
- New ``furqan_lint.gate11`` package: ``manifest_schema``
40+
(frozen ``Manifest`` + ``PublicName`` dataclasses, RFC 8785
41+
canonical serialization), ``module_canonicalization``
42+
(BOM-strip + UTF-8 decode + LF-normalize + SHA-256),
43+
``signature_canonicalization`` (canonical type-string
44+
collapse for ``Optional[X]`` / ``Union[X, None]`` / ``X | None``
45+
to alphabetized ``X | None``), ``surface_extraction``
46+
(reuses ``furqan_lint.additive._extract_public_names``),
47+
``signing`` (Sigstore production / staging / GitHub-OIDC),
48+
``bundle`` (``<module>.furqan.manifest.sigstore`` wire
49+
format), ``verification`` (9-step CASM-V flow), ``cli``
50+
(manifest subcommand dispatch).
51+
- ``furqan-lint manifest init / verify / update <module.py>``
52+
CLI subcommand.
53+
- ``furqan-lint check --gate11 <path>`` flag that runs the
54+
normal check pipeline plus CASM-V verification on any
55+
sibling ``.furqan.manifest.sigstore`` bundle.
56+
- ``CASM-V-NNN`` error namespace covering parse (010), version
57+
/ language (001..002), TUF (020 / 021), Sigstore (030..034),
58+
module-hash (040), additive-only contract (050 / 051),
59+
chain (060 / 061).
60+
- ``CASM-V-INDETERMINATE`` result on dynamic ``__all__``
61+
modules (rather than a false pass).
62+
- ``scripts/regenerate_check_table.py`` plus pre-commit hook
63+
plus ``tests/test_regenerate_check_table.py`` close
64+
finding F1 (README structural-checks block now auto-derived
65+
between sentinel comments).
66+
- ``.github/workflows/ci.yml`` ``gate11-smoke-test`` job
67+
(push-to-main only; ``id-token: write``;
68+
``FURQAN_LINT_GATE11_SMOKE_TEST=1``).
69+
- ``action.yml`` composite-action ``gate11`` input (default
70+
``false``).
71+
- README ``Sigstore-CASM Gate 11 (opt-in)`` section,
72+
``Closed in v0.10.0`` block, the four Newman 2022 disclosures
73+
(N1 short-window OIDC compromise, N2 typosquatting, N3 Rekor
74+
privacy, N4 retention horizon), the SCITT vocabulary
75+
citation, and Shape A scope statements F4 (recursive linter
76+
trust) and F7 (Rekor public-surface leakage).
77+
- ``SECURITY.md`` Gate 11 disclosures section; supported-versions
78+
table refreshed (0.10.x supported, 0.8.x EOL).
79+
- ``CONTRIBUTING.md`` Gate 11 testing section.
4080

4181
### Changed
4282

43-
(populate during release commit)
83+
- The CLI dispatcher now recognises ``args[0] == "manifest"``
84+
and routes to ``furqan_lint.gate11.cli.dispatch_manifest``;
85+
the ``check`` subcommand parses out an optional ``--gate11``
86+
flag before invoking the existing primary-check pipeline.
87+
88+
### Fixed
89+
90+
- F1 (README count drift): closed structurally via the
91+
pre-commit / CI ``regenerate_check_table.py --check`` gate.
4492

4593
### Tests
4694

47-
Test count: 441 (v0.9.4 ship state) -> <TBD>
48-
(v0.10.0). Net delta: <TBD>.
95+
Test count: 441 (v0.9.4 ship state) -> 511 (v0.10.0).
96+
Net delta: +70 (67 across the eight ``test_gate11_*.py``
97+
modules; 3 in ``test_regenerate_check_table.py``).
4998

5099
## [0.9.4] - 2026-05-05
51100
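Review bot: The ``[gate11]`` bullet pins ``sigstore>=3.0.0,<4``, but the commit message records local verification against sigstore 3.6.7 only, so the 3.0.0 floor is untested as far as this commit shows; either run the gate11 suite against the lowest allowed version in CI or raise the floor to a version that has been exercised. In the ``CASM-V-NNN`` bullet the codes are listed out of numeric order (parse (010) comes before version / language (001..002)) and mix the ``..`` and ``/`` separators; ascending order with one range notation would make the namespace easier to audit. The ``SECURITY.md`` bullet names 0.10.x as supported and 0.8.x as EOL but does not say where 0.9.x stands; state its status in the entry as well.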

pyproject.toml

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
44

55
[project]
66
name = "furqan-lint"
7-
version = "0.9.4"
7+
version = "0.10.0"
88
description = "Structural-honesty checks for Python, powered by Furqan"
99
readme = "README.md"
1010
requires-python = ">=3.10"
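Review bot: The version literal on the changed line (version = "0.10.0") duplicates __version__ in src/furqan_lint/__init__.py, which this commit bumps by hand in a separate hunk, so the two can drift on a future release. With the setuptools.build_meta backend named in the hunk header, the version can be single-sourced by declaring dynamic = ["version"] under [project] and setting version = {attr = "furqan_lint.__version__"} under [tool.setuptools.dynamic].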

src/furqan_lint/__init__.py

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
"""furqan-lint: structural-honesty checks for Python."""
22

3-
__version__ = "0.9.4"
3+
__version__ = "0.10.0"
44

55
# Explicit public surface declaration. The implicit surface (anything
66
# not starting with an underscore at module level) is fragile: any
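Review bot: The hard-coded __version__ = "0.10.0" on the changed line has nothing in this diff tying it to the packaged version; the commit message checks it only by running furqan-lint version by hand. A small test comparing furqan_lint.__version__ with importlib.metadata.version("furqan-lint") would turn that manual step into a gate that fails when one of the two literals is missed.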
