Skip to content

v0.3.0.md

Latest commit

 

History

History
49 lines (34 loc) · 2.58 KB

v0.3.0.md

File metadata and controls

49 lines (34 loc) · 2.58 KB

Traverse v0.3.0

Release date: 2026-06-06

Traverse v0.3.0 is the first GitHub Release after the historical v0.2.0 tag. The v0.2.0 tag remains part of the repository history, but it was not published as a GitHub Release. Consumers should pin v0.3.0 for the current app-consumable, supply-chain-hardened baseline.

The downstream public surface compatibility statement is docs/v0.3.0-public-surface-compatibility.md.

Source-build consumer packaging expectations are documented in docs/v0.3.0-source-build-consumer-packaging.md.

Highlights

  • Adds the HTTP/JSON application API surface for downstream apps, including local serve, discovery, registration, and execution paths.
  • Adds workspace identity, auth, runtime grants, isolation policy, and audit evidence for app-facing execution.
  • Adds OpenTelemetry-compatible runtime trace export so runtime decisions can be inspected outside Traverse-specific tooling.
  • Adds WASI Host ABI v1 insulation so host imports are validated through a governed compatibility boundary.
  • Adds connector plugin registry and resolution primitives for external integration growth.
  • Adds the portable DataStore runtime model for the AP-leaning state path used by browser/offline-first consumers.
  • Adds governed artifact signature verification, including Ed25519 and Sigstore trust paths.
  • Adds supply-chain hardening evidence, including SBOM generation, provenance evidence, reproducibility checks, and artifact verification.

Compatibility Notes

  • Traverse remains a 0.x project. Public surfaces are governed and validated, but compatibility is still allowed to evolve before a 1.0 stability commitment.
  • The v0.2.0 tag exists as a historical workspace version bump and should not be treated as the current published release baseline.
  • No cross-platform binary package is attached to this release. The release publishes source, release notes, and supply-chain evidence artifacts.

Validation

Release preparation must pass these local gates before tagging:

bash scripts/ci/repository_checks.sh
bash scripts/ci/rust_checks.sh
bash scripts/ci/coverage_gate.sh
bash scripts/ci/supply_chain_check.sh

The GitHub Release should attach the generated supply-chain evidence from target/supply-chain/:

  • traverse-sbom.cdx.json
  • supply-chain-summary.json
  • artifact-verify-report.json
  • traverse-cli.provenance.json

Traceability

  • Release issue: #432
  • Governing specs: 001-foundation-v0-1, 031-supply-chain-hardening