Back to blog

Stable public contracts with stricter fail-closed verification

Ink/charcoal doodle: published contract pages enter a fail-closed verifier and produce a checked artifact.

InvarLock 0.4.0 stabilizes contracts around policies, evidence packs, and evaluation provenance while tightening verification, CI, and coverage enforcement.

2 min read
InvarLock Team

Release: InvarLock 0.4.0 - Stable contracts and a narrower trust surface

Highlights

  • InvarLock now publishes stable public contracts for support matrices, adapter capabilities, plugin compatibility, evidence-pack manifests, and policy packs, with new CLI policy tooling plus shipped evidence fixtures for published-basis lanes.
  • Evaluation reports now carry dataset and RMT provenance, while verification and evidence-pack paths are tightened to preserve parity and fail closed more consistently.
  • Trust-critical paths were refactored into thinner orchestration shells, the enforced coverage floor rises to 90%, and legacy CLI/reporting/config plus old evidence-pack layout compatibility have been removed.

0.4.0 is a surface-stabilization release. The biggest change is not a single feature but a clearer public contract around how InvarLock describes supported adapters, plugins, evidence packs, and policy artifacts. That is paired with stronger provenance in evaluation reports, so the evidence produced by the framework is easier to audit and compare across runs.

The release also hardens the implementation beneath that surface. The trust-critical verify, runner, variance, and spectral paths have been split into thinner shells with stronger per-file coverage thresholds, and the repo now enforces a 90% project-wide floor across a broader critical surface. Documentation checks are stricter as well: docs-only CI is blocking on staging/next and main, with markdown and spellcheck lint treated as required gates rather than advisory steps.

Operationally, 0.4.0 is stricter than the recent patch releases. Verify-policy parity, baseline evidence reuse, evidence-pack verification, and release-bundling flows are all hardened for fail-closed behavior, while legacy CLI/reporting/config surfaces and the older evidence-pack layout compatibility are intentionally removed. If you maintain downstream tooling around older pack layouts or command surfaces, this is the release to re-check against the current docs and published contracts.

For the immutable release record, read the tagged CHANGELOG.md for v0.4.0.

More in Release

Continue through nearby posts in the same reading thread.

Release

Offline release verification with a slimmer public CLI

InvarLock 0.5.0 adds offline release-verification bundles, package-native evidence-pack verification, and a simplified public CLI centered on evaluate, verify, and report.

Release

Coverage floors and fail-closed CLI/reporting paths

Split-module coverage thresholds now protect critical CLI/reporting paths while config, plugin, report, overhead, and observability edge cases fail closed more reliably.

Release

Attested smoke lanes with package-native evidence pack signing

InvarLock 0.5.1 adds a push-gated tiny attested smoke lane, a scheduled GPT-2 canary lane, and package-native Ed25519 evidence pack signatures.