Back to blog

Release

Offline release verification with a slimmer public CLI

Ink/charcoal doodle: a sealed release bundle narrows into a main command path and lands in a verified package.

InvarLock 0.5.0 adds offline release-verification bundles, package-native proof-pack verification, and a simplified public CLI centered on evaluate, verify, and report.

2 min read
InvarLock Team

Release: InvarLock 0.5.0 - Offline verification with a narrower trusted surface

Highlights

  • InvarLock now ships offline release-verification bundles, packaged public contract artifacts, and package-native proof-pack verify, inspect, and build flows for shipped artifacts.
  • The public CLI is simplified around evaluate, verify, report, doctor, and advanced, with proof-pack, policy, plugin, and calibration workflows moved behind advanced and trusted-host evaluation made explicit via --mode local.
  • Runtime defaults, CI/release pinning, proof-pack attestation, and model-evidence sweep tooling are all tightened so support claims, packaged artifacts, and verification flows stay more consistent under audit.

0.5.0 is a release-contract and operator-workflow cleanup. The most visible change is the slimmer public command surface: the docs and CLI now lead with evaluate -> verify -> report html, while specialized proof-pack, policy, plugin, and calibration paths sit behind advanced. That keeps the common trust path easier to learn without dropping the heavier workflows from the distribution.

The release also makes shipped artifacts easier to audit offline. Release-verification bundles, packaged runtime-manifest and model-family contracts, and package-native proof-pack verification mean reviewers can inspect what was published without reconstructing the repo state from scratch. That is paired with stronger proof-pack manifest and attestation tooling, plus explicit inspect and build flows for packaged proof artifacts.

Operationally, 0.5.0 is stricter about where execution happens and how evidence is carried forward. Secure-default runtime behavior is tighter, generated configs stay invocation-local, helper and CI dependencies are more aggressively pinned, and the shipped model lanes are refreshed around evidence-backed support. If you maintain wrappers around older subcommands or rely on host-local model loading, re-check the current docs: advanced flows moved, and invarlock evaluate --mode local is now the deliberate escape hatch for trusted local execution.

For more details, see CHANGELOG.md.

More from the blog

Continue through recent releases and implementation notes.

Release

Stable public contracts with stricter fail-closed verification

InvarLock 0.4.0 stabilizes contracts around policies, proof packs, and evaluation provenance while tightening verification, CI, and coverage enforcement.

Release

Coverage hardening across CLI, reporting, and observability paths

Coverage thresholds now enforce split-module branch floors for critical CLI/reporting paths.

Release

Targeted regression hardening for quantization and reporting paths

A focused hardening release: safer AWQ plugin discovery, stronger quantization clipping behavior, and broader report-schema acceptance for edge payloads.