Back to blog

Offline release verification with a slimmer public CLI

Ink/charcoal doodle: a sealed release tag enters a command path and lands in a verified package.

InvarLock 0.5.0 adds offline release-verification bundles, package-native evidence-pack verification, and a simplified public CLI centered on evaluate, verify, and report.

2 min read
InvarLock Team

Release: InvarLock 0.5.0 - Offline verification with a narrower trusted surface

Highlights

  • InvarLock now ships offline release-verification bundles, packaged public contract artifacts, and package-native evidence-pack verify, inspect, and build flows for shipped artifacts.
  • The public CLI is simplified around evaluate, verify, report, doctor, and advanced, with evidence-pack, policy, plugin, and calibration workflows moved behind advanced and trusted-host evaluation made explicit via --mode local.
  • Runtime defaults, CI/release pinning, evidence-pack attestation, and model-evidence sweep tooling are all tightened so support claims, packaged artifacts, and verification flows stay more consistent under audit.

0.5.0 is a release-contract and operator-workflow cleanup. The most visible change is the slimmer public command surface: the docs and CLI now lead with evaluate -> verify -> report html, while specialized evidence-pack, policy, plugin, and calibration paths sit behind advanced. That keeps the common trust path easier to learn without dropping the heavier workflows from the distribution.

The release also makes shipped artifacts easier to audit offline. Release-verification bundles, packaged runtime-manifest and model-family contracts, and package-native evidence-pack verification mean reviewers can inspect what was published without reconstructing the repo state from scratch. That is paired with stronger evidence-pack manifest and attestation tooling, plus explicit inspect and build flows for packaged proof artifacts.

Operationally, 0.5.0 is stricter about where execution happens and how evidence is carried forward. Secure-default runtime behavior is tighter, generated configs stay invocation-local, helper and CI dependencies are more aggressively pinned, and the shipped model lanes are refreshed around evidence-backed support. If you maintain wrappers around older subcommands or rely on host-local model loading, re-check the current docs: advanced flows moved, and invarlock evaluate --mode local is now the deliberate escape hatch for trusted local execution.

For the immutable release record, read the tagged CHANGELOG.md for v0.5.0.

More in Release

Continue through nearby posts in the same reading thread.

Release

Attested smoke lanes with package-native evidence pack signing

InvarLock 0.5.1 adds a push-gated tiny attested smoke lane, a scheduled GPT-2 canary lane, and package-native Ed25519 evidence pack signatures.

Release

Stable public contracts with stricter fail-closed verification

InvarLock 0.4.0 stabilizes contracts around policies, evidence packs, and evaluation provenance while tightening verification, CI, and coverage enforcement.

Release

Gemma 4 pilot lanes with a clearer assurance contract

InvarLock 0.6.0 adds a shipped Gemma 4 E2B text lane, phase-1 multimodal evaluation, and a unified `--assurance attested|trusted-local` workflow.