Release
Offline release verification with a slimmer public CLI
InvarLock 0.5.0 adds offline release-verification bundles, package-native proof-pack verification, and a simplified public CLI centered on evaluate, verify, and report.
Release: InvarLock 0.5.0 - Offline verification with a narrower trusted surface
Highlights
- InvarLock now ships offline release-verification bundles, packaged public contract artifacts, and package-native proof-pack verify, inspect, and build flows for shipped artifacts.
- The public CLI is simplified around evaluate, verify, report, doctor, and advanced, with proof-pack, policy, plugin, and calibration workflows moved behind advanced and trusted-host evaluation made explicit via --mode local.
- Runtime defaults, CI/release pinning, proof-pack attestation, and model-evidence sweep tooling are all tightened so support claims, packaged artifacts, and verification flows stay more consistent under audit.
0.5.0 is a release-contract and operator-workflow cleanup. The most visible change is the slimmer public command surface: the docs and CLI now lead with evaluate -> verify -> report html, while specialized proof-pack, policy, plugin, and calibration paths sit behind advanced. That keeps the common trust path easier to learn without dropping the heavier workflows from the distribution.
The release also makes shipped artifacts easier to audit offline. Release-verification bundles, packaged runtime-manifest and model-family contracts, and package-native proof-pack verification mean reviewers can inspect what was published without reconstructing the repo state from scratch. That is paired with stronger proof-pack manifest and attestation tooling, plus explicit inspect and build flows for packaged proof artifacts.
Operationally, 0.5.0 is stricter about where execution happens and how evidence is carried forward. Secure-default runtime behavior is tighter, generated configs stay invocation-local, helper and CI dependencies are more aggressively pinned, and the shipped model lanes are refreshed around evidence-backed support. If you maintain wrappers around older subcommands or rely on host-local model loading, re-check the current docs: advanced flows moved, and invarlock evaluate --mode local is now the deliberate escape hatch for trusted local execution.
For the immutable release record, read the tagged CHANGELOG.md for v0.5.0.