Release

Standalone contract bundles with tighter release gates

Ink/charcoal doodle: a contract bundle passes through a verified gate into a report page.

InvarLock 0.7.1 makes wheel-only verify/report workflows first-class, ships a public contract bundle, and tightens supply-chain and release-validation gates.

InvarLock Team

Release: InvarLock 0.7.1 - Wheel-first verification and tighter supply-chain gates

Highlights

  • The minimal pip install invarlock path is now documented as sufficient for doctor, verify, report, and proof-pack verification, while invarlock[hf] is positioned as the extra you add only when evaluate needs to load Hugging Face models.
  • Tagged releases now ship invarlock-<version>-public-contract-bundle.tar.gz, giving downstream reviewers a standalone contract and runtime-profile archive with a reproducible hash inventory.
  • PR and release workflows are tighter around install-surface SBOMs, shipped-surface pip-audit, gitleaks, typed/coverage gates, and fail-closed report-validation rules when canonical inputs or validation contracts are missing or ambiguous.

0.7.1 is mostly about making the published OSS surface stand on its own. The getting-started and quickstart docs now separate the minimal wheel install from the Hugging Face evaluate path, spell out which report commands expect report.json versus evaluation.report.json, and keep proof-pack verification available from an installed wheel. That matters for downstream reviewers who only need to validate artifacts, not run the full repo workflow.

The other visible addition is the public contract bundle. Tagged releases now publish invarlock-<version>-public-contract-bundle.tar.gz alongside the offline bundle, with a manifest that records the release version, tag, commit SHA, and per-file hashes. On the site, the synced contract and release-verification docs make that bundle auditable without a repo checkout and keep the boundary between public contract data and heavier repo-only surfaces explicit.

Underneath that, 0.7.1 hardens release discipline. The security pages now describe install-surface SBOM generation, shipped-surface pip-audit, gitleaks history scans, validated tag resolution, and stricter fail-closed report validation when canonical inputs or validation_keys.json are missing or ambiguous. If you maintain downstream verification wrappers, minimal wheel installs, or supply-chain review workflows, this is the patch release to re-check against the current docs and release assets.
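As an added example (not InvarLock's own code; the manifest field names and layout are assumptions, not the project's documented format), here is a fail-closed verifier for an extracted contract bundle in the spirit of the hash inventory and validation rules described above. It refuses on a missing or duplicated manifest, a missing manifest field, a wrong tag, a missing or altered listed file, or any file outside the inventory.

```python
import hashlib, json, tempfile
from pathlib import Path

class BundleVerificationError(Exception): """Any outcome short of positive verification."""

def verify_bundle(root: Path, expected_tag: str) -> dict:
    """Fail-closed check of an extracted bundle directory against its manifest (assumed shape)."""
    manifests = list(root.glob("*manifest*.json"))
    if len(manifests) != 1:  # none or several manifests: ambiguous input, refuse
        raise BundleVerificationError(f"expected one manifest, found {len(manifests)}")
    manifest = json.loads(manifests[0].read_text())
    missing = [k for k in ("version", "tag", "commit_sha", "files") if k not in manifest]
    if missing or manifest.get("tag") != expected_tag:
        raise BundleVerificationError(f"manifest incomplete or wrong tag, missing={missing}")
    checked = {}
    for rel, expected in manifest["files"].items():  # assumed: {relpath: sha256-hex}
        path = root / rel
        if not path.is_file():
            raise BundleVerificationError(f"listed file missing: {rel}")
        actual = hashlib.sha256(path.read_bytes()).hexdigest()
        if actual != expected:
            raise BundleVerificationError(f"hash mismatch for {rel}")
        checked[rel] = actual
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    extra = on_disk - set(checked) - {manifests[0].name}
    if extra:  # anything outside the inventory makes the shipped surface ambiguous
        raise BundleVerificationError(f"unlisted files: {sorted(extra)}")
    return {"version": manifest["version"], "commit_sha": manifest["commit_sha"], "files": checked}

def make_sample_bundle(root: Path, tag: str = "v0.7.1") -> None:
    """Write a constructed sample bundle; file contents and the commit SHA are placeholders."""
    (root / "contracts").mkdir()
    (root / "contracts" / "invariants.json").write_text('{"invariant": "demo"}\n')
    (root / "runtime-profile.json").write_text('{"profile": "demo"}\n')
    files = {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest() for p in root.rglob("*") if p.is_file()}
    manifest = {"version": tag.lstrip("v"), "tag": tag, "commit_sha": "0" * 40, "files": files}
    (root / "manifest.json").write_text(json.dumps(manifest, indent=2))

def demo() -> tuple:
    """Verify the sample bundle, then tamper with one file and return (file count, refusal)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_bundle(root)
        verified = len(verify_bundle(root, "v0.7.1")["files"])
        (root / "runtime-profile.json").write_text('{"profile": "tampered"}\n')
        try:
            verify_bundle(root, "v0.7.1")
            return verified, None
        except BundleVerificationError as exc:
            return verified, str(exc)
```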

For more details, see CHANGELOG.md.