Standalone contract bundles with tighter release gates
InvarLock 0.7.1 makes wheel-only verify/report workflows first-class, ships a public contract bundle, and tightens supply-chain and release-validation gates.
Release: InvarLock 0.7.1 - Wheel-first verification and tighter supply-chain gates
Highlights
- The minimal `pip install invarlock` path is now documented as enough for `doctor`, `verify`, `report`, and proof-pack verification, while `invarlock[hf]` is positioned as the extra you add only when `evaluate` needs to load Hugging Face models.
- Tagged releases now ship `invarlock-<version>-public-contract-bundle.tar.gz`, giving downstream reviewers a standalone contract and runtime-profile archive with a reproducible hash inventory.
- PR and release workflows are tighter around install-surface SBOMs, shipped-surface `pip-audit`, `gitleaks`, typed/coverage gates, and fail-closed report-validation rules when canonical inputs or validation contracts are missing or ambiguous.
0.7.1 is mostly about making the published OSS surface stand on its own. The getting-started and quickstart docs now separate the minimal wheel install from the Hugging Face evaluate path, spell out which report commands expect report.json versus evaluation.report.json, and keep proof-pack verification available from an installed wheel. That matters for downstream reviewers who only need to validate artifacts, not run the full repo workflow.
The other visible addition is the public contract bundle. Tagged releases now publish invarlock-<version>-public-contract-bundle.tar.gz alongside the offline bundle, with a manifest that records the release version, tag, commit SHA, and per-file hashes. On the site, the synced contract and release-verification docs make that bundle auditable without a repo checkout and keep the boundary between public contract data and heavier repo-only surfaces explicit.
Underneath that, 0.7.1 hardens release discipline. The security pages now describe install-surface SBOM generation, shipped-surface pip-audit, gitleaks history scans, validated tag resolution, and stricter fail-closed report validation when canonical inputs or validation_keys.json are missing or ambiguous. If you maintain downstream verification wrappers, minimal wheel installs, or supply-chain review workflows, this is the patch release to re-check against the current docs and release assets.
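As an added example (not InvarLock's own code), here is a minimal fail-closed verifier for a bundle of the shape the two paragraphs above describe: a tarball carrying a manifest that records version, tag, commit SHA and per-file SHA-256 hashes. The manifest file name, its JSON layout, and the sample files are assumptions constructed for illustration; the real bundle's layout is in the release docs.

```python
import hashlib
import io
import json
import tarfile

MANIFEST_NAME = "manifest.json"  # assumed name, not taken from the release docs


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: dict, meta: dict) -> dict:
    """Record release metadata plus a per-file sha256 inventory (assumed schema)."""
    return dict(meta, files={path: sha256_hex(blob) for path, blob in files.items()})


def build_bundle(files: dict, manifest=None) -> bytes:
    """Build an in-memory .tar.gz from constructed sample files; manifest=None omits it."""
    entries = dict(files)
    if manifest is not None:
        entries[MANIFEST_NAME] = json.dumps(manifest, sort_keys=True).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_bundle(bundle: bytes, expected_commit=None) -> list:
    """Return findings; an empty list means the bundle verified.

    Fail closed: no manifest, an unlisted file, a listed-but-absent file,
    a hash mismatch, or a commit SHA other than the one expected is a finding.
    Members are read in memory only, so no path is ever written to disk.
    """
    members = {}
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                members[m.name] = tar.extractfile(m).read()
    manifest_raw = members.pop(MANIFEST_NAME, None)
    if manifest_raw is None:
        return ["manifest missing: refusing to verify"]
    manifest = json.loads(manifest_raw)
    findings = []
    if expected_commit and manifest.get("commit") != expected_commit:
        findings.append(f"commit mismatch: {manifest.get('commit')}")
    listed = manifest.get("files", {})
    for path in sorted(set(listed) | set(members)):  # union catches both directions
        if path not in listed:
            findings.append(f"unlisted file: {path}")
        elif path not in members:
            findings.append(f"missing file: {path}")
        elif sha256_hex(members[path]) != listed[path]:
            findings.append(f"hash mismatch: {path}")
    return findings
```

Pin `expected_commit` to the SHA resolved from the validated release tag so a bundle re-published under a different commit is rejected rather than silently accepted.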
For the immutable release record, read the tagged CHANGELOG.md for v0.7.1.