Skip to content

Releases: omkhar/vulnerability-validation-skill

v0.30.0

Choose a tag to compare

@omkhar omkhar released this 12 Jul 01:51
v0.30.0
4d4d671

v0.30.0

This release fails closed before any target read unless an external operator-controlled verifier authenticates the selected whole package, proves project/local instruction neutralization, and records operator-originated target and scope authorization.

All five supported surfaces — Codex, Claude Code, Gemini CLI, GitHub Copilot, and Google Antigravity — remain documentation/package compatibility only in v0.30.0. Do not point an agent or the packaged discovery engine at a target repository until a later reviewed release promotes a startup path.

The release also freezes an exact Git-object manifest of v0.29.0 and adds closed-schema startup-contract regressions so future runtime work can be compared without silently rewriting the baseline.

Validation: 853 unit tests and 9 integration tests passed locally; Linux, macOS, and Windows CI, CodeQL, zizmor, Kusari, privacy, optimization, and review-invariant gates are green. Codex reviewed the release commit with no P0/P1 findings.

v0.29.0

Choose a tag to compare

@omkhar omkhar released this 11 Jul 11:10
v0.29.0
7903f14

v0.29.0

Promoted findings now require a sealed vulnerable/negative-control/fixed replay transcript with exact designated-PoC linkage and byte-consistent evidence.

This release also refreshes the supported-agent documentation, distinguishing Gemini CLI package compatibility from the discontinued consumer-hosted tier.

Validation: full local verification plus green Linux, macOS, and Windows CI.

v0.12.0

Choose a tag to compare

@omkhar omkhar released this 01 Jul 13:42
a5d4afd

Release for the current skill.json version. Includes changelog entries since previous tag v0.7.0.

[0.12.0] - 2026-07-01

  • Rejection/withdrawal-pattern hardening (five gaps synthesized from observed GHSA
    rejection/withdrawal data; all land in uncapped reference prose, no canonical-body edit):
    • G1 — boundary direction. portable-invariants.md now requires an
      attacker_input_class=external_untrusted finding to name both boundary endpoints as an ordered
      pair {untrusted_source -> trusted_sink_side} and cite where the untrusted data enters; a
      tainted value that provably originates on the trusted side routes
      operator_trusted/policy_excluded (reversed direction). Witnessed by a drift-gate.md fail
      row and a Security-Vulnerability-Researcher review-lens question.
    • G2 — deployed-artifact boundary. The line-22 low-signal triage-prior catalog names
      build/CI/release-pipeline primitives, metrics/registry-cardinality hygiene, and
      documentation/example/link defects as operator-overridable, discovery-time priors that sit
      outside the deployed runtime artifact's trust boundary by construction.
    • G3 — release-build reachability. A crash/abort/assert oracle must record whether the
      asserting/UBSan/ASan check fires in the project's default released build; a
      debug/assert/sanitizer-only fault is not advisory-eligible above informational on that oracle
      alone absent a separately-proven release-build-reachable impact. Witnessed by a review-lens
      question.
    • G4 — merged-fix != security acceptance. The inbound-signal invariant now records that a
      maintainer-merged fix or fix-PR paired with (or defaulting to) "a bug, not a security issue"
      confirms the bug but declines the security framing — route to bugfix/hardening, no new enum.
    • G5 — batch integrity. Before filing more than one advisory to a single maintainer venue in
      a run, every row must independently carry live-runtime-proof (or an accepted non-live
      exception), a fresh threat-model fit, and a non-maintainer_rejected_prior/non-self-duplicate
      status, with a per-venue "each row reviewer-vetted, not bulk-passed" outbound-count attestation.
      Witnessed by a drift-gate.md fail row.

[0.11.0] - 2026-06-30

  • Autonomous discovery engine: add scripts/discovery_engine.py, a deterministic local scanner
    that inventories target repositories, runs source heuristics, optionally runs supported local-only
    tools, falls back when tools fail, and emits native-discovery ledgers plus merge aids
    (discovery-engine-report.json, source-review-notes.json,
    run-state.discovery-fragment.json, verification-sheet.seed.json, and tool-runs/).
    Tool installation is explicit opt-in via --tool-policy auto-install, and OSV-Scanner /
    Scorecard-style remote metadata queries are explicit opt-in via --allow-remote-metadata;
    the minimal command makes no default network touch.
    The engine generates and ranks candidates only; proof, severity, patching, adjudication, and
    maintainer handoff still require the existing validation workflow. The generated agent packages
    now ship this helper alongside the artifact validator. See
    reviews/autonomous-discovery-engine-consensus.md.

[0.10.0] - 2026-06-30

  • Native discovery contract: add a modular discovery-router architecture with new references for
    orchestration, specialist routing, discovery playbooks, and proof-harness routing. Native bundles
    must now ship discovery-plan.json, surface-inventory.json,
    discovery-lane-results.json, and candidate-fusion.json; the validator enforces artifact
    presence, selected-lane result/blocker accounting, high-applicability omission rationales,
    admitted-candidate joins to verification-sheet.json, non-admitted candidate joins to
    out_of_scope_rows, snapshot/fusion reconciliation when snapshot ids are present, and
    validation bridges for tool-only admitted candidates. The canonical body stays lean; generated
    agent surfaces remain behavioral equivalents after a 2026-06-30 official-docs refresh for Codex,
    Claude Code, Gemini CLI, GitHub Copilot, and Google Antigravity. See
    reviews/discovery-router-agent-doc-refresh-consensus.md.

[0.9.0] - 2026-06-29

  • Pre-filing discipline: add eight empirically-derived gates that reconcile a maintainer-facing claim to its own evidence before transmission, from a cross-bundle scrub of prior filings (over-scoped severity, works-as-designed, refuted-at-HEAD, source-only runtime claims, public/self duplicates, stale-vs-live status, placeholder version ranges, and send-decision drift). New controlled fields demonstrated_impact and baseline_grant, plus an expanded capability_gained, in references/controlled-fields.md. The Latest-HEAD Filing Gate now requires a behavior re-proof (re-run the finding's oracle against the fetched HEAD; a newly-present guard that does not neutralize the primitive is an incomplete-fix/residual candidate, never a closure) and a severity floor at the minimum tier the proven demonstrated_impact supports — the in-scope untrusted-input channel that constitutes the vulnerability is never subtracted. Workflow steps 4–5 add a self-duplicate scan and capability_gained/baseline_grant design-contract routing; Proof Labels bar above-informational runtime-impact severity asserted on source_proof/model_only_with_controls while a live oracle is feasible (fault-injection/OOM reachability becomes a recorded caveat, never auto-out-of-scope); Handoff Rules add a fresh live-upstream status reconciliation, a placeholder/template version-range check (deliberate unreleased-branch scope exempt), and a pre-transmission send-decision reconciliation. Eight matching references/drift-gate.md fail rows and a references/review-lenses.md lens field ship alongside. Guardrails preserved: in-scope server-supplied findings are never suppressed; closure hinges on primitive-still-fires, never guard-presence. See reviews/pre-filing-gates-budget-raise-consensus.md.

[0.8.0] - 2026-06-29

  • Handoff contract: tighten the pre-filing clean delivered-entry replay invariant so the maintainer-facing reproducer must run from the delivered bundle alone on a clean maintainer machine — no reporter-local fixture, unbundled scaffolding, or host-absolute path, with every input bundled or generated in-script (run-time fetches limited to dependency/runtime provisioning carrying no reporter-hosted content). The prior gate only proved the reporter could replay; a bundle that secretly depended on the reporter's environment could pass and push reproduction back onto a (likely volunteer) maintainer. Refines references/portable-invariants.md only; no new field, enum, or validator check. Two non-contract reference refinements ship alongside (not version-gated): review-lenses.md Technical Writer lens now requires the handoff to open with a few-sentence plain-language problem+impact statement before the detail, and portable-invariants.md filing discipline now bisects/git-blames the proven sink to pin the earliest-affected lower bound (or marks it unresolved) when the introducing commit is unknown. Derived from Daniel Stenberg's "Do excellent vulnerability reports" (2026-06-29); see reviews/excellent-vuln-reports-refinement-consensus.md.

v0.7.0

Choose a tag to compare

@omkhar omkhar released this 28 Jun 21:37
v0.7.0
306ce45

Release for the current skill.json version. Includes changelog entries since previous tag v0.4.0.

[0.7.0] - 2026-06-24

  • Validator: dossier-not-verdict / human-adjudication protocol (AX12). On a maintainer-facing handoff a terminal closure_status now carries an adjudication record: the agent emits proposed_disposition/proposed_severity, and a human (or an explicitly-labeled simulated_local_role_lens) renders the verdict. Five machine gates witness the SHADOW of adjudication: G-ADJ-PRESENCE (a terminal closure requires a non-empty adjudication), G-SIM-CAP (a simulated lens may not terminally close validated_fixed/risk-accept — it must state no human adjudicated it; capped to the artifact-provable set), G-FIELD-SIGNOFF (a human adjudicator signs off every adjudicated field-token, and a changed disposition must be signed amended/rejected), G-SLA-DOWNGRADE (a lapsed human-adjudication SLA auto-downgrades record_state to stale_needs_human, with the clock floored by sealed_at and evidence time), and G-AUDIT-FLOOR (a randomized ratification audit samples ≥ max(1, ceil(0.20·N_human)) human-adjudicated findings, anti-self-audit, seed-bound). The adjudication_checklist (falsifier / AX10 concordance / AX11 env-delta / residuals / what-would-make-this-not-a-bug) is enforced as a presence + AX10/AX11-binding FLOOR, not content-adequacy; accountability records a named owner + ticket. The reframe RELOCATES optimism ("this bug is real" → "this dossier is done"); it does not remove it — the irreducible residual is the human (see reviews/dossier-not-verdict-adjudication-consensus.md). New gates fire only under output_mode=maintainer_facing_handoff (legacy bundles grandfathered); planted fp_34fp_38 fixtures + four new maintainer-facing TP fixtures; baseline repinned (41→50). Transition: maintainer-facing bundles now require an adjudication per terminal closure — regenerate any in-flight v0.6 handoff bundles.

[0.6.0] - 2026-06-24

  • Validator: environment-fidelity gate (AX11). An executable PoC row must carry a non-empty target_env_fidelity attesting how the validation environment relates to the affected/threat-model configuration — a match, or the delta named with why reachability/impact still holds. replay.env_fingerprint records only WHICH environment ran, not whether it represents the affected configuration; a PoC that "validates" on a non-representative env (a debug/instrumented build, a different kernel/build-config, or a load profile that inflates or fabricates the signal) would not reproduce on the configuration the finding claims, and the prior gates accepted it. Body step 8, the Validator Profile, and the placeholder/stub scan move in lockstep; planted fp_33 (missing target_env_fidelity) fixture added.

[0.5.0] - 2026-06-24

  • Validator: oracle–mechanism concordance gate (AX10). An executable PoC's oracle must carry a structured mechanism_concordance object: a non-empty sink_failure_modes list (the sink's documented failure signals) of which the validator requires every vulnerable-side signal — the row's vulnerable_expected_observation AND its observed_baseline_result — to be a member (set membership bound to the actual claim, so the discordant signal cannot hide in a separate or observed field; angle-placeholder modes are rejected). The prior vacuous/differ checks proved an oracle distinguishes two runs, not that the vulnerable observation is a signal the sink can actually emit — a SIGSEGV attributed to a madvise/fallocate sink that returns errno or silently discards passed as proof. The gate is structural set-membership rather than a free-text/keyword scan (which a discordant record can phrase around): discordance now surfaces as an explicit, auditable claim — to pass, a balloon oracle would have to LIST the impossible signal among the sink's failure modes (a visible false assertion about the sink's contract) instead of burying it in prose. Full semantic truth of the declared set remains a reviewer responsibility. Planted fp_31 (missing object) + fp_32 (discordant: vulnerable_expected_observation absent from sink_failure_modes) fixtures; body step 7, the Validator Profile, and the placeholder/stub scan are updated in lockstep.