Releases: omkhar/vulnerability-validation-skill
Release list
v0.30.0
v0.30.0
This release fails closed before any target read unless an external operator-controlled verifier authenticates the selected whole package, proves project/local instruction neutralization, and records operator-originated target and scope authorization.
All five supported surfaces — Codex, Claude Code, Gemini CLI, GitHub Copilot, and Google Antigravity — remain documentation/package compatibility only in v0.30.0. Do not point an agent or the packaged discovery engine at a target repository until a later reviewed release promotes a startup path.
The release also freezes an exact Git-object manifest of v0.29.0 and adds closed-schema startup-contract regressions so future runtime work can be compared without silently rewriting the baseline.
Validation: 853 unit tests and 9 integration tests passed locally; Linux, macOS, and Windows CI, CodeQL, zizmor, Kusari, privacy, optimization, and review-invariant gates are green. Codex reviewed the release commit with no P0/P1 findings.
v0.29.0
v0.29.0
Promoted findings now require a sealed vulnerable/negative-control/fixed replay transcript with exact designated-PoC linkage and byte-consistent evidence.
This release also refreshes the supported-agent documentation, distinguishing Gemini CLI package compatibility from the discontinued consumer-hosted tier.
Validation: full local verification plus green Linux, macOS, and Windows CI.
v0.12.0
Release for the current skill.json version. Includes changelog entries since previous tag v0.7.0.
[0.12.0] - 2026-07-01
- Rejection/withdrawal-pattern hardening (five gaps synthesized from observed GHSA
rejection/withdrawal data; all land in uncapped reference prose, no canonical-body edit):- G1 — boundary direction.
portable-invariants.mdnow requires an
attacker_input_class=external_untrustedfinding to name both boundary endpoints as an ordered
pair{untrusted_source -> trusted_sink_side}and cite where the untrusted data enters; a
tainted value that provably originates on the trusted side routes
operator_trusted/policy_excluded(reversed direction). Witnessed by adrift-gate.mdfail
row and a Security-Vulnerability-Researcher review-lens question. - G2 — deployed-artifact boundary. The line-22 low-signal triage-prior catalog names
build/CI/release-pipeline primitives, metrics/registry-cardinality hygiene, and
documentation/example/link defects as operator-overridable, discovery-time priors that sit
outside the deployed runtime artifact's trust boundary by construction. - G3 — release-build reachability. A crash/abort/assert oracle must record whether the
asserting/UBSan/ASan check fires in the project's default released build; a
debug/assert/sanitizer-only fault is not advisory-eligible above informational on that oracle
alone absent a separately-proven release-build-reachable impact. Witnessed by a review-lens
question. - G4 — merged-fix != security acceptance. The inbound-signal invariant now records that a
maintainer-merged fix or fix-PR paired with (or defaulting to) "a bug, not a security issue"
confirms the bug but declines the security framing — route to bugfix/hardening, no new enum. - G5 — batch integrity. Before filing more than one advisory to a single maintainer venue in
a run, every row must independently carry live-runtime-proof (or an accepted non-live
exception), a fresh threat-model fit, and a non-maintainer_rejected_prior/non-self-duplicate
status, with a per-venue "each row reviewer-vetted, not bulk-passed" outbound-count attestation.
Witnessed by adrift-gate.mdfail row.
- G1 — boundary direction.
[0.11.0] - 2026-06-30
- Autonomous discovery engine: add
scripts/discovery_engine.py, a deterministic local scanner
that inventories target repositories, runs source heuristics, optionally runs supported local-only
tools, falls back when tools fail, and emits native-discovery ledgers plus merge aids
(discovery-engine-report.json,source-review-notes.json,
run-state.discovery-fragment.json,verification-sheet.seed.json, andtool-runs/).
Tool installation is explicit opt-in via--tool-policy auto-install, and OSV-Scanner /
Scorecard-style remote metadata queries are explicit opt-in via--allow-remote-metadata;
the minimal command makes no default network touch.
The engine generates and ranks candidates only; proof, severity, patching, adjudication, and
maintainer handoff still require the existing validation workflow. The generated agent packages
now ship this helper alongside the artifact validator. See
reviews/autonomous-discovery-engine-consensus.md.
[0.10.0] - 2026-06-30
- Native discovery contract: add a modular discovery-router architecture with new references for
orchestration, specialist routing, discovery playbooks, and proof-harness routing. Native bundles
must now shipdiscovery-plan.json,surface-inventory.json,
discovery-lane-results.json, andcandidate-fusion.json; the validator enforces artifact
presence, selected-lane result/blocker accounting, high-applicability omission rationales,
admitted-candidate joins toverification-sheet.json, non-admitted candidate joins to
out_of_scope_rows, snapshot/fusion reconciliation when snapshot ids are present, and
validation bridges for tool-only admitted candidates. The canonical body stays lean; generated
agent surfaces remain behavioral equivalents after a 2026-06-30 official-docs refresh for Codex,
Claude Code, Gemini CLI, GitHub Copilot, and Google Antigravity. See
reviews/discovery-router-agent-doc-refresh-consensus.md.
[0.9.0] - 2026-06-29
- Pre-filing discipline: add eight empirically-derived gates that reconcile a maintainer-facing claim to its own evidence before transmission, from a cross-bundle scrub of prior filings (over-scoped severity, works-as-designed, refuted-at-HEAD, source-only runtime claims, public/self duplicates, stale-vs-live status, placeholder version ranges, and send-decision drift). New controlled fields
demonstrated_impactandbaseline_grant, plus an expandedcapability_gained, inreferences/controlled-fields.md. The Latest-HEAD Filing Gate now requires a behavior re-proof (re-run the finding's oracle against the fetched HEAD; a newly-present guard that does not neutralize the primitive is an incomplete-fix/residual candidate, never a closure) and a severity floor at the minimum tier the provendemonstrated_impactsupports — the in-scope untrusted-input channel that constitutes the vulnerability is never subtracted. Workflow steps 4–5 add a self-duplicate scan andcapability_gained/baseline_grantdesign-contract routing; Proof Labels bar above-informational runtime-impact severity asserted onsource_proof/model_only_with_controlswhile a live oracle is feasible (fault-injection/OOM reachability becomes a recorded caveat, never auto-out-of-scope); Handoff Rules add a fresh live-upstream status reconciliation, a placeholder/template version-range check (deliberate unreleased-branch scope exempt), and a pre-transmission send-decision reconciliation. Eight matchingreferences/drift-gate.mdfail rows and areferences/review-lenses.mdlens field ship alongside. Guardrails preserved: in-scope server-supplied findings are never suppressed; closure hinges on primitive-still-fires, never guard-presence. Seereviews/pre-filing-gates-budget-raise-consensus.md.
[0.8.0] - 2026-06-29
- Handoff contract: tighten the pre-filing clean delivered-entry replay invariant so the maintainer-facing reproducer must run from the delivered bundle alone on a clean maintainer machine — no reporter-local fixture, unbundled scaffolding, or host-absolute path, with every input bundled or generated in-script (run-time fetches limited to dependency/runtime provisioning carrying no reporter-hosted content). The prior gate only proved the reporter could replay; a bundle that secretly depended on the reporter's environment could pass and push reproduction back onto a (likely volunteer) maintainer. Refines
references/portable-invariants.mdonly; no new field, enum, or validator check. Two non-contract reference refinements ship alongside (not version-gated):review-lenses.mdTechnical Writer lens now requires the handoff to open with a few-sentence plain-language problem+impact statement before the detail, andportable-invariants.mdfiling discipline now bisects/git-blames the proven sink to pin the earliest-affected lower bound (or marks it unresolved) when the introducing commit is unknown. Derived from Daniel Stenberg's "Do excellent vulnerability reports" (2026-06-29); seereviews/excellent-vuln-reports-refinement-consensus.md.
v0.7.0
Release for the current skill.json version. Includes changelog entries since previous tag v0.4.0.
[0.7.0] - 2026-06-24
- Validator: dossier-not-verdict / human-adjudication protocol (AX12). On a maintainer-facing handoff a terminal
closure_statusnow carries anadjudicationrecord: the agent emitsproposed_disposition/proposed_severity, and a human (or an explicitly-labeledsimulated_local_role_lens) renders the verdict. Five machine gates witness the SHADOW of adjudication: G-ADJ-PRESENCE (a terminal closure requires a non-empty adjudication), G-SIM-CAP (a simulated lens may not terminally closevalidated_fixed/risk-accept — it must state no human adjudicated it; capped to the artifact-provable set), G-FIELD-SIGNOFF (a human adjudicator signs off every adjudicated field-token, and a changed disposition must be signed amended/rejected), G-SLA-DOWNGRADE (a lapsed human-adjudication SLA auto-downgradesrecord_statetostale_needs_human, with the clock floored bysealed_atand evidence time), and G-AUDIT-FLOOR (a randomized ratification audit samples ≥ max(1, ceil(0.20·N_human)) human-adjudicated findings, anti-self-audit, seed-bound). Theadjudication_checklist(falsifier / AX10 concordance / AX11 env-delta / residuals / what-would-make-this-not-a-bug) is enforced as a presence + AX10/AX11-binding FLOOR, not content-adequacy;accountabilityrecords a named owner + ticket. The reframe RELOCATES optimism ("this bug is real" → "this dossier is done"); it does not remove it — the irreducible residual is the human (seereviews/dossier-not-verdict-adjudication-consensus.md). New gates fire only underoutput_mode=maintainer_facing_handoff(legacy bundles grandfathered); plantedfp_34–fp_38fixtures + four new maintainer-facing TP fixtures; baseline repinned (41→50). Transition: maintainer-facing bundles now require anadjudicationper terminal closure — regenerate any in-flight v0.6 handoff bundles.
[0.6.0] - 2026-06-24
- Validator: environment-fidelity gate (AX11). An executable PoC row must carry a non-empty
target_env_fidelityattesting how the validation environment relates to the affected/threat-model configuration — a match, or the delta named with why reachability/impact still holds.replay.env_fingerprintrecords only WHICH environment ran, not whether it represents the affected configuration; a PoC that "validates" on a non-representative env (a debug/instrumented build, a different kernel/build-config, or a load profile that inflates or fabricates the signal) would not reproduce on the configuration the finding claims, and the prior gates accepted it. Body step 8, the Validator Profile, and the placeholder/stub scan move in lockstep; plantedfp_33(missingtarget_env_fidelity) fixture added.
[0.5.0] - 2026-06-24
- Validator: oracle–mechanism concordance gate (AX10). An executable PoC's
oraclemust carry a structuredmechanism_concordanceobject: a non-emptysink_failure_modeslist (the sink's documented failure signals) of which the validator requires every vulnerable-side signal — the row'svulnerable_expected_observationAND itsobserved_baseline_result— to be a member (set membership bound to the actual claim, so the discordant signal cannot hide in a separate or observed field; angle-placeholder modes are rejected). The prior vacuous/differ checks proved an oracle distinguishes two runs, not that the vulnerable observation is a signal the sink can actually emit — a SIGSEGV attributed to amadvise/fallocatesink that returns errno or silently discards passed as proof. The gate is structural set-membership rather than a free-text/keyword scan (which a discordant record can phrase around): discordance now surfaces as an explicit, auditable claim — to pass, a balloon oracle would have to LIST the impossible signal among the sink's failure modes (a visible false assertion about the sink's contract) instead of burying it in prose. Full semantic truth of the declared set remains a reviewer responsibility. Plantedfp_31(missing object) +fp_32(discordant:vulnerable_expected_observationabsent fromsink_failure_modes) fixtures; body step 7, the Validator Profile, and the placeholder/stub scan are updated in lockstep.