Releases: bearbinary/Jarvy

v0.1.1

27 May 15:59
v0.1.1
330eebd

Patch release closing the crates.io gap that v0.1.0 left open. No
runtime code changes — release-pipeline metadata only.

Fixed

  • jarvy-templates is now publishable. The crate was marked
    publish = false and lacked the repository / homepage metadata
    crates.io requires. Both jarvy and cargo-jarvy depend on it via
    { version = "X", path = "..." }; crates.io strips path on publish
    and resolves from the registry, so the dep must already be available
    there. With publish = false + no version spec on the parents, the
    v0.1.0 cargo publish failed at "error: failed to verify manifest ...
    'jarvy-templates' does not specify a version" before either crate
    could upload.
  • Both jarvy-templates path dependency declarations now carry a
    version = "0.1.1" requirement. Required by cargo publish: without
    it the parent crate cannot verify against the published registry
    form of the dep.
  • publish-packages.yml::publish-crates-io step is now ordered.
    Previously one cargo publish call attempted to publish jarvy as
    the workspace root; jarvy-templates was never published, so the
    parent's resolve always 404'd. The job now publishes
    jarvy-templates first, polls the crates.io index for up to 150s
    until the dep surfaces, then publishes jarvy with --no-verify
    (the workspace verify already ran at tag-build time; the
    post-publish re-verify would race the index refresh).

Impact on v0.1.0 users

  • The GitHub Release for v0.1.0 (all 49 binary assets + Sigstore
    signatures) is unaffected. .deb / .rpm / .dmg / .msi /
    .AppImage install paths work exactly as documented.
  • cargo install jarvy resolves to v0.1.1 (the first crates.io
    release in the v0.1.x line). Users who tried cargo install jarvy
    during the v0.1.0 → v0.1.1 window saw "error: could not find jarvy
    0.1.0 in registry crates-io".
  • Other channels (Homebrew tap, AUR, winget, Chocolatey) were not
    affected by this gap.

Full Changelog: v0.1.0...v0.1.1

Installation

Quick Install (Unix)

curl -fsSL https://raw.githubusercontent.com/bearbinary/jarvy/main/dist/scripts/install.sh | bash

Quick Install (Windows PowerShell)

irm https://raw.githubusercontent.com/bearbinary/jarvy/main/dist/scripts/install.ps1 | iex

Homebrew

brew install bearbinary/tap/jarvy

Cargo

cargo install jarvy

Early-Release Channel

Pre-release tags (-rc.N, -beta.N) are routed through the beta channel.
Opt in: JARVY_CHANNEL=beta on the install script, or jarvy update --channel beta.
See docs/release-testing.md.

See installation docs for more options.

Security

Verify Signatures

All release artifacts are signed with Sigstore keyless OIDC. Verify any artifact:

ARTIFACT=jarvy-linux-x86_64.tar.gz
BASE=https://github.com/bearbinary/jarvy/releases/download/v0.1.1
curl -LO $BASE/$ARTIFACT
curl -LO $BASE/$ARTIFACT.sig
curl -LO $BASE/$ARTIFACT.pem
cosign verify-blob \
  --signature $ARTIFACT.sig \
  --certificate $ARTIFACT.pem \
  --certificate-identity-regexp '^https://github\.com/bearbinary/Jarvy/\.github/workflows/release\.yml@refs/tags/v[0-9.]+(-[A-Za-z0-9.]+)?$' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  $ARTIFACT
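
The identity patterns used by the verify commands on this page, compared side by side. This is an added example, not part of the Jarvy release notes: the certificate identities are constructed, and grep -E stands in for the verifier's regexp engine on the assumption that both apply a pattern as an unanchored, case-sensitive search.

```shell
#!/bin/sh
# Added example: which certificate identities does each pattern accept?
LC_ALL=C; export LC_ALL   # byte-exact character ranges

# Patterns copied from the verify commands on this page.
ANCHORED='^https://github\.com/bearbinary/Jarvy/\.github/workflows/release\.yml@refs/tags/v[0-9.]+(-[A-Za-z0-9.]+)?$'
REPO_PREFIX='https://github.com/bearbinary/Jarvy/'
BARE_PREFIX='https://github.com/bearbinary/jarvy'

# Constructed certificate identities (SAN values) for the comparison.
ID_RELEASE='https://github.com/bearbinary/Jarvy/.github/workflows/release.yml@refs/tags/v0.1.1'
ID_RC='https://github.com/bearbinary/Jarvy/.github/workflows/release.yml@refs/tags/v0.1.0-rc.10'
# A different workflow on a branch of the same repository.
ID_BRANCH='https://github.com/bearbinary/Jarvy/.github/workflows/ci.yml@refs/heads/topic'
# The fork-style name the Helm release notes mention.
ID_FORK='https://github.com/bearbinary/jarvy-anything/.github/workflows/release.yml@refs/tags/v0.1.1'

# identity_matches PATTERN IDENTITY -> exit 0 when the pattern accepts it.
identity_matches() {
  printf '%s\n' "$2" | grep -Eq -- "$1"
}

# accepted_by PATTERN -> space-separated labels of the accepted identities.
accepted_by() {
  acc=''
  for pair in "release:$ID_RELEASE" "rc:$ID_RC" "branch:$ID_BRANCH" "fork:$ID_FORK"; do
    label=${pair%%:*}   # text before the first colon
    ident=${pair#*:}    # everything after it (the identity URL)
    if identity_matches "$1" "$ident"; then acc="$acc $label"; fi
  done
  printf '%s\n' "${acc# }"
}

printf 'anchored    : %s\n' "$(accepted_by "$ANCHORED")"
printf 'repo prefix : %s\n' "$(accepted_by "$REPO_PREFIX")"
printf 'bare prefix : %s\n' "$(accepted_by "$BARE_PREFIX")"
```

Only the anchored pattern pins the repository, the release workflow and a tag ref together; the bare prefix accepts the fork-style name and, being case-sensitive, does not match the Jarvy spelling.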

Tag Signature

This release was cut from a signed git tag. Verify with:

git -c gpg.ssh.allowedSignersFile=.github/allowed_signers tag --verify v0.1.1

SBOM

Software Bill of Materials in SPDX 2.3 (sbom.spdx.json) and CycloneDX 1.4 (sbom.cdx.json).

Checksums

SHA256 checksums for all artifacts are in SHA256SUMS.txt.

v0.1.0

27 May 14:29
v0.1.0
e6ecc16

First feature-complete stable. Closes the round-2 hardening review
(45 items across two passes), ships clean-laptop onboarding, and
publishes 14 ready-to-copy jarvy.toml project templates.
Telemetry-enabled deployments now actually export records — four
compounding OTLP bugs that left env-only opt-in silently emitting
zero records are fixed (see Fixed below). The public surface
from v0.0.5 is preserved; everything below is either additive,
fail-closed by default, or a tightening of internal invariants.

Upgrading from v0.0.5

jarvy update --channel beta (and jarvy update in general) is broken in
v0.0.5 — it exits 0 without actually upgrading. Two pre-existing bugs in
v0.0.5: a hardcoded version = "0.2" clap string that makes v0.0.5 think
it is newer than v0.1.0, plus an update path that never triggers an
artifact download. Both are fixed in v0.1.0 but cannot be patched
retroactively. v0.0.5 users must upgrade by reinstalling via their
package manager, not via jarvy update:

  • macOS (Homebrew tap restored): brew upgrade jarvy
  • Debian/Ubuntu: sudo apt install ./jarvy_0.1.0_amd64.deb
  • Fedora/RHEL: sudo dnf install ./jarvy-0.1.0-1.x86_64.rpm
  • Arch (AUR): yay -Syu jarvy-bin
  • Windows (winget): winget upgrade Jarvy.Jarvy
  • Cargo: cargo install jarvy --force

From v0.1.0 onward, jarvy update --channel beta and jarvy update
work as documented.

Added

  • Project templates. examples/<stack>/jarvy.toml ships 14
    validated drop-in configs (node-npm/pnpm/bun, deno, python-api/uv,
    go-api, rust-cli/workspace, ruby-rails, java-spring, react-app,
    fullstack, k8s-platform). Companion docs at
    docs/templates-index.md give an AI-agent decision table mapping
    detect-by signals (lockfiles, manifests) to template URLs.
  • Clean-laptop onboarding. New Makefile + idempotent
    scripts/bootstrap.sh give contributors a two-command setup
    (curl install.sh | bash then make setup). Bootstrap script
    honors JARVY_CHANNEL for stable/beta/nightly, falls back to
    wget if curl is missing, and forwards extra args to
    jarvy setup. shellcheck-clean.
  • jarvy validate recognizes the full top-level surface.
    [npm], [pip], [cargo], [commands], [drift], [git],
    [network], [logging] no longer trigger
    "unknown configuration section" warnings. Toolchain channel
    aliases (stable, beta, nightly, lts, current) are
    accepted as valid version strings — rust = "stable" validates
    cleanly.
  • SecretError::PathEscapesProject + JARVY_ALLOW_EXTERNAL_SECRETS
    override. [env.secrets] from_file paths that resolve outside
    the project root and $HOME after symlink-resolving
    canonicalization are refused by default. Common legitimate paths
    (~/.aws/credentials, <project>/.env.secret) keep working.
    Override with JARVY_ALLOW_EXTERNAL_SECRETS=1.
  • tools::pinned_installer::PinnedInstaller helper for the
    curl-bash class of installers. arctl, kmcp, and ollama (Linux
    fallback only) now fetch their installer scripts at a pinned
    commit, sha256-verify the body, and refuse to exec on mismatch —
    same pattern Homebrew already used. Refreshing a pinned installer
    requires updating the commit + sha256 constants together.
  • POSIX env-var grammar validation before writing
    [env.vars] to shell rc files. Keys not matching
    ^[A-Za-z_][A-Za-z0-9_]*$ are skipped with a structured
    event="env.refused_invalid_key" warning instead of corrupting
    ~/.bashrc / ~/.zshrc.
  • tools::install_method canonical classifier
    (Brew/Cargo/Nvm/Pyenv/Rustup/Snap/System/
    NotFound/Unknown). commands::diagnose, commands::drift,
    and observability::bundle all delegate here instead of
    hand-rolling three near-identical detectors.
  • Unsupported-tool feedback loop with telemetry-first delivery.
    When a user (or AI agent) hits a tool Jarvy doesn't support, the
    run now surfaces a structured request payload — fuzzy Levenshtein
    suggestions with prefix-match boost, a define_tool! scaffold
    snippet, exit code TOOL_UNSUPPORTED (8), and a delivery channel.
    Telemetry is canonical: no GitHub account needed and zero triage
    work for the maintainer. The pre-filled tool_request.yml issue
    URL is surfaced only when telemetry is off, with
    jarvy telemetry enable offered as a one-time alternative. New
    jarvy tools --request <name> [--open] flag with pretty / JSON /
    YAML / TOML output. Setup-path returns exit 8 only when every
    configured tool was unknown — mixed runs still return 0 so partial
    setups succeed. Canonical tool.unsupported event with uniform
    field shape across both call sites; OTEL counter
    jarvy.tool.unsupported renamed from …not_supported to match.
  • crates/jarvy-templates workspace member — dep-free crate
    shipping validate_tool_name, render_tool_template,
    MAX_TOOL_NAME_LEN, and the embedded define_tool! template.
    cargo-jarvy depends only on this crate now; clean-build time
    drops from minutes (full jarvy lib) to ~7s.
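
The pinned-installer pattern from the PinnedInstaller item above (sha256-verify the body, refuse to exec on mismatch), as an added shell example. It is not Jarvy's Rust implementation: the function names, the installer body and the pin computed inside the demo are constructed, and the fetch step appears only as a comment with placeholder values.

```shell
#!/bin/sh
# Added example: verify-then-exec for an installer pinned by sha256.

# sha256_of FILE -> hex digest on stdout (empty if the file is unreadable).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" 2>/dev/null | cut -d' ' -f1
  else
    shasum -a 256 "$1" 2>/dev/null | cut -d' ' -f1
  fi
}

# run_pinned FILE EXPECTED_SHA256 [ARGS...]
# Hashes the file on disk and executes that same file only on an exact
# digest match. Returns 1 without executing anything when it differs.
run_pinned() {
  rp_file=$1
  rp_want=$2
  shift 2
  rp_got=$(sha256_of "$rp_file")
  if [ -z "$rp_got" ] || [ "$rp_got" != "$rp_want" ]; then
    printf 'refusing to exec %s: sha256 "%s" != pinned "%s"\n' \
      "$rp_file" "$rp_got" "$rp_want" >&2
    return 1
  fi
  sh "$rp_file" "$@"
}

# Fetch step, not run here (placeholders, not a real project URL):
#   curl -fsSL "https://raw.githubusercontent.com/<owner>/<repo>/<PINNED_COMMIT>/install.sh" \
#     -o "$dir/install.sh"
# The script is saved to a file first so the bytes hashed are the bytes run.

# demo_pinned -> one summary line: exit codes and whether each run executed.
demo_pinned() {
  dp_dir=$(mktemp -d) || return 2
  # Constructed installer body standing in for the downloaded script.
  printf '%s\n' '#!/bin/sh' 'echo "installed $1" > "$2"' > "$dp_dir/install.sh"
  # Stand-in for the sha256 constant committed alongside the pinned commit.
  dp_pin=$(sha256_of "$dp_dir/install.sh")

  dp_good=0
  run_pinned "$dp_dir/install.sh" "$dp_pin" demo-tool "$dp_dir/ok.marker" || dp_good=$?

  # The body changes by one line while the pin stays the same.
  printf '%s\n' 'echo extra-step' >> "$dp_dir/install.sh"
  dp_bad=0
  run_pinned "$dp_dir/install.sh" "$dp_pin" demo-tool "$dp_dir/bad.marker" \
    2>/dev/null || dp_bad=$?

  dp_ok=no;  [ -f "$dp_dir/ok.marker" ] && dp_ok=yes
  dp_ran=no; [ -f "$dp_dir/bad.marker" ] && dp_ran=yes
  rm -rf "$dp_dir"
  printf 'good=%s bad=%s ok_marker=%s bad_marker=%s\n' \
    "$dp_good" "$dp_bad" "$dp_ok" "$dp_ran"
}

demo_pinned
```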
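
The env-var key grammar check from the [env.vars] item above, as an added shell example rather than Jarvy's own code. The function names, the sample input and the warning line format are constructed; only the key grammar and the event name come from the release notes.

```shell
#!/bin/sh
# Added example: filter [env.vars]-style pairs before they reach a shell rc file.
LC_ALL=C; export LC_ALL   # make the [A-Za-z] ranges byte-exact

# is_valid_env_key KEY -> 0 when KEY matches ^[A-Za-z_][A-Za-z0-9_]*$
# Whole-string `case` matching is used on purpose: a line-oriented grep
# would accept a key with an embedded newline if one of its lines matched.
is_valid_env_key() {
  case "$1" in
    '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*) return 1 ;;
  esac
  return 0
}

# sq_quote VALUE -> VALUE wrapped in single quotes, with embedded single
# quotes rewritten as '\'' so the result is one literal shell word.
sq_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# render_exports: reads KEY=VALUE lines on stdin. Valid keys become
# `export` lines on stdout; refused keys produce a warning on stderr and
# nothing on stdout, so the rc file is never given a malformed line.
render_exports() {
  while IFS= read -r re_line || [ -n "$re_line" ]; do
    case "$re_line" in
      *=*) ;;
      *) continue ;;          # not a KEY=VALUE pair
    esac
    re_key=${re_line%%=*}     # up to the first '='
    re_val=${re_line#*=}      # everything after it, '=' included
    if is_valid_env_key "$re_key"; then
      printf 'export %s=%s\n' "$re_key" "$(sq_quote "$re_val")"
    else
      # Constructed log format; the key itself is not echoed back.
      printf 'WARN event="env.refused_invalid_key" key_len=%s\n' "${#re_key}" >&2
    fi
  done
}

# Constructed sample input.
sample_env_vars() {
  cat <<'EOF'
EDITOR=vim
MY-VAR=1
GREETING=it's here
2FAST=x
_OK=a=b
no_equals_sign
EOF
}

sample_env_vars | render_exports
```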

Changed

  • Logging pipeline rewired to tracing_appender::rolling for
    daily rotation + tracing_appender::non_blocking for buffered
    writes. analytics::shutdown_logging() flushes both the
    SdkLoggerProvider and the file WorkerGuard before
    process::exit, so buffered records aren't lost on early
    termination. EnvFilter now has a default-on floor of
    warn,jarvy=info if RUST_LOG is unset.
  • Hook::run_with_policy collapsed from a 3-state HookOutcome
    enum to Result<(), HookError>. Production callers only ever
    checked Fail vs not-Fail; the warning-on-continue_on_error
    side effect already conveyed the difference. The new Err case
    returns the underlying HookError so error_codes::HOOK_FAILED
    callers keep working.
  • Sanitizer::sanitize_borrowed returns Cow<'_, str> so the
    no-match path skips allocation entirely. Sanitizer::sanitize
    preserves the same fast path internally.
  • tracing::warn! → tracing::error! on tool.failed,
    hook.failed, hook.timeout, config.parse_error, and
    telemetry.endpoint.refused. These are operator-actionable
    conditions, not advisory.
  • Subprocess spans. services::run_command and
    tools::common::run_capture are now wrapped in
    tracing::info_span!("subprocess.exec", cmd, args_count, ...)
    with start/duration/exit_code events.
  • paths.rs cleanup. cache_dir inlined into
    remote_config_cache_dir (only caller); #![allow(dead_code)]
    removed since every public function has external callers now.

Security

  • CA-bundle trust check tightened. network::propagate no
    longer accepts paths under the broad ~/.jarvy/ cache prefix —
    only ~/.jarvy/ca/ is trusted, with a trailing-slash anchor so
    ~/.jarvy/ca-attacker/... can't slip through.
  • Cross-origin redirects refused on
    remote::validated_get / fetch_remote_config. ureq agent
    now uses .max_redirects(0); redirects must be revalidated
    through the policy gate.
  • Sigstore companion verification. update::release returns
    None for cosign companion files when the .sig/.pem aren't
    exact-match siblings — a substring-match bug that would have let
    a malicious tarball claim sibling signatures was closed.
  • exec.rs deleted (zero-caller speculative seam).
  • team::inheritance::transform_github_url duplicate deleted;
    callers route through the canonical remote::transform_github_url
    so URL hardening lives in one place.
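
The CA-bundle and Sigstore-companion items above both replace a prefix or substring test with an exact one. The following added shell example shows the two checks; it is not Jarvy's Rust code. The function names and asset listings are constructed, loose_companion is a hypothetical substring matcher included only for contrast, and is_trusted_ca_path assumes its argument is already an absolute, canonicalized path.

```shell
#!/bin/sh
# Added example: exact matching for trusted CA paths and signature companions.

# is_trusted_ca_path CANONICAL_PATH HOME_DIR
# Trusts only files below HOME/.jarvy/ca/. The trailing slash in the
# pattern is what keeps sibling directories such as ca-attacker/ out.
is_trusted_ca_path() {
  case "$1" in
    */../* | */..) return 1 ;;        # not canonical, refuse outright
    "$2/.jarvy/ca/"?*) return 0 ;;
  esac
  return 1
}

# find_companion ARTIFACT EXT  (asset names on stdin, one per line)
# Prints ARTIFACT.EXT only if an asset has exactly that name; fails otherwise.
find_companion() {
  grep -Fx -- "$1.$2"
}

# loose_companion ARTIFACT EXT  (hypothetical, for contrast only)
# Picks the first asset that merely contains both the artifact name and .EXT.
loose_companion() {
  grep -F -- "$1" | grep -F -- ".$2" | head -n 1
}

# Constructed listing: artifact with both exact siblings.
assets_complete() {
  cat <<'EOF'
jarvy-linux-x86_64.tar.gz
jarvy-linux-x86_64.tar.gz.sig
jarvy-linux-x86_64.tar.gz.pem
EOF
}

# Constructed listing: no exact .sig sibling, but two names that contain
# the artifact name and ".sig" as substrings.
assets_partial() {
  cat <<'EOF'
jarvy-linux-x86_64.tar.gz
jarvy-linux-x86_64.tar.gz.pem
legacy-jarvy-linux-x86_64.tar.gz.sig
jarvy-linux-x86_64.tar.gz.sigstore.json
EOF
}

ART=jarvy-linux-x86_64.tar.gz
printf 'exact, complete : %s\n' "$(assets_complete | find_companion "$ART" sig || true)"
printf 'exact, partial  : %s\n' "$(assets_partial | find_companion "$ART" sig || true)"
printf 'loose, partial  : %s\n' "$(assets_partial | loose_companion "$ART" sig)"
```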

Fixed

  • validate_get rejected URLs with empty hosts under file://
    scheme but didn't match the documented "scheme not allowed"
    error string. Test relaxed to accept any error variant; behavior
    unchanged.
  • paths::remote_config_cache_dir now reads JARVY_HOME
    consistently with the rest of paths.rs (was hand-rolling the
    override before).
  • update_rc_content argument order documented; previously the
    test suite caller had (content, &vars, &ctx, ShellType) instead
    of the actual (content, ShellType, &vars, &ctx).
  • OTLP env-only opt-in now actually exports. Four compounding
    bugs caused JARVY_TELEMETRY=1 + JARVY_OTLP_ENDPOINT=… to
    silently produce zero records, and even file-flag opt-in lost
    every metric point on short-lived commands:
    (1) init_logging gated on the file flag, missing the env
    override — the OTEL log layer was excluded from the
    subscriber whenever telemetry was opt-in via env only;
    (2) opentelemetry-otlp 0.31's with_endpoint() is the FULL URL
    not a base — a bare http://localhost:4318 produced POST /
    and the collector 404'd every batch. New
    analytics::resolve_otlp_endpoint(base, signal) appends
    /v1/{logs|metrics|traces} idempotently;
    (3) otlp_logs_endpoint() ignored the file config's
    [telemetry] endpoint — setting it via
    jarvy telemetry set-endpoint silently failed to reroute
    logs. The logger builder now reads the merged
    TelemetryConfig;
    (4) telemetry::shutdown() was defined but never called from
    main, so the SdkMeterProvider's 60s PeriodicReader had
    no chance to flush on jarvy setup-length runs.
    Now called alongside analytics::shutdown_logging() in
    the exit path.
  • host.name emitted as resource attribute, not per-event field.
    Grafana Cloud was receiving plaintext
    hostname=<machine>.local from the setup.inventory event,
    defeating the chart-side anonymize pipeline (which only operated
    on resource-context attrs). Build a shared
    opentelemetry_sdk::Resource once at telemetry init with
    service.name, service.version, host.name, os.type,
    os.description; attach to both SdkLoggerProvider and
    SdkMeterProvider. Previously service.name defaulted to
    unknown_service, which broke stack-level filtering and made
    "where did this record come from" guesswork. Local file logger
    and s...

Helm chart 0.5.3

21 May 10:56
helm-v0.5.3
bffd299

Helm chart for the Jarvy telemetry forwarder.

Install

helm install jarvy-telemetry \
  oci://ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder \
  --version 0.5.3 \
  --namespace jarvy-telemetry --create-namespace

Verify signature

The --certificate-identity flag is exact, not a
substring match. A fork named bearbinary/jarvy-anything
cannot satisfy this identity even with a valid Sigstore
certificate.

cosign verify \
  --certificate-identity "https://github.com/bearbinary/Jarvy/.github/workflows/helm-release.yml@refs/tags/helm-v0.5.3" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder:0.5.3

Artifacts

  • OCI: ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder:0.5.3
  • Digest: sha256:b3b0635f4c4e0ed5c0e0b1c62895de9b9ceeb8e37f1368645a6a8f11c714afac
  • Chart SHA256: 073b30963c9f8c676d6b92f0c3e4bc2524ad06a21a486431e03e238858fbcb1d
  • Signature Rekor UUID: 1583588242 (https://search.sigstore.dev/?logIndex=1583588242)
  • SBOM attestation Rekor UUID: 1583589126 (https://search.sigstore.dev/?logIndex=1583589126)
  • SBOMs: sbom.spdx.json, sbom.cdx.json attached

Operational documentation:
https://jarvy.dev/operations/telemetry-forwarder/

Full Changelog: helm-v0.4.0...helm-v0.5.3

Helm chart 0.4.0

14 May 11:00
helm-v0.4.0
507ab36

Helm chart for the Jarvy telemetry forwarder.

Install

helm install jarvy-telemetry \
  oci://ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder \
  --version 0.4.0 \
  --namespace jarvy-telemetry --create-namespace

Verify signature

The --certificate-identity flag is exact, not a
substring match. A fork named bearbinary/jarvy-anything
cannot satisfy this identity even with a valid Sigstore
certificate.

cosign verify \
  --certificate-identity "https://github.com/bearbinary/Jarvy/.github/workflows/helm-release.yml@refs/tags/helm-v0.4.0" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder:0.4.0

Artifacts

  • OCI: ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder:0.4.0
  • Digest: sha256:8971e1e6e070c6424e39700319e0d5d717c664282de2ccb62cf1f91755dc5859
  • Chart SHA256: 8c068152a683ed5db54cc9067090ada8b028569860d29fad6cf527177b0c05a1
  • Signature Rekor UUID: 1534842539 (https://search.sigstore.dev/?logIndex=1534842539)
  • SBOM attestation Rekor UUID: 1534843855 (https://search.sigstore.dev/?logIndex=1534843855)
  • SBOMs: sbom.spdx.json, sbom.cdx.json attached

Operational documentation:
https://jarvy.dev/operations/telemetry-forwarder/

Full Changelog: helm-v0.3.0...helm-v0.4.0

Helm chart 0.3.0

14 May 00:01
helm-v0.3.0
029782a

Helm chart for the Jarvy telemetry forwarder.

Install

helm install jarvy-telemetry \
  oci://ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder \
  --version 0.3.0 \
  --namespace jarvy-telemetry --create-namespace

Verify signature

The --certificate-identity flag is exact, not a
substring match. A fork named bearbinary/jarvy-anything
cannot satisfy this identity even with a valid Sigstore
certificate.

cosign verify \
  --certificate-identity "https://github.com/bearbinary/Jarvy/.github/workflows/helm-release.yml@refs/tags/helm-v0.3.0" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder:0.3.0

Artifacts

  • OCI: ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder:0.3.0
  • Digest: sha256:9346a99b72e77c8eb2047624c6ef5c93048bf6bc584bf27ff7a2950f39baf076
  • Chart SHA256: b576b947a45e61dea3ad3f2e1480b013b1f5782cd0e2f9792ae90ade94f63548
  • Signature Rekor UUID: 1524537986 (https://search.sigstore.dev/?logIndex=1524537986)
  • SBOM attestation Rekor UUID: 1524540654 (https://search.sigstore.dev/?logIndex=1524540654)
  • SBOMs: sbom.spdx.json, sbom.cdx.json attached

Operational documentation:
https://jarvy.dev/operations/telemetry-forwarder/

Full Changelog: helm-v0.1.0...helm-v0.3.0

Helm chart 0.1.0

12 May 19:39
helm-v0.1.0
626560d

Helm chart for the Jarvy telemetry forwarder.

Install

helm install jarvy-telemetry \
  oci://ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder \
  --version 0.1.0 \
  --namespace jarvy-telemetry --create-namespace

Verify

cosign verify \
  --certificate-identity-regexp "https://github.com/bearbinary/Jarvy/" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder:0.1.0

Artifacts

  • OCI: ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder:0.1.0
  • Digest: sha256:fc974eee95af151686e94319da5495e807130363a8f4798fedd421b0685fe0ea
  • Chart SHA256: a577851120cd23588250b1affc1e0d9e8a4fd25bbe5d8c07042771e4a44d31d4
  • SBOMs: sbom.spdx.json, sbom.cdx.json attached

Operational documentation:
https://jarvy.dev/operations/telemetry-forwarder/

Full Changelog: v0.1.0-rc.10...helm-v0.1.0

v0.1.0-rc.10

12 May 13:27
v0.1.0-rc.10
bcdff1d

Pre-release
  • chore(security): allowlist synthetic JWT test fixture in sanitizer.rs (bcdff1d)
  • chore(release): v0.1.0 prep — Cargo bumps + CHANGELOG + UPGRADING (631d491)
  • fix(clippy): unnecessary_get_then_check + field_reassign_with_default (7143e8a)
  • feat(templates): 14 jarvy.toml templates + LLM index docs (fbeb4b9)
  • feat(onboarding): clean-laptop bootstrap — Makefile + scripts/bootstrap.sh (a552ef8)
  • refactor,security,test(v0.1.0): R2 P2 batch — pin installers, secrets containment, HookOutcome collapse (d354193)
  • refactor,perf,obs(v0.1.0): R2 P1 batch — observability, perf, consolidations (ec390ef)
  • feat(security,obs): close round-2 P0s (CA bundle, env-vars, sigstore, flush) (265d4a8)
  • docs: cookbook + JSON schema + auto-gen CLI/registry + CI + analytics (6000612)
  • test(paths,ticket): serialize JARVY_HOME env mutation across tests (a4b7045)
  • refactor,test(v0.1.0): paths migration + exec seam + setup_cmd phases (6a45989)
  • refactor,test(v0.1.0): ShellInit macro + run_with_policy + config tests (0671baa)
  • docs(migration): YC-quality docs overhaul + AI migration prompts + eval harness (642b343)
  • feat(security,perf): sigstore companions + paths.rs + has() cache (33b4c16)
  • feat(observability): wire file logging + run_id correlation + startup banner (4e40fbd)
  • feat(security): route team/* through hardened remote pipeline + perms (b34c681)
  • refactor(v0.1.0): consolidate drifted helpers (CI detect, has, extract_version) (a00288a)
  • perf,test(v0.1.0): shared ureq agent + BufWriters + meaningful registry tests (7d56c9a)
  • feat(security,observability): sanitizer rewrite + perms + endpoint guard (7edb998)
  • feat(security): refuse hostile jarvy.toml config patterns (P0 family) (acd5f0d)
  • test(v0.1.0): regression tests + drop String::leak in topo sort (a481981)
  • chore(chocolatey): add iconUrl and packageSourceUrl to nuspec (9dc7d10)

Full Changelog: v0.0.5...v0.1.0-rc.10

Security

Verify Signatures

All release artifacts are signed with Sigstore keyless OIDC. Verify any artifact:

ARTIFACT=jarvy-linux-x86_64.tar.gz
BASE=https://github.com/bearbinary/jarvy/releases/download/v0.1.0-rc.10
curl -LO $BASE/$ARTIFACT
curl -LO $BASE/$ARTIFACT.sig
curl -LO $BASE/$ARTIFACT.pem
cosign verify-blob \
  --signature $ARTIFACT.sig \
  --certificate $ARTIFACT.pem \
  --certificate-identity-regexp 'https://github.com/bearbinary/Jarvy/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  $ARTIFACT

Tag Signature

This release was cut from a signed git tag. Verify with:

git -c gpg.ssh.allowedSignersFile=.github/allowed_signers tag --verify v0.1.0-rc.10

SBOM

Software Bill of Materials in SPDX 2.3 (sbom.spdx.json) and CycloneDX 1.4 (sbom.cdx.json).

Checksums

SHA256 checksums for all artifacts are in SHA256SUMS.txt.

v0.1.0-rc.9

05 May 15:21
v0.1.0-rc.9
e74a965

Pre-release
  • ci(e2e): drop macos-13 + fix Windows path-escape in jarvy bin output (e74a965)
  • fix(quickstart): bail before inquire prompts when no TTY (Windows hang) (40f0016)

Full Changelog: v0.1.0-rc.8...v0.1.0-rc.9

Security

Verify Signatures

All release artifacts are signed with Sigstore keyless OIDC. Verify any artifact:

ARTIFACT=jarvy-linux-x86_64.tar.gz
BASE=https://github.com/bearbinary/jarvy/releases/download/v0.1.0-rc.9
curl -LO $BASE/$ARTIFACT
curl -LO $BASE/$ARTIFACT.sig
curl -LO $BASE/$ARTIFACT.pem
cosign verify-blob \
  --signature $ARTIFACT.sig \
  --certificate $ARTIFACT.pem \
  --certificate-identity-regexp 'https://github.com/bearbinary/jarvy' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  $ARTIFACT

Tag Signature

This release was cut from a signed git tag. Verify with:

git -c gpg.ssh.allowedSignersFile=.github/allowed_signers tag --verify v0.1.0-rc.9

SBOM

Software Bill of Materials in SPDX 2.3 (sbom.spdx.json) and CycloneDX 1.4 (sbom.cdx.json).

Checksums

SHA256 checksums for all artifacts are in SHA256SUMS.txt.

v0.0.5

06 May 01:04
v0.0.5
daf252d

Folds in everything queued for v0.0.4 (which was tagged but never
publicly published) plus a Chocolatey install-script fix.

Fixed

  • Chocolatey package v0.0.3 failed moderation with 404 Not Found
    for the install URL. Two bugs in
    dist/windows/chocolatey/tools/chocolateyinstall.ps1:

    • URL pattern referenced
      jarvy-vVERSION_PLACEHOLDER-x86_64-pc-windows-msvc.zip — but
      cargo-packager produces .msi and .exe, no .zip for Windows.
    • VERSION_PLACEHOLDER and SHA256_PLACEHOLDER were never substituted
      because the publish workflow only ran sed against jarvy.nuspec,
      not the install script.

    Rewrote the install script to use Install-ChocolateyPackage with
    -FileType msi and silent install args, pointing at the actual
    jarvy_<v>_x64_en-US.msi asset. Updated
    publish-packages.yml::update-chocolatey to substitute both files
    AND pull the real msi SHA256 from SHA256SUMS.txt so the integrity
    check passes.

  • cargo fmt --check drift in src/team/inheritance.rs:760-768
    (single-quoted TOML literals from v0.0.3 needed compaction).

  • OpenSSF Scorecard failed on v0.0.3 tag with "Only the default branch
    main is supported." ossf/scorecard-action explicitly refuses
    tag-push triggers. Restored push: branches: [main] for scorecard
    only — every other validating workflow stays tag-triggered.

  • Homebrew tap publish now gracefully skips when
    HOMEBREW_TAP_DEPLOY_KEY is not configured. Previously the missing
    secret failed the whole publish-packages.yml workflow, masking
    the success of crates.io, AUR, winget, and Chocolatey jobs.

Validated downstream (v0.0.3)

After the v0.0.3 fixes, the following propagation channels worked:

  • ✅ crates.io: jarvy@0.0.3 + cargo-jarvy@0.0.3 published
  • ✅ AUR (jarvy-bin)
  • ✅ Submit to winget (publish-packages.yml job; separate winget.yml
    still needs manual first submission)
  • ✅ GitHub Pages docs site (after maintainer enabled Pages)
  • ❌ Chocolatey: failed moderation due to broken install script
    (v0.0.5 fixes)
  • ⚠️ Homebrew tap: pending secret config (now non-blocking)

Note

v0.0.4 was tagged but the draft was never publicly published —
v0.0.4's fixes ship together with the Chocolatey fix as v0.0.5 to
reduce propagation churn (one round of crates.io / AUR / etc.
updates instead of two back-to-back).

Full Changelog: v0.0.4...v0.0.5

Security

Verify Signatures

All release artifacts are signed with Sigstore keyless OIDC. Verify any artifact:

ARTIFACT=jarvy-linux-x86_64.tar.gz
BASE=https://github.com/bearbinary/jarvy/releases/download/v0.0.5
curl -LO $BASE/$ARTIFACT
curl -LO $BASE/$ARTIFACT.sig
curl -LO $BASE/$ARTIFACT.pem
cosign verify-blob \
  --signature $ARTIFACT.sig \
  --certificate $ARTIFACT.pem \
  --certificate-identity-regexp 'https://github.com/bearbinary/Jarvy/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  $ARTIFACT

Tag Signature

This release was cut from a signed git tag. Verify with:

git -c gpg.ssh.allowedSignersFile=.github/allowed_signers tag --verify v0.0.5

SBOM

Software Bill of Materials in SPDX 2.3 (sbom.spdx.json) and CycloneDX 1.4 (sbom.cdx.json).

Checksums

SHA256 checksums for all artifacts are in SHA256SUMS.txt.

v0.0.3

05 May 19:20
v0.0.3
b3bf69e

Patch release. v0.0.2 went live on the GitHub release page but the
crates.io and Homebrew workflows that fire on release: published
both failed, leaving cargo install jarvy and
brew install bearbinary/tap/jarvy unavailable.

Fixed

  • Cargo.toml declared readme = "README.md" (uppercase) but the
    tracked file is Readme.md (mixed case). On macOS the difference
    is invisible (case-insensitive filesystem); on the Linux CI runner
    it failed cargo publish with 'readme "README.md" does not appear to
    exist'. Both Publish Crate and Publish to Package Managers
    workflows hit the same error. Same fix in the include = [...]
    manifest list. Now matches what's actually in the git tree.
  • .github/workflows/winget.yml was scaffolded from a different
    project's template and never customized — identifier: Benji377.Tooka
    and fork-user: Benji377 referenced a totally unrelated package.
    Rewrote with placeholder TODO values for Jarvy.Jarvy /
    bearbinary and changed the trigger from release: published to
    workflow_dispatch only. winget-releaser cannot create a brand-new
    package registration; the first submission must go through
    wingetcreate new and a hand-reviewed PR to microsoft/winget-pkgs.
    After that's merged the trigger can be flipped back.

Removed

  • Duplicate .github/workflows/crates.yml deleted. Both that and
    publish-packages.yml::publish-crates-io were firing on
    release: published and trying to cargo publish. Even if both
    had the right secret, the second one would race-fail with "crate
    version already exists". Kept the version inside publish-packages.yml
    because it composes with the Homebrew tap update via needs:.
  • docs/release-testing.md and docs/release-quirks-jarvy.md
    references to crates.yml updated to point at the surviving
    workflow path.

Known issues (not fixed in this release)

  • GitHub Pages is not enabled for bearbinary/Jarvy repo — the
    Deploy Docs workflow fails with "HttpError: Not Found ... Ensure
    GitHub Pages has been enabled". Fix is in repo Settings → Pages,
    not in code. Until enabled, the docs site at jarvy.dev (or
    whichever Pages URL ends up provisioned) won't update on release.
  • winget first submission still requires manual wingetcreate new
    intervention (see Fixed above for the workflow disable).

Full Changelog: v0.0.2...v0.0.3

Security

Verify Signatures

All release artifacts are signed with Sigstore keyless OIDC. Verify any artifact:

ARTIFACT=jarvy-linux-x86_64.tar.gz
BASE=https://github.com/bearbinary/jarvy/releases/download/v0.0.3
curl -LO $BASE/$ARTIFACT
curl -LO $BASE/$ARTIFACT.sig
curl -LO $BASE/$ARTIFACT.pem
cosign verify-blob \
  --signature $ARTIFACT.sig \
  --certificate $ARTIFACT.pem \
  --certificate-identity-regexp 'https://github.com/bearbinary/Jarvy/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  $ARTIFACT

Tag Signature

This release was cut from a signed git tag. Verify with:

git -c gpg.ssh.allowedSignersFile=.github/allowed_signers tag --verify v0.0.3

SBOM

Software Bill of Materials in SPDX 2.3 (sbom.spdx.json) and CycloneDX 1.4 (sbom.cdx.json).

Checksums

SHA256 checksums for all artifacts are in SHA256SUMS.txt.