v0.4.10

Build Artifacts

Binaries

• 5 binaries:
  • jvs-linux-amd64 - Linux x86_64
  • jvs-linux-arm64 - Linux ARM64
  • jvs-darwin-amd64 - macOS x86_64
  • jvs-darwin-arm64 - macOS ARM64 (Apple Silicon)
  • jvs-windows-amd64.exe - Windows x86_64
• matching .bundle files for each binary
• SHA256SUMS - SHA-256 hashes for the published binaries
• SHA256SUMS.bundle - cosign v3 bundle for SHA256SUMS

Verification

All binaries and SHA256SUMS are signed using Sigstore/cosign v3 bundle files. Download each artifact with its matching .bundle; see docs/SIGNING.md for the full guide.

cosign verify-blob jvs-linux-amd64 \
  --bundle jvs-linux-amd64.bundle \
  --certificate-identity=https://github.com/agentsmith-project/jvs/.github/workflows/ci.yml@refs/tags/v0.4.10 \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

cosign verify-blob SHA256SUMS \
  --bundle SHA256SUMS.bundle \
  --certificate-identity=https://github.com/agentsmith-project/jvs/.github/workflows/ci.yml@refs/tags/v0.4.10 \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

After verifying SHA256SUMS, run sha256sum -c --ignore-missing SHA256SUMS.

• For tag-push releases, the signing certificate identity is the tag ref, for example refs/tags/v0.4.10.
• For manual workflow_dispatch releases, artifacts are checked out from refs/tags/v0.4.10 and published as v0.4.10, but the signing certificate identity remains the workflow ref (refs/tags/v0.4.10) that launched the run.

Canonical final evidence

• source archive: the GitHub source archive is a tag snapshot for v0.4.10; it records source readiness at tag time.
• publication final evidence: this GitHub Release page and the post-release main ledger on main record workflow run, release state, assets, checksums, signing identity, smoke, and coverage.
• Release URL: https://github.com/agentsmith-project/jvs/releases/tag/v0.4.10
• Tag: v0.4.10
• Workflow run: https://github.com/agentsmith-project/jvs/actions/runs/26012602687
• Commit: 6a0f762
• Asset count: 12
• Release state: draft=false, prerelease=false
• Signing identity: https://github.com/agentsmith-project/jvs/.github/workflows/ci.yml@refs/tags/v0.4.10
• Tag movement: tag was not moved; post-publication facts live in the GitHub Release page and post-release main ledger.

Breaking changes

• None for the stable v0 public CLI contract.

Known limitations

• v0 does not include remote push/pull, in-JVS signing commands, public partial-save contracts, compression contracts, merge/rebase, or complex retention policy flags.
• Full verification reads save point payloads and can be I/O intensive on large workspaces.
• Descriptor signing and in-JVS trust policy remain outside the stable v0 repository format.

Risk labels

• integrity: descriptor checksum and payload hash detect independent corruption; coordinated descriptor-plus-checksum rewrite remains a v0 residual risk.
• migration: runtime operation state must be rebuilt at the destination with jvs doctor --strict --repair-runtime; exclude active .jvs/locks/, .jvs/intents/, and .jvs/gc/*.json during physical backup or storage sync.

Migration notes

• Existing repositories do not need an on-disk migration for this release.
• After upgrading, run jvs doctor --strict on a representative repo.
• After physical backup or storage migration, exclude active .jvs/locks/, .jvs/intents/, and .jvs/gc/*.json, then run jvs doctor --strict --repair-runtime at the destination before verification.

v0.4.9

Build Artifacts

Binaries

• 5 binaries:
  • jvs-linux-amd64 - Linux x86_64
  • jvs-linux-arm64 - Linux ARM64
  • jvs-darwin-amd64 - macOS x86_64
  • jvs-darwin-arm64 - macOS ARM64 (Apple Silicon)
  • jvs-windows-amd64.exe - Windows x86_64
• matching .bundle files for each binary
• SHA256SUMS - SHA-256 hashes for the published binaries
• SHA256SUMS.bundle - cosign v3 bundle for SHA256SUMS

Verification

All binaries and SHA256SUMS are signed using Sigstore/cosign v3 bundle files. Download each artifact with its matching .bundle; see docs/SIGNING.md for the full guide.

cosign verify-blob jvs-linux-amd64 \
  --bundle jvs-linux-amd64.bundle \
  --certificate-identity=https://github.com/agentsmith-project/jvs/.github/workflows/ci.yml@refs/tags/v0.4.9 \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

cosign verify-blob SHA256SUMS \
  --bundle SHA256SUMS.bundle \
  --certificate-identity=https://github.com/agentsmith-project/jvs/.github/workflows/ci.yml@refs/tags/v0.4.9 \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

After verifying SHA256SUMS, run sha256sum -c --ignore-missing SHA256SUMS.

• For tag-push releases, the signing certificate identity is the tag ref, for example refs/tags/v0.4.9.
• For manual workflow_dispatch releases, artifacts are checked out from refs/tags/v0.4.9 and published as v0.4.9, but the signing certificate identity remains the workflow ref (refs/tags/v0.4.9) that launched the run.

Canonical final evidence

• source archive: the GitHub source archive is a tag snapshot for v0.4.9; it records source readiness at tag time.
• publication final evidence: this GitHub Release page and the post-release main ledger on main record workflow run, release state, assets, checksums, signing identity, smoke, and coverage.
• Release URL: https://github.com/agentsmith-project/jvs/releases/tag/v0.4.9
• Tag: v0.4.9
• Workflow run: https://github.com/agentsmith-project/jvs/actions/runs/25706028835
• Commit: ae4e097
• Asset count: 12
• Release state: draft=false, prerelease=false
• Signing identity: https://github.com/agentsmith-project/jvs/.github/workflows/ci.yml@refs/tags/v0.4.9
• Tag movement: tag was not moved; post-publication facts live in the GitHub Release page and post-release main ledger.

Breaking changes

• None for the stable v0 public CLI contract.

Known limitations

• v0 does not include remote push/pull, in-JVS signing commands, public partial-save contracts, compression contracts, merge/rebase, or complex retention policy flags.
• Full verification reads save point payloads and can be I/O intensive on large workspaces.
• Descriptor signing and in-JVS trust policy remain outside the stable v0 repository format.

Risk labels

• integrity: descriptor checksum and payload hash detect independent corruption; coordinated descriptor-plus-checksum rewrite remains a v0 residual risk.
• migration: runtime operation state must be rebuilt at the destination with jvs doctor --strict --repair-runtime; exclude active .jvs/locks/, .jvs/intents/, and .jvs/gc/*.json during physical backup or storage sync.

Migration notes

• Existing repositories do not need an on-disk migration for this release.
• After upgrading, run jvs doctor --strict on a representative repo.
• After physical backup or storage migration, exclude active .jvs/locks/, .jvs/intents/, and .jvs/gc/*.json, then run jvs doctor --strict --repair-runtime at the destination before verification.

v0.4.8

Build Artifacts

Binaries

• 5 binaries:
  • jvs-linux-amd64 - Linux x86_64
  • jvs-linux-arm64 - Linux ARM64
  • jvs-darwin-amd64 - macOS x86_64
  • jvs-darwin-arm64 - macOS ARM64 (Apple Silicon)
  • jvs-windows-amd64.exe - Windows x86_64
• matching .bundle files for each binary
• SHA256SUMS - SHA-256 hashes for the published binaries
• SHA256SUMS.bundle - cosign v3 bundle for SHA256SUMS

Verification

All binaries and SHA256SUMS are signed using Sigstore/cosign v3 bundle files. Download each artifact with its matching .bundle; see docs/SIGNING.md for the full guide.

cosign verify-blob jvs-linux-amd64 \
  --bundle jvs-linux-amd64.bundle \
  --certificate-identity=https://github.com/agentsmith-project/jvs/.github/workflows/ci.yml@refs/tags/v0.4.8 \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

cosign verify-blob SHA256SUMS \
  --bundle SHA256SUMS.bundle \
  --certificate-identity=https://github.com/agentsmith-project/jvs/.github/workflows/ci.yml@refs/tags/v0.4.8 \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

After verifying SHA256SUMS, run sha256sum -c --ignore-missing SHA256SUMS.

• For tag-push releases, the signing certificate identity is the tag ref, for example refs/tags/v0.4.8.
• For manual workflow_dispatch releases, artifacts are checked out from refs/tags/v0.4.8 and published as v0.4.8, but the signing certificate identity remains the workflow ref (refs/tags/v0.4.8) that launched the run.

Canonical final evidence

• source archive: the GitHub source archive is a tag snapshot for v0.4.8; it records source readiness at tag time.
• publication final evidence: this GitHub Release page and the post-release main ledger on main record workflow run, release state, assets, checksums, signing identity, smoke, and coverage.
• Release URL: https://github.com/agentsmith-project/jvs/releases/tag/v0.4.8
• Tag: v0.4.8
• Workflow run: https://github.com/agentsmith-project/jvs/actions/runs/25369519260
• Commit: 589c4d7
• Asset count: 12
• Release state: draft=false, prerelease=false
• Signing identity: https://github.com/agentsmith-project/jvs/.github/workflows/ci.yml@refs/tags/v0.4.8
• Tag movement: tag was not moved; post-publication facts live in the GitHub Release page and post-release main ledger.

Breaking changes

• None for the stable v0 public CLI contract.

Known limitations

• v0 does not include remote push/pull, in-JVS signing commands, public partial-save contracts, compression contracts, merge/rebase, or complex retention policy flags.
• Full verification reads save point payloads and can be I/O intensive on large workspaces.
• Descriptor signing and in-JVS trust policy remain outside the stable v0 repository format.

Risk labels

• integrity: descriptor checksum and payload hash detect independent corruption; coordinated descriptor-plus-checksum rewrite remains a v0 residual risk.
• migration: runtime operation state must be rebuilt at the destination with jvs doctor --strict --repair-runtime; exclude active .jvs/locks/, .jvs/intents/, and .jvs/gc/*.json during physical backup or storage sync.

Migration notes

• Existing repositories do not need an on-disk migration for this release.
• After upgrading, run jvs doctor --strict on a representative repo.
• After physical backup or storage migration, exclude active .jvs/locks/, .jvs/intents/, and .jvs/gc/*.json, then run jvs doctor --strict --repair-runtime at the destination before verification.

v0.4.7

Build Artifacts

Binaries

• 5 binaries:
  • jvs-linux-amd64 - Linux x86_64
  • jvs-linux-arm64 - Linux ARM64
  • jvs-darwin-amd64 - macOS x86_64
  • jvs-darwin-arm64 - macOS ARM64 (Apple Silicon)
  • jvs-windows-amd64.exe - Windows x86_64
• matching .bundle files for each binary
• SHA256SUMS - SHA-256 hashes for the published binaries
• SHA256SUMS.bundle - cosign v3 bundle for SHA256SUMS

Verification

All binaries and SHA256SUMS are signed using Sigstore/cosign v3 bundle files. Download each artifact with its matching .bundle; see docs/SIGNING.md for the full guide.

cosign verify-blob jvs-linux-amd64 \
  --bundle jvs-linux-amd64.bundle \
  --certificate-identity=https://github.com/agentsmith-project/jvs/.github/workflows/ci.yml@refs/tags/v0.4.7 \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

cosign verify-blob SHA256SUMS \
  --bundle SHA256SUMS.bundle \
  --certificate-identity=https://github.com/agentsmith-project/jvs/.github/workflows/ci.yml@refs/tags/v0.4.7 \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

After verifying SHA256SUMS, run sha256sum -c --ignore-missing SHA256SUMS.

• For tag-push releases, the signing certificate identity is the tag ref, for example refs/tags/v0.4.7.
• For manual workflow_dispatch releases, artifacts are checked out from refs/tags/v0.4.7 and published as v0.4.7, but the signing certificate identity remains the workflow ref (refs/tags/v0.4.7) that launched the run.

Canonical final evidence

• source archive: the GitHub source archive is a tag snapshot for v0.4.7; it records source readiness at tag time.
• publication final evidence: this GitHub Release page and the post-release main ledger on main record workflow run, release state, assets, checksums, signing identity, smoke, and coverage.
• Release URL: https://github.com/agentsmith-project/jvs/releases/tag/v0.4.7
• Tag: v0.4.7
• Workflow run: https://github.com/agentsmith-project/jvs/actions/runs/25355112705
• Commit: e098b6a
• Asset count: 12
• Release state: draft=false, prerelease=false
• Signing identity: https://github.com/agentsmith-project/jvs/.github/workflows/ci.yml@refs/tags/v0.4.7
• Tag movement: tag was not moved; post-publication facts live in the GitHub Release page and post-release main ledger.

Breaking changes

• None for the stable v0 public CLI contract.

Known limitations

• v0 does not include remote push/pull, in-JVS signing commands, public partial-save contracts, compression contracts, merge/rebase, or complex retention policy flags.
• Full verification reads save point payloads and can be I/O intensive on large workspaces.
• Descriptor signing and in-JVS trust policy remain outside the stable v0 repository format.

Risk labels

• integrity: descriptor checksum and payload hash detect independent corruption; coordinated descriptor-plus-checksum rewrite remains a v0 residual risk.
• migration: runtime operation state must be rebuilt at the destination with jvs doctor --strict --repair-runtime; exclude active .jvs/locks/, .jvs/intents/, and .jvs/gc/*.json during physical backup or storage sync.

Migration notes

• Existing repositories do not need an on-disk migration for this release.
• After upgrading, run jvs doctor --strict on a representative repo.
• After physical backup or storage migration, exclude active .jvs/locks/, .jvs/intents/, and .jvs/gc/*.json, then run jvs doctor --strict --repair-runtime at the destination before verification.

v0.4.2

Build Artifacts

Binaries

• 5 binaries:
  • jvs-linux-amd64 - Linux x86_64
  • jvs-linux-arm64 - Linux ARM64
  • jvs-darwin-amd64 - macOS x86_64
  • jvs-darwin-arm64 - macOS ARM64 (Apple Silicon)
  • jvs-windows-amd64.exe - Windows x86_64
• matching .bundle files for each binary
• SHA256SUMS - SHA-256 hashes for the published binaries
• SHA256SUMS.bundle - cosign v3 bundle for SHA256SUMS

Verification

All binaries and SHA256SUMS are signed using Sigstore/cosign v3 bundle files. Download each artifact with its matching .bundle; see docs/SIGNING.md for the full guide.

cosign verify-blob jvs-linux-amd64 \
  --bundle jvs-linux-amd64.bundle \
  --certificate-identity=https://github.com/agentsmith-project/jvs/.github/workflows/ci.yml@refs/tags/v0.4.2 \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

cosign verify-blob SHA256SUMS \
  --bundle SHA256SUMS.bundle \
  --certificate-identity=https://github.com/agentsmith-project/jvs/.github/workflows/ci.yml@refs/tags/v0.4.2 \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

After verifying SHA256SUMS, run sha256sum -c --ignore-missing SHA256SUMS.

• For tag-push releases, the signing certificate identity is the tag ref, for example refs/tags/v0.4.2.
• For manual workflow_dispatch releases, artifacts are checked out from refs/tags/v0.4.2 and published as v0.4.2, but the signing certificate identity remains the workflow ref (refs/tags/v0.4.2) that launched the run.

Breaking changes

• None for the stable v0 public CLI contract.

Known limitations

• v0 does not include remote push/pull, in-JVS signing commands, public partial-save contracts, compression contracts, merge/rebase, or complex retention policy flags.
• Full verification reads save point payloads and can be I/O intensive on large workspaces.
• Descriptor signing and in-JVS trust policy remain outside the stable v0 repository format.

Risk labels

• integrity: descriptor checksum and payload hash detect independent corruption; coordinated descriptor-plus-checksum rewrite remains a v0 residual risk.
• migration: runtime operation state must be rebuilt at the destination with jvs doctor --strict --repair-runtime; exclude active .jvs/locks/, .jvs/intents/, and .jvs/gc/*.json during physical backup or storage sync.

Migration notes

• Existing repositories do not need an on-disk migration for this release.
• After upgrading, run jvs doctor --strict on a representative repo.
• After physical backup or storage migration, exclude active .jvs/locks/, .jvs/intents/, and .jvs/gc/*.json, then run jvs doctor --strict --repair-runtime at the destination before verification.

v0.4.1

Build Artifacts

Binaries

• jvs-linux-amd64 - Linux x86_64
• jvs-linux-arm64 - Linux ARM64
• jvs-darwin-amd64 - macOS x86_64
• jvs-darwin-arm64 - macOS ARM64 (Apple Silicon)
• jvs-windows-amd64.exe - Windows x86_64
• SHA256SUMS - SHA-256 hashes for the published binaries

Verification

All binaries are signed using Sigstore/cosign. Download the binary with its matching .sig and .pem sidecars; see docs/SIGNING.md for the full guide.

cosign verify-blob jvs-linux-amd64 \
  --signature jvs-linux-amd64.sig \
  --certificate jvs-linux-amd64.pem \
  --certificate-identity=https://github.com/agentsmith-project/jvs/.github/workflows/ci.yml@refs/tags/v0.4.1 \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify the checksum file with SHA256SUMS.sig and SHA256SUMS.pem, then run sha256sum -c --ignore-missing SHA256SUMS.

• For tag-push releases, the signing certificate identity is the tag ref, for example refs/tags/v0.4.1.
• For manual workflow_dispatch releases, artifacts are checked out from refs/tags/v0.4.1 and published as v0.4.1, but the signing certificate identity remains the workflow ref (refs/tags/v0.4.1) that launched the run.

Breaking changes

• None for the stable v0 public CLI contract.

Known limitations

• v0 does not include remote push/pull, in-JVS signing commands, partial checkpoint contracts, compression contracts, merge/rebase, or complex retention policy flags.
• Full verification reads checkpoint payloads and can be I/O intensive on large workspaces.
• Descriptor signing and in-JVS trust policy remain outside the stable v0 repository format.

Risk labels

• integrity: descriptor checksum and payload hash detect independent corruption; coordinated descriptor-plus-checksum rewrite remains a v0 residual risk.
• migration: runtime operation state must be rebuilt at the destination with jvs doctor --strict --repair-runtime; exclude active .jvs/locks/, .jvs/intents/, and .jvs/gc/*.json during physical backup or storage sync.

Migration notes

• Existing repositories do not need an on-disk migration for this release.
• After upgrading, run jvs doctor --strict and jvs verify --all on a representative repo.
• After physical backup or storage migration, exclude active .jvs/locks/, .jvs/intents/, and .jvs/gc/*.json, then run jvs doctor --strict --repair-runtime at the destination before verification.

v0.4.0

Build Artifacts

Binaries

• jvs-linux-amd64 - Linux x86_64
• jvs-linux-arm64 - Linux ARM64
• jvs-darwin-amd64 - macOS x86_64
• jvs-darwin-arm64 - macOS ARM64 (Apple Silicon)
• jvs-windows-amd64.exe - Windows x86_64
• SHA256SUMS - SHA-256 hashes for the published binaries

Verification

All binaries are signed using Sigstore/cosign. Download the binary with its matching .sig and .pem sidecars; see docs/SIGNING.md for the full guide.

cosign verify-blob jvs-linux-amd64 \
  --signature jvs-linux-amd64.sig \
  --certificate jvs-linux-amd64.pem \
  --certificate-identity=https://github.com/agentsmith-project/jvs/.github/workflows/ci.yml@refs/tags/v0.4.0 \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify the checksum file with SHA256SUMS.sig and SHA256SUMS.pem, then run sha256sum -c --ignore-missing SHA256SUMS.

• For tag-push releases, the signing certificate identity is the tag ref, for example refs/tags/v0.4.0.
• For manual workflow_dispatch releases, artifacts are checked out from refs/tags/v0.4.0 and published as v0.4.0, but the signing certificate identity remains the workflow ref (refs/tags/v0.4.0) that launched the run.

Breaking changes

• None for the stable v0 public CLI contract.

Known limitations

• v0 does not include remote push/pull, in-JVS signing commands, partial checkpoint contracts, compression contracts, merge/rebase, or complex retention policy flags.
• Full verification reads checkpoint payloads and can be I/O intensive on large workspaces.
• Descriptor signing and in-JVS trust policy remain outside the stable v0 repository format.

Risk labels

• integrity: descriptor checksum and payload hash detect independent corruption; coordinated descriptor-plus-checksum rewrite remains a v0 residual risk.
• migration: runtime operation state must be rebuilt at the destination with jvs doctor --strict --repair-runtime; exclude active .jvs/locks/, .jvs/intents/, and .jvs/gc/*.json during physical backup or storage sync.

Migration notes

• Existing repositories do not need an on-disk migration for this release.
• After upgrading, run jvs doctor --strict and jvs verify --all on a representative repo.
• After physical backup or storage migration, exclude active .jvs/locks/, .jvs/intents/, and .jvs/gc/*.json, then run jvs doctor --strict --repair-runtime at the destination before verification.