@intentsolutions/audit-harness 1.2.0 → 1.2.2

package/CHANGELOG.md

@@ -10,6 +10,51 @@ _Nothing yet._
 
 - **OTel event-name polish (iah-E07b/c).** The `agent.rollout.gate.evaluated` and `gate.decision.emitted` event names are already locked + tested on main (PRs #78, #81 per NORMATIVE `intent-eval-lab/000-docs/067-AT-SPEC`). Any further attribute-schema polish on those events is deferred to a routine v2.1 release rather than headlined here — it is additive telemetry refinement, not a 1.2.0 capability boundary.
 
+## [1.2.2] - 2026-06-16
+
+A patch release closing the polyglot publish loop. No CLI surface, runtime behavior,
+or API boundary changes — only the release machinery moved. v1.2.1 published to npm
+but failed PyPI (a twine bug) and crates.io (an account email-verification gate);
+this release publishes all three registries cleanly.
+
+### Fixed — PyPI publish (#92)
+
+- **twine now uploads only built distributions, not the `.sigstore.json` bundles.** The
+  `publish-pypi` leg's `twine upload` call is scoped to `dist/*.whl dist/*.tar.gz`, so
+  the sigstore signature bundles emitted alongside the wheel + sdist are no longer
+  passed to twine (which rejected them and failed the v1.2.1 PyPI publish).
+
+### Fixed — crates.io publish now active
+
+- **crates.io publish goes live.** The account email-verification gate that blocked the
+  v1.2.1 crates.io publish is now resolved, so the `publish-crates` leg publishes on
+  this tag — closing the npm + PyPI + crates polyglot publish loop.
+
+## [1.2.1] - 2026-06-16
+
+A patch release: release-pipeline supply-chain hardening (polyglot signing) plus
+dev-dependency bumps. No CLI surface, runtime behavior, or API boundary changes —
+the published artifacts are byte-identical in behavior to 1.2.0; only the release
+machinery and dev tooling moved.
+
+### Changed — polyglot release signing wired into the publish pipeline (#90)
+
+- **crates.io build-provenance attestation.** The `publish-crates` leg now emits a
+  GitHub build-provenance attestation for the published crate artifact, extending the
+  signed-supply-chain guarantee to the Rust distribution.
+- **sigstore-python wheel + sdist signing.** The `publish-pypi` leg now signs the built
+  wheel and sdist with `sigstore-python` (keyless Fulcio OIDC + Rekor), so the PyPI
+  distribution carries verifiable provenance alongside the existing npm sigstore path.
+- **crates.io publish is now active.** With `CARGO_REGISTRY_TOKEN` provisioned as a
+  repository secret, the `publish-crates` leg goes live on this tag — closing the
+  polyglot publish loop (npm + PyPI + crates.io all publish + sign from one tag).
+
+### Changed — dev-dependency bumps
+
+- Bump `eslint` from 9.39.4 to 10.5.0 (#71).
+- Bump `jeremylongshore/intent-rollout-gate` GitHub Action pin (#86).
+- Bump `crate-ci/typos` from 1.29.4 to 1.47.2 (#87).
+
 ## [1.2.0] - 2026-06-15
 
 A minor release: the read-only "comprehensive audit, on any repo" brain (`classify` → `conform` → `audit` → `scan` → `currency`), the kernel-emitting evidence path (`emit-evidence` Evidence Bundle, E04), the provider credential gate (`cred-gate`, E08), shared vendorable lint configs (#85), and a golden-master fitness function — all additive, with the zero-runtime-dependency guarantee preserved.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@intentsolutions/audit-harness",
-  "version": "1.2.0",
+  "version": "1.2.2",
   "description": "Deterministic test-enforcement harness — escape-scan, hash-pinning, CRAP, architecture checks, bias detection, Gherkin lint. Companion to the audit-tests and implement-tests Claude Code skills.",
   "license": "Apache-2.0",
   "author": "Jeremy Longshore <jeremy@intentsolutions.io>",
@@ -46,7 +46,7 @@
   },
   "devDependencies": {
     "@eslint/js": "^9.39.4",
-    "eslint": "^9.39.4",
+    "eslint": "^10.5.0",
     "lefthook": "^1.13.6"
   },
   "publishConfig": {