The current public verifier release packages the Python runtime, Lean corridor, public specs, evidence schemas, conformance scripts, static docs, local workbench UI, and synthetic ExampleCo corridors into one replayable bundle. It is still synthetic and scoped, but it is no longer only a private monorepo execution path, and the release is now rebuilt and revalidated through one scripted private release path before publication.
opencompliance-verifier-0.9.4The release bundle lives in the public examples repository because it is a stitched, public-safe snapshot of the verifier runtime plus the synthetic corridors it can replay.
opencompliance-verifier/0.9.4All current public corridors now report one stable verifier version rather than a different version string per fixture. The current release line exposes the CLI, a local HTTP/JSON Verify API, a local browser workbench, and a bundle-level release attestation, so the public bundle now carries a pinned runtime contract instead of only filesystem-oriented scripts. The bundled signer and witness surfaces now also fail closed against the published actor-identity registry before signature or replay verification succeeds, system-export claims now have to match a published connector-ingress profile instead of only a generic system-actor label, and the release line now publishes explicit trust-root profiles for synthetic fallback versus environment-supplied publication roots.
The bundle ships the verifier runtime under src/opencompliance/ plus runnable scripts for fixture verification, local HTTP/JSON API serving, Lean batch inspection, release attestation, transparency verification, and signed-artifact verification.
The bundle ships the Lean 4 corridor source under lean4-controls/. On first use it bootstraps the local Lake build state instead of assuming a prebuilt private workspace.
The bundle includes open-specs/, evidence-schema/, conformance/, docs/, and ui/ so the artifact shapes, replay checks, runtime docs, and local workbench travel with the release. The release manifest now points at a machine-readable verifier contract, explicit bundled trust registries for policies, identities, connector ingress, and release trust roots, and a concrete release-attestation.json artifact instead of leaving the runtime surface implicit, and the current release line is rebuilt, self-attested, smoke-checked from a temporary bundle copy, and republished through one scripted private workflow instead of a hand-sequenced local checklist.
The bundle now ships a minimal browser workbench under ui/verify/. It is still local-only, but it gives reviewers one browser entrypoint for loading synthetic ExampleCo bundles, sending fixture-path or inline-bundle requests, and inspecting the raw deterministic response.
The bundled fixtures cover minimal, failed, stale, medium, issued, cyber-baseline, and ai-governance, plus the showcase, lifecycle, and signing packs.
The release line now publishes a trust-root registry that distinguishes the current synthetic reference roots from the environment-override path for non-synthetic publication. That makes the live publication story inspectable without pretending the public reference bundle already uses it.
python3 scripts/verify_fixture.py --fixture-root fixtures/public/minimal --check
python3 scripts/serve_verify_api.py --port 8788
python3 -m http.server 8000
python3 scripts/run_lean_batch.py --fixture minimal
python3 scripts/attest_release_bundle.py --bundle-root . --check
python3 conformance/scripts/validate_public_examples.py --fixture all
python3 scripts/verify_signed_artifacts.py --manifest signed-artifact-manifest.json --artifact-root .The release proves that a third party can take the public bundle, rerun the verifier, rerun the Lean slice, validate the synthetic corridors, verify the signed file manifest, verify the synthetic release attestation, and read one explicit contract describing which release artifacts, fixture artifacts, trust registries, typed-boundary tags, and outcome policies are meant to stay stable.
It does not yet prove live-connector operation, real-organisation evidence ingestion, or that a non-synthetic publication root has already been exercised on the public bundle. It is still a synthetic public reference release, not a claim of full audit readiness for arbitrary organisations.