v0.4.3

v0.4.3 — public rule read model for catalog consumers

pkg/kensa gains the normalized rule read model (tranche 1 of the
OpenWatch read-model ask): RuleFrameworkRefs (normalized refs via
internal/mappings), Framework/FrameworkFromID/Frameworks registry,
RuleSummary/RuleToSummary/LoadRuleSummaries catalog projection, and a
RemediationSummary of derivable facts only (Available/Mechanisms/
RestartsServices/RebootBehavior) — no risk level, no blanket
requires-reboot, per the ownership boundary. PATCH bump; api/ untouched.

v0.4.2

v0.4.2 — per-rule OSCAL export + unmapped-rule conformance fix

pkg/kensa.ExportOSCALOutcome / WriteOSCALOutcome render a single
api.RuleOutcome as its own valid one-finding OSCAL 1.0.6 AR (host context
preserved) — the per-rule counterpart of ExportOSCALScan. Fix: a result
with no framework-mapped control now falls back to OSCAL include-all
(empty include-controls was schema-invalid), on scan + remediation paths.
PATCH bump; api/ untouched.

v0.4.1

v0.4.1 — public OSCAL export for api consumers

pkg/kensa now exports ExportOSCALScan/WriteOSCALScan (api.ScanResult ->
OSCAL 1.0.6 AR, unsigned) and ExportOSCAL/WriteOSCAL (signed
api.EvidenceEnvelope -> OSCAL 1.0.6 AR), thin wrappers over
internal/evidence. Completes the public chain LoadRules -> NewScanner ->
Scan -> Outcomes -> ExportOSCALScan for embedders. PATCH bump; api/
untouched.

v0.4.0

v0.4.0 — native-evidence parity + OSCAL enrichment

Structured per-check observation evidence on the scan path, surfaced in
two artifacts: the Kensa-native evidence document (-o evidence:) and an
OSCAL 1.0.6 Assessment Results document (-o oscal: on check). Additive
api/ surface (MINOR): RuleOutcome.Evidence, ScanResult.Capabilities +
Platform, new CheckEvidence + DetectedPlatform types. Schemas vendored
with a hard CI conformance gate; live-validated on the test fleet.

v0.3.2

Kensa v0.3.2 — public scanner construction (NewScanner, DefaultWithTr…

v0.3.1

Kensa v0.3.1 — public rule loader (LoadRules, BuiltInVars, RuleVariab…

v0.3.0

Kensa v0.3.0 — compliance-verdict API, platform gating, param-contrac…

v0.2.3

Kensa v0.2.3 — live result-row streaming

v0.2.2

Kensa v0.2.2 — supply-chain + service-handler hardening

v0.2.1

Kensa v0.2.1 — packaging-UX hardening

Built on v0.2.0's signed-package foundation:

  * KEYS file at the repo root for one-stop verify-key import
  * kensa rpm + deb Recommends: kensa-rules so 'dnf install kensa'
    pulls the corpus automatically; postinst warns when it doesn't
    (no network fetch — distro policy + air-gap reality)
  * kensa_<v>_linux_<arch>_with-rules.tar.gz — single-download
    air-gap install path (binaries + 539-rule corpus)
  * docs/guide/01-install.md rewritten with signed-key import as
    Step 1 and explicit cosign + sha256sum verify for air-gap

No binary behaviour change from v0.2.0. Same signing posture (GPG-
signed rpm/deb + cosign-signed checksums). Same 4 secrets in CI.

Signed by the Hanalyx LLC release-signing subkey (master fingerprint
4CB70E1C 09426E43 CBBAD280 4AA0538F E239E50C). Verify checksums
with cosign + the published Hanalyx cosign public key (now in KEYS
at the repo root).

See CHANGELOG.md for the full v0.2.1 entry.