Helm chart 0.5.3

Helm chart for the Jarvy telemetry forwarder.

Install

helm install jarvy-telemetry \
  oci://ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder \
  --version 0.5.3 \
  --namespace jarvy-telemetry --create-namespace

Verify signature

The --certificate-identity flag is exact, not a
substring match. A fork named bearbinary/jarvy-anything
cannot satisfy this identity even with a valid Sigstore
certificate.

cosign verify \
  --certificate-identity "https://github.com/bearbinary/Jarvy/.github/workflows/helm-release.yml@refs/tags/helm-v0.5.3" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder:0.5.3

Artifacts

• OCI: ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder:0.5.3
• Digest: sha256:b3b0635f4c4e0ed5c0e0b1c62895de9b9ceeb8e37f1368645a6a8f11c714afac
• Chart SHA256: 073b30963c9f8c676d6b92f0c3e4bc2524ad06a21a486431e03e238858fbcb1d
• Signature Rekor UUID: 1583588242 — https://search.sigstore.dev/?logIndex=1583588242
• SBOM attestation Rekor UUID: 1583589126 — https://search.sigstore.dev/?logIndex=1583589126
• SBOMs: sbom.spdx.json, sbom.cdx.json attached

Operational documentation:
https://jarvy.dev/operations/telemetry-forwarder/

Full Changelog: helm-v0.4.0...helm-v0.5.3

Helm chart 0.4.0

Helm chart for the Jarvy telemetry forwarder.

Install

helm install jarvy-telemetry \
  oci://ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder \
  --version 0.4.0 \
  --namespace jarvy-telemetry --create-namespace

Verify signature

The --certificate-identity flag is exact, not a
substring match. A fork named bearbinary/jarvy-anything
cannot satisfy this identity even with a valid Sigstore
certificate.

cosign verify \
  --certificate-identity "https://github.com/bearbinary/Jarvy/.github/workflows/helm-release.yml@refs/tags/helm-v0.4.0" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder:0.4.0

Artifacts

• OCI: ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder:0.4.0
• Digest: sha256:8971e1e6e070c6424e39700319e0d5d717c664282de2ccb62cf1f91755dc5859
• Chart SHA256: 8c068152a683ed5db54cc9067090ada8b028569860d29fad6cf527177b0c05a1
• Signature Rekor UUID: 1534842539 — https://search.sigstore.dev/?logIndex=1534842539
• SBOM attestation Rekor UUID: 1534843855 — https://search.sigstore.dev/?logIndex=1534843855
• SBOMs: sbom.spdx.json, sbom.cdx.json attached

Operational documentation:
https://jarvy.dev/operations/telemetry-forwarder/

Full Changelog: helm-v0.3.0...helm-v0.4.0

Helm chart 0.3.0

Helm chart for the Jarvy telemetry forwarder.

Install

helm install jarvy-telemetry \
  oci://ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder \
  --version 0.3.0 \
  --namespace jarvy-telemetry --create-namespace

Verify signature

The --certificate-identity flag is exact, not a
substring match. A fork named bearbinary/jarvy-anything
cannot satisfy this identity even with a valid Sigstore
certificate.

cosign verify \
  --certificate-identity "https://github.com/bearbinary/Jarvy/.github/workflows/helm-release.yml@refs/tags/helm-v0.3.0" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder:0.3.0

Artifacts

• OCI: ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder:0.3.0
• Digest: sha256:9346a99b72e77c8eb2047624c6ef5c93048bf6bc584bf27ff7a2950f39baf076
• Chart SHA256: b576b947a45e61dea3ad3f2e1480b013b1f5782cd0e2f9792ae90ade94f63548
• Signature Rekor UUID: 1524537986 — https://search.sigstore.dev/?logIndex=1524537986
• SBOM attestation Rekor UUID: 1524540654 — https://search.sigstore.dev/?logIndex=1524540654
• SBOMs: sbom.spdx.json, sbom.cdx.json attached

Operational documentation:
https://jarvy.dev/operations/telemetry-forwarder/

Full Changelog: helm-v0.1.0...helm-v0.3.0

Helm chart 0.1.0

Helm chart for the Jarvy telemetry forwarder.

Install

helm install jarvy-telemetry \
  oci://ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder \
  --version 0.1.0 \
  --namespace jarvy-telemetry --create-namespace

Verify

cosign verify \
  --certificate-identity-regexp "https://github.com/bearbinary/Jarvy/" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder:0.1.0

Artifacts

• OCI: ghcr.io/bearbinary/charts/jarvy-telemetry-forwarder:0.1.0
• Digest: sha256:fc974eee95af151686e94319da5495e807130363a8f4798fedd421b0685fe0ea
• Chart SHA256: a577851120cd23588250b1affc1e0d9e8a4fd25bbe5d8c07042771e4a44d31d4
• SBOMs: sbom.spdx.json, sbom.cdx.json attached

Operational documentation:
https://jarvy.dev/operations/telemetry-forwarder/

Full Changelog: v0.1.0-rc.10...helm-v0.1.0

v0.1.0-rc.10

• chore(security): allowlist synthetic JWT test fixture in sanitizer.rs (bcdff1d)
• chore(release): v0.1.0 prep — Cargo bumps + CHANGELOG + UPGRADING (631d491)
• fix(clippy): unnecessary_get_then_check + field_reassign_with_default (7143e8a)
• feat(templates): 14 jarvy.toml templates + LLM index docs (fbeb4b9)
• feat(onboarding): clean-laptop bootstrap — Makefile + scripts/bootstrap.sh (a552ef8)
• refactor,security,test(v0.1.0): R2 P2 batch — pin installers, secrets containment, HookOutcome collapse (d354193)
• refactor,perf,obs(v0.1.0): R2 P1 batch — observability, perf, consolidations (ec390ef)
• feat(security,obs): close round-2 P0s (CA bundle, env-vars, sigstore, flush) (265d4a8)
• docs: cookbook + JSON schema + auto-gen CLI/registry + CI + analytics (6000612)
• test(paths,ticket): serialize JARVY_HOME env mutation across tests (a4b7045)
• refactor,test(v0.1.0): paths migration + exec seam + setup_cmd phases (6a45989)
• refactor,test(v0.1.0): ShellInit macro + run_with_policy + config tests (0671baa)
• docs(migration): YC-quality docs overhaul + AI migration prompts + eval harness (642b343)
• feat(security,perf): sigstore companions + paths.rs + has() cache (33b4c16)
• feat(observability): wire file logging + run_id correlation + startup banner (4e40fbd)
• feat(security): route team/* through hardened remote pipeline + perms (b34c681)
• refactor(v0.1.0): consolidate drifted helpers (CI detect, has, extract_version) (a00288a)
• perf,test(v0.1.0): shared ureq agent + BufWriters + meaningful registry tests (7d56c9a)
• feat(security,observability): sanitizer rewrite + perms + endpoint guard (7edb998)
• feat(security): refuse hostile jarvy.toml config patterns (P0 family) (acd5f0d)
• test(v0.1.0): regression tests + drop String::leak in topo sort (a481981)
• chore(chocolatey): add iconUrl and packageSourceUrl to nuspec (9dc7d10)

Full Changelog: v0.0.5...v0.1.0-rc.10

Installation

Quick Install (Unix)

curl -fsSL https://raw.githubusercontent.com/bearbinary/jarvy/main/dist/scripts/install.sh | bash

Quick Install (Windows PowerShell)

irm https://raw.githubusercontent.com/bearbinary/jarvy/main/dist/scripts/install.ps1 | iex

Homebrew

brew install bearbinary/tap/jarvy

Cargo

cargo install jarvy

Early-Release Channel

Pre-release tags (-rc.N, -beta.N) are routed through the beta channel.
Opt in: JARVY_CHANNEL=beta on the install script, or jarvy update --channel beta.
See docs/release-testing.md.

See installation docs for more options.

Security

Verify Signatures

All release artifacts are signed with Sigstore keyless OIDC. Verify any artifact:

ARTIFACT=jarvy-linux-x86_64.tar.gz
BASE=https://github.com/bearbinary/jarvy/releases/download/v0.1.0-rc.10
curl -LO $BASE/$ARTIFACT
curl -LO $BASE/$ARTIFACT.sig
curl -LO $BASE/$ARTIFACT.pem
cosign verify-blob \
  --signature $ARTIFACT.sig \
  --certificate $ARTIFACT.pem \
  --certificate-identity-regexp 'https://github.com/bearbinary/Jarvy/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  $ARTIFACT

Tag Signature

This release was cut from a signed git tag. Verify with:

git -c gpg.ssh.allowedSignersFile=.github/allowed_signers tag --verify v0.1.0-rc.10

SBOM

Software Bill of Materials in SPDX 2.3 (sbom.spdx.json) and CycloneDX 1.4 (sbom.cdx.json).

Checksums

SHA256 checksums for all artifacts are in SHA256SUMS.txt.

v0.1.0-rc.9

• ci(e2e): drop macos-13 + fix Windows path-escape in jarvy bin output (e74a965)
• fix(quickstart): bail before inquire prompts when no TTY (Windows hang) (40f0016)

Full Changelog: v0.1.0-rc.8...v0.1.0-rc.9

Installation

Quick Install (Unix)

curl -fsSL https://raw.githubusercontent.com/bearbinary/jarvy/main/dist/scripts/install.sh | bash

Quick Install (Windows PowerShell)

irm https://raw.githubusercontent.com/bearbinary/jarvy/main/dist/scripts/install.ps1 | iex

Homebrew

brew install bearbinary/tap/jarvy

Cargo

cargo install jarvy

Early-Release Channel

Pre-release tags (-rc.N, -beta.N) are routed through the beta channel.
Opt in: JARVY_CHANNEL=beta on the install script, or jarvy update --channel beta.
See docs/release-testing.md.

See installation docs for more options.

Security

Verify Signatures

All release artifacts are signed with Sigstore keyless OIDC. Verify any artifact:

ARTIFACT=jarvy-linux-x86_64.tar.gz
BASE=https://github.com/bearbinary/jarvy/releases/download/v0.1.0-rc.9
curl -LO $BASE/$ARTIFACT
curl -LO $BASE/$ARTIFACT.sig
curl -LO $BASE/$ARTIFACT.pem
cosign verify-blob \
  --signature $ARTIFACT.sig \
  --certificate $ARTIFACT.pem \
  --certificate-identity-regexp 'https://github.com/bearbinary/jarvy' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  $ARTIFACT

Tag Signature

This release was cut from a signed git tag. Verify with:

git -c gpg.ssh.allowedSignersFile=.github/allowed_signers tag --verify v0.1.0-rc.9

SBOM

Software Bill of Materials in SPDX 2.3 (sbom.spdx.json) and CycloneDX 1.4 (sbom.cdx.json).

Checksums

SHA256 checksums for all artifacts are in SHA256SUMS.txt.

v0.0.5

Folds in everything queued for v0.0.4 (which was tagged but never
publicly published) plus a Chocolatey install-script fix.

Fixed

• Chocolatey package v0.0.3 failed moderation with 404 Not Found
  for the install URL. Two bugs in
  dist/windows/chocolatey/tools/chocolateyinstall.ps1:

  • URL pattern referenced
    jarvy-vVERSION_PLACEHOLDER-x86_64-pc-windows-msvc.zip — but
    cargo-packager produces .msi and .exe, no .zip for Windows.
  • VERSION_PLACEHOLDER and SHA256_PLACEHOLDER were never substituted
    because the publish workflow only ran sed against jarvy.nuspec,
    not the install script.

  Rewrote the install script to use Install-ChocolateyPackage with
  -FileType msi and silent install args, pointing at the actual
  jarvy_<v>_x64_en-US.msi asset. Updated
  publish-packages.yml::update-chocolatey to substitute both files
  AND pull the real msi SHA256 from SHA256SUMS.txt so the integrity
  check passes.

• cargo fmt --check drift in src/team/inheritance.rs:760-768
  (single-quoted TOML literals from v0.0.3 needed compaction).

• OpenSSF Scorecard failed on v0.0.3 tag with Only the default branch main is supported. ossf/scorecard-action explicitly refuses
  tag-push triggers. Restored push: branches: [main] for scorecard
  only — every other validating workflow stays tag-triggered.

• Homebrew tap publish now gracefully skips when
  HOMEBREW_TAP_DEPLOY_KEY is not configured. Previously the missing
  secret failed the whole publish-packages.yml workflow, masking
  the success of crates.io, AUR, winget, and Chocolatey jobs.

Validated downstream (v0.0.3)

After the v0.0.3 fixes, the following propagation channels worked:

• ✅ crates.io: jarvy@0.0.3 + cargo-jarvy@0.0.3 published
• ✅ AUR (jarvy-bin)
• ✅ Submit to winget (publish-packages.yml job; separate winget.yml
  still needs manual first submission)
• ✅ GitHub Pages docs site (after maintainer enabled Pages)
• ❌ Chocolatey: failed moderation due to broken install script
  (v0.0.5 fixes)
• ⚠️ Homebrew tap: pending secret config (now non-blocking)

Note

v0.0.4 was tagged but the draft was never publicly published —
v0.0.4's fixes ship together with the Chocolatey fix as v0.0.5 to
reduce propagation churn (one round of crates.io / AUR / etc.
updates instead of two back-to-back).

Full Changelog: v0.0.4...v0.0.5

Installation

Quick Install (Unix)

curl -fsSL https://raw.githubusercontent.com/bearbinary/jarvy/main/dist/scripts/install.sh | bash

Quick Install (Windows PowerShell)

irm https://raw.githubusercontent.com/bearbinary/jarvy/main/dist/scripts/install.ps1 | iex

Homebrew

brew install bearbinary/tap/jarvy

Cargo

cargo install jarvy

Early-Release Channel

Pre-release tags (-rc.N, -beta.N) are routed through the beta channel.
Opt in: JARVY_CHANNEL=beta on the install script, or jarvy update --channel beta.
See docs/release-testing.md.

See installation docs for more options.

Security

Verify Signatures

All release artifacts are signed with Sigstore keyless OIDC. Verify any artifact:

ARTIFACT=jarvy-linux-x86_64.tar.gz
BASE=https://github.com/bearbinary/jarvy/releases/download/v0.0.5
curl -LO $BASE/$ARTIFACT
curl -LO $BASE/$ARTIFACT.sig
curl -LO $BASE/$ARTIFACT.pem
cosign verify-blob \
  --signature $ARTIFACT.sig \
  --certificate $ARTIFACT.pem \
  --certificate-identity-regexp 'https://github.com/bearbinary/Jarvy/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  $ARTIFACT

Tag Signature

This release was cut from a signed git tag. Verify with:

git -c gpg.ssh.allowedSignersFile=.github/allowed_signers tag --verify v0.0.5

SBOM

Software Bill of Materials in SPDX 2.3 (sbom.spdx.json) and CycloneDX 1.4 (sbom.cdx.json).

Checksums

SHA256 checksums for all artifacts are in SHA256SUMS.txt.

v0.0.3

Patch release. v0.0.2 went live on the GitHub release page but the
crates.io and Homebrew workflows that fire on release: published
both failed, leaving cargo install jarvy and
brew install bearbinary/tap/jarvy unavailable.

Fixed

• Cargo.toml declared readme = "README.md" (uppercase) but the
  tracked file is Readme.md (mixed case). On macOS the difference
  is invisible (case-insensitive filesystem); on the Linux CI runner
  it failed cargo publish with readme "README.md" does not appear to exist. Both Publish Crate and Publish to Package Managers
  workflows hit the same error. Same fix in the include = [...]
  manifest list. Now matches what's actually in the git tree.
• .github/workflows/winget.yml was scaffolded from a different
  project's template and never customized — identifier: Benji377.Tooka
  and fork-user: Benji377 referenced a totally unrelated package.
  Rewrote with placeholder TODO values for Jarvy.Jarvy /
  bearbinary and changed the trigger from release: published to
  workflow_dispatch only. winget-releaser cannot create a brand-new
  package registration; the first submission must go through
  wingetcreate new and a hand-reviewed PR to microsoft/winget-pkgs.
  After that's merged the trigger can be flipped back.

Removed

• Duplicate .github/workflows/crates.yml deleted. Both that and
  publish-packages.yml::publish-crates-io were firing on
  release: published and trying to cargo publish. Even if both
  had the right secret, the second one would race-fail with "crate
  version already exists". Kept the version inside publish-packages.yml
  because it composes with the Homebrew tap update via needs:.
• docs/release-testing.md and docs/release-quirks-jarvy.md
  references to crates.yml updated to point at the surviving
  workflow path.

Known issues (not fixed in this release)

• GitHub Pages is not enabled for bearbinary/Jarvy repo — the
  Deploy Docs workflow fails with HttpError: Not Found ... Ensure GitHub Pages has been enabled. Fix is in repo Settings → Pages,
  not in code. Until enabled, the docs site at jarvy.dev (or
  whichever Pages URL ends up provisioned) won't update on release.
• winget first submission still requires manual wingetcreate new
  intervention (see Fixed above for the workflow disable).

Full Changelog: v0.0.2...v0.0.3

Installation

Quick Install (Unix)

curl -fsSL https://raw.githubusercontent.com/bearbinary/jarvy/main/dist/scripts/install.sh | bash

Quick Install (Windows PowerShell)

irm https://raw.githubusercontent.com/bearbinary/jarvy/main/dist/scripts/install.ps1 | iex

Homebrew

brew install bearbinary/tap/jarvy

Cargo

cargo install jarvy

Early-Release Channel

Pre-release tags (-rc.N, -beta.N) are routed through the beta channel.
Opt in: JARVY_CHANNEL=beta on the install script, or jarvy update --channel beta.
See docs/release-testing.md.

See installation docs for more options.

Security

Verify Signatures

All release artifacts are signed with Sigstore keyless OIDC. Verify any artifact:

ARTIFACT=jarvy-linux-x86_64.tar.gz
BASE=https://github.com/bearbinary/jarvy/releases/download/v0.0.3
curl -LO $BASE/$ARTIFACT
curl -LO $BASE/$ARTIFACT.sig
curl -LO $BASE/$ARTIFACT.pem
cosign verify-blob \
  --signature $ARTIFACT.sig \
  --certificate $ARTIFACT.pem \
  --certificate-identity-regexp 'https://github.com/bearbinary/Jarvy/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  $ARTIFACT

Tag Signature

This release was cut from a signed git tag. Verify with:

git -c gpg.ssh.allowedSignersFile=.github/allowed_signers tag --verify v0.0.3

SBOM

Software Bill of Materials in SPDX 2.3 (sbom.spdx.json) and CycloneDX 1.4 (sbom.cdx.json).

Checksums

SHA256 checksums for all artifacts are in SHA256SUMS.txt.

v0.0.2

Patch release fixing the cosign verification snippet baked into
release notes, SECURITY.md, and docs/release-quirks-jarvy.md.

Fixed

• release notes / SECURITY.md / docs: the
  --certificate-identity-regexp value used bearbinary/jarvy
  (lowercase j). The actual Sigstore cert subject GitHub Actions
  produces is bearbinary/Jarvy/... (capital J — the repo's
  canonical case). cosign's regex is case-sensitive, so users
  copy-pasting the verify command from the v0.0.1 release page
  saw "none of the expected identities matched" even though the
  signature was valid. Corrected all three sources to
  bearbinary/Jarvy/. github.com URLs elsewhere in the repo are
  unchanged because GitHub URL matching is case-insensitive — only
  cosign's regex was affected.

Full Changelog: v0.0.1...v0.0.2

Installation

Quick Install (Unix)

curl -fsSL https://raw.githubusercontent.com/bearbinary/jarvy/main/dist/scripts/install.sh | bash

Quick Install (Windows PowerShell)

irm https://raw.githubusercontent.com/bearbinary/jarvy/main/dist/scripts/install.ps1 | iex

Homebrew

brew install bearbinary/tap/jarvy

Cargo

cargo install jarvy

Early-Release Channel

Pre-release tags (-rc.N, -beta.N) are routed through the beta channel.
Opt in: JARVY_CHANNEL=beta on the install script, or jarvy update --channel beta.
See docs/release-testing.md.

See installation docs for more options.

Security

Verify Signatures

All release artifacts are signed with Sigstore keyless OIDC. Verify any artifact:

ARTIFACT=jarvy-linux-x86_64.tar.gz
BASE=https://github.com/bearbinary/jarvy/releases/download/v0.0.2
curl -LO $BASE/$ARTIFACT
curl -LO $BASE/$ARTIFACT.sig
curl -LO $BASE/$ARTIFACT.pem
cosign verify-blob \
  --signature $ARTIFACT.sig \
  --certificate $ARTIFACT.pem \
  --certificate-identity-regexp 'https://github.com/bearbinary/Jarvy/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  $ARTIFACT

Tag Signature

This release was cut from a signed git tag. Verify with:

git -c gpg.ssh.allowedSignersFile=.github/allowed_signers tag --verify v0.0.2

SBOM

Software Bill of Materials in SPDX 2.3 (sbom.spdx.json) and CycloneDX 1.4 (sbom.cdx.json).

Checksums

SHA256 checksums for all artifacts are in SHA256SUMS.txt.

v0.0.1

First publicly tagged stable release. Validated through the
v0.1.0-rc.1 → v0.1.0-rc.9 soak cycle (same tree, version-string
only differs); cut as 0.0.1 to keep the first-stable surface narrow
and reserve room for 0.1.0 as the first feature-complete milestone.

Features

• provisioner: Cross-platform tool provisioner driven by jarvy.toml
  (macOS, Linux, Windows) with native package managers
• tools: 154+ tool registry covering compilers, runtimes, CLIs, container
  tools, Kubernetes ecosystem (kubectl, helm, k9s, kagent, kmcp, arctl), cloud
  CLIs (gcloud, aws, az), security tools, observability (opentelemetry-collector),
  Dockerfile converter (dfc) (PRD-013)
• tools: Parallel version checking with rayon for ~5x speedup; batch
  package-manager operations
• tools: Declarative define_tool! macro for tool definitions (~2000 lines
  reduced)
• tools: Strict (depends_on) and flexible (depends_on_one_of) tool
  dependencies with topological install ordering (PRD-034)
• hooks: 29+ default post-install hooks for shell completion and
  configuration; idempotent, advisory, user-overridable
• roles: Role-based configurations with deep inheritance, version overrides,
  roles list|show|diff commands (PRD-033)
• packages: Language package deps via [npm], [pip], [cargo] —
  package-manager auto-detection, virtualenv support, lockfile install (PRD-039)
• git: Git configuration automation — identity, SSH/GPG signing, default
  branch, aliases, credential helper auto-detect per OS (PRD-041)
• drift: Configuration drift detection with SHA-256 file hashing, version
  policies, jarvy drift check|status|accept|fix (PRD-043)
• update: Self-updating with stable/beta/nightly channel selection,
  throttled checks, rollback, multi-method install detection (Homebrew, Cargo,
  apt, dnf, winget, Chocolatey, Scoop, binary fallback) (PRD-035)
• telemetry: OTEL-unified logs, metrics, optional traces; OTLP HTTP/gRPC
  endpoints; CI auto-disable; jarvy telemetry status|enable|disable|test|preview
  (PRD-022, PRD-050)
• logging: Persistent file logging with rotation, gzip compression,
  sensitive-data redaction; jarvy logs view|stats|clean|config (PRD-050)
• ticket: Debug bundles via jarvy ticket create|show|list|clean — ZIP with
  system info, tool versions, sanitized logs (PRD-050)
• network: Corporate proxy support — HTTP/HTTPS/SOCKS, NO_PROXY, custom CA
  bundles, per-tool overrides, secure password sources (PRD-019)
• services: Docker Compose and Tilt backend support
• ci: Auto-detection for 11 CI/CD providers with provider-specific output
• env: Environment variable management with .env generation and shell rc
  updates
• mcp: MCP server exposing tools and resources for AI assistants
• interactive: Menu mode when running jarvy without a subcommand
• bootstrap: jarvy bootstrap, jarvy configure, jarvy diagnose for
  onboarding (PRD-023)

Distribution

• Multi-channel: crates.io, Homebrew tap, AUR (source + binary), .deb, .rpm,
  winget, Chocolatey, universal install scripts for macOS/Linux/Windows (PRD-012)
• Prebuilt platforms: macOS arm64, Linux x86_64 (musl), Linux aarch64,
  Linux armv7, Windows x86_64. macOS Intel (x86_64) not shipped as prebuilt —
  Intel users install via cargo install jarvy or Homebrew (both compile from
  source). See docs/release-testing.md for rationale.
• Sigstore keyless signing for all release artifacts (PRD-020)
• SBOM generation in SPDX 2.3 and CycloneDX 1.4 formats per release (PRD-020)
• GitHub build provenance attestation per release (PRD-020)
• Opt-in early-release channel: JARVY_CHANNEL=beta env var on install
  scripts; [update] channel = "beta" in ~/.jarvy/config.toml;
  jarvy update --channel beta

Quality & Security

• Clippy gate, mutation testing, fuzzing, coverage, benchmarks, OpenSSF
  Scorecard (PRD-018)
• Hybrid cross-platform E2E testing harness (PRD-038)
• Tag-signing enforcement (SSH or GPG) on release workflow
• Cosign keyless signing via GitHub OIDC for all release artifacts

Infrastructure

• Semantic version checking with proper semver operators
• Cross-platform shell detection and hook execution
• Workspace lint configuration; Rust 2024 edition; MSRV 1.85

Full Changelog: v0.1.0-rc.9...v0.0.1

Installation

Quick Install (Unix)

curl -fsSL https://raw.githubusercontent.com/bearbinary/jarvy/main/dist/scripts/install.sh | bash

Quick Install (Windows PowerShell)

irm https://raw.githubusercontent.com/bearbinary/jarvy/main/dist/scripts/install.ps1 | iex

Homebrew

brew install bearbinary/tap/jarvy

Cargo

cargo install jarvy

Early-Release Channel

Pre-release tags (-rc.N, -beta.N) are routed through the beta channel.
Opt in: JARVY_CHANNEL=beta on the install script, or jarvy update --channel beta.
See docs/release-testing.md.

See installation docs for more options.

Security

Verify Signatures

All release artifacts are signed with Sigstore keyless OIDC. Verify any artifact:

ARTIFACT=jarvy-linux-x86_64.tar.gz
BASE=https://github.com/bearbinary/jarvy/releases/download/v0.0.1
curl -LO $BASE/$ARTIFACT
curl -LO $BASE/$ARTIFACT.sig
curl -LO $BASE/$ARTIFACT.pem
cosign verify-blob \
  --signature $ARTIFACT.sig \
  --certificate $ARTIFACT.pem \
  --certificate-identity-regexp 'https://github.com/bearbinary/jarvy' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  $ARTIFACT

Tag Signature

This release was cut from a signed git tag. Verify with:

git -c gpg.ssh.allowedSignersFile=.github/allowed_signers tag --verify v0.0.1

SBOM

Software Bill of Materials in SPDX 2.3 (sbom.spdx.json) and CycloneDX 1.4 (sbom.cdx.json).

Checksums

SHA256 checksums for all artifacts are in SHA256SUMS.txt.