Release train (signed distribution)
Artifacts
- /downloads/releases.json + .sig (tools list)
- /standard/registries.bundle.json + .sig (pack manifests SSoT)
- Per-tool downloads include SHA256SUMS + signature checks (where applicable).
Backward compatibility rules
- Never mutate receipts (upgrades create new receipt objects).
- Additive schema only (fields can be added, not removed).
- Domain separation remains intact (issuance on getevidex.net; verify read-only on verify.getevidex.net).
Operator checklist
- Run tests.
- Update changelog.
- Generate signed distribution artifacts.
- Publish downloads (no remote scripts).