
This release adds Sigstore signature verification in varyup, unified vulnerability scanning across all ecosystems, reproducible JARs, and five dependency upgrades including two CVE fixes. The compiler gained a review command, host-language leakage detection, canonical naming enforcement, and four project templates for `vary new`. The release pipeline added SLSA build provenance, automated artifact validation, content scanning, and Windows packaging support.

<div class="table-scroll">
<table style="width: 100%;">
<colgroup><col style="width: 240px;"><col></colgroup>
<thead><tr style="background: rgba(0, 0, 0, 0.03);"><th style="text-align: left;">Change</th><th style="text-align: left;">Description</th></tr></thead>
<tbody>
<tr><td>Sigstore release signing</td><td>Release artifacts are now signed with Sigstore via cosign keyless signing. <code>varyup</code> verifies signatures on download using the cosign bundle format. <strong>Breaking:</strong> older <code>varyup</code> binaries that do not understand Sigstore bundles cannot verify new releases; upgrade <code>varyup</code> first.</td></tr>
<tr><td>Unified vulnerability scanning</td><td>New <code>osv-scanner</code> security gate covers Go, npm, and Java transitive dependencies in a single pass. Six Go vulnerabilities and one npm vulnerability fixed.</td></tr>
<tr><td>Pebble 4.1.1 upgrade</td><td>Upgraded Pebble template engine from 3.2.2 to 4.1.1 to fix an SSTI (server-side template injection) vulnerability.</td></tr>
<tr><td>Quarkus 3.34.2 upgrade</td><td>Upgraded Quarkus from 3.31.1 to 3.34.2. Fixed bean discovery changes in 3.34 and removed the netty dependency force-override.</td></tr>
<tr><td><code>vary review</code> command</td><td>New CLI command that produces a module review covering roles, test inventory, effects, contracts, trust gaps, and mutation guidance.</td></tr>
<tr><td><code>vary new</code> templates</td><td>Four project templates (cli, library, service-client, and serious) with agent selection and skill scaffolding.</td></tr>
<tr><td>Canonical naming enforcement</td><td>Compiler error for non-canonical names. <code>PascalCase</code> required for types, <code>snake_case</code> for everything else.</td></tr>
<tr><td>Property testing framework</td><td>Replay, corpus persistence, generators, and shrinking analysis for property-based tests using <code>across</code>.</td></tr>
<tr><td>SLSA build provenance</td><td>SLSA build provenance attestation for verifiable supply chain metadata on release artifacts.</td></tr>
<tr><td>Release artifact validation</td><td>Automated release asset validation and content scanning wired into the CI release pipeline.</td></tr>
<tr><td>VAST corpus protection</td><td>Acceptance-set corpus entries are now protected from nightly pruning to preserve historical evidence.</td></tr>
<tr><td>Result match codegen fix</td><td>Fixed missing <code>CHECKCAST</code> for enum error types in <code>match</code> arms over <code>Result</code> values.</td></tr>
<tr><td>Contract codegen fix</td><td>Fixed <code>out</code> contracts on <code>Result</code> and enum return types causing JVM <code>VerifyError</code>.</td></tr>
<tr><td>LSP import resolution fix</td><td>Fixed import resolution for nested project layouts so the language server finds modules correctly.</td></tr>
</tbody>
</table>
</div>
