Changelog

Unreleased

• (none yet)

v1.1.6rc3 (2026-01-25) — Release signing + proof kit hardening

• Release: optional macOS codesign/notarization and Windows Authenticode signing in CI when secrets are configured.
• Proof kit: require a pinned runner image ref (no placeholder default).
• Docs: align release provenance + verification guidance with current release assets.

v1.1.6rc2 (2026-01-25) — Enterprise deploy polish

• Deploy: add a minimal Helm chart for Teams/Registry (deploy/helm/helix-teams/).
• Deploy: flesh out the Kubernetes manifest (deploy/k8s/helix-teams-registry.yaml) with probes, PVC, and high-signal env hints.
• Release: add macOS Helix Studio PyInstaller packaging (tools/package_macos.py) and attach helix-studio-macos.zip on release tags.
• Docs: remove template placeholders and clarify Kubernetes/Helm deployment options.

v1.1.6rc1 (2026-01-25) — Enterprise release candidate

• CLI: prove-guide-sweep now prints the effective bundle URL and source (default/env/flag).
• CLI: bump CLI Session Contract to v3 (exports now embed the scientific contract header; identity/downgrades are auditable by default).
• Teams: API tokens support TTL/explicit expiry and admin revocation.
• Teams: OIDC JWKS can be configured via file/URL/discovery with refresh-on-key-rotation.
• Teams: Prometheus /metrics endpoint plus optional auth (HELIX_TEAMS_METRICS_MIN_ROLE).
• Deploy: add deploy/docker-compose.image.yml for prebuilt Teams images; document production knobs.
• CI: add Teams Image workflow to publish ghcr.io/<owner>/helix-teams:<tag> on release tags.
• Docs: add enterprise evaluation guide, Teams deploy guide, and support policy template.

v1.1.5 (2026-01-13) — Public golden bundle host

• CLI: helix crispr prove-guide-sweep now defaults to the public helix-public-assets bundle URL (override with --url or HELIX_GUIDE_SWEEP_BUNDLE_URL).
• Packaging: include jsonschema in core deps so decision-validate works in clean installs.
• CLI: prove-guide-sweep verifies bundle integrity without requiring signatures for public golden bundles.

v1.1.4 (2026-01-13) — Guide sweep proof command

• CLI: add helix crispr prove-guide-sweep to download the golden bundle, validate decision.json, and verify artifact bundles in one step.

v1.1.3 (2026-01-12) — Tripwire + Teams hotfixes

• Teams: fix search_program_versions(tag=...) crash (Python f-string SyntaxError).
• CI: tripwire no longer fails reruns when the violating SHA is already recorded in the open issue.
• CI: fix calibration guard workflows YAML heredoc indentation (base + prime multiplex).
• CLI: helix info now prints contract metadata for support/debug (contract_id, contract_version, contract_hash, schema_digest).

v1.1.2 (2026-01-12) — Fresh install smoke fixes

• Packaging: include cryptography in core deps.
• Demo: stamp base v2 registry_ref prior to zip/publish under registry enforcement.

v1.1.1 (2026-01-12) — Audit portability fixes

• Governance: approvals now emit v2 receipts with mandatory toolchain; v1 receipts are explicitly treated as legacy.
• Governance: add one-shot migrator to rewrite v1 receipts to v2 where possible (helix governance migrate-v1-receipts).
• Registry: dependency impact propagation now fingerprints riskSummaryHash + approvalSurfaceHash and requires explicit acknowledgement when they change.
• Registry: add helix registry explain-block to surface the exact predicate(s) and copy/paste fix commands.

v1.1.0 (2026-01-11) — Governance ledger + Registry v1

Non-bypassable rules (when enforced)

• In HELIX_GOVERNANCE_MODE=enforce, “official exports” fail closed unless the bundle is integrity-verified and governance-Approved (or explicitly waived by a signed waiver receipt where policy allows).
• If HELIX_REGISTRY_URL is configured, “official exports” fail closed unless the bundle is registered (governance/registry_ref.json present) and the registry reports it is not deprecated / needsReview.
• In HELIX_GOVERNANCE_MODE=enforce, side-channel artifact writers (reports/exports written outside governed bundles) fail closed.

Features

• CLI: bump Helix CLI Session Contract to v2 and stamp contract_id/contract_hash into .helix sessions, *.export.json, and *.png.provenance.json.
• Governance ledger: event-sourced lifecycle (Draft → Review → Approved → Deprecated) via signed receipts (transition_request_v1, signoff_v1, waiver_v1) with deterministic replay.
• Registry v1: publish approved bundles as semver ProgramVersions, search/filter (gene/nuclease/edit type/tag + off-target risk), dependency graph, deprecation impact propagation, and acknowledgements.
• Receipt fetch: materialize the exact bundle for an approval receipt id (helix fetch --receipt …) and verify it end-to-end.
• Blob storage: S3/MinIO content-addressed backend (HELIX_BLOB_BACKEND=s3) with explicit timeouts/retries and optional strict no-overwrite (HELIX_S3_STRICT_NO_OVERWRITE=1).
• GitHub: PR verify/diff workflow (.github/workflows/helix-verify-diff.yml) with fork-safe commenting and deterministic artifacts.
• Ops UX: enforcement posture banner on Teams/Registry server startup, helix status, and posture footer in helix governance status.
• Deploy templates: deploy/docker-compose.yml (Teams + MinIO), deploy/production.env.example, and a Kubernetes manifest skeleton.
• Telemetry: server counters endpoint for export blocks + registry activity (/api/v0/telemetry/counters).

Breaking changes

• None by default (governance defaults to warn), but enabling HELIX_GOVERNANCE_MODE=enforce will block side-channel outputs and enforce governed/registered exports.

v1.0.10 (2026-01-07) — PyPI bootstrap hardening

• Release workflow: build in a clean dist/ so trusted publishing uploads only helix-governance artifacts (no legacy veri_helix-* files).
• Packaging: add helix-governance[studio] extra and a helix-studio shim that prints install guidance when GUI deps are missing.
• Release assets: placeholder .asc files are non-empty (avoids GitHub Release asset upload failures when GPG is not configured).

v1.0.9 (2026-01-07) — Windows packaging meta fix

• Windows release packaging: tolerate PyInstaller _internal/ layout by copying helix_build_meta.json to the app root before zipping.
• CLI: add Helix CLI Session Contract v1 (cross-platform E2E gate + deterministic failure-path contract for simulate → report → export).

v1.0.8 (2026-01-07) — Windows PyInstaller spec fix

• Windows release packaging: fix EXE(...) wiring in PyInstaller spec (pass TOC iterables, not a single TOC tuple).

v1.0.7 (2026-01-07) — Windows release packaging fix

• Windows release packaging: fix PyInstaller datas shader inclusion (use explicit (src, dest) pairs; no Tree(...) entries).

v1.0.6 (2026-01-07) — Release workflow validity fix

• CI/release: fix .github/workflows/release.yml conditional publish steps so the workflow parses and runs on GitHub Actions.

v1.0.5 (2026-01-07) — Release pipeline hardening

• Windows release packaging: fix PyInstaller datas shader Tree handling (datas += Tree(...), not append).
• Release workflow: allow optional API-token publish fallback (secrets PYPI_API_TOKEN / TEST_PYPI_API_TOKEN) to bootstrap new PyPI projects; otherwise uses trusted publishing.

v1.0.4 (2026-01-07) — Release packaging fix

• Windows release packaging: fix PyInstaller spec repo-root detection (no __file__ reliance; honors GITHUB_WORKSPACE/HELIX_REPO_ROOT).
• Docs: surface veri-helix → helix-governance migration note prominently in README and Getting Started.

v1.0.3 (2026-01-07) — Governance authority made visible

• Breaking: distribution rename migration path for legacy installs: python -m pip uninstall -y veri-helix && python -m pip install -U helix-governance (module/CLI entrypoints unchanged).
• Authority visibility wedge: deterministic provenance header + block injected into *.export.json, *.evidence.json, and HTML reports; Studio surfaces DECISION_GRADE vs EXPLORATORY via readiness gates.
• Artifact bundle verifier UX: helix verify <bundle> prepends a human summary (includes short manifest hash even on failure) while preserving stable machine FAIL\t... lines.
• Decision-grade export hardening: decision-grade writers fail closed without a signing context; bundle builder plumbs signing through so signed bundles don’t trip SIGNING_KEY_REQUIRED.
• Governance onboarding primitive: helix governance self-check (offline, JSON + --strict) reports pinned issuer keys, policy label, license scope, and signing readiness without leaking secrets.

v1.0.2 (2025-12-23) — Partner intake & reproducibility guardrails

• End-to-end design partner funnel: helix partner run now emits three seeded demos + optional support bundle with JSON handshake metadata for easy triage.
• Intake automation: tools/partner_intake.py (strict bundle + handshake checks), tools/partner_case.py (case folder + ledger regeneration), and tools/partner_followup.py (templated emails) harden the return path.
• Repro bundle v1: repro/helix_repro_bundle_v1 plus CLI helix run --out/helix verify --kind repro keep CPU↔GPU outputs aligned; backend parity tests exercise the bundle in CI.

v1.0.1 (2025-12-15) — Lightcone GPU + audit packs

• Studio Lightcone panel with GPU renderer, picking, and selection drilldowns; exports audit-pack zips (manifest + receipts + selection dump) for traceable viz artifacts.
• Lightcone perf harness + pinned baseline gate (tools/lightcone_perf.py, tests/test_lightcone_perf_smoke.py) keep shader/geometry changes honest on the pinned GPU runner.
• CLI experiment dump accepts Lightcone audit packs (helix experiment dump --audit-pack …) so headless workflows can consume the same fixtures.

v1.0.0 (2025-12-05) — Helix 1.0 contract

• Snapshot-driven .helix sessions with headless parity: helix simulate|run writes sessions, helix report/export renders HTML + PNG evidence, and helix engine info/benchmark stamp backend + scoring metadata.
• Reproducibility + schema surface: Snapshot Spec v1 published; helixspec compile/diff/run/verify commands added; VeriBiota export/lean-check/preflight wired into the CLI.
• Studio spine stabilized: start panel + presets, run history table with compare/export shortcuts, and refreshed Outcome Explorer/Guide Inspector flows (see 0.5.x notes below).

v0.5.0 (2025-11-29) — Genome IDE shell, presets, and run history

• New Start panel + hero status console (running/error/last run) with shortcuts.
• Built-in CRISPR & Prime EMX1 demos via experiment presets; user presets save/load/picker.
• Outcome Explorer upgrades: chips, prob-mass label, pinned intended row, hover tooltips, selection glow, chart PNG export.
• Guides/Compare redesign with run chips, deltas, and baseline/candidate wiring from Run History (B/C shortcuts).
• Run History now a styled experiment table with labels, intended/frameshift metrics, relative “When”, rename, export summary.
• Layout preset + screenshot helper; onboarding hint banners; keyboard shortcuts dialog expanded.
• Tests for hero status, outcome explorer, experiment presets; perf guard for large runs.

v0.1.0 (2025-11-26)

• Canonical data models: RunModel / OutcomeModel / EngineInfo; SessionModel stores runs; .helix sessions for CLI + Studio interoperability.
• Simulation: CRISPR and PRIME via LocalEngine (Studio + helix-cli simulate), with prime knobs (pam_profile, draws, seed) and scenario tagging.
• Analysis UX: Guide Inspector (score, rank, filters, scenario column, batch export, compare), Outcome Explorer (chips for cut/no-cut/frameshift|cut, physics, engine, rank, metadata), compare view, PCR CTA, helix highlight.
• Reports: GUI and headless HTML export (engine/backend + scoring versions + metadata; CSV/JSON; no-chart tolerant).
• Benchmarks: helix-cli bench and Engine Health panel; last bench persisted to ~/.helix/benchmarks.json and shown in Studio.
• Persistence: save/load sessions, recent sessions MRU, welcome dialog, demo session bundled (docs/demo/demo_session.helix).
• Headless pipeline: helix-cli simulate (CRISPR/Prime, scenarios) → .helix → helix-cli report (optional run-id filter).
• Docs: studio tour, headless CLI guide, config schema, validation scaffold.
• Tests: CLI simulate/report (CRISPR/Prime), run-id filter, metadata chips, no-chart reporting, engine info, Inspector filters, demo session load, Studio integration.