[
  {
    "date": "2026-03-14",
    "scannerVersion": "0.6.2",
    "title": "Browser/Auth Coverage and Dedup Cleanup",
    "summary": "Scanner coverage expanded again around browser-session reuse, auth-heavy skill patterns, and cleaner merged finding output.",
    "changes": [
      "Broadened browser workflow and authenticated-session inference, including profile reuse, remote browser delegation, and local-service patterns.",
      "Expanded auth/dependency coverage for credential-bearing query parameters, persistent credential stores, and browser-auth handoff flows.",
      "Deduplicated overlapping auth, cookie, session, dependency, and permission-contract findings into cleaner rendered summaries."
    ]
  },
  {
    "date": "2026-03-01",
    "scannerVersion": "0.6.1",
    "title": "Lifecycle False-Negative Fixes",
    "summary": "Lifecycle-script coverage was hardened to close bypasses in docs-context handling and JSONC package snippets.",
    "changes": [
      "Reclassified `Usage` headings so lifecycle hooks there retain normal risk scoring.",
      "Added JSONC-aware lifecycle script extraction for fenced `jsonc` package snippets.",
      "Restored `Demo`/`Output` headings as documentation contexts to avoid benign-example penalties."
    ]
  },
  {
    "date": "2026-03-01",
    "scannerVersion": "0.6.0",
    "title": "Lifecycle, Capability Contracts, and SBOM",
    "summary": "Scanner coverage expanded with lifecycle-hook detection, capability-contract mismatch findings, and CycloneDX SBOM output.",
    "changes": [
      "Added lifecycle script scanning in embedded package snippets with critical-path detection for dangerous install hooks.",
      "Introduced capability-contract mismatch findings for undeclared inferred behaviors.",
      "Shipped SBOM generation support and registry/report updates for the expanded scanner output."
    ]
  },
  {
    "date": "2026-02-11",
    "scannerVersion": "0.5.0",
    "title": "Code Safety Category Added",
    "summary": "Scoring expanded from five to six categories, with a dedicated Code Safety analyzer for embedded code blocks.",
    "changes": [
      "Added code-safety scoring and persisted code_safety_score in scan results.",
      "Backfilled historical scan rows so report consumers can compare code safety over time.",
      "Updated API schemas, docs, and trust report UI to surface the sixth category and ASST-11 alignment."
    ]
  },
  {
    "date": "2026-02-09",
    "scannerVersion": "0.4.0",
    "title": "Detection Coverage Expanded",
    "summary": "The scanner added multiple high-signal detections, improving threat coverage at the cost of slightly stricter scoring.",
    "changes": [
      "Added Unicode steganography and indirect prompt-injection detection.",
      "Added coercive tool-priority override and trigger-hijacking detection.",
      "Added binary artifact detection for packaged ELF/PE/Mach-O payloads."
    ]
  },
  {
    "date": "2026-02-08",
    "scannerVersion": "0.1.0",
    "title": "Initial Public Baseline",
    "summary": "First public report baseline for registry-wide trust scoring and ASST taxonomy classification.",
    "changes": [
      "Published initial scoring model and badge tiers.",
      "Established baseline metrics for certified, suspicious, and rejected skill rates.",
      "Introduced public aggregate stats for repeatable trend comparisons."
    ]
  }
]