Two big things, a pile of small ones.
cleave diff. A supply-chain attack is unexpected change. Compare new to old; ask whether the delta matches the project's normal pace. Nobody else measures that.
The command diffs files or directories across six scopes — traits, metrics, kv, symbols, strings, sections — with --scope, --limit-changes, JSON, and a colored terminal view. kv arrays diff order-independently; churn is suppressed. Because kv now reaches into binary headers — Authenticode, Rich, DWARF, codesign, entitlements, plists — the diff catches tampered provenance, not just behavior.
Each scope emits a rate-of-change score in [0, 1], weighted by criticality and confidence. A point release that looks like a rewrite is worth knowing. This is the signal feeding valence, our forthcoming model for ranking releases by supply-chain risk.
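To make the two properties above concrete (kv arrays diff order-independently, churn is suppressed, and each scope yields a rate-of-change score in [0, 1] weighted by criticality and confidence), here is an added toy implementation. It is not cleave's code; the criticality table, the churn key list, the scoring formula and the two fixture builds are all constructed assumptions for illustration.

```python
from collections import Counter

# Assumed criticality per key; provenance fields weigh most. Not cleave's table.
CRITICALITY = {
    "authenticode.signer": 1.0,
    "rich.tool_ids": 0.8,
    "dwarf.producer": 0.6,
    "imports": 0.5,
    "strings.urls": 0.4,
}
DEFAULT_CRITICALITY = 0.3

# Keys that legitimately differ on every build (churn); assumed list.
CHURN = {"pe.timestamp"}


def _norm(value):
    """Arrays compare as multisets, so a reorder alone is not a change."""
    if isinstance(value, list):
        return Counter(value)
    return value


def diff_kv(old, new):
    """Return {key: (old_value, new_value)} for every key whose value
    differs, ignoring churn keys and list order."""
    changes = {}
    for key in (set(old) | set(new)) - CHURN:
        if key in old and key in new and _norm(old[key]) == _norm(new[key]):
            continue
        changes[key] = (old.get(key), new.get(key))
    return changes


def rate_of_change(old, new, confidence=None):
    """Score in [0, 1]: criticality-weighted share of keys that changed,
    each change scaled by the extractor confidence for that key
    (default 1.0). The formula is an assumption for illustration."""
    confidence = confidence or {}
    keys = (set(old) | set(new)) - CHURN
    if not keys:
        return 0.0
    total = sum(CRITICALITY.get(k, DEFAULT_CRITICALITY) for k in keys)
    changed = sum(
        CRITICALITY.get(k, DEFAULT_CRITICALITY) * confidence.get(k, 1.0)
        for k in diff_kv(old, new)
    )
    return min(1.0, changed / total)


# Constructed kv output for a known-good build (not real extractor output).
OLD = {
    "pe.timestamp": 1700000000,
    "authenticode.signer": "Example Corp",
    "rich.tool_ids": [0x83, 0x84, 0x9D],
    "dwarf.producer": "GNU C17 12.2.0",
    "imports": ["kernel32.dll", "user32.dll"],
    "strings.urls": ["https://example.com/update"],
}

# A point release: new timestamp, same tooling, imports merely reordered.
POINT = {**OLD, "pe.timestamp": 1700086400,
         "imports": ["user32.dll", "kernel32.dll"]}

# A release whose provenance no longer matches: new signer, new import, new URL.
SUSPECT = {**OLD, "pe.timestamp": 1700086400,
           "authenticode.signer": "Unknown Publisher",
           "imports": ["kernel32.dll", "user32.dll", "wininet.dll"],
           "strings.urls": ["https://example.com/update",
                            "https://updates.example.net/p"]}

if __name__ == "__main__":
    for name, new in (("point", POINT), ("suspect", SUSPECT)):
        print(name, round(rate_of_change(OLD, new), 3), sorted(diff_kv(OLD, new)))
```

The point release scores 0.0 because the only differences are a churn key and a reordered array; the suspect release scores about 0.58, dominated by the signer change, and passing a lower confidence for a noisy extractor (for example `{"strings.urls": 0.5}`) pulls its contribution down without hiding the provenance delta.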
cleave kv now reads PE, ELF, Mach-O, Office (OLE2, OOXML), RTF, PDF, PNG/JPEG, JAR, .class, .pyc, pickle, RPM, and source.
- Provenance. PE manifests, Authenticode, Rich headers, DWARF producers, Go build info, Mach-O codesign, entitlements, Info.plist, launchd plists.
- PDF. JavaScript, Launch, URI, XFA, embedded files, filter chains.
- Office. VBA, XLM, DDE, external references, template injection, OLE10Native, embedded executables.
- CHM. LZX decode, members, metrics, kv.
- PyInstaller. Extraction plus kv on the unpacked payload.
cleave validate gained real fixtures — hostile, benign, does-nothing — with structured output, categories, and --exclude. CI now tells you whether cleave is correct.
Under the hood. Archive analysis uses the global rayon pool; no more deadlock. ZIP, JAR, CHM, and PyInstaller stay in memory. macOS prefers performance cores. YARA storage is capped. PNG/JPEG skip pixel decode. Large source files no longer crash tree-sitter. Archive and UPX wrappers inherit children's findings.
v1.3.1 release notes · FILE_FORMATS.md
brew upgrade atomdrift/tap/cleave