Four releases, one headline: updates no longer depend on git. Until now cleave refreshed its trait rules and litmus refreshed its models by cloning and pulling git repos — slow, heavy, and one more thing to install on the host. As of rc.5 both pull signed, sha256-verified .tar.zst bundles straight from R2, install them atomically, and support pin/check/update. Smaller downloads, no git dependency, and a verified artifact instead of "whatever HEAD happened to be."
cleave v2.0.0-rc.5 carries the new updater: signed, sha256-verified .tar.zst trait bundles from R2 with atomic install and pin/check/update, replacing git clones. It adds archive routing for package ecosystems — gem, npm, crate, conda, NuGet, IPA, VSIX, Android/Alpine APK, Arch/FreeBSD pkg — and lets composites pool findings across archive members, catching split payloads and browser-extension tricks. Two detection holes closed: archive members were missing encoded-payload findings and skipping XOR extraction, weakening detection inside npm packages, zips, and jars. Release notes.
litmus v2.0.0-rc.5 gets the same updater for models — sha256-verified .tar.zst bundles from R2, validated before they go live, with the old git updater and rollback paths gone. New trait-floor escalation lets a confident high-severity cleave finding raise a model-benign verdict to suspicious. Suspicious verdicts are now capped at level 20000 so loose grid hits can't drift into "suspicious." Release notes.
stng v1.6.0 drops a dependency: native PE import recovery surfaces API names like CreateProcessW, and Mach-O symbol extraction types imports, exports, and ObjC classes — both without radare2. Release notes.
filefacts v0.9.5 adds Debian and RubyGems package metadata and new PE/.NET signals — managed-resource entropy, suspicious VERSIONINFO identity text, .reloc overhang, and certificate-table size. Release notes.
The release candidates are still candidates. Pin if you need stability; otherwise:
brew upgrade atomdrift/tap/cleave atomdrift/tap/litmus atomdrift/tap/stng