v0.0.50 — Supply-chain integrity bundle

Released: 2026-05-05.

Python 3.9 hotfix

v0.0.49 shipped _AUDIT_INVOCATION_ID: str | None = None at module level — PEP 604 union syntax requires Python 3.10+. Rocky 9.4 hosts on Python 3.9 saw honeyframe version/verify/rollback/status crash on import. Fixed by adding from __future__ import annotations; two regression tests pin the future-import requirement and scan for new module-level PEP 604 assignments.

Pubkey bake at release time

build_release.py now substitutes the runtime env-var lookup of HONEYFRAME_PUBKEY_HEX with a baked-in literal during release assembly. Without this, v0.0.49's signature verify always fell into the "no-pubkey" path on customer hosts because the env var only existed in CircleCI. Signed releases now ship with a verify-able pubkey embedded in the CLI.

secrets_provider interface stub

New paas/backend/secrets_provider.py — pluggable backend selector via HONEYFRAME_SECRETS_PROVIDER=env|vault|aws-sm. Default env matches today's os.environ.get(...) so existing installs see no change. Vault and aws-sm raise NotImplementedError until the full integration lands in v0.0.51+. Named secrets_provider (not secrets) to avoid shadowing the stdlib module.