• v0.0.1-rc.25 7f1b8163db

    Carol v0.0.1-rc.25
    All checks were successful
    Secrets / gitleaks (push) Successful in 9s
    Release / Build, sign, and publish (push) Successful in 2m22s
    Release (Android) / Build, sign, attach (push) Successful in 13m48s
    Pre-release

    james released this 2026-06-29 18:56:40 +00:00 | 2 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.25 — 2026-06-29

    Bug fixes

    • let native clients manage Personal Access Tokens (#386) (e5b51aa)
    • clear native session on logout so it doesn't auto-sign-in (8aebae4)
    • complete Android OAuth on cold start (#300) (fe806ee)
    • validate organizationId in the agent job/contract CRUD tools (#375) (481fa0d)
    • back navigation follows history, not always the landing screen (39f7346)

    Chores

    • scrub style={[...]} on DOM-leaf primitives + ESLint guardrail (#239) (1c35e77)

    Features

    • probe /api/health on server-setup save (#236) (df4fbc9)
    • link_job_to_org agent tool (#375 follow-up) (6b4a512)
    • link a Job/Contract employer to an Organization in the UI (#375) (c2ed86e)
    • link a Job/Contract's employer to a network Organization (#375) (9f79621)

    Other

    • Merge pull request 'fix(api): let native clients manage Personal Access Tokens (#386)' (#387) from 386-native-pat-management into main (7f1b816)
    • Merge pull request 'fix(client): clear the native session on logout' (#385) from fix/native-logout-clears-session into main (b074afe)
    • Merge pull request 'chore(client): scrub style={[...]} on DOM-leaf primitives + ESLint guardrail (#239)' (#384) from 239-style-array-scrub into main (e72419d)
    • Merge pull request 'fix(client): complete Android OAuth on cold start (#300)' (#383) from 300-oauth-cold-start into main (18f8ab4)
    • Merge pull request 'feat(client): probe /api/health on server-setup save (#236)' (#382) from 236-health-probe into main (0e11d37)
    • Merge pull request 'fix(api): validate organizationId in the agent job/contract CRUD tools (#375)' (#381) from validate-job-org-in-crud-tools into main (91e50a7)
    • Merge pull request 'test(e2e): cross-browser and mobile-viewport projects' (#380) from test/e2e-cross-browser-mobile into main (89d7f0d)
    • Merge pull request 'feat(api): link_job_to_org agent tool (#375 follow-up)' (#379) from link-job-to-org-tool into main (76b147b)
    • Merge pull request 'feat(client): link a Job/Contract employer to an Organization in the UI (#375)' (#378) from 375-job-org-link-client into main (9490829)
    • Merge pull request 'test(e2e): shared session, db reset, and admin spec' (#377) from test/e2e-infra-hardening into main (a8f904f)
    • Merge pull request 'feat(api): link a Job/Contract's employer to a network Organization (#375)' (#376) from 375-job-org-link-backend into main (25fe865)
    • Merge pull request 'test(e2e): add per-domain critical-path specs' (#335) from test/e2e-per-domain-specs into main (ad313e7)
    • Merge pull request 'fix(client): back navigation follows history, not always the landing screen' (#374) from fix-drawer-back-history into main (9035718)

    Tests

    • cross-browser and mobile-viewport projects (5ec412b)
    • shared session, db reset, and admin spec (33b8014)
    • rename masked-input placeholder to clear njsscan (0f8fb75)
    • add per-domain critical-path specs (cc04a7d)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:70a8536cb9ddc10cde89423fdba4cf5674ec65af88fe40778badb0c1b97b8e8f
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:70a8536cb9ddc10cde89423fdba4cf5674ec65af88fe40778badb0c1b97b8e8f
    
    Downloads
  • v0.0.1-rc.24 bf5fb41bff

    Carol v0.0.1-rc.24
    All checks were successful
    Secrets / gitleaks (push) Successful in 10s
    Release / Build, sign, and publish (push) Successful in 2m28s
    Release (Android) / Build, sign, attach (push) Successful in 13m58s
    Pre-release

    james released this 2026-06-29 15:00:15 +00:00 | 29 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.24 — 2026-06-29

    Bug fixes

    • open People & Organizations detail screens in read mode (#371) (9580e80)

    Features

    • make Chat the default landing screen (was Notes) (11e2972)

    Other

    • Merge pull request 'fix(client): open People & Organizations detail screens in read mode (#371)' (#372) from 371-network-read-mode into main (bf5fb41)
    • Merge pull request 'feat(client): make Chat the default landing screen (was Notes)' (#373) from default-screen-chat into main (c77be03)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:1b8031906f4f27bf78fccc841cda3227946b3d3e6cdd07f8a3fbab733ab7991f
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:1b8031906f4f27bf78fccc841cda3227946b3d3e6cdd07f8a3fbab733ab7991f
    
    Downloads
  • v0.0.1-rc.23 25376ff02c

    Carol v0.0.1-rc.23
    All checks were successful
    Secrets / gitleaks (push) Successful in 10s
    Release / Build, sign, and publish (push) Successful in 2m7s
    Release (Android) / Build, sign, attach (push) Successful in 10m47s
    Pre-release

    james released this 2026-06-29 14:18:22 +00:00 | 33 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.23 — 2026-06-29

    Features

    • use the shared ProposalDiff in the activity undo card (#363 follow-up) (e0f676d)
    • chat conversation management — rename, delete, search, auto-scroll (#364) (307f6c7)

    Other

    • Merge pull request 'feat(client): use the shared ProposalDiff in the activity undo card (#363 follow-up)' (#370) from 363-followup-activity-diff into main (25376ff)
    • Merge pull request 'feat(client): chat conversation management — rename, delete, search, auto-scroll (#364)' (#369) from 364-chat-conversation-ui into main (4c7688e)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:92cd1c262ed911e7d66ef6922e0ac450d62f6d7d109a38917fe21726a9f60733
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:92cd1c262ed911e7d66ef6922e0ac450d62f6d7d109a38917fe21726a9f60733
    
    Downloads
  • v0.0.1-rc.22 ec27a4cab1

    Carol v0.0.1-rc.22
    All checks were successful
    Secrets / gitleaks (push) Successful in 27s
    Release / Build, sign, and publish (push) Successful in 2m32s
    Release (Android) / Build, sign, attach (push) Successful in 13m13s
    Pre-release

    james released this 2026-06-29 13:53:40 +00:00 | 37 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.22 — 2026-06-29

    Bug fixes

    • give every edit button the pencil icon (#353) (778c4f3)

    Chores

    • register MessageDto as a named OpenAPI component (#365) (789759d)

    Documentation

    • add the agent / MCP setup guide for self-hosters (eceea52)

    Features

    • render proposal diffs as readable field-level changes (#363) (2aa3158)
    • rename + delete conversation endpoints (#364) (2477890)
    • render chat replies as markdown with collapsible thinking (78a204f)
    • undo button on the activity screen (01cd2ff)
    • undo an agent write by proposing its inverse (ADR-0031) (9a6a34e)
    • agent activity history UI — "what Carol changed" (c4569eb)
    • GET /api/agent/audit — the user's agent write history (6b1798e)

    Other

    • Merge pull request 'chore(api): register MessageDto as a named OpenAPI component (#365)' (#368) from 365-name-messagedto-component into main (ec27a4c)
    • Merge pull request 'feat(client): render proposal diffs as readable field-level changes (#363)' (#367) from 363-readable-proposal-diffs into main (357a8b8)
    • Merge pull request 'feat(api): rename + delete conversation endpoints (#364)' (#366) from 364-chat-conversation-mgmt into main (f1bd354)
    • Merge pull request 'docs: add the agent / MCP setup guide for self-hosters' (#360) from agent-setup-guide into main (9e8c34d)
    • Merge pull request 'feat(client): render chat replies as markdown with collapsible thinking' (#359) from 352-chat-markdown into main (aa55e08)
    • Merge pull request 'fix(client): give every edit button the pencil icon (#353)' (#358) from 353-standardize-edit-buttons into main (3f574aa)
    • Merge pull request 'feat(client): undo button on the activity screen' (#357) from 356-undo-button-ui into main (58bde43)
    • Merge pull request 'feat(api): undo an agent write by proposing its inverse (ADR-0031)' (#355) from 352-agent-write-undo into main (dcb1e19)
    • Merge pull request 'feat(client): agent activity history UI — "what Carol changed"' (#351) from 350-activity-history-ui into main (f278e79)
    • Merge pull request 'feat(api): GET /api/agent/audit — the user's agent write history' (#349) from 348-audit-log-api into main (7b95d97)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:2fdaa6394d978c66913678632702a3c37c8cb0ca7cccd16b0b6a429d3560f47b
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:2fdaa6394d978c66913678632702a3c37c8cb0ca7cccd16b0b6a429d3560f47b
    
    Downloads
  • v0.0.1-rc.21 d535b586fa

    Carol v0.0.1-rc.21
    All checks were successful
    Secrets / gitleaks (push) Successful in 9s
    Release / Build, sign, and publish (push) Successful in 2m18s
    Release (Android) / Build, sign, attach (push) Successful in 17m37s
    Pre-release

    james released this 2026-06-29 11:23:44 +00:00 | 57 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.21 — 2026-06-29

    Bug fixes

    • typecheck export test + regenerate api-client types (966ca62)

    Chores

    • regenerate types for the proposal-read endpoint (2a95954)

    Documentation

    • ADR-0030 agent tool surface granularity and naming (dc61bd2)
    • ADR-0029 agent runtime architecture (fcccf01)

    Features

    • built-in chat UI — streaming chat panel + inline write confirmations (874f046)
    • conversation + agent hooks + pure SSE streaming transport (2f40657)
    • GET /api/agent/proposals/{id} — read a proposed agent write (1c9c2e4)
    • streaming agent turns — LlmClient.stream() + SSE chat endpoint (729d3fd)
    • server-side agent loop + conversations/messages schema (e844c96)
    • LLM provider adapters — Anthropic + OpenAI-compatible (32c903d)
    • per-user LLM provider config with encrypted API-key storage (39d43b9)
    • streamable-HTTP MCP server endpoint (/api/mcp, PAT-authed) (2872ec6)
    • shared agent domain tool registry, proposals, and commit path (6b3898e)
    • export user domain data as a tar.gz archive (a185ab2)
    • surface per-OIDC-instance status on /api/health (0710cb0)
    • implement invite and admin-approval registration policies (2c49295)

    Other

    • Merge pull request 'feat(client): built-in chat UI — streaming chat panel + inline write confirmations' (#347) from 346-chat-ui into main (d535b58)
    • Merge pull request 'feat(api-client): conversation + agent hooks + pure SSE streaming transport' (#345) from 344-api-client-agent-hooks into main (664a2fb)
    • Merge pull request 'feat(api): GET /api/agent/proposals/{id} — read a proposed agent write' (#343) from 342-proposal-read-endpoint into main (af007e4)
    • Merge pull request 'feat(api): streaming agent turns — LlmClient.stream() + SSE chat endpoint' (#341) from 340-agent-streaming into main (8b75832)
    • Merge pull request 'feat(api): server-side agent loop + conversations/messages schema' (#339) from 338-agent-loop into main (393cba3)
    • Merge pull request 'feat(api): LLM provider adapters — Anthropic + OpenAI-compatible' (#337) from 336-llm-provider-adapters into main (5e3b1e9)
    • Merge pull request 'feat(api): per-user LLM provider config with encrypted API-key storage' (#334) from 333-llm-provider-config into main (4b68097)
    • Merge pull request 'feat(api): streamable-HTTP MCP server endpoint (/api/mcp, PAT-authed)' (#332) from 331-mcp-endpoint into main (2a17d97)
    • Merge pull request 'feat(api): shared agent domain tool registry, proposals, and commit path' (#330) from 51-domain-tool-surface into main (46026b7)
    • Merge pull request 'test(e2e): Playwright harness and smoke suite' (#329) from test/e2e-playwright-foundation into main (29f466c)
    • Merge pull request 'docs(adr): ADR-0030 agent tool surface granularity and naming' (#328) from 50-adr-tool-surface into main (271e954)
    • Merge pull request 'docs(adr): ADR-0029 agent runtime architecture' (#324) from 48-adr-agent-runtime into main (15d3866)
    • Merge pull request 'feat(api): export user domain data as a tar.gz archive' (#322) from feat/data-export into main (d13f7ca)
    • Merge pull request 'feat(api): surface per-OIDC-instance status on /api/health' (#323) from 214-oidc-health into main (d51af86)
    • Merge pull request 'feat(auth): implement invite and admin-approval registration policies' (#321) from 219-registration-policies into main (f1d8337)

    Tests

    • silence njsscan hardcoded-password finding on test fixture (82b0468)
    • add Playwright harness and smoke suite (65a3196)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:9ff1726d19ba6fbc8d8e42dcbf03d0db9c997559a6afe5c10e932eb0fee0b8fd
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:9ff1726d19ba6fbc8d8e42dcbf03d0db9c997559a6afe5c10e932eb0fee0b8fd
    
    Downloads
  • v0.0.1-rc.20 377391c9a8

    Carol v0.0.1-rc.20
    All checks were successful
    Secrets / gitleaks (push) Successful in 14s
    Release / Build, sign, and publish (push) Successful in 3m54s
    Release (Android) / Build, sign, attach (push) Successful in 27m48s
    Pre-release

    james released this 2026-06-27 01:45:57 +00:00 | 90 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.20 — 2026-06-27

    Bug fixes

    • consistent back navigation via goBackOr history-or-parent helper (0366454)
    • keep native session alive via proactive token refresh (7b378d1)

    CI

    • disable release-tag trigger while the build is blocked (5430030)

    Features

    • add pull-to-refresh to every content page (5796531)
    • merge Skills into Experience as a tab (ca66636)

    Other

    • Merge pull request 'feat(client): add pull-to-refresh to every content page' (#314) from 309-pull-to-refresh into main (377391c)
    • Merge pull request 'feat(client): merge Skills into Experience as a tab (#311)' (#312) from experience-skills-tab into main (ff07e04)
    • Merge pull request 'ci(flatpak): disable release-tag trigger while the build is blocked' (#315) from 313-disable-flatpak-build into main (4b53dfd)
    • Merge pull request 'fix(client): consistent back navigation via goBackOr history-or-parent helper' (#310) from 308-back-nav-consistency into main (4c7156c)
    • Merge pull request 'fix(client): keep the Android app logged in via proactive token refresh (#306)' (#307) from native-stay-logged-in into main (ba24b4c)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:2f4f6c1d4bafe2637745e11729120695c58245fae6702aeaaa66c2ea469fe69a
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:2f4f6c1d4bafe2637745e11729120695c58245fae6702aeaaa66c2ea469fe69a
    
    Downloads
  • v0.0.1-rc.19 3ac635d82f

    Carol v0.0.1-rc.19
    Some checks failed
    Secrets / gitleaks (push) Successful in 12s
    Release / Build, sign, and publish (push) Successful in 4m10s
    Release (Flatpak) / Build and attach .flatpak (push) Failing after 10m32s
    Release (Android) / Build, sign, attach (push) Successful in 15m49s
    Pre-release

    james released this 2026-06-26 23:42:52 +00:00 | 100 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.19 — 2026-06-26

    Bug fixes

    • use the Carol web icon for the Android app icon (fe68633)
    • bump Flatpak Rust toolchain to 1.88.0 (1edb076)

    Other

    • Merge pull request 'fix(client): use the Carol web icon for the Android app icon' (#305) from 303-android-app-icon into main (3ac635d)
    • Merge pull request 'fix(ci): bump Flatpak Rust toolchain to 1.88.0 (#301)' (#302) from flatpak-rust-toolchain-188 into main (7f8198d)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:e01fdf0ee0787dac6bae85fb3d9b505f7df9375a6a7a50fa51aa167beaa223bb
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:e01fdf0ee0787dac6bae85fb3d9b505f7df9375a6a7a50fa51aa167beaa223bb
    
    Downloads
  • v0.0.1-rc.18 0dffb2661e

    Carol v0.0.1-rc.18
    Some checks failed
    Secrets / gitleaks (push) Successful in 13s
    Release / Build, sign, and publish (push) Successful in 2m52s
    Release (Flatpak) / Build and attach .flatpak (push) Failing after 5m17s
    Release (Android) / Build, sign, attach (push) Successful in 20m10s
    Pre-release

    james released this 2026-06-26 23:04:49 +00:00 | 104 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.18 — 2026-06-26

    Bug fixes

    • tmpfs Postgres service data dir (#277) (e726a9a)
    • WHATWG URL polyfill + native-intent for Android OAuth return (6a271aa)

    Other

    • Merge pull request 'fix(ci): stop Postgres state-bleed across CI runs (#277)' (#299) from 277-postgres-ci-state-bleed into main (0dffb26)
    • Merge pull request 'fix(client): WHATWG URL polyfill + native-intent for Android OAuth return' (#298) from 297-android-oauth-url-polyfill into main (76a9d44)

    Tests

    • derive Postgres teardown drop-list at runtime (#277) (0c24923)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:1e658e9401425bb468c316aa827bdc08d743eb933eef423a381b1c0befbc5afc
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:1e658e9401425bb468c316aa827bdc08d743eb933eef423a381b1c0befbc5afc
    
    Downloads
  • v0.0.1-rc.17 f12fffaf85

    Carol v0.0.1-rc.17
    Some checks failed
    Secrets / gitleaks (push) Successful in 18s
    Release / Build, sign, and publish (push) Successful in 2m34s
    Release (Flatpak) / Build and attach .flatpak (push) Failing after 5m24s
    Release (Android) / Build, sign, attach (push) Successful in 19m12s
    Pre-release

    james released this 2026-06-26 22:30:06 +00:00 | 109 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.17 — 2026-06-26

    Bug fixes

    • inset the native sidebar below the status bar (dfa3748)
    • bump Flatpak Rust toolchain to 1.85 and stamp build version (9eeacab)
    • stamp app.json expo.version in the container build (2c1b484)

    Features

    • log app name and version at server startup (ec09774)

    Other

    • Merge pull request 'fix(client): inset the native sidebar below the status bar' (#296) from 295-sidebar-safe-area into main (f12fffa)
    • Merge pull request 'fix(ci): bump Flatpak Rust toolchain to 1.85 and stamp build version' (#294) from 293-flatpak-rust-toolchain into main (9b482d4)
    • Merge pull request 'fix(ci): stamp app.json expo.version in the container build' (#292) from 291-web-version-stamp into main (1bebb8c)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:0186daef37949abe6d89009c560a7c07e2b684b5a07921aa7cc7597f15e9abc3
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:0186daef37949abe6d89009c560a7c07e2b684b5a07921aa7cc7597f15e9abc3
    
    Downloads
  • v0.0.1-rc.16 a006ee5d56

    Carol v0.0.1-rc.16
    Some checks failed
    Secrets / gitleaks (push) Successful in 8s
    Release / Build, sign, and publish (push) Successful in 2m33s
    Release (Flatpak) / Build and attach .flatpak (push) Failing after 3m5s
    Release (Android) / Build, sign, attach (push) Successful in 12m33s
    Pre-release

    james released this 2026-06-26 21:56:24 +00:00 | 116 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.16 — 2026-06-26

    Bug fixes

    • bumped expo-secure-store (3698cc7)

    Features

    • show app + server version at the bottom of settings (f06d68c)

    Other

    • Merge pull request 'feat(client): show app + server version at the bottom of settings' (#290) from 289-settings-version-display into main (a006ee5)
    • Merge pull request 'fix(android): bumped expo-secure-store' (#288) from 287-android-crash into main (d5bff3b)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:40216ab3493a2be129a2aab5e4c3344d6f386ad22da8ba64bc1ad939601afac9
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:40216ab3493a2be129a2aab5e4c3344d6f386ad22da8ba64bc1ad939601afac9
    
    Downloads