Release train and distribution status

Artifacts

• /downloads/releases.json + .sig (tools list)
• /standard/registries.bundle.json + .sig (pack manifests single source of truth)
• Per-tool downloads include `SHA256SUMS` and local integrity checks where applicable.

Current public wording remains READY_TO_SIGN / PENDING FINAL SIGNATURE until a real final signature is published. A checksum is not a signature.

Backward compatibility rules

• Never mutate receipts (upgrades create new receipt objects).
• Additive schema only (fields can be added, not removed).
• Verification remains read-only and separate from write/publish paths.

Operator checklist

1. Run tests and guards.
2. Update the changelog.
3. Refresh distribution artifacts and checksums.
4. Publish downloads without remote scripts.
5. Publish a final signature only when the real private signing key is available.