Release Notes

Current version

The current software package for TSF (also available as a .tar.gz) is:

• trustable-0.2.0-py3-none-any.whl

Refer to the provided instructions for installing and updating.

v0.2.0

• Trustable Changes:

  • Reformat assertions to add section header files for TAs.

• Performance improvements:

  • Added concurrency to references.
  • Added option to resolve validators concurrently during scoring and publishing operations (with the --concurrent-validation flag)
  • Improved performance of trudag publish through caching and simplifying of report figures.
  • Added caching of artifact references for faster trudag operations.
  • Added cached successors and predecessors for BaseGraph for faster graph read-only operations.
  • Changes scoring algorithm to switch from an Adjacency matrix to an Adjacency List to improve performance.

• Tooling improvements:

  • Changed the default exporting of artifacts to stop when encountering failed references (this can be changed through --allow-failure flag).
  • Sets --fail-on-error flag to True by default. This flag is generally applied to linting and diffing trudag operations.
  • Added item file order and SME scores to exported artifacts.
  • Various improvements to SourceSpanReference reference type.
  • Added version hash postfix for trudag --version and trudag shell.
  • Links can now be be made if parent/child item is unreviewed.

• New Features:

  • Added trudag manage move-item command to move items between .dotstop.dot and .needs.dot files.
  • Added publishing from artifacts through trudag publish --artifact artifact_path.
  • trudag publish --sensitivity is made functional.

• Documentation updates:

  • Fixed README typos.
  • Added explanation of system and testing faults in RAFIA documentation.
  • Improved Remote Graph documentation.
  • Improved Scoring implementation documentation.

v0.1.0

• Project Updates:

  • The Trustable Software Framework is now hosted at: https://gitlab.eclipse.org/eclipse/tsf/tsf in co-ordination with the Eclipse Foundation as the Eclipse Trustable Software Framework (project home at: https://projects.eclipse.org/projects/technology.tsf).
  • TSF releases now follow SemVer versioning
  • Updated release process with inclusion of release candidates.
  • Updated project chat service URL from #trustable channel on https://www.libera.chat to https://matrix.to/#/#technology.tsf:matrix.eclipse.org.
  • Added SECURITY.md for guidance on vulnerability reporting.
  • Added NOTICE.md for notices on Copyright and licensing information.
  • Updated CODE_OF_CONDUCT.md to be in line with the Eclipse Foundation.
  • Updated CONTRIBUTING.md to be in line with the Eclipse Foundation.
  • Updated Copyright headers.
  • Added Eclipse branding to the project.
  • TSF artifacts/Remote graphs now available on mainline pipelines for users.

• New Features:

  • trudag shell can be used to create a single session repl through which users can run various trudag commands and make changes in-session. For more information, please look at the documentation on using the shell
  • Adds artifact versioning. (Currently it's optional and not enforced but will be in the future, see: issue #491).
  • Adds a delete file option (default being enabled) for trudag manage rename-item/trudag manage remove-item.

• Fixes:

  • Spelling fixes for documentation and TSF tenets and assertions.
  • Removed key duplication in scoring and collecting validators. Fixes bug where validation results were being duplicated.
  • Links in published index file corrected.
  • Disables validation result inclusion from artifact to avoid errors with exporting of Trustable Remote Graphs/Artifacts (will be correctly included in the next release).
  • trudag manage format now supports SemVer and CalVer versioning.
  • Corrects sensitivity admonition for reports.
  • Corrects navigation index in published reports when using Artifact References.
  • Clearer --reviewed option for trudag set-item.
  • Option to enable/disable item text in trudag plot.

• Tool Improvements:

  • Faster resolution of Remote Graph/Artifact references in consumer/downstream projects.
  • Faster validation of TrustableGraph during scoring.
  • Pooled requests and retries option for Gitlab References.

• Documentation:

  • Added Trustable in Media page to the project documentation.
  • Improved installation instructions.
  • TSF Objectives section added to explain the TSF objectives and the principles behind them.
  • Adds a dynamic layout footer section (useful when browsing the documentation with mobile devices).

v2026.01.28-01

• Fixes:
  • Removed typing_extensions as a runtime dependency.

v2026.01.28

• Breaking Changes:

  • trudag build dependency updated: python3.10 -> python3.11.
  • Turns non-normative trustable assertions into file references in the trustable repository.

• Trudag Tool Enhancements:

  • Improved output/logging for:
    • trudag manage lint
    • trudag help messages.
    • trudag manage errors.
  • Improved performance for:
    • trudag manage show-link
    • trudag manage lint
    • Loading of Trustable Items during initialisation of the trudag tool.
  • trudag manage show-item --path command added to show path of an Item.
  • trudag manage add-item command added to add an existing markdown item file to the Trustable project database.
  • Fixed regression (introduced in v2025.12.18) causing validators to be run twice in trudag.
  • Linking is permitted only between reviewed items.
  • Preserve links between items when importing a Trustable Artifact.
  • Add optional validation for the Trustable artifact export process in trudag.
  • Preserve metadata in Trustable item references when importing Trustable artifacts.
  • Failure in resolution of item references are logged instead of blowing up as exceptions.

• Report Improvements:

  • Item sensitivities sorted through scientific notation.
  • SME Name, SME Score, and SME reasoning are shown as tables in the compliance report.
  • Adds rendering options for reference type of FileReference.

• Documentation:

  • Broken links are fixed.
  • Improve dark mode colours.
  • Remove documentation for un-implemented feature (configuration for trudag).

v2025.12.18

• Breaking Changes:

  • Score origins included in Trustable artifact schema, prior artifacts to this release are unusable.
  • Unified BaseItem interface to concrete type Item.
    • Serialisation and deserialiation formats have changed.

• Trudag Tool Enhancements:

  • Ability to reference subgraphs in artifacts.
    • Referenced artifact reports are generated as sub-reports.
    • Reference renders as a link to subgraph root items.
  • TSF artifact generated in Trustable repository CI.
    • All TSF tenets and argumentations are considered "needs".
  • Support for a general configuration file.
  • Support for metadata in Reference definition.

• Report Improvements:

  • Origin of score shown in compliance report.
  • Additional validator information displayed.

• Documentation:

  • Restructuring of documentation.
  • Roadmap for new Rust tools.
  • Documenting proposed use cases for remote graphs.
  • TSF expectations graph expands on mouse hover.

v2025.11.27

• Breaking Changes

  • Change default Trustable Report and Graph plot output path from docs/doorstop to docs/trustable (as the doorstop backend is no longer supported).
  • Change importing directory option for trudag import from --needs-dir to --import-dir.
  • Remove resolved graph's root node from being exported/imported through Trustable artifacts.

• Trudag Tool Enhancements

  • GitlabFileReference now fetches files from private GitLab repositories more securely.
  • More expressive log messages and warning for:
    • References
    • Needs/AOU items during exporting/importing of Trustable artifacts.
  • Add pyyaml python package as runtime dependency (fixes issues with fresh installations).
  • Importing of Items from Trustable artifacts required providing a namespace, now the namespace is checked to be unique during import.
  • Needs/AOU items can now contain Trustable references.
  • Trustable projects containing only needs/AOU items and without scored/resolved graph items can now be exported/imported through Trustable artifacts. (Trudag's inability to consume parts of the resolved/scored graph in the artifact is a known issue and will be worked on in the future).

• Report Improvements

  • Add Sensitivity Summarisation for Trustable Statements (while this feature has known performance limitations).
  • Bugfix: Remove Fallacies from showing up in reports as they are not fully implemented.

• Documentation

  • Bugfix: Make Trustable Graph in the landing page to be clickable.
  • Add expected architectural design of TSF informing future tooling and data store implementations directions.
  • Add instructions for trudag tool's publish and plot commands.
  • Update Architectural diagram illustrating Remote Graphs.

v2025.10.22

• Breaking Changes

  • Removal of doorstop as a supported backend and dependency
    • Removal of migrate command
  • init is now a command, not an option
  • Unreviewed items and links are now scored as 0, rather than being removed
    • This means lint warnings consistently degrade the score.
  • Clarifications to all TSF Trustable Tenets and Assertions

• Trudag Tool Enhancements

  • Re-add concurrency and parallelism to graph linting
  • Allow use of project name or id number for Gitlab file references
  • Fix for artifact bug when root node score was 0
  • Rounding of scores to 5 decimal places
  • Introduce trudag manage rename-item
    • Creates a copy of markdown item with new name
  • Eager evaluation of --help

• Report Improvements

  • Limiting rows in historical data table to 20 to prevent them growing too large
  • Better presentation of information for item sections
  • Sensitivity analysis inclusion in report
    • Defaults to off because sensitivity analysis can take an extraordinarily long time for large graphs.
  • Fixes table colour for darkmode
  • Display commit datetime in a more readable format
  • Replace Emojis with Unicode characters

• Documentation

  • Add documentation for RAFIA validation
  • Improve documentation on artifacts and remote graph
  • Small fixes to API docs

v2025.09.16

Remote scoring now supports creating serialized artifacts from resolved items and needs for downstream projects in the local environment, which can be imported into remote graphs. This is an early, unstable iteration, and both the user experience and documentation will be refined in future updates.

This release also includes bug fixes and introduces a new interface for diff commands.

• Breaking Changes

  • Introduce trudag manage diff commands
    • And remove trudag manage lint --diff options

• Trudag Tool Enhancements

  • Add feature to generate artifacts for remote graphs
  • Improve error message for unexpected items without scores
  • Improve error message for normative scored items marked as informative
  • Add feature to pass boolean values to validators
  • Add feature to set-item unreviewed from cli
  • Fix missing frontends/cli declaration in pyproject.toml
  • Fix not providing a default graph name during trudag init
  • Fix --help evaluating subcommands from cli command groups
  • Refactor internal graph object access functions

• Documentation

  • Fix single page view
  • Clarify SME score replacement options

• Miscellaneous

  • Improve Flox setup
    • Run poetry install on activate
    • Add graphviz dependency for plotting

v2025.08.05

This version includes performance improvements across several areas of the Trudag tool. In this release, we added multiprocessing support for linting tasks, which leads to faster execution. We also introduced caching for items and the reference builder. These changes improve the overall experience, especially when working with larger graphs.

• Trudag Tool Enhancements
  • Linting tasks are now processed in parallel
  • Caching added for the reference builder and items
  • set-link now supports multiple links in one call
  • set-link now logs errors instead of raising them
  • Fixed broken links in the documentation
  • Small changes to data store values:
    • "Commit SHA" now stores whole sha rather than abbreviated version.
    • "Commit tag" appends the abbreviated commit sha.
  • Extended documentation and glossary for STPA.

v2025.07.23

The new Remote Scoring feature allows the integration of multiple trustable graphs (hosted in external Git repositories) into the scoring process of the local trustable graph. This update lays the groundwork for upcoming features related to the consumption of external graphs and introduces improvements to user experience.

Change Summary

• Trudag Tool Enhancements
  • Added new reference type: source code reference
  • Redesigned the graph interface to simplify the addition of new backends
  • Introduced support for an ignore list file to exclude specific files from Trudag operations
  • Reference classes are now loaded from the entry point file location rather work directory
  • Added monitoring for validator execution time
  • Improved over exception handling and linting function
  • Updated documentation for usage with Doorstop
  • More explanatory user-facing messages

v2025.06.25

A new feature has landed: Data Store. This feature enables users to visualize the progression of each expectation as a graph. Additionally, users can now slice the graph directly from the CLI for more targeted insights.

This release also includes several user experience improvements to the trudag tool.

Change Summary

• Trudag Tool Enhancements
  • Nodes and edges are now organized by name and source name
  • Introduced the new Data Store feature:
    • Graphical view of expectations
  • CLI-based graph slicing
  • Added more tests:
    • Including coverage for the publish command
• Publish command improvements:
  • Now runs faster
  • Outputs only SVG images
• Matrix calculations are now more efficient
• Removed mutable object from constructor interface

• Improved tracebacks for validators and reference plugins

• Documentation

  • Clarified behavior of "inputs"
  • Fixed pinned links in the NEWS section

• CI Pipeline Improvements

  • Fixed issues in linting stage
  • Added more tests
  • Added Markdown linting

• Misc

  • Fixed a known issue related to a hidden Python 3.13 dependency

Known Issues

• All trudag commands require a GitLab auth token if a public: false reference of type: gitlab is present in the tree.

v2025.05.29

Refinements to the user experience for Trudag.

Change Summary

• Improvements to trudag CLI tool
  • Proper logging of StopIteration error raised on encountering missing item files
  • Proper logging of schema.SchemaError raised on encountering invalid item frontmatter
  • Proper logging of Exception errors raised when building references
  • Fixed bug where inconsistent dotfiles (edge including unspecified node) caused an unhandled Exception
  • Fixed bug where warnings in Validator plugins were treated as Exceptions
  • Fixed bug where mkdocs (specifically its used of jinja) interpreted raw escape blocks sequences in referenced content as template specifiers
  • Fixed bug where markdown items were not ordered according to their level
  • Fixed bug where duplicate markdown item files caused unnannounced nondeterministic behaviour
  • Fixed bug where trudag manage create-item caused an unhandled Exception
  • Improved import of custom Validators, each Validator is now only imported once
  • public option added to references of type gitlab, allowing public repositories to be referenced without an access token.
  • Upgrade to mkdocs-puml 2.3.0
  • Documents are now ordered alphabetically
  • Remove HEAD request from references of type gitlab to improve performance on large graphs.
• Documentation and Methodology
  • Improved Reference and Validator plugin documentation to include worked examples
  • Introduced new code of conduct for contributors
  • Trudag API reference documentation automated and updated across the codebase

Known issues

• Exceptions in custom Validator and Reference plugins are not handled reliably
• Additional undocumented dependencies required when using python 3.13 or newer
• All trudag commands require a gitlab auth tokens, if a public: false reference of type: gitlab is present in the tree.

v2025.04.30

First release including trudag, a Statement management and analysis tool designed specifically for trustable.

Change Summary

• Improvements to trudag/trustable-compliance CLI tool
  • Rename trustable-compliance as trudag
  • New subcommand manage for manipulating, linting and migrating to dot
  • Support for completeness and correctness model in scoring backend
  • Validator plugin API and optional use through --validate flag
  • Reference plugin API
  • Improved logging, including --verbose flag
  • Score dumping functionality, including --dump flag
• TSF Statements
  • TSF Statements now use dotstop backend, not doorstop
• Documentation and Methodology
  • Improved explanation of Misbehaviours and their role in RAFIA
  • Improved STPA schema
  • Improved methodology documentation
  • Safety requirement process refinement
• Project workflow
  • New base container stored in container registry to mitigate DockerHub pull rate limit impact
  • End to end tests for command availability, score dumping and dot management
  • Test coverage tracking
  • Lychee link linting

Breaking Changes

• trustable-compliance CLI tool and library renamed trudag
• trudag defaults to dotstop, not doorstop backend
• Leaf nodes are now called Premises. When linked to Artifacts they are Evidence, otherwise they are Assumptions

Known issues

• Exceptions in custom Validator and Reference plugins are not handled
• Additional undocumented dependencies required when using python 3.13 or newer

v2025.03.14

Documentation improvements, ongoing implementation of dotstop (TSF-specific replacement for Doorstop) and documentation on the RAFIA process.

Change Summary

• Added API references for trustable_compliance, graphalyzer and dotstop
• Added Lint and format checks using ruff
• Progress on implementation of dotstop
  • Read and write dotstop graphs and items natively from files
  • Reference management and reference plug-in support, including unit tests
  • YAML front matter schema
• Improved guidance for TA-MISBEHAVIOURS and associated glossary definitions
• RAFIA process documentation, illustrating some specific applications of TSF
• Renamed and expanded the TAs (see Breaking Changes)

Breaking Changes

The identifiers for the Trustable assertions have been changed in this release, to replace the numbers with more meaningful names. A new TA (TA-CONSTRAINTS) has also been added. The following table summarises the changes.

Old	New
TA_A-01	TA-SUPPLY_CHAIN
TA_A-02	TA-INPUTS
TA_A-03	TA-RELEASES
TA_A-04	TA-TESTS
TA_A-05	TA-ITERATIONS
TA_A-06	TA-FIXES
TA_A-07	TA-UPDATES
TA_A-08	TA-BEHAVIOURS
TA_A-09	TA-MISBEHAVIOURS
TA_A-10	TA-INDICATORS
TA_A-11	TA-VALIDATION
TA_A-12	TA-DATA
TA_A-13	TA-ANALYSIS
TA_A-14	TA-METHODOLOGIES
TA_A-15	TA-CONFIDENCE
(new)	TA-CONSTRAINTS

Known issues

• Needs guidance on how to:
  • Import existing requirements into a TSF graph
  • Integrate TSF graphs from other projects
• Support for multi-repository usage of TSF is experimental only and has a number of known issues

v2025.02.18

Improved user instructions

Changes

• Improved tool and getting started documentation
• Guidance on organisation of items and graphs
• Clarifications and improved guidance for TA items
• Criteria for SME assessments
• Clarified documentation about review and the review status field
• Small TSF tool improvements, including graduated colour maps for scores

Known issues

• See list for previous release (unchanged)

v2025.01.30

Release of project in preparation for public launch.

Changes

• Added licenses for documentation and tools
• Removed deprecated validator code
• Improved release job to publish package in project PyPi via twine
• Improved readability for text on coloured background in compliance report

Known issues

• Mermaid diagram rendering is broken in the Compliance documentation
• Needs guidance on how to:
  • Import existing requirements into a TSF graph
  • Integrate TSF graphs from other projects
• Missing API reference pages for trustable-compliance
• Support for multi-repository usage of TSF is experimental only and has a number of known issues

v2025.01.29

Interim release of project in its new context on gitlab.com

Changes

• CI and tooling updated to build for the new context
• Theme and document generation configuration updated to a Trustable theme

Resolved issues

• Guidance for TA-18 and TA-20 needs adding

Known issues

• Mermaid diagram rendering is broken in the Compliance documentation
• Needs guidance on how to:
  • Import existing requirements into a TSF graph
  • Integrate TSF graphs from other projects
• Missing API reference pages for trustable-compliance
• Support for multi-repository usage of TSF is experimental only and has a number of known issues

v2025.01.28

Improvements to documentation, tooling to support future migration to a new graph model design and renumbering of the Trustable Assertions

Changes

• Tooling extended and improved to support:
  • New 'dotstop' interface layer to support new graph model design in future
  • Restructured Trustable report
• Documentation extended and improved to:
  • Design concept description for 'dotstop'
  • Refined requirements management process
  • Expanded and improved methodology
• Trustable Assertions and Tenets updated to:
  • Separate informative (guidance) from normative (Statements) text
  • Change TA UIDs to define a new 'series', with a series identifier (A) and a new numerical sequence for the Items

Known issues

• Needs guidance on how to:
  • Import existing requirements into a TSF graph
  • Integrate TSF graphs from other projects
• Missing API reference pages for trustable-compliance
• Guidance for TA-18 and TA-20 needs adding
• Support for multi-repository usage of TSF is experimental only and has a number of known issues

v2024.12.19

Further refinement of the methodology, tooling to support confidence scoring and a refactoring of the Trustable Assertions to align with the TSF graph model.

Changes

• Tooling extended and improved to support:
  • Autogenerate the Trustable Tenets and Assertions diagram from Doorstop Items
  • Add support for aggregating confidence scores from Doorstop Items
  • Inclusion of inlined Artifacts in the Trustable Report
• Documentation extended and improved to:
  • Clarify and refine the methodology, adding diagrams to illustrate the TSF graph model
  • Provide detailed instructions for creating, storing, and managing a TSF graph
  • Refactor the Trustable Assertions to address identified problems and align their relationships with the TSF graph logic

Resolved issues

• Guidance added to documentation for how to:
  • Integrate the Trustable TSF graph into a project
  • Update a TSF graph when evidence changes

Known issues

• Needs guidance on how to:
  • Import existing requirements into a TSF graph
  • Integrate TSF graphs from other projects
• Missing API reference pages for trustable-compliance
• Guidance for TA-18 and TA-20 needs adding
• Support for multi-repository usage of TSF is experimental only and has a number of known issues

v2024.11.29

Updates to support confidence scoring, reporting and provide guidance to users on the use of the TSF tools and methodology.

Changes

• Tooling extended and improved to support:
  • Recording and management of confidence scores
  • Plotting graphical summaries of databases
  • Improved compliance reporting
• Documentation extended and improved to:
  • Describe what TSF compliance involves
  • Explain how to start applying TSF to a project
  • Add instructions for installing and updating TSF tools
  • Add guidance for projects applying TSF on the use of a -trustable suffix on release versions

Resolved issues

• Tooling to support confidence scoring is now provided
• Spurious 'fatal error' reported by trustable-compliance fixed

Known issues

• Needs guidance on how to:
  • Integrate the Trustable TSF graph into a project
  • Import existing requirements into a TSF graph
  • Update a TSF graph when evidence changes
  • Integrate TSF graphs from other projects
• Missing API reference pages for trustable-compliance

v2024.10.24

Initial release of Eclipse Trustable Software Framework

Changes

• Overview and rationale for Trustable
• Preliminary guidance on implementation
• Methodology for authoring and organising TSF metadata
• Instructions for managing metadata using Doorstop
• Examples of automated verification
• Report generation tooling based on custom version of Doorstop

Known issues

• Integration of the TSF Doorstop tree into a project is a manual process
• Tooling to support confidence scoring is not yet provided
• Needs clearer guidance on:
  • How to import existing requirements into a TSF Doorstop tree
  • How to update Doorstop when evidence changes