Witness — cryptographic fix-regression tracking
The witness toolkit lets you ship every release with a signed manifest that lists every documented fix in your codebase along with a sha256 + marker substring. Anyone with the same git commit can re-derive the public key and verify the signature without a committed private key.
A temporal history (JSONL) tracks how the fix population evolves across releases — so when a regression appears, you can pinpoint the commit that introduced it, not just "it's broken now."
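The following added example, which is not code from the witness toolkit, shows how a per-fix sha256 and marker substring can be checked at each release and how a JSONL history then identifies the commit that introduced a regression. The manifest fields (`id`, `file`, `marker`, `sha256`), the status labels and the history record shape are assumptions made for illustration; signature verification is left out.

```javascript
// Added example: field names and status labels are assumptions, not witness's real schema.
const { createHash } = require("node:crypto");

const sha256 = (text) => createHash("sha256").update(text, "utf8").digest("hex");

// Classify one manifest entry against current file contents (path -> text).
//   pass      : file hash equals the recorded sha256
//   drifted   : file changed, but the marker substring is still present
//   regressed : marker substring is gone, or the file no longer exists
function checkFix(fix, files) {
  const body = files[fix.file];
  if (body === undefined || !body.includes(fix.marker)) return "regressed";
  return sha256(body) === fix.sha256 ? "pass" : "drifted";
}

// One record per release: what a line of the JSONL history could hold.
function snapshot(commit, manifest, files) {
  const status = {};
  for (const fix of manifest.fixes) status[fix.id] = checkFix(fix, files);
  return { commit, status };
}

// Scan the history oldest-first; return the commit where fixId first flips
// from a non-regressed state to "regressed", or null if it never does.
function firstRegression(historyJsonl, fixId) {
  let previous = null;
  for (const line of historyJsonl.split("\n")) {
    if (!line.trim()) continue; // tolerate blank lines
    const entry = JSON.parse(line);
    const now = entry.status[fixId];
    if (now === undefined) continue; // fix not registered yet at this release
    if (now === "regressed" && previous !== null && previous !== "regressed") return entry.commit;
    previous = now;
  }
  return null;
}

// Constructed sample data: three releases of one file that carries a path check.
const fixedSource = 'if (!isSafePath(p)) throw new Error("path escapes root");\nreturn read(p);\n';
const manifest = {
  fixes: [{ id: "FIX-101", file: "src/fs.js", marker: "isSafePath(p)", sha256: sha256(fixedSource) }],
};
const releases = [
  ["aaa1111", fixedSource],                        // fix intact
  ["bbb2222", fixedSource + "// refactor note\n"], // file edited, marker kept
  ["ccc3333", "return read(p);\n"],                // check removed
];
const history = releases
  .map(([commit, src]) => JSON.stringify(snapshot(commit, manifest, { "src/fs.js": src })))
  .join("\n");
console.log("regression introduced at:", firstRegression(history, "FIX-101"));
```

Keeping "drifted" separate from "regressed" means a harmless edit to a file only prompts a manifest refresh, while a vanished marker blocks the release.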
This skill works two ways:
- Inside ruflo — used by ruflo's own CI to gate publishes (see `.github/workflows/v3-ci.yml`, job `witness-verify`).
- In your own project — copy `plugins/ruflo-core/scripts/witness/` into your repo, run `init.mjs`, register your fixes in `witness-fixes.json`, and call `regen.mjs` from your release pipeline.