fix: release v0.37.2 runtime signature backend dependencies (#303)

Author: djm81

CHANGELOG.md

@@ -8,6 +8,15 @@ All notable changes to this project will be documented in this file.
 **Important:** Changes need to be documented below this block as this is the header section. Each section should be separated by a horizontal rule. Newer changelog entries need to be added on top of prior ones to keep the history chronological with most recent changes first.
 
 
+---
+
+## [0.37.2] - 2026-02-24
+
+### Fixed
+
+- Restored runtime signature verification prerequisites by making `cryptography` and `cffi` hard installation dependencies for published package installs.
+- Prevented post-install signature verification failures caused by missing `_cffi_backend` in environments that previously installed `specfact-cli` without explicit crypto backend dependencies.
+
 ---
 
 ## [0.37.1] - 2026-02-24

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "specfact-cli"
-version = "0.37.1"
+version = "0.37.2"
 description = "The swiss knife CLI for agile DevOps teams. Keep backlog, specs, tests, and code in sync with validation and contract enforcement for new projects and long-lived codebases."
 readme = "README.md"
 requires-python = ">=3.11"
@@ -56,6 +56,8 @@ dependencies = [
     "PyYAML>=6.0.3",
     "requests>=2.32.3",
     "azure-identity>=1.17.1",
+    "cryptography>=43.0.0",
+    "cffi>=1.17.1",
 
     # CLI framework
     "typer>=0.20.0",
@@ -378,8 +380,8 @@ packages = [
 "resources/schemas" = "specfact_cli/resources/schemas"
 "resources/mappings" = "specfact_cli/resources/mappings"
 "resources/keys" = "specfact_cli/resources/keys"
-"modules/backlog-core" = "specfact_cli/resources/modules/backlog-core"
-"modules/bundle-mapper" = "specfact_cli/resources/modules/bundle-mapper"
+"modules/backlog-core" = "specfact_cli/modules/backlog-core"
+"modules/bundle-mapper" = "specfact_cli/modules/bundle-mapper"
 # Note: resources/semgrep files are in src/specfact_cli/resources/semgrep/ and are automatically included
 
 [tool.hatch.build.targets.sdist]

setup.py

@@ -7,7 +7,7 @@
 if __name__ == "__main__":
     _setup = setup(
         name="specfact-cli",
-        version="0.37.1",
+        version="0.37.2",
         description=(
             "The swiss knife CLI for agile DevOps teams. Keep backlog, specs, tests, and code in sync with "
             "validation and contract enforcement for new projects and long-lived codebases."
@@ -20,6 +20,8 @@
             "PyYAML>=6.0.2",
             "requests>=2.32.3",
             "azure-identity>=1.17.1",
+            "cryptography>=43.0.0",
+            "cffi>=1.17.1",
             "typer>=0.15.0",
             "rich>=14.0.0",
             "jinja2>=3.1.0",

src/__init__.py

@@ -3,4 +3,4 @@
 """
 
 # Package version: keep in sync with pyproject.toml, setup.py, src/specfact_cli/__init__.py
-__version__ = "0.36.1"
+__version__ = "0.37.2"

src/specfact_cli/__init__.py

@@ -8,6 +8,6 @@
 - Supporting agile ceremonies and team workflows
 """
 
-__version__ = "0.37.1"
+__version__ = "0.37.2"
 
 __all__ = ["__version__"]

src/specfact_cli/modules/analyze/module-package.yaml

@@ -1,5 +1,5 @@
 name: analyze
-version: 0.37.1
+version: 0.37.2
 commands:
   - analyze
 command_help:
@@ -15,5 +15,5 @@ publisher:
 description: Analyze codebase quality, contracts, and architecture signals.
 license: Apache-2.0
 integrity:
-  checksum: sha256:81401deb9416cb772437ab806dbc377778f7cf4d2986e8169765de59d1708733
-  signature: YfTBJOyF5OxkRkIg5Fffqtbc3DHa/eXoewyav97FwEMRZoqRXH6Fhhu80UUjKPEYMWP5JzRU8dWgvi8FgfFqBQ==
+  checksum: sha256:8f0919570eb25f9643f3f4557f40d8137c4754e4422ff71bdbb7ed2aa04e4bff
+  signature: 6sTJRGUeApach2vdwQJubd3bHaJm2bu7b46DnUFJGAZ95X6dLMCyuCWVdxTRA6kX3YHblYZD8SfFwAPPsl1KAg==

src/specfact_cli/modules/auth/module-package.yaml

@@ -1,5 +1,5 @@
 name: auth
-version: 0.37.1
+version: 0.37.2
 commands:
   - auth
 command_help:
@@ -15,5 +15,5 @@ publisher:
 description: Authenticate SpecFact with supported DevOps providers.
 license: Apache-2.0
 integrity:
-  checksum: sha256:d085de940d5de887f858462eff10a75e5acdb2e31cc61ed7dc79bfe6e4527e76
-  signature: SyoiHxZHlmQLzdnqn45c8B/dzZuqyWzflAo/hf0PWsckPSfeGN6ytlGgTJPV8Rq8IG96aVnPkir2dEJ4gavxAQ==
+  checksum: sha256:fd0c9ff643c73a25c229e5925b58446ff25af7ec5ab4412d3eff9704b4cc10c1
+  signature: 4KKwmf58+3boa+2jMF9m2NvjGcXB6Jdjfu0C6MV5Io+XjF6FUPyOmf7iz2xH9afgTTeVLVdc7X5EjJJGm5tMAQ==

src/specfact_cli/modules/backlog/module-package.yaml

@@ -1,5 +1,5 @@
 name: backlog
-version: 0.37.1
+version: 0.37.2
 commands:
   - backlog
 command_help:
@@ -28,5 +28,5 @@ publisher:
 description: Manage backlog ceremonies, refinement, and dependency insights.
 license: Apache-2.0
 integrity:
-  checksum: sha256:db36a40672119b436b50bd4142400feec3398ae2732cfa357eacb7b40d8b8582
-  signature: NXgVtRf+ubB+upfAacJUTX8yaGw/cdZa9SSxqusak3ijGZe5POtK+ud+n2lnVMCg/9pOzoq8wdgsTrVr3mkCDA==
+  checksum: sha256:6d31c481c40241a744ffa255d29bcf834e5715de310f58f7ebc74e19f1e4fd8d
+  signature: 20mO8sayOcVV992iqYROkQL/Q7jxjJE3re1fWYbTLIW7HPskNg1CROpCnaeUv9dr629qPMs/YVlzadMl317VDw==

src/specfact_cli/modules/contract/module-package.yaml

@@ -1,5 +1,5 @@
 name: contract
-version: 0.37.1
+version: 0.37.2
 commands:
   - contract
 command_help:
@@ -15,5 +15,5 @@ publisher:
 description: Validate and manage API contracts for project bundles.
 license: Apache-2.0
 integrity:
-  checksum: sha256:577b9ee6af8075c0ebf58665a50ec5be6b2de935f401454f831447905320b649
-  signature: gHyTzZkYnLDxf27XFNHH/pauUhZ5ZZfTwPNQBwWCZ/v4oEdDV8gGjDr84g2KSsH8myrE7J8q47iBChxqO+FjBw==
+  checksum: sha256:5cc204c3bab58765f19862a6fe2127ddb0b6f0b56422bfc078d69beb91398f0d
+  signature: URMN7NMTIsPqZmtcDW4onpaH1Up4kpZaE49iyb3jaqN4x2KuEGDyU4uudhzu/4Pu1DObWu20c+aVfwtj26LbCQ==

src/specfact_cli/modules/drift/module-package.yaml

@@ -1,5 +1,5 @@
 name: drift
-version: 0.37.1
+version: 0.37.2
 commands:
   - drift
 command_help:
@@ -15,5 +15,5 @@ publisher:
 description: Detect and report drift between code, plans, and specs.
 license: Apache-2.0
 integrity:
-  checksum: sha256:5bf84d0a840bbdb47ccacda4490d19685d1298c3f7fd3b8e48ca641a08727e08
-  signature: S8djuQsc+7LBZH8myx+aUNeSfSpnLHXL70iCrK9yCfyYJbqDklQpKNxBGJQ4DjzrApm6ZyTBoxZdmA1BxDvDBw==
+  checksum: sha256:368d6beaf1b4356741c1dbdd8125800e466abb47d8a18e14e2c0f9c66c94397b
+  signature: +gU8OTtpxWqIKTk2xoL4Msed1alxTk4soy/HYG4wJuOcwQgaxG7tM/WEWTRMCXHTN4kCiN+3Wqp975FUtW0UDw==