Witness — cryptographic fix-regression tracking The witness toolkit lets you ship every release with a signed manifest that lists every documented fix in your codebase along with a sha256 + marker substring. Anyone with the same git commit can re-derive the public key and verify the signature without a committed private key. A temporal history (JSONL) tracks how the fix population evolves across releases — so when a regression appears, you can pinpoint the commit that introduced it , not just "it's broken now." This skill works two ways: 1. Inside ruflo — used by ruflo's own CI to gate publis…