# FastTool Evidence v0.1.0 direct-download release

Publication state: `direct_site_release`.

FastTool direct-download is the canonical release channel; external registries are not published by this release. This folder is the immutable public-release payload for that channel.

## Files

- `fasttool-evidence-cli-v0.1.0.tgz`: self-contained Node.js 20+ CLI archive.
- `fasttool-evidence-action-v0.1.0.zip`: self-contained composite Action archive for runners with Node.js 20+.
- `fasttool-evidence-v0.1.0-SHA256SUMS.txt`: SHA-256 list for every release artifact except the checksum file itself.
- `fasttool-evidence-v0.1.0-release-receipt.json`: fail-closed FastTool Evidence Receipt v1.
- `fasttool-evidence-v0.1.0-release-manifest.json`: release state, exact sizes and hashes.

## Verify before use

Download the complete folder, then run:

```bash
shasum -a 256 -c fasttool-evidence-v0.1.0-SHA256SUMS.txt
```

Receipt core integrity can also be checked locally at https://fasttool.app/tools/receipt-verifier/. A matching hash establishes byte integrity, not security certification, ownership, deployment, legal admissibility or independent review.

## Privacy boundary

The CLI and analysis step make no network calls. Raw input, file names and generated result content are not sent to FastTool analytics. The Action transfers an evidence packet to GitHub artifact storage only when `upload_artifact: "true"` is explicitly selected. If a Git-hosted mirror is used later, pin its reviewed 40-character commit SHA rather than a moving branch or tag.
