proof-of-commitment v1.2.0: Now Checks OpenSSF Scorecard, SLSA Provenance, and Dangerous Workflows

DEV Community·Pico·25 days ago

The @bitwarden/cli attack in April was a wake-up call: behavioral scoring told the right story (9 maintainers, 7-year history, genuine org) but couldn't see the compromised CI/CD pipeline. Behavioral signals identify who can publish. They don't catch whether what was published matches the source. v1.2.0 adds three new layers that together cover the build integrity surface behavioral scoring misses.

What's new

OpenSSF Scorecard integration

Every audit now returns a Scorecard score alongside behavioral signals. Scorecard measures whether a project follows secure development practices: code review requirements, branch protection, SLSA provenance, dangerous workflow detection, vulnerability disclosure policy.

npx proof-of-commitment axios zod chalk

Output now includes Scorecard scores.…
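The point of the section above is that a behavioral score (who can publish) and a Scorecard result (how the project builds and releases) answer different questions, and a dependency gate should consume both. The script below is an added example written for this page, not code from proof-of-commitment or from the OpenSSF. It parses a Scorecard-style JSON document, pulls out the checks that speak to build integrity, and merges them with a 0-10 behavioral score into a single verdict in which a failed Dangerous-Workflow check blocks regardless of how trustworthy the maintainers look. The check names follow the Scorecard JSON output; the per-check thresholds, the behavioral scale and both sample results are assumptions constructed for the demo and do not describe any real repository.

```python
"""Combine an OpenSSF Scorecard result with a behavioral score.

Added example, not code from proof-of-commitment itself. The check names
follow the Scorecard JSON output; the thresholds, the 0-10 behavioral
score and both sample results are assumptions constructed for this demo.
"""
import json

# Checks that speak to build integrity (what gets published) rather than
# to who can publish. The minimum acceptable score per check is an assumption.
BUILD_INTEGRITY_CHECKS = {
    "Dangerous-Workflow": 10,  # Scorecard scores this 0 on any hit, 10 otherwise
    "Branch-Protection": 5,
    "Code-Review": 5,
    "Signed-Releases": 5,      # signed artifacts / SLSA provenance
    "Token-Permissions": 5,
    "Security-Policy": 5,      # vulnerability disclosure policy
}

# Constructed sample in Scorecard's JSON shape: a repo with good behavioral
# signals but a weak CI surface. Not a real project.
RISKY_SCORECARD = json.dumps({
    "repo": {"name": "github.com/example-org/example-pkg"},
    "score": 6.8,
    "checks": [
        {"name": "Dangerous-Workflow", "score": 0,
         "reason": "dangerous workflow pattern detected"},
        {"name": "Branch-Protection", "score": 8, "reason": "branch protection is enabled"},
        {"name": "Code-Review", "score": 9, "reason": "most changes are reviewed"},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
        {"name": "Token-Permissions", "score": 3,
         "reason": "workflow token permissions not restricted to read-only"},
        {"name": "Security-Policy", "score": 10, "reason": "security policy file detected"},
    ],
})

# Constructed sample of a repo that clears every build-integrity check.
CLEAN_SCORECARD = json.dumps({
    "repo": {"name": "github.com/example-org/clean-pkg"},
    "score": 8.9,
    "checks": [
        {"name": name, "score": 10, "reason": "ok"} for name in BUILD_INTEGRITY_CHECKS
    ],
})


def parse_scorecard(raw: str) -> dict:
    """Index a Scorecard JSON document by check name."""
    data = json.loads(raw)
    return {
        "repo": data.get("repo", {}).get("name", "<unknown>"),
        "score": data.get("score"),
        "checks": {c["name"]: c for c in data.get("checks", [])},
    }


def build_integrity_findings(scorecard: dict) -> list:
    """One finding per build-integrity check that is missing, inconclusive or weak."""
    findings = []
    for name, minimum in BUILD_INTEGRITY_CHECKS.items():
        check = scorecard["checks"].get(name)
        if check is None:
            findings.append(f"{name}: not evaluated")
            continue
        score = check.get("score", -1)
        reason = check.get("reason", "")
        if score < 0:  # Scorecard reports -1 when a check is inconclusive
            findings.append(f"{name}: inconclusive ({reason})")
        elif score < minimum:
            findings.append(f"{name}: {score}/10 below minimum {minimum} ({reason})")
    return findings


def combined_verdict(behavioral_score: float, scorecard: dict) -> dict:
    """Merge a 0-10 behavioral score with Scorecard build-integrity findings.

    A Dangerous-Workflow score of 0 blocks outright, however trusted the
    maintainers look: that is the gap behavioral scoring cannot see.
    """
    findings = build_integrity_findings(scorecard)
    dangerous = scorecard["checks"].get("Dangerous-Workflow", {}).get("score", -1)
    if dangerous == 0:
        verdict = "block"
    elif findings or behavioral_score < 5:
        verdict = "review"
    else:
        verdict = "pass"
    return {
        "repo": scorecard["repo"],
        "verdict": verdict,
        "behavioral": behavioral_score,
        "scorecard": scorecard["score"],
        "findings": findings,
    }


if __name__ == "__main__":
    for raw in (RISKY_SCORECARD, CLEAN_SCORECARD):
        print(json.dumps(combined_verdict(9.1, parse_scorecard(raw)), indent=2))
```

Run as-is, the risky sample comes back "block" with three findings (the dangerous workflow, an inconclusive Signed-Releases check and weak token permissions) even though its behavioral score is 9.1, while the clean sample passes; drop the clean sample's behavioral score below 5 and it becomes "review". Treating an inconclusive (-1) check as a finding rather than as a pass is deliberate: a repo with no signed releases at all has not demonstrated provenance, it has merely not been measured.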
