kit v0.6.0

Ship audit release. Root cause fix for checksum verification failures on own tools, plus 8 additional findings from comprehensive code audit.

kit check was downloading cosign bundles (.bundle files) instead of binaries for own tools. The release link matching used contains() which matched kit-darwin-arm64.bundle before kit-darwin-arm64 because the bundle link appeared earlier in the release links array. Fixed: exact name match first, then URL ends_with(/asset_name) fallback.

- jq advisory filter: escape dots in version before regex interpolation
- Bundle URL construction: append .bundle instead of replace() which could corrupt URL path
- resolve_installed_sha: return None when binary not found (don't store registry checksums in the binary_sha256 field)
- cmd_upgrade: remove stale [tool.checksums] after version bump
- check_crates: exact name match instead of prefix match
- URL validation: reject embedded newlines
- cmd_pin: validate version before saving
- apply commit: include flagged updates in commit message

125 tests. 0 clippy warnings.
6 adversarial reviews + 1 ship audit, 55 total findings addressed.
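
The release-link matching bug and its fix as described in these notes, sketched as an added example (this is not kit's own code). The `Link` struct, the function names, the assumption that the old `contains()` ran against the link name, and the sample links are all constructed for illustration.

```rust
// Added illustration; `Link`, `find_loose` and `find_strict` are hypothetical names.
#[derive(Debug, Clone, PartialEq)]
pub struct Link {
    pub name: String,
    pub url: String,
}

/// Pre-fix behaviour as described: substring match, first hit in array order wins.
/// Assumption: the match was made against the link name.
pub fn find_loose<'a>(links: &'a [Link], asset: &str) -> Option<&'a Link> {
    links.iter().find(|l| l.name.contains(asset))
}

/// Post-fix behaviour as described: exact name match first,
/// then fall back to a URL that ends with "/<asset_name>".
pub fn find_strict<'a>(links: &'a [Link], asset: &str) -> Option<&'a Link> {
    let suffix = format!("/{}", asset);
    links
        .iter()
        .find(|l| l.name == asset)
        .or_else(|| links.iter().find(|l| l.url.ends_with(&suffix)))
}

/// Constructed sample data: the cosign bundle link is listed before the binary,
/// and one link has a display name that differs from its asset file name.
pub fn sample_links() -> Vec<Link> {
    let mk = |n: &str, u: &str| Link { name: n.to_string(), url: u.to_string() };
    vec![
        mk("kit-darwin-arm64.bundle", "https://example.invalid/dl/kit-darwin-arm64.bundle"),
        mk("kit-darwin-arm64", "https://example.invalid/dl/kit-darwin-arm64"),
        mk("linux build", "https://example.invalid/dl/kit-linux-amd64"),
    ]
}

fn main() {
    let links = sample_links();
    let asset = "kit-darwin-arm64";
    // The loose match selects the signature bundle, so a checksum of the
    // downloaded file can never equal the binary's checksum.
    println!("loose : {:?}", find_loose(&links, asset).map(|l| &l.url));
    println!("strict: {:?}", find_strict(&links, asset).map(|l| &l.url));
}
```

The strict matcher also returns no link for a partial asset name, so a missing asset surfaces as an error instead of a silent download of the wrong file.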