Postil

Changelog

What's new.

Notable changes to the CLI, the gate contract, and platform support. Stable surfaces follow semantic versioning.

v0.1.0

June 13, 2026

First tagged release of the CLI and the gate contract. Signed multi-arch binaries are published on GitHub releases; you can also install via the one-line script, build from source, or pin the GitHub Action to a commit SHA.

  • Added: postil review with --staged, --base, and --diff-file inputs, plus JSON envelope output via --output-json and SARIF 2.1.0 output via --sarif.
  • Added: Two named check-runs on every PR: postil/gate (blocking) and postil/review (advisory), with documented branch-protection setup.
  • Added: Forge support beyond GitHub via --forge gitlab, bitbucket, and azure, each covering its self-managed/server variant through a base-URL environment variable (GITLAB_API_URL and friends). Bitbucket and Azure DevOps are early: shipped, not yet validated against live instances.
  • Added: Incremental re-review (--since-sha + --baseline) with resolved/carried finding reconciliation.
  • Added: postil respond: the interactive @postil bot engine for PR and issue mentions (GitHub only; review-and-answer only, never opens PRs).
  • Added: postil doctor preflight, postil plan dry-run against stored envelopes, and postil hook install for a pre-push review hook.
  • Added: Repo guardrails: rules in .postil/guardrails.md are injected into the prompt; violations surface as guardrail findings that quote the rule.
  • Added: One-line install script with SHA-256 checksum verification and Sigstore keyless signature verification when cosign is present; build from source with cargo install --git.
  • Security: Least-privilege GitHub App (no contents:write), fail-closed gate on operational errors (repos can opt into gate.onError: advisory), AES-256-GCM sealing for bring-your-own inference keys, Sigstore keyless signing of release artifacts in CI.

Release notes and signed binaries are published on GitHub releases.