chore: prepare v0.3.0 release #107

Merged: project-navi-bot merged 2 commits into main from codex/v0.3.0-release-prep, May 30, 2026

Fieldnote-Echo (Owner) commented May 29, 2026

Summary

  • bump Rust/Python release surfaces to 0.3.0, promote the changelog, and update README/ROADMAP/THREAT_MODEL/RELEASING wording for the v0.3.0 release boundary
  • keep ordvec-manifest, ordvec-ffi, ordvec-go, and Python/release operational material out of the root .crate package while documenting sidecars as full-checkout artifacts with links that stay valid before the release tag exists
  • harden release workflow gates with exact wheel smoke tests, native linux/aarch64 wheel execution, pinned cargo-fuzz install/toolchains, PyPI post-publish hash verification, and stronger signed-release invariants
  • add Python add() capacity preflight so public add paths raise ValueError instead of allowing core asserts to cross the binding boundary; follow-up remediation also checks total byte-size overflow before core allocation
  • remove the last ordered-float comparator dependency pattern by using finite f32::total_cmp with explicit equal-value index tie-breaks

Validation

  • cargo package -p ordvec --locked --list
  • cargo publish -p ordvec --dry-run --locked
  • cargo test -p ordvec --all-targets --no-default-features
  • cargo test -p ordvec --all-targets --features experimental
  • cargo +1.89.0 test -p ordvec --locked
  • cargo clippy -p ordvec --all-targets --all-features -- -D warnings
  • cargo test -p ordvec-manifest --no-default-features
  • cargo test -p ordvec-manifest --all-features
  • cargo clippy -p ordvec-manifest --all-targets --all-features -- -D warnings
  • cargo test -p ordvec-ffi
  • cargo build -p ordvec-ffi --release
  • GOCACHE=/tmp/ordvec-go-cache go test -count=1 ./...
  • cargo clippy -p ordvec-python --all-targets -- -D warnings
  • maturin build --release --manifest-path ordvec-python/Cargo.toml --out /tmp/ordvec-wheels-v2
  • clean venv install of built wheel + python -m pytest ordvec-python/tests -q (503 passed)
  • cargo +1.89.0 install cargo-fuzz --version 0.13.1 --locked --root /tmp/cargo-fuzz-install-check
  • bash tests/release_signed_release_invariants.sh
  • bash tests/release_publish_invariants.sh
  • workflow YAML parse check with PyYAML

Bot remediation validation

  • cargo fmt --all -- --check
  • cargo clippy -p ordvec-python --all-targets -- -D warnings
  • cargo clippy -p ordvec --all-targets --all-features -- -D warnings
  • maturin build --release --manifest-path ordvec-python/Cargo.toml --out /tmp/ordvec-wheels-remediation
  • clean venv install of exact remediation wheel + /tmp/ordvec-remediation-venv/bin/python -m pytest ordvec-python/tests -q (503 passed)

Notes

Do not tag from this branch. The final v0.3.0 tag should wait until this PR lands, main CI is green for the exact SHA, and the external GitHub environment / Trusted Publisher settings are verified.

@qodo-code-review

Review Summary by Qodo

Prepare v0.3.0 release with hardened workflows and Python input validation

✨ Enhancement 🐞 Bug fix

Walkthroughs

Description
• Bump version to 0.3.0 across Rust/Python release surfaces
• Add Python add() capacity preflight checks to raise ValueError instead of core asserts
• Replace ordered-float comparator with finite f32::total_cmp and explicit index tie-breaks
• Harden release workflow with exact linux/aarch64 wheel smoke tests and post-publish PyPI hash verification
• Pin cargo-fuzz installation with locked bundled lockfile on stable toolchain
• Exclude sidecars (ordvec-ffi, ordvec-go, ordvec-manifest, ordvec-python) from published .crate package
Diagram
flowchart LR
  A["Version Bump<br/>0.2.0 → 0.3.0"] --> B["Python Capacity<br/>Validation"]
  A --> C["Comparator<br/>Refactor"]
  A --> D["Release Workflow<br/>Hardening"]
  B --> E["ValueError on<br/>Overflow"]
  C --> F["total_cmp +<br/>Index Tiebreak"]
  D --> G["aarch64 Wheel<br/>Smoke Test"]
  D --> H["PyPI Hash<br/>Verification"]
  D --> I["Pinned cargo-fuzz<br/>Install"]
  A --> J["Crate Exclude<br/>Sidecars"]

File Changes

1. ordvec-python/src/lib.rs Error handling +49/-0
   Add capacity validation and tests for Python add methods

2. src/util.rs 🐞 Bug fix +5/-4
   Replace partial_cmp with total_cmp for finite f32

3. ordvec-python/python/ordvec/__init__.py ⚙️ Configuration changes +1/-1
   Bump Python package version to 0.3.0

4. tests/release_signed_release_invariants.sh ✨ Enhancement +31/-1
   Add aarch64 wheel smoke test and publish step ordering checks

5. .github/workflows/fuzz.yml ✨ Enhancement +22/-18
   Pin cargo-fuzz version and toolchain with locked install

6. .github/workflows/release.yml ✨ Enhancement +115/-6
   Add native aarch64 wheel smoke test and PyPI hash verification

7. CHANGELOG.md 📝 Documentation +23/-2
   Document v0.3.0 release with security and feature updates

8. Cargo.toml ⚙️ Configuration changes +26/-1
   Bump version to 0.3.0 and exclude sidecars from crate

9. README.md 📝 Documentation +18/-14
   Update version references and document numpy dependency

10. RELEASING.md 📝 Documentation +6/-2
    Document post-publish PyPI hash verification step

11. ROADMAP.md 📝 Documentation +9/-6
    Update roadmap with C ABI and Go wrapper status

12. THREAT_MODEL.md 📝 Documentation +5/-4
    Update threat model status to v0.3.0 with release gate details

13. ordvec-python/Cargo.toml ⚙️ Configuration changes +1/-1
    Bump Python bindings version to 0.3.0

14. ordvec-python/README.md 📝 Documentation +3/-2
    Document numpy>=2.2 runtime dependency requirement

15. ordvec-python/pyproject.toml ⚙️ Configuration changes +1/-1
    Bump pyproject version to 0.3.0



qodo-code-review Bot commented May 29, 2026

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0)


Remediation recommended

1. Pre-tag docs links 404 🐞 Bug ⚙ Maintainability
Description
README.md and CHANGELOG.md now hardcode GitHub URLs to tag v0.3.0, but the repo’s documented
release procedure pushes the tag only after the version-bump commit lands on main and CI is green.
Between merge and the eventual tag push, these links will 404 in the default-branch docs.
Code

README.md[R158-165]

Evidence
README.md now points users to blob/v0.3.0 and tree/v0.3.0, and CHANGELOG.md’s compare links also
reference v0.3.0. RELEASING.md documents that the tag is pushed only after landing on main and
CI completion, so those URLs are guaranteed to 404 during the merge→tag interval.

README.md[147-165]
README.md[223-230]
CHANGELOG.md[163-165]
RELEASING.md[105-135]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
README.md and CHANGELOG.md link to `blob/v0.3.0` / `tree/v0.3.0` / `compare/v0.3.0...HEAD`, but `v0.3.0` is created only later in the release process. This makes documentation links temporarily broken on `main`.

### Issue Context
The release procedure explicitly pushes the version tag only after the bump commit is on `main` and CI has completed green, creating a time window where `v0.3.0` does not exist.

### Fix Focus Areas
- Update docs links to avoid referencing a not-yet-created tag (e.g., use `main` links until the tag exists, or adjust the release process/docs so the tag exists before these links are relied on).
- file paths and locations:
 - README.md[153-165]
 - README.md[223-230]
 - CHANGELOG.md[163-164]
 - RELEASING.md[105-135]


codecov Bot commented May 29, 2026

Codecov Report

❌ Patch coverage is 78.00000% with 11 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ordvec-python/src/lib.rs | 76.59% | 11 Missing ⚠️ |


gemini-code-assist Bot left a comment

Code Review

This pull request updates the project to version 0.3.0, hardens release workflow scripts, and introduces a capacity check in the Python bindings to prevent index capacity overflows from causing Rust panics across the FFI boundary. The review feedback correctly identifies a potential vulnerability on 32-bit platforms where the total allocated byte size could overflow usize even if the element count does not. To resolve this, the reviewer suggests passing the element size to the capacity check function to perform a second checked multiplication, and provides specific suggestions to update all call sites and tests.

Comment thread ordvec-python/src/lib.rs Outdated
Comment thread ordvec-python/src/lib.rs Outdated
Comment thread ordvec-python/src/lib.rs Outdated
Comment thread ordvec-python/src/lib.rs Outdated
Comment thread ordvec-python/src/lib.rs Outdated
Comment thread ordvec-python/src/lib.rs

Copilot AI left a comment

Pull request overview

Prepares the v0.3.0 release across the Rust crate, Python bindings, and supporting docs/workflows. Version bumps are paired with packaging exclusions that keep the root .crate minimal while documenting ordvec-ffi/ordvec-go/ordvec-manifest as full-checkout sidecars, plus a focused set of behavioral hardenings (Python add() capacity preflight, finite-f32 comparator without partial_cmp panic, release-workflow gating).

Changes:

  • Bump crate/Python package versions to 0.3.0, promote the changelog entry, and refresh README/ROADMAP/THREAT_MODEL/RELEASING wording (including pinned v0.3.0 doc links).
  • Harden release pipeline: native linux/aarch64 wheel smoke job gated into release-assets-draft, exact-wheel install via --no-index, post-publish PyPI SHA-256 verification, pinned cargo-fuzz install/toolchains, and stronger release_signed_release_invariants.sh ordering checks.
  • Add Python-side check_add_capacity preflight on all add() paths and replace the partial_cmp(...).expect(...) finite comparator with total_cmp + explicit index tie-break (with unit tests).

Reviewed changes

Copilot reviewed 15 out of 16 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| Cargo.toml | Bump to 0.3.0; expand exclude to keep sidecars/release tests out of the published .crate. |
| Cargo.lock | Regenerated for the 0.3.0 bump of ordvec / ordvec-python. |
| src/util.rs | Replace partial_cmp.expect with ==-shortcut + f32::total_cmp for the finite comparator. |
| ordvec-python/Cargo.toml | Version bump to 0.3.0. |
| ordvec-python/pyproject.toml | Version bump to 0.3.0. |
| ordvec-python/python/ordvec/__init__.py | __version__ bump to 0.3.0. |
| ordvec-python/src/lib.rs | Add check_add_capacity and call it from every add() path; add unit tests. |
| ordvec-python/README.md | Note numpy>=2.2 runtime requirement. |
| README.md | Bump install snippet to 0.3, note numpy floor, repoint sidecar docs to v0.3.0 tag. |
| CHANGELOG.md | Promote [Unreleased] to [0.3.0] - 2026-05-29; numpy 2.2 correction; new compare links. |
| ROADMAP.md | Mark distribution baseline done; describe new C ABI / Go wrapper status. |
| RELEASING.md | Document the post-publish PyPI hash verification step. |
| THREAT_MODEL.md | Update status to v0.3.0 / 2026-05-29 and refine SUPPLY-001 wording. |
| .github/workflows/release.yml | New smoke-linux-aarch64-wheel job, exact-wheel install, PyPI post-publish hash check. |
| .github/workflows/fuzz.yml | Pin cargo-fuzz install toolchain + nightly via env, install with --locked. |
| tests/release_signed_release_invariants.sh | New ordering assertions for publish-crate steps and PyPI post-publish hash check. |
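
Added example, not code from this pull request or from ordvec: a sketch of the comparator pattern the reviews describe for src/util.rs, an `==` shortcut with an index tie-break followed by `f32::total_cmp`. The function names, the `(index, score)` pair shape and the ascending order are assumptions. The shortcut matters because `total_cmp` alone orders `-0.0` before `0.0`, and unlike `partial_cmp(...).expect(...)` nothing here can panic on an unexpected NaN.

```rust
use std::cmp::Ordering;

/// Compare two (index, score) pairs: ascending by score, then ascending by
/// index when the scores compare equal. Hypothetical helper, intended for
/// finite scores, but it never panics whatever bits it is given.
pub fn cmp_finite(a: (usize, f32), b: (usize, f32)) -> Ordering {
    if a.1 == b.1 {
        // Also covers -0.0 == 0.0, which total_cmp would order as Less.
        return a.0.cmp(&b.0);
    }
    // Values differ (or one is NaN): total_cmp is a total order, so there
    // is no Option to unwrap and no panic path.
    a.1.total_cmp(&b.1)
}

/// Return the indices of `scores` in ranked order. An unstable sort is used
/// on purpose: determinism comes from the explicit tie-break, not from the
/// sort implementation.
pub fn rank_indices(scores: &[f32]) -> Vec<usize> {
    let mut idx: Vec<usize> = (0..scores.len()).collect();
    idx.sort_unstable_by(|&i, &j| cmp_finite((i, scores[i]), (j, scores[j])));
    idx
}

fn main() {
    // Constructed sample input with duplicate values and both zero signs.
    let scores = [0.5_f32, -0.0, 0.0, 0.5, -1.0];
    println!("{:?}", rank_indices(&scores));
}
```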

Fieldnote-Echo force-pushed the codex/v0.3.0-release-prep branch from e772d50 to c4a99ed, May 29, 2026 17:37
Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
Fieldnote-Echo force-pushed the codex/v0.3.0-release-prep branch from c4a99ed to 7e85f6e, May 30, 2026 02:19
Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
Owner Author

Bot remediation summary:

  • Qodo pre-tag docs-link report was fixed in 7e85f6e: README now links sidecar docs to main, and CHANGELOG no longer defines compare links that depend on the not-yet-created v0.3.0 tag.
  • Gemini 32-bit byte-capacity report was fixed in 8e77878: Python add() preflight now checks element count and byte-size overflow, with concrete element sizes for Rank, RankQuant, Bitmap, and SignBitmap; helper tests cover the byte-size overflow case.

Validation after the Gemini fix:

  • cargo fmt --all -- --check
  • cargo clippy -p ordvec-python --all-targets -- -D warnings
  • cargo clippy -p ordvec --all-targets --all-features -- -D warnings
  • maturin build --release --manifest-path ordvec-python/Cargo.toml --out /tmp/ordvec-wheels-remediation
  • clean venv install of the exact wheel + /tmp/ordvec-remediation-venv/bin/python -m pytest ordvec-python/tests -q (503 passed)

All six Gemini inline review threads have been replied to and resolved.
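
Added example, not the project's code: a sketch of the two-stage preflight discussed in the Gemini review and the remediation summary above, where the element count is checked first and the byte size is checked with a second checked multiplication. The name `check_add_capacity` appears in the review; its signature, the parameter names and the `CapacityError` type are assumptions.

```rust
/// Why the hypothetical add() preflight refused a request.
#[derive(Debug, PartialEq, Eq)]
pub enum CapacityError {
    /// Vector or element count does not fit in usize.
    CountOverflow,
    /// The count fits, but the byte size does not fit in one allocation.
    ByteSizeOverflow,
}

/// `current` and `incoming` are vector counts, `elems_per_vec` is the number
/// of stored elements per vector and `elem_size` is bytes per element.
/// Returns the total byte size the storage would need after the add.
pub fn check_add_capacity(
    current: usize,
    incoming: usize,
    elems_per_vec: usize,
    elem_size: usize,
) -> Result<usize, CapacityError> {
    // Stage 1: element count.
    let vecs = current.checked_add(incoming).ok_or(CapacityError::CountOverflow)?;
    let elems = vecs.checked_mul(elems_per_vec).ok_or(CapacityError::CountOverflow)?;
    // Stage 2: byte size. On a 32-bit target this product can wrap even
    // though `elems` itself fit in usize.
    let bytes = elems.checked_mul(elem_size).ok_or(CapacityError::ByteSizeOverflow)?;
    // Rust allocations are limited to isize::MAX bytes, so reject above that.
    if bytes > isize::MAX as usize {
        return Err(CapacityError::ByteSizeOverflow);
    }
    Ok(bytes)
}

fn main() {
    // A binding layer would map Err(..) to a Python ValueError at this point
    // instead of letting a core assert cross the binding boundary.
    println!("{:?}", check_add_capacity(10, 5, 128, 4));
    println!("{:?}", check_add_capacity(0, usize::MAX / 4, 2, 4));
}
```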

project-navi-bot merged commit f05461e into main, May 30, 2026
35 checks passed
project-navi-bot deleted the codex/v0.3.0-release-prep branch, May 30, 2026 02:38