[codex] v2.5.0 operational robustness and observability

[IgnazioDS]

Summary

This PR advances SentinelID to v2.5.0 and focuses on operational robustness and observability during release validation.

The release line is now aligned across the release-critical docs, desktop package/config metadata, pilot evidence target, and cloud API metadata. The release gate also became stricter about version drift by checking the desktop package/config surfaces in addition to the existing docs and cloud metadata.

The main runtime addition is a dedicated invariant smoke script that validates loopback binding, edge bearer enforcement, cloud admin token enforcement, and support-bundle endpoint behavior. It writes a machine-readable JSON report, release-check publishes that report into output/release/, and the evidence pack now includes it.

The main diagnostics addition is a desktop warning-noise budget for Rust/Tauri build output. Release-check now captures desktop cargo output into a log, parses warning counts into a JSON summary, enforces DESKTOP_WARNING_BUDGET, and surfaces the top warning sources directly. This reduces noise during normal runs while making failures easier to triage.

Why this change

Release-check was already comprehensive, but it still left some failure modes too implicit:

• runtime invariants were spread across separate smokes and tests, with no single machine-readable report
• desktop Rust warning volume was visible but not budgeted, so warning regressions were hard to spot
• evidence packs did not directly capture these diagnostics for later review
• some desktop version surfaces could still drift independently from the release line

This PR closes those gaps and makes the release path more diagnosable for both local operators and CI parity runs.

Implementation details

• bumped release markers to v2.5.0 across changelog, runbook, release docs, pilot target, Make help banner, desktop package/config metadata, and cloud metadata
• extended scripts/release/check_version_consistency.sh to cover:
  • apps/desktop/package.json
  • apps/desktop/package-lock.json
  • apps/desktop/tauri.conf.json
  • apps/desktop/src-tauri/tauri.conf.json
  • apps/desktop/src-tauri/tauri.dev.conf.json
  • scripts/release/build_pilot_evidence_index.sh
• added scripts/check_invariants.py
• added scripts/ci/check_desktop_warning_budget.py
• integrated both reports into scripts/release/checklist.sh
• included invariant and desktop warning summaries in scripts/release/build_evidence_pack.sh
• added a Make target for runtime invariants and another for standalone desktop warning-budget checks
• added test coverage for both new scripts in apps/cloud/tests/test_release_observability_scripts.py
• updated docs to explain how to interpret the invariant report and desktop warning budget outputs
• reduced cloud smoke log verbosity and fixed local support-bundle sanitization to allow benign observability fields exposed by the new demo-readiness edge runtime

Validation

Locally verified:

• ./scripts/release/check_version_consistency.sh
• make check-invariants
• make demo-verify
• make release-check
• apps/cloud/tests/test_release_observability_scripts.py

Release evidence from the successful local gate includes:

• invariant_report.json
• desktop_warning_budget.json
• reliability_slo.json
• support_bundle_latest.tar.gz
• bench_edge_latest.json

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 16160244cc

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".