
v0.8.19 — fourth-round doc-accuracy sweep + --max-body-bytes CLI flag


masumi-ryugo released this 06 Jun 17:15
80 commits to main since this release

Fourth-round Codex CLI + Claude Code review of v0.8.18 caught
fabrications in the v0.8.18 runbook + threat-model + bolero
module doc
(written from memory rather than verified against
the source tree) and one missing CLI flag the threat model
already advertised. v0.8.19 closes all 12 items.

Published to crates.io as s4-server@0.8.19, s4-codec@0.8.19,
s4-config@0.8.19, s4-codec-py@0.8.19. Install via
cargo install s4-server (CPU build).

What's new since v0.8.18

Added (#174)

  • #174 D-1 — --max-body-bytes <BYTES> CLI flag. The cap
    was builder-only before v0.8.19 (with_max_body_bytes), but
    the threat model already advertised it as an operator-
    tunable defence — the doc was right; the missing piece was
    the CLI flag. Default 5 GiB matches the AWS S3 single-PUT
    max.
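The cap behind --max-body-bytes only protects the server if it is enforced on the bytes actually received, not just on the declared Content-Length: a client can omit the header (chunked) or lie in it. The following is an added illustration in Rust of that two-stage enforcement, not s4-server's own code; the function and error names are assumptions, and the 5 GiB default mirrors the figure in the release notes.

```rust
use std::io::Read;

/// Default cap: 5 GiB, the AWS S3 single-PUT maximum cited in the release notes.
pub const DEFAULT_MAX_BODY_BYTES: u64 = 5 * 1024 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// Declared Content-Length exceeds the cap: rejected before any body byte is read.
    DeclaredTooLarge { declared: u64, max: u64 },
    /// The stream delivered more bytes than the cap (no Content-Length, or a lying one).
    StreamTooLarge { max: u64 },
    Io(String),
}

/// Read a request body while enforcing `max` both on the declared length and on the
/// bytes actually received. Names and error shape are assumptions for this example.
pub fn read_body_capped<R: Read>(
    content_length: Option<u64>,
    body: R,
    max: u64,
) -> Result<Vec<u8>, BodyError> {
    // Stage 1: cheap early rejection when the client declares an oversized body.
    if let Some(declared) = content_length {
        if declared > max {
            return Err(BodyError::DeclaredTooLarge { declared, max });
        }
    }
    // Stage 2: ask the stream for at most max+1 bytes. Receiving that extra byte proves
    // the body is too large without ever buffering an unbounded stream.
    let mut limited = body.take(max.saturating_add(1));
    let mut buf = Vec::new();
    limited
        .read_to_end(&mut buf)
        .map_err(|e| BodyError::Io(e.to_string()))?;
    if buf.len() as u64 > max {
        return Err(BodyError::StreamTooLarge { max });
    }
    Ok(buf)
}

fn main() {
    // Constructed inputs: a 10-byte cap with an honest header, no header, and a lying header.
    let max = 10;
    println!("{:?}", read_body_capped(Some(5), &b"hello"[..], max));
    println!("{:?}", read_body_capped(None, &b"hello world!"[..], max));
    println!("{:?}", read_body_capped(Some(3), &b"hello world!"[..], max));
}
```

The first stage gives the client a fast 413-style rejection and costs nothing; the second stage is the one that actually bounds memory, because it is the only check a misbehaving client cannot influence.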

Fixed (#175-#185, doc / minor)

  • #175 D-2 — docs/security/threat-model.md no longer
    references a non-existent --state-dir. Replaced with the
    per-manager --<x>-state-file list (versioning,
    object_lock, mfa_delete, cors, inventory, notifications,
    tagging, replication, lifecycle).
  • #176 D-3 — Runbook §1 (disk full) rewritten. The pre-D-3
    text told operators that systemctl reload would "stop
    accepting new connections" — SIGHUP only rotates TLS
    certificates. Mitigation path now correctly says front S4
    with a load balancer + drain there, or change
    --max-concurrent-connections and restart (not reload).
  • #177 D-4 — Runbook §6 (MFA-Delete recovery) now points
    at the --mfa-delete-state-file <PATH> operator-supplied
    file, not the fictional mfa.json under a fictional
    --state-dir.
  • #178 D-5 — Runbook §12 (signals) SIGUSR1 description was
    wrong: pre-D-5 it claimed access-log flush; reality is the
    v0.8.5 #86 helper atomically dumps every in-memory state
    manager (versioning / object_lock / mfa_delete / cors /
    inventory / notifications / tagging / replication /
    lifecycle) to its --<x>-state-file. Access-log buffer
    drains on shutdown, not on SIGUSR1.
  • #179 D-6 — Runbook metric reference table renamed every
    metric to its canonical name in
    crates/s4-server/src/metrics.rs. The pre-D-6 table cited
    s4_backend_error_total, s4_replication_pending_total,
    s4_replication_completed_total,
    s4_replication_failed_total,
    s4_tls_cert_reload_failed_total and
    s4_gpu_compress_oom_total. None of those exist.
    Real names: s4_replication_dropped_total,
    s4_replication_replicated_total,
    s4_tls_cert_reload_total{result="err"},
    s4_gpu_oom_total.
  • #180 D-7 — Runbook PromQL alert syntax corrected:
    action="s3:Bypass*" (literal *, never matches) →
    action=~"s3:Bypass.*" (regex matcher).
  • #181 D-8 — Runbook §4 SSE-S4 rotation typo: retiredsl →
    retired slots.
  • #182 D-9 — crates/s4-server/tests/fuzz_bolero.rs
    module doc trimmed to the 2 targets actually shipped
    (sigv4a_auth_header_bolero, policy_json_bolero). The
    pre-D-9 text claimed 4 targets (including a
    pub(crate)-re-export-based one that doesn't exist). The
    two missing targets are tagged honestly as v0.8.19+
    roadmap.
  • #183 D-10 — crates/s4-server/tests/chaos.rs placeholder
    smoke test now carries concrete assert_eq! checks so a
    future refactor can't accidentally leave the file
    compiling-but-useless.
  • #184 D-11 — AWS SigV4 vectors module doc no longer
    claims every vector comes from the AWS-published suite.
    Split honestly into AWS-published (4 vectors) and
    S3 spec-derived edge vectors (7 vectors, motivated by the
    v0.8.16 #150 byte-level fix).
  • #185 D-12 — Threat-model residual risk #4 (versioned
    multipart Range GET fall-back to full read) now includes
    the cost note about large multipart objects + range-heavy
    workloads.
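Item #178 turns on the distinction between an atomic dump of each in-memory state manager to its --<x>-state-file and a plain overwrite: if the process dies halfway through a plain write, the operator is left with a truncated state file. The block below is an added example in Rust of the write-to-temp-then-rename pattern that gives that atomicity; it is not s4-server's own implementation, the `StateManager` type and the key=value serialization are stand-ins invented for the example, and the manager names are the ones listed in the release notes.

```rust
use std::fs::{self, File};
use std::io::{self, Write};
use std::path::{Path, PathBuf};

/// Write `contents` to `target` so that readers see either the old file or the
/// complete new one, never a truncated mix, even if the process dies mid-write.
pub fn atomic_write(target: &Path, contents: &[u8]) -> io::Result<()> {
    let file_name = target
        .file_name()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "target has no file name"))?;
    let mut tmp_name = file_name.to_os_string();
    tmp_name.push(".tmp");
    let tmp: PathBuf = target.with_file_name(tmp_name);

    // Write and fsync the temporary file first so the data is durable before the
    // rename makes it visible under the real name.
    let mut f = File::create(&tmp)?;
    f.write_all(contents)?;
    f.sync_all()?;
    drop(f);

    // rename(2) replaces the target atomically on the same filesystem; the temp file
    // lives beside the target precisely so that it is on the same filesystem.
    fs::rename(&tmp, target)
}

/// Minimal stand-in for one in-memory state manager (an assumption for this example,
/// not the project's type). `name` matches the manager list in the release notes.
pub struct StateManager {
    pub name: &'static str,
    pub state_file: PathBuf,
    pub entries: Vec<(String, String)>,
}

impl StateManager {
    /// Serialize as `key=value` lines; the on-disk format is an assumption here.
    pub fn serialize(&self) -> Vec<u8> {
        let mut out = String::new();
        for (k, v) in &self.entries {
            out.push_str(k);
            out.push('=');
            out.push_str(v);
            out.push('\n');
        }
        out.into_bytes()
    }
}

/// What a SIGUSR1 handler would call: dump every manager to its own state file.
/// Returns the number of managers written; stops at the first I/O failure.
pub fn dump_all(managers: &[StateManager]) -> io::Result<usize> {
    for m in managers {
        atomic_write(&m.state_file, &m.serialize())?;
    }
    Ok(managers.len())
}

fn main() -> io::Result<()> {
    // Constructed sample: one manager dumped into the OS temp directory.
    let m = StateManager {
        name: "versioning",
        state_file: std::env::temp_dir().join("s4_example_versioning.state"),
        entries: vec![("bucket-a".to_string(), "Enabled".to_string())],
    };
    let n = dump_all(&[m])?;
    println!("dumped {} manager(s)", n);
    Ok(())
}
```

A handler that runs on a signal should not block the request path while holding the manager locks for the whole write; snapshot the in-memory state under the lock, release it, then perform the atomic write from the snapshot.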

Tests

449 lib + 45 integration + 11 SigV4 vectors + 2 bolero + 1
chaos = unchanged from v0.8.18; all green under
RUSTFLAGS="-D warnings"; cargo clippy --workspace --all-targets
clean; cargo fmt --all --check clean; MinIO E2E + coverage +
bench-smoke jobs all green on CI.

Notes

  • v0.8.19 closes the fourth-round audit. Four full audit
    cycles (3 security + 1 production-readiness + 1
    doc-accuracy) have now run against this codebase. The doc
    fabrications (#175–#180) were a reminder that runbooks
    written from memory are unreliable; future doc work will be
    verified against the source tree before each commit.
  • --max-body-bytes is the only new operator-visible knob
    since v0.8.17. The four opt-ins now available are:
    --trust-x-forwarded-for (v0.8.11),
    --prefer-columnar-gpu (v0.8.13),
    --allow-legacy-reserved-key-reads (v0.8.17), and
    --max-body-bytes (v0.8.19).

Full per-issue notes: CHANGELOG.md.