v0.8.22 — eighth-round convergence (clean bill of health)

@masumi-ryugo masumi-ryugo released this 06 Jun 17:44
· 76 commits to main since this release

Convergence reached. Eight consecutive Codex CLI + Claude
Code review rounds were run against this codebase, totalling 130+ fixes
across 5 security audit cycles + 1 production-readiness sweep +
3 doc-accuracy sweeps. Round 8 returned a clean bill of health.

Skipped intermediate versions: v0.8.20 was never published to
crates.io (Round 6 caught a silent-truncation regression in
v0.8.20 R5-8 → reverted in v0.8.21 R6-1) and v0.8.21 was
never published (Round 7 caught that v0.8.21 R6-6 introduced
a fresh fabrication in the SIGUSR1 grep recipe → fixed in
v0.8.22 R7-1). End users go straight from v0.8.19 → v0.8.22.

Published to crates.io as s4-server@0.8.22, s4-codec@0.8.22,
s4-config@0.8.22, s4-codec-py@0.8.22. Install via
cargo install s4-server.

What converged

Round 7 → v0.8.22 (#200-#202)

  • #200 R7-1 — Runbook §1 SIGUSR1 grep target corrected to
    "S4 SIGUSR1: dumped attached-manager snapshots" (the real
    substring in main.rs:1830). v0.8.21 R6-6 used a
    hand-written string that never matched.
  • #201 R7-2 — README §roadmap "v0.8.8 released
    (2026-05-20)" replaced with a moving-target reference to
    CHANGELOG + GitHub Releases. The pinned bullet was 13
    patches stale.
  • #202 R7-3 — Threat-model + runbook "Last reviewed"
    stamps both bumped to v0.8.22 with a one-line Stamp policy
    declaring future cuts bump both in lockstep.

Round 6 → v0.8.21 (#194-#199, rolled into v0.8.22)

  • #194 R6-1 — Reverted v0.8.20 R5-8's silent-truncation
    regression. --max-body-bytes default stays as the bare
    5 * 1024 * 1024 * 1024 literal, which is a loud compile
    error on 32-bit — the correct failure mode.
  • #195 R6-2 — Runbook trailing "Metric-naming note"
    s4_requests_total{status=~"5..."} → result="err".
  • #196 R6-3 — Runbook "Last reviewed" stamp bumped
    (R7-3 then re-bumped in lockstep with threat-model).
  • #197 R6-4 — AWS SigV4 vectors docstring reverted
    get-utf8-path → get-utf8 (R5-7 walk-back; AWS upstream
    name is get-utf8).
  • #198 R6-5 — Orphan-sidecar roadmap aligned with
    README #106 (v0.9 s4-tool repair-sidecar / verify).
  • #199 R6-6 — Runbook §1 SIGUSR1 recipe drops sleep 1
    in favour of journalctl ... | grep -m1 ... + sleep 5
    fallback. (R7-1 then fixed the grep target itself.)

Round 5 → v0.8.20 (#186-#193, rolled into v0.8.22)

  • #186 R5-1 — Runbook §1 "graceful shutdown dumps state"
    claim removed. Only SIGUSR1 dumps; shutdown only drains
    the access-log buffer.
  • #187 R5-2 — Runbook §2 / §3 / §7 / §8 metric names
    canonicalised. v0.8.19 D-6 only covered §12's dedicated
    alert table; the other 4 sections shipped fabricated
    names. Real names now: s4_gpu_oom_total,
    s4_requests_total{result="err"},
    s4_replication_{dropped,replicated,status_swept}_total,
    s4_tls_cert_reload_total{result="err"}.
  • #188 R5-3 — README + SOCIAL_POSTS drop the fabricated
    s4_codec_chosen_total{codec} — the codec label lives
    on the real s4_requests_total counter.
  • #189 R5-4 — docs/orphan-sidecar-recovery.md shell
    recipe defines BACKEND_ENDPOINT alongside ENDPOINT
    (the recipe used $BACKEND_ENDPOINT without ever
    defining it).
  • #190 R5-5 — Orphan-sidecar stale "v0.8.17 may add"
    claim advanced (then R6-5 / R7 re-aligned to v0.9).
  • #191 R5-6 — Threat-model stamp bumped (R7-3 then
    re-bumped in lockstep with runbook).
  • #192 R5-7 — AWS SigV4 vectors docstring (R6-4 walked
    this back since the AWS upstream name is get-utf8, not
    get-utf8-path).
  • #193 R5-8 — --max-body-bytes default through u64
    cast. Reverted in R6-1 — silent truncation on
    32-bit was the wrong direction.
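
The failure mode behind #194 R6-1 and #193 R5-8, as an added Rust example that is not code from s4-server: u32 stands in for a 32-bit usize (an assumption about the option's type), and body_allowed is a hypothetical size gate. It shows an `as` cast turning the 5 GiB default into 1 GiB with no diagnostic, while a checked conversion fails loudly.

```rust
// Added illustration; not code from s4-server. `u32` stands in for a 32-bit
// `usize` so the behaviour can be observed on a 64-bit host.
use std::convert::TryFrom;

/// The 5 GiB default from the release notes, computed in 64 bits.
const FIVE_GIB: u64 = 5 * 1024 * 1024 * 1024;

/// The "through a u64 cast" shape: `as` keeps only the low 32 bits.
fn default_via_cast() -> u32 {
    FIVE_GIB as u32
}

/// Checked narrowing: a limit that does not fit is an error, never a smaller limit.
fn default_checked() -> Result<u32, String> {
    u32::try_from(FIVE_GIB)
        .map_err(|_| format!("default of {} bytes does not fit the target word size", FIVE_GIB))
}

/// Hypothetical body-size gate: accept only bodies no larger than the limit.
fn body_allowed(len: u64, limit: u64) -> bool {
    len <= limit
}

fn main() {
    let truncated = default_via_cast();
    println!("intended {} bytes, after cast {} bytes", FIVE_GIB, truncated);

    // A 2 GiB upload is within the documented 5 GiB limit ...
    let upload = 2u64 * 1024 * 1024 * 1024;
    println!("allowed under intended limit:  {}", body_allowed(upload, FIVE_GIB));
    // ... but is rejected under the silently truncated limit.
    println!("allowed under truncated limit: {}", body_allowed(upload, truncated as u64));

    // The checked path surfaces the problem instead of enforcing the wrong limit.
    println!("checked conversion: {:?}", default_checked());
}
```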

Cumulative scope (all 8 audit cycles)

| Round | Issues fixed | Cumulative cuts |
|---|---|---|
| R1 (security cycle 1) | CRIT 5 + HIGH 9 + MED 4 + hotfix | v0.8.11–v0.8.14 |
| R2 (security cycle 2) | HIGH+MED 18 | v0.8.15 |
| R3 (security cycle 3) | follow-up 15 + 5 | v0.8.16, v0.8.17 |
| R4 (production readiness) | P1-P7 + #172 | v0.8.18 |
| R4 (doc audit) | 12 | v0.8.19 |
| R5 (metric fabrication sweep) | 9 | v0.8.20 ⛔ skipped publish |
| R6 (silent-truncation regression) | 6 | v0.8.21 ⛔ skipped publish |
| R7 (fresh-fabrication sweep) | 3 | v0.8.22 ✅ published |
| R8 (convergence check) | 0 | — clean |

Operator-visible knobs cumulative

--trust-x-forwarded-for (v0.8.11),
--prefer-columnar-gpu (v0.8.13),
--allow-legacy-reserved-key-reads (v0.8.17),
--max-body-bytes (v0.8.19).

Tests

449 lib + 45 integration + 11 AWS SigV4 vectors + 2 server
bolero fuzz + 1 chaos = total target count ≈ 540, all green
under RUSTFLAGS="-D warnings"; cargo clippy --workspace
--all-targets clean; cargo fmt --all --check clean; MinIO
E2E + coverage + bench-smoke jobs all green on CI.

Upgrade notes

  • No new operator-visible knobs since v0.8.19. The same four
    opt-ins above.
  • The v0.8.20 → v0.8.21 skip on crates.io means end users on
    v0.8.19 get every fix in #186 through #202 in a single
    upgrade.

Recommended pre-launch reading order

  1. docs/security/threat-model.md
  2. docs/ops/runbook.md
  3. README.md
  4. Per-version per-issue notes: CHANGELOG.md