v0.9.0 — six-feature roadmap landing + 7-round integrated audit (clean)

@masumi-ryugo masumi-ryugo released this 07 Jun 11:31
· 62 commits to main since this release

First v0.9 minor cut. Six roadmap items shipped in this release line, followed by a 7-round integrated cross-feature audit that converged on round 7 (clean bill of health). Net diff vs v0.8.22: 26 files / +8,500 lines across s4-codec and s4-server, all behind opt-in flags or new subcommands — no behavioral change on existing CLI surface or default-config deployments.

Published to crates.io as s4-server@0.9.0, s4-codec@0.9.0, s4-config@0.9.0, s4-codec-py@0.9.0. Install via cargo install s4-server.

Headline additions

  • Operator tooling: s4 verify-sidecar / s4 repair-sidecar / s4 sweep-orphan-sidecars subcommands close the gap that v0.8.x docs/orphan-sidecar-recovery.md left as a manual aws-cli recipe. Library API s4_server::repair::{verify_sidecar, repair_sidecar, sweep_orphan_sidecars} available for programmatic use. DeletePolicy::{DryRun, PairBoundOnly, IncludeUndecodable} tiers protect legacy reserved-name user data (the v0.8.17 --allow-legacy-reserved-key-reads migration scenario) from accidental sweep delete.

  • Performance regression gate — criterion-based bench targets (~30 bench points across codec_roundtrip / frame_codec / index_codec) + GitHub-Pages-backed trend chart via benchmark-action/github-action-benchmark. Bench workflow auto-bootstraps the gh-pages branch on first push.

  • Encryption-aware sidecar (SSE-S4 chunked / S4E6) — Range GET on --sse-chunk-size > 0 objects now hits a partial-fetch fast path via the new v3 sidecar format (extends v2 with a 30-byte SSE binding block: chunk_size + chunk_count + key_id + salt + plaintext_len + header_bytes). SSE-KMS / SSE-C / SSE-S4 buffered (S4E2) / multipart remain on the v0.8.12 #120 buffered fallback (deferred to v0.10+).

  • True streaming PUT checksum verify (tee-into-hasher) for cpu-zstd / nvcomp-zstd single-PUT — closes the v0.8.13 #127 regression that v0.8.14 #129 reverted to a buffered fallback. Honors Content-MD5 + x-amz-checksum-{crc32, crc32c, sha1, sha256, crc64nvme} headers AND SigV4-streaming x-amz-trailer claims. Multipart upload_part keeps the buffered per-part verify (bytes are already in memory there for framing).

  • Chaos infrastructure — 5 deterministic backend-fault scenarios (mid-stream GET error, HEAD latency timeout, concurrent overwrite, SSE keyring rotation mid-PUT, multipart Complete failure) replace the v0.8.18 P7 scaffold. In-memory mock backend; no Docker dep, no flake.

  • 32-bit cross-compile (i686-unknown-linux-gnu) across every workspace crate. Runtime is NOT claimed — cargo check --target parity only. Closes the v0.8.21 R5-8 regression where the 5 GiB usize const overflowed on 32-bit.
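
The tee-into-hasher pattern named in the streaming PUT checksum item, as an added sketch that is not s4-server's code: `VerifyingReader`, `put_verified` and the `Vec` sink standing in for the backend upload are hypothetical names, and the client's CRC-32 claim is assumed to be already decoded from its header. It shows why the mismatch has to surface as an error on the read that hits EOF: by then every byte has already been forwarded.

```rust
use std::io::{self, Read};

// Bitwise CRC-32 (IEEE, reflected polynomial 0xEDB88320), incremental form:
// start from 0xFFFF_FFFF, feed chunks, XOR with 0xFFFF_FFFF to finalize.
fn crc32_update(mut crc: u32, data: &[u8]) -> u32 {
    for &b in data {
        crc ^= b as u32;
        for _ in 0..8 {
            crc = if crc & 1 != 0 { (crc >> 1) ^ 0xEDB8_8320 } else { crc >> 1 };
        }
    }
    crc
}

// Hypothetical wrapper: passes bytes through unchanged while hashing them,
// so the body is never buffered whole just to be verified.
pub struct VerifyingReader<R> {
    inner: R,
    state: u32,
    expected: u32, // client-claimed CRC-32 (assumed decoded from the header)
}

impl<R: Read> Read for VerifyingReader<R> {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        let n = self.inner.read(buf)?;
        if n > 0 {
            self.state = crc32_update(self.state, &buf[..n]);
        } else if !buf.is_empty() && (self.state ^ 0xFFFF_FFFF) != self.expected {
            // EOF reached: fail closed instead of reporting a clean end of stream.
            return Err(io::Error::new(io::ErrorKind::InvalidData, "checksum mismatch"));
        }
        Ok(n)
    }
}

// Streams `body` to `sink` in 4-byte chunks (tiny on purpose, to force several
// reads). On Err the sink already holds the bytes, so the caller must discard it.
pub fn put_verified(body: &[u8], expected: u32, sink: &mut Vec<u8>) -> io::Result<usize> {
    let mut r = VerifyingReader { inner: body, state: 0xFFFF_FFFF, expected };
    let mut chunk = [0u8; 4];
    loop {
        let n = r.read(&mut chunk)?;
        if n == 0 { return Ok(sink.len()); }
        sink.extend_from_slice(&chunk[..n]);
    }
}
```

In a real upload path the error branch is where the partially written object would be aborted rather than committed.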

Audit posture

  • 6 per-feature audits (11 Codex CLI rounds total) on the roadmap commits.
  • 7-round integrated cross-feature audit on the full v0.9 range (142e50e..main). Catches gaps per-feature audits couldn't see: encrypted-body handling in sidecar tooling, trailer-verify dispatch consistency, OOM hardening, HEAD→GET TOCTOU on the bounded sidecar fetch.
  • Zero P1 findings across all 18 rounds. 7 P2 + 1 self-review fix in the integrated audit, all landed.
  • cargo audit clean (same 4 documented ignores as v0.8.22: RUSTSEC-2026-0098/0099/0104 in the upstream aws-sdk-rust TLS stack, RUSTSEC-2025-0134 unmaintained dev-only rustls-pemfile).

Coverage

  • ~720 workspace tests pass, 0 failed.
  • 17 new lib unit tests in s4_server::repair (parsing, ETag normalization, Option<&str> equality semantics, DeletePolicy::allows truth table, status truth table including MissingHarmless / MissingDivergent / MissingUnknown, body-cap constant pinning, NotFramed / SidecarTooLarge / EncryptedSidecarUnsupported / OverwrittenDuringRepair wire shapes).
  • 14 new MinIO E2E tests covering verify-clean, repair-after-delete, repair-after-clobber, sweep-finds-and-deletes-orphan, sweep-pair-bound-only-preserves-undecodable, post-PUT race detector (best-effort), MissingHarmless on small single-PUT, encrypted-body reject, P2-R3 NotFramed reject (empty + raw body), P2-R4 verify-side MissingHarmless, P2-R5 oversized-sidecar sweep classification, plus 4 server-side encryption-aware sidecar tests (chunked range-GET uses v3 partial-fetch, round-trip correctness, buffered fallback unchanged, non-SSE PUT still emits v2).
  • 6 deterministic chaos scenarios + scaffold smoke.

v0.10 follow-up (deferred, scope-out)

  • Encrypted sidecar repair via CLI keyring plumbing (--sse-s4-key <path>).
  • Encryption-aware sidecar for SSE-KMS / SSE-C / S4E2 / multipart.
  • Streaming PUT checksum verify for multipart upload_part + GPU codec non-streaming branch.
  • 32-bit runtime smoke test of s4-server (currently cargo check --target parity only).

Full changelog

See CHANGELOG.md for the per-finding detail.

🤖 Generated with Claude Code