feat!: add WASIX asset pipeline and protocol recovery

.gitattributes

@@ -0,0 +1 @@
+spikes/wasix-postgres-build/patches/*.patch whitespace=-blank-at-eol,-space-before-tab

.github/actions/setup-rust-tools/action.yml

@@ -0,0 +1,50 @@
+name: Set up Rust tools
+description: Install the pinned Rust toolchain, cache Cargo output, and install optional Cargo tools.
+
+inputs:
+  toolchain:
+    description: Rust toolchain version.
+    required: false
+    default: "1.92"
+  components:
+    description: Comma-separated Rust components.
+    required: false
+    default: ""
+  cache:
+    description: Whether to enable the Cargo cache.
+    required: false
+    default: "true"
+  cache-workspaces:
+    description: Workspace mapping for Swatinem/rust-cache.
+    required: false
+    default: ". -> target"
+  cache-save-if:
+    description: Expression string passed to Swatinem/rust-cache save-if.
+    required: false
+    default: "false"
+  tools:
+    description: Comma-separated tools for taiki-e/install-action.
+    required: false
+    default: ""
+
+runs:
+  using: composite
+  steps:
+    - name: Install Rust toolchain
+      uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
+      with:
+        toolchain: ${{ inputs.toolchain }}
+        components: ${{ inputs.components }}
+
+    - name: Cache Cargo output
+      if: ${{ inputs.cache == 'true' }}
+      uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32
+      with:
+        workspaces: ${{ inputs.cache-workspaces }}
+        save-if: ${{ inputs.cache-save-if }}
+
+    - name: Install Cargo tools
+      if: ${{ inputs.tools != '' }}
+      uses: taiki-e/install-action@1f2425cdb59f8fffb99ee16a5968edf6f57a2b93
+      with:
+        tool: ${{ inputs.tools }}

.github/actions/setup-wasmer-llvm/action.yml

@@ -0,0 +1,109 @@
+name: Set up Wasmer LLVM
+description: Restore or install the pinned Wasmer LLVM toolchain used for WASIX and AOT generation.
+
+inputs:
+  url:
+    description: Wasmer LLVM archive URL.
+    required: true
+  version:
+    description: Expected LLVM major.minor version.
+    required: false
+    default: "22.1"
+  cache:
+    description: Whether to restore and save the extracted LLVM toolchain.
+    required: false
+    default: "true"
+  cache-save-if:
+    description: Whether to save a cache miss after installation.
+    required: false
+    default: "false"
+
+runs:
+  using: composite
+  steps:
+    - name: Derive LLVM cache key
+      id: cache-key
+      shell: bash
+      env:
+        LLVM_URL: ${{ inputs.url }}
+        LLVM_VERSION: ${{ inputs.version }}
+      run: |
+        if command -v shasum >/dev/null 2>&1; then
+          url_hash="$(printf '%s' "$LLVM_URL" | shasum -a 256 | cut -c1-16)"
+        else
+          url_hash="$(printf '%s' "$LLVM_URL" | sha256sum | cut -c1-16)"
+        fi
+        echo "key=wasmer-llvm-${RUNNER_OS}-${RUNNER_ARCH}-${LLVM_VERSION}-${url_hash}" >> "$GITHUB_OUTPUT"
+
+    - name: Restore Wasmer LLVM cache
+      id: cache
+      if: ${{ inputs.cache == 'true' }}
+      uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830
+      with:
+        path: ${{ runner.temp }}/wasmer-llvm/${{ steps.cache-key.outputs.key }}
+        key: ${{ steps.cache-key.outputs.key }}
+
+    - name: Install Wasmer LLVM
+      shell: bash
+      env:
+        LLVM_URL: ${{ inputs.url }}
+        LLVM_VERSION: ${{ inputs.version }}
+        CACHE_KEY: ${{ steps.cache-key.outputs.key }}
+      run: | # zizmor: ignore[github-env] repo-owned LLVM URLs and validated tool paths are exported for later workflow steps.
+        runner_temp="$RUNNER_TEMP"
+        if [ "$RUNNER_OS" = "Windows" ]; then
+          runner_temp="$(cygpath -u "$RUNNER_TEMP")"
+        fi
+
+        cache_root="$runner_temp/wasmer-llvm/$CACHE_KEY"
+        install_dir="$cache_root/llvm"
+        if [ "$RUNNER_OS" = "Windows" ]; then
+          llvm_config="$install_dir/bin/llvm-config.exe"
+        else
+          llvm_config="$install_dir/bin/llvm-config"
+        fi
+
+        if [ ! -x "$llvm_config" ]; then
+          archive="$runner_temp/llvm-${LLVM_VERSION}.tar.xz"
+          rm -rf "$install_dir"
+          mkdir -p "$install_dir"
+          curl -L --fail --retry 3 --output "$archive" "$LLVM_URL"
+          tar -xJf "$archive" -C "$install_dir"
+        fi
+
+        if [ ! -x "$llvm_config" ]; then
+          echo "LLVM extraction did not produce bin/llvm-config" >&2
+          find "$install_dir" -maxdepth 3 -type f -name 'llvm-config*' -print >&2
+          exit 1
+        fi
+
+        if [ "$RUNNER_OS" = "Windows" ]; then
+          env_prefix="$(cygpath -w "$install_dir")"
+          path_entry="$(cygpath -w "$install_dir/bin")"
+        else
+          env_prefix="$install_dir"
+          path_entry="$install_dir/bin"
+        fi
+
+        echo "LLVM_PATH=$env_prefix" >> "$GITHUB_ENV"
+        echo "LLVM_SYS_221_PREFIX=$env_prefix" >> "$GITHUB_ENV"
+        echo "$path_entry" >> "$GITHUB_PATH"
+
+        version="$("$llvm_config" --version)"
+        case "$version" in
+          "$LLVM_VERSION".*) ;;
+          *) echo "expected LLVM $LLVM_VERSION.x, got $version" >&2; exit 1 ;;
+        esac
+
+        targets="$("$llvm_config" --targets-built)"
+        case "$targets" in
+          *LoongArch*WebAssembly*|*WebAssembly*LoongArch*) ;;
+          *) echo "expected Wasmer LLVM build with LoongArch and WebAssembly targets; got $targets" >&2; exit 1 ;;
+        esac
+
+    - name: Save Wasmer LLVM cache
+      if: ${{ inputs.cache == 'true' && inputs.cache-save-if == 'true' && steps.cache.outputs.cache-hit != 'true' }}
+      uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830
+      with:
+        path: ${{ runner.temp }}/wasmer-llvm/${{ steps.cache-key.outputs.key }}
+        key: ${{ steps.cache-key.outputs.key }}

.github/pull_request_template.md

@@ -4,9 +4,13 @@
 
 - [ ] Package/API/runtime change: PR title uses `feat:`, `fix:`, `perf:`, `refactor:`, `revert:`, or a breaking `!`.
 - [ ] Docs/CI/repository-only change: no release intended.
+- [ ] Asset/source-spine change: source pins/fingerprints are current and the Assets workflow will generate/test release artifacts.
 
 ## Verification
 
-- [ ] `scripts/validate.sh ci`
-- [ ] `scripts/validate.sh release`
+- [ ] `scripts/validate.sh repo`
+- [ ] `scripts/validate.sh artifacts`
+- [ ] `scripts/validate.sh lint`
+- [ ] `scripts/validate.sh test`
+- [ ] `scripts/validate.sh package` when published package contents changed
 - [ ] `cargo deny check`

.github/scripts/check-release-intent.sh

@@ -21,38 +21,62 @@ if [[ "${subject}" =~ ${release_pr_pattern} && "${head_branch}" == release-plz-*
   is_release_pr=true
 fi
 
-package_version_from_ref() {
-  local ref="${1:?package_version_from_ref requires a git ref}"
-
-  git show "${ref}:Cargo.toml" | awk '
+package_versions_from_ref() {
+  local ref="${1:?package_versions_from_ref requires a git ref}"
+  local files
+
+  files="$(
+    git ls-tree -r --name-only "${ref}" |
+      grep -E '(^Cargo.toml$|^crates/.*/Cargo.toml$)' || true
+  )"
+
+  while IFS= read -r file; do
+    [[ -z "${file}" ]] && continue
+    git show "${ref}:${file}" | awk -v file="${file}" '
     /^\[package\][[:space:]]*$/ {
       in_package = 1
       next
     }
     /^\[/ && in_package {
       exit
     }
+    in_package && $0 ~ /^[[:space:]]*name[[:space:]]*=/ {
+      name = $0
+      sub(/^[^=]*=[[:space:]]*"/, "", name)
+      sub(/".*$/, "", name)
+    }
     in_package && $0 ~ /^[[:space:]]*version[[:space:]]*=/ {
       line = $0
       sub(/^[^=]*=[[:space:]]*"/, "", line)
       sub(/".*$/, "", line)
-      print line
+      if (name == "") {
+        name = file
+      }
+      print name "=" line
       exit
     }
   '
+  done <<< "${files}" | sort
 }
 
-base_version="$(package_version_from_ref "${base_ref}")"
-head_version="$(package_version_from_ref "${head_ref}")"
+base_versions="$(package_versions_from_ref "${base_ref}")"
+head_versions="$(package_versions_from_ref "${head_ref}")"
 
-if [[ -z "${base_version}" || -z "${head_version}" ]]; then
-  echo "could not read package version from Cargo.toml" >&2
+if [[ -z "${base_versions}" || -z "${head_versions}" ]]; then
+  echo "could not read package versions from Cargo.toml files" >&2
   exit 1
 fi
 
-if [[ "${base_version}" != "${head_version}" && "${is_release_pr}" != true ]]; then
+changed_existing_versions="$(
+  join -t $'\t' \
+    <(printf '%s\n' "${base_versions}" | sed 's/=/\t/' | sort -t $'\t' -k1,1) \
+    <(printf '%s\n' "${head_versions}" | sed 's/=/\t/' | sort -t $'\t' -k1,1) |
+    awk -F '\t' '$2 != $3 { print $1 "=" $2 " -> " $3 }'
+)"
+
+if [[ -n "${changed_existing_versions}" && "${is_release_pr}" != true ]]; then
   cat >&2 <<EOF
-This PR changes the root package version from ${base_version} to ${head_version}.
+This PR changes one or more workspace package versions.
 
 Package version bumps are release-plz owned. Run the Release workflow with
 prepare-release-pr and merge the generated release-plz PR instead of changing
@@ -63,6 +87,15 @@ their title starts with chore(release):.
 
 Received:
   ${subject}
+
+Base package versions:
+${base_versions}
+
+Head package versions:
+${head_versions}
+
+Changed existing package versions:
+${changed_existing_versions}
 EOF
   exit 1
 fi
@@ -71,7 +104,7 @@ while IFS= read -r file; do
   [[ -z "${file}" ]] && continue
 
   case "${file}" in
-    Cargo.toml | Cargo.lock | build.rs | src/* | assets/* | examples/* | benches/*)
+    Cargo.toml | build.rs | src/* | crates/*)
       affected_files+=("${file}")
       ;;
   esac
@@ -102,8 +135,9 @@ Breaking changes may use any type with !, for example:
 release-plz PRs are exempt only when their branch starts with release-plz- and
 their title starts with chore(release):.
 
-Docs, CI, issue-template, and repository-only changes can keep non-release types
-such as docs:, ci:, chore:, style:, or test: when they do not touch package code.
+Docs, CI, tests, examples, xtask-only maintenance, source-checkout scripts, and
+other repository-only changes can keep non-release types such as docs:, ci:,
+chore:, style:, or test: when they do not touch published package code.
 
 Received:
   ${subject}

.github/scripts/download-aot-artifacts.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${GITHUB_SHA:?GITHUB_SHA is required}"
+: "${GITHUB_TOKEN:?GITHUB_TOKEN is required}"
+
+cargo run -p xtask -- assets download --sha "$GITHUB_SHA" --all-targets

.github/scripts/require-workflow-success.sh

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+workflow="${1:?usage: require-workflow-success.sh <workflow> <sha> [timeout-seconds] [--artifact <name>...]}"
+sha="${2:?usage: require-workflow-success.sh <workflow> <sha> [timeout-seconds] [--artifact <name>...]}"
+timeout="${3:-7200}"
+if [[ $# -ge 3 ]]; then
+  shift 3
+else
+  shift "$#"
+fi
+
+required_artifacts=()
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --artifact)
+      required_artifacts+=("${2:?--artifact requires a name}")
+      shift 2
+      ;;
+    *)
+      echo "unknown argument: $1" >&2
+      exit 2
+      ;;
+  esac
+done
+
+: "${GH_TOKEN:?GH_TOKEN is required}"
+: "${GH_REPO:?GH_REPO is required}"
+
+required_artifacts_present() {
+  run_id="$1"
+  if [[ "${#required_artifacts[@]}" -eq 0 ]]; then
+    return 0
+  fi
+
+  artifacts="$(gh api "repos/$GH_REPO/actions/runs/$run_id/artifacts" \
+    --paginate \
+    --jq '.artifacts[].name')" || return 1
+  for expected in "${required_artifacts[@]}"; do
+    if ! printf '%s\n' "$artifacts" | grep -Fxq "$expected"; then
+      return 1
+    fi
+  done
+}
+
+deadline=$((SECONDS + timeout))
+while true; do
+  runs="$(gh run list \
+    --workflow "$workflow" \
+    --commit "$sha" \
+    --limit 10 \
+    --json databaseId,status,conclusion,url,event \
+    --jq '.[] | [.databaseId, .status, (.conclusion // ""), .url, .event] | @tsv')"
+  if [ -n "$runs" ]; then
+    echo "$runs"
+    for run_id in $(echo "$runs" | awk -F '\t' '$2 == "completed" && $3 == "success" { print $1 }'); do
+      if required_artifacts_present "$run_id"; then
+        exit 0
+      fi
+      echo "$workflow run $run_id is successful but is missing one or more required artifacts"
+    done
+    if echo "$runs" | awk -F '\t' '$2 != "completed" { active=1 } END { exit active ? 0 : 1 }'; then
+      echo "$workflow is still running for $sha"
+    elif echo "$runs" | awk -F '\t' '$2 == "completed" && $3 != "success" && $5 != "workflow_dispatch" { failed=1 } END { exit failed ? 0 : 1 }'; then
+      echo "$workflow failed for $sha" >&2
+      exit 1
+    else
+      echo "waiting for successful $workflow workflow for $sha"
+    fi
+  else
+    echo "waiting for $workflow workflow for $sha"
+  fi
+  if [ "$SECONDS" -ge "$deadline" ]; then
+    echo "timed out waiting for successful $workflow workflow for $sha" >&2
+    exit 1
+  fi
+  sleep 60
+done