feat(release): aarch64-linux + WASM target + SHA256 verification (arch-4 §4)

[srmcguirt]

Summary

Implements arch-4 §4 (CI release pipeline updates) and arch-4 §4.6 (WASM bundle for homepage playground per Directive 1). Resolves the TODO(v1.x) in packages/compiler/js/postinstall.ts.

What changed

Release workflow (.github/workflows/release.yml)

Change	Why
+ aarch64-unknown-linux-gnu matrix entry (5th target, use_cross: true)	Closes the M1 gap in arch-4 §4.1 — every npm install @aihu/compiler on Linux ARM (Raspberry Pi, Cloudflare Workers ARM, AWS Graviton) currently downloads nothing.
+ build-wasm job using wasm-pack, publishes aihu-compile-wasm.tar.gz	Required by Directive 1 (homepage playground) — playground will fetch from releases/latest/download/aihu-compile-wasm.tar.gz. Emits non-blocking ::warning:: if gzipped .wasm >500 KB.
+ SHA256 sidecars (Unix sha256sum, Windows Get-FileHash)	Enables tamper-evident verification at install time per arch-4 §4.3. One sidecar per binary + one for the WASM tarball.
release job needs: [build, build-wasm]	Both the platform binaries and WASM bundle ship in the same Release.

Postinstall verification (packages/compiler/js/postinstall.ts)

Change	Why
+ linux/arm64 case in resolveAsset() returning aihu-compile-linux-arm64	Pairs with the new matrix entry.
+ verifySha256() using node:crypto createHash('sha256')	Implements arch-4 §4.3. Hard-fail on digest mismatch: binary deleted, both digests printed, exit 1.
+ Soft-warn on sidecar 404	Allows pre-v1.1 releases without sidecars to install successfully — temporary scaffolding; v1.1+ tags always emit sidecars.
+ Graceful 404 handling for aarch64-linux in main()	Until v1.1 ships, the asset doesn't exist yet — same fallback path as Windows had pre-this-PR.

Documentation (packages/compiler/WASM.md)

Replaced the brief Release Workflow Integration paragraph with a full CI Release Flow section covering:

• Matrix of every published asset and its consumer
• Cross-compilation via cross (pinned commit)
• WASM build job mechanics + size diagnostics threshold
• SHA256 verification flow step-by-step
• Dry-run via workflow_dispatch

.gitignore (packages/compiler/.gitignore)

Added target/, pkg-wasm/, *.sha256 so local release-asset staging never accidentally lands in git.

Verification

• python -c "import yaml; yaml.safe_load(open('.github/workflows/release.yml'))" → OK
• All five existing matrix targets still build the same way (cargo build, no use_cross)
• The aarch64-linux entry alone uses cross — installed once per matrix run at the pinned rev
• WASM bundle size warning is non-blocking; release continues even if budget regresses (so a v1.1 bug won't gate the release, but the warning surfaces in the workflow run)

Out of scope (held)

• Live-binding (RFC docs(spec): live-binding RFC — M1 keystone #56) — security review of §9 still required per Directive 3
• <playground-embed> custom element — gates on the first v1.1.0 tag push that produces the WASM bundle

Spec sources

• arch-4 §4 — pre-built compiler binary distribution
• arch-4 §4.3 — SHA256 sidecar verification
• arch-4 §4.6 — WASM bundle for browser playground
• Directive 1 — interactive homepage playground

🤖 Generated with Claude Code

[changeset-bot]

⚠️ No Changeset found

Latest commit: 08ddbe2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR