anodizer v0.3.0

Changelog

Features

• 70a3241 add --preflight, --no-preflight, --strict-preflight flags (@tj-smith47)
• 1ffda6f add --resume-release and --replace-existing release-stage overrides (@tj-smith47)
• b28f64f anodize check determinism harness (@tj-smith47)
• 2a131ba restructure anodize check + add core::git::worktree (@tj-smith47)
• d5c7fdf add release-resilience flags (--no-gate-submitter, --rollback, --simulate-failure, --rollback-only, --from-run, --allow-nondeterministic, --summary-json) (@tj-smith47)
• 1d9a13e exit non-zero when required publishers fail (@tj-smith47)
• d0fa896 add DeterminismState for SDE + compile/runtime allowlist (@tj-smith47)
• b5e67c2 add PublishEvidence + PublishReport foundation types (@tj-smith47)
• 24e0af8 add preflight publisher-state enum + report types (@tj-smith47)
• 489103b introduce Publisher trait + PreflightCheck (@tj-smith47)
• 89372af BlobConfig.required field + thread through record_blob_result (@tj-smith47)
• 5ad6a76 snapshot SDE resolver (env > HEAD > dirty-tree-hash) (@tj-smith47)
• 12067d8 stable Context::test_fixture() under feature flag (@tj-smith47)
• b60e737 wire brontes path-dep for dogfooding (@tj-smith47)
• 40e55b9 --inject-drift test hook + --allow-nondeterministic end-to-end wiring (@tj-smith47)
• 684f465 --preserve-dist= copies run-0 dist + context.json (@tj-smith47)
• fe5aa28 auto-detect tag commits + project-version-aware hint (@tj-smith47)
• 5f6a49c run sign hermetically with ephemeral cosign + GPG keys (@tj-smith47)
• 4a34d1a wire SOURCE_DATE_EPOCH through sbom + byte-stability tests (@tj-smith47)
• a84cf39 auto-detect krew-release-bot, switch to bot-template mode (@tj-smith47)
• 1e3c830 wire brontes as anodizer MCP server (@tj-smith47)
• 11a10b2 add changelog + announce to publish-only pipeline (@tj-smith47)
• 7389b93 runtime SHA256 verify of preserved-dist before re-sign (@tj-smith47)
• 52a04d7 --publish-only loads preserved dist + re-signs with prod keys (@tj-smith47)
• 3ee4886 eliminate redundant build job via --publish-only (@tj-smith47)
• b51db83 auto-inject gpg --faked-system-time when SOURCE_DATE_EPOCH set (@tj-smith47)
• 9dc7cda add announce.gate_on (required_publishers|all|none) (@tj-smith47)
• 1195ce5 real DELETE rollback via object_store::delete (@tj-smith47)
• d980eec add Publisher registry + group-aware dispatch (@tj-smith47)
• 3f7b499 add preflight checker impls (cargo, chocolatey, winget, aur) (@tj-smith47)
• 8555889 best-effort rollback dispatch after publish failures (@tj-smith47)
• 7c8cd03 implement --rollback-only --from-run replay (@tj-smith47)
• 44cd754 persist publish_report to dist/run-/report.json (@tj-smith47)
• 376a762 poll chocolatey moderation + winget PR validation after publish (@tj-smith47)
• 4a1ac0c port chocolatey, winget, upstream-AUR to Publisher trait (@tj-smith47)
• ff47f22 port dockerhub, artifactory, cloudsmith, blob to Publisher trait (@tj-smith47)
• 7ba9df2 port homebrew, scoop, nix, aur to Publisher trait (Bundle B) (@tj-smith47)
• 665627f port krew, mcp to Publisher trait (Bundle C) (@tj-smith47)
• 8a79bf1 real DELETE rollback for cloudsmith (slug-keyed) (@tj-smith47)
• 4203522 run-summary JSON + end-of-pipeline status table (@tj-smith47)
• a5f7e3d swap PublishStage to Result + Submitter gate (@tj-smith47)
• 7972a09 port cargo to Publisher trait + shared FakePublisher (@tj-smith47)
• 7911326 check rollback token scopes (@tj-smith47)
• 0303d20 port github-release to Publisher trait (@tj-smith47)
• c649b3e probe gpg --faked-system-time at pipeline start (@tj-smith47)
• 82bb469 port snapcraft to Publisher trait (@tj-smith47)

---

Bug Fixes

• 4027c89 shard Determinism Harness 3-way + add --targets filter (@tj-smith47)
• a19af43 unblock v0.2.1 cut — 5 cross-platform test + workflow fixes (@tj-smith47)
• 6274193 Win harness drops RUNNER_TEMP + GH/RUNNER namespace hermeticity (@tj-smith47)
• d1bd9eb harness env on Windows inherits host with credential deny-list (@tj-smith47)
• 098e334 harness inherits host PATH + defaults RUSTUP_HOME, drop env-block bandaids (@tj-smith47)
• 81a842f teach --stages parser makeself + snapcraft (@tj-smith47)
• 341ec8f determinism harness — explicit env allow-list + single-source skip-list (@tj-smith47)
• 443d785 Win MSVC link.exe + macOS poller timeout robustness (@tj-smith47)
• 7fb1c7a sanitize --from-run against path traversal (@tj-smith47)
• ef64cc3 align PublishReport JSON shape with spec example (@tj-smith47)
• 69c05df make tests compile on Windows so CI auto-tag can fire (@tj-smith47)
• ff312d3 drop emdash in new rustdoc bullet (@tj-smith47)
• 41e481a MSVC /Brepro for reproducible Windows binaries (@tj-smith47)
• 80c672d MSVC link.exe full deterministic flag set + drift diagnostics (@tj-smith47)
• eb380fe address Phase 1 review — module split, basename lookup, atomic write, streaming hash (@tj-smith47)
• 99955f7 byte-identical artifacts.json across runs (@tj-smith47)
• 8e57810 close config.yaml/artifacts.json SDE gap; hash raw binary (@tj-smith47)
• 406f859 close sampler gap, prune-bin basename match, text-diff in summary (@tj-smith47)
• b0eb28a convert serialized HashMaps to BTreeMap (@tj-smith47)
• 7b84e3c default worktree root to /.det-worktrees, not /tmp (@tj-smith47)
• 5104477 kill 27-artifact drift surfaced by CI run 25975073213 (@tj-smith47)
• 33e6172 make Windows MSVC drift offsets visible in CI (@tj-smith47)
• 35987ab make harness signing work on macOS + older cosign (@tj-smith47)
• b23ebee make inject_drift_byte process-local atomic counter (@tj-smith47)
• 725ed51 normalize Windows path separators in stage inference (@tj-smith47)
• 1192e29 pin ephemeral GPG key creation to SDE; normalize paths (@tj-smith47)
• ff6dba0 route 6 wall-clock callsites through sde::resolve_now (@tj-smith47)
• 3efbe6a route determinism-fast through the action; scope inject-drift test (@tj-smith47)
• 0a6cb56 skip makeself scratch dir during dist preservation (@tj-smith47)
• 27de44d skip non-diffed produce-stages in child subprocess (@tj-smith47)
• b0bc9be sort artifact metadata keys for byte-stable artifacts.json (@tj-smith47)
• 7aa3c8a sort extra_binaries names for stable artifacts.json (@tj-smith47)
• 9c2ea35 source archive SDE mtime, MSYS gpg paths, sha256 sidecar allowlist (@tj-smith47)
• 2f49a66 strip PDB debug entries on MSVC; add MSVC flags to global RUSTFLAGS (@tj-smith47)
• 00fd062 strip content-hash keys from artifacts.json metadata; grow drift sample window (@tj-smith47)
• ae7a715 strip release debug info for MSVC reproducibility (@tj-smith47)
• e7e8bdb strip worktree path + sort YAML keys in dist artifacts (@tj-smith47)
• 5bf3824 teach harness parse_stages source/upx/nfpm (@tj-smith47)
• 35b0422 tighten harness — worktree path, MSVC flags, tail sample (@tj-smith47)
• 9d71f0d use cargo-zigbuild for Windows MSVC builds (@tj-smith47)
• 1f7db90 use stable worktree path across runs (UTF-16 path leakage) (@tj-smith47)
• 2931169 vary inject_drift fallback byte by wall-clock nanos (@tj-smith47)
• 0abe046 PID-suffix worktree path so parallel tests don't collide (@tj-smith47)
• 304a425 widen env whitelist so cargo/rustup work under env_clear (@tj-smith47)
• 164ceab pin --target + force --xz default for byte-stable .run (@tj-smith47)
• a236efc pin packaging-date + tar mtimes from SOURCE_DATE_EPOCH (@tj-smith47)
• 480616f accept any shard's recorded hash for cross-shard duplicates (@tj-smith47)
• 35217d5 address Phase 2 review — env-injection preflight, commit cross-check fail-closed, pipeline test, gpg-agent cleanup (@tj-smith47)
• c0c0472 address review #4/#5 — unified discovery, collision detection, version cross-check (@tj-smith47)
• 41fbae5 auto-enable resume_release to bypass duplicate-release bail (@tj-smith47)
• d1a5147 close 5 critical findings from review (@tj-smith47)
• dd96d20 dedupe target=None cross-shard duplicates in registry (@tj-smith47)
• 65347ac exclude sibling manifests from preserved-artifact list (@tj-smith47)
• 5981621 reorder strip-ephemeral, exempt Metadata from existence check (@tj-smith47)
• 89b2d26 revise Binary handling — keep in registry, suppress binary_signs (@tj-smith47)
• 7bfc972 round-2 review — allowlist, cleanup scope, binary_signs warn (@tj-smith47)
• d7fd094 skip ephemeral sig/cert paths in multi-shard hash-verify (@tj-smith47)
• de3ab64 skip on version-exists without comparing local bytes (@tj-smith47)
• 75ea990 pre-check for existing package, skip or bail by md5 (@tj-smith47)
• ca33a60 bail early when prior release has assets and replace_existing_artifacts is false (@tj-smith47)
• d37b991 restore harness build path — revert hooks env_clear, skip changelog in harness (@tj-smith47)
• 026c854 swap blob before snapcraft, drop double-publish, narrow test seam (@tj-smith47)
• e0fc1ba explicit shard-label, partial-shard guard, comment-hygiene sweep (@tj-smith47)
• a594eb8 switch to built-in CycloneDX with per-artifact iteration (@tj-smith47)
• ec70a45 repair DEFAULT_BINARY_SIGNATURE_TEMPLATE — drop duplicate suffix, restore .sig extension (@tj-smith47)
• c444220 address B1/B2 review (@tj-smith47)
• f5caa6d bucket close-PR outcomes, paginate PR queries, correct MCP scope (@tj-smith47)
• 64a81ab close review findings on post-publish polling (@tj-smith47)
• 3f7d26d correct chocolatey moderation discriminator + close preflight review (@tj-smith47)
• 3417715 gate rollback evidence on actual push outcome (@tj-smith47)
• c96d056 harden Bundle A rollback paths + consolidate publisher boilerplate (@tj-smith47)
• 3c2c9bf homebrew multi-archive disambiguation with .tar.gz fallback (@tj-smith47)
• 618a8e2 make --rollback-only --from-run replays idempotent (@tj-smith47)
• c8241d2 redact AUR credentials, dedup taps, parallelize Bundle B rollback (@tj-smith47)
• d9cc68c scoop multi-artifact disambiguation with .zip/.tar.gz fallback (@tj-smith47)
• dc43cac match artifact basenames + surface worktree stderr (@tj-smith47)
• 65437a5 rerun guard + announce gate semantics + scope dedup (@tj-smith47)
• f07680a correct prerelease parsing + functional rollback path (@tj-smith47)
• a7e0c6a exclude binary-sign outputs from release upload candidates (@tj-smith47)
• af2d365 handle GitHub secondary rate-limit + cap upload concurrency (@tj-smith47)
• 64d737d plug remaining B3 binary-sign leak sites (@tj-smith47)
• 10bdb2a widen already-absent bucket + dedup release-id lookups (@tj-smith47)
• b3791cf drop SnapcraftPublisher to stop double-publish (@tj-smith47)
• 45a8e78 chocolatey responder race on slow CI (@tj-smith47)
• fe46c86 drop sign from harness default + correct if_condition Tera syntax (@tj-smith47)

---

Others

• 6b30375 polish B8 — rustdoc parens + RUNNER_* symmetry test (@tj-smith47)
• 7bf6cc4 tighten --from-run rejection test + error UX (@tj-smith47)
• c7a898b determinism polish — sentinel allow-list, stage typo error, SDE bounds (@tj-smith47)
• 96f5fd9 document PublishEvidence credential contract + Bundle B no-leak tests + omit-None serde (@tj-smith47)
• 03fcb66 bump brontes 0.1.0 → 0.2.0 (@tj-smith47)
• 09afe1c drop yanked constant_time_eq 0.4.3 (@tj-smith47)
• 86b06e9 flip brontes from git-master to crates.io 0.1.0 (@tj-smith47)
• 3fa7e13 fix stale 'disable' wording in skip-check comment (@tj-smith47)
• cfec38f bump workspace → 0.3.0 (github-actions[bot])
• 52c51da dynamic-width status table + clarify run_with_publishers stability (@tj-smith47)
• 874add5 make report.json write atomic + doc polish (@tj-smith47)
• 9beb7c1 polish --rollback-only error UX + help text (@tj-smith47)
• cf76718 polish B6 — rollback-only summary, conflict, doc walkthrough (@tj-smith47)
• 4dee3bd fix asymmetrically typo (@tj-smith47)
• ae370f9 emit head_samples_b64 in drift rows; add -C strip=symbols (@tj-smith47)
• 0783c05 log discovered artifacts when --inject-drift misses (@tj-smith47)
• d7e099e upload full drifted binaries alongside report (@tj-smith47)
• 181b00c explain Send + Sync bound on the trait (@tj-smith47)
• 022622f list Context::test_fixture in module rustdoc (@tj-smith47)
• b51891b create feature matrix tracking release-resilience + determinism rollout (@tj-smith47)
• 6f27c90 integrate release-resilience + determinism rows into existing release tree (@tj-smith47)
• 4274139 link operator guides to rendered docsite (@tj-smith47)
• b763842 logo + badges + dogfood anodizer-action and anodize tag (@tj-smith47)
• 7d5a451 document github upload-concurrency + secondary-RL env vars (@tj-smith47)
• a98fe53 pin cloudsmith API field names to OpenAPI spec (@tj-smith47)
• 9c62200 deep-audit batch 3 — dedup, size-cap, observability (@tj-smith47)
• c5303ce deep-audit batch 1 — security, dedup, dead-code sweep (@tj-smith47)
• 320baa5 deep-audit batch 2 — config-layer hardening + dedup (@tj-smith47)
• 8803c68 relocate gpg probe to tool_detect to satisfy module-boundary rule (@tj-smith47)
• 25f2c8f route populate_time_vars through sde::resolve_now (@tj-smith47)
• 0d777b1 split harness into module dir; drop redundant cleanup (@tj-smith47)
• 137b5fd deep-audit batch 4 — mutex recovery, silent-error surfacing, dead-code delete (@tj-smith47)
• d46beed extract run_uploads helper + cover failure-record path (@tj-smith47)
• d9146df deep-audit batch 5 — mutex recovery, thread-join, token/URL redaction (@tj-smith47)
• 45c95d6 deep-audit batch 6 — stderr redaction, target-inference dedup, nfpm template helper (@tj-smith47)
• 62de409 final regression sweep — snapcraft redaction, lock_recover dedup, build/source observability (@tj-smith47)
• 3a33b40 centralize HTTP test responder; fix race across workspace (@tj-smith47)
• 4d9dbe4 MSVC zigbuild swap (9d71f0d) (@tj-smith47)
• c4f7c1c cycle 14 MSVC kitchen-sink link flags (80c672d) (@tj-smith47)
• c7fd04f drop sign from harness default stages (fe46c86, partial) (@tj-smith47)
• af1e321 normalize_external_sbom syft post-processor (5104477, partial) (@tj-smith47)
• ccde7e0 strip=debuginfo in release profile (ae7a715) (@tj-smith47)
• dc9e15c drop session-tracker labels from B3b comments (@tj-smith47)
• 621433c strip session-note markers + fix cloudsmith docstring (@tj-smith47)
• b69e645 binary-level I14 regression - required-failure gates exit code (@tj-smith47)
• 032bcd1 real drift integration test + shared FakePublisher + drop empty-stubs (@tj-smith47)
• 3179b3b pin gpg probe argv + refresh stale rustdoc post-refactor (@tj-smith47)
• 44aa4e5 cover disambiguator log + drop duplicate label invocation (@tj-smith47)
• 92fbc88 sibling-publisher isolation via dispatch (closes B10) (@tj-smith47)

Full Changelog: v0.2.0...v0.3.0