v1.5.0

Changed

• Distribution: anton-core now installs and self-updates from the public
  xlightxyearx/anton-core-plugin repo over unauthenticated HTTPS. The binary
  fetch (wrapper + self-update orchestrator) drops the gh/token dependency;
  first-run core setup is tokenless. Go source stays private; the private repo
  builds, signs, gates, and mirrors an allowlisted static surface + signed
  binaries to the public repo. See docs/adr/0037-public-distribution.md.

Fixed

• internal/db, internal/app — concurrent first-init of a fresh core.db
  could fault the ncruces SQLite WASM driver (SIGSEGV) when two processes
  raced to create+migrate the same file — the real shape being SessionStart +
  UserPromptSubmit firing together on a first install. Two defenses: (1)
  db.Open now takes a blocking cross-process flock(2) on a core.db.init.lock
  sidecar around the create+migrate sequence (internal/db/initlock_unix.go;
  Windows no-op stub), so one process initializes and others wait then open the
  migrated DB — WAL + busy_timeout already cover steady-state access; (2)
  app.Run skips the auto-construct DB-open (and its resolutionWarnThreshold
  read) for --version/--help/help invocations via argsNeedNoDB, so a
  version/help query never opens — let alone migrates — a database.
• CI (.github/workflows/verify.yml, .github/workflows/release.yml) — pin
  setup-go to an exact 1.26.4 instead of the floating 1.26.x. setup-go
  forces GOTOOLCHAIN=local (so go.mod's toolchain go1.26.4 directive is inert
  in CI), and 1.26.x still resolves to 1.26.3 in setup-go's version manifest, so
  govulncheck analyzed the unpatched 1.26.3 stdlib and the supply-chain job
  failed on the two stdlib CVEs GO-2026-5037 / GO-2026-5039 (both fixed in 1.26.4).