[codex] Guard release compatibility drift

[Fieldnote-Echo]

Summary

Stacked on #179.

This lane turns the pre-release compatibility drift findings into enforced release invariants:

• updates the README Quickstart dependency to the current 0.4 minor line;
• gives ordvec-ffi an explicit rust-version = "1.89" so every Rust surface shares the declared MSRV;
• aligns cliff.toml with the strict no-leading-zero stable SemVer tag guard from release.yml;
• extends tests/release_publish_invariants.py to check lockstep MSRV/docs/CI sync, publication model, Python package floors, pyo3 abi3 feature settings, Dependabot NumPy floor wording, and strict release tag behavior.

Review Follow-Up

An adversarial subagent review found four issues before publication; all were remediated:

• parse the actual jobs.guard semver step rather than string-searching all of release.yml;
• make the fallback TOML parser handle multiline arrays so Python 3.10 manual runs do not false-fail on pyproject.toml;
• include the live Dependabot NumPy-floor comment in the Python metadata sync check;
• anchor the README dependency check to the Quickstart TOML block.

Validation

python3 -m py_compile tests/release_publish_invariants.py
python3 -c "import importlib.util; spec=importlib.util.spec_from_file_location('rpi','tests/release_publish_invariants.py'); m=importlib.util.module_from_spec(spec); spec.loader.exec_module(m); m.tomllib=None; data=m.minimal_load_toml('ordvec-python/pyproject.toml'); assert data['project']['dependencies'] == ['numpy>=2.2'], data['project']['dependencies']; print('fallback ok')"
bash tests/release_publish_invariants.sh
bash tests/release_signed_release_invariants.sh
cargo check -p ordvec-ffi
git diff --check

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[gemini-code-assist]

Code Review

This pull request enhances the release and publication invariant checks in tests/release_publish_invariants.py by adding strict SemVer tag validation, Rust MSRV compatibility checks, publication model verification, and Python package metadata validation. It also updates the minimal TOML parser to handle multiline arrays. A review comment identifies a potential bug in the updated TOML parser where nested arrays or inline tables ending with ] could prematurely close a multiline array, and suggests a robust fix to count the brackets.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[qodo-code-review]

Review Summary by Qodo

Enforce release compatibility drift guards and invariants

✨ Enhancement 🧪 Tests

Walkthroughs

Description

• Enforce release compatibility invariants across Rust/Python packages
• Add comprehensive validation checks for MSRV, documentation, and CI sync
• Improve TOML parser to handle multiline arrays correctly
• Update dependency versions and tag patterns to strict SemVer format

Diagram

flowchart LR
  A["Release Workflow"] -->|parse semver guard| B["Strict SemVer Pattern"]
  C["Cargo.toml files"] -->|validate MSRV| D["Compatibility Check"]
  E["README.md"] -->|verify quickstart| D
  F["CI Workflows"] -->|check toolchain| D
  G["Python Metadata"] -->|validate deps| H["Publication Model"]
  I["cliff.toml"] -->|align tag pattern| B
  D -->|all checks pass| J["Release Invariants Met"]
  H --> J

Loading

File Changes

1. tests/release_publish_invariants.py 🧪 Tests +177/-8

Add comprehensive release compatibility validation checks

• Add strict SemVer tag pattern constant matching release.yml guard
• Refactor TOML parser to properly handle multiline arrays with trailing commas
• Extract package_manifest() helper and add package_rust_version() and
 package_publish_setting() functions
• Add semver_minor_requirement() to extract MAJOR.MINOR from version strings
• Implement check_release_compatibility_sync() to validate MSRV across all Rust packages and
 documentation
• Implement check_publication_model() to enforce correct publish settings per crate
• Implement check_python_package_metadata() to validate Python dependencies, pyo3 features, and
 abi3 configuration
• Implement check_strict_release_tag_patterns() to parse and validate release.yml's semver guard
 step
• Integrate all new checks into main() function

tests/release_publish_invariants.py

---

2. .github/dependabot.yml ⚙️ Configuration changes +1/-1

Update NumPy dependency floor version

• Update NumPy floor version from >=2.0 to >=2.2 in comment

.github/dependabot.yml

---

3. README.md 📝 Documentation +1/-1

Update quickstart dependency to 0.4 minor line

• Update Quickstart dependency from ordvec = "0.3" to ordvec = "0.4"

README.md

---

View more (2)

4. cliff.toml ⚙️ Configuration changes +3/-4

Enforce strict SemVer tag pattern without leading zeros

• Replace loose SemVer pattern with strict no-leading-zero pattern
• Update pattern from ^v[0-9]+\.[0-9]+\.[0-9]+$ to
 ^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$
• Clarify comment to explain strict segment validation matching release.yml guard

cliff.toml

---

5. ordvec-ffi/Cargo.toml ⚙️ Configuration changes +1/-0

Add explicit MSRV declaration to ordvec-ffi

• Add explicit rust-version = "1.89" to declare MSRV

ordvec-ffi/Cargo.toml

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0)

1. Fallback TOML parse fails 🐞 Bug ≡ Correctness

Description

On Python versions without tomllib, minimal_load_toml() parses multiline arrays by splitting
lines on commas via split_inline_table(), but that splitter does not track {} depth and will
split inside inline tables. Since check_strict_release_tag_patterns() calls
load_toml("cliff.toml"), this will fail to parse cliff.toml’s
commit_preprocessors/commit_parsers arrays and abort the invariant script.

Code

tests/release_publish_invariants.py[R211-221]

+        if multiline_array is not None:
+            closes = line == "]" or line.endswith("]")
+            if closes:
+                line = line[:-1].strip()
+            if line.endswith(","):
+                line = line[:-1].strip()
+            if line:
+                for part in split_inline_table(line):
+                    multiline_array.append(parse_toml_value(part))
+            if closes:
+                multiline_array = None

Evidence

The fallback parser’s multiline-array mode splits each line using split_inline_table(), which does
not consider {} nesting, so commas inside inline tables are treated as top-level separators.
cliff.toml contains multiline arrays whose elements are inline tables with commas inside, and
check_strict_release_tag_patterns() loads cliff.toml via load_toml(), which uses
minimal_load_toml() when tomllib is missing (Python <3.11).

tests/release_publish_invariants.py[147-176]
tests/release_publish_invariants.py[203-243]
tests/release_publish_invariants.py[246-256]
tests/release_publish_invariants.py[454-456]
tests/release_publish_invariants.py[942-949]
cliff.toml[42-61]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`minimal_load_toml()` uses `split_inline_table()` to split TOML array elements, but `split_inline_table()` only tracks square bracket nesting (`[]`) and ignores curly braces (`{}`). As a result, when parsing arrays of inline tables (e.g., `{ message = "^feat", group = "Added" },`), it incorrectly splits on the comma between inline-table fields, producing invalid fragments that `parse_toml_value()` cannot parse.

This breaks `load_toml("cliff.toml")` on Python <3.11 (when `tomllib` is unavailable), and `main()` now always calls `check_strict_release_tag_patterns()` which loads `cliff.toml`.

## Issue Context
`cliff.toml` contains multiline arrays of inline tables (`commit_preprocessors`, `commit_parsers`). The fallback parser must treat each `{ ... }` inline table as a single array element when splitting.

## Fix Focus Areas
- tests/release_publish_invariants.py[147-176]
- tests/release_publish_invariants.py[203-243]

### Implementation notes
- Update `split_inline_table()` to also track curly-brace depth (e.g., `brace_depth` increment on `{` and decrement on `}` when not in quotes), and only split on commas when both `bracket_depth == 0` and `brace_depth == 0`.
- Add a small self-check in the invariant script (or a unit-like check) to ensure `minimal_load_toml('cliff.toml')` succeeds when `tomllib is None`.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 484c51033c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Fieldnote-Echo]

Addressed the fallback TOML parser findings in f980406.

What changed:

• split_inline_table() now tracks curly-brace depth, so arrays of inline tables are split on element commas rather than field commas.
• Multiline array closing detection no longer treats every line ending in ] as the outer array close.
• check_strict_release_tag_patterns() now reads only cliff.toml's git.tag_pattern scalar instead of loading the whole cliff.toml through the Python 3.10 fallback parser. This avoids unsupported triple-quoted changelog templates while preserving the release-tag invariant.

Validation:

• python3 -m py_compile tests/release_publish_invariants.py
• bash tests/release_publish_invariants.sh
• fallback-mode self-check for ordvec-python/pyproject.toml, cliff.toml tag extraction, and inline-table array splitting
• bash tests/release_signed_release_invariants.sh
• cargo check -p ordvec-ffi
• git diff --check