chore(master): release 0.4.5

[arcbox-labs]

🤖 I have created a release beep boop

0.4.5 (2026-06-10)

Features

• core: own a VM lifecycle per utility VM role (64fa38d)
• core: role-aware runtime lookups and connector dispatch (8eb86af)
• daemon,docker: fan-out resource wait + fail-closed unsupported roles (03530ca)
• docker: add utility VM routing seam (05aaa9d)
• docker: persist workload-to-role bindings for lifecycle routing (3a7fc34)
• docker: resolve BuildKit /session role + lazy-recover bindings after daemon restart (e7a91d6)
• docker: route amd64 runtime to HV/FEX64, fail closed, demote VZ (ABX-375) (9c85662)
• docker: schedule Compose projects on a single utility VM role (588d217)
• net,docker: fan out host port forwarding per utility VM (87f27d7)
• net: mount host /private via VirtioFS and rewrite Docker bind paths (94578ac)
• vm: dm-snapshot CoW with jailer mode support (#208) (7e740a1)
• vm: symlink indirection for dm-snapshot checkpoint/restore (#209) (19dfcbf)

Bug Fixes

• core: check FEX64 at runtime/bin/FEX, matching boot-assets binfmt path (9efa368)
• core: eliminate TOCTOU in MachineManager::create by holding write lock (42f3e3f)
• daemon: add ExitTimeOut to launchd plists to prevent SIGKILL during shutdown (bef9051)
• daemon: include ExitTimeOut in installed plist (d423f5a)
• dhcp: add expiry for declined IPs to prevent pool exhaustion (d677941)
• dhcp: guard lease removal on declined IP and skip quarantine test on low uptime (526bd71)
• dhcp: only quarantine offered IPs and preserve reservations on release (de30a8e)
• docker: cfg-gate resolve() to macOS, remove stale Content-Length (7622347)
• docker: fail closed on ambiguous workload identifiers (a3fc08c)
• docker: refuse to guess on prefix collisions and keep alias ownership consistent (937e188)
• docker: track workload aliases and route catch-all by URI role (2977b3c)
• docker: use raw container ID as fallback for networking teardown (#155) (c9bd1a6)
• use virtiofs constants in init.rs, make host_path pub(crate) (d2350df)
• vmm: disable guest SVE/SME on Apple Silicon (phantom SVE traps) (7be30d7)
• vmm: mask guest SME so FEX amd64 doesn't SIGILL on Apple SME cores (8f2c8a7)
• vmm: recreate default VM when the desired kernel path changes (82b96a4)

Reverts

• vmm: drop guest SVE/SME disable (misdiagnosed cause) (b46b2a6)

Code Refactoring

• core: parameterize VmLifecycleManager on machine name (36cb538)
• core: pick the hypervisor backend per machine (77e0952)
• fex: rename mistaken FEX64 naming to FEX (f0ddbfb)
• vmm: generalize default-VM drift detection to all overridable fields (fbde372)

Tests

• core: cover MachineManager::create concurrent same-name race (35d2d23)
• core: gate concurrent create tasks on a Barrier (2686255)
• fex: add reproducible FEX64 validation harness (ABX-375 step 1) (158fbce)
• fex: classify unprovisioned FEX64 as BLOCKED, not a Gate-A FAIL (ed3c561)
• fex: point harness at /arcbox/runtime/bin/FEX; skip B/C when unprovisioned (0e59700)

Documentation

• docker: document the BuildKit /session routing limitation (6c3b2f3)
• docker: fix stale FEX path in require_amd64_runtime comment (682d956)
• fex: correct binfmt registration to rootfs /sbin/init, not a guest setup_fex() (8840336)
• fex: FEX is binfmt-only via a small patch, ships no FEXServer (dacc25a)
• machine: explain why create holds the write lock across I/O (8b8ac58)
• mount: update mount_standard_shares doc to include /private share (6e414f7)

Continuous Integration

• release: pass release-please PR JSON via env, not inline interpolation (#295) (d16228a)

Miscellaneous Chores

• assets: bump boot assets to 0.5.11 (45d60e3)
• assets: bump boot assets to 0.5.13 (46b45f0)
• assets: bump boot assets to v0.5.10 (working FEX64 runtime) (89df9a7)
• assets: pin boot assets v0.5.9 with static FEX64 runtime (7c5c641)
• devenv: add devenv-based reproducible dev shell (25d3836)
• vmm: drop redundant clone in drift-detection test (684ce18)

---

This PR was generated with Release Please. See documentation.

[pullfrog]

✅ No new issues found.

Reviewed changes — release-please version bump from 0.4.4 to 0.4.5, driven solely by the devenv chore commit (25d3836).

• Bump workspace version pin — .release-please-manifest.json and Cargo.toml workspace.package.version advance to 0.4.5; all internal arcbox-* workspace dep pins marked # x-release-please-version follow. arcbox-hv is correctly left at 0.3.20 per its independent release cadence.
• Changelog entry — single 0.4.5 section in CHANGELOG.md citing the devenv commit, consistent with the only conventional-commit input since v0.4.4.
• Lockfile refresh — Cargo.lock updates version = "0.4.5" for every workspace crate; no third-party dependency changes.

  ^{｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

[greptile-apps]

Greptile Summary

Automated release-please PR bumping the workspace from v0.4.4 to v0.4.5. All three changed files are version-metadata only — no logic changes are included in this PR; the underlying feature and fix commits are already merged.

• .release-please-manifest.json and Cargo.toml workspace version updated from 0.4.4 → 0.4.5; all 30+ internal crate pins follow suit, while arcbox-hv is correctly left at 0.3.20 per its independent release cadence.
• CHANGELOG.md gains the full 0.4.5 entry covering features (multi-VM role routing, dm-snapshot CoW, VirtioFS /private mount), bug fixes (DHCP pool exhaustion, TOCTOU in MachineManager, SVE/SME masking), and CI improvements.

Confidence Score: 5/5

Safe to merge — all changes are automated version-metadata updates with no logic modifications.

The diff touches only three files, all of which are release bookkeeping: the manifest JSON, the changelog, and workspace crate version pins. Every internal crate is uniformly bumped to 0.4.5; arcbox-hv is intentionally held at its independent version with an explanatory comment already present. There is nothing here that could alter runtime behavior.

No files require special attention.

Important Files Changed

Filename	Overview
.release-please-manifest.json	Version bumped from 0.4.4 to 0.4.5 — standard release-please manifest update.
CHANGELOG.md	0.4.5 release notes prepended; content matches the commit list in the PR description.
Cargo.toml	Workspace version and all release-please-managed internal crate pins bumped from 0.4.4 to 0.4.5; arcbox-hv intentionally stays at 0.3.20 per its independent release cadence note.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[release-please bot] -->|generates| B[PR #288]
    B --> C[.release-please-manifest.json\n0.4.4 → 0.4.5]
    B --> D[Cargo.toml\nworkspace version + all internal crates\n0.4.4 → 0.4.5]
    B --> E[CHANGELOG.md\nappend 0.4.5 release notes]
    D --> F[arcbox-hv unchanged\n0.3.20 — independent cadence]

Loading

_{Reviews (10): Last reviewed commit: "chore: update Cargo.lock for release" | Re-trigger Greptile}

[pullfrog]

✅ No new issues found.

Reviewed changes — release-please regenerated the PR after five additional commits landed on master; the version bump itself (0.4.4 → 0.4.5) is unchanged from the prior review.

• Expanded CHANGELOG.md 0.4.5 entry — now lists every conventional-commit input since v0.4.4: two feat (94578ac net /private VirtioFS, 7e740a1 vm dm-snapshot CoW), two fix (7622347 docker cfg-gate, d2350df virtiofs constants), one docs (6e414f7 mount_standard_shares), one chore (25d3836 devenv). Verified 1:1 against git log v0.4.4..origin/master.
• Version pins unchanged from prior review — .release-please-manifest.json, Cargo.toml workspace.package.version, all arcbox-* workspace dep pins with # x-release-please-version, and Cargo.lock workspace crate versions are all at 0.4.5. arcbox-hv stays at 0.3.20 per its independent release cadence.

  ^{｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

[pullfrog]

✅ No new issues found.

Reviewed changes — release-please regenerated the PR after 19dfcbf landed on master; the version bump and lockfile remain at 0.4.5, only the CHANGELOG gains one entry.

• Added #209 to the 0.4.5 Features list — new bullet for 19dfcbf (vm: symlink indirection for dm-snapshot checkpoint/restore). Verified 1:1 against git log d382cf9..master — the full set of conventional-commit inputs since v0.4.4 (2× feat, 2× fix, 1× docs, 1× chore) plus the newly added third feat are all present.
• Version pins and lockfile unchanged — .release-please-manifest.json, Cargo.toml workspace.package.version, every arcbox-* workspace dep pin marked # x-release-please-version, and Cargo.lock workspace crate versions remain at 0.4.5. arcbox-hv correctly stays at 0.3.20 per its independent release cadence.

  ^{｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

[pullfrog]

✅ No new issues found.

Reviewed changes — release-please regenerated the PR after c9bd1a6 landed on master; the version bump and lockfile remain at 0.4.5, only the CHANGELOG gains one entry.

• Added #155 to the 0.4.5 Bug Fixes list — new bullet for c9bd1a6 (docker: use raw container ID as fallback for networking teardown). Verified 1:1 against git log d382cf9..master — the full set of conventional-commit inputs since v0.4.4 (3× feat, 3× fix, 1× docs, 1× chore) are all present.
• Version pins and lockfile unchanged — .release-please-manifest.json, Cargo.toml workspace.package.version, every arcbox-* workspace dep pin marked # x-release-please-version, and Cargo.lock workspace crate versions remain at 0.4.5. arcbox-hv correctly stays at 0.3.20 per its independent release cadence.

  ^{｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

[pullfrog]

✅ No new issues found.

Reviewed changes — release-please regenerated the PR after four fix commits and one docs commit landed on master; the version bump and lockfile remain at 0.4.5, only the CHANGELOG gains entries.

• Added four 0.4.5 Bug Fixes bullets — new entries for 42f3e3f (core: TOCTOU in MachineManager::create), d677941 (dhcp: declined-IP expiry), 526bd71 (dhcp: lease removal guard + quarantine test skip), and de30a8e (dhcp: quarantine offered IPs only, preserve reservations on release).
• Added one 0.4.5 Documentation bullet — new entry for 8b8ac58 (machine: explain why create holds the write lock across I/O).
• Version pins and lockfile unchanged — .release-please-manifest.json, Cargo.toml workspace.package.version, every arcbox-* workspace dep pin marked # x-release-please-version, and Cargo.lock workspace crate versions remain at 0.4.5. arcbox-hv correctly stays at 0.3.20 per its independent release cadence.

Verified 1:1 against git log d382cf9..origin/master — the full set of conventional-commit inputs since v0.4.4 (3× feat, 7× fix, 2× docs, 1× chore) are all present.

  ^{｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

[pullfrog]

✅ No new issues found.

Reviewed changes — release-please regenerated the PR after two fix(daemon) commits landed on master; the version bump and lockfile remain at 0.4.5, only the CHANGELOG gains entries.

• Added two 0.4.5 Bug Fixes bullets — new entries for bef9051 (daemon: add ExitTimeOut to launchd plists to prevent SIGKILL during shutdown) and d423f5a (daemon: include ExitTimeOut in installed plist).
• Version pins and lockfile unchanged — .release-please-manifest.json, Cargo.toml workspace.package.version, every arcbox-* workspace dep pin marked # x-release-please-version, and Cargo.lock workspace crate versions remain at 0.4.5. arcbox-hv correctly stays at 0.3.20 per its independent release cadence.

Verified 1:1 against git log v0.4.4..d423f5a — the full set of conventional-commit inputs since v0.4.4 (3× feat, 9× fix, 2× docs, 1× chore) are all present.

  ^{｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

[pullfrog]

✅ No new issues found.

Reviewed changes — release-please regenerated the PR after two test(core): commits landed on master; the version bump and lockfile remain at 0.4.5, only the CHANGELOG gains a new Tests section (and the release date rolls from 2026-05-27 to 2026-05-28).

• Added a 0.4.5 Tests section — new entries for 35d2d23 (cover MachineManager::create concurrent same-name race) and 2686255 (gate concurrent create tasks on a Barrier).
• Release date updated — ## [0.4.5](...) (2026-05-28) reflects today's regeneration.
• Version pins and lockfile unchanged — .release-please-manifest.json, Cargo.toml workspace.package.version, every arcbox-* workspace dep pin marked # x-release-please-version, and Cargo.lock workspace crate versions remain at 0.4.5. arcbox-hv correctly stays at 0.3.20 per its independent release cadence.

Verified 1:1 against git log v0.4.4..origin/master — the full set of conventional-commit inputs since v0.4.4 (3× feat, 9× fix, 2× test, 2× docs, 1× chore) are all present.

  ^{｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

[pullfrog]

Caution

This PR bumps the workspace version but does not regenerate Cargo.lock, which breaks the --locked release build.

Reviewed changes — release-please force-pushed the PR into a single squashed commit (b1b9b4d), expanding the 0.4.5 CHANGELOG to the full conventional-commit set since v0.4.4 and rolling the release date to 2026-06-10. Compared against the prior review at 458bb2a.

• Expanded 0.4.5 CHANGELOG — CHANGELOG.md now lists the complete set of inputs (Features, Bug Fixes, Reverts, Code Refactoring, Tests, Documentation, Miscellaneous Chores) and the date moved from 2026-05-28 to 2026-06-10.
• Version pins bumped — .release-please-manifest.json and Cargo.toml workspace.package.version advance to 0.4.5; all arcbox-* dep pins marked # x-release-please-version follow. arcbox-hv correctly stays at 0.3.20 per its independent cadence.
• Lockfile update dropped — the prior PR head (458bb2a) carried a separate chore: update Cargo.lock for release commit; this squash omits it, and Cargo.lock is absent from the diff entirely.

🚨 Cargo.lock not bumped — --locked release build will fail

Cargo.toml advances the workspace to 0.4.5, but Cargo.lock is not part of this PR and all 40 arcbox-* workspace crates in it remain pinned at 0.4.4. The release workflow builds the tagged release with cargo build --release --locked, which refuses to proceed when the lockfile is out of sync with the manifest — so merging and tagging 0.4.5 as-is will fail the release build.

This is a regression of a previously-fixed incident: the prior PR head included a dedicated lockfile-update commit, and the project history records the original fix (3b84b26 "update Cargo.lock in release-please PR and restore --locked builds"). The squash that produced b1b9b4d dropped that lockfile update.

Technical details

# Cargo.lock left at 0.4.4 while Cargo.toml is 0.4.5

## Affected sites
- `Cargo.lock` — all workspace crates (e.g. `arcbox-core`, `arcbox-daemon`, `arcbox-vmm`, `arcbox-virtio-fs`, ...) still `version = "0.4.4"`; only third-party `axum-core 0.4.5` matches by coincidence. Not present in the PR diff.
- `Cargo.toml:70` — `workspace.package.version = "0.4.5"`, plus every `arcbox-*` `# x-release-please-version` pin at `0.4.5`.
- `.github/workflows/release.yml:116` and `:201` — `cargo build --release --locked ...` for `arcbox-cli`/`arcbox-daemon`/`arcbox-helper` and `arcbox-agent`.
- `.github/workflows/release-please.yml:32` — comment: lockfile must be current "so the release tag can build with --locked."

## Required outcome
- `Cargo.lock` on this branch must show `version = "0.4.5"` for every workspace crate before merge, so `cargo build --locked` succeeds on the release tag.

## Suggested approach
- Have release-please regenerate the lockfile (run `cargo update -w` / a plain `cargo build` and commit the resulting `Cargo.lock`) on the `release-please--branches--master` branch so the bump is included in the release commit, matching the prior `458bb2a` head.

## Open questions for the human
- Why did the lockfile-update step drop out of release-please's output on this regeneration? Worth confirming the release-please config (`extra-files` / lockfile updater) is still wired up so this doesn't recur on the next release.

  ^{｜ Fix it ➔ ｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

[arcbox-labs]

🤖 Created releases:

• v0.4.5

🌻