chore: promote staging for v1.0.0 final review

.github/workflows/ci.yml

@@ -1,8 +1,5 @@
 name: CI
 
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
 on:
   push:
     branches: [main, staging]
@@ -17,11 +14,11 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
+        os: [ubuntu-latest, macos-latest, windows-2022]
         go-version: ['1.25.9']
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Set up Go
         uses: actions/setup-go@v6
@@ -40,6 +37,17 @@ jobs:
       - name: Build
         run: go build -v ./cmd/rampart
 
+      - name: Installer scripts are synced
+        if: runner.os == 'Linux'
+        run: |
+          cmp -s install.sh docs/install
+          cmp -s install.sh docs/install.sh
+          cmp -s install.sh scripts/install.sh
+          sh -n install.sh
+          sh -n docs/install
+          sh -n docs/install.sh
+          sh -n scripts/install.sh
+
       - name: OpenClaw plugin regression tests
         if: runner.os != 'Windows'
         run: |
@@ -65,19 +73,73 @@ jobs:
         run: go test -bench=. -benchmem ./internal/engine/ ./internal/audit/
 
       - name: Upload coverage
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: coverage-${{ matrix.os }}
           path: coverage.out
 
+  docker-smoke:
+    name: docker smoke (amd64 runtime + arm64 build)
+    runs-on: ubuntu-latest
+    needs: test
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: docker/setup-buildx-action@v4
+
+      - name: Build amd64 image
+        run: |
+          set -euo pipefail
+          docker buildx build \
+            --platform linux/amd64 \
+            --load \
+            --build-arg VERSION=ci-smoke \
+            --build-arg COMMIT=${GITHUB_SHA::12} \
+            --build-arg DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ) \
+            -t rampart:ci-smoke \
+            .
+
+      - name: Smoke test amd64 image
+        run: |
+          set -euo pipefail
+
+          docker run --rm rampart:ci-smoke version | tee /tmp/rampart-docker-version.txt
+          grep -F "rampart ci-smoke" /tmp/rampart-docker-version.txt
+
+          cid="$(docker run -d -p 19090:9090 rampart:ci-smoke)"
+          trap 'docker rm -f "$cid" >/dev/null 2>&1 || true' EXIT
+
+          for _ in $(seq 1 20); do
+            if curl -fsS http://127.0.0.1:19090/healthz >/dev/null 2>&1; then
+              exit 0
+            fi
+            sleep 1
+          done
+
+          docker logs "$cid"
+          exit 1
+
+      - name: Build arm64 image
+        run: |
+          set -euo pipefail
+          docker buildx build \
+            --platform linux/arm64 \
+            --build-arg VERSION=ci-smoke \
+            --build-arg COMMIT=${GITHUB_SHA::12} \
+            --build-arg DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ) \
+            --output=type=cacheonly \
+            .
+
   release-dry-run:
     name: goreleaser snapshot (cross-platform build check)
     runs-on: ubuntu-latest
     needs: test
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/community-policy-ci.yml

@@ -1,8 +1,5 @@
 name: Community Policy CI
 
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
 on:
   pull_request:
     paths:
@@ -17,7 +14,7 @@ jobs:
   validate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-go@v6
         with:

.github/workflows/docker.yml

@@ -1,8 +1,5 @@
 name: Docker
 
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
 on:
   push:
     tags: ['v*']
@@ -15,33 +12,88 @@ jobs:
   docker:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-
-      - uses: docker/setup-qemu-action@v4
+      - uses: actions/checkout@v6
 
       - uses: docker/setup-buildx-action@v4
 
-      - uses: docker/login-action@v4
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
       - uses: docker/metadata-action@v6
         id: meta
         with:
           images: ghcr.io/peg/rampart
           tags: |
             type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}.{{minor}},enable=${{ !contains(github.ref_name, '-') }}
             type=raw,value=latest,enable=${{ !contains(github.ref_name, '-') }}
 
-      - uses: docker/build-push-action@v7
+      - name: Compute build metadata
+        id: build
+        run: |
+          echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
+          echo "commit=${GITHUB_SHA::12}" >> "$GITHUB_OUTPUT"
+          echo "date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
+
+      - name: Build local image for smoke test
+        uses: docker/build-push-action@v7
         with:
           context: .
           platforms: linux/amd64
+          load: true
+          tags: rampart:release-smoke
+          build-args: |
+            VERSION=${{ steps.build.outputs.version }}
+            COMMIT=${{ steps.build.outputs.commit }}
+            DATE=${{ steps.build.outputs.date }}
+          cache-from: type=gha
+
+      - name: Smoke test local Docker image
+        env:
+          IMAGE: rampart:release-smoke
+          VERSION: ${{ steps.build.outputs.version }}
+        run: |
+          set -euo pipefail
+
+          docker run --rm "$IMAGE" version | tee /tmp/rampart-docker-version.txt
+          grep -F "rampart ${VERSION}" /tmp/rampart-docker-version.txt
+
+          cid="$(docker run -d -p 19090:9090 "$IMAGE")"
+          trap 'docker rm -f "$cid" >/dev/null 2>&1 || true' EXIT
+
+          for _ in $(seq 1 20); do
+            if curl -fsS http://127.0.0.1:19090/healthz >/dev/null 2>&1; then
+              exit 0
+            fi
+            sleep 1
+          done
+
+          docker logs "$cid"
+          exit 1
+
+      - uses: docker/login-action@v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push multi-arch image
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            VERSION=${{ steps.build.outputs.version }}
+            COMMIT=${{ steps.build.outputs.commit }}
+            DATE=${{ steps.build.outputs.date }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+
+      - name: Verify multi-arch manifest
+        env:
+          IMAGE: ghcr.io/peg/rampart:${{ steps.build.outputs.version }}
+        run: |
+          set -euo pipefail
+          docker buildx imagetools inspect "$IMAGE" | tee /tmp/rampart-docker-manifest.txt
+          grep -F 'linux/amd64' /tmp/rampart-docker-manifest.txt
+          grep -F 'linux/arm64' /tmp/rampart-docker-manifest.txt

.github/workflows/docs.yml

@@ -1,8 +1,5 @@
 name: Deploy Docs
 
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
 on:
   workflow_dispatch:
   push:
@@ -19,7 +16,7 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-python@v6
         with:

.github/workflows/release.yml

@@ -1,8 +1,5 @@
 name: Release
 
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
 on:
   push:
     tags:
@@ -15,7 +12,7 @@ jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/render-diagrams.yml

@@ -1,8 +1,5 @@
 name: Render Diagrams
 
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
 on:
   push:
     branches: [main, staging]
@@ -16,7 +13,7 @@ jobs:
   render:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Install D2
         run: curl -fsSL https://d2lang.com/install.sh | sh -s --

CHANGELOG.md

@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.0.0] - 2026-05-06
+
+### Fixed
+
+- **Docker images now boot and report release metadata** — The Dockerfile uses the current `serve --addr/--port` flags, injects version/commit/date ldflags, aligns its Go toolchain with the release workflow, and sets a writable runtime home for the nonroot distroless container.
+- **Installer surfaces are canonical again** — `install.sh`, `docs/install`, `docs/install.sh`, and `scripts/install.sh` are byte-for-byte synced, with CI checks to prevent future drift.
+
+### Changed
+
+- **1.0 launch metadata is aligned** — The embedded OpenClaw plugin manifest, runtime export, package metadata, landing structured data, docs homepage, support matrix, and roadmap now use final `1.0.0` launch language instead of stale RC labels.
+- **Release docs point at the live package channels** — Homebrew examples use `peg/tap/rampart`, binary download docs describe the actual archive formats, and Docker docs describe stable/minor/prerelease tags accurately.
+
 ## [1.0.0-rc.2] - 2026-05-04
 
 ### Fixed

Dockerfile

@@ -1,15 +1,32 @@
-# Build stage
-FROM golang:1.24-bookworm AS build
+# Build stage. Build on the native runner platform and cross-compile for the
+# requested image platform so linux/arm64 releases don't depend on slow QEMU
+# emulation for the Go build itself.
+ARG BUILDPLATFORM
+FROM --platform=$BUILDPLATFORM golang:1.25.9-bookworm AS build
 WORKDIR /src
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG VERSION=dev
+ARG COMMIT=unknown
+ARG DATE=unknown
+
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
-RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /rampart ./cmd/rampart
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH:-amd64} go build -trimpath \
+    -ldflags="-s -w \
+      -X github.com/peg/rampart/internal/build.versionFromLDFlags=${VERSION} \
+      -X github.com/peg/rampart/internal/build.Commit=${COMMIT} \
+      -X github.com/peg/rampart/internal/build.Date=${DATE}" \
+    -o /rampart ./cmd/rampart
 
 # Runtime stage — distroless for minimal attack surface
 FROM gcr.io/distroless/static-debian12:nonroot
 COPY --from=build /rampart /rampart
 USER nonroot:nonroot
+ENV HOME=/tmp
+WORKDIR /tmp
 EXPOSE 9090
 ENTRYPOINT ["/rampart"]
-CMD ["serve", "--bind", "0.0.0.0:9090"]
+CMD ["serve", "--addr", "0.0.0.0", "--port", "9090"]

Makefile

@@ -2,7 +2,7 @@ VERSION ?= $(shell git describe --tags --always --dirty 2>/dev/null || echo dev)
 COMMIT  ?= $(shell git rev-parse --short HEAD 2>/dev/null || echo unknown)
 DATE    ?= $(shell date -u +%Y-%m-%dT%H:%M:%SZ)
 LDFLAGS  = -s -w \
-	-X github.com/peg/rampart/internal/build.Version=$(VERSION) \
+	-X github.com/peg/rampart/internal/build.versionFromLDFlags=$(VERSION) \
 	-X github.com/peg/rampart/internal/build.Commit=$(COMMIT) \
 	-X github.com/peg/rampart/internal/build.Date=$(DATE)
 

SECURITY.md

@@ -4,9 +4,9 @@
 
 | Version | Supported          |
 |---------|--------------------|
-| 0.7.x   | ✅ Current release |
-| 0.6.x   | ⚠️ Critical fixes only |
-| < 0.6   | ❌ No longer supported |
+| 1.0.x   | ✅ Current release |
+| 0.9.x   | ⚠️ Critical fixes only |
+| < 0.9   | ❌ No longer supported |
 
 ## Reporting a Vulnerability