What's new in chart-v0.2.37
This is a metadata-only chart bump: appVersion advances from 0.7.1 to 0.7.2, the default image.tag now resolves to ghcr.io/robintra/perf-sentinel:0.7.2, and the artifacthub.io/changes annotation refreshes to surface the new hash-bake subcommand on Artifact Hub. No chart-level template diff, no values.yaml schema change, no new RBAC, no new optional ConfigMap or Secret, no .perf-sentinel.toml review needed. The chart-v0.2.36 surface is preserved byte-for-byte.
The 0.7.2 daemon image is a small-feature release. It adds the perf-sentinel hash-bake CLI subcommand (canonical content_hash baking for test fixture generation and debugging), tightens terminal ANSI sanitisation across every render boundary, and aligns a 64 MiB local read cap between hash-bake and verify-hash --report <local>. Full release notes for the daemon at v0.7.2. None of these changes touches a chart-level template, a daemon HTTP route, a Prometheus metric, or the OTLP listener wire format.
Changed
appVersionbumped from0.7.1to0.7.2, defaultimage.tagnow resolves toghcr.io/robintra/perf-sentinel:0.7.2.artifacthub.io/changesannotation refreshed to surface thehash-bakesubcommand addition on Artifact Hub.- No chart-level config change.
values.yaml, every template, theServiceMonitorrendering, theNetworkPolicyrendering, the optional[daemon.ack]and[daemon.cors]plumbing, and theack-toml-baselinemount are byte-for-byte identical to chart-v0.2.36.
Behavior
- Daemon binary side: new
hash-bakeCLI subcommand. Reads a periodic disclosure JSON, recomputes the canonicalcontent_hash, writes it back via an atomic temp+rename. CLI-only, the daemon does not invoke it at runtime. A chart upgrade neither enables it nor exposes it on any Service or Ingress. - Daemon binary side: terminal sanitisation extended.
sanitize_for_terminalandsafe_urlnow strip the C1 control range0x80..=0x9F(CSIU+009B, STU+009C, OSCU+009D), workspace-wide. Affects every log line and dashboard render that quotes an attacker-controlled string. - Daemon binary side: TOML config validation extended.
has_control_charrejects the same C1 range, so a.perf-sentinel.tomlplacing a C1 byte indisclose_output_path,auth_token, or any free-form path field is refused at load time before reachingtracing::warn!. - Daemon binary side:
verify-hash --report <local>now caps the local file at 64 MiB, matching the newhash-bakecap. Remote--urlmode unchanged (10 MiB cap preserved). - No HTTP-shape change on the daemon side. Every
/api/*route, every/metricsline, the OTLP HTTP and gRPC routes, and every JSON shape are byte-for-byte identical to chart-v0.2.36 for already-clean inputs. - No upgrade hook required, no on-disk migration. The runtime ack store JSONL schema is unchanged. Existing acks survive the upgrade.
Install
helm install perf-sentinel oci://ghcr.io/robintra/charts/perf-sentinel --version 0.2.37Upgrade an existing release:
helm upgrade perf-sentinel oci://ghcr.io/robintra/charts/perf-sentinel --version 0.2.37The bump is metadata-only on the chart side. The new daemon binary brings a CLI-only feature (hash-bake), so no .perf-sentinel.toml edit, no RBAC change, and no Service or Ingress reconfiguration is needed.
Full Changelog: chart-v0.2.36...chart-v0.2.37