Rel v25.10.2 (#1734)

* new dev branch towards v25.10.2

* Add comprehensive SHA256 verification for native wheels artifacts

Fixes #1733, #1732 - Prevents corrupted artifacts from reaching PyPI

## Problem

Native wheels (macOS, Windows, Linux no-NVX) had NO checksum verification
during artifact transfer from wheels workflow to release workflows. This is
the SAME vulnerability that allowed the corrupted v25.10.1 source distribution
to reach PyPI (issue #1714).

The root cause: all three native wheel artifacts download to the same dist/
directory with files all named CHECKSUMS.sha256, causing them to overwrite
each other. Only the last downloaded checksum file remains, leaving most
wheels unverified.

## Solution

Implemented immediate verification pattern for all three release jobs
(release-development, release-nightly, release-stable):

1. Changed from merge-multiple downloads to separate artifact downloads
2. Verify checksums immediately after each download, before the next
   download overwrites the checksum file
3. Fail fast on any checksum mismatch or missing files

## Coverage

ALL artifact transfer pairs now have SHA256 verification:
- ✅ Source distributions (wheels → release) - already fixed in prior commit
- ✅ macOS ARM64 wheels (wheels → release) - NEW
- ✅ Windows x86_64 wheels (wheels → release) - NEW
- ✅ Linux no-NVX wheels (wheels → release) - NEW
- ✅ Manylinux wheels with NVX (wheels-docker → release) - already existed
- ✅ ARM64 wheels with NVX (wheels-arm64 → release) - already existed

Complete end-to-end cryptographic chain of custody from build → PyPI.

* bump version to 25.10.2

* Reorganize documentation: add Runtime Environment Notes section

Fixes #1731 - Adds comprehensive Conda installation guidance

## Changes

1. **New documentation structure**
   - Created `docs/environments/` directory for environment-specific guides
   - Added `docs/environments/index.rst` overview page
   - Moved `autobahn-on-free-threaded-python.rst` → `environments/free-threaded-python.rst`

2. **New Conda documentation** (`docs/environments/conda.rst`)
   - Explains why conda-forge lags behind PyPI
   - Recommends `pip install autobahn` within Conda environments
   - Documents native wheel selection and NVX acceleration
   - Troubleshooting guide for common Conda issues
   - Addresses user feedback from issue #1731

3. **Updated references**
   - Modified `docs/index.rst` to reference new `environments/index` section
   - Updated reference label from `autobahn-on-free-threaded-python` to `free-threaded-python`

## Why This Structure

Consolidates all environment-specific documentation under a single section,
making it easier for users to find platform/deployment-specific guidance.
Future additions (Docker, embedded systems, etc.) can follow the same pattern.

## Documentation Quality

- Follows existing .rst formatting patterns
- Includes comprehensive examples and code blocks
- Cross-references related documentation pages
- Provides troubleshooting sections
- Uses consistent section hierarchy

Addresses user confusion about installing Autobahn in Conda environments
and getting outdated versions from conda-forge.

* Integrate cryptographic artifact verification in wheels workflow

Updates wheels.yml to use new upload-artifact-verified action from wamp-cicd.

## Changes

1. **Updated .cicd submodule** to bfe9880 (includes new verified artifact actions)

2. **Replaced all upload-artifact@v4 calls** with upload-artifact-verified:
   - wheels-{platform}-{arch} upload (line 591)
   - source-distribution upload (line 773, Linux only)
   - linux-wheels-no-nvx upload (line 781, Linux only)

3. **Simplified upload paths** from file patterns to entire dist/ directory

## Behavior Changes

**Before:**
- Manual CHECKSUMS.sha256 generation (kept for debugging)
- Upload specific files via YAML list pattern
- No meta-checksum verification

**After:**
- Automated CHECKSUMS.sha256 generation by verified action
- Upload entire dist/ directory (includes all build outputs)
- Auto-generated CHECKSUMS.sha256.meta for integrity verification
- Filesystem sync before/after checksum generation

## Files in Uploaded Artifacts

Each artifact now includes:
- Original build outputs (*.whl, *.tar.gz, *.verify.txt, VALIDATION.txt)
- CHECKSUMS.sha256 (generated by action, replaces manual version)
- CHECKSUMS.sha256.meta (NEW - enables two-level verification)

## Security Improvement

Artifacts now have cryptographic chain-of-custody protection:
1. Build creates files → dist/
2. verified-upload generates checksums + meta-checksum
3. verified-download verifies meta-checksum → checksums → files
4. Any corruption during artifact transfer is detected

This prevents corrupted artifacts (like the PyPy ARM64 wheel in v25.10.1)
from reaching the release workflow and ultimately PyPI.

Part of fixing #1733, #1732 (chain-of-custody verification).

* Replace artifact upload/download with cryptographic chain-of-custody verification

This commit integrates the new verified artifact actions from wamp-cicd to
replace standard GitHub Actions artifact handling with cryptographically
verified transfers that include automatic retry logic for GitHub storage
eventual consistency issues.

Changes:

1. wheels-docker.yml (line 478-484):
   - Replaced upload-artifact@v4 with upload-artifact-verified
   - Changed from file patterns to directory path (wheelhouse/)
   - Automatic CHECKSUMS.sha256 and meta-checksum generation

2. wheels-arm64.yml (line 414-419):
   - Replaced upload-artifact@v4 with upload-artifact-verified
   - Changed from file patterns to directory path (wheelhouse/)
   - Automatic CHECKSUMS.sha256 and meta-checksum generation

3. release.yml (multiple locations):
   - Replaced download-artifact@v4 with download-artifact-verified for:
     * wheels-macos-arm64 (3 occurrences)
     * wheels-windows-x86_64 (3 occurrences)
     * source-distribution (3 occurrences)
     * linux-wheels-no-nvx (3 occurrences)
   - Removed 12 manual "Re-verify" steps (replaced by built-in verification)
   - Added max-attempts: 3 and retry-delay: 60 for all downloads
   - Preserved continue-on-error behavior for optional artifacts

Technical improvements:

- Two-level cryptographic verification:
  1. Meta-checksum verifies CHECKSUMS.sha256 integrity
  2. Individual file checksums verify each artifact file

- Automatic retry logic with delay handles GitHub Actions storage eventual
  consistency issues (artifacts marked "completed" before async writes finish)

- Filesystem sync before/after checksum generation ensures QEMU buffer flush

- Self-contained verification (checksum files travel with artifacts)

- Fail-safe design: only succeeds after complete verification

Note: Pattern-based downloads (artifacts-*, artifacts-arm64-*) still use
standard download-artifact@v4 with merge-multiple because the verified action
doesn't yet support pattern matching. These artifacts are protected at upload
time by the verified upload actions in wheels-docker.yml and wheels-arm64.yml.

Related issues:
- Addresses artifact corruption detected in run 18516073936
- Implements solution discussed in issue #1714

* Add comprehensive docstrings for public API attributes

Added detailed Sphinx-compatible docstrings for the following public API
attributes to improve documentation and developer experience:

1. autobahn.websocket.HAS_NVX
   - Explains build-time NVX availability check
   - Documents what NVX provides (UTF-8 validation, XOR masking)
   - Clarifies independence from AUTOBAHN_USE_NVX runtime setting
   - Includes usage example and cross-reference to USES_NVX

2. autobahn.websocket.USES_NVX
   - Explains runtime NVX usage decision
   - Documents interaction between build-time availability and runtime config
   - Provides complete AUTOBAHN_USE_NVX environment variable reference
   - Includes scenario examples and cross-reference to HAS_NVX

3. autobahn.twisted.__ident__
   - Enhanced existing brief docstring with comprehensive documentation
   - Documents format variations (with/without NVX acceleration)
   - Explains usage in protocol handshakes (WebSocket Upgrade, WAMP HELLO)
   - Provides example values for different configurations
   - Cross-references asyncio.__ident__ and USES_NVX

4. autobahn.asyncio.__ident__
   - Enhanced existing brief docstring with comprehensive documentation
   - Documents format variations (with/without NVX acceleration)
   - Explains usage in protocol handshakes (WebSocket Upgrade, WAMP HELLO)
   - Notes difference from Twisted variant (no asyncio version number)
   - Provides example values for different configurations
   - Cross-references twisted.__ident__ and USES_NVX

All docstrings follow reStructuredText format for proper Sphinx rendering in
Read the Docs documentation. This is a documentation-only change with no
functional modifications.

Related: This is a safe change to trigger final workflow testing before
merging rel_v25.10.2 to master (addresses issues #1735, #1714).

Author: oberstet

.audit/oberstet_rel_v25.10.2.md

@@ -0,0 +1,8 @@
+- [ ] I did **not** use any AI-assistance tools to help create this pull request.
+- [x] I **did** use AI-assistance tools to *help* create this pull request.
+- [x] I have read, understood and followed the projects' [AI Policy](https://github.com/crossbario/autobahn-python/blob/main/AI_POLICY.md) when creating code, documentation etc. for this pull request.
+
+Submitted by: @oberstet
+Date: 2025-10-21
+Related issue(s): #1733
+Branch: oberstet:rel_v25.10.2

.cicd

@@ -122,23 +122,37 @@ jobs:
         with:
           submodules: recursive
 
-      - name: Download all wheel artifacts (from wheels workflow)
-        uses: actions/download-artifact@v4
+      - name: Download and verify macOS wheels with retry logic
+        uses: wamp-proto/wamp-cicd/actions/download-artifact-verified@main
         with:
-          pattern: wheels-*
-          merge-multiple: true
+          name: wheels-macos-arm64
           path: dist/
           run-id: ${{ needs.check-all-workflows.outputs.wheels_run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
+          max-attempts: 3
+          retry-delay: 60
         continue-on-error: true
 
-      - name: Download source distribution
-        uses: actions/download-artifact@v4
+      - name: Download and verify Windows wheels with retry logic
+        uses: wamp-proto/wamp-cicd/actions/download-artifact-verified@main
+        with:
+          name: wheels-windows-x86_64
+          path: dist/
+          run-id: ${{ needs.check-all-workflows.outputs.wheels_run_id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          max-attempts: 3
+          retry-delay: 60
+        continue-on-error: true
+
+      - name: Download and verify source distribution with retry logic
+        uses: wamp-proto/wamp-cicd/actions/download-artifact-verified@main
         with:
           name: source-distribution
           path: dist/
           run-id: ${{ needs.check-all-workflows.outputs.wheels_run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
+          max-attempts: 3
+          retry-delay: 60
         continue-on-error: true
 
       - name: Debug - List downloaded files
@@ -172,6 +186,7 @@ jobs:
           echo ""
 
           HAS_ERRORS=0
+          TARBALLS_VERIFIED=0
 
           for tarball in dist/*.tar.gz; do
             if [ ! -f "$tarball" ]; then
@@ -194,6 +209,8 @@ jobs:
             echo "==> Re-verifying: $BASENAME"
             echo ""
 
+            TARBALLS_VERIFIED=$((TARBALLS_VERIFIED + 1))
+
             # Re-compute SHA256 hash
             echo "Computing current SHA256 fingerprint..."
             CURRENT_SHA256=$(openssl sha256 "$tarball" | awk '{print $2}')
@@ -286,23 +303,40 @@ jobs:
             echo "DO NOT PROCEED WITH RELEASE - investigate and fix first."
             echo ""
             exit 1
+          elif [ $TARBALLS_VERIFIED -eq 0 ]; then
+            echo "======================================================================"
+            echo "❌ RE-VERIFICATION FAILED - NO SOURCE DISTRIBUTIONS VERIFIED"
+            echo "======================================================================"
+            echo ""
+            echo "Zero source distributions were verified. This means:"
+            echo "  1. No *.tar.gz files were found in dist/, OR"
+            echo "  2. Source distribution download from artifacts failed"
+            echo ""
+            echo "This is a critical failure - we cannot confirm source distribution integrity."
+            echo "This was the root cause of issue #1714 (corrupted v25.10.1 on PyPI)."
+            echo ""
+            echo "DO NOT PROCEED WITH RELEASE - investigate artifact download!"
+            echo ""
+            exit 1
           else
             echo "======================================================================"
-            echo "✅ All source distributions re-verified successfully"
+            echo "✅ All source distributions re-verified successfully ($TARBALLS_VERIFIED tarballs)"
             echo "======================================================================"
             echo ""
             echo "Chain of custody confirmed: wheels workflow → release workflow"
             echo "Cryptographic integrity maintained throughout pipeline."
           fi
         shell: bash
 
-      - name: Download Linux wheels without NVX
-        uses: actions/download-artifact@v4
+      - name: Download and verify Linux wheels without NVX with retry logic
+        uses: wamp-proto/wamp-cicd/actions/download-artifact-verified@main
         with:
           name: linux-wheels-no-nvx
           path: dist/
           run-id: ${{ needs.check-all-workflows.outputs.wheels_run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
+          max-attempts: 3
+          retry-delay: 60
         continue-on-error: true
 
       - name: Download manylinux wheel artifacts (from wheels-docker workflow)
@@ -783,23 +817,37 @@ jobs:
         with:
           submodules: recursive
 
-      - name: Download all wheel artifacts (from wheels workflow)
-        uses: actions/download-artifact@v4
+      - name: Download and verify macOS wheels with retry logic
+        uses: wamp-proto/wamp-cicd/actions/download-artifact-verified@main
         with:
-          pattern: wheels-*
-          merge-multiple: true
+          name: wheels-macos-arm64
           path: dist/
           run-id: ${{ needs.check-all-workflows.outputs.wheels_run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
+          max-attempts: 3
+          retry-delay: 60
         continue-on-error: true
 
-      - name: Download source distribution
-        uses: actions/download-artifact@v4
+      - name: Download and verify Windows wheels with retry logic
+        uses: wamp-proto/wamp-cicd/actions/download-artifact-verified@main
+        with:
+          name: wheels-windows-x86_64
+          path: dist/
+          run-id: ${{ needs.check-all-workflows.outputs.wheels_run_id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          max-attempts: 3
+          retry-delay: 60
+        continue-on-error: true
+
+      - name: Download and verify source distribution with retry logic
+        uses: wamp-proto/wamp-cicd/actions/download-artifact-verified@main
         with:
           name: source-distribution
           path: dist/
           run-id: ${{ needs.check-all-workflows.outputs.wheels_run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
+          max-attempts: 3
+          retry-delay: 60
         continue-on-error: true
 
       - name: Debug - List downloaded files
@@ -833,6 +881,7 @@ jobs:
           echo ""
 
           HAS_ERRORS=0
+          TARBALLS_VERIFIED=0
 
           for tarball in dist/*.tar.gz; do
             if [ ! -f "$tarball" ]; then
@@ -855,6 +904,8 @@ jobs:
             echo "==> Re-verifying: $BASENAME"
             echo ""
 
+            TARBALLS_VERIFIED=$((TARBALLS_VERIFIED + 1))
+
             # Re-compute SHA256 hash
             echo "Computing current SHA256 fingerprint..."
             CURRENT_SHA256=$(openssl sha256 "$tarball" | awk '{print $2}')
@@ -947,23 +998,40 @@ jobs:
             echo "DO NOT PROCEED WITH RELEASE - investigate and fix first."
             echo ""
             exit 1
+          elif [ $TARBALLS_VERIFIED -eq 0 ]; then
+            echo "======================================================================"
+            echo "❌ RE-VERIFICATION FAILED - NO SOURCE DISTRIBUTIONS VERIFIED"
+            echo "======================================================================"
+            echo ""
+            echo "Zero source distributions were verified. This means:"
+            echo "  1. No *.tar.gz files were found in dist/, OR"
+            echo "  2. Source distribution download from artifacts failed"
+            echo ""
+            echo "This is a critical failure - we cannot confirm source distribution integrity."
+            echo "This was the root cause of issue #1714 (corrupted v25.10.1 on PyPI)."
+            echo ""
+            echo "DO NOT PROCEED WITH RELEASE - investigate artifact download!"
+            echo ""
+            exit 1
           else
             echo "======================================================================"
-            echo "✅ All source distributions re-verified successfully"
+            echo "✅ All source distributions re-verified successfully ($TARBALLS_VERIFIED tarballs)"
             echo "======================================================================"
             echo ""
             echo "Chain of custody confirmed: wheels workflow → release workflow"
             echo "Cryptographic integrity maintained throughout pipeline."
           fi
         shell: bash
 
-      - name: Download Linux wheels without NVX
-        uses: actions/download-artifact@v4
+      - name: Download and verify Linux wheels without NVX with retry logic
+        uses: wamp-proto/wamp-cicd/actions/download-artifact-verified@main
         with:
           name: linux-wheels-no-nvx
           path: dist/
           run-id: ${{ needs.check-all-workflows.outputs.wheels_run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
+          max-attempts: 3
+          retry-delay: 60
         continue-on-error: true
 
       - name: Download manylinux wheel artifacts (from wheels-docker workflow)
@@ -1461,31 +1529,37 @@ jobs:
         with:
           submodules: recursive
 
-      - name: Download macOS wheels
-        uses: actions/download-artifact@v4
+      - name: Download and verify macOS wheels with retry logic
+        uses: wamp-proto/wamp-cicd/actions/download-artifact-verified@main
         with:
           name: wheels-macos-arm64
           path: dist/
           run-id: ${{ needs.check-all-workflows.outputs.wheels_run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
+          max-attempts: 3
+          retry-delay: 60
         continue-on-error: true
 
-      - name: Download Windows wheels
-        uses: actions/download-artifact@v4
+      - name: Download and verify Windows wheels with retry logic
+        uses: wamp-proto/wamp-cicd/actions/download-artifact-verified@main
         with:
           name: wheels-windows-x86_64
           path: dist/
           run-id: ${{ needs.check-all-workflows.outputs.wheels_run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
+          max-attempts: 3
+          retry-delay: 60
         continue-on-error: true
 
-      - name: Download source distribution
-        uses: actions/download-artifact@v4
+      - name: Download and verify source distribution with retry logic
+        uses: wamp-proto/wamp-cicd/actions/download-artifact-verified@main
         with:
           name: source-distribution
           path: dist/
           run-id: ${{ needs.check-all-workflows.outputs.wheels_run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
+          max-attempts: 3
+          retry-delay: 60
         continue-on-error: true
 
       - name: Debug - List downloaded files
@@ -1519,6 +1593,7 @@ jobs:
           echo ""
 
           HAS_ERRORS=0
+          TARBALLS_VERIFIED=0
 
           for tarball in dist/*.tar.gz; do
             if [ ! -f "$tarball" ]; then
@@ -1541,6 +1616,8 @@ jobs:
             echo "==> Re-verifying: $BASENAME"
             echo ""
 
+            TARBALLS_VERIFIED=$((TARBALLS_VERIFIED + 1))
+
             # Re-compute SHA256 hash
             echo "Computing current SHA256 fingerprint..."
             CURRENT_SHA256=$(openssl sha256 "$tarball" | awk '{print $2}')
@@ -1633,23 +1710,40 @@ jobs:
             echo "DO NOT PROCEED WITH RELEASE - investigate and fix first."
             echo ""
             exit 1
+          elif [ $TARBALLS_VERIFIED -eq 0 ]; then
+            echo "======================================================================"
+            echo "❌ RE-VERIFICATION FAILED - NO SOURCE DISTRIBUTIONS VERIFIED"
+            echo "======================================================================"
+            echo ""
+            echo "Zero source distributions were verified. This means:"
+            echo "  1. No *.tar.gz files were found in dist/, OR"
+            echo "  2. Source distribution download from artifacts failed"
+            echo ""
+            echo "This is a critical failure - we cannot confirm source distribution integrity."
+            echo "This was the root cause of issue #1714 (corrupted v25.10.1 on PyPI)."
+            echo ""
+            echo "DO NOT PROCEED WITH RELEASE - investigate artifact download!"
+            echo ""
+            exit 1
           else
             echo "======================================================================"
-            echo "✅ All source distributions re-verified successfully"
+            echo "✅ All source distributions re-verified successfully ($TARBALLS_VERIFIED tarballs)"
             echo "======================================================================"
             echo ""
             echo "Chain of custody confirmed: wheels workflow → release workflow"
             echo "Cryptographic integrity maintained throughout pipeline."
           fi
         shell: bash
 
-      - name: Download Linux wheels without NVX
-        uses: actions/download-artifact@v4
+      - name: Download and verify Linux wheels without NVX with retry logic
+        uses: wamp-proto/wamp-cicd/actions/download-artifact-verified@main
         with:
           name: linux-wheels-no-nvx
           path: dist/
           run-id: ${{ needs.check-all-workflows.outputs.wheels_run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
+          max-attempts: 3
+          retry-delay: 60
         continue-on-error: true
 
       - name: Download manylinux wheels with NVX (from wheels-docker)

.github/workflows/release.yml

@@ -411,16 +411,11 @@ jobs:
           echo "==> Wheel inventory:"
           find wheelhouse/ -name "*.whl" -exec basename {} \; 2>/dev/null | sort || echo "No wheels found"
 
-      - name: Upload wheels and build metadata artifacts
-        uses: actions/upload-artifact@v4
+      - name: Upload wheels and build metadata with cryptographic verification
+        uses: wamp-proto/wamp-cicd/actions/upload-artifact-verified@main
         with:
           name: artifacts-arm64-${{ matrix.target.name }}
-          path: |
-            wheelhouse/*.whl
-            wheelhouse/*.tar.gz
-            wheelhouse/build-info.txt
-            wheelhouse/CHECKSUMS.sha256
-            wheelhouse/VALIDATION.txt
+          path: wheelhouse/
           retention-days: 30
 
   # GitHub Releases, PyPI, and RTD publishing are now handled by the centralized 'release' workflow

.github/workflows/wheels-arm64.yml

@@ -476,16 +476,11 @@ jobs:
           find wheelhouse/ -name "*.whl" -exec basename {} \; 2>/dev/null | sort || echo "No wheels found"
 
       - name:
-          Upload wheels, source dist and build metadata artifacts
-        uses: actions/upload-artifact@v4
+          Upload wheels, source dist and build metadata with cryptographic verification
+        uses: wamp-proto/wamp-cicd/actions/upload-artifact-verified@main
         with:
           name: artifacts-${{ matrix.target.name }}
-          path: |
-            wheelhouse/*.whl
-            wheelhouse/*.tar.gz
-            wheelhouse/build-info.txt
-            wheelhouse/CHECKSUMS.sha256
-            wheelhouse/VALIDATION.txt
+          path: wheelhouse/
           retention-days: 30
 
   # GitHub Releases, PyPI, and RTD publishing are now handled by the centralized 'release' workflow