release: v2.0.0

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: mikkeldamsgaard

.claude/skills/release/SKILL.md

@@ -37,12 +37,14 @@ Once confirmed:
 2. Bump version in `Cargo.toml` (the `version = "..."` field under `[package]`).
 3. Run `cargo check` to ensure the project builds successfully after the version bump.
 4. Update `CHANGELOG.md`:
-   - Move everything under `## [Unreleased]` into a new `## [X.Y.Z] - YYYY-MM-DD` section (use today's date).
+   - Move everything under `## [Unreleased]` into a new `## [X.Y.Z] - YYYY-MM-DD` section (use today's date), placed immediately below `## [Unreleased]` (i.e., at the top of the released versions list).
    - Leave `## [Unreleased]` empty (with just the heading).
-5. Run `cargo test` to verify nothing is broken.
-6. Run `cargo clippy -- -D warnings` and `cargo fmt -- --check`.
-7. Commit: `release: vX.Y.Z`
-8. Push the branch and create a PR with title `release: vX.Y.Z`.
-9. The PR body should include the changelog entries for this version.
+   - Each released version must have its own section with its changes — never merge entries across versions.
+5. Search all documentation files (`docs/`, `README.md`, `examples/`) for references to the previous version (e.g. image tags like `initium:1.3.1`, version strings) and update them to the new version. Exclude `CHANGELOG.md` (historical entries should keep their original versions).
+6. Run `cargo test` to verify nothing is broken.
+7. Run `cargo clippy -- -D warnings` and `cargo fmt -- --check`.
+8. Commit: `release: vX.Y.Z`
+9. Push the branch and create a PR with title `release: vX.Y.Z`.
+10. The PR body should include the changelog entries for this version.
 
 When the PR merges, the auto-tag workflow detects the version bump in `Cargo.toml` and creates the `vX.Y.Z` tag, which triggers the release workflow (Docker build + crates.io publish).

CHANGELOG.md

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.0.0] - 2026-03-14
+
 ### Security
 
 - Cosign keyless image signing in release workflow for both `initium` and `initium-jyq` container images. Images are signed using Sigstore OIDC via GitHub Actions. SBOM attestations are also signed and attached to each image.
@@ -15,7 +17,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - `urlencode` template filter for percent-encoding strings in URLs. Useful for embedding passwords or other values containing URL-reserved characters (`@`, `%`, `:`, `/`, etc.) in connection strings.
-- `dprint` formatter for Markdown, JSON, TOML, YAML, and Dockerfile with CI check (`dprint/check@v2.2`) and definition-of-done gate.
 - Structured database connection config as an alternative to URL (`host`, `port`, `user`, `password`, `name`, `options` fields). Passwords with URL-reserved characters (`@`, `%`, `:`, etc.) work without encoding. Connections are built using driver-native APIs (PostgreSQL key-value DSN, MySQL `OptsBuilder`), bypassing URL parsing entirely. The `url`/`url_env` fields remain supported for backward compatibility. See [#39](https://github.com/KitStream/initium/issues/39).
 
 ### Removed
@@ -29,8 +30,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- Reject unsupported `options` field in MySQL structured config — MySQL `OptsBuilder` does not support arbitrary connection options.
+
+### Chores
+
+- `dprint` formatter for Markdown, JSON, TOML, YAML, and Dockerfile with CI check (`dprint/check@v2.2`) and definition-of-done gate.
+- YAML plugin for `dprint` formatter.
 - Render tests now use an RAII `EnvGuard` to restore environment variables on drop, preventing cross-test interference when tests run in parallel.
+- `EnvGuard` now uses `OsString` for correctness and supports `remove()` constructor for unsetting variables.
+
+## [1.3.1] - 2026-03-12
+
+### Fixed
+
 - Auto Tag workflow now uses `RELEASE_TOKEN` instead of `GITHUB_TOKEN` so the pushed tag triggers the Release workflow. Tags pushed by the default `GITHUB_TOKEN` do not trigger other workflows (GitHub Actions security feature).
+- Added `RELEASE_TOKEN` preflight check to Auto Tag workflow and removed unused environment variable.
 
 ## [1.3.0] - 2026-03-12
 

CLAUDE.md

@@ -28,7 +28,7 @@ Quality gates
 
 6. Update CHANGELOG with all changes.
    - Every user-visible change must be added to CHANGELOG.md under “Unreleased”.
-   - Use categories: Added / Changed / Fixed / Security / Deprecated / Removed.
+   - Use categories: Added / Changed / Fixed / Security / Deprecated / Removed / Chores.
    - Mention migration steps if behavior changes.
 
 Robustness & correctness

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "initium"
-version = "1.3.1"
+version = "2.0.0"
 authors = ["Kitstream <opensource@kitstream.io>"]
 categories = ["command-line-utilities", "development-tools"]
 documentation = "https://docs.rs/initium"

docs/security.md

@@ -87,10 +87,10 @@ Release images are signed with [cosign](https://github.com/sigstore/cosign) usin
 cosign verify \
   --certificate-oidc-issuer https://token.actions.githubusercontent.com \
   --certificate-identity 'https://github.com/KitStream/initium/.github/workflows/release.yml@refs/tags/v*' \
-  ghcr.io/kitstream/initium:1.3.1
+  ghcr.io/kitstream/initium:2.0.0
 
 # Or use the Makefile target (also supports IMAGE=ghcr.io/kitstream/initium-jyq)
-make verify-image VERSION=1.3.1
+make verify-image VERSION=2.0.0
 ```
 
 ### Verify SBOM attestation
@@ -100,7 +100,7 @@ cosign verify-attestation \
   --type spdx \
   --certificate-oidc-issuer https://token.actions.githubusercontent.com \
   --certificate-identity 'https://github.com/KitStream/initium/.github/workflows/release.yml@refs/tags/v*' \
-  ghcr.io/kitstream/initium:1.3.1
+  ghcr.io/kitstream/initium:2.0.0
 ```
 
 ### View provenance and SBOM
@@ -109,8 +109,8 @@ Provenance and SBOM attestations are generated by Docker BuildKit during the ima
 
 ```bash
 # View provenance
-docker buildx imagetools inspect ghcr.io/kitstream/initium:1.3.1 --format '{{json .Provenance}}'
+docker buildx imagetools inspect ghcr.io/kitstream/initium:2.0.0 --format '{{json .Provenance}}'
 
 # View SBOM
-docker buildx imagetools inspect ghcr.io/kitstream/initium:1.3.1 --format '{{json .SBOM}}'
+docker buildx imagetools inspect ghcr.io/kitstream/initium:2.0.0 --format '{{json .SBOM}}'
 ```