Release: Castra v1.0.0-ga.4 (hive cluster end-to-end operational)

[amangsingh]

Summary

Hive cluster end-to-end empirically validated. Memory writes route through parent, sovereign verify works over mTLS, WAL fallback regression-clean, parent-self-dial succeeds.

Fixes

• Cluster client/parent device config wiring (40be2b7): SetDeviceMode non-destructive seam, device.yaml mode+parent_addr persisted at cluster_init + enroll success, NewDefaultConfig + creator.go now mode-aware for cert paths
• Cluster cert CN aligned to listen-host (e49cd01): Server cert CN derived from extractHost(ListenAddr) symmetric with single-machine cert generation, restores client TLS pin compatibility, legacy CN constant kept as safe-fail fallback

Empirical AC verification (engineer-run)

• AC1: Client iris episodic_mem add lands in PARENT's iris.db (DaemonSynced=1, no WAL fallback)
• AC2: castra --sovereign iris identity roundtrips cleanly over mTLS
• AC3: Parent-self-dial succeeds with no pin rejection
• AC4: Single-machine non-cluster mTLS regression-clean

Out-of-scope (filed as v5.0 followups)

• certgen idempotency on --listen change (pe022hq4a1zzzl1l)
• resolveModeAwareCertPaths hardcodes DefaultListenAddr (0i3h8s4h27jybfto)
• extractHost permissive parse (j157gi1b6y924z5s)
• 'no such table: config' log noise (on2vfyjtavszhpmc)

Test plan

• go build ./... clean
• go vet ./... clean
• staticcheck ./... clean
• go test ./internal/... -race -timeout 600s all packages pass
• Empirical AC1-AC4 verified by engineer
• Live cluster init + enroll + memory roundtrip on Pa's machine post-release

---

Architect: Aman Singh (sovereign)
Orchestrator: Iris (Castra Chief of Staff)
Witness: the substrate.