Signed per-channel rollout manifest (releases/rollouts/<rolloutId>.json).
LOADBEARING: per RFC-0008 §6.3, rolloutId is the canonical semantic
identifier RolloutId::new(&m.channel, &m.channel_ref) (i.e.
"{channel}@{channel_ref}"), not a content hash. Verifiers MUST (1)
cryptographically verify the signed sidecar via
verify_rollout_manifest, then (2) discriminate the parsed manifest’s
reconstructed RolloutId against the advertised identifier they
requested. Authenticity comes from the signature; identity-substitution
defense comes from the parsed-id equality check. Both checks together
replace the prior content-addressed sha256(bytes) == rolloutId
tautology, which has no anchor under the semantic identifier.
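The two checks in order, as an added example that is not the crate's own code. `Manifest`, `AcceptError`, `accept_manifest` and `toy_verify` are hypothetical names, and `toy_verify` is a constructed stand-in for `verify_rollout_manifest`, whose real signature is not shown on this page.

```rust
// Added illustration. Types here are hypothetical stand-ins, not the crate's own.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct RolloutId(String);
impl RolloutId {
    pub fn new(channel: &str, channel_ref: &str) -> Self {
        RolloutId(format!("{}@{}", channel, channel_ref))
    }
}
#[derive(Debug, Clone)]
pub struct Manifest { pub channel: String, pub channel_ref: String }

#[derive(Debug, PartialEq, Eq)]
pub enum AcceptError {
    BadSignature,
    IdMismatch { requested: RolloutId, signed: RolloutId },
}

/// `verify` stands in for step (1), the signed-sidecar check; it yields the
/// parsed manifest only when the signature is valid.
pub fn accept_manifest<V>(requested: &RolloutId, bytes: &[u8], sig: &[u8], verify: V)
    -> Result<Manifest, AcceptError>
where V: Fn(&[u8], &[u8]) -> Option<Manifest> {
    let m = verify(bytes, sig).ok_or(AcceptError::BadSignature)?;
    // Step (2): rebuild the id from signed fields and compare with what we asked for.
    let signed = RolloutId::new(&m.channel, &m.channel_ref);
    if signed != *requested {
        return Err(AcceptError::IdMismatch { requested: requested.clone(), signed });
    }
    Ok(m)
}

/// Constructed toy verifier, NOT cryptography: "signature" = bytes reversed,
/// manifest body = "channel\nchannel_ref".
pub fn toy_verify(bytes: &[u8], sig: &[u8]) -> Option<Manifest> {
    if !sig.iter().rev().eq(bytes.iter()) { return None; }
    let (channel, channel_ref) = std::str::from_utf8(bytes).ok()?.split_once('\n')?;
    Some(Manifest { channel: channel.into(), channel_ref: channel_ref.into() })
}

fn main() {
    let bytes = b"stable\nabc123"; // constructed sample manifest
    let sig: Vec<u8> = bytes.iter().rev().cloned().collect();
    // A validly "signed" stable manifest served in answer to a request for edge.
    let asked = RolloutId::new("edge", "abc123");
    println!("{:?}", accept_manifest(&asked, bytes, &sig, toy_verify));
}
```

The mismatch case passes step (1) and is rejected only by step (2), which is why neither check can be dropped.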
Structs
- HostWave
- RolloutBudget - Per-rollout snapshot of a fleet-wide disruption budget. Selector is preserved so cross-rollout sums match by intent even when host membership has shifted between rollout opens.
- RolloutManifest