v0.3.0

Agent

Added

• AddedHTTPS binary registry with signed manifests. The agent fetches a pg_dump / pg_restore bundle for the server's major on demand and verifies the manifest signature before extraction.
• AddedTwo-key trust hierarchy: a long-lived ROOT public key baked into the agent at build time signs a short-lived MSK certificate; the MSK signs every published manifest. Rotation does not require a new agent build.
• Addeddbcrate binaries list, dbcrate backup, and dbcrate restore as one-shot dev CLI subcommands against the configured registry.
• AddedReal-fixture error tests for the registry path: server failures, network failures, cache corruption. Each one returns a clean, well-typed error rather than a panic.

Changed

• ChangedBuild pipeline: make build-dev and make build-prod bake the registry URL into the binary via -ldflags. The runtime YAML block becomes optional.

Fixed

• FixedResponse size caps on registry fetches, a deterministic clock for manifest-validity checks, and a robust path for resolving the cert URL relative to the manifest.