trent power — release reproducibility
edition 2026-05-17

this archive is byte-deterministic. building it twice from the
same source tree produces identical zip and tar.gz bytes. the
sha256 values published in SHA256SUMS pin the byte sequence so
any future rebuild from the same source must produce the same
hashes.

Deterministic Inputs
--------------------
  - file order:   sorted byte order (locale-independent)
  - mtimes:       pinned to 2026-05-17T00:00:00Z for every entry
  - tar metadata: uid/gid/uname/gname normalised to 0/empty
  - gzip:         no embedded mtime (mtime=0), no filename header
  - zip:          ZipInfo.external_attr fixed at 0o644<<16
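
the settings above, applied with python's standard library. this is
an added example, not code from tools/build.sh. the function names,
the sample tree, the ustar format, the deflate compression and the
create_system pin are assumptions made for the illustration.

```python
import gzip, hashlib, io, tarfile, zipfile
from datetime import datetime, timezone

PINNED = datetime(2026, 5, 17, tzinfo=timezone.utc)  # pinned mtime from the list

def ordered(files):
    # sorted byte order: compare encoded names, never locale collation
    return sorted(files, key=lambda n: n.encode("utf-8"))

def build_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ordered(files):
            info = zipfile.ZipInfo(name, date_time=PINNED.timetuple()[:6])
            info.external_attr = 0o644 << 16
            info.create_system = 3  # assumption: pinned, the default differs on windows
            info.compress_type = zipfile.ZIP_DEFLATED  # assumption
            zf.writestr(info, files[name])
    return buf.getvalue()

def build_tar_gz(files):
    raw = io.BytesIO()
    # assumption: ustar format, so no pax extended headers are emitted
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name in ordered(files):
            ti = tarfile.TarInfo(name)
            ti.size = len(files[name])
            ti.mtime = int(PINNED.timestamp())
            ti.mode = 0o644
            ti.uid = ti.gid = 0
            ti.uname = ti.gname = ""
            tf.addfile(ti, io.BytesIO(files[name]))
    out = io.BytesIO()
    # filename="" suppresses the FNAME header field; mtime=0 zeroes the timestamp
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# constructed sample tree, not the real site content
SAMPLE = {"b.txt": b"two\n", "a/index.html": b"<p>one</p>\n", "Z.txt": b"three\n"}

if __name__ == "__main__":
    reordered = dict(reversed(list(SAMPLE.items())))
    for build in (build_zip, build_tar_gz):
        first, second = build(SAMPLE), build(reordered)
        print(build.__name__, sha256(first), first == second)
```

compressed bytes also depend on the zlib build in use, so a rebuild
on a different toolchain can differ even with every field above pinned.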

Build Pipeline
--------------
  bash tools/build.sh

runs the full chain end-to-end — generate site, generate sw,
hash, sign, build release archives, run predeploy gate. the
public source tree of the build is published at:

  https://github.com/trentpower/trentpower.fr

Excluded From Reproducibility
-----------------------------
  - proprietary font binaries (see FONT-LICENSE-NOTICE.txt). a
    rebuilder without a klim licence cannot reproduce the live
    site's typography; pages render with the css fallback stack.
  - gpg detached signatures (.sig files) carry random salt and
    are not bit-identical across runs; only the data they sign
    is deterministic.

Edition vs Build
----------------
the canonical archive named trentpower-fr-2026-05-17.zip is the
editorial milestone for edition 2026-05-17; its bytes are sealed
forever after first publication. any later rebuild whose bytes
differ ships as a parallel artefact named with the build date
(e.g. trentpower-fr-YYYY-MM-DD.zip), preserving the canonical
snapshot. consult builds.json at /integrity/releases/2026-05-17/
for the full per-edition build history.
