
feat: add Rust kernel release gates #40

Merged: MapleEve merged 3 commits into main from feat/0.8.4-regression-rollback-gates on Jun 9, 2026

MapleEve (Owner) commented Jun 9, 2026

Summary

  • Add a typed Rust-kernel release-gate matrix for the selected voiceprint, post-process, artifact, and status helper paths.
  • Add repository-owned public release scanning and run it in CI before PR/release text can publish private paths, raw validation material, real IDs, or secret-like values.
  • Bump the internal voscript_core crate version to 0.8.4 and extend unit coverage for the gate matrix and scanner.

Validation

  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 python -m pytest tests/unit/ tests/test_security.py tests/test_voiceprint_db.py tests/test_job_service.py -q --tb=short -> 233 passed
  • python voscript-api/scripts/public_release_scan.py --root . -> passed, 195 tracked files
  • ruff check app/ tests/unit/test_kernel_release_gates.py tests/unit/test_public_release_scan.py voscript-api/scripts/public_release_scan.py --ignore E501
  • ruff format --check app/ tests/unit/test_kernel_release_gates.py tests/unit/test_public_release_scan.py voscript-api/scripts/public_release_scan.py
  • cargo fmt --manifest-path crates/voscript_core/Cargo.toml -- --check
  • cargo test --manifest-path crates/voscript_core/Cargo.toml
  • cargo clippy --manifest-path crates/voscript_core/Cargo.toml --features python-bindings --all-targets -- -D warnings

Notes

  • Public HTTP API shape is unchanged.
  • Python remains the orchestrator; Rust remains limited to selected provider/kernel internals.
  • Dependency audit is covered by the GitHub CI security scan.

Copilot AI review requested due to automatic review settings June 9, 2026 17:10
github-actions Bot commented Jun 9, 2026

👍 @MapleEve

Thank you for raising your pull request and contributing to VoScript.
Please make sure you have followed our contributing guidelines. We will review it as soon as possible.
If you encounter any problems, please feel free to connect with us.
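Thank you very much for raising a pull request and contributing to VoScript. Please make sure you have followed our contributing guidelines; we will review it as soon as possible.
If you encounter any problems, please feel free to contact us.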

claude Bot commented Jun 9, 2026

Claude encountered an error after 0s.


I'll analyze this and get back to you.

codecov Bot commented Jun 9, 2026

Codecov Report

❌ Patch coverage is 86.53846% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.90%. Comparing base (218da33) to head (3c8387a).
✅ All tests successful. No failed tests found.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| app/providers/kernel_bridge/release_gates.py | 86.27% | 7 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main      #40      +/-   ##
==========================================
- Coverage   90.97%   90.90%   -0.07%     
==========================================
  Files          83       84       +1     
  Lines        3644     3696      +52     
==========================================
+ Hits         3315     3360      +45     
- Misses        329      336       +7     

| Flag | Coverage Δ |
|---|---|
| unit | 90.90% <86.53%> (-0.07%) ⬇️ |

Flags with carried forward coverage won't be shown.

Copilot AI left a comment

Pull request overview

This PR introduces explicit release governance for the Rust-backed kernel surface by adding (1) a typed “release gate” matrix describing selected Rust-backed paths and required evidence, and (2) a repository-owned public-release scanner enforced in CI to prevent accidental publication of private paths, real IDs, validation artifacts, or secret-like strings. It also bumps the internal voscript_core crate version to 0.8.4 and extends unit coverage for the new policy/code paths.

Changes:

  • Added a Rust-kernel release-gate matrix (release_gates.py) and unit coverage to validate “fail-closed”, rollback, CI gate, and regression/perf evidence expectations.
  • Added public_release_scan.py plus unit tests and a new CI job to block privacy/secret leakage in tracked files.
  • Bumped voscript_core version from 0.8.3 to 0.8.4 (Rust crate + related tests/docs).

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| voscript-api/scripts/public_release_scan.py | New repository-owned scanner for secret-like values, private paths, real IDs, and local-only artifacts in tracked files. |
| tests/unit/test_public_release_scan.py | Unit tests for placeholder allowances and leak detection in the public release scanner. |
| tests/unit/test_kernel_release_gates.py | Unit tests ensuring the release-gate matrix and required CI/workflow commands are present. |
| tests/unit/test_kernel_bridge.py | Updates expected voscript_core version to 0.8.4. |
| doc/changelog.zh.md | Changelog entry documenting the 0.8.4 gates and public release scan (Chinese). |
| doc/changelog.en.md | Changelog entry documenting the 0.8.4 gates and public release scan (English). |
| crates/voscript_core/src/lib.rs | Updates version assertion for PACKAGE_VERSION to 0.8.4. |
| crates/voscript_core/Cargo.toml | Bumps crate version to 0.8.4. |
| Cargo.lock | Updates lockfile to reflect voscript_core 0.8.4. |
| app/providers/kernel_bridge/release_gates.py | New typed release-gate matrix + policy validation helper for selected Rust-backed bridge paths. |
| app/providers/kernel_bridge/__init__.py | Exposes release-gate API from providers.kernel_bridge. |
| .github/workflows/ci.yml | Adds a CI job to run the public release scan. |


Comment on lines +358 to +367
for rule in LINE_RULES:
if not rule.pattern.search(line):
continue
if rule.name == "machine-local path" and any(
path in line for path in PUBLIC_CONTAINER_PATHS
):
continue
findings.append(
Finding(rule.name, rel_str, line_no, _excerpt(line), rule.advice)
)
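
Review bot: the `continue` taken when any PUBLIC_CONTAINER_PATHS entry appears in the line drops the "machine-local path" finding for the whole line, so a line that holds both an allowed container path and a real local path is never reported. The exemption is a substring test on the full line rather than on what rule.pattern matched; consider iterating the matches (for example with rule.pattern.finditer(line)) and appending a Finding whenever a match is not covered by an allowed path. Comparing rule.name to the literal string also ties the exemption to a display name; a field on the rule would survive a rename.
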
Comment on lines +165 to +166
if gate.public_api_change:
gaps.append(f"{gate.name}: public API change is not allowed in 0.8.4")
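
Review bot: the message passed to gaps.append hardcodes the release as the literal 0.8.4, so the text goes stale at the next version bump while the public_api_change check itself keeps firing. Build the message from a single version constant, or drop the version from the wording.
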
MapleEve merged commit 49a9b63 into main Jun 9, 2026
9 of 10 checks passed
MapleEve deleted the feat/0.8.4-regression-rollback-gates branch June 9, 2026 17:38

github-actions Bot commented Jun 9, 2026

❤️ Great PR @MapleEve ❤️

The growth of the project is inseparable from user feedback and contribution. Thanks for your contribution!
The growth of the project is inseparable from user feedback and contributions. Thank you for your contribution!
