perf(release): optimize Gate4 polling and bump to 5.1.2 (#49)

* perf(release): optimize gate4 polling and bump version to 5.1.2

* docs(release): align gate4 retry defaults and env docs

---------

Co-authored-by: GitHub Copilot Agent <github-actions[bot]@users.noreply.github.com>

Author: tomtastisch

Directory.Build.props

@@ -5,6 +5,6 @@
         <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
     </PropertyGroup>
   <PropertyGroup>
-    <RepoVersion>5.1.1</RepoVersion>
+    <RepoVersion>5.1.2</RepoVersion>
   </PropertyGroup>
 </Project>

docs/021_USAGE_NUGET.MD

@@ -56,7 +56,8 @@ Relevante Inputs:
 - `REQUIRE_FLATCONTAINER`: aktiviert/deaktiviert Flatcontainer als Pflichtcheck (`1`/`0`, Default `1`).
 
 Release-Gate-4 (post-publish) nutzt eigene Defaults über den Wrapper:
-- `SVT_POSTPUBLISH_RETRY_COUNT` (Default `59`)
+- `SVT_POSTPUBLISH_RETRY_SCHEDULE_SECONDS` (Default `2,3,5,8,13,21,34,55,89,89,89`)
+- `SVT_POSTPUBLISH_RETRY_COUNT` (Default: Anzahl Schedule-Elemente, aktuell `11`; optional explizit überschreibbar)
 - `SVT_POSTPUBLISH_RETRY_SLEEP_SECONDS` (Default `10`)
 - Blocking-Scope im Release:
   - `REQUIRE_SEARCH=0`

docs/ci/002_NUGET_TRUSTED_PUBLISHING.MD

@@ -20,9 +20,10 @@ Die aktive Trusted-Publishing-Policy ist an folgende Identität gebunden:
   - `REQUIRE_REGISTRATION=1`
   - `REQUIRE_SEARCH=0` (Search ist aus dem blocking Gate entkoppelt).
 - Default-Wartefenster für Gate 4:
-  - `SVT_POSTPUBLISH_RETRY_COUNT=59`
+  - `SVT_POSTPUBLISH_RETRY_SCHEDULE_SECONDS=2,3,5,8,13,21,34,55,89,89,89`
+  - `SVT_POSTPUBLISH_RETRY_COUNT=11` (dynamisch aus Schedule-Länge, sofern nicht explizit gesetzt)
   - `SVT_POSTPUBLISH_RETRY_SLEEP_SECONDS=10`
-  - entspricht deterministisch einem Retry-Sleep-Budget von bis zu 590s (9m50s) zuzüglich HTTP-Timeout-Anteilen pro Versuch.
+  - entspricht deterministisch einem Retry-Sleep-Budget von bis zu 408s (6m48s) zuzüglich HTTP-Timeout-Anteilen pro Versuch.
 - Bei Incident-Diagnose kann das Fenster über die beiden Variablen erhöht werden, ohne Workflow-Jobnamen oder Required Contexts zu ändern.
 
 ## 5. Entkoppelte Online-Konvergenz (Async)

docs/versioning/002_HISTORY_VERSIONS.MD

@@ -8,10 +8,11 @@ Heuristik fuer die Rueckwirkungs-Zuordnung:
 - `docs|test|ci|chore|tooling|refactor|fix` => Patch
 
 Aktueller Entwicklungsstand:
-- Aktuelle Entwicklungslinie enthält `5.x` (aktuell veroeffentlichtes Tag: `v5.1.0`; Details in `docs/versioning/003_CHANGELOG_RELEASES.MD`).
+- Aktuelle Entwicklungslinie enthält `5.x` (aktuell veroeffentlichtes Tag: `v5.1.1`; Details in `docs/versioning/003_CHANGELOG_RELEASES.MD`).
 
 | Version | Kurzbeschreibung | Commit | Keyword |
 |---|---|---|---|
+| `5.1.2` | Optimize Gate4 NuGet post-publish polling with adaptive retry schedule and bump patch version | pending merge commit | patch |
 | `5.1.1` | Dependabot security-only mode und fail-closed Guards fuer secret-pflichtige Workflows | [d0ad8ec](https://github.com/tomtastisch/FileClassifier/commit/d0ad8ec) | patch |
 | `5.1.0` | Security/Governance hardening wave: pinned actions, dependency review, labeler fixes, root assurance index | [e2a4a42](https://github.com/tomtastisch/FileClassifier/commit/e2a4a42) | minor |
 | `5.0.0` | Finalize hashing API rename to EvidenceHashing and add optional HMAC digests | [444d027](https://github.com/tomtastisch/FileClassifier/commit/444d027) | breaking |

docs/versioning/003_CHANGELOG_RELEASES.MD

@@ -4,6 +4,13 @@ Alle Aenderungen werden hier technisch dokumentiert. Die Release-Version selbst
 der Git-Tag `vX.Y.Z` (optional `-prerelease`) als SSOT.
 
 ## [Unreleased]
+- Changed:
+  - NuGet Post-Publish SVT (`Gate 4`) auf adaptiven Retry-Schedule umgestellt, um die durchschnittliche Laufzeit bei unverändert fail-closed Verhalten zu senken.
+  - Repo-/Package-Version auf `5.1.2` (Patch `Z + 1`) angehoben.
+- Docs/CI/Tooling:
+  - Retry-Schedule-Defaults und neues ENV `SVT_POSTPUBLISH_RETRY_SCHEDULE_SECONDS` in `docs/021_USAGE_NUGET.MD` und `docs/ci/002_NUGET_TRUSTED_PUBLISHING.MD` nachgezogen.
+
+## [5.1.1]
 - Added:
   - Dependabot-Schutz fuer secret-pflichtige Workflows (`qodana`, `security-claims-evidence`) bei Dependabot-PR-Kontext.
 - Changed:

src/FileTypeDetection/FileTypeDetectionLib.vbproj

@@ -7,8 +7,8 @@
         <IsPackable>true</IsPackable>
         <GeneratePackageOnBuild>false</GeneratePackageOnBuild>
         <PackageId>Tomtastisch.FileClassifier</PackageId>
-        <Version>5.1.1</Version>
-        <PackageVersion>5.1.1</PackageVersion>
+        <Version>5.1.2</Version>
+        <PackageVersion>5.1.2</PackageVersion>
         <Authors>tomtastisch</Authors>
         <Description>Deterministic file type and MIME detection with fail-closed archive safety checks, secure extraction primitives, and reproducible hashing evidence for .NET.</Description>
         <PackageTags>filetype;mime;detection;magic-bytes;sniffing;archive;zip;tar;7z;rar;zipslip;security;hashing;sha256;deterministic;dotnet;net8;net10</PackageTags>

tools/ci/release/gate4_verify_postpublish.sh

@@ -3,7 +3,17 @@ set -euo pipefail
 
 expected_version="${1:?expected version required}"
 nupkg_path="${2:?nupkg path required}"
-retry_count="${SVT_POSTPUBLISH_RETRY_COUNT:-59}"
+default_retry_schedule_seconds="2,3,5,8,13,21,34,55,89,89,89"
+retry_schedule_seconds="${SVT_POSTPUBLISH_RETRY_SCHEDULE_SECONDS:-${default_retry_schedule_seconds}}"
+if [[ -n "${SVT_POSTPUBLISH_RETRY_COUNT:-}" ]]; then
+  retry_count="${SVT_POSTPUBLISH_RETRY_COUNT}"
+else
+  if [[ -n "${retry_schedule_seconds}" ]]; then
+    retry_count="$(awk -F',' '{print NF}' <<<"${retry_schedule_seconds}")"
+  else
+    retry_count="59"
+  fi
+fi
 retry_sleep_seconds="${SVT_POSTPUBLISH_RETRY_SLEEP_SECONDS:-10}"
 
 if [[ ! "${retry_count}" =~ ^[0-9]+$ ]]; then
@@ -14,11 +24,16 @@ if [[ ! "${retry_sleep_seconds}" =~ ^[0-9]+$ ]]; then
   echo "SVT_POSTPUBLISH_RETRY_SLEEP_SECONDS must be a non-negative integer (actual='${retry_sleep_seconds}')" >&2
   exit 1
 fi
+if [[ -n "${retry_schedule_seconds}" && ! "${retry_schedule_seconds}" =~ ^[0-9]+(,[0-9]+)*$ ]]; then
+  echo "SVT_POSTPUBLISH_RETRY_SCHEDULE_SECONDS must be comma-separated non-negative integers (actual='${retry_schedule_seconds}')" >&2
+  exit 1
+fi
 
 EXPECTED_VERSION="${expected_version}" \
 NUPKG_PATH="${nupkg_path}" \
 RETRY_COUNT="${retry_count}" \
 RETRY_SLEEP_SECONDS="${retry_sleep_seconds}" \
+RETRY_SCHEDULE_SECONDS="${retry_schedule_seconds}" \
 REQUIRE_SEARCH=0 \
 REQUIRE_REGISTRATION=1 \
 REQUIRE_FLATCONTAINER=1 \

tools/ci/verify_nuget_release.sh

@@ -11,6 +11,7 @@ EXPECTED_VERSION="${EXPECTED_VERSION:-}"
 TIMEOUT_SECONDS="${TIMEOUT_SECONDS:-30}"
 RETRY_COUNT="${RETRY_COUNT:-6}"
 RETRY_SLEEP_SECONDS="${RETRY_SLEEP_SECONDS:-10}"
+RETRY_SCHEDULE_SECONDS="${RETRY_SCHEDULE_SECONDS:-}"
 VERIFY_ONLINE="${VERIFY_ONLINE:-1}"
 REQUIRE_SEARCH="${REQUIRE_SEARCH:-1}"
 REQUIRE_REGISTRATION="${REQUIRE_REGISTRATION:-1}"
@@ -69,9 +70,18 @@ retry_network() {
     if [[ "${attempt}" -ge "${RETRY_COUNT}" ]]; then
       fail "Network check '${name}' failed after $((RETRY_COUNT + 1)) attempts."
     fi
-    info "Network check '${name}' attempt ${current_attempt}/${max_attempts} failed; retrying in ${RETRY_SLEEP_SECONDS}s."
+    local sleep_seconds="${RETRY_SLEEP_SECONDS}"
+    if [[ -n "${RETRY_SCHEDULE_SECONDS}" ]]; then
+      local schedule_value
+      schedule_value="$(awk -F',' -v idx="${current_attempt}" '{ if (idx <= NF) print $idx; else print $NF }' <<<"${RETRY_SCHEDULE_SECONDS}")"
+      if [[ -z "${schedule_value}" || ! "${schedule_value}" =~ ^[0-9]+$ ]]; then
+        fail "RETRY_SCHEDULE_SECONDS must contain only comma-separated non-negative integers."
+      fi
+      sleep_seconds="${schedule_value}"
+    fi
+    info "Network check '${name}' attempt ${current_attempt}/${max_attempts} failed; retrying in ${sleep_seconds}s."
     attempt=$((attempt + 1))
-    sleep "${RETRY_SLEEP_SECONDS}"
+    sleep "${sleep_seconds}"
   done
 }
 
@@ -301,6 +311,11 @@ main() {
   require_cmd python3
   require_nonnegative_integer "RETRY_COUNT" "${RETRY_COUNT}"
   require_nonnegative_integer "RETRY_SLEEP_SECONDS" "${RETRY_SLEEP_SECONDS}"
+  if [[ -n "${RETRY_SCHEDULE_SECONDS}" ]]; then
+    if [[ ! "${RETRY_SCHEDULE_SECONDS}" =~ ^[0-9]+(,[0-9]+)*$ ]]; then
+      fail "RETRY_SCHEDULE_SECONDS must be comma-separated non-negative integers (actual='${RETRY_SCHEDULE_SECONDS}')"
+    fi
+  fi
   require_bool_flag "REQUIRE_SEARCH" "${REQUIRE_SEARCH}"
   require_bool_flag "REQUIRE_REGISTRATION" "${REQUIRE_REGISTRATION}"
   require_bool_flag "REQUIRE_FLATCONTAINER" "${REQUIRE_FLATCONTAINER}"