> Plain-language companion for v0.74.0 implementation.
>
> Detailed status: [v0.74.0.md-full.md](v0.74.0.md-full.md)

## v0.74.0 — Test Coverage, CI Integrity & Security Hardening

Status: Planned.

### Items

- [ ] TEST-002: Replace fixed WAL/safety stabilization sleeps with condition-based polling.
- [ ] TEST-004: Path-filtered full E2E + reduced TPC-H slice on risky PRs (security-sensitive changes).
- [ ] TEST-005: `just coverage-summary` recipe with per-module risk output.
- [ ] CODE-002: `#[cfg(test)]` unit tests for `src/refresh/merge/mod.rs`, `src/refresh/codegen.rs`, `src/api/metrics_ext.rs`.
- [ ] SEC-001: Centralize advisory ignores in `deny.toml` and make `just security` reproduce CI advisory checks.
- [ ] SEC-002: Restrict IVM AFTER trigger search path or add targeted shadowing tests.
- [ ] SEC-003: SQL builder helpers audit and lint for raw `format!()` SQL injection vectors.
- [ ] DEVEX-001: Re-enable push-to-main benchmark baselines and CI integration.
- [ ] DEVEX-002: Add `just lint-ci` recipe covering generated doc/schema/version/docs-truth checks.
- [ ] DEVEX-003: Replace stale version tags in Dockerfile examples and justfile.
- [ ] **DEP-001**: Upgrade `sqlx` 0.8.6 → 0.9.0 (query string safety, MySQL text inference, Postgres options escaping, SQLite extensions unsafe, Migrator return types, offline mode). Requires code audit for dynamic query patterns and comprehensive testing.
- [ ] **DEP-002**: Upgrade `lru` 0.16.4 → 0.18.0 (minor version bump; verify API changes in cache usage).
- [ ] **DEP-003**: Upgrade `object_store` 0.10.2 → 0.13.2 (3-version jump; full E2E testing required for DuckLake sink F-2 path before merge).

### Notes

- v0.74.0 is the first of the final pre-1.0 hardening arc, focusing on test quality, CI truthfulness, and security best practices.
- DEP-001 (sqlx 0.9.0) is a breaking-change upgrade that requires careful review. Run full test suite before merge. Audit all dynamic query construction (`format!()`, string concatenation) against the new `SqlSafeStr` requirement.
- DEP-002 and DEP-003 are scheduled for v0.74.0 but should be triaged first — DEP-002 is low-risk (minor bump); DEP-003 requires DuckLake E2E validation.
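
A possible starting point for the SEC-003 lint and the DEP-001 audit, as an added example that is not the project's own code: a std-only Rust heuristic that flags `format!()` calls whose literal begins with a SQL keyword and interpolates a value. The function names, the keyword list and the sample input are assumptions made for illustration.

```rust
// Added example: heuristic audit for raw `format!()` SQL (all names are hypothetical).
const SQL_KEYWORDS: [&str; 9] = [
    "SELECT ", "INSERT ", "UPDATE ", "DELETE ", "CREATE ", "DROP ", "ALTER ", "TRUNCATE ", "WITH ",
];

#[derive(Debug, PartialEq)]
pub struct Finding { pub line: usize, pub literal: String }

/// First string literal at or after `from`; honours `\"` escapes, not raw strings.
fn first_literal(src: &str, from: usize) -> Option<&str> {
    let start = from + src[from..].find('"')? + 1;
    let bytes = src.as_bytes();
    let mut i = start;
    while i < bytes.len() {
        match bytes[i] {
            b'\\' => i += 2, // skip the escaped character
            b'"' => return Some(&src[start..i]),
            _ => i += 1,
        }
    }
    None
}

/// True when the literal has a `{}` / `{name}` placeholder left after removing `{{` and `}}`.
fn interpolates(lit: &str) -> bool {
    lit.replace("{{", "").replace("}}", "").contains('{')
}

/// Reports every `format!(` whose literal looks like SQL and splices a value into it.
pub fn audit(src: &str) -> Vec<Finding> {
    let mut out = Vec::new();
    let mut pos = 0;
    while let Some(off) = src[pos..].find("format!(") {
        let at = pos + off;
        pos = at + "format!(".len();
        let Some(lit) = first_literal(src, pos) else { break };
        let upper = lit.trim_start().to_uppercase();
        if SQL_KEYWORDS.iter().any(|k| upper.starts_with(*k)) && interpolates(lit) {
            let line = src[..at].matches('\n').count() + 1; // 1-based line of the macro call
            out.push(Finding { line, literal: lit.to_string() });
        }
    }
    out
}

fn main() {
    // Constructed sample input, not code from the project.
    let sample = "fn q(t: &str) -> String {\n    format!(\"SELECT * FROM {} WHERE id = $1\", t)\n}\n";
    for f in audit(sample) { println!("line {}: {}", f.line, f.literal); }
}
```

Each finding is a candidate for manual review: identifiers spliced into SQL need quoting or an allow-list, and values belong in bind parameters.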