Back to Docs
Recipe

SemVer Strategy

A deterministic playbook for versioning Nimbus releases so customers, loaders, and CDN pipelines never drift.

The Rule

Nimbus follows strict MAJOR.MINOR.PATCH. Every tag maps to a single signed payload. No exceptions.

  • MAJOR — loader ABI break, new syscall surface, or license schema migration.
  • MINOR — new feature gated behind existing license tier, no ABI change.
  • PATCH — anti-tamper hardening, ETW rule tuning, or Themida config refresh.

Pipeline Contract

CI produces three artifacts per tag: the signed loader stub, the wrapped payload, and a detached Ed25519 signature. The CDN serves them under /releases/<tag>/.

nimbus_loader_3.2.1.exe

nimbus_payload_3.2.1.bin

nimbus_3.2.1.sig

Pre-release Channel

Canary builds append -canary.<commit-short>. These never ship to stable auto-update. They exist solely for internal validation against the latest Themida build.

Rollback Protocol

If a PATCH introduces a regression, the CDN rollback pointer shifts to the previous tag within 60 seconds. Loaders with an offline grace cache will hold the last-known-good signature for 72 hours before falling back to the CDN.

← Return to Docs