pre-publish fixes: pin SBOM tool version, remove hardcoded paths, fix changelog

- Pin cargo-cyclonedx@0.5.5 in scripts/generate-sbom.sh (matches CI)
- Remove hardcoded /home/lateuf paths from .cargo/config.toml
- Remove stale 'quick' command reference from CHANGELOG 0.1.0

.cargo/config.toml

@@ -11,11 +11,12 @@
 [env]
 SOURCE_DATE_EPOCH = "0"
 
-[build]
+# [build]
-# Remap common local paths in release builds.
+# Path remapping for local dev builds is optional.
-# These are best-effort for local dev — CI RUSTFLAGS override this entirely.
+# CI RUSTFLAGS override build.rustflags entirely.
-# The $HOME/.cargo/registry/src prefix covers most dependency crate paths.
+# strip = true in profile.release removes debug paths from binaries.
-rustflags = [
+# Uncomment and adjust for your system if you want local path remapping:
-  "--remap-path-prefix", "/home/lateuf/.cargo/registry/src=crate",
+# rustflags = [
-  "--remap-path-prefix", "/home/lateuf/Projects/Karapace=src",
+#   "--remap-path-prefix", "/home/YOU/.cargo/registry/src=crate",
-]
+#   "--remap-path-prefix", "/home/YOU/Projects/Karapace=src",
+# ]

CHANGELOG.md

@@ -57,7 +57,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 - **Lock file v2** — resolved packages with pinned versions, base image content digest (not tag), dual verification (integrity + manifest intent).
 - **Content-addressable store** — blake3 hashing, atomic writes (NamedTempFile + persist), integrity verification on read, reference counting, garbage collection with signal cancellation.
 - **CLI commands** — `build`, `rebuild`, `enter`, `exec`, `destroy`, `stop`, `freeze`, `archive`, `list`, `inspect`, `diff`, `snapshots`, `commit`, `restore`, `gc`, `verify-store`, `push`, `pull`, `rename`, `completions`, `man-pages`, `doctor`, `migrate`.
-- **`quick` command** — one-step environment creation for casual users (`karapace quick rolling -p git,curl --enter`). Generates a real manifest + lock file, preserving determinism while matching Distrobox-like simplicity.
 - **Example manifests** — `examples/minimal.toml`, `examples/dev.toml`, `examples/gui-dev.toml`, `examples/ubuntu-dev.toml`, `examples/rust-dev.toml` for common use cases.
 - **Multi-distro image support** — openSUSE Tumbleweed/Leap, Ubuntu (20.04–24.10), Debian (Bookworm/Trixie/Sid), Fedora (40–42), Arch Linux, custom URLs.
 - **Runtime backends** — user namespace (`unshare` + `fuse-overlayfs` + `chroot`), OCI (`crun`/`runc`/`youki`), mock (for testing).

scripts/generate-sbom.sh

@@ -3,7 +3,7 @@ set -euo pipefail
 
 command -v cargo-cyclonedx >/dev/null 2>&1 || {
     echo "Installing cargo-cyclonedx..."
-    cargo install cargo-cyclonedx --locked
+    cargo install cargo-cyclonedx@0.5.5 --locked
 }
 
 cargo cyclonedx --format json --output-prefix karapace