2.0.4 updates

.github/release-footer.md

@@ -0,0 +1,35 @@
+### Download
+
+| Platform | Architecture | Asset |
+|----------|--------------|-------|
+| Linux    | x86_64       | `stackql-deploy-linux-x86_64.tar.gz` |
+| Linux    | arm64        | `stackql-deploy-linux-arm64.tar.gz` |
+| macOS    | Universal (Apple Silicon + Intel) | `stackql-deploy-macos-universal.tar.gz` |
+| Windows  | x86_64       | `stackql-deploy-windows-x86_64.zip` |
+
+Each archive contains a single binary named `stackql-deploy` (or `stackql-deploy.exe` on Windows). Verify your download with `SHA256SUMS`.
+
+### Install (quick)
+
+**Linux / macOS:**
+
+```sh
+curl -L https://get-stackql-deploy.rs -o stackql-deploy.tar.gz && tar xz stackql-deploy.tar.gz
+```
+
+**Windows (PowerShell):**
+
+```powershell
+Invoke-WebRequest -Uri https://get-stackql-deploy.rs -OutFile stackql-deploy.zip
+Expand-Archive stackql-deploy.zip -DestinationPath .
+```
+
+**cargo:**
+
+```sh
+cargo install stackql-deploy
+```
+
+---
+
+Full documentation: [stackql-deploy.io](https://stackql-deploy.io) - Source: [github.com/stackql/stackql-deploy](https://github.com/stackql/stackql-deploy)

.github/workflows/release.yml

@@ -132,10 +132,38 @@ jobs:
           path: ${{ matrix.artifact-name }}.*
           if-no-files-found: error
 
+  universal-macos:
+    name: Universal macOS binary
+    needs: build
+    runs-on: macos-latest
+    steps:
+      - uses: actions/download-artifact@v8
+        with:
+          name: stackql-deploy-macos-arm64
+          path: arm64
+      - uses: actions/download-artifact@v8
+        with:
+          name: stackql-deploy-macos-x86_64
+          path: x86_64
+      - name: Extract binaries
+        run: |
+          tar -xzf arm64/stackql-deploy-macos-arm64.tar.gz -C arm64
+          tar -xzf x86_64/stackql-deploy-macos-x86_64.tar.gz -C x86_64
+      - name: Create universal binary
+        run: |
+          lipo -create arm64/stackql-deploy x86_64/stackql-deploy \
+            -output stackql-deploy
+          tar -czf stackql-deploy-macos-universal.tar.gz stackql-deploy
+      - uses: actions/upload-artifact@v8
+        with:
+          name: stackql-deploy-macos-universal
+          path: stackql-deploy-macos-universal.tar.gz
+          if-no-files-found: error
+
   # Runtime smoke test on each platform before releasing
   runtime-test:
     name: Runtime Test (${{ matrix.os }})
-    needs: build
+    needs: [build, universal-macos]
     strategy:
       fail-fast: false
       matrix:
@@ -192,23 +220,32 @@ jobs:
 
   release:
     name: Create GitHub Release
-    needs: [build, runtime-test]
+    needs: [build, runtime-test, universal-macos]
     runs-on: ubuntu-latest
     permissions:
       contents: write
     steps:
-      - name: Download all build artifacts
+      - uses: actions/checkout@v6
+      - name: Download selected build artifacts
         uses: actions/download-artifact@v8
         with:
           path: artifacts/
-          pattern: stackql-deploy-*
+          pattern: stackql-deploy-@(linux-*|windows-*|macos-universal)
       - name: Collect archives and generate SHA256SUMS
         run: |
           mkdir -p dist
           find artifacts/ -type f \( -name '*.tar.gz' -o -name '*.zip' \) \
             -exec mv {} dist/ \;
           cd dist
           sha256sum * | tee SHA256SUMS
+      - name: Build release body
+        run: |
+          VERSION=${GITHUB_REF_NAME#v}
+          echo "## stackql-deploy ${GITHUB_REF_NAME}" > release-body.md
+          echo "" >> release-body.md
+          awk "/^## $VERSION/{found=1; next} found && /^## /{exit} found{print}" CHANGELOG.md >> release-body.md
+          echo "" >> release-body.md
+          cat .github/release-footer.md >> release-body.md
       - name: GH Release
         uses: softprops/action-gh-release@v2.6.0
         with:
@@ -219,68 +256,7 @@ jobs:
             dist/*.tar.gz
             dist/*.zip
             dist/SHA256SUMS
-          body: |
-            ## stackql-deploy ${{ github.ref_name }}
-
-            ### What's new
-
-            This release ships the **Rust rewrite** of `stackql-deploy` — a complete
-            ground-up reimplementation that replaces the original Python package.
-
-            Key improvements over the Python version:
-
-            - **Single self-contained binary** — no Python runtime, pip, or virtualenv required.
-              Drop the binary on any supported platform and run.
-            - **Faster startup and execution** — Rust compile-time optimisations mean commands
-              that previously took seconds to initialise now start instantly.
-            - **Smaller install footprint** — the stripped Linux x86_64 binary is under 10 MB;
-              no transitive Python dependencies to manage.
-            - **Statically linked on Linux** — works on any glibc >= 2.17 distro without
-              installing extra system libraries.
-            - **Native Windows and macOS ARM64 support** — pre-built for all five major targets
-              (see assets below).
-
-            ### Download
-
-            | Platform | Architecture | Asset |
-            |----------|--------------|-------|
-            | Linux    | x86_64       | `stackql-deploy-linux-x86_64.tar.gz` |
-            | Linux    | arm64        | `stackql-deploy-linux-arm64.tar.gz` |
-            | macOS    | Apple Silicon (arm64) | `stackql-deploy-macos-arm64.tar.gz` |
-            | macOS    | Intel (x86_64) | `stackql-deploy-macos-x86_64.tar.gz` |
-            | Windows  | x86_64       | `stackql-deploy-windows-x86_64.zip` |
-
-            Each archive contains a single binary named `stackql-deploy` (or
-            `stackql-deploy.exe` on Windows). Verify your download with `SHA256SUMS`.
-
-            ### Migrating from the Python package
-
-            If you are currently using the Python package on PyPI, please migrate to this
-            release. The Python package is now deprecated and will no longer receive updates:
-            https://pypi.org/project/stackql-deploy/
-
-            The CLI interface is fully compatible — existing `stackql_manifest.yml` files and
-            project layouts work without modification.
-
-            ### Install (quick)
-
-            **Linux / macOS:**
-            ```sh
-            curl -sSL https://github.com/stackql/stackql-deploy/releases/download/${{ github.ref_name }}/stackql-deploy-linux-x86_64.tar.gz \
-              | tar -xz -C /usr/local/bin
-            ```
-
-            **Windows (PowerShell):**
-            ```powershell
-            Invoke-WebRequest -Uri https://github.com/stackql/stackql-deploy/releases/download/${{ github.ref_name }}/stackql-deploy-windows-x86_64.zip `
-              -OutFile stackql-deploy.zip
-            Expand-Archive stackql-deploy.zip -DestinationPath $env:LOCALAPPDATA\stackql-deploy
-            ```
-
-            Or install via `cargo`:
-            ```sh
-            cargo install stackql-deploy
-            ```
+          body_path: release-body.md
 
   # --no-verify skips the verification build that cargo publish runs by default.
   # That build fails because build.rs writes contributors.csv into the package

.gitignore

@@ -6,6 +6,9 @@ stackql*.zip
 stackql*.pkg
 stackql_history.txt
 stackql.log
+stackql-zip
 .env
 nohup.out
 contributors.csv
+.claude/
+nohup.out

CHANGELOG.md

@@ -1,5 +1,74 @@
 # Changelog
 
+## 2.0.4 (2026-03-18)
+
+### Identifier capture from `exists` queries
+
+The `exists` query can now return a named field (e.g. `vpc_id`) instead of `count`. The returned value is automatically captured as a resource-scoped variable (`{{ this.<field> }}`) and made available to all subsequent queries (`statecheck`, `exports`, `delete`) for that resource. This enables a two-step workflow where `exists` discovers the resource identifier and `statecheck` verifies its properties.
+
+- When `exists` returns `null` or empty for the captured field, the resource is treated as non-existent
+- Multiple rows from an `exists` (identifier pattern) or `exports` query is now a fatal error
+- After a `create`, the `exists` query is automatically re-run to capture the identifier for use in post-deploy `statecheck` and `exports` queries
+
+### `RETURNING *` identifier capture
+
+When a `create` statement includes `RETURNING *` and the response contains an `Identifier` field, it is automatically injected as `this.identifier` — skipping the post-create `exists` re-run and saving an API call per resource.
+
+### `return_vals` manifest field
+
+New optional `return_vals` field on resources to explicitly map fields from `RETURNING *` responses to resource-scoped variables:
+
+```yaml
+return_vals:
+  create:
+    - Identifier: identifier   # rename pattern
+    - ErrorCode                 # direct capture
+```
+
+If `return_vals` is specified but the field is missing from the response, the build fails.
+
+### `to_aws_tag_filters` template filter
+
+New AWS-specific Tera filter that converts `global_tags` (list of `Key`/`Value` pairs) to the AWS Resource Groups Tagging API `TagFilters` format:
+
+```sql
+AND TagFilters = '{{ global_tags | to_aws_tag_filters }}'
+```
+
+### YAML type preservation fix
+
+Fixed an issue where YAML string values that look like numbers (e.g. `IpProtocol: "-1"`) were being coerced to integers during JSON serialization. String types declared in YAML are now preserved through to the rendered query.
+
+### Teardown improvements
+
+- Teardown no longer retries exports queries that return empty results — missing exports are set to `<unknown>` and teardown continues best-effort
+- Post-delete existence checks accept the first empty response instead of retrying, reducing teardown time significantly
+
+### AWS starter template updated
+
+The `stackql-deploy init --provider aws` starter template now uses:
+- `awscc` (Cloud Control) provider instead of `aws`
+- CTE + INNER JOIN exists pattern with `to_aws_tag_filters`
+- `AWS_POLICY_EQUAL` for statecheck tag comparison
+- `this.<field>` identifier capture pattern
+- `RETURNING *` on create statements
+- `stackql:stack-name` / `stackql:stack-env` / `stackql:resource-name` tag taxonomy
+
+### AWS VPC Web Server example
+
+Complete rewrite of the `examples/aws/aws-vpc-webserver` stack (renamed from `aws-stack`) using the `awscc` provider exclusively. Includes 10 resources demonstrating all query patterns: tag-based discovery, identifier capture, property-level statechecks, PatchDocument updates, and the `to_aws_tag_filters` filter.
+
+### Patch Document Test example
+
+New `examples/aws/patch-doc-test` example demonstrating the Cloud Control API `UPDATE` workflow with `PatchDocument` — deploy an S3 bucket, modify its versioning config in the manifest, and re-deploy to apply the update.
+
+### Other changes
+
+- Fixed `init` command missing `--env` argument (defaulting to `dev`)
+- Added `debug` log import to build command
+- Debug logging now shows full `RETURNING *` payloads
+- Documentation updates: `resource-query-files.md`, `template-filters.md`, `manifest-file.md`, and AWS template library
+
 ## 2.0.0 (2026-03-14)
 
 ### Initial Rust Release

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "stackql-deploy"
-version = "2.0.3"
+version = "2.0.4"
 edition = "2021"
 rust-version = "1.75"
 description = "Infrastructure-as-code framework for declarative cloud resource management using StackQL"