Fantastic, thanks for the quick reply, digging in, and the suggestions.
Just to get over the hump, I did two more releases, the first manually relaxing the text lower bound (failed), and the second removing --pvp-bounds altogether (succeeded). In the past I've been advised by Hackage curators to set bounds for every dependency for a package I took over maintainership of, which in principle I agree with, but in practice it's tedious and also hard to know what the actual requirements are. To illustrate, the candidates upload feature does not do CI, so I can't know if it'll fail, and I can't delete non-building releases when they do fail.
My outstanding questions are:
1. Where is there documented a sensible policy for setting and maintaining bounds that will satisfy mainstream tools and personnel;
2. Do any tools exist that can help automate this;
3. How can I have these bounds committed to source control versus manually tweaking the tarball before upload, and hopefully still use Stack in my project;
4. How can I test Hackage's CI locally to know if my upload will build there?
Thanks again for the assistance.