From fa062f41df9039a754321dfe093f6c35d2475fc1 Mon Sep 17 00:00:00 2001 From: docushell-admin Date: Wed, 1 Jul 2026 20:02:42 +0530 Subject: [PATCH] Record v0.3 publication approval decision Signed-off-by: docushell-admin --- ...st_v0_3_0_publication_approval_decision.py | 198 +++++++++++++++++ CHANGELOG.md | 5 + Makefile | 1 + docs/execution-status.md | 8 + docs/public-release-checklist.md | 8 + docs/validation/README.md | 9 + ...approval-decision-validation-2026-07-01.md | 205 ++++++++++++++++++ 7 files changed, 434 insertions(+) create mode 100644 .github/scripts/test_v0_3_0_publication_approval_decision.py create mode 100644 docs/validation/v0-3-0-publication-approval-decision-validation-2026-07-01.md diff --git a/.github/scripts/test_v0_3_0_publication_approval_decision.py b/.github/scripts/test_v0_3_0_publication_approval_decision.py new file mode 100644 index 0000000..11a28ba --- /dev/null +++ b/.github/scripts/test_v0_3_0_publication_approval_decision.py @@ -0,0 +1,198 @@ +#!/usr/bin/env python3 +# +# Copyright 2026 The Ethos maintainers +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# + +from __future__ import annotations + +import json +import re +import unittest +from pathlib import Path + +from makefile_guard import target_block +from validation_record_source import assert_record_source_binding + + +ROOT = Path(__file__).resolve().parents[2] +RECORD = ROOT / "docs/validation/v0-3-0-publication-approval-decision-validation-2026-07-01.md" +REQUEST = ROOT / "docs/validation/v0-3-0-package-publication-approval-request-validation-2026-07-01.md" +EVIDENCE = ROOT / "docs/validation/v0-3-0-package-build-evidence-validation-2026-07-01.md" +VALIDATION_README = ROOT / "docs/validation/README.md" +EXECUTION_STATUS = ROOT / "docs/execution-status.md" +PUBLIC_RELEASE_CHECKLIST = ROOT / "docs/public-release-checklist.md" +MAKEFILE = ROOT / "Makefile" +NPM_PACKAGE = ROOT / "packages/npm/ethos-pdf/package.json" + +SOURCE_SHORT = "1f6ab3c" +SOURCE_COMMIT = "1f6ab3c7294c390d87f70cde6514a02024cf964c" +SOURCE_TREE = "6541e73b597f39eea91d4d802b08823aa0bfa9a8" +REQUEST_SOURCE_COMMIT = "39cb548cf6cfe20fbcb47ee605ba51f1ebf71f6b" +EVIDENCE_SOURCE_COMMIT = "4b6d219df1757b6e4728c16c8023bee5c8cf8962" +VERSION = "0.3.0" +CRATES = ("ethos-doc-core", "ethos-verify", "ethos-pdf") +PACKAGE_TAGS = ( + "ethos-package-ethos-doc-core-0.3.0", + "ethos-package-ethos-verify-0.3.0", + "ethos-package-ethos-pdf-0.3.0", +) +CRATE_HASHES = ( + "7ba41a2ae299a53a4677153beaaec5ed486a07b5da08b2ef13974b9a0be141cb", + "00f001455ca207e65aaf464551d3ba05945cda0b06e9e1036f49ac587accbb95", + "c2f4f2ccb6de6e54cd3257597cd28e7f6dec2a6d22befbd230d2c4cf31931cfd", +) +WHEEL = "ethos_pdf-0.3.0-py3-none-any.whl" +WHEEL_SHA256 = "9eb106deafcd1d9717e5e7b67dc9413180421aba25a5257266352d09540b3265" +FORBIDDEN = ( + "crates are published", + "published crates", + "python package is published", + "wheel is published", + "github release artifacts are published", + "npm package is published", + "installable 0.3.0 wording approved", + "public installation wording approved", + "docushell integration approved", + "production-ready", + "hosted surfaces approved", + "windows packaged artifacts approved", + "bundled pdfium approved", + "public benchmark claims approved", +) +PRIVATE_PATH_MARKERS = ( + "/" + "Users/", + "/" + "private/tmp", + "/" + "private/var", + "/" + "var/folders", + "saumil" + "diwaker", + "Desktop/" + "Stuff", + "project/repo/" + "ethos", +) + + +def read(path: Path) -> str: + return path.read_text(encoding="utf-8") + + +def normalized(path: Path) -> str: + return re.sub(r"\s+", " ", read(path)) + + +class V030PublicationApprovalDecisionTests(unittest.TestCase): + def test_decision_record_is_source_bound_and_indexed(self) -> None: + raw = read(RECORD) + record = normalized(RECORD) + + assert_record_source_binding( + self, + root=ROOT, + raw_record=raw, + normalized_record=record, + validated_head=SOURCE_SHORT, + source_label="v0.3.0 publication approval decision", + source_commit=SOURCE_COMMIT, + source_tree=SOURCE_TREE, + ) + self.assertIn(REQUEST.name, record) + self.assertIn(EVIDENCE.name, record) + self.assertIn(REQUEST_SOURCE_COMMIT, record) + self.assertIn(EVIDENCE_SOURCE_COMMIT, record) + + for path in (VALIDATION_README, EXECUTION_STATUS, PUBLIC_RELEASE_CHECKLIST): + text = normalized(path) + self.assertIn(RECORD.name, text, str(path)) + self.assertIn("v0.3.0 publication approval decision", text.lower(), str(path)) + self.assertIn("operator", text.lower(), str(path)) + + def test_decision_accepts_exact_rust_and_python_package_inputs(self) -> None: + record = normalized(RECORD) + + self.assertIn( + "Status: **v0.3.0 publication approval decision recorded; operator publication remains pending**", + record, + ) + self.assertIn("Decision: accept exact v0.3.0 Rust crates.io and Python PyPI publication inputs.", record) + for crate in CRATES: + self.assertIn(f"`{crate} = {VERSION}`", record) + self.assertIn(f"{crate}-0.3.0.crate", record) + self.assertIn(f"cargo publish --locked -p {crate}", record) + for tag in PACKAGE_TAGS: + self.assertIn(tag, record) + for digest in CRATE_HASHES: + self.assertIn(digest, record) + for expected in ( + WHEEL, + WHEEL_SHA256, + "SOURCE_DATE_EPOCH=0", + "EthosCli", + "proof_summary", + "app_answer_release_decision", + "Name: `ethos-pdf`", + "Version: `0.3.0`", + "Tag: `py3-none-any`", + ): + self.assertIn(expected, record) + + def test_operator_actions_are_later_bounded_and_artifact_npm_lanes_are_not_executed(self) -> None: + raw = read(RECORD) + record = normalized(RECORD) + lower = record.lower() + + for expected in ( + "This decision record does not run `cargo publish`.", + "This decision record does not upload any Python distribution.", + "Publication remains a separate operator action.", + "After this decision record is merged and validation passes on merged source, an operator may run only these Rust commands:", + "The operator must publish `ethos-doc-core` first.", + "The operator must wait for crates.io to report `ethos-doc-core = 0.3.0` before publishing dependent crates.", + "After this decision record is merged and validation passes on merged source, an operator may upload only this Python wheel:", + "The operator must use a PyPI-approved authentication path and must not record credentials in the repository.", + "CLI/GitHub Release artifact publication is approved only to start the v0.3.0 artifact evidence lane.", + "npm publication is approved only to start the v0.3.0 npm alignment and vendor-refresh evidence lane.", + "No GitHub Release artifact upload is authorized by this decision record.", + "No `npm publish` command is authorized by this decision record.", + "Installable `0.3.0` public wording remains blocked until registry and artifact availability closeout passes.", + "DocuShell integration remains blocked pending closeout or explicit source-dependency integration approval.", + ): + self.assertIn(expected, record) + for forbidden in FORBIDDEN: + self.assertNotIn(forbidden, lower) + for marker in PRIVATE_PATH_MARKERS: + self.assertNotIn(marker, raw) + + def test_source_surface_remains_bounded_before_operator_publication(self) -> None: + self.assertEqual("0.2.1", json.loads(read(NPM_PACKAGE))["version"]) + + for manifest in ( + ROOT / "crates/ethos-core/Cargo.toml", + ROOT / "crates/ethos-verify/Cargo.toml", + ROOT / "crates/ethos-pdf/Cargo.toml", + ): + text = read(manifest) + self.assertNotIn("publish = false", text, str(manifest)) + self.assertIn('publication_status = "approved_for_crates_io_publication"', text, str(manifest)) + + for manifest in ( + ROOT / "crates/ethos-cli/Cargo.toml", + ROOT / "crates/ethos-layout/Cargo.toml", + ROOT / "crates/ethos-tables/Cargo.toml", + ): + self.assertIn("publish = false", read(manifest), str(manifest)) + + def test_v0_3_release_prep_runs_decision_guard_after_request_guard(self) -> None: + makefile = read(MAKEFILE) + block = target_block("v0-3-release-prep") + request_guard = "$(PYTHON) .github/scripts/test_v0_3_0_package_publication_approval_request.py" + decision_guard = "$(PYTHON) .github/scripts/test_v0_3_0_publication_approval_decision.py" + public_surface_guard = "$(PYTHON) .github/scripts/test_public_surface_posture.py" + + self.assertIn(decision_guard, block) + self.assertEqual(1, makefile.count(decision_guard)) + self.assertLess(block.index(request_guard), block.index(decision_guard)) + self.assertLess(block.index(decision_guard), block.index(public_surface_guard)) + + +if __name__ == "__main__": + unittest.main() diff --git a/CHANGELOG.md b/CHANGELOG.md index 68f7b18..8d8e33a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,11 @@ ## Unreleased +- boundary-exception: record v0.3.0 Rust crates.io and PyPI publication approval decision for + later operator action while keeping actual GitHub Release artifact upload, npm publish, + installable `0.3.0` wording, release/package tags, hosted, production, Windows, bundled PDFium, + benchmark, `ethos-doc`, `ethos-rag`, and DocuShell integration blocked pending later evidence + and closeout records. - boundary-exception: request decider review for exact v0.3.0 Rust crates.io publication inputs and exact v0.3.0 deterministic PyPI wheel publication inputs while keeping `cargo publish`, PyPI upload, npm publish, GitHub Release artifact publication, release/package tags, installable diff --git a/Makefile b/Makefile index 5874b21..5edbe4e 100644 --- a/Makefile +++ b/Makefile @@ -93,6 +93,7 @@ v0-3-release-prep: $(PYTHON) .github/scripts/test_validation_record_source.py $(PYTHON) .github/scripts/test_v0_3_0_package_build_evidence.py $(PYTHON) .github/scripts/test_v0_3_0_package_publication_approval_request.py + $(PYTHON) .github/scripts/test_v0_3_0_publication_approval_decision.py $(PYTHON) .github/scripts/test_public_surface_posture.py $(PYTHON) .github/scripts/claims_gate.py $(PYTHON) .github/scripts/public_boundary_claims_gate.py diff --git a/docs/execution-status.md b/docs/execution-status.md index 72c0109..345c4ba 100644 --- a/docs/execution-status.md +++ b/docs/execution-status.md @@ -21,6 +21,14 @@ creation, release tag creation, installable `0.3.0` wording, npm alignment, GitH publication, and DocuShell integration remain blocked pending explicit approval, operator action, and closeout records. +v0.3.0 publication approval decision is recorded in +`docs/validation/v0-3-0-publication-approval-decision-validation-2026-07-01.md`. It accepts the +exact `0.3.0` Rust crates.io operator inputs and the exact deterministic PyPI wheel for later +operator action after merged-source validation passes. CLI/GitHub Release and npm lanes are +approved to start evidence work only; actual GitHub Release artifact upload, `npm publish`, +installable `0.3.0` wording, release/package tag creation, and DocuShell integration remain blocked +pending exact artifact/npm evidence, later approval records, operator action, and closeout records. + v0.3.0 release approval decision is recorded in `docs/validation/v0-3-0-release-approval-decision-validation-2026-07-01.md`. It accepts the exact app-answer-release contract release-prep packet and authorizes source activation on diff --git a/docs/public-release-checklist.md b/docs/public-release-checklist.md index de0aed3..6082ac3 100644 --- a/docs/public-release-checklist.md +++ b/docs/public-release-checklist.md @@ -33,6 +33,14 @@ install wording, package tags, release tags, npm alignment, GitHub Release artif or DocuShell integration; those remain blocked until explicit approval, operator action, and closeout records pass. +v0.3.0 publication approval decision is recorded in +`docs/validation/v0-3-0-publication-approval-decision-validation-2026-07-01.md`. It accepts the +exact `0.3.0` Rust crates.io operator inputs and the exact deterministic PyPI wheel for later +operator action after merged-source validation passes. CLI/GitHub Release and npm lanes are +approved to start evidence work only; actual GitHub Release artifact upload, `npm publish`, +installable `0.3.0` wording, release/package tag creation, and DocuShell integration remain blocked +pending exact artifact/npm evidence, later approval records, operator action, and closeout records. + v0.3.0 release approval decision is recorded in `docs/validation/v0-3-0-release-approval-decision-validation-2026-07-01.md`. It accepts the exact app-answer-release contract prep packet and authorizes release-candidate source activation on diff --git a/docs/validation/README.md b/docs/validation/README.md index 354b241..73b8cd0 100644 --- a/docs/validation/README.md +++ b/docs/validation/README.md @@ -10,6 +10,15 @@ in `docs/public-release-checklist.md`. Records: +v0.3.0 publication approval decision is recorded in +`v0-3-0-publication-approval-decision-validation-2026-07-01.md`. It accepts the exact `0.3.0` +Rust crates.io operator inputs for `ethos-doc-core`, `ethos-verify`, and `ethos-pdf`, and the exact +deterministic PyPI wheel `ethos_pdf-0.3.0-py3-none-any.whl`, for later operator action after +merged-source validation passes. CLI/GitHub Release and npm lanes are approved to start evidence +work only; actual GitHub Release artifact upload, `npm publish`, installable `0.3.0` wording, +release/package tag creation, and DocuShell integration remain blocked pending exact artifact/npm +evidence, later approval records, operator action, and closeout records. + v0.3.0 package publication approval request is recorded in `v0-3-0-package-publication-approval-request-validation-2026-07-01.md`. It requests decider review for the exact `0.3.0` crates.io publication inputs for `ethos-doc-core`, `ethos-verify`, and diff --git a/docs/validation/v0-3-0-publication-approval-decision-validation-2026-07-01.md b/docs/validation/v0-3-0-publication-approval-decision-validation-2026-07-01.md new file mode 100644 index 0000000..068a123 --- /dev/null +++ b/docs/validation/v0-3-0-publication-approval-decision-validation-2026-07-01.md @@ -0,0 +1,205 @@ +# v0.3.0 Publication Approval Decision Validation - 2026-07-01 + +Validated source HEAD before this record: `1f6ab3c`. + +v0.3.0 publication approval decision source commit: +`1f6ab3c7294c390d87f70cde6514a02024cf964c`. + +v0.3.0 publication approval decision source tree: +`6541e73b597f39eea91d4d802b08823aa0bfa9a8`. + +Status: **v0.3.0 publication approval decision recorded; operator publication remains pending** + +Decision: accept exact v0.3.0 Rust crates.io and Python PyPI publication inputs. + +This record accepts the exact v0.3.0 package publication approval request for later operator +execution. It also records the decider instruction to start the v0.3.0 CLI/GitHub Release and npm +publication lanes, but those artifact/npm lanes still require exact v0.3.0 artifact evidence and +vendor/package evidence before any GitHub Release artifact upload or `npm publish` action. + +This decision record does not run `cargo publish`, upload any Python distribution, run +`npm publish`, upload GitHub Release artifacts, create release tags, create package tags, change +installable `0.3.0` public wording, approve hosted surfaces, approve production positioning, +approve Windows packaged artifacts, approve bundled project-maintained PDFium builds, approve +`ethos-doc`, approve `ethos-rag`, approve public benchmark reports or claims, or approve DocuShell +integration. + +## Accepted Inputs + +- Repository: `docushell/ethos` +- Decision source commit: `1f6ab3c7294c390d87f70cde6514a02024cf964c` +- Decision source tree: `6541e73b597f39eea91d4d802b08823aa0bfa9a8` +- Approval request record: + `docs/validation/v0-3-0-package-publication-approval-request-validation-2026-07-01.md` +- Approval request source commit: `39cb548cf6cfe20fbcb47ee605ba51f1ebf71f6b` +- Package evidence record: + `docs/validation/v0-3-0-package-build-evidence-validation-2026-07-01.md` +- Package evidence source commit: `4b6d219df1757b6e4728c16c8023bee5c8cf8962` +- Approver: `docushell-admin` acting as decider. +- Date accepted: 2026-07-01. + +## Rust crates.io Decision + +Accepted Rust crate set: + +- `ethos-doc-core = 0.3.0` +- `ethos-verify = 0.3.0` +- `ethos-pdf = 0.3.0` + +Accepted Rust crate artifacts: + +```text +ethos-doc-core-0.3.0.crate +sha256: 7ba41a2ae299a53a4677153beaaec5ed486a07b5da08b2ef13974b9a0be141cb + +ethos-verify-0.3.0.crate +sha256: 00f001455ca207e65aaf464551d3ba05945cda0b06e9e1036f49ac587accbb95 + +ethos-pdf-0.3.0.crate +sha256: c2f4f2ccb6de6e54cd3257597cd28e7f6dec2a6d22befbd230d2c4cf31931cfd +``` + +After this decision record is merged and validation passes on merged source, an operator may run +only these Rust commands: + +```sh +cargo publish --locked -p ethos-doc-core +cargo publish --locked -p ethos-verify +cargo publish --locked -p ethos-pdf +``` + +The operator must publish `ethos-doc-core` first. The operator must wait for crates.io to report +`ethos-doc-core = 0.3.0` before publishing dependent crates. The operator must stop if any crate +filename, hash, package version, source binding, package list, or retained blocker differs from +this record. + +## Python PyPI Decision + +Accepted Python package: `ethos-pdf==0.3.0`. + +Accepted Python wheel: + +```text +ethos_pdf-0.3.0-py3-none-any.whl +sha256: 9eb106deafcd1d9717e5e7b67dc9413180421aba25a5257266352d09540b3265 +``` + +Accepted deterministic build input: `SOURCE_DATE_EPOCH=0`. + +Accepted wheel metadata: + +- Name: `ethos-pdf` +- Version: `0.3.0` +- License-Expression: `Apache-2.0` +- Requires-Python: `>=3.8` +- Tag: `py3-none-any` + +Accepted Python helper surface: + +- `EthosCli` +- `proof_summary` +- `app_answer_release_decision` + +After this decision record is merged and validation passes on merged source, an operator may upload +only this Python wheel: `ethos_pdf-0.3.0-py3-none-any.whl` with SHA256 +`9eb106deafcd1d9717e5e7b67dc9413180421aba25a5257266352d09540b3265`. + +The operator must build with `SOURCE_DATE_EPOCH=0`. The operator must use a PyPI-approved +authentication path and must not record credentials in the repository. The operator must stop if +the built wheel filename, SHA256, package version, source commit, source tree, deterministic build +input, helper surface, or retained blockers differ from this record. + +## CLI, GitHub Release, and npm Direction + +CLI/GitHub Release artifact publication is approved only to start the v0.3.0 artifact evidence +lane. No GitHub Release artifact upload is authorized by this decision record. + +npm publication is approved only to start the v0.3.0 npm alignment and vendor-refresh evidence +lane. No `npm publish` command is authorized by this decision record. + +Required next evidence before GitHub Release artifact upload or npm publication: + +- update the draft CLI artifact workflow smoke expectation from `ethos 0.2.0` to `ethos 0.3.0`; +- run the draft CLI artifact workflow for macOS arm64 and Linux x64; +- record exact v0.3.0 CLI artifact, checksum, inventory, and smoke evidence; +- refresh the npm vendor payload from the accepted v0.3.0 CLI artifacts; +- bump npm metadata only after the vendor evidence exists; +- record npm pack/install evidence for the exact v0.3.0 npm package candidate; +- record a separate GitHub Release artifact publication approval decision before upload; +- record a separate npm publication approval decision before `npm publish`. + +## Package Tag Set + +Accepted package tag name set for later package-tag approval: + +- `ethos-package-ethos-doc-core-0.3.0` +- `ethos-package-ethos-verify-0.3.0` +- `ethos-package-ethos-pdf-0.3.0` + +This decision record does not create package tags. Package tag creation remains blocked pending a +separate package-tag approval or closeout record. + +## Non-Actions + +- This decision record does not run `cargo publish`. +- This decision record does not upload any Python distribution. +- This decision record does not run `npm publish`. +- This decision record does not upload GitHub Release artifacts. +- This decision record does not create release tags. +- This decision record does not create package tags. +- This decision record does not approve installable `0.3.0` public wording. +- This decision record does not approve DocuShell integration. +- This decision record does not approve hosted surfaces. +- This decision record does not approve production positioning. +- This decision record does not approve Windows packaged artifacts. +- This decision record does not approve bundled project-maintained PDFium builds. +- This decision record does not approve public benchmark reports. +- This decision record does not approve public benchmark claims. +- This decision record does not approve `ethos-doc`. +- This decision record does not approve `ethos-rag`. + +Publication remains a separate operator action. + +## Retained Blockers + +- Installable `0.3.0` public wording remains blocked until registry and artifact availability + closeout passes. +- Rust public installation wording remains blocked until crates.io availability closeout passes. +- Python public installation wording remains blocked until PyPI availability closeout passes. +- GitHub Release artifact publication remains blocked pending exact v0.3.0 artifact evidence and + a later artifact publication approval decision. +- npm publication remains blocked pending exact v0.3.0 vendor/package evidence and a later npm + publication approval decision. +- Release tag creation remains blocked pending explicit release-tag approval. +- Package tag creation remains blocked pending explicit package-tag approval. +- DocuShell integration remains blocked pending closeout or explicit source-dependency integration + approval. +- Hosted surfaces remain blocked. +- Production positioning remains blocked. +- Public benchmark reports remain blocked. +- Public benchmark claims remain blocked. +- Windows packaged artifacts remain blocked. +- Bundled project-maintained PDFium builds remain blocked. +- `ethos-doc` remains blocked. +- `ethos-rag` remains blocked. +- PDFium remains caller-provided through `ETHOS_PDFIUM_LIBRARY_PATH`. + +## Commands + +```sh +python3 .github/scripts/test_v0_3_0_publication_approval_decision.py +python3 .github/scripts/test_v0_3_0_package_publication_approval_request.py +python3 .github/scripts/test_v0_3_0_package_build_evidence.py +make v0-3-release-prep PYTHON=python3 +python3 .github/scripts/check_release_boundary_paths.py +python3 .github/scripts/validation_record_integrity.py +git diff --check +``` + +## Result + +```text +v0.3.0 publication approval decision recorded +Exact Rust crates.io and Python PyPI operator inputs were accepted +CLI/GitHub Release and npm lanes are approved to start evidence work, but upload/publish execution remains blocked until exact artifact/npm evidence and later approval records pass +```