diff --git a/.github/scripts/test_release_artifact_workflow_prep.py b/.github/scripts/test_release_artifact_workflow_prep.py index 8d8d2d2..936cdd6 100644 --- a/.github/scripts/test_release_artifact_workflow_prep.py +++ b/.github/scripts/test_release_artifact_workflow_prep.py @@ -48,7 +48,7 @@ def test_workflow_generates_draft_artifacts_without_publication(self) -> None: self.assertIn("cargo build --locked --release -p ethos-cli", text) self.assertIn("write_release_artifact_inventory.py", text) self.assertIn("smoke_release_cli_artifact.py", text) - self.assertIn('--expected-version "ethos 0.2.0"', text) + self.assertIn('--expected-version "ethos 0.3.0"', text) self.assertIn("--target \"${{ matrix.artifact_target }}\"", text) self.assertIn("*.smoke.json", text) self.assertIn("validate_release_artifact_inventory.py", text) diff --git a/.github/scripts/test_v0_2_0_package_build_evidence.py b/.github/scripts/test_v0_2_0_package_build_evidence.py index bcb9bd7..d5d9da5 100644 --- a/.github/scripts/test_v0_2_0_package_build_evidence.py +++ b/.github/scripts/test_v0_2_0_package_build_evidence.py @@ -123,11 +123,16 @@ def test_npm_and_cross_platform_artifact_blockers_remain_explicit(self) -> None: ): self.assertIn(expected, record) - def test_release_workflow_expects_v0_2_smoke(self) -> None: - workflow = read(RELEASE_WORKFLOW) + def test_record_captures_historical_v0_2_workflow_smoke(self) -> None: + record = normalized(RECORD) - self.assertIn('--expected-version "ethos 0.2.0"', workflow) - self.assertNotIn('--expected-version "ethos 0.1.2"', workflow) + self.assertIn('`--expected-version "ethos 0.2.0"`', record) + self.assertIn( + 'python3 .github/scripts/smoke_release_cli_artifact.py --expected-version "ethos 0.2.0" --target macos-arm64', + record, + ) + self.assertIn("version_stdout: ethos 0.2.0", record) + self.assertNotIn('`--expected-version "ethos 0.1.2"`', record) def test_boundaries_private_paths_and_v0_2_release_prep_guard(self) -> None: raw = read(RECORD) diff --git a/.github/scripts/test_v0_3_0_cli_artifact_evidence_prep.py b/.github/scripts/test_v0_3_0_cli_artifact_evidence_prep.py new file mode 100644 index 0000000..5b6c270 --- /dev/null +++ b/.github/scripts/test_v0_3_0_cli_artifact_evidence_prep.py @@ -0,0 +1,148 @@ +#!/usr/bin/env python3 +# +# Copyright 2026 The Ethos maintainers +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# + +from __future__ import annotations + +import re +import unittest +from pathlib import Path + +from makefile_guard import target_block +from validation_record_source import assert_record_source_binding + + +ROOT = Path(__file__).resolve().parents[2] +RECORD = ROOT / "docs/validation/v0-3-0-cli-artifact-evidence-prep-validation-2026-07-01.md" +VALIDATION_README = ROOT / "docs/validation/README.md" +EXECUTION_STATUS = ROOT / "docs/execution-status.md" +PUBLIC_RELEASE_CHECKLIST = ROOT / "docs/public-release-checklist.md" +RELEASE_PREP = ROOT / "docs/v0-3-0-release-prep.md" +WORKFLOW = ROOT / ".github/workflows/release.yml" +MAKEFILE = ROOT / "Makefile" + +SOURCE_SHORT = "3ae36b9" +SOURCE_COMMIT = "3ae36b95f9fe7c1f74f58075eacbbaaa7c469bea" +SOURCE_TREE = "d9d6313cd28b647eba89e02b29adcba54349c190" +EXPECTED_VERSION = "ethos 0.3.0" +GUARD_NAME = "test_v0_3_0_cli_artifact_evidence_prep.py" +PRIVATE_PATH_MARKERS = ( + "/" + "Users/", + "/" + "private/tmp", + "/" + "private/var", + "/" + "var/folders", + "saumil" + "diwaker", + "Desktop/" + "Stuff", + "project/repo/" + "ethos", +) +FORBIDDEN_APPROVALS = ( + "github release artifact publication approved", + "github release publication approved", + "npm vendor refresh approved", + "npm publication approved", + "release tag creation approved", + "package tag creation approved", + "public installation wording approved", + "installable 0.3.0 wording approved", + "docushell integration approved", + "production-ready", + "hosted surfaces approved", + "windows packaged artifacts approved", + "bundled pdfium approved", + "public benchmark claims approved", +) + + +def read(path: Path) -> str: + return path.read_text(encoding="utf-8") + + +def normalized(path: Path) -> str: + return re.sub(r"\s+", " ", read(path)) + + +class V030CliArtifactEvidencePrepTests(unittest.TestCase): + def test_record_is_source_bound_and_indexed(self) -> None: + raw = read(RECORD) + record = normalized(RECORD) + + assert_record_source_binding( + self, + root=ROOT, + raw_record=raw, + normalized_record=record, + validated_head=SOURCE_SHORT, + source_label="v0.3.0 CLI artifact evidence prep", + source_commit=SOURCE_COMMIT, + source_tree=SOURCE_TREE, + ) + + for path in (VALIDATION_README, EXECUTION_STATUS, PUBLIC_RELEASE_CHECKLIST): + text = normalized(path) + self.assertIn(RECORD.name, text, str(path)) + self.assertIn("v0.3.0 CLI artifact evidence prep", text, str(path)) + self.assertIn("GitHub Release artifact upload remains blocked", text, str(path)) + + def test_release_workflow_is_aligned_to_v0_3_draft_artifact_smoke(self) -> None: + workflow = read(WORKFLOW) + + self.assertIn("cli-draft-artifacts", workflow) + self.assertIn("macos-arm64", workflow) + self.assertIn("linux-x64", workflow) + self.assertIn("cargo build --locked --release -p ethos-cli", workflow) + self.assertIn("write_release_artifact_inventory.py", workflow) + self.assertIn("smoke_release_cli_artifact.py", workflow) + self.assertIn(f'--expected-version "{EXPECTED_VERSION}"', workflow) + self.assertNotIn('--expected-version "ethos 0.2.0"', workflow) + self.assertIn("validate_release_artifact_inventory.py", workflow) + self.assertIn("actions/upload-artifact@v4", workflow) + self.assertNotIn("gh release create", workflow) + self.assertNotIn("gh release upload", workflow) + self.assertNotIn("npm publish", workflow) + + def test_record_names_required_later_artifact_evidence_without_claiming_it(self) -> None: + raw = read(RECORD) + record = normalized(RECORD) + lower = record.lower() + + for expected in ( + "No workflow run is recorded by this prep record.", + 'The workflow now passes `--expected-version "ethos 0.3.0"`', + "The next record must capture the workflow run URL and run id.", + "The next record must capture macOS arm64 and Linux x64 archive SHA256 values", + '"version_stdout": "ethos 0.3.0"', + "GH_PROMPT_DISABLED=1 gh workflow run release.yml --repo docushell/ethos --ref dev/v0-3-cli-artifact-evidence-prep", + "python3 .github/scripts/validate_release_artifact_inventory.py /*/*.inventory.json", + "GitHub Release artifact publication remains blocked.", + "npm vendor refresh remains blocked.", + "npm publication remains blocked.", + "Public installation wording remains blocked.", + "DocuShell integration remains blocked.", + ): + self.assertIn(expected, record) + for forbidden in FORBIDDEN_APPROVALS: + self.assertNotIn(forbidden, lower) + for marker in PRIVATE_PATH_MARKERS: + self.assertNotIn(marker, raw) + + def test_release_prep_and_v0_3_gate_include_the_artifact_prep_guard(self) -> None: + release_prep = normalized(RELEASE_PREP) + makefile = read(MAKEFILE) + block = target_block("v0-3-release-prep") + closeout_guard = "$(PYTHON) .github/scripts/test_v0_3_0_publication_closeout.py" + prep_guard = f"$(PYTHON) .github/scripts/{GUARD_NAME}" + public_surface_guard = "$(PYTHON) .github/scripts/test_public_surface_posture.py" + + self.assertIn('`--expected-version "ethos 0.3.0"`', release_prep) + self.assertIn("v0.3.0 CLI artifact evidence prep", release_prep) + self.assertIn(prep_guard, block) + self.assertEqual(1, makefile.count(prep_guard)) + self.assertLess(block.index(closeout_guard), block.index(prep_guard)) + self.assertLess(block.index(prep_guard), block.index(public_surface_guard)) + + +if __name__ == "__main__": + unittest.main() diff --git a/.github/scripts/test_v0_3_0_version_activation.py b/.github/scripts/test_v0_3_0_version_activation.py index 94ac4b5..ecb5250 100644 --- a/.github/scripts/test_v0_3_0_version_activation.py +++ b/.github/scripts/test_v0_3_0_version_activation.py @@ -189,13 +189,13 @@ def test_v0_3_release_prep_runs_activation_guard_after_decision_guard(self) -> N self.assertLess(block.index(decision_guard), block.index(activation_guard)) self.assertLess(block.index(activation_guard), block.index(claims)) - def test_release_prep_keeps_current_artifact_workflow_out_of_scope(self) -> None: + def test_release_prep_keeps_artifact_workflow_bound_to_separate_evidence_lane(self) -> None: text = normalized(RELEASE_PREP) self.assertIn("`.github/workflows/release.yml` artifact workflow", text) - self.assertIn('`--expected-version "ethos 0.2.0"`', text) - self.assertIn("Do not use that workflow as evidence for `0.3.0` CLI artifact readiness", text) - self.assertIn("separate CLI artifact lane", text) + self.assertIn('`--expected-version "ethos 0.3.0"`', text) + self.assertIn("v0.3.0 CLI artifact evidence prep", text) + self.assertIn("Draft artifacts remain CI evidence only until a later artifact evidence", text) if __name__ == "__main__": diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1f8e7a0..9f26703 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -65,7 +65,7 @@ jobs: run: | python3 .github/scripts/smoke_release_cli_artifact.py \ --artifact-dir "target/release-artifacts/ethos-${{ matrix.artifact_target }}" \ - --expected-version "ethos 0.2.0" \ + --expected-version "ethos 0.3.0" \ --target "${{ matrix.artifact_target }}" \ --out "target/release-artifacts/ethos-${{ matrix.artifact_target }}.smoke.json" - name: validate draft artifact inventory diff --git a/CHANGELOG.md b/CHANGELOG.md index bd13177..75952be 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,11 @@ ## Unreleased +- boundary-exception: align the v0.3.0 draft CLI artifact workflow smoke expectation to + `ethos 0.3.0` and record CLI artifact evidence prep while keeping GitHub Release artifact + upload, npm vendor refresh, npm publish, public install wording, release/package tags, hosted, + production, Windows, bundled PDFium, benchmark, `ethos-doc`, `ethos-rag`, and DocuShell + integration blocked pending later evidence and approval lanes. - boundary-exception: close v0.3.0 Rust crates.io and Python PyPI publication with exact live registry evidence while keeping GitHub Release artifact upload, npm publish, public install wording, release/package tags, hosted, production, Windows, bundled PDFium, benchmark, diff --git a/Makefile b/Makefile index 6df162b..45a9b8c 100644 --- a/Makefile +++ b/Makefile @@ -95,6 +95,7 @@ v0-3-release-prep: $(PYTHON) .github/scripts/test_v0_3_0_package_publication_approval_request.py $(PYTHON) .github/scripts/test_v0_3_0_publication_approval_decision.py $(PYTHON) .github/scripts/test_v0_3_0_publication_closeout.py + $(PYTHON) .github/scripts/test_v0_3_0_cli_artifact_evidence_prep.py $(PYTHON) .github/scripts/test_public_surface_posture.py $(PYTHON) .github/scripts/claims_gate.py $(PYTHON) .github/scripts/public_boundary_claims_gate.py diff --git a/docs/execution-status.md b/docs/execution-status.md index da2deaf..72df585 100644 --- a/docs/execution-status.md +++ b/docs/execution-status.md @@ -4,6 +4,14 @@ Date: 2026-07-01 Owner: product / decider Status: v0.3.0 Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are live on crates.io, and the Python `ethos-pdf` wheel is live on PyPI. v0.2.0 remains the public CLI artifact baseline with GitHub Release `v0.2.0` macOS arm64/Linux x64 artifacts, and npm remains `@docushell/ethos-pdf@0.2.1`; npm `@docushell/ethos-pdf@0.2.0` is deprecated because it shipped stale CLI binaries that reported `ethos 0.1.2`. Public `0.3.0` install wording, GitHub Release artifact upload, npm publication/alignment, release/package tags, and DocuShell integration remain blocked pending separate evidence, approval, and closeout records. PDFium-backed commands use caller-provided PDFium through `ETHOS_PDFIUM_LIBRARY_PATH`. Hosted surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium builds, public benchmark reports, public benchmark claims, speed, footprint, parser-quality, table-quality, `ethos-doc`, and `ethos-rag` remain blocked. +v0.3.0 CLI artifact evidence prep is recorded in +`docs/validation/v0-3-0-cli-artifact-evidence-prep-validation-2026-07-01.md`. It aligns the draft +CLI artifact workflow to smoke `ethos 0.3.0` for macOS arm64 and Linux x64 draft artifacts. It does +not record a workflow run, artifact bytes, checksums, GitHub Release upload, npm vendor refresh, +npm publication, release/package tag creation, public install wording, or DocuShell integration. +GitHub Release artifact upload remains blocked pending later workflow evidence, approval, operator +action, and closeout records. + v0.3.0 publication closeout is recorded in `docs/validation/v0-3-0-publication-closeout-validation-2026-07-01.md`. It records successful publication and live registry verification for `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` diff --git a/docs/public-release-checklist.md b/docs/public-release-checklist.md index 5fa4400..2381ea8 100644 --- a/docs/public-release-checklist.md +++ b/docs/public-release-checklist.md @@ -16,6 +16,14 @@ positioning, Windows packaged artifacts, bundled project-maintained PDFium build reports, public benchmark claims, speed, footprint, parser-quality, table-quality, `ethos-doc`, and `ethos-rag` remain blocked. +v0.3.0 CLI artifact evidence prep is recorded in +`docs/validation/v0-3-0-cli-artifact-evidence-prep-validation-2026-07-01.md`. It aligns the draft +CLI artifact workflow to smoke `ethos 0.3.0` for macOS arm64 and Linux x64 draft artifacts. It does +not record a workflow run, artifact bytes, checksums, GitHub Release upload, npm vendor refresh, +npm publication, release/package tag creation, public install wording, or DocuShell integration. +GitHub Release artifact upload remains blocked pending later workflow evidence, approval, operator +action, and closeout records. + v0.3.0 publication closeout is recorded in `docs/validation/v0-3-0-publication-closeout-validation-2026-07-01.md`. It records successful publication and live registry verification for `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` diff --git a/docs/v0-3-0-release-prep.md b/docs/v0-3-0-release-prep.md index d9ed82d..831487e 100644 --- a/docs/v0-3-0-release-prep.md +++ b/docs/v0-3-0-release-prep.md @@ -73,12 +73,17 @@ The target runs the workspace Rust test suite, app-answer-release contract guard surface checks, 0.3.0 approval and activation guards, public posture checks, claims gates, and diff hygiene. -### 3a. Keep The Artifact Workflow Out Of Scope +### 3a. Prepare CLI Artifact Evidence -The current `.github/workflows/release.yml` artifact workflow remains pinned to the published -`0.2.x` CLI artifact lane and still smokes `--expected-version "ethos 0.2.0"`. Do not use that -workflow as evidence for `0.3.0` CLI artifact readiness until a separate CLI artifact lane updates -the expected version, records package evidence, and closes the release boundary. +The `.github/workflows/release.yml` artifact workflow is aligned to the v0.3.0 CLI artifact +evidence lane and smokes `--expected-version "ethos 0.3.0"`. The v0.3.0 CLI artifact evidence +prep record documents this workflow alignment without running the workflow, publishing artifacts, +creating tags, refreshing npm vendor payloads, or changing public install wording. + +Draft artifacts remain CI evidence only until a later artifact evidence record captures the +workflow run URL, source commit, macOS arm64 and Linux x64 archive SHA256 values, inventory +sidecars, and smoke sidecars. GitHub Release artifact upload remains blocked until a separate +approval decision and operator closeout pass. ### 4. Gather Package Evidence Before Any Publication Decision diff --git a/docs/validation/README.md b/docs/validation/README.md index 2ee53a8..8a4c179 100644 --- a/docs/validation/README.md +++ b/docs/validation/README.md @@ -10,6 +10,14 @@ in `docs/public-release-checklist.md`. Records: +v0.3.0 CLI artifact evidence prep is recorded in +`v0-3-0-cli-artifact-evidence-prep-validation-2026-07-01.md`. It aligns the draft +`.github/workflows/release.yml` CLI artifact workflow to smoke `ethos 0.3.0` for macOS arm64 and +Linux x64 draft artifacts. No workflow run, artifact bytes, checksums, GitHub Release upload, npm +vendor refresh, npm publication, release/package tag creation, public install wording, or +DocuShell integration is approved by this prep record. GitHub Release artifact upload remains +blocked pending later workflow evidence, approval, operator action, and closeout records. + v0.3.0 publication closeout is recorded in `v0-3-0-publication-closeout-validation-2026-07-01.md`. It records successful crates.io publication for `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` at `0.3.0`, successful PyPI diff --git a/docs/validation/v0-3-0-cli-artifact-evidence-prep-validation-2026-07-01.md b/docs/validation/v0-3-0-cli-artifact-evidence-prep-validation-2026-07-01.md new file mode 100644 index 0000000..c099c19 --- /dev/null +++ b/docs/validation/v0-3-0-cli-artifact-evidence-prep-validation-2026-07-01.md @@ -0,0 +1,143 @@ +# v0.3.0 CLI Artifact Evidence Prep Validation - 2026-07-01 + +Validated source HEAD before this record: `3ae36b9`. + +v0.3.0 CLI artifact evidence prep source commit: +`3ae36b95f9fe7c1f74f58075eacbbaaa7c469bea`. + +v0.3.0 CLI artifact evidence prep source tree: +`d9d6313cd28b647eba89e02b29adcba54349c190`. + +Status: **CLI artifact evidence prep recorded; artifact publication remains blocked** + +This record starts the v0.3.0 CLI/GitHub Release artifact evidence lane after the v0.3.0 Rust +crates.io and Python PyPI publication closeout. It aligns the draft CLI artifact workflow to the +current source version so a later workflow-dispatch run can produce macOS arm64 and Linux x64 +draft artifact evidence for review. + +No workflow run is recorded by this prep record. No artifact bytes, checksums, release assets, npm +vendor payloads, release tags, package tags, or public install wording are changed by this record. + +## Workflow Prep + +Workflow: + +```text +.github/workflows/release.yml +``` + +The workflow now passes `--expected-version "ethos 0.3.0"` to +`.github/scripts/smoke_release_cli_artifact.py` for both draft artifact targets: + +- `macos-arm64` on `macos-14` +- `linux-x64` on `ubuntu-latest` + +The workflow remains a draft-artifact workflow. It runs public-surface posture checks, claims +gates, package-surface guards, and PDFium manual setup contract tests before building artifacts. +It uploads CI artifacts containing: + +- `ethos-.tar.gz` +- `ethos-.tar.gz.sha256` +- `ethos-.inventory.json` +- `ethos-.smoke.json` + +The workflow still does not create a GitHub Release, upload release assets, publish npm packages, +publish PyPI distributions, publish Rust crates, create tags, or approve launch wording. + +## Required Later Evidence + +The next record must capture the workflow run URL and run id. It must bind the run to the reviewed +source commit and record `status: completed` and `conclusion: success`. + +The next record must capture macOS arm64 and Linux x64 archive SHA256 values, checksum sidecar +matches, inventory sidecars, smoke sidecars, and archive inventories. The smoke sidecars must show: + +```json +{ + "version_stdout": "ethos 0.3.0", + "missing_pdfium_exit_code": 12, + "pdfium_policy": "caller-provided" +} +``` + +The next record must keep artifact publication, npm vendor refresh, npm publication, release tags, +package tags, public install wording, and DocuShell integration blocked unless separate approval +and closeout records explicitly open those boundaries. + +## Operator Commands For Later Evidence + +After this prep branch is reviewed and pushed, collect draft artifact evidence with: + +```sh +git push origin dev/v0-3-cli-artifact-evidence-prep +GH_PROMPT_DISABLED=1 gh workflow run release.yml --repo docushell/ethos --ref dev/v0-3-cli-artifact-evidence-prep +GH_PROMPT_DISABLED=1 gh run watch --repo docushell/ethos --exit-status --interval 10 +GH_PROMPT_DISABLED=1 gh run view --repo docushell/ethos --json url,status,conclusion,event,headBranch,headSha,createdAt,updatedAt,jobs +GH_PROMPT_DISABLED=1 gh run download --repo docushell/ethos --dir +python3 .github/scripts/validate_release_artifact_inventory.py /*/*.inventory.json +shasum -a 256 /*/*.tar.gz +tar -tzf /ethos-cli-draft-linux-x64/ethos-linux-x64.tar.gz +tar -tzf /ethos-cli-draft-macos-arm64/ethos-macos-arm64.tar.gz +``` + +Do not upload GitHub Release assets from this prep record. Use the downloaded evidence to create a +separate v0.3.0 draft artifact evidence record first. + +## Boundary + +- This record does not approve GitHub Release artifact publication. +- This record does not approve GitHub Release creation. +- This record does not approve release tag creation. +- This record does not approve package tag creation. +- This record does not approve npm vendor refresh. +- This record does not approve npm publication. +- This record does not approve public installation wording for `0.3.0`. +- This record does not approve DocuShell integration. +- Hosted surfaces remain blocked. +- Production positioning remains blocked. +- Windows packaged artifacts remain blocked. +- Bundled project-maintained PDFium builds remain blocked. +- Public benchmark reports remain blocked. +- Public benchmark claims remain blocked. +- `ethos-doc` remains blocked. +- `ethos-rag` remains blocked. +- PDFium remains caller-provided through `ETHOS_PDFIUM_LIBRARY_PATH`. + +## Retained Blockers + +- GitHub Release artifact publication remains blocked. +- npm vendor refresh remains blocked. +- npm publication remains blocked. +- Release tag creation remains blocked. +- Package tag creation remains blocked. +- Public installation wording remains blocked. +- DocuShell integration remains blocked. +- Hosted surfaces remain blocked. +- Production positioning remains blocked. +- Windows packaged artifacts remain blocked. +- Bundled project-maintained PDFium builds remain blocked. +- Public benchmark reports remain blocked. +- Public benchmark claims remain blocked. +- `ethos-doc` remains blocked. +- `ethos-rag` remains blocked. + +## Verification Commands + +```sh +python3 .github/scripts/test_v0_3_0_cli_artifact_evidence_prep.py +python3 .github/scripts/test_release_artifact_workflow_prep.py +python3 .github/scripts/test_v0_3_0_version_activation.py +python3 .github/scripts/test_v0_2_0_package_build_evidence.py +make v0-3-release-prep PYTHON=python3 +python3 .github/scripts/check_release_boundary_paths.py +python3 .github/scripts/validation_record_integrity.py +git diff --check +``` + +## Result + +```text +v0.3.0 CLI artifact evidence prep: PASS +release.yml draft artifact smoke expectation: ethos 0.3.0 +workflow run evidence, artifact checksums, GitHub Release upload, npm alignment, tags, install wording, and DocuShell integration: BLOCKED +```