diff --git a/.github/scripts/test_v0_3_0_artifact_publication_approval_request.py b/.github/scripts/test_v0_3_0_artifact_publication_approval_request.py new file mode 100644 index 0000000..7c6e0e8 --- /dev/null +++ b/.github/scripts/test_v0_3_0_artifact_publication_approval_request.py @@ -0,0 +1,196 @@ +#!/usr/bin/env python3 +# +# Copyright 2026 The Ethos maintainers +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# + +from __future__ import annotations + +import re +import unittest +from pathlib import Path + +from makefile_guard import target_block +from validation_record_source import assert_record_source_binding + + +ROOT = Path(__file__).resolve().parents[2] +RECORD = ROOT / ( + "docs/validation/" + "v0-3-0-artifact-publication-approval-request-validation-2026-07-01.md" +) +DRAFT_EVIDENCE = ROOT / "docs/validation/v0-3-0-draft-artifact-evidence-validation-2026-07-01.md" +VALIDATION_README = ROOT / "docs/validation/README.md" +EXECUTION_STATUS = ROOT / "docs/execution-status.md" +PUBLIC_RELEASE_CHECKLIST = ROOT / "docs/public-release-checklist.md" +RELEASE_PREP = ROOT / "docs/v0-3-0-release-prep.md" +MAKEFILE = ROOT / "Makefile" + +SOURCE_SHORT = "d6496e8" +SOURCE_COMMIT = "d6496e82e613e653edc197db4cf4153271d131dc" +SOURCE_TREE = "2594c63071c512f2c61e78b223a74406440a8516" +RUN_URL = "https://github.com/docushell/ethos/actions/runs/28531102130" +WORKFLOW_HEAD = "7287358475a96e827d536f0d2d250a1c2961ba84" +MACOS_SHA256 = "efb163f140bf4afffd1caeb396f79e42f484591c3e90a86810ca6c0f0c209c96" +LINUX_SHA256 = "b549ba5968e04b7679a8d3e879cd45d27f3e9a6fd226eee5c270a4e4f5c01405" + +REQUESTED_WORDING = ( + "Ethos v0.3.0 CLI artifacts for macOS arm64 and Linux x64 are requested for GitHub " + "Release evaluation with caller-provided PDFium. Rust crates `ethos-doc-core`, " + "`ethos-verify`, and `ethos-pdf` at `0.3.0`, plus the Python `ethos-pdf` wheel at " + "`0.3.0`, are already live. npm alignment/publication, public `0.3.0` install wording, " + "release/package tags, DocuShell integration, hosted surfaces, production positioning, " + "Windows packaged artifacts, bundled project-maintained PDFium builds, `ethos-doc`, " + "`ethos-rag`, public benchmark reports, public benchmark claims, and speed, footprint, " + "parser-quality, table-quality, or production claims remain blocked." +) +FORBIDDEN_SCOPE_EXPANSION = ( + "publication approved", + "published artifacts", + "uploaded", + "release complete", + "tag created", + "github release artifact publication approved", + "github release publication approved", + "npm vendor refresh approved", + "npm publication approved", + "release tag creation approved", + "package tag creation approved", + "public installation wording approved", + "public install wording approved", + "installable 0.3.0 wording approved", + "docushell integration approved", + "vendor payload refreshed", + "production-ready", + "hosted surfaces approved", + "windows packaged artifacts approved", + "bundled pdfium approved", + "public benchmark claims approved", +) +PRIVATE_PATH_MARKERS = ( + "/" + "Users/", + "/" + "private/tmp", + "/" + "private/var", + "/" + "var/folders", + "saumil" + "diwaker", + "Desktop/" + "Stuff", + "project/repo/" + "ethos", +) + + +def read(path: Path) -> str: + return path.read_text(encoding="utf-8") + + +def normalized(path: Path) -> str: + return re.sub(r"\s+", " ", read(path)) + + +class V030ArtifactPublicationApprovalRequestTests(unittest.TestCase): + def test_record_binds_source_and_draft_artifact_evidence(self) -> None: + raw = read(RECORD) + text = normalized(RECORD) + + assert_record_source_binding( + self, + root=ROOT, + raw_record=raw, + normalized_record=text, + validated_head=SOURCE_SHORT, + source_label="v0.3.0 artifact publication approval request", + source_commit=SOURCE_COMMIT, + source_tree=SOURCE_TREE, + ) + self.assertIn(DRAFT_EVIDENCE.name, text) + self.assertIn(RUN_URL, text) + self.assertIn("Run status: `completed`", text) + self.assertIn("Run conclusion: `success`", text) + self.assertIn("Run event: `workflow_dispatch`", text) + self.assertIn("Run branch: `main`", text) + self.assertIn(f"Run head SHA: `{WORKFLOW_HEAD}`", text) + + def test_record_requests_only_exact_cli_artifacts_for_v0_3_0(self) -> None: + text = normalized(RECORD) + + self.assertIn("GitHub Release `v0.3.0`", text) + for artifact in ( + "ethos-macos-arm64.tar.gz", + "ethos-macos-arm64.tar.gz.sha256", + "ethos-macos-arm64.inventory.json", + "ethos-macos-arm64.smoke.json", + "ethos-linux-x64.tar.gz", + "ethos-linux-x64.tar.gz.sha256", + "ethos-linux-x64.inventory.json", + "ethos-linux-x64.smoke.json", + ): + self.assertIn(artifact, text) + self.assertIn(MACOS_SHA256, text) + self.assertIn(LINUX_SHA256, text) + self.assertIn("Both smoke sidecars report `ethos 0.3.0`", text) + self.assertIn("Both inventory sidecars report `draft_not_release_ready`", text) + self.assertIn("`publication: blocked`", text) + + def test_record_preserves_bounded_request_wording_and_current_install_baseline(self) -> None: + record = re.sub(r"\s+", " ", read(RECORD).replace("> ", "")) + + self.assertIn(REQUESTED_WORDING, record) + self.assertIn("Any broader public wording requires a separate decision record.", record) + self.assertIn( + "public install baseline remains current published `0.2.0` Rust/Python and `0.2.1` npm", + record, + ) + self.assertIn("README installation examples remain unchanged", record) + + def test_record_keeps_upload_tags_npm_and_install_wording_blocked(self) -> None: + raw = read(RECORD) + text = normalized(RECORD) + lower = text.lower() + + for blocker in ( + "GitHub Release artifact publication remains blocked", + "GitHub Release artifact upload remains blocked", + "npm vendor refresh remains blocked", + "npm publication remains blocked", + "Release tag creation remains blocked", + "Package tag creation remains blocked", + "Public installation wording remains blocked", + "DocuShell integration remains blocked", + "Hosted surfaces remain blocked", + "Production positioning remains blocked", + "Windows packaged artifacts remain blocked", + "Bundled project-maintained PDFium builds remain blocked", + "Public benchmark reports remain blocked", + "Public benchmark claims remain blocked", + "`ethos-doc` remains blocked", + "`ethos-rag` remains blocked", + ): + self.assertIn(blocker, raw) + self.assertIn("Upload remains blocked until explicit approval is recorded.", text) + for forbidden in FORBIDDEN_SCOPE_EXPANSION: + self.assertNotIn(forbidden, lower) + for private in PRIVATE_PATH_MARKERS: + self.assertNotIn(private, raw) + + def test_record_is_indexed_statused_and_wired_after_draft_artifact_guard(self) -> None: + readme = normalized(VALIDATION_README) + execution = normalized(EXECUTION_STATUS) + checklist = normalized(PUBLIC_RELEASE_CHECKLIST) + release_prep = normalized(RELEASE_PREP) + block = target_block("v0-3-release-prep") + draft_guard = "$(PYTHON) .github/scripts/test_v0_3_0_draft_artifact_evidence.py" + request_guard = "$(PYTHON) .github/scripts/test_v0_3_0_artifact_publication_approval_request.py" + public_surface_guard = "$(PYTHON) .github/scripts/test_public_surface_posture.py" + + for text in (readme, execution, checklist, release_prep): + self.assertIn(RECORD.name, text) + self.assertIn("v0.3.0 artifact publication approval request", text.lower()) + self.assertIn("GitHub Release artifact upload remains blocked", text) + self.assertIn(request_guard, block) + self.assertEqual(1, block.count(request_guard)) + self.assertLess(block.index(draft_guard), block.index(request_guard)) + self.assertLess(block.index(request_guard), block.index(public_surface_guard)) + + +if __name__ == "__main__": + unittest.main() diff --git a/CHANGELOG.md b/CHANGELOG.md index 3f78b17..ced9ec0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,11 @@ ## Unreleased +- boundary-exception: request decider review for exact v0.3.0 macOS arm64 and Linux x64 GitHub + Release CLI artifact publication inputs while keeping upload, npm vendor refresh, npm publish, + public install wording, release/package tags, hosted, production, Windows, bundled PDFium, + benchmark, `ethos-doc`, `ethos-rag`, and DocuShell integration blocked pending later approval, + operator action, and closeout lanes. - boundary-exception: record v0.3.0 macOS arm64 and Linux x64 draft CLI artifact evidence while keeping GitHub Release artifact upload, npm vendor refresh, npm publish, public install wording, release/package tags, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, diff --git a/Makefile b/Makefile index 7389770..274a5c2 100644 --- a/Makefile +++ b/Makefile @@ -97,6 +97,7 @@ v0-3-release-prep: $(PYTHON) .github/scripts/test_v0_3_0_publication_closeout.py $(PYTHON) .github/scripts/test_v0_3_0_cli_artifact_evidence_prep.py $(PYTHON) .github/scripts/test_v0_3_0_draft_artifact_evidence.py + $(PYTHON) .github/scripts/test_v0_3_0_artifact_publication_approval_request.py $(PYTHON) .github/scripts/test_public_surface_posture.py $(PYTHON) .github/scripts/claims_gate.py $(PYTHON) .github/scripts/public_boundary_claims_gate.py diff --git a/docs/execution-status.md b/docs/execution-status.md index 99c20d4..2d83d71 100644 --- a/docs/execution-status.md +++ b/docs/execution-status.md @@ -4,6 +4,14 @@ Date: 2026-07-01 Owner: product / decider Status: v0.3.0 Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are live on crates.io, and the Python `ethos-pdf` wheel is live on PyPI. v0.2.0 remains the public CLI artifact baseline with GitHub Release `v0.2.0` macOS arm64/Linux x64 artifacts, and npm remains `@docushell/ethos-pdf@0.2.1`; npm `@docushell/ethos-pdf@0.2.0` is deprecated because it shipped stale CLI binaries that reported `ethos 0.1.2`. Public `0.3.0` install wording, GitHub Release artifact upload, npm publication/alignment, release/package tags, and DocuShell integration remain blocked pending separate evidence, approval, and closeout records. PDFium-backed commands use caller-provided PDFium through `ETHOS_PDFIUM_LIBRARY_PATH`. Hosted surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium builds, public benchmark reports, public benchmark claims, speed, footprint, parser-quality, table-quality, `ethos-doc`, and `ethos-rag` remain blocked. +v0.3.0 artifact publication approval request is recorded in +`docs/validation/v0-3-0-artifact-publication-approval-request-validation-2026-07-01.md`. It +requests decider review for only the exact macOS arm64 and Linux x64 draft CLI artifacts and +sidecars from workflow run `28531102130`, bound by the v0.3.0 draft CLI artifact evidence record. +GitHub Release artifact upload remains blocked pending an explicit approval decision, operator +action, and closeout record; npm vendor refresh, npm publication, release/package tag creation, +public install wording, and DocuShell integration remain blocked. + v0.3.0 draft CLI artifact evidence is recorded in `docs/validation/v0-3-0-draft-artifact-evidence-validation-2026-07-01.md`. It records green `release.yml` workflow-dispatch run `28531102130` on `main` for macOS arm64 and Linux x64 draft diff --git a/docs/public-release-checklist.md b/docs/public-release-checklist.md index 7d03877..56306c7 100644 --- a/docs/public-release-checklist.md +++ b/docs/public-release-checklist.md @@ -16,6 +16,14 @@ positioning, Windows packaged artifacts, bundled project-maintained PDFium build reports, public benchmark claims, speed, footprint, parser-quality, table-quality, `ethos-doc`, and `ethos-rag` remain blocked. +v0.3.0 artifact publication approval request is recorded in +`docs/validation/v0-3-0-artifact-publication-approval-request-validation-2026-07-01.md`. It +requests decider review for only the exact macOS arm64 and Linux x64 draft CLI artifacts and +sidecars from workflow run `28531102130`, bound by the v0.3.0 draft CLI artifact evidence record. +GitHub Release artifact upload remains blocked pending an explicit approval decision, operator +action, and closeout record; npm vendor refresh, npm publication, release/package tag creation, +public install wording, and DocuShell integration remain blocked. + v0.3.0 draft CLI artifact evidence is recorded in `docs/validation/v0-3-0-draft-artifact-evidence-validation-2026-07-01.md`. It records green `release.yml` workflow-dispatch run `28531102130` on `main` for macOS arm64 and Linux x64 draft diff --git a/docs/v0-3-0-release-prep.md b/docs/v0-3-0-release-prep.md index a96cc62..fb1bacf 100644 --- a/docs/v0-3-0-release-prep.md +++ b/docs/v0-3-0-release-prep.md @@ -85,12 +85,17 @@ The v0.3.0 draft CLI artifact evidence record captures `7287358475a96e827d536f0d2d250a1c2961ba84`, with macOS arm64 and Linux x64 archive SHA256 values, inventory sidecars, archive listings, and smoke sidecars that report `ethos 0.3.0`. +The v0.3.0 artifact publication approval request is recorded in +`docs/validation/v0-3-0-artifact-publication-approval-request-validation-2026-07-01.md`. It asks +the decider to accept or reject only the exact macOS arm64 and Linux x64 draft CLI artifact names, +checksums, workflow evidence, and bounded wording. + Draft artifacts remain CI evidence only. GitHub Release artifact upload remains blocked until a -separate approval decision and operator closeout pass. npm vendor refresh remains blocked until a -separate vendor-refresh evidence and approval lane passes. npm publication, release/package tag -creation, public install wording, and DocuShell integration remain blocked. The public install -wording remains blocked until the relevant registry, artifact, npm, tag, and wording closeout -records pass. +separate approval decision, operator action, and closeout record pass. npm vendor refresh remains +blocked until a separate vendor-refresh evidence and approval lane passes. npm publication, +release/package tag creation, public install wording, and DocuShell integration remain blocked. +The public install wording remains blocked until the relevant registry, artifact, npm, tag, and +wording closeout records pass. ### 4. Gather Package Evidence Before Any Publication Decision diff --git a/docs/validation/README.md b/docs/validation/README.md index ac2dd2f..d5cb2e8 100644 --- a/docs/validation/README.md +++ b/docs/validation/README.md @@ -10,6 +10,14 @@ in `docs/public-release-checklist.md`. Records: +v0.3.0 artifact publication approval request is recorded in +`v0-3-0-artifact-publication-approval-request-validation-2026-07-01.md`. It requests decider +review for only the exact macOS arm64 and Linux x64 draft CLI artifacts and sidecars from workflow +run `28531102130`, bound by the v0.3.0 draft CLI artifact evidence record. GitHub Release artifact +upload remains blocked pending an explicit approval decision, operator action, and closeout record; +npm vendor refresh, npm publication, release/package tag creation, public install wording, and +DocuShell integration remain blocked. + v0.3.0 draft CLI artifact evidence is recorded in `v0-3-0-draft-artifact-evidence-validation-2026-07-01.md`. It records green `release.yml` workflow-dispatch run `28531102130` on `main` for macOS arm64 and Linux x64 draft diff --git a/docs/validation/v0-3-0-artifact-publication-approval-request-validation-2026-07-01.md b/docs/validation/v0-3-0-artifact-publication-approval-request-validation-2026-07-01.md new file mode 100644 index 0000000..ea2c246 --- /dev/null +++ b/docs/validation/v0-3-0-artifact-publication-approval-request-validation-2026-07-01.md @@ -0,0 +1,141 @@ +# v0.3.0 Artifact Publication Approval Request Validation - 2026-07-01 + +## Purpose + +Record the exact v0.3.0 GitHub Release artifact publication approval request for decider review. +This record does not publish artifacts, create a GitHub Release, create tags, refresh npm vendor +binaries, publish npm, change public installation wording, change PDFium posture, or open any new +public surface. + +Validated source HEAD before this record: `d6496e8`. + +v0.3.0 artifact publication approval request source commit: +`d6496e82e613e653edc197db4cf4153271d131dc`. + +v0.3.0 artifact publication approval request source tree: +`2594c63071c512f2c61e78b223a74406440a8516`. + +## Evidence Inputs + +- Release workflow: `.github/workflows/release.yml` +- Workflow run: `https://github.com/docushell/ethos/actions/runs/28531102130` +- Evidence record: + `docs/validation/v0-3-0-draft-artifact-evidence-validation-2026-07-01.md` +- Run status: `completed` +- Run conclusion: `success` +- Run event: `workflow_dispatch` +- Run branch: `main` +- Run head SHA: `7287358475a96e827d536f0d2d250a1c2961ba84` + +## Requested Artifact Evaluation Surface + +The decider is asked to accept or reject only attaching these exact draft CLI artifacts and sidecars +to GitHub Release `v0.3.0` for release evaluation if and when the release target is authorized. +This request does not create the release, create the tag, upload release assets, or approve public +installation wording. + +macOS arm64: + +- `ethos-macos-arm64.tar.gz` +- `ethos-macos-arm64.tar.gz.sha256` +- `ethos-macos-arm64.inventory.json` +- `ethos-macos-arm64.smoke.json` +- archive SHA256: + +```text +efb163f140bf4afffd1caeb396f79e42f484591c3e90a86810ca6c0f0c209c96 +``` + +Linux x64: + +- `ethos-linux-x64.tar.gz` +- `ethos-linux-x64.tar.gz.sha256` +- `ethos-linux-x64.inventory.json` +- `ethos-linux-x64.smoke.json` +- archive SHA256: + +```text +b549ba5968e04b7679a8d3e879cd45d27f3e9a6fd226eee5c270a4e4f5c01405 +``` + +Both smoke sidecars report `ethos 0.3.0`. Both inventory sidecars report +`draft_not_release_ready` and `publication: blocked`; those sidecars are evidence inputs for +decider review and are not themselves publication approvals. + +## Requested Public Wording + +If the decider accepts the exact artifacts above, the bounded GitHub Release wording may remain: + +> Ethos v0.3.0 CLI artifacts for macOS arm64 and Linux x64 are requested for GitHub Release +> evaluation with caller-provided PDFium. Rust crates `ethos-doc-core`, `ethos-verify`, and +> `ethos-pdf` at `0.3.0`, plus the Python `ethos-pdf` wheel at `0.3.0`, are already live. npm +> alignment/publication, public `0.3.0` install wording, release/package tags, DocuShell +> integration, hosted surfaces, production positioning, Windows packaged artifacts, bundled +> project-maintained PDFium builds, `ethos-doc`, `ethos-rag`, public benchmark reports, public +> benchmark claims, and speed, footprint, parser-quality, table-quality, or production claims +> remain blocked. + +Any broader public wording requires a separate decision record. The public install baseline remains +current published `0.2.0` Rust/Python and `0.2.1` npm, and README installation examples remain +unchanged. + +## Retained Blockers + +- GitHub Release artifact publication remains blocked until the decider explicitly accepts the + exact artifact names, checksums, source binding, workflow evidence, and bounded public wording in + this request. +- GitHub Release artifact upload remains blocked until an explicit approval decision, operator + action, and closeout record pass. +- npm vendor refresh remains blocked. +- npm publication remains blocked. +- Release tag creation remains blocked. +- Package tag creation remains blocked. +- Public installation wording remains blocked. +- DocuShell integration remains blocked. +- Hosted surfaces remain blocked. +- Production positioning remains blocked. +- Windows packaged artifacts remain blocked. +- Bundled project-maintained PDFium builds remain blocked. +- Public benchmark reports remain blocked. +- Public benchmark claims remain blocked. +- `ethos-doc` remains blocked. +- `ethos-rag` remains blocked. +- PDFium remains caller-provided through `ETHOS_PDFIUM_LIBRARY_PATH`. + +Upload remains blocked until explicit approval is recorded. + +## Required Operator Checks Before Decision + +Before acceptance, the operator should verify the downloaded workflow artifacts: + +```sh +shasum -a 256 ethos-macos-arm64.tar.gz +cat ethos-macos-arm64.tar.gz.sha256 +cat ethos-macos-arm64.inventory.json +cat ethos-macos-arm64.smoke.json +shasum -a 256 ethos-linux-x64.tar.gz +cat ethos-linux-x64.tar.gz.sha256 +cat ethos-linux-x64.inventory.json +cat ethos-linux-x64.smoke.json +``` + +If any output changes artifact names, checksums, version output, inventory publication status, +PDFium posture, license and NOTICE inclusion, public install baseline, or requested public wording, +publication must stop until a refreshed evidence record and approval request pass. + +## Validation Commands + +```sh +python3 .github/scripts/test_v0_3_0_artifact_publication_approval_request.py +python3 .github/scripts/test_v0_3_0_draft_artifact_evidence.py +python3 .github/scripts/public_boundary_claims_gate.py +make v0-3-release-prep PYTHON=python3 +python3 .github/scripts/check_release_boundary_paths.py +python3 .github/scripts/validation_record_integrity.py +git diff --check +``` + +## Result + +The v0.3.0 artifact publication approval request is ready for decider review. Upload remains +blocked until explicit approval is recorded.