Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 6 additions & 4 deletions .cursor/rules/release-versioning.mdc
Original file line number Diff line number Diff line change
Expand Up @@ -31,11 +31,13 @@ alwaysApply: false

## Version facts (ADR-0073 — Accepted)

> **Esta regra DERIVA de ADR-0073 (+ `docs/VERSIONING.md`). Em conflito, a ADR vence → corrigir o `.mdc`, não a ADR. Se o certo não estiver claro, PARAR e perguntar ao operador.**

- **`main` today:** **`1.7.4` STABLE** (release PR **#1024**); ADR-0073 **Accepted**; release gate **#406 CLOSED**.
- **#970:** premature stable bump/tag without release gate — corrected by **ADR-0072** + **#406**; **`1.7.4` is not VOID**.
- **Published stable:** tag **`v1.7.4`**, GitHub Release, Docker Hub **`1.7.4`** / **`latest`** — operator **release-ritual** post-merge (not agent-autonomous).
- **`1.7.5` does not exist.** Next dev line: **`1.8.0-beta`** (#772) **after** publish ritual completes.
- **Maturity octet** (0–127 beta · 128–199 rc · 200–255 release): **`[tool.databoar] maturity_build = 201`** side-channel — **never** in `[project] version` or About. See **`docs/VERSIONING.md`**.
- **Maturity octet** (1–126 beta · 127–199 rc · 200–254 GA+fix; counter starts at **`1`**): **`[tool.databoar] maturity_build = 208`** side-channel — **never** in `[project] version` or About. See **`docs/VERSIONING.md`**.

## Distribution policy (pre-release vs stable)

Expand Down Expand Up @@ -111,9 +113,9 @@ When opening **`1.8.0-beta`** (next dev line after **`1.7.4`** completes), **`ma

| `[project] version` | `maturity_build` band | Typical start |
| --- | --- | --- |
| **`1.8.0-beta`** | **0–127** (inclusive, 0-based) | e.g. **`1`** — document in release notes |
| **`1.8.0-rc`** | **128–199** | e.g. **`128`** |
| **`1.8.0`** GA | **200–255** | **`.200`** GA; **`.201`** first fix on that line |
| **`1.8.0-beta`** | **1–126** (counter starts at **`1`**; forgiving ceiling) | e.g. **`1`** — first beta = `.1`; document in release notes |
| **`1.8.0-rc`** | **127–199** | e.g. **`127`** or **`128`** — forgiving ceiling |
| **`1.8.0`** GA | **200–254** | **`.200`** GA; **`.201`** first fix on that line |

**`.postN`** applies only on the **release band** of a line (fix-line republication). **Beta/rc bands** use the octet only — no PyPI pre-release uploads per distribution policy.

Expand Down
15 changes: 8 additions & 7 deletions docs/VERSIONING.md
Original file line number Diff line number Diff line change
Expand Up @@ -43,21 +43,22 @@ Octet bands when using `maturity_build` (operator/beacon tooling — **not** the

| Octet range | Meaning |
| --- | --- |
| **0–127** | beta maturity (inclusive — **0** is valid) |
| **128–199** | rc maturity (inclusive) |
| **200–255** | release maturity (`.200` = GA on that line, `.201` = first post-GA fix, …) |
| **1–126** | beta maturity (counter starts at **1** — first beta = `.1`; forgiving ceiling) |
| **127–199** | rc maturity |
| **200–254** | release / GA + fix (`.200` = GA on that line, `.201` = first post-GA fix, …) |
| **255** | overflow sentinel — consult TXT beacon |

**Band boundaries are inclusive and 0-based** (not `1–126` / `127–199`). If a mental model used `1–126` for beta, shift by one — the **regime** is the same.
**Counting starts at 1** (nothing is `.0`) for non-technical clarity. Band ceilings are **forgiving** — beacon TXT absorbs overflow; do not treat band tops as rigid hard limits.

### New public line — maturity band reset

When the project opens a **new semver line** (e.g. **`1.8.0`** after **`1.7.4`**), **`maturity_build` does not continue** from `.208` on the old line. It **resets into the Gibson band** that matches the **pre-release suffix** on `[project] version`:

| `[project] version` on the new line | `maturity_build` band | Typical anchor |
| --- | --- | --- |
| **`X.Y.Z-beta`** (or `-beta.N`) | **0–127** | Restart low in band (e.g. **`1`**) — record in release notes |
| **`X.Y.Z-rc`** (or `-rc.N`) | **128–199** | Restart low in band (e.g. **`128`**) |
| **`X.Y.Z`** stable (GA) | **200–255** | **`.200`** = GA maturity on that line; **`.201`** = first fix, … |
| **`X.Y.Z-beta`** (or `-beta.N`) | **1–126** | Restart at **`1`** (first beta = `.1`) — record in release notes |
| **`X.Y.Z-rc`** (or `-rc.N`) | **127–199** | Restart low in band (e.g. **`127`** or **`128`**) |
| **`X.Y.Z`** stable (GA) | **200–254** | **`.200`** = GA maturity on that line; **`.201`** = first fix, … |

**`.postN` PyPI counters apply only on a GA release band** (fix-line republication on the **same** public line, e.g. `1.7.4.post2`). They do **not** carry across to **`1.8.0-beta`**.

Expand Down
15 changes: 8 additions & 7 deletions docs/VERSIONING.pt_BR.md
Original file line number Diff line number Diff line change
Expand Up @@ -43,21 +43,22 @@ Faixas do octeto quando `maturity_build` estiver em uso (ferramentas operador/be

| Faixa octeto | Significado |
| --- | --- |
| **0–127** | maturidade beta (inclusivo — **0** é válido) |
| **128–199** | maturidade rc (inclusivo) |
| **200–255** | maturidade release (`.200` = GA na linha, `.201` = primeiro fix pós-GA, …) |
| **1–126** | maturidade beta (contador começa em **1** — primeiro beta = `.1`; teto forgiving) |
| **127–199** | maturidade rc |
| **200–254** | release / GA + fix (`.200` = GA na linha, `.201` = primeiro fix pós-GA, …) |
| **255** | sentinela de overflow — consultar TXT beacon |

**Limites inclusivos e base 0** (não `1–126` / `127–199`). Se o modelo mental usava `1–126` para beta, desloque um — o **regime** é o mesmo.
**A contagem começa em 1** (nada é `.0`) por clareza para não técnicos. Os tetos de faixa são **forgiving** o TXT do beacon absorve overflow; não trate o topo da faixa como limite rígido.

### Nova linha pública — reset da faixa de maturidade

Ao abrir uma **nova linha semver** (ex.: **`1.8.0`** após **`1.7.4`**), **`maturity_build` não continua** a partir de `.208` na linha antiga. **Reinicia na faixa Gibson** que corresponde ao **sufixo pre-release** em `[project] version`:

| `[project] version` na nova linha | Faixa `maturity_build` | Âncora típica |
| --- | --- | --- |
| **`X.Y.Z-beta`** (ou `-beta.N`) | **0–127** | Reinício baixo na faixa (ex.: **`1`**) — registrar nas release notes |
| **`X.Y.Z-rc`** (ou `-rc.N`) | **128–199** | Reinício baixo na faixa (ex.: **`128`**) |
| **`X.Y.Z`** stable (GA) | **200–255** | **`.200`** = GA na linha; **`.201`** = primeiro fix, … |
| **`X.Y.Z-beta`** (ou `-beta.N`) | **1–126** | Reinício em **`1`** (primeiro beta = `.1`) — registrar nas release notes |
| **`X.Y.Z-rc`** (ou `-rc.N`) | **127–199** | Reinício baixo na faixa (ex.: **`127`** ou **`128`**) |
| **`X.Y.Z`** stable (GA) | **200–254** | **`.200`** = GA na linha; **`.201`** = primeiro fix, … |

**`.postN` no PyPI** aplica-se só na faixa **release** (republicação fix-line na **mesma** linha pública, ex. `1.7.4.post2`). **Não** carrega para **`1.8.0-beta`**.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,8 @@ Accepted
- 2026-06-23 — Proposed (amended): destensionar octeto da versão pública; regras (1)–(4) abaixo; TBD pós-GA aberto (#977 auditoria RO)
- 2026-06-25 — Accepted: resolve #977 — post-GA public fixes stay on the **same public line** (`1.7.4`); **`maturity_build`** octet distinguishes fix maturity; **`1.7.5` does not exist**; next **public** line = **`1.8.0`** (#971)
- 2026-06-27 — Amended: cláusula de distribuição PyPI (#1047) — post-release como publish-counter. (ratificado pelo operador)
- 2026-07-01 — Amended: faixas Gibson **inclusivas 0-based**; reset de `maturity_build` em nova linha semver; octeto na fix-line avança por **fix discreto** (não por merge/build/docs) — alinhado a `release-versioning.mdc` e `docs/releases/1.7.4.post2.md`.
- 2026-07-01 — Amended: reset de `maturity_build` em nova linha semver; octeto na fix-line avança por **fix discreto** (não por merge/build/docs) — ver `docs/releases/1.7.4.post2.md`.
- 2026-07-01 — Amended (band-fix): contador Gibson **começa em 1** (primeiro beta = `.1`; **0** não usado); tetos de faixa **forgiving** (overflow → TXT beacon). Corrige redação 0-based que derivara do `.mdc` em vez desta ADR.

## Context

Expand All @@ -29,9 +30,9 @@ A richer scheme (vault `self-upgrade-beacon-heartbeat-design-2026-06-15`, Gibson
## Decision

1. **Public version (release line):** `major.minor.build` (**three segments only**) + optional PEP 440 pre-release suffix (`-beta[.N]` / `-rc[.N]`) or **none**. **Never a fourth semver segment** (e.g. `1.7.4.201` is invalid). PEP 440 **`.postN`** on PyPI is **not** that fourth segment — see § *PyPI dual counters* below.
2. **Octet-maturity (Gibson DNS-beacon bands):** lives in a **separate derived field** — `[tool.databoar] maturity_build` — a **side-channel** (release notes, beacon, operator tooling). Bands (**inclusive, 0-based**): **0–127** beta · **128–199** rc · **200–255** release (`.200` = GA maturity on that line, `.201` = fix-1, …). **Never** copy this octet into `[project] version` or any version string. **`.postN` is never the octet** — rule (1) stays intact.
2. **Octet-maturity (Gibson DNS-beacon bands):** lives in a **separate derived field** — `[tool.databoar] maturity_build` — a **side-channel** (release notes, beacon, operator tooling). Counter **starts at 1** (first beta = `.1`; **0** unused). Bands (ceilings **forgiving** — overflow → TXT): **1–126** beta · **127–199** rc · **200–254** GA + fix (`.200` = GA maturity on that line, `.201` = fix-1, …; e.g. `.208` valid) · **255** = overflow sentinel (consult TXT). **Never** copy this octet into `[project] version` or any version string. **`.postN` is never the octet** — rule (1) stays intact.

**New public line (e.g. `1.8.0`):** `maturity_build` **resets into the band** matching the pre-release suffix — beta → **0–127**, rc → **128–199**, GA → **`.200`** anchor — it does **not** continue from the previous line (e.g. `.208` on `1.7.4`). **`.postN`** applies only on the **release band** of a given public line.
**New public line (e.g. `1.8.0`):** `maturity_build` **resets into the band** matching the pre-release suffix — beta → **1–126** (starts at **`1`**), rc → **127–199**, GA → **`.200`** anchor — it does **not** continue from the previous line (e.g. `.208` on `1.7.4`). **`.postN`** applies only on the **release band** of a given public line.

**On a fix-line (post-GA):** octet **+1 per discrete fix** to installed/runtime behavior (bug, CVE, dangling feature completion); **not** docs/ADR/chore/ci/test/rito-only. **`postN`** advances only on PyPI upload when fixes warrant republication.
3. **`-alpha` suffix:** tamper-detection axis only (GitHub #856), **not** a maturity band — separate from beta/rc/release.
Expand Down
6 changes: 3 additions & 3 deletions docs/adr/INVENTORY.txt
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# ADR Inventory - generated by scripts/inv-adr.ps1
# GeneratedUtc: 2026-07-01T09:34:57Z
# GeneratedUtc: 2026-07-01T16:18:37Z
# Algorithm: SHA256
# Format: NUMBER | STATUS | FILE_HASH | FILENAME | TITLE | RATIFIED_BY
# RATIFIED_BY: - = N/A; PENDING = ratification line with signature PENDING; @op = stamped
Expand Down Expand Up @@ -75,11 +75,11 @@
0070 | Accepted | 6027996FE7D12C83E574AD77CCAAD47541B61609C6371C9A9175F76E28BC651A | ADR-0070-primer-taxonomy-and-home.md | Primer taxonomy and home: technical/onboarding (docs/primers/) vs deliverable (docs/plans/) | -
0071 | Accepted | 8D6FB89D7247D8E353D30EF14F6C3A281C15BBED9ECF574D2955E220DA8734D8 | ADR-0071-self-protecting-pii-gate.md | Self-protecting PII gate: word-boundary matcher, CODEOWNERS, modification tripwire, sanctioned FP allowlist | @FabioLeitao
0072 | Accepted | 0BE6A85E1154BC9951A0228B5528993471FA37760B1B3B507ABC952AD0045E8C | ADR-0072-commit-gate-vs-release-gate-distinct-criteria.md | Commit Gate vs Release Gate: distinct criteria | @FabioLeitao
0073 | Accepted | C6353A34C1AA2A688373B52E6F90A28576D4C87CFC0D79610B5B425219599982 | ADR-0073-version-scheme-octet-maturity-and-roadmap.md | Version scheme: octet-maturity side-channel + release-line roadmap | -
0073 | Accepted | 18FD36B57C63831085804D3772AC3E6DB01FB398330879BDDA84F0315D5F1D98 | ADR-0073-version-scheme-octet-maturity-and-roadmap.md | Version scheme: octet-maturity side-channel + release-line roadmap | -
0075 | Proposed | DFB13E4514D8BBC0E5A994FA6D6649C870AF672670D951DB938DBC1BCA13E456 | ADR-0075-plugin-auth-file-based-vs-bearer.md | Plugin authentication — file-based license vs Bearer per-request | -
0076 | Proposed | FD2760FE46D765A060352C48F4B99A892A40846817328691C0DCE29C34E6B25C | ADR-0076-opa-rego-ci-tier-drift-linter-not-runtime.md | OPA/Rego as CI drift linter for commercial tier enforcement (not runtime) | -
0077 | Accepted | F8A4C9D3B2BE2BEE3721C5AE09476F9CD066DB0B58E6B3174D4B783B123A1BAF | ADR-0077-filesystem-scan-no-client-gitignore-by-design.md | Filesystem scan does not honor client `.gitignore` (deliberate design) | -
0078 | Proposed | 5FEF0DCAC3DA292E33519F24FE6387584C04A850771958FF78B19D3EEB856990 | ADR-0078-multi-pattern-regex-benchmark-gate-regexset-before-vectorscan.md | Multi-pattern regex acceleration gated by benchmark (RegexSet before Vectorscan) | -
0079 | Proposed | 158C68D90B9C6934F0FAAC392E86C6C889FA8F5A6E9AD8197168205946435F9D | ADR-0079-ecosystem-engineering-rigor-canon.md | Ecosystem engineering rigor canon (UMADR satellites) | -
#
# InventoryHash: A4D38F67D132F63EA4E99EEDB6723FD37AE7B6D00CE2C17E97D29053D5B7013D
# InventoryHash: 517314AF60C1709438B1E9AF5E9760921B54BA55EB70F9CFA9A3671691E7DD07