diff --git a/.github/scripts/test_patch_0_1_1_crates_publication_approval_request.py b/.github/scripts/test_patch_0_1_1_crates_publication_approval_request.py new file mode 100644 index 0000000..3e11578 --- /dev/null +++ b/.github/scripts/test_patch_0_1_1_crates_publication_approval_request.py @@ -0,0 +1,164 @@ +#!/usr/bin/env python3 +# +# Copyright 2026 The Ethos maintainers +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import annotations + +import re +import subprocess +import unittest +from pathlib import Path + + +ROOT = Path(__file__).resolve().parents[2] +RECORD = ROOT / "docs/validation/patch-0-1-1-crates-publication-approval-request-validation-2026-06-24.md" +VALIDATION_README = ROOT / "docs/validation/README.md" +MAKEFILE = ROOT / "Makefile" + +SOURCE_SHORT = "a085103" +SOURCE_COMMIT = "a0851030e28c155c12f5f966af8fa0739a536ea9" +SOURCE_TREE = "0238c3f6bfd264f8803708e4a828d8352320f08f" +VERSION = "0.1.1" +CRATES = ("ethos-doc-core", "ethos-verify", "ethos-pdf") +TAGS = ( + "ethos-package-ethos-doc-core-0.1.1", + "ethos-package-ethos-verify-0.1.1", + "ethos-package-ethos-pdf-0.1.1", +) +CRATE_HASHES = ( + "d845042c391d584a26dc3aa7ff367f118cfd94e8290a3caec81642186ed0de51", + "27313b8decab66a3ea1b9e4c3e82dc47088e5c2f9d289a1450203cff1b9a7070", + "a07e6436cceb64dddce1d5468fb25c44b745a26e4d044858b72bd570dcb84529", +) +FORBIDDEN = ( + "cargo publish approved", + "crates are published", + "published crates", + "production-ready", + "hosted surfaces approved", + "windows packaged artifacts approved", + "bundled pdfium approved", + "ethos-doc approved", + "ethos-rag approved", +) + + +def read(path: Path) -> str: + return path.read_text(encoding="utf-8") + + +def normalized(path: Path) -> str: + return re.sub(r"\s+", " ", read(path)) + + +def git(*args: str) -> str: + return subprocess.check_output( + ["git", *args], + cwd=ROOT, + encoding="utf-8", + stderr=subprocess.DEVNULL, + ).strip() + + +class Patch011CratesPublicationApprovalRequestTests(unittest.TestCase): + def test_request_record_is_source_bound_and_indexed(self) -> None: + record = normalized(RECORD) + readme = normalized(VALIDATION_README) + + self.assertIn(RECORD.name, readme) + self.assertIn("patch 0.1.1 crates.io publication approval request", readme.lower()) + self.assertIn(f"Validated source HEAD before this record: `{SOURCE_SHORT}`", read(RECORD)) + self.assertIn(f"Patch 0.1.1 crates publication approval request source commit: `{SOURCE_COMMIT}`", record) + self.assertIn(f"Patch 0.1.1 crates publication approval request source tree: `{SOURCE_TREE}`", record) + self.assertEqual(SOURCE_COMMIT, git("rev-parse", SOURCE_SHORT)) + self.assertEqual(SOURCE_TREE, git("rev-parse", f"{SOURCE_SHORT}^{{tree}}")) + + def test_request_names_exact_crates_versions_tags_and_artifacts(self) -> None: + record = normalized(RECORD) + + self.assertIn( + "Status: **patch 0.1.1 crates.io publication approval request recorded; cargo publish remains blocked**", + record, + ) + for crate in CRATES: + self.assertIn(crate, record) + self.assertIn(f"{crate} = {VERSION}", record) + self.assertIn(f"{crate}-0.1.1.crate", record) + for tag in TAGS: + self.assertIn(tag, record) + for digest in CRATE_HASHES: + self.assertIn(digest, record) + self.assertIn("cargo publish --locked -p ethos-doc-core", record) + self.assertIn("cargo publish --locked -p ethos-verify", record) + self.assertIn("cargo publish --locked -p ethos-pdf", record) + + def test_request_retains_publication_and_surface_boundaries(self) -> None: + raw = read(RECORD) + lower = normalized(RECORD).lower() + + for expected in ( + "This request record does not approve `cargo publish`.", + "Actual crates.io publication remains blocked pending explicit decider approval.", + "Public installation wording remains blocked pending explicit decider approval.", + "The `ethos-cli` package remains `publish = false`.", + "`ethos-doc` remains blocked.", + "`ethos-rag` remains blocked.", + "PDFium remains caller-provided through `ETHOS_PDFIUM_LIBRARY_PATH`.", + ): + self.assertIn(expected, raw) + for forbidden in FORBIDDEN: + self.assertNotIn(forbidden, lower) + self.assertNotIn("/Users/", raw) + self.assertNotIn("/private/tmp", raw) + self.assertNotIn("/private/var", raw) + self.assertNotIn("/var/folders", raw) + self.assertNotIn("saumildiwaker", raw) + + def test_source_manifests_keep_expected_publish_surface(self) -> None: + for manifest in ( + ROOT / "crates/ethos-core/Cargo.toml", + ROOT / "crates/ethos-verify/Cargo.toml", + ROOT / "crates/ethos-pdf/Cargo.toml", + ): + text = read(manifest) + self.assertNotIn("publish = false", text, str(manifest)) + self.assertIn('publication_status = "approved_for_crates_io_publication"', text, str(manifest)) + + for manifest in ( + ROOT / "crates/ethos-cli/Cargo.toml", + ROOT / "crates/ethos-layout/Cargo.toml", + ROOT / "crates/ethos-tables/Cargo.toml", + ): + self.assertIn("publish = false", read(manifest), str(manifest)) + + def test_release_candidate_prep_runs_request_guard(self) -> None: + makefile = read(MAKEFILE) + guard = "$(PYTHON) .github/scripts/test_patch_0_1_1_crates_publication_approval_request.py" + + self.assertIn(guard, makefile) + self.assertEqual(1, makefile.count(guard)) + self.assertLess( + makefile.index("$(PYTHON) .github/scripts/test_npm_publication_closeout.py"), + makefile.index(guard), + ) + self.assertLess( + makefile.index(guard), + makefile.index("$(PYTHON) .github/scripts/test_pdfium_manual_setup_contract.py"), + ) + + +if __name__ == "__main__": + unittest.main() diff --git a/.github/scripts/test_release_candidate_prep.py b/.github/scripts/test_release_candidate_prep.py index 20948f4..5aafec8 100644 --- a/.github/scripts/test_release_candidate_prep.py +++ b/.github/scripts/test_release_candidate_prep.py @@ -37,6 +37,7 @@ "$(PYTHON) .github/scripts/test_npm_publication_final_approval_request.py", "$(PYTHON) .github/scripts/test_npm_publication_final_approval_decision.py", "$(PYTHON) .github/scripts/test_npm_publication_closeout.py", + "$(PYTHON) .github/scripts/test_patch_0_1_1_crates_publication_approval_request.py", "$(PYTHON) .github/scripts/test_pdfium_manual_setup_contract.py", "$(PYTHON) .github/scripts/test_release_artifact_workflow_prep.py", "$(PYTHON) .github/scripts/test_patch_0_1_1_release_artifact_evidence.py", diff --git a/CHANGELOG.md b/CHANGELOG.md index 57975ef..4688912 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## Unreleased +- boundary-exception: request exact patch `0.1.1` Rust crates.io publication approval for decider review; no `cargo publish` or support-boundary change. - boundary-exception: close patch `0.1.1` npm publication with exact registry evidence; no hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, or `ethos-rag` boundary change. - boundary-exception: approve exact patch `0.1.1` npm publication decision for later operator publish; no npm publish or support-boundary change. - boundary-exception: request patch `0.1.1` npm publication approval for exact refreshed package candidate; no npm publish or support-boundary change. diff --git a/Makefile b/Makefile index 514010b..8301242 100644 --- a/Makefile +++ b/Makefile @@ -279,6 +279,7 @@ release-candidate-prep: $(PYTHON) .github/scripts/test_npm_publication_final_approval_request.py $(PYTHON) .github/scripts/test_npm_publication_final_approval_decision.py $(PYTHON) .github/scripts/test_npm_publication_closeout.py + $(PYTHON) .github/scripts/test_patch_0_1_1_crates_publication_approval_request.py $(PYTHON) .github/scripts/test_pdfium_manual_setup_contract.py $(PYTHON) .github/scripts/test_release_artifact_workflow_prep.py $(PYTHON) .github/scripts/test_patch_0_1_1_release_artifact_evidence.py diff --git a/docs/validation/README.md b/docs/validation/README.md index 8f24f40..5125d5f 100644 --- a/docs/validation/README.md +++ b/docs/validation/README.md @@ -602,6 +602,11 @@ recording the exact current-main source candidate and required follow-up evidenc closeout validation records successful publication of `@docushell/ethos-pdf@0.1.1`, registry verification for version, latest tag, shasum, integrity, file count, unpacked size, npm's publish-time bin-name auto-correction warning, and retained blockers. +- `patch-0-1-1-crates-publication-approval-request-validation-2026-06-24.md` - patch 0.1.1 + crates.io publication approval request validation binds the exact `ethos-doc-core`, + `ethos-verify`, and `ethos-pdf` `0.1.1` crate set, source commit, package tag names, local crate + artifact hashes, publish order, and retained blockers for decider review; `cargo publish` + remains blocked. - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E validation-command index validation passed through command-alignment checks, schema enum checks, row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the diff --git a/docs/validation/patch-0-1-1-crates-publication-approval-request-validation-2026-06-24.md b/docs/validation/patch-0-1-1-crates-publication-approval-request-validation-2026-06-24.md new file mode 100644 index 0000000..3df6c1a --- /dev/null +++ b/docs/validation/patch-0-1-1-crates-publication-approval-request-validation-2026-06-24.md @@ -0,0 +1,133 @@ +# Patch 0.1.1 crates.io Publication Approval Request Validation - 2026-06-24 + +Validated source HEAD before this record: `a085103`. + +Patch 0.1.1 crates publication approval request source commit: `a0851030e28c155c12f5f966af8fa0739a536ea9`. + +Patch 0.1.1 crates publication approval request source tree: `0238c3f6bfd264f8803708e4a828d8352320f08f`. + +Status: **patch 0.1.1 crates.io publication approval request recorded; cargo publish remains blocked** + +This record requests decider review for publishing exactly the patch `0.1.1` Ethos Rust library +crate set to crates.io. It does not approve or perform `cargo publish`, create package tags, change +public wording, approve hosted surfaces, approve production positioning, approve Windows packaged +artifacts, approve bundled project-maintained PDFium builds, approve `ethos-doc`, approve +`ethos-rag`, or approve public benchmark reports or claims. + +## Subject + +- Repository: `docushell/ethos` +- Lane: Rust crates publication +- Package source commit: `a0851030e28c155c12f5f966af8fa0739a536ea9` +- Package source tree: `0238c3f6bfd264f8803708e4a828d8352320f08f` +- Candidate crates: + - `ethos-doc-core = 0.1.1` + - `ethos-verify = 0.1.1` + - `ethos-pdf = 0.1.1` +- Excluded workspace packages: + - `ethos-cli` + - `ethos-layout` + - `ethos-tables` + - `ethos-grounding-opendataloader-json` + - reserved `ethos-doc` + - reserved `ethos-rag` + +## Exact Request Fields + +- Decision requested: approve exact patch `0.1.1` crates.io publication preparation inputs for + later operator execution. +- Approver requested: `docushell-admin` acting as decider. +- Date requested: 2026-06-24. +- Exact candidate crate list requested: `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` only. +- Exact package version map requested: `ethos-doc-core = 0.1.1`, `ethos-verify = 0.1.1`, and + `ethos-pdf = 0.1.1`. +- Exact package tag name set requested: `ethos-package-ethos-doc-core-0.1.1`, + `ethos-package-ethos-verify-0.1.1`, and `ethos-package-ethos-pdf-0.1.1`. +- Exact package tag source commit requested: `a0851030e28c155c12f5f966af8fa0739a536ea9`. +- Exact package tag source tree requested: `0238c3f6bfd264f8803708e4a828d8352320f08f`. +- Exact candidate package artifacts requested: + - `ethos-doc-core-0.1.1.crate` + - SHA256: `d845042c391d584a26dc3aa7ff367f118cfd94e8290a3caec81642186ed0de51` + - `ethos-verify-0.1.1.crate` + - SHA256: `27313b8decab66a3ea1b9e4c3e82dc47088e5c2f9d289a1450203cff1b9a7070` + - `ethos-pdf-0.1.1.crate` + - SHA256: `a07e6436cceb64dddce1d5468fb25c44b745a26e4d044858b72bd570dcb84529` +- Exact operator commands requested for later approval: + - `cargo publish --locked -p ethos-doc-core` + - `cargo publish --locked -p ethos-verify` + - `cargo publish --locked -p ethos-pdf` + +## Requested Publication Order + +1. Publish `ethos-doc-core` first. +2. Publish `ethos-verify` after crates.io reports `ethos-doc-core = 0.1.1`. +3. Publish `ethos-pdf` after crates.io reports `ethos-doc-core = 0.1.1`. + +`ethos-verify` and `ethos-pdf` both depend on `ethos-doc-core`; no dependent crate publish should +be attempted until the base crate is visible from crates.io. + +## Evidence Bound To This Request + +- Candidate activation produced crate artifacts for exactly `ethos-doc-core`, `ethos-verify`, and + `ethos-pdf`. +- Candidate activation reported version `0.1.1`. +- Candidate activation reported registry-equivalent consumer check status `pass`. +- Candidate activation reported source manifest activation applied. +- Candidate activation reported package publication approval `false`. +- Candidate activation reported public installation approval `false`. +- `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` manifests do not contain `publish = false`. +- The `ethos-cli` package remains `publish = false`. +- The `ethos-layout` package remains `publish = false`. +- The `ethos-tables` package remains `publish = false`. +- PDFium remains caller-provided through `ETHOS_PDFIUM_LIBRARY_PATH`. + +## Non-Approvals + +- This request record does not approve `cargo publish`. +- This request record does not publish any crate. +- This request record does not create package tags. +- This request record does not approve public installation wording. +- This request record does not approve the `ethos-cli` crate for publication. +- This request record does not approve hosted surfaces. +- This request record does not approve production positioning. +- This request record does not approve Windows packaged artifacts. +- This request record does not approve bundled project-maintained PDFium builds. +- This request record does not approve public benchmark reports. +- This request record does not approve public benchmark claims. +- This request record does not approve `ethos-doc`. +- This request record does not approve `ethos-rag`. + +## Retained Blockers + +- Actual crates.io publication remains blocked pending explicit decider approval. +- Public installation wording remains blocked pending explicit decider approval. +- Package tag creation remains blocked pending explicit decider approval. +- Hosted surfaces remain blocked. +- Production positioning remains blocked. +- Public benchmark reports remain blocked. +- Public benchmark claims remain blocked. +- Windows packaged artifacts remain blocked. +- Bundled project-maintained PDFium builds remain blocked. +- `ethos-doc` remains blocked. +- `ethos-rag` remains blocked. + +## Commands + +```sh +python3 .github/scripts/test_patch_0_1_1_crates_publication_approval_request.py +python3 .github/scripts/test_milestone_e_package_publication_current_registry_assembly.py +python3 .github/scripts/test_milestone_e_package_publication_dry_run_smoke.py +cargo package --locked --offline -p ethos-doc-core --allow-dirty --no-verify +cargo check --locked --offline -p ethos-verify +cargo check --locked --offline -p ethos-pdf +make release-candidate-prep PYTHON=python3 +git diff --check +``` + +## Result + +```text +patch 0.1.1 crates.io publication approval request recorded +Exact crate set, version map, package tag names, source binding, local crate artifact hashes, publish order, and retained blockers were recorded +cargo publish remains blocked pending explicit decider approval and later operator action +```