Request patch 0.1.1 Rust publication approval

.github/scripts/test_patch_0_1_1_crates_publication_approval_request.py

@@ -0,0 +1,164 @@
+#!/usr/bin/env python3
+#
+# Copyright 2026 The Ethos maintainers
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+from __future__ import annotations
+
+import re
+import subprocess
+import unittest
+from pathlib import Path
+
+
+ROOT = Path(__file__).resolve().parents[2]
+RECORD = ROOT / "docs/validation/patch-0-1-1-crates-publication-approval-request-validation-2026-06-24.md"
+VALIDATION_README = ROOT / "docs/validation/README.md"
+MAKEFILE = ROOT / "Makefile"
+
+SOURCE_SHORT = "a085103"
+SOURCE_COMMIT = "a0851030e28c155c12f5f966af8fa0739a536ea9"
+SOURCE_TREE = "0238c3f6bfd264f8803708e4a828d8352320f08f"
+VERSION = "0.1.1"
+CRATES = ("ethos-doc-core", "ethos-verify", "ethos-pdf")
+TAGS = (
+    "ethos-package-ethos-doc-core-0.1.1",
+    "ethos-package-ethos-verify-0.1.1",
+    "ethos-package-ethos-pdf-0.1.1",
+)
+CRATE_HASHES = (
+    "d845042c391d584a26dc3aa7ff367f118cfd94e8290a3caec81642186ed0de51",
+    "27313b8decab66a3ea1b9e4c3e82dc47088e5c2f9d289a1450203cff1b9a7070",
+    "a07e6436cceb64dddce1d5468fb25c44b745a26e4d044858b72bd570dcb84529",
+)
+FORBIDDEN = (
+    "cargo publish approved",
+    "crates are published",
+    "published crates",
+    "production-ready",
+    "hosted surfaces approved",
+    "windows packaged artifacts approved",
+    "bundled pdfium approved",
+    "ethos-doc approved",
+    "ethos-rag approved",
+)
+
+
+def read(path: Path) -> str:
+    return path.read_text(encoding="utf-8")
+
+
+def normalized(path: Path) -> str:
+    return re.sub(r"\s+", " ", read(path))
+
+
+def git(*args: str) -> str:
+    return subprocess.check_output(
+        ["git", *args],
+        cwd=ROOT,
+        encoding="utf-8",
+        stderr=subprocess.DEVNULL,
+    ).strip()
+
+
+class Patch011CratesPublicationApprovalRequestTests(unittest.TestCase):
+    def test_request_record_is_source_bound_and_indexed(self) -> None:
+        record = normalized(RECORD)
+        readme = normalized(VALIDATION_README)
+
+        self.assertIn(RECORD.name, readme)
+        self.assertIn("patch 0.1.1 crates.io publication approval request", readme.lower())
+        self.assertIn(f"Validated source HEAD before this record: `{SOURCE_SHORT}`", read(RECORD))
+        self.assertIn(f"Patch 0.1.1 crates publication approval request source commit: `{SOURCE_COMMIT}`", record)
+        self.assertIn(f"Patch 0.1.1 crates publication approval request source tree: `{SOURCE_TREE}`", record)
+        self.assertEqual(SOURCE_COMMIT, git("rev-parse", SOURCE_SHORT))
+        self.assertEqual(SOURCE_TREE, git("rev-parse", f"{SOURCE_SHORT}^{{tree}}"))
+
+    def test_request_names_exact_crates_versions_tags_and_artifacts(self) -> None:
+        record = normalized(RECORD)
+
+        self.assertIn(
+            "Status: **patch 0.1.1 crates.io publication approval request recorded; cargo publish remains blocked**",
+            record,
+        )
+        for crate in CRATES:
+            self.assertIn(crate, record)
+            self.assertIn(f"{crate} = {VERSION}", record)
+            self.assertIn(f"{crate}-0.1.1.crate", record)
+        for tag in TAGS:
+            self.assertIn(tag, record)
+        for digest in CRATE_HASHES:
+            self.assertIn(digest, record)
+        self.assertIn("cargo publish --locked -p ethos-doc-core", record)
+        self.assertIn("cargo publish --locked -p ethos-verify", record)
+        self.assertIn("cargo publish --locked -p ethos-pdf", record)
+
+    def test_request_retains_publication_and_surface_boundaries(self) -> None:
+        raw = read(RECORD)
+        lower = normalized(RECORD).lower()
+
+        for expected in (
+            "This request record does not approve `cargo publish`.",
+            "Actual crates.io publication remains blocked pending explicit decider approval.",
+            "Public installation wording remains blocked pending explicit decider approval.",
+            "The `ethos-cli` package remains `publish = false`.",
+            "`ethos-doc` remains blocked.",
+            "`ethos-rag` remains blocked.",
+            "PDFium remains caller-provided through `ETHOS_PDFIUM_LIBRARY_PATH`.",
+        ):
+            self.assertIn(expected, raw)
+        for forbidden in FORBIDDEN:
+            self.assertNotIn(forbidden, lower)
+        self.assertNotIn("/Users/", raw)
+        self.assertNotIn("/private/tmp", raw)
+        self.assertNotIn("/private/var", raw)
+        self.assertNotIn("/var/folders", raw)
+        self.assertNotIn("saumildiwaker", raw)
+
+    def test_source_manifests_keep_expected_publish_surface(self) -> None:
+        for manifest in (
+            ROOT / "crates/ethos-core/Cargo.toml",
+            ROOT / "crates/ethos-verify/Cargo.toml",
+            ROOT / "crates/ethos-pdf/Cargo.toml",
+        ):
+            text = read(manifest)
+            self.assertNotIn("publish = false", text, str(manifest))
+            self.assertIn('publication_status = "approved_for_crates_io_publication"', text, str(manifest))
+
+        for manifest in (
+            ROOT / "crates/ethos-cli/Cargo.toml",
+            ROOT / "crates/ethos-layout/Cargo.toml",
+            ROOT / "crates/ethos-tables/Cargo.toml",
+        ):
+            self.assertIn("publish = false", read(manifest), str(manifest))
+
+    def test_release_candidate_prep_runs_request_guard(self) -> None:
+        makefile = read(MAKEFILE)
+        guard = "$(PYTHON) .github/scripts/test_patch_0_1_1_crates_publication_approval_request.py"
+
+        self.assertIn(guard, makefile)
+        self.assertEqual(1, makefile.count(guard))
+        self.assertLess(
+            makefile.index("$(PYTHON) .github/scripts/test_npm_publication_closeout.py"),
+            makefile.index(guard),
+        )
+        self.assertLess(
+            makefile.index(guard),
+            makefile.index("$(PYTHON) .github/scripts/test_pdfium_manual_setup_contract.py"),
+        )
+
+
+if __name__ == "__main__":
+    unittest.main()

.github/scripts/test_release_candidate_prep.py

@@ -37,6 +37,7 @@
     "$(PYTHON) .github/scripts/test_npm_publication_final_approval_request.py",
     "$(PYTHON) .github/scripts/test_npm_publication_final_approval_decision.py",
     "$(PYTHON) .github/scripts/test_npm_publication_closeout.py",
+    "$(PYTHON) .github/scripts/test_patch_0_1_1_crates_publication_approval_request.py",
     "$(PYTHON) .github/scripts/test_pdfium_manual_setup_contract.py",
     "$(PYTHON) .github/scripts/test_release_artifact_workflow_prep.py",
     "$(PYTHON) .github/scripts/test_patch_0_1_1_release_artifact_evidence.py",

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## Unreleased
 
+- boundary-exception: request exact patch `0.1.1` Rust crates.io publication approval for decider review; no `cargo publish` or support-boundary change.
 - boundary-exception: close patch `0.1.1` npm publication with exact registry evidence; no hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, or `ethos-rag` boundary change.
 - boundary-exception: approve exact patch `0.1.1` npm publication decision for later operator publish; no npm publish or support-boundary change.
 - boundary-exception: request patch `0.1.1` npm publication approval for exact refreshed package candidate; no npm publish or support-boundary change.

Makefile

@@ -279,6 +279,7 @@ release-candidate-prep:
 	$(PYTHON) .github/scripts/test_npm_publication_final_approval_request.py
 	$(PYTHON) .github/scripts/test_npm_publication_final_approval_decision.py
 	$(PYTHON) .github/scripts/test_npm_publication_closeout.py
+	$(PYTHON) .github/scripts/test_patch_0_1_1_crates_publication_approval_request.py
 	$(PYTHON) .github/scripts/test_pdfium_manual_setup_contract.py
 	$(PYTHON) .github/scripts/test_release_artifact_workflow_prep.py
 	$(PYTHON) .github/scripts/test_patch_0_1_1_release_artifact_evidence.py

docs/validation/README.md

@@ -602,6 +602,11 @@ recording the exact current-main source candidate and required follow-up evidenc
   closeout validation records successful publication of `@docushell/ethos-pdf@0.1.1`, registry
   verification for version, latest tag, shasum, integrity, file count, unpacked size, npm's
   publish-time bin-name auto-correction warning, and retained blockers.
+- `patch-0-1-1-crates-publication-approval-request-validation-2026-06-24.md` - patch 0.1.1
+  crates.io publication approval request validation binds the exact `ethos-doc-core`,
+  `ethos-verify`, and `ethos-pdf` `0.1.1` crate set, source commit, package tag names, local crate
+  artifact hashes, publish order, and retained blockers for decider review; `cargo publish`
+  remains blocked.
 - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E
   validation-command index validation passed through command-alignment checks, schema enum checks,
   row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the

docs/validation/patch-0-1-1-crates-publication-approval-request-validation-2026-06-24.md

@@ -0,0 +1,133 @@
+# Patch 0.1.1 crates.io Publication Approval Request Validation - 2026-06-24
+
+Validated source HEAD before this record: `a085103`.
+
+Patch 0.1.1 crates publication approval request source commit: `a0851030e28c155c12f5f966af8fa0739a536ea9`.
+
+Patch 0.1.1 crates publication approval request source tree: `0238c3f6bfd264f8803708e4a828d8352320f08f`.
+
+Status: **patch 0.1.1 crates.io publication approval request recorded; cargo publish remains blocked**
+
+This record requests decider review for publishing exactly the patch `0.1.1` Ethos Rust library
+crate set to crates.io. It does not approve or perform `cargo publish`, create package tags, change
+public wording, approve hosted surfaces, approve production positioning, approve Windows packaged
+artifacts, approve bundled project-maintained PDFium builds, approve `ethos-doc`, approve
+`ethos-rag`, or approve public benchmark reports or claims.
+
+## Subject
+
+- Repository: `docushell/ethos`
+- Lane: Rust crates publication
+- Package source commit: `a0851030e28c155c12f5f966af8fa0739a536ea9`
+- Package source tree: `0238c3f6bfd264f8803708e4a828d8352320f08f`
+- Candidate crates:
+  - `ethos-doc-core = 0.1.1`
+  - `ethos-verify = 0.1.1`
+  - `ethos-pdf = 0.1.1`
+- Excluded workspace packages:
+  - `ethos-cli`
+  - `ethos-layout`
+  - `ethos-tables`
+  - `ethos-grounding-opendataloader-json`
+  - reserved `ethos-doc`
+  - reserved `ethos-rag`
+
+## Exact Request Fields
+
+- Decision requested: approve exact patch `0.1.1` crates.io publication preparation inputs for
+  later operator execution.
+- Approver requested: `docushell-admin` acting as decider.
+- Date requested: 2026-06-24.
+- Exact candidate crate list requested: `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` only.
+- Exact package version map requested: `ethos-doc-core = 0.1.1`, `ethos-verify = 0.1.1`, and
+  `ethos-pdf = 0.1.1`.
+- Exact package tag name set requested: `ethos-package-ethos-doc-core-0.1.1`,
+  `ethos-package-ethos-verify-0.1.1`, and `ethos-package-ethos-pdf-0.1.1`.
+- Exact package tag source commit requested: `a0851030e28c155c12f5f966af8fa0739a536ea9`.
+- Exact package tag source tree requested: `0238c3f6bfd264f8803708e4a828d8352320f08f`.
+- Exact candidate package artifacts requested:
+  - `ethos-doc-core-0.1.1.crate`
+    - SHA256: `d845042c391d584a26dc3aa7ff367f118cfd94e8290a3caec81642186ed0de51`
+  - `ethos-verify-0.1.1.crate`
+    - SHA256: `27313b8decab66a3ea1b9e4c3e82dc47088e5c2f9d289a1450203cff1b9a7070`
+  - `ethos-pdf-0.1.1.crate`
+    - SHA256: `a07e6436cceb64dddce1d5468fb25c44b745a26e4d044858b72bd570dcb84529`
+- Exact operator commands requested for later approval:
+  - `cargo publish --locked -p ethos-doc-core`
+  - `cargo publish --locked -p ethos-verify`
+  - `cargo publish --locked -p ethos-pdf`
+
+## Requested Publication Order
+
+1. Publish `ethos-doc-core` first.
+2. Publish `ethos-verify` after crates.io reports `ethos-doc-core = 0.1.1`.
+3. Publish `ethos-pdf` after crates.io reports `ethos-doc-core = 0.1.1`.
+
+`ethos-verify` and `ethos-pdf` both depend on `ethos-doc-core`; no dependent crate publish should
+be attempted until the base crate is visible from crates.io.
+
+## Evidence Bound To This Request
+
+- Candidate activation produced crate artifacts for exactly `ethos-doc-core`, `ethos-verify`, and
+  `ethos-pdf`.
+- Candidate activation reported version `0.1.1`.
+- Candidate activation reported registry-equivalent consumer check status `pass`.
+- Candidate activation reported source manifest activation applied.
+- Candidate activation reported package publication approval `false`.
+- Candidate activation reported public installation approval `false`.
+- `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` manifests do not contain `publish = false`.
+- The `ethos-cli` package remains `publish = false`.
+- The `ethos-layout` package remains `publish = false`.
+- The `ethos-tables` package remains `publish = false`.
+- PDFium remains caller-provided through `ETHOS_PDFIUM_LIBRARY_PATH`.
+
+## Non-Approvals
+
+- This request record does not approve `cargo publish`.
+- This request record does not publish any crate.
+- This request record does not create package tags.
+- This request record does not approve public installation wording.
+- This request record does not approve the `ethos-cli` crate for publication.
+- This request record does not approve hosted surfaces.
+- This request record does not approve production positioning.
+- This request record does not approve Windows packaged artifacts.
+- This request record does not approve bundled project-maintained PDFium builds.
+- This request record does not approve public benchmark reports.
+- This request record does not approve public benchmark claims.
+- This request record does not approve `ethos-doc`.
+- This request record does not approve `ethos-rag`.
+
+## Retained Blockers
+
+- Actual crates.io publication remains blocked pending explicit decider approval.
+- Public installation wording remains blocked pending explicit decider approval.
+- Package tag creation remains blocked pending explicit decider approval.
+- Hosted surfaces remain blocked.
+- Production positioning remains blocked.
+- Public benchmark reports remain blocked.
+- Public benchmark claims remain blocked.
+- Windows packaged artifacts remain blocked.
+- Bundled project-maintained PDFium builds remain blocked.
+- `ethos-doc` remains blocked.
+- `ethos-rag` remains blocked.
+
+## Commands
+
+```sh
+python3 .github/scripts/test_patch_0_1_1_crates_publication_approval_request.py
+python3 .github/scripts/test_milestone_e_package_publication_current_registry_assembly.py
+python3 .github/scripts/test_milestone_e_package_publication_dry_run_smoke.py
+cargo package --locked --offline -p ethos-doc-core --allow-dirty --no-verify
+cargo check --locked --offline -p ethos-verify
+cargo check --locked --offline -p ethos-pdf
+make release-candidate-prep PYTHON=python3
+git diff --check
+```
+
+## Result
+
+```text
+patch 0.1.1 crates.io publication approval request recorded
+Exact crate set, version map, package tag names, source binding, local crate artifact hashes, publish order, and retained blockers were recorded
+cargo publish remains blocked pending explicit decider approval and later operator action
+```