From 6676069a692b53b846d5f89b2fcea984fed2009d Mon Sep 17 00:00:00 2001 From: docushell-admin Date: Wed, 24 Jun 2026 19:08:14 +0530 Subject: [PATCH] Record patch 0.1.2 draft artifact evidence Signed-off-by: docushell-admin --- ...est_patch_0_1_2_draft_artifact_evidence.py | 174 +++++++++++++++ .../scripts/test_release_candidate_prep.py | 1 + CHANGELOG.md | 1 + Makefile | 1 + docs/execution-status.md | 2 + docs/public-release-checklist.md | 8 + docs/validation/README.md | 6 + ...artifact-evidence-validation-2026-06-24.md | 204 ++++++++++++++++++ 8 files changed, 397 insertions(+) create mode 100644 .github/scripts/test_patch_0_1_2_draft_artifact_evidence.py create mode 100644 docs/validation/patch-0-1-2-draft-artifact-evidence-validation-2026-06-24.md diff --git a/.github/scripts/test_patch_0_1_2_draft_artifact_evidence.py b/.github/scripts/test_patch_0_1_2_draft_artifact_evidence.py new file mode 100644 index 0000000..a9d1726 --- /dev/null +++ b/.github/scripts/test_patch_0_1_2_draft_artifact_evidence.py @@ -0,0 +1,174 @@ +#!/usr/bin/env python3 +# +# Copyright 2026 The Ethos maintainers +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import annotations + +import re +import subprocess +import unittest +from pathlib import Path + +from makefile_guard import target_block + + +ROOT = Path(__file__).resolve().parents[2] +RECORD = ROOT / "docs/validation/patch-0-1-2-draft-artifact-evidence-validation-2026-06-24.md" +VALIDATION_README = ROOT / "docs/validation/README.md" +EXECUTION_STATUS = ROOT / "docs/execution-status.md" +PUBLIC_RELEASE_CHECKLIST = ROOT / "docs/public-release-checklist.md" + +SOURCE_SHORT = "2cb092b" +SOURCE_COMMIT = "2cb092b403eefe937e30c902fcebf7bb5754d590" +SOURCE_TREE = "9e23207526591813c4aaf311ec8788b94e6a95ab" +RUN_URL = "https://github.com/docushell/ethos/actions/runs/28102259869" +MACOS_SHA256 = "7da7da71fb0c21b25cd2ffc198480ee80bf9f0c9e70e461cffbdcbdda8d7023c" +LINUX_SHA256 = "4e260b464dc9557bc31c29fb1d1dfa75311fe12734bc79af4a31e1649797e456" +EXPECTED_ARTIFACTS = ( + "ethos-cli-draft-macos-arm64/ethos-macos-arm64.tar.gz", + "ethos-cli-draft-macos-arm64/ethos-macos-arm64.tar.gz.sha256", + "ethos-cli-draft-macos-arm64/ethos-macos-arm64.inventory.json", + "ethos-cli-draft-macos-arm64/ethos-macos-arm64.smoke.json", + "ethos-cli-draft-linux-x64/ethos-linux-x64.tar.gz", + "ethos-cli-draft-linux-x64/ethos-linux-x64.tar.gz.sha256", + "ethos-cli-draft-linux-x64/ethos-linux-x64.inventory.json", + "ethos-cli-draft-linux-x64/ethos-linux-x64.smoke.json", +) +RETAINED_BLOCKERS = ( + "GitHub Release artifact publication remains blocked", + "Registry publication remains blocked", + "npm vendor refresh remains blocked", + "npm publication remains blocked", + "Public installation wording remains blocked", + "Hosted surfaces remain blocked", + "Production positioning remains blocked", + "Windows packaged artifacts remain blocked", + "Bundled project-maintained PDFium builds remain blocked", + "Public benchmark reports remain blocked", + "Public benchmark claims remain blocked", + "`ethos-doc` remains blocked", + "`ethos-rag` remains blocked", +) +FORBIDDEN_APPROVALS = ( + "github release artifact publication approved", + "github release publication approved", + "registry publication approved", + "npm vendor refresh approved", + "npm publication approved", + "public installation wording approved", + "production-ready", + "hosted surfaces approved", + "windows packaged artifacts approved", + "bundled pdfium approved", + "public benchmark claims approved", +) +PRIVATE_PATH_MARKERS = ( + "/" + "Users/", + "/" + "private/tmp", + "/" + "private/var", + "/" + "var/folders", + "saumil" + "diwaker", + "Desktop/" + "Stuff", + "project/repo/" + "ethos", +) + + +def read(path: Path) -> str: + return path.read_text(encoding="utf-8") + + +def normalized(path: Path) -> str: + return re.sub(r"\s+", " ", read(path)) + + +def git(*args: str) -> str: + return subprocess.check_output( + ["git", *args], + cwd=ROOT, + encoding="utf-8", + stderr=subprocess.DEVNULL, + ).strip() + + +class Patch012DraftArtifactEvidenceTests(unittest.TestCase): + def test_record_is_source_and_workflow_bound(self) -> None: + raw = read(RECORD) + record = normalized(RECORD) + + self.assertIn(f"Validated source HEAD before this record: `{SOURCE_SHORT}`", raw) + self.assertIn(f"Patch 0.1.2 draft artifact evidence source commit: `{SOURCE_COMMIT}`", record) + self.assertIn(f"Patch 0.1.2 draft artifact evidence source tree: `{SOURCE_TREE}`", record) + self.assertEqual(SOURCE_COMMIT, git("rev-parse", SOURCE_SHORT)) + self.assertEqual(SOURCE_TREE, git("rev-parse", f"{SOURCE_SHORT}^{{tree}}")) + self.assertIn(RUN_URL, record) + self.assertIn("event: `workflow_dispatch`", record) + self.assertIn("branch: `main`", record) + self.assertIn("head SHA: `2cb092b403eefe937e30c902fcebf7bb5754d590`", record) + self.assertIn("conclusion: `success`", record) + + def test_record_captures_both_platform_artifacts_inventory_and_smoke(self) -> None: + raw = read(RECORD) + record = normalized(RECORD) + + for artifact in EXPECTED_ARTIFACTS: + self.assertIn(artifact, record) + self.assertIn(MACOS_SHA256, record) + self.assertIn(LINUX_SHA256, record) + self.assertEqual(2, raw.count('"schema": "ethos.release_artifact_inventory.v1"')) + self.assertEqual(2, raw.count('"schema": "ethos.release_artifact_smoke.v1"')) + self.assertEqual(2, raw.count('"version_stdout": "ethos 0.1.2"')) + self.assertEqual(2, raw.count('"missing_pdfium_exit_code": 12')) + self.assertEqual(2, raw.count('"publication": "blocked"')) + self.assertEqual(2, raw.count('"status": "draft_not_release_ready"')) + self.assertIn("caller-provided", record) + + def test_record_keeps_publication_install_wording_and_npm_blocked(self) -> None: + raw = read(RECORD) + record = normalized(RECORD) + lower = record.lower() + + self.assertIn("public install baseline remains `0.1.1`", record) + self.assertIn("This record does not approve GitHub Release artifact publication.", record) + self.assertIn("This record does not approve registry publication.", record) + self.assertIn("This record does not refresh the checked-in npm vendor payload.", record) + for blocker in RETAINED_BLOCKERS: + self.assertIn(blocker, record) + for forbidden in FORBIDDEN_APPROVALS: + self.assertNotIn(forbidden, lower) + for marker in PRIVATE_PATH_MARKERS: + self.assertNotIn(marker, raw) + + def test_record_is_indexed_and_wired_after_package_evidence_guard(self) -> None: + readme = normalized(VALIDATION_README) + execution = normalized(EXECUTION_STATUS) + checklist = normalized(PUBLIC_RELEASE_CHECKLIST) + block = target_block("release-candidate-prep") + package_guard = "$(PYTHON) .github/scripts/test_patch_0_1_2_artifact_package_evidence.py" + draft_guard = "$(PYTHON) .github/scripts/test_patch_0_1_2_draft_artifact_evidence.py" + first_public_guard = "$(PYTHON) .github/scripts/test_first_public_release_artifact_evidence.py" + + self.assertIn(RECORD.name, readme) + self.assertIn("patch 0.1.2 draft artifact evidence validation", readme) + self.assertIn(RECORD.name, execution) + self.assertIn(RECORD.name, checklist) + self.assertIn(draft_guard, block) + self.assertEqual(1, block.count(draft_guard)) + self.assertLess(block.index(package_guard), block.index(draft_guard)) + self.assertLess(block.index(draft_guard), block.index(first_public_guard)) + + +if __name__ == "__main__": + unittest.main() diff --git a/.github/scripts/test_release_candidate_prep.py b/.github/scripts/test_release_candidate_prep.py index 7f5fccf..4196ae1 100644 --- a/.github/scripts/test_release_candidate_prep.py +++ b/.github/scripts/test_release_candidate_prep.py @@ -59,6 +59,7 @@ "$(PYTHON) .github/scripts/test_patch_0_1_2_readiness_prep.py", "$(PYTHON) .github/scripts/test_patch_0_1_2_version_activation.py", "$(PYTHON) .github/scripts/test_patch_0_1_2_artifact_package_evidence.py", + "$(PYTHON) .github/scripts/test_patch_0_1_2_draft_artifact_evidence.py", "$(PYTHON) .github/scripts/test_first_public_release_artifact_evidence.py", "$(PYTHON) .github/scripts/test_first_public_release_final_decider.py", "$(PYTHON) .github/scripts/test_first_public_release_linux_x64_artifact_evidence.py", diff --git a/CHANGELOG.md b/CHANGELOG.md index 41d9e88..122b380 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## Unreleased +- boundary-exception: record patch `0.1.2` draft CLI artifact evidence for macOS arm64 and Linux x64 while keeping GitHub Release publication, registry publication, npm vendor refresh, public install wording, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces blocked. - boundary-exception: record patch `0.1.2` artifact/package evidence prep and update draft CLI artifact smoke expectations to `ethos 0.1.2` while keeping npm, public install wording, registry publication, GitHub Release publication, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces blocked. - boundary-exception: activate Rust workspace and Python source/package metadata for patch `0.1.2` candidate validation while keeping npm and public install wording on the published `0.1.1` baseline; no release, tag, package publication, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, or `ethos-rag` boundary change. - boundary-exception: record narrow patch `0.1.2` readiness prep and professional public README beta wording while retaining `0.1.1` install baselines; no release, tag, package publication, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, or `ethos-rag` boundary change. diff --git a/Makefile b/Makefile index 207e067..92043cc 100644 --- a/Makefile +++ b/Makefile @@ -310,6 +310,7 @@ release-candidate-prep: $(PYTHON) .github/scripts/test_patch_0_1_2_readiness_prep.py $(PYTHON) .github/scripts/test_patch_0_1_2_version_activation.py $(PYTHON) .github/scripts/test_patch_0_1_2_artifact_package_evidence.py + $(PYTHON) .github/scripts/test_patch_0_1_2_draft_artifact_evidence.py $(PYTHON) .github/scripts/test_first_public_release_artifact_evidence.py $(PYTHON) .github/scripts/test_first_public_release_final_decider.py $(PYTHON) .github/scripts/test_first_public_release_linux_x64_artifact_evidence.py diff --git a/docs/execution-status.md b/docs/execution-status.md index 0ba2b23..9e70017 100644 --- a/docs/execution-status.md +++ b/docs/execution-status.md @@ -274,6 +274,8 @@ The patch `0.1.2` version activation record in `docs/validation/patch-0-1-2-vers The patch `0.1.2` artifact/package evidence record in `docs/validation/patch-0-1-2-artifact-package-evidence-validation-2026-06-24.md` adds a dynamic release-candidate-prep guard for local `0.1.2` Rust crate candidates and the `ethos_pdf-0.1.2-py3-none-any.whl` candidate, and updates draft CLI artifact workflow smoke expectations to `ethos 0.1.2`. The public install baseline remains `0.1.1`, public installation wording remains blocked, registry publication remains blocked, GitHub Release artifact publication remains blocked, and npm vendor refresh remains blocked until separate approval, operator evidence, and closeout records pass. +The patch `0.1.2` draft artifact evidence record in `docs/validation/patch-0-1-2-draft-artifact-evidence-validation-2026-06-24.md` records a green `release.yml` workflow run and downloaded macOS arm64/Linux x64 draft CLI artifact sidecars. Both draft artifact smokes reported `ethos 0.1.2`; the public install baseline remains `0.1.1`, GitHub Release artifact publication remains blocked, registry publication remains blocked, npm vendor refresh remains blocked, and public installation wording remains blocked until separate approval, operator evidence, and closeout records pass. + | Work item | Current status | Remaining blocker | | --- | --- | --- | | PDFium Phase 1 profile | Landed: pinned profile, V8/XFA-disabled state, platform hashes, runtime library hashes, and provenance are recorded | Phase 2 project-maintained builds still block Public Beta | diff --git a/docs/public-release-checklist.md b/docs/public-release-checklist.md index 9acfb8d..13fc637 100644 --- a/docs/public-release-checklist.md +++ b/docs/public-release-checklist.md @@ -44,6 +44,14 @@ wording remains blocked, registry publication remains blocked, GitHub Release ar remains blocked, and npm vendor refresh remains blocked until separate approval, operator evidence, and closeout records pass. +Patch `0.1.2` draft artifact evidence is recorded in +`docs/validation/patch-0-1-2-draft-artifact-evidence-validation-2026-06-24.md` for artifact +candidate validation only. The downloaded macOS arm64 and Linux x64 draft CLI artifact sidecars +smoke as `ethos 0.1.2`. The public install baseline remains `0.1.1`, GitHub Release artifact +publication remains blocked, registry publication remains blocked, npm vendor refresh remains +blocked, and public installation wording remains blocked until separate approval, operator +evidence, and closeout records pass. + ## Required Before Public Push - Package-name and trademark decision is closed by accepted ADR-0006 in diff --git a/docs/validation/README.md b/docs/validation/README.md index b9bfcf9..7e8dd4f 100644 --- a/docs/validation/README.md +++ b/docs/validation/README.md @@ -665,6 +665,12 @@ recording the exact current-main source candidate and required follow-up evidenc expectations to `ethos 0.1.2`, and keeps npm at `0.1.1`, public install wording blocked, registry publication blocked, GitHub Release artifact publication blocked, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces unapproved. +- `patch-0-1-2-draft-artifact-evidence-validation-2026-06-24.md` - patch 0.1.2 draft artifact + evidence validation records the green `release.yml` workflow run and downloaded macOS arm64 and + Linux x64 draft CLI artifact sidecars, with smoke output `ethos 0.1.2`, while keeping GitHub + Release artifact publication, registry publication, npm vendor refresh, public install wording, + hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces + blocked. - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E validation-command index validation passed through command-alignment checks, schema enum checks, row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the diff --git a/docs/validation/patch-0-1-2-draft-artifact-evidence-validation-2026-06-24.md b/docs/validation/patch-0-1-2-draft-artifact-evidence-validation-2026-06-24.md new file mode 100644 index 0000000..88f6822 --- /dev/null +++ b/docs/validation/patch-0-1-2-draft-artifact-evidence-validation-2026-06-24.md @@ -0,0 +1,204 @@ +# Patch 0.1.2 Draft Artifact Evidence Validation - 2026-06-24 + +Validated source HEAD before this record: `2cb092b`. + +Patch 0.1.2 draft artifact evidence source commit: +`2cb092b403eefe937e30c902fcebf7bb5754d590`. + +Patch 0.1.2 draft artifact evidence source tree: +`9e23207526591813c4aaf311ec8788b94e6a95ab`. + +Status: **patch 0.1.2 draft CLI artifact evidence recorded; publication remains blocked** + +This record captures a green draft CLI artifact workflow run for patch `0.1.2` after the +artifact/package evidence prep lane landed on `main`. It records downloaded macOS arm64 and Linux +x64 draft artifact sidecars and checksums. It does not publish those artifacts, create a GitHub +Release, update npm vendor payloads, publish registries, or change public installation wording. + +## Workflow Run + +Workflow: + +```text +.github/workflows/release.yml +``` + +Run: + +```text +https://github.com/docushell/ethos/actions/runs/28102259869 +``` + +Observed run metadata: + +- status: `completed` +- conclusion: `success` +- event: `workflow_dispatch` +- branch: `main` +- head SHA: `2cb092b403eefe937e30c902fcebf7bb5754d590` +- created at: `2026-06-24T13:32:01Z` +- updated at: `2026-06-24T13:33:06Z` + +Observed jobs: + +- `preflight`: passed. +- `cli-draft-artifacts (macos-arm64, macos-14, tar.gz)`: passed. +- `cli-draft-artifacts (linux-x64, ubuntu-latest, tar.gz)`: passed. + +Both artifact jobs passed build, draft artifact assembly, release artifact runtime smoke, draft +artifact inventory validation, and artifact upload. + +## Downloaded Artifact Set + +The operator downloaded these workflow artifacts from run `28102259869`: + +- `ethos-cli-draft-macos-arm64/ethos-macos-arm64.tar.gz` +- `ethos-cli-draft-macos-arm64/ethos-macos-arm64.tar.gz.sha256` +- `ethos-cli-draft-macos-arm64/ethos-macos-arm64.inventory.json` +- `ethos-cli-draft-macos-arm64/ethos-macos-arm64.smoke.json` +- `ethos-cli-draft-linux-x64/ethos-linux-x64.tar.gz` +- `ethos-cli-draft-linux-x64/ethos-linux-x64.tar.gz.sha256` +- `ethos-cli-draft-linux-x64/ethos-linux-x64.inventory.json` +- `ethos-cli-draft-linux-x64/ethos-linux-x64.smoke.json` + +## Artifact Evidence + +macOS arm64: + +- archive: `ethos-macos-arm64.tar.gz` +- SHA256: `7da7da71fb0c21b25cd2ffc198480ee80bf9f0c9e70e461cffbdcbdda8d7023c` +- checksum sidecar matched the recomputed archive SHA256 +- inventory: + +```json +{ + "artifact": "ethos-macos-arm64.tar.gz", + "artifact_class": "github-release-binary", + "pdfium_policy": "caller-provided", + "publication": "blocked", + "required_notices": [ + "LICENSE", + "NOTICE", + "docs/pdfium-manual-setup.md" + ], + "schema": "ethos.release_artifact_inventory.v1", + "sha256": "7da7da71fb0c21b25cd2ffc198480ee80bf9f0c9e70e461cffbdcbdda8d7023c", + "status": "draft_not_release_ready", + "target": "macos-arm64" +} +``` + +- smoke: + +```json +{ + "artifact_dir": "ethos-macos-arm64", + "help_command_groups": [ + "doc", + "rag", + "security", + "verify", + "fingerprint" + ], + "missing_pdfium_exit_code": 12, + "schema": "ethos.release_artifact_smoke.v1", + "target": "macos-arm64", + "version_stdout": "ethos 0.1.2" +} +``` + +Linux x64: + +- archive: `ethos-linux-x64.tar.gz` +- SHA256: `4e260b464dc9557bc31c29fb1d1dfa75311fe12734bc79af4a31e1649797e456` +- checksum sidecar matched the recomputed archive SHA256 +- inventory: + +```json +{ + "artifact": "ethos-linux-x64.tar.gz", + "artifact_class": "github-release-binary", + "pdfium_policy": "caller-provided", + "publication": "blocked", + "required_notices": [ + "LICENSE", + "NOTICE", + "docs/pdfium-manual-setup.md" + ], + "schema": "ethos.release_artifact_inventory.v1", + "sha256": "4e260b464dc9557bc31c29fb1d1dfa75311fe12734bc79af4a31e1649797e456", + "status": "draft_not_release_ready", + "target": "linux-x64" +} +``` + +- smoke: + +```json +{ + "artifact_dir": "ethos-linux-x64", + "help_command_groups": [ + "doc", + "rag", + "security", + "verify", + "fingerprint" + ], + "missing_pdfium_exit_code": 12, + "schema": "ethos.release_artifact_smoke.v1", + "target": "linux-x64", + "version_stdout": "ethos 0.1.2" +} +``` + +The smoke sidecars also recorded the expected missing-PDFium guidance text for caller-provided +`ETHOS_PDFIUM_LIBRARY_PATH` setup. + +## Boundary + +This record does not approve GitHub Release artifact publication. This record does not approve +registry publication. This record does not approve PyPI upload. This record does not approve npm +publication. This record does not refresh the checked-in npm vendor payload. This record does not +approve public installation wording for `0.1.2`. + +The public install baseline remains `0.1.1` until separate registry/GitHub Release publication +decisions, operator actions, npm vendor refresh, and public wording closeout records pass. + +## Retained Blockers + +- GitHub Release artifact publication remains blocked. +- Registry publication remains blocked. +- npm vendor refresh remains blocked. +- npm publication remains blocked. +- Public installation wording remains blocked. +- Hosted surfaces remain blocked. +- Production positioning remains blocked. +- Windows packaged artifacts remain blocked. +- Bundled project-maintained PDFium builds remain blocked. +- Public benchmark reports remain blocked. +- Public benchmark claims remain blocked. +- `ethos-doc` remains blocked. +- `ethos-rag` remains blocked. +- PDFium remains caller-provided through `ETHOS_PDFIUM_LIBRARY_PATH`. + +## Verification Commands + +```sh +GH_PROMPT_DISABLED=1 gh workflow run release.yml --repo docushell/ethos --ref main +GH_PROMPT_DISABLED=1 gh run watch 28102259869 --repo docushell/ethos --exit-status --interval 10 +GH_PROMPT_DISABLED=1 gh run download 28102259869 --repo docushell/ethos --dir +python3 .github/scripts/validate_release_artifact_inventory.py /*/*.inventory.json +shasum -a 256 /*/*.tar.gz +python3 .github/scripts/test_patch_0_1_2_draft_artifact_evidence.py +make release-candidate-prep PYTHON=python3 +git diff --check +``` + +## Result + +```text +patch 0.1.2 draft CLI artifact evidence recorded +macOS arm64 and Linux x64 draft artifacts smoke as ethos 0.1.2 +public install baseline remains 0.1.1 +publication and npm vendor refresh remain blocked pending separate approval and operator evidence +```