diff --git a/.github/scripts/test_patch_0_1_2_artifact_publication_approval_request.py b/.github/scripts/test_patch_0_1_2_artifact_publication_approval_request.py new file mode 100644 index 0000000..d7d9245 --- /dev/null +++ b/.github/scripts/test_patch_0_1_2_artifact_publication_approval_request.py @@ -0,0 +1,196 @@ +#!/usr/bin/env python3 +# +# Copyright 2026 The Ethos maintainers +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import annotations + +import re +import subprocess +import unittest +from pathlib import Path + +from makefile_guard import target_block + + +ROOT = Path(__file__).resolve().parents[2] +RECORD = ROOT / ( + "docs/validation/" + "patch-0-1-2-artifact-publication-approval-request-validation-2026-06-24.md" +) +VALIDATION_README = ROOT / "docs/validation/README.md" +EXECUTION_STATUS = ROOT / "docs/execution-status.md" +PUBLIC_RELEASE_CHECKLIST = ROOT / "docs/public-release-checklist.md" + +SOURCE_SHORT = "09750a8" +SOURCE_COMMIT = "09750a81cb72cbc91f9e0c35e52ae2711c2ee7b7" +SOURCE_TREE = "7a7eeb7b3b258facd4f171ce00ed4df5533259b1" +RUN_URL = "https://github.com/docushell/ethos/actions/runs/28102259869" +WORKFLOW_HEAD = "2cb092b403eefe937e30c902fcebf7bb5754d590" +MACOS_SHA256 = "7da7da71fb0c21b25cd2ffc198480ee80bf9f0c9e70e461cffbdcbdda8d7023c" +LINUX_SHA256 = "4e260b464dc9557bc31c29fb1d1dfa75311fe12734bc79af4a31e1649797e456" + +REQUESTED_WORDING = ( + "Ethos patch `0.1.2` CLI artifacts for macOS arm64 and Linux x64 are requested for public beta " + "evaluation with caller-provided PDFium. Rust crates, the Python wheel, npm package install " + "instructions, and public README installation examples remain on the published `0.1.1` baseline " + "until separate registry, npm vendor refresh, and public wording closeout records pass. Hosted " + "surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium " + "builds, `ethos-doc`, `ethos-rag`, public benchmark reports, public benchmark claims, and speed, " + "footprint, parser-quality, table-quality, or production claims remain blocked." +) +FORBIDDEN_SCOPE_EXPANSION = ( + "publication approved", + "published artifacts", + "uploaded", + "release complete", + "tag created", + "github release artifact publication approved", + "github release publication approved", + "registry publication approved", + "npm vendor refresh approved", + "npm publication approved", + "public installation wording approved", + "public install wording approved", + "vendor payload refreshed", + "production-ready", + "hosted surfaces approved", + "windows packaged artifacts approved", + "bundled pdfium approved", + "public benchmark claims approved", +) +PRIVATE_PATH_MARKERS = ( + "/" + "Users/", + "/" + "private/tmp", + "/" + "private/var", + "/" + "var/folders", + "saumil" + "diwaker", + "Desktop/" + "Stuff", + "project/repo/" + "ethos", +) + + +def read(path: Path) -> str: + return path.read_text(encoding="utf-8") + + +def normalized(path: Path) -> str: + return re.sub(r"\s+", " ", read(path)) + + +def git(*args: str) -> str: + return subprocess.check_output( + ["git", *args], + cwd=ROOT, + encoding="utf-8", + stderr=subprocess.DEVNULL, + ).strip() + + +class Patch012ArtifactPublicationApprovalRequestTests(unittest.TestCase): + def test_record_binds_source_and_draft_artifact_evidence(self) -> None: + raw = read(RECORD) + text = normalized(RECORD) + + self.assertIn(f"Validated source HEAD before this record: `{SOURCE_SHORT}`", raw) + self.assertIn(f"Patch 0.1.2 artifact publication approval request source commit: `{SOURCE_COMMIT}`", text) + self.assertIn(f"Patch 0.1.2 artifact publication approval request source tree: `{SOURCE_TREE}`", text) + self.assertEqual(SOURCE_COMMIT, git("rev-parse", SOURCE_SHORT)) + self.assertEqual(SOURCE_TREE, git("rev-parse", f"{SOURCE_SHORT}^{{tree}}")) + self.assertIn("patch-0-1-2-draft-artifact-evidence-validation-2026-06-24.md", text) + self.assertIn(RUN_URL, text) + self.assertIn("Run status: `completed`", text) + self.assertIn("Run conclusion: `success`", text) + self.assertIn("Run event: `workflow_dispatch`", text) + self.assertIn("Run branch: `main`", text) + self.assertIn(f"Run head SHA: `{WORKFLOW_HEAD}`", text) + + def test_record_requests_only_exact_cli_artifacts_for_v0_1_2(self) -> None: + text = normalized(RECORD) + + self.assertIn("GitHub Release `v0.1.2`", text) + for artifact in ( + "ethos-macos-arm64.tar.gz", + "ethos-macos-arm64.tar.gz.sha256", + "ethos-macos-arm64.inventory.json", + "ethos-macos-arm64.smoke.json", + "ethos-linux-x64.tar.gz", + "ethos-linux-x64.tar.gz.sha256", + "ethos-linux-x64.inventory.json", + "ethos-linux-x64.smoke.json", + ): + self.assertIn(artifact, text) + self.assertIn(MACOS_SHA256, text) + self.assertIn(LINUX_SHA256, text) + self.assertIn("Both smoke sidecars report `ethos 0.1.2`", text) + self.assertIn("Both inventory sidecars report `draft_not_release_ready`", text) + self.assertIn("`publication: blocked`", text) + + def test_record_preserves_bounded_request_wording_and_public_install_baseline(self) -> None: + record = re.sub(r"\s+", " ", read(RECORD).replace("> ", "")) + + self.assertIn(REQUESTED_WORDING, record) + self.assertIn("Any broader public wording requires a separate decision record.", record) + self.assertIn("public install baseline remains `0.1.1`", record) + self.assertIn("README installation examples remain unchanged", record) + + def test_record_keeps_publication_blocked_until_explicit_decision(self) -> None: + raw = read(RECORD) + text = normalized(RECORD) + lower = text.lower() + + for blocker in ( + "GitHub Release artifact publication remains blocked", + "Registry publication remains blocked", + "npm vendor refresh remains blocked", + "npm publication remains blocked", + "Public installation wording remains blocked", + "Hosted surfaces remain blocked", + "Production positioning remains blocked", + "Windows packaged artifacts remain blocked", + "Bundled project-maintained PDFium builds remain blocked", + "Public benchmark reports remain blocked", + "Public benchmark claims remain blocked", + "`ethos-doc` remains blocked", + "`ethos-rag` remains blocked", + ): + self.assertIn(blocker, raw) + self.assertIn("Publication remains blocked until explicit approval is recorded.", text) + for forbidden in FORBIDDEN_SCOPE_EXPANSION: + self.assertNotIn(forbidden, lower) + for private in PRIVATE_PATH_MARKERS: + self.assertNotIn(private, raw) + + def test_record_is_indexed_statused_and_wired_into_release_candidate_prep(self) -> None: + readme = normalized(VALIDATION_README) + execution = normalized(EXECUTION_STATUS) + checklist = normalized(PUBLIC_RELEASE_CHECKLIST) + block = target_block("release-candidate-prep") + draft_guard = "$(PYTHON) .github/scripts/test_patch_0_1_2_draft_artifact_evidence.py" + request_guard = "$(PYTHON) .github/scripts/test_patch_0_1_2_artifact_publication_approval_request.py" + first_public_guard = "$(PYTHON) .github/scripts/test_first_public_release_artifact_evidence.py" + + self.assertIn(RECORD.name, readme) + self.assertIn("patch 0.1.2 artifact publication approval request", readme.lower()) + self.assertIn(RECORD.name, execution) + self.assertIn(RECORD.name, checklist) + self.assertIn(request_guard, block) + self.assertEqual(1, block.count(request_guard)) + self.assertLess(block.index(draft_guard), block.index(request_guard)) + self.assertLess(block.index(request_guard), block.index(first_public_guard)) + + +if __name__ == "__main__": + unittest.main() diff --git a/.github/scripts/test_release_candidate_prep.py b/.github/scripts/test_release_candidate_prep.py index 4196ae1..15e27f2 100644 --- a/.github/scripts/test_release_candidate_prep.py +++ b/.github/scripts/test_release_candidate_prep.py @@ -60,6 +60,7 @@ "$(PYTHON) .github/scripts/test_patch_0_1_2_version_activation.py", "$(PYTHON) .github/scripts/test_patch_0_1_2_artifact_package_evidence.py", "$(PYTHON) .github/scripts/test_patch_0_1_2_draft_artifact_evidence.py", + "$(PYTHON) .github/scripts/test_patch_0_1_2_artifact_publication_approval_request.py", "$(PYTHON) .github/scripts/test_first_public_release_artifact_evidence.py", "$(PYTHON) .github/scripts/test_first_public_release_final_decider.py", "$(PYTHON) .github/scripts/test_first_public_release_linux_x64_artifact_evidence.py", diff --git a/CHANGELOG.md b/CHANGELOG.md index 122b380..4ae7d53 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## Unreleased +- boundary-exception: request decider review for exact patch `0.1.2` macOS arm64 and Linux x64 GitHub Release CLI artifact publication while keeping publication, registry, npm vendor refresh, public install wording, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces blocked. - boundary-exception: record patch `0.1.2` draft CLI artifact evidence for macOS arm64 and Linux x64 while keeping GitHub Release publication, registry publication, npm vendor refresh, public install wording, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces blocked. - boundary-exception: record patch `0.1.2` artifact/package evidence prep and update draft CLI artifact smoke expectations to `ethos 0.1.2` while keeping npm, public install wording, registry publication, GitHub Release publication, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces blocked. - boundary-exception: activate Rust workspace and Python source/package metadata for patch `0.1.2` candidate validation while keeping npm and public install wording on the published `0.1.1` baseline; no release, tag, package publication, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, or `ethos-rag` boundary change. diff --git a/Makefile b/Makefile index 92043cc..c4e0aba 100644 --- a/Makefile +++ b/Makefile @@ -311,6 +311,7 @@ release-candidate-prep: $(PYTHON) .github/scripts/test_patch_0_1_2_version_activation.py $(PYTHON) .github/scripts/test_patch_0_1_2_artifact_package_evidence.py $(PYTHON) .github/scripts/test_patch_0_1_2_draft_artifact_evidence.py + $(PYTHON) .github/scripts/test_patch_0_1_2_artifact_publication_approval_request.py $(PYTHON) .github/scripts/test_first_public_release_artifact_evidence.py $(PYTHON) .github/scripts/test_first_public_release_final_decider.py $(PYTHON) .github/scripts/test_first_public_release_linux_x64_artifact_evidence.py diff --git a/docs/execution-status.md b/docs/execution-status.md index 9e70017..266f4d1 100644 --- a/docs/execution-status.md +++ b/docs/execution-status.md @@ -276,6 +276,8 @@ The patch `0.1.2` artifact/package evidence record in `docs/validation/patch-0-1 The patch `0.1.2` draft artifact evidence record in `docs/validation/patch-0-1-2-draft-artifact-evidence-validation-2026-06-24.md` records a green `release.yml` workflow run and downloaded macOS arm64/Linux x64 draft CLI artifact sidecars. Both draft artifact smokes reported `ethos 0.1.2`; the public install baseline remains `0.1.1`, GitHub Release artifact publication remains blocked, registry publication remains blocked, npm vendor refresh remains blocked, and public installation wording remains blocked until separate approval, operator evidence, and closeout records pass. +The patch `0.1.2` artifact publication approval request in `docs/validation/patch-0-1-2-artifact-publication-approval-request-validation-2026-06-24.md` binds the exact macOS arm64/Linux x64 draft CLI artifact names, SHA256 values, source commit, workflow evidence, and requested bounded wording for decider review only. Publication remains blocked, the public install baseline remains `0.1.1`, registry publication remains blocked, npm vendor refresh remains blocked, and public installation wording remains blocked until a separate decision and operator evidence pass. + | Work item | Current status | Remaining blocker | | --- | --- | --- | | PDFium Phase 1 profile | Landed: pinned profile, V8/XFA-disabled state, platform hashes, runtime library hashes, and provenance are recorded | Phase 2 project-maintained builds still block Public Beta | diff --git a/docs/public-release-checklist.md b/docs/public-release-checklist.md index 13fc637..a445e23 100644 --- a/docs/public-release-checklist.md +++ b/docs/public-release-checklist.md @@ -52,6 +52,14 @@ publication remains blocked, registry publication remains blocked, npm vendor re blocked, and public installation wording remains blocked until separate approval, operator evidence, and closeout records pass. +Patch `0.1.2` artifact publication approval request is recorded in +`docs/validation/patch-0-1-2-artifact-publication-approval-request-validation-2026-06-24.md` for +decider review only. It binds the exact macOS arm64/Linux x64 CLI artifact names and SHA256 values +for possible GitHub Release publication, but publication remains blocked, the public install +baseline remains `0.1.1`, registry publication remains blocked, npm vendor refresh remains blocked, +and public installation wording remains blocked until a separate decision and operator evidence +pass. + ## Required Before Public Push - Package-name and trademark decision is closed by accepted ADR-0006 in diff --git a/docs/validation/README.md b/docs/validation/README.md index 7e8dd4f..8d4669e 100644 --- a/docs/validation/README.md +++ b/docs/validation/README.md @@ -671,6 +671,12 @@ recording the exact current-main source candidate and required follow-up evidenc Release artifact publication, registry publication, npm vendor refresh, public install wording, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces blocked. +- `patch-0-1-2-artifact-publication-approval-request-validation-2026-06-24.md` - patch 0.1.2 + artifact publication approval request binds the exact macOS arm64 and Linux x64 draft CLI + artifact names, SHA256 values, source commit, workflow evidence, and requested bounded wording + for decider review while keeping publication, registry, npm vendor refresh, public install + wording, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` + surfaces blocked. - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E validation-command index validation passed through command-alignment checks, schema enum checks, row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the diff --git a/docs/validation/patch-0-1-2-artifact-publication-approval-request-validation-2026-06-24.md b/docs/validation/patch-0-1-2-artifact-publication-approval-request-validation-2026-06-24.md new file mode 100644 index 0000000..450cab9 --- /dev/null +++ b/docs/validation/patch-0-1-2-artifact-publication-approval-request-validation-2026-06-24.md @@ -0,0 +1,128 @@ +# Patch 0.1.2 Artifact Publication Approval Request Validation - 2026-06-24 + +## Purpose + +Record the exact patch `0.1.2` GitHub Release artifact publication approval request for decider +review. This record does not publish artifacts, create a GitHub Release, refresh npm vendor +binaries, publish npm, publish registries, change public installation wording, change PDFium +posture, or open any new public surface. + +Validated source HEAD before this record: `09750a8`. +Patch 0.1.2 artifact publication approval request source commit: +`09750a81cb72cbc91f9e0c35e52ae2711c2ee7b7`. +Patch 0.1.2 artifact publication approval request source tree: +`7a7eeb7b3b258facd4f171ce00ed4df5533259b1`. + +## Evidence Inputs + +- Release workflow: `.github/workflows/release.yml` +- Workflow run: `https://github.com/docushell/ethos/actions/runs/28102259869` +- Evidence record: + `docs/validation/patch-0-1-2-draft-artifact-evidence-validation-2026-06-24.md` +- Run status: `completed` +- Run conclusion: `success` +- Run event: `workflow_dispatch` +- Run branch: `main` +- Run head SHA: `2cb092b403eefe937e30c902fcebf7bb5754d590` + +## Requested Artifact Evaluation Surface + +The decider is asked to accept or reject only attaching these exact draft CLI artifacts and sidecars +to GitHub Release `v0.1.2` for public beta evaluation: + +macOS arm64: + +- `ethos-macos-arm64.tar.gz` +- `ethos-macos-arm64.tar.gz.sha256` +- `ethos-macos-arm64.inventory.json` +- `ethos-macos-arm64.smoke.json` +- archive SHA256: + +```text +7da7da71fb0c21b25cd2ffc198480ee80bf9f0c9e70e461cffbdcbdda8d7023c +``` + +Linux x64: + +- `ethos-linux-x64.tar.gz` +- `ethos-linux-x64.tar.gz.sha256` +- `ethos-linux-x64.inventory.json` +- `ethos-linux-x64.smoke.json` +- archive SHA256: + +```text +4e260b464dc9557bc31c29fb1d1dfa75311fe12734bc79af4a31e1649797e456 +``` + +Both smoke sidecars report `ethos 0.1.2`. Both inventory sidecars report +`draft_not_release_ready` and `publication: blocked`; those sidecars are evidence inputs for +decider review and are not themselves publication approvals. + +## Requested Public Wording + +If the decider accepts the exact artifacts above, the bounded GitHub Release wording may remain: + +> Ethos patch `0.1.2` CLI artifacts for macOS arm64 and Linux x64 are requested for public beta +> evaluation with caller-provided PDFium. Rust crates, the Python wheel, npm package install +> instructions, and public README installation examples remain on the published `0.1.1` baseline +> until separate registry, npm vendor refresh, and public wording closeout records pass. Hosted +> surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium +> builds, `ethos-doc`, `ethos-rag`, public benchmark reports, public benchmark claims, and speed, +> footprint, parser-quality, table-quality, or production claims remain blocked. + +Any broader public wording requires a separate decision record. The public install baseline remains +`0.1.1`, and README installation examples remain unchanged. + +## Retained Blockers + +- GitHub Release artifact publication remains blocked until the decider explicitly accepts the + exact artifact names, checksums, source binding, and public wording in this request. +- Registry publication remains blocked. +- npm vendor refresh remains blocked. +- npm publication remains blocked. +- Public installation wording remains blocked. +- Hosted surfaces remain blocked. +- Production positioning remains blocked. +- Windows packaged artifacts remain blocked. +- Bundled project-maintained PDFium builds remain blocked. +- Public benchmark reports remain blocked. +- Public benchmark claims remain blocked. +- `ethos-doc` remains blocked. +- `ethos-rag` remains blocked. +- PDFium remains caller-provided through `ETHOS_PDFIUM_LIBRARY_PATH`. + +Publication remains blocked until explicit approval is recorded. + +## Required Operator Checks Before Decision + +Before acceptance, the operator should verify the downloaded workflow artifacts: + +```sh +shasum -a 256 ethos-macos-arm64.tar.gz +cat ethos-macos-arm64.tar.gz.sha256 +cat ethos-macos-arm64.inventory.json +cat ethos-macos-arm64.smoke.json +shasum -a 256 ethos-linux-x64.tar.gz +cat ethos-linux-x64.tar.gz.sha256 +cat ethos-linux-x64.inventory.json +cat ethos-linux-x64.smoke.json +``` + +If any output changes artifact names, checksums, version output, inventory publication status, +PDFium posture, license and NOTICE inclusion, public install baseline, or requested public wording, +publication must stop until a refreshed evidence record and approval request pass. + +## Validation Commands + +```sh +python3 .github/scripts/test_patch_0_1_2_artifact_publication_approval_request.py +python3 .github/scripts/test_patch_0_1_2_draft_artifact_evidence.py +python3 .github/scripts/public_boundary_claims_gate.py +make release-candidate-prep PYTHON=python3 +git diff --check +``` + +## Result + +The patch `0.1.2` artifact publication approval request is ready for decider review. Publication +remains blocked until explicit approval is recorded.