Approve patch 0.1.2 Python publication

.github/scripts/test_patch_0_1_2_python_publication_approval_decision.py

@@ -0,0 +1,149 @@
+#!/usr/bin/env python3
+#
+# Copyright 2026 The Ethos maintainers
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+#
+
+from __future__ import annotations
+
+import re
+import subprocess
+import unittest
+from pathlib import Path
+
+from makefile_guard import target_block
+
+
+ROOT = Path(__file__).resolve().parents[2]
+RECORD = ROOT / "docs/validation/patch-0-1-2-python-publication-approval-decision-validation-2026-06-25.md"
+REQUEST = ROOT / "docs/validation/patch-0-1-2-python-publication-approval-request-validation-2026-06-25.md"
+VALIDATION_README = ROOT / "docs/validation/README.md"
+MAKEFILE = ROOT / "Makefile"
+
+SOURCE_SHORT = "a35ff66"
+SOURCE_COMMIT = "a35ff66cbb7d04f4df4d7ac478edcd1f11ecbcdc"
+SOURCE_TREE = "2deb30a01223fd9afc4291460cfd5578a3c3242c"
+PACKAGE_SOURCE_COMMIT = "e431982cca2922d4cc59ddc7cacb9e72538b1cd0"
+PACKAGE_SOURCE_TREE = "f59ddd018d234eeee0ac77292b417f4acb892b4e"
+PACKAGE = "ethos-pdf==0.1.2"
+WHEEL = "ethos_pdf-0.1.2-py3-none-any.whl"
+WHEEL_SHA256 = "6f17240954f1257ece3c762c820ad771ccb114353bfb699fe87f418a5ceb663c"
+FORBIDDEN = (
+    "python package is published",
+    "wheel is published",
+    "python installation wording approved",
+    "package tags approved",
+    "production-ready",
+    "hosted surfaces approved",
+    "windows packaged artifacts approved",
+    "bundled pdfium approved",
+    "public benchmark claims approved",
+    "ethos-doc approved",
+    "ethos-rag approved",
+)
+
+
+def read(path: Path) -> str:
+    return path.read_text(encoding="utf-8")
+
+
+def normalized(path: Path) -> str:
+    return re.sub(r"\s+", " ", read(path))
+
+
+def git(*args: str) -> str:
+    return subprocess.check_output(
+        ["git", *args],
+        cwd=ROOT,
+        encoding="utf-8",
+        stderr=subprocess.DEVNULL,
+    ).strip()
+
+
+class Patch012PythonPublicationApprovalDecisionTests(unittest.TestCase):
+    def test_decision_record_is_source_bound_and_indexed(self) -> None:
+        record = normalized(RECORD)
+        readme = normalized(VALIDATION_README)
+
+        self.assertIn(RECORD.name, readme)
+        self.assertIn("patch 0.1.2 Python PyPI publication approval decision", readme)
+        self.assertIn(f"Validated source HEAD before this record: `{SOURCE_SHORT}`", read(RECORD))
+        self.assertIn(f"Patch 0.1.2 Python publication approval decision source commit: `{SOURCE_COMMIT}`", record)
+        self.assertIn(f"Patch 0.1.2 Python publication approval decision source tree: `{SOURCE_TREE}`", record)
+        self.assertEqual(SOURCE_COMMIT, git("rev-parse", SOURCE_SHORT))
+        self.assertEqual(SOURCE_TREE, git("rev-parse", f"{SOURCE_SHORT}^{{tree}}"))
+
+    def test_decision_accepts_exact_deterministic_request_packet(self) -> None:
+        record = normalized(RECORD)
+
+        self.assertIn(REQUEST.name, record)
+        self.assertIn("Decision: accept exact deterministic patch `0.1.2` Python PyPI wheel publication decision packet.", record)
+        self.assertIn(f"Package source commit accepted by this decision: `{PACKAGE_SOURCE_COMMIT}`", record)
+        self.assertIn(f"Package source tree accepted by this decision: `{PACKAGE_SOURCE_TREE}`", record)
+        for expected in (
+            PACKAGE,
+            WHEEL,
+            WHEEL_SHA256,
+            "SOURCE_DATE_EPOCH=0",
+            "Name: `ethos-pdf`",
+            "Version: `0.1.2`",
+            "License-Expression: `Apache-2.0`",
+            "Requires-Python: `>=3.8`",
+            "Wheel-Version: `1.0`",
+            "Root-Is-Purelib: `true`",
+            "Tag: `py3-none-any`",
+            "member timestamps: `1980-01-01 00:00:00`",
+            "EthosCli",
+            "EthosCommandError",
+            "ETHOS_PDFIUM_LIBRARY_PATH",
+        ):
+            self.assertIn(expected, record)
+
+    def test_decision_allows_only_later_operator_upload_with_boundaries(self) -> None:
+        raw = read(RECORD)
+        lower = normalized(RECORD).lower()
+        record = normalized(RECORD)
+
+        for expected in (
+            "This decision record does not upload any Python distribution.",
+            "PyPI upload remains a separate operator action.",
+            "After this decision record is merged and validation passes on merged source, an operator may upload only this wheel:",
+            "The operator must build with `SOURCE_DATE_EPOCH=0`.",
+            "The operator must use a PyPI-approved authentication path and must not record credentials in the repository.",
+            "The operator must stop if the built wheel filename, SHA256, package version, source commit, source tree, deterministic build input, or retained blockers differ.",
+            "Python public installation wording remains blocked until PyPI availability is closed out.",
+            "Package tag creation remains blocked until a separate explicit approval or closeout record permits it.",
+            "`ethos-doc` remains blocked.",
+            "`ethos-rag` remains blocked.",
+        ):
+            self.assertIn(expected, record)
+        for forbidden in FORBIDDEN:
+            self.assertNotIn(forbidden, lower)
+        for private in (
+            "/" + "Users/",
+            "/" + "tmp",
+            "/" + "private/tmp",
+            "/" + "private/var",
+            "/" + "var/folders",
+            "saumil" + "diwaker",
+            "Desktop/" + "Stuff",
+            "project/repo/" + "ethos",
+        ):
+            self.assertNotIn(private, raw)
+
+    def test_release_candidate_prep_runs_decision_guard_after_request_guard(self) -> None:
+        makefile = read(MAKEFILE)
+        request_guard = "$(PYTHON) .github/scripts/test_patch_0_1_2_python_publication_approval_request.py"
+        decision_guard = "$(PYTHON) .github/scripts/test_patch_0_1_2_python_publication_approval_decision.py"
+        first_public_guard = "$(PYTHON) .github/scripts/test_first_public_release_artifact_evidence.py"
+        block = target_block("release-candidate-prep")
+
+        self.assertIn(decision_guard, block)
+        self.assertEqual(1, makefile.count(decision_guard))
+        self.assertLess(block.index(request_guard), block.index(decision_guard))
+        self.assertLess(block.index(decision_guard), block.index(first_public_guard))
+
+
+if __name__ == "__main__":
+    unittest.main()

.github/scripts/test_release_candidate_prep.py

@@ -74,6 +74,7 @@
     "$(PYTHON) .github/scripts/test_patch_0_1_2_crates_publication_closeout.py",
     "$(PYTHON) .github/scripts/test_patch_0_1_2_rust_public_install_wording_closeout.py",
     "$(PYTHON) .github/scripts/test_patch_0_1_2_python_publication_approval_request.py",
+    "$(PYTHON) .github/scripts/test_patch_0_1_2_python_publication_approval_decision.py",
     "$(PYTHON) .github/scripts/test_first_public_release_artifact_evidence.py",
     "$(PYTHON) .github/scripts/test_first_public_release_final_decider.py",
     "$(PYTHON) .github/scripts/test_first_public_release_linux_x64_artifact_evidence.py",

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## Unreleased
 
+- boundary-exception: record decider approval for bounded later deterministic patch `0.1.2` Python PyPI wheel publication while keeping actual upload, Python public install wording, package tag creation, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces blocked.
 - boundary-exception: request decider review for exact deterministic patch `0.1.2` Python PyPI wheel publication while keeping PyPI upload, Python public install wording, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces blocked.
 - boundary-exception: close patch `0.1.2` Rust public install wording for published crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` while keeping PyPI publication, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces blocked.
 - boundary-exception: close patch `0.1.2` crates.io publication for Rust crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` while keeping Rust public install wording, PyPI publication, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces blocked.

Makefile

@@ -325,6 +325,7 @@ release-candidate-prep:
 	$(PYTHON) .github/scripts/test_patch_0_1_2_crates_publication_closeout.py
 	$(PYTHON) .github/scripts/test_patch_0_1_2_rust_public_install_wording_closeout.py
 	$(PYTHON) .github/scripts/test_patch_0_1_2_python_publication_approval_request.py
+	$(PYTHON) .github/scripts/test_patch_0_1_2_python_publication_approval_decision.py
 	$(PYTHON) .github/scripts/test_first_public_release_artifact_evidence.py
 	$(PYTHON) .github/scripts/test_first_public_release_final_decider.py
 	$(PYTHON) .github/scripts/test_first_public_release_linux_x64_artifact_evidence.py

docs/execution-status.md

@@ -81,6 +81,14 @@ public installation wording, package tag creation, hosted surfaces, production p
 packaged artifacts, bundled project-maintained PDFium builds, `ethos-doc`, `ethos-rag`, and public
 benchmark claims remain blocked.
 
+Patch `0.1.2` Python PyPI publication approval decision is recorded in
+`docs/validation/patch-0-1-2-python-publication-approval-decision-validation-2026-06-25.md`. It
+accepts only the exact bounded later operator action for the deterministic `ethos-pdf==0.1.2`
+wheel. Actual PyPI upload remains a separate operator action, Python public installation wording
+remains blocked until PyPI availability closeout, package tag creation remains blocked, and hosted
+surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium
+builds, `ethos-doc`, `ethos-rag`, and public benchmark claims remain blocked.
+
 Public approval lane blocker prep is recorded in
 `docs/milestone-e-public-approval-lane-blockers.json` and schema-bound by
 `schemas/ethos-milestone-e-public-approval-lane-blockers.schema.json`. This public approval lane

docs/public-release-checklist.md

@@ -159,6 +159,15 @@ blocked, production positioning remains blocked, Windows packaged artifacts rema
 project-maintained PDFium builds remain blocked, `ethos-doc` remains blocked, `ethos-rag` remains
 blocked, and public benchmark claims remain blocked.
 
+Patch `0.1.2` Python PyPI publication approval decision is recorded in
+`docs/validation/patch-0-1-2-python-publication-approval-decision-validation-2026-06-25.md`. It
+accepts only later operator upload of the exact deterministic `ethos-pdf==0.1.2` wheel candidate.
+Actual PyPI upload remains a separate operator action, Python public installation wording remains
+blocked until PyPI availability closeout, package tag creation remains blocked, hosted surfaces
+remain blocked, production positioning remains blocked, Windows packaged artifacts remain blocked,
+bundled project-maintained PDFium builds remain blocked, `ethos-doc` remains blocked, `ethos-rag`
+remains blocked, and public benchmark claims remain blocked.
+
 ## Required Before Public Push
 
 - Package-name and trademark decision is closed by accepted ADR-0006 in

docs/validation/README.md

@@ -743,6 +743,12 @@ recording the exact current-main source candidate and required follow-up evidenc
   `ethos-pdf==0.1.2` wheel candidate, source commit, source tree, metadata, SHA256, and local
   install/import smoke for decider review; PyPI upload and Python public installation wording
   remain blocked until separate decision, operator, and closeout records pass.
+- `patch-0-1-2-python-publication-approval-decision-validation-2026-06-25.md` - patch 0.1.2
+  Python PyPI publication approval decision validation accepts only bounded later operator
+  execution for the exact deterministic `ethos-pdf==0.1.2` wheel candidate; actual upload,
+  Python public installation wording, package tag creation, hosted, production, Windows, bundled
+  PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces remain blocked until separate operator
+  evidence, closeout, or approval records pass.
 - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E
   validation-command index validation passed through command-alignment checks, schema enum checks,
   row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the

docs/validation/patch-0-1-2-python-publication-approval-decision-validation-2026-06-25.md

@@ -0,0 +1,155 @@
+# Patch 0.1.2 Python PyPI Publication Approval Decision Validation - 2026-06-25
+
+Validated source HEAD before this record: `a35ff66`.
+
+Patch 0.1.2 Python publication approval decision source commit:
+`a35ff66cbb7d04f4df4d7ac478edcd1f11ecbcdc`.
+
+Patch 0.1.2 Python publication approval decision source tree:
+`2deb30a01223fd9afc4291460cfd5578a3c3242c`.
+
+Status: **patch 0.1.2 Python PyPI publication approval decision recorded; operator upload remains pending**
+
+This record accepts the exact deterministic patch `0.1.2` Python PyPI publication request packet
+after decider approval. It approves only the bounded later operator action for the
+`ethos-pdf==0.1.2` wheel. It does not upload any Python distribution, create package tags, change
+Python public installation wording, approve hosted surfaces, approve production positioning, approve
+Windows packaged artifacts, approve bundled project-maintained PDFium builds, approve `ethos-doc`,
+approve `ethos-rag`, or approve public benchmark reports or claims.
+
+## Subject
+
+- Repository: `docushell/ethos`
+- Lane: Python PyPI deterministic wheel publication
+- Approval owner: `docushell-admin`
+- Approval request record:
+  `docs/validation/patch-0-1-2-python-publication-approval-request-validation-2026-06-25.md`
+- Package source commit accepted by this decision: `e431982cca2922d4cc59ddc7cacb9e72538b1cd0`
+- Package source tree accepted by this decision: `f59ddd018d234eeee0ac77292b417f4acb892b4e`
+
+## Exact Decision Fields
+
+- Decision: accept exact deterministic patch `0.1.2` Python PyPI wheel publication decision packet.
+- Approver: `docushell-admin` acting as decider.
+- Date: 2026-06-25.
+- Exact package accepted by this decision: `ethos-pdf==0.1.2`.
+- Exact distribution accepted by this decision: `ethos_pdf-0.1.2-py3-none-any.whl` only.
+- Exact deterministic build input accepted by this decision: `SOURCE_DATE_EPOCH=0`.
+- Exact source commit accepted by this decision: `e431982cca2922d4cc59ddc7cacb9e72538b1cd0`.
+- Exact source tree accepted by this decision: `f59ddd018d234eeee0ac77292b417f4acb892b4e`.
+- Exact deterministic wheel SHA256 accepted by this decision:
+  `6f17240954f1257ece3c762c820ad771ccb114353bfb699fe87f418a5ceb663c`.
+
+## Wheel Metadata Accepted By This Decision
+
+- Name: `ethos-pdf`
+- Version: `0.1.2`
+- Summary: `Python wrapper for the Ethos document evidence CLI.`
+- License-Expression: `Apache-2.0`
+- Requires-Python: `>=3.8`
+- Wheel-Version: `1.0`
+- Root-Is-Purelib: `true`
+- Tag: `py3-none-any`
+- Build input: `SOURCE_DATE_EPOCH=0`
+- Wheel member timestamps: `1980-01-01 00:00:00`
+- Import smoke accepted by this decision: version `0.1.2`, `EthosCli`, and `EthosCommandError`.
+- PDFium boundary accepted by this decision: PDFium remains caller-provided through
+  `ETHOS_PDFIUM_LIBRARY_PATH`.
+
+## Approved Operator Action
+
+After this decision record is merged and validation passes on merged source, an operator may upload
+only this wheel:
+
+```text
+ethos_pdf-0.1.2-py3-none-any.whl
+```
+
+The operator must build with `SOURCE_DATE_EPOCH=0`. The operator must use a PyPI-approved
+authentication path and must not record credentials in the repository. The operator must stop if the
+built wheel filename, SHA256, package version, source commit, source tree, deterministic build input,
+or retained blockers differ.
+
+PyPI upload remains a separate operator action. This decision record does not upload any Python
+distribution.
+
+## Required Operator Pre-Upload Checks
+
+Before uploading, the operator must run:
+
+```sh
+SOURCE_DATE_EPOCH=0 python3 -m build --wheel --outdir <candidate-dir>
+shasum -a 256 <candidate-dir>/ethos_pdf-0.1.2-py3-none-any.whl
+python3 .github/scripts/test_patch_0_1_2_python_publication_approval_decision.py
+python3 .github/scripts/test_patch_0_1_2_python_publication_approval_request.py
+python3 .github/scripts/test_python_public_api_policy.py
+PYTHONPATH=python python3 -m unittest discover -s python/tests
+make release-candidate-prep PYTHON=python3
+git diff --check
+```
+
+## Explicit Exclusions
+
+- Source distributions remain excluded.
+- Alternate wheels remain excluded.
+- Alternate Python package names remain excluded.
+- Package tag creation remains blocked until a separate explicit approval or closeout record permits it.
+- Python public installation wording remains blocked until PyPI availability is closed out.
+- Hosted surfaces remain blocked.
+- Production positioning remains blocked.
+- Public benchmark reports remain blocked.
+- Public benchmark claims remain blocked.
+- Windows packaged artifacts remain blocked.
+- Bundled project-maintained PDFium builds remain blocked.
+- `ethos-doc` remains blocked.
+- `ethos-rag` remains blocked.
+- Broader public wording remains blocked.
+
+## Evidence Bound To This Decision
+
+- Decider decision supplied: Approved; exact deterministic patch `0.1.2` Python PyPI publication
+  request accepted.
+- `python3 .github/scripts/test_patch_0_1_2_python_publication_approval_request.py` passed.
+- `python3 .github/scripts/test_release_candidate_prep.py` passed.
+- `python3 .github/scripts/public_boundary_claims_gate.py` passed.
+- `make light-check PYTHON=python3` passed on merged `main` before this decision branch.
+- `make milestone-e-prep PYTHON=python3` passed on merged `main` before this decision branch.
+- `make release-candidate-prep PYTHON=python3` passed on merged `main` before this decision branch.
+
+## Non-Actions
+
+- This decision record does not upload any Python distribution.
+- This decision record does not approve an sdist.
+- This decision record does not approve another wheel.
+- This decision record does not approve package tags.
+- This decision record does not approve Python public installation wording.
+- This decision record does not approve hosted surfaces.
+- This decision record does not approve production positioning.
+- This decision record does not approve public benchmark reports.
+- This decision record does not approve public benchmark claims.
+- This decision record does not approve Windows packaged artifacts.
+- This decision record does not approve bundled project-maintained PDFium builds.
+- This decision record does not approve `ethos-doc`.
+- This decision record does not approve `ethos-rag`.
+
+## Retained Blockers
+
+- Actual PyPI upload remains pending operator action.
+- Python public installation wording remains blocked until PyPI availability is closed out.
+- Package tag creation remains blocked until a separate explicit approval or closeout record permits it.
+- Hosted surfaces remain blocked.
+- Production positioning remains blocked.
+- Public benchmark reports remain blocked.
+- Public benchmark claims remain blocked.
+- Windows packaged artifacts remain blocked.
+- Bundled project-maintained PDFium builds remain blocked.
+- `ethos-doc` remains blocked.
+- `ethos-rag` remains blocked.
+- PDFium remains caller-provided through `ETHOS_PDFIUM_LIBRARY_PATH`.
+
+## Result
+
+The exact deterministic patch `0.1.2` Python PyPI wheel publication decision packet for
+`ethos-pdf==0.1.2` is accepted. Actual PyPI upload remains a separate operator action requiring
+final pre-upload checks, PyPI-approved authentication, exact deterministic wheel hash verification,
+and later registry closeout evidence.