Close patch 0.1.2 Python publication

.github/scripts/test_patch_0_1_2_python_publication_closeout.py

@@ -0,0 +1,171 @@
+#!/usr/bin/env python3
+#
+# Copyright 2026 The Ethos maintainers
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+#
+
+from __future__ import annotations
+
+import json
+import re
+import subprocess
+import unittest
+import urllib.request
+from pathlib import Path
+
+from makefile_guard import target_block
+
+
+ROOT = Path(__file__).resolve().parents[2]
+RECORD = ROOT / "docs/validation/patch-0-1-2-python-publication-closeout-validation-2026-06-25.md"
+VALIDATION_README = ROOT / "docs/validation/README.md"
+MAKEFILE = ROOT / "Makefile"
+
+SOURCE_SHORT = "26012eb"
+SOURCE_COMMIT = "26012ebfaf9a50e02c12515827f63c21e6a69ca6"
+SOURCE_TREE = "a178affbdf5a0f46d52aa80c804b1142688f4a82"
+PACKAGE_SOURCE_COMMIT = "e431982cca2922d4cc59ddc7cacb9e72538b1cd0"
+PACKAGE_SOURCE_TREE = "f59ddd018d234eeee0ac77292b417f4acb892b4e"
+PACKAGE = "ethos-pdf"
+VERSION = "0.1.2"
+WHEEL = "ethos_pdf-0.1.2-py3-none-any.whl"
+WHEEL_SHA256 = "6f17240954f1257ece3c762c820ad771ccb114353bfb699fe87f418a5ceb663c"
+WHEEL_URL = "https://files.pythonhosted.org/packages/32/0f/06fe9ab696ee596cc88f9b061b5c2b9f443fe7fcdc54ebb02a4189dda129/ethos_pdf-0.1.2-py3-none-any.whl"
+WHEEL_SIZE = 11445
+UPLOAD_TIME = "2026-06-25T05:06:17.574879Z"
+FORBIDDEN = (
+    "production-ready",
+    "hosted surfaces approved",
+    "windows packaged artifacts approved",
+    "bundled pdfium approved",
+    "public benchmark claims approved",
+    "ethos-doc approved",
+    "ethos-rag approved",
+)
+
+
+def read(path: Path) -> str:
+    return path.read_text(encoding="utf-8")
+
+
+def normalized(path: Path) -> str:
+    return re.sub(r"\s+", " ", read(path))
+
+
+def git(*args: str) -> str:
+    return subprocess.check_output(
+        ["git", *args],
+        cwd=ROOT,
+        encoding="utf-8",
+        stderr=subprocess.DEVNULL,
+    ).strip()
+
+
+def pypi_release_json() -> dict:
+    with urllib.request.urlopen(f"https://pypi.org/pypi/{PACKAGE}/{VERSION}/json", timeout=30) as response:
+        return json.load(response)
+
+
+class Patch012PythonPublicationCloseoutTests(unittest.TestCase):
+    def test_closeout_record_is_source_bound_and_indexed(self) -> None:
+        record = normalized(RECORD)
+        readme = normalized(VALIDATION_README)
+
+        self.assertIn(RECORD.name, readme)
+        self.assertIn("patch 0.1.2 Python PyPI publication closeout", readme)
+        self.assertIn(f"Validated source HEAD before this record: `{SOURCE_SHORT}`", read(RECORD))
+        self.assertIn(f"Patch 0.1.2 Python publication closeout source commit: `{SOURCE_COMMIT}`", record)
+        self.assertIn(f"Patch 0.1.2 Python publication closeout source tree: `{SOURCE_TREE}`", record)
+        self.assertEqual(SOURCE_COMMIT, git("rev-parse", SOURCE_SHORT))
+        self.assertEqual(SOURCE_TREE, git("rev-parse", f"{SOURCE_SHORT}^{{tree}}"))
+
+    def test_closeout_records_upload_and_registry_evidence(self) -> None:
+        record = normalized(RECORD)
+
+        for expected in (
+            "python3 -m twine upload target/python-pypi-0.1.2/ethos_pdf-0.1.2-py3-none-any.whl",
+            "Uploading distributions to https://upload.pypi.org/legacy/",
+            "WARNING This environment is not supported for trusted publishing",
+            "Uploading ethos_pdf-0.1.2-py3-none-any.whl",
+            "View at: https://pypi.org/project/ethos-pdf/0.1.2/",
+            "SOURCE_DATE_EPOCH=0",
+            PACKAGE,
+            VERSION,
+            WHEEL,
+            WHEEL_SHA256,
+            WHEEL_URL,
+            UPLOAD_TIME,
+            "bdist_wheel",
+            "py3",
+            "yanked: false",
+            "ETHOS_PDFIUM_LIBRARY_PATH",
+            f"Package source commit: `{PACKAGE_SOURCE_COMMIT}`",
+            f"Package source tree: `{PACKAGE_SOURCE_TREE}`",
+        ):
+            self.assertIn(expected, record)
+
+    def test_live_pypi_reports_published_candidate(self) -> None:
+        data = pypi_release_json()
+
+        self.assertEqual(PACKAGE, data["info"]["name"])
+        self.assertEqual(VERSION, data["info"]["version"])
+        self.assertEqual(">=3.8", data["info"]["requires_python"])
+        self.assertEqual(1, len(data["urls"]))
+        file = data["urls"][0]
+        self.assertEqual(WHEEL, file["filename"])
+        self.assertEqual("bdist_wheel", file["packagetype"])
+        self.assertEqual("py3", file["python_version"])
+        self.assertEqual(WHEEL_SHA256, file["digests"]["sha256"])
+        self.assertEqual(WHEEL_URL, file["url"])
+        self.assertEqual(WHEEL_SIZE, file["size"])
+        self.assertEqual(UPLOAD_TIME, file["upload_time_iso_8601"])
+        self.assertFalse(file["yanked"])
+
+    def test_retained_blockers_and_public_path_hygiene(self) -> None:
+        raw = read(RECORD)
+        lower = normalized(RECORD).lower()
+
+        for expected in (
+            "Public installation wording may be updated only in a separate bounded docs lane.",
+            "Package tag creation remains blocked until a separate explicit approval or closeout record permits it.",
+            "Hosted surfaces remain blocked.",
+            "Production positioning remains blocked.",
+            "Public benchmark reports remain blocked.",
+            "Public benchmark claims remain blocked.",
+            "Windows packaged artifacts remain blocked.",
+            "Bundled project-maintained PDFium builds remain blocked.",
+            "`ethos-doc` remains blocked.",
+            "`ethos-rag` remains blocked.",
+            "PDFium remains caller-provided through `ETHOS_PDFIUM_LIBRARY_PATH`.",
+        ):
+            self.assertIn(expected, raw)
+        for forbidden in FORBIDDEN:
+            self.assertNotIn(forbidden, lower)
+        for private in (
+            "/" + "Users/",
+            "/" + "tmp",
+            "/" + "private/tmp",
+            "/" + "private/var",
+            "/" + "var/folders",
+            "saumil" + "diwaker",
+            "Desktop/" + "Stuff",
+            "project/repo/" + "ethos",
+        ):
+            self.assertNotIn(private, raw)
+
+    def test_release_candidate_prep_runs_closeout_after_decision_guard(self) -> None:
+        makefile = read(MAKEFILE)
+        decision_guard = "$(PYTHON) .github/scripts/test_patch_0_1_2_python_publication_approval_decision.py"
+        closeout_guard = "$(PYTHON) .github/scripts/test_patch_0_1_2_python_publication_closeout.py"
+        first_public_guard = "$(PYTHON) .github/scripts/test_first_public_release_artifact_evidence.py"
+        block = target_block("release-candidate-prep")
+
+        self.assertIn(closeout_guard, block)
+        self.assertEqual(1, makefile.count(closeout_guard))
+        self.assertLess(block.index(decision_guard), block.index(closeout_guard))
+        self.assertLess(block.index(closeout_guard), block.index(first_public_guard))
+
+
+if __name__ == "__main__":
+    unittest.main()

.github/scripts/test_release_candidate_prep.py

@@ -75,6 +75,7 @@
     "$(PYTHON) .github/scripts/test_patch_0_1_2_rust_public_install_wording_closeout.py",
     "$(PYTHON) .github/scripts/test_patch_0_1_2_python_publication_approval_request.py",
     "$(PYTHON) .github/scripts/test_patch_0_1_2_python_publication_approval_decision.py",
+    "$(PYTHON) .github/scripts/test_patch_0_1_2_python_publication_closeout.py",
     "$(PYTHON) .github/scripts/test_first_public_release_artifact_evidence.py",
     "$(PYTHON) .github/scripts/test_first_public_release_final_decider.py",
     "$(PYTHON) .github/scripts/test_first_public_release_linux_x64_artifact_evidence.py",

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## Unreleased
 
+- boundary-exception: close patch `0.1.2` Python PyPI publication with exact registry evidence for `ethos-pdf==0.1.2` while keeping Python public install wording, package tag creation, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces blocked.
 - boundary-exception: record decider approval for bounded later deterministic patch `0.1.2` Python PyPI wheel publication while keeping actual upload, Python public install wording, package tag creation, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces blocked.
 - boundary-exception: request decider review for exact deterministic patch `0.1.2` Python PyPI wheel publication while keeping PyPI upload, Python public install wording, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces blocked.
 - boundary-exception: close patch `0.1.2` Rust public install wording for published crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` while keeping PyPI publication, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces blocked.

Makefile

@@ -326,6 +326,7 @@ release-candidate-prep:
 	$(PYTHON) .github/scripts/test_patch_0_1_2_rust_public_install_wording_closeout.py
 	$(PYTHON) .github/scripts/test_patch_0_1_2_python_publication_approval_request.py
 	$(PYTHON) .github/scripts/test_patch_0_1_2_python_publication_approval_decision.py
+	$(PYTHON) .github/scripts/test_patch_0_1_2_python_publication_closeout.py
 	$(PYTHON) .github/scripts/test_first_public_release_artifact_evidence.py
 	$(PYTHON) .github/scripts/test_first_public_release_final_decider.py
 	$(PYTHON) .github/scripts/test_first_public_release_linux_x64_artifact_evidence.py

docs/execution-status.md

@@ -89,6 +89,14 @@ remains blocked until PyPI availability closeout, package tag creation remains b
 surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium
 builds, `ethos-doc`, `ethos-rag`, and public benchmark claims remain blocked.
 
+Patch `0.1.2` Python PyPI publication closeout is recorded in
+`docs/validation/patch-0-1-2-python-publication-closeout-validation-2026-06-25.md`. PyPI now
+reports `ethos-pdf==0.1.2` with matching wheel filename, SHA256, upload time, size, URL, and
+non-yanked status. Python public installation wording remains blocked until a separate wording and
+availability closeout, package tag creation remains blocked, and hosted surfaces, production
+positioning, Windows packaged artifacts, bundled project-maintained PDFium builds, `ethos-doc`,
+`ethos-rag`, and public benchmark claims remain blocked.
+
 Public approval lane blocker prep is recorded in
 `docs/milestone-e-public-approval-lane-blockers.json` and schema-bound by
 `schemas/ethos-milestone-e-public-approval-lane-blockers.schema.json`. This public approval lane

docs/public-release-checklist.md

@@ -168,6 +168,15 @@ remain blocked, production positioning remains blocked, Windows packaged artifac
 bundled project-maintained PDFium builds remain blocked, `ethos-doc` remains blocked, `ethos-rag`
 remains blocked, and public benchmark claims remain blocked.
 
+Patch `0.1.2` Python PyPI publication closeout is recorded in
+`docs/validation/patch-0-1-2-python-publication-closeout-validation-2026-06-25.md`. PyPI reports
+`ethos-pdf==0.1.2` as the exact deterministic wheel approved for publication. Python public
+installation wording remains blocked until a separate wording and availability closeout, package tag
+creation remains blocked, hosted surfaces remain blocked, production positioning remains blocked,
+Windows packaged artifacts remain blocked, bundled project-maintained PDFium builds remain blocked,
+`ethos-doc` remains blocked, `ethos-rag` remains blocked, and public benchmark claims remain
+blocked.
+
 ## Required Before Public Push
 
 - Package-name and trademark decision is closed by accepted ADR-0006 in

docs/validation/README.md

@@ -749,6 +749,12 @@ recording the exact current-main source candidate and required follow-up evidenc
   Python public installation wording, package tag creation, hosted, production, Windows, bundled
   PDFium, benchmark, `ethos-doc`, and `ethos-rag` surfaces remain blocked until separate operator
   evidence, closeout, or approval records pass.
+- `patch-0-1-2-python-publication-closeout-validation-2026-06-25.md` - patch 0.1.2
+  Python PyPI publication closeout validation records operator upload evidence and live PyPI
+  registry visibility for the exact deterministic `ethos-pdf==0.1.2` wheel; Python public
+  installation wording, package tag creation, hosted, production, Windows, bundled PDFium,
+  benchmark, `ethos-doc`, and `ethos-rag` surfaces remain blocked until separate closeout or
+  approval records pass.
 - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E
   validation-command index validation passed through command-alignment checks, schema enum checks,
   row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the

docs/validation/patch-0-1-2-python-publication-closeout-validation-2026-06-25.md

@@ -0,0 +1,147 @@
+# Patch 0.1.2 Python PyPI Publication Closeout Validation - 2026-06-25
+
+Validated source HEAD before this record: `26012eb`.
+
+Patch 0.1.2 Python publication closeout source commit:
+`26012ebfaf9a50e02c12515827f63c21e6a69ca6`.
+
+Patch 0.1.2 Python publication closeout source tree:
+`a178affbdf5a0f46d52aa80c804b1142688f4a82`.
+
+Status: **patch 0.1.2 Python PyPI wheel published**
+
+This record closes the bounded patch `0.1.2` Python PyPI publication lane for
+`ethos-pdf==0.1.2`. It records operator upload evidence and live PyPI registry verification for the
+exact approved deterministic wheel. It does not approve Python public installation wording, package
+tag creation, hosted surfaces, production positioning, Windows packaged artifacts, bundled
+project-maintained PDFium builds, `ethos-doc`, `ethos-rag`, public benchmark reports, public
+benchmark claims, or broader public wording.
+
+## Published Package
+
+- Package: `ethos-pdf`
+- Version: `0.1.2`
+- Import package: `ethos_pdf`
+- Registry: `https://pypi.org/`
+- Project URL: `https://pypi.org/project/ethos-pdf/0.1.2/`
+- Distribution: `ethos_pdf-0.1.2-py3-none-any.whl`
+- Deterministic build input: `SOURCE_DATE_EPOCH=0`
+- SHA256:
+  `6f17240954f1257ece3c762c820ad771ccb114353bfb699fe87f418a5ceb663c`
+
+## Operator Upload Evidence
+
+Pre-upload checks:
+
+```text
+shasum -a 256 target/python-pypi-0.1.2/ethos_pdf-0.1.2-py3-none-any.whl
+6f17240954f1257ece3c762c820ad771ccb114353bfb699fe87f418a5ceb663c  target/python-pypi-0.1.2/ethos_pdf-0.1.2-py3-none-any.whl
+python3 .github/scripts/test_patch_0_1_2_python_publication_approval_decision.py
+Ran 4 tests in 0.085s
+OK
+python3 .github/scripts/test_patch_0_1_2_python_publication_approval_request.py
+Ran 5 tests in 0.053s
+OK
+python3 .github/scripts/test_python_public_api_policy.py
+Ran 4 tests in 0.001s
+OK
+PYTHONPATH=python python3 -m unittest discover -s python/tests
+Ran 23 tests in 3.912s
+OK
+make release-candidate-prep PYTHON=python3
+git diff --check
+```
+
+Upload command:
+
+```text
+python3 -m twine upload target/python-pypi-0.1.2/ethos_pdf-0.1.2-py3-none-any.whl
+```
+
+Observed upload result:
+
+```text
+Uploading distributions to https://upload.pypi.org/legacy/
+WARNING This environment is not supported for trusted publishing
+Uploading ethos_pdf-0.1.2-py3-none-any.whl
+100% 17.0/17.0 kB
+View at: https://pypi.org/project/ethos-pdf/0.1.2/
+```
+
+The upload used a PyPI-approved credential path. No credential is recorded in this repository.
+
+## Registry Verification
+
+Registry endpoint:
+
+```text
+https://pypi.org/pypi/ethos-pdf/0.1.2/json
+```
+
+Result:
+
+```text
+name: ethos-pdf
+version: 0.1.2
+requires_python: >=3.8
+filename: ethos_pdf-0.1.2-py3-none-any.whl
+packagetype: bdist_wheel
+python_version: py3
+digests.sha256: 6f17240954f1257ece3c762c820ad771ccb114353bfb699fe87f418a5ceb663c
+size: 11445
+upload_time_iso_8601: 2026-06-25T05:06:17.574879Z
+yanked: false
+url: https://files.pythonhosted.org/packages/32/0f/06fe9ab696ee596cc88f9b061b5c2b9f443fe7fcdc54ebb02a4189dda129/ethos_pdf-0.1.2-py3-none-any.whl
+```
+
+## Approved Candidate Binding
+
+- Approval request record:
+  `docs/validation/patch-0-1-2-python-publication-approval-request-validation-2026-06-25.md`
+- Approval decision record:
+  `docs/validation/patch-0-1-2-python-publication-approval-decision-validation-2026-06-25.md`
+- Package source commit: `e431982cca2922d4cc59ddc7cacb9e72538b1cd0`
+- Package source tree: `f59ddd018d234eeee0ac77292b417f4acb892b4e`
+- Exact deterministic build input: `SOURCE_DATE_EPOCH=0`
+- Exact wheel: `ethos_pdf-0.1.2-py3-none-any.whl`
+- Exact wheel SHA256:
+  `6f17240954f1257ece3c762c820ad771ccb114353bfb699fe87f418a5ceb663c`
+- Wheel metadata: `Name: ethos-pdf`, `Version: 0.1.2`, `Requires-Python: >=3.8`,
+  `Wheel-Version: 1.0`, `Root-Is-Purelib: true`, `Tag: py3-none-any`.
+
+## Retained Blockers
+
+- Public installation wording may be updated only in a separate bounded docs lane.
+- Package tag creation remains blocked until a separate explicit approval or closeout record permits it.
+- Hosted surfaces remain blocked.
+- Production positioning remains blocked.
+- Public benchmark reports remain blocked.
+- Public benchmark claims remain blocked.
+- Windows packaged artifacts remain blocked.
+- Bundled project-maintained PDFium builds remain blocked.
+- `ethos-doc` remains blocked.
+- `ethos-rag` remains blocked.
+- PDFium remains caller-provided through `ETHOS_PDFIUM_LIBRARY_PATH`.
+
+## Commands
+
+```sh
+SOURCE_DATE_EPOCH=0 python3 -m build --wheel --outdir target/python-pypi-0.1.2
+shasum -a 256 target/python-pypi-0.1.2/ethos_pdf-0.1.2-py3-none-any.whl
+python3 .github/scripts/test_patch_0_1_2_python_publication_approval_decision.py
+python3 .github/scripts/test_patch_0_1_2_python_publication_approval_request.py
+python3 .github/scripts/test_python_public_api_policy.py
+PYTHONPATH=python python3 -m unittest discover -s python/tests
+make release-candidate-prep PYTHON=python3
+python3 -m twine upload target/python-pypi-0.1.2/ethos_pdf-0.1.2-py3-none-any.whl
+python3 .github/scripts/test_patch_0_1_2_python_publication_closeout.py
+git diff --check
+```
+
+## Result
+
+```text
+patch 0.1.2 Python PyPI publication closeout recorded
+ethos-pdf 0.1.2 is live on PyPI as the approved deterministic py3-none-any wheel
+Public installation wording must still be handled in a separate bounded docs lane
+```