Release v0.10.1 Docs: Diátaxis Alignment & CI/CD Guides

.bumpversion.toml

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 [tool.bumpversion]
-current_version = "0.10.0"
+current_version = "0.10.1"
 parse = "(?P<major>\\d+)\\.(?P<minor>\\d+)\\.(?P<patch>\\d+)"
 serialize = ["{major}.{minor}.{patch}"]
 

.github/workflows/ci.yml

@@ -1,13 +1,10 @@
 # SPDX-FileCopyrightText: 2026 PythonWoods <dev@pythonwoods.dev>
 # SPDX-License-Identifier: Apache-2.0
 
-name: zenzic-audit
+name: Zenzic Docs CI
 
 on:
   pull_request:
-    branches:
-      - main
-      - 'release/**'
     paths:
       - 'docs/**'
       - 'i18n/**'
@@ -26,7 +23,6 @@ on:
   push:
     branches:
       - main
-      - 'release/**'
     paths:
       - 'docs/**'
       - 'i18n/**'
@@ -50,89 +46,24 @@ concurrency:
 
 jobs:
   verify:
-    name: Verify (ubuntu-latest, Node LTS)
+    name: Build
     runs-on: ubuntu-latest
     defaults:
       run:
         shell: bash
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Determine Zenzic Core Branch (Parity or Fallback)
-        id: resolve-branch
-        shell: bash
-        run: |
-          TARGET_BRANCH="${{ github.head_ref || github.ref_name }}"
-          echo "Target branch is: $TARGET_BRANCH"
-
-          if git ls-remote --exit-code --heads https://github.com/PythonWoods/zenzic.git "$TARGET_BRANCH" > /dev/null 2>&1; then
-            echo "Branch $TARGET_BRANCH exists in core. Using it."
-            echo "core_ref=$TARGET_BRANCH" >> $GITHUB_OUTPUT
-          else
-            echo "Branch $TARGET_BRANCH not found in core. Falling back to main."
-            echo "core_ref=main" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Checkout local zenzic (unreleased)
+      - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          repository: PythonWoods/zenzic
-          ref: ${{ steps.resolve-branch.outputs.core_ref }}
-          path: _zenzic_core
-
-      - name: Setup Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: '3.13'
-
-      - name: Install local zenzic in editable mode
-        run: python -m pip install -e ./_zenzic_core
-
-      - name: Install just
-        uses: taiki-e/install-action@ea85faa6acd705ad6d40586db99f1a70b09c2929 # just
 
       - name: Setup Node
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: '24'
           cache: npm
 
-      - name: Install uv
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
-
       - name: Install dependencies
         run: npm ci
 
-      - name: Certify Zenzic public hooks contract
-        shell: bash
-        run: |
-          set -euo pipefail
-          hooks_file="_zenzic_core/.pre-commit-hooks.yaml"
-          test -f "$hooks_file"
-
-          # Required public hook ids
-          grep -q "id: zenzic-verify" "$hooks_file"
-          grep -q "id: zenzic-guard" "$hooks_file"
-          grep -q "id: zenzic-score" "$hooks_file"
-
-          # Required public contract entries
-          grep -q "entry: zenzic check all" "$hooks_file"
-          grep -q "entry: zenzic guard scan" "$hooks_file"
-          grep -q "entry: zenzic score" "$hooks_file"
-
-          # Required extension coverage (Markdown + MDX)
-          grep -q "markdown" "$hooks_file"
-          grep -q "mdx" "$hooks_file"
-
-          echo "Public hooks contract certified from _zenzic_core/.pre-commit-hooks.yaml"
-
-      - name: Run unified verification
-        shell: bash
-        env:
-          PYTHONUTF8: '1'
-          # Runtime-only injection point for local isolation checks in CI.
-          ZENZIC_EXTRA_ARGS: ${{ secrets.ZENZIC_EXTRA_ARGS }}
-          # ZRT-010 — Sovereign Parity: Pre-Launch Guard lives in justfile.
-          # Local and CI run identical 'just check' invocations.
-        run: just verify
+      - name: Build Docusaurus
+        run: npm run build

.github/workflows/codeql.yml

@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: 2026 PythonWoods <dev@pythonwoods.dev>
 # SPDX-License-Identifier: Apache-2.0
 
-name: codeql
+name: Zenzic Docs CodeQL
 
 on:
   push:
@@ -38,7 +38,7 @@ jobs:
           - javascript-typescript
 
     steps:
-      - name: Checkout
+      - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Initialize CodeQL

.github/workflows/dependency-review.yml

@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: 2026 PythonWoods <dev@pythonwoods.dev>
 # SPDX-License-Identifier: Apache-2.0
 
-name: dependency-review
+name: Zenzic Docs Dependency Review
 
 on:
   pull_request:
@@ -21,11 +21,11 @@ concurrency:
 
 jobs:
   dependency-review:
-    name: Dependency review
+    name: Review
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - name: Checkout
+      - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Dependency Review

.github/workflows/npm-audit.yml

@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: 2026 PythonWoods <dev@pythonwoods.dev>
 # SPDX-License-Identifier: Apache-2.0
 
-name: npm-audit
+name: Zenzic Docs NPM Audit
 
 on:
   push:
@@ -26,13 +26,13 @@ permissions:
 
 jobs:
   audit:
-    name: Dependency audit
+    name: Audit
     runs-on: ubuntu-latest
     env:
       FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 
     steps:
-      - name: Checkout
+      - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Setup Node

.github/workflows/release-docs.yml

@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: 2026 PythonWoods <dev@pythonwoods.dev>
 # SPDX-License-Identifier: Apache-2.0
 
-name: release-docs
+name: Zenzic Docs Release Docs
 
 on:
   push:
@@ -19,13 +19,13 @@ concurrency:
 
 jobs:
   release:
-    name: Build and publish docs artifact
+    name: Release
     runs-on: ubuntu-latest
     env:
       FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 
     steps:
-      - name: Checkout
+      - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Setup Node

.github/workflows/release.yml

@@ -1,6 +1,6 @@
 # SPDX-FileCopyrightText: 2026 PythonWoods <dev@pythonwoods.dev>
 # SPDX-License-Identifier: Apache-2.0
-name: release
+name: Zenzic Docs Release
 
 on:
   push:
@@ -16,13 +16,13 @@ concurrency:
 
 jobs:
   release:
-    name: Build docs and create GitHub Release
+    name: Release
     runs-on: ubuntu-latest
     env:
       FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 
     steps:
-      - name: Checkout
+      - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Setup Node

.github/workflows/secret-scan.yml

@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: 2026 PythonWoods <dev@pythonwoods.dev>
 # SPDX-License-Identifier: Apache-2.0
 
-name: Secret Scan
+name: Zenzic Docs Secret Scan
 on:
   push:
     branches: [ main ]
@@ -13,7 +13,7 @@ permissions:
 
 jobs:
   secret-scan:
-    name: Native GitHub Secret Scan Proxy
+    name: Scan
     runs-on: ubuntu-latest
     steps:
       - name: Info

.github/workflows/security-posture.yml

@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: 2026 PythonWoods <dev@pythonwoods.dev>
 # SPDX-License-Identifier: Apache-2.0
 
-name: Security Posture
+name: Zenzic Docs Security Posture
 
 on:
   push:
@@ -11,13 +11,14 @@ on:
 
 jobs:
   check-posture:
-    name: Evaluate Repository Security Posture
+    name: Audit
     runs-on: ubuntu-latest
     permissions:
       contents: read
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - name: Checkout Repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Check for SECURITY.md
         run: |

.github/workflows/zenzic.yml

@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2026 PythonWoods <dev@pythonwoods.dev>
+# SPDX-License-Identifier: Apache-2.0
+
+name: Zenzic Docs Quality Gate
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  quality-gate:
+    name: Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Run Zenzic Quality Gate
+        uses: PythonWoods/zenzic-action@v1
+        with:
+          strict: 'true'
+          upload-sarif: 'true'

.zenzic.toml

@@ -4,30 +4,8 @@
 # Precedence: .zenzic.toml is shared baseline; .zenzic.local.toml overrides locally.
 # Keep secrets and workstation-only values in .zenzic.local.toml.
 
-# --- PROJECT IDENTITY ---
-# [project]
-# name = "zenzic-doc" # Used for personalized CLI Governance headers
-
-# --- CORE SETTINGS ---
-# ---------------------------------------------------------------------------
-# docs_dir
-# ---------------------------------------------------------------------------
-# The relative path to your documentation root.
-#
-# BEHAVIOR:
-#   - If commented out (default), Zenzic uses Auto-Discovery to find your
-#     docs based on the engine (reads docusaurus.config.ts, mkdocs.yml…).
-#   - Set to "." to scan the entire repository (L1 system exclusions apply).
-#
-# DEFAULT: Auto-discovered
-#
-# docs_dir = "docs"
-
 strict = true
 fail_under = 90
-# exit_zero = false
-# respect_vcs_ignore = true
-# validate_same_page_anchors = true
 
 # External URLs excluded from the broken-link check (applies only with --strict)
 excluded_external_urls = [
@@ -58,13 +36,38 @@ excluded_external_urls = [
     #"https://zenzic.dev/developers",
 ]
 
+# Placeholder checks disabled: the documentation describes placeholder patterns
+# by example, which would cause false positives.
+placeholder_patterns = []
+
+# --- PROJECT IDENTITY ---
+# [project]
+# name = "zenzic-doc" # Used for personalized CLI Governance headers
+
+# --- CORE SETTINGS ---
+# ---------------------------------------------------------------------------
+# docs_dir
+# ---------------------------------------------------------------------------
+# The relative path to your documentation root.
+#
+# BEHAVIOR:
+#   - If commented out (default), Zenzic uses Auto-Discovery to find your
+#     docs based on the engine (reads docusaurus.config.ts, mkdocs.yml…).
+#   - Set to "." to scan the entire repository (L1 system exclusions apply).
+#
+# DEFAULT: Auto-discovered
+#
+# docs_dir = "docs"
+
+# exit_zero = false
+# respect_vcs_ignore = true
+# validate_same_page_anchors = true
+
+
 # Z204 Privacy Gate — terms that must never appear in published docs.
 # forbidden_patterns = []
 
 # --- PLACEHOLDERS & CODE SNIPPETS (Optional) ---
-# Placeholder checks disabled: the documentation describes placeholder patterns
-# by example, which would cause false positives.
-placeholder_patterns = []
 placeholder_max_words = 0
 
 # --- ENGINE CONTEXT ---

CONTRIBUTING.md

@@ -226,6 +226,11 @@ This must pass with zero errors before you open or update a PR.
 
 - Execute a D.I.A. (Documentation Impact Analysis). If your PR alters CLI behavior or API contracts, explicitly state it in your PR description. You are encouraged to open a matching PR on zenzic-doc, but if you cannot, the maintainers will handle the documentation sync before release.
 
+### CI/CD & Workflow
+- **Draft PRs:** We run CI exclusively on `main` and Pull Requests to save resources. Open a **Draft PR** early to get continuous CI feedback on your branch.
+- **Hooks:** Use `pre-commit` for local mutations. Do not use `post-commit`.
+- **Full Guide:** Read the complete workflow in our [Developer Documentation](https://zenzic.dev/developers/how-to/contribute/pull-requests).
+
 ### Pre-commit hooks
 
 The repository enforces quality automatically on every `git commit`: