docs: release v0.10.3 D.I.A. routing and governance upgrade

.bumpversion.toml

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 [tool.bumpversion]
-current_version = "0.10.1"
+current_version = "0.10.3"
 parse = "(?P<major>\\d+)\\.(?P<minor>\\d+)\\.(?P<patch>\\d+)"
 serialize = ["{major}.{minor}.{patch}"]
 

.github/PULL_REQUEST_TEMPLATE.md

@@ -51,6 +51,16 @@ Every PR touching `docs/`, `blog/`, `src/`, or `i18n/` must satisfy all that app
 
 ---
 
+## Enterprise governance compliance
+
+- [ ] This PR addresses an approved Issue #___ and complies with the **Issue-First Policy**.
+- [ ] Every commit in this PR is **cryptographically signed** (GPG/SSH/S/MIME) and shows as "Verified" on GitHub.
+- [ ] Every commit has a valid **Developer Certificate of Origin (DCO)** sign-off (`Signed-off-by:` via `git commit -s`).
+- [ ] I have verified and can architecturally justify every single line of code proposed in this PR (**No AI Slop**).
+- [ ] All commit messages comply with the **Conventional Commits** specification.
+
+---
+
 ## Notes for reviewers
 
 <!-- Anything unusual about this PR that reviewers should know? -->

.github/workflows/compliance.yml

@@ -0,0 +1,48 @@
+# SPDX-FileCopyrightText: 2026 PythonWoods <dev@pythonwoods.dev>
+# SPDX-License-Identifier: Apache-2.0
+
+name: Zenzic Doc Compliance
+
+on:
+  pull_request:
+    types: [opened, edited, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  pr-title:
+    name: Lint PR Title
+    runs-on: ubuntu-latest
+    steps:
+      - name: Validate PR Title
+        uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  dco:
+    name: Check DCO
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Verify Signed-off-by
+        run: |
+          BASE_SHA="${{ github.event.pull_request.base.sha }}"
+          HEAD_SHA="${{ github.event.pull_request.head.sha }}"
+
+          echo "Checking commits between $BASE_SHA and $HEAD_SHA"
+
+          # Check each commit in the range
+          git log --no-merges --format='%H' "$BASE_SHA..$HEAD_SHA" | while read -r commit_sha; do
+            commit_msg=$(git log -1 --format='%B' "$commit_sha")
+            if ! echo "$commit_msg" | grep -q "^Signed-off-by:"; then
+              echo "::error::Commit $commit_sha is missing 'Signed-off-by:' sign-off."
+              exit 1
+            fi
+          done
+          echo "All commits have valid DCO sign-offs."

CONTRIBUTING.it.md

@@ -12,6 +12,18 @@ programmatori Python. Se vuoi contribuire al motore Zenzic, consulta il
 
 ---
 
+## Policy di Governance Enterprise e Contributo
+
+Per garantire la sicurezza, l'integrità architetturale e la conformità legale di Zenzic, tutti i contributi devono aderire alle seguenti linee guida di Governance Enterprise:
+
+1. **Issue-First Policy (Prima le Issue)**: Nessuna Pull Request sarà presa in carico, revisionata o discussa se non preceduta da una Issue corrispondente discussa e approvata dai maintainer. Collega sempre l'Issue approvata nella descrizione della tua PR.
+2. **Firma Crittografica Obbligatoria**: Tutti i commit devono essere firmati crittograficamente tramite chiavi GPG, SSH o S/MIME (mostrati come "Verified" su GitHub). I commit non firmati verranno respinti automaticamente dal gate di merge.
+3. **Clausola "No AI Slop"**: Applichiamo una policy severa contro il codice generato da intelligenza artificiale non verificato. I contributor devono comprendere appieno, saper spiegare e giustificare dal punto di vista architetturale ogni singola riga di codice proposta nella PR. La proposta di codice non compreso porterà al rifiuto immediato del contributo.
+4. **Developer Certificate of Origin (DCO)**: Tutti i commit devono includere la riga `Signed-off-by:` (usando `git commit -s`) per certificare la conformità con la DCO.
+5. **Conventional Commits**: I messaggi di commit devono seguire rigorosamente la specifica Conventional Commits (es. `feat: add block anchor support (#123)`).
+
+---
+
 ## Prerequisiti
 
 | Strumento | Versione | Installazione |

CONTRIBUTING.md

@@ -12,6 +12,18 @@ programmers. If you want to contribute to the Zenzic engine itself, see the
 
 ---
 
+## Enterprise Governance & Contribution Policy
+
+To maintain the security, architectural integrity, and legal compliance of Zenzic, all contributions must adhere to the following Enterprise Governance guidelines:
+
+1. **Issue-First Policy**: No Pull Request will be reviewed, merged, or discussed unless it is preceded by a corresponding Issue that has been formally discussed and approved by the maintainers. Always link the approved Issue in your PR description.
+2. **Mandatory Cryptographic Commit Signatures**: Every commit must be cryptographically signed using GPG, SSH, or S/MIME keypairs (appearing as "Verified" on GitHub). Unsigned commits will be rejected by the merge gates.
+3. **No AI Slop Clause**: We enforce a strict policy against unverified AI-generated code. Contributors must fully understand, explain, and architecturally justify every single line of code proposed in a PR. Proposing code that you cannot explain will lead to immediate rejection of the contribution.
+4. **Developer Certificate of Origin (DCO)**: All commits must include a `Signed-off-by:` line (using `git commit -s`) to certify compliance with the DCO.
+5. **Conventional Commits**: Commit messages must strictly follow the Conventional Commits specification (e.g., `feat: add block anchor support (#123)`).
+
+---
+
 ## Prerequisites
 
 | Tool | Version | Install |

README.it.md

@@ -23,7 +23,7 @@ SPDX-License-Identifier: Apache-2.0
 [![REUSE 3.x compliant](https://img.shields.io/badge/REUSE-3.x%20compliant-0d9488?style=flat-square)](https://reuse.software/)
 [![License](https://img.shields.io/badge/license-Apache--2.0-0d9488?style=flat-square)](LICENSE)
 [![Documentation: Diátaxis](https://img.shields.io/badge/Docs-Di%C3%A1taxis-brightgreen?style=flat-square)](https://diataxis.fr/)
-[![Zenzic](https://img.shields.io/badge/Zenzic-v0.10.1-blue?style=flat-square)](https://github.com/PythonWoods/zenzic)
+[![Zenzic](https://img.shields.io/badge/Zenzic-v0.10.3-blue?style=flat-square)](https://github.com/PythonWoods/zenzic)
 
 ---
 

README.md

@@ -23,7 +23,7 @@ SPDX-License-Identifier: Apache-2.0
 [![REUSE 3.x compliant](https://img.shields.io/badge/REUSE-3.x%20compliant-0d9488?style=flat-square)](https://reuse.software/)
 [![License](https://img.shields.io/badge/license-Apache--2.0-0d9488?style=flat-square)](LICENSE)
 [![Documentation: Diátaxis](https://img.shields.io/badge/Docs-Di%C3%A1taxis-brightgreen?style=flat-square)](https://diataxis.fr/)
-[![Zenzic](https://img.shields.io/badge/Zenzic-v0.10.1-blue?style=flat-square)](https://github.com/PythonWoods/zenzic)
+[![Zenzic](https://img.shields.io/badge/Zenzic-v0.10.3-blue?style=flat-square)](https://github.com/PythonWoods/zenzic)
 
 ---
 

RELEASE.md

@@ -8,9 +8,9 @@
 
 | Field    | Value      |
 | :------- | :--------- |
-| Version  | v0.10.1     |
+| Version  | v0.10.3     |
 | Codename | Magnetite   |
-| Date     | 2026-06-07 |
+| Date     | 2026-06-08 |
 | Status   | Stable     |
 
 ## Release Checklist
@@ -47,11 +47,11 @@ git checkout main
 git pull origin main
 
 # 3. Tag the main branch and push
-git tag v0.10.1
+git tag v0.10.3
 git push origin main --tags
 ```
 
-- [ ] Create GitHub Release from the tag, using the `## v0.10.1` CHANGELOG section as the release body.
+- [ ] Create GitHub Release from the tag, using the `## v0.10.3` CHANGELOG section as the release body.
 
 ## Changelog Reference
 

developers/how-to/contribute/index.mdx

@@ -86,6 +86,10 @@ In this section, we guide you through our processes.
   [request a change]: request-a-change.mdx
   [make a pull request]: pull-requests.mdx
 
+## Issue-First Policy
+
+To maintain a healthy codebase and optimize maintainer resources, Zenzic enforces a strict **Issue-First Policy**. No Pull Request will be reviewed, merged, or discussed unless it is preceded by a corresponding Issue that has been formally discussed and approved by the maintainers. Always link the approved Issue in your PR description.
+
 ## Checklist
 
 Before interacting within the project, please take a moment to consider the

developers/how-to/contribute/pull-requests.mdx

@@ -115,13 +115,9 @@ The `zenzic` binary in your activated virtual environment is what you want
 — not `uvx`, which would download the published PyPI version.
 :::
 
-## Before you start
+## Issue-First Policy
 
-Before you start work on a pull request (PR), we need you to open an issue and
-discuss it with us so we know what you are working on and so we can agree on the
-approach to take. This prevents you from spending time on a feature that may not
-align with the project's goals. You then reference the issue number in your PR
-to link back to our discussion.
+To optimize resources and ensure contributions align with the architectural goals of the project, Zenzic enforces a strict **Issue-First Policy**. No Pull Request will be reviewed, merged, or discussed unless it is preceded by a corresponding Issue that has been formally discussed and approved by the maintainers. Always link the approved Issue in your PR description.
 
 ## CI/CD & Draft PRs
 
@@ -226,15 +222,9 @@ For binary files, generated assets, or formats with no comment syntax, add an
 entry to `REUSE.toml` at the repository root instead of adding inline headers.
 The pre-commit hook validates both inline headers and `REUSE.toml` entries.
 
-## Use of Generative AI
+## Use of Generative AI (No AI Slop)
 
-AI-assisted coding can be useful, but the unreflected inclusion of AI-generated
-code can also do great harm. By signing off on commits, you attest that you have
-either written all the code yourself or have thoroughly reviewed and fully
-understood any generated code.
-
-Code contributions that contain obviously AI-generated code that you cannot
-fully explain to us will be rejected.
+We enforce a strict policy against unverified AI-generated code ("No AI Slop"). AI-assisted coding can be useful, but contributors must thoroughly understand, explain, and architecturally justify every single line of code proposed in a PR. Proposing code that you cannot explain will lead to immediate rejection of the contribution.
 
 ## Commit message standards
 

docs/how-to/configure-ci-cd.mdx

@@ -199,7 +199,7 @@ jobs:
 
         uses: PythonWoods/zenzic-action@<version>
         with:
-          version: "0.10.1"          # pin to a stable release
+          version: "0.10.3"          # pin to a stable release
           format: sarif             # emit SARIF for Code Scanning
           upload-sarif: "true"
           fail-on-error: "true"
@@ -254,7 +254,7 @@ Slack notifications without re-parsing the SARIF file:
         id: zenzic
         uses: PythonWoods/zenzic-action@<version>
         with:
-          version: "0.10.1"
+          version: "0.10.3"
 
       - name: Post finding count
 
@@ -271,7 +271,7 @@ By setting `ci: "true"`, the action natively injects the `--ci` flag under the h
       - name: Zenzic Progressive Gate
         uses: PythonWoods/zenzic-action@<version>
         with:
-          version: "0.10.1"
+          version: "0.10.3"
           ci: "true"              # Native inline PR annotations (no SARIF required)
           only: "Z101,Z201"       # Gate ONLY fails on broken links and leaked secrets
           fail-on-error: "true"
@@ -320,7 +320,7 @@ jobs:
       - name: Run Zenzic and save baseline
         uses: PythonWoods/zenzic-action@<version>
         with:
-          version: "0.10.1"
+          version: "0.10.3"
           format: json          # triggers .zenzic-score.json snapshot
           upload-sarif: "false"
 
@@ -352,7 +352,7 @@ jobs:
         uses: PythonWoods/zenzic-action@<version>
         id: zenzic
         with:
-          version: "0.10.1"
+          version: "0.10.3"
           format: sarif
           upload-sarif: "true"
           diff-base: ".zenzic-baseline/.zenzic-score.json"
@@ -400,7 +400,7 @@ jobs:
       - name: Sovereign Audit (suppressions bypassed)
         uses: PythonWoods/zenzic-action@<version>
         with:
-          version: "0.10.1"
+          version: "0.10.3"
           format: sarif
           upload-sarif: "true"
           audit: "true"           # bypass all zenzic:ignore and per_file_ignores
@@ -419,7 +419,7 @@ The `guard-scan: "true"` input runs `zenzic guard scan` as a standalone step **b
       - name: Run Zenzic Documentation Quality Gate
         uses: PythonWoods/zenzic-action@<version>
         with:
-          version: "0.10.1"
+          version: "0.10.3"
           guard-scan: "true"   # zenzic guard scan runs before check all
           format: sarif
           upload-sarif: "true"

docs/tutorials/examples/z1xx-links/z102-anchor-missing.mdx

@@ -97,6 +97,10 @@ This error or warning is raised by Zenzic when a markdown link contains a fragme
 
 Exit code 1 halts the CI/CD pipeline. Resolve the issue by adding the missing header to the target document, ensuring its slugified name matches the fragment, or updating the link to target a valid header.
 
+## Explicit Anchors & Attribute Lists
+
+Zenzic natively supports explicit block-level anchors (such as `{#id}`) and handles markdown attribute lists (e.g., `{ data-toc-label="Overview" }`) attached to headings. When compiling the header registry, Zenzic strips these attribute lists before slugifying heading text, preventing false-positive `Z102` errors.
+
 ## See Also
 
 - [z101 — Broken Links](z101-broken-links) — the file-level variant: the target file itself does not exist.

docs/tutorials/examples/z1xx-links/z104-file-not-found.mdx

@@ -85,6 +85,10 @@ filesystem entry:
 + For the complete API specification, see the [API Reference](api/index.md).
 ```
 
+## Footnotes Parsing Behavior
+
+Footnote definitions (such as `[^1]: footnote text`) are parsed and recognized correctly by Zenzic's link parser. Zenzic automatically ignores footnotes during the link verification process, preventing them from being mistakenly validated as filesystem links, thereby avoiding false-positive `Z104` errors.
+
 ## See Also
 
 - [Z101 — Broken Links](z101-broken-links) — routing-level link integrity.

docs/tutorials/examples/z5xx-content/z503-snippet-error.mdx

@@ -58,6 +58,10 @@ This error or warning is raised by Zenzic when a fenced code block has syntax er
 
 Exit code 1. Fix the syntax error in the Python code block to ensure it is valid Python code.
 
+## Custom YAML Tags Support
+
+The YAML validator used by Zenzic's Snippet Guard natively registers and supports standard PyYAML custom tags (such as `!!python/name:` or `!!python/object/apply:`) as well as unregistered custom tags (such as `!ENV` or `!file`) commonly used in MkDocs configuration files. This ensures that valid YAML files incorporating these structures are parsed successfully without throwing false-positive `Z503` exceptions.
+
 ## See Also
 
 - [Checks Reference](../../../reference/checks) — full rule specification.

docusaurus.config.ts

@@ -75,7 +75,7 @@ const config: Config = {
           lastVersion: 'current',
           versions: {
             current: {
-              label: '0.10.1',
+              label: '0.10.3',
               badge: false,
               banner: 'none',
             },
@@ -239,7 +239,7 @@ const config: Config = {
           ],
         },
       ],
-      copyright: `© ${new Date().getFullYear()} PythonWoods · Zenzic v0.10.1 · Engineered with precision by PythonWoods in Italy 🇮🇹`,
+      copyright: `© ${new Date().getFullYear()} PythonWoods · Zenzic v0.10.3 · Engineered with precision by PythonWoods in Italy 🇮🇹`,
     },
     prism: {
       theme: prismThemes.github,

i18n/en/code.json

@@ -43,7 +43,7 @@
     "message": "Brand obsolescence"
   },
   "homepage.hero.badge": {
-    "message": "v0.10.1",
+    "message": "v0.10.3",
     "description": "Wait release version badge"
   },
   "enterprise.section.sub": {

i18n/it/code.json

@@ -379,7 +379,7 @@
     "message": "Marchio obsoleto"
   },
   "homepage.hero.badge": {
-    "message": "v0.10.1",
+    "message": "v0.10.3",
     "description": "Wait release version badge"
   },
   "homepage.hero.title": {

i18n/it/docusaurus-plugin-content-docs/current.json

@@ -1,6 +1,6 @@
 {
   "version.label": {
-    "message": "0.10.1",
+    "message": "0.10.3",
     "description": "The label for version current"
   },
   "sidebar.tutorialSidebar.category.User Guide": {