Releases: PythonWoods/zenzic
zenzic 0.10.4 — Security patch & CI hardening
What's changed
Security
- urllib3 2.6.3 → 2.7.0 — CVE-2026-44431, CVE-2026-44432
- idna 3.11 → 3.18 — CVE-2026-45409
- pip 26.0.1 → 26.1.2 — CVE-2026-6357, CVE-2026-3219
- actions/checkout pinned to v6.0.3 SHA (closes #98)
- amannn/action-semantic-pull-request pinned to v6.1.1 SHA (closes #99)
CI
- Removed `pull_request.paths` filter from `ci.yml` so the required `Audit` check is always created for every PR — eliminates false-pending states in branch protection
Documentation
- SSH commit signing setup instructions added to `CONTRIBUTING.md`
- Badge centering fixed in `README.md` / `README.it.md`
Full changelog
https://github.com/PythonWoods/zenzic/blob/main/CHANGELOG.md
v0.10.3: Core AST Parsers & Custom YAML Support Patch
This patch release resolves critical false-positive findings identified during static analysis audits of MkDocs and Docusaurus projects. It also introduces hardened enterprise-grade contribution standards and PR compliance workflows.
🐛 Bug Fixes
- Footnote Link Resolution (Z104): Refactored the AST reference link builder (`_build_ref_map`) to properly recognize and ignore footnote definitions (e.g., `[^1]:`). This prevents footnote descriptions from being mistakenly processed as broken filesystem paths.
- Heading Attribute Lists & Custom Block Anchors (Z102):
  - Implemented stripping of markdown attribute list metadata (e.g., `{ data-toc-label="..." }`) from ATX headings prior to slugification, preventing mismatched heading anchor findings.
  - Added native support for explicit block-level custom anchors (`{#id}`) and footnote targets (`#fn:1`), aligning the validator with Python-Markdown and Docusaurus anchor resolution.
- Custom YAML Tag Constructors (Z503): Registered standard PyYAML type tags (e.g., `!!python/name:`) and custom unregistered tags (e.g., `!ENV`) in the snippet validator's `PermissiveSafeLoader`. This enables MkDocs config validations to pass cleanly without throwing syntax validator exceptions.
🛡️ Enterprise Governance & Compliance
- Issue-First Policy: PRs must now be linked to an approved and discussed issue before review.
- Conventional Commits & DCO: Enforced Conventional Commits formatting and DCO sign-offs (`git commit -s`) via a new automated PR workflow (`compliance.yml`).
- AI-Slop Prevention: Strict requirement for contributors to understand and justify all code alterations.
v0.10.2 (AST & Local Path Resolution Patch)
This patch release resolves two critical false-positive detection bugs in the core engine.
Fixed
- AST Parser Blindspot (Z302): The reference parser now correctly harvests image nodes (`![alt][id]`), eliminating false-positive "Orphan Definition" warnings for valid image definitions.
- Path Resolution Fragments (Z101/Z104): The local filesystem resolver now automatically strips GitHub Flavored Markdown (GFM) suffixes (e.g., `#gh-light-mode-only`) and query strings (`?...`) before validation, preventing false-positive unreachable errors on dynamically-styled images and local targets.
v0.10.1: i18n Path Resolution Fixes & CI Hardening
What's New in v0.10.1
This patch release resolves critical path mapping bugs affecting localized documentation (i18n) and standardizes our CI/CD workflows for external contributors.
Bug Fixes
- i18n Path Remapping (Windows & POSIX): Fixed a regression where findings in localized directories (e.g., `i18n/it/docs/`) produced malformed absolute paths (like `docs//home/...`). The `_locale_path_remap` is now perfectly synchronized with `SecurityFinding` objects, ensuring clean, logical paths on both Linux and Windows environments.
CI/CD & Governance
- Draft PR Paradigm: Optimized GitHub Actions triggers to run exclusively on `main` pushes and `pull_request` events. This fully supports the modern Shift-Left pattern of opening Draft PRs for continuous remote feedback while saving CI resources on orphaned branches.
- Global CI Naming Contract: Aligned all Zenzic Core workflow files to the new organizational naming standard (e.g. `Zenzic Core CI`, `Run Zenzic Quality Gate`).
- Gateway Documentation: Consolidated workflow instructions into a single source of truth, updating `CONTRIBUTING.md` with pointer references to prevent DRY violations across the ecosystem.
Full Changelog: v0.10.0...v0.10.1
Release v0.10.0 (Diamond)
Added
- Native GitHub Annotations: Added `--format github-annotations` which outputs findings using the `::error::` workflow command syntax, allowing GitHub Actions to natively inject inline review comments directly into PR diffs.
- CI Shorthand: Added `--ci` flag, which automatically sets `--strict` mode (warnings become errors) and enables `--format github-annotations`, standardizing the CI integration.
- Targeted Filtering: Added `--only` flag (e.g. `--only Z104,Z201`) to perform destructive filtering of findings at the engine level. This enables progressive adoption of Zenzic on legacy repositories by letting teams start with critical rules before expanding scope.
- Added: Asynchronous network engine based on asyncio and httpx for concurrent validation of external links (Z109).
- Added: Atomic local caching (`.zenzic_cache/external_links.json`) with a configurable 24h TTL to eliminate latency on repeated runs.
- Added: Smart Fallback (HEAD -> GET stream) to work around servers that block HEAD requests (e.g. 403/405).
- Added: New TOML `[network]` configuration for granular cache control.
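The annotation output described in the first two items of this list can be sketched as follows. This is an added example, not Zenzic's own code: the finding fields (`code`, `severity`, `file`, `line`, `message`) and the function names are assumptions, and the sample finding is constructed. The escaping follows GitHub's workflow-command encoding, which matters because file names and messages come from the documents being scanned.

```python
# Added illustration: render a finding as a GitHub Actions workflow command.
# Field names and helper names are hypothetical, not Zenzic's API.


def _escape_data(text: str) -> str:
    """Encode the message part so it cannot end the command line early."""
    return text.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def _escape_property(text: str) -> str:
    """Encode a property value; ':' and ',' delimit properties."""
    return _escape_data(text).replace(":", "%3A").replace(",", "%2C")


def to_annotation(finding: dict, strict: bool = False) -> str:
    """Return one '::level file=...,line=...,title=...::message' line.

    With strict=True (what --ci implies per the notes above) warnings
    are promoted to errors.
    """
    is_error = finding["severity"] == "error" or strict
    level = "error" if is_error else "warning"
    props = ",".join(
        [
            f"file={_escape_property(finding['file'])}",
            f"line={int(finding['line'])}",
            f"title={_escape_property(finding['code'])}",
        ]
    )
    return f"::{level} {props}::{_escape_data(finding['message'])}"


# Constructed sample finding: a comma in the path, '%' and a newline in the message.
SAMPLE = {
    "code": "Z104",
    "severity": "warning",
    "file": "docs/a,b.md",
    "line": 7,
    "message": "100% broken\nsecond line",
}

if __name__ == "__main__":
    print(to_annotation(SAMPLE))
    print(to_annotation(SAMPLE, strict=True))
```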
v0.9.2 (Graphite)
This patch release hardens the core engine against false positives and resolves a silent scoring penalty.
Fixed
- Core: Resolved Z501 (Placeholder) over-reach by restricting default patterns to strict word boundaries (`\bTODO\b`, `\bFIXME\b`).
- Core: Fixed a silent DQS penalty bug for Z401 (Missing Directory Index) by zeroing its penalty weight.
- Core: Added `README.md` fallback support for directory index resolution in standalone mode.
- Adapter: Added conditional support for `.pages` files in `MkDocsAdapter` (prevents Z405 false positives when `awesome-pages` plugin is active).
- CLI: Enhanced `zenzic init` output with actionable CI/CD integration instructions.
v0.9.1 - Graphite
Zenzic v0.9.1 "Graphite"
This maintenance and quality-focused release aligns path resolution architectures, resolves scoring discrepancies, and completes the Z-Code rule validation coverage.
What's Changed
Added
- New Lint Rules Coverage: Native engine checks, fixtures, lab, and test validation coverage for:
  - `Z107 CIRCULAR_ANCHOR` (detects self-referential anchor links)
  - `Z104 FILE_NOT_FOUND` (checks for missing referenced files)
Changed
- Unified Score Exclusions Pipeline: Refactored `zenzic score` calculations (`_run_all_checks` in `_standalone.py`) to run the exact same collection and translation pipeline as `check all`. Suppression exclusions (`per_file_ignores` and `directory_policies`) are now applied identically to ensure DQS aligns perfectly with linter findings.
- Repository-Relative Path Resolution: Refactored path mapping across the core engine scanner (`scanner.py`), CLI check commands (`_check.py`), findings reporter (`reporter.py`), and governance filter (`_governance.py`) to strictly resolve all finding relative paths against `repo_root` instead of `docs_root`, eliminating path inconsistencies.
- Badge Stamping Path Resolution: Fixed `score --stamp` and `score --check-stamp` path resolution so that configured `badge_stamp_files` paths are resolved relative to the target project's `repo_root` instead of the process's working directory.
Fixed
- Core scanner integration fix for `Z403 MISSING_ALT_TEXT` to align fixture coverage with production scan paths.
- Fixture line-number correction in scanner test cases to keep finding locations deterministic and stable.
For a complete migration history, see the Changelog.
v0.9.0 — The Governance Engine
What's new in v0.9.0
Score telemetry & stamp gates
- `zenzic score --stamp` writes a deterministic in-file badge with the current score.
- `zenzic score --check-stamp` enforces a freshness gate: fails if the stamp is stale.
- `badge_stamp_files` key in project metadata declares which files carry a stamp.
Lab gallery — all 20 Z-code sandboxes
- `zenzic lab` is now a fully populated empirical gallery covering 100% of Z-codes.
- 15 new sandbox directories added under `examples/` (z102 → z505), each with a `.zenzic.toml`, a `README.md`, and a minimal `docs/` tree that reliably triggers the target rule.
- `zenzic lab all` validates that every scenario exits with the expected code in a single command.
Performance
- Z204 (FORBIDDEN_TERM): `ZenzicConfig` pre-compiles a RE2 union regex once at init (`_recompile_forbidden_patterns()`). Scan complexity drops from O(N_lines × N_patterns) to O(N_lines).
- Z601 (BRAND_OBSOLESCENCE): `BrandObsolescenceRule` replaced per-pattern iteration with a single RE2 union compiled at `__init__`. Same O(N_lines) reduction.
Suppression model
- Debt model migrated to flat-cost scoring (one point per suppression).
- `suppression_cap` is now an independent hard-fail governance gate (not folded into the score).
- Local overlay parsing hardened with strict unknown-key rejection.
Removed
- Legacy adapter methods `map_url()` and `classify_route()`.
- Legacy `--export-shields` flag (superseded by `--stamp` / `--check-stamp`).
Full changelog: CHANGELOG.md
Zenzic v0.8.0 (Basalt)
Zenzic v0.8.0 establishes the foundation for enterprise documentation governance. This release replaces heuristic configurations with deterministic mathematical models, hardens the CI/CD integration contracts, and optimizes the I/O discovery engine.
Core Capabilities
The Flat-Cost DQS Model
The Documentation Quality Score (DQS) calculation has been redesigned. The previous allowance-based system is replaced by a Flat-Cost model: every suppression directive (zenzic:ignore) deducts exactly 1.0 point from the final score. The suppression_cap configuration is now a strict hard-fail ceiling. If the total number of suppressions exceeds the cap, the CI pipeline terminates with Exit Code 1, regardless of the numeric score.
Native Telemetry Validation
Zenzic now natively manages its own reporting artifacts.
- `zenzic score --stamp`: Injects the current DQS badge directly into configured Markdown files (e.g., `README.md`), crystallizing the score at the commit level (Time-Traveling Badges).
- `zenzic score --check-stamp`: A native CI gate that fails the build if the committed badge does not match the actual repository score, eliminating the need for external `git diff` scripts.
I/O Choke Point & Auto-Discovery
File system traversal has been rewritten. The engine no longer uses unconstrained recursive globs. All discovery operations pass through a centralized I/O choke point guarded by the LayeredExclusionManager. System directories (.venv, node_modules, .git) are pruned in-place, drastically reducing disk thrashing and execution time on large monorepos.
Local Governance Hardening
The .zenzic.local.toml override file now utilizes ADDITIVE deep merge semantics for security and governance arrays (custom_rules, brand_obsolescence, excluded_dirs). Local workstation configurations extend the global repository policy rather than replacing it, preventing silent security bypasses.
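The difference between additive and replacing merge semantics, as an added example that is not Zenzic's implementation. The function names, the rule name `no-internal-hostnames` and the sample configs are constructed; restricting the overlay to the three arrays named above is an assumption made so the sketch can also show unknown-key rejection.

```python
# Added illustration of additive overlay merging; not Zenzic's own code.
ADDITIVE_KEYS = {"custom_rules", "brand_obsolescence", "excluded_dirs"}  # arrays named above


class OverlayError(ValueError):
    """The local overlay contains a key or type this sketch does not accept."""


def merge_replace(repo_cfg: dict, local_cfg: dict) -> dict:
    """Last-writer-wins merge, shown for contrast: an empty local array drops the policy."""
    return {**repo_cfg, **local_cfg}


def merge_additive(repo_cfg: dict, local_cfg: dict) -> dict:
    """Extend repository policy arrays with local entries; never shrink them."""
    unknown = sorted(set(local_cfg) - ADDITIVE_KEYS)  # assumption: only these keys allowed
    if unknown:
        raise OverlayError(f"unknown keys in local overlay: {unknown}")
    # Copy lists so the repository policy object is never mutated.
    merged = {k: list(v) if isinstance(v, list) else v for k, v in repo_cfg.items()}
    for key, value in local_cfg.items():
        if not isinstance(value, list):
            raise OverlayError(f"{key} must be an array")
        target = merged.setdefault(key, [])
        for item in value:
            if item not in target:  # keep order, skip duplicates
                target.append(item)
    return merged


# Constructed sample configs (already parsed from TOML into dicts).
REPO = {
    "excluded_dirs": [".git", "node_modules"],
    "custom_rules": ["no-internal-hostnames"],
    "fail_under": 90,
}
LOCAL = {"custom_rules": [], "excluded_dirs": ["scratch"]}

if __name__ == "__main__":
    print("replace :", merge_replace(REPO, LOCAL))
    print("additive:", merge_additive(REPO, LOCAL))
```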
Migration Guide (Breaking Changes)
For Plugin Authors:
The BaseAdapter abstract base class has been streamlined. The map_url() and classify_route() methods have been removed from the public API. Custom adapters must now implement the unified get_route_info() method.
For CI/CD Integrators:
The --strict flag no longer forces the score threshold to 100. It now acts solely to promote warnings to errors. The score gate is controlled exclusively by the fail_under configuration.
Assets
brand-kit.zip: Contains the official, atemporal Zenzic vector assets (SVG) for offline and enterprise use.
Zenzic v0.7.1 — Infrastructure Patch & Zero-Config Alignment
This release is a silent infrastructure patch focused on CI/CD alignment, test matrix correctness, and enforcing the "Zero-Config" philosophy. It carries no architectural or narrative significance; all foundational achievements belong exclusively to v0.7.0 (Quartz Maturity).
Changed (Breaking)
- Zero-Config Enforcement: Changed `respect_vcs_ignore` default to `True`. Zenzic now natively respects `.gitignore` files out-of-the-box, matching industry standards.
- Test Matrices: Aligned Nox test matrices to test all supported Python versions (`3.10` through `3.14`), mirroring GitHub Actions boundary testing.
- Mypy Strictness: Lowered `mypy.python_version` to `3.10` and implemented `tomli` fallback to guarantee true backward compatibility for older Python environments.
Removed
- Pre-commit Redundancy: Removed the restrictive `no-commit-to-branch` hook to unblock automated release workflows on the main branch.
- CI Double Execution: Removed `pytest` from the default pre-commit hook. Tests are now correctly isolated to the pre-push gate (`just verify`) and remote CI, restoring instant local linting.