Clarify patch 0.1.1 artifact refresh prep

.github/scripts/test_release_reproducibility_scaffold.py

@@ -17,6 +17,7 @@
 
 from __future__ import annotations
 
+import re
 import unittest
 from pathlib import Path
 
@@ -25,12 +26,18 @@
 WORKFLOW = ROOT / ".github/workflows/release.yml"
 INVENTORY_WRITER = ROOT / ".github/scripts/write_release_artifact_inventory.py"
 INVENTORY_VALIDATOR = ROOT / ".github/scripts/validate_release_artifact_inventory.py"
+OPERATOR_RUNBOOK = ROOT / "docs/RELEASE_OPERATOR_RUNBOOK.md"
+RELEASE_NOTICES = ROOT / "docs/release-artifact-notices.md"
 
 
 def read(path: Path) -> str:
     return path.read_text(encoding="utf-8")
 
 
+def normalized(path: Path) -> str:
+    return re.sub(r"\s+", " ", read(path))
+
+
 class ReleaseReproducibilityScaffoldTests(unittest.TestCase):
     def test_workflow_records_rebuildable_cli_inputs(self) -> None:
         text = read(WORKFLOW)
@@ -53,6 +60,23 @@ def test_inventory_binds_checksum_target_and_publication_status(self) -> None:
         self.assertIn("linux-x64", validator)
         self.assertIn("malformed sha256", validator)
 
+    def test_patch_release_artifact_refresh_prep_stays_bounded(self) -> None:
+        runbook = read(OPERATOR_RUNBOOK)
+        notices = read(RELEASE_NOTICES)
+        normalized_notices = normalized(RELEASE_NOTICES)
+        combined = f"{runbook}\n{notices}"
+
+        self.assertIn("@docushell/ethos-pdf@0.1.1", runbook)
+        self.assertIn("Patch 0.1.1 Artifact Refresh Prep", runbook)
+        self.assertIn("ethos 0.1.1", runbook)
+        self.assertIn("ethos 0.1.1", notices)
+        self.assertIn("packages/npm/ethos-pdf/vendor/manifest.json", combined)
+        self.assertIn("draft_not_release_ready", notices)
+        self.assertIn("publication: blocked", notices)
+        self.assertIn("does not authorize", normalized_notices)
+        self.assertIn("npm publication as blocked", runbook)
+        self.assertNotIn("@docushell/ethos-pdf@0.1.0` surfaces", combined)
+
 
 if __name__ == "__main__":
     unittest.main()

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## Unreleased
 
+- boundary-exception: clarify patch `0.1.1` artifact and npm vendor refresh prep in operator docs; no artifact publication, package publication, or support-boundary change.
 - boundary-exception: prepare patch `0.1.1` workspace, Python, npm, CLI, and public install/version surfaces for review; no new hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, or `ethos-rag` boundary opens.
 - boundary-exception: add patch `0.1.1` readiness-prep record for review only; no version bump, release approval, artifact approval, package publication, or support-boundary change.
 - process-follow-up: record patch `0.1.1` readiness prep contents and retained blockers without approving release action or changing versions.

docs/RELEASE_OPERATOR_RUNBOOK.md

@@ -1,10 +1,10 @@
 # Release Operator Runbook
 
-Ethos is public beta evaluation for approved source, Rust crate, Python wheel, macOS arm64 CLI
-artifact, Linux x64 CLI artifact, and npm `@docushell/ethos-pdf@0.1.0` surfaces. This runbook
-describes the operator checks required before any additional public promotion. It does not authorize
-new GitHub Release artifacts, new package publication, hosted surfaces, production positioning,
-Windows packaged artifacts, bundled project-maintained PDFium builds, or benchmark reports.
+Ethos is public beta evaluation for source, Rust crate, Python wheel, macOS arm64 CLI artifact,
+Linux x64 CLI artifact, and npm `@docushell/ethos-pdf@0.1.1` surfaces. This runbook describes the
+operator checks required before any public promotion. It does not authorize new GitHub Release
+artifacts, new package publication, hosted surfaces, production positioning, Windows packaged
+artifacts, bundled project-maintained PDFium builds, or benchmark reports.
 
 ## Who Can Release
 
@@ -24,6 +24,23 @@ record names an operator or approving group, treat the workflow output as draft
 7. Treat the downloaded archives as CI evidence only unless a separate approval record authorizes
    the exact public release artifact, version, checksum, and wording.
 
+## Patch 0.1.1 Artifact Refresh Prep
+
+The source tree now prepares `0.1.1` package and CLI version surfaces. The checked-in npm vendor
+manifest and vendor binaries must not be refreshed from local builds or unapproved archives. Before
+publishing or attaching any `0.1.1` artifact, the operator must:
+
+1. Produce macOS arm64 and Linux x64 draft CLI archives from the release workflow at the reviewed
+   source commit.
+2. Verify each archive with `smoke_release_cli_artifact.py` and require `ethos 0.1.1` in the smoke
+   evidence.
+3. Record each archive SHA256 and inventory in a dedicated approval record.
+4. Update `packages/npm/ethos-pdf/vendor/manifest.json` only from approved `0.1.1` archive
+   checksums.
+5. Run `npm run prepare:vendor -- <release-artifact-dir>` only against the approved archives.
+6. Treat npm publication as blocked until an approval record binds the refreshed vendor checksums,
+   package version, artifact source commit, and exact public wording.
+
 ## Local Checks Before Any Future Promotion
 
 ```sh
@@ -36,8 +53,7 @@ python3 .github/scripts/validate_release_artifact_inventory.py target/release-ar
 ## Promotion Gate
 
 Before creating or updating any public GitHub Release, package registry entry, or public release
-notes beyond the already-approved `v0.1.0` evaluation surfaces, the operator needs an approval
-record that binds:
+notes for `v0.1.1`, the operator needs an approval record that binds:
 
 - exact source commit;
 - artifact names and platform targets;

docs/release-artifact-notices.md

@@ -1,7 +1,7 @@
 # Release Artifact Notices
 
-Ethos has approved `v0.1.0` public beta evaluation surfaces for source, Rust crates, Python wheel,
-macOS arm64 CLI artifact, Linux x64 CLI artifact, and npm `@docushell/ethos-pdf@0.1.0`. This
+Ethos has prepared `v0.1.1` public beta evaluation surfaces for source, Rust crates, Python wheel,
+macOS arm64 CLI artifact, Linux x64 CLI artifact, and npm `@docushell/ethos-pdf@0.1.1`. This
 document defines the license and NOTICE bundle contract for release artifacts; it does not
 authorize additional releases, package publication, binaries, wheels, npm updates, hosted surfaces,
 production positioning, Windows packaged artifacts, bundled project-maintained PDFium builds, or
@@ -56,8 +56,9 @@ It writes a planning bundle under `target/release-notice-draft/`:
 
 The draft bundle is intentionally marked `draft_not_release_ready`.
 
-The first public release-prep workflow may also create CI-only draft CLI artifact archives for
-macOS arm64 and Linux x64. Those archives must include SHA256 checksums and an
+The release-prep workflow may also create CI-only draft CLI artifact archives for macOS arm64 and
+Linux x64. Patch `0.1.1` archives must smoke as `ethos 0.1.1`. Those archives must include SHA256
+checksums and an
 `ethos.release_artifact_inventory.v1` inventory marked `draft_not_release_ready` and
 `publication: blocked`.
 
@@ -79,6 +80,7 @@ Before any public release artifact:
 
 - replace the draft artifact identifier with the concrete artifact name and platform;
 - review the artifact payload inventory and checksums;
+- refresh `packages/npm/ethos-pdf/vendor/manifest.json` only from approved artifact checksums;
 - include PDFium/font notices when those assets are bundled;
 - rerun `make release-advisory`;
 - rerun `make third-party-license-manifest`;