diff --git a/.github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py b/.github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py
new file mode 100644
index 0000000..695c5c7
--- /dev/null
+++ b/.github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py
@@ -0,0 +1,161 @@ +#!/usr/bin/env python3 +# +# Copyright 2026 The Ethos maintainers +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import annotations + +import re +import unittest +from pathlib import Path + +from makefile_guard import target_block + + +ROOT = Path(__file__).resolve().parents[2] +RECORD = ROOT / ( + "docs/validation/" + "patch-0-1-1-artifact-publication-approval-request-validation-2026-06-23.md" +) +VALIDATION_README = ROOT / "docs/validation/README.md" + +SOURCE_SHORT = "bfc6dc1" +SOURCE_COMMIT = "bfc6dc11801af4416b6760c1bbd216c5a1a22809" +SOURCE_TREE = "41680dbd9d506df280a5ca246c4225db6a047be7" +RUN_URL = "https://github.com/docushell/ethos/actions/runs/28040466463" +MACOS_SHA256 = "eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88" +LINUX_SHA256 = "842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0" + +APPROVAL_REQUEST_WORDING = ( + "Ethos is public beta for source, Rust crate, Python wheel, macOS arm64 CLI artifact, Linux x64 " + "CLI artifact, and npm `@docushell/ethos-pdf` evaluation. It verifies whether AI citations are " + "grounded in document evidence across native Ethos JSON and supported foreign parser outputs. " + "Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are available on crates.io " + "at `0.1.1` for evaluation. 
The Python `ethos-pdf` wheel, npm `@docushell/ethos-pdf@0.1.1` " + "package, and macOS arm64/Linux x64 CLI artifacts are available for evaluation with " + "caller-provided PDFium. Hosted surfaces, production positioning, Windows packaged artifacts, " + "bundled project-maintained PDFium builds, `ethos-doc`, `ethos-rag`, public benchmark reports, " + "public benchmark claims, and speed, footprint, parser-quality, table-quality, or production " + "claims remain blocked." +) + + +def read(path: Path) -> str: + return path.read_text(encoding="utf-8") + + +def normalized(path: Path) -> str: + return re.sub(r"\s+", " ", read(path)) + + +class Patch011ArtifactPublicationApprovalRequestTests(unittest.TestCase): + def test_record_binds_current_source_and_workflow_evidence(self) -> None: + raw = read(RECORD) + text = normalized(RECORD) + + self.assertIn(f"Validated source HEAD before this record: `{SOURCE_SHORT}`", raw) + self.assertIn(f"Artifact-publication-request source commit: `{SOURCE_COMMIT}`", text) + self.assertIn(f"Artifact-publication-request source tree: `{SOURCE_TREE}`", text) + self.assertIn(RUN_URL, text) + self.assertIn("Run conclusion: `success`", text) + self.assertIn("Run event: `workflow_dispatch`", text) + self.assertIn("Run branch: `main`", text) + + def test_record_requests_only_exact_cli_artifacts_for_v0_1_1(self) -> None: + text = normalized(RECORD) + + for artifact in ( + "ethos-macos-arm64.tar.gz", + "ethos-macos-arm64.tar.gz.sha256", + "ethos-macos-arm64.inventory.json", + "ethos-macos-arm64.smoke.json", + "ethos-linux-x64.tar.gz", + "ethos-linux-x64.tar.gz.sha256", + "ethos-linux-x64.inventory.json", + "ethos-linux-x64.smoke.json", + ): + self.assertIn(artifact, text) + self.assertIn("GitHub Release tag `v0.1.1`", text) + self.assertIn(MACOS_SHA256, text) + self.assertIn(LINUX_SHA256, text) + self.assertIn("Both smoke sidecars report `ethos 0.1.1`", text) + self.assertIn("Both inventory sidecars report `draft_not_release_ready`", text) + 
self.assertIn("`publication: blocked`", text) + + def test_record_preserves_bounded_public_wording(self) -> None: + record = re.sub(r"\s+", " ", read(RECORD).replace("> ", "")) + + self.assertIn(APPROVAL_REQUEST_WORDING, record) + self.assertIn("Any broader public wording requires a separate decider record.", record) + + def test_record_keeps_publication_blocked_until_explicit_approval(self) -> None: + raw = read(RECORD) + text = normalized(RECORD) + lower = text.lower() + + for blocker in ( + "GitHub Release artifact publication remains blocked", + "`packages/npm/ethos-pdf/vendor/manifest.json` must not be refreshed", + "npm publication remains blocked", + "Hosted surfaces remain blocked", + "Production positioning remains blocked", + "Windows packaged artifacts remain blocked", + "Bundled project-maintained PDFium builds remain blocked", + "Public benchmark reports remain blocked", + "Public benchmark claims remain blocked", + "`ethos-doc` remains blocked", + "`ethos-rag` remains blocked", + ): + self.assertIn(blocker, raw) + self.assertIn("Publication remains blocked until explicit approval is recorded.", text) + for forbidden in ( + "publication approved", + "published artifacts", + "npm publication approved", + "vendor payload refreshed", + "production-ready", + "benchmark-validated", + "bundled pdfium approved", + ): + self.assertNotIn(forbidden, lower) + + def test_record_is_indexed_and_wired_into_release_candidate_prep(self) -> None: + readme = normalized(VALIDATION_README) + block = target_block("release-candidate-prep") + + self.assertIn(RECORD.name, readme) + self.assertIn("patch 0.1.1 artifact publication approval request", readme.lower()) + self.assertIn( + "$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py", + block, + ) + + def test_record_avoids_local_private_paths(self) -> None: + text = read(RECORD) + + for private in ( + "/" + "Users/", + "/" + "private/tmp", + "/" + "private/var", + "/" + "var/folders", + 
"saumil" + "diwaker", + "Desktop/" + "Stuff", + "project/repo/" + "ethos", + ): + self.assertNotIn(private, text) + + +if __name__ == "__main__": + unittest.main() diff --git a/.github/scripts/test_release_candidate_prep.py b/.github/scripts/test_release_candidate_prep.py index 5ce2a2e..4abae3c 100644 --- a/.github/scripts/test_release_candidate_prep.py +++ b/.github/scripts/test_release_candidate_prep.py @@ -40,6 +40,7 @@ "$(PYTHON) .github/scripts/test_pdfium_manual_setup_contract.py", "$(PYTHON) .github/scripts/test_release_artifact_workflow_prep.py", "$(PYTHON) .github/scripts/test_patch_0_1_1_release_artifact_evidence.py", + "$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py", "$(PYTHON) .github/scripts/test_release_candidate_prep.py", "$(PYTHON) .github/scripts/test_release_reproducibility_scaffold.py", "$(PYTHON) .github/scripts/test_launch_copy_approval_scaffold.py", diff --git a/CHANGELOG.md b/CHANGELOG.md index a1fe4a5..b1895d6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## Unreleased +- boundary-exception: request patch `0.1.1` artifact publication approval for exact evidenced CLI assets; no publication, npm vendor refresh, npm publication, or support-boundary change. - boundary-exception: record patch `0.1.1` draft artifact evidence for decider review; no GitHub Release publication, npm vendor refresh, npm publication, or support-boundary change. - boundary-exception: clarify patch `0.1.1` artifact and npm vendor refresh prep in operator docs; no artifact publication, package publication, or support-boundary change. - boundary-exception: prepare patch `0.1.1` workspace, Python, npm, CLI, and public install/version surfaces for review; no new hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, or `ethos-rag` boundary opens. diff --git a/Makefile b/Makefile index 3322cc1..245fe56 100644 --- a/Makefile +++ b/Makefile 
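Review bot: In `.github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py`, `test_record_binds_current_source_and_workflow_evidence` pins the request commit and tree but not the record's `Run head SHA` line, whose value `3cbbb8f8b8195fe0f964ab4e5d2bf0458770ad11` differs from `SOURCE_COMMIT` and is presumably the commit the workflow actually built the artifacts from. The two SHA256 values are only meaningful relative to that build, so an edit to the run head SHA in the record would pass this suite unnoticed. I would add a `RUN_HEAD_SHA` constant and assert ``self.assertIn(f"Run head SHA: `{RUN_HEAD_SHA}`", text)`` next to the `RUN_URL` check. Separately, `test_record_requests_only_exact_cli_artifacts_for_v0_1_1` matches `MACOS_SHA256` and `LINUX_SHA256` anywhere in the text, so a record with the two digests swapped between platforms would still pass; asserting each digest after its own platform heading would tie checksum to artifact.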
@@ -282,6 +282,7 @@ release-candidate-prep: $(PYTHON) .github/scripts/test_pdfium_manual_setup_contract.py $(PYTHON) .github/scripts/test_release_artifact_workflow_prep.py $(PYTHON) .github/scripts/test_patch_0_1_1_release_artifact_evidence.py + $(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py $(PYTHON) .github/scripts/test_release_candidate_prep.py $(PYTHON) .github/scripts/test_release_reproducibility_scaffold.py $(PYTHON) .github/scripts/test_launch_copy_approval_scaffold.py diff --git a/docs/validation/README.md b/docs/validation/README.md index c4e3419..ebd9f69 100644 --- a/docs/validation/README.md +++ b/docs/validation/README.md @@ -568,6 +568,12 @@ recording the exact current-main source candidate and required follow-up evidenc Release publication, npm vendor refresh, npm publication, hosted surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium, or public benchmark claims. +- `patch-0-1-1-artifact-publication-approval-request-validation-2026-06-23.md` - patch 0.1.1 + artifact publication approval request validation binds the exact requested macOS arm64 and Linux + x64 GitHub Release `v0.1.1` artifact names, SHA256 values, source commit, workflow evidence, and + bounded public wording for decider review while keeping publication, npm vendor refresh, npm + publication, hosted surfaces, production positioning, Windows packaged artifacts, bundled + project-maintained PDFium, and public benchmark claims blocked. - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E validation-command index validation passed through command-alignment checks, schema enum checks, row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the 
diff --git a/docs/validation/patch-0-1-1-artifact-publication-approval-request-validation-2026-06-23.md b/docs/validation/patch-0-1-1-artifact-publication-approval-request-validation-2026-06-23.md
new file mode 100644
index 0000000..8630609
--- /dev/null
+++ b/docs/validation/patch-0-1-1-artifact-publication-approval-request-validation-2026-06-23.md
@@ -0,0 +1,114 @@
+# Patch 0.1.1 Artifact Publication Approval Request Validation - 2026-06-23
+
+## Purpose
+
+Record the exact patch `0.1.1` GitHub Release artifact publication approval request for decider
+review. This record does not publish artifacts, refresh npm vendor binaries, publish npm, change
+PDFium posture, or open any new public surface.
+
+Validated source HEAD before this record: `bfc6dc1`.
+Artifact-publication-request source commit: `bfc6dc11801af4416b6760c1bbd216c5a1a22809`.
+Artifact-publication-request source tree: `41680dbd9d506df280a5ca246c4225db6a047be7`.
+
+## Evidence Inputs
+
+- Release workflow: `.github/workflows/release.yml`
+- Workflow run: `https://github.com/docushell/ethos/actions/runs/28040466463`
+- Evidence record:
+ `docs/validation/patch-0-1-1-release-artifact-evidence-validation-2026-06-23.md`
+- Run status: `completed`
+- Run conclusion: `success`
+- Run event: `workflow_dispatch`
+- Run branch: `main`
+- Run head SHA: `3cbbb8f8b8195fe0f964ab4e5d2bf0458770ad11`
+
+## Requested Artifact Evaluation Surface
+
+The decider is asked to approve only attaching these exact draft CLI artifacts and sidecars to
+GitHub Release tag `v0.1.1` for public beta evaluation:
+
+macOS arm64:
+
+- `ethos-macos-arm64.tar.gz`
+- `ethos-macos-arm64.tar.gz.sha256`
+- `ethos-macos-arm64.inventory.json`
+- `ethos-macos-arm64.smoke.json`
+- archive SHA256:
+
+```text
+eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88
+```
+
+Linux x64:
+
+- `ethos-linux-x64.tar.gz`
+- `ethos-linux-x64.tar.gz.sha256`
+- `ethos-linux-x64.inventory.json`
+- `ethos-linux-x64.smoke.json`
+- archive SHA256:
+
+```text
+842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0
+```
+
+Both smoke sidecars report `ethos 0.1.1`. Both inventory sidecars report
+`draft_not_release_ready` and `publication: blocked`; those sidecars are evidence inputs for
+decider review and are not themselves publication approvals.
+
+## Requested Public Wording
+
+If the decider approves the exact artifacts above, the bounded public release wording may remain:
+
+> Ethos is public beta for source, Rust crate, Python wheel, macOS arm64 CLI artifact, Linux x64
+> CLI artifact, and npm `@docushell/ethos-pdf` evaluation. It verifies whether AI citations are
+> grounded in document evidence across native Ethos JSON and supported foreign parser outputs.
+> Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are available on crates.io
+> at `0.1.1` for evaluation. The Python `ethos-pdf` wheel, npm `@docushell/ethos-pdf@0.1.1`
+> package, and macOS arm64/Linux x64 CLI artifacts are available for evaluation with
+> caller-provided PDFium. Hosted surfaces, production positioning, Windows packaged artifacts,
+> bundled project-maintained PDFium builds, `ethos-doc`, `ethos-rag`, public benchmark reports,
+> public benchmark claims, and speed, footprint, parser-quality, table-quality, or production
+> claims remain blocked.
+
+Any broader public wording requires a separate decider record.
+
+## Retained Blockers
+
+- GitHub Release artifact publication remains blocked until the decider explicitly approves the
+ exact artifact names, checksums, source binding, and public wording in this request.
+- `packages/npm/ethos-pdf/vendor/manifest.json` must not be refreshed until after artifact
+ publication is explicitly approved and completed.
+- npm publication remains blocked until the checked-in vendor payload is refreshed from approved
+ artifacts and a dedicated npm approval record passes.
+- Hosted surfaces remain blocked.
+- Production positioning remains blocked.
+- Windows packaged artifacts remain blocked.
+- Bundled project-maintained PDFium builds remain blocked.
+- Public benchmark reports remain blocked.
+- Public benchmark claims remain blocked.
+- `ethos-doc` remains blocked.
+- `ethos-rag` remains blocked.
+
+## Required Operator Checks Before Approval
+
+Before approval, the operator should verify the downloaded workflow artifacts:
+
+```sh
+shasum -a 256 ethos-macos-arm64.tar.gz
+cat ethos-macos-arm64.tar.gz.sha256
+cat ethos-macos-arm64.inventory.json
+cat ethos-macos-arm64.smoke.json
+shasum -a 256 ethos-linux-x64.tar.gz
+cat ethos-linux-x64.tar.gz.sha256
+cat ethos-linux-x64.inventory.json
+cat ethos-linux-x64.smoke.json
+```
+
+If any output changes artifact names, checksums, version output, inventory publication status,
+PDFium posture, license and NOTICE inclusion, or approved public wording, publication must stop
+until a refreshed evidence record and approval request pass.
+
+## Result
+
+The patch `0.1.1` artifact publication approval request is ready for decider review. Publication
+remains blocked until explicit approval is recorded.