From 2d41d0beb31893036c8df03e8cc203e0fe0e18c7 Mon Sep 17 00:00:00 2001 From: docushell-admin Date: Tue, 23 Jun 2026 22:19:42 +0530 Subject: [PATCH] Approve patch 0.1.1 artifact publication Signed-off-by: docushell-admin --- ..._artifact_publication_approval_decision.py | 184 ++++++++++++++++++ .../scripts/test_release_candidate_prep.py | 1 + CHANGELOG.md | 1 + Makefile | 1 + docs/validation/README.md | 6 + ...approval-decision-validation-2026-06-23.md | 165 ++++++++++++++++ 6 files changed, 358 insertions(+) create mode 100644 .github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py create mode 100644 docs/validation/patch-0-1-1-artifact-publication-approval-decision-validation-2026-06-23.md diff --git a/.github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py b/.github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py new file mode 100644 index 0000000..4115755 --- /dev/null +++ b/.github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py @@ -0,0 +1,184 @@ +#!/usr/bin/env python3 +# +# Copyright 2026 The Ethos maintainers +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import annotations + +import re +import subprocess +import unittest +from pathlib import Path + +from makefile_guard import target_block + + +ROOT = Path(__file__).resolve().parents[2] +RECORD = ROOT / ( + "docs/validation/" + "patch-0-1-1-artifact-publication-approval-decision-validation-2026-06-23.md" +) +VALIDATION_README = ROOT / "docs/validation/README.md" + +SOURCE_SHORT = "7df928c" +SOURCE_COMMIT = "7df928cd453decd273a5e83fc2b2191a0edf654e" +SOURCE_TREE = "6b9ebbb7087604367f53022406c50a4ec8509992" +RUN_URL = "https://github.com/docushell/ethos/actions/runs/28040466463" +WORKFLOW_HEAD = "3cbbb8f8b8195fe0f964ab4e5d2bf0458770ad11" +MACOS_SHA256 = "eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88" +LINUX_SHA256 = "842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0" + +APPROVED_WORDING = ( + "Ethos is public beta for source, Rust crate, Python wheel, macOS arm64 CLI artifact, Linux x64 " + "CLI artifact, and npm `@docushell/ethos-pdf` evaluation. It verifies whether AI citations are " + "grounded in document evidence across native Ethos JSON and supported foreign parser outputs. " + "Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are available on crates.io " + "at `0.1.1` for evaluation. The Python `ethos-pdf` wheel, npm `@docushell/ethos-pdf@0.1.1` " + "package, and macOS arm64/Linux x64 CLI artifacts are available for evaluation with " + "caller-provided PDFium. Hosted surfaces, production positioning, Windows packaged artifacts, " + "bundled project-maintained PDFium builds, `ethos-doc`, `ethos-rag`, public benchmark reports, " + "public benchmark claims, and speed, footprint, parser-quality, table-quality, or production " + "claims remain blocked." +) + +FORBIDDEN_SCOPE_EXPANSION = ( + "npm publication approved", + "vendor payload refreshed", + "hosted surfaces approved", + "production positioning approved", + "windows packaged artifacts approved", + "bundled pdfium approved", + "public benchmark claims approved", + "production-ready", + "benchmark-validated", +) + + +def read(path: Path) -> str: + return path.read_text(encoding="utf-8") + + +def normalized(path: Path) -> str: + return re.sub(r"\s+", " ", read(path)) + + +def git(*args: str) -> str: + return subprocess.check_output( + ["git", *args], + cwd=ROOT, + encoding="utf-8", + stderr=subprocess.DEVNULL, + ).strip() + + +class Patch011ArtifactPublicationApprovalDecisionTests(unittest.TestCase): + def test_record_is_source_bound(self) -> None: + raw = read(RECORD) + record = normalized(RECORD) + + self.assertIn(f"Validated source HEAD before this record: `{SOURCE_SHORT}`", raw) + self.assertIn( + f"Patch 0.1.1 artifact publication approval decision source commit: `{SOURCE_COMMIT}`", + record, + ) + self.assertIn( + f"Patch 0.1.1 artifact publication approval decision source tree: `{SOURCE_TREE}`", + record, + ) + self.assertEqual(SOURCE_COMMIT, git("rev-parse", SOURCE_SHORT)) + self.assertEqual(SOURCE_TREE, git("rev-parse", f"{SOURCE_SHORT}^{{tree}}")) + + def test_decision_accepts_exact_release_assets_only(self) -> None: + record = normalized(RECORD) + + for expected in ( + "Decision: accept the exact patch `0.1.1` artifact publication request.", + "Exact GitHub Release tag accepted by this decision: `v0.1.1`", + RUN_URL, + WORKFLOW_HEAD, + "ethos-macos-arm64.tar.gz", + "ethos-macos-arm64.tar.gz.sha256", + "ethos-macos-arm64.inventory.json", + "ethos-macos-arm64.smoke.json", + "ethos-linux-x64.tar.gz", + "ethos-linux-x64.tar.gz.sha256", + "ethos-linux-x64.inventory.json", + "ethos-linux-x64.smoke.json", + MACOS_SHA256, + LINUX_SHA256, + "Exact CLI smoke accepted by this decision: `ethos 0.1.1`", + "caller-provided PDFium only through `ETHOS_PDFIUM_LIBRARY_PATH`", + ): + self.assertIn(expected, record) + + def test_decision_preserves_bounded_public_wording(self) -> None: + record = re.sub(r"\s+", " ", read(RECORD).replace("> ", "")) + + self.assertIn(APPROVED_WORDING, record) + self.assertIn("Any broader public wording requires a separate decider record.", record) + + def test_decision_requires_later_operator_upload_and_closeout(self) -> None: + record = normalized(RECORD) + + self.assertIn("This decision does not itself upload artifacts.", record) + self.assertIn("Publication remains an explicit later operator action.", record) + self.assertIn("post-upload closeout evidence", record) + self.assertIn("python3 .github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py", record) + self.assertIn("make release-candidate-prep PYTHON=python3", record) + + def test_retains_unrelated_blockers_and_avoids_scope_expansion(self) -> None: + raw = read(RECORD) + lower = normalized(RECORD).lower() + + for blocker in ( + "`packages/npm/ethos-pdf/vendor/manifest.json` must not be refreshed", + "npm publication remains blocked", + "Hosted surfaces remain blocked", + "Production positioning remains blocked", + "Windows packaged artifacts remain blocked", + "Bundled project-maintained PDFium builds remain blocked", + "Public benchmark reports remain blocked", + "Public benchmark claims remain blocked", + "`ethos-doc` remains blocked", + "`ethos-rag` remains blocked", + ): + self.assertIn(blocker, raw) + for phrase in FORBIDDEN_SCOPE_EXPANSION: + self.assertNotIn(phrase, lower) + for private in ( + "/" + "Users/", + "/" + "private/tmp", + "/" + "private/var", + "/" + "var/folders", + "saumil" + "diwaker", + "Desktop/" + "Stuff", + "project/repo/" + "ethos", + ): + self.assertNotIn(private, raw) + + def test_record_is_indexed_and_wired_into_release_candidate_prep(self) -> None: + readme = normalized(VALIDATION_README) + block = target_block("release-candidate-prep") + + self.assertIn(RECORD.name, readme) + self.assertIn("patch 0.1.1 artifact publication approval decision", readme.lower()) + self.assertIn( + "$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py", + block, + ) + + +if __name__ == "__main__": + unittest.main() diff --git a/.github/scripts/test_release_candidate_prep.py b/.github/scripts/test_release_candidate_prep.py index 4abae3c..9b7b412 100644 --- a/.github/scripts/test_release_candidate_prep.py +++ b/.github/scripts/test_release_candidate_prep.py @@ -41,6 +41,7 @@ "$(PYTHON) .github/scripts/test_release_artifact_workflow_prep.py", "$(PYTHON) .github/scripts/test_patch_0_1_1_release_artifact_evidence.py", "$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py", + "$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py", "$(PYTHON) .github/scripts/test_release_candidate_prep.py", "$(PYTHON) .github/scripts/test_release_reproducibility_scaffold.py", "$(PYTHON) .github/scripts/test_launch_copy_approval_scaffold.py", diff --git a/CHANGELOG.md b/CHANGELOG.md index b1895d6..56ccacd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## Unreleased +- boundary-exception: approve exact patch `0.1.1` CLI artifact publication decision for later operator upload; no upload, npm vendor refresh, npm publication, or support-boundary change. - boundary-exception: request patch `0.1.1` artifact publication approval for exact evidenced CLI assets; no publication, npm vendor refresh, npm publication, or support-boundary change. - boundary-exception: record patch `0.1.1` draft artifact evidence for decider review; no GitHub Release publication, npm vendor refresh, npm publication, or support-boundary change. - boundary-exception: clarify patch `0.1.1` artifact and npm vendor refresh prep in operator docs; no artifact publication, package publication, or support-boundary change. diff --git a/Makefile b/Makefile index 245fe56..e6c2b9d 100644 --- a/Makefile +++ b/Makefile @@ -283,6 +283,7 @@ release-candidate-prep: $(PYTHON) .github/scripts/test_release_artifact_workflow_prep.py $(PYTHON) .github/scripts/test_patch_0_1_1_release_artifact_evidence.py $(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py + $(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py $(PYTHON) .github/scripts/test_release_candidate_prep.py $(PYTHON) .github/scripts/test_release_reproducibility_scaffold.py $(PYTHON) .github/scripts/test_launch_copy_approval_scaffold.py diff --git a/docs/validation/README.md b/docs/validation/README.md index ebd9f69..d3f1874 100644 --- a/docs/validation/README.md +++ b/docs/validation/README.md @@ -574,6 +574,12 @@ recording the exact current-main source candidate and required follow-up evidenc bounded public wording for decider review while keeping publication, npm vendor refresh, npm publication, hosted surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium, and public benchmark claims blocked. +- `patch-0-1-1-artifact-publication-approval-decision-validation-2026-06-23.md` - patch 0.1.1 + artifact publication approval decision validation accepts only the exact evidenced macOS arm64 + and Linux x64 GitHub Release `v0.1.1` artifact assets and bounded public wording while leaving + operator upload, post-upload closeout evidence, npm vendor refresh, npm publication, hosted + surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium, + and public benchmark claims blocked. - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E validation-command index validation passed through command-alignment checks, schema enum checks, row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the diff --git a/docs/validation/patch-0-1-1-artifact-publication-approval-decision-validation-2026-06-23.md b/docs/validation/patch-0-1-1-artifact-publication-approval-decision-validation-2026-06-23.md new file mode 100644 index 0000000..9c57d78 --- /dev/null +++ b/docs/validation/patch-0-1-1-artifact-publication-approval-decision-validation-2026-06-23.md @@ -0,0 +1,165 @@ +# Patch 0.1.1 Artifact Publication Approval Decision Validation - 2026-06-23 + +Validated source HEAD before this record: `7df928c`. + +Patch 0.1.1 artifact publication approval decision source commit: +`7df928cd453decd273a5e83fc2b2191a0edf654e`. + +Patch 0.1.1 artifact publication approval decision source tree: +`6b9ebbb7087604367f53022406c50a4ec8509992`. + +Status: **patch 0.1.1 artifact publication approval decision recorded; operator upload remains pending** + +This record accepts the exact patch `0.1.1` GitHub Release artifact publication request after +decider approval. It approves only attaching the exact evidenced macOS arm64 and Linux x64 CLI +artifact assets below to GitHub Release tag `v0.1.1` for public beta evaluation. It does not upload +artifacts, refresh npm vendor binaries, publish npm, change PDFium posture, approve hosted +surfaces, approve production positioning, approve Windows packaged artifacts, approve bundled +project-maintained PDFium builds, approve `ethos-doc`, approve `ethos-rag`, or approve public +benchmark reports or claims. + +## Subject + +- Repository: `docushell/ethos` +- Lane: patch `0.1.1` GitHub Release artifact publication +- Approval owner: `docushell-admin` +- Approval request record: + `docs/validation/patch-0-1-1-artifact-publication-approval-request-validation-2026-06-23.md` +- Artifact evidence record: + `docs/validation/patch-0-1-1-release-artifact-evidence-validation-2026-06-23.md` +- Release workflow run: `https://github.com/docushell/ethos/actions/runs/28040466463` + +## Exact Decision Fields + +- Decision: accept the exact patch `0.1.1` artifact publication request. +- Approver: `docushell-admin` acting as decider. +- Date: 2026-06-23. +- Exact GitHub Release tag accepted by this decision: `v0.1.1`. +- Exact workflow run accepted by this decision: + `https://github.com/docushell/ethos/actions/runs/28040466463`. +- Exact workflow head SHA accepted by this decision: + `3cbbb8f8b8195fe0f964ab4e5d2bf0458770ad11`. + +macOS arm64 assets accepted by this decision: + +- `ethos-macos-arm64.tar.gz` +- `ethos-macos-arm64.tar.gz.sha256` +- `ethos-macos-arm64.inventory.json` +- `ethos-macos-arm64.smoke.json` +- archive SHA256: + +```text +eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88 +``` + +Linux x64 assets accepted by this decision: + +- `ethos-linux-x64.tar.gz` +- `ethos-linux-x64.tar.gz.sha256` +- `ethos-linux-x64.inventory.json` +- `ethos-linux-x64.smoke.json` +- archive SHA256: + +```text +842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0 +``` + +Exact CLI smoke accepted by this decision: `ethos 0.1.1` for both accepted platform artifacts. + +Exact PDFium boundary accepted by this decision: caller-provided PDFium only through +`ETHOS_PDFIUM_LIBRARY_PATH`; no bundled or project-maintained PDFium build is approved. + +## Approved Operator Action + +After this decision record is merged and the validation commands below pass on the merged source, +an operator may attach only the exact accepted asset names above to GitHub Release tag `v0.1.1`. + +This decision does not itself upload artifacts. Publication remains an explicit later operator +action. + +## Approved Public Wording + +After the exact assets above are attached to GitHub Release tag `v0.1.1`, the bounded public +release wording may remain: + +> Ethos is public beta for source, Rust crate, Python wheel, macOS arm64 CLI artifact, Linux x64 +> CLI artifact, and npm `@docushell/ethos-pdf` evaluation. It verifies whether AI citations are +> grounded in document evidence across native Ethos JSON and supported foreign parser outputs. +> Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are available on crates.io +> at `0.1.1` for evaluation. The Python `ethos-pdf` wheel, npm `@docushell/ethos-pdf@0.1.1` +> package, and macOS arm64/Linux x64 CLI artifacts are available for evaluation with +> caller-provided PDFium. Hosted surfaces, production positioning, Windows packaged artifacts, +> bundled project-maintained PDFium builds, `ethos-doc`, `ethos-rag`, public benchmark reports, +> public benchmark claims, and speed, footprint, parser-quality, table-quality, or production +> claims remain blocked. + +Any broader public wording requires a separate decider record. + +## Required Operator Pre-Upload Checks + +Before uploading, the operator must verify the downloaded workflow artifacts: + +```sh +shasum -a 256 ethos-macos-arm64.tar.gz +cat ethos-macos-arm64.tar.gz.sha256 +cat ethos-macos-arm64.inventory.json +cat ethos-macos-arm64.smoke.json +shasum -a 256 ethos-linux-x64.tar.gz +cat ethos-linux-x64.tar.gz.sha256 +cat ethos-linux-x64.inventory.json +cat ethos-linux-x64.smoke.json +python3 .github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py +make release-candidate-prep PYTHON=python3 +git diff --check +``` + +The operator must stop if artifact names, checksums, version output, PDFium posture, license and +NOTICE inclusion, or approved public wording differ from this decision record. + +## Retained Blockers + +- `packages/npm/ethos-pdf/vendor/manifest.json` must not be refreshed until after the approved + GitHub Release assets are attached and publication closeout evidence is recorded. +- npm publication remains blocked until the checked-in vendor payload is refreshed from approved + artifacts and a dedicated npm approval record passes. +- Hosted surfaces remain blocked. +- Production positioning remains blocked. +- Windows packaged artifacts remain blocked. +- Bundled project-maintained PDFium builds remain blocked. +- Public benchmark reports remain blocked. +- Public benchmark claims remain blocked. +- `ethos-doc` remains blocked. +- `ethos-rag` remains blocked. + +## Evidence Bound To This Decision + +- Decider decision supplied: Approved. +- Exact approval supplied by operator: + `Yes, I approve publishing the exact v0.1.1 macOS arm64 and Linux x64 CLI artifacts named and + checksummed in the merged approval-request record.` +- `python3 .github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py` passed on + merged `main`. +- `python3 .github/scripts/test_release_candidate_prep.py` passed on merged `main`. +- `make light-check PYTHON=python3` passed on merged `main`. +- `make release-candidate-prep PYTHON=python3` passed on merged `main`. + +## Non-Actions + +- This decision record does not upload GitHub Release assets. +- This decision record does not refresh npm vendor binaries. +- This decision record does not publish npm. +- This decision record does not change PDFium posture. +- This decision record does not approve hosted surfaces. +- This decision record does not approve production positioning. +- This decision record does not approve Windows packaged artifacts. +- This decision record does not approve bundled project-maintained PDFium builds. +- This decision record does not approve public benchmark reports. +- This decision record does not approve public benchmark claims. +- This decision record does not approve `ethos-doc`. +- This decision record does not approve `ethos-rag`. + +## Result + +The exact patch `0.1.1` GitHub Release artifact publication decision is accepted. Actual asset +upload remains a separate operator action requiring the exact bounded assets approved here, final +pre-upload checks, and post-upload closeout evidence.