Approve patch 0.1.1 artifact publication

.github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py

@@ -0,0 +1,184 @@
+#!/usr/bin/env python3
+#
+# Copyright 2026 The Ethos maintainers
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+from __future__ import annotations
+
+import re
+import subprocess
+import unittest
+from pathlib import Path
+
+from makefile_guard import target_block
+
+
+ROOT = Path(__file__).resolve().parents[2]
+RECORD = ROOT / (
+    "docs/validation/"
+    "patch-0-1-1-artifact-publication-approval-decision-validation-2026-06-23.md"
+)
+VALIDATION_README = ROOT / "docs/validation/README.md"
+
+SOURCE_SHORT = "7df928c"
+SOURCE_COMMIT = "7df928cd453decd273a5e83fc2b2191a0edf654e"
+SOURCE_TREE = "6b9ebbb7087604367f53022406c50a4ec8509992"
+RUN_URL = "https://github.com/docushell/ethos/actions/runs/28040466463"
+WORKFLOW_HEAD = "3cbbb8f8b8195fe0f964ab4e5d2bf0458770ad11"
+MACOS_SHA256 = "eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88"
+LINUX_SHA256 = "842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0"
+
+APPROVED_WORDING = (
+    "Ethos is public beta for source, Rust crate, Python wheel, macOS arm64 CLI artifact, Linux x64 "
+    "CLI artifact, and npm `@docushell/ethos-pdf` evaluation. It verifies whether AI citations are "
+    "grounded in document evidence across native Ethos JSON and supported foreign parser outputs. "
+    "Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are available on crates.io "
+    "at `0.1.1` for evaluation. The Python `ethos-pdf` wheel, npm `@docushell/ethos-pdf@0.1.1` "
+    "package, and macOS arm64/Linux x64 CLI artifacts are available for evaluation with "
+    "caller-provided PDFium. Hosted surfaces, production positioning, Windows packaged artifacts, "
+    "bundled project-maintained PDFium builds, `ethos-doc`, `ethos-rag`, public benchmark reports, "
+    "public benchmark claims, and speed, footprint, parser-quality, table-quality, or production "
+    "claims remain blocked."
+)
+
+FORBIDDEN_SCOPE_EXPANSION = (
+    "npm publication approved",
+    "vendor payload refreshed",
+    "hosted surfaces approved",
+    "production positioning approved",
+    "windows packaged artifacts approved",
+    "bundled pdfium approved",
+    "public benchmark claims approved",
+    "production-ready",
+    "benchmark-validated",
+)
+
+
+def read(path: Path) -> str:
+    return path.read_text(encoding="utf-8")
+
+
+def normalized(path: Path) -> str:
+    return re.sub(r"\s+", " ", read(path))
+
+
+def git(*args: str) -> str:
+    return subprocess.check_output(
+        ["git", *args],
+        cwd=ROOT,
+        encoding="utf-8",
+        stderr=subprocess.DEVNULL,
+    ).strip()
+
+
+class Patch011ArtifactPublicationApprovalDecisionTests(unittest.TestCase):
+    def test_record_is_source_bound(self) -> None:
+        raw = read(RECORD)
+        record = normalized(RECORD)
+
+        self.assertIn(f"Validated source HEAD before this record: `{SOURCE_SHORT}`", raw)
+        self.assertIn(
+            f"Patch 0.1.1 artifact publication approval decision source commit: `{SOURCE_COMMIT}`",
+            record,
+        )
+        self.assertIn(
+            f"Patch 0.1.1 artifact publication approval decision source tree: `{SOURCE_TREE}`",
+            record,
+        )
+        self.assertEqual(SOURCE_COMMIT, git("rev-parse", SOURCE_SHORT))
+        self.assertEqual(SOURCE_TREE, git("rev-parse", f"{SOURCE_SHORT}^{{tree}}"))
+
+    def test_decision_accepts_exact_release_assets_only(self) -> None:
+        record = normalized(RECORD)
+
+        for expected in (
+            "Decision: accept the exact patch `0.1.1` artifact publication request.",
+            "Exact GitHub Release tag accepted by this decision: `v0.1.1`",
+            RUN_URL,
+            WORKFLOW_HEAD,
+            "ethos-macos-arm64.tar.gz",
+            "ethos-macos-arm64.tar.gz.sha256",
+            "ethos-macos-arm64.inventory.json",
+            "ethos-macos-arm64.smoke.json",
+            "ethos-linux-x64.tar.gz",
+            "ethos-linux-x64.tar.gz.sha256",
+            "ethos-linux-x64.inventory.json",
+            "ethos-linux-x64.smoke.json",
+            MACOS_SHA256,
+            LINUX_SHA256,
+            "Exact CLI smoke accepted by this decision: `ethos 0.1.1`",
+            "caller-provided PDFium only through `ETHOS_PDFIUM_LIBRARY_PATH`",
+        ):
+            self.assertIn(expected, record)
+
+    def test_decision_preserves_bounded_public_wording(self) -> None:
+        record = re.sub(r"\s+", " ", read(RECORD).replace("> ", ""))
+
+        self.assertIn(APPROVED_WORDING, record)
+        self.assertIn("Any broader public wording requires a separate decider record.", record)
+
+    def test_decision_requires_later_operator_upload_and_closeout(self) -> None:
+        record = normalized(RECORD)
+
+        self.assertIn("This decision does not itself upload artifacts.", record)
+        self.assertIn("Publication remains an explicit later operator action.", record)
+        self.assertIn("post-upload closeout evidence", record)
+        self.assertIn("python3 .github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py", record)
+        self.assertIn("make release-candidate-prep PYTHON=python3", record)
+
+    def test_retains_unrelated_blockers_and_avoids_scope_expansion(self) -> None:
+        raw = read(RECORD)
+        lower = normalized(RECORD).lower()
+
+        for blocker in (
+            "`packages/npm/ethos-pdf/vendor/manifest.json` must not be refreshed",
+            "npm publication remains blocked",
+            "Hosted surfaces remain blocked",
+            "Production positioning remains blocked",
+            "Windows packaged artifacts remain blocked",
+            "Bundled project-maintained PDFium builds remain blocked",
+            "Public benchmark reports remain blocked",
+            "Public benchmark claims remain blocked",
+            "`ethos-doc` remains blocked",
+            "`ethos-rag` remains blocked",
+        ):
+            self.assertIn(blocker, raw)
+        for phrase in FORBIDDEN_SCOPE_EXPANSION:
+            self.assertNotIn(phrase, lower)
+        for private in (
+            "/" + "Users/",
+            "/" + "private/tmp",
+            "/" + "private/var",
+            "/" + "var/folders",
+            "saumil" + "diwaker",
+            "Desktop/" + "Stuff",
+            "project/repo/" + "ethos",
+        ):
+            self.assertNotIn(private, raw)
+
+    def test_record_is_indexed_and_wired_into_release_candidate_prep(self) -> None:
+        readme = normalized(VALIDATION_README)
+        block = target_block("release-candidate-prep")
+
+        self.assertIn(RECORD.name, readme)
+        self.assertIn("patch 0.1.1 artifact publication approval decision", readme.lower())
+        self.assertIn(
+            "$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py",
+            block,
+        )
+
+
+if __name__ == "__main__":
+    unittest.main()

.github/scripts/test_release_candidate_prep.py

@@ -41,6 +41,7 @@
     "$(PYTHON) .github/scripts/test_release_artifact_workflow_prep.py",
     "$(PYTHON) .github/scripts/test_patch_0_1_1_release_artifact_evidence.py",
     "$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py",
+    "$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py",
     "$(PYTHON) .github/scripts/test_release_candidate_prep.py",
     "$(PYTHON) .github/scripts/test_release_reproducibility_scaffold.py",
     "$(PYTHON) .github/scripts/test_launch_copy_approval_scaffold.py",

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## Unreleased
 
+- boundary-exception: approve exact patch `0.1.1` CLI artifact publication decision for later operator upload; no upload, npm vendor refresh, npm publication, or support-boundary change.
 - boundary-exception: request patch `0.1.1` artifact publication approval for exact evidenced CLI assets; no publication, npm vendor refresh, npm publication, or support-boundary change.
 - boundary-exception: record patch `0.1.1` draft artifact evidence for decider review; no GitHub Release publication, npm vendor refresh, npm publication, or support-boundary change.
 - boundary-exception: clarify patch `0.1.1` artifact and npm vendor refresh prep in operator docs; no artifact publication, package publication, or support-boundary change.

Makefile

@@ -283,6 +283,7 @@ release-candidate-prep:
 	$(PYTHON) .github/scripts/test_release_artifact_workflow_prep.py
 	$(PYTHON) .github/scripts/test_patch_0_1_1_release_artifact_evidence.py
 	$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py
+	$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py
 	$(PYTHON) .github/scripts/test_release_candidate_prep.py
 	$(PYTHON) .github/scripts/test_release_reproducibility_scaffold.py
 	$(PYTHON) .github/scripts/test_launch_copy_approval_scaffold.py

docs/validation/README.md

@@ -574,6 +574,12 @@ recording the exact current-main source candidate and required follow-up evidenc
   bounded public wording for decider review while keeping publication, npm vendor refresh, npm
   publication, hosted surfaces, production positioning, Windows packaged artifacts, bundled
   project-maintained PDFium, and public benchmark claims blocked.
+- `patch-0-1-1-artifact-publication-approval-decision-validation-2026-06-23.md` - patch 0.1.1
+  artifact publication approval decision validation accepts only the exact evidenced macOS arm64
+  and Linux x64 GitHub Release `v0.1.1` artifact assets and bounded public wording while leaving
+  operator upload, post-upload closeout evidence, npm vendor refresh, npm publication, hosted
+  surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium,
+  and public benchmark claims blocked.
 - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E
   validation-command index validation passed through command-alignment checks, schema enum checks,
   row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the

docs/validation/patch-0-1-1-artifact-publication-approval-decision-validation-2026-06-23.md

@@ -0,0 +1,165 @@
+# Patch 0.1.1 Artifact Publication Approval Decision Validation - 2026-06-23
+
+Validated source HEAD before this record: `7df928c`.
+
+Patch 0.1.1 artifact publication approval decision source commit:
+`7df928cd453decd273a5e83fc2b2191a0edf654e`.
+
+Patch 0.1.1 artifact publication approval decision source tree:
+`6b9ebbb7087604367f53022406c50a4ec8509992`.
+
+Status: **patch 0.1.1 artifact publication approval decision recorded; operator upload remains pending**
+
+This record accepts the exact patch `0.1.1` GitHub Release artifact publication request after
+decider approval. It approves only attaching the exact evidenced macOS arm64 and Linux x64 CLI
+artifact assets below to GitHub Release tag `v0.1.1` for public beta evaluation. It does not upload
+artifacts, refresh npm vendor binaries, publish npm, change PDFium posture, approve hosted
+surfaces, approve production positioning, approve Windows packaged artifacts, approve bundled
+project-maintained PDFium builds, approve `ethos-doc`, approve `ethos-rag`, or approve public
+benchmark reports or claims.
+
+## Subject
+
+- Repository: `docushell/ethos`
+- Lane: patch `0.1.1` GitHub Release artifact publication
+- Approval owner: `docushell-admin`
+- Approval request record:
+  `docs/validation/patch-0-1-1-artifact-publication-approval-request-validation-2026-06-23.md`
+- Artifact evidence record:
+  `docs/validation/patch-0-1-1-release-artifact-evidence-validation-2026-06-23.md`
+- Release workflow run: `https://github.com/docushell/ethos/actions/runs/28040466463`
+
+## Exact Decision Fields
+
+- Decision: accept the exact patch `0.1.1` artifact publication request.
+- Approver: `docushell-admin` acting as decider.
+- Date: 2026-06-23.
+- Exact GitHub Release tag accepted by this decision: `v0.1.1`.
+- Exact workflow run accepted by this decision:
+  `https://github.com/docushell/ethos/actions/runs/28040466463`.
+- Exact workflow head SHA accepted by this decision:
+  `3cbbb8f8b8195fe0f964ab4e5d2bf0458770ad11`.
+
+macOS arm64 assets accepted by this decision:
+
+- `ethos-macos-arm64.tar.gz`
+- `ethos-macos-arm64.tar.gz.sha256`
+- `ethos-macos-arm64.inventory.json`
+- `ethos-macos-arm64.smoke.json`
+- archive SHA256:
+
+```text
+eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88
+```
+
+Linux x64 assets accepted by this decision:
+
+- `ethos-linux-x64.tar.gz`
+- `ethos-linux-x64.tar.gz.sha256`
+- `ethos-linux-x64.inventory.json`
+- `ethos-linux-x64.smoke.json`
+- archive SHA256:
+
+```text
+842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0
+```
+
+Exact CLI smoke accepted by this decision: `ethos 0.1.1` for both accepted platform artifacts.
+
+Exact PDFium boundary accepted by this decision: caller-provided PDFium only through
+`ETHOS_PDFIUM_LIBRARY_PATH`; no bundled or project-maintained PDFium build is approved.
+
+## Approved Operator Action
+
+After this decision record is merged and the validation commands below pass on the merged source,
+an operator may attach only the exact accepted asset names above to GitHub Release tag `v0.1.1`.
+
+This decision does not itself upload artifacts. Publication remains an explicit later operator
+action.
+
+## Approved Public Wording
+
+After the exact assets above are attached to GitHub Release tag `v0.1.1`, the bounded public
+release wording may remain:
+
+> Ethos is public beta for source, Rust crate, Python wheel, macOS arm64 CLI artifact, Linux x64
+> CLI artifact, and npm `@docushell/ethos-pdf` evaluation. It verifies whether AI citations are
+> grounded in document evidence across native Ethos JSON and supported foreign parser outputs.
+> Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are available on crates.io
+> at `0.1.1` for evaluation. The Python `ethos-pdf` wheel, npm `@docushell/ethos-pdf@0.1.1`
+> package, and macOS arm64/Linux x64 CLI artifacts are available for evaluation with
+> caller-provided PDFium. Hosted surfaces, production positioning, Windows packaged artifacts,
+> bundled project-maintained PDFium builds, `ethos-doc`, `ethos-rag`, public benchmark reports,
+> public benchmark claims, and speed, footprint, parser-quality, table-quality, or production
+> claims remain blocked.
+
+Any broader public wording requires a separate decider record.
+
+## Required Operator Pre-Upload Checks
+
+Before uploading, the operator must verify the downloaded workflow artifacts:
+
+```sh
+shasum -a 256 ethos-macos-arm64.tar.gz
+cat ethos-macos-arm64.tar.gz.sha256
+cat ethos-macos-arm64.inventory.json
+cat ethos-macos-arm64.smoke.json
+shasum -a 256 ethos-linux-x64.tar.gz
+cat ethos-linux-x64.tar.gz.sha256
+cat ethos-linux-x64.inventory.json
+cat ethos-linux-x64.smoke.json
+python3 .github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py
+make release-candidate-prep PYTHON=python3
+git diff --check
+```
+
+The operator must stop if artifact names, checksums, version output, PDFium posture, license and
+NOTICE inclusion, or approved public wording differ from this decision record.
+
+## Retained Blockers
+
+- `packages/npm/ethos-pdf/vendor/manifest.json` must not be refreshed until after the approved
+  GitHub Release assets are attached and publication closeout evidence is recorded.
+- npm publication remains blocked until the checked-in vendor payload is refreshed from approved
+  artifacts and a dedicated npm approval record passes.
+- Hosted surfaces remain blocked.
+- Production positioning remains blocked.
+- Windows packaged artifacts remain blocked.
+- Bundled project-maintained PDFium builds remain blocked.
+- Public benchmark reports remain blocked.
+- Public benchmark claims remain blocked.
+- `ethos-doc` remains blocked.
+- `ethos-rag` remains blocked.
+
+## Evidence Bound To This Decision
+
+- Decider decision supplied: Approved.
+- Exact approval supplied by operator:
+  `Yes, I approve publishing the exact v0.1.1 macOS arm64 and Linux x64 CLI artifacts named and
+  checksummed in the merged approval-request record.`
+- `python3 .github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py` passed on
+  merged `main`.
+- `python3 .github/scripts/test_release_candidate_prep.py` passed on merged `main`.
+- `make light-check PYTHON=python3` passed on merged `main`.
+- `make release-candidate-prep PYTHON=python3` passed on merged `main`.
+
+## Non-Actions
+
+- This decision record does not upload GitHub Release assets.
+- This decision record does not refresh npm vendor binaries.
+- This decision record does not publish npm.
+- This decision record does not change PDFium posture.
+- This decision record does not approve hosted surfaces.
+- This decision record does not approve production positioning.
+- This decision record does not approve Windows packaged artifacts.
+- This decision record does not approve bundled project-maintained PDFium builds.
+- This decision record does not approve public benchmark reports.
+- This decision record does not approve public benchmark claims.
+- This decision record does not approve `ethos-doc`.
+- This decision record does not approve `ethos-rag`.
+
+## Result
+
+The exact patch `0.1.1` GitHub Release artifact publication decision is accepted. Actual asset
+upload remains a separate operator action requiring the exact bounded assets approved here, final
+pre-upload checks, and post-upload closeout evidence.