diff --git a/.github/scripts/test_patch_0_1_1_artifact_publication_closeout.py b/.github/scripts/test_patch_0_1_1_artifact_publication_closeout.py new file mode 100644 index 0000000..509a21a --- /dev/null +++ b/.github/scripts/test_patch_0_1_1_artifact_publication_closeout.py @@ -0,0 +1,156 @@ +#!/usr/bin/env python3 +# +# Copyright 2026 The Ethos maintainers +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import annotations + +import re +import subprocess +import unittest +from pathlib import Path + +from makefile_guard import target_block + + +ROOT = Path(__file__).resolve().parents[2] +RECORD = ROOT / "docs/validation/patch-0-1-1-artifact-publication-closeout-validation-2026-06-23.md" +VALIDATION_README = ROOT / "docs/validation/README.md" + +SOURCE_SHORT = "5231b56" +SOURCE_COMMIT = "5231b56383afbc08c874325a7f47d6ae90e60a24" +SOURCE_TREE = "b0e5d2e5ac534facf9bd78a580366aab1995f0e1" +MACOS_SHA256 = "eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88" +LINUX_SHA256 = "842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0" + + +def read(path: Path) -> str: + return path.read_text(encoding="utf-8") + + +def normalized(path: Path) -> str: + return re.sub(r"\s+", " ", read(path)) + + +def git(*args: str) -> str: + return subprocess.check_output( + ["git", *args], + cwd=ROOT, + encoding="utf-8", + stderr=subprocess.DEVNULL, + ).strip() + + +class Patch011ArtifactPublicationCloseoutTests(unittest.TestCase): + def test_record_is_source_bound(self) -> None: + raw = read(RECORD) + record = normalized(RECORD) + + self.assertIn(f"Validated source HEAD before this record: `{SOURCE_SHORT}`", raw) + self.assertIn(f"Patch 0.1.1 artifact publication closeout source commit: `{SOURCE_COMMIT}`", record) + self.assertIn(f"Patch 0.1.1 artifact publication closeout source tree: `{SOURCE_TREE}`", record) + self.assertEqual(SOURCE_COMMIT, git("rev-parse", SOURCE_SHORT)) + self.assertEqual(SOURCE_TREE, git("rev-parse", f"{SOURCE_SHORT}^{{tree}}")) + + def test_record_captures_release_metadata_and_exact_assets(self) -> None: + record = normalized(RECORD) + + for expected in ( + "Status: **patch 0.1.1 GitHub Release artifact publication complete**", + "GitHub Release tag: `v0.1.1`", + "Release name: `Release v0.1.1`", + "Release draft status: `false`", + "Release prerelease status: `false`", + f"Tag target: `{SOURCE_COMMIT}`", + "ethos-macos-arm64.tar.gz", + "ethos-macos-arm64.tar.gz.sha256", + "ethos-macos-arm64.inventory.json", + "ethos-macos-arm64.smoke.json", + "ethos-linux-x64.tar.gz", + "ethos-linux-x64.tar.gz.sha256", + "ethos-linux-x64.inventory.json", + "ethos-linux-x64.smoke.json", + MACOS_SHA256, + LINUX_SHA256, + ): + self.assertIn(expected, record) + + def test_record_captures_sidecar_payload_and_smoke_evidence(self) -> None: + record = normalized(RECORD) + + for expected in ( + "schema `ethos.release_artifact_inventory.v1`, target `macos-arm64`", + "schema `ethos.release_artifact_smoke.v1`, target `macos-arm64`, version `ethos 0.1.1`", + "schema `ethos.release_artifact_inventory.v1`, target `linux-x64`", + "schema `ethos.release_artifact_smoke.v1`, target `linux-x64`, version `ethos 0.1.1`", + "`LICENSE`", + "`NOTICE`", + "`ethos`", + "`pdfium-manual-setup.md`", + "`ethos doctor` preserved the caller-provided PDFium setup-warning posture", + ): + self.assertIn(expected, record) + + def test_record_preserves_blockers_and_private_path_safety(self) -> None: + raw = read(RECORD) + lower = normalized(RECORD).lower() + + for blocker in ( + "`packages/npm/ethos-pdf/vendor/manifest.json` must not be refreshed", + "npm publication remains blocked", + "Hosted surfaces remain blocked", + "Production positioning remains blocked", + "Windows packaged artifacts remain blocked", + "Bundled project-maintained PDFium builds remain blocked", + "Public benchmark reports remain blocked", + "Public benchmark claims remain blocked", + "`ethos-doc` remains blocked", + "`ethos-rag` remains blocked", + ): + self.assertIn(blocker, raw) + for forbidden in ( + "npm publication approved", + "vendor payload refreshed", + "production-ready", + "benchmark-validated", + "hosted surfaces approved", + "bundled pdfium approved", + ): + self.assertNotIn(forbidden, lower) + for private in ( + "/" + "Users/", + "/" + "private/tmp", + "/" + "private/var", + "/" + "var/folders", + "saumil" + "diwaker", + "Desktop/" + "Stuff", + "project/repo/" + "ethos", + ): + self.assertNotIn(private, raw) + + def test_record_is_indexed_and_wired_into_release_candidate_prep(self) -> None: + readme = normalized(VALIDATION_README) + block = target_block("release-candidate-prep") + + self.assertIn(RECORD.name, readme) + self.assertIn("patch 0.1.1 artifact publication closeout", readme.lower()) + self.assertIn( + "$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_closeout.py", + block, + ) + + +if __name__ == "__main__": + unittest.main() diff --git a/.github/scripts/test_release_candidate_prep.py b/.github/scripts/test_release_candidate_prep.py index 9b7b412..20948f4 100644 --- a/.github/scripts/test_release_candidate_prep.py +++ b/.github/scripts/test_release_candidate_prep.py @@ -42,6 +42,7 @@ "$(PYTHON) .github/scripts/test_patch_0_1_1_release_artifact_evidence.py", "$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py", "$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py", + "$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_closeout.py", "$(PYTHON) .github/scripts/test_release_candidate_prep.py", "$(PYTHON) .github/scripts/test_release_reproducibility_scaffold.py", "$(PYTHON) .github/scripts/test_launch_copy_approval_scaffold.py", diff --git a/CHANGELOG.md b/CHANGELOG.md index 56ccacd..4cfc608 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## Unreleased +- boundary-exception: close patch `0.1.1` CLI artifact publication with exact GitHub Release evidence; no npm vendor refresh, npm publication, or support-boundary change. - boundary-exception: approve exact patch `0.1.1` CLI artifact publication decision for later operator upload; no upload, npm vendor refresh, npm publication, or support-boundary change. - boundary-exception: request patch `0.1.1` artifact publication approval for exact evidenced CLI assets; no publication, npm vendor refresh, npm publication, or support-boundary change. - boundary-exception: record patch `0.1.1` draft artifact evidence for decider review; no GitHub Release publication, npm vendor refresh, npm publication, or support-boundary change. diff --git a/Makefile b/Makefile index e6c2b9d..514010b 100644 --- a/Makefile +++ b/Makefile @@ -284,6 +284,7 @@ release-candidate-prep: $(PYTHON) .github/scripts/test_patch_0_1_1_release_artifact_evidence.py $(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py $(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py + $(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_closeout.py $(PYTHON) .github/scripts/test_release_candidate_prep.py $(PYTHON) .github/scripts/test_release_reproducibility_scaffold.py $(PYTHON) .github/scripts/test_launch_copy_approval_scaffold.py diff --git a/docs/validation/README.md b/docs/validation/README.md index d3f1874..3d96034 100644 --- a/docs/validation/README.md +++ b/docs/validation/README.md @@ -580,6 +580,11 @@ recording the exact current-main source candidate and required follow-up evidenc operator upload, post-upload closeout evidence, npm vendor refresh, npm publication, hosted surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium, and public benchmark claims blocked. +- `patch-0-1-1-artifact-publication-closeout-validation-2026-06-23.md` - patch 0.1.1 artifact + publication closeout validation records GitHub Release `v0.1.1`, approved tag target, exact + published macOS arm64 and Linux x64 assets, matching checksums, sidecars, archive payloads, + macOS smoke output, bounded release wording, and retained blockers; npm vendor refresh and npm + publication remain separate blocked lanes. - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E validation-command index validation passed through command-alignment checks, schema enum checks, row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the diff --git a/docs/validation/patch-0-1-1-artifact-publication-closeout-validation-2026-06-23.md b/docs/validation/patch-0-1-1-artifact-publication-closeout-validation-2026-06-23.md new file mode 100644 index 0000000..15b9c25 --- /dev/null +++ b/docs/validation/patch-0-1-1-artifact-publication-closeout-validation-2026-06-23.md @@ -0,0 +1,147 @@ +# Patch 0.1.1 Artifact Publication Closeout Validation - 2026-06-23 + +Validated source HEAD before this record: `5231b56`. + +Patch 0.1.1 artifact publication closeout source commit: +`5231b56383afbc08c874325a7f47d6ae90e60a24`. + +Patch 0.1.1 artifact publication closeout source tree: +`b0e5d2e5ac534facf9bd78a580366aab1995f0e1`. + +Status: **patch 0.1.1 GitHub Release artifact publication complete** + +This record closes the bounded GitHub Release artifact publication action for patch `0.1.1`. It +records that GitHub Release tag `v0.1.1` exists at the approved source commit, contains the exact +approved macOS arm64 and Linux x64 CLI artifact assets, and preserves the approved public-beta +wording. It does not refresh npm vendor binaries, publish npm, change PDFium posture, approve hosted +surfaces, approve production positioning, approve Windows packaged artifacts, approve bundled +project-maintained PDFium builds, approve `ethos-doc`, approve `ethos-rag`, or approve public +benchmark reports or claims. + +## Subject + +- Repository: `docushell/ethos` +- GitHub Release tag: `v0.1.1` +- GitHub Release URL: `https://github.com/docushell/ethos/releases/tag/v0.1.1` +- Approval decision record: + `docs/validation/patch-0-1-1-artifact-publication-approval-decision-validation-2026-06-23.md` +- Approval request record: + `docs/validation/patch-0-1-1-artifact-publication-approval-request-validation-2026-06-23.md` +- Artifact evidence record: + `docs/validation/patch-0-1-1-release-artifact-evidence-validation-2026-06-23.md` + +## Release Metadata Verified + +- Release tag: `v0.1.1` +- Release name: `Release v0.1.1` +- Release draft status: `false` +- Release prerelease status: `false` +- Tag target: `5231b56383afbc08c874325a7f47d6ae90e60a24` + +## Published Assets Verified + +The published release asset list contains exactly these approved assets: + +- `ethos-macos-arm64.tar.gz` +- `ethos-macos-arm64.tar.gz.sha256` +- `ethos-macos-arm64.inventory.json` +- `ethos-macos-arm64.smoke.json` +- `ethos-linux-x64.tar.gz` +- `ethos-linux-x64.tar.gz.sha256` +- `ethos-linux-x64.inventory.json` +- `ethos-linux-x64.smoke.json` + +The published archive SHA256 values match the approval decision: + +```text +eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88 ethos-macos-arm64.tar.gz +842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0 ethos-linux-x64.tar.gz +``` + +The GitHub Release asset API also reported matching archive digests: + +```text +sha256:eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88 ethos-macos-arm64.tar.gz +sha256:842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0 ethos-linux-x64.tar.gz +``` + +The downloaded published sidecars verified as follows: + +- `ethos-macos-arm64.inventory.json`: schema `ethos.release_artifact_inventory.v1`, target + `macos-arm64`, status `draft_not_release_ready`, publication `blocked`. +- `ethos-macos-arm64.smoke.json`: schema `ethos.release_artifact_smoke.v1`, target + `macos-arm64`, version `ethos 0.1.1`. +- `ethos-linux-x64.inventory.json`: schema `ethos.release_artifact_inventory.v1`, target + `linux-x64`, status `draft_not_release_ready`, publication `blocked`. +- `ethos-linux-x64.smoke.json`: schema `ethos.release_artifact_smoke.v1`, target `linux-x64`, + version `ethos 0.1.1`. + +Both published archives contain the expected payload: + +- `LICENSE` +- `NOTICE` +- `ethos` +- `pdfium-manual-setup.md` + +The published macOS arm64 CLI smoke run reported: + +```text +ethos 0.1.1 +``` + +`ethos doctor` preserved the caller-provided PDFium setup-warning posture when +`ETHOS_PDFIUM_LIBRARY_PATH` was unset. + +## Published Release Wording Verified + +The GitHub Release body contains the approved bounded public-beta wording: + +> Ethos is public beta for source, Rust crate, Python wheel, macOS arm64 CLI artifact, Linux x64 +> CLI artifact, and npm `@docushell/ethos-pdf` evaluation. It verifies whether AI citations are +> grounded in document evidence across native Ethos JSON and supported foreign parser outputs. +> Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are available on crates.io +> at `0.1.1` for evaluation. The Python `ethos-pdf` wheel, npm `@docushell/ethos-pdf@0.1.1` +> package, and macOS arm64/Linux x64 CLI artifacts are available for evaluation with +> caller-provided PDFium. Hosted surfaces, production positioning, Windows packaged artifacts, +> bundled project-maintained PDFium builds, `ethos-doc`, `ethos-rag`, public benchmark reports, +> public benchmark claims, and speed, footprint, parser-quality, table-quality, or production +> claims remain blocked. + +The release body includes the approved archive SHA256 values shown above. + +## Verification Commands + +Operator verification completed: + +```sh +gh release view v0.1.1 --repo docushell/ethos --json tagName,name,isDraft,isPrerelease,url,assets +git ls-remote --tags origin v0.1.1 +gh release view v0.1.1 --repo docushell/ethos --json targetCommitish,tagName,url +gh release view v0.1.1 --repo docushell/ethos --json body --jq .body +gh release download v0.1.1 --repo docushell/ethos --dir /tmp/ethos-v0.1.1-published-assets +python3 .github/scripts/validate_release_artifact_inventory.py \ + /tmp/ethos-v0.1.1-published-assets/ethos-macos-arm64.inventory.json \ + /tmp/ethos-v0.1.1-published-assets/ethos-linux-x64.inventory.json +``` + +## Retained Blockers + +- `packages/npm/ethos-pdf/vendor/manifest.json` must not be refreshed until after this closeout + record is merged and a dedicated npm vendor refresh lane starts. +- npm publication remains blocked until the checked-in vendor payload is refreshed from approved + artifacts and a dedicated npm approval record passes. +- Hosted surfaces remain blocked. +- Production positioning remains blocked. +- Windows packaged artifacts remain blocked. +- Bundled project-maintained PDFium builds remain blocked. +- Public benchmark reports remain blocked. +- Public benchmark claims remain blocked. +- `ethos-doc` remains blocked. +- `ethos-rag` remains blocked. + +## Result + +Patch `0.1.1` GitHub Release artifact publication is complete for the exact approved macOS arm64 +and Linux x64 CLI artifacts. The next release lane may prepare npm vendor refresh from these +published assets, but only after this closeout record is merged and the dedicated vendor-refresh +guards pass.