Close patch 0.1.1 artifact publication

.github/scripts/test_patch_0_1_1_artifact_publication_closeout.py

@@ -0,0 +1,156 @@
+#!/usr/bin/env python3
+#
+# Copyright 2026 The Ethos maintainers
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+from __future__ import annotations
+
+import re
+import subprocess
+import unittest
+from pathlib import Path
+
+from makefile_guard import target_block
+
+
+ROOT = Path(__file__).resolve().parents[2]
+RECORD = ROOT / "docs/validation/patch-0-1-1-artifact-publication-closeout-validation-2026-06-23.md"
+VALIDATION_README = ROOT / "docs/validation/README.md"
+
+SOURCE_SHORT = "5231b56"
+SOURCE_COMMIT = "5231b56383afbc08c874325a7f47d6ae90e60a24"
+SOURCE_TREE = "b0e5d2e5ac534facf9bd78a580366aab1995f0e1"
+MACOS_SHA256 = "eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88"
+LINUX_SHA256 = "842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0"
+
+
+def read(path: Path) -> str:
+    return path.read_text(encoding="utf-8")
+
+
+def normalized(path: Path) -> str:
+    return re.sub(r"\s+", " ", read(path))
+
+
+def git(*args: str) -> str:
+    return subprocess.check_output(
+        ["git", *args],
+        cwd=ROOT,
+        encoding="utf-8",
+        stderr=subprocess.DEVNULL,
+    ).strip()
+
+
+class Patch011ArtifactPublicationCloseoutTests(unittest.TestCase):
+    def test_record_is_source_bound(self) -> None:
+        raw = read(RECORD)
+        record = normalized(RECORD)
+
+        self.assertIn(f"Validated source HEAD before this record: `{SOURCE_SHORT}`", raw)
+        self.assertIn(f"Patch 0.1.1 artifact publication closeout source commit: `{SOURCE_COMMIT}`", record)
+        self.assertIn(f"Patch 0.1.1 artifact publication closeout source tree: `{SOURCE_TREE}`", record)
+        self.assertEqual(SOURCE_COMMIT, git("rev-parse", SOURCE_SHORT))
+        self.assertEqual(SOURCE_TREE, git("rev-parse", f"{SOURCE_SHORT}^{{tree}}"))
+
+    def test_record_captures_release_metadata_and_exact_assets(self) -> None:
+        record = normalized(RECORD)
+
+        for expected in (
+            "Status: **patch 0.1.1 GitHub Release artifact publication complete**",
+            "GitHub Release tag: `v0.1.1`",
+            "Release name: `Release v0.1.1`",
+            "Release draft status: `false`",
+            "Release prerelease status: `false`",
+            f"Tag target: `{SOURCE_COMMIT}`",
+            "ethos-macos-arm64.tar.gz",
+            "ethos-macos-arm64.tar.gz.sha256",
+            "ethos-macos-arm64.inventory.json",
+            "ethos-macos-arm64.smoke.json",
+            "ethos-linux-x64.tar.gz",
+            "ethos-linux-x64.tar.gz.sha256",
+            "ethos-linux-x64.inventory.json",
+            "ethos-linux-x64.smoke.json",
+            MACOS_SHA256,
+            LINUX_SHA256,
+        ):
+            self.assertIn(expected, record)
+
+    def test_record_captures_sidecar_payload_and_smoke_evidence(self) -> None:
+        record = normalized(RECORD)
+
+        for expected in (
+            "schema `ethos.release_artifact_inventory.v1`, target `macos-arm64`",
+            "schema `ethos.release_artifact_smoke.v1`, target `macos-arm64`, version `ethos 0.1.1`",
+            "schema `ethos.release_artifact_inventory.v1`, target `linux-x64`",
+            "schema `ethos.release_artifact_smoke.v1`, target `linux-x64`, version `ethos 0.1.1`",
+            "`LICENSE`",
+            "`NOTICE`",
+            "`ethos`",
+            "`pdfium-manual-setup.md`",
+            "`ethos doctor` preserved the caller-provided PDFium setup-warning posture",
+        ):
+            self.assertIn(expected, record)
+
+    def test_record_preserves_blockers_and_private_path_safety(self) -> None:
+        raw = read(RECORD)
+        lower = normalized(RECORD).lower()
+
+        for blocker in (
+            "`packages/npm/ethos-pdf/vendor/manifest.json` must not be refreshed",
+            "npm publication remains blocked",
+            "Hosted surfaces remain blocked",
+            "Production positioning remains blocked",
+            "Windows packaged artifacts remain blocked",
+            "Bundled project-maintained PDFium builds remain blocked",
+            "Public benchmark reports remain blocked",
+            "Public benchmark claims remain blocked",
+            "`ethos-doc` remains blocked",
+            "`ethos-rag` remains blocked",
+        ):
+            self.assertIn(blocker, raw)
+        for forbidden in (
+            "npm publication approved",
+            "vendor payload refreshed",
+            "production-ready",
+            "benchmark-validated",
+            "hosted surfaces approved",
+            "bundled pdfium approved",
+        ):
+            self.assertNotIn(forbidden, lower)
+        for private in (
+            "/" + "Users/",
+            "/" + "private/tmp",
+            "/" + "private/var",
+            "/" + "var/folders",
+            "saumil" + "diwaker",
+            "Desktop/" + "Stuff",
+            "project/repo/" + "ethos",
+        ):
+            self.assertNotIn(private, raw)
+
+    def test_record_is_indexed_and_wired_into_release_candidate_prep(self) -> None:
+        readme = normalized(VALIDATION_README)
+        block = target_block("release-candidate-prep")
+
+        self.assertIn(RECORD.name, readme)
+        self.assertIn("patch 0.1.1 artifact publication closeout", readme.lower())
+        self.assertIn(
+            "$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_closeout.py",
+            block,
+        )
+
+
+if __name__ == "__main__":
+    unittest.main()

.github/scripts/test_release_candidate_prep.py

@@ -42,6 +42,7 @@
     "$(PYTHON) .github/scripts/test_patch_0_1_1_release_artifact_evidence.py",
     "$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py",
     "$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py",
+    "$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_closeout.py",
     "$(PYTHON) .github/scripts/test_release_candidate_prep.py",
     "$(PYTHON) .github/scripts/test_release_reproducibility_scaffold.py",
     "$(PYTHON) .github/scripts/test_launch_copy_approval_scaffold.py",

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## Unreleased
 
+- boundary-exception: close patch `0.1.1` CLI artifact publication with exact GitHub Release evidence; no npm vendor refresh, npm publication, or support-boundary change.
 - boundary-exception: approve exact patch `0.1.1` CLI artifact publication decision for later operator upload; no upload, npm vendor refresh, npm publication, or support-boundary change.
 - boundary-exception: request patch `0.1.1` artifact publication approval for exact evidenced CLI assets; no publication, npm vendor refresh, npm publication, or support-boundary change.
 - boundary-exception: record patch `0.1.1` draft artifact evidence for decider review; no GitHub Release publication, npm vendor refresh, npm publication, or support-boundary change.

Makefile

@@ -284,6 +284,7 @@ release-candidate-prep:
 	$(PYTHON) .github/scripts/test_patch_0_1_1_release_artifact_evidence.py
 	$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_request.py
 	$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_approval_decision.py
+	$(PYTHON) .github/scripts/test_patch_0_1_1_artifact_publication_closeout.py
 	$(PYTHON) .github/scripts/test_release_candidate_prep.py
 	$(PYTHON) .github/scripts/test_release_reproducibility_scaffold.py
 	$(PYTHON) .github/scripts/test_launch_copy_approval_scaffold.py

docs/validation/README.md

@@ -580,6 +580,11 @@ recording the exact current-main source candidate and required follow-up evidenc
   operator upload, post-upload closeout evidence, npm vendor refresh, npm publication, hosted
   surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium,
   and public benchmark claims blocked.
+- `patch-0-1-1-artifact-publication-closeout-validation-2026-06-23.md` - patch 0.1.1 artifact
+  publication closeout validation records GitHub Release `v0.1.1`, approved tag target, exact
+  published macOS arm64 and Linux x64 assets, matching checksums, sidecars, archive payloads,
+  macOS smoke output, bounded release wording, and retained blockers; npm vendor refresh and npm
+  publication remain separate blocked lanes.
 - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E
   validation-command index validation passed through command-alignment checks, schema enum checks,
   row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the

docs/validation/patch-0-1-1-artifact-publication-closeout-validation-2026-06-23.md

@@ -0,0 +1,147 @@
+# Patch 0.1.1 Artifact Publication Closeout Validation - 2026-06-23
+
+Validated source HEAD before this record: `5231b56`.
+
+Patch 0.1.1 artifact publication closeout source commit:
+`5231b56383afbc08c874325a7f47d6ae90e60a24`.
+
+Patch 0.1.1 artifact publication closeout source tree:
+`b0e5d2e5ac534facf9bd78a580366aab1995f0e1`.
+
+Status: **patch 0.1.1 GitHub Release artifact publication complete**
+
+This record closes the bounded GitHub Release artifact publication action for patch `0.1.1`. It
+records that GitHub Release tag `v0.1.1` exists at the approved source commit, contains the exact
+approved macOS arm64 and Linux x64 CLI artifact assets, and preserves the approved public-beta
+wording. It does not refresh npm vendor binaries, publish npm, change PDFium posture, approve hosted
+surfaces, approve production positioning, approve Windows packaged artifacts, approve bundled
+project-maintained PDFium builds, approve `ethos-doc`, approve `ethos-rag`, or approve public
+benchmark reports or claims.
+
+## Subject
+
+- Repository: `docushell/ethos`
+- GitHub Release tag: `v0.1.1`
+- GitHub Release URL: `https://github.com/docushell/ethos/releases/tag/v0.1.1`
+- Approval decision record:
+  `docs/validation/patch-0-1-1-artifact-publication-approval-decision-validation-2026-06-23.md`
+- Approval request record:
+  `docs/validation/patch-0-1-1-artifact-publication-approval-request-validation-2026-06-23.md`
+- Artifact evidence record:
+  `docs/validation/patch-0-1-1-release-artifact-evidence-validation-2026-06-23.md`
+
+## Release Metadata Verified
+
+- Release tag: `v0.1.1`
+- Release name: `Release v0.1.1`
+- Release draft status: `false`
+- Release prerelease status: `false`
+- Tag target: `5231b56383afbc08c874325a7f47d6ae90e60a24`
+
+## Published Assets Verified
+
+The published release asset list contains exactly these approved assets:
+
+- `ethos-macos-arm64.tar.gz`
+- `ethos-macos-arm64.tar.gz.sha256`
+- `ethos-macos-arm64.inventory.json`
+- `ethos-macos-arm64.smoke.json`
+- `ethos-linux-x64.tar.gz`
+- `ethos-linux-x64.tar.gz.sha256`
+- `ethos-linux-x64.inventory.json`
+- `ethos-linux-x64.smoke.json`
+
+The published archive SHA256 values match the approval decision:
+
+```text
+eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88  ethos-macos-arm64.tar.gz
+842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0  ethos-linux-x64.tar.gz
+```
+
+The GitHub Release asset API also reported matching archive digests:
+
+```text
+sha256:eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88  ethos-macos-arm64.tar.gz
+sha256:842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0  ethos-linux-x64.tar.gz
+```
+
+The downloaded published sidecars verified as follows:
+
+- `ethos-macos-arm64.inventory.json`: schema `ethos.release_artifact_inventory.v1`, target
+  `macos-arm64`, status `draft_not_release_ready`, publication `blocked`.
+- `ethos-macos-arm64.smoke.json`: schema `ethos.release_artifact_smoke.v1`, target
+  `macos-arm64`, version `ethos 0.1.1`.
+- `ethos-linux-x64.inventory.json`: schema `ethos.release_artifact_inventory.v1`, target
+  `linux-x64`, status `draft_not_release_ready`, publication `blocked`.
+- `ethos-linux-x64.smoke.json`: schema `ethos.release_artifact_smoke.v1`, target `linux-x64`,
+  version `ethos 0.1.1`.
+
+Both published archives contain the expected payload:
+
+- `LICENSE`
+- `NOTICE`
+- `ethos`
+- `pdfium-manual-setup.md`
+
+The published macOS arm64 CLI smoke run reported:
+
+```text
+ethos 0.1.1
+```
+
+`ethos doctor` preserved the caller-provided PDFium setup-warning posture when
+`ETHOS_PDFIUM_LIBRARY_PATH` was unset.
+
+## Published Release Wording Verified
+
+The GitHub Release body contains the approved bounded public-beta wording:
+
+> Ethos is public beta for source, Rust crate, Python wheel, macOS arm64 CLI artifact, Linux x64
+> CLI artifact, and npm `@docushell/ethos-pdf` evaluation. It verifies whether AI citations are
+> grounded in document evidence across native Ethos JSON and supported foreign parser outputs.
+> Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are available on crates.io
+> at `0.1.1` for evaluation. The Python `ethos-pdf` wheel, npm `@docushell/ethos-pdf@0.1.1`
+> package, and macOS arm64/Linux x64 CLI artifacts are available for evaluation with
+> caller-provided PDFium. Hosted surfaces, production positioning, Windows packaged artifacts,
+> bundled project-maintained PDFium builds, `ethos-doc`, `ethos-rag`, public benchmark reports,
+> public benchmark claims, and speed, footprint, parser-quality, table-quality, or production
+> claims remain blocked.
+
+The release body includes the approved archive SHA256 values shown above.
+
+## Verification Commands
+
+Operator verification completed:
+
+```sh
+gh release view v0.1.1 --repo docushell/ethos --json tagName,name,isDraft,isPrerelease,url,assets
+git ls-remote --tags origin v0.1.1
+gh release view v0.1.1 --repo docushell/ethos --json targetCommitish,tagName,url
+gh release view v0.1.1 --repo docushell/ethos --json body --jq .body
+gh release download v0.1.1 --repo docushell/ethos --dir /tmp/ethos-v0.1.1-published-assets
+python3 .github/scripts/validate_release_artifact_inventory.py \
+  /tmp/ethos-v0.1.1-published-assets/ethos-macos-arm64.inventory.json \
+  /tmp/ethos-v0.1.1-published-assets/ethos-linux-x64.inventory.json
+```
+
+## Retained Blockers
+
+- `packages/npm/ethos-pdf/vendor/manifest.json` must not be refreshed until after this closeout
+  record is merged and a dedicated npm vendor refresh lane starts.
+- npm publication remains blocked until the checked-in vendor payload is refreshed from approved
+  artifacts and a dedicated npm approval record passes.
+- Hosted surfaces remain blocked.
+- Production positioning remains blocked.
+- Windows packaged artifacts remain blocked.
+- Bundled project-maintained PDFium builds remain blocked.
+- Public benchmark reports remain blocked.
+- Public benchmark claims remain blocked.
+- `ethos-doc` remains blocked.
+- `ethos-rag` remains blocked.
+
+## Result
+
+Patch `0.1.1` GitHub Release artifact publication is complete for the exact approved macOS arm64
+and Linux x64 CLI artifacts. The next release lane may prepare npm vendor refresh from these
+published assets, but only after this closeout record is merged and the dedicated vendor-refresh
+guards pass.