Refresh patch 0.1.1 npm vendor payload

.github/scripts/test_npm_binary_package_scaffold.py

@@ -41,12 +41,12 @@
     "darwin:arm64": {
         "binary": "ethos-darwin-arm64",
         "release_asset": "ethos-macos-arm64.tar.gz",
-        "release_asset_sha256": "9cb66dac20f93c55f574357dd0494e0cad711e1e5969cdfb29ae4c64ddf7c95d",
+        "release_asset_sha256": "eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88",
     },
     "linux:x64": {
         "binary": "ethos-linux-x64",
         "release_asset": "ethos-linux-x64.tar.gz",
-        "release_asset_sha256": "59dc8e4efe4888afe80d18488fd83b08293ea30550ab38961e601f8f18a098b2",
+        "release_asset_sha256": "842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0",
     },
 }
 

.github/scripts/test_npm_tarball_candidate_evidence.py

@@ -30,11 +30,11 @@
 ROOT = Path(__file__).resolve().parents[2]
 PACKAGE_DIR = ROOT / "packages/npm/ethos-pdf"
 PACKAGE_TARBALL = PACKAGE_DIR / "docushell-ethos-pdf-0.1.1.tgz"
-RECORD = ROOT / "docs/validation/npm-tarball-candidate-evidence-validation-2026-06-23.md"
+RECORD = ROOT / "docs/validation/patch-0-1-1-npm-vendor-refresh-validation-2026-06-23.md"
 VALIDATION_README = ROOT / "docs/validation/README.md"
-SOURCE_SHORT = "5a956a5"
-SOURCE_COMMIT = "5a956a562ea70e1ae63eccb4e830d68699d5f767"
-SOURCE_TREE = "5f9d252ed8544850bd7b1327dfb2e7f1660b3a03"
+SOURCE_SHORT = "da5b5f4"
+SOURCE_COMMIT = "da5b5f4ed1a2645e13d8e629ed18d67babaf7eee"
+SOURCE_TREE = "24781c7305a3daca92cd5c1cb0ae6efe3edf1f23"
 EXPECTED_FILES = {
     "LICENSE",
     "NOTICE",
@@ -49,19 +49,19 @@
     "vendor/manifest.json",
 }
 EXPECTED_VENDOR_SHA256 = {
-    "vendor/ethos-darwin-arm64": "f1b0c9e47dace78b7e8b3639b9445afe9a01f0db5d5b7b0bd81858def4df2cf5",
-    "vendor/ethos-linux-x64": "7ef796a6d1c86b7c3b5b1afe58dd9cc348b706cec441602833540d8a0c9260ac",
-    "vendor/manifest.json": "0d03124957255dca55b7374e3318707da488f4b6648bfcec5e6e598079353b1f",
+    "vendor/ethos-darwin-arm64": "a3d0d4be596da25313659a89de8fbff0e13f4b355462381e1bbedd05078c09f2",
+    "vendor/ethos-linux-x64": "ee14be020fb79e326686fc77bcf781503f4759d2e3b7bcb6a641b2311608a354",
+    "vendor/manifest.json": "7be6e6c02c0086de7c10594a6f0443c8535d5782a4ffc0bc0eed3f8ebb13bda8",
 }
-EXPECTED_PACK_SHASUM = "d60100a96a27094ee4b5007699be9235e63ba991"
-EXPECTED_PACK_SHA256 = "1716bf6f0163672497aaa8d5d678759f251e07860f23fe1a3e04d85f6cc3052e"
+EXPECTED_PACK_SHASUM = "a150d08395724aa186d077074782413249a48689"
+EXPECTED_PACK_SHA256 = "4b227d37bd125c6db1ffe40534f6cb5223a60073f26e3c4dbf60709561671d3d"
 EXPECTED_PACK_INTEGRITY = (
-    "sha512-kYTwuzx0nZTHekEFP8iRB4q4eIacDN/nuRPlB7d0v3hhtipHSxeenbonQ78kTJKDjzew6YKK8ix/Uk27tZ7KoQ=="
+    "sha512-wVF4Ew6836sRncPZkvVieyQuo8FFbbBsIQ/vdupleUQZVX4YHgXb+lFZzZNcVB54Hh7srbbY17El4Z5sV7odhA=="
 )
-EVIDENCE_PACK_SHASUM = "17a053c5ccb802bca2a295e1b1d0e6106c6a3ca6"
-EVIDENCE_PACK_SHA256 = "8d0483d69a6de471dee52c8ef06d46712c06861682a0d7319ca573fdb1fe6376"
+EVIDENCE_PACK_SHASUM = EXPECTED_PACK_SHASUM
+EVIDENCE_PACK_SHA256 = EXPECTED_PACK_SHA256
 EVIDENCE_PACK_INTEGRITY = (
-    "sha512-uWTHYd9Hfkm3nkahK2UchCMOVvYWe82z03jffZnX6aYPqYGd6LkuiEoTH5DjrXl+oA817EjlE88fIKBxZbhjMw=="
+    EXPECTED_PACK_INTEGRITY
 )
 EXPECTED_NODE_VERSION = "v23.11.1"
 EXPECTED_NPM_VERSION = "10.9.2"
@@ -127,21 +127,21 @@ def test_candidate_evidence_record_is_source_bound_and_indexed(self) -> None:
         readme = normalized(VALIDATION_README)
 
         self.assertIn(f"Validated source HEAD before this record: `{SOURCE_SHORT}`", read(RECORD))
-        self.assertIn(f"npm tarball candidate source commit: `{SOURCE_COMMIT}`", record)
-        self.assertIn(f"npm tarball candidate source tree: `{SOURCE_TREE}`", record)
+        self.assertIn(f"npm vendor refresh source commit: `{SOURCE_COMMIT}`", record)
+        self.assertIn(f"npm vendor refresh source tree: `{SOURCE_TREE}`", record)
         self.assertIn(EVIDENCE_PACK_SHASUM, record)
         self.assertIn(EVIDENCE_PACK_SHA256, record)
         self.assertIn(EVIDENCE_PACK_INTEGRITY, record)
         self.assertIn(f"Node.js: `{EXPECTED_NODE_VERSION}`", record)
         self.assertIn(f"npm: `{EXPECTED_NPM_VERSION}`", record)
         self.assertIn("durable package-content provenance", record)
         self.assertIn("per-file vendor SHA256 values as the durable content binding", record)
-        self.assertIn("ethos 0.1.0", record)
+        self.assertIn("ethos 0.1.1", record)
         self.assertIn("exit code `12`", record)
         self.assertIn("npm publication remains blocked", record)
         self.assertNotIn("npm publication approved", record.lower())
         self.assertIn(RECORD.name, readme)
-        self.assertIn("npm tarball candidate evidence validation", readme)
+        self.assertIn("patch 0.1.1 npm vendor refresh validation", readme)
 
     def test_candidate_tarball_installs_and_preserves_pdfium_boundary(self) -> None:
         with tempfile.TemporaryDirectory(prefix="ethos-npm-install-") as temp:
@@ -177,7 +177,7 @@ def test_candidate_tarball_installs_and_preserves_pdfium_boundary(self) -> None:
                     stderr=subprocess.PIPE,
                 )
                 self.assertEqual(0, version.returncode, version.stderr)
-                self.assertEqual("ethos 0.1.0", version.stdout.strip())
+                self.assertEqual("ethos 0.1.1", version.stdout.strip())
 
                 dummy_pdf = Path(temp) / "dummy.pdf"
                 dummy_pdf.write_text("%PDF-1.4\n%%EOF\n", encoding="utf-8")

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## Unreleased
 
+- boundary-exception: refresh patch `0.1.1` npm vendor payload from published CLI artifacts; no npm publication or support-boundary change.
 - boundary-exception: close patch `0.1.1` CLI artifact publication with exact GitHub Release evidence; no npm vendor refresh, npm publication, or support-boundary change.
 - boundary-exception: approve exact patch `0.1.1` CLI artifact publication decision for later operator upload; no upload, npm vendor refresh, npm publication, or support-boundary change.
 - boundary-exception: request patch `0.1.1` artifact publication approval for exact evidenced CLI assets; no publication, npm vendor refresh, npm publication, or support-boundary change.

docs/validation/README.md

@@ -585,6 +585,10 @@ recording the exact current-main source candidate and required follow-up evidenc
   published macOS arm64 and Linux x64 assets, matching checksums, sidecars, archive payloads,
   macOS smoke output, bounded release wording, and retained blockers; npm vendor refresh and npm
   publication remain separate blocked lanes.
+- `patch-0-1-1-npm-vendor-refresh-validation-2026-06-23.md` - patch 0.1.1 npm vendor refresh
+  validation records the checked-in `@docushell/ethos-pdf@0.1.1` vendor payload refreshed from
+  published GitHub Release `v0.1.1` assets, per-file vendor SHA256 values, local `npm pack`
+  metadata, install smoke, missing-PDFium behavior, and retained publication blockers.
 - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E
   validation-command index validation passed through command-alignment checks, schema enum checks,
   row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the

docs/validation/patch-0-1-1-npm-vendor-refresh-validation-2026-06-23.md

@@ -0,0 +1,152 @@
+# Patch 0.1.1 npm Vendor Refresh Validation - 2026-06-23
+
+Validated source HEAD before this record: `da5b5f4`.
+
+npm vendor refresh source commit: `da5b5f4ed1a2645e13d8e629ed18d67babaf7eee`.
+
+npm vendor refresh source tree: `24781c7305a3daca92cd5c1cb0ae6efe3edf1f23`.
+
+Status: **patch 0.1.1 npm vendor payload refreshed from published GitHub Release assets; npm publication remains blocked**
+
+This record validates the checked-in `@docushell/ethos-pdf@0.1.1` vendor payload after refreshing it
+from the published GitHub Release `v0.1.1` macOS arm64 and Linux x64 CLI artifacts. It does not
+approve `npm publish`, hosted surfaces, production positioning, Windows packaged artifacts, bundled
+project-maintained PDFium builds, `ethos-doc`, `ethos-rag`, public benchmark reports, or public
+benchmark claims.
+
+## Published Release Artifact Inputs
+
+Downloaded from GitHub Release `v0.1.1`:
+
+- `ethos-macos-arm64.tar.gz`
+  - SHA256: `eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88`
+- `ethos-linux-x64.tar.gz`
+  - SHA256: `842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0`
+
+Vendor binaries assembled with:
+
+```sh
+node packages/npm/ethos-pdf/scripts/prepare-vendor.js /tmp/ethos-v0.1.1-published-assets
+```
+
+Result:
+
+```text
+prepared vendor/ethos-darwin-arm64
+prepared vendor/ethos-linux-x64
+```
+
+## Vendor Payload Checksums
+
+- `vendor/ethos-darwin-arm64`
+  - SHA256: `a3d0d4be596da25313659a89de8fbff0e13f4b355462381e1bbedd05078c09f2`
+- `vendor/ethos-linux-x64`
+  - SHA256: `ee14be020fb79e326686fc77bcf781503f4759d2e3b7bcb6a641b2311608a354`
+- `vendor/manifest.json`
+  - SHA256: `7be6e6c02c0086de7c10594a6f0443c8535d5782a4ffc0bc0eed3f8ebb13bda8`
+
+## npm Pack Candidate
+
+Command:
+
+```sh
+npm_config_cache=/tmp/ethos-npm-vendor-refresh-cache npm pack --json
+```
+
+Pack toolchain:
+
+- Node.js: `v23.11.1`
+- npm: `10.9.2`
+
+The npm shasum, tarball SHA256, and integrity below are qualified by this exact pack toolchain
+because npm's gzip/tar serialization can change across npm versions. The durable package-content
+provenance is the packed file list plus the per-file vendor SHA256 values as the durable content
+binding for the release-derived vendor payload above.
+
+Candidate metadata:
+
+- package: `@docushell/ethos-pdf@0.1.1`
+- filename: `docushell-ethos-pdf-0.1.1.tgz`
+- npm shasum: a150d08395724aa186d077074782413249a48689
+- tarball SHA256: `4b227d37bd125c6db1ffe40534f6cb5223a60073f26e3c4dbf60709561671d3d`
+- integrity:
+  `sha512-wVF4Ew6836sRncPZkvVieyQuo8FFbbBsIQ/vdupleUQZVX4YHgXb+lFZzZNcVB54Hh7srbbY17El4Z5sV7odhA==`
+
+Packed file list:
+
+- `LICENSE`
+- `NOTICE`
+- `QUICKSTART.md`
+- `README.md`
+- `bin/ethos-pdf.js`
+- `package.json`
+- `scripts/postinstall.js`
+- `scripts/prepare-vendor.js`
+- `vendor/ethos-darwin-arm64`
+- `vendor/ethos-linux-x64`
+- `vendor/manifest.json`
+
+The vendor binaries were packed with executable mode `493`.
+
+## Local Install Smoke
+
+Install command:
+
+```sh
+npm_config_cache=/tmp/ethos-npm-vendor-refresh-cache npm install \
+  packages/npm/ethos-pdf/docushell-ethos-pdf-0.1.1.tgz \
+  --prefix /tmp/ethos-npm-vendor-refresh-install
+```
+
+Result:
+
+```text
+added 1 package
+```
+
+Version smoke:
+
+```sh
+/tmp/ethos-npm-vendor-refresh-install/node_modules/.bin/ethos --version
+```
+
+Result:
+
+```text
+ethos 0.1.1
+```
+
+Missing-PDFium smoke with an existing dummy PDF returned exit code `12` and included
+`ETHOS_PDFIUM_LIBRARY_PATH`.
+
+## Validation Command
+
+```sh
+python3 .github/scripts/test_npm_tarball_candidate_evidence.py
+```
+
+Result:
+
+```text
+Ran 4 tests
+OK
+```
+
+## Retained Blockers
+
+- npm publication remains blocked until a dedicated decider record approves `npm publish` for this
+  exact `0.1.1` candidate and public wording.
+- Windows packaged artifacts remain blocked.
+- Hosted surfaces remain blocked.
+- Production positioning remains blocked.
+- Public benchmark reports remain blocked.
+- Public benchmark claims remain blocked.
+- Bundled project-maintained PDFium builds remain blocked.
+- `ethos-doc` remains blocked.
+- `ethos-rag` remains blocked.
+
+## Result
+
+The `@docushell/ethos-pdf@0.1.1` npm vendor payload is refreshed from the published `v0.1.1`
+GitHub Release assets and locally validated. npm publication remains blocked pending a dedicated
+approval request, approval decision, explicit operator action, and closeout evidence.

packages/npm/ethos-pdf/vendor/manifest.json

@@ -5,12 +5,12 @@
     "darwin:arm64": {
       "binary": "ethos-darwin-arm64",
       "release_asset": "ethos-macos-arm64.tar.gz",
-      "release_asset_sha256": "9cb66dac20f93c55f574357dd0494e0cad711e1e5969cdfb29ae4c64ddf7c95d"
+      "release_asset_sha256": "eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88"
     },
     "linux:x64": {
       "binary": "ethos-linux-x64",
       "release_asset": "ethos-linux-x64.tar.gz",
-      "release_asset_sha256": "59dc8e4efe4888afe80d18488fd83b08293ea30550ab38961e601f8f18a098b2"
+      "release_asset_sha256": "842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0"
     }
   }
 }