Request patch 0.1.1 npm publication approval

.github/scripts/test_npm_publication_final_approval_request.py

@@ -24,16 +24,16 @@
 
 
 ROOT = Path(__file__).resolve().parents[2]
-RECORD = ROOT / "docs/validation/npm-publication-final-approval-request-validation-2026-06-23.md"
+RECORD = ROOT / "docs/validation/patch-0-1-1-npm-publication-approval-request-validation-2026-06-23.md"
 VALIDATION_README = ROOT / "docs/validation/README.md"
 
-SOURCE_SHORT = "73f673c"
-SOURCE_COMMIT = "73f673cd4e6afcac6c96baffd743b339a89de96c"
-SOURCE_TREE = "942087f3d45f8d62e46f116b3f576b1713e17f37"
-PACKAGE = "@docushell/ethos-pdf@0.1.0"
-NPM_SHASUM = "17a053c5ccb802bca2a295e1b1d0e6106c6a3ca6"
-TARBALL_SHA256 = "8d0483d69a6de471dee52c8ef06d46712c06861682a0d7319ca573fdb1fe6376"
-INTEGRITY = "sha512-uWTHYd9Hfkm3nkahK2UchCMOVvYWe82z03jffZnX6aYPqYGd6LkuiEoTH5DjrXl+oA817EjlE88fIKBxZbhjMw=="
+SOURCE_SHORT = "af1851c"
+SOURCE_COMMIT = "af1851c88b2b7c17f706a902ca64987c2af082be"
+SOURCE_TREE = "7d501ab7fa5a585352918f65fbd2de1756a184b9"
+PACKAGE = "@docushell/ethos-pdf@0.1.1"
+NPM_SHASUM = "a150d08395724aa186d077074782413249a48689"
+TARBALL_SHA256 = "4b227d37bd125c6db1ffe40534f6cb5223a60073f26e3c4dbf60709561671d3d"
+INTEGRITY = "sha512-wVF4Ew6836sRncPZkvVieyQuo8FFbbBsIQ/vdupleUQZVX4YHgXb+lFZzZNcVB54Hh7srbbY17El4Z5sV7odhA=="
 NODE_VERSION = "v23.11.1"
 NPM_VERSION = "10.9.2"
 FORBIDDEN = (
@@ -70,8 +70,8 @@ def test_request_record_is_source_bound(self) -> None:
         record = normalized(RECORD)
 
         self.assertIn(f"Validated source HEAD before this record: `{SOURCE_SHORT}`", read(RECORD))
-        self.assertIn(f"npm publication final approval request source commit: `{SOURCE_COMMIT}`", record)
-        self.assertIn(f"npm publication final approval request source tree: `{SOURCE_TREE}`", record)
+        self.assertIn(f"npm publication approval request source commit: `{SOURCE_COMMIT}`", record)
+        self.assertIn(f"npm publication approval request source tree: `{SOURCE_TREE}`", record)
         self.assertEqual(SOURCE_COMMIT, git("rev-parse", SOURCE_SHORT))
         self.assertEqual(SOURCE_TREE, git("rev-parse", f"{SOURCE_SHORT}^{{tree}}"))
 
@@ -80,20 +80,20 @@ def test_request_names_exact_candidate_and_evidence(self) -> None:
 
         for expected in (
             PACKAGE,
-            "docushell-ethos-pdf-0.1.0.tgz",
+            "docushell-ethos-pdf-0.1.1.tgz",
             NPM_SHASUM,
             TARBALL_SHA256,
             INTEGRITY,
             f"Node.js: `{NODE_VERSION}`",
             f"npm: `{NPM_VERSION}`",
-            "per-file SHA256 values are the durable cross-toolchain provenance binding",
+            "per-file vendor SHA256 values are the durable cross-toolchain provenance binding",
             "vendor/ethos-darwin-arm64",
             "vendor/ethos-linux-x64",
             "vendor/manifest.json",
-            "ethos 0.1.0",
+            "ethos 0.1.1",
             "exit code `12`",
             "ETHOS_PDFIUM_LIBRARY_PATH",
-            "npm-tarball-candidate-evidence-validation-2026-06-23.md",
+            "patch-0-1-1-npm-vendor-refresh-validation-2026-06-23.md",
             "npm-vendor-binary-payload-strategy-validation-2026-06-23.md",
         ):
             self.assertIn(expected, record)
@@ -139,7 +139,7 @@ def test_record_is_indexed(self) -> None:
         readme = normalized(VALIDATION_README)
 
         self.assertIn(RECORD.name, readme)
-        self.assertIn("npm publication final approval request validation", readme)
+        self.assertIn("patch 0.1.1 npm publication approval request", readme.lower())
         self.assertIn("npm publish remains blocked", readme)
 
 

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## Unreleased
 
+- boundary-exception: request patch `0.1.1` npm publication approval for exact refreshed package candidate; no npm publish or support-boundary change.
 - boundary-exception: refresh patch `0.1.1` npm vendor payload from published CLI artifacts; no npm publication or support-boundary change.
 - boundary-exception: close patch `0.1.1` CLI artifact publication with exact GitHub Release evidence; no npm vendor refresh, npm publication, or support-boundary change.
 - boundary-exception: approve exact patch `0.1.1` CLI artifact publication decision for later operator upload; no upload, npm vendor refresh, npm publication, or support-boundary change.

docs/validation/README.md

@@ -589,6 +589,10 @@ recording the exact current-main source candidate and required follow-up evidenc
   validation records the checked-in `@docushell/ethos-pdf@0.1.1` vendor payload refreshed from
   published GitHub Release `v0.1.1` assets, per-file vendor SHA256 values, local `npm pack`
   metadata, install smoke, missing-PDFium behavior, and retained publication blockers.
+- `patch-0-1-1-npm-publication-approval-request-validation-2026-06-23.md` - patch 0.1.1 npm
+  publication approval request validation binds the exact `@docushell/ethos-pdf@0.1.1` npm
+  candidate, toolchain-qualified tarball hashes, durable vendor payload checksums, installed CLI
+  smoke, PDFium boundary, and retained blockers for decider review; npm publish remains blocked.
 - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E
   validation-command index validation passed through command-alignment checks, schema enum checks,
   row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the

docs/validation/patch-0-1-1-npm-publication-approval-request-validation-2026-06-23.md

@@ -0,0 +1,146 @@
+# Patch 0.1.1 npm Publication Approval Request Validation - 2026-06-23
+
+Validated source HEAD before this record: `af1851c`.
+
+npm publication approval request source commit: `af1851c88b2b7c17f706a902ca64987c2af082be`.
+
+npm publication approval request source tree: `7d501ab7fa5a585352918f65fbd2de1756a184b9`.
+
+Status: **patch 0.1.1 npm publication approval request packet recorded; npm publish remains blocked**
+
+This record requests decider review for publishing exactly `@docushell/ethos-pdf@0.1.1` to npm
+using the refreshed and locally validated vendor payload evidence. It does not approve or perform
+`npm publish`, change public wording, approve hosted surfaces, approve production positioning,
+approve Windows packaged artifacts, approve bundled project-maintained PDFium builds, approve
+`ethos-doc`, approve `ethos-rag`, or approve public benchmark reports or claims.
+
+## Subject
+
+- Repository: `docushell/ethos`
+- Lane: npm publication
+- Package: `@docushell/ethos-pdf`
+- Version: `0.1.1`
+- Candidate evidence record:
+  `docs/validation/patch-0-1-1-npm-vendor-refresh-validation-2026-06-23.md`
+- Vendor strategy record:
+  `docs/validation/npm-vendor-binary-payload-strategy-validation-2026-06-23.md`
+- Approved release artifacts used by candidate:
+  - `ethos-macos-arm64.tar.gz`
+  - `ethos-linux-x64.tar.gz`
+
+## Exact Request Fields
+
+- Decision requested: approve exact npm publication preparation inputs for later operator
+  execution.
+- Approver requested: `docushell-admin` acting as decider.
+- Date requested: 2026-06-23.
+- Exact package requested: `@docushell/ethos-pdf@0.1.1`.
+- Exact npm tarball filename requested: `docushell-ethos-pdf-0.1.1.tgz`.
+- Exact npm shasum requested: a150d08395724aa186d077074782413249a48689.
+- Exact npm tarball SHA256 requested:
+  `4b227d37bd125c6db1ffe40534f6cb5223a60073f26e3c4dbf60709561671d3d`.
+- Exact npm integrity requested:
+  `sha512-wVF4Ew6836sRncPZkvVieyQuo8FFbbBsIQ/vdupleUQZVX4YHgXb+lFZzZNcVB54Hh7srbbY17El4Z5sV7odhA==`.
+- Exact npm pack toolchain requested for reproducing those tarball hashes:
+  - Node.js: `v23.11.1`
+  - npm: `10.9.2`
+- Exact npm tarball hash interpretation requested: npm shasum, tarball SHA256, and integrity are
+  qualified by Node.js `v23.11.1` and npm `10.9.2`; per-file vendor SHA256 values are the durable
+  cross-toolchain provenance binding.
+- Exact vendor binary payload requested:
+  - `vendor/ethos-darwin-arm64`
+    - SHA256: `a3d0d4be596da25313659a89de8fbff0e13f4b355462381e1bbedd05078c09f2`
+  - `vendor/ethos-linux-x64`
+    - SHA256: `ee14be020fb79e326686fc77bcf781503f4759d2e3b7bcb6a641b2311608a354`
+  - `vendor/manifest.json`
+    - SHA256: `7be6e6c02c0086de7c10594a6f0443c8535d5782a4ffc0bc0eed3f8ebb13bda8`
+- Exact supported npm platforms requested:
+  - macOS arm64
+  - Linux x64
+- Exact installed CLI smoke accepted for request: `ethos 0.1.1`.
+- Exact missing-PDFium behavior accepted for request: exit code `12` with
+  `PDFium not found: set ETHOS_PDFIUM_LIBRARY_PATH to the caller-provided PDFium dynamic library path`.
+- Exact PDFium boundary requested: caller-provided PDFium only through
+  `ETHOS_PDFIUM_LIBRARY_PATH`; no bundled or project-maintained PDFium build.
+
+## Requested Publication Boundaries
+
+- Only `@docushell/ethos-pdf@0.1.1` is in scope.
+- Publication must use the exact candidate tarball bound above.
+- Publication must use Node.js `v23.11.1` and npm `10.9.2` when reproducing npm pack hashes or
+  running `npm publish`.
+- Publication must not change the package version.
+- Publication must not add Windows packaged artifacts.
+- Publication must not add hosted surfaces.
+- Publication must not add production positioning.
+- Publication must not add public benchmark reports or claims.
+- Publication must not bundle PDFium or claim a project-maintained PDFium build.
+- Publication must not approve `ethos-doc` or `ethos-rag`.
+
+## Required Manual Decider Step
+
+Manual action is required before any publish operation:
+
+1. A decider must accept or reject this exact request packet.
+2. If accepted, a separate approval decision record must bind the exact npm candidate and retained
+   blockers.
+3. Only after that decision record passes may an operator run `npm publish` with npm credentials.
+
+No `npm publish` command is approved by this request record.
+
+## Evidence Bound To This Request
+
+- `python3 .github/scripts/test_npm_tarball_candidate_evidence.py` passed.
+- `npm test --prefix packages/npm/ethos-pdf` passed.
+- `python3 .github/scripts/test_npm_binary_package_scaffold.py` passed.
+- `make release-candidate-prep PYTHON=python3` passed on merged `main` before this request branch.
+- Provenance chain confirmed: approved GitHub Release `v0.1.1` archives are bound by archive
+  SHA256, the extracted npm vendor payload is bound by per-file SHA256, and npm tarball hashes are
+  toolchain-qualified under Node.js `v23.11.1` and npm `10.9.2`.
+
+## Non-Approvals
+
+- This request packet does not approve `npm publish`.
+- This request packet does not publish the npm package.
+- This request packet does not approve public wording changes.
+- This request packet does not approve hosted surfaces.
+- This request packet does not approve production positioning.
+- This request packet does not approve public benchmark reports.
+- This request packet does not approve public benchmark claims.
+- This request packet does not approve Windows packaged artifacts.
+- This request packet does not approve bundled project-maintained PDFium builds.
+- This request packet does not approve `ethos-doc`.
+- This request packet does not approve `ethos-rag`.
+
+## Retained Blockers
+
+- npm publication remains blocked pending explicit decider approval.
+- Actual npm publish remains blocked pending explicit operator action with npm credentials.
+- Hosted surfaces remain blocked.
+- Production positioning remains blocked.
+- Public benchmark reports remain blocked.
+- Public benchmark claims remain blocked.
+- Windows packaged artifacts remain blocked.
+- Bundled project-maintained PDFium builds remain blocked.
+- `ethos-doc` remains blocked.
+- `ethos-rag` remains blocked.
+
+## Commands
+
+```sh
+python3 .github/scripts/test_npm_publication_final_approval_request.py
+python3 .github/scripts/test_npm_tarball_candidate_evidence.py
+python3 .github/scripts/test_npm_binary_package_scaffold.py
+python3 .github/scripts/test_npm_vendor_binary_payload_strategy.py
+npm test --prefix packages/npm/ethos-pdf
+make release-candidate-prep PYTHON=python3
+git diff --check
+```
+
+## Result
+
+```text
+patch 0.1.1 npm publication approval request packet recorded
+Exact package, version, toolchain-qualified npm shasum, toolchain-qualified tarball SHA256, toolchain-qualified integrity, durable vendor payload checksums, installed CLI smoke, and PDFium boundary were recorded
+npm publish remains blocked pending explicit decider approval and later operator action
+```