Approve patch 0.1.1 npm publication decision

.github/scripts/test_npm_publication_final_approval_decision.py

@@ -24,16 +24,16 @@
 
 
 ROOT = Path(__file__).resolve().parents[2]
-RECORD = ROOT / "docs/validation/npm-publication-final-approval-decision-validation-2026-06-23.md"
+RECORD = ROOT / "docs/validation/patch-0-1-1-npm-publication-approval-decision-validation-2026-06-23.md"
 VALIDATION_README = ROOT / "docs/validation/README.md"
 
-SOURCE_SHORT = "aab7a97"
-SOURCE_COMMIT = "aab7a97dabc17fa1f90e085e8934e1582827dcda"
-SOURCE_TREE = "b842f2aaedf51275cebf25c9ecadc37f56120106"
-PACKAGE = "@docushell/ethos-pdf@0.1.0"
-NPM_SHASUM = "17a053c5ccb802bca2a295e1b1d0e6106c6a3ca6"
-TARBALL_SHA256 = "8d0483d69a6de471dee52c8ef06d46712c06861682a0d7319ca573fdb1fe6376"
-INTEGRITY = "sha512-uWTHYd9Hfkm3nkahK2UchCMOVvYWe82z03jffZnX6aYPqYGd6LkuiEoTH5DjrXl+oA817EjlE88fIKBxZbhjMw=="
+SOURCE_SHORT = "25d52b9"
+SOURCE_COMMIT = "25d52b9dc0119aaa39e66d3886583a95bb852128"
+SOURCE_TREE = "26e6faa2d0171589efc4d18a7ce6593f36583d32"
+PACKAGE = "@docushell/ethos-pdf@0.1.1"
+NPM_SHASUM = "a150d08395724aa186d077074782413249a48689"
+TARBALL_SHA256 = "4b227d37bd125c6db1ffe40534f6cb5223a60073f26e3c4dbf60709561671d3d"
+INTEGRITY = "sha512-wVF4Ew6836sRncPZkvVieyQuo8FFbbBsIQ/vdupleUQZVX4YHgXb+lFZzZNcVB54Hh7srbbY17El4Z5sV7odhA=="
 NODE_VERSION = "v23.11.1"
 NPM_VERSION = "10.9.2"
 FORBIDDEN = (
@@ -79,17 +79,17 @@ def test_decision_accepts_exact_bounded_npm_candidate(self) -> None:
 
         for expected in (
             PACKAGE,
-            "docushell-ethos-pdf-0.1.0.tgz",
+            "docushell-ethos-pdf-0.1.1.tgz",
             NPM_SHASUM,
             TARBALL_SHA256,
             INTEGRITY,
             f"Node.js: `{NODE_VERSION}`",
             f"npm: `{NPM_VERSION}`",
-            "per-file SHA256 values are the durable cross-toolchain provenance binding",
+            "per-file vendor SHA256 values are the durable cross-toolchain provenance binding",
             "vendor/ethos-darwin-arm64",
             "vendor/ethos-linux-x64",
             "vendor/manifest.json",
-            "ethos 0.1.0",
+            "ethos 0.1.1",
             "exit code `12`",
             "ETHOS_PDFIUM_LIBRARY_PATH",
             "Approved Operator Action",
@@ -103,7 +103,7 @@ def test_decision_permits_only_later_operator_publish_with_boundaries(self) -> N
         self.assertIn("publication remains an explicit later operator action", record)
         self.assertIn("the operator uses Node.js `v23.11.1` and npm `10.9.2`", record)
         self.assertIn("npm credentials authorized for the `@docushell` scope", record)
-        self.assertIn("targets only `@docushell/ethos-pdf@0.1.0`", record)
+        self.assertIn("targets only `@docushell/ethos-pdf@0.1.1`", record)
 
     def test_decision_retains_unrelated_blockers_and_avoids_scope_expansion(self) -> None:
         raw = read(RECORD)
@@ -134,7 +134,7 @@ def test_decision_is_indexed(self) -> None:
         readme = normalized(VALIDATION_README)
 
         self.assertIn(RECORD.name, readme)
-        self.assertIn("npm publication final approval decision validation", readme)
+        self.assertIn("patch 0.1.1 npm publication approval decision", readme.lower())
         self.assertIn("leaves operator publish pending", readme)
 
 

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## Unreleased
 
+- boundary-exception: approve exact patch `0.1.1` npm publication decision for later operator publish; no npm publish or support-boundary change.
 - boundary-exception: request patch `0.1.1` npm publication approval for exact refreshed package candidate; no npm publish or support-boundary change.
 - boundary-exception: refresh patch `0.1.1` npm vendor payload from published CLI artifacts; no npm publication or support-boundary change.
 - boundary-exception: close patch `0.1.1` CLI artifact publication with exact GitHub Release evidence; no npm vendor refresh, npm publication, or support-boundary change.

docs/validation/README.md

@@ -593,6 +593,11 @@ recording the exact current-main source candidate and required follow-up evidenc
   publication approval request validation binds the exact `@docushell/ethos-pdf@0.1.1` npm
   candidate, toolchain-qualified tarball hashes, durable vendor payload checksums, installed CLI
   smoke, PDFium boundary, and retained blockers for decider review; npm publish remains blocked.
+- `patch-0-1-1-npm-publication-approval-decision-validation-2026-06-23.md` - patch 0.1.1 npm
+  publication approval decision validation accepts the exact `@docushell/ethos-pdf@0.1.1` bounded
+  npm candidate, binds the Node.js `v23.11.1` and npm `10.9.2` toolchain-qualified tarball
+  metadata plus durable per-file vendor SHA256 values, keeps unrelated blockers explicit, and
+  leaves operator publish pending as a separate credentialed action.
 - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E
   validation-command index validation passed through command-alignment checks, schema enum checks,
   row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the

docs/validation/patch-0-1-1-npm-publication-approval-decision-validation-2026-06-23.md

@@ -0,0 +1,138 @@
+# Patch 0.1.1 npm Publication Approval Decision Validation - 2026-06-23
+
+Validated source HEAD before this record: `25d52b9`.
+
+npm publication final approval decision source commit: `25d52b9dc0119aaa39e66d3886583a95bb852128`.
+
+npm publication final approval decision source tree: `26e6faa2d0171589efc4d18a7ce6593f36583d32`.
+
+Status: **patch 0.1.1 npm publication approval decision recorded; operator publish remains pending**
+
+This record accepts the exact patch `0.1.1` npm publication request packet after decider approval.
+It approves only the bounded npm publication decision for `@docushell/ethos-pdf@0.1.1` using the
+exact package contents and provenance bindings below. It does not run `npm publish`, does not
+publish any package, and does not approve hosted surfaces, production positioning, Windows packaged
+artifacts, bundled project-maintained PDFium builds, `ethos-doc`, `ethos-rag`, public benchmark
+reports, or public benchmark claims.
+
+## Subject
+
+- Repository: `docushell/ethos`
+- Lane: npm publication
+- Approval owner: `docushell-admin`
+- Final approval request record:
+  `docs/validation/patch-0-1-1-npm-publication-approval-request-validation-2026-06-23.md`
+- Candidate evidence record:
+  `docs/validation/patch-0-1-1-npm-vendor-refresh-validation-2026-06-23.md`
+- Vendor strategy record:
+  `docs/validation/npm-vendor-binary-payload-strategy-validation-2026-06-23.md`
+
+## Exact Decision Fields
+
+- Decision: accept exact patch `0.1.1` npm publication decision packet for the bounded npm
+  candidate.
+- Approver: `docushell-admin` acting as decider.
+- Date: 2026-06-23.
+- Exact package accepted by this decision: `@docushell/ethos-pdf@0.1.1`.
+- Exact npm tarball filename accepted by this decision: `docushell-ethos-pdf-0.1.1.tgz`.
+- Exact npm shasum accepted by this decision: a150d08395724aa186d077074782413249a48689.
+- Exact npm tarball SHA256 accepted by this decision:
+  `4b227d37bd125c6db1ffe40534f6cb5223a60073f26e3c4dbf60709561671d3d`.
+- Exact npm integrity accepted by this decision:
+  `sha512-wVF4Ew6836sRncPZkvVieyQuo8FFbbBsIQ/vdupleUQZVX4YHgXb+lFZzZNcVB54Hh7srbbY17El4Z5sV7odhA==`.
+- Exact npm pack toolchain accepted for reproducing those tarball hashes and for operator publish:
+  - Node.js: `v23.11.1`
+  - npm: `10.9.2`
+- Exact npm tarball hash interpretation accepted by this decision: npm shasum, tarball SHA256,
+  and integrity are qualified by Node.js `v23.11.1` and npm `10.9.2`; per-file vendor SHA256
+  values are the durable cross-toolchain provenance binding.
+- Exact vendor binary payload accepted by this decision:
+  - `vendor/ethos-darwin-arm64`
+    - SHA256: `a3d0d4be596da25313659a89de8fbff0e13f4b355462381e1bbedd05078c09f2`
+  - `vendor/ethos-linux-x64`
+    - SHA256: `ee14be020fb79e326686fc77bcf781503f4759d2e3b7bcb6a641b2311608a354`
+  - `vendor/manifest.json`
+    - SHA256: `7be6e6c02c0086de7c10594a6f0443c8535d5782a4ffc0bc0eed3f8ebb13bda8`
+- Exact supported npm platforms accepted by this decision:
+  - macOS arm64
+  - Linux x64
+- Exact installed CLI smoke accepted by this decision: `ethos 0.1.1`.
+- Exact missing-PDFium behavior accepted by this decision: exit code `12` with
+  `PDFium not found: set ETHOS_PDFIUM_LIBRARY_PATH to the caller-provided PDFium dynamic library path`.
+- Exact PDFium boundary accepted by this decision: caller-provided PDFium only through
+  `ETHOS_PDFIUM_LIBRARY_PATH`; no bundled or project-maintained PDFium build.
+
+## Approved Operator Action
+
+After this decision record is merged and the validation commands below pass on the merged source,
+an operator may run `npm publish` for the exact `@docushell/ethos-pdf@0.1.1` candidate only if all
+of the following are true:
+
+- the operator uses Node.js `v23.11.1` and npm `10.9.2`;
+- the operator has npm credentials authorized for the `@docushell` scope;
+- the package contents still match the accepted packed file list and durable vendor SHA256 values;
+- `npm publish` targets only `@docushell/ethos-pdf@0.1.1`;
+- the package version remains `0.1.1`.
+
+This decision does not itself execute `npm publish`; publication remains an explicit later
+operator action.
+
+## Required Operator Pre-Publish Checks
+
+Before publishing, the operator must run:
+
+```sh
+node --version
+npm --version
+python3 .github/scripts/test_npm_publication_final_approval_decision.py
+python3 .github/scripts/test_npm_tarball_candidate_evidence.py
+npm test --prefix packages/npm/ethos-pdf
+make release-candidate-prep PYTHON=python3
+git diff --check
+```
+
+The operator must stop if Node.js is not `v23.11.1`, npm is not `10.9.2`, candidate contents differ,
+the durable vendor SHA256 values differ, the missing-PDFium behavior changes, or any retained
+blocker is softened.
+
+## Explicit Exclusions
+
+- hosted surfaces remain blocked;
+- production positioning remains blocked;
+- public benchmark reports remain blocked;
+- public benchmark claims remain blocked;
+- Windows packaged artifacts remain blocked;
+- bundled project-maintained PDFium builds remain blocked;
+- `ethos-doc` remains blocked;
+- `ethos-rag` remains blocked;
+- broader public wording remains blocked.
+
+## Evidence Bound To This Decision
+
+- Decider decision supplied: Approved; exact patch `0.1.1` npm publication approval request
+  accepted.
+- `python3 .github/scripts/test_npm_tarball_candidate_evidence.py` passed.
+- `python3 .github/scripts/test_npm_publication_final_approval_request.py` passed.
+- `python3 .github/scripts/test_npm_publication_final_approval_decision.py` passed.
+- `make release-candidate-prep PYTHON=python3` passed on merged `main` before this decision branch.
+
+## Non-Actions
+
+- This decision record does not run `npm publish`.
+- This decision record does not publish the npm package.
+- This decision record does not change the package version.
+- This decision record does not approve public wording changes.
+- This decision record does not approve hosted surfaces.
+- This decision record does not approve production positioning.
+- This decision record does not approve public benchmark reports.
+- This decision record does not approve public benchmark claims.
+- This decision record does not approve Windows packaged artifacts.
+- This decision record does not approve bundled project-maintained PDFium builds.
+- This decision record does not approve `ethos-doc`.
+- This decision record does not approve `ethos-rag`.
+
+## Result
+
+The exact npm publication decision packet for `@docushell/ethos-pdf@0.1.1` is accepted. Actual
+publication remains a separate operator action requiring the accepted Node/npm toolchain, npm
+credentials, final pre-publish checks, and the exact bounded package contents approved here.