|
| 1 | +# v0.2 Release Readiness Report |
| 2 | + |
| 3 | +Status: blocked for v0.2 release, approved for release preparation. |
| 4 | + |
| 5 | +Date: 2026-06-15. |
| 6 | + |
| 7 | +Base commit reviewed: 7594346ebeb674a7e471197250bccbca8b4c36bf. |
| 8 | + |
| 9 | +CI run reviewed: 27545634227. |
| 10 | + |
| 11 | +This report records the release-readiness state after the unreleased v0.2 governance baseline landed on `main`. |
| 12 | + |
| 13 | +It is not a release note, tag decision, version bump, or stability claim. |
| 14 | + |
| 15 | +## Scope |
| 16 | + |
| 17 | +This report covers readiness for a future `v0.2.0` GitHub release of the governance baseline currently present on `main`. |
| 18 | + |
| 19 | +It does not approve: |
| 20 | + |
| 21 | +- changing `pyproject.toml`; |
| 22 | +- cutting a changelog release section; |
| 23 | +- creating a tag; |
| 24 | +- creating a GitHub Release; |
| 25 | +- uploading artifacts; |
| 26 | +- publishing to PyPI; |
| 27 | +- adding new governance rules; |
| 28 | +- changing CLI output behavior. |
| 29 | + |
| 30 | +Those actions require separate explicit phases. |
| 31 | + |
| 32 | +## Current verified state |
| 33 | + |
| 34 | +The reviewed `main` branch is clean and synchronized with `origin/main`. |
| 35 | + |
| 36 | +The reviewed commit is: |
| 37 | + |
| 38 | +- `7594346ebeb674a7e471197250bccbca8b4c36bf`. |
| 39 | + |
| 40 | +The reviewed GitHub Actions run is: |
| 41 | + |
| 42 | +- `27545634227`; |
| 43 | +- branch: `main`; |
| 44 | +- conclusion: `success`. |
| 45 | + |
| 46 | +Local checks pass through `./scripts/check.sh`. |
| 47 | + |
| 48 | +The current local check output includes: |
| 49 | + |
| 50 | +- Python syntax check passing; |
| 51 | +- 94 unit tests passing; |
| 52 | +- text hygiene passing; |
| 53 | +- Git whitespace checks passing. |
| 54 | + |
| 55 | +The published `v0.1.0` tag remains intact at: |
| 56 | + |
| 57 | +- `104697f263df450d45f195436235937a99d4918c`. |
| 58 | + |
| 59 | +The current package version is still: |
| 60 | + |
| 61 | +- `0.1.0`. |
| 62 | + |
| 63 | +That is correct for this phase and blocks any `v0.2.0` release until a dedicated version-cut phase. |
| 64 | + |
| 65 | +## Current unreleased v0.2 behavior on main |
| 66 | + |
| 67 | +Current `main` contains unreleased governance diagnostics for AI agent instruction files. |
| 68 | + |
| 69 | +The governance baseline remains within the intended product boundary: |
| 70 | + |
| 71 | +- local CLI; |
| 72 | +- read-only by default; |
| 73 | +- no runtime network dependency; |
| 74 | +- no runtime LLM dependency; |
| 75 | +- no execution of commands from analyzed repositories; |
| 76 | +- no security-scanner claim; |
| 77 | +- no proof-of-safety claim. |
| 78 | + |
| 79 | +Smoke output from the `risky-instructions` fixture shows governance findings in console output. |
| 80 | + |
| 81 | +JSON output includes structured finding evidence for line-based governance findings. |
| 82 | + |
| 83 | +Markdown output shows the documented finding table without evidence payloads. |
| 84 | + |
| 85 | +Golden contract coverage exists for current governance console, JSON, and Markdown output behavior. |
| 86 | + |
| 87 | +## Documentation state |
| 88 | + |
| 89 | +README.md distinguishes: |
| 90 | + |
| 91 | +- the published `v0.1.0` GitHub pre-release; |
| 92 | +- current unreleased v0.2 governance behavior on `main`; |
| 93 | +- absence of a stable public release. |
| 94 | + |
| 95 | +README.md no longer pins a fragile unit test count. It points to `./scripts/check.sh` and the matching GitHub Actions run as the source of truth. |
| 96 | + |
| 97 | +CHANGELOG.md records unreleased governance diagnostics, structured finding evidence, evidence redaction, golden contract coverage, and the GitHub Actions Node 24-compatible update under `[Unreleased]`. |
| 98 | + |
| 99 | +SECURITY.md preserves the security boundary: |
| 100 | + |
| 101 | +- not a security scanner; |
| 102 | +- no security guarantees; |
| 103 | +- best-effort pre-release support; |
| 104 | +- private reporting path preferred when available; |
| 105 | +- stable support policy still required before a stable release. |
| 106 | + |
| 107 | +docs/V0.2-GOVERNANCE-RULES-SPEC.md requires a release-readiness audit before any v0.2 version, tag, or release decision. |
| 108 | + |
| 109 | +## Release blockers |
| 110 | + |
| 111 | +The project is not ready for a `v0.2.0` release until these blockers are closed in separate phases. |
| 112 | + |
| 113 | +### Blocker 1: version metadata not cut |
| 114 | + |
| 115 | +`pyproject.toml` still declares: |
| 116 | + |
| 117 | +- `version = "0.1.0"`. |
| 118 | + |
| 119 | +A dedicated release-cut phase must update version metadata only after readiness gates are satisfied. |
| 120 | + |
| 121 | +### Blocker 2: changelog release section not cut |
| 122 | + |
| 123 | +CHANGELOG.md still uses `[Unreleased]` for v0.2 governance work. |
| 124 | + |
| 125 | +A dedicated release-cut phase must create a dated `0.2.0` section from the current unreleased entries. |
| 126 | + |
| 127 | +### Blocker 3: v0.2 artifacts not built and installed from clean environments |
| 128 | + |
| 129 | +The audit confirmed that `python -m build` is available, but did not build, checksum, install, and smoke-test `v0.2.0` wheel and sdist artifacts. |
| 130 | + |
| 131 | +A dedicated packaging dry-run phase must verify: |
| 132 | + |
| 133 | +- source distribution build; |
| 134 | +- wheel build; |
| 135 | +- clean virtual environment install from wheel; |
| 136 | +- clean virtual environment install from sdist; |
| 137 | +- console script execution; |
| 138 | +- `python -m agent_rules_kit.cli` execution; |
| 139 | +- no unexpected runtime dependencies. |
| 140 | + |
| 141 | +### Blocker 4: v0.2 tag and GitHub Release do not exist |
| 142 | + |
| 143 | +No `v0.2.0` tag or GitHub Release should exist yet. |
| 144 | + |
| 145 | +A dedicated release phase must create them only after version metadata, changelog, artifacts, and release notes are verified. |
| 146 | + |
| 147 | +### Blocker 5: branch protection and private vulnerability reporting need explicit release evidence |
| 148 | + |
| 149 | +README.md states that branch protection is active and names the required status check. |
| 150 | + |
| 151 | +The release-readiness command attempted read-only GitHub API checks, but the captured output did not provide enough visible evidence to close this as release evidence. |
| 152 | + |
| 153 | +Before a `v0.2.0` release, a dedicated verification phase must capture clear evidence for: |
| 154 | + |
| 155 | +- main branch protection; |
| 156 | +- required status checks; |
| 157 | +- admin enforcement; |
| 158 | +- force-push prevention; |
| 159 | +- deletion prevention; |
| 160 | +- pull-request review profile appropriate for a solo-maintainer repo; |
| 161 | +- private vulnerability reporting enabled, or explicit documented alternative if unavailable. |
| 162 | + |
| 163 | +### Blocker 6: release notes not cut from verified artifacts |
| 164 | + |
| 165 | +The release notes for `v0.2.0` must be written after artifacts are built and verified. |
| 166 | + |
| 167 | +They must not claim: |
| 168 | + |
| 169 | +- stable public maturity; |
| 170 | +- security scanning; |
| 171 | +- proof of repository safety; |
| 172 | +- complete governance coverage; |
| 173 | +- LLM-based semantic analysis; |
| 174 | +- PyPI availability unless PyPI publication is explicitly completed in a separate phase. |
| 175 | + |
| 176 | +## Required v0.2 release train |
| 177 | + |
| 178 | +The recommended release train is: |
| 179 | + |
| 180 | +1. `docs/add-v02-release-readiness-report` |
| 181 | + - create and merge this report; |
| 182 | + - no release mutation. |
| 183 | + |
| 184 | +2. `release/v02-packaging-dry-run` |
| 185 | + - build wheel and sdist; |
| 186 | + - install from clean temporary environments; |
| 187 | + - smoke-test installed commands; |
| 188 | + - document results if needed. |
| 189 | + |
| 190 | +3. `release/verify-v02-governance-boundaries` |
| 191 | + - verify branch protection; |
| 192 | + - verify required status check name; |
| 193 | + - verify vulnerability reporting path or document explicit alternative; |
| 194 | + - no code changes unless separately approved. |
| 195 | + |
| 196 | +4. `release/cut-v0.2.0-metadata` |
| 197 | + - update `pyproject.toml` version; |
| 198 | + - cut CHANGELOG.md `0.2.0` section; |
| 199 | + - prepare release notes draft; |
| 200 | + - no tag yet. |
| 201 | + |
| 202 | +5. `release/v0.2.0` |
| 203 | + - verify final SHA; |
| 204 | + - build final artifacts; |
| 205 | + - checksum artifacts; |
| 206 | + - create exact tag; |
| 207 | + - create GitHub Release; |
| 208 | + - upload verified artifacts; |
| 209 | + - verify assets can be downloaded, installed, and smoke-tested. |
| 210 | + |
| 211 | +6. `audit/post-v0.2.0-release` |
| 212 | + - verify tag; |
| 213 | + - verify GitHub Release; |
| 214 | + - verify artifacts; |
| 215 | + - verify README/CHANGELOG/SECURITY alignment; |
| 216 | + - verify CI for release SHA; |
| 217 | + - confirm no open release blockers. |
| 218 | + |
| 219 | +## Decision |
| 220 | + |
| 221 | +Do not publish `v0.2.0` from the current state. |
| 222 | + |
| 223 | +The correct next action is a packaging and install dry-run after this report is merged. |
| 224 | + |
| 225 | +## Readiness verdict |
| 226 | + |
| 227 | +v0.2 release status: |
| 228 | + |
| 229 | +- implementation baseline: ready for release preparation; |
| 230 | +- documentation alignment: mostly ready; |
| 231 | +- tests: ready for release preparation; |
| 232 | +- CI: ready for release preparation; |
| 233 | +- packaging: not yet verified for v0.2 release; |
| 234 | +- version metadata: not cut; |
| 235 | +- changelog release section: not cut; |
| 236 | +- tag/release: not created; |
| 237 | +- security reporting evidence: not closed; |
| 238 | +- final release decision: blocked. |
| 239 | + |
| 240 | +Final verdict: |
| 241 | + |
| 242 | +`v0.2.0` is not releasable yet, but the repository is in a good state to continue a disciplined v0.2 release train. |
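Review bot: In "Required v0.2 release train", step 2 (`release/v02-packaging-dry-run`) runs before step 4 updates the `pyproject.toml` version, so the dry run can only build and install artifacts versioned `0.1.0`, while Blocker 3 is worded as verifying `v0.2.0` wheel and sdist artifacts. As written, the first clean-environment install of the real `0.2.0` artifacts is the last bullet of step 5, after "create exact tag" and "upload verified artifacts". Either say in Blocker 3 that the dry run validates the packaging process at the current version, or add a clean-environment install and smoke test to step 5 between "checksum artifacts" and "create exact tag", so the tag is only created over artifacts that have already been installed and run. Two smaller gaps in the same file: "documentation alignment: mostly ready" in the readiness verdict has no matching blocker that names what remains, and Blocker 5 does not record which read-only GitHub API checks were attempted, which makes it hard for the later verification phase to know what evidence was missing.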