Close patch 0.1.1 public install wording #360
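# ci.yml — every PR (plan §9). Red = no merge.
#
# Runs on every pull request and on pushes to main. No job declares `needs:`,
# so each job is an independent gate: formatting, lints, dependency policy,
# tests, verifier portability, schema validation, an offline-runtime check,
# the claims gate, and DCO sign-off verification.
#
# NOTE(review): every `uses:` below references a mutable tag (@v4, @v2, @v5).
# Pinning each action to a full commit SHA makes the code that runs in CI
# immutable; the third-party cargo-deny action is the one that matters most.
name: ci
on:
  pull_request:
  push:
    branches: [main]
# Least privilege for GITHUB_TOKEN: the steps visible in this file only check
# out, build, lint and test; none passes the token to a script or pushes.
# Pull requests from forks already run with a read-only token, so the jobs are
# expected to work unchanged. If a job later needs more, grant it on that job.
permissions:
  contents: read
env:
  CARGO_TERM_COLOR: always
jobs:
  fmt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: rustup show  # installs the pinned toolchain from rust-toolchain.toml
      - run: cargo fmt --all --check
  clippy:
    # includes the disallowed network API lints from clippy.toml (invariant 5b)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: rustup show
      # --locked fails the build if Cargo.lock would need to change, so the lint
      # runs against exactly the committed dependency set; -D warnings turns
      # every lint warning into a failure.
      - run: cargo clippy --locked --workspace --all-targets --all-features -- -D warnings
  deny:
    # ADR-0004 license allowlist + network-crate bans + advisories (invariant 5a, 6)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          command: check
  test:
    # unit + fixture tests, c14n idempotence property tests, contract vectors,
    # deterministic-profile pin, same-platform double-parse (engine-gated below)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # full history instead of a shallow clone; presumably some checks
          # below read git history — confirm
          fetch-depth: 0
      - run: rustup show
      - run: cargo test --locked --workspace --all-features
      # Each step below runs one Python test module or make target; a non-zero
      # exit status fails the job.
      - name: fixture manifest validation
        run: python3 fixtures/validate_fixtures.py
      - name: layout evaluator alpha
        run: make layout-evaluator-alpha
      - name: Python surface tests
        run: PYTHONPATH=python python3 -m unittest discover -s python/tests
      - name: readiness gate tests
        run: python3 .github/scripts/test_readiness_gate.py
      - name: Gate Zero evidence preflight tests
        run: python3 .github/scripts/test_gate_zero_evidence_preflight.py
      - name: determinism workflow tests
        run: python3 .github/scripts/test_determinism_workflow.py
      - name: CI workflow tests
        run: python3 .github/scripts/test_ci_workflow.py
      - name: Milestone B internal check target tests
        run: python3 .github/scripts/test_milestone_b_internal_checks.py
      - name: RAG chunk alpha target tests
        run: python3 .github/scripts/test_rag_chunk_alpha.py
      - name: Security report alpha target tests
        run: python3 .github/scripts/test_security_report_alpha.py
      - name: execution status tests
        run: python3 .github/scripts/test_execution_status.py
      - name: roadmap status tests
        run: python3 .github/scripts/test_roadmap_status.py
      - name: public surface posture tests
        run: python3 .github/scripts/test_public_surface_posture.py
      - name: public pre-alpha wording approval tests
        run: python3 .github/scripts/test_public_prealpha_wording_approval.py
      - name: release readiness next-step approval tests
        run: python3 .github/scripts/test_release_readiness_next_steps_approval.py
      - name: H1 public-safe comparison closeout tests
        run: python3 .github/scripts/test_h1_public_safe_comparison_closeout.py
      - name: H2 source-snapshot scope approval tests
        run: python3 .github/scripts/test_h2_source_snapshot_scope_approval.py
      - name: Milestone E source-snapshot candidate audit tests
        run: python3 .github/scripts/test_milestone_e_source_snapshot_candidate_audit.py
      - name: H2 source-snapshot candidate evidence tests
        run: python3 .github/scripts/test_h2_source_snapshot_candidate_evidence.py
      - name: H2 source-snapshot closeout tests
        run: python3 .github/scripts/test_h2_source_snapshot_closeout.py
      - name: Milestone D internal contract target tests
        run: python3 .github/scripts/test_milestone_d_internal_contracts.py
      - name: Milestone B closeout validation record tests
        run: python3 .github/scripts/test_milestone_b_closeout_record.py
      - name: Milestone C closeout validation record tests
        run: python3 .github/scripts/test_milestone_c_closeout_record.py
      - name: Milestone D contract closeout prep record tests
        run: python3 .github/scripts/test_milestone_d_closeout_prep_record.py
      - name: Milestone D contract closeout validation record tests
        run: python3 .github/scripts/test_milestone_d_closeout_record.py
      - name: Milestone D final closeout validation record tests
        run: python3 .github/scripts/test_milestone_d_final_closeout_record.py
      - name: Milestone E schema registry alignment tests
        run: python3 .github/scripts/test_milestone_e_schema_registry_alignment.py
      - name: Milestone E public-boundary alignment tests
        run: python3 .github/scripts/test_milestone_e_public_boundary_alignment.py
      - name: Milestone E blocked-output alignment tests
        run: python3 .github/scripts/test_milestone_e_blocked_output_alignment.py
      - name: Milestone E evidence-lane alignment tests
        run: python3 .github/scripts/test_milestone_e_evidence_lane_alignment.py
      - name: Milestone E diagnostic-boundary alignment tests
        run: python3 .github/scripts/test_milestone_e_diagnostic_boundary_alignment.py
      - name: Milestone E promotion-status alignment tests
        run: python3 .github/scripts/test_milestone_e_promotion_status_alignment.py
      - name: Milestone E source-status alignment tests
        run: python3 .github/scripts/test_milestone_e_source_status_alignment.py
      - name: Milestone E applies-to binding alignment tests
        run: python3 .github/scripts/test_milestone_e_applies_to_binding_alignment.py
      - name: Milestone E required-before alignment tests
        run: python3 .github/scripts/test_milestone_e_required_before_alignment.py
      - name: Milestone E prep scope tests
        run: python3 .github/scripts/test_milestone_e_prep_scope.py
      - name: Milestone E fixture promotion criteria tests
        run: python3 .github/scripts/test_milestone_e_fixture_promotion_criteria.py
      - name: Milestone E fixture-candidate blocker alignment validation record tests
        run: python3 .github/scripts/test_milestone_e_fixture_candidate_blocker_alignment_validation_record.py
      - name: Milestone E prep-scope structured blocker validation record tests
        run: python3 .github/scripts/test_milestone_e_prep_scope_structured_blocker_validation_record.py
      - name: Milestone E internal trust-loop walkthrough tests
        run: python3 .github/scripts/test_milestone_e_internal_trust_loop_walkthrough.py
      - name: Milestone E internal trust-loop use protocol tests
        run: python3 .github/scripts/test_milestone_e_internal_trust_loop_use_protocol.py
      - name: Milestone E internal trust-loop rehearsal evidence matrix tests
        run: python3 .github/scripts/test_milestone_e_internal_trust_loop_rehearsal_evidence_matrix.py
      - name: Milestone E internal trust-loop blocker ledger tests
        run: python3 .github/scripts/test_milestone_e_internal_trust_loop_blocker_ledger.py
      - name: Milestone E fixture promotion criteria validation record tests
        run: python3 .github/scripts/test_milestone_e_fixture_promotion_criteria_validation_record.py
      - name: Milestone E internal trust-loop walkthrough validation record tests
        run: python3 .github/scripts/test_milestone_e_internal_trust_loop_walkthrough_validation_record.py
      - name: Milestone E internal trust-loop use protocol validation record tests
        run: python3 .github/scripts/test_milestone_e_internal_trust_loop_use_protocol_validation_record.py
      - name: Milestone E internal trust-loop rehearsal evidence matrix validation record tests
        run: python3 .github/scripts/test_milestone_e_internal_trust_loop_rehearsal_evidence_matrix_validation_record.py
      - name: Milestone E internal trust-loop blocker ledger validation record tests
        run: python3 .github/scripts/test_milestone_e_internal_trust_loop_blocker_ledger_validation_record.py
      - name: Milestone E native grounding baseline rehearsal validation record tests
        run: python3 .github/scripts/test_milestone_e_native_grounding_baseline_rehearsal_validation_record.py
      - name: Milestone E diagnostic boundary check rehearsal validation record tests
        run: python3 .github/scripts/test_milestone_e_diagnostic_boundary_check_rehearsal_validation_record.py
      - name: Milestone E capability downgrade boundary rehearsal validation record tests
        run: python3 .github/scripts/test_milestone_e_capability_downgrade_boundary_rehearsal_validation_record.py
      - name: Milestone E OpenDataLoader adapter grounding rehearsal validation record tests
        run: python3 .github/scripts/test_milestone_e_opendataloader_adapter_grounding_rehearsal_validation_record.py
      - name: Milestone E pinned OpenDataLoader fixture path rehearsal validation record tests
        run: python3 .github/scripts/test_milestone_e_pinned_opendataloader_fixture_path_rehearsal_validation_record.py
      - name: Milestone E crop descriptor source-bound shape rehearsal validation record tests
        run: python3 .github/scripts/test_milestone_e_crop_descriptor_source_bound_shape_rehearsal_validation_record.py
      - name: Milestone E RAG chunk artifact loop rehearsal validation record tests
        run: python3 .github/scripts/test_milestone_e_rag_chunk_artifact_loop_rehearsal_validation_record.py
      - name: Milestone E security report artifact loop rehearsal validation record tests
        run: python3 .github/scripts/test_milestone_e_security_report_artifact_loop_rehearsal_validation_record.py
      - name: Milestone E demo narrative index rehearsal validation record tests
        run: python3 .github/scripts/test_milestone_e_demo_narrative_index_rehearsal_validation_record.py
      - name: Milestone E rehearsal row-record coverage validation tests
        run: python3 .github/scripts/test_milestone_e_rehearsal_row_record_coverage_validation.py
      - name: Milestone E schema registry alignment validation record tests
        run: python3 .github/scripts/test_milestone_e_schema_registry_alignment_validation_record.py
      - name: Milestone E public-boundary alignment validation record tests
        run: python3 .github/scripts/test_milestone_e_public_boundary_alignment_validation_record.py
      - name: Milestone E blocked-output alignment validation record tests
        run: python3 .github/scripts/test_milestone_e_blocked_output_alignment_validation_record.py
      - name: Milestone E evidence-lane alignment validation record tests
        run: python3 .github/scripts/test_milestone_e_evidence_lane_alignment_validation_record.py
      - name: Milestone E diagnostic-boundary alignment validation record tests
        run: python3 .github/scripts/test_milestone_e_diagnostic_boundary_alignment_validation_record.py
      - name: Milestone E promotion-status alignment validation record tests
        run: python3 .github/scripts/test_milestone_e_promotion_status_alignment_validation_record.py
      - name: Milestone E source-status alignment validation record tests
        run: python3 .github/scripts/test_milestone_e_source_status_alignment_validation_record.py
      - name: Milestone E applies-to binding alignment validation record tests
        run: python3 .github/scripts/test_milestone_e_applies_to_binding_alignment_validation_record.py
      - name: Milestone E required-before alignment validation record tests
        run: python3 .github/scripts/test_milestone_e_required_before_alignment_validation_record.py
      - name: Milestone E public approval lane blocker tests
        run: python3 .github/scripts/test_milestone_e_public_approval_lane_blockers.py
      - name: Milestone E public approval lane blocker validation record tests
        run: python3 .github/scripts/test_milestone_e_public_approval_lane_blockers_validation_record.py
      - name: Milestone E public beta approval prep tests
        run: python3 .github/scripts/test_milestone_e_public_beta_approval_prep.py
      - name: Milestone E public beta approval prep validation record tests
        run: python3 .github/scripts/test_milestone_e_public_beta_approval_prep_validation_record.py
      - name: Milestone E public beta required evidence record tests
        run: python3 .github/scripts/test_milestone_e_public_beta_required_evidence_records.py
      - name: Milestone E public beta source-only approval tests
        run: python3 .github/scripts/test_milestone_e_public_beta_source_only_approval.py
      - name: Milestone E package publication approval prep tests
        run: python3 .github/scripts/test_milestone_e_package_publication_approval_prep.py
      - name: Milestone E package publication approval prep validation record tests
        run: python3 .github/scripts/test_milestone_e_package_publication_approval_prep_validation_record.py
      - name: Milestone E package publication prep approval validation record tests
        run: python3 .github/scripts/test_milestone_e_package_publication_prep_approval_validation_record.py
      - name: Milestone E package publication evidence record tests
        run: python3 .github/scripts/test_milestone_e_package_publication_evidence_records.py
      - name: Milestone E package publication metadata readiness tests
        run: python3 .github/scripts/test_milestone_e_package_publication_metadata_readiness.py
      - name: Milestone E package publication dry-run smoke target
        run: make package-publication-dry-run-smoke
      - name: Milestone E package publication dry-run smoke tests
        run: python3 .github/scripts/test_milestone_e_package_publication_dry_run_smoke.py
      - name: Milestone E package publication version/tag policy tests
        run: python3 .github/scripts/test_milestone_e_package_publication_version_tag_policy.py
      - name: Milestone E package publication PDFium boundary tests
        run: python3 .github/scripts/test_milestone_e_package_publication_pdfium_boundary.py
      - name: Milestone E package publication dependency ordering tests
        run: python3 .github/scripts/test_milestone_e_package_publication_dependency_ordering.py
      - name: Milestone E package publication manifest-migration prep tests
        run: python3 .github/scripts/test_milestone_e_package_publication_manifest_migration_prep.py
      - name: Milestone E package publication registry-assembly prep tests
        run: python3 .github/scripts/test_milestone_e_package_publication_registry_assembly_prep.py
      - name: Milestone E package publication real-version-selection prep tests
        run: python3 .github/scripts/test_milestone_e_package_publication_real_version_selection_prep.py
      - name: Milestone E package publication tag-creation prep tests
        run: python3 .github/scripts/test_milestone_e_package_publication_tag_creation_prep.py
      - name: Milestone E package publication manifest-activation prep tests
        run: python3 .github/scripts/test_milestone_e_package_publication_manifest_activation_prep.py
      - name: Milestone E package publication registry-assembly activation prep tests
        run: python3 .github/scripts/test_milestone_e_package_publication_registry_assembly_activation_prep.py
      - name: Milestone E package publication decision-bundle validation record tests
        run: python3 .github/scripts/test_milestone_e_package_publication_decision_bundle_validation_record.py
      - name: Milestone E package publication pre-approval gap ledger tests
        run: python3 .github/scripts/test_milestone_e_package_publication_pre_approval_gap_ledger.py
      - name: Milestone E package publication approval resolution-plan tests
        run: python3 .github/scripts/test_milestone_e_package_publication_approval_resolution_plan.py
      - name: Milestone E package publication decision-input packet tests
        run: python3 .github/scripts/test_milestone_e_package_publication_decision_input_packet.py
      - name: Milestone E package publication approval-readiness review tests
        run: python3 .github/scripts/test_milestone_e_package_publication_approval_readiness_review.py
      - name: Milestone E package publication manifest-activation diff review tests
        run: python3 .github/scripts/test_milestone_e_package_publication_manifest_activation_diff_review.py
      - name: Milestone E package publication registry-assembly evidence review tests
        run: python3 .github/scripts/test_milestone_e_package_publication_registry_assembly_evidence_review.py
      - name: Milestone E package publication public installation wording review tests
        run: python3 .github/scripts/test_milestone_e_package_publication_public_installation_wording_review.py
      - name: Milestone E package publication approval decision template tests
        run: python3 .github/scripts/test_milestone_e_package_publication_approval_decision_template.py
      - name: Milestone E package publication approval decision record tests
        run: python3 .github/scripts/test_milestone_e_package_publication_approval_decision_record.py
      - name: Milestone E package publication candidate activation evidence tests
        run: python3 .github/scripts/test_milestone_e_package_publication_candidate_activation_evidence.py
      - name: Milestone E package publication approval decision refresh tests
        run: python3 .github/scripts/test_milestone_e_package_publication_approval_decision_refresh.py
      - name: Milestone E package publication manifest activation applied tests
        run: python3 .github/scripts/test_milestone_e_package_publication_manifest_activation_applied.py
      - name: Milestone E package publication current registry-equivalent assembly tests
        run: python3 .github/scripts/test_milestone_e_package_publication_current_registry_assembly.py
      - name: Milestone E package publication final approval request tests
        run: python3 .github/scripts/test_milestone_e_package_publication_final_approval_request.py
      - name: Milestone E package publication final approval decision tests
        run: python3 .github/scripts/test_milestone_e_package_publication_final_approval_decision.py
      - name: Milestone E package publication publish-flag activation request tests
        run: python3 .github/scripts/test_milestone_e_package_publication_activation_request.py
      - name: Milestone E package publication activation applied tests
        run: python3 .github/scripts/test_milestone_e_package_publication_activation_applied.py
      - name: Milestone E package publication tag binding refresh tests
        run: python3 .github/scripts/test_milestone_e_package_publication_tag_binding_refresh.py
      - name: Milestone E package publication operator preflight tests
        run: python3 .github/scripts/test_milestone_e_package_publication_operator_preflight.py
      - name: Milestone E package publication manual registry evidence request tests
        run: python3 .github/scripts/test_milestone_e_package_publication_manual_registry_evidence_request.py
      - name: Milestone E package publication manual registry evidence supplied tests
        run: python3 .github/scripts/test_milestone_e_package_publication_manual_registry_evidence_supplied.py
      - name: Milestone E package publication registry action authorization request tests
        run: python3 .github/scripts/test_milestone_e_package_publication_registry_action_authorization_request.py
      - name: Milestone E package publication registry action approval tests
        run: python3 .github/scripts/test_milestone_e_package_publication_registry_action_approval.py
      - name: Milestone E package publication registry action evidence tests
        run: python3 .github/scripts/test_milestone_e_package_publication_registry_action_evidence.py
      - name: Milestone E package publication dependent registry action approval tests
        run: python3 .github/scripts/test_milestone_e_package_publication_dependent_registry_action_approval.py
      - name: Milestone E package publication dependent registry action evidence tests
        run: python3 .github/scripts/test_milestone_e_package_publication_dependent_registry_action_evidence.py
      - name: Milestone E package publication public installation availability tests
        run: python3 .github/scripts/test_milestone_e_package_publication_public_installation_availability.py
      - name: Milestone E public-facing readiness ledger tests
        run: python3 .github/scripts/test_milestone_e_public_facing_readiness_ledger.py
      - name: Milestone E public beta current-main refresh prep tests
        run: python3 .github/scripts/test_milestone_e_public_beta_current_main_refresh_prep.py
      - name: Milestone E public beta current-main source-only approval tests
        run: python3 .github/scripts/test_milestone_e_public_beta_current_main_source_only_approval.py
      - name: Milestone E public evaluation current-state closeout tests
        run: python3 .github/scripts/test_milestone_e_public_evaluation_current_state_closeout.py
      - name: Milestone E prep validation record tests
        run: python3 .github/scripts/test_milestone_e_prep_validation_record.py
      - name: Milestone E final prep closeout validation record tests
        run: python3 .github/scripts/test_milestone_e_final_closeout_record.py
      - name: Milestone B exit checklist tests
        run: python3 .github/scripts/test_milestone_b_exit_checklist.py
      - name: Gate Zero harness tests
        run: python3 benchmarks/harness/test_run_gate_zero.py
      # NOTE(review): placeholder — this step only prints a message and always
      # succeeds, so a green `test` job is not yet evidence of byte-identical
      # output across two parses on the same platform.
      - name: same-platform double-parse byte-diff
        run: |
          echo "skipped: PDFium runtime is not configured in base CI yet"
  verify-portability:
    # Invariant 4: ethos-verify compiles against the grounding trait module alone and
    # its dependency tree never contains parser internals.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: rustup show
      - run: cargo check --locked -p ethos-verify
      - run: cargo check --locked -p ethos-grounding-opendataloader-json
      # Prints the dependency tree, then fails if any line matches one of the
      # parser crate names (case-insensitive). `-e normal` limits the tree to
      # normal dependency edges, so build- and dev-dependencies are not
      # inspected by this check.
      - name: no parser internals in the verify tree
        run: |
          tree=$(cargo tree -p ethos-verify -e normal)
          echo "$tree"
          if echo "$tree" | grep -qiE 'ethos-pdf|ethos-layout|ethos-tables|ethos-render|pdfium'; then
            echo "ethos-verify depends on parser internals (invariant 4 violated)"; exit 1
          fi
      - name: grounding feature really is minimal
        run: |
          # the trait module must build without serde_json/sha2/thiserror
          cargo check --locked -p ethos-doc-core --no-default-features --features grounding
          cargo check --locked -p ethos-doc-core --no-default-features --features verify-types
  schema-validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      # NOTE(review): lower bound only, so the resolved jsonschema version and
      # its transitive dependencies can change between runs; a pinned,
      # hash-checked requirements file would make this job reproducible.
      - run: pip install "jsonschema>=4.18"
      - run: python3 schemas/validate_examples.py
      - run: python3 schemas/test_security_report_validation.py
      - run: python3 schemas/test_table_model_validation.py
      # Checks that the result schema is itself a valid Draft 2020-12 schema;
      # no instance document is validated against it in this step.
      - name: Gate Zero result schema validation
        run: |
          python3 - <<'PY'
          import json
          from pathlib import Path
          from jsonschema import Draft202012Validator
          schema = json.loads(Path("benchmarks/gate-zero/result.schema.json").read_text())
          Draft202012Validator.check_schema(schema)
          PY
      - run: python3 fixtures/validate_fixtures.py
  no-network-runtime:
    # Invariant 5c: the base CLI functions with zero network egress. Runs the CLI inside
    # a no-net namespace; any egress attempt fails hard. Extends to full parses when the
    # engine lands.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: rustup show
      - run: cargo build --locked -p ethos-cli
      # `unshare -n` starts the command in a fresh network namespace whose only
      # interface is a loopback that is down, so outbound connections cannot
      # succeed. sudo is used to create the namespace, which also means the CLI
      # runs as root in this step.
      # NOTE(review): the step asserts only exit status and a non-empty output
      # file. An egress attempt that the CLI tolerates (a failed connection that
      # is handled or ignored) would not turn this red; per their comments, the
      # clippy and deny jobs are what cover network use statically.
      - name: run CLI under network-denied namespace
        run: |
          sudo unshare -n -- ./target/debug/ethos fingerprint schemas/examples/document.example.json
          sudo unshare -n -- ./target/debug/ethos rag chunk schemas/examples/document.example.json > /tmp/chunks.jsonl
          test -s /tmp/chunks.jsonl
  claims-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python3 .github/scripts/test_public_surface_posture.py
      - run: python3 .github/scripts/claims_gate.py
  dco:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # full history so the commit range handed to check_dco.py is present
          # in the clone
          fetch-depth: 0
      # The expressions expanded into the script are the event name and commit
      # SHAs supplied by GitHub, not free-form contributor text. Any
      # contributor-controlled field (title, branch name, body) must be passed
      # through `env:` instead of being expanded inside the script.
      - name: check DCO sign-offs
        run: |
          if [ "${{ github.event_name }}" = "pull_request" ]; then
            python3 .github/scripts/check_dco.py "${{ github.event.pull_request.base.sha }}" "${{ github.event.pull_request.head.sha }}"
          else
            python3 .github/scripts/check_dco.py "${{ github.event.before }}" "${{ github.sha }}"
          fi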