From 76cb7a0099f6209d69c3cc7dfb7ea8727c3a1630 Mon Sep 17 00:00:00 2001 From: docushell-admin Date: Wed, 24 Jun 2026 10:39:55 +0530 Subject: [PATCH] Approve patch 0.1.1 Python publication decision Signed-off-by: docushell-admin --- ..._1_python_publication_approval_decision.py | 133 ++++++++++++++++ .../scripts/test_release_candidate_prep.py | 1 + CHANGELOG.md | 1 + Makefile | 1 + docs/validation/README.md | 4 + ...approval-decision-validation-2026-06-24.md | 144 ++++++++++++++++++ 6 files changed, 284 insertions(+) create mode 100644 .github/scripts/test_patch_0_1_1_python_publication_approval_decision.py create mode 100644 docs/validation/patch-0-1-1-python-publication-approval-decision-validation-2026-06-24.md diff --git a/.github/scripts/test_patch_0_1_1_python_publication_approval_decision.py b/.github/scripts/test_patch_0_1_1_python_publication_approval_decision.py new file mode 100644 index 0000000..03eba52 --- /dev/null +++ b/.github/scripts/test_patch_0_1_1_python_publication_approval_decision.py @@ -0,0 +1,133 @@ +#!/usr/bin/env python3 +# +# Copyright 2026 The Ethos maintainers +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# + +from __future__ import annotations + +import re +import subprocess +import unittest +from pathlib import Path + + +ROOT = Path(__file__).resolve().parents[2] +RECORD = ROOT / "docs/validation/patch-0-1-1-python-publication-approval-decision-validation-2026-06-24.md" +REQUEST = ROOT / "docs/validation/patch-0-1-1-python-publication-approval-request-validation-2026-06-24.md" +VALIDATION_README = ROOT / "docs/validation/README.md" +MAKEFILE = ROOT / "Makefile" + +SOURCE_SHORT = "d3c7db2" +SOURCE_COMMIT = "d3c7db24c8fac6cd9da627df76bde6df54dd46f9" +SOURCE_TREE = "90253df1cb04ef7c587138b3439bb1825d13a395" +PACKAGE_SOURCE_COMMIT = "16b2c189e1f23962dced921551cf6b4f9af4ba06" +PACKAGE_SOURCE_TREE = "c76ba8525faaa63c53ac7f037d349a8ab4803fcb" +PACKAGE = "ethos-pdf==0.1.1" +WHEEL = "ethos_pdf-0.1.1-py3-none-any.whl" +WHEEL_SHA256 = "faa6c4751341b603b986ad3cf65d3c0c2f574e5df1d7232f76c3afd0221dac14" +FORBIDDEN = ( + "python package is published", + "wheel is published", + "production-ready", + "hosted surfaces approved", + "windows packaged artifacts approved", + "bundled pdfium approved", + "public benchmark claims approved", + "ethos-doc approved", + "ethos-rag approved", +) + + +def read(path: Path) -> str: + return path.read_text(encoding="utf-8") + + +def normalized(path: Path) -> str: + return re.sub(r"\s+", " ", read(path)) + + +def git(*args: str) -> str: + return subprocess.check_output( + ["git", *args], + cwd=ROOT, + encoding="utf-8", + stderr=subprocess.DEVNULL, + ).strip() + + +class Patch011PythonPublicationApprovalDecisionTests(unittest.TestCase): + def test_decision_record_is_source_bound_and_indexed(self) -> None: + record = normalized(RECORD) + readme = normalized(VALIDATION_README) + + self.assertIn(RECORD.name, readme) + self.assertIn("patch 0.1.1 Python PyPI publication approval decision", readme) + self.assertIn(f"Validated source HEAD before this record: `{SOURCE_SHORT}`", read(RECORD)) + self.assertIn(f"Patch 0.1.1 Python publication approval decision source commit: `{SOURCE_COMMIT}`", record) + self.assertIn(f"Patch 0.1.1 Python publication approval decision source tree: `{SOURCE_TREE}`", record) + self.assertEqual(SOURCE_COMMIT, git("rev-parse", SOURCE_SHORT)) + self.assertEqual(SOURCE_TREE, git("rev-parse", f"{SOURCE_SHORT}^{{tree}}")) + + def test_decision_accepts_exact_request_packet(self) -> None: + record = normalized(RECORD) + + self.assertIn(REQUEST.name, record) + self.assertIn("Decision: accept exact patch `0.1.1` Python PyPI wheel publication decision packet.", record) + self.assertIn(f"Package source commit accepted by this decision: `{PACKAGE_SOURCE_COMMIT}`", record) + self.assertIn(f"Package source tree accepted by this decision: `{PACKAGE_SOURCE_TREE}`", record) + for expected in ( + PACKAGE, + WHEEL, + WHEEL_SHA256, + "Name: `ethos-pdf`", + "Version: `0.1.1`", + "License-Expression: `Apache-2.0`", + "Requires-Python: `>=3.8`", + "Tag: `py3-none-any`", + "EthosCli", + "EthosCommandError", + "ETHOS_PDFIUM_LIBRARY_PATH", + ): + self.assertIn(expected, record) + + def test_decision_allows_only_later_operator_upload_with_boundaries(self) -> None: + raw = read(RECORD) + lower = normalized(RECORD).lower() + record = normalized(RECORD) + + for expected in ( + "This decision record does not upload any Python distribution.", + "PyPI upload remains a separate operator action.", + "After this decision record is merged and validation passes on merged source, an operator may upload only this wheel:", + "The operator must use a PyPI-approved authentication path and must not record credentials in the repository.", + "The operator must stop if the built wheel filename, SHA256, package version, source commit, source tree, or retained blockers differ.", + "Public installation wording remains blocked until PyPI availability is closed out.", + "`ethos-doc` remains blocked.", + "`ethos-rag` remains blocked.", + ): + self.assertIn(expected, record) + for forbidden in FORBIDDEN: + self.assertNotIn(forbidden, lower) + self.assertNotIn("/Users/", raw) + self.assertNotIn("/tmp", raw) + self.assertNotIn("/private/tmp", raw) + self.assertNotIn("/private/var", raw) + self.assertNotIn("/var/folders", raw) + self.assertNotIn("saumildiwaker", raw) + + def test_release_candidate_prep_runs_decision_guard_after_request_guard(self) -> None: + makefile = read(MAKEFILE) + request_guard = "$(PYTHON) .github/scripts/test_patch_0_1_1_python_publication_approval_request.py" + decision_guard = "$(PYTHON) .github/scripts/test_patch_0_1_1_python_publication_approval_decision.py" + npm_guard = "$(PYTHON) .github/scripts/test_npm_binary_package_scaffold.py" + + self.assertIn(decision_guard, makefile) + self.assertEqual(1, makefile.count(decision_guard)) + self.assertLess(makefile.index(request_guard), makefile.index(decision_guard)) + self.assertLess(makefile.index(decision_guard), makefile.index(npm_guard)) + + +if __name__ == "__main__": + unittest.main() diff --git a/.github/scripts/test_release_candidate_prep.py b/.github/scripts/test_release_candidate_prep.py index 5e7d38a..619ec17 100644 --- a/.github/scripts/test_release_candidate_prep.py +++ b/.github/scripts/test_release_candidate_prep.py @@ -31,6 +31,7 @@ "$(PYTHON) .github/scripts/test_python_public_api_policy.py", "$(MAKE) python-surface-test PYTHON=$(PYTHON)", "$(PYTHON) .github/scripts/test_patch_0_1_1_python_publication_approval_request.py", + "$(PYTHON) .github/scripts/test_patch_0_1_1_python_publication_approval_decision.py", "$(PYTHON) .github/scripts/test_npm_binary_package_scaffold.py", "npm test --prefix packages/npm/ethos-pdf", "$(PYTHON) .github/scripts/test_npm_vendor_binary_payload_strategy.py", diff --git a/CHANGELOG.md b/CHANGELOG.md index ae26a06..f4f93b3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## Unreleased +- boundary-exception: approve exact patch `0.1.1` Python PyPI wheel publication decision for later operator upload; no PyPI upload or support-boundary change. - boundary-exception: request exact patch `0.1.1` Python PyPI wheel publication approval for decider review; no PyPI upload or support-boundary change. - boundary-exception: close patch `0.1.1` Rust crates.io publication with exact registry evidence; no public installation wording or support-boundary change. - boundary-exception: approve exact patch `0.1.1` Rust crates.io publication decision for later operator publish; no `cargo publish` or support-boundary change. diff --git a/Makefile b/Makefile index 483882d..11394c3 100644 --- a/Makefile +++ b/Makefile @@ -273,6 +273,7 @@ release-candidate-prep: $(PYTHON) .github/scripts/test_python_public_api_policy.py $(MAKE) python-surface-test PYTHON=$(PYTHON) $(PYTHON) .github/scripts/test_patch_0_1_1_python_publication_approval_request.py + $(PYTHON) .github/scripts/test_patch_0_1_1_python_publication_approval_decision.py $(PYTHON) .github/scripts/test_npm_binary_package_scaffold.py npm test --prefix packages/npm/ethos-pdf $(PYTHON) .github/scripts/test_npm_vendor_binary_payload_strategy.py diff --git a/docs/validation/README.md b/docs/validation/README.md index 7640faa..f1c3124 100644 --- a/docs/validation/README.md +++ b/docs/validation/README.md @@ -619,6 +619,10 @@ recording the exact current-main source candidate and required follow-up evidenc Python PyPI publication approval request validation binds the exact `ethos-pdf==0.1.1` wheel, source commit, wheel metadata, wheel SHA256, local install/import smoke, and retained blockers for decider review; PyPI upload remains blocked. +- `patch-0-1-1-python-publication-approval-decision-validation-2026-06-24.md` - patch 0.1.1 + Python PyPI publication approval decision validation accepts the exact `ethos-pdf==0.1.1` wheel + candidate, source binding, wheel metadata, SHA256, and retained blockers; operator upload remains + pending. - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E validation-command index validation passed through command-alignment checks, schema enum checks, row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the diff --git a/docs/validation/patch-0-1-1-python-publication-approval-decision-validation-2026-06-24.md b/docs/validation/patch-0-1-1-python-publication-approval-decision-validation-2026-06-24.md new file mode 100644 index 0000000..6d80c59 --- /dev/null +++ b/docs/validation/patch-0-1-1-python-publication-approval-decision-validation-2026-06-24.md @@ -0,0 +1,144 @@ +# Patch 0.1.1 Python PyPI Publication Approval Decision Validation - 2026-06-24 + +Validated source HEAD before this record: `d3c7db2`. + +Patch 0.1.1 Python publication approval decision source commit: +`d3c7db24c8fac6cd9da627df76bde6df54dd46f9`. + +Patch 0.1.1 Python publication approval decision source tree: +`90253df1cb04ef7c587138b3439bb1825d13a395`. + +Status: **patch 0.1.1 Python PyPI publication approval decision recorded; operator upload remains pending** + +This record accepts the exact patch `0.1.1` Python PyPI publication request packet after decider +approval. It approves only the bounded later operator action for the `ethos-pdf==0.1.1` wheel. It +does not upload any Python distribution, create package tags, change public wording, approve hosted +surfaces, approve production positioning, approve Windows packaged artifacts, approve bundled +project-maintained PDFium builds, approve `ethos-doc`, approve `ethos-rag`, or approve public +benchmark reports or claims. + +## Subject + +- Repository: `docushell/ethos` +- Lane: Python PyPI wheel publication +- Approval owner: `docushell-admin` +- Approval request record: + `docs/validation/patch-0-1-1-python-publication-approval-request-validation-2026-06-24.md` +- Package source commit accepted by this decision: `16b2c189e1f23962dced921551cf6b4f9af4ba06` +- Package source tree accepted by this decision: `c76ba8525faaa63c53ac7f037d349a8ab4803fcb` + +## Exact Decision Fields + +- Decision: accept exact patch `0.1.1` Python PyPI wheel publication decision packet. +- Approver: `docushell-admin` acting as decider. +- Date: 2026-06-24. +- Exact package accepted by this decision: `ethos-pdf==0.1.1`. +- Exact distribution accepted by this decision: `ethos_pdf-0.1.1-py3-none-any.whl` only. +- Exact source commit accepted by this decision: `16b2c189e1f23962dced921551cf6b4f9af4ba06`. +- Exact source tree accepted by this decision: `c76ba8525faaa63c53ac7f037d349a8ab4803fcb`. +- Exact wheel SHA256 accepted by this decision: + `faa6c4751341b603b986ad3cf65d3c0c2f574e5df1d7232f76c3afd0221dac14`. + +## Wheel Metadata Accepted By This Decision + +- Name: `ethos-pdf` +- Version: `0.1.1` +- Summary: `Python wrapper for the Ethos document evidence CLI.` +- License-Expression: `Apache-2.0` +- Requires-Python: `>=3.8` +- Wheel-Version: `1.0` +- Root-Is-Purelib: `true` +- Tag: `py3-none-any` +- Import smoke accepted by this decision: version `0.1.1`, `EthosCli`, and `EthosCommandError`. +- PDFium boundary accepted by this decision: PDFium remains caller-provided through + `ETHOS_PDFIUM_LIBRARY_PATH`. + +## Approved Operator Action + +After this decision record is merged and validation passes on merged source, an operator may upload +only this wheel: + +```text +ethos_pdf-0.1.1-py3-none-any.whl +``` + +The operator must use a PyPI-approved authentication path and must not record credentials in the +repository. The operator must stop if the built wheel filename, SHA256, package version, source +commit, source tree, or retained blockers differ. + +PyPI upload remains a separate operator action. This decision record does not upload any Python +distribution. + +## Required Operator Pre-Upload Checks + +Before uploading, the operator must run: + +```sh +python3 -m build --wheel --outdir +shasum -a 256 /ethos_pdf-0.1.1-py3-none-any.whl +python3 .github/scripts/test_patch_0_1_1_python_publication_approval_decision.py +python3 .github/scripts/test_patch_0_1_1_python_publication_approval_request.py +python3 .github/scripts/test_python_public_api_policy.py +PYTHONPATH=python python3 -m unittest discover -s python/tests +make release-candidate-prep PYTHON=python3 +git diff --check +``` + +## Explicit Exclusions + +- Source distributions remain excluded. +- Alternate wheels remain excluded. +- Alternate Python package names remain excluded. +- Hosted surfaces remain blocked. +- Production positioning remains blocked. +- Public benchmark reports remain blocked. +- Public benchmark claims remain blocked. +- Windows packaged artifacts remain blocked. +- Bundled project-maintained PDFium builds remain blocked. +- `ethos-doc` remains blocked. +- `ethos-rag` remains blocked. +- Broader public wording remains blocked. + +## Evidence Bound To This Decision + +- Decider decision supplied: Approved; exact patch `0.1.1` Python PyPI publication request + accepted. +- `python3 .github/scripts/test_patch_0_1_1_python_publication_approval_request.py` passed. +- `python3 .github/scripts/test_python_public_api_policy.py` passed. +- `PYTHONPATH=python python3 -m unittest discover -s python/tests` passed. +- `make release-candidate-prep PYTHON=python3` passed on merged `main` before this decision branch. + +## Non-Actions + +- This decision record does not upload any Python distribution. +- This decision record does not approve an sdist. +- This decision record does not approve another wheel. +- This decision record does not approve package tags. +- This decision record does not approve public installation wording. +- This decision record does not approve hosted surfaces. +- This decision record does not approve production positioning. +- This decision record does not approve public benchmark reports. +- This decision record does not approve public benchmark claims. +- This decision record does not approve Windows packaged artifacts. +- This decision record does not approve bundled project-maintained PDFium builds. +- This decision record does not approve `ethos-doc`. +- This decision record does not approve `ethos-rag`. + +## Retained Blockers + +- Public installation wording remains blocked until PyPI availability is closed out. +- Hosted surfaces remain blocked. +- Production positioning remains blocked. +- Public benchmark reports remain blocked. +- Public benchmark claims remain blocked. +- Windows packaged artifacts remain blocked. +- Bundled project-maintained PDFium builds remain blocked. +- `ethos-doc` remains blocked. +- `ethos-rag` remains blocked. +- PDFium remains caller-provided through `ETHOS_PDFIUM_LIBRARY_PATH`. + +## Result + +The exact patch `0.1.1` Python PyPI wheel publication decision packet for `ethos-pdf==0.1.1` is +accepted. Actual PyPI upload remains a separate operator action requiring final pre-upload checks, +PyPI-approved authentication, exact wheel hash verification, and later registry closeout evidence.