From 31ae99e79bb1ed4a9e1ce6b75ca89788ae9f2315 Mon Sep 17 00:00:00 2001
From: docushell-admin
Date: Wed, 24 Jun 2026 11:27:09 +0530
Subject: [PATCH] Approve patch 0.1.1 deterministic Python wheel publication
Signed-off-by: docushell-admin
---
...n_deterministic_wheel_approval_decision.py | 145 +++++++++++++++
.../scripts/test_release_candidate_prep.py | 1 +
CHANGELOG.md | 1 +
Makefile | 1 +
docs/validation/README.md | 4 +
...approval-decision-validation-2026-06-24.md | 165 ++++++++++++++++++
6 files changed, 317 insertions(+)
create mode 100644 .github/scripts/test_patch_0_1_1_python_deterministic_wheel_approval_decision.py
create mode 100644 docs/validation/patch-0-1-1-python-deterministic-wheel-approval-decision-validation-2026-06-24.md
diff --git a/.github/scripts/test_patch_0_1_1_python_deterministic_wheel_approval_decision.py b/.github/scripts/test_patch_0_1_1_python_deterministic_wheel_approval_decision.py
new file mode 100644
index 0000000..582020b
--- /dev/null
+++ b/.github/scripts/test_patch_0_1_1_python_deterministic_wheel_approval_decision.py
@@ -0,0 +1,145 @@
+#!/usr/bin/env python3
+#
+# Copyright 2026 The Ethos maintainers
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+#
+
+from __future__ import annotations
+
+import re
+import subprocess
+import unittest
+from pathlib import Path
+
+from makefile_guard import target_block
+
+
+ROOT = Path(__file__).resolve().parents[2]
+RECORD = ROOT / "docs/validation/patch-0-1-1-python-deterministic-wheel-approval-decision-validation-2026-06-24.md"
+REQUEST = ROOT / "docs/validation/patch-0-1-1-python-deterministic-wheel-approval-request-validation-2026-06-24.md"
+VALIDATION_README = ROOT / "docs/validation/README.md"
+MAKEFILE = ROOT / "Makefile"
+
+SOURCE_SHORT = "0c8ffe7"
+SOURCE_COMMIT = "0c8ffe7db3b83896ab0be1c106bd1ec7de3cb278"
+SOURCE_TREE = "44376507f98789401efae7b9cf0ab97ca3b78980"
+PACKAGE_SOURCE_COMMIT = "d3e3953b99fbc74669f82ee56b753de7db6e63e4"
+PACKAGE_SOURCE_TREE = "8920cbc9bc6ae05ec0c417533513637eda12658d"
+PACKAGE = "ethos-pdf==0.1.1"
+WHEEL = "ethos_pdf-0.1.1-py3-none-any.whl"
+DETERMINISTIC_SHA256 = "e0292276e711e75d4f7e1bb8c2c6137c6e89d4c343dd308943eb9b22094ea451"
+PRIOR_APPROVED_SHA256 = "faa6c4751341b603b986ad3cf65d3c0c2f574e5df1d7232f76c3afd0221dac14"
+FRESH_STANDARD_SHA256 = "52cc738637a84aa084b776db8be866e7af7438d580f3d564801a2ce94492a950"
+FORBIDDEN = (
+ "python package is published",
+ "wheel is published",
+ "production-ready",
+ "hosted surfaces approved",
+ "windows packaged artifacts approved",
+ "bundled pdfium approved",
+ "public benchmark claims approved",
+ "ethos-doc approved",
+ "ethos-rag approved",
+)
+
+
+def read(path: Path) -> str:
+ return path.read_text(encoding="utf-8")
+
+
+def normalized(path: Path) -> str:
+ return re.sub(r"\s+", " ", read(path))
+
+
+def git(*args: str) -> str:
+ return subprocess.check_output(
+ ["git", *args],
+ cwd=ROOT,
+ encoding="utf-8",
+ stderr=subprocess.DEVNULL,
+ ).strip()
+
+
+class Patch011PythonDeterministicWheelApprovalDecisionTests(unittest.TestCase):
+ def test_decision_record_is_source_bound_and_indexed(self) -> None:
+ record = normalized(RECORD)
+ readme = normalized(VALIDATION_README)
+
+ self.assertIn(RECORD.name, readme)
+ self.assertIn("patch 0.1.1 Python deterministic wheel approval decision", readme)
+ self.assertIn(f"Validated source HEAD before this record: `{SOURCE_SHORT}`", read(RECORD))
+ self.assertIn(f"Patch 0.1.1 Python deterministic wheel approval decision source commit: `{SOURCE_COMMIT}`", record)
+ self.assertIn(f"Patch 0.1.1 Python deterministic wheel approval decision source tree: `{SOURCE_TREE}`", record)
+ self.assertEqual(SOURCE_COMMIT, git("rev-parse", SOURCE_SHORT))
+ self.assertEqual(SOURCE_TREE, git("rev-parse", f"{SOURCE_SHORT}^{{tree}}"))
+
+ def test_decision_accepts_exact_deterministic_request_packet(self) -> None:
+ record = normalized(RECORD)
+
+ self.assertIn(REQUEST.name, record)
+ self.assertIn("Decision: accept exact patch `0.1.1` deterministic Python PyPI wheel publication decision packet.", record)
+ self.assertIn(f"Deterministic package source commit accepted by this decision: `{PACKAGE_SOURCE_COMMIT}`", record)
+ self.assertIn(f"Deterministic package source tree accepted by this decision: `{PACKAGE_SOURCE_TREE}`", record)
+ for expected in (
+ PACKAGE,
+ WHEEL,
+ DETERMINISTIC_SHA256,
+ PRIOR_APPROVED_SHA256,
+ FRESH_STANDARD_SHA256,
+ "SOURCE_DATE_EPOCH=0",
+ "Name: `ethos-pdf`",
+ "Version: `0.1.1`",
+ "License-Expression: `Apache-2.0`",
+ "Requires-Python: `>=3.8`",
+ "Wheel-Version: `1.0`",
+ "Root-Is-Purelib: `true`",
+ "Tag: `py3-none-any`",
+ "member timestamps: `1980-01-01 00:00:00`",
+ "EthosCli",
+ "EthosCommandError",
+ "ETHOS_PDFIUM_LIBRARY_PATH",
+ ):
+ self.assertIn(expected, record)
+
+ def test_decision_allows_only_later_operator_upload_with_boundaries(self) -> None:
+ raw = read(RECORD)
+ lower = normalized(RECORD).lower()
+ record = normalized(RECORD)
+
+ for expected in (
+ "This decision record does not upload any Python distribution.",
+ "PyPI upload remains a separate operator action.",
+ "After this decision record is merged and validation passes on merged source, an operator may upload only this deterministic wheel:",
+ "The operator must set `SOURCE_DATE_EPOCH=0` before building the wheel for upload.",
+ "The operator must use a PyPI-approved authentication path and must not record credentials in the repository.",
+ "The operator must stop if the built wheel filename, SHA256, package version, source commit, source tree, deterministic build input, or retained blockers differ.",
+ "Public installation wording remains blocked until PyPI availability is closed out.",
+ "`ethos-doc` remains blocked.",
+ "`ethos-rag` remains blocked.",
+ ):
+ self.assertIn(expected, record)
+ for forbidden in FORBIDDEN:
+ self.assertNotIn(forbidden, lower)
+ self.assertNotIn("/Users/", raw)
+ self.assertNotIn("/tmp", raw)
+ self.assertNotIn("/private/tmp", raw)
+ self.assertNotIn("/private/var", raw)
+ self.assertNotIn("/var/folders", raw)
+ self.assertNotIn("saumildiwaker", raw)
+
+ def test_release_candidate_prep_runs_decision_guard_after_request_guard(self) -> None:
+ makefile = read(MAKEFILE)
+ request_guard = "$(PYTHON) .github/scripts/test_patch_0_1_1_python_deterministic_wheel_approval_request.py"
+ decision_guard = "$(PYTHON) .github/scripts/test_patch_0_1_1_python_deterministic_wheel_approval_decision.py"
+ npm_guard = "$(PYTHON) .github/scripts/test_npm_binary_package_scaffold.py"
+ block = target_block("release-candidate-prep")
+
+ self.assertIn(decision_guard, block)
+ self.assertEqual(1, makefile.count(decision_guard))
+ self.assertLess(block.index(request_guard), block.index(decision_guard))
+ self.assertLess(block.index(decision_guard), block.index(npm_guard))
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/.github/scripts/test_release_candidate_prep.py b/.github/scripts/test_release_candidate_prep.py
index 825efa5..eb10cd3 100644
--- a/.github/scripts/test_release_candidate_prep.py
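Review bot: The commit and tree the wheel is actually built from are only compared as text: `test_decision_accepts_exact_deterministic_request_packet` asserts that `PACKAGE_SOURCE_COMMIT` and `PACKAGE_SOURCE_TREE` appear in the record, but unlike `SOURCE_COMMIT`/`SOURCE_TREE` in the first test they are never resolved with git, so a record whose package commit and tree do not belong together would still pass. Adding `self.assertEqual(PACKAGE_SOURCE_TREE, git("rev-parse", f"{PACKAGE_SOURCE_COMMIT}^{{tree}}"))` would bind them the same way; the request guard may already do this, but that file is not visible here. Separately, `git()` sends stderr to `subprocess.DEVNULL`, so if `0c8ffe7` cannot be resolved (for example in a shallow checkout) the test fails with a bare `CalledProcessError` and no hint of the cause. The last `assertNotIn` in `test_decision_allows_only_later_operator_upload_with_boundaries` also commits the very account name it is meant to keep out of the repository, which the `/Users/` check already covers.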
+++ b/.github/scripts/test_release_candidate_prep.py
@@ -34,6 +34,7 @@
 "$(PYTHON) .github/scripts/test_patch_0_1_1_python_publication_approval_decision.py",
 "$(PYTHON) .github/scripts/test_patch_0_1_1_python_wheel_reproducibility_blocker.py",
 "$(PYTHON) .github/scripts/test_patch_0_1_1_python_deterministic_wheel_approval_request.py",
+ "$(PYTHON) .github/scripts/test_patch_0_1_1_python_deterministic_wheel_approval_decision.py",
 "$(PYTHON) .github/scripts/test_npm_binary_package_scaffold.py",
 "npm test --prefix packages/npm/ethos-pdf",
 "$(PYTHON) .github/scripts/test_npm_vendor_binary_payload_strategy.py",
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0c0b9c1..481cb8c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@ ## Unreleased
+- boundary-exception: approve exact patch `0.1.1` deterministic Python PyPI wheel publication decision for later operator upload; no PyPI upload or support-boundary change.
 - boundary-exception: request exact patch `0.1.1` deterministic Python PyPI wheel approval for decider review; no PyPI upload or support-boundary change.
 - boundary-exception: record patch `0.1.1` Python wheel reproducibility blocker after pre-upload hash mismatch; no PyPI upload or support-boundary change.
 - boundary-exception: approve exact patch `0.1.1` Python PyPI wheel publication decision for later operator upload; no PyPI upload or support-boundary change.
diff --git a/Makefile b/Makefile
index 098106c..ef5a8d5 100644
--- a/Makefile
+++ b/Makefile
@@ -276,6 +276,7 @@ release-candidate-prep:
 $(PYTHON) .github/scripts/test_patch_0_1_1_python_publication_approval_decision.py
 $(PYTHON) .github/scripts/test_patch_0_1_1_python_wheel_reproducibility_blocker.py
 $(PYTHON) .github/scripts/test_patch_0_1_1_python_deterministic_wheel_approval_request.py
+ $(PYTHON) .github/scripts/test_patch_0_1_1_python_deterministic_wheel_approval_decision.py
 $(PYTHON) .github/scripts/test_npm_binary_package_scaffold.py
 npm test --prefix packages/npm/ethos-pdf
 $(PYTHON) .github/scripts/test_npm_vendor_binary_payload_strategy.py
diff --git a/docs/validation/README.md b/docs/validation/README.md
index b5b0e2f..6008882 100644
--- a/docs/validation/README.md
+++ b/docs/validation/README.md
@@ -632,6 +632,10 @@ recording the exact current-main source candidate and required follow-up evidenc
 `SOURCE_DATE_EPOCH=0` `ethos-pdf==0.1.1` wheel candidate, source commit, wheel metadata, deterministic SHA256, local install/import smoke, and retained blockers for decider review; PyPI upload remains blocked.
+- `patch-0-1-1-python-deterministic-wheel-approval-decision-validation-2026-06-24.md` - patch
+ 0.1.1 Python deterministic wheel approval decision validation accepts the exact
+ `SOURCE_DATE_EPOCH=0` `ethos-pdf==0.1.1` wheel candidate, source binding, wheel metadata,
+ deterministic SHA256, and retained blockers; operator upload remains pending.
 - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E validation-command index validation passed through command-alignment checks, schema enum checks, row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the
diff --git a/docs/validation/patch-0-1-1-python-deterministic-wheel-approval-decision-validation-2026-06-24.md b/docs/validation/patch-0-1-1-python-deterministic-wheel-approval-decision-validation-2026-06-24.md
new file mode 100644
index 0000000..b974a12
--- /dev/null
+++ b/docs/validation/patch-0-1-1-python-deterministic-wheel-approval-decision-validation-2026-06-24.md 
@@ -0,0 +1,165 @@
+# Patch 0.1.1 Python Deterministic Wheel Approval Decision Validation - 2026-06-24
+
+Validated source HEAD before this record: `0c8ffe7`.
+
+Patch 0.1.1 Python deterministic wheel approval decision source commit:
+`0c8ffe7db3b83896ab0be1c106bd1ec7de3cb278`.
+
+Patch 0.1.1 Python deterministic wheel approval decision source tree:
+`44376507f98789401efae7b9cf0ab97ca3b78980`.
+
+Status: **patch 0.1.1 Python deterministic wheel approval decision recorded; operator upload remains pending**
+
+This record accepts the exact patch `0.1.1` deterministic Python PyPI publication request packet
+after decider approval. It approves only the bounded later operator action for the
+`SOURCE_DATE_EPOCH=0` `ethos-pdf==0.1.1` wheel. It does not upload any Python distribution, create
+package tags, change public wording, approve hosted surfaces, approve production positioning,
+approve Windows packaged artifacts, approve bundled project-maintained PDFium builds, approve
+`ethos-doc`, approve `ethos-rag`, or approve public benchmark reports or claims.
+
+## Subject
+
+- Repository: `docushell/ethos`
+- Lane: Python PyPI deterministic wheel publication
+- Approval owner: `docushell-admin`
+- Approval request record:
+ `docs/validation/patch-0-1-1-python-deterministic-wheel-approval-request-validation-2026-06-24.md`
+- Deterministic package source commit accepted by this decision:
+ `d3e3953b99fbc74669f82ee56b753de7db6e63e4`
+- Deterministic package source tree accepted by this decision:
+ `8920cbc9bc6ae05ec0c417533513637eda12658d`
+
+## Exact Decision Fields
+
+- Decision: accept exact patch `0.1.1` deterministic Python PyPI wheel publication decision packet.
+- Approver: `docushell-admin` acting as decider.
+- Date: 2026-06-24.
+- Exact package accepted by this decision: `ethos-pdf==0.1.1`.
+- Exact distribution accepted by this decision: `ethos_pdf-0.1.1-py3-none-any.whl` only.
+- Exact deterministic build input accepted by this decision: `SOURCE_DATE_EPOCH=0`.
+- Exact source commit accepted by this decision: `d3e3953b99fbc74669f82ee56b753de7db6e63e4`.
+- Exact source tree accepted by this decision: `8920cbc9bc6ae05ec0c417533513637eda12658d`.
+- Exact deterministic wheel SHA256 accepted by this decision:
+ `e0292276e711e75d4f7e1bb8c2c6137c6e89d4c343dd308943eb9b22094ea451`.
+
+## Superseded Hash Context
+
+- Prior timestamp-sensitive approved wheel SHA256:
+ `faa6c4751341b603b986ad3cf65d3c0c2f574e5df1d7232f76c3afd0221dac14`
+- Fresh standard pre-upload rebuild SHA256:
+ `52cc738637a84aa084b776db8be866e7af7438d580f3d564801a2ce94492a950`
+- The approved deterministic request packet classified the difference as generated ZIP timestamp
+ drift with identical wheel member bytes.
+
+## Wheel Metadata Accepted By This Decision
+
+- Name: `ethos-pdf`
+- Version: `0.1.1`
+- Summary: `Python wrapper for the Ethos document evidence CLI.`
+- License-Expression: `Apache-2.0`
+- Requires-Python: `>=3.8`
+- Wheel-Version: `1.0`
+- Root-Is-Purelib: `true`
+- Tag: `py3-none-any`
+- Wheel member timestamps: `1980-01-01 00:00:00`
+- Import smoke accepted by this decision: version `0.1.1`, `EthosCli`, and `EthosCommandError`.
+- PDFium boundary accepted by this decision: PDFium remains caller-provided through
+ `ETHOS_PDFIUM_LIBRARY_PATH`.
+
+## Approved Operator Action
+
+After this decision record is merged and validation passes on merged source, an operator may upload
+only this deterministic wheel:
+
+```text
+ethos_pdf-0.1.1-py3-none-any.whl
+```
+
+The operator must set `SOURCE_DATE_EPOCH=0` before building the wheel for upload. The operator must
+use a PyPI-approved authentication path and must not record credentials in the repository. The
+operator must stop if the built wheel filename, SHA256, package version, source commit, source
+tree, deterministic build input, or retained blockers differ.
+
+PyPI upload remains a separate operator action. This decision record does not upload any Python
+distribution.
+
+## Required Operator Pre-Upload Checks
+
+Before uploading, the operator must run:
+
+```sh
+SOURCE_DATE_EPOCH=0 python3 -m build --wheel --outdir
+shasum -a 256 /ethos_pdf-0.1.1-py3-none-any.whl
+python3 .github/scripts/test_patch_0_1_1_python_deterministic_wheel_approval_decision.py
+python3 .github/scripts/test_patch_0_1_1_python_deterministic_wheel_approval_request.py
+python3 .github/scripts/test_patch_0_1_1_python_wheel_reproducibility_blocker.py
+python3 .github/scripts/test_python_public_api_policy.py
+PYTHONPATH=python python3 -m unittest discover -s python/tests
+make release-candidate-prep PYTHON=python3
+git diff --check
+```
+
+## Explicit Exclusions
+
+- Source distributions remain excluded.
+- Alternate wheels remain excluded.
+- Alternate Python package names remain excluded.
+- Package tags remain excluded.
+- Hosted surfaces remain blocked.
+- Production positioning remains blocked.
+- Public benchmark reports remain blocked.
+- Public benchmark claims remain blocked.
+- Windows packaged artifacts remain blocked.
+- Bundled project-maintained PDFium builds remain blocked.
+- `ethos-doc` remains blocked.
+- `ethos-rag` remains blocked.
+- Broader public wording remains blocked.
+
+## Evidence Bound To This Decision
+
+- Decider decision supplied: Approved; create the patch `0.1.1` Python PyPI publication approval
+ decision record for the exact deterministic `ethos-pdf==0.1.1` wheel candidate in the merged
+ approval-request record.
+- `python3 .github/scripts/test_patch_0_1_1_python_deterministic_wheel_approval_request.py`
+ passed on merged `main`.
+- `python3 .github/scripts/test_patch_0_1_1_python_wheel_reproducibility_blocker.py` passed on
+ merged `main`.
+- `python3 .github/scripts/test_python_public_api_policy.py` passed on merged `main`.
+- `PYTHONPATH=python python3 -m unittest discover -s python/tests` passed on merged `main`.
+- `make release-candidate-prep PYTHON=python3` passed on merged `main` before this decision branch.
+
+## Non-Actions
+
+- This decision record does not upload any Python distribution.
+- This decision record does not approve an sdist.
+- This decision record does not approve another wheel.
+- This decision record does not approve package tags.
+- This decision record does not approve public installation wording.
+- This decision record does not approve hosted surfaces.
+- This decision record does not approve production positioning.
+- This decision record does not approve public benchmark reports.
+- This decision record does not approve public benchmark claims.
+- This decision record does not approve Windows packaged artifacts.
+- This decision record does not approve bundled project-maintained PDFium builds.
+- This decision record does not approve `ethos-doc`.
+- This decision record does not approve `ethos-rag`.
+
+## Retained Blockers
+
+- Public installation wording remains blocked until PyPI availability is closed out.
+- Hosted surfaces remain blocked.
+- Production positioning remains blocked.
+- Public benchmark reports remain blocked.
+- Public benchmark claims remain blocked.
+- Windows packaged artifacts remain blocked.
+- Bundled project-maintained PDFium builds remain blocked.
+- `ethos-doc` remains blocked.
+- `ethos-rag` remains blocked.
+- PDFium remains caller-provided through `ETHOS_PDFIUM_LIBRARY_PATH`.
+
+## Result
+
+The exact patch `0.1.1` deterministic Python PyPI wheel publication decision packet for
+`ethos-pdf==0.1.1` is accepted. Actual PyPI upload remains a separate operator action requiring
+final pre-upload checks, PyPI-approved authentication, exact deterministic wheel hash verification,
+and later registry closeout evidence.