From ede3550c2e760fdd3020cafffbfe858df25349ed Mon Sep 17 00:00:00 2001 From: CoderDeltaLAN Date: Fri, 19 Jun 2026 11:10:47 +0100 Subject: [PATCH] docs: sync v0.3 public truth guards --- CHANGELOG.md | 1 + SUPPORT.md | 6 ++--- docs/PRODUCT-STRATEGY.md | 48 +++++++++++++++++++---------------- scripts/post-release-audit.sh | 7 +++++ 4 files changed, 37 insertions(+), 25 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 21b4c0a..d9ed7b1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ This project has a published GitHub Release line, but no stable support or API g ### Changed +- Synced product strategy and support public-truth wording with v0.3.0, and expanded the post-release audit guard for stale version and private reporting claims. - Improved PyPI package metadata with SPDX license metadata, explicit license files, project URLs, and additional classifiers. - Synced the README source-tree layout with the actual v0.3.0 module structure. - Reviewed the threat model for the v0.3.0 doctor, budget, and explain command surface. diff --git a/SUPPORT.md b/SUPPORT.md index ec32a78..4d9619c 100644 --- a/SUPPORT.md +++ b/SUPPORT.md 
@@ -38,13 +38,13 @@ Best-effort support does not include: ## Security and vulnerability handling -Private vulnerability reporting is currently disabled for this repository. +Private vulnerability reporting is enabled for this repository after manual GitHub UI verification. -Do not claim GitHub Security Advisories or private vulnerability reporting are enabled unless that setting has been explicitly verified. +Use GitHub private vulnerability reporting for sensitive vulnerability reports when available. This disclosure channel does not change the best-effort support boundary and is not a security guarantee. Security-relevant reports should avoid posting real secrets, tokens, credentials, private URLs, customer data, or exploit material. -See `SECURITY.md` for the project security boundary and supported-version policy. +See `SECURITY.md` and `docs/PRIVATE-VULNERABILITY-REPORTING.md` for the project security boundary, supported-version policy, verification record, and limits of this disclosure channel. ## Project boundaries diff --git a/docs/PRODUCT-STRATEGY.md b/docs/PRODUCT-STRATEGY.md index 9d2a672..e5b8e13 100644 --- a/docs/PRODUCT-STRATEGY.md +++ b/docs/PRODUCT-STRATEGY.md 
@@ -1,12 +1,12 @@ # Product Strategy Roadmap -This document defines the product direction for agent-rules-kit after the published v0.2.0 GitHub Release and current post-v0.2.0 main fixes. +This document defines the product direction for agent-rules-kit after the published v0.3.0 GitHub Release and PyPI package, with current post-v0.3.0 maintenance hardening on main. It is a strategy document, not an implementation plan for a specific feature. It must not be used to claim capabilities that are not already implemented. ## Current product truth -agent-rules-kit has a published v0.2.0 GitHub Release line. Current main contains unreleased post-v0.2.0 fixes intended for a future patch release. +agent-rules-kit has a published v0.3.0 GitHub Release and PyPI package line. `v0.2.3` remains the previous published GitHub Release and PyPI package baseline. Current main contains post-v0.3.0 maintenance hardening intended for a future patch release. The implemented product currently supports: @@ -19,14 +19,17 @@ The implemented product currently supports: - conservative governance diagnostics for `AIRK-GOV001` through `AIRK-GOV006`; - structured evidence for line-based governance findings; - pattern-based redaction for supported secret-like values in supported output paths; -- local tests, Ruff linting, CI, release assets, and documented safety boundaries. +- read-only `doctor` repository diagnosis output; +- read-only `budget` deterministic local size and context-pressure approximation output; +- read-only `explain` output for known governance rule IDs; +- local tests, Ruff linting, CI, release assets, PyPI publication, and documented safety boundaries. The implemented product does not yet provide: - governance scoring; - cross-file consistency analysis; - instruction conflict detection; -- context budget analysis; +- exact tokenizer-specific token accounting; - policy profiles; - remediation workflows; - broad rule generation; 
@@ -172,7 +175,7 @@ Any claim that depends on measured results must be backed by tests, fixtures, be ### v0.2: Governance baseline -Status: published in v0.2.0, with unreleased post-v0.2.0 fixes on main. +Status: historical baseline published in v0.2.0 and hardened through the v0.2.x patch line. Implemented scope: @@ -194,24 +197,23 @@ Still non-goals for v0.2: - repository-wide code analysis; - LLM-based evaluation. -### v0.3: Context budget approximation +### v0.3: Local diagnosis toolkit baseline -Goal: help maintainers understand instruction-file weight without promising exact token savings. +Status: published in v0.3.0. -Candidate capabilities: +Implemented scope: -- file count; -- byte count; -- line count; -- approximate character budget; -- large-file warnings; -- duplicate-section hints if simple and explainable. +- read-only `doctor` repository diagnosis output; +- read-only `budget` deterministic local size and context-pressure approximation output; +- read-only `explain` output for known governance rule IDs; +- updated output and release documentation for the v0.3.0 command surface. -Non-goals for v0.3: +Still non-goals for v0.3: - exact token accounting across providers; - cost prediction; -- model-specific optimization promises. +- model-specific optimization promises; +- JSON output for `doctor` and `budget`. ### v0.4: Cross-file consistency lint 
@@ -264,16 +266,18 @@ Candidate criteria: - private vulnerability reporting path or explicit documented alternative; - no unsupported security or maturity claims. -## Next implementation direction after v0.2 +## Next implementation direction after v0.3.0 -The next implementation phase should be justified against the current repository state, not against the old v0.1 strategy snapshot. +The next implementation phase should be justified against the current repository state, not against older strategy snapshots. Good next candidates are narrow and evidence-backed: +- v0.3.1 maintenance hardening before new product features; - release and package smoke hardening; +- README, support, security, and strategy public-truth checks; +- supply-chain workflow additions only after dedicated evaluation phases; - additional instruction-file discovery only when official tool documentation supports it; -- a `doctor` baseline that summarizes existing scan and governance behavior without inventing new capabilities; -- context budget approximation only after output contracts are stable. +- JSON output for `doctor` and `budget` in a later feature release. Any next code phase must preserve local-first behavior, read-only default behavior, no runtime network access, no runtime LLM dependency, no execution of repository commands, and conservative claims. 
@@ -283,8 +287,8 @@ Decision: keep product strategy as the boundary document after v0.2. Reason: -- v0.2.0 already published the first governance baseline; -- current main contains post-v0.2.0 fixes that should become a future patch release; +- v0.3.0 already published the local diagnosis toolkit baseline; +- current main contains post-v0.3.0 maintenance hardening that should become a future patch release; - adjacent tools still cover repository packaging, context frameworks, and broad rule generation better than this project should; - the real product wedge remains instruction governance; - future features must be justified against this document to avoid scope drift. diff --git a/scripts/post-release-audit.sh b/scripts/post-release-audit.sh index 023ccb8..05abcfe 100755 --- a/scripts/post-release-audit.sh +++ b/scripts/post-release-audit.sh @@ -34,6 +34,8 @@ require_file pyproject.toml require_file README.md require_file CHANGELOG.md require_file SECURITY.md +require_file SUPPORT.md +require_file docs/PRODUCT-STRATEGY.md require_file docs/THREAT-MODEL.md require_file docs/V0.3.0-POST-RELEASE-AUDIT.md require_file scripts/check.sh 
@@ -59,7 +61,12 @@ printf '\n== local checks ==\n' printf '\n== v0.3.0 documentation sanity ==\n' require_absent README.md 'doctor\.py' require_absent docs/THREAT-MODEL.md 'v0\.2\.0 release line|post-v0\.2\.0 main state' +require_absent docs/PRODUCT-STRATEGY.md 'published v0\.2\.0 GitHub Release and current post-v0\.2\.0 main fixes|published v0\.2\.0 GitHub Release line|unreleased post-v0\.2\.0 fixes|Status: published in v0\.2\.0, with unreleased post-v0\.2\.0 fixes on main|current main contains post-v0\.2\.0 fixes' +require_absent SUPPORT.md 'Private vulnerability reporting is currently disabled' require_contains docs/THREAT-MODEL.md 'v0\.3\.0 doctor, budget, and explain command surface' +require_contains docs/PRODUCT-STRATEGY.md 'published v0\.3\.0 GitHub Release and PyPI package line' +require_contains docs/PRODUCT-STRATEGY.md 'Status: published in v0\.3\.0' +require_contains SUPPORT.md 'Private vulnerability reporting is enabled' require_contains docs/V0.3.0-POST-RELEASE-AUDIT.md 'v0\.3\.0' printf 'OK: v0.3.0 documentation sanity checks passed.\n'
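Review bot: in the SUPPORT.md hunk, the new line "Private vulnerability reporting is enabled for this repository after manual GitHub UI verification." records a one-off manual check, and the next sentence immediately hedges it with "when available", which contradicts the unconditional "is enabled". Either drop "when available" or make the verification concrete (date and verifier, since the same hunk says a verification record lives in `docs/PRIVATE-VULNERABILITY-REPORTING.md`), and consider replacing the manual UI step with a scripted check such as `gh api repos/<owner>/<repo>/private-vulnerability-reporting`, so the claim can be re-run by the audit script instead of being trusted from a UI screenshot that nothing in this patch re-checks.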
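Review bot: the context line shown in the header of the last docs/PRODUCT-STRATEGY.md hunk, "Decision: keep product strategy as the boundary document after v0.2.", is left stale while the reasons directly beneath it are rewritten to v0.3.0; update it to "after v0.3.0" in the same change, because the new `require_absent` pattern for this file only lists the exact v0.2.0 sentences removed by this patch and will not flag it.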
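Review bot: the `require_file` additions in scripts/post-release-audit.sh cover `SUPPORT.md` and `docs/PRODUCT-STRATEGY.md` but not `docs/PRIVATE-VULNERABILITY-REPORTING.md`, which the SUPPORT.md hunk in this same patch now points readers to as the verification record; add `require_file docs/PRIVATE-VULNERABILITY-REPORTING.md` so a dangling link to the verification record fails the audit rather than passing silently.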
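Review bot: the new `require_absent docs/PRODUCT-STRATEGY.md '...'` line is an enumerated blacklist of the five exact phrases this patch removed, so it guards only against those strings reappearing verbatim and misses other v0.2-era wording in the same file (the unchanged "boundary document after v0.2." line is one). A generic pattern such as `post-v0\.2\.0|published in v0\.2\.0,`, with the historical "v0.2: Governance baseline" section exempted explicitly, would catch drift instead of specific sentences. Separately, `require_contains SUPPORT.md 'Private vulnerability reporting is enabled'` pins the documentation wording, not the repository setting: if the GitHub setting is later switched off, this guard keeps passing and will block any attempt to correct SUPPORT.md. Have the audit query the setting when a token is available (skip with a warning otherwise) and assert that the wording matches the result, so the guard enforces truth rather than a string.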