Merged
5 changes: 3 additions & 2 deletions CHANGELOG.md
@@ -9,6 +9,7 @@ This project has a published GitHub Release line, but no stable support or API g
### Changed

- Documented the published `v0.2.1` GitHub Release and PyPI package state on `main`.
- Synced public security, README, and changelog wording after `v0.2.1` publication, PyPI availability, and GitHub Release assets were verified.

## [0.2.1] - 2026-06-17

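Review bot: the new `Changed` entry says PyPI availability and GitHub Release assets "were verified" but not what the verification consisted of, so a changelog reader cannot reproduce the check. Suggest naming the evidence, for example that the `v0.2.1` tag and the PyPI `0.2.1` artifact were checked against the same release SHA, or drop "were verified" and leave that statement to SECURITY.md.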
@@ -42,8 +43,8 @@ This project has a published GitHub Release line, but no stable support or API g

### Release notes

- These changes are present on `main` after `v0.2.0` and are not part of the published `v0.2.0` release artifacts.
- The next release should be cut as a new patch release instead of moving the existing `v0.2.0` tag.
- These changes were accumulated on `main` after `v0.2.0` and are released in `v0.2.1`.
- The existing `v0.2.0` tag was not moved; `v0.2.1` was cut as a new patch release.

## [0.2.0] - 2026-06-15

14 changes: 7 additions & 7 deletions README.md
@@ -135,7 +135,7 @@ The default behavior is read-only.

## What This Project Does

`v0.2.1` is published as a GitHub Release and as the first PyPI package line for `agent-rules-kit`. Current `main` may include post-release documentation updates after that published package.
`v0.2.1` is published as a GitHub Release and as the first PyPI package line for `agent-rules-kit`. Current `main` reflects that published state and may include later documentation or maintenance updates.

The implemented behavior includes:

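Review bot: the replacement sentence broadens "post-release documentation updates" to "documentation or maintenance updates", which leaves it unclear whether `main` may carry behavioural changes beyond the published `v0.2.1` package. If maintenance updates can include code fixes, say so plainly so a reader does not treat `main` as equivalent to the released artifact; otherwise keep the narrower wording.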
@@ -150,7 +150,7 @@ The implemented behavior includes:
- avoids LLM calls;
- avoids executing commands from analyzed repositories.

Governance diagnostics were introduced in `v0.2.0` and have received post-release fixes on `main`.
Governance diagnostics were introduced in `v0.2.0` and hardened through the published `v0.2.1` release.

These diagnostics are heuristic findings for instruction-file governance. They are meant to flag review-worthy instruction patterns, not to prove that a repository is safe.

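Review bot: "hardened through the published `v0.2.1` release" reads as a security-strength claim for diagnostics that the following paragraph describes as heuristic and not proof of safety. Since the release checklist in this same file requires that the README not claim unsupported maturity, consider the more neutral "received fixes in the published `v0.2.1` release".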
@@ -173,7 +173,7 @@ Current `main` evaluates the following governance finding rules, in stable evalu

Governance findings are intentionally conservative and pattern-based. They may produce false positives or false negatives, and they are not a substitute for maintainer review.

The `v0.2.0` GitHub Release introduced this governance rule set. Current `main` may include unreleased fixes and coverage improvements after that tag.
The `v0.2.0` GitHub Release introduced this governance rule set. The published `v0.2.1` release includes subsequent governance hardening, coverage expansion, and release/PyPI documentation sync without moving the `v0.2.0` tag.

For detailed rule purpose, evidence, limits, and false-positive notes, see `docs/RULES.md`.

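Review bot: the new sentence repeats the "governance hardening" wording and bundles it with release/PyPI documentation sync and tag handling in one line, although the README is not where release mechanics belong when CHANGELOG.md already records them. Suggest keeping only the governance-related statement here and pointing to CHANGELOG.md for release details.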
@@ -469,20 +469,20 @@ Current status:
- `v0.2.0` remains the previous published GitHub Release baseline;
- `main` may include post-`v0.2.1` documentation or maintenance updates;
- no stable support or API guarantee yet;
- release tag `v0.2.0` points to the verified release SHA;
- release tag `v0.2.1` points to the verified release SHA;
- local CLI behavior implemented;
- governance diagnostics, structured finding evidence, and evidence redaction are implemented;
- CI active;
- branch protection is active with the required `local-checks / Python 3.12` status check;
- the `pypi` GitHub environment exists for the release publishing workflow;
- `.github/workflows/publish-pypi.yml` is prepared to publish `v0.2.1` through PyPI Trusted Publishing when the GitHub Release is published;
- `.github/workflows/publish-pypi.yml` published `v0.2.1` through PyPI Trusted Publishing and remains the release publishing workflow;
- README screenshots are generated from real local CLI commands;
- security boundaries documented;
- threat model documented.

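Review bot: replacing the `v0.2.0` tag bullet with a `v0.2.1` one drops the statement that the `v0.2.0` tag points to its verified release SHA, although the list still names `v0.2.0` as the previous published baseline. If both tags are meant to be trusted, keep a bullet for each; and since neither bullet gives the SHA, consider stating it so a reader can compare it with the output of `git rev-list -n 1 v0.2.1`.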
For future releases, verify:

- all intended unreleased fixes for the patch release are merged into `main`;
- all intended changes for the release are merged into `main`;
- no known release-blocking audit finding remains open;
- local checks pass from a development virtual environment;
- CI passes for the release SHA;
@@ -494,7 +494,7 @@ For future releases, verify:
- README documents normal CLI use, source-tree development use, virtual environment setup, development dependencies, and local checks;
- README does not claim unsupported maturity;
- SECURITY.md and CHANGELOG.md are current;
- private vulnerability reporting is enabled or its absence is clearly documented;
- private vulnerability reporting status is accurately documented;
- tag and GitHub Release point to the verified release SHA;
- no real secrets or private data are present.

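Review bot: the rewritten checklist item weakens the requirement: the old wording required private vulnerability reporting to be enabled or its absence explicitly documented, while "status is accurately documented" can be satisfied by saying nothing at all. Suggest keeping the either/or form, e.g. "private vulnerability reporting is enabled, or SECURITY.md states that it is not and names the alternative reporting channel".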
10 changes: 5 additions & 5 deletions SECURITY.md
@@ -6,9 +6,9 @@ It is not a security scanner, provides no security guarantees, and must not be d

## Supported versions

`v0.2.0` is published as a GitHub Release.
`v0.2.1` is published as a GitHub Release and PyPI package.

Current `main` contains unreleased post-`v0.2.0` fixes intended for a future patch release.
Current `main` may include post-`v0.2.1` documentation or maintenance updates after the published package.

The project is still maintained on a best-effort basis. There is no commercial SLA, no guaranteed response time, and no guarantee that every security-relevant issue will be found or fixed.

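Review bot: the supported-versions statement now names two distribution channels (GitHub Release and PyPI package) but gives a user no way to tell that the PyPI artifact is built from the same release SHA as the GitHub Release. Consider adding one sentence on how to check this, consistent with the Trusted Publishing workflow the README describes.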
@@ -18,7 +18,7 @@ The project is still maintained on a best-effort basis. There is no commercial S
| 0.1.x | Historical pre-release line / not supported |
| < 0.1 | Not supported |

This project is not published to PyPI yet. Do not claim PyPI availability until a separate release phase verifies and publishes it.
`agent-rules-kit==0.2.1` is published on PyPI. Future PyPI availability claims must be verified per release before updating this policy.

## Security boundaries

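Review bot: the new sentence pins the package as `agent-rules-kit==0.2.1`, but the rule "must be verified per release before updating this policy" does not say what counts as verification for the maintainer. State the minimal check (e.g. the version installs from PyPI and its source matches the tagged release SHA) so future releases are held to the same bar.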
@@ -71,13 +71,13 @@ Security response is best-effort for the current `0.2.x` GitHub Release line.

There is no commercial SLA or guaranteed response time.

Before any broader public distribution, the maintainer should re-check and document:
For future releases or broader public distribution, the maintainer should re-check and document:

- supported versions;
- expected response time;
- disclosure handling;
- whether GitHub Security Advisories or private vulnerability reporting are enabled;
- whether PyPI publication changes the support policy.
- whether the published package channel changes the support policy.

## Safe development rules

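Review bot: the unchanged context line "Security response is best-effort for the current `0.2.x` GitHub Release line." still scopes response to the GitHub Release line, while the last bullet now refers to "the published package channel" and the Supported versions section states PyPI publication. Update that sentence to cover the PyPI line as well, or the policy is inconsistent about whether PyPI users are covered.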