diff --git a/CHANGELOG.md b/CHANGELOG.md index 4a0ff24..332c6c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,20 @@ This project has a published GitHub Release line, but no stable support or API g No unreleased changes. +## [0.2.3] - 2026-06-18 + +### Changed + +- Released a documentation-only patch for the public `v0.2.3` GitHub Release and PyPI package line. +- Synced SUPPORT.md with the current `v0.2.3` GitHub Release and PyPI package state. +- Updated package metadata, README.md, SECURITY.md, and CHANGELOG.md release references from `v0.2.2` to `v0.2.3` without changing runtime behavior. +- Preserved the existing runtime behavior, governance diagnostics, CI workflow, PyPI Trusted Publishing workflow, and previous release tags. + +### Release notes + +- No runtime code or behavior changes are included in this patch release. +- The existing `v0.2.2` tag was not moved; `v0.2.3` is cut as a new docs-only patch release. + ## [0.2.2] - 2026-06-18 ### Changed diff --git a/README.md b/README.md index 6588bb7..7ae44e2 100644 --- a/README.md +++ b/README.md @@ -135,7 +135,7 @@ The default behavior is read-only. ## What This Project Does -`v0.2.2` is published as a GitHub Release and PyPI package for `agent-rules-kit`. Current `main` reflects that published state and may include later documentation or maintenance updates. +`v0.2.3` is published as a GitHub Release and PyPI package for `agent-rules-kit`. Current `main` reflects that published state and may include later documentation or maintenance updates. The implemented behavior includes: 
@@ -150,7 +150,7 @@ The implemented behavior includes: - avoids LLM calls; - avoids executing commands from analyzed repositories. -Governance diagnostics were introduced in `v0.2.0` and hardened through the published `v0.2.1` release. `v0.2.2` is a documentation-only public-truth patch. +Governance diagnostics were introduced in `v0.2.0` and hardened through the published `v0.2.1` release. `v0.2.2` and `v0.2.3` are documentation-only public-truth patches. These diagnostics are heuristic findings for instruction-file governance. They are meant to flag review-worthy instruction patterns, not to prove that a repository is safe. @@ -173,7 +173,7 @@ Current `main` evaluates the following governance finding rules, in stable evalu Governance findings are intentionally conservative and pattern-based. They may produce false positives or false negatives, and they are not a substitute for maintainer review. -The `v0.2.0` GitHub Release introduced this governance rule set. The published `v0.2.1` release includes subsequent governance hardening and coverage expansion without moving the `v0.2.0` tag. The published `v0.2.2` release syncs public release, PyPI, and security documentation without runtime behavior changes. +The `v0.2.0` GitHub Release introduced this governance rule set. The published `v0.2.1` release includes subsequent governance hardening and coverage expansion without moving the `v0.2.0` tag. The published `v0.2.2` release syncs public release, PyPI, and security documentation without runtime behavior changes. The published `v0.2.3` release syncs support policy documentation and package metadata without runtime behavior changes. For detailed rule purpose, evidence, limits, and false-positive notes, see `docs/RULES.md`. 
@@ -204,7 +204,7 @@ A clean report means only that the implemented checks did not find a supported i ## Installation -`v0.2.2` is published as a GitHub Release and PyPI package. +`v0.2.3` is published as a GitHub Release and PyPI package. The published package can be installed from PyPI. Release publication uses PyPI Trusted Publishing from the GitHub Release workflow. @@ -216,10 +216,10 @@ Requirements for using a published CLI release: - a Python virtual environment; - a published PyPI release of `agent-rules-kit`. -Install `v0.2.2` in a virtual environment: +Install `v0.2.3` in a virtual environment: python -m venv .venv - .venv/bin/python -m pip install agent-rules-kit==0.2.2 + .venv/bin/python -m pip install agent-rules-kit==0.2.3 .venv/bin/agent-rules-kit --version .venv/bin/agent-rules-kit check /path/to/repository --format console @@ -249,7 +249,7 @@ The source tree can also be used directly for quick CLI inspection: ## Release and PyPI Publishing -The `v0.2.2` release was published through PyPI Trusted Publishing. +The `v0.2.3` release was published through PyPI Trusted Publishing. Release publishing is handled by: @@ -267,11 +267,11 @@ The workflow is intentionally limited: - it grants `id-token: write` only to the publish job; - it does not use a static PyPI token, username, or password. -The published `v0.2.2` package must remain verifiable by: +The published `v0.2.3` package must remain verifiable by: - the GitHub Release tag pointing to the verified release SHA; - a successful PyPI publish workflow run; -- a clean virtual environment installing and running `agent-rules-kit==0.2.2` from PyPI. +- a clean virtual environment installing and running `agent-rules-kit==0.2.3` from PyPI. --- 
@@ -465,17 +465,17 @@ The required status check for `main` is: Current status: -- `v0.2.2` is published as a GitHub Release and PyPI package; -- `v0.2.1` remains the previous published GitHub Release and PyPI package baseline; -- `main` may include post-`v0.2.2` documentation or maintenance updates; +- `v0.2.3` is published as a GitHub Release and PyPI package; +- `v0.2.2` remains the previous published GitHub Release and PyPI package baseline; +- `main` may include post-`v0.2.3` documentation or maintenance updates; - no stable support or API guarantee yet; -- release tag `v0.2.2` points to the verified release SHA; +- release tag `v0.2.3` points to the verified release SHA; - local CLI behavior implemented; - governance diagnostics, structured finding evidence, and evidence redaction are implemented; - CI active; - branch protection is active with the required `local-checks / Python 3.12` status check; - the `pypi` GitHub environment exists for the release publishing workflow; -- `.github/workflows/publish-pypi.yml` published `v0.2.2` through PyPI Trusted Publishing and remains the release publishing workflow; +- `.github/workflows/publish-pypi.yml` published `v0.2.3` through PyPI Trusted Publishing and remains the release publishing workflow; - README screenshots are generated from real local CLI commands; - security boundaries documented; - threat model documented. diff --git a/SECURITY.md b/SECURITY.md index 1bda0bc..19aae36 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -6,9 +6,9 @@ It is not a security scanner, provides no security guarantees, and must not be d ## Supported versions -`v0.2.2` is published as a GitHub Release and PyPI package. +`v0.2.3` is published as a GitHub Release and PyPI package. -Current `main` may include post-`v0.2.2` documentation or maintenance updates after the published package. +Current `main` may include post-`v0.2.3` documentation or maintenance updates after the published package. The project is still maintained on a best-effort basis. There is no commercial SLA, no guaranteed response time, and no guarantee that every security-relevant issue will be found or fixed. @@ -18,7 +18,7 @@ The project is still maintained on a best-effort basis. There is no commercial S | 0.1.x | Historical pre-release line / not supported | | < 0.1 | Not supported | -`agent-rules-kit==0.2.2` is published on PyPI. Future PyPI availability claims must be verified per release before updating this policy. +`agent-rules-kit==0.2.3` is published on PyPI. Future PyPI availability claims must be verified per release before updating this policy. ## Security boundaries diff --git a/SUPPORT.md b/SUPPORT.md index 7ff48c9..f2cf177 100644 --- a/SUPPORT.md +++ b/SUPPORT.md 
@@ -1,88 +1,55 @@ # Support Policy -agent-rules-kit has a published `v0.2.0` GitHub Release line and unreleased post-`v0.2.0` fixes on `main`, but no stable support or API guarantee yet. +`agent-rules-kit` is a small open source project maintained on a best-effort basis. -There is no guaranteed support response time. +There is no commercial SLA, no guaranteed response time, no production-readiness guarantee, and no stable API guarantee yet. -## Current status +## Current published line -This project is maintained on a best-effort basis. +`v0.2.3` is the current published GitHub Release and PyPI package line. -At this stage: +`v0.2.2` remains the previous published GitHub Release and PyPI package baseline. -- `v0.2.0` is the current published GitHub Release line; -- `main` contains unreleased post-`v0.2.0` fixes intended for a future patch release; -- no stable support or API guarantee exists; -- no commercial SLA exists; -- no support response time is promised; -- no production readiness is claimed; -- no security guarantees are provided; -- PyPI publication is not claimed. +Current `main` may include post-`v0.2.3` documentation or maintenance updates after the published package. -## What this project is +## Package availability -agent-rules-kit is a local Python CLI for diagnosing baseline quality of AI agent instruction files in repositories. +The package is published on PyPI as: -It is intended to help detect missing, weak, duplicated, or risky instruction patterns. + agent-rules-kit==0.2.3 -## What this project is not +Future PyPI availability claims must be verified per release before updating this policy. -agent-rules-kit is not: +## What support means -- a security scanner; -- a dependency vulnerability scanner; -- a CI/CD security auditor; -- a universal AI agent framework; -- a tool that executes commands from analyzed repositories; -- a guarantee that a repository is safe. 
+Best-effort support may include: -## Before opening an issue +- clarifying documented behavior; +- reviewing reproducible bug reports; +- correcting stale documentation; +- considering small fixes that preserve the project safety boundary. -Before reporting a problem, check: +Best-effort support does not include: -- README.md for project purpose and limits; -- AGENTS.md for workflow and AI assistant rules; -- SECURITY.md for security boundaries and reporting limits; -- CONTRIBUTING.md for contribution rules; -- CHANGELOG.md for release history and unreleased changes. +- guaranteed fixes; +- private consulting through GitHub issues; +- production incident response; +- security guarantees; +- dependency vulnerability scanning; +- support for behavior outside the documented scope. -## Good support requests +## Security and vulnerability handling -Good requests include: +Private vulnerability reporting is currently disabled for this repository. -- clear description of the problem; -- expected behavior; -- actual behavior; -- reproduction steps; -- relevant command output; -- operating system and Python version; -- whether the issue affects correctness, safety, documentation, or usability. +Do not claim GitHub Security Advisories or private vulnerability reporting are enabled unless that setting has been explicitly verified. -## Unsupported requests +Security-relevant reports should avoid posting real secrets, tokens, credentials, private URLs, customer data, or exploit material. -The following requests are out of scope unless a maintainer explicitly approves a design change first: +See `SECURITY.md` for the project security boundary and supported-version policy. -- adding network behavior; -- adding LLM runtime behavior; -- executing commands from analyzed repositories; -- claiming the tool makes repositories secure; -- bypassing checks; -- hiding known failures; -- adding secrets or private data to examples; -- making broad rewrites without a narrow reviewable plan. 
+## Project boundaries -## Security reports +`agent-rules-kit` is local-first, read-only by default, and does not call an LLM, access the network at runtime, or execute commands from analyzed repositories. -Security-sensitive reports should follow SECURITY.md. - -Private vulnerability reporting is currently verified as disabled. Do not claim that private vulnerability reporting is enabled. - -If a sensitive issue cannot be reported privately through GitHub, do not publish secrets, exploit details, private URLs, customer data, or sensitive repository contents. Open only a minimal public issue requesting a private contact path. - -For non-sensitive security boundary issues, open a GitHub issue with a minimal reproduction. - -## Maintainer note - -Support must remain aligned with the project boundaries. - -A request should not be accepted just because it is useful. It should be accepted only if it keeps the project local-first, auditable, testable, maintainable, and honest about its limits. +It is not a security product, not a general repository auditor, not a secret scanner, not an autonomous fixer, and not a replacement for maintainer review. diff --git a/pyproject.toml b/pyproject.toml index 3155f71..9c088d0 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "hatchling.build" [project] name = "agent-rules-kit" -version = "0.2.2" +version = "0.2.3" description = "Local read-only CLI to diagnose AGENTS.md, Claude Code, Gemini CLI, Cursor and Copilot instruction files." readme = "README.md" requires-python = ">=3.12" 
@@ -32,7 +32,7 @@ Repository = "https://github.com/CoderDeltaLAN/agent-rules-kit" Issues = "https://github.com/CoderDeltaLAN/agent-rules-kit/issues" Changelog = "https://github.com/CoderDeltaLAN/agent-rules-kit/blob/main/CHANGELOG.md" Security = "https://github.com/CoderDeltaLAN/agent-rules-kit/security/policy" -Release = "https://github.com/CoderDeltaLAN/agent-rules-kit/releases/tag/v0.2.2" +Release = "https://github.com/CoderDeltaLAN/agent-rules-kit/releases/tag/v0.2.3" [project.scripts] agent-rules-kit = "agent_rules_kit.cli:main" diff --git a/src/agent_rules_kit/__init__.py b/src/agent_rules_kit/__init__.py index 4e7a49e..0fe41a5 100644 --- a/src/agent_rules_kit/__init__.py +++ b/src/agent_rules_kit/__init__.py @@ -1,3 +1,3 @@ """agent-rules-kit package.""" -__version__ = "0.2.2" +__version__ = "0.2.3"
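Review bot: in the CHANGELOG.md hunk, the `[0.2.3]` `### Changed` list names package metadata, README.md, SECURITY.md, and CHANGELOG.md but omits `src/agent_rules_kit/__init__.py`, whose `__version__` string is also bumped in this patch, and it describes SUPPORT.md as "synced" although the SUPPORT.md hunk removes whole sections (the pre-issue checklist, the good-request list, the unsupported-request list, and the maintainer note). Suggest listing `__init__.py` alongside the package metadata and stating the rewrite plainly, e.g. `- Rewrote SUPPORT.md around best-effort scope and removed the issue-triage and unsupported-request lists.`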
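Review bot: the README.md hunks state `v0.2.3` as already published ("`v0.2.3` is published as a GitHub Release and PyPI package", "The `v0.2.3` release was published through PyPI Trusted Publishing", "`.github/workflows/publish-pypi.yml` published `v0.2.3` through PyPI Trusted Publishing") in the same change that bumps the version, i.e. before the `v0.2.3` tag, GitHub Release, and publish workflow run can exist. The README's own verifiability list in the `@@ -267,11 +267,11 @@` hunk requires the tag pointing to the verified release SHA, a successful PyPI publish workflow run, and a clean virtual environment installing `agent-rules-kit==0.2.3`; suggest merging this only as the commit that gets tagged `v0.2.3` and confirming those three items right after the workflow run, or wording the statements conditionally until the run has succeeded.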
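Review bot: in the SECURITY.md `@@ -18,7 +18,7 @@` hunk, the line "`agent-rules-kit==0.2.3` is published on PyPI." is updated while the same line keeps the rule "Future PyPI availability claims must be verified per release before updating this policy", so the PR should record that verification (the publish workflow run and a clean install) before merge, otherwise the policy contradicts its own text at merge time. The visible supported-versions rows (`0.1.x`, `< 0.1`) are unchanged context; please check whether any row above them, outside this hunk, names a specific `v0.2.x` version and needs the same update.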
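Review bot: the SUPPORT.md rewrite drops the fallback path for sensitive reports ("If a sensitive issue cannot be reported privately through GitHub, do not publish secrets, exploit details, private URLs, customer data, or sensitive repository contents. Open only a minimal public issue requesting a private contact path.") while keeping the statement that private vulnerability reporting is disabled, so a reporter reading the new file is told what not to post but not how to proceed. Suggest keeping that sentence under `## Security and vulnerability handling`. The rewrite also removes the "Good support requests" checklist (expected and actual behavior, reproduction steps, command output, operating system and Python version) even though "reviewing reproducible bug reports" stays listed as a support activity; a short list of what a reproducible report should include would keep the new section actionable.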
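Review bot: the pyproject.toml and `src/agent_rules_kit/__init__.py` hunks bump the version in two places by hand (`version = "0.2.3"` and `__version__ = "0.2.3"`), which is exactly the kind of drift a docs-only patch can introduce. Since the build backend is `hatchling.build`, consider declaring `dynamic = ["version"]` under `[project]` and setting `[tool.hatch.version] path = "src/agent_rules_kit/__init__.py"` so there is a single source of truth. Also note that the updated `Release = ".../releases/tag/v0.2.3"` URL resolves only once the tag is pushed, so it belongs to the same release commit as the tag.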