release: prepare v0.2.3 support docs-only patch

CHANGELOG.md

@@ -8,6 +8,20 @@ This project has a published GitHub Release line, but no stable support or API g
 
 No unreleased changes.
 
+## [0.2.3] - 2026-06-18
+
+### Changed
+
+- Released a documentation-only patch for the public `v0.2.3` GitHub Release and PyPI package line.
+- Synced SUPPORT.md with the current `v0.2.3` GitHub Release and PyPI package state.
+- Updated package metadata, README.md, SECURITY.md, and CHANGELOG.md release references from `v0.2.2` to `v0.2.3` without changing runtime behavior.
+- Preserved the existing runtime behavior, governance diagnostics, CI workflow, PyPI Trusted Publishing workflow, and previous release tags.
+
+### Release notes
+
+- No runtime code or behavior changes are included in this patch release.
+- The existing `v0.2.2` tag was not moved; `v0.2.3` is cut as a new docs-only patch release.
+
 ## [0.2.2] - 2026-06-18
 
 ### Changed

README.md

@@ -135,7 +135,7 @@ The default behavior is read-only.
 
 ## What This Project Does
 
-`v0.2.2` is published as a GitHub Release and PyPI package for `agent-rules-kit`. Current `main` reflects that published state and may include later documentation or maintenance updates.
+`v0.2.3` is published as a GitHub Release and PyPI package for `agent-rules-kit`. Current `main` reflects that published state and may include later documentation or maintenance updates.
 
 The implemented behavior includes:
 
@@ -150,7 +150,7 @@ The implemented behavior includes:
 - avoids LLM calls;
 - avoids executing commands from analyzed repositories.
 
-Governance diagnostics were introduced in `v0.2.0` and hardened through the published `v0.2.1` release. `v0.2.2` is a documentation-only public-truth patch.
+Governance diagnostics were introduced in `v0.2.0` and hardened through the published `v0.2.1` release. `v0.2.2` and `v0.2.3` are documentation-only public-truth patches.
 
 These diagnostics are heuristic findings for instruction-file governance. They are meant to flag review-worthy instruction patterns, not to prove that a repository is safe.
 
@@ -173,7 +173,7 @@ Current `main` evaluates the following governance finding rules, in stable evalu
 
 Governance findings are intentionally conservative and pattern-based. They may produce false positives or false negatives, and they are not a substitute for maintainer review.
 
-The `v0.2.0` GitHub Release introduced this governance rule set. The published `v0.2.1` release includes subsequent governance hardening and coverage expansion without moving the `v0.2.0` tag. The published `v0.2.2` release syncs public release, PyPI, and security documentation without runtime behavior changes.
+The `v0.2.0` GitHub Release introduced this governance rule set. The published `v0.2.1` release includes subsequent governance hardening and coverage expansion without moving the `v0.2.0` tag. The published `v0.2.2` release syncs public release, PyPI, and security documentation without runtime behavior changes. The published `v0.2.3` release syncs support policy documentation and package metadata without runtime behavior changes.
 
 For detailed rule purpose, evidence, limits, and false-positive notes, see `docs/RULES.md`.
 
@@ -204,7 +204,7 @@ A clean report means only that the implemented checks did not find a supported i
 
 ## Installation
 
-`v0.2.2` is published as a GitHub Release and PyPI package.
+`v0.2.3` is published as a GitHub Release and PyPI package.
 
 The published package can be installed from PyPI. Release publication uses PyPI Trusted Publishing from the GitHub Release workflow.
 
@@ -216,10 +216,10 @@ Requirements for using a published CLI release:
 - a Python virtual environment;
 - a published PyPI release of `agent-rules-kit`.
 
-Install `v0.2.2` in a virtual environment:
+Install `v0.2.3` in a virtual environment:
 
     python -m venv .venv
-    .venv/bin/python -m pip install agent-rules-kit==0.2.2
+    .venv/bin/python -m pip install agent-rules-kit==0.2.3
     .venv/bin/agent-rules-kit --version
     .venv/bin/agent-rules-kit check /path/to/repository --format console
 
@@ -249,7 +249,7 @@ The source tree can also be used directly for quick CLI inspection:
 
 ## Release and PyPI Publishing
 
-The `v0.2.2` release was published through PyPI Trusted Publishing.
+The `v0.2.3` release was published through PyPI Trusted Publishing.
 
 Release publishing is handled by:
 
@@ -267,11 +267,11 @@ The workflow is intentionally limited:
 - it grants `id-token: write` only to the publish job;
 - it does not use a static PyPI token, username, or password.
 
-The published `v0.2.2` package must remain verifiable by:
+The published `v0.2.3` package must remain verifiable by:
 
 - the GitHub Release tag pointing to the verified release SHA;
 - a successful PyPI publish workflow run;
-- a clean virtual environment installing and running `agent-rules-kit==0.2.2` from PyPI.
+- a clean virtual environment installing and running `agent-rules-kit==0.2.3` from PyPI.
 
 ---
 
@@ -465,17 +465,17 @@ The required status check for `main` is:
 
 Current status:
 
-- `v0.2.2` is published as a GitHub Release and PyPI package;
-- `v0.2.1` remains the previous published GitHub Release and PyPI package baseline;
-- `main` may include post-`v0.2.2` documentation or maintenance updates;
+- `v0.2.3` is published as a GitHub Release and PyPI package;
+- `v0.2.2` remains the previous published GitHub Release and PyPI package baseline;
+- `main` may include post-`v0.2.3` documentation or maintenance updates;
 - no stable support or API guarantee yet;
-- release tag `v0.2.2` points to the verified release SHA;
+- release tag `v0.2.3` points to the verified release SHA;
 - local CLI behavior implemented;
 - governance diagnostics, structured finding evidence, and evidence redaction are implemented;
 - CI active;
 - branch protection is active with the required `local-checks / Python 3.12` status check;
 - the `pypi` GitHub environment exists for the release publishing workflow;
-- `.github/workflows/publish-pypi.yml` published `v0.2.2` through PyPI Trusted Publishing and remains the release publishing workflow;
+- `.github/workflows/publish-pypi.yml` published `v0.2.3` through PyPI Trusted Publishing and remains the release publishing workflow;
 - README screenshots are generated from real local CLI commands;
 - security boundaries documented;
 - threat model documented.

SECURITY.md

@@ -6,9 +6,9 @@ It is not a security scanner, provides no security guarantees, and must not be d
 
 ## Supported versions
 
-`v0.2.2` is published as a GitHub Release and PyPI package.
+`v0.2.3` is published as a GitHub Release and PyPI package.
 
-Current `main` may include post-`v0.2.2` documentation or maintenance updates after the published package.
+Current `main` may include post-`v0.2.3` documentation or maintenance updates after the published package.
 
 The project is still maintained on a best-effort basis. There is no commercial SLA, no guaranteed response time, and no guarantee that every security-relevant issue will be found or fixed.
 
@@ -18,7 +18,7 @@ The project is still maintained on a best-effort basis. There is no commercial S
 | 0.1.x | Historical pre-release line / not supported |
 | < 0.1 | Not supported |
 
-`agent-rules-kit==0.2.2` is published on PyPI. Future PyPI availability claims must be verified per release before updating this policy.
+`agent-rules-kit==0.2.3` is published on PyPI. Future PyPI availability claims must be verified per release before updating this policy.
 
 ## Security boundaries
 

SUPPORT.md

@@ -1,88 +1,55 @@
 # Support Policy
 
-agent-rules-kit has a published `v0.2.0` GitHub Release line and unreleased post-`v0.2.0` fixes on `main`, but no stable support or API guarantee yet.
+`agent-rules-kit` is a small open source project maintained on a best-effort basis.
 
-There is no guaranteed support response time.
+There is no commercial SLA, no guaranteed response time, no production-readiness guarantee, and no stable API guarantee yet.
 
-## Current status
+## Current published line
 
-This project is maintained on a best-effort basis.
+`v0.2.3` is the current published GitHub Release and PyPI package line.
 
-At this stage:
+`v0.2.2` remains the previous published GitHub Release and PyPI package baseline.
 
-- `v0.2.0` is the current published GitHub Release line;
-- `main` contains unreleased post-`v0.2.0` fixes intended for a future patch release;
-- no stable support or API guarantee exists;
-- no commercial SLA exists;
-- no support response time is promised;
-- no production readiness is claimed;
-- no security guarantees are provided;
-- PyPI publication is not claimed.
+Current `main` may include post-`v0.2.3` documentation or maintenance updates after the published package.
 
-## What this project is
+## Package availability
 
-agent-rules-kit is a local Python CLI for diagnosing baseline quality of AI agent instruction files in repositories.
+The package is published on PyPI as:
 
-It is intended to help detect missing, weak, duplicated, or risky instruction patterns.
+    agent-rules-kit==0.2.3
 
-## What this project is not
+Future PyPI availability claims must be verified per release before updating this policy.
 
-agent-rules-kit is not:
+## What support means
 
-- a security scanner;
-- a dependency vulnerability scanner;
-- a CI/CD security auditor;
-- a universal AI agent framework;
-- a tool that executes commands from analyzed repositories;
-- a guarantee that a repository is safe.
+Best-effort support may include:
 
-## Before opening an issue
+- clarifying documented behavior;
+- reviewing reproducible bug reports;
+- correcting stale documentation;
+- considering small fixes that preserve the project safety boundary.
 
-Before reporting a problem, check:
+Best-effort support does not include:
 
-- README.md for project purpose and limits;
-- AGENTS.md for workflow and AI assistant rules;
-- SECURITY.md for security boundaries and reporting limits;
-- CONTRIBUTING.md for contribution rules;
-- CHANGELOG.md for release history and unreleased changes.
+- guaranteed fixes;
+- private consulting through GitHub issues;
+- production incident response;
+- security guarantees;
+- dependency vulnerability scanning;
+- support for behavior outside the documented scope.
 
-## Good support requests
+## Security and vulnerability handling
 
-Good requests include:
+Private vulnerability reporting is currently disabled for this repository.
 
-- clear description of the problem;
-- expected behavior;
-- actual behavior;
-- reproduction steps;
-- relevant command output;
-- operating system and Python version;
-- whether the issue affects correctness, safety, documentation, or usability.
+Do not claim GitHub Security Advisories or private vulnerability reporting are enabled unless that setting has been explicitly verified.
 
-## Unsupported requests
+Security-relevant reports should avoid posting real secrets, tokens, credentials, private URLs, customer data, or exploit material.
 
-The following requests are out of scope unless a maintainer explicitly approves a design change first:
+See `SECURITY.md` for the project security boundary and supported-version policy.
 
-- adding network behavior;
-- adding LLM runtime behavior;
-- executing commands from analyzed repositories;
-- claiming the tool makes repositories secure;
-- bypassing checks;
-- hiding known failures;
-- adding secrets or private data to examples;
-- making broad rewrites without a narrow reviewable plan.
+## Project boundaries
 
-## Security reports
+`agent-rules-kit` is local-first, read-only by default, and does not call an LLM, access the network at runtime, or execute commands from analyzed repositories.
 
-Security-sensitive reports should follow SECURITY.md.
-
-Private vulnerability reporting is currently verified as disabled. Do not claim that private vulnerability reporting is enabled.
-
-If a sensitive issue cannot be reported privately through GitHub, do not publish secrets, exploit details, private URLs, customer data, or sensitive repository contents. Open only a minimal public issue requesting a private contact path.
-
-For non-sensitive security boundary issues, open a GitHub issue with a minimal reproduction.
-
-## Maintainer note
-
-Support must remain aligned with the project boundaries.
-
-A request should not be accepted just because it is useful. It should be accepted only if it keeps the project local-first, auditable, testable, maintainable, and honest about its limits.
+It is not a security product, not a general repository auditor, not a secret scanner, not an autonomous fixer, and not a replacement for maintainer review.

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "agent-rules-kit"
-version = "0.2.2"
+version = "0.2.3"
 description = "Local read-only CLI to diagnose AGENTS.md, Claude Code, Gemini CLI, Cursor and Copilot instruction files."
 readme = "README.md"
 requires-python = ">=3.12"
@@ -32,7 +32,7 @@ Repository = "https://github.com/CoderDeltaLAN/agent-rules-kit"
 Issues = "https://github.com/CoderDeltaLAN/agent-rules-kit/issues"
 Changelog = "https://github.com/CoderDeltaLAN/agent-rules-kit/blob/main/CHANGELOG.md"
 Security = "https://github.com/CoderDeltaLAN/agent-rules-kit/security/policy"
-Release = "https://github.com/CoderDeltaLAN/agent-rules-kit/releases/tag/v0.2.2"
+Release = "https://github.com/CoderDeltaLAN/agent-rules-kit/releases/tag/v0.2.3"
 
 [project.scripts]
 agent-rules-kit = "agent_rules_kit.cli:main"

src/agent_rules_kit/__init__.py

@@ -1,3 +1,3 @@
 """agent-rules-kit package."""
 
-__version__ = "0.2.2"
+__version__ = "0.2.3"