diff --git a/CHANGELOG.md b/CHANGELOG.md index 0dddb1c..ab8fb77 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,9 @@ This project has a published GitHub Release line, but no stable support or API g ## [Unreleased] -No unreleased changes. +### Added + +- Documented the v0.3.0 post-release audit findings and v0.3.1 maintenance hardening target. ## [0.3.0] - 2026-06-19 diff --git a/docs/V0.3.0-POST-RELEASE-AUDIT.md b/docs/V0.3.0-POST-RELEASE-AUDIT.md new file mode 100644 index 0000000..7b9cf25 --- /dev/null +++ b/docs/V0.3.0-POST-RELEASE-AUDIT.md @@ -0,0 +1,88 @@ +# v0.3.0 Post-Release Audit + +Status: post-release audit record. +Release: v0.3.0. +Main SHA: c3c7b3eb8cf8b5164c90d2d940f861ce64390d31. +GitHub Release: v0.3.0. +PyPI package: agent-rules-kit==0.3.0. + +## Scope + +This document records the post-release findings for the published v0.3.0 release. + +It does not change runtime behavior, release artifacts, tags, GitHub Release state, PyPI publication, CI configuration, branch protection, or security settings. + +## Verified release state + +The v0.3.0 release was closed after: + +- PR #90 was squash-merged into main; +- main was synchronized with origin/main; +- tag v0.3.0 pointed to the final main SHA; +- GitHub Release v0.3.0 existed with wheel, sdist, and SHA256SUMS assets; +- PyPI exposed agent-rules-kit==0.3.0; +- a clean PyPI install smoke succeeded; +- the release branch was removed locally and remotely; +- the final repository checkpoint was clean. + +## Non-blocking findings + +### P1 — README layout drift + +The README repository layout lists: + +- src/agent_rules_kit/doctor.py + +The file does not exist in v0.3.0. The doctor command is implemented in src/agent_rules_kit/cli.py. + +Decision: fix the README layout in the v0.3.1 maintenance cycle. Do not refactor doctor into a separate module unless a later phase explicitly decides that the command has grown enough to justify it. + +### P1 — Threat model review drift + +docs/THREAT-MODEL.md still says it was reviewed for the published v0.2.0 release line and post-v0.2.0 main state. + +v0.3.0 added the public doctor, budget, and explain command surface. These commands remain local and read-only, but the threat model should explicitly say it was reviewed for v0.3.0 and should mention the v0.3.0 command surface. + +Decision: update the threat model in the v0.3.1 maintenance cycle before adding new product features. + +### P2 — CI compatibility coverage + +CI currently verifies Python 3.12. The package metadata declares Python >=3.12. + +Decision: add a non-disruptive compatibility job in a later phase without breaking the current required check name. + +### P2 — Release audit automation + +The v0.3.0 release was verified manually through multiple read-only gates. The process worked, but manual command chains created avoidable operational noise. + +Decision: add a read-only post-release audit script before the next release. + +### P2 — Security and supply-chain evaluation + +Potential hardening areas include CodeQL, private vulnerability reporting, OpenSSF Scorecard, Dependabot, and a GitHub Actions pinning policy. + +Decision: evaluate these areas in separate phases. Do not enable noisy or sensitive features blindly. + +### P2 — Product integration surface + +doctor and budget are console-only in v0.3.0. + +Decision: keep v0.3.1 focused on maintenance hardening. Plan JSON output for doctor and budget in a later feature release. + +## v0.3.1 maintenance target + +The next patch release should focus on maintenance hardening: + +- record this post-release audit; +- sync README layout with the real source tree; +- review the threat model for v0.3.0; +- add a read-only post-release audit script; +- improve packaging metadata if needed; +- add safe Python compatibility coverage; +- evaluate security and supply-chain improvements without enabling risky settings blindly. + +## Decision + +v0.3.0 remains published and should not be modified. + +The next development cycle should start with v0.3.1 maintenance hardening before any v0.4.0 product features.