docs: add v0.3.0 post-release audit

CHANGELOG.md

@@ -6,7 +6,9 @@ This project has a published GitHub Release line, but no stable support or API g
 
 ## [Unreleased]
 
-No unreleased changes.
+### Added
+
+- Documented the v0.3.0 post-release audit findings and v0.3.1 maintenance hardening target.
 
 ## [0.3.0] - 2026-06-19
 

docs/V0.3.0-POST-RELEASE-AUDIT.md

@@ -0,0 +1,88 @@
+# v0.3.0 Post-Release Audit
+
+Status: post-release audit record.
+Release: v0.3.0.
+Main SHA: c3c7b3eb8cf8b5164c90d2d940f861ce64390d31.
+GitHub Release: v0.3.0.
+PyPI package: agent-rules-kit==0.3.0.
+
+## Scope
+
+This document records the post-release findings for the published v0.3.0 release.
+
+It does not change runtime behavior, release artifacts, tags, GitHub Release state, PyPI publication, CI configuration, branch protection, or security settings.
+
+## Verified release state
+
+The v0.3.0 release was closed after:
+
+- PR #90 was squash-merged into main;
+- main was synchronized with origin/main;
+- tag v0.3.0 pointed to the final main SHA;
+- GitHub Release v0.3.0 existed with wheel, sdist, and SHA256SUMS assets;
+- PyPI exposed agent-rules-kit==0.3.0;
+- a clean PyPI install smoke succeeded;
+- the release branch was removed locally and remotely;
+- the final repository checkpoint was clean.
+
+## Non-blocking findings
+
+### P1 — README layout drift
+
+The README repository layout lists:
+
+- src/agent_rules_kit/doctor.py
+
+The file does not exist in v0.3.0. The doctor command is implemented in src/agent_rules_kit/cli.py.
+
+Decision: fix the README layout in the v0.3.1 maintenance cycle. Do not refactor doctor into a separate module unless a later phase explicitly decides that the command has grown enough to justify it.
+
+### P1 — Threat model review drift
+
+docs/THREAT-MODEL.md still says it was reviewed for the published v0.2.0 release line and post-v0.2.0 main state.
+
+v0.3.0 added the public doctor, budget, and explain command surface. These commands remain local and read-only, but the threat model should explicitly say it was reviewed for v0.3.0 and should mention the v0.3.0 command surface.
+
+Decision: update the threat model in the v0.3.1 maintenance cycle before adding new product features.
+
+### P2 — CI compatibility coverage
+
+CI currently verifies Python 3.12. The package metadata declares Python >=3.12.
+
+Decision: add a non-disruptive compatibility job in a later phase without breaking the current required check name.
+
+### P2 — Release audit automation
+
+The v0.3.0 release was verified manually through multiple read-only gates. The process worked, but manual command chains created avoidable operational noise.
+
+Decision: add a read-only post-release audit script before the next release.
+
+### P2 — Security and supply-chain evaluation
+
+Potential hardening areas include CodeQL, private vulnerability reporting, OpenSSF Scorecard, Dependabot, and a GitHub Actions pinning policy.
+
+Decision: evaluate these areas in separate phases. Do not enable noisy or sensitive features blindly.
+
+### P2 — Product integration surface
+
+doctor and budget are console-only in v0.3.0.
+
+Decision: keep v0.3.1 focused on maintenance hardening. Plan JSON output for doctor and budget in a later feature release.
+
+## v0.3.1 maintenance target
+
+The next patch release should focus on maintenance hardening:
+
+- record this post-release audit;
+- sync README layout with the real source tree;
+- review the threat model for v0.3.0;
+- add a read-only post-release audit script;
+- improve packaging metadata if needed;
+- add safe Python compatibility coverage;
+- evaluate security and supply-chain improvements without enabling risky settings blindly.
+
+## Decision
+
+v0.3.0 remains published and should not be modified.
+
+The next development cycle should start with v0.3.1 maintenance hardening before any v0.4.0 product features.