diff --git a/.github/scripts/test_v0_3_0_artifact_publication_approval_decision.py b/.github/scripts/test_v0_3_0_artifact_publication_approval_decision.py
new file mode 100644
index 0000000..234f0a1
--- /dev/null
+++ b/.github/scripts/test_v0_3_0_artifact_publication_approval_decision.py
@@ -0,0 +1,207 @@ +#!/usr/bin/env python3 +# +# Copyright 2026 The Ethos maintainers +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# + +from __future__ import annotations + +import re +import unittest +from pathlib import Path + +from makefile_guard import target_block +from validation_record_source import assert_record_source_binding + + +ROOT = Path(__file__).resolve().parents[2] +RECORD = ROOT / ( + "docs/validation/" + "v0-3-0-artifact-publication-approval-decision-validation-2026-07-01.md" +) +REQUEST = ROOT / ( + "docs/validation/" + "v0-3-0-artifact-publication-approval-request-validation-2026-07-01.md" +) +DRAFT_EVIDENCE = ROOT / "docs/validation/v0-3-0-draft-artifact-evidence-validation-2026-07-01.md" +VALIDATION_README = ROOT / "docs/validation/README.md" +EXECUTION_STATUS = ROOT / "docs/execution-status.md" +PUBLIC_RELEASE_CHECKLIST = ROOT / "docs/public-release-checklist.md" +RELEASE_PREP = ROOT / "docs/v0-3-0-release-prep.md" + +SOURCE_SHORT = "a20b42a" +SOURCE_COMMIT = "a20b42a7927052f727fcaaa585a7a050aec02abe" +SOURCE_TREE = "ed4f624ad29a8c8c457b045b2519b5aadb2c4f40" +REQUEST_SOURCE_COMMIT = "d6496e82e613e653edc197db4cf4153271d131dc" +REQUEST_SOURCE_TREE = "2594c63071c512f2c61e78b223a74406440a8516" +ARTIFACT_SOURCE_COMMIT = "7287358475a96e827d536f0d2d250a1c2961ba84" +ARTIFACT_SOURCE_TREE = "84d7908f91f3bb2024acb6bad4c71b6c75d4f357" +RUN_URL = "https://github.com/docushell/ethos/actions/runs/28531102130" +MACOS_SHA256 = "efb163f140bf4afffd1caeb396f79e42f484591c3e90a86810ca6c0f0c209c96" +LINUX_SHA256 = "b549ba5968e04b7679a8d3e879cd45d27f3e9a6fd226eee5c270a4e4f5c01405" + +APPROVED_WORDING = ( + "Ethos v0.3.0 CLI artifacts for macOS arm64 and Linux x64 are requested for GitHub " + "Release evaluation with caller-provided PDFium. Rust crates `ethos-doc-core`, " + "`ethos-verify`, and `ethos-pdf` at `0.3.0`, plus the Python `ethos-pdf` wheel at " + "`0.3.0`, are already live. 
npm alignment/publication, public `0.3.0` install wording, " + "release/package tags, DocuShell integration, hosted surfaces, production positioning, " + "Windows packaged artifacts, bundled project-maintained PDFium builds, `ethos-doc`, " + "`ethos-rag`, public benchmark reports, public benchmark claims, and speed, footprint, " + "parser-quality, table-quality, or production claims remain blocked." +) +FORBIDDEN_SCOPE_EXPANSION = ( + "npm vendor refresh approved", + "npm publication approved", + "package tag creation approved", + "public installation wording approved", + "public install wording approved", + "installable 0.3.0 wording approved", + "docushell integration approved", + "production-ready", + "hosted surfaces approved", + "windows packaged artifacts approved", + "bundled pdfium approved", + "public benchmark claims approved", +) +PRIVATE_PATH_MARKERS = ( + "/" + "Users/", + "/" + "private/tmp", + "/" + "private/var", + "/" + "var/folders", + "saumil" + "diwaker", + "Desktop/" + "Stuff", + "project/repo/" + "ethos", +) + + +def read(path: Path) -> str: + return path.read_text(encoding="utf-8") + + +def normalized(path: Path) -> str: + return re.sub(r"\s+", " ", read(path)) + + +class V030ArtifactPublicationApprovalDecisionTests(unittest.TestCase): + def test_record_is_source_bound(self) -> None: + raw = read(RECORD) + text = normalized(RECORD) + + assert_record_source_binding( + self, + root=ROOT, + raw_record=raw, + normalized_record=text, + validated_head=SOURCE_SHORT, + source_label="v0.3.0 artifact publication approval decision", + source_commit=SOURCE_COMMIT, + source_tree=SOURCE_TREE, + ) + + def test_decision_accepts_exact_release_assets_only(self) -> None: + text = normalized(RECORD) + + for expected in ( + "Decision: accept the exact v0.3.0 artifact publication request.", + "Exact GitHub Release target accepted by this decision: `v0.3.0`", + REQUEST.name, + DRAFT_EVIDENCE.name, + f"Exact request source commit accepted by this decision: 
`{REQUEST_SOURCE_COMMIT}`", + f"Exact request source tree accepted by this decision: `{REQUEST_SOURCE_TREE}`", + f"Exact artifact source commit accepted by this decision: `{ARTIFACT_SOURCE_COMMIT}`", + f"Exact artifact source tree accepted by this decision: `{ARTIFACT_SOURCE_TREE}`", + RUN_URL, + "ethos-macos-arm64.tar.gz", + "ethos-macos-arm64.tar.gz.sha256", + "ethos-macos-arm64.inventory.json", + "ethos-macos-arm64.smoke.json", + "ethos-linux-x64.tar.gz", + "ethos-linux-x64.tar.gz.sha256", + "ethos-linux-x64.inventory.json", + "ethos-linux-x64.smoke.json", + MACOS_SHA256, + LINUX_SHA256, + "Exact CLI smoke accepted by this decision: `ethos 0.3.0`", + "caller-provided PDFium only through `ETHOS_PDFIUM_LIBRARY_PATH`", + ): + self.assertIn(expected, text) + + def test_decision_preserves_bounded_public_wording_and_install_baseline(self) -> None: + record = re.sub(r"\s+", " ", read(RECORD).replace("> ", "")) + + self.assertIn(APPROVED_WORDING, record) + self.assertIn("Any broader public wording requires a separate decider record.", record) + self.assertIn( + "public install baseline remains current published `0.2.0` Rust/Python and `0.2.1` npm", + record, + ) + self.assertIn("README installation examples remain unchanged", record) + + def test_decision_requires_later_operator_upload_and_closeout(self) -> None: + text = normalized(RECORD) + + self.assertIn("This decision does not itself upload artifacts.", text) + self.assertIn("Publication remains an explicit later operator action.", text) + self.assertIn("post-upload closeout evidence", text) + self.assertIn( + "operator may attach only the exact accepted asset names above to GitHub Release target `v0.3.0`", + text, + ) + self.assertIn("The operator must not create or use any other release target.", text) + self.assertIn( + "python3 .github/scripts/test_v0_3_0_artifact_publication_approval_decision.py", + text, + ) + self.assertIn("make v0-3-release-prep PYTHON=python3", text) + + def 
test_retains_unrelated_blockers_and_avoids_scope_expansion(self) -> None: + raw = read(RECORD) + lower = normalized(RECORD).lower() + + for blocker in ( + "`packages/npm/ethos-pdf/vendor/manifest.json` must not be refreshed", + "npm vendor refresh remains blocked", + "npm publication remains blocked", + "Package tag creation remains blocked", + "Public installation wording remains blocked", + "DocuShell integration remains blocked", + "Hosted surfaces remain blocked", + "Production positioning remains blocked", + "Windows packaged artifacts remain blocked", + "Bundled project-maintained PDFium builds remain blocked", + "Public benchmark reports remain blocked", + "Public benchmark claims remain blocked", + "`ethos-doc` remains blocked", + "`ethos-rag` remains blocked", + ): + self.assertIn(blocker, raw) + for phrase in FORBIDDEN_SCOPE_EXPANSION: + self.assertNotIn(phrase, lower) + for private in PRIVATE_PATH_MARKERS: + self.assertNotIn(private, raw) + + def test_record_is_indexed_statused_and_wired_after_request_guard(self) -> None: + readme = normalized(VALIDATION_README) + execution = normalized(EXECUTION_STATUS) + checklist = normalized(PUBLIC_RELEASE_CHECKLIST) + release_prep = normalized(RELEASE_PREP) + block = target_block("v0-3-release-prep") + request_guard = "$(PYTHON) .github/scripts/test_v0_3_0_artifact_publication_approval_request.py" + decision_guard = "$(PYTHON) .github/scripts/test_v0_3_0_artifact_publication_approval_decision.py" + public_surface_guard = "$(PYTHON) .github/scripts/test_public_surface_posture.py" + + for text in (readme, execution, checklist, release_prep): + self.assertIn(RECORD.name, text) + self.assertIn("v0.3.0 artifact publication approval decision", text.lower()) + self.assertIn("GitHub Release artifact upload remains blocked", text) + self.assertIn("operator action and closeout", text) + self.assertIn(decision_guard, block) + self.assertEqual(1, block.count(decision_guard)) + self.assertLess(block.index(request_guard), 
block.index(decision_guard)) + self.assertLess(block.index(decision_guard), block.index(public_surface_guard)) + + +if __name__ == "__main__": + unittest.main() diff --git a/CHANGELOG.md b/CHANGELOG.md index ced9ec0..ce5bc87 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,11 @@ ## Unreleased +- boundary-exception: approve exact v0.3.0 macOS arm64 and Linux x64 GitHub Release CLI artifact + publication for later operator upload while keeping upload, npm vendor refresh, npm publish, + public install wording, package tags, hosted, production, Windows, bundled PDFium, benchmark, + `ethos-doc`, `ethos-rag`, and DocuShell integration blocked pending operator action and + closeout lanes. - boundary-exception: request decider review for exact v0.3.0 macOS arm64 and Linux x64 GitHub Release CLI artifact publication inputs while keeping upload, npm vendor refresh, npm publish, public install wording, release/package tags, hosted, production, Windows, bundled PDFium, diff --git a/Makefile b/Makefile index 274a5c2..361c321 100644 --- a/Makefile +++ b/Makefile @@ -98,6 +98,7 @@ v0-3-release-prep: $(PYTHON) .github/scripts/test_v0_3_0_cli_artifact_evidence_prep.py $(PYTHON) .github/scripts/test_v0_3_0_draft_artifact_evidence.py $(PYTHON) .github/scripts/test_v0_3_0_artifact_publication_approval_request.py + $(PYTHON) .github/scripts/test_v0_3_0_artifact_publication_approval_decision.py $(PYTHON) .github/scripts/test_public_surface_posture.py $(PYTHON) .github/scripts/claims_gate.py $(PYTHON) .github/scripts/public_boundary_claims_gate.py diff --git a/docs/execution-status.md b/docs/execution-status.md index 2d83d71..34e5f1d 100644 --- a/docs/execution-status.md +++ b/docs/execution-status.md 
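Review bot: `test_decision_accepts_exact_release_assets_only` only proves that the decision record repeats the constants hard-coded in this file; `REQUEST` and `DRAFT_EVIDENCE` are used solely for `.name`, so nothing checks that the accepted digests, artifact source commit and run URL are the ones those records actually carry. Assuming both records state the same values, reading them would close that gap: `for source in (normalized(REQUEST), normalized(DRAFT_EVIDENCE)):` followed by `self.assertIn(MACOS_SHA256, source)` and `self.assertIn(LINUX_SHA256, source)`. The digests are also matched anywhere in the whitespace-normalized text, so a record with the two SHA256 values swapped between the macOS and Linux sections would still pass; asserting each digest inside its own asset section would bind the hash to the file. The "only" in the test name is not enforced either, since every check is `assertIn`, and `FORBIDDEN_SCOPE_EXPANSION` is an exact-phrase denylist that differently worded approvals would slip past.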
@@ -2,15 +2,23 @@ Date: 2026-07-01 Owner: product / decider -Status: v0.3.0 Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are live on crates.io, and the Python `ethos-pdf` wheel is live on PyPI. v0.2.0 remains the public CLI artifact baseline with GitHub Release `v0.2.0` macOS arm64/Linux x64 artifacts, and npm remains `@docushell/ethos-pdf@0.2.1`; npm `@docushell/ethos-pdf@0.2.0` is deprecated because it shipped stale CLI binaries that reported `ethos 0.1.2`. Public `0.3.0` install wording, GitHub Release artifact upload, npm publication/alignment, release/package tags, and DocuShell integration remain blocked pending separate evidence, approval, and closeout records. PDFium-backed commands use caller-provided PDFium through `ETHOS_PDFIUM_LIBRARY_PATH`. Hosted surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium builds, public benchmark reports, public benchmark claims, speed, footprint, parser-quality, table-quality, `ethos-doc`, and `ethos-rag` remain blocked. +Status: v0.3.0 Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are live on crates.io, and the Python `ethos-pdf` wheel is live on PyPI. v0.2.0 remains the public CLI artifact baseline with GitHub Release `v0.2.0` macOS arm64/Linux x64 artifacts, and npm remains `@docushell/ethos-pdf@0.2.1`; npm `@docushell/ethos-pdf@0.2.0` is deprecated because it shipped stale CLI binaries that reported `ethos 0.1.2`. Public `0.3.0` install wording, actual GitHub Release artifact upload, npm publication/alignment, package tags, and DocuShell integration remain blocked pending their separate evidence, operator action, and closeout records. The exact GitHub Release target `v0.3.0` is accepted only by the artifact-publication approval decision below. PDFium-backed commands use caller-provided PDFium through `ETHOS_PDFIUM_LIBRARY_PATH`. 
Hosted surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium builds, public benchmark reports, public benchmark claims, speed, footprint, parser-quality, table-quality, `ethos-doc`, and `ethos-rag` remain blocked. + +v0.3.0 artifact publication approval decision is recorded in +`docs/validation/v0-3-0-artifact-publication-approval-decision-validation-2026-07-01.md`. It +accepts the exact macOS arm64 and Linux x64 CLI artifact names, checksums, source binding, +workflow evidence, and bounded wording for later operator attachment to GitHub Release target +`v0.3.0`. GitHub Release artifact upload remains blocked pending operator action and closeout; +npm vendor refresh, npm publication, package tag creation, public install wording, and DocuShell +integration remain blocked. v0.3.0 artifact publication approval request is recorded in `docs/validation/v0-3-0-artifact-publication-approval-request-validation-2026-07-01.md`. It requests decider review for only the exact macOS arm64 and Linux x64 draft CLI artifacts and sidecars from workflow run `28531102130`, bound by the v0.3.0 draft CLI artifact evidence record. -GitHub Release artifact upload remains blocked pending an explicit approval decision, operator -action, and closeout record; npm vendor refresh, npm publication, release/package tag creation, -public install wording, and DocuShell integration remain blocked. +GitHub Release artifact upload remains blocked pending the recorded approval decision's operator +action and closeout record; npm vendor refresh, npm publication, package tag creation, public +install wording, and DocuShell integration remain blocked. v0.3.0 draft CLI artifact evidence is recorded in `docs/validation/v0-3-0-draft-artifact-evidence-validation-2026-07-01.md`. It records green diff --git a/docs/public-release-checklist.md b/docs/public-release-checklist.md index 56306c7..5634466 100644 --- a/docs/public-release-checklist.md 
+++ b/docs/public-release-checklist.md 
@@ -10,19 +10,28 @@ crates.io, and the Python `ethos-pdf` wheel is live on PyPI. v0.2.0 remains the baseline with GitHub Release `v0.2.0` macOS arm64/Linux x64 CLI artifacts, and npm remains `@docushell/ethos-pdf@0.2.1`; npm `@docushell/ethos-pdf@0.2.0` is deprecated because it shipped stale CLI binaries that reported `ethos 0.1.2`. Public `0.3.0` install wording, GitHub Release -artifact upload, npm publication/alignment, release/package tags, and DocuShell integration remain -blocked pending separate evidence, approval, and closeout records. Hosted surfaces, production -positioning, Windows packaged artifacts, bundled project-maintained PDFium builds, public benchmark -reports, public benchmark claims, speed, footprint, parser-quality, table-quality, `ethos-doc`, and -`ethos-rag` remain blocked. +artifact upload, npm publication/alignment, package tags, and DocuShell integration remain blocked +pending their separate evidence, operator action, and closeout records. The exact GitHub Release +target `v0.3.0` is accepted only by the artifact-publication approval decision below. Hosted +surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium +builds, public benchmark reports, public benchmark claims, speed, footprint, parser-quality, +table-quality, `ethos-doc`, and `ethos-rag` remain blocked. + +v0.3.0 artifact publication approval decision is recorded in +`docs/validation/v0-3-0-artifact-publication-approval-decision-validation-2026-07-01.md`. It +accepts the exact macOS arm64 and Linux x64 CLI artifact names, checksums, source binding, +workflow evidence, and bounded wording for later operator attachment to GitHub Release target +`v0.3.0`. GitHub Release artifact upload remains blocked pending operator action and closeout; +npm vendor refresh, npm publication, package tag creation, public install wording, and DocuShell +integration remain blocked. 
v0.3.0 artifact publication approval request is recorded in `docs/validation/v0-3-0-artifact-publication-approval-request-validation-2026-07-01.md`. It requests decider review for only the exact macOS arm64 and Linux x64 draft CLI artifacts and sidecars from workflow run `28531102130`, bound by the v0.3.0 draft CLI artifact evidence record. -GitHub Release artifact upload remains blocked pending an explicit approval decision, operator -action, and closeout record; npm vendor refresh, npm publication, release/package tag creation, -public install wording, and DocuShell integration remain blocked. +GitHub Release artifact upload remains blocked pending the recorded approval decision's operator +action and closeout record; npm vendor refresh, npm publication, package tag creation, public +install wording, and DocuShell integration remain blocked. v0.3.0 draft CLI artifact evidence is recorded in `docs/validation/v0-3-0-draft-artifact-evidence-validation-2026-07-01.md`. It records green diff --git a/docs/v0-3-0-release-prep.md b/docs/v0-3-0-release-prep.md index fb1bacf..5d41b4b 100644 --- a/docs/v0-3-0-release-prep.md +++ b/docs/v0-3-0-release-prep.md 
@@ -90,10 +90,16 @@ The v0.3.0 artifact publication approval request is recorded in the decider to accept or reject only the exact macOS arm64 and Linux x64 draft CLI artifact names, checksums, workflow evidence, and bounded wording. -Draft artifacts remain CI evidence only. GitHub Release artifact upload remains blocked until a -separate approval decision, operator action, and closeout record pass. npm vendor refresh remains -blocked until a separate vendor-refresh evidence and approval lane passes. npm publication, -release/package tag creation, public install wording, and DocuShell integration remain blocked. +The v0.3.0 artifact publication approval decision is recorded in +`docs/validation/v0-3-0-artifact-publication-approval-decision-validation-2026-07-01.md`. It +accepts only the exact macOS arm64 and Linux x64 CLI artifact names, checksums, source binding, +workflow evidence, and bounded wording for later operator attachment to GitHub Release target +`v0.3.0`. + +Draft artifacts remain CI evidence only. GitHub Release artifact upload remains blocked until the +approved operator action and closeout record pass. npm vendor refresh remains blocked until a +separate vendor-refresh evidence and approval lane passes. npm publication, package tag creation, +public install wording, and DocuShell integration remain blocked. The public install wording remains blocked until the relevant registry, artifact, npm, tag, and wording closeout records pass. diff --git a/docs/validation/README.md b/docs/validation/README.md index d5cb2e8..9d1985a 100644 --- a/docs/validation/README.md +++ b/docs/validation/README.md 
@@ -10,12 +10,20 @@ in `docs/public-release-checklist.md`. Records: +v0.3.0 artifact publication approval decision is recorded in +`v0-3-0-artifact-publication-approval-decision-validation-2026-07-01.md`. It accepts the exact +macOS arm64 and Linux x64 CLI artifact names, checksums, source binding, workflow evidence, and +bounded wording for later operator attachment to GitHub Release target `v0.3.0`. GitHub Release +artifact upload remains blocked pending operator action and closeout; npm vendor refresh, npm +publication, package tag creation, public install wording, and DocuShell integration remain +blocked. + v0.3.0 artifact publication approval request is recorded in `v0-3-0-artifact-publication-approval-request-validation-2026-07-01.md`. It requests decider review for only the exact macOS arm64 and Linux x64 draft CLI artifacts and sidecars from workflow run `28531102130`, bound by the v0.3.0 draft CLI artifact evidence record. GitHub Release artifact -upload remains blocked pending an explicit approval decision, operator action, and closeout record; -npm vendor refresh, npm publication, release/package tag creation, public install wording, and +upload remains blocked pending the recorded approval decision's operator action and closeout +record; npm vendor refresh, npm publication, package tag creation, public install wording, and DocuShell integration remain blocked. v0.3.0 draft CLI artifact evidence is recorded in diff --git a/docs/validation/v0-3-0-artifact-publication-approval-decision-validation-2026-07-01.md b/docs/validation/v0-3-0-artifact-publication-approval-decision-validation-2026-07-01.md new file mode 100644 index 0000000..b8750a5 --- /dev/null +++ b/docs/validation/v0-3-0-artifact-publication-approval-decision-validation-2026-07-01.md 
@@ -0,0 +1,186 @@ +# v0.3.0 Artifact Publication Approval Decision Validation - 2026-07-01 + +Validated source HEAD before this record: `a20b42a`. + +v0.3.0 artifact publication approval decision source commit: +`a20b42a7927052f727fcaaa585a7a050aec02abe`. + +v0.3.0 artifact publication approval decision source tree: +`ed4f624ad29a8c8c457b045b2519b5aadb2c4f40`. + +Status: **v0.3.0 artifact publication approval decision recorded; operator upload remains +pending** + +This record accepts the exact v0.3.0 GitHub Release artifact publication request after decider +approval. It approves only later attaching the exact evidenced macOS arm64 and Linux x64 CLI +artifact assets below to GitHub Release target `v0.3.0` for release evaluation. It does not upload +artifacts, refresh npm vendor binaries, publish npm, change public installation wording, change +PDFium posture, approve DocuShell integration, approve hosted surfaces, approve production +positioning, approve Windows packaged artifacts, approve bundled project-maintained PDFium builds, +approve `ethos-doc`, approve `ethos-rag`, approve public benchmark reports or claims, or approve +package tags. + +## Subject + +- Repository: `docushell/ethos` +- Lane: v0.3.0 GitHub Release artifact publication +- Approval owner: `docushell-admin` +- Approval request record: + `docs/validation/v0-3-0-artifact-publication-approval-request-validation-2026-07-01.md` +- Artifact evidence record: + `docs/validation/v0-3-0-draft-artifact-evidence-validation-2026-07-01.md` +- Release workflow run: `https://github.com/docushell/ethos/actions/runs/28531102130` + +## Exact Decision Fields + +- Decision: accept the exact v0.3.0 artifact publication request. +- Approver: `docushell-admin` acting as decider. +- Date: 2026-07-01. +- Exact GitHub Release target accepted by this decision: `v0.3.0`. +- Exact request source commit accepted by this decision: + `d6496e82e613e653edc197db4cf4153271d131dc`. 
+- Exact request source tree accepted by this decision: + `2594c63071c512f2c61e78b223a74406440a8516`. +- Exact artifact source commit accepted by this decision: + `7287358475a96e827d536f0d2d250a1c2961ba84`. +- Exact artifact source tree accepted by this decision: + `84d7908f91f3bb2024acb6bad4c71b6c75d4f357`. +- Exact workflow run accepted by this decision: + `https://github.com/docushell/ethos/actions/runs/28531102130`. +- Exact workflow head SHA accepted by this decision: + `7287358475a96e827d536f0d2d250a1c2961ba84`. + +macOS arm64 assets accepted by this decision: + +- `ethos-macos-arm64.tar.gz` +- `ethos-macos-arm64.tar.gz.sha256` +- `ethos-macos-arm64.inventory.json` +- `ethos-macos-arm64.smoke.json` +- archive SHA256: + +```text +efb163f140bf4afffd1caeb396f79e42f484591c3e90a86810ca6c0f0c209c96 +``` + +Linux x64 assets accepted by this decision: + +- `ethos-linux-x64.tar.gz` +- `ethos-linux-x64.tar.gz.sha256` +- `ethos-linux-x64.inventory.json` +- `ethos-linux-x64.smoke.json` +- archive SHA256: + +```text +b549ba5968e04b7679a8d3e879cd45d27f3e9a6fd226eee5c270a4e4f5c01405 +``` + +Exact CLI smoke accepted by this decision: `ethos 0.3.0` for both accepted platform artifacts. + +Exact PDFium boundary accepted by this decision: caller-provided PDFium only through +`ETHOS_PDFIUM_LIBRARY_PATH`; no bundled or project-maintained PDFium build is approved. + +## Approved Operator Action + +After this decision record is merged and the validation commands below pass on the merged source, +an operator may attach only the exact accepted asset names above to GitHub Release target `v0.3.0`. +If the target does not already exist, the operator may create or use only that exact target for the +accepted assets and bounded wording in this record. The operator must not create or use any other +release target. + +This decision does not itself upload artifacts. Publication remains an explicit later operator +action. 
+ +## Approved Public Wording + +After the exact assets above are attached to GitHub Release target `v0.3.0`, the bounded public +release wording may remain: + +> Ethos v0.3.0 CLI artifacts for macOS arm64 and Linux x64 are requested for GitHub Release +> evaluation with caller-provided PDFium. Rust crates `ethos-doc-core`, `ethos-verify`, and +> `ethos-pdf` at `0.3.0`, plus the Python `ethos-pdf` wheel at `0.3.0`, are already live. npm +> alignment/publication, public `0.3.0` install wording, release/package tags, DocuShell +> integration, hosted surfaces, production positioning, Windows packaged artifacts, bundled +> project-maintained PDFium builds, `ethos-doc`, `ethos-rag`, public benchmark reports, public +> benchmark claims, and speed, footprint, parser-quality, table-quality, or production claims +> remain blocked. + +Any broader public wording requires a separate decider record. The public install baseline remains +current published `0.2.0` Rust/Python and `0.2.1` npm, and README installation examples remain +unchanged. + +## Required Operator Pre-Upload Checks + +Before uploading, the operator must verify the downloaded workflow artifacts: + +```sh +shasum -a 256 ethos-macos-arm64.tar.gz +cat ethos-macos-arm64.tar.gz.sha256 +cat ethos-macos-arm64.inventory.json +cat ethos-macos-arm64.smoke.json +shasum -a 256 ethos-linux-x64.tar.gz +cat ethos-linux-x64.tar.gz.sha256 +cat ethos-linux-x64.inventory.json +cat ethos-linux-x64.smoke.json +python3 .github/scripts/test_v0_3_0_artifact_publication_approval_decision.py +make v0-3-release-prep PYTHON=python3 +git diff --check +``` + +The operator must stop if artifact names, checksums, version output, inventory publication status, +PDFium posture, license and NOTICE inclusion, public install baseline, or approved public wording +differ from this decision record. 
+ +## Retained Blockers + +- `packages/npm/ethos-pdf/vendor/manifest.json` must not be refreshed until after the approved + GitHub Release assets are attached and publication closeout evidence is recorded. +- npm vendor refresh remains blocked. +- npm publication remains blocked. +- Package tag creation remains blocked. +- Public installation wording remains blocked. +- DocuShell integration remains blocked. +- Hosted surfaces remain blocked. +- Production positioning remains blocked. +- Windows packaged artifacts remain blocked. +- Bundled project-maintained PDFium builds remain blocked. +- Public benchmark reports remain blocked. +- Public benchmark claims remain blocked. +- `ethos-doc` remains blocked. +- `ethos-rag` remains blocked. +- PDFium remains caller-provided through `ETHOS_PDFIUM_LIBRARY_PATH`. + +## Evidence Bound To This Decision + +- Decider decision supplied: Approved. +- Exact approval supplied by operator: + `Approve exact v0.3.0 GitHub Release artifact publication request for the listed macOS arm64 + and Linux x64 CLI artifacts, checksums, source binding, workflow evidence, and bounded public + wording.` +- `python3 .github/scripts/test_v0_3_0_artifact_publication_approval_request.py` passed on + merged `main`. +- `python3 .github/scripts/test_v0_3_0_draft_artifact_evidence.py` passed on merged `main`. +- `make v0-3-release-prep PYTHON=python3` passed on merged `main`. + +## Non-Actions + +- This decision record does not upload GitHub Release assets. +- This decision record does not refresh npm vendor binaries. +- This decision record does not publish npm. +- This decision record does not change public installation wording. +- This decision record does not change PDFium posture. +- This decision record does not approve DocuShell integration. +- This decision record does not approve hosted surfaces. +- This decision record does not approve production positioning. +- This decision record does not approve Windows packaged artifacts. 
+- This decision record does not approve bundled project-maintained PDFium builds. +- This decision record does not approve public benchmark reports. +- This decision record does not approve public benchmark claims. +- This decision record does not approve `ethos-doc`. +- This decision record does not approve `ethos-rag`. +- This decision record does not approve package tags. + +## Result + +The exact v0.3.0 GitHub Release artifact publication decision is accepted. Actual asset upload +remains a separate operator action requiring the exact bounded assets approved here, final +pre-upload checks, and post-upload closeout evidence.