diff --git a/.github/scripts/test_v0_3_0_npm_publication_approval_request.py b/.github/scripts/test_v0_3_0_npm_publication_approval_request.py
new file mode 100644
index 0000000..859c20e
--- /dev/null
+++ b/.github/scripts/test_v0_3_0_npm_publication_approval_request.py
@@ -0,0 +1,191 @@
+#!/usr/bin/env python3
+#
+# Copyright 2026 The Ethos maintainers
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+#
+
+from __future__ import annotations
+
+import hashlib
+import json
+import re
+import unittest
+from pathlib import Path
+
+from makefile_guard import target_block
+from validation_record_source import assert_record_source_binding
+
+
+ROOT = Path(__file__).resolve().parents[2]
+PACKAGE_DIR = ROOT / "packages/npm/ethos-pdf"
+PACKAGE_JSON = PACKAGE_DIR / "package.json"
+VENDOR_MANIFEST = PACKAGE_DIR / "vendor/manifest.json"
+RECORD = ROOT / (
+ "docs/validation/v0-3-0-npm-publication-approval-request-validation-2026-07-02.md"
+)
+VENDOR_RECORD = ROOT / "docs/validation/v0-3-0-npm-vendor-refresh-validation-2026-07-02.md"
+ARTIFACT_CLOSEOUT = ROOT / (
+ "docs/validation/v0-3-0-artifact-publication-closeout-validation-2026-07-02.md"
+)
+VALIDATION_README = ROOT / "docs/validation/README.md"
+EXECUTION_STATUS = ROOT / "docs/execution-status.md"
+PUBLIC_RELEASE_CHECKLIST = ROOT / "docs/public-release-checklist.md"
+RELEASE_PREP = ROOT / "docs/v0-3-0-release-prep.md"
+CHANGELOG = ROOT / "CHANGELOG.md"
+MAKEFILE = ROOT / "Makefile"
+
+SOURCE_SHORT = "161645d"
+SOURCE_COMMIT = "161645d7d3b5564cc4fafff411de07631616acca"
+SOURCE_TREE = "3f872c9ff0685bcf6f95e8e05f9530f852b0bd98"
+PACKAGE = "@docushell/ethos-pdf@0.3.0"
+CURRENT_PUBLISHED = "@docushell/ethos-pdf@0.2.1"
+NPM_TARBALL = "docushell-ethos-pdf-0.3.0.tgz"
+NPM_SHASUM = "1a90cebd8d52011ea5c41629becdfb37dec73ee7"
+TARBALL_SHA256 = "1b72ef2fd9415f9edff93319ee2763e8f67cd6168ea00cd64d89a3760101c5fa"
+INTEGRITY = (
+ "sha512-ZWoIY5BO7O8tzN88ICGvRasmOt7/RSN/xWFM2ONT8lavQqIOuCY/bQjvxnuK9vGpNeogh8X4UXHLLSRKqqHVOQ=="
+)
+NODE_VERSION = "v23.11.1"
+NPM_VERSION = "10.9.2"
+MACOS_ARTIFACT_SHA256 = "efb163f140bf4afffd1caeb396f79e42f484591c3e90a86810ca6c0f0c209c96"
+LINUX_ARTIFACT_SHA256 = "b549ba5968e04b7679a8d3e879cd45d27f3e9a6fd226eee5c270a4e4f5c01405"
+EXPECTED_VENDOR_SHA256 = {
+ "vendor/ethos-darwin-arm64": "777e1fb243425a46b83b63ed92fbf7cb810f59cfedd81cfe671cf791410c20dc",
+ "vendor/ethos-linux-x64": "b416993fc38e6f794611b8b71789ed85af18eb6aa63fef380d9ae7738661f154",
+ "vendor/manifest.json": "e313b42e49b258171611935455fd9e70bad7ce61c409df63ab90aaa2732a46af",
+}
+PRIVATE_PATH_MARKERS = (
+ "/" + "Users/",
+ "/" + "private/tmp",
+ "/" + "private/var",
+ "/" + "var/folders",
+ "saumil" + "diwaker",
+ "Desktop/" + "Stuff",
+ "project/repo/" + "ethos",
+)
+FORBIDDEN = (
+ "npm publish is approved",
+ "npm publication approved",
+ "operator publish approved",
+ "package is published",
+ "public installation wording approved",
+ "hosted surfaces approved",
+ "production-ready",
+ "public benchmark claims approved",
+ "windows packaged artifacts approved",
+ "bundled pdfium approved",
+)
+
+
+def sha256(path: Path) -> str:
+ return hashlib.sha256(path.read_bytes()).hexdigest()
+
+
+def read(path: Path) -> str:
+ return path.read_text(encoding="utf-8")
+
+
+def normalized(path: Path) -> str:
+ return re.sub(r"\s+", " ", read(path))
+
+
+class V030NpmPublicationApprovalRequestTests(unittest.TestCase):
+ def test_request_record_is_source_bound(self) -> None:
+ raw = read(RECORD)
+ record = normalized(RECORD)
+
+ assert_record_source_binding(
+ self,
+ root=ROOT,
+ raw_record=raw,
+ normalized_record=record,
+ validated_head=SOURCE_SHORT,
+ source_label="v0.3.0 npm publication approval request",
+ source_commit=SOURCE_COMMIT,
+ source_tree=SOURCE_TREE,
+ )
+
+ def test_checked_in_candidate_matches_exact_request(self) -> None:
+ self.assertEqual("0.3.0", json.loads(read(PACKAGE_JSON))["version"])
+
+ for relative_path, expected in EXPECTED_VENDOR_SHA256.items():
+ self.assertEqual(expected, sha256(PACKAGE_DIR / relative_path))
+
+ manifest = json.loads(read(VENDOR_MANIFEST))
+ self.assertEqual(MACOS_ARTIFACT_SHA256, manifest["targets"]["darwin:arm64"]["release_asset_sha256"])
+ self.assertEqual(LINUX_ARTIFACT_SHA256, manifest["targets"]["linux:x64"]["release_asset_sha256"])
+
+ def test_request_names_exact_candidate_and_boundaries(self) -> None:
+ record = normalized(RECORD)
+ raw = read(RECORD)
+
+ for expected in (
+ PACKAGE,
+ CURRENT_PUBLISHED,
+ NPM_TARBALL,
+ NPM_SHASUM,
+ TARBALL_SHA256,
+ INTEGRITY,
+ f"Node.js: `{NODE_VERSION}`",
+ f"npm: `{NPM_VERSION}`",
+ VENDOR_RECORD.name,
+ ARTIFACT_CLOSEOUT.name,
+ "per-file vendor SHA256 values are the durable cross-toolchain provenance binding",
+ "Publication must use Node.js `v23.11.1` and npm `10.9.2`",
+ "Exact installed CLI smoke accepted for request: `ethos 0.3.0`",
+ "Exact missing-PDFium behavior accepted for request: exit code `12`",
+ "ETHOS_PDFIUM_LIBRARY_PATH",
+ "No `npm publish` command is approved by this request record.",
+ "npm publication remains blocked pending explicit decider approval.",
+ "Actual npm publish remains blocked pending explicit operator action",
+ ):
+ self.assertIn(expected, record)
+
+ for expected in (
+ MACOS_ARTIFACT_SHA256,
+ LINUX_ARTIFACT_SHA256,
+ *EXPECTED_VENDOR_SHA256.values(),
+ ):
+ self.assertIn(expected, record)
+
+ for marker in PRIVATE_PATH_MARKERS:
+ self.assertNotIn(marker, raw)
+ for phrase in FORBIDDEN:
+ self.assertNotIn(phrase, record.lower())
+
+ def test_request_is_indexed_and_wired_into_status_docs(self) -> None:
+ for path in (
+ VALIDATION_README,
+ EXECUTION_STATUS,
+ PUBLIC_RELEASE_CHECKLIST,
+ RELEASE_PREP,
+ ):
+ text = normalized(path)
+ self.assertIn(RECORD.name, text)
+ self.assertIn("v0.3.0 npm publication approval request", text.lower())
+ self.assertIn("npm publish", text)
+ self.assertIn("blocked", text.lower())
+
+ changelog = normalized(CHANGELOG)
+ self.assertIn("request decider review for exact `@docushell/ethos-pdf@0.3.0`", changelog)
+ self.assertIn("npm publication inputs", changelog)
+ self.assertIn("blocked", changelog.lower())
+
+ def test_release_prep_target_runs_request_guard_after_vendor_refresh(self) -> None:
+ block =
target_block("v0-3-release-prep") + vendor_guard = "$(PYTHON) .github/scripts/test_v0_3_0_npm_vendor_refresh.py" + request_guard = ( + "$(PYTHON) .github/scripts/test_v0_3_0_npm_publication_approval_request.py" + ) + public_surface_guard = "$(PYTHON) .github/scripts/test_public_surface_posture.py" + + self.assertIn(vendor_guard, block) + self.assertIn(request_guard, block) + self.assertEqual(1, block.count(request_guard)) + self.assertLess(block.index(vendor_guard), block.index(request_guard)) + self.assertLess(block.index(request_guard), block.index(public_surface_guard)) + + +if __name__ == "__main__": + unittest.main() diff --git a/CHANGELOG.md b/CHANGELOG.md index 9139dd0..c049e3b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,11 @@ ## Unreleased +- boundary-exception: request decider review for exact `@docushell/ethos-pdf@0.3.0` npm + publication inputs while keeping `npm publish`, public install wording, release/package tags, + hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, `ethos-rag`, and + DocuShell integration blocked pending a later approval decision, operator action, registry + smoke, and closeout lanes. - boundary-exception: refresh the `@docushell/ethos-pdf@0.3.0` npm source package candidate from published v0.3.0 GitHub Release CLI artifacts while keeping npm publish, public install wording, package tags, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, `ethos-rag`, diff --git a/Makefile b/Makefile index dc78d00..6eedba7 100644 --- a/Makefile +++ b/Makefile @@ -103,6 +103,7 @@ v0-3-release-prep: $(PYTHON) .github/scripts/test_npm_binary_package_scaffold.py npm test --prefix packages/npm/ethos-pdf $(PYTHON) .github/scripts/test_v0_3_0_npm_vendor_refresh.py + $(PYTHON) .github/scripts/test_v0_3_0_npm_publication_approval_request.py $(PYTHON) .github/scripts/test_public_surface_posture.py $(PYTHON) .github/scripts/claims_gate.py $(PYTHON) .github/scripts/public_boundary_claims_gate.py 
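Review bot: The FORBIDDEN loop in test_request_names_exact_candidate_and_boundaries matches against `record.lower()` with the Markdown backticks still in place, so the phrase "npm publish is approved" cannot match a record that writes the command in backticks, which is how this record writes it in most places. A later edit that put the backticked command in front of "is approved" would pass the guard; strip backticks before matching, for example ``flat = record.lower().replace("`", "")`` followed by `self.assertNotIn(phrase, flat)`. Separately, NPM_SHASUM, TARBALL_SHA256 and INTEGRITY are only asserted to appear in the record text and nothing in this file recomputes them from a packed tarball, so unless test_npm_tarball_candidate_evidence.py already does that, these three values are bound to the document rather than to the artifact.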
diff --git a/docs/execution-status.md b/docs/execution-status.md
index 7e9942e..df95911 100644
--- a/docs/execution-status.md
+++ b/docs/execution-status.md
@@ -2,7 +2,16 @@ Date: 2026-07-02 Owner: product / decider -Status: v0.3.0 Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are live on crates.io, and the Python `ethos-pdf` wheel is live on PyPI. GitHub Release `v0.3.0` now contains closed-out macOS arm64/Linux x64 CLI artifacts for evaluation with caller-provided PDFium. The npm source package candidate is refreshed as `@docushell/ethos-pdf@0.3.0`. v0.2.0 remains the public CLI artifact baseline with GitHub Release `v0.2.0` macOS arm64/Linux x64 artifacts, and npm remains `@docushell/ethos-pdf@0.2.1` for public install wording until a later wording closeout; npm `@docushell/ethos-pdf@0.2.0` is deprecated because it shipped stale CLI binaries that reported `ethos 0.1.2`. Public `0.3.0` install wording, npm publication/alignment, package tags, and DocuShell integration remain blocked pending their separate evidence, operator action, and closeout records. The exact GitHub Release artifact closeout is limited to the approved `v0.3.0` release assets below. PDFium-backed commands use caller-provided PDFium through `ETHOS_PDFIUM_LIBRARY_PATH`. Hosted surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium builds, public benchmark reports, public benchmark claims, speed, footprint, parser-quality, table-quality, `ethos-doc`, and `ethos-rag` remain blocked. +Status: v0.3.0 Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are live on crates.io, and the Python `ethos-pdf` wheel is live on PyPI. GitHub Release `v0.3.0` now contains closed-out macOS arm64/Linux x64 CLI artifacts for evaluation with caller-provided PDFium. The npm source package candidate is refreshed as `@docushell/ethos-pdf@0.3.0`, and the v0.3.0 npm publication approval request is recorded for decider review only. 
v0.2.0 remains the public CLI artifact baseline with GitHub Release `v0.2.0` macOS arm64/Linux x64 artifacts, and npm remains `@docushell/ethos-pdf@0.2.1` for public install wording until a later wording closeout; npm `@docushell/ethos-pdf@0.2.0` is deprecated because it shipped stale CLI binaries that reported `ethos 0.1.2`. Public `0.3.0` install wording, npm publication/alignment, package tags, and DocuShell integration remain blocked pending their separate approval decision, operator action, registry-smoke, tag, wording, and closeout records. The exact GitHub Release artifact closeout is limited to the approved `v0.3.0` release assets below. PDFium-backed commands use caller-provided PDFium through `ETHOS_PDFIUM_LIBRARY_PATH`. Hosted surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium builds, public benchmark reports, public benchmark claims, speed, footprint, parser-quality, table-quality, `ethos-doc`, and `ethos-rag` remain blocked. + +v0.3.0 npm publication approval request is recorded in +`docs/validation/v0-3-0-npm-publication-approval-request-validation-2026-07-02.md`. It requests +decider review for only the exact `@docushell/ethos-pdf@0.3.0` npm candidate, tarball metadata, +vendor payload checksums, supported platforms, installed CLI smoke, and caller-provided PDFium +boundary. It does not approve `npm publish`; npm publication remains blocked pending an explicit +approval decision, operator action with npm credentials, registry smoke, and closeout record. +Public `0.3.0` install wording, package tag creation, release tag creation, and DocuShell +integration remain blocked. v0.3.0 npm vendor refresh is recorded in `docs/validation/v0-3-0-npm-vendor-refresh-validation-2026-07-02.md`. It refreshes the diff --git a/docs/public-release-checklist.md b/docs/public-release-checklist.md index 07a99d3..8609bf8 100644 --- a/docs/public-release-checklist.md +++ b/docs/public-release-checklist.md 
@@ -8,17 +8,28 @@ or launch announcement. It is intentionally stricter than the day-to-day enginee Ethos v0.3.0 Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are live on crates.io, and the Python `ethos-pdf` wheel is live on PyPI. GitHub Release `v0.3.0` now contains closed-out macOS arm64/Linux x64 CLI artifacts for evaluation with caller-provided PDFium. The npm -source package candidate is refreshed as `@docushell/ethos-pdf@0.3.0`. v0.2.0 remains the public +source package candidate is refreshed as `@docushell/ethos-pdf@0.3.0`, and the v0.3.0 npm +publication approval request is recorded for decider review only. v0.2.0 remains the public CLI artifact baseline with GitHub Release `v0.2.0` macOS arm64/Linux x64 artifacts, and npm remains `@docushell/ethos-pdf@0.2.1` for public install wording until a later wording closeout; npm `@docushell/ethos-pdf@0.2.0` is deprecated because it shipped stale CLI binaries that reported `ethos 0.1.2`. Public `0.3.0` install wording, npm publication/alignment, package tags, and -DocuShell integration remain blocked pending their separate evidence, operator action, and closeout -records. The exact GitHub Release artifact closeout is limited to the approved `v0.3.0` release +DocuShell integration remain blocked pending their separate approval decision, operator action, +registry-smoke, tag, wording, and closeout records. The exact GitHub Release artifact closeout is +limited to the approved `v0.3.0` release assets below. Hosted surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium builds, public benchmark reports, public benchmark claims, speed, footprint, parser-quality, table-quality, `ethos-doc`, and `ethos-rag` remain blocked. +v0.3.0 npm publication approval request is recorded in +`docs/validation/v0-3-0-npm-publication-approval-request-validation-2026-07-02.md`. 
It requests +decider review for only the exact `@docushell/ethos-pdf@0.3.0` npm candidate, tarball metadata, +vendor payload checksums, supported platforms, installed CLI smoke, and caller-provided PDFium +boundary. It does not approve `npm publish`; npm publication remains blocked pending an explicit +approval decision, operator action with npm credentials, registry smoke, and closeout record. +Public `0.3.0` install wording, package tag creation, release tag creation, and DocuShell +integration remain blocked. + v0.3.0 npm vendor refresh is recorded in `docs/validation/v0-3-0-npm-vendor-refresh-validation-2026-07-02.md`. It refreshes the `@docushell/ethos-pdf@0.3.0` source package candidate from the published GitHub Release `v0.3.0` diff --git a/docs/v0-3-0-release-prep.md b/docs/v0-3-0-release-prep.md index 3390742..8b64c9f 100644 --- a/docs/v0-3-0-release-prep.md +++ b/docs/v0-3-0-release-prep.md 
@@ -123,6 +123,19 @@ This refresh does not approve `npm publish`. It does not approve public `0.3.0` npm publication, package tag creation, public install wording, and DocuShell integration remain blocked until separate approval, operator, registry-smoke, tag, and wording closeout records pass. +### 3c. Request npm Publication Approval + +The v0.3.0 npm publication approval request is recorded in +`docs/validation/v0-3-0-npm-publication-approval-request-validation-2026-07-02.md`. It asks the +decider to accept or reject only the exact `@docushell/ethos-pdf@0.3.0` npm candidate, tarball +metadata, vendor payload checksums, supported platforms, installed CLI smoke, and caller-provided +PDFium boundary. + +This request does not approve `npm publish`. npm publication remains blocked until a separate +approval decision record passes and an operator publishes with npm credentials. Public `0.3.0` +install wording, package tag creation, release tag creation, and DocuShell integration remain +blocked until separate closeout lanes pass. + ### 4. Gather Package Evidence Before Any Publication Decision Before any public package or artifact decision, record exact evidence for the surfaces that are in diff --git a/docs/validation/README.md b/docs/validation/README.md index 0dc8e4a..c55b221 100644 --- a/docs/validation/README.md +++ b/docs/validation/README.md 
@@ -10,6 +10,14 @@ in `docs/public-release-checklist.md`. Records: +v0.3.0 npm publication approval request is recorded in +`v0-3-0-npm-publication-approval-request-validation-2026-07-02.md`. It requests decider review for +only the exact `@docushell/ethos-pdf@0.3.0` npm candidate, tarball metadata, vendor payload +checksums, supported platforms, installed CLI smoke, and caller-provided PDFium boundary. It does +not approve `npm publish`; npm publication remains blocked pending an explicit approval decision, +operator action with npm credentials, registry smoke, and closeout record. Public `0.3.0` install +wording, package tag creation, release tag creation, and DocuShell integration remain blocked. + v0.3.0 npm vendor refresh is recorded in `v0-3-0-npm-vendor-refresh-validation-2026-07-02.md`. It refreshes the `@docushell/ethos-pdf@0.3.0` source package candidate from the published GitHub Release `v0.3.0` diff --git a/docs/validation/v0-3-0-npm-publication-approval-request-validation-2026-07-02.md b/docs/validation/v0-3-0-npm-publication-approval-request-validation-2026-07-02.md new file mode 100644 index 0000000..b923de9 --- /dev/null +++ b/docs/validation/v0-3-0-npm-publication-approval-request-validation-2026-07-02.md 
@@ -0,0 +1,177 @@
+# v0.3.0 npm Publication Approval Request Validation - 2026-07-02
+
+Validated source HEAD before this record: `161645d`.
+
+v0.3.0 npm publication approval request source commit:
+`161645d7d3b5564cc4fafff411de07631616acca`.
+
+v0.3.0 npm publication approval request source tree:
+`3f872c9ff0685bcf6f95e8e05f9530f852b0bd98`.
+
+Status: **v0.3.0 npm publication approval request packet recorded; npm publish remains blocked**
+
+This record requests decider review for publishing exactly `@docushell/ethos-pdf@0.3.0` to npm
+using the refreshed and locally validated vendor payload evidence. It does not approve or perform
+`npm publish`, change public `0.3.0` installation wording, approve package tags, approve release
+tags, approve hosted surfaces, approve production positioning, approve Windows packaged artifacts,
+approve bundled project-maintained PDFium builds, approve `ethos-doc`, approve `ethos-rag`, or
+approve public benchmark reports or claims.
+
+The current published npm package observed for this request lane remains
+`@docushell/ethos-pdf@0.2.1`.
+
+## Subject
+
+- Repository: `docushell/ethos`
+- Lane: npm publication
+- Package: `@docushell/ethos-pdf`
+- Version: `0.3.0`
+- Candidate evidence record:
+ `docs/validation/v0-3-0-npm-vendor-refresh-validation-2026-07-02.md`
+- GitHub Release artifact closeout record:
+ `docs/validation/v0-3-0-artifact-publication-closeout-validation-2026-07-02.md`
+- Published GitHub Release artifacts used by candidate:
+ - `ethos-macos-arm64.tar.gz`
+ - SHA256: `efb163f140bf4afffd1caeb396f79e42f484591c3e90a86810ca6c0f0c209c96`
+ - `ethos-linux-x64.tar.gz`
+ - SHA256: `b549ba5968e04b7679a8d3e879cd45d27f3e9a6fd226eee5c270a4e4f5c01405`
+
+## Exact Request Fields
+
+- Decision requested: approve exact npm publication preparation inputs for later operator
+ execution.
+- Approver requested: `docushell-admin` acting as decider.
+- Date requested: 2026-07-02.
+- Exact package requested: `@docushell/ethos-pdf@0.3.0`.
+- Exact current published npm baseline observed before request: `@docushell/ethos-pdf@0.2.1`.
+- Exact npm tarball filename requested: `docushell-ethos-pdf-0.3.0.tgz`.
+- Exact npm shasum requested: 1a90cebd8d52011ea5c41629becdfb37dec73ee7.
+- Exact npm tarball SHA256 requested:
+ `1b72ef2fd9415f9edff93319ee2763e8f67cd6168ea00cd64d89a3760101c5fa`.
+- Exact npm integrity requested:
+ `sha512-ZWoIY5BO7O8tzN88ICGvRasmOt7/RSN/xWFM2ONT8lavQqIOuCY/bQjvxnuK9vGpNeogh8X4UXHLLSRKqqHVOQ==`.
+- Exact npm pack toolchain requested for reproducing those tarball hashes:
+ - Node.js: `v23.11.1`
+ - npm: `10.9.2`
+- Exact npm tarball hash interpretation requested: npm shasum, tarball SHA256, and integrity are
+ qualified by Node.js `v23.11.1` and npm `10.9.2`; per-file vendor SHA256 values are the durable
+ cross-toolchain provenance binding.
+- Exact vendor binary payload requested:
+ - `vendor/ethos-darwin-arm64`
+ - SHA256: `777e1fb243425a46b83b63ed92fbf7cb810f59cfedd81cfe671cf791410c20dc`
+ - `vendor/ethos-linux-x64`
+ - SHA256: `b416993fc38e6f794611b8b71789ed85af18eb6aa63fef380d9ae7738661f154`
+ - `vendor/manifest.json`
+ - SHA256: `e313b42e49b258171611935455fd9e70bad7ce61c409df63ab90aaa2732a46af`
+- Exact supported npm platforms requested:
+ - macOS arm64
+ - Linux x64
+- Exact installed CLI smoke accepted for request: `ethos 0.3.0`.
+- Exact missing-PDFium behavior accepted for request: exit code `12` with caller-provided PDFium
+ guidance through `ETHOS_PDFIUM_LIBRARY_PATH`.
+- Exact PDFium boundary requested: caller-provided PDFium only through
+ `ETHOS_PDFIUM_LIBRARY_PATH`; no bundled or project-maintained PDFium build.
+
+## Requested Publication Boundaries
+
+- Only `@docushell/ethos-pdf@0.3.0` is in scope.
+- Publication must use the exact candidate tarball bound above.
+- Publication must use Node.js `v23.11.1` and npm `10.9.2` when reproducing npm pack hashes or
+ running `npm publish`.
+- Publication must not change the package version.
+- Publication must not change public `0.3.0` installation wording.
+- Publication must not create package tags.
+- Publication must not create release tags.
+- Publication must not add Windows packaged artifacts.
+- Publication must not add hosted surfaces.
+- Publication must not add production positioning.
+- Publication must not add public benchmark reports or claims.
+- Publication must not bundle PDFium or claim a project-maintained PDFium build.
+- Publication must not approve `ethos-doc` or `ethos-rag`.
+- Publication must not approve DocuShell integration.
+
+## Required Manual Decider Step
+
+Manual action is required before any publish operation:
+
+1. A decider must accept or reject this exact request packet.
+2. If accepted, a separate approval decision record must bind the exact npm candidate and retained
+ blockers.
+3. Only after that decision record passes may an operator run `npm publish` with npm credentials.
+
+No `npm publish` command is approved by this request record.
+
+## Evidence Bound To This Request
+
+- `python3 .github/scripts/test_v0_3_0_npm_vendor_refresh.py` passed.
+- `python3 .github/scripts/test_npm_tarball_candidate_evidence.py` passed.
+- `python3 .github/scripts/test_npm_binary_package_scaffold.py` passed.
+- `npm test --prefix packages/npm/ethos-pdf` passed.
+- `python3 .github/scripts/test_public_surface_posture.py` passed.
+- `python3 .github/scripts/claims_gate.py` passed.
+- `python3 .github/scripts/public_boundary_claims_gate.py` passed.
+- `make v0-3-release-prep PYTHON=python3` passed on merged `main` after the v0.3.0 npm vendor
+ refresh merge.
+- `npm view @docushell/ethos-pdf version` returned `0.2.1` before this request, confirming that
+ `@docushell/ethos-pdf@0.3.0` was not already live.
+- Provenance chain confirmed: published GitHub Release `v0.3.0` archives are bound by archive
+ SHA256, the extracted npm vendor payload is bound by per-file SHA256, and npm tarball hashes are
+ toolchain-qualified under Node.js `v23.11.1` and npm `10.9.2`.
+
+## Non-Approvals
+
+- This request packet does not approve `npm publish`.
+- This request packet does not publish the npm package.
+- This request packet does not approve public `0.3.0` installation wording changes.
+- This request packet does not approve package tag creation.
+- This request packet does not approve release tag creation.
+- This request packet does not approve DocuShell integration.
+- This request packet does not approve hosted surfaces.
+- This request packet does not approve production positioning.
+- This request packet does not approve public benchmark reports.
+- This request packet does not approve public benchmark claims.
+- This request packet does not approve Windows packaged artifacts.
+- This request packet does not approve bundled project-maintained PDFium builds.
+- This request packet does not approve `ethos-doc`.
+- This request packet does not approve `ethos-rag`.
+
+## Retained Blockers
+
+- npm publication remains blocked pending explicit decider approval.
+- Actual npm publish remains blocked pending explicit operator action with npm credentials.
+- Public `0.3.0` installation wording remains blocked.
+- Registry publication remains blocked.
+- Package tag creation remains blocked.
+- Release tag creation remains blocked.
+- DocuShell integration remains blocked.
+- Hosted surfaces remain blocked.
+- Production positioning remains blocked.
+- Public benchmark reports remain blocked.
+- Public benchmark claims remain blocked.
+- Windows packaged artifacts remain blocked.
+- Bundled project-maintained PDFium builds remain blocked.
+- `ethos-doc` remains blocked.
+- `ethos-rag` remains blocked.
+
+## Commands
+
+```sh
+python3 .github/scripts/test_v0_3_0_npm_publication_approval_request.py
+python3 .github/scripts/test_v0_3_0_npm_vendor_refresh.py
+python3 .github/scripts/test_npm_tarball_candidate_evidence.py
+python3 .github/scripts/test_npm_binary_package_scaffold.py
+npm test --prefix packages/npm/ethos-pdf
+python3 .github/scripts/validation_record_integrity.py
+make v0-3-release-prep PYTHON=python3
+git diff --check
+```
+
+## Result
+
+```text
+v0.3.0 npm publication approval request packet recorded
+Exact package, version, toolchain-qualified npm shasum, toolchain-qualified tarball SHA256,
+toolchain-qualified integrity, durable vendor payload checksums, installed CLI smoke, and PDFium
+boundary were recorded
+npm publish remains blocked pending explicit decider approval and later operator action
+```