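--- a/.github/scripts/test_v0_3_0_npm_publication_approval_request.py
+++ b/.github/scripts/test_v0_3_0_npm_publication_approval_request.py
@@ -0,0 +1,191 @@
+#!/usr/bin/env python3
+#
+# Copyright 2026 The Ethos maintainers
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+#
+
+from __future__ import annotations
+
+import hashlib
+import json
+import re
+import unittest
+from pathlib import Path
+
+from makefile_guard import target_block
+from validation_record_source import assert_record_source_binding
+
+
+ROOT = Path(__file__).resolve().parents[2]
+PACKAGE_DIR = ROOT / "packages/npm/ethos-pdf"
+PACKAGE_JSON = PACKAGE_DIR / "package.json"
+VENDOR_MANIFEST = PACKAGE_DIR / "vendor/manifest.json"
+RECORD = ROOT / (
+"docs/validation/v0-3-0-npm-publication-approval-request-validation-2026-07-02.md"
+)
+VENDOR_RECORD = ROOT / "docs/validation/v0-3-0-npm-vendor-refresh-validation-2026-07-02.md"
+ARTIFACT_CLOSEOUT = ROOT / (
+"docs/validation/v0-3-0-artifact-publication-closeout-validation-2026-07-02.md"
+)
+VALIDATION_README = ROOT / "docs/validation/README.md"
+EXECUTION_STATUS = ROOT / "docs/execution-status.md"
+PUBLIC_RELEASE_CHECKLIST = ROOT / "docs/public-release-checklist.md"
+RELEASE_PREP = ROOT / "docs/v0-3-0-release-prep.md"
+CHANGELOG = ROOT / "CHANGELOG.md"
+MAKEFILE = ROOT / "Makefile"
+
+SOURCE_SHORT = "161645d"
+SOURCE_COMMIT = "161645d7d3b5564cc4fafff411de07631616acca"
+SOURCE_TREE = "3f872c9ff0685bcf6f95e8e05f9530f852b0bd98"
+PACKAGE = "@docushell/ethos-pdf@0.3.0"
+CURRENT_PUBLISHED = "@docushell/ethos-pdf@0.2.1"
+NPM_TARBALL = "docushell-ethos-pdf-0.3.0.tgz"
+NPM_SHASUM = "1a90cebd8d52011ea5c41629becdfb37dec73ee7"
+TARBALL_SHA256 = "1b72ef2fd9415f9edff93319ee2763e8f67cd6168ea00cd64d89a3760101c5fa"
+INTEGRITY = (
+"sha512-ZWoIY5BO7O8tzN88ICGvRasmOt7/RSN/xWFM2ONT8lavQqIOuCY/bQjvxnuK9vGpNeogh8X4UXHLLSRKqqHVOQ=="
+)
+NODE_VERSION = "v23.11.1"
+NPM_VERSION = "10.9.2"
+MACOS_ARTIFACT_SHA256 = "efb163f140bf4afffd1caeb396f79e42f484591c3e90a86810ca6c0f0c209c96"
+LINUX_ARTIFACT_SHA256 = "b549ba5968e04b7679a8d3e879cd45d27f3e9a6fd226eee5c270a4e4f5c01405"
+EXPECTED_VENDOR_SHA256 = {
+"vendor/ethos-darwin-arm64": "777e1fb243425a46b83b63ed92fbf7cb810f59cfedd81cfe671cf791410c20dc",
+"vendor/ethos-linux-x64": "b416993fc38e6f794611b8b71789ed85af18eb6aa63fef380d9ae7738661f154",
+"vendor/manifest.json": "e313b42e49b258171611935455fd9e70bad7ce61c409df63ab90aaa2732a46af",
+}
+PRIVATE_PATH_MARKERS = (
+"/" + "Users/",
+"/" + "private/tmp",
+"/" + "private/var",
+"/" + "var/folders",
+"saumil" + "diwaker",
+"Desktop/" + "Stuff",
+"project/repo/" + "ethos",
+)
+FORBIDDEN = (
+"npm publish is approved",
+"npm publication approved",
+"operator publish approved",
+"package is published",
+"public installation wording approved",
+"hosted surfaces approved",
+"production-ready",
+"public benchmark claims approved",
+"windows packaged artifacts approved",
+"bundled pdfium approved",
+)
+
+
+def sha256(path: Path) -> str:
+return hashlib.sha256(path.read_bytes()).hexdigest()
+
+
+def read(path: Path) -> str:
+return path.read_text(encoding="utf-8")
+
+
+def normalized(path: Path) -> str:
+return re.sub(r"\s+", " ", read(path))
+
+
+class V030NpmPublicationApprovalRequestTests(unittest.TestCase):
+def test_request_record_is_source_bound(self) -> None:
+raw = read(RECORD)
+record = normalized(RECORD)
+
+assert_record_source_binding(
+self,
+root=ROOT,
+raw_record=raw,
+normalized_record=record,
+validated_head=SOURCE_SHORT,
+source_label="v0.3.0 npm publication approval request",
+source_commit=SOURCE_COMMIT,
+source_tree=SOURCE_TREE,
+)
+
+def test_checked_in_candidate_matches_exact_request(self) -> None:
+self.assertEqual("0.3.0", json.loads(read(PACKAGE_JSON))["version"])
+
+for relative_path, expected in EXPECTED_VENDOR_SHA256.items():
+self.assertEqual(expected, sha256(PACKAGE_DIR / relative_path))
+
+manifest = json.loads(read(VENDOR_MANIFEST))
+self.assertEqual(MACOS_ARTIFACT_SHA256, manifest["targets"]["darwin:arm64"]["release_asset_sha256"])
+self.assertEqual(LINUX_ARTIFACT_SHA256, manifest["targets"]["linux:x64"]["release_asset_sha256"])
+
+def test_request_names_exact_candidate_and_boundaries(self) -> None:
+record = normalized(RECORD)
+raw = read(RECORD)
+
+for expected in (
+PACKAGE,
+CURRENT_PUBLISHED,
+NPM_TARBALL,
+NPM_SHASUM,
+TARBALL_SHA256,
+INTEGRITY,
+f"Node.js: `{NODE_VERSION}`",
+f"npm: `{NPM_VERSION}`",
+VENDOR_RECORD.name,
+ARTIFACT_CLOSEOUT.name,
+"per-file vendor SHA256 values are the durable cross-toolchain provenance binding",
+"Publication must use Node.js `v23.11.1` and npm `10.9.2`",
+"Exact installed CLI smoke accepted for request: `ethos 0.3.0`",
+"Exact missing-PDFium behavior accepted for request: exit code `12`",
+"ETHOS_PDFIUM_LIBRARY_PATH",
+"No `npm publish` command is approved by this request record.",
+"npm publication remains blocked pending explicit decider approval.",
+"Actual npm publish remains blocked pending explicit operator action",
+):
+self.assertIn(expected, record)
+
+for expected in (
+MACOS_ARTIFACT_SHA256,
+LINUX_ARTIFACT_SHA256,
+*EXPECTED_VENDOR_SHA256.values(),
+):
+self.assertIn(expected, record)
+
+for marker in PRIVATE_PATH_MARKERS:
+self.assertNotIn(marker, raw)
+for phrase in FORBIDDEN:
+self.assertNotIn(phrase, record.lower())
+
+def test_request_is_indexed_and_wired_into_status_docs(self) -> None:
+for path in (
+VALIDATION_README,
+EXECUTION_STATUS,
+PUBLIC_RELEASE_CHECKLIST,
+RELEASE_PREP,
+):
+text = normalized(path)
+self.assertIn(RECORD.name, text)
+self.assertIn("v0.3.0 npm publication approval request", text.lower())
+self.assertIn("npm publish", text)
+self.assertIn("blocked", text.lower())
+
+changelog = normalized(CHANGELOG)
+self.assertIn("request decider review for exact `@docushell/ethos-pdf@0.3.0`", changelog)
+self.assertIn("npm publication inputs", changelog)
+self.assertIn("blocked", changelog.lower())
+
+def test_release_prep_target_runs_request_guard_after_vendor_refresh(self) -> None:
+block = target_block("v0-3-release-prep")
+vendor_guard = "$(PYTHON) .github/scripts/test_v0_3_0_npm_vendor_refresh.py"
+request_guard = (
+"$(PYTHON) .github/scripts/test_v0_3_0_npm_publication_approval_request.py"
+)
+public_surface_guard = "$(PYTHON) .github/scripts/test_public_surface_posture.py"
+
+self.assertIn(vendor_guard, block)
+self.assertIn(request_guard, block)
+self.assertEqual(1, block.count(request_guard))
+self.assertLess(block.index(vendor_guard), block.index(request_guard))
+self.assertLess(block.index(request_guard), block.index(public_surface_guard))
+
+
+if __name__ == "__main__":
+unittest.main()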
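Review bot: The FORBIDDEN loop that closes `test_request_names_exact_candidate_and_boundaries` compares plain lowercase substrings, while the record is expected to write the command as a markdown code span (the required sentence is "No `npm publish` command is approved by this request record."), so an approval sentence with the command in backticks would not match "npm publish is approved" and the guard would still pass. Dropping the code-span markers before matching closes that gap and hoists the repeated lowercasing: `claims = record.lower().replace("\x60", "")` before the loop, then `self.assertNotIn(phrase, claims)`. Separately, NPM_SHASUM, TARBALL_SHA256 and INTEGRITY are only asserted as text inside the record; nothing in this file recomputes them from a tarball, so a comment above those constants such as `# Record-text bindings only; not recomputed from the tarball here.` would keep the record from being read as a verified digest.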
5 changes: 5 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,11 @@

## Unreleased

- boundary-exception: request decider review for exact `@docushell/ethos-pdf@0.3.0` npm
publication inputs while keeping `npm publish`, public install wording, release/package tags,
hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, `ethos-rag`, and
DocuShell integration blocked pending a later approval decision, operator action, registry
smoke, and closeout lanes.
- boundary-exception: refresh the `@docushell/ethos-pdf@0.3.0` npm source package candidate from
published v0.3.0 GitHub Release CLI artifacts while keeping npm publish, public install wording,
package tags, hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, `ethos-rag`,
1 change: 1 addition & 0 deletions Makefile
Expand Up @@ -103,6 +103,7 @@ v0-3-release-prep:
$(PYTHON) .github/scripts/test_npm_binary_package_scaffold.py
npm test --prefix packages/npm/ethos-pdf
$(PYTHON) .github/scripts/test_v0_3_0_npm_vendor_refresh.py
$(PYTHON) .github/scripts/test_v0_3_0_npm_publication_approval_request.py
$(PYTHON) .github/scripts/test_public_surface_posture.py
$(PYTHON) .github/scripts/claims_gate.py
$(PYTHON) .github/scripts/public_boundary_claims_gate.py
11 changes: 10 additions & 1 deletion docs/execution-status.md
Expand Up @@ -2,7 +2,16 @@

Date: 2026-07-02
Owner: product / decider
Status: v0.3.0 Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are live on crates.io, and the Python `ethos-pdf` wheel is live on PyPI. GitHub Release `v0.3.0` now contains closed-out macOS arm64/Linux x64 CLI artifacts for evaluation with caller-provided PDFium. The npm source package candidate is refreshed as `@docushell/ethos-pdf@0.3.0`. v0.2.0 remains the public CLI artifact baseline with GitHub Release `v0.2.0` macOS arm64/Linux x64 artifacts, and npm remains `@docushell/ethos-pdf@0.2.1` for public install wording until a later wording closeout; npm `@docushell/ethos-pdf@0.2.0` is deprecated because it shipped stale CLI binaries that reported `ethos 0.1.2`. Public `0.3.0` install wording, npm publication/alignment, package tags, and DocuShell integration remain blocked pending their separate evidence, operator action, and closeout records. The exact GitHub Release artifact closeout is limited to the approved `v0.3.0` release assets below. PDFium-backed commands use caller-provided PDFium through `ETHOS_PDFIUM_LIBRARY_PATH`. Hosted surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium builds, public benchmark reports, public benchmark claims, speed, footprint, parser-quality, table-quality, `ethos-doc`, and `ethos-rag` remain blocked.
Status: v0.3.0 Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are live on crates.io, and the Python `ethos-pdf` wheel is live on PyPI. GitHub Release `v0.3.0` now contains closed-out macOS arm64/Linux x64 CLI artifacts for evaluation with caller-provided PDFium. The npm source package candidate is refreshed as `@docushell/ethos-pdf@0.3.0`, and the v0.3.0 npm publication approval request is recorded for decider review only. v0.2.0 remains the public CLI artifact baseline with GitHub Release `v0.2.0` macOS arm64/Linux x64 artifacts, and npm remains `@docushell/ethos-pdf@0.2.1` for public install wording until a later wording closeout; npm `@docushell/ethos-pdf@0.2.0` is deprecated because it shipped stale CLI binaries that reported `ethos 0.1.2`. Public `0.3.0` install wording, npm publication/alignment, package tags, and DocuShell integration remain blocked pending their separate approval decision, operator action, registry-smoke, tag, wording, and closeout records. The exact GitHub Release artifact closeout is limited to the approved `v0.3.0` release assets below. PDFium-backed commands use caller-provided PDFium through `ETHOS_PDFIUM_LIBRARY_PATH`. Hosted surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium builds, public benchmark reports, public benchmark claims, speed, footprint, parser-quality, table-quality, `ethos-doc`, and `ethos-rag` remain blocked.

v0.3.0 npm publication approval request is recorded in
`docs/validation/v0-3-0-npm-publication-approval-request-validation-2026-07-02.md`. It requests
decider review for only the exact `@docushell/ethos-pdf@0.3.0` npm candidate, tarball metadata,
vendor payload checksums, supported platforms, installed CLI smoke, and caller-provided PDFium
boundary. It does not approve `npm publish`; npm publication remains blocked pending an explicit
approval decision, operator action with npm credentials, registry smoke, and closeout record.
Public `0.3.0` install wording, package tag creation, release tag creation, and DocuShell
integration remain blocked.

v0.3.0 npm vendor refresh is recorded in
`docs/validation/v0-3-0-npm-vendor-refresh-validation-2026-07-02.md`. It refreshes the
17 changes: 14 additions & 3 deletions docs/public-release-checklist.md
Expand Up @@ -8,17 +8,28 @@ or launch announcement. It is intentionally stricter than the day-to-day enginee
Ethos v0.3.0 Rust library crates `ethos-doc-core`, `ethos-verify`, and `ethos-pdf` are live on
crates.io, and the Python `ethos-pdf` wheel is live on PyPI. GitHub Release `v0.3.0` now contains
closed-out macOS arm64/Linux x64 CLI artifacts for evaluation with caller-provided PDFium. The npm
source package candidate is refreshed as `@docushell/ethos-pdf@0.3.0`. v0.2.0 remains the public
source package candidate is refreshed as `@docushell/ethos-pdf@0.3.0`, and the v0.3.0 npm
publication approval request is recorded for decider review only. v0.2.0 remains the public
CLI artifact baseline with GitHub Release `v0.2.0` macOS arm64/Linux x64 artifacts, and npm
remains `@docushell/ethos-pdf@0.2.1` for public install wording until a later wording closeout; npm
`@docushell/ethos-pdf@0.2.0` is deprecated because it shipped stale CLI binaries that reported
`ethos 0.1.2`. Public `0.3.0` install wording, npm publication/alignment, package tags, and
DocuShell integration remain blocked pending their separate evidence, operator action, and closeout
records. The exact GitHub Release artifact closeout is limited to the approved `v0.3.0` release
DocuShell integration remain blocked pending their separate approval decision, operator action,
registry-smoke, tag, wording, and closeout records. The exact GitHub Release artifact closeout is
limited to the approved `v0.3.0` release
assets below. Hosted surfaces, production positioning, Windows packaged artifacts, bundled
project-maintained PDFium builds, public benchmark reports, public benchmark claims, speed,
footprint, parser-quality, table-quality, `ethos-doc`, and `ethos-rag` remain blocked.

v0.3.0 npm publication approval request is recorded in
`docs/validation/v0-3-0-npm-publication-approval-request-validation-2026-07-02.md`. It requests
decider review for only the exact `@docushell/ethos-pdf@0.3.0` npm candidate, tarball metadata,
vendor payload checksums, supported platforms, installed CLI smoke, and caller-provided PDFium
boundary. It does not approve `npm publish`; npm publication remains blocked pending an explicit
approval decision, operator action with npm credentials, registry smoke, and closeout record.
Public `0.3.0` install wording, package tag creation, release tag creation, and DocuShell
integration remain blocked.

v0.3.0 npm vendor refresh is recorded in
`docs/validation/v0-3-0-npm-vendor-refresh-validation-2026-07-02.md`. It refreshes the
`@docushell/ethos-pdf@0.3.0` source package candidate from the published GitHub Release `v0.3.0`
13 changes: 13 additions & 0 deletions docs/v0-3-0-release-prep.md
Expand Up @@ -123,6 +123,19 @@ This refresh does not approve `npm publish`. It does not approve public `0.3.0`
npm publication, package tag creation, public install wording, and DocuShell integration remain
blocked until separate approval, operator, registry-smoke, tag, and wording closeout records pass.

### 3c. Request npm Publication Approval

The v0.3.0 npm publication approval request is recorded in
`docs/validation/v0-3-0-npm-publication-approval-request-validation-2026-07-02.md`. It asks the
decider to accept or reject only the exact `@docushell/ethos-pdf@0.3.0` npm candidate, tarball
metadata, vendor payload checksums, supported platforms, installed CLI smoke, and caller-provided
PDFium boundary.

This request does not approve `npm publish`. npm publication remains blocked until a separate
approval decision record passes and an operator publishes with npm credentials. Public `0.3.0`
install wording, package tag creation, release tag creation, and DocuShell integration remain
blocked until separate closeout lanes pass.

### 4. Gather Package Evidence Before Any Publication Decision

Before any public package or artifact decision, record exact evidence for the surfaces that are in
8 changes: 8 additions & 0 deletions docs/validation/README.md
Expand Up @@ -10,6 +10,14 @@ in `docs/public-release-checklist.md`.

Records:

v0.3.0 npm publication approval request is recorded in
`v0-3-0-npm-publication-approval-request-validation-2026-07-02.md`. It requests decider review for
only the exact `@docushell/ethos-pdf@0.3.0` npm candidate, tarball metadata, vendor payload
checksums, supported platforms, installed CLI smoke, and caller-provided PDFium boundary. It does
not approve `npm publish`; npm publication remains blocked pending an explicit approval decision,
operator action with npm credentials, registry smoke, and closeout record. Public `0.3.0` install
wording, package tag creation, release tag creation, and DocuShell integration remain blocked.

v0.3.0 npm vendor refresh is recorded in
`v0-3-0-npm-vendor-refresh-validation-2026-07-02.md`. It refreshes the
`@docushell/ethos-pdf@0.3.0` source package candidate from the published GitHub Release `v0.3.0`