From 3a6a7adba2a792bc6f7ea47b3a90405e05d23380 Mon Sep 17 00:00:00 2001 From: CoderDeltaLAN Date: Tue, 9 Jun 2026 11:52:48 +0100 Subject: [PATCH] docs: prepare v0.1.0 release documentation --- CHANGELOG.md | 8 +++++++- README.md | 6 +++++- SECURITY.md | 21 ++++++++++----------- docs/BUILD-PLAN.md | 3 +++ 4 files changed, 25 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cc4caf7..db08d32 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,10 @@ This project has no stable public release yet. ## [Unreleased] +No unreleased changes yet. + +## [0.1.0] - 2026-06-09 + ### Added - Repository identity baseline with README, MIT license, and .gitignore. @@ -65,14 +69,16 @@ This project has no stable public release yet. ## Release policy -Before the first stable public release, the maintainer must verify: +Before publishing any GitHub release, the maintainer must verify: - local checks pass; - CI passes for the release SHA; - README reflects actual behavior; +- sdist and wheel build and install from clean temporary environments; - SECURITY.md has a private reporting channel or clearly documents the absence of one; - CHANGELOG.md describes the released changes; - version number matches pyproject.toml and package metadata; +- the tag and GitHub Release point to the verified release SHA; - no unsupported security, production, or maturity claims are present. ## Notes for maintainers diff --git a/README.md b/README.md index 7954405..e89b5f0 100644 --- a/README.md +++ b/README.md @@ -313,9 +313,10 @@ The required status check for `main` is: Current status: -- pre-release v0.1 development; +- v0.1.0 release-candidate documentation stage; - no public stable release yet; - local CLI behavior implemented; +- packaging verified from real sdist and wheel artifacts; - CI active; - branch protection active; - README reflects current behavior only; 
@@ -326,9 +327,12 @@ Before a public release, verify: - local checks pass; - CI passes for the release SHA; +- sdist and wheel build and install from clean temporary environments; - output examples are generated from real commands; - README does not claim unsupported maturity; - SECURITY.md and CHANGELOG.md are current; +- private vulnerability reporting is enabled or its absence is clearly documented; +- tag and GitHub Release point to the verified release SHA; - no real secrets or private data are present. --- diff --git a/SECURITY.md b/SECURITY.md index 4e2fe57..efa0b61 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -6,11 +6,11 @@ It is not a security scanner, provides no security guarantees, and must not be d ## Supported versions -There is no stable supported release yet. +There is no stable supported release yet. The `0.1.x` line is a pre-release support boundary, not a stability guarantee. | Version | Status | | --- | --- | -| 0.1.x | Pre-release development | +| 0.1.x | Pre-release / best-effort security fixes | | < 0.1 | Not supported | ## Security boundaries 
@@ -38,13 +38,13 @@ Use fake examples only. ## Reporting a vulnerability -This repository is public but has no stable release and no formal private vulnerability disclosure process yet. +This repository is public and has no stable release yet. -For non-sensitive security boundary issues, open a GitHub issue with a minimal reproduction. +Preferred sensitive-reporting path: use GitHub Security Advisories or GitHub private vulnerability reporting when available to the maintainer. -Do not include secrets, tokens, credentials, cookies, private URLs, customer data, or sensitive repository contents in public issues. +If a sensitive issue cannot be reported privately through GitHub, do not publish secrets, exploit details, private URLs, customer data, or sensitive repository contents. Open only a minimal public issue requesting a private contact path. -Before a stable public release, the maintainer must define a private reporting channel or enable GitHub Security Advisories. +For non-sensitive security boundary issues, open a GitHub issue with a minimal reproduction. ## Non-goals @@ -60,15 +60,14 @@ agent-rules-kit does not aim to: ## Maintainer response -There is no guaranteed security response time before a stable release. +Security response is best-effort for pre-release `0.1.x`. There is no commercial SLA or guaranteed response time. -Before a stable public release, the maintainer must define: +Before any stable release, the maintainer must define: -- contact channel; -- expected response time; - supported versions; +- expected response time; - disclosure handling; -- whether GitHub Security Advisories are enabled. +- whether GitHub Security Advisories or private vulnerability reporting are enabled. ## Safe development rules diff --git a/docs/BUILD-PLAN.md b/docs/BUILD-PLAN.md index e7ab9c0..6c0f8c6 100644 --- a/docs/BUILD-PLAN.md +++ b/docs/BUILD-PLAN.md 
@@ -123,8 +123,11 @@ Before a public v0.1 release, verify: - local checks pass; - CI passes for the release SHA; - tests cover the implemented commands; +- sdist and wheel build and install from clean temporary environments; - output examples are generated from real commands; - secret-like findings are redacted in all formats; - README reflects actual behavior only; - SECURITY.md and CHANGELOG.md are current; +- private vulnerability reporting is enabled or its absence is clearly documented; +- tag and GitHub Release point to the verified release SHA; - no unsupported production or security claims are present.
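Review bot: the new `## [0.1.0] - 2026-06-09` section in the first CHANGELOG.md hunk sits directly under the unchanged context line "This project has no stable public release yet.", so a reader now sees a dated, versioned release entry contradicted by the sentence above it. Either qualify the heading (for example `## [0.1.0] - 2026-06-09 (pre-release)`) or reword the intro to say that 0.1.x is a pre-release line, matching the wording this same patch adds to SECURITY.md.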
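Review bot: in the CHANGELOG.md release-policy hunk, the new item "sdist and wheel build and install from clean temporary environments" checks that artifacts can be built, but nothing in the list ties the artifacts attached to the GitHub Release to the verified release SHA; only the tag and Release pointer are covered by "the tag and GitHub Release point to the verified release SHA". Add an item stating that the published sdist and wheel are the ones built from that SHA (and where they were built), otherwise a locally built, unverified artifact can be uploaded without violating the policy.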
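Review bot: the README.md status hunk states "packaging verified from real sdist and wheel artifacts" next to "v0.1.0 release-candidate documentation stage" and "no public stable release yet", while CHANGELOG.md in the same patch records 0.1.0 as released on 2026-06-09. Pick one status across files, and give the "verified" claim something a reader can check (the command sequence or the CI job that performed the install), since the README's own rule is that it "reflects current behavior only".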
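Review bot: the second README.md hunk makes this the second of three pre-release checklists in the patch (CHANGELOG.md, README.md, docs/BUILD-PLAN.md), and they already differ: the README list has "no real secrets or private data are present" and "output examples are generated from real commands", which the CHANGELOG list lacks, and the wording of the private-reporting item differs from CHANGELOG's "SECURITY.md has a private reporting channel or clearly documents the absence of one". Keep one canonical checklist and have the other two files link to it, or the copies will keep drifting with every release.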
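Review bot: the SECURITY.md supported-versions hunk changes the `0.1.x` row to "Pre-release / best-effort security fixes" but does not say which 0.1.x versions receive those fixes. State whether fixes land only in the latest 0.1.x release (for example "0.1.x (latest patch only)"), so a reporter knows whether an older 0.1.x install is in scope.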
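Review bot: in the SECURITY.md reporting hunk, "use GitHub Security Advisories or GitHub private vulnerability reporting when available to the maintainer" is conditional, so a reporter cannot tell from the document whether a private channel exists, and the removed line that committed the maintainer to defining one before release is gone. The release checklists added elsewhere in this patch require that private reporting be "enabled or its absence is clearly documented"; this section should state one or the other definitively rather than hedge with "when available".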
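Review bot: the SECURITY.md maintainer-response hunk drops "contact channel" from the list of things to define before a stable release, yet the reporting section in the same file still names no definite private contact. Keep the "contact channel" item (or fold it into the "whether GitHub Security Advisories or private vulnerability reporting are enabled" line) so the open question is not silently removed from the document.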
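Review bot: the docs/BUILD-PLAN.md hunk is the third copy of the release checklist, and it is the only one containing "secret-like findings are redacted in all formats", a check the README.md and CHANGELOG.md lists added in this patch do not have. Either add that item to the other lists or, preferably, make this file the single source and reference it from the others; also its heading still reads "Before a public v0.1 release" while CHANGELOG.md now says "Before publishing any GitHub release", so align the scope wording.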