docs: prepare v0.1.0 release documentation

CHANGELOG.md

@@ -6,6 +6,10 @@ This project has no stable public release yet.
 
 ## [Unreleased]
 
+No unreleased changes yet.
+
+## [0.1.0] - 2026-06-09
+
 ### Added
 
 - Repository identity baseline with README, MIT license, and .gitignore.
@@ -65,14 +69,16 @@ This project has no stable public release yet.
 
 ## Release policy
 
-Before the first stable public release, the maintainer must verify:
+Before publishing any GitHub release, the maintainer must verify:
 
 - local checks pass;
 - CI passes for the release SHA;
 - README reflects actual behavior;
+- sdist and wheel build and install from clean temporary environments;
 - SECURITY.md has a private reporting channel or clearly documents the absence of one;
 - CHANGELOG.md describes the released changes;
 - version number matches pyproject.toml and package metadata;
+- the tag and GitHub Release point to the verified release SHA;
 - no unsupported security, production, or maturity claims are present.
 
 ## Notes for maintainers

README.md

@@ -313,9 +313,10 @@ The required status check for `main` is:
 
 Current status:
 
-- pre-release v0.1 development;
+- v0.1.0 release-candidate documentation stage;
 - no public stable release yet;
 - local CLI behavior implemented;
+- packaging verified from real sdist and wheel artifacts;
 - CI active;
 - branch protection active;
 - README reflects current behavior only;
@@ -326,9 +327,12 @@ Before a public release, verify:
 
 - local checks pass;
 - CI passes for the release SHA;
+- sdist and wheel build and install from clean temporary environments;
 - output examples are generated from real commands;
 - README does not claim unsupported maturity;
 - SECURITY.md and CHANGELOG.md are current;
+- private vulnerability reporting is enabled or its absence is clearly documented;
+- tag and GitHub Release point to the verified release SHA;
 - no real secrets or private data are present.
 
 ---

SECURITY.md

@@ -6,11 +6,11 @@ It is not a security scanner, provides no security guarantees, and must not be d
 
 ## Supported versions
 
-There is no stable supported release yet.
+There is no stable supported release yet. The `0.1.x` line is a pre-release support boundary, not a stability guarantee.
 
 | Version | Status |
 | --- | --- |
-| 0.1.x | Pre-release development |
+| 0.1.x | Pre-release / best-effort security fixes |
 | < 0.1 | Not supported |
 
 ## Security boundaries
@@ -38,13 +38,13 @@ Use fake examples only.
 
 ## Reporting a vulnerability
 
-This repository is public but has no stable release and no formal private vulnerability disclosure process yet.
+This repository is public and has no stable release yet.
 
-For non-sensitive security boundary issues, open a GitHub issue with a minimal reproduction.
+Preferred sensitive-reporting path: use GitHub Security Advisories or GitHub private vulnerability reporting when available to the maintainer.
 
-Do not include secrets, tokens, credentials, cookies, private URLs, customer data, or sensitive repository contents in public issues.
+If a sensitive issue cannot be reported privately through GitHub, do not publish secrets, exploit details, private URLs, customer data, or sensitive repository contents. Open only a minimal public issue requesting a private contact path.
 
-Before a stable public release, the maintainer must define a private reporting channel or enable GitHub Security Advisories.
+For non-sensitive security boundary issues, open a GitHub issue with a minimal reproduction.
 
 ## Non-goals
 
@@ -60,15 +60,14 @@ agent-rules-kit does not aim to:
 
 ## Maintainer response
 
-There is no guaranteed security response time before a stable release.
+Security response is best-effort for pre-release `0.1.x`. There is no commercial SLA or guaranteed response time.
 
-Before a stable public release, the maintainer must define:
+Before any stable release, the maintainer must define:
 
-- contact channel;
-- expected response time;
 - supported versions;
+- expected response time;
 - disclosure handling;
-- whether GitHub Security Advisories are enabled.
+- whether GitHub Security Advisories or private vulnerability reporting are enabled.
 
 ## Safe development rules
 

docs/BUILD-PLAN.md

@@ -123,8 +123,11 @@ Before a public v0.1 release, verify:
 - local checks pass;
 - CI passes for the release SHA;
 - tests cover the implemented commands;
+- sdist and wheel build and install from clean temporary environments;
 - output examples are generated from real commands;
 - secret-like findings are redacted in all formats;
 - README reflects actual behavior only;
 - SECURITY.md and CHANGELOG.md are current;
+- private vulnerability reporting is enabled or its absence is clearly documented;
+- tag and GitHub Release point to the verified release SHA;
 - no unsupported production or security claims are present.