From 980ef1d3ec4568029d43c83d34bbe4219a0e6aae Mon Sep 17 00:00:00 2001 From: CoderDeltaLAN Date: Mon, 15 Jun 2026 21:39:32 +0100 Subject: [PATCH] docs: add v0.2 governance boundaries evidence --- docs/V0.2-GOVERNANCE-BOUNDARIES.md | 223 +++++++++++++++++++++++++++++ 1 file changed, 223 insertions(+) create mode 100644 docs/V0.2-GOVERNANCE-BOUNDARIES.md diff --git a/docs/V0.2-GOVERNANCE-BOUNDARIES.md b/docs/V0.2-GOVERNANCE-BOUNDARIES.md new file mode 100644 index 0000000..4069b17 --- /dev/null +++ b/docs/V0.2-GOVERNANCE-BOUNDARIES.md 
@@ -0,0 +1,223 @@ +# v0.2 Governance Boundaries Verification + +Status: release governance evidence captured; private vulnerability reporting is not enabled. + +Date: 2026-06-15. + +Branch reviewed: `main`. + +Commit reviewed: `d82a22b75962a34e44cfdf2b8a0b159c8d8fde63`. + +GitHub Actions run reviewed: `27571802495`. + +This document records read-only release evidence for the governance boundaries required before cutting a future `v0.2.0` release. + +It is not a version bump, changelog cut, tag decision, GitHub Release approval, artifact upload, or PyPI publication. + +## Scope + +This verification covers: + +- main branch protection; +- required status check configuration; +- admin enforcement; +- force-push prevention; +- branch deletion prevention; +- pull-request review profile for a solo-maintainer repository; +- private vulnerability reporting availability; +- security advisories endpoint availability. + +This verification does not change repository settings. + +## Current repository state + +The repository is public and owned by `CoderDeltaLAN`. + +The default branch is: + +- `main`. + +The reviewed `main` SHA is: + +- `d82a22b75962a34e44cfdf2b8a0b159c8d8fde63`. + +The GitHub API reported: + +- branch SHA matches the expected reviewed SHA; +- `main` is protected. + +The exact branch API evidence was: + +- `BRANCH_SHA=d82a22b75962a34e44cfdf2b8a0b159c8d8fde63`; +- `EXPECTED_MAIN_SHA=d82a22b75962a34e44cfdf2b8a0b159c8d8fde63`; +- `BRANCH_PROTECTED=true`. + +## Required status check + +Required status checks are enabled for `main`. + +The required status check configuration is: + +- `strict=true`; +- required context: `local-checks / Python 3.12`; +- check app id: `15368`. + +The reviewed CI run was: + +- run id: `27571802495`; +- workflow name: `CI`; +- event: `push`; +- branch: `main`; +- head SHA: `d82a22b75962a34e44cfdf2b8a0b159c8d8fde63`; +- status: `completed`; +- conclusion: `success`. 
+ +Decision: + +- required status check evidence is verified for v0.2 release preparation; +- the exact required check name is `local-checks / Python 3.12`. + +## Pull request and solo-maintainer profile + +The branch protection API reports required pull request review configuration. + +The pull request review profile is: + +- `required_approving_review_count=0`; +- `dismiss_stale_reviews=false`; +- `require_code_owner_reviews=false`; +- `require_last_push_approval=false`. + +This matches the intended solo-maintainer profile for this repository. + +Rationale: + +- this is currently a solo-maintainer repository; +- requiring one approval without a real second reviewer can block correct PRs without adding real review value; +- protection is instead enforced through pull request workflow, required CI, exact SHA verification, no force pushes, no branch deletion, staged review, and Always-Green discipline. + +## Admin enforcement + +Admin enforcement is enabled. + +The branch protection API reported: + +- `enforce_admins.enabled=true`. + +Decision: + +- admin enforcement evidence is verified for v0.2 release preparation. + +## Force-push prevention + +Force pushes are not allowed on `main`. + +The branch protection API reported: + +- `allow_force_pushes.enabled=false`. + +Decision: + +- force-push prevention evidence is verified for v0.2 release preparation. + +## Branch deletion prevention + +Branch deletion is not allowed on `main`. + +The branch protection API reported: + +- `allow_deletions.enabled=false`. + +Decision: + +- branch deletion prevention evidence is verified for v0.2 release preparation. + +## Private vulnerability reporting + +Private vulnerability reporting is reachable through the GitHub API, but it is not enabled. + +The endpoint returned: + +- `enabled=false`. 
+ +Decision: + +- private vulnerability reporting evidence is verified; +- private vulnerability reporting is not currently enabled; +- v0.2 release notes, README, and SECURITY.md must not claim that private vulnerability reporting is enabled. + +Documented alternative for the current pre-release state: + +- sensitive vulnerabilities should not be opened as public issues; +- the maintainer should use GitHub Security Advisories or private vulnerability reporting when available; +- if private reporting is unavailable, reporters should use the maintainer's documented non-public contact path if one is added later; +- non-sensitive security boundary issues may be opened as GitHub issues with minimal reproduction and no secrets. + +Release impact: + +- this does not block v0.2 preparation if the absence is explicitly documented; +- it does block any claim that private vulnerability reporting is active; +- before a stable release, the maintainer should either enable private vulnerability reporting or document a clear private reporting contact. + +## Security advisories endpoint + +The security advisories endpoint was reachable. + +No active advisory data was printed by the read-only probe. + +Decision: + +- security advisories availability probe is verified; +- no open advisory evidence was found in this probe; +- this is not a substitute for a full security audit. + +## v0.2 release impact + +The governance-boundaries evidence required by the v0.2 release-readiness blocker is now captured with one limitation: + +- branch protection: verified; +- required status check name: verified; +- admin enforcement: verified; +- force-push prevention: verified; +- branch deletion prevention: verified; +- solo-maintainer PR review profile: verified; +- private vulnerability reporting: verified as disabled; +- explicit alternative/limitation: documented. + +This closes the evidence gap for branch protection and required status checks. 
+ +It does not close other v0.2 release blockers: + +- version metadata is still `0.1.0`; +- CHANGELOG.md is not cut for `0.2.0`; +- final v0.2.0 artifacts are not built; +- `v0.2.0` tag does not exist; +- GitHub Release `v0.2.0` does not exist; +- release notes are not cut from verified final artifacts; +- PyPI has not been touched. + +## Prohibited claims + +Do not claim: + +- private vulnerability reporting is enabled; +- this project is a security scanner; +- this project proves repository safety; +- this project provides security guarantees; +- v0.2.0 is released; +- v0.2.0 is stable; +- PyPI publication exists. + +## Decision + +AIRK-REL020 status: + +- governance-boundaries evidence captured; +- branch protection verified; +- required status check verified; +- security reporting limitation documented; +- release preparation may continue to the metadata-cut phase only after this document is reviewed, committed, merged, and verified on `main`. + +Recommended next phase after this phase is fully merged and closed: + +- `release/cut-v0.2.0-metadata`.
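Review bot: the "Documented alternative for the current pre-release state" block under "## Private vulnerability reporting" does not actually give a reporter a usable channel today: the bullet "reporters should use the maintainer's documented non-public contact path if one is added later" defers the contact to a future change, and the preceding bullet "the maintainer should use GitHub Security Advisories or private vulnerability reporting when available" describes the maintainer's side, not the reporter's, so a reader who must not open a public issue is left with nothing to do. Either add a concrete non-public contact (e.g. in SECURITY.md, referenced here) or reword the heading and the "Release impact" bullets so they state that no private path exists yet rather than that an alternative is documented. A second point for the "## Required status check" section: the only evidence is a run with `event: push` on `main`; since the required context `local-checks / Python 3.12` gates pull requests, the document should also record that the `CI` workflow triggers on `pull_request` (or cite a PR run), otherwise the verification does not show that PRs can satisfy the check.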