223 changes: 223 additions & 0 deletions docs/V0.2-GOVERNANCE-BOUNDARIES.md
@@ -0,0 +1,223 @@
# v0.2 Governance Boundaries Verification

Status: release governance evidence captured; private vulnerability reporting is not enabled.

Date: 2026-06-15.

Branch reviewed: `main`.

Commit reviewed: `d82a22b75962a34e44cfdf2b8a0b159c8d8fde63`.

GitHub Actions run reviewed: `27571802495`.

This document records read-only release evidence for the governance boundaries required before cutting a future `v0.2.0` release.

It is not a version bump, changelog cut, tag decision, GitHub Release approval, artifact upload, or PyPI publication.

## Scope

This verification covers:

- main branch protection;
- required status check configuration;
- admin enforcement;
- force-push prevention;
- branch deletion prevention;
- pull-request review profile for a solo-maintainer repository;
- private vulnerability reporting availability;
- security advisories endpoint availability.

This verification does not change repository settings.

## Current repository state

The repository is public and owned by `CoderDeltaLAN`.

The default branch is:

- `main`.

The reviewed `main` SHA is:

- `d82a22b75962a34e44cfdf2b8a0b159c8d8fde63`.

The GitHub API reported:

- branch SHA matches the expected reviewed SHA;
- `main` is protected.

The exact branch API evidence was:

- `BRANCH_SHA=d82a22b75962a34e44cfdf2b8a0b159c8d8fde63`;
- `EXPECTED_MAIN_SHA=d82a22b75962a34e44cfdf2b8a0b159c8d8fde63`;
- `BRANCH_PROTECTED=true`.

## Required status check

Required status checks are enabled for `main`.

The required status check configuration is:

- `strict=true`;
- required context: `local-checks / Python 3.12`;
- check app id: `15368`.

The reviewed CI run was:

- run id: `27571802495`;
- workflow name: `CI`;
- event: `push`;
- branch: `main`;
- head SHA: `d82a22b75962a34e44cfdf2b8a0b159c8d8fde63`;
- status: `completed`;
- conclusion: `success`.

Decision:

- required status check evidence is verified for v0.2 release preparation;
- the exact required check name is `local-checks / Python 3.12`.

## Pull request and solo-maintainer profile

The branch protection API reports required pull request review configuration.

The pull request review profile is:

- `required_approving_review_count=0`;
- `dismiss_stale_reviews=false`;
- `require_code_owner_reviews=false`;
- `require_last_push_approval=false`.

This matches the intended solo-maintainer profile for this repository.

Rationale:

- this is currently a solo-maintainer repository;
- requiring one approval without a real second reviewer can block correct PRs without adding real review value;
- protection is instead enforced through pull request workflow, required CI, exact SHA verification, no force pushes, no branch deletion, staged review, and Always-Green discipline.

## Admin enforcement

Admin enforcement is enabled.

The branch protection API reported:

- `enforce_admins.enabled=true`.

Decision:

- admin enforcement evidence is verified for v0.2 release preparation.

## Force-push prevention

Force pushes are not allowed on `main`.

The branch protection API reported:

- `allow_force_pushes.enabled=false`.

Decision:

- force-push prevention evidence is verified for v0.2 release preparation.

## Branch deletion prevention

Branch deletion is not allowed on `main`.

The branch protection API reported:

- `allow_deletions.enabled=false`.

Decision:

- branch deletion prevention evidence is verified for v0.2 release preparation.

## Private vulnerability reporting

Private vulnerability reporting is reachable through the GitHub API, but it is not enabled.

The endpoint returned:

- `enabled=false`.

Decision:

- private vulnerability reporting evidence is verified;
- private vulnerability reporting is not currently enabled;
- v0.2 release notes, README, and SECURITY.md must not claim that private vulnerability reporting is enabled.

Documented alternative for the current pre-release state:

- sensitive vulnerabilities should not be opened as public issues;
- the maintainer should use GitHub Security Advisories or private vulnerability reporting when available;
- if private reporting is unavailable, reporters should use the maintainer's documented non-public contact path if one is added later;
- non-sensitive security boundary issues may be opened as GitHub issues with minimal reproduction and no secrets.

Release impact:

- this does not block v0.2 preparation if the absence is explicitly documented;
- it does block any claim that private vulnerability reporting is active;
- before a stable release, the maintainer should either enable private vulnerability reporting or document a clear private reporting contact.

## Security advisories endpoint

The security advisories endpoint was reachable.

No active advisory data was printed by the read-only probe.

Decision:

- security advisories availability probe is verified;
- no open advisory evidence was found in this probe;
- this is not a substitute for a full security audit.

## v0.2 release impact

The governance-boundaries evidence required by the v0.2 release-readiness blocker is now captured with one limitation:

- branch protection: verified;
- required status check name: verified;
- admin enforcement: verified;
- force-push prevention: verified;
- branch deletion prevention: verified;
- solo-maintainer PR review profile: verified;
- private vulnerability reporting: verified as disabled;
- explicit alternative/limitation: documented.

This closes the evidence gap for branch protection and required status checks.

It does not close other v0.2 release blockers:

- version metadata is still `0.1.0`;
- CHANGELOG.md is not cut for `0.2.0`;
- final v0.2.0 artifacts are not built;
- `v0.2.0` tag does not exist;
- GitHub Release `v0.2.0` does not exist;
- release notes are not cut from verified final artifacts;
- PyPI has not been touched.

## Prohibited claims

Do not claim:

- private vulnerability reporting is enabled;
- this project is a security scanner;
- this project proves repository safety;
- this project provides security guarantees;
- v0.2.0 is released;
- v0.2.0 is stable;
- PyPI publication exists.

## Decision

AIRK-REL020 status:

- governance-boundaries evidence captured;
- branch protection verified;
- required status check verified;
- security reporting limitation documented;
- release preparation may continue to the metadata-cut phase only after this document is reviewed, committed, merged, and verified on `main`.

Recommended next phase after this phase is fully merged and closed:

- `release/cut-v0.2.0-metadata`.
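Review bot: the branch-protection evidence (the `## Required status check` through `## Branch deletion prevention` sections) records `enforce_admins`, `allow_force_pushes`, `allow_deletions` and the PR review fields, but says nothing about the other controls the same branch-protection API response carries, in particular `required_signatures`, `required_linear_history`, `required_conversation_resolution`, `lock_branch` and `block_creations`. The document's own convention is to record a control as "verified as disabled" rather than leave it unmentioned (see `## Private vulnerability reporting`), so add those values even when they are false; otherwise a later reader cannot tell an unchecked setting from a verified one. Two smaller points: `## Security advisories endpoint` should state how the probe authenticated, because that endpoint returns unpublished (draft or triage) advisories only to repository admins or security managers, so "no open advisory evidence was found in this probe" from an unauthenticated or low-scope call is weaker than it reads; and the rationale bullet ending "staged review, and Always-Green discipline" mixes API-verified controls (required CI, no force pushes, no branch deletion) with process commitments that this read-only evidence does not verify, so either split that list or mark which items are evidence and which are practice. Pinning the required context to a check app id rather than to the context name alone is the right call and worth keeping.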