release: cut v0.2.0 metadata

CHANGELOG.md

@@ -6,27 +6,35 @@ This project has no stable public release yet.
 
 ## [Unreleased]
 
+No unreleased changes yet.
+
+## [0.2.0] - 2026-06-15
+
 ### Added
 
 - Documented the v0.2 product direction toward local-first AI agent instruction governance.
 - Added the v0.2 governance rules specification for conservative, deterministic instruction-file diagnostics.
-- Added unreleased governance findings for unsupported security or maturity claims, review or CI bypass guidance, unsafe command execution guidance, runtime network or LLM dependency guidance, missing secret-handling boundaries, and missing instruction scope or authority.
+- Added governance findings for unsupported security or maturity claims, review or CI bypass guidance, unsafe command execution guidance, runtime network or LLM dependency guidance, missing secret-handling boundaries, and missing instruction scope or authority.
 - Added governance finding coverage across console, JSON, and Markdown output paths.
 - Added golden contract coverage for current governance console, JSON, and Markdown output behavior.
 - Added structured finding evidence for line-based governance findings.
 - Added regression coverage for redacting secret-like values from finding evidence in JSON output.
+- Added v0.2 release-readiness, packaging dry-run, and governance-boundaries evidence documents.
 
 ### Changed
 
 - Updated GitHub Actions workflow actions to Node 24-compatible major versions.
-- Preserved the published `v0.1.0` pre-release while documenting unreleased v0.2 governance behavior on `main`.
+- Preserved the published `v0.1.0` pre-release while preparing v0.2.0 metadata.
+- Updated package metadata from `0.1.0` to `0.2.0`.
 
 ### Security
 
 - Kept governance diagnostics conservative, heuristic, and pattern-based.
 - Preserved the runtime boundary: read-only by default, no runtime network calls, no runtime LLM calls, and no execution of commands from analyzed repositories.
 - Redacted secret-like values in finding message, path, and evidence payload fields before emitting supported output.
 - Documented that governance findings are not proof that a repository is safe and do not replace maintainer review.
+- Captured branch protection, required status check, admin enforcement, force-push prevention, deletion prevention, solo-maintainer review profile, and private vulnerability reporting evidence for v0.2 release preparation.
+- Documented that private vulnerability reporting is currently verified as disabled and must not be claimed as enabled.
 
 ## [0.1.0] - 2026-06-09
 

docs/V0.2.0-RELEASE-NOTES-DRAFT.md

@@ -0,0 +1,98 @@
+# v0.2.0 Release Notes Draft
+
+Status: draft only. Do not publish yet.
+
+Date prepared: 2026-06-15.
+
+Target version: `0.2.0`.
+
+This document is a release notes draft for the future `v0.2.0` GitHub Release.
+
+It is not a tag, not a GitHub Release, not an artifact manifest, and not a PyPI publication.
+
+## Release summary draft
+
+`agent-rules-kit` v0.2.0 moves the project from a basic AI-agent instruction-file diagnostic CLI toward a conservative local-first governance diagnostic tool for AI agent instructions.
+
+The release keeps the original product boundary:
+
+- local CLI;
+- read-only by default;
+- no runtime network calls;
+- no runtime LLM calls;
+- no execution of commands from analyzed repositories;
+- no security-scanner claim;
+- no proof-of-safety claim.
+
+## Main changes
+
+v0.2.0 is expected to include:
+
+- governance diagnostics for unsupported security, production-readiness, or maturity claims;
+- governance diagnostics for review or CI bypass guidance;
+- governance diagnostics for unsafe command execution guidance;
+- governance diagnostics for runtime network or LLM dependency guidance;
+- governance diagnostics for missing secret-handling boundaries;
+- governance diagnostics for missing instruction scope or authority;
+- structured finding evidence for line-based governance findings;
+- redaction of secret-like values in finding messages, paths, and evidence payload fields;
+- golden contract coverage for console, JSON, and Markdown output behavior;
+- Node 24-compatible GitHub Actions workflow actions;
+- release-readiness, packaging dry-run, and governance-boundaries evidence documents.
+
+## Security and reporting notes
+
+This project is not a security scanner and does not prove that a repository is safe.
+
+Private vulnerability reporting has been checked and is currently verified as disabled.
+
+Do not claim private vulnerability reporting is enabled.
+
+Sensitive vulnerabilities should not be opened as public issues. If private reporting is unavailable, reporters should avoid publishing secrets, exploit details, private URLs, customer data, or sensitive repository contents.
+
+## Packaging notes
+
+A packaging dry-run was completed before the version cut, but final `v0.2.0` artifacts are still pending.
+
+Final release artifacts must be built after this metadata phase is merged and verified.
+
+The pre-version-cut dry-run checksums must not be reused as final `v0.2.0` release checksums.
+
+## Not included
+
+v0.2.0 must not claim:
+
+- stable public maturity;
+- PyPI availability;
+- complete governance coverage;
+- LLM-based semantic analysis;
+- security scanning;
+- proof of repository safety;
+- private vulnerability reporting enabled;
+- complete secret scanning;
+- runtime repository command execution.
+
+## Remaining release gates
+
+Before publishing a GitHub Release, the maintainer must still verify:
+
+- final release SHA;
+- local checks on final release SHA;
+- CI on final release SHA;
+- final wheel and sdist build;
+- final artifact SHA256 checksums;
+- clean virtual environment install from wheel;
+- clean virtual environment install from sdist;
+- console script smoke test;
+- `python -m agent_rules_kit.cli` smoke test;
+- exact `v0.2.0` tag creation;
+- GitHub Release creation;
+- uploaded release assets;
+- downloaded release assets install and smoke test;
+- no PyPI claim unless PyPI publication is completed in a separate explicit phase.
+
+## Draft decision
+
+This draft may be used only after AIRK-REL021 is merged and verified on `main`.
+
+The next phase after this metadata cut should build and verify final `v0.2.0` artifacts before any tag or GitHub Release is created.

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "agent-rules-kit"
-version = "0.1.0"
+version = "0.2.0"
 description = "Local read-only CLI to diagnose AGENTS.md, Claude Code, Gemini CLI, Cursor and Copilot instruction files."
 readme = "README.md"
 requires-python = ">=3.12"
@@ -27,7 +27,7 @@ Repository = "https://github.com/CoderDeltaLAN/agent-rules-kit"
 Issues = "https://github.com/CoderDeltaLAN/agent-rules-kit/issues"
 Changelog = "https://github.com/CoderDeltaLAN/agent-rules-kit/blob/main/CHANGELOG.md"
 Security = "https://github.com/CoderDeltaLAN/agent-rules-kit/security/policy"
-Release = "https://github.com/CoderDeltaLAN/agent-rules-kit/releases/tag/v0.1.0"
+Release = "https://github.com/CoderDeltaLAN/agent-rules-kit/releases/tag/v0.2.0"
 
 [project.scripts]
 agent-rules-kit = "agent_rules_kit.cli:main"

src/agent_rules_kit/__init__.py

@@ -1,3 +1,3 @@
 """agent-rules-kit package."""
 
-__version__ = "0.1.0"
+__version__ = "0.2.0"

tests/test_cli.py

@@ -20,7 +20,7 @@ def test_version_flag_prints_version(self) -> None:
             exit_code = main(["--version"])
 
         self.assertEqual(exit_code, 0)
-        self.assertIn("agent-rules-kit 0.1.0", output.getvalue())
+        self.assertIn("agent-rules-kit 0.2.0", output.getvalue())
 
     def test_help_is_default(self) -> None:
         output = io.StringIO()