From 82616ef55f76374d6ab0f155aa5a7c621bc5eac2 Mon Sep 17 00:00:00 2001 From: PythonWoods-Dev Date: Fri, 8 May 2026 09:06:05 +0200 Subject: [PATCH 01/13] infra: align Nox matrix and Mypy to CI Boundary Testing (Floor 3.10 / Peak 3.14) - PYTHONS: ["3.11","3.12","3.13"] -> ["3.10","3.14"] (mirrors CI Pillar Matrix) - Fixed sessions (lint, format, fmt, typecheck, reuse, security, mutation, bump): python="3.11" -> python="3.14" - [tool.mypy] python_version: "3.11" -> "3.10" (enforces floor compat; tomllib/tomli guard and backport dep already in place) - CHANGELOG: [Unreleased] section added (EN + IT) --- CHANGELOG.it.md | 17 +++++++++++++++++ CHANGELOG.md | 17 +++++++++++++++++ noxfile.py | 22 ++++++++++++---------- pyproject.toml | 2 +- 4 files changed, 47 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.it.md b/CHANGELOG.it.md index ee1fc61..d9bfa93 100644 --- a/CHANGELOG.it.md +++ b/CHANGELOG.it.md 
@@ -11,6 +11,23 @@ Le versioni seguono il [Semantic Versioning](https://semver.org/). > **Cronologia di sviluppo (v0.1.0 – v0.6.x):** Consultare l'[Archivio Changelog](CHANGELOG.it.archive.md). +## [Non Rilasciato] + +### Modificato + +- **Matrice di test — Boundary Testing (parità CI):** `PYTHONS` di Nox aggiornato da + `["3.11", "3.12", "3.13"]` a `["3.10", "3.14"]`, specchiando la CI Pillar Matrix + (Floor 3.10 / Peak 3.14). Elimina la divergenza "verde in locale ≠ verde in remoto". +- **Sessioni a versione fissa pinnate al Peak 3.14:** Le sessioni `lint`, `format`, + `fmt`, `typecheck`, `reuse`, `security`, `mutation` e `bump` aggiornate da + `python="3.11"` a `python="3.14"`. +- **Floor Mypy abbassato a 3.10:** `[tool.mypy] python_version` modificato da `"3.11"` a + `"3.10"`, imponendo la compatibilità al floor dichiarato `requires-python = ">=3.10"`. + Il guard `tomllib` / `tomli` (`sys.version_info >= (3, 11)`) e la dipendenza runtime + `tomli>=2.0.0; python_version < '3.11'` erano già in posto. + +--- + ## [0.7.0] — 2026-05-07 — Quartz Maturity (Stable) > **Documentazione precedente:** Le versioni precedenti a v0.7.0 sono ufficialmente deprecate diff --git a/CHANGELOG.md b/CHANGELOG.md index 7877d8e..63feb8f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -11,6 +11,23 @@ Versions follow [Semantic Versioning](https://semver.org/). > **Development history (v0.1.0 – v0.6.x):** See the [Changelog Archive](CHANGELOG.archive.md). +## [Unreleased] + +### Changed + +- **Test matrix — Boundary Testing (CI parity):** Nox `PYTHONS` updated from + `["3.11", "3.12", "3.13"]` to `["3.10", "3.14"]`, mirroring the CI Pillar Matrix + (Floor 3.10 / Peak 3.14). Eliminates the local-vs-remote "green divergence". +- **Fixed-version sessions pinned to Peak 3.14:** `lint`, `format`, `fmt`, `typecheck`, + `reuse`, `security`, `mutation`, and `bump` sessions updated from `python="3.11"` to + `python="3.14"`. +- **Mypy floor lowered to 3.10:** `[tool.mypy] python_version` changed from `"3.11"` to + `"3.10"`, enforcing compatibility at the declared `requires-python = ">=3.10"` floor. + The `tomllib` / `tomli` compatibility guard (`sys.version_info >= (3, 11)`) and the + `tomli>=2.0.0; python_version < '3.11'` runtime dependency were already in place. + +--- + ## [0.7.0] — 2026-05-07 — Quartz Maturity (Stable) > **Legacy Documentation:** Versions prior to v0.7.0 are officially deprecated and do not follow diff --git a/noxfile.py b/noxfile.py index 424f996..fdf9fe6 100644 --- a/noxfile.py +++ b/noxfile.py 
@@ -9,12 +9,14 @@ nox.options.reuse_existing_virtualenvs = True nox.options.default_venv_backend = "uv" -# Nox = isolated environments for multi-version compatibility (3.11/3.12/3.13). +# Nox = isolated environments for multi-version compatibility (3.10 – 3.14). # Daily quality gate is `just verify` (single entry-point — see justfile). # NOTE: posargs are forwarded with `--`, e.g.: nox -s lint -- --fix nox.options.sessions = ["lint", "format", "typecheck"] -PYTHONS = ["3.11", "3.12", "3.13"] +# Boundary Testing: mirrors the CI Pillar Matrix (Floor 3.10 / Peak 3.14). +# Intermediate versions are covered by the full nox-all run in release cycles. +PYTHONS = ["3.10", "3.14"] # Per-group sync tuples — each session installs only what it needs. _SYNC_TEST = ("uv", "sync", "--active", "--group", "test") @@ -36,7 +38,7 @@ def tests(session: nox.Session) -> None: ) -@nox.session(python="3.11") +@nox.session(python="3.14") def lint(session: nox.Session) -> None: """Run ruff linting checks. 
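Review bot: The new comment above `PYTHONS` says intermediate versions are covered by "the full nox-all run in release cycles", but nothing in this hunk defines such a run, and the header comment still reads as a continuous range (`3.10 – 3.14`) while only the two endpoints are listed. If the `tests` session is parametrized on `PYTHONS` (its decorator is outside the hunk), 3.11–3.13 are no longer exercised by Nox at all. I would either name the recipe or session that runs the full range, or word the comment as `# Nox = isolated environments for boundary compatibility (3.10 and 3.14 only).` so readers do not assume coverage that is not there.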
@@ -46,35 +48,35 @@ def lint(session: nox.Session) -> None: session.run("ruff", "check", *session.posargs, "src/", "tests/") -@nox.session(python="3.11") +@nox.session(python="3.14") def format(session: nox.Session) -> None: # noqa: A001 """Check code formatting with ruff (read-only, used in CI).""" session.run(*_SYNC_LINT, external=True) session.run("ruff", "format", "--check", "src/", "tests/") -@nox.session(python="3.11") +@nox.session(python="3.14") def fmt(session: nox.Session) -> None: """Auto-format code with ruff in place (use during development).""" session.run(*_SYNC_LINT, external=True) session.run("ruff", "format", "src/", "tests/") -@nox.session(python="3.11") +@nox.session(python="3.14") def typecheck(session: nox.Session) -> None: """Run static type checking with mypy.""" session.run(*_SYNC_LINT, external=True) session.run("mypy", "src/") -@nox.session(python="3.11") +@nox.session(python="3.14") def reuse(session: nox.Session) -> None: """Verify REUSE/SPDX license compliance.""" session.run(*_SYNC_LINT, external=True) session.run("reuse", "lint") -@nox.session(python="3.11") +@nox.session(python="3.14") def security(session: nox.Session) -> None: """Audit third-party dependencies for known CVEs with pip-audit.""" session.install("pip-audit") @@ -114,7 +116,7 @@ def security(session: nox.Session) -> None: ) -@nox.session(python="3.11") +@nox.session(python="3.14") def mutation(session: nox.Session) -> None: """Run mutation testing with mutmut on the security-critical core modules. @@ -163,7 +165,7 @@ def dev(session: nox.Session) -> None: session.run("uv", "run", "pre-commit", "install", "-t", "pre-push", external=True) -@nox.session(python="3.11", venv_backend="none") +@nox.session(python="3.14", venv_backend="none") def bump(session: nox.Session) -> None: """Bump the project version and create a release commit + tag. diff --git a/pyproject.toml b/pyproject.toml index 43e7d66..b3bbb2b 100644 --- a/pyproject.toml +++ b/pyproject.toml 
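Review bot: Pinning the `security` session to `python="3.14"` means pip-audit works from an environment resolved for 3.14, so marker-gated packages for the floor may fall outside the audit; the changelog in this series names `tomli>=2.0.0; python_version < '3.11'` as one. The session body continues outside the hunk, so how the requirement list is produced is not visible; if it audits the session's own environment, the 3.10-only dependencies are never checked for known CVEs. Consider running the audit at both ends of the matrix with `@nox.session(python=PYTHONS)`, or feeding pip-audit an export that includes all environment markers. The context line `session.install("pip-audit")` also installs the auditor unpinned, which is worth a pinned version in a security gate.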
@@ -148,7 +148,7 @@ indent-style = "space" # ─── Mypy ───────────────────────────────────────────────────────────────────── [tool.mypy] -python_version = "3.11" +python_version = "3.10" strict = true ignore_missing_imports = true From 85e0663044610b06a9e03c0641f46a64fb6ad6c0 Mon Sep 17 00:00:00 2001 From: PythonWoods-Dev Date: Fri, 8 May 2026 09:14:28 +0200 Subject: [PATCH 02/13] fix(mypy): resolve 4 errors exposed by python_version="3.10" floor MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove unused # type: ignore[no-redef] from tomllib/tomli guards in config.py, _zensical.py, validator.py: with target 3.10 mypy evaluates sys.version_info >= (3, 11) as False, sees only the else branch (first and only import), no redefinition occurs. ignore_missing_imports=true handles the missing tomli stub. - exclusion.py: replace 'from typing import Self' with 'from typing_extensions import Self' under TYPE_CHECKING. typing.Self requires Python 3.11+ (PEP 673); typing_extensions provides the backport, available as transitive dep via pydantic>=2. mypy src/: Success — 39 source files, 0 errors. --- src/zenzic/core/adapters/_zensical.py | 2 +- src/zenzic/core/exclusion.py | 2 +- src/zenzic/core/validator.py | 2 +- src/zenzic/models/config.py | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/zenzic/core/adapters/_zensical.py b/src/zenzic/core/adapters/_zensical.py index d8472d6..e2f5f52 100644 --- a/src/zenzic/core/adapters/_zensical.py +++ b/src/zenzic/core/adapters/_zensical.py @@ -30,7 +30,7 @@ if sys.version_info >= (3, 11): import tomllib else: - import tomli as tomllib # type: ignore[no-redef] # PEP 680 backport + import tomli as tomllib # PEP 680 backport from typing import TYPE_CHECKING, Any from zenzic.core.adapters._mkdocs import MkDocsAdapter, _load_doc_config, find_config_file diff --git a/src/zenzic/core/exclusion.py b/src/zenzic/core/exclusion.py index c97a391..62c5e5d 100644 
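Review bot: Dropping `# type: ignore[no-redef]` on `import tomli as tomllib` here (and in the matching hunks for `validator.py` and `config.py`) leans on `ignore_missing_imports = true`, as the commit message says, which means `tomllib` is typed as `Any` whenever `tomli` is absent from the type-check environment. Since the previous patch pins the `typecheck` session to 3.14 and `tomli` is gated by `python_version < '3.11'`, that is likely the normal case, so every TOML-parsing call is checked against `Any` rather than the real signatures. Installing `tomli` unconditionally in the lint dependency group would let mypy check the 3.10 branch for real. A short comment at the import, e.g. `# mypy targets 3.10, so this branch is the one that is type-checked`, would also record why the ignore is gone.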
--- a/src/zenzic/core/exclusion.py +++ b/src/zenzic/core/exclusion.py @@ -34,7 +34,7 @@ if TYPE_CHECKING: - from typing import Self # PEP 673; available at runtime only from Python 3.11+ + from typing_extensions import Self # PEP 673; typing.Self requires Python 3.11+ from zenzic.models.config import ( SYSTEM_EXCLUDED_DIRS, diff --git a/src/zenzic/core/validator.py b/src/zenzic/core/validator.py index 7a24550..9d3e963 100644 --- a/src/zenzic/core/validator.py +++ b/src/zenzic/core/validator.py @@ -39,7 +39,7 @@ if sys.version_info >= (3, 11): import tomllib else: - import tomli as tomllib # type: ignore[no-redef] # PEP 680 backport + import tomli as tomllib # PEP 680 backport from dataclasses import dataclass, field from pathlib import Path from typing import TYPE_CHECKING, Any, Literal, NamedTuple diff --git a/src/zenzic/models/config.py b/src/zenzic/models/config.py index e0aada6..552275e 100644 --- a/src/zenzic/models/config.py +++ b/src/zenzic/models/config.py @@ -12,7 +12,7 @@ if sys.version_info >= (3, 11): import tomllib else: - import tomli as tomllib # type: ignore[no-redef] # PEP 680 backport + import tomli as tomllib # PEP 680 backport from typing import Any, Literal from pydantic import BaseModel, Field From 5d77e407bec0aab67593c36d55039a868283998e Mon Sep 17 00:00:00 2001 From: PythonWoods-Dev Date: Fri, 8 May 2026 12:40:12 +0200 Subject: [PATCH 03/13] feat(dx): add _check-hooks pre-push guard to just verify --- CHANGELOG.it.md | 6 ++++++ CHANGELOG.md | 6 ++++++ justfile | 9 ++++++++- 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.it.md b/CHANGELOG.it.md index d9bfa93..570c5bf 100644 --- a/CHANGELOG.it.md +++ b/CHANGELOG.it.md 
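Review bot: `from typing_extensions import Self` in `exclusion.py` depends on a package the project apparently does not declare itself; the commit message says it arrives only transitively through pydantic. Because the import sits under `TYPE_CHECKING` nothing breaks at runtime, but with `ignore_missing_imports = true` a missing `typing_extensions` would quietly turn `Self` into `Any` instead of failing the type check. Declaring it directly in the lint group (for example `typing_extensions>=4.0`, exact constraint to be chosen by the maintainers) keeps the check honest and the dependency explicit. The rest of the module is outside the hunk, so whether annotations using `Self` are evaluated lazily cannot be confirmed here.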
@@ -13,6 +13,12 @@ Le versioni seguono il [Semantic Versioning](https://semver.org/). ## [Non Rilasciato] +### Aggiunto + +- **DX guard `_check-hooks`:** Aggiunta recipe nascosta `_check-hooks` come prima dipendenza + di `just verify`. Emette un avviso se l’hook Final Guard pre-push (`pre-commit install + -t pre-push`) non è installato localmente, senza bloccare l’esecuzione della verifica. + ### Modificato - **Matrice di test — Boundary Testing (parità CI):** `PYTHONS` di Nox aggiornato da diff --git a/CHANGELOG.md b/CHANGELOG.md index 63feb8f..fc03732 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,12 @@ Versions follow [Semantic Versioning](https://semver.org/). ## [Unreleased] +### Added + +- **`_check-hooks` DX guard:** Added hidden `_check-hooks` recipe as first dependency of + `just verify`. Emits a warning if the pre-push Final Guard hook (`pre-commit install + -t pre-push`) is not installed locally, without blocking the verification run. + ### Changed - **Test matrix — Boundary Testing (CI parity):** Nox `PYTHONS` updated from diff --git a/justfile b/justfile index 0d462d4..be1c4a2 100644 --- a/justfile +++ b/justfile @@ -76,11 +76,18 @@ lint: # Final Guard: atomic verification invoked by pre-push hook + GHA. # Sequence: pre-commit (all hooks) → test-cov (with coverage gate) → zenzic self-check. -verify: +verify: _check-hooks uvx pre-commit run --all-files just test-cov just check +_check-hooks: + #!/usr/bin/env bash + if [ ! -f .git/hooks/pre-push ]; then + echo "⚠️ WARNING: Pre-push hook not installed — commits are unprotected before push." + echo "👉 Run: pre-commit install -t pre-push" + fi + # ─── Cleanup ────────────────────────────────────────────────────────────── # Remove generated artefacts (.nox is kept — reuse avoids reinstalling deps) From ca12399a97f8bcc89658b03a1af65713052ba0ab Mon Sep 17 00:00:00 2001 
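Review bot: The `_check-hooks` test `[ ! -f .git/hooks/pre-push ]` only proves that a file exists at a hard-coded path, which misreports in both directions. In a linked worktree or submodule `.git` is a file, and with `core.hooksPath` set the hooks live elsewhere, so the warning fires although a hook is installed; conversely a leftover or non-executable `pre-push` silences the warning although git will not run it. Resolving the path through git and testing executability is more reliable: `hook="$(git rev-parse --git-path hooks)/pre-push"` followed by `if [ ! -x "$hook" ]; then`. The later patch in this series that rewords the message keeps the same test.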
From: PythonWoods-Dev Date: Fri, 8 May 2026 12:50:20 +0200 Subject: [PATCH 04/13] =?UTF-8?q?dx:=20polish=20=5Fcheck-hooks=20warning?= =?UTF-8?q?=20=E2=80=94=20empathetic=20copy=20with=20uvx=20fix=20command?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- justfile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/justfile b/justfile index be1c4a2..a0a4222 100644 --- a/justfile +++ b/justfile @@ -84,8 +84,10 @@ verify: _check-hooks _check-hooks: #!/usr/bin/env bash if [ ! -f .git/hooks/pre-push ]; then - echo "⚠️ WARNING: Pre-push hook not installed — commits are unprotected before push." - echo "👉 Run: pre-commit install -t pre-push" + echo -e "\033[33m⚠️ WARNING: Pre-push hook is not installed.\033[0m" + echo "Without it, you might accidentally push broken code to GitHub and fail the remote CI." + echo "👉 Fix it by running: uvx pre-commit install -t pre-push" + echo "" fi # ─── Cleanup ────────────────────────────────────────────────────────────── From a7aa0ef0d254863a3b2c056738f378c6551372ad Mon Sep 17 00:00:00 2001 From: PythonWoods-Dev Date: Fri, 8 May 2026 14:59:13 +0200 Subject: [PATCH 05/13] fix(registry): add Z000 to CODE_NAMES, CODE_DESCRIPTIONS, CODE_SARIF_LEVELS Z000 (UNSUPPORTED_ENGINE) was documented in docstring and finding-codes.mdx but missing from the three canonical dicts. Registry now at 34 codes. verify-codes-parity counts Z000 as a full encyclopedia entry. --- CHANGELOG.it.md | 8 ++++++++ CHANGELOG.md | 8 ++++++++ src/zenzic/core/codes.py | 8 ++++++++ 3 files changed, 24 insertions(+) diff --git a/CHANGELOG.it.md b/CHANGELOG.it.md index 570c5bf..1924d98 100644 --- a/CHANGELOG.it.md +++ b/CHANGELOG.it.md 
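Review bot: The reworded warning is written to stdout with `echo -e` and a raw ANSI escape, so it is mixed into the normal output of `just verify` and may appear as escape bytes in logs that are not a terminal. Sending it to stderr with `printf`, e.g. `printf '\033[33m%s\033[0m\n' "⚠️ WARNING: Pre-push hook is not installed." >&2`, keeps the diagnostic separable and avoids relying on `echo -e` behaviour. Colour could additionally be gated on `[ -t 2 ]`.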
@@ -32,6 +32,14 @@ Le versioni seguono il [Semantic Versioning](https://semver.org/). Il guard `tomllib` / `tomli` (`sys.version_info >= (3, 11)`) e la dipendenza runtime `tomli>=2.0.0; python_version < '3.11'` erano già in posto. +### Corretto + +- **`Z000` aggiunto al registro dei codici (`codes.py`):** `Z000` (UNSUPPORTED_ENGINE) + era già documentato nello schema nel docstring di `codes.py` e in `finding-codes.mdx`, + ma mancava dai dizionari `CODE_NAMES`, `CODE_DESCRIPTIONS` e `CODE_SARIF_LEVELS`. + Il registro conta ora 34 codici canonici. La sessione `verify-codes-parity` include + Z000 come voce completa dell’enciclopedia con anchor `{#z000}`. + --- ## [0.7.0] — 2026-05-07 — Quartz Maturity (Stable) diff --git a/CHANGELOG.md b/CHANGELOG.md index fc03732..8a13361 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -32,6 +32,14 @@ Versions follow [Semantic Versioning](https://semver.org/). The `tomllib` / `tomli` compatibility guard (`sys.version_info >= (3, 11)`) and the `tomli>=2.0.0; python_version < '3.11'` runtime dependency were already in place. +### Fixed + +- **`Z000` added to code registry (`codes.py`):** `Z000` (UNSUPPORTED_ENGINE) was + already documented in the `codes.py` docstring schema and in `finding-codes.mdx`, + but was absent from `CODE_NAMES`, `CODE_DESCRIPTIONS`, and `CODE_SARIF_LEVELS`. + Registry now complete at 34 canonical codes. The `verify-codes-parity` session + counts Z000 as a full encyclopedia entry with `{#z000}` anchor. + --- ## [0.7.0] — 2026-05-07 — Quartz Maturity (Stable) diff --git a/src/zenzic/core/codes.py b/src/zenzic/core/codes.py index d6f18bd..003666b 100644 --- a/src/zenzic/core/codes.py +++ b/src/zenzic/core/codes.py 
@@ -7,6 +7,9 @@ Schema ------ +Z0xx — Migration & Compatibility + Z000 UNSUPPORTED_ENGINE — unsupported/removed engine identifier; ConfigurationError before analysis + Z1xx — Link Integrity Z101 LINK_BROKEN — target file not found in the Virtual Site Map Z102 ANCHOR_MISSING — fragment target (#anchor) not defined on the page @@ -89,6 +92,7 @@ class ZenzicExitCode: #: Human-readable name for each code (for report headers). CODE_NAMES: dict[str, str] = { + "Z000": "UNSUPPORTED_ENGINE", "Z101": "LINK_BROKEN", "Z102": "ANCHOR_MISSING", "Z103": "ORPHAN_LINK", @@ -127,6 +131,8 @@ class ZenzicExitCode: #: Short description of each code for SARIF ``shortDescription`` and human display. #: Single source of truth — never duplicate these strings in other modules. CODE_DESCRIPTIONS: dict[str, str] = { + # Z0xx — Migration & Compatibility + "Z000": "Unsupported or removed engine identifier in zenzic.toml — configuration guard raised before analysis begins", # Z1xx — Link Integrity "Z101": "Link target not found in the Virtual Site Map", "Z102": "Fragment anchor (#anchor) not defined on the target page", @@ -172,6 +178,8 @@ class ZenzicExitCode: #: Z1xx/Z2xx → "error" | Z3xx–Z9xx quality → "warning" | Z906 informational → "note" #: Individual Finding severity always takes precedence at result level. CODE_SARIF_LEVELS: dict[str, str] = { + # Z0xx — Migration & Compatibility: fatal error (aborts before analysis begins) + "Z000": "error", # Z1xx — Link Integrity: errors (broken links block the user experience) "Z101": "error", "Z102": "error", From 60818ca7bb59436ec02764fb8f6bdebed60e6a5f Mon Sep 17 00:00:00 2001 
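Review bot: This fix adds `Z000` by hand to three parallel dicts, and nothing in these hunks prevents the same drift from recurring with the next code. A module-level or test-level check such as `assert CODE_NAMES.keys() == CODE_DESCRIPTIONS.keys() == CODE_SARIF_LEVELS.keys()` would catch a code missing from one registry before a finding is emitted without a name or SARIF level. Whether `verify-codes-parity` already compares the dicts with each other is not visible here. The summary comment above `CODE_SARIF_LEVELS` (`Z1xx/Z2xx → "error" | …`) should also gain the new family, e.g. `Z0xx/Z1xx/Z2xx → "error"`.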
From: PythonWoods Date: Fri, 8 May 2026 18:03:33 +0200 Subject: [PATCH 06/13] chore: align documentation and fix bump configuration --- .../ISSUE_TEMPLATE/security_vulnerability.yml | 2 +- CHANGELOG.it.md | 2 +- CHANGELOG.md | 2 +- CITATION.cff | 4 ++-- CONTRIBUTING.md | 4 ++-- README.it.md | 10 ++++---- README.md | 8 +++---- RELEASE.md | 24 +++++++++---------- pyproject.toml | 15 ++++-------- src/zenzic/__init__.py | 2 +- uv.lock | 2 +- 11 files changed, 34 insertions(+), 41 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/security_vulnerability.yml b/.github/ISSUE_TEMPLATE/security_vulnerability.yml index 5624e5b..8d513cf 100644 --- a/.github/ISSUE_TEMPLATE/security_vulnerability.yml +++ b/.github/ISSUE_TEMPLATE/security_vulnerability.yml @@ -29,7 +29,7 @@ body: attributes: label: Zenzic version description: Output of `zenzic --version` - placeholder: "0.6.1rc1" + placeholder: "0.7.1a1" validations: required: true diff --git a/CHANGELOG.it.md b/CHANGELOG.it.md index 1924d98..4f96549 100644 --- a/CHANGELOG.it.md +++ b/CHANGELOG.it.md @@ -42,7 +42,7 @@ Le versioni seguono il [Semantic Versioning](https://semver.org/). --- -## [0.7.0] — 2026-05-07 — Quartz Maturity (Stable) +## [0.7.1a1] — 2026-05-07 — Quartz Maturity (Stable) > **Documentazione precedente:** Le versioni precedenti a v0.7.0 sono ufficialmente deprecate > e non seguono l'attuale architettura Diátaxis. Per riferimento storico, vedere la diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a13361..8513e66 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -42,7 +42,7 @@ Versions follow [Semantic Versioning](https://semver.org/). --- -## [0.7.0] — 2026-05-07 — Quartz Maturity (Stable) +## [0.7.1a1] — 2026-05-07 — Quartz Maturity (Stable) > **Legacy Documentation:** Versions prior to v0.7.0 are officially deprecated and do not follow > the current Diátaxis architecture. For historical reference, see the diff --git a/CITATION.cff b/CITATION.cff index 81af61b..9bfcf38 100644 --- a/CITATION.cff +++ b/CITATION.cff 
@@ -14,8 +14,8 @@ abstract: >- Markdown-based documentation. Zenzic introduces Universal Discovery, VCS-aware exclusion mapping, and the Sentinel Shield middleware to provide a deterministic Safe Harbor for complex documentation lifecycles. -version: 0.7.0 -date-released: 2026-05-07 +version: 0.7.1a1 +date-released: 2026-05-08 url: "https://zenzic.dev" repository-code: "https://github.com/PythonWoods/zenzic" repository-artifact: "https://pypi.org/project/zenzic/" diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 58c0aad..7810eca 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -64,7 +64,7 @@ uvx pre-commit install # commit-stage: light hooks (ruff, format, h uvx pre-commit install -t pre-push # pre-push: 🛡️ Final Guard runs `just verify` ``` -The pre-push hook is the atomic gate of EPOCH 4 / v0.7.0: a single +The pre-push hook is the atomic gate of EPOCH 4 / v0.7.1a1: a single entry-point (`just verify`) runs both locally and in GitHub Actions — **locale ≡ remote, no drift**. Pushes are blocked when any of the 4 Gates (pre-commit hooks, coverage, tests, `zenzic check all`) fails. @@ -145,7 +145,7 @@ paths in any contribution, use `pathlib.Path` throughout — never string concat > Node 24 runner environment. GitHub-hosted runners (`ubuntu-latest`) satisfy this > automatically; self-hosted runners must use Node ≥ 24. -### CI Pillar Matrix (v0.7.0) +### CI Pillar Matrix (v0.7.1a1) Zenzic adopts a **Pillar Matrix** strategy — testing the boundaries rather than every intermediate version: diff --git a/README.it.md b/README.it.md index 1ee96f4..b6ea9e3 100644 --- a/README.it.md +++ b/README.it.md 
@@ -124,7 +124,7 @@ zenzic check all # Analizza la cartella corrente **Correzione automatica:** `zenzic clean assets [-y] [--dry-run]` elimina gli asset inutilizzati. -> 🚀 **v0.7.0 "Quartz Maturity" (Stabile)** — Suggerimenti proattivi Z104, audit di verità +> 🚀 **v0.7.1a1 "Quartz Maturity" (Stabile)** — Suggerimenti proattivi Z104, audit di verità > Standalone Mode e hardening dell'Engineering Ledger. Vedi [CHANGELOG.md](CHANGELOG.md). --- @@ -221,7 +221,7 @@ severity = "warning" Le regole si attivano identicamente su tutti gli adapter. Nessuna modifica richiesta dopo la migrazione del motore. -> **Garanzia DFA** (v0.7.0+): I pattern delle custom rule devono essere compatibili con RE2 — +> **Garanzia DFA** (v0.7.1a1+): I pattern delle custom rule devono essere compatibili con RE2 — > backreference, lookahead e lookbehind vengono rifiutati al caricamento. Consulta > [Architettura › Garanzia DFA](https://zenzic.dev/it/docs/explanation/architecture#dfa-guarantee). @@ -322,7 +322,7 @@ zenzic lab [--act N] [--list] ## 📟 Tour Visivo ```text -╭─────────────────────── 🛡 ZENZIC SENTINEL v0.7.0 ────────────────────────╮ +╭─────────────────────── 🛡 ZENZIC SENTINEL v0.7.1a1 ────────────────────────╮ │ │ │ docusaurus • 38 file (18 docs, 20 asset) • 0.9s │ │ │ 
@@ -498,9 +498,9 @@ Zenzic è nato da un percorso tecnico attraverso la fragilità dei moderni ecosi documentazione. Scopri la filosofia, l'assedio della sicurezza e l'ingegneria dietro il Sentinel nelle [**Engineering Chronicles**](https://zenzic.dev/blog/tags/chronicles) sul blog ufficiale. -La storia della release v0.7.0 — l'assedio red-team guidato dall'IA, 4 vettori di bypass +La storia della release v0.7.1a1 — l'assedio red-team guidato dall'IA, 4 vettori di bypass chiusi, e la strada verso la parità engine-agnostica — è documentata in -[**Beyond the Siege: Zenzic v0.7.0**](https://zenzic.dev/blog/beyond-the-siege-zenzic-v070-quartz). +[**Beyond the Siege: Zenzic v0.7.1a1**](https://zenzic.dev/blog/beyond-the-siege-zenzic-v070-quartz). --- diff --git a/README.md b/README.md index de9372d..8f9f993 100644 --- a/README.md +++ b/README.md @@ -139,7 +139,7 @@ zenzic check all # Audit the current directory **Autofix:** `zenzic clean assets [-y] [--dry-run]` deletes unused images. -> 🚀 **v0.7.0 "Quartz Maturity" (Stable)** — Z104 proactive suggestions, Standalone +> 🚀 **v0.7.1a1 "Quartz Maturity" (Stable)** — Z104 proactive suggestions, Standalone > Mode truth audit, and Engineering Ledger hardening. See [CHANGELOG.md](CHANGELOG.md). --- @@ -234,7 +234,7 @@ severity = "warning" Rules fire identically across all adapters. No changes required after engine migration. -> **DFA Guarantee** (v0.7.0+): Custom rule patterns must be RE2-compatible — backreferences, +> **DFA Guarantee** (v0.7.1a1+): Custom rule patterns must be RE2-compatible — backreferences, > lookaheads, and lookbehinds are rejected at load time. See > [Architecture › DFA Guarantee](https://zenzic.dev/docs/explanation/architecture#dfa-guarantee). 
@@ -493,9 +493,9 @@ Zenzic was born from a technical journey through the fragility of modern documen ecosystems. Discover the philosophy, the security siege, and the engineering behind the Sentinel in the [**Engineering Chronicles**](https://zenzic.dev/blog/tags/chronicles) on the official blog. -The v0.7.0 release story — AI-driven red-team siege, 4 bypass vectors closed, and the +The v0.7.1a1 release story — AI-driven red-team siege, 4 bypass vectors closed, and the road to engine-agnostic parity — is documented in -[**Beyond the Siege: Zenzic v0.7.0**](https://zenzic.dev/blog/beyond-the-siege-zenzic-v070-quartz). +[**Beyond the Siege: Zenzic v0.7.1a1**](https://zenzic.dev/blog/beyond-the-siege-zenzic-v070-quartz). --- diff --git a/RELEASE.md b/RELEASE.md index 06c95fd..1a8790e 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -1,10 +1,10 @@ -# 💎 Zenzic v0.7.0 — The Quartz Era (Quartz Maturity) +# 💎 Zenzic v0.7.1a1 — The Quartz Era (Quartz Maturity) This release marks the birth of the Sovereign Knowledge System. Following the Quartz Purgation, Zenzic definitively abandons all experimental residues to become a deterministic, industrial-grade infrastructure. -## 🏛️ The Pillars of v0.7.0 +## 🏛️ The Pillars of v0.7.1a1 - **Deterministic Integrity**: Complete absence of any probabilistic dependency or logic. Zenzic now operates exclusively on structural facts and certain invariants. - **Sentinel Seal**: A 4-stage validation system (4-Gates Standard) ensuring absolute quality before every push. 
@@ -17,7 +17,7 @@ This release marks the birth of the Sovereign Knowledge System. Following the Qu ## ⚠️ Evolution Note (Breaking Changes) -v0.7.0 is Year Zero. Previous versions are officially deprecated as they do not follow the current Diátaxis architecture. Every reference to old brands or legacy architectures has been removed to make way for a lean ecosystem focused on source purity. +v0.7.1a1 is Year Zero. Previous versions are officially deprecated as they do not follow the current Diátaxis architecture. Every reference to old brands or legacy architectures has been removed to make way for a lean ecosystem focused on source purity. ## 🚀 Towards the Future @@ -45,7 +45,7 @@ With this release, Zenzic is no longer just a tool, but a trust platform for doc ## 🛡️ EPOCH 4 — The Safe Port (4-Gates Standard) -v0.7.0 introduces the **atomic single entry-point** for quality: +v0.7.1a1 introduces the **atomic single entry-point** for quality: ```bash just verify # locale ≡ remote — same command in pre-push hook AND GitHub Actions @@ -77,7 +77,7 @@ harden the gate; a silent one is a betrayal of the Safe Port. ## 🌍 EPOCH 5 — Z907 I18N_PARITY (Cross-Language Integrity) -v0.7.0 closes the last gap in the documentation integrity story: +v0.7.1a1 closes the last gap in the documentation integrity story: **translation drift**. A new core scanner — `Z907 I18N_PARITY` — verifies that every base-language documentation file has a mirror in each configured target language root, and that key frontmatter fields @@ -125,7 +125,7 @@ The check integrates seamlessly into `zenzic check all` and respects Multi-instance Docusaurus setups (e.g. `/docs/*` user area + `/developers/*` contributor area) need legitimate cross-plugin links — but those links look absolute (`/developers/foo`) and would normally trip `Z105 ABSOLUTE_PATH`. -v0.7.0 introduces a **declarative trust contract**: +v0.7.1a1 introduces a **declarative trust contract**: ```toml # zenzic.toml — opt-in, empty by default 
@@ -176,7 +176,7 @@ read-only `zenzic inspect config` command. Documented in the ## 🌳 EPOCH 7a — Multi-Root Discovery (VSM Blindness Sealed) -For every release before v0.7.0 the VSM ingested **only** files under `docs_dir`. +For every release before v0.7.1a1 the VSM ingested **only** files under `docs_dir`. Modern static-site generators routinely manage content trees that live outside `docs/` — the textbook case is the Docusaurus `blog/` directory, materialised as live URLs at build time. A pre-EPOCH-7a `zenzic check all --strict` would never see those files: broken @@ -198,7 +198,7 @@ Adapters opt in by implementing the optional `get_extra_content_roots(repo_root) -> list[ContentRoot]` method. The Core discovers it via `hasattr()` — the same convention already used by `get_locale_source_roots` — so adapters that have nothing to declare need no stub. **The addition is non-breaking** for -third-party adapters built against the v0.7.0 Protocol. +third-party adapters built against the v0.7.1a1 Protocol. ### Four pipeline stages cooperate @@ -267,7 +267,7 @@ ever saying `where`. ## 🌿 EPOCH 7a.1 — Zero-Config Sovereignty (`absolute_path_allowlist` Purged) -EPOCH 7a.1 extends the Zero-Config invariant to one of v0.7.0's last residues of +EPOCH 7a.1 extends the Zero-Config invariant to one of v0.7.1a1's last residues of user-side coupling: the `[link_validation].absolute_path_allowlist` block. Multi-instance Docusaurus sites (one `@docusaurus/plugin-content-docs` instance per top-level URL prefix — e.g. `/docs/` for the user manual and 
@@ -388,7 +388,7 @@ all three. Zero asymmetries. ### Why Hard-Remove, Not Deprecate D002 introduced `.zenzic.dev.toml` as an Environmental Privacy Gate. v0.6.1 was never -published to end users; v0.7.0 is Year Zero. There are no production deployments to protect. +published to end users; v0.7.1a1 is Year Zero. There are no production deployments to protect. A deprecation warning would add scanning overhead and imply a support contract that does not exist. The Quartz Maturity standard admits no nostalgia. @@ -427,7 +427,7 @@ credential obfuscation via Base64 encoding, percent-encoding, and mixed-case nor (Shield — exit 2), Windows absolute path injection (`C:\`, UNC shares), and cross-line credential splitting via the ZRT-007 lookback buffer. -**Base64 Speculative Decoder (v0.7.0 D095):** The Shield now decodes candidate Base64 tokens +**Base64 Speculative Decoder (v0.7.1a1 D095):** The Shield now decodes candidate Base64 tokens and re-scans the decoded text. A GitHub PAT encoded as `Z2hwXzEyMzQ...` in frontmatter triggers Z201 and exits 2. Attack vector S2 sealed. @@ -436,7 +436,7 @@ so that mixed-case paths on APFS/NTFS no longer produce false-positive traversal **Known limitations:** The ReDoS canary (`_CANARY_STRINGS` / `_assert_regex_canary`) uses `SIGALRM` and is a **no-op on Windows** — the 50 ms interrupt is not available on that -platform. Plugin authors on Windows operate without startup ReDoS validation in v0.7.0. +platform. Plugin authors on Windows operate without startup ReDoS validation in v0.7.1a1. Deterministic enforcement via a process-based watchdog is planned for v0.8.0 "Basalt". Full audit report: [Quartz Tribunal Audit](https://zenzic.dev/docs/explanation/audit-v070-quartz-siege) diff --git a/pyproject.toml b/pyproject.toml index b3bbb2b..ed5f05a 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -14,7 +14,7 @@ build-backend = "hatchling.build" [project] name = "zenzic" -version = "0.7.0" +version = "0.7.1a1" description = "Engineering-grade, engine-agnostic linter and security shield for Markdown documentation" readme = "README.md" requires-python = ">=3.10" @@ -201,7 +201,7 @@ pytest_add_cli_args = ["--import-mode=prepend"] # ─── Version bumping ─────────────────────────────────────────────────────────── [tool.bumpversion] -current_version = "0.7.0" +current_version = "0.7.1a1" commit = true tag = true tag_name = "v{new_version}" @@ -279,14 +279,7 @@ filename = "RELEASE.md" search = "v{current_version}" replace = "v{new_version}" -[[tool.bumpversion.files]] -# Requires zenzic-doc checked out as sibling directory: ../zenzic-doc/ -# bump-my-version exits non-zero if the pattern is not found — D077 hardening. -filename = "../zenzic-doc/static/assets/brand/zenzic-brand-system.html" -search = "v{current_version}" -replace = "v{new_version}" - [[tool.bumpversion.files]] filename = ".github/ISSUE_TEMPLATE/security_vulnerability.yml" -search = '"{current_version}"' -replace = '"{new_version}"' +search = 'placeholder: "{current_version}"' +replace = 'placeholder: "{new_version}"' diff --git a/src/zenzic/__init__.py b/src/zenzic/__init__.py index 45c5304..981944e 100644 --- a/src/zenzic/__init__.py +++ b/src/zenzic/__init__.py @@ -2,4 +2,4 @@ # SPDX-License-Identifier: Apache-2.0 """Zenzic — engine-agnostic linter and security shield for Markdown documentation.""" -__version__ = "0.7.0" +__version__ = "0.7.1a1" diff --git a/uv.lock b/uv.lock index fd10108..fb353ea 100644 --- a/uv.lock +++ b/uv.lock @@ -2000,7 +2000,7 @@ wheels = [ [[package]] name = "zenzic" -version = "0.7.0" +version = "0.7.1a1" source = { editable = "." } dependencies = [ { name = "google-re2" }, From c23cb32acc13fbfdc0e9fe03ab5a0ff47c95164b Mon Sep 17 00:00:00 2001 
From: PythonWoods Date: Fri, 8 May 2026 18:38:41 +0200 Subject: [PATCH 07/13] =?UTF-8?q?chore:=20transparent=20release=20orchestr?= =?UTF-8?q?ation=20=E2=80=94=20remove=20bump=20auto-commit,=20add=20just?= =?UTF-8?q?=20release=20recipe?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../ISSUE_TEMPLATE/security_vulnerability.yml | 2 +- CHANGELOG.it.md | 2 +- CHANGELOG.md | 2 +- CITATION.cff | 2 +- CONTRIBUTING.md | 4 ++-- README.it.md | 10 ++++---- README.md | 8 +++---- RELEASE.it.md | 6 ++--- RELEASE.md | 24 +++++++++---------- justfile | 19 +++++++++++++++ noxfile.py | 21 ---------------- pyproject.toml | 13 +++++----- src/zenzic/__init__.py | 2 +- uv.lock | 2 +- 14 files changed, 58 insertions(+), 59 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/security_vulnerability.yml b/.github/ISSUE_TEMPLATE/security_vulnerability.yml index 8d513cf..37bdfac 100644 --- a/.github/ISSUE_TEMPLATE/security_vulnerability.yml +++ b/.github/ISSUE_TEMPLATE/security_vulnerability.yml @@ -29,7 +29,7 @@ body: attributes: label: Zenzic version description: Output of `zenzic --version` - placeholder: "0.7.1a1" + placeholder: "0.7.1" validations: required: true diff --git a/CHANGELOG.it.md b/CHANGELOG.it.md index 4f96549..7785687 100644 --- a/CHANGELOG.it.md +++ b/CHANGELOG.it.md @@ -42,7 +42,7 @@ Le versioni seguono il [Semantic Versioning](https://semver.org/). --- -## [0.7.1a1] — 2026-05-07 — Quartz Maturity (Stable) +## [0.7.1] — 2026-05-07 — Quartz Maturity (Stable) > **Documentazione precedente:** Le versioni precedenti a v0.7.0 sono ufficialmente deprecate > e non seguono l'attuale architettura Diátaxis. Per riferimento storico, vedere la diff --git a/CHANGELOG.md b/CHANGELOG.md index 8513e66..e32136b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -42,7 +42,7 @@ Versions follow [Semantic Versioning](https://semver.org/). --- -## [0.7.1a1] — 2026-05-07 — Quartz Maturity (Stable) +## [0.7.1] — 2026-05-07 — Quartz Maturity (Stable) > **Legacy Documentation:** Versions prior to v0.7.0 are officially deprecated and do not follow > the current Diátaxis architecture. For historical reference, see the diff --git a/CITATION.cff b/CITATION.cff index 9bfcf38..50a4024 100644 --- a/CITATION.cff +++ b/CITATION.cff @@ -14,7 +14,7 @@ abstract: >- Markdown-based documentation. Zenzic introduces Universal Discovery, VCS-aware exclusion mapping, and the Sentinel Shield middleware to provide a deterministic Safe Harbor for complex documentation lifecycles. -version: 0.7.1a1 +version: 0.7.1 date-released: 2026-05-08 url: "https://zenzic.dev" repository-code: "https://github.com/PythonWoods/zenzic" diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 7810eca..095d889 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -64,7 +64,7 @@ uvx pre-commit install # commit-stage: light hooks (ruff, format, h uvx pre-commit install -t pre-push # pre-push: 🛡️ Final Guard runs `just verify` ``` -The pre-push hook is the atomic gate of EPOCH 4 / v0.7.1a1: a single +The pre-push hook is the atomic gate of EPOCH 4 / v0.7.1: a single entry-point (`just verify`) runs both locally and in GitHub Actions — **locale ≡ remote, no drift**. Pushes are blocked when any of the 4 Gates (pre-commit hooks, coverage, tests, `zenzic check all`) fails. @@ -145,7 +145,7 @@ paths in any contribution, use `pathlib.Path` throughout — never string concat > Node 24 runner environment. GitHub-hosted runners (`ubuntu-latest`) satisfy this > automatically; self-hosted runners must use Node ≥ 24. -### CI Pillar Matrix (v0.7.1a1) +### CI Pillar Matrix (v0.7.1) Zenzic adopts a **Pillar Matrix** strategy — testing the boundaries rather than every intermediate version: diff --git a/README.it.md b/README.it.md index b6ea9e3..99c72f3 100644 --- a/README.it.md 
+++ b/README.it.md @@ -124,7 +124,7 @@ zenzic check all # Analizza la cartella corrente **Correzione automatica:** `zenzic clean assets [-y] [--dry-run]` elimina gli asset inutilizzati. -> 🚀 **v0.7.1a1 "Quartz Maturity" (Stabile)** — Suggerimenti proattivi Z104, audit di verità +> 🚀 **v0.7.1 "Quartz Maturity" (Stabile)** — Suggerimenti proattivi Z104, audit di verità > Standalone Mode e hardening dell'Engineering Ledger. Vedi [CHANGELOG.md](CHANGELOG.md). --- @@ -221,7 +221,7 @@ severity = "warning" Le regole si attivano identicamente su tutti gli adapter. Nessuna modifica richiesta dopo la migrazione del motore. -> **Garanzia DFA** (v0.7.1a1+): I pattern delle custom rule devono essere compatibili con RE2 — +> **Garanzia DFA** (v0.7.1+): I pattern delle custom rule devono essere compatibili con RE2 — > backreference, lookahead e lookbehind vengono rifiutati al caricamento. Consulta > [Architettura › Garanzia DFA](https://zenzic.dev/it/docs/explanation/architecture#dfa-guarantee). @@ -322,7 +322,7 @@ zenzic lab [--act N] [--list] ## 📟 Tour Visivo ```text -╭─────────────────────── 🛡 ZENZIC SENTINEL v0.7.1a1 ────────────────────────╮ +╭─────────────────────── 🛡 ZENZIC SENTINEL v0.7.1 ────────────────────────╮ │ │ │ docusaurus • 38 file (18 docs, 20 asset) • 0.9s │ │ │ 
@@ -498,9 +498,9 @@ Zenzic è nato da un percorso tecnico attraverso la fragilità dei moderni ecosi documentazione. Scopri la filosofia, l'assedio della sicurezza e l'ingegneria dietro il Sentinel nelle [**Engineering Chronicles**](https://zenzic.dev/blog/tags/chronicles) sul blog ufficiale. -La storia della release v0.7.1a1 — l'assedio red-team guidato dall'IA, 4 vettori di bypass +La storia della release v0.7.1 — l'assedio red-team guidato dall'IA, 4 vettori di bypass chiusi, e la strada verso la parità engine-agnostica — è documentata in -[**Beyond the Siege: Zenzic v0.7.1a1**](https://zenzic.dev/blog/beyond-the-siege-zenzic-v070-quartz). +[**Beyond the Siege: Zenzic v0.7.1**](https://zenzic.dev/blog/beyond-the-siege-zenzic-v070-quartz). --- diff --git a/README.md b/README.md index 8f9f993..1222a23 100644 --- a/README.md +++ b/README.md @@ -139,7 +139,7 @@ zenzic check all # Audit the current directory **Autofix:** `zenzic clean assets [-y] [--dry-run]` deletes unused images. -> 🚀 **v0.7.1a1 "Quartz Maturity" (Stable)** — Z104 proactive suggestions, Standalone +> 🚀 **v0.7.1 "Quartz Maturity" (Stable)** — Z104 proactive suggestions, Standalone > Mode truth audit, and Engineering Ledger hardening. See [CHANGELOG.md](CHANGELOG.md). --- @@ -234,7 +234,7 @@ severity = "warning" Rules fire identically across all adapters. No changes required after engine migration. -> **DFA Guarantee** (v0.7.1a1+): Custom rule patterns must be RE2-compatible — backreferences, +> **DFA Guarantee** (v0.7.1+): Custom rule patterns must be RE2-compatible — backreferences, > lookaheads, and lookbehinds are rejected at load time. See > [Architecture › DFA Guarantee](https://zenzic.dev/docs/explanation/architecture#dfa-guarantee). 
@@ -493,9 +493,9 @@ Zenzic was born from a technical journey through the fragility of modern documen ecosystems. Discover the philosophy, the security siege, and the engineering behind the Sentinel in the [**Engineering Chronicles**](https://zenzic.dev/blog/tags/chronicles) on the official blog. -The v0.7.1a1 release story — AI-driven red-team siege, 4 bypass vectors closed, and the +The v0.7.1 release story — AI-driven red-team siege, 4 bypass vectors closed, and the road to engine-agnostic parity — is documented in -[**Beyond the Siege: Zenzic v0.7.1a1**](https://zenzic.dev/blog/beyond-the-siege-zenzic-v070-quartz). +[**Beyond the Siege: Zenzic v0.7.1**](https://zenzic.dev/blog/beyond-the-siege-zenzic-v070-quartz). --- diff --git a/RELEASE.it.md b/RELEASE.it.md index 982340b..3bacffd 100644 --- a/RELEASE.it.md +++ b/RELEASE.it.md @@ -1,10 +1,10 @@ -# 💎 Zenzic v0.7.0 — L'Era del Quarzo (Quartz Maturity) +# 💎 Zenzic v0.7.1 — L'Era del Quarzo (Quartz Maturity) Questa release segna la nascita del Sistema di Conoscenza Sovrano. Dopo l'Epurazione del Quarzo, Zenzic abbandona definitivamente ogni residuo sperimentale per diventare un'infrastruttura deterministica di grado industriale. -## 🏛️ I Pilastri della v0.7.0 +## 🏛️ I Pilastri della v0.7.1 - **Integrità Deterministica**: Assenza integrale di ogni dipendenza o logica probabilistica. Zenzic opera ora esclusivamente su fatti strutturali e invarianti certe. - **Sentinel Seal**: Un sistema di validazione a 4 stadi (4-Gates Standard) che garantisce la qualità assoluta prima di ogni push. 
@@ -14,7 +14,7 @@ Questa release segna la nascita del Sistema di Conoscenza Sovrano. Dopo l'Epuraz ## ⚠️ Nota di Evoluzione (Breaking Changes) -La v0.7.0 è l'Anno Zero. Le versioni precedenti sono ufficialmente deprecate poiché non seguono l'attuale architettura Diátaxis. Ogni riferimento ai vecchi brand o alle architetture legacy è stato rimosso per far posto a un ecosistema snello e focalizzato sulla purezza della sorgente. +La v0.7.1 è l'Anno Zero. Le versioni precedenti sono ufficialmente deprecate poiché non seguono l'attuale architettura Diátaxis. Ogni riferimento ai vecchi brand o alle architetture legacy è stato rimosso per far posto a un ecosistema snello e focalizzato sulla purezza della sorgente. ## 🚀 Verso il Futuro diff --git a/RELEASE.md b/RELEASE.md index 1a8790e..a5f155c 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -1,10 +1,10 @@ -# 💎 Zenzic v0.7.1a1 — The Quartz Era (Quartz Maturity) +# 💎 Zenzic v0.7.1 — The Quartz Era (Quartz Maturity) This release marks the birth of the Sovereign Knowledge System. Following the Quartz Purgation, Zenzic definitively abandons all experimental residues to become a deterministic, industrial-grade infrastructure. -## 🏛️ The Pillars of v0.7.1a1 +## 🏛️ The Pillars of v0.7.1 - **Deterministic Integrity**: Complete absence of any probabilistic dependency or logic. Zenzic now operates exclusively on structural facts and certain invariants. - **Sentinel Seal**: A 4-stage validation system (4-Gates Standard) ensuring absolute quality before every push. 
@@ -17,7 +17,7 @@ This release marks the birth of the Sovereign Knowledge System. Following the Qu ## ⚠️ Evolution Note (Breaking Changes) -v0.7.1a1 is Year Zero. Previous versions are officially deprecated as they do not follow the current Diátaxis architecture. Every reference to old brands or legacy architectures has been removed to make way for a lean ecosystem focused on source purity. +v0.7.1 is Year Zero. Previous versions are officially deprecated as they do not follow the current Diátaxis architecture. Every reference to old brands or legacy architectures has been removed to make way for a lean ecosystem focused on source purity. ## 🚀 Towards the Future @@ -45,7 +45,7 @@ With this release, Zenzic is no longer just a tool, but a trust platform for doc ## 🛡️ EPOCH 4 — The Safe Port (4-Gates Standard) -v0.7.1a1 introduces the **atomic single entry-point** for quality: +v0.7.1 introduces the **atomic single entry-point** for quality: ```bash just verify # locale ≡ remote — same command in pre-push hook AND GitHub Actions @@ -77,7 +77,7 @@ harden the gate; a silent one is a betrayal of the Safe Port. ## 🌍 EPOCH 5 — Z907 I18N_PARITY (Cross-Language Integrity) -v0.7.1a1 closes the last gap in the documentation integrity story: +v0.7.1 closes the last gap in the documentation integrity story: **translation drift**. A new core scanner — `Z907 I18N_PARITY` — verifies that every base-language documentation file has a mirror in each configured target language root, and that key frontmatter fields @@ -125,7 +125,7 @@ The check integrates seamlessly into `zenzic check all` and respects Multi-instance Docusaurus setups (e.g. `/docs/*` user area + `/developers/*` contributor area) need legitimate cross-plugin links — but those links look absolute (`/developers/foo`) and would normally trip `Z105 ABSOLUTE_PATH`. -v0.7.1a1 introduces a **declarative trust contract**: +v0.7.1 introduces a **declarative trust contract**: ```toml # zenzic.toml — opt-in, empty by default 
@@ -176,7 +176,7 @@ read-only `zenzic inspect config` command. Documented in the ## 🌳 EPOCH 7a — Multi-Root Discovery (VSM Blindness Sealed) -For every release before v0.7.1a1 the VSM ingested **only** files under `docs_dir`. +For every release before v0.7.1 the VSM ingested **only** files under `docs_dir`. Modern static-site generators routinely manage content trees that live outside `docs/` — the textbook case is the Docusaurus `blog/` directory, materialised as live URLs at build time. A pre-EPOCH-7a `zenzic check all --strict` would never see those files: broken @@ -198,7 +198,7 @@ Adapters opt in by implementing the optional `get_extra_content_roots(repo_root) -> list[ContentRoot]` method. The Core discovers it via `hasattr()` — the same convention already used by `get_locale_source_roots` — so adapters that have nothing to declare need no stub. **The addition is non-breaking** for -third-party adapters built against the v0.7.1a1 Protocol. +third-party adapters built against the v0.7.1 Protocol. ### Four pipeline stages cooperate @@ -267,7 +267,7 @@ ever saying `where`. ## 🌿 EPOCH 7a.1 — Zero-Config Sovereignty (`absolute_path_allowlist` Purged) -EPOCH 7a.1 extends the Zero-Config invariant to one of v0.7.1a1's last residues of +EPOCH 7a.1 extends the Zero-Config invariant to one of v0.7.1's last residues of user-side coupling: the `[link_validation].absolute_path_allowlist` block. Multi-instance Docusaurus sites (one `@docusaurus/plugin-content-docs` instance per top-level URL prefix — e.g. `/docs/` for the user manual and 
@@ -388,7 +388,7 @@ all three. Zero asymmetries. ### Why Hard-Remove, Not Deprecate D002 introduced `.zenzic.dev.toml` as an Environmental Privacy Gate. v0.6.1 was never -published to end users; v0.7.1a1 is Year Zero. There are no production deployments to protect. +published to end users; v0.7.1 is Year Zero. There are no production deployments to protect. A deprecation warning would add scanning overhead and imply a support contract that does not exist. The Quartz Maturity standard admits no nostalgia. @@ -427,7 +427,7 @@ credential obfuscation via Base64 encoding, percent-encoding, and mixed-case nor (Shield — exit 2), Windows absolute path injection (`C:\`, UNC shares), and cross-line credential splitting via the ZRT-007 lookback buffer. -**Base64 Speculative Decoder (v0.7.1a1 D095):** The Shield now decodes candidate Base64 tokens +**Base64 Speculative Decoder (v0.7.1 D095):** The Shield now decodes candidate Base64 tokens and re-scans the decoded text. A GitHub PAT encoded as `Z2hwXzEyMzQ...` in frontmatter triggers Z201 and exits 2. Attack vector S2 sealed. @@ -436,7 +436,7 @@ so that mixed-case paths on APFS/NTFS no longer produce false-positive traversal **Known limitations:** The ReDoS canary (`_CANARY_STRINGS` / `_assert_regex_canary`) uses `SIGALRM` and is a **no-op on Windows** — the 50 ms interrupt is not available on that -platform. Plugin authors on Windows operate without startup ReDoS validation in v0.7.1a1. +platform. Plugin authors on Windows operate without startup ReDoS validation in v0.7.1. Deterministic enforcement via a process-based watchdog is planned for v0.8.0 "Basalt". Full audit report: [Quartz Tribunal Audit](https://zenzic.dev/docs/explanation/audit-v070-quartz-siege) diff --git a/justfile b/justfile index a0a4222..5de769e 100644 --- a/justfile +++ b/justfile 
@@ -90,6 +90,25 @@ _check-hooks: echo "" fi +# Release orchestration: explicit, transparent, and lockfile-first. +release part: + #!/usr/bin/env bash + set -euo pipefail + case "{{ part }}" in + patch|minor|major) ;; + *) echo "Invalid part '{{ part }}'. Use patch|minor|major"; exit 2 ;; + esac + uv run --active bump-my-version bump {{ part }} + uv sync + version="$(uv run --active bump-my-version show current_version)" + if git rev-parse "v${version}" >/dev/null 2>&1; then + echo "Tag v${version} already exists. Aborting." + exit 3 + fi + git add -u + git commit -m "release: bump version to ${version}" + git tag -a "v${version}" -m "Release v${version}" + # ─── Cleanup ────────────────────────────────────────────────────────────── # Remove generated artefacts (.nox is kept — reuse avoids reinstalling deps) diff --git a/noxfile.py b/noxfile.py index fdf9fe6..28f9d84 100644 --- a/noxfile.py +++ b/noxfile.py @@ -21,7 +21,6 @@ # Per-group sync tuples — each session installs only what it needs. _SYNC_TEST = ("uv", "sync", "--active", "--group", "test") _SYNC_LINT = ("uv", "sync", "--active", "--group", "lint") -_SYNC_RELEASE = ("uv", "sync", "--active", "--group", "release") @nox.session(python=PYTHONS) 
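Review bot: The existing-tag guard in `release` runs only after `bump-my-version bump` and `uv sync` have already rewritten the version files and the lockfile, so the `exit 3` path leaves a bumped, uncommitted tree behind. `git rev-parse "v${version}"` also resolves any ref with that name, including a branch, so the guard should name the tag namespace: `if git rev-parse -q --verify "refs/tags/v${version}" >/dev/null; then`. Resolving the target version and running this check before the bump would keep an aborted release free of side effects. The tag is annotated but unsigned; if maintainers have signing keys configured, `git tag -s` in place of `git tag -a` would let consumers verify the release ref.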
@@ -163,23 +162,3 @@ def dev(session: nox.Session) -> None: session.run("uv", "sync", "--group", "dev", external=True) session.run("uv", "run", "pre-commit", "install", external=True) session.run("uv", "run", "pre-commit", "install", "-t", "pre-push", external=True) - - -@nox.session(python="3.14", venv_backend="none") -def bump(session: nox.Session) -> None: - """Bump the project version and create a release commit + tag. - - Usage: - nox -s bump -- patch # 0.1.0 → 0.1.1 - nox -s bump -- minor # 0.1.0 → 0.2.0 - nox -s bump -- major # 0.1.0 → 1.0.0 - - After bumping, push with: - git push && git push --tags - """ - if not session.posargs: - session.error("Specify a bump type: nox -s bump -- patch|minor|major") - part = session.posargs[0] - if part not in ("patch", "minor", "major"): - session.error(f"Invalid bump type '{part}'. Use patch, minor, or major.") - session.run("bump-my-version", "bump", part, external=True) diff --git a/pyproject.toml b/pyproject.toml index ed5f05a..73ce063 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -14,7 +14,7 @@ build-backend = "hatchling.build" [project] name = "zenzic" -version = "0.7.1a1" +version = "0.7.1" description = "Engineering-grade, engine-agnostic linter and security shield for Markdown documentation" readme = "README.md" requires-python = ">=3.10" @@ -201,11 +201,7 @@ pytest_add_cli_args = ["--import-mode=prepend"] # ─── Version bumping ─────────────────────────────────────────────────────────── [tool.bumpversion] -current_version = "0.7.1a1" -commit = true -tag = true -tag_name = "v{new_version}" -message = "release: bump version {current_version} → {new_version}" +current_version = "0.7.1" parse = "(?P\\d+)\\.(?P\\d+)\\.(?P\\d+)((?Pa|b|rc)(?P\\d+))?" serialize = [ "{major}.{minor}.{patch}{pre_l}{pre_n}", 
@@ -279,6 +275,11 @@ filename = "RELEASE.md" search = "v{current_version}" replace = "v{new_version}" +[[tool.bumpversion.files]] +filename = "RELEASE.it.md" +search = "v{current_version}" +replace = "v{new_version}" + [[tool.bumpversion.files]] filename = ".github/ISSUE_TEMPLATE/security_vulnerability.yml" search = 'placeholder: "{current_version}"' diff --git a/src/zenzic/__init__.py b/src/zenzic/__init__.py index 981944e..7825f97 100644 --- a/src/zenzic/__init__.py +++ b/src/zenzic/__init__.py @@ -2,4 +2,4 @@ # SPDX-License-Identifier: Apache-2.0 """Zenzic — engine-agnostic linter and security shield for Markdown documentation.""" -__version__ = "0.7.1a1" +__version__ = "0.7.1" diff --git a/uv.lock b/uv.lock index fb353ea..4e2b790 100644 --- a/uv.lock +++ b/uv.lock @@ -2000,7 +2000,7 @@ wheels = [ [[package]] name = "zenzic" -version = "0.7.1a1" +version = "0.7.1" source = { editable = "." } dependencies = [ { name = "google-re2" }, From ef283d0e33724c103d6938d3a47fdd45d2887ab5 Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Fri, 8 May 2026 18:52:45 +0200 Subject: [PATCH 08/13] feat(release): add version display and dry-run release bump functionality --- justfile | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/justfile b/justfile index 5de769e..778df8f 100644 --- a/justfile +++ b/justfile @@ -109,6 +109,15 @@ release part: git commit -m "release: bump version to ${version}" git tag -a "v${version}" -m "Release v${version}" +# Show the current project version +version: + @uv run --active bump-my-version show current_version + +# Simulate a release bump without modifying any files +# Usage: just release-dry patch|minor|major +release-dry part: + uv run --active bump-my-version bump {{part}} --dry-run --verbose + # ─── Cleanup ────────────────────────────────────────────────────────────── # Remove generated artefacts (.nox is kept — reuse avoids reinstalling deps) From 8ad76b62c5facb6267f6bf4b8cc0765ae9a95158 Mon Sep 17 00:00:00 2001 
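Review bot: The new `RELEASE.it.md` entry reuses the bare `search = "v{current_version}"` pattern, which appears to rewrite every mention of the current version in the file rather than only the title. The RELEASE.md hunks in this series show the effect: provenance statements such as "For every release before v0.7.0" and "Base64 Speculative Decoder (v0.7.0 D095)" were re-stamped to v0.7.1a1 and then v0.7.1, so the notes no longer say in which release a Shield control or a known limitation actually landed. Anchoring both entries to the heading would keep that history stable, for example `search = "Zenzic v{current_version} —"` with `replace = "Zenzic v{new_version} —"`.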
From: PythonWoods Date: Fri, 8 May 2026 19:26:20 +0200 Subject: [PATCH 09/13] fix: allow dirty state for dry-run release bump --- justfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/justfile b/justfile index 778df8f..03b2a70 100644 --- a/justfile +++ b/justfile @@ -116,7 +116,7 @@ version: # Simulate a release bump without modifying any files # Usage: just release-dry patch|minor|major release-dry part: - uv run --active bump-my-version bump {{part}} --dry-run --verbose + uv run --active bump-my-version bump {{part}} --dry-run --allow-dirty --verbose # ─── Cleanup ────────────────────────────────────────────────────────────── From a24958b812c019b3cc425db9427ab8fcb457ff9b Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Fri, 8 May 2026 19:51:17 +0200 Subject: [PATCH 10/13] chore: add release-contracts guard to verify pipeline --- justfile | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/justfile b/justfile index 03b2a70..fe81e6a 100644 --- a/justfile +++ b/justfile @@ -76,7 +76,7 @@ lint: # Final Guard: atomic verification invoked by pre-push hook + GHA. # Sequence: pre-commit (all hooks) → test-cov (with coverage gate) → zenzic self-check. -verify: _check-hooks +verify: _check-hooks release-contracts uvx pre-commit run --all-files just test-cov just check @@ -90,6 +90,19 @@ _check-hooks: echo "" fi +# Enforce release contracts: dirty allowed only in release-dry. +release-contracts: + #!/usr/bin/env bash + set -euo pipefail + grep -qE '^version:' justfile + grep -qE '^release part:' justfile + grep -qE '^release-dry part:' justfile + grep -q -- '--dry-run --allow-dirty --verbose' justfile + if sed -n '/^release part:/,/^[^[:space:]].*:/p' justfile | tail -n +2 | grep -q -- '--allow-dirty'; then + echo "release-contracts failed: release part must not use --allow-dirty" + exit 1 + fi + # Release orchestration: explicit, transparent, and lockfile-first. release part: #!/usr/bin/env bash 
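Review bot: The check `grep -q -- '--dry-run --allow-dirty --verbose' justfile` in `release-contracts` always succeeds, because the line that runs the grep contains that exact string itself; removing the flags from `release-dry` would not fail the contract. Scope it to the recipe body the same way the `release` check does, e.g. `sed -n '/^release-dry part/,/^[^[:space:]].*:/p' justfile | tail -n +2 | grep -q -- '--dry-run --allow-dirty'`. The guard is also purely textual over the justfile: setting `allow_dirty = true` under `[tool.bumpversion]` in pyproject.toml would presumably have the same effect on `release` without tripping it, so a companion check on that file is worth adding.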
From 7e56f805ace4bcc9ac22a39979e4941e691e88ea Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Fri, 8 May 2026 20:04:02 +0200 Subject: [PATCH 11/13] feat(dx): add --short flag to release-dry; add versions recipe --- justfile | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/justfile b/justfile index fe81e6a..0cf2471 100644 --- a/justfile +++ b/justfile @@ -96,7 +96,7 @@ release-contracts: set -euo pipefail grep -qE '^version:' justfile grep -qE '^release part:' justfile - grep -qE '^release-dry part:' justfile + grep -qE '^release-dry part' justfile grep -q -- '--dry-run --allow-dirty --verbose' justfile if sed -n '/^release part:/,/^[^[:space:]].*:/p' justfile | tail -n +2 | grep -q -- '--allow-dirty'; then echo "release-contracts failed: release part must not use --allow-dirty" @@ -127,9 +127,18 @@ version: @uv run --active bump-my-version show current_version # Simulate a release bump without modifying any files -# Usage: just release-dry patch|minor|major -release-dry part: - uv run --active bump-my-version bump {{part}} --dry-run --allow-dirty --verbose +# Usage: just release-dry patch|minor|major [--short] +release-dry part *args: + #!/usr/bin/env bash + set -euo pipefail + _short=false + for _arg in {{args}}; do [[ "$_arg" == "--short" ]] && _short=true; done + if $_short; then + uv run --active bump-my-version bump {{part}} --dry-run --allow-dirty --verbose 2>&1 \ + | grep -E 'current version|New version will be|Dry run' + else + uv run --active bump-my-version bump {{part}} --dry-run --allow-dirty --verbose + fi # ─── Cleanup ────────────────────────────────────────────────────────────── From 992f6a2b91910b2b0e0a5b82611ed3161f689e81 Mon Sep 17 00:00:00 2001 
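Review bot: `release-dry` passes `{{part}}` straight to the shell and to bump-my-version without the `patch|minor|major` allow-list that `release` applies, and `for _arg in {{args}}` is word-split and glob-expanded because the interpolation is unquoted. just substitutes both into the script text before bash runs, so whatever is passed becomes part of the script; that is low impact while only a developer types the arguments, but it matters if the recipe is ever driven from CI inputs. Reuse the guard from `release` at the top of the body, `case "{{ part }}" in patch|minor|major) ;; *) echo "Invalid part '{{ part }}'"; exit 2 ;; esac`, and reject any extra argument other than `--short`.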
From: PythonWoods Date: Fri, 8 May 2026 20:11:46 +0200 Subject: [PATCH 12/13] docs: add DX release recipes to CHANGELOG and CONTRIBUTING --- CHANGELOG.it.md | 10 +++++++++- CHANGELOG.md | 9 +++++++++ CONTRIBUTING.it.md | 4 ++++ CONTRIBUTING.md | 4 ++++ 4 files changed, 26 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.it.md b/CHANGELOG.it.md index 7785687..252834c 100644 --- a/CHANGELOG.it.md +++ b/CHANGELOG.it.md @@ -17,7 +17,15 @@ Le versioni seguono il [Semantic Versioning](https://semver.org/). - **DX guard `_check-hooks`:** Aggiunta recipe nascosta `_check-hooks` come prima dipendenza di `just verify`. Emette un avviso se l’hook Final Guard pre-push (`pre-commit install - -t pre-push`) non è installato localmente, senza bloccare l’esecuzione della verifica. + -t pre-push`) non è installato localmente, senza bloccare l’esecuzione della verifica.- **Recipe `version`:** `just version` stampa la versione corrente del progetto direttamente + tramite `bump-my-version`. Alternativa rapida alla lettura manuale di `pyproject.toml`. +- **Flag `--short` per `release-dry`:** `just release-dry patch --short` filtra l'output + verbose di bump-my-version alle tre righe essenziali: versione corrente, nuova versione + e conferma dry-run. Il comportamento predefinito (diff verbose completo) è invariato. +- **DX guard `release-contracts`:** Nuova recipe che impone i contratti architetturali sul + justfile: presenza obbligatoria delle recipe `version`, `release` e `release-dry`; + `--allow-dirty` deve comparire solo in `release-dry`, mai in `release`. Inclusa in + `just verify` come controllo strutturale che fallisce immediatamente in caso di violazione. ### Modificato diff --git a/CHANGELOG.md b/CHANGELOG.md index e32136b..c194ee9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -18,6 +18,15 @@ Versions follow [Semantic Versioning](https://semver.org/). - **`_check-hooks` DX guard:** Added hidden `_check-hooks` recipe as first dependency of `just verify`. Emits a warning if the pre-push Final Guard hook (`pre-commit install -t pre-push`) is not installed locally, without blocking the verification run. +- **`version` recipe:** `just version` prints the current project version directly from + `bump-my-version`. Fast alternative to reading `pyproject.toml` manually. +- **`release-dry --short` flag:** `just release-dry patch --short` filters the verbose + bump-my-version output to three essential lines: current version, new version, and + dry-run confirmation. Default behaviour (full verbose diff) is unchanged. +- **`release-contracts` DX guard:** New recipe enforces architectural contracts on the + justfile: mandatory presence of `version`, `release`, and `release-dry` recipes; + `--allow-dirty` must appear only in `release-dry`, never in `release`. Wired into + `just verify` as a structural pre-flight check that fails fast on violations. ### Changed diff --git a/CONTRIBUTING.it.md b/CONTRIBUTING.it.md index 9b64197..be696f9 100644 --- a/CONTRIBUTING.it.md +++ b/CONTRIBUTING.it.md 
@@ -59,6 +59,10 @@ I controlli di qualità e le attività di sviluppo sono guidati da **just** (per | `mutation` | — | `nox -s mutation` | mutmut su `rules.py`, `shield.py`, `reporter.py` | | `preflight` | `just preflight` | `nox -s preflight` | lint, typecheck, test, reuse, security | | **Pre-push gate** | **`just verify`** | — | **preflight + self-lint — esegui prima di ogni push** | +| Versione corrente | `just version` | — | Stampa la versione corrente tramite bump-my-version | +| Release dry-run | `just release-dry patch` | — | Simula un bump (output diff completo) | +| Release dry-run (compatto) | `just release-dry patch --short` | — | Simula un bump — solo riepilogo 3 righe | +| Controllo contratti | `just release-contracts` | — | Verifica i contratti architetturali del justfile (invocato da `verify`) | | `clean` | `just clean` | — | Rimuove `dist/`, `.hypothesis/`, cache | | `bump` | — | `nox -s bump -- patch` | avanza la versione + commit + tag | diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 095d889..9dd60d1 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -115,6 +115,10 @@ the exact same environment as CI. | Test (thorough) | `just test-full` | — | pytest with Hypothesis **ci** profile (500 examples) | | Mutation testing | — | `nox -s mutation` | mutmut on `rules.py`, `shield.py`, `reporter.py` | | **Final Guard** | **`just verify`** | — | **pre-commit + test-cov + check — runs automatically on `git push`** | +| Show version | `just version` | — | Print current version from bump-my-version | +| Release dry-run | `just release-dry patch` | — | Simulate a bump (full diff output) | +| Release dry-run (compact) | `just release-dry patch --short` | — | Simulate a bump — 3-line summary only | +| Contract check | `just release-contracts` | — | Verify justfile architectural contracts (run by `verify`) | | Clean | `just clean` | — | Remove `dist/`, `.hypothesis/`, caches | | Version bump | — | `nox -s bump -- patch` | bump version + commit + tag | 
From 46f47614c8f5d5ea6d6bfb559a5fa046472748dd Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Sat, 9 May 2026 17:09:35 +0200 Subject: [PATCH 13/13] chore(ci): remove no-commit-to-branch --- .pre-commit-config.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b606088..de6b4b4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -16,9 +16,6 @@ repos: - id: check-merge-conflict - id: check-case-conflict - id: mixed-line-ending - - id: no-commit-to-branch - args: ["--branch", "main"] - stages: [pre-commit] # only at commit time — not during 'pre-commit run --all-files' in CI # 2. Markdown linting - repo: https://github.com/igorshubovych/markdownlint-cli