Skip to content

Latest commit

 

History

History
135 lines (103 loc) · 4.83 KB

File metadata and controls

135 lines (103 loc) · 4.83 KB

Maintainer Release Checklist

A pre-publish checklist for maintainers. Run through every item before pushing anything to a public branch. Nothing here is automated against the maintainer's wishes.

0. Credentials hygiene

  • If any earlier commit or local file contained a real credential, rotate it now before doing anything else.
  • Confirm no .env, *.pem, *.key, *.crt, or *.p12 file is tracked by git.
  • Confirm no real customer email, real phone number, real webhook URL, or real tenant ID appears in any tracked file.

1. Hard gates (must pass)

Run, in order:

python tools/audit_workflows.py
python tools/validate_generated_pack.py
python tools/build_unified_catalog.py
python tools/validate_schemas.py
python tools/build_review_queue.py
python tools/audit_public_claims.py
python tools/final_readiness_check.py

Hard gate criteria — all must hold:

  • reports/workflow-audit.json reports possibleSecretFindings = 0.
  • reports/workflow-audit.json reports invalidJsonFiles = 0.
  • validate_generated_pack.py exits 0 with ALL CHECKS PASSED.
  • validate_schemas.py exits 0 with all gates PASS.
  • A prompt-to-n8n smoke run completes without crashing and reports validation=PASS.
  • audit_public_claims.py reports no risky claims in tracked documentation (the file reports/public-claims-audit.{json,md} is produced).
  • final_readiness_check.py exits 0.

If any hard gate fails: stop. Fix the issue first.

2. Soft gates (review and proceed)

These are signals to read carefully but they do not block a release:

  • reports/review-queue.md is allowed to have pending items. Note the totals and severities in the release notes.
  • reports/duplicates-report.md may show clusters. Confirm intentionality for keep clusters, and decide on candidate-for-dedupe clusters per release cadence.
  • reports/runtime-proof/<slug>/validation.json may report warnings. Warnings are not failures.

3. Documentation truthfulness

  • README.md quickstart commands match the actual tools/ filenames and arguments.
  • README.md "Honest status" table reflects what is implemented in this commit (no aspirational claims).
  • docs/runtime-proof.md and docs/demo.md describe behaviour that matches the current tool output.
  • wiki/generated/runtime-proof-findings.md is regenerated if the runtime-proof outputs were re-run.
  • No new "production-ready", "fully autonomous", "self-healing", "behaviourally validated", "certified", or compliance-claim language was introduced.

4. No AI attribution in generated files

  • No generated workflow, no IR file, no report, and no doc carries AI attribution language (e.g. "Generated by Claude", "AI-assisted", "GPT-written"). Generated artefacts identify the deterministic tool that produced them, not any model.
  • No commit message includes AI attribution.

5. License and notices

  • LICENSE is unchanged unless the maintainer explicitly intends to change it.
  • docs/license-note.md reflects the current LICENSE content.
  • No new third-party code was added without a compatible license.

6. Git diff inspection

  • git status shows only the intended files.
  • git diff (or your reviewer's preferred diff view) is small enough to be reviewed file by file.
  • No binary blobs other than the existing assets are introduced.
  • No files were unintentionally deleted.

7. Commit strategy (recommended)

Break large changes into reviewable commits, for example:

  1. Schemas (if changed).
  2. New tools under tools/.
  3. Docs and CONTRIBUTING / SECURITY changes.
  4. CI workflow updates under .github/workflows/.
  5. README updates.
  6. Regenerated reports / catalogs.

Never commit:

  • raw secret values (always redacted in this repository by design)
  • local .env files
  • editor or IDE-specific dotfiles unless explicitly intended

Never amend a published commit. Always create a new commit.

8. Push checklist

  • All hard gates passed locally on the commit you intend to push.
  • No pre-commit hook was skipped (--no-verify not used).
  • No GPG signing was bypassed (--no-gpg-sign not used) unless that was an explicit maintainer decision.
  • You are pushing the intended branch to the intended remote.
  • The PR description references the relevant reports under reports/ and the relevant entries in docs/roadmap.md.

9. Things that are explicitly not claimed

A release of this repository must not claim:

  • production readiness
  • behavioural validation that did not actually happen
  • full multi-framework export support
  • autonomous self-improvement
  • regulatory compliance (HIPAA, SOC 2, GDPR, etc.)
  • clinical, legal, or financial advice

If a release note ever needs to use any of those phrases, stop and revise.