feat: v0.9 preview gates, package naming, and final audit cleanup

Author: tkdtaylor

.dockerignore

@@ -0,0 +1,45 @@
+.git/
+.github/
+
+# Local-only/private operator material
+.env
+.claude/
+CLAUDE.md
+AGENTS.md
+archive/
+docs/plans/
+docs/tasks/
+
+# Local development caches and virtualenvs
+.venv/
+__pycache__/
+*.py[cod]
+.pytest_cache/
+.coverage
+.coverage.*
+htmlcov/
+coverage.xml
+.mypy_cache/
+.ruff_cache/
+
+# Build/package outputs
+build/
+dist/
+*.egg-info/
+
+# Local databases and model/benchmark artifacts
+*.db
+*.db-journal
+*.db-wal
+*.db-shm
+models/
+*.gguf
+**/*.gguf
+docker/model.gguf
+artifacts/bench-results/
+
+# Editor/OS noise
+.idea/
+*.swp
+*.swo
+.DS_Store

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,6 +1,6 @@
 <!--
-This template encodes the milestone rules from CLAUDE.md. Do not delete
-sections — leave the unchecked checkboxes as a record of what does not
+This template encodes the project milestone rules from CONTRIBUTING.md. Do not
+delete sections — leave the unchecked checkboxes as a record of what does not
 apply, and explain why in a brief note.
 -->
 

.github/workflows/ci.yml

@@ -9,16 +9,16 @@ on:
 # Each gate runs in its own job so failures land on distinct rows in the PR
 # checks list — much easier to read than one giant `make check` log.
 #
-# `release.yml` (task 029) and `fuzz-nightly.yml` (task 027) are intentionally
-# unchanged by this workflow.
+# `release.yml` (tag-driven publish) and `fuzz-nightly.yml` (scheduled IPC
+# fuzzer) are intentionally unchanged by this workflow.
 
 jobs:
   lint:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.12"]
+        python-version: ["3.12", "3.13"]
     steps:
       - uses: actions/checkout@v4
       - name: Install uv
@@ -37,7 +37,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.12"]
+        python-version: ["3.12", "3.13"]
     steps:
       - uses: actions/checkout@v4
       - name: Install uv
@@ -56,7 +56,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.12"]
+        python-version: ["3.12", "3.13"]
     steps:
       - uses: actions/checkout@v4
       - name: Install uv
@@ -75,7 +75,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.12"]
+        python-version: ["3.12", "3.13"]
     steps:
       - uses: actions/checkout@v4
       - name: Install uv
@@ -94,7 +94,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.12"]
+        python-version: ["3.12", "3.13"]
     steps:
       - uses: actions/checkout@v4
       - name: Install uv
@@ -110,14 +110,12 @@ jobs:
 
   fitness:
     runs-on: ubuntu-latest
-    # Fitness functions are advisory while the full suite is being filled in
-    # (task 021 et al.). Surface failures in the PR check list, but don't
-    # block a merge on them yet.
-    continue-on-error: true
+    # Pytest fitness job — the suite is fully filled in for v1.0; runs as a
+    # blocking gate alongside `make-fitness` below.
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.12"]
+        python-version: ["3.12", "3.13"]
     steps:
       - uses: actions/checkout@v4
       - name: Install uv
@@ -135,12 +133,11 @@ jobs:
     runs-on: ubuntu-latest
     # Runs scripts/fitness.sh — the canonical fitness entry point per
     # docs/spec/fitness-functions.md, complementary to the pytest fitness job
-    # above (the two cover different invariants). Blocking per task 043
-    # (honeypot P95 latency regression resolved via budget update).
+    # above (the two cover different invariants). Blocking gate.
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.12"]
+        python-version: ["3.12", "3.13"]
     steps:
       - uses: actions/checkout@v4
       - name: Install uv

.github/workflows/release.yml

@@ -75,7 +75,7 @@ jobs:
       - name: Publish to PyPI (OIDC trusted publishing)
         uses: pypa/gh-action-pypi-publish@release/v1
 
-  # Smoke test: pull the published image and run the e2e demo
+  # Smoke test: pull the published daemon image and verify health
   smoke-test:
     needs: build-image
     runs-on: ubuntu-latest
@@ -99,10 +99,25 @@ jobs:
         run: docker pull ghcr.io/${{ github.repository_owner }}/armor:${{ steps.meta.outputs.version }}
 
       - name: Test image help command
-        run: docker run --rm ghcr.io/${{ github.repository_owner }}/armor:${{ steps.meta.outputs.version }} --help
+        run: docker run --rm --entrypoint armor ghcr.io/${{ github.repository_owner }}/armor:${{ steps.meta.outputs.version }} --help
 
-      - name: Run e2e demo inside container
-        run: docker run --rm ghcr.io/${{ github.repository_owner }}/armor:${{ steps.meta.outputs.version }} armor health
+      - name: Start published daemon image
+        run: docker run -d --name armor-smoke ghcr.io/${{ github.repository_owner }}/armor:${{ steps.meta.outputs.version }}
+
+      - name: Smoke test daemon health inside container
+        run: |
+          for i in {1..30}; do
+            if docker exec armor-smoke armor health; then
+              exit 0
+            fi
+            sleep 2
+          done
+          docker logs armor-smoke
+          exit 1
+
+      - name: Clean up smoke container
+        if: always()
+        run: docker rm -f armor-smoke || true
 
   # Create GitHub Release with auto-generated notes
   create-release:
@@ -135,5 +150,5 @@ jobs:
           generateReleaseNotes: true
           body: |
             Multi-arch image: ghcr.io/${{ github.repository_owner }}/armor:${{ steps.meta.outputs.version }}
-            PyPI: pip install ai-armor==${{ steps.meta.outputs.version }}
+            PyPI: pip install armor-ai==${{ steps.meta.outputs.version }}
             See post-release checklist: docs/release/post-release-checklist.md

.gitignore

@@ -3,21 +3,26 @@
 archive/
 
 # Operator-private build process — task files, test specs, sprint plans, and
-# roadmap drafts. The build-process *workflow* (TDD spec-first, atomic commits,
-# task lifecycle) is documented publicly in CONTRIBUTING.md and CLAUDE.md, but
-# specific task/test-spec contents may include sensitive data, attack-corpus
-# instructions, or vendor-specific details that should not ship in the public
-# repo. Kept locally so the workflow keeps working on the operator's machine.
+# roadmap drafts. The build-process workflow is documented publicly in
+# CONTRIBUTING.md, but specific task/test-spec contents may include sensitive
+# data, attack-corpus instructions, or vendor-specific details that should not
+# ship in the public repo. Kept locally so the workflow keeps working on the
+# operator's machine.
 docs/plans/
 docs/tasks/
 
+# Local agent harnesses — keep public integration examples under examples/.
+.claude/
+CLAUDE.md
+AGENTS.md
+
 # Secrets
 .env
 
 # Python virtual environment (lives in the Docker volume — not part of the repo)
 .venv/
 
-# Python bytecode — also emitted by .claude/scripts/ hooks
+# Python bytecode
 __pycache__/
 *.pyc
 *.pyo
@@ -57,10 +62,6 @@ models/
 # are documented in docs/architecture/decisions/018-validator-model-choice.md.
 artifacts/bench-results/
 
-# Claude Code local state — not part of the reproducible environment
-.claude/settings.local.json
-.claude/.last-checkpoint
-
 # Design discussion artifacts — local reference, not part of public release
 discussion.md
 discussion-*.md