Skip to content

Chore(release): Prepare v0.11.0 — federal wave + pre-tag review fixes#199

Merged
allenfbyrd merged 3 commits into
mainfrom
release/v0.11.0-prep
Jul 17, 2026
Merged

Chore(release): Prepare v0.11.0 — federal wave + pre-tag review fixes#199
allenfbyrd merged 3 commits into
mainfrom
release/v0.11.0-prep

Conversation

@allenfbyrd

Copy link
Copy Markdown
Collaborator

Release prep: v0.11.0 — the federal wave

Prepares the v0.11.0 tag per docs/release-checklist.md. Feature scope is
already on main (PRs #194 / #195 / #196), joined this cycle by the
claim-accuracy sweep (#197) and the CR26 schema re-vendor at the SDR 1.0.0
graduation (#198).

What's in this PR

  • Version bump to 0.11.0 via scripts/bump_version.py (manifest-driven:
    24 files, 76 substitutions — all 8 pyprojects, package.json, inter-package
    pins, doc references, and the two prose currency anchors); uv.lock
    regenerated.
  • CHANGELOG: [Unreleased] cut to [0.11.0] - 2026-07-16 with the
    federal-wave theme paragraph and the ratified deferral record; all five
    cycle PR refs woven in — check_changelog_vs_commits.py reports every
    commit since v0.10.18 accounted for.
  • ROADMAP restructure: v0.11 umbrella → SHIPPED with a v0.11.0 release
    entry; new ## v0.12 — Pre-1.0 hardening + GUI parity — PLANNED open
    cycle linking the ratified v0.12-plan.md
    (disposition of the remaining v0.11 waves); medical-device line re-cut to
    v1.1+. check_roadmap_currency.py fully green including the backfill
    advisory.
  • capability-matrix: v0.11.0 PRE-TAG re-validation snapshot (federal-wave
    surface delta; parity stated honestly at 93.4% with the 7 api-only rows
    named and their v0.12 disposition linked).
  • threat-model: v0.11.0 attack-surface delta (the conmon ksi
    file-in/file-out surface + vendored-schema provenance; the M-25-21/22
    store + API mirrors on the hardened registry-store pattern; the read-only
    schema-watch sentinel).
  • README Recent-Releases block + wiki mirrors/reference/API docs
    regenerated.

Gates on this tree

pytest 4,939 passed (3-OS matrix re-runs in CI) · ruff · mypy 292 files ·
check_docs_health --strict 0 FAIL · doc-counts · parity (93.4%, all 5
checks) · version-consistency · roadmap-currency · workflow perms/tools
strict · uv build 8 wheels + twine PASSED · run_osv_scan.py PASS
(osv-scanner v2.4.0) · changelog-vs-commits advisory clean · Step-6 scour
clean (no live legacy-name refs; zero real emails in history; no new
packages).

Pre-tag review: pre-release-review v5.2 (per-run JSON in
.local/pre-release-review/runs/); Step 3–4 security fan-out results
recorded there. Tagging happens after this PR merges, as its own approved
step.


Update: pre-tag /pre-release-review fixes folded in

The v0.11.0 security fan-out (5 per-subsystem reviewers + adversarial verify)
surfaced a data-loss blocker plus hardening gaps in the just-merged Wave-2
code; all fixed on this branch before tag (see the Fix(ai-gov): commit):

  • BLOCKERai-gov set-high-impact silently destroyed recorded M-25-21
    practice status + CAIO waiver provenance on a bases/rationale amendment
    (contradicting the model's retention contract). Fixed on API + CLI; carried
    practices forward; regression test on each surface. Reproduced live before
    and after.
  • conmon ksi: rejects duplicate KSI keys (while honoring legal YAML merge
    keys), warns on unknown --state-file cadence slugs, atomic --out write
    with a clean error contract.
  • max_length bounds on the two unbounded operator-string fields.
  • Three self-inflicted doc claims in the release-prep additions corrected
    (threat-model idempotency; capability-matrix waiver-clock + gen---check
    wording).

Eight lower-severity findings dispositioned to v0.12 in the per-run review JSON.
Validated three times: full gate battery, live end-to-end exercise of every
fix, and an adversarial re-review of the fix diff (which itself caught + fixed
a merge-key regression). Full suite 4,947 passed.

…cture, v0.12 plan

Release prep per docs/release-checklist.md:

- scripts/bump_version.py --to 0.11.0 (manifest-driven: 24 files,
  76 substitutions — 8 pyprojects + package.json + inter-package pins
  + Dockerfile/demo pins + doc version references + the two prose
  currency anchors); uv.lock regenerated.
- CHANGELOG: [Unreleased] cut to [0.11.0] - 2026-07-16 with the
  federal-wave theme paragraph and the ratified deferral record;
  fresh [Unreleased] block opened; all five cycle PR refs woven in
  (#194 #195 #196 #197 #198) — check_changelog_vs_commits reports
  every commit accounted for.
- ROADMAP: v0.11 umbrella -> SHIPPED with a v0.11.0 release entry;
  NEW '## v0.12 - Pre-1.0 hardening + GUI parity - PLANNED' open
  cycle linking docs/releases/plans/v0.12-plan.md (ratified
  2026-07-16: disposition of the remaining v0.11 waves + the LEAN
  v0.12 scope); medical-device line re-cut to v1.1+.
- capability-matrix: v0.11.0 PRE-TAG re-validation snapshot (federal
  wave surface delta; parity 93.4% with the 7 api-only rows named);
  header re-validated-through bumped.
- threat-model: v0.11.0 attack-surface delta (conmon ksi file-in/
  file-out + vendored-schema provenance; the M-25-21/22 store + API
  mirrors on the hardened registry-store pattern; the read-only
  schema-watch sentinel).
- README Recent-Releases regenerated (gen_readme_releases.py); wiki
  mirrors + reference + API docs regenerated.

Gates on this tree: pytest full suite green; ruff; mypy 292 files;
docs-health --strict 0 FAIL; doc-counts; parity; version-consistency;
roadmap-currency (incl. A4 backfill clean); workflow perms/tools
strict; uv build 8 wheels + twine PASSED; run_osv_scan PASS
(osv-scanner v2.4.0).
The v0.11.0 /pre-release-review security fan-out (5 per-subsystem
reviewers + adversarial verification) surfaced a data-loss BLOCKER and
several hardening gaps in the just-merged Wave-2 code. All fixed before
the tag, with regression tests.

BLOCKER — set-high-impact destroyed recorded M-25-21 practices:
  `ai-gov set-high-impact` (the only verb that amends bases/rationale on
  an already-classified system) rebuilt OMBHighImpactAssessment from
  determination/bases/rationale only, resetting `practices` to {} and
  silently wiping every recorded practice status AND the CAIO waiver
  written-determination provenance (§4(a)(ii)/(iii) evidence trail) —
  contradicting the model's own retention contract. Reproduced live.
  Fix: both the API and CLI handlers carry `practices` forward across a
  re-determination. Regression tests on both surfaces.

Also fixed (same review):
  - conmon ksi now REJECTS duplicate KSI indicator keys in the status
    YAML (a duplicate ID was last-wins-merged, silently dropping the
    earlier block from the emitted federal SDR).
  - conmon ksi WARNS when a --state-file anchor keys a cadence slug that
    matches no bundled cadence (its last-completed/next-due dates would
    otherwise be silently absent from the SDR).
  - conmon ksi --out writes atomically (tmp + os.replace) with a clean
    exit-1 error contract instead of a raw pathlib traceback on a
    missing/unwritable path.
  - PracticeWaiver.issued_by and AIAcquisition.linked_system_id gained
    the max_length=256 bound every sibling operator-string field carries
    (API mirror field too).

Docs (self-inflicted in the release-prep commit, G28):
  - threat-model v0.11.0 delta no longer claims the new API mirrors
    inherit the idempotency-key body-hash mechanism (they do not; retry-
    dedup is a tracked v0.12 item).
  - capability-matrix: the "gen_fedramp_ksi.py --check CI drift gate" and
    "CAIO waiver clocks" rows reworded to match what actually ships.

Eight lower-severity findings (idempotency on the acquisition create
route, a shared-helper exit-code nit, an on-demand-only local schema
integrity check, the unwired waiver-clock helpers, a pre-existing
store temp-file race, two CI-sentinel hardening items) are dispositioned
to v0.12 in the per-run review JSON.

Tests: 6 new regression tests; full suite green; ruff; mypy 292 files;
docs-health --strict 0 FAIL.
@vercel

vercel Bot commented Jul 17, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
evidentia Ready Ready Preview, Comment Jul 17, 2026 9:15am

Request Review

@codspeed-hq

codspeed-hq Bot commented Jul 17, 2026

Copy link
Copy Markdown

Merging this PR will not alter performance

✅ 6 untouched benchmarks


Comparing release/v0.11.0-prep (01c567f) with main (430f300)

Open in CodSpeed

@codecov

codecov Bot commented Jul 17, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

…h bounds

The pre-tag review added max_length=256 to PracticeWaiver.issued_by and
AIAcquisition.linked_system_id (+ the API RegisterAcquisitionRequest
mirror); re-dump packages/evidentia-ui/openapi.json and regenerate the
typed client so the openapi-schema-drift gate stays green. Schema delta
is exactly the two maxLength additions; frontend typecheck + build pass.
@allenfbyrd
allenfbyrd added this pull request to the merge queue Jul 17, 2026
Merged via the queue into main with commit 8420cb4 Jul 17, 2026
38 checks passed
@allenfbyrd
allenfbyrd deleted the release/v0.11.0-prep branch July 17, 2026 09:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant