v0.4.0 Release Notes
Status: prepared release notes for the v0.4.0 GitHub Release and PyPI publication.
Version: 0.4.0.
GitHub Release: v0.4.0.
PyPI: agent-rules-kit==0.4.0.
Summary
agent-rules-kit v0.4.0 publishes the compatible command-surface additions that landed after v0.3.0.
The release keeps the project boundary unchanged:
- local-first;
- read-only by default;
- no runtime network access;
- no runtime LLM calls;
- no execution of commands from analyzed repositories;
- no security guarantees;
- no stable public API guarantee before v1.0.
Added
dedupe: read-only duplicate instruction-line detection across supported instruction files.conflicts: read-only contradictory-guidance detection using implemented deterministic pattern families.- Python 3.13 package metadata classifier and non-required CI compatibility coverage.
- CodeQL workflow for Python code scanning.
- Dependabot configuration for low-noise version update PRs.
- Private vulnerability reporting documentation and supply-chain evaluation records.
- GitHub Actions pinning policy decision record.
Changed
- Expanded local checks, CI smoke, wheel smoke, and post-release audit coverage for
dedupeandconflicts. - Synchronized README, SECURITY, SUPPORT, OUTPUTS, threat model, and product strategy wording with the v0.4.0 release boundary.
- Kept GitHub Actions references on approved tags for this release; SHA pinning remains a separate future supply-chain phase.
Security and safety boundary
This release does not turn the project into a security scanner.
A clean report still means only that the implemented checks completed and did not report a supported issue. It is not proof of repository safety, completeness, compliance, or production readiness.
Verification required before closing the release
The release is not closed until exact-SHA CI, CodeQL review, local checks, build, Twine check, wheel smoke, GitHub Release, PyPI publish workflow, clean PyPI install smoke, and post-release audit are verified.