
Community v1.0.0 Release Candidate Hardening

Huzefaaa2 edited this page Jun 28, 2026 · 1 revision


This packet hardens the public Community v1.0.0 release-candidate path after the completed Node 24 readiness baseline and the Community v1.0.0 stabilization plan.

Objective

Community v1.0.0 can move toward a public release candidate only when the release operator can prove artifact integrity, provenance, announcement readiness, final operator evidence, and public open-core boundaries without using Enterprise source code or private signing material.

Hardening Scope

| Workstream | RC Evidence | Exit Condition |
| --- | --- | --- |
| Signed artifacts | Release artifact list, SHA-256 manifest, detached signature references, and keyless attestation references | Every RC artifact is either signed or explicitly blocked before publication. |
| Reproducible provenance verification | Build source commit, workflow run, SBOM reference, SLSA provenance reference, and verifier command output | A maintainer can verify the RC from tagged public source and recorded build inputs. |
| GA announcement checklist | README links, release notes draft, wiki navigation, release index, dashboard state, and announcement copy review | Public users can understand install, verification, support boundary, and next action. |
| Final operator evidence | Release verification runbook, Evidence Console path, boundary validation, CI checks, and release decision | Operators, auditors, platform teams, and CISOs can follow one coherent RC evidence chain. |
| Public boundary | Boundary validation output, Enterprise-folder warning, and trial-distribution documentation | No Enterprise source, private policy pack, customer material, private key, license-service secret, or private registry credential is public. |

Required RC Artifacts

  • docs/community-v1.0.0-release-candidate-hardening.md
  • docs/release-verifications/community-v1.0.0-release-candidate-hardening.json
  • docs/releases/community-v1.0.0.md before RC publication
  • docs/release-verifications/community-v1.0.0-maintenance-verification.md
  • docs/release-verifications/community-v1.0.0-post-release-verification.md
  • docs/community-release-index.md
  • docs/community-release-readiness-dashboard.md
  • docs/community-release-verification-runbook.md
  • .github/workflows/verify-community-release.yml
  • scripts/verify-community-release-artifacts.py
  • scripts/validate-community-v100-rc-hardening.py

Release-Candidate Gates

| Gate | Status | Owner | Evidence |
| --- | --- | --- | --- |
| Node 24 readiness baseline | Ready | release-agent | Community CI, release, governance, and security workflows use Node 24-ready action versions. |
| Signed artifacts | Planned for RC publication | release-agent | Final checksums, detached signatures, and attestation links are recorded after artifacts exist. |
| Reproducible provenance verification | Planned for RC publication | release-agent | SLSA provenance, SBOM metadata, and rebuild inputs are recorded with the tagged RC. |
| GA announcement checklist | Ready for RC draft | docs-agent | README, wiki navigation, release index, and readiness dashboard have public RC links. |
| Final operator evidence | Ready for RC draft | architect-agent | Verification runbook, Evidence Console path, release dashboard, and CI validators are wired. |
| Public boundary | Ready | security-agent | `scripts/validate-boundaries.sh .` remains the public boundary gate before RC publication. |

Operator Checklist

  • Build the Community RC from a tagged public source commit.
  • Attach Community source distribution and wheel artifacts only.
  • Record SHA-256 checksums for every attached artifact.
  • Attach detached signatures or keyless attestation evidence for every artifact.
  • Attach SBOM and SLSA provenance references when generated by the release workflow.
  • Run scripts/verify-community-release-artifacts.py against the RC tag.
  • Run scripts/validate-community-v100-rc-hardening.py.
  • Run `scripts/validate-boundaries.sh .`.
  • Confirm README, release notes, release index, dashboard, and wiki navigation all reference the same RC.
  • Confirm the Evidence Console and release verification runbook describe the same operator path.
  • Confirm no Enterprise source code, private signing key, license-service secret, private registry token, private policy pack, or customer material is present.
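The checksum and signing-coverage steps of the checklist above, together with the "signed or explicitly blocked" exit condition from the Hardening Scope table, are illustrated by the following added example. It is not the project's own `scripts/verify-community-release-artifacts.py`; it assumes a manifest in the common `sha256sum` text layout (`<hex digest>  <filename>`) and a hypothetical `signing.json` sidecar that records which artifacts carry a detached signature or keyless attestation reference and which are explicitly blocked. The artifact names and bytes are constructed in a temporary directory so the check runs offline.

```python
"""Checksum-manifest and signing-coverage check for a release-candidate artifact set.

Added example; not the project's scripts/verify-community-release-artifacts.py.
Assumes a sha256sum-style manifest and a hypothetical signing.json sidecar
with three optional lists: "signed", "attested", "blocked".
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "SHA256SUMS"   # assumed manifest file name
SIGNING_NAME = "signing.json"  # hypothetical signing-coverage sidecar


def sha256_file(path: Path) -> str:
    """Stream the file so large wheels and sdists are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse '<digest>  <name>' lines; a malformed digest fails closed."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest> <name>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' marks binary mode
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: not a SHA-256 hex digest")
        entries[name] = digest
    return entries


def verify_release(artifact_dir: Path, manifest: dict, signing: dict) -> dict:
    """Return a report. An artifact is verified only if its digest matches AND it is
    signed or attested; blocked artifacts are recorded but do not fail the run.
    Stray files not in the manifest, mismatches, missing files and unsigned
    artifacts all fail the run, matching the 'signed or explicitly blocked' rule."""
    signed = set(signing.get("signed", [])) | set(signing.get("attested", []))
    blocked = set(signing.get("blocked", []))
    report = {"verified": [], "checksum_mismatch": [], "missing_file": [],
              "unlisted_file": [], "unsigned": [], "blocked": []}
    present = {p.name for p in artifact_dir.iterdir() if p.is_file()}
    report["unlisted_file"] = sorted(present - set(manifest) - {MANIFEST_NAME, SIGNING_NAME})
    for name, expected in sorted(manifest.items()):
        path = artifact_dir / name
        if not path.is_file():
            report["missing_file"].append(name)
        elif sha256_file(path) != expected:
            report["checksum_mismatch"].append(name)
        elif name in blocked:
            report["blocked"].append(name)
        elif name not in signed:
            report["unsigned"].append(name)
        else:
            report["verified"].append(name)
    report["ok"] = not (report["checksum_mismatch"] or report["missing_file"]
                        or report["unlisted_file"] or report["unsigned"])
    return report


def run_demo() -> dict:
    """Constructed RC artifact set: one clean signed artifact, one artifact tampered
    after the manifest was written, one explicitly blocked, and one stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        files = {  # constructed names and bytes, not real release artifacts
            "cavra-1.0.0rc1.tar.gz": b"constructed sdist bytes\n",
            "cavra-1.0.0rc1-py3-none-any.whl": b"constructed wheel bytes\n",
            "cavra-1.0.0rc1-debug.tar.gz": b"constructed debug bundle\n",
        }
        for name, data in files.items():
            (d / name).write_bytes(data)
        (d / MANIFEST_NAME).write_text("\n".join(f"{sha256_file(d / n)}  {n}" for n in files))
        (d / SIGNING_NAME).write_text(json.dumps({
            "signed": ["cavra-1.0.0rc1.tar.gz"],
            "attested": [],
            "blocked": ["cavra-1.0.0rc1-debug.tar.gz"],
        }))
        # Modify the wheel after checksums were recorded, and drop in a stray file.
        (d / "cavra-1.0.0rc1-py3-none-any.whl").write_bytes(b"modified after manifest\n")
        (d / "scratch.bin").write_bytes(b"should not ship\n")
        manifest = parse_manifest((d / MANIFEST_NAME).read_text())
        return verify_release(d, manifest, json.loads((d / SIGNING_NAME).read_text()))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The report separates digest mismatches from coverage gaps so the release operator can tell a tampered or stale artifact apart from one that simply lacks a signature reference; both block publication, while an artifact listed under `blocked` is recorded as withheld rather than failing the run.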

User Stories

  • As a developer, I can install the Community release candidate and verify the package version, checksum, and public release notes before adoption.
  • As a platform engineer, I can validate signatures, provenance, and the release verifier output before adding CAVRA to CI runner images.
  • As a CISO, I can review a single public RC evidence packet before approving CAVRA for broader AI-agent governance pilots.
  • As an auditor, I can confirm that Community artifacts were built from public source and that Enterprise-only code was not included.

Current Decision

The Community v1.0.0 RC path is ready to prepare for publication, but it is not yet a tagged RC release. Final artifact checksums, signatures, provenance, and post-release verification must be recorded after the maintainer publishes the actual RC artifacts.

Boundary Notice

This packet is public Community release-candidate hardening only. It does not include Enterprise source code, private policy packs, private trial packages, license-service internals, SaaS backend implementation, private signing keys, private registry credentials, private customer templates, or customer records.

Next Recommendation

Prepare Community v1.0.0 release-candidate publication from the completed Node 24 readiness baseline with signed artifact verification, provenance evidence, release notes, and announcement readiness.
