release: v1.0.0 — Quartz Maturity (Stable) — GitHub Action #1
Merged
- ZENZIC_BRAIN.md: Trinity Mesh Synchronization policy added (CEO-235/236)
- ZENZIC_BRAIN.md: Zone A/B markers (ZONE_B_START/ZONE_B_END) around [ACTIVE SPRINT]
- ZENZIC_BRAIN.md: [ACTIVE SPRINT] D096 cross-repo governance entry
- .github/copilot-instructions.md: shadow sync
- .github/workflows/self-check.yml: full OS matrix [ubuntu, macos, windows], fail-fast: false
- justfile: updated recipes
- SECURITY.md: security policy
Red Team audit (CEO-250) confirmed that the sarif-file input accepted arbitrary paths, allowing writes outside the checkout directory.
- zenzic-action-wrapper.sh: sandbox guard added after defaults (BUG-006). Absolute paths (/*) and traversal sequences (*../* | /..) are rejected with a fatal ::error annotation before any file redirection occurs. Output-first semantics preserved: guard fires BEFORE the > redirect.
- action.yml: sarif-file description updated — 'relative path' constraint and forbidden patterns documented.
- README.md: inputs table updated — sarif-file constraint documented.
- ZENZIC_BRAIN.md: [POLICIES] SARIF Integrity — BUG-006 invariant added.
Lesson: 'Inputs that define output paths are security vectors.'
Smoke test:
  sarif-file=/etc/passwd → ::error + exit 1 ✅
  sarif-file=../../evil → ::error + exit 1 ✅
  sarif-file=valid.sarif → guard passes ✅
ALL BREACHES SEALED — branch: release/v1.0.0
…, noxfile.py, justfile, scripts/**, .github/** entries. All source files carry SPDX headers inline. Add zenzic-results.sarif (JSON/SARIF) to REUSE.toml.
Aligns zenzic-action with the v0.7.0 "Quartz Maturity" doctrine shared across the four-repo constellation.
- justfile: collapse to single `just verify` entry-point (4-Gates Standard); honour `ZENZIC_PROJECT_PATH` for unreleased-core dogfooding.
- noxfile.py: same canonical Sentinel invocation (`uv run --project ../zenzic zenzic check all --strict`); add `tests` session with shell `bash -n` validation of the wrapper.
- .pre-commit-config.yaml: pre-push Final Guard mirrors `just verify` so local ≡ remote (EPOCH 4 contract).
- self-check.yml: GHA now runs the same `just verify` against an out-of-tree checkout of zenzic core — no more multi-OS divergence, one truth path.
- README.md/README.it.md: 4-Gates Sentinel Seal + REUSE 3.x badges, Documentation Map "Quartz Promise" section linking ADR-0011 + Tech Debt Ledger; full IT mirror (language parity).
Per CEO Zero-Brain Policy 2.0 — v0.7.0 is "Anno Zero": the existence of `scripts/map_action.py` (which generated `ZENZIC_BRAIN.md`) is itself a violation of the new deterministic policy.
Changes:
- git rm scripts/map_action.py (DELETION, not rename)
- justfile: remove `map-update` recipe (no replacement — cartographer is gone)
- .gitignore: add coverage artefacts block (Determinism Invariant)
- .zenzic.dev.toml: extend forbidden_patterns blacklist (ZENZIC_BRAIN.md, zenzic brain map, brain-map-check, map_action.py, Sovereign Memory, Mnemonic) — Sentinel Guard firewall
- Local .draft/ vault scrubbed of brain backups (untracked, but residue)
After this commit, the zenzic-action perimeter contains zero references to probabilistic cartography or "brain" lexicon.
Aligns with Phase A housekeeping applied across all ecosystem repos (zenzic, zenzic-doc, zenzic-action). The dev-toml name was a pre-launch artefact; .zenzic.local.toml is the canonical name for the Zero-Config Sovereignty era (EPOCH 7a.1 / v0.7.0).
justfile:
* Add 'lint' recipe (uvx pre-commit run --all-files) — 4-Gates Standard alignment: lint = fast pass without full test suite.
CONTRIBUTING.md:
* Add 'First-Time Setup' section with both pre-commit install commands:
  - commit stage: uvx pre-commit install
  - pre-push Final Guard: uvx pre-commit install -t pre-push
* Expose just lint alongside just verify in the verification section.
Tagline:
* EN: 'The official bridge...' → 'The deterministic enforcement point for documentation integrity in CI. Exit codes are contractual — exits 2 and 3 survive fail-on-error: false.'
* IT: mirror
Exit code contract paragraph (after opening image):
* EN + IT: explicit statement that the wrapper propagates exit codes without remapping; exit 2/3 are never suppressible at the enforcement boundary regardless of fail-on-error or --exit-zero
Add ubuntu-latest + windows-latest matrix (fail-fast: false). Set defaults: run: shell: bash for cross-platform determinism. Inject ZENZIC_EXTRA_ARGS env block with --exclude-url entries for known pre-launch transient zenzic.dev/ URLs and v0.7.0 GitHub tag. Aligns self-check pipeline with Core and Doc Quartz Maturity standard.
…ations
Capture ZENZIC_EXTRA_ARGS into EXTRA_ARGS bash array (word-split
intentional for --exclude-url <url> pairs). Pass "${EXTRA_ARGS[@]}"
to both the SARIF and non-SARIF uvx zenzic check all calls.
Closes silent bypass: callers setting Sovereign Override 404 shield
in their workflow env now have it forwarded to the Zenzic CLI.
Add 'set shell := ["bash", "-c"]' for deterministic cross-platform
recipe execution. Expand check recipe to pass ${ZENZIC_EXTRA_ARGS:-}
so local runs honour the same 404 shield env var as CI.
…gelog
.gitignore: add .zenzic.dev.toml explicitly (was ignored by pattern; now explicit to guard against accidental tracking post-v0.7.0 hard-fail). Local .zenzic.dev.toml purged (git-ignored, no commit needed).
CHANGELOG.md: document Matrix CI, Sovereign Override passthrough, bash-first justfile, and .gitignore hardening under Changed section.
…ile, remove ZENZIC_EXTRA_ARGS from CI
check recipe: guard array bash inline; remove ${ZENZIC_EXTRA_ARGS:-} passthrough.
self-check.yml: drop env block — guard now lives in justfile, local == CI.
…10 Sovereign Parity
action.yml:
- New input: config-file (optional, default empty; auto-discovery when omitted)
- Passes ZENZIC_CONFIG_FILE env var to wrapper
zenzic-action-wrapper.sh:
- Root-First Sentinel: explicit config-file → zenzic.toml → .github/zenzic.toml → defaults
- Sandbox Guard on explicit path: reject absolute paths and path traversal ('..')
- Sovereign Intent Contract: explicit missing config suppresses auto-discovery
(strict=true → fatal error; default → ::warning)
- set -f / set +f around EXTRA_ARGS word-split (glob-safe URL construction)
- CONFIG_ARGS array passed before STRICT_FLAG and EXTRA_ARGS
README.md / README.it.md (bilingual parity):
- Quick Start section with minimal YAML example
- Configuration Discovery table (4 priority levels)
- Sovereign Override section documenting ZENZIC_EXTRA_ARGS pattern
- config-file input documented in Inputs table
- Deep Dive section linking to architecture docs
justfile / .pre-commit-config.yaml (ZRT-010):
- Pre-Launch Guard: add zenzic.dev/developers/ and /it/developers/
- pre-commit hook entry: just check (guard-aware)
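The following is an added example, not the project's zenzic-action-wrapper.sh: it puts the three input guards described in this commit and in the BUG-006 (sarif-file) commit above into standalone POSIX shell functions, so the checks can be exercised outside CI. The function names, annotation wording, return codes, and the extra rejection of drive letters and backslashes (chosen here because the Windows slot runs the wrapper under bash) are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added illustration of the wrapper's input guards; not the project's code.
# Names, messages and return codes below are assumptions.

# Sandbox guard for path-valued inputs (sarif-file, config-file): refuse
# absolute paths and any '..' component with a ::error annotation and a
# non-zero return, so the caller can abort before any redirect opens the
# file. Drive letters and backslashes are refused too (this example's
# choice, since the Windows runner executes the wrapper under bash).
sandbox_guard() {
  name=$1
  path=$2
  case "$path" in
    /*|[A-Za-z]:*)
      echo "::error::$name must be a relative path, got '$path'"; return 1 ;;
    *\\*)
      echo "::error::$name must not contain backslashes, got '$path'"; return 1 ;;
    ..|../*|*/..|*/../*)
      echo "::error::$name must not contain '..' traversal, got '$path'"; return 1 ;;
  esac
  return 0
}

# Output-first semantics: the guard fires before the '>' redirect, so a
# rejected path never creates or truncates a file.
prepare_output() {
  sandbox_guard sarif-file "$1" || return 1
  : > "$1"
}

# Root-First Sentinel: explicit config-file, then zenzic.toml, then
# .github/zenzic.toml, then built-in defaults (CONFIG_PATH left empty).
# An explicit but missing file suppresses auto-discovery: fatal when
# strict is "true", a ::warning plus defaults otherwise.
resolve_config() {
  explicit=$1
  root=$2
  strict=$3
  CONFIG_PATH=""
  if [ -n "$explicit" ]; then
    sandbox_guard config-file "$explicit" || return 1
    if [ -f "$root/$explicit" ]; then
      CONFIG_PATH=$explicit
      return 0
    fi
    if [ "$strict" = "true" ]; then
      echo "::error::config-file '$explicit' not found"; return 1
    fi
    echo "::warning::config-file '$explicit' not found; using built-in defaults"
    return 0
  fi
  for candidate in zenzic.toml .github/zenzic.toml; do
    if [ -f "$root/$candidate" ]; then
      CONFIG_PATH=$candidate
      return 0
    fi
  done
  return 0
}

# Glob-safe word split of ZENZIC_EXTRA_ARGS: 'set -f' disables pathname
# expansion so a token such as 'https://zenzic.dev/*' is passed through
# literally instead of being matched against files in the checkout, while
# 'set --' performs the intended split on whitespace. Prints the resulting
# word count; a real wrapper would continue with the positional parameters,
# e.g. uvx zenzic check all "$@".
count_extra_args() {
  set -f
  set -- $1
  set +f
  echo "$#"
}

# Smoke run mirroring the BUG-006 commit's cases; nothing here exits the shell.
for p in /etc/passwd ../../evil valid.sarif; do
  if sandbox_guard sarif-file "$p"; then echo "guard passes: $p"; else echo "rejected: $p"; fi
done
```

The three `sandbox_guard` arms are ordered so that the most specific diagnosis is printed first; a value such as `dir\..\evil` is reported as a backslash problem rather than as traversal. `count_extra_args` restores globbing with `set +f` on return, which is only correct if the caller had it enabled, as a CI wrapper normally does.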
Same pattern as zenzic core (227ab69): markdownlint-cli hooks create thousands of small files on NTFS, freezing the GHA Windows runner. Matrix now uses include format with lint: false on windows-latest. Windows validates action logic and path handling via: just check + just test. Linting is enforced exclusively by the Ubuntu slot.
Z906 NO_FILES_FOUND fired because zenzic defaulted to looking for a docs/ directory. zenzic-action has no docs tree; all documentation is root-level Markdown (README, CONTRIBUTING, CHANGELOG, SECURITY, RELEASE). Fix: docs_dir = "." + engine = "standalone" scans the root-level prose without any nav contract, matching the same pattern as zenzic-core.
Consistent with zenzic-core (c9a9d48) and zenzic-doc (ceab5f5). The stages: [pre-commit] scope prevents the hook from firing when pre-commit runs in --all-files mode on main during just verify.
excluded_file_patterns is checked by the document exclusion manager only. The asset scanner (Z903 source) checks excluded_build_artifacts against rel_posix via fnmatch. Moving *.sh to the correct field suppresses the false-positive on zenzic-action-wrapper.sh.
All zenzic.dev URLs now resolve (deployed via release-docs.yml). v0.7.0 tag is live on GitHub. Permanent exclusion retained: contributor-covenant.org (flaky third-party).
https://github.com/PythonWoods/zenzic-doc/pull/45

First stable release of the zenzic-action composite GitHub Action, tracking Zenzic Core v0.7.0 (Quartz Maturity).

What ships
- action.yml — composite action: installs uv, runs zenzic-action-wrapper.sh. Inputs: version, format, sarif-file, upload-sarif, strict, fail-on-error, config-file. Outputs: sarif-file, findings-count.
- zenzic-action-wrapper.sh — strict execution layer enforcing the Zenzic Exit Code Contract (exits 0/1/2/3), SARIF integrity check, SARIF Jailbreak guard, Config Jailbreak guard, Root-First Sentinel config discovery, Sovereign Override passthrough (ZENZIC_EXTRA_ARGS).
- zenzic.toml — standalone prose-only perimeter (engine = "standalone", docs_dir = "."). Fixes Z906 NO_FILES_FOUND. Excludes *.sh via excluded_build_artifacts (fixes Z903).
- self-check.yml — 2-OS matrix (ubuntu-latest full verify, windows-latest lint-free).
- no-commit-to-branch scoped to stages: [pre-commit].
- contributor-covenant.org only.
- zenzic.dev and v0.7.0 release tag are now live and validated unconditionally.

Exit Code Contract
fail-on-error: false

Verification
just check → ✨ Sentinel Seal (0 errors, 0 warnings)

Full changelog: CHANGELOG.md
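The Exit Code Contract stated in the README commit and in the description above, as an added example that is not the project's wrapper code: the bypass the contract rules out (treating fail-on-error: false as "always exit 0") beside the contractual mapping, and a runner that applies it to a real command. Assumptions made here: exit 1 is the only code fail-on-error may downgrade, codes 2 and 3 (and anything unknown) pass through unchanged, and a caller-supplied --exit-zero is refused with exit 3 at the boundary rather than forwarded to the CLI.

```bash
#!/usr/bin/env bash
# Added illustration of the exit-code policy; not the project's wrapper.
# Code meanings and the --exit-zero handling are this example's assumptions.

# The bypass: with fail-on-error: false a naive wrapper returns 0 for
# everything, so an install, config or SARIF-integrity failure (2/3) looks
# like a clean run to the calling workflow.
naive_exit_code() {
  tool_rc=$1
  fail_on_error=$2
  if [ "$fail_on_error" = "false" ]; then
    echo 0
  else
    echo "$tool_rc"
  fi
}

# Contractual mapping: only code 1 is negotiable. Everything else, including
# codes the wrapper does not recognise, is propagated without remapping.
contract_exit_code() {
  tool_rc=$1
  fail_on_error=$2
  case "$tool_rc" in
    0) echo 0 ;;
    1) if [ "$fail_on_error" = "false" ]; then echo 0; else echo 1; fi ;;
    *) echo "$tool_rc" ;;
  esac
}

# Refuse --exit-zero before the CLI ever sees it (this example's choice):
# the enforcement boundary, not the caller, decides what may be suppressed.
reject_exit_zero() {
  for arg in "$@"; do
    case "$arg" in
      --exit-zero|--exit-zero=*)
        echo "::error::--exit-zero is not accepted at the action boundary"
        return 1 ;;
    esac
  done
  return 0
}

# Run a command under the contract and return the mapped exit code.
# Usage: run_with_contract <fail-on-error> <command...>
run_with_contract() {
  fail_on_error=$1
  shift
  reject_exit_zero "$@" || return 3   # assumption: 3 = wrapper-level error
  wrapper_rc=0
  "$@" || wrapper_rc=$?
  mapped=$(contract_exit_code "$wrapper_rc" "$fail_on_error")
  if [ "$mapped" -ne "$wrapper_rc" ]; then
    echo "::warning::tool exited $wrapper_rc; fail-on-error=false downgraded it to $mapped"
  fi
  return "$mapped"
}

# Side-by-side table for the four contract codes under fail-on-error: false.
for rc in 0 1 2 3; do
  printf 'tool=%s naive=%s contract=%s\n' "$rc" \
    "$(naive_exit_code "$rc" false)" "$(contract_exit_code "$rc" false)"
done
```

Because `contract_exit_code` only ever rewrites 1, a downgraded run is still visible in the job log through the ::warning annotation, while a 2 or 3 reaches the workflow untouched and fails the step regardless of the input value.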