v0.23.0
·
621 commits
to master
since this release
version: 0.23.0
date: 2026-06-10
headline: "The public-repo era lands — registry-first installs, the repo-self DOS gate with a live badge, and a witness-gated publish pipeline."
themes: ["install", "gate", "publish", "readme", "quickstart", "docs"]
highlights:
- "Install flips registry-first — pip install dos-kernel is now the default everywhere"
- "Repo-self DOS gate: CI runs commit-audit + verify through the bundled verify-action"
- "README wears the live verified-by-DOS badge, and dos lint --strict reddens it on dead policy"
- "Publish pipeline gains the ci-green witness gate and a docs-aware test matrix"
- "README rebuilt for PyPI — absolute links, humanized prose, modular docs/readme/ source"
- "Quickstart demo reframed for the wider first-contact audience"
TL;DR — the first release cut from the public repo, on the heels of dos-kernel going live on PyPI. Every install channel now defaults to the registry, the repo verifies itself in CI with its own kernel (and wears the badge to prove it), and the publish pipeline refuses to upload any SHA without a green CI witness.
install — registry-first everywhere
- Every install channel defaults to
pip install dos-kernelnow that 0.22.0 is live on PyPI.- Why: the git+ form was the pre-publish stopgap; the registry is the honest default.
- How:
docs/INSTALL.md,README.md,install.sh/install.ps1, the plugin README, and thedos-setupskill all flipped in one sweep; the git+ form remains documented for tracking unreleasedmaster.
- The plugin build carries the public-repo
git+prerequisite into the authoreddos-setupsource, so the bundled skill never points at a private path.- How:
scripts/build_plugin.py.
- How:
gate — the repo verifies itself (docs/112 Phase 0)
- New
dos-gate.ymlworkflow runsdos commit-audit+dos verifyon every push, through the bundledverify-action— the kernel adjudicating its own repo in CI.- Why: "eat the dog food where the world can watch" — the badge is earned per-push, not asserted.
- How:
.github/workflows/dos-gate.yml+verify-action/action.yml.
dos lint --strictis the gate's third leg — dead policy indos.toml(a shadowed lane region, a dangling alias) now reddens the badge.- How:
.github/workflows/dos-gate.ymlleg 3;dos.tomlgained acilane.
- How:
- README wears the live verified-by-DOS badge, and
docs/BADGE.mddocuments the earn-it paths with agent examples. verify-actioncopy-paste refs retargeted at refs that actually exist (fix).
publish — the pipeline distrusts the tag
- The ci-green witness gate:
publish.ymlrefuses to upload any SHA without a completed greenci.ymlrun on those exact bytes — "I tagged it" is a forgeable claim; a CI run on the bytes is not.- How:
.github/workflows/publish.ymlpolls for the witness, then holds at the protectedpypienvironment for operator approval.
- How:
- Docs-aware CI matrix with timeouts on every job — prose-only pushes run a 2-leg matrix, code runs the full 4-leg grid plus the per-platform wheel build.
- How:
.github/workflows/ci.yml.
- How:
ci-ok— a single aggregator job for branch protection to require, instead of enumerating every matrix leg.- How:
.github/workflows/ci.yml.
- How:
readme — rebuilt for the registry
- README source split into modular
docs/readme/parts and assembled byscripts/build_readme.py, with the prose humanized for first contact.- How: twelve
docs/readme/NN_*.mdparts +tests/test_readme_assembly.pypinning the assembly.
- How: twelve
- All image/link targets absolutized — PyPI renders the long description from the registry, where relative paths 404.
- The value chain surfaced — the swarm-host row, the hermes dialect, and the downstream verdict flow.
quickstart — first contact, reframed
dos quickstartreframed for the wider audience — the 60-second caught-lie demo now reads for someone who has never met the substrate.- How:
src/dos/cli.py+docs/CLI.md, pinned bytests/test_cli_ergonomics.py.
- How:
docs — the public-repo contract
- The private sibling renamed
dos-strategy→dos-privateacross the living contract and every doc that names it. - The retired
anthony-chaudhary/dosslug retargeted atdos-kerneleverywhere it lingered (fix). SECURITY.mdgains the Publication gate section — the public stub for the maintainer-side leak scan.- Commits default to no agent co-author trailer — stated in the contract, public history stays clean.
- The release skills learned the public-repo era — a push is publication, the tag is the publish trigger, the leak gate is fail-closed.
- docs/292 planned — the README audience gradient, six reader on-ramps.