v0.5.0 release notes
Migrated from the paxman repository's docs/sprints/v0.5.0-release-notes.md as part of the Sprint 11 repo spring clean.
- Release date: 2026-06-26
- Status: Published to TestPyPI (Sprint 9 deliverable D9.11)
- PyPI: https://test.pypi.org/project/paxman/ (TestPyPI)
- Branch: `sprint-9-production-hardening`
- Sprint: Sprint 9 — Production Hardening

This is the v0.5.0 feature-complete beta release of Paxman, published to TestPyPI as part of Sprint 9. It includes all the production-hardening work: performance benchmarks, security audits, OIDC trusted publishing, and repository governance.
- Full V1 pipeline (Sprints 1-8): normalize, replay, evidence, confidence
- 5 V1 capabilities: text_extraction, regex_extraction, lookup, inference, validation
- 4 contract adapters: Pydantic, JSON Schema, Dict DSL, OpenAPI
- Deterministic replay with SHA-256 `replay_hash` (byte-equal rehydration)
- Performance benchmarks established — all runtime targets met
- Security clean — bandit 0 findings, pip-audit 0 Critical/High CVEs
- Trusted publishing via OIDC (no API tokens in the repo or environment)
| Operation | Baseline p50 | After D9.5 p50 | Target (p50) | Status |
|---|---|---|---|---|
| normalize() (20-field, 100 KB) | 24.30 ms | 6.32 ms (3.8x faster) | ≤200 ms | met with huge margin |
| replay() (standard 5 KB) | 1.17 ms | 1.17 ms (unchanged) | ≤50 ms | met |
| replay() (inflated 100 KB) | 0.90 ms | 0.90 ms (unchanged) | ≤50 ms | met |
| Cold import (paxman) | 341.20 ms | 341.20 ms (deferred) | ≤100 ms | missed (V2 work) |
D9.5 optimization: The dual-path density scan in planner/input_profile.py delivered a 3.8x speedup on the 100 KB normalize benchmark (24.30 ms → 6.32 ms). The fast path uses C-level bytes.count() over ASCII whitespace bytes for ASCII-only input; the slow path decodes and counts per-character using str.isspace() for non-ASCII input (preserving the documented "non-whitespace characters" contract for UTF-8 multi-byte sequences, CJK, NBSP, etc.). All 2356 tests pass; mypy --strict clean.
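The dual-path idea described above, sketched as an added example (not the code in planner/input_profile.py). The function names and the density definition are assumptions. It shows the one place the two paths can disagree: `str.isspace()` treats the ASCII separators 0x1c-0x1f as whitespace, while `bytes.isspace()` does not.

```python
# Added illustration; function names are hypothetical, not Paxman's API.
# Every ASCII code point for which str.isspace() is True. The separators
# 0x1c-0x1f are included: bytes.isspace() ignores them, str.isspace() does not.
ASCII_WS = b"\t\n\x0b\x0c\r\x1c\x1d\x1e\x1f "


def non_ws_fast(data: bytes) -> int:
    """Fast path: C-level bytes.count() per whitespace byte (ASCII-only input)."""
    return len(data) - sum(data.count(b) for b in ASCII_WS)


def non_ws_slow(data: bytes) -> int:
    """Slow path: decode, then test each character with str.isspace()."""
    # Assumption: undecodable bytes become U+FFFD and count as non-whitespace.
    text = data.decode("utf-8", errors="replace")
    return sum(1 for ch in text if not ch.isspace())


def non_ws_count(data: bytes) -> int:
    """Dispatch on bytes.isascii() so both paths honour one contract."""
    return non_ws_fast(data) if data.isascii() else non_ws_slow(data)


def density(data: bytes) -> float:
    """Non-whitespace characters per input byte (0.0 for empty input)."""
    return non_ws_count(data) / len(data) if data else 0.0


if __name__ == "__main__":
    # Constructed samples: plain ASCII, NBSP, CJK with an ideographic space.
    for sample in (b"a b\tc\n", "a\u00a0b".encode(), "漢字\u3000テスト".encode()):
        print(sample, non_ws_count(sample), round(density(sample), 3))
```
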
Note: Performance targets are aspirational, not SLOs (per ARCHITECTURE.md §14). All runtime operations meet targets by wide margins. The cold-import miss is documented in performance-baseline.md §3 and is on the v0.6.0 performance sprint backlog (per sprint risk register).
Full methodology and post-optimization results: performance-baseline.md.
| Check | Tool | Result |
|---|---|---|
| Source code security lint | bandit 1.9.4 | 0 findings (no High/Medium/Low) |
| Dependency vulnerabilities | pip-audit 2.10.1 | 0 Critical/High CVEs |
| Vulnerability disclosure | SECURITY.md §7 | Updated to security@nexusnv.net |
Full reports:
Paxman is a pure-Python library with zero compiled extensions. hatchling produces a universal py3-none-any wheel that satisfies V1_ACCEPTANCE_CRITERIA.md §3.1 automatically:
- `linux/amd64`
- `linux/arm64`
- `osx/amd64`
- `osx/arm64`
- `win/amd64`

No per-platform build matrix is required. The same wheel installs and runs on all platforms. This is documented per Oracle M6 review and avoids future confusion about why we don't have a `matrix:` block in the release workflow.
This release is published using PyPI Trusted Publishing (OpenID Connect):
- No API tokens are stored in the repo or the GitHub Actions environment
- The GitHub OIDC token authenticates the publish request via the PyPI trusted publisher configuration
- The release workflow is at `.github/workflows/release.yml` and triggers on tag push (`v*`)
- Fallback: TestPyPI first, then real PyPI in Sprint 10
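
A check a reviewer could run against a release workflow to confirm the properties listed above, as an added example that is not part of the project. The embedded workflow is a constructed sample, not the contents of `.github/workflows/release.yml`, and `audit_trusted_publishing` is a hypothetical helper that uses text heuristics rather than a YAML parser.

```python
import re

# Constructed sample workflow (not the project's release.yml): tag-triggered
# publish to TestPyPI using the GitHub OIDC token instead of a stored secret.
SAMPLE_WORKFLOW = """\
on:
  push:
    tags: ["v*"]
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - run: python -m pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
"""


def audit_trusted_publishing(workflow_text: str) -> list[str]:
    """Return findings; an empty list means the text matches the OIDC pattern."""
    # Drop YAML comments so a commented-out line cannot satisfy or trip a check.
    body = "\n".join(re.sub(r"(^|\s)#.*$", "", ln) for ln in workflow_text.splitlines())
    findings = []
    if not re.search(r"^\s*id-token:\s*write\s*$", body, re.M):
        findings.append("missing 'id-token: write' permission (no OIDC token is minted)")
    if not re.search(r"uses:\s*pypa/gh-action-pypi-publish@", body):
        findings.append("no pypa/gh-action-pypi-publish step found")
    if re.search(r"^\s*(password|user):", body, re.M):
        findings.append("publish step passes user/password (API token auth, not OIDC)")
    if re.search(r"\$\{\{\s*secrets\.", body):
        findings.append("workflow references a stored secret (review it)")
    if not re.search(r"tags:\s*\[?\s*(-\s*)?[\"']?v\*", body):
        findings.append("workflow is not restricted to v* tag pushes")
    return findings


if __name__ == "__main__":
    print(audit_trusted_publishing(SAMPLE_WORKFLOW) or "no findings")
```
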
New in Sprint 9:
- `.github/CODEOWNERS` — all changes to `src/paxman/` require explicit review from the project owner (@nexusnv)
- `.github/dependabot.yml` — weekly dependency update PRs (pip + GitHub Actions)
- `docs/MAINTAINERS.md` — list of project maintainers and contact preferences
- `SECURITY.md` §7 — vulnerability disclosure email updated to `security@nexusnv.net`
- `pytest-benchmark` harness for `paxman.normalize()` (D9.1)
- `pytest-benchmark` harness for `paxman.replay()` (D9.2)
- Cold-import time benchmark script (D9.3)
- Performance baseline report with post-optimization results (D9.4)
- Performance optimizations for input profiling, lazy imports, and replay hash caching (D9.5)
- `make benchmark`, `make benchmark-quick`, `make profile` targets (D9.17)
- `make security-audit` runs both bandit + pip-audit (D9.17)
- `.github/workflows/release.yml` for OIDC trusted publishing (D9.10)
- `.github/CODEOWNERS` (D9.13)
- `.github/dependabot.yml` (D9.14)
- `docs/MAINTAINERS.md` (D9.15)
- `bandit-report.md` and `pip-audit-report.md` (D9.6, D9.7)
- `SECURITY.md` §7: disclosure email → `security@nexusnv.net` (D9.16)
- `Makefile`: `security-audit` now runs bandit + pip-audit (D9.17)
- (no public API bug fixes in Sprint 9)
```bash
# From TestPyPI
pip install -i https://test.pypi.org/simple/ paxman
# Verify the install
python -c "import paxman; print(f'paxman {paxman.__version__}')"
```

The TestPyPI wheel was verified to install and import successfully on:
- Linux x86_64 — verified end-to-end (build → install → import → functional test).
- macOS arm64 and Windows amd64 — formally waived for Sprint 9 (pure-Python `py3-none-any` wheel; deferred to Sprint 10). See `cross-platform-verification.md` for rationale.
- Real PyPI publish via OIDC
- External user validation (3+ target users)
- Performance optimization sprint (cold import time)
- Final pre-1.0 documentation pass
- GitHub release with full changelog
- `sprint-09-production-hardening.md` — full sprint plan
- `performance-baseline.md` — performance benchmarks + profiling
- `bandit-report.md` — source code security audit
- `pip-audit-report.md` — dependency audit
- `../CHANGELOG.md` — version history
- `../V1_ACCEPTANCE_CRITERIA.md` — V1 definition of done