v0.5.0 release notes

Azahari Zaman edited this page Jun 27, 2026 · 1 revision

Migrated from the paxman repository's docs/sprints/v0.5.0-release-notes.md as part of the Sprint 11 repo spring clean.


Paxman v0.5.0 — Production Hardening Release Notes

Release date: 2026-06-26
Status: Published to TestPyPI (Sprint 9 deliverable D9.11)
PyPI: https://test.pypi.org/project/paxman/ (TestPyPI)
Branch: sprint-9-production-hardening
Sprint: Sprint 9 — Production Hardening

This is the v0.5.0 feature-complete beta release of Paxman, published to TestPyPI as part of Sprint 9. It includes all the production-hardening work: performance benchmarks, security audits, OIDC trusted publishing, and repository governance.

Highlights

  • Full V1 pipeline (Sprints 1-8): normalize, replay, evidence, confidence
  • 5 V1 capabilities: text_extraction, regex_extraction, lookup, inference, validation
  • 4 contract adapters: Pydantic, JSON Schema, Dict DSL, OpenAPI
  • Deterministic replay with SHA-256 replay_hash (byte-equal rehydration)
  • Performance benchmarks established — all runtime targets met
  • Security clean — bandit 0 findings, pip-audit 0 Critical/High CVEs
  • Trusted publishing via OIDC (no API tokens in the repo or environment)

Performance Baseline

| Operation | Baseline p50 | After D9.5 p50 | Target (p50) | Status |
|---|---|---|---|---|
| normalize() (20-field, 100 KB) | 24.30 ms | 6.32 ms (3.8x faster) | ≤200 ms | met with huge margin |
| replay() (standard 5 KB) | 1.17 ms | 1.17 ms (unchanged) | ≤50 ms | met |
| replay() (inflated 100 KB) | 0.90 ms | 0.90 ms (unchanged) | ≤50 ms | met |
| Cold import (paxman) | 341.20 ms | 341.20 ms (deferred) | ≤100 ms | missed (V2 work) |

D9.5 optimization: The dual-path density scan in planner/input_profile.py delivered a 3.8x speedup on the 100 KB normalize benchmark (24.30 ms → 6.32 ms). The fast path uses C-level bytes.count() over ASCII whitespace bytes for ASCII-only input; the slow path decodes and counts per-character using str.isspace() for non-ASCII input (preserving the documented "non-whitespace characters" contract for UTF-8 multi-byte sequences, CJK, NBSP, etc.). All 2356 tests pass; mypy --strict clean.
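The dual-path idea described above, as an added sketch that is not the code in planner/input_profile.py: all names are hypothetical, and the choice of which ASCII bytes count as whitespace is an assumption made so that both paths agree with str.isspace().

```python
# Added illustration; names are hypothetical, not Paxman's own.

# ASCII bytes for which str.isspace() is True. Besides space, \t, \n, \v, \f
# and \r this includes the separators 0x1C-0x1F. bytes.isspace() does NOT
# treat those four as whitespace, so a fast path built on it would disagree
# with the slow path on ASCII-only input.
ASCII_WS = b" \t\n\r\x0b\x0c\x1c\x1d\x1e\x1f"


def slow_count(data: bytes) -> int:
    """Reference path: decode, then count per character with str.isspace()."""
    # Undecodable bytes become U+FFFD, which counts as non-whitespace.
    text = data.decode("utf-8", errors="replace")
    return sum(1 for ch in text if not ch.isspace())


def non_whitespace_chars(data: bytes) -> int:
    """Count non-whitespace characters (not bytes) in UTF-8 input."""
    if data.isascii():
        # Fast path: one byte is one character, so counting can stay in C.
        whitespace = sum(data.count(bytes([b])) for b in ASCII_WS)
        return len(data) - whitespace
    # Slow path: multi-byte sequences (CJK, NBSP, U+3000 ...) need decoding,
    # otherwise a 3-byte character would be counted three times.
    return slow_count(data)


def paths_agree(data: bytes) -> bool:
    """Differential check: the optimized result must equal the reference."""
    return non_whitespace_chars(data) == slow_count(data)
```

A differential check like paths_agree() over every ASCII byte value is what catches a fast path that silently changes the documented counting contract.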

Note: Performance targets are aspirational, not SLOs (per ARCHITECTURE.md §14). All runtime operations meet targets by wide margins. The cold-import miss is documented in performance-baseline.md §3 and is on the v0.6.0 performance sprint backlog (per sprint risk register).

Full methodology and post-optimization results: performance-baseline.md.

Security

| Check | Tool | Result |
|---|---|---|
| Source code security lint | bandit 1.9.4 | 0 findings (no High/Medium/Low) |
| Dependency vulnerabilities | pip-audit 2.10.1 | 0 Critical/High CVEs |
| Vulnerability disclosure | SECURITY.md §7 | Updated to security@nexusnv.net |

Full reports:

Platform Support

Paxman is a pure-Python library with zero compiled extensions. hatchling produces a universal py3-none-any wheel that satisfies V1_ACCEPTANCE_CRITERIA.md §3.1 automatically:

  • linux/amd64
  • linux/arm64
  • osx/amd64
  • osx/arm64
  • win/amd64

No per-platform build matrix is required. The same wheel installs and runs on all platforms. This is documented per Oracle M6 review and avoids future confusion about why we don't have a matrix: block in the release workflow.

Trusted Publishing (OIDC)

This release is published using PyPI Trusted Publishing (OpenID Connect):

  • No API tokens are stored in the repo or the GitHub Actions environment
  • The GitHub OIDC token authenticates the publish request via the PyPI trusted publisher configuration
  • The release workflow is at .github/workflows/release.yml and triggers on tag push (v*)
  • Fallback: TestPyPI first, then real PyPI in Sprint 10
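Why no stored token is needed can be seen from the claims the GitHub OIDC token carries. The following is an added model of claim matching, not PyPI's verifier and not code from this project: the claim names are GitHub's, while the publisher record, the owner name example-org, the audience value and the set of checks are assumptions, and signature verification is omitted.

```python
import base64
import fnmatch
import json

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Hypothetical trusted-publisher record (placeholder owner, assumed audience).
PUBLISHER = {
    "audience": "testpypi",
    "repository": "example-org/paxman",
    "workflow": ".github/workflows/release.yml",
    "ref_glob": "refs/tags/v*",  # mirrors the workflow's tag trigger
}

def b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed data for this demo)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{b64url(header)}.{b64url(claims)}.signature-omitted"

def jwt_claims(token: str) -> dict:
    """Decode the payload segment. A real verifier must first check the
    signature against the issuer's published keys; that step is omitted."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def denial_reasons(claims: dict, pub: dict = PUBLISHER) -> list[str]:
    """Names of the checks that fail; an empty list means the run matches."""
    prefix = f'{pub["repository"]}/{pub["workflow"]}@'
    checks = {
        "issuer": claims.get("iss") == GITHUB_ISSUER,
        "audience": claims.get("aud") == pub["audience"],
        "repository": claims.get("repository") == pub["repository"],
        "workflow": str(claims.get("job_workflow_ref", "")).startswith(prefix),
        "ref": fnmatch.fnmatchcase(str(claims.get("ref", "")), pub["ref_glob"]),
    }
    return [name for name, ok in checks.items() if not ok]

# Constructed claim sets: a tag-triggered release run and a run from another repo.
TAG_RUN = {"iss": GITHUB_ISSUER, "aud": "testpypi", "ref": "refs/tags/v0.5.0",
           "repository": "example-org/paxman", "job_workflow_ref":
           "example-org/paxman/.github/workflows/release.yml@refs/tags/v0.5.0"}
FORK_RUN = {**TAG_RUN, "repository": "someone-else/paxman",
            "ref": "refs/heads/main", "job_workflow_ref":
            "someone-else/paxman/.github/workflows/release.yml@refs/heads/main"}
```

The identity is bound to repository, workflow file and ref rather than to a secret, so a run from any other repository or workflow fails the match even though it can obtain a validly signed token of its own.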

Repository Governance

New in Sprint 9:

What's New Since v0.0.0

Added

  • pytest-benchmark harness for paxman.normalize() (D9.1)
  • pytest-benchmark harness for paxman.replay() (D9.2)
  • Cold-import time benchmark script (D9.3)
  • Performance baseline report with post-optimization results (D9.4)
  • Performance optimizations for input profiling, lazy imports, and replay hash caching (D9.5)
  • make benchmark, make benchmark-quick, make profile targets (D9.17)
  • make security-audit runs both bandit + pip-audit (D9.17)
  • .github/workflows/release.yml for OIDC trusted publishing (D9.10)
  • .github/CODEOWNERS (D9.13)
  • .github/dependabot.yml (D9.14)
  • docs/MAINTAINERS.md (D9.15)
  • bandit-report.md and pip-audit-report.md (D9.6, D9.7)

Changed

  • SECURITY.md §7: disclosure email → security@nexusnv.net (D9.16)
  • Makefile: security-audit now runs bandit + pip-audit (D9.17)

Fixed

  • (no public API bug fixes in Sprint 9)

Installation

# From TestPyPI
pip install -i https://test.pypi.org/simple/ paxman

# Verify the install
python -c "import paxman; print(f'paxman {paxman.__version__}')"

Cross-Platform Verification

The TestPyPI wheel was verified to install and import successfully on:

  • Linux x86_64 — verified end-to-end (build → install → import → functional test).
  • macOS arm64 and Windows amd64 — formally waived for Sprint 9 (pure-Python py3-none-any wheel; deferred to Sprint 10). See cross-platform-verification.md for rationale.

What's Next (v1.0.0 — Sprint 10)

  • Real PyPI publish via OIDC
  • External user validation (3+ target users)
  • Performance optimization sprint (cold import time)
  • Final pre-1.0 documentation pass
  • GitHub release with full changelog
