docs(changelog): populate [Unreleased] with audit + H-1 + RFC-011/012 work #116
… work The [Unreleased] section was empty since v2.4.3 cut. Captures everything merged since: RFC-011 local LLM backend (#104), RFC-012 LiteLLM (#108), the H-1 Ruff ratchet (#106 #107 #109 #111 #113), the L-4 CI shell-precedence fix (#112), the spec-drift validator broadening + GOV-009 Snyk declarations (#114), and a CONTRIBUTING.md accuracy pass (#115). Adds a compliance-audit closure table mirroring the running scoreboard in TODO.md, scoped to what shipped — outstanding items (H-3 mypy, H-4 GOV-006, M-2 RFC template, M-4 lock file) listed below the table as remaining work for v2.5.x. Targets v2.5.0 release.
Pull request overview
Populates the previously empty [Unreleased] section in CHANGELOG.md to reflect the work merged since v2.4.3 (audit remediation + RFC-011/012 features) and to prepare notes for the v2.5.0 release.
Changes:
- Add `[Unreleased]` entries for RFC-011 (local backend selection), RFC-012 (LiteLLM provider), CI/audit-related updates, and CONTRIBUTING accuracy fixes.
- Add a compliance-audit closure table plus a short list of remaining audit items.
| - **RFC-011 — Local LLM backend selection** (#104). New `local_backend` | ||
| config knob picks between `llama-cpp-python` (GGUF) and | ||
| `onnxruntime-genai` (ONNX) at runtime. Both ship as optional extras | ||
| (`pip install zettelforge[local]` or `[local-onnx]`). |
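Review bot: The `local_backend` entry names the two backends but the visible lines do not say which values the knob accepts or which one is the default. Because both backends ship only as optional extras, consider stating the accepted values and the default right after "at runtime", so a reader can tell which extra a given setting requires.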
The install command example is inconsistent: `pip install zettelforge[local]` is executable, but the second example is just `[local-onnx]` (missing the `zettelforge` package name). Consider using `pip install zettelforge[local-onnx]` for symmetry and copy/pasteability.
| (`pip install zettelforge[local]` or `[local-onnx]`). | |
| (`pip install zettelforge[local]` or `pip install zettelforge[local-onnx]`). |
| (project hasn't used black for a while) and lists what CI actually | ||
| enforces so new contributors have a green-build target. | ||
|
|
||
| ### Compliance audit closure (`tasks/compliance-audit-2026-04-25.md`) |
`tasks/compliance-audit-2026-04-25.md` appears to be a broken reference: there is no `tasks/` directory (or that audit file) in the repository. Either add the referenced file/path, or adjust this heading/link to point at the actual location of the audit document.
| ### Compliance audit closure (`tasks/compliance-audit-2026-04-25.md`) | |
| ### Compliance audit closure (2026-04-25) |
Bump pyproject.toml 2.4.2 → 2.5.0 (the v2.4.3 tag was cut from a local dev tree but never landed a version-bump commit on master).

Move CHANGELOG [Unreleased] → [2.5.0] - 2026-04-25 and add the three post-#116 sections that were missing:
- RFC-013 Presidio PII detection (#118)
- SECURITY.md + CODEOWNERS (#119/#120-equivalent)
- SHA-pinned GitHub Actions (audit H-5 hardening)
- H-4 closure now reflects #117 + the explanatory CODEOWNERS comment

Outstanding audit work documented at the end: H-3 (mypy strict ratchet), M-2 (RFC template), M-4 (lock file), and H-1 ANN.
Summary
The `[Unreleased]` section of `CHANGELOG.md` has been empty since v2.4.3 was tagged. Captures everything merged since:
Adds a compliance-audit closure table that mirrors the running scoreboard in `TODO.md`, scoped to what's actually shipped. Outstanding items (H-3 mypy strict, H-4 GOV-006 amendment, M-2 RFC template, M-4 lock file) listed below the table as remaining v2.5.x work.
Targets v2.5.0 release.
Test plan
🤖 Generated with Claude Code