[063] Prepare source publication and release readiness

BUILD-GUIDE.md

@@ -65,6 +65,12 @@ npm run build:debug-artifacts
 
 The generated manifests are written to `dist/debug-artifacts/` and are uploaded by `.github/workflows/release-validation.yml`. They record the expected debug artifact paths without using signing secrets. Signed packages must be produced only in the protected `release-signing` environment after human release review. See `docs/release-packaging.md` for the artifact matrix, signing boundary, and publication steps.
 
+## Release Readiness
+
+Public release is blocked until the checklist in `docs/release-readiness.md` is complete for the reviewed commit. The checklist covers test evidence, license and source publication review, privacy review, security audit evidence, artifact review, documentation completeness, and explicit human release approval.
+
+Run `npm run validate:release` during release preparation to verify release metadata, artifact documentation, and the machine-readable readiness checklist in `src/foundation/release-readiness.mjs`. Automated validation does not replace the final human approval gate; package publication, app-store submission, signed artifact upload, and release tagging must wait until a human release approver records approval.
+
 ## Input Action Map
 
 The shared input action map in `src/platform/action-map.mjs` defines common messaging, Teleton Agent, and TON wallet routes once, then adapts them to desktop shortcuts and mobile gestures. The generated plans include collision reports, reserved mobile system gesture notes, accessibility requirements, and `input.riskyActionBindings.enabled` so risky agent or transaction bindings can be disabled without removing visible workflow controls.

CONTRIBUTING.md

@@ -90,6 +90,7 @@ Use these documents as the source of truth for foundation work:
 - `docs/security-audit.md` for secret scanning, credential rotation, and secure storage review requirements.
 - `docs/license-matrix.md` for TDLib, Telegram reference client, Teleton Agent, and TON SDK license obligations before release readiness.
 - `docs/release-packaging.md` for APK, IPA, DMG, EXE, and AppImage artifact targets, public debug manifests, and protected signing boundaries.
+- `docs/release-readiness.md` for the final release checklist covering tests, licenses, source publication, privacy, security, artifacts, documentation completeness, and human release approval.
 - `docs/architecture.md` for planned layers and integration boundaries.
 - `docs/tdlib-adapter.md` for TDLib adapter and credential handling rules.
 - `docs/release-strategy.md` for release metadata policy.

README.md

@@ -50,6 +50,7 @@ This repository is in the foundation phase. The current implementation establish
 - Upstream license matrix for TDLib, Telegram reference clients, Teleton Agent, and TON SDK release review.
 - Documented semantic version source of truth and release metadata validation.
 - Release artifact matrix for APK, IPA, DMG, EXE, and AppImage packaging, with unsigned debug artifact manifests built in public CI and signing reserved for protected environments.
+- Release readiness checklist that gates public publication on test evidence, license and source publication review, privacy review, security audit evidence, artifact review, documentation completeness, and human release approval.
 - Required project documents: `README.md`, `SECURITY.md`, `PRIVACY.md`, `LICENSE`, and `BUILD-GUIDE.md`.
 
 ## Quick Start
@@ -80,7 +81,7 @@ The project is intended to evolve through these layers:
 4. TON blockchain integrations for wallet, transfers, swaps, NFTs, staking, and DNS.
 5. Security and privacy controls for credentials, user consent, and auditability.
 
-See `SECURITY.md`, `docs/architecture.md`, `docs/backlog.md`, `docs/tdlib-adapter.md`, `docs/android-wrapper.md`, `docs/ios-wrapper.md`, `docs/desktop-wrapper.md`, `docs/tablet-layout.md`, `docs/web-pwa-wrapper.md`, `docs/security-audit.md`, `docs/license-matrix.md`, `docs/release-strategy.md`, and `docs/release-packaging.md` for the current foundation plan. The agent settings, local runtime, input action map, Android wrapper, iOS wrapper, desktop wrapper, tablet layout, PWA, message database encryption, secure data deletion, security policy, security audit, license matrix, and release packaging sections record the shared settings UI contract, supported runtime directions, platform execution boundaries, shortcut and gesture behavior, hardware security key capability checks, responsive tablet behavior, web installability behavior, vulnerability reporting expectations, credential rotation expectations, secure storage review requirements, upstream license obligations, protected signing boundaries, and remaining native packaging implementation gaps for Android, iOS, desktop, and web wrappers.
+See `SECURITY.md`, `docs/architecture.md`, `docs/backlog.md`, `docs/tdlib-adapter.md`, `docs/android-wrapper.md`, `docs/ios-wrapper.md`, `docs/desktop-wrapper.md`, `docs/tablet-layout.md`, `docs/web-pwa-wrapper.md`, `docs/security-audit.md`, `docs/license-matrix.md`, `docs/release-strategy.md`, `docs/release-packaging.md`, and `docs/release-readiness.md` for the current foundation plan. The agent settings, local runtime, input action map, Android wrapper, iOS wrapper, desktop wrapper, tablet layout, PWA, message database encryption, secure data deletion, security policy, security audit, license matrix, release packaging, and release readiness sections record the shared settings UI contract, supported runtime directions, platform execution boundaries, shortcut and gesture behavior, hardware security key capability checks, responsive tablet behavior, web installability behavior, vulnerability reporting expectations, credential rotation expectations, secure storage review requirements, upstream license obligations, source publication review, protected signing boundaries, human release approval, and remaining native packaging implementation gaps for Android, iOS, desktop, and web wrappers.
 
 ## Contribution Templates
 

docs/release-readiness.md

@@ -0,0 +1,56 @@
+# Release Readiness
+
+Teleton Client cannot be published publicly from the foundation repository until the release readiness checklist below is completed for the reviewed commit. The checklist is intentionally manual at the final gate: automated validation can prove the repository shape, but a human release approval is required before package publication, app-store submission, signed artifact upload, or release tagging.
+
+`src/foundation/release-readiness.mjs` is the machine-readable source for this gate. `npm run validate:release` verifies that the checklist and documentation inventory remain present before release readiness is claimed.
+
+## Release Gate Checklist
+
+| Gate | Required evidence | Human approver |
+| --- | --- | --- |
+| Tests and Validation Evidence | Record `npm test`, `npm run validate:secrets`, `npm run audit:security`, `npm run validate:foundation`, `npm run validate:release`, `npm run build:debug-artifacts`, and reviewed changelog check results for the exact commit. | Release manager |
+| License and Source Publication Review | Confirm `docs/license-matrix.md` matches shipped dependency versions, source URLs, license texts, notices, local patches, and source publication obligations for GPL, LGPL, unclear-license, and mixed-license inputs. | Legal or release maintainer |
+| Privacy Policy and Data Flow Review | Compare `PRIVACY.md` against shipped Telegram, proxy, Teleton Agent, settings sync, notification, and TON behavior. Confirm release notes, screenshots, fixtures, and logs do not expose private message content. | Privacy reviewer |
+| Security Audit and Vulnerability Intake Review | Attach `security-audit-report.md`, review `SECURITY.md`, confirm private advisory intake, coordinated disclosure, credential rotation, secure storage, diagnostics redaction, and CODEOWNERS review status. | Security maintainer |
+| Release Artifact and Signing Review | Attach unsigned public CI debug manifests for Android, iOS, macOS, Windows, and Linux. Confirm signed artifacts are built only from reviewed commits inside the protected `release-signing` environment. | Release manager |
+| Documentation Completeness Review | Compare shipped foundation modules and tests against README, BUILD-GUIDE, SECURITY, PRIVACY, architecture, release strategy, packaging, security audit, and license documentation. Current behavior must not be overstated as production behavior. | Documentation owner |
+| Human Release Approval | Record explicit human release approval only after every checklist item is complete. Publication, tags, app-store submission, and signed artifact upload stay blocked until this approval is recorded. | Human release approver |
+
+## Documentation Completeness
+
+Documentation is considered release-ready only when it matches the behavior present in the reviewed commit:
+
+- Current behavior must be documented in the same pull request that adds or changes it.
+- Planned behavior must be labeled as future work when no implementation exists yet.
+- Security, privacy, release automation, platform contracts, and user-visible workflows must link to the documents reviewers are expected to inspect.
+- Validation coverage must include either a focused test, release validation rule, foundation validation rule, or an explicit manual review item.
+- Screenshots, logs, fixtures, and release notes must be redacted before they are attached to review records.
+
+## Source Publication Requirements
+
+Before public release, reviewers must confirm that every distributed dependency, bundled binary, native library, WebAssembly module, generated SDK, copied reference asset, and local patch has a release record. The record must include the exact version or commit, source URL, license identifier, license text, notice requirements, and source publication decision.
+
+Copyleft and unclear-license inputs remain release-blocking until a human legal reviewer approves the exact reuse model. Reference-only Telegram clients, GPL or LGPL code, and mixed-license repositories must not be copied into distributed artifacts without a written compliance plan.
+
+## Current Behavior Inventory
+
+| Behavior group | Source of truth | Validation | Release documentation |
+| --- | --- | --- | --- |
+| Release metadata | `src/foundation/release-metadata.mjs` | `test/release-metadata.test.mjs` | `docs/release-strategy.md`, `BUILD-GUIDE.md` |
+| Release artifacts | `src/foundation/release-artifacts.mjs` | `test/release-artifacts.test.mjs` | `docs/release-packaging.md`, `BUILD-GUIDE.md` |
+| Release readiness | `src/foundation/release-readiness.mjs` | `test/release-readiness.test.mjs` | `docs/release-readiness.md` |
+| Security audit | `src/foundation/security-audit.mjs` | `test/security-audit-report.test.mjs` | `docs/security-audit.md` |
+| Secret audit | `src/foundation/secret-audit.mjs` | `test/secret-audit.test.mjs` | `docs/security-audit.md` |
+| License matrix | `docs/license-matrix.md` | `test/license-compliance.test.mjs` | `docs/license-matrix.md` |
+| Privacy policy | `PRIVACY.md` | `test/privacy-policy.test.mjs` | `PRIVACY.md` |
+| TDLib adapter | `src/tdlib/client-adapter.mjs` | `test/tdlib-adapter.test.mjs` | `docs/tdlib-adapter.md` |
+| Message database storage | `src/tdlib/message-database-storage.mjs` | `test/message-database-storage.test.mjs` | `docs/architecture.md` |
+| Settings model | `src/foundation/settings-model.mjs` | `test/settings-model.test.mjs` | `README.md` |
+| Proxy connectivity | `src/foundation/proxy-manager.mjs` | `test/proxy-manager.test.mjs` | `README.md` |
+| Agent settings | `src/foundation/agent-settings-view.mjs` | `test/agent-settings-view.test.mjs` | `docs/architecture.md` |
+| Agent runtime | `src/foundation/agent-runtime-supervisor.mjs` | `test/agent-runtime-supervisor.test.mjs` | `README.md` |
+| TON wallet | `src/ton/wallet-adapter.mjs` | `test/ton-adapter.test.mjs` | `README.md` |
+| Android wrapper | `src/platform/android-wrapper.mjs` | `test/android-wrapper.test.mjs` | `docs/android-wrapper.md` |
+| E2E workflow harness | `src/foundation/e2e-workflow-harness.mjs` | `test/e2e-workflow-harness.test.mjs` | `BUILD-GUIDE.md` |
+
+This inventory is not the full product roadmap. It is the release-review slice that proves current foundation behavior is documented, tested, and separated from future production implementation claims.

docs/release-strategy.md

@@ -16,6 +16,12 @@ The package remains private until a reviewed release workflow is introduced. Pul
 
 See `docs/release-packaging.md` for the artifact paths, runner matrix, protected signing boundary, and publication checklist. Pull requests do not receive signing secrets; signed packages must be produced only from reviewed commits inside the protected `release-signing` environment.
 
+## Release Readiness Gate
+
+`docs/release-readiness.md` is the final source publication, documentation completeness, and release approval checklist. Before public release, a human release approver must confirm test evidence, license and source publication review, privacy review, security audit evidence, artifact review, documentation completeness, and protected signing status for the exact commit being published.
+
+`npm run validate:release` verifies the machine-readable checklist in `src/foundation/release-readiness.mjs`, but automation does not approve a public release. Package publication, release tags, signed artifact uploads, and app-store submissions remain blocked until the human release approval is recorded in the release review.
+
 ## Semantic Versioning
 
 Versions must use stable semantic version format: `MAJOR.MINOR.PATCH`.

scripts/validate-foundation.mjs

@@ -25,6 +25,7 @@ const requiredFiles = [
   'docs/architecture.md',
   'docs/release-strategy.md',
   'docs/release-packaging.md',
+  'docs/release-readiness.md',
   'docs/security-audit.md',
   'docs/license-matrix.md',
   'docs/backlog.md',
@@ -43,7 +44,9 @@ const requiredFiles = [
   'test/agent-plugin-registry.test.mjs',
   'src/foundation/release-artifacts.mjs',
   'scripts/build-debug-artifacts.mjs',
-  'test/release-artifacts.test.mjs'
+  'test/release-artifacts.test.mjs',
+  'src/foundation/release-readiness.mjs',
+  'test/release-readiness.test.mjs'
 ];
 
 for (const requiredFile of requiredFiles) {
@@ -146,6 +149,7 @@ const requiredContributingPatterns = [
   /PRIVACY\.md/,
   /docs\/license-matrix\.md/,
   /docs\/release-packaging\.md/,
+  /docs\/release-readiness\.md/,
   /secrets/i,
   /credentials/i,
   /Telegram API IDs or hashes/i,
@@ -269,6 +273,26 @@ for (const pattern of requiredLicenseMatrixPatterns) {
   assert.match(licenseMatrix, pattern, `docs/license-matrix.md must include ${pattern}`);
 }
 
+const releaseReadiness = await readFile(new URL('docs/release-readiness.md', root), 'utf8');
+const requiredReleaseReadinessPatterns = [
+  /Tests and Validation Evidence/i,
+  /License and Source Publication Review/i,
+  /Privacy Policy and Data Flow Review/i,
+  /Security Audit and Vulnerability Intake Review/i,
+  /Release Artifact and Signing Review/i,
+  /Documentation Completeness Review/i,
+  /Human Release Approval/i,
+  /source publication/i,
+  /human release approval/i,
+  /npm run validate:release/,
+  /release-signing/,
+  /Current Behavior Inventory/i
+];
+
+for (const pattern of requiredReleaseReadinessPatterns) {
+  assert.match(releaseReadiness, pattern, `docs/release-readiness.md must include ${pattern}`);
+}
+
 const docsToScan = [
   'README.md',
   'CONTRIBUTING.md',
@@ -277,6 +301,7 @@ const docsToScan = [
   'BUILD-GUIDE.md',
   'docs/architecture.md',
   'docs/security-audit.md',
+  'docs/release-readiness.md',
   'docs/license-matrix.md',
   'docs/tdlib-adapter.md'
 ];

scripts/validate-release.mjs

@@ -4,12 +4,18 @@ import { readFile } from 'node:fs/promises';
 
 import { RELEASE_METADATA, VERSION_SOURCE_OF_TRUTH, isStableSemver } from '../src/foundation/release-metadata.mjs';
 import { assertReleaseArtifactMatrix, listReleaseArtifactTargets } from '../src/foundation/release-artifacts.mjs';
+import {
+  assertReleaseReadinessChecklist,
+  listReleaseDocumentationInventory,
+  listReleaseReadinessChecklist
+} from '../src/foundation/release-readiness.mjs';
 
 const root = new URL('../', import.meta.url);
 const packageJson = JSON.parse(await readFile(new URL('package.json', root), 'utf8'));
 const changelog = await readFile(new URL('CHANGELOG.md', root), 'utf8');
 const releaseWorkflow = await readFile(new URL('.github/workflows/release-validation.yml', root), 'utf8');
 const releasePackaging = await readFile(new URL('docs/release-packaging.md', root), 'utf8');
+const releaseReadiness = await readFile(new URL('docs/release-readiness.md', root), 'utf8');
 
 assert.equal(VERSION_SOURCE_OF_TRUTH, 'package.json', 'package.json must be the documented version source of truth');
 assert.equal(RELEASE_METADATA.sourceOfTruth, VERSION_SOURCE_OF_TRUTH, 'release metadata must name its source of truth');
@@ -26,6 +32,7 @@ assert.equal(
   'package.json must expose the public debug artifact manifest build command'
 );
 assertReleaseArtifactMatrix();
+assertReleaseReadinessChecklist();
 assert.match(releaseWorkflow, /debug-artifacts:/, 'release workflow must build debug artifact manifests');
 assert.match(releaseWorkflow, /npm run build:debug-artifacts/, 'release workflow must run the debug artifact builder');
 assert.match(releaseWorkflow, /actions\/upload-artifact@v4/, 'release workflow must upload debug artifact manifests');
@@ -38,4 +45,20 @@ for (const target of listReleaseArtifactTargets()) {
   assert.match(releasePackaging, new RegExp(target.debugBuild.id, 'i'), `${target.debugBuild.id} must be documented`);
 }
 
+assert.match(releaseReadiness, /^# Release Readiness$/m, 'release readiness documentation must exist');
+assert.match(releaseReadiness, /human release approval/i, 'release readiness must require human approval');
+assert.match(releaseReadiness, /source publication/i, 'release readiness must cover source publication obligations');
+assert.match(releaseReadiness, /Documentation Completeness/i, 'release readiness must cover documentation completeness');
+
+for (const item of listReleaseReadinessChecklist()) {
+  assert.match(releaseReadiness, new RegExp(item.title.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'i'));
+}
+
+for (const entry of listReleaseDocumentationInventory()) {
+  const sourcePattern = entry.source.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+  const testPattern = entry.test.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+  assert.match(releaseReadiness, new RegExp(sourcePattern), `${entry.source} must appear in release readiness docs`);
+  assert.match(releaseReadiness, new RegExp(testPattern), `${entry.test} must appear in release readiness docs`);
+}
+
 console.log(`Release validation passed for ${packageJson.name}@${packageJson.version}.`);