Release/v1.0.0 prep #4
Merged
… cleanup

Closes the 2026-05-10 Top-N=4 launch readiness audit. Full action list at docs/audit/T-N4-readiness-2026-05-10.md in the aiexponent monorepo.

Production-affecting fix
- Click 8.3 broke the is_eager callback dispatch path Typer 0.12.3 relies on. `riskforge --version` (and any other Typer-dispatched output) silently produced no output on a fresh `pip install` after Click 8.3 shipped. Hard pin click>=8.1,<8.2 in pyproject.toml. Verified 2026-05-10 on Python 3.12.2 against click 8.3.3 (broken) and 8.1.7 (working).

Legal / supply-chain
- LICENSE replaced with the verbatim Apache-2.0 SPDX template (canonical from apache.org). The earlier file had material text drift in §8 and was missing the END OF TERMS line + Appendix template — the cause of GitHub surfacing 'NOASSERTION' instead of 'Apache-2.0'. Copyright moved to a NOTICE file per Apache 2.0 §4(d).
- Sigstore + CycloneDX SBOM provenance verified across all 5 prior releases (v0.1.0–v0.1.4): SBOM as GitHub release asset; Sigstore attestations live on PyPI integrity API.

Documentation authenticity (production surfaces)
- README + CHANGELOG: '50+ guided questions' → 37 questions (canonical count, matches 8 question_bank YAMLs). PyPI long-description for v0.1.4 still carries the old text per PyPI immutability — fix lands with this v1.0.0 publish.
- README: '20 Annex III scenarios' / '20 pre-built risk patterns' → 6 patterns (canonical count, matches patterns.yaml). Future patterns via community contribution per docs/contributing/add-pattern.md.
- README: cost-comparison table footnoted as 'indicative market figures' rather than asserted.
- README: 'compound moat' Mermaid annotated *shipped* / *roadmap* per Steve Jobs critic-panel feedback (only show what ships).
- README + tests_cmd.py help: Article 9(7) → Article 9(6)–(8) per the regulation's actual structure.
- README: time-to-output standardised to ~30 minutes (was a mix of 25/30).
- README: v0.1.3 row added to Releases table (was a gap).

Reproducibility / contributor experience
- pyproject Documentation URL → aiexponent.com/docs/riskforge.
- pyproject coverage `fail_under` raised 24 → 55 (actual coverage 59% post-fix). PRD NFR-6's 80% target re-anchored to v1.1 milestone with the optional `riskforge.server` module test pass.
- CONTRIBUTING.md adds a section explaining why deps are hard-pinned (PRD NFR-6: regulatory-evidence reproducibility).
- SECURITY.md supported-versions table updated for 1.0.x.

Release metadata
- pyproject version 0.1.4 → 1.0.0
- pyproject classifier 'Development Status :: 3 - Alpha' → 'Development Status :: 5 - Production/Stable'
- README footer / Releases table updated.

Tests / CI
- 57/57 tests pass after the click pin. Coverage 59% (over the 55% floor). ruff check + ruff format clean against pinned 0.4.4.

Not in this commit (pending follow-up)
- docs/article-9-mapping.md + docs/audit-chain-design.md — being authored in a parallel work-stream, will land in a separate commit.
- Branch protection on `main` — separately authorized config change, pending.
- vp-responsible-ai G6 sign-off — pending re-review after this lands.
- v1.0.0 git tag + PyPI publish — pending founder approval.
Closes the audit's RF-15 finding (RiskForge had 0 deep-dive `docs/*.md` files vs RAG-Benchmarking's 6). Two new authoritative references for practitioners and security/regulatory reviewers.

docs/article-9-mapping.md (728 lines)
- Paragraph-by-paragraph walk of Article 9(1)–(10) against the shipped question bank and the 8 G1–G8 validation gates
- Honest "what RiskForge does NOT do" callouts for each paragraph, including the website's `paragraph_refs_omitted` block (9(2)(c) post-market loopback; 9(2)(e)–(h) iterative testing)
- Annex IV documentation-pack mapping table — what RiskForge covers and what needs other tooling
- Cross-framework crosswalk: NIST AI RMF, ISO/IEC 42001, Colorado SB 24-205, Texas HB 1709
- All Article-9 quotes verified verbatim against EUR-Lex 2026-05-10. HS-006 in `health_safety.yaml` cites Art. 9(9) — confirmed correct against EUR-Lex (vulnerable-groups paragraph). Earlier draft of this doc had 9(7)/9(8)/9(9) numbering swapped from a pre-final draft of the regulation; corrected before commit.

docs/audit-chain-design.md (524 lines)
- Why the audit chain exists (Art. 12 + Annex IV(2)(g))
- Append-only `audit.jsonl` design read directly from `src/riskforge/engine/audit.py` and the v0.1.1 fix history
- Threat model: protects chronological integrity; does NOT protect the substantive judgement of the assessor (an honest framing the contrarian-challenger Domain Expert called out)
- `riskforge verify` command behaviour (exit 2 on tampering)
- Evidentiary value framing for BSI / TÜV / DEKRA reviewers
- Verification recipe — exact commands a regulator would run
- Roadmap: Sigstore audit-entry signing, key custody, key rotation (currently only release artefacts are Sigstore-signed)

Also fixed a numbering error introduced during drafting:
- §Article 9(7), 9(8), 9(9) sections in article-9-mapping.md had pre-final-draft numbering with vulnerable groups at 9(8) and a phantom "credit institutions" paragraph at 9(9). Verified against EUR-Lex CELEX:32024R1689 (2026-05-10 fetch): 9(7) is the one-sentence real-world testing reference to Art. 60; 9(8) carries the metrics-and-thresholds wording; 9(9) is the vulnerable-groups paragraph; 9(10) is the other-Union-law fold-in. The phantom 9(9) credit-institutions paragraph does NOT exist in the final regulation; removed.
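The commit above describes an append-only `audit.jsonl` whose chain protects chronological integrity and a `verify` command that exits 2 on tampering, without showing the mechanism. The following is an added illustration, not code from `src/riskforge/engine/audit.py` or any other RiskForge source: it assumes a plain SHA-256 hash chain (each line stores the previous line's hash and a hash over that plus its canonical payload), which is one common way to meet that threat model. Entry ids and values are constructed samples.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev-hash carried by the first entry (assumed convention)


def _entry_hash(prev_hash: str, payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible
    # across Python versions and machines; the previous hash is folded in.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def parse_jsonl(text: str) -> list:
    """One JSON object per non-blank line, in file order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def append_entry(text: str, payload: dict) -> str:
    """Return the log with one more line whose hash covers the previous hash."""
    entries = parse_jsonl(text)
    prev_hash = entries[-1]["hash"] if entries else GENESIS
    entry = {"prev": prev_hash, "payload": payload,
             "hash": _entry_hash(prev_hash, payload)}
    return text + json.dumps(entry, sort_keys=True) + "\n"


def verify_chain(text: str) -> int:
    """Exit-code style result: 0 if every link holds, 2 at the first break.

    Detects edited, reordered, deleted or inserted lines. It cannot tell
    whether an assessor's original answer was right; that is the
    'substantive judgement' the commit message explicitly leaves out of scope.
    """
    prev_hash = GENESIS
    for entry in parse_jsonl(text):
        if entry.get("prev") != prev_hash:
            return 2  # line reordered, deleted or inserted before this one
        if entry.get("hash") != _entry_hash(prev_hash, entry.get("payload", {})):
            return 2  # payload edited after it was written
        prev_hash = entry["hash"]
    return 0


def edit_entry(text: str, index: int, field: str, value) -> str:
    """Simulate a retroactive edit of one payload field without re-hashing."""
    entries = parse_jsonl(text)
    entries[index]["payload"][field] = value
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in entries)
```

Note that a chain alone does not detect truncation of the newest lines, since a shorter prefix is still internally consistent; the current head hash has to be anchored outside the file (the roadmap's Sigstore signing of audit entries would cover this).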
Summary

Type of change

Checklist
- `make test` passes (all 53+ tests)
- `make lint` passes (no ruff errors)

For question bank changes
- id,text,guidance,article_refs,nist_rmf_ref,iso42001_ref,regulatory_status

Related issues
Closes #