release(v4.0.0): final GA release-prep (no publish, no tag, no Zenodo)

[Davincc77]

Summary

Release-prep for .klickd v4.0.0 (final, GA). This PR aligns versions, metadata, release notes, and a local bundle-inventory helper for the v4.0.0 final release.

Strict governance — what is NOT in this PR:

• No git tag v4.0.0
• No GitHub Release
• No npm publish and no @klickd/core latest dist-tag flip
• No PyPI publish for klickd==4.0.0
• No Zenodo deposit (no v4.0.0 version-specific DOI yet)
• No public announcement

Those remain final gated public actions for the maintainer after review.

What changes

• Versions bumped to 4.0.0
  • package.json (root): 4.0.0-preview.1 → 4.0.0
  • packages/@klickd/core/package.json: 4.0.0-preview.1 → 4.0.0
  • packages/pypi/klickd/pyproject.toml: 4.0.0a1 → 4.0.0; classifier bumped to Development Status :: 5 - Production/Stable
• CITATION.cff — version: \"4.0.0\", date-released: \"2026-05-25\", top-level DOI removed pending Zenodo deposit; identifiers retain concept DOI 10.5281/zenodo.20262530 and prior version DOI for v3.5.1.
• .zenodo.json — title/version updated to 4.0.0, plain-text description (no HTML), isNewVersionOf relation added pointing to v3.5.1 DOI.
• README.md — badge points to v4.0.0 + concept DOI; JSON example now shows klickd_version: \"3.0\" + payload_schema_version: \"4.0.0\" (matches normative wire envelope); install/cite/badge snippets updated; "Looking ahead" preview section replaced with "Current GA — .klickd v4.0.0" pointing at strict schemas, SDKs, migrator, vectors, and v4 release notes.
• CHANGELOG.md — new ## v4.0.0 (GA) — 2026-05-25 section: what ships, distribution version mapping, backward compatibility, what is explicitly NOT in this PR.
• docs/releases/v4.0.0.md — final GA release notes: TL;DR, what ships, install, migration snippet, validation matrix, compatibility tables, known limitations, final gated actions list.
• scripts/release_bundle_inventory.sh + .gitignore — local helper that builds the npm/PyPI artefacts, snapshots normative files, and emits a deterministic SHA256SUMS to release-artifacts/v4.0.0/. The output dir is gitignored.

Test plan

All suites green on this branch:

• Python vectors — python verify_vectors.py → 77/77 passed (0 failed)
• Node vectors — node verify_vectors.mjs → 60/60 passed (0 failed, 0 skipped)
• v4 strict schema validation — python scripts/validate_v4_schemas.py → All passes
• Python SDK pytest — pytest packages/pypi/klickd/tests/ → 98 passed, 1 skipped
• TypeScript SDK jest — npm test in packages/@klickd/core/ → 96/96 passed (4 suites)
• TypeScript SDK build — npm run build → ESM + CJS + DTS green
• Secret scan on git diff main — no matches against AWS keys / generic password= / token= / BEGIN PRIVATE KEY patterns

Remaining final gated public actions (after maintainer review)

1. Create annotated git tag v4.0.0 on merge commit.
2. Publish GitHub Release for v4.0.0 (marked Latest), pointing at docs/releases/v4.0.0.md.
3. npm publish @klickd/core@4.0.0 and flip dist-tag latest to 4.0.0.
4. twine upload klickd==4.0.0 to PyPI.
5. Zenodo deposit against concept DOI 10.5281/zenodo.20262530 (a new version-specific DOI for v4.0.0 will be minted at deposit time).
6. Public announcements.

---

Generated by Computer

[Davincc77]

Update — v4.0.0 final rebrand to .klickd / klickd.app

Adds commit 43d1039 on this branch:

What changed

Public release-facing surfaces now use .klickd / klickd.app consistently, with .klickd visible next to the creator identity. The personal Luxlearn@pm.me address has been replaced on release-facing surfaces by Klickd-domain addresses.

Final creator / affiliation fields (clean review proposal)

Field	Value
Zenodo creators[0].name	Cirilli, Vincenzo (.klickd)
Zenodo creators[0].affiliation	.klickd / klickd.app, Luxembourg
CITATION.cff family-names	Cirilli
CITATION.cff given-names	Vincenzo
CITATION.cff name-suffix	.klickd
CITATION.cff affiliation	.klickd / klickd.app, Luxembourg
npm @klickd/core author	Vincenzo Cirilli (.klickd) <hello@klickd.app> (https://klickd.app)
PyPI klickd author	name Vincenzo Cirilli (.klickd), email hello@klickd.app
Root package.json author	Vincenzo Cirilli (.klickd / klickd.app, Luxembourg)
paper.md affiliation	.klickd / klickd.app, Luxembourg
SPEC.md maintainer	.klickd / klickd.app (Luxembourg)
SKILL.md maintainer line	.klickd / klickd.app

Files changed in 43d1039

.zenodo.json, CITATION.cff, CONTRIBUTING.md, PITCH.md, SECURITY.md, SKILL.md, SPEC.md, package.json, packages/@klickd/core/README.md, packages/@klickd/core/package.json, packages/PACKAGE_SUMMARY.md, packages/pypi/klickd/README.md, packages/pypi/klickd/pyproject.toml, paper.md.

Public email addresses (need Vince's confirmation before publish)

• SECURITY.md → security@klickd.app
• CONTRIBUTING.md → hello@klickd.app
• PITCH.md → hello@klickd.app
• npm/PyPI author email → hello@klickd.app

These are proposed Klickd-domain alternatives. If Vince prefers different addresses (e.g., a dedicated vince@klickd.app, or keeping Luxlearn@pm.me for legal/historical security disclosures), the relevant lines should be adjusted before any package or Zenodo publish step.

Luxlearn mentions intentionally retained

23 files still contain Luxlearn. All are historical/internal and were left unchanged on purpose (rewriting would alter the archival record or has no public-release surface):

• Frozen prior spec snapshots: SKILL_v25.md, SKILL_v30.md
• Historical benchmark reports: benchmarks/v32/RAPPORT_LOT{2,4,5,9}.md, benchmarks/v32/REFERENTIELS_COMPETENCES_V33.md, benchmarks/v32/RAPPORT_CONSOLIDÉ_V32.md, benchmarks/v32/ANALYSE_AMELIORATIONS_V33_PRELIM.md, benchmarks/RAPPORT_CONSOLIDÉ.md, benchmarks/README.md, benchmarks/context_cost/RFC.md (the entity was named Luxlearn.app at the time of these runs — they are archival)
• RFC document headers (drafts/accepted, dated): docs/rfcs/RFC-001-media-profile-v1.md, docs/rfcs/RFC-002-verification-gates.md, docs/rfcs/RFC-004-migration-backward-compatibility.md, docs/rfcs/RFC-006-agent-core.md, docs/rfcs/RFC-007-usage-profile-skill-routing.md, docs/rfcs/RFC-008-core-update-watch.md, docs/rfcs/v4-media-test-pack.md
• RFC example payload: docs/rfcs/examples/agent_core-v1.example.json (illustrative published_by provenance string)
• Internal use-case docs: docs/use-cases/DOMAIN_PROFILE_CATALOG.md, docs/use-cases/CORE_KLICKD_B2B.md
• Audit record (intentionally frozen): docs/audits/V4_PRE_RELEASE_AUDIT.md documents Luxlearn@pm.me as the prior state — rewriting would falsify the audit trail.

If Vince later wants to scrub these too, a follow-up docs(brand): retire Luxlearn from historical docs PR is the safer path so the rebrand is reviewed in isolation.

Checks

Check	Result
python3 -c json.load(.zenodo.json) + package.json + npm @klickd/core/package.json	✅ parse
python3 -c yaml.safe_load(CITATION.cff)	✅ parse
python3 -c tomllib.load(pyproject.toml)	✅ parse
python3 scripts/validate_v4_schemas.py	✅ all green
python3 verify_vectors.py	✅ 77/77 passed
Secret scan on git diff main (AKIA, sk_live_, ghp_, xoxb-, AIza, BEGIN PRIVATE KEY, api_key=, password=, token=, secret=)	✅ clean

Strict governance reminders

• ❌ No git tag
• ❌ No GitHub release
• ❌ No npm publish / no dist-tag latest flip
• ❌ No twine upload to PyPI
• ❌ No Zenodo deposit
• ❌ No public announcement

Branch ready for maintainer review. Do not merge until Vince confirms the public email choices (hello@klickd.app, security@klickd.app) and the .klickd placement in name/affiliation.

— Generated by agent (Claude Code)