release: dorian v1.0.2 announcement hotfix

[ajaysurya1221]

Summary

Announcement-readiness hotfix on top of v1.0.1. No breaking changes — the warrant format, checker grammar, exit codes, and trust semantics are unchanged. The point is public-facing coherence (one version across PyPI, README, Action docs, and the GitHub release) plus two edge-case bug fixes, a real SCA-scope fix, and CI credential hardening.

Resolves the post-1.0.1 use-and-see validation findings (Codex GPT-5.5 HOTFIX_BEFORE_ANNOUNCE).

Findings closed

#	Sev	Fix
01	P1	publish 1.0.2 to PyPI so pip install dorian-vwp matches the documented command surface
02	P1	dorian/action@main → @v1.0.2 (README + action docs); guard added
03	P2	security.yml pip-audit now audits the project dep set (export + -r), with a scope-assert step
04	P2	persist-credentials: false on every checkout (none do authenticated git ops)
05	P2	export of an artifact literally named *.warrant no longer mis-strips the suffix
06	P2	suggest-claims parses file bytes → PEP 263 encoding cookies honored
07	P2	attestation-interop dorianVersion example is version-neutral; guarded
08	P2	in-toto determinism test asserts both CLI invocations succeed
09	P3	version-sync guard catches "until the PyPI release", action@main, hardcoded dorianVersion
—	P2	symbol_index.pyproject_script_definers guards git ls-files (non-git + precomputed definers no longer raises)

Test / gate evidence

• 874 tracked tests green (+5 new regression tests: export .warrant, PEP 263, unsupported-codec, two non-git symbol_index cases).
• ruff clean, bandit clean, project-scope pip-audit clean (asserts duckdb/anthropic/pytest present).
• wheel + sdist build + twine check pass.
• Both reproducible benchmark suites re-run at 1.0.2 reproduce the 1.0.1 figures exactly (large-mutation P=R=0.93; binding-lifecycle to the same content-derived run_id 168b50d9aa631d52) → the hotfix touches no checker numeric behavior.
• The documented encode/httpx real catch independently reproduced on this build: verify exit 0 → revalidate exit 4 → REVOKED, httpx-python-floor-38 BROKEN (1 selective candidate).

Honest scope

One documented, reproduced real cross-PR catch on frozen public SHAs — not broad real-world validation. --deny-exec/checker_trust: base are fail-closed controls, not sandboxes. suggest-claims checks existence/value, not behavior. The in-toto export is experimental, not a registered predicate.

PyPI plan

After merge: tag v1.0.2, GitHub Release, release-gate on the tag, then publish to PyPI via the publish.yml Trusted-Publisher (OIDC) workflow → pip install dorian-vwp == 1.0.2.

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes – v1.0.2

• Bug Fixes

  • Fixed export handling for artifacts with names ending in .warrant
  • Fixed parsing of Python files with non-UTF8 encodings
  • Improved robustness when git is unavailable

• Documentation

  • Updated release notes and examples for v1.0.2

• Chores

  • Version bumped to v1.0.2
  • Enhanced CI security and dependency auditing

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: ece0fe4a-cd30-4368-a9b8-d281f77d33f8

📥 Commits

Reviewing files that changed from the base of the PR and between 84d6e05 and 76686e2.

📒 Files selected for processing (22)

• .github/workflows/ci.yml
• .github/workflows/public-microbench.yml
• .github/workflows/publish-testpypi.yml
• .github/workflows/publish.yml
• .github/workflows/release-gate.yml
• .github/workflows/security.yml
• .gitignore
• README.md
• action/README.md
• docs/ANNOUNCEMENT_READINESS.md
• docs/ATTESTATION_INTEROP.md
• docs/BENCHMARK_CURRENT.md
• docs/releases/v1.0.2.md
• pyproject.toml
• src/dorian/__init__.py
• src/dorian/commands.py
• src/dorian/suggestclaims.py
• src/dorian/symbol_index.py
• tests/test_intoto_export.py
• tests/test_suggest_claims.py
• tests/test_symbol_index.py
• tests/test_version_sync.py

---

📝 Walkthrough

Walkthrough

Version bump from 1.0.1 to 1.0.2 with three source bug fixes (cmd_export .warrant artifact handling, suggestclaims PEP 263 byte-level parsing, symbol_index non-git fallback), persist-credentials: false added to all CI workflow checkouts, corrected SCA audit scope, and corresponding tests, docs, and release notes.

Changes

dorian v1.0.2 Release

Layer / File(s)	Summary
Version bump to 1.0.2 pyproject.toml, src/dorian/__init__.py	version and __version__ updated from 1.0.1 to 1.0.2.
Source bug fixes: export, suggest-claims, symbol_index src/dorian/commands.py, src/dorian/suggestclaims.py, src/dorian/symbol_index.py	cmd_export now distinguishes artifact paths from .warrant sidecar paths; suggestclaims parses raw bytes to honor PEP 263 encoding cookies, updating caught exception types; pyproject_script_definers returns {} on GitError instead of propagating.
Tests for source bug fixes tests/test_intoto_export.py, tests/test_suggest_claims.py, tests/test_symbol_index.py	Regression tests added for .warrant-named artifact export determinism, PEP 263 Latin-1 and unsupported-codec suggest-claims, and non-git pyproject_script_definers/claim_symbol_watch_paths behavior.
CI checkout credential hardening .github/workflows/ci.yml, .github/workflows/public-microbench.yml, .github/workflows/publish-testpypi.yml, .github/workflows/publish.yml, .github/workflows/release-gate.yml	persist-credentials: false added to all actions/checkout steps across five workflows, including both the test and build-attest jobs in release-gate.yml.
SCA audit scope fix .github/workflows/security.yml	pip-audit step replaced with a sequence that syncs all extras, exports the resolved dependency set to a temp requirements file with package presence assertions, and audits that file rather than pip-audit's own environment.
Version-sync and release-hygiene tests tests/test_version_sync.py	New tests assert README PyPI latest version matches the package version, no dorian/action@main appears in public snippets, no hardcoded dorianVersion value exists in ATTESTATION_INTEROP.md, and extended stale-phrase vocabulary.
Docs, README, and release notes README.md, action/README.md, docs/ATTESTATION_INTEROP.md, docs/BENCHMARK_CURRENT.md, docs/releases/v1.0.2.md, docs/ANNOUNCEMENT_READINESS.md, .gitignore	README and action/README pinned to @v1.0.2 and updated with persist-credentials: false checkout examples; dorianVersion made version-neutral in interop doc; benchmark env stamped at 1.0.2; v1.0.2 release notes and announcement readiness guide added; .gitignore extended with research_packets/ and codex_validation/.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• ajaysurya1221/dorian#4: Touches the same symbol_index.pyproject_script_definers / script-to-definer binding logic that this PR guards with a GitError catch and regression-tests.
• ajaysurya1221/dorian#8: Introduced the cmd_export / --in-toto artifact/sidecar handling and test_intoto_export.py determinism coverage that this PR extends with the .warrant-named-artifact fix.

Poem

🐇 Hop, hop, credentials gone —
No tokens linger after dawn.
.warrant.warrant finds its place,
Latin-1 parsed with proper grace.
Non-git repos no longer break,
v1.0.2 for the project's sake! 🎉

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch v1.0.2-announcement-hotfix

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}