From ee206ed9b7b4aff0d71ff60096f6039bc123fee8 Mon Sep 17 00:00:00 2001 From: stacknil Date: Fri, 3 Jul 2026 19:14:35 +0800 Subject: [PATCH] docs(release): add v0.5 readiness checklist --- CHANGELOG.md | 2 ++ docs/parser-contract.md | 6 ++++++ docs/release-v0.5.0.md | 13 +++++++++++++ docs/reviewer-path.md | 4 ++++ 4 files changed, 25 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5f4a3f1..65a4ece 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -49,6 +49,8 @@ All notable user-visible changes should be recorded here. ### Docs - Added release notes for the v0.5 Evidence Explainability Release. +- Added a release readiness checklist that maps v0.5 requirements to reviewer + evidence and stopping points. - Added a one-page incident-style case that traces raw SSH evidence through normalized events and finding fields to a bounded conclusion. - Added a rule-by-rule false-positive taxonomy for NAT, bastion, internal scanner, diff --git a/docs/parser-contract.md b/docs/parser-contract.md index f13aae4..d85d57b 100644 --- a/docs/parser-contract.md +++ b/docs/parser-contract.md @@ -6,6 +6,12 @@ The guiding rule is: > Parser observability > silent detection claims. +For the v0.5 Evidence Explainability Release, this contract is part of the +release-facing reviewer path. Start with [`docs/release-v0.5.0.md`](./release-v0.5.0.md) +for the release checklist, then use this page to inspect supported inputs, +unsupported-line handling, parser warning categories, and the detection signal +boundary. + ## Supported input modes | Mode | Typical source | Timestamp behavior | Review anchor | diff --git a/docs/release-v0.5.0.md b/docs/release-v0.5.0.md index cb11ac1..103d333 100644 --- a/docs/release-v0.5.0.md +++ b/docs/release-v0.5.0.md 
@@ -18,6 +18,19 @@ for reviewers to verify. - Added false-positive taxonomy and forensic-style case-study documentation for evidence interpretation. +## Release readiness checklist + +| Requirement | Release-facing evidence | Reviewer check | +| --- | --- | --- | +| Changelog names v0.5.0 | [`CHANGELOG.md`](../CHANGELOG.md) | `v0.5.0` exists with explainability, parser observability, and case-study entries | +| Release note theme is Evidence Explainability Release | This document | Title and highlights frame v0.5 around explainability and verification, not new rule volume | +| Finding explainability fields are stable JSON contract | [`docs/report-artifacts.md`](./report-artifacts.md) and [`tests/fixtures/report_contracts/syslog_legacy/report.json`](../tests/fixtures/report_contracts/syslog_legacy/report.json) | Finding objects expose `rule_id`, `subject_kind`, `subject`, `grouping_key`, `window_start`, `window_end`, `threshold`, `observed_count`, `evidence_event_ids`, and `verdict_boundary` | +| Parser contract is release-facing | [`docs/reviewer-path.md`](./reviewer-path.md) and [`docs/parser-contract.md`](./parser-contract.md) | Reviewer path routes v0.5 review through parser behavior, parser warnings, and detection signal boundaries | +| Mixed corpus and parser coverage artifact are included | [`assets/mixed_auth_corpus.log`](../assets/mixed_auth_corpus.log) and [`assets/mixed_auth_parser_coverage.json`](../assets/mixed_auth_parser_coverage.json) | Reviewer can inspect dirty-input coverage without running the tool first | +| False-positive taxonomy is included | [`docs/false-positive-taxonomy.md`](./false-positive-taxonomy.md) | Rule-true evidence is separated from compromise, intent, attribution, and authorization claims | +| Forensic-style case study is included | [`docs/case-study-linux-auth-bruteforce.md`](./case-study-linux-auth-bruteforce.md) | Raw evidence, normalization, findings, warnings, and boundaries are explained as evidence interpretation | +| 
Non-claims are explicit | [Non-claims](#non-claims) | Release note states no compromise verdict, no attribution, no blocking recommendation, and no cross-host correlation | + ## Stable JSON contract `report.json` now identifies the report artifact contract with: diff --git a/docs/reviewer-path.md b/docs/reviewer-path.md index 1673c7d..8168741 100644 --- a/docs/reviewer-path.md +++ b/docs/reviewer-path.md @@ -54,6 +54,10 @@ fields, explain how parser coverage remains visible for unknown lines, and state that findings are bounded triage signals with no compromise verdict, attribution, blocking recommendation, or cross-host correlation claim. +Use the release note's +[`Release readiness checklist`](./release-v0.5.0.md#release-readiness-checklist) +as the compact pass/fail map for the v0.5 scope. + ## 5-minute artifact review Inspect:
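Review bot: In CHANGELOG.md, the new Docs entry does not say where the checklist lives. The rest of this patch shows it is a section of docs/release-v0.5.0.md, so name that path in the entry. The hunk context also does not show which version heading this Docs list sits under, and the checklist's first row requires that `v0.5.0` exists in the changelog, so confirm these entries sit under a v0.5.0 heading before the release is tagged.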
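Review bot: In docs/parser-contract.md, the added paragraph ties a standing contract page to a single release ("For the v0.5 Evidence Explainability Release, this contract is part of the release-facing reviewer path") and will read as stale once the next version ships. It also tells the reader to start at docs/release-v0.5.0.md, while the checklist row "Parser contract is release-facing" points back to this page, so the entry point is ambiguous. Suggest keeping this page version-neutral and leaving the release routing in docs/reviewer-path.md, or stating in one sentence which page comes first.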
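Review bot: In docs/release-v0.5.0.md, the "Finding explainability fields are stable JSON contract" row hard-codes ten field names (`rule_id` through `verdict_boundary`) in the Reviewer check cell, duplicating what docs/report-artifacts.md and the syslog_legacy fixture already carry, so the list will drift silently if a field is renamed or added. Suggest pointing the cell at the contract document for the authoritative list, or backing the row with a test that checks the fixture's finding objects against these keys. The last row links to `#non-claims`, a heading that is outside this hunk, so confirm that section exists in the file and that the anchor resolves.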
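Review bot: In docs/reviewer-path.md, the added sentence calls the checklist "the compact pass/fail map", but the table it links to has the columns Requirement, Release-facing evidence and Reviewer check, with nowhere to record a result. Either add a status column to the table or reword this as a requirement-to-evidence map. The link text is also wrapped in backticks although it is a section title, whereas the other backticked links in this patch are file paths.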