chore(release): v1.4.0

.bumpversion.toml

@@ -2,15 +2,10 @@
 # SPDX-License-Identifier: Apache-2.0
 
 [tool.bumpversion]
-current_version = "1.3.5"
+current_version = "1.4.0"
 parse = "(?P<major>\\d+)\\.(?P<minor>\\d+)\\.(?P<patch>\\d+)"
 serialize = ["{major}.{minor}.{patch}"]
 
-[[tool.bumpversion.files]]
-filename = "CHANGELOG.md"
-search = "## [{current_version}]"
-replace = "## [{new_version}]"
-
 [[tool.bumpversion.files]]
 filename = "package.json"
 search = '"version": "{current_version}"'
@@ -28,4 +23,4 @@ regex = true
 # bump-my-version does NOT manage these files; they are listed here for discoverability.
 # ---------------------------------------------------------------------------
 [tool.bumpversion.custom_variables.core_version]
-current = "0.10.4"
+current = "0.11.0"

.gitignore

@@ -1,36 +1,70 @@
 # SPDX-FileCopyrightText: 2026 PythonWoods <dev@pythonwoods.dev>
 # SPDX-License-Identifier: Apache-2.0
 
-# Python bytecode
+# ============================================================================
+# Zenzic Action — Git Ignore Rules
+# ============================================================================
+
+# ────────────────────────────────────────────────────────────────────────────
+# Environment Configuration
+# ────────────────────────────────────────────────────────────────────────────
+.env
+.env.local
+.zenzic.local.toml
+.zenzic.dev.toml
+
+# ────────────────────────────────────────────────────────────────────────────
+# AI Orchestration & Private Workspace (Zero-Leak Governance)
+# ────────────────────────────────────────────────────────────────────────────
+# Private Tech Lead workspace
+.architect/
+# Local AI routing rules (Trade Secret)
+.clinerules
+# Cursor AI rules (Trade Secret)
+.cursorrules
+# AI Primers and Memory ledgers
+.github/agents/
+# Legacy draft vaults
+.draft/
+
+# ────────────────────────────────────────────────────────────────────────────
+# Python, Testing & Coverage
+# ────────────────────────────────────────────────────────────────────────────
 __pycache__/
 *.pyc
-
-# nox
 .nox/
-
-# Coverage artefacts (Determinism Invariant — never tracked)
+.pytest_cache/
+.hypothesis/
 coverage.json
 coverage.xml
 htmlcov/
 .coverage
 .coverage.*
+mutmut*
+.mutmut-cache/
 
-# Misc
-.DS_Store
-.zenzic.local.toml
-.zenzic.dev.toml
+# ────────────────────────────────────────────────────────────────────────────
+# Zenzic Artifacts (Machine Silence)
+# ────────────────────────────────────────────────────────────────────────────
+# e.g., zenzic-results.sarif
+*.sarif
+# Zenzic local cache (external links, etc.)
+.zenzic_cache/
+# Derived local metadata
+.zenzic-score.json
 
-# EPOCH 4 — draft vault (git-ignored, local reference only)
-.draft/
+# ────────────────────────────────────────────────────────────────────────────
+# IDEs & Operating System
+# ────────────────────────────────────────────────────────────────────────────
+.DS_Store
+.vscode/
+.idea/
+*.swp
 
-# --- Ephemeral Artifacts (Machine Silence) ---
-zenzic-results.sarif
-mutmut*
-.mutmut-cache/
-.pytest_cache/
-.hypothesis/
+# ============================================================================
+# End of .gitignore
+# ============================================================================
 
-# VS Code Copilot agent definitions (local-only)
+# AI Agent Private Memory
+.clinerules
 .github/agents/
-.zenzic_cache/
-.zenzic_cache/

.zenzic.toml

@@ -64,7 +64,7 @@ default_locale = "en"
 # --- BRAND INTEGRITY ---
 [project_metadata]
 release_name = "Magnetite"
-badge_stamp_files = ["README.md", "README.it.md"]
+badge_stamp_files = ["README.md"]
 
 [governance]
 # ---------------------------------------------------------------------------

CHANGELOG.md

@@ -3,9 +3,7 @@
 <!-- markdownlint-disable MD024 -->
 # Changelog
 
-All notable changes to zenzic-action are documented here.
-Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
-Versions follow [Semantic Versioning](https://semver.org/).
+All notable changes to zenzic-action are documented in this file. The project adheres to Semantic Versioning. Major releases represent breaking changes to inputs/outputs, minor releases introduce new options or core package bumps, and patch releases address bug fixes. Format follows Keep a Changelog.
 
 ---
 
@@ -15,44 +13,7 @@ No changes yet.
 
 ---
 
-## [1.3.5] - 2026-06-09
+## Historical Releases
 
-### Changed
-
-- **Operational governance docs:** Added explicit branch-protection policy to `README.md` and `README.it.md`, including required checks for `main` (`Verify (ubuntu-latest, true)`, `Lint PR Title`, `Check DCO`) and fail-closed workflow selection rules.
-- **Core pin:** Zenzic Core pinned to `0.10.4`.
-
----
-
-## [1.3.5] - 2026-06-07
-
-### Changed
-
-- Disabled dependency caching in `setup-uv` to prevent noisy warnings on non-Python repositories.
-
----
-
-## [1.3.5] - 2026-06-07
-
-### Deprecated
-
-- **Versions v1.3.0 and older are officially deprecated.** They contained a critical bug in the bash wrapper that injected an invalid `--config` flag, causing false-positive Exit 2 crashes. Users pinned to exact patch versions must upgrade to `v1.3.1` or use the major tag `@v1`.
-
-### Added
-
-- `guard-scan` input: run `zenzic guard scan` before the main quality gate.
-- `cap-exceeded` output: exposes suppression-cap failures for downstream workflow logic.
-- Sovereign Job Summary output for every critical non-zero exit code.
-
-### Changed
-
-- Runtime governance parity: wrapper executes score governance checks after `check all`.
-- ADR-037 alignment: `release_name` in `.zenzic.toml` set to semantic version form.
-- ADR-089 alignment: GitHub Actions dependencies pinned to immutable SHA-40.
-- Final Guard documentation aligned to the actual `just verify` recipe sequence.
-
-### Security
-
-- Explicitly documented non-suppressible action boundary for exits 2 and 3.
-- Forwarding contract for security-related runtime flags is enforced end-to-end.
-- Inherited governance semantics from core: additive `brand_obsolescence` merge behavior.
+- v1.3.x archive: [changelogs/v1.3.md](./changelogs/v1.3.md)
+- Archive index: [changelogs/README.md](./changelogs/README.md)