release(RAN-66): cut snipIT v0.1.0 — CHANGELOG bump + bestpractices versioning evidence

[aksOps]

Summary

Stage the in-repo half of the v0.1.0 release. Once this lands on main, the signed v0.1.0 git tag + GitHub Release are cut from the squash commit (separate post-merge step), and bestpractices.dev autofill picks up the tag for the 4–5 versioning criteria the board called out in RAN-54 board comment f7b3e917.

Why now

Per the board:

snipIT has 0 GitHub Releases and 0 git tags. Several OSPS criteria still require actual versioning to flip to Met:

• release_notes (Unmet — autofill needs at least one tagged release to verify)
• version_unique (currently ?; flips to Met once a tag exists)
• version_semver, version_tags (SUGGESTED — Met requires SemVer-shaped tags + GitHub Releases)
• release_notes_vulns (MUST — Met requires vuln-aware release notes when applicable)

Tracked under RAN-66 (subtask under RAN-50 → RAN-54).

Changes

CHANGELOG.md

• [Unreleased] → [v0.1.0] - 2026-04-26 with full Added / Changed / Fixed / Security subsections covering everything that landed on main for the OpenSSF baseline:
  • PR feat(RAN-54): land OpenSSF Best Practices passing + Scorecard hardening #1 — RAN-54 baseline + Scorecard hardening (security workflows, dependabot, branch protection, signed-commit setup, engineering-standards runbook)
  • PR RAN-59: rewrite .bestpractices.json to canonical per-criterion schema #3 — RAN-59 canonical-schema rewrite of .bestpractices.json
  • PRs feat(RAN-54): add CHANGELOG.md + docs/README.md to clear bestpractices.dev autofill audit #4 / docs(readme): link Project files table to docs/, CHANGELOG, SECURITY (RAN-64) #5 — RAN-64 CHANGELOG.md + docs/ index
  • PR chore(RAN-54): flip 5 SUGGESTED bestpractices criteria from ? to Met #6 — 5 SUGGESTED criteria flips (version_semver, version_tags, test_most, dynamic_analysis, dynamic_analysis_enable_assertions)
  • PR chore(RAN-54): add CONTRIBUTING.md + retarget 4 _url fields to conventional paths #7 — CONTRIBUTING.md at repo root + conventional-URL retargets (autofill bot heuristic)
• Fresh empty [Unreleased] section opened at top per Keep-a-Changelog 1.1.0.
• Link refs retargeted: compare/v0.1.0...HEAD + releases/tag/v0.1.0.

.bestpractices.json

• version_unique_url + release_notes_vulns_url added (both → https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0) so the bestpractices.dev autofill bot has a concrete URL to verify alongside _status: Met.
• 5 versioning justifications refreshed to cite the concrete v0.1.0 tag instead of forward-looking commitments: version_unique, version_semver, version_tags, release_notes, release_notes_vulns.

Validation

• ✅ pwsh -NoProfile -File ./Test-SnipIT.ps1 → 84/84 pass
• ✅ pwsh -c "Invoke-ScriptAnalyzer -Path ./SnipIT.ps1 -Severity Error" → 0 errors
• ✅ jq empty .bestpractices.json → JSON valid (key count 157 → 159 — the two new _url fields)
• ✅ Signed commit (%G? = G)

Post-merge sequence

1. git tag -s v0.1.0 origin/main -m "snipIT v0.1.0 — initial signed release (OpenSSF Best Practices passing baseline)" then git push origin v0.1.0
2. gh release create v0.1.0 with substantive notes extracted from the v0.1.0 CHANGELOG section
3. Re-trigger bestpractices.dev autofill — board reflips passing once the autofill audit is clean
4. RAN-66 + RAN-54 stay in_review per the Best Practices board-gated done policy — no unilateral transition

Test plan

• Headless tests pass on Linux (84/84)
• PSScriptAnalyzer Error-severity = 0
• .bestpractices.json is valid JSON
• Commit signature verified
• CI gates green on PR (8 required contexts)
• Post-merge: v0.1.0 tag pushed, GitHub Release created, bestpractices.dev autofill re-run

🤖 Generated with Claude Code + Paperclip