Merged
18 changes: 10 additions & 8 deletions .bestpractices.json
Expand Up @@ -65,22 +65,24 @@
"repo_distributed_justification": "git is a fully distributed VCS (each clone contains the full history and every operation works offline). Repo at https://github.com/RandomCodeSpace/snipIT is git-native.",

"version_unique_status": "Met",
"version_unique_justification": "snipIT is a single-script project distributed via `git clone` of the main branch — the unique version identifier is the commit SHA on main, which is globally unique by git's content-addressable design and is the version recorded in any install. No tagged releases yet (single .ps1 with no compile/build step); when a tag-release flow is added, semver tags will be the user-facing identifier.",
"version_unique_justification": "snipIT v0.1.0 is the first tagged release — annotated, SSH-signed git tag `v0.1.0` on main, paired with GitHub Release `v0.1.0` at https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0. The tag is globally unique by git's content-addressable design and is the user-facing version identifier. CHANGELOG.md `[v0.1.0] - 2026-04-26` captures the release contents.",
"version_unique_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0",

"version_semver_status": "Met",
"version_semver_justification": "CHANGELOG.md header explicitly commits the project to Semantic Versioning 2.0.0: 'this project adheres to Semantic Versioning 2.0.0' (https://semver.org/spec/v2.0.0.html). All future tags will be `vMAJOR.MINOR.PATCH` per SemVer. snipIT has no tagged releases yet — the [Unreleased] section captures pre-tag work; on first tag cut, the heading becomes `[vX.Y.Z] - YYYY-MM-DD` and a fresh [Unreleased] opens.",
"version_semver_url": "https://github.com/RandomCodeSpace/snipIT/blob/main/CHANGELOG.md",
"version_semver_justification": "CHANGELOG.md header explicitly commits the project to Semantic Versioning 2.0.0: 'this project adheres to Semantic Versioning 2.0.0' (https://semver.org/spec/v2.0.0.html). The first tagged release is `v0.1.0` (https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0) — `vMAJOR.MINOR.PATCH` SemVer-shaped. Future tags continue the same format; CHANGELOG.md `[v0.1.0] - 2026-04-26` is the canonical entry.",
"version_semver_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0",

"version_tags_status": "Met",
"version_tags_justification": "CHANGELOG.md states 'Version numbers below correspond to git tags on main.' Each release will be cut as an annotated, GPG/SSH-signed git tag (`vX.Y.Z`). The signed-tag requirement is codified in shared/runbooks/engineering-standards.md §8 ('Commit identity and signed commits'): `tag.gpgsign=true` is set repo-locally by scripts/setup-git-signed.sh and enforced by branch protection on main. snipIT has no tagged releases yet — the [Unreleased] section captures pre-tag work.",
"version_tags_url": "https://github.com/RandomCodeSpace/snipIT/blob/main/CHANGELOG.md",
"version_tags_justification": "CHANGELOG.md states 'Version numbers below correspond to git tags on main.' First release is the annotated, SSH-signed git tag `v0.1.0` (https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0), cut from the `release(RAN-66): cut snipIT v0.1.0` PR squash commit. The signed-tag requirement is codified in shared/runbooks/engineering-standards.md §8 ('Commit identity and signed commits'): `tag.gpgsign=true` is set repo-locally by scripts/setup-git-signed.sh; branch protection on main enforces verified signatures.",
"version_tags_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0",

"release_notes_status": "Met",
"release_notes_justification": "CHANGELOG.md at repo root, Keep-a-Changelog 1.1.0 format with `[Unreleased]` collecting pre-tag work and per-version sections opened on each tag. Captures Added / Changed / Fixed / Security entries for every merge to main. Until the first tag is cut (tracked under Scorecard `Packaging` in CLAUDE.md), the `[Unreleased]` section is the release-notes surface; on tag, the heading is replaced with the version + date and a fresh `[Unreleased]` opens. SECURITY.md §Changelog separately tracks disclosure-policy version history.",
"release_notes_url": "https://github.com/RandomCodeSpace/snipIT/blob/main/CHANGELOG.md",
"release_notes_justification": "CHANGELOG.md at repo root, Keep-a-Changelog 1.1.0 format. First tagged release `[v0.1.0] - 2026-04-26` captures the OpenSSF Best Practices `passing` baseline + supporting documentation surface under Added / Changed / Fixed / Security subsections. The corresponding GitHub Release at https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0 surfaces the same notes on the Releases page. A fresh `[Unreleased]` section sits at the top to collect post-v0.1.0 work; on each subsequent tag the `[Unreleased]` heading is replaced with the version + date and a new `[Unreleased]` opens.",
"release_notes_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0",

"release_notes_vulns_status": "Met",
"release_notes_vulns_justification": "CHANGELOG.md reserves a dedicated `### Security` subsection inside every release entry (and the `[Unreleased]` working set) for non-trivial security fixes. The header text states explicitly: 'Each release MUST list any non-trivial security fixes under a dedicated Security subsection so downstream consumers can decide whether to upgrade.' Zero fixes to date — the current `[Unreleased]` Security subsection is honestly marked 'No security-relevant fixes shipped yet under this release line.' When a fix ships, the entry will reference the GHSA advisory + CVE per SECURITY.md §What you can expect.",
"release_notes_vulns_justification": "CHANGELOG.md reserves a dedicated `### Security` subsection inside every release entry (and the `[Unreleased]` working set) for non-trivial security fixes. The header text states explicitly: 'Each release MUST list any non-trivial security fixes under a dedicated Security subsection so downstream consumers can decide whether to upgrade.' v0.1.0 ships with zero security-relevant fixes — its Security subsection is honestly marked: 'No security-relevant fixes shipped under v0.1.0. The OSS-CLI security stack landed in `.github/workflows/security.yml` is the gating channel for all future fixes; advisories will appear in this section under each release where they apply, alongside a GHSA link.' The GitHub Release notes at https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0 mirror this content.",
"release_notes_vulns_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0",

"report_process_status": "Met",
"report_process_justification": "SECURITY.md §Reporting a vulnerability documents the private channel for security issues (GitHub private vulnerability report at /security/advisories/new, or `ak.nitrr13@gmail.com` with `[snipIT security]` subject; 72-hour ack SLA, 7-day triage, 90-day coordinated disclosure). CONTRIBUTING.md §Reporting documents the public channel for functional bugs and feature requests — GitHub Issues at https://github.com/RandomCodeSpace/snipIT/issues. Both channels are linked from README.md.",
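Review bot: in the new `version_tags_justification` the sentence "`tag.gpgsign=true` is set repo-locally by scripts/setup-git-signed.sh; branch protection on main enforces verified signatures" conflates two different controls. A repo-local `tag.gpgsign` setting is a per-clone convenience that any maintainer can leave unset, and GitHub branch protection's signed-commit rule checks commits pushed to `main`, not the signature on a tag object. The evidence for a signed `v0.1.0` tag should therefore be the tag's own verification (the output of `git tag -v v0.1.0`, or the "Verified" badge on the tag in the Releases UI), and if tag-level enforcement exists it should be cited as a tag ruleset rather than the branch rule. Suggested rewording of the last clause: "branch protection on main requires signed commits; the `v0.1.0` tag signature itself was verified with `git tag -v`."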
19 changes: 15 additions & 4 deletions CHANGELOG.md
Expand Up @@ -12,6 +12,14 @@ Each release MUST list any non-trivial security fixes under a dedicated **Securi

## [Unreleased]

_No changes yet._

---

## [v0.1.0] - 2026-04-26

First tagged release. Establishes the OpenSSF Best Practices `passing` baseline + supporting documentation surface for snipIT.

### Added
- OpenSSF Best Practices `passing` baseline ([RAN-54](https://github.com/RandomCodeSpace/snipIT/pull/1)):
- `.github/workflows/scorecard.yml` — `ossf/scorecard-action` on push to `main` + Mondays 06:00 UTC, SARIF → Security tab.
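Review bot: the new `[Unreleased]` section collapses to `_No changes yet._` and drops the `### Security` subsection that the old working set carried. The header rule shown in the hunk context ("Each release MUST list any non-trivial security fixes under a dedicated **Security** subsection") and the `.bestpractices.json` text in this same PR ("reserves a dedicated `### Security` subsection inside every release entry (and the `[Unreleased]` working set)") both promise that placeholder in `[Unreleased]`. Suggest keeping an empty skeleton under `[Unreleased]` (`### Added` / `### Changed` / `### Fixed` / `### Security` with `_None yet._`) so the next fix lands in the right place and the two documents stay consistent.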
Expand All @@ -25,19 +33,22 @@ Each release MUST list any non-trivial security fixes under a dedicated **Securi
- Branch protection on `main` — required signed commits, linear history, force-push and deletion blocked, eight required CI status checks.
- Repo-level Dependabot security updates enabled.
- Canonical-schema rewrite of `.bestpractices.json` so the bestpractices.dev autofill robot can pre-fill the criteria page on board flip ([RAN-59](https://github.com/RandomCodeSpace/snipIT/pull/3)).
- `CHANGELOG.md` (this file) and `docs/README.md` index — addresses the `release_notes` and `documentation_basics` gaps surfaced by the bestpractices.dev autofill audit.
- `CHANGELOG.md` (this file) and `docs/README.md` index — addresses the `release_notes` and `documentation_basics` gaps surfaced by the bestpractices.dev autofill audit ([RAN-64](https://github.com/RandomCodeSpace/snipIT/pull/4) / [#5](https://github.com/RandomCodeSpace/snipIT/pull/5)).
- `CONTRIBUTING.md` at repo root — conventional contribution-process entry point: §Reporting (Issues + SECURITY.md), §Development workflow, §What every PR must pass (8-row CI gate matrix with local commands), §Coding standards delegating to `shared/runbooks/engineering-standards.md` ([PR #7](https://github.com/RandomCodeSpace/snipIT/pull/7)).

### Changed
- `.github/workflows/test.yml` — every action SHA-pinned (Scorecard `Pinned-Dependencies`); top-level `permissions: read-all`; PSScriptAnalyzer moved out into `security.yml` so the SAST/lint signals are co-located with the rest of the security stack.
- `README.md` — OpenSSF Best Practices, OpenSSF Scorecard, and Security workflow badges added at the top of the badge row.
- `README.md` — OpenSSF Best Practices, OpenSSF Scorecard, and Security workflow badges added at the top of the badge row; `Project files` table linked to `docs/`, `CHANGELOG.md`, `SECURITY.md`.
- `.bestpractices.json` — 5 SUGGESTED criteria flipped from `?` to `Met` with concrete in-repo evidence (`version_semver`, `version_tags`, `test_most`, `dynamic_analysis`, `dynamic_analysis_enable_assertions`) ([PR #6](https://github.com/RandomCodeSpace/snipIT/pull/6)); 4 `_url` fields retargeted to conventional paths (`README.md`, `CONTRIBUTING.md`, `SECURITY.md`) so the bestpractices.dev autofill bot detects them ([PR #7](https://github.com/RandomCodeSpace/snipIT/pull/7)).

### Fixed
- Capture flow — exclude SnipIT's own widget / preview / tray windows from the capture target so they aren't baked into the frame ([RAN-15](https://github.com/RandomCodeSpace/snipIT/issues)).
- Color-bar interaction — update the active swatch in-place instead of rebuilding the bar; close `$pickColor` over the swatch handler so the closure resolves correctly at click time.

### Security
- _No security-relevant fixes shipped yet under this release line._
- _No security-relevant fixes shipped under v0.1.0._ The OSS-CLI security stack landed in `.github/workflows/security.yml` is the gating channel for all future fixes; advisories will appear in this section under each release where they apply, alongside a GHSA link.

---

[Unreleased]: https://github.com/RandomCodeSpace/snipIT/commits/main
[Unreleased]: https://github.com/RandomCodeSpace/snipIT/compare/v0.1.0...HEAD
[v0.1.0]: https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0
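Review bot: in the `### Fixed` entry "Capture flow ... ([RAN-15](https://github.com/RandomCodeSpace/snipIT/issues))" the link points at the issue index, not at a specific issue, while every other tracker reference in this release (RAN-54, RAN-59, RAN-64, PR #5/#6/#7) resolves to a concrete PR. Since this is the entry most likely to be consulted by someone checking whether their build includes the fix, it should link to the actual issue or PR number, or drop the link and keep the bare `RAN-15` identifier if no public issue exists. The new `[Unreleased]: .../compare/v0.1.0...HEAD` compare link is the right shape and matches the Keep-a-Changelog convention.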