chore(release): v0.13.0

.bumpversion.toml

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 [tool.bumpversion]
-current_version = "0.12.0"
+current_version = "0.13.0"
 parse = "(?P<major>\\d+)\\.(?P<minor>\\d+)\\.(?P<patch>\\d+)((?P<pre_l>a|b|rc)(?P<pre_n>\\d+))?"
 serialize = [
     "{major}.{minor}.{patch}{pre_l}{pre_n}",

.github/ISSUE_TEMPLATE/security_vulnerability.yml

@@ -29,7 +29,7 @@ body:
     attributes:
       label: Zenzic version
       description: Output of `zenzic --version`
-      placeholder: "0.12.0"
+      placeholder: "0.13.0"
     validations:
       required: true
 

.gitignore

@@ -187,3 +187,6 @@ Desktop.ini
 # AI Agents Configuration
 .github/agents/
 .clinerules
+
+# Architect Planning Sandbox
+.architect/

.pre-commit-hooks.yaml

@@ -7,7 +7,7 @@
 #
 #   repos:
 #     - repo: https://github.com/PythonWoods/zenzic
-#       rev: v0.12.0
+#       rev: v0.13.0
 #       hooks:
 #         - id: zenzic-verify    # quality gate — corrisponde a `just verify` lato zenzic
 #         - id: zenzic-guard     # fast staged-file credential scan

.zenzic.toml

@@ -60,6 +60,15 @@ excluded_dirs = [
     "assets",
     "LICENSES",
 ]
+# excluded_file_patterns = ["*.tmp", "*.log"]
+# excluded_assets = ["favicon.ico"]
+# excluded_asset_dirs = ["theme/"]
+# excluded_build_artifacts = ["pdf/*.pdf"]
+# included_dirs = []
+# included_file_patterns = []
+
+# --- PLUGINS (Optional) ---
+# plugins = []
 
 # --- PLACEHOLDERS & CODE SNIPPETS (Optional) ---
 # Pattern matching disabled: the README, CHANGELOG, and CONTRIBUTING files
@@ -138,18 +147,7 @@ brand_obsolescence = [
 # Governance Playbook:
 # https://zenzic.dev/developers/how-to/release-governance-protocol
 
-# --- EXCLUSION ZONES (Full bypass — use sparingly) ---
-# Paths listed here are INVISIBLE to Zenzic: no findings, no audit trail.
-# Prefer [governance.per_file_ignores] for targeted suppression with an audit trail.
-# excluded_file_patterns = ["*.tmp", "*.log"]
-# excluded_assets = ["favicon.ico"]
-# excluded_asset_dirs = ["theme/"]
-# excluded_build_artifacts = ["pdf/*.pdf"]
-# included_dirs = []
-# included_file_patterns = []
 
-# --- PLUGINS (Optional) ---
-# plugins = []
 
 # --- CUSTOM RULES (Optional) ---
 # Declares project-specific regex-based lint rules applied line-by-line.

CHANGELOG.md

@@ -9,40 +9,32 @@
 
 ---
 
-## [0.12.0] - 2026-06-13
-
-### Removed
-
-- **Docusaurus adapter removed (`v0.12.0`)**
-  Forensic analysis of Docusaurus projects revealed two categories of structural invisibility incompatible with Zenzic's static analysis model:
-  - **React component-injected IDs**: anchors generated by components such as `<APITable>` exist only in the rendered DOM, not in Markdown source.
-  - **MDX partial merging**: anchors defined in imported `_partial-*.mdx` files are resolved at bundle time by Webpack, not statically traceable by a Python AST parser.
-
-  Both patterns are dominant in Docusaurus projects, not edge cases. An adapter that generates structural false positives on the primary usage patterns of its target framework is a reputational liability, not an asset.
-  Zenzic supports documentation engines whose anchor output is deterministically derivable from Markdown source without executing external runtime code. Docusaurus does not satisfy this criterion.
-
-## [0.11.0] - 2026-06-13
+## [0.13.0] - 2026-06-19
 
 ### Added
 
-- **Docusaurus Native Routing Emulation:** Full support for `routeBasePath` concatenation, Frontmatter `slug` absolute/relative parsing, and Blog Date Extraction (`YYYY-MM-DD-slug`) to accurately map Docusaurus URLs into the Virtual Site Map without false positive broken links.
-- **Dynamic Site Root:** Support for Docusaurus monorepos by dynamically searching upward from docs/ to repo root.
-- **RE2 Glob Translator:** High-performance glob translator compiled directly to Google RE2 syntax for compatibility on Python 3.12+.
-- **Partial Guard:** Logical routing exclusion of partial files (those starting with `_` or inside `_` folders) in Docusaurus.
-- **Breakdown Flag:** Option `--breakdown` for `zenzic score` to show detailed category breakdowns and transparent DQS math.
-- **Progress Bar:** Interactive progress indicator (`rich.progress.Progress`) during file scanning and parsing in `zenzic check all`.
+- **Active Defense:** Implemented strict TOML schema validation to instantly detect and reject root keys silently swallowed by nested `[tables]` in `.zenzic.toml` and `pyproject.toml`.
+- **D.I.A. Compliance:** Added the "TOML Root Key Law" documentation enforcing explicit ordering for configuration boundaries.
 
 ### Changed
 
-- **Path-aware Exclusion Engine upgrade (.gitignore semantics):** `excluded_dirs` now evaluates against the repository-relative path if the entry contains a slash (`/`), and globally against the directory basename if it does not.
-- **Severity Downgrade for Z106:** Downgraded `Z106` (circular link) severity to `note` and penalty to `0.0`, ensuring circular links never block strict pipelines.
-- **Core CI gate hardening:** Removed `pull_request.paths` filters from `.github/workflows/ci.yml` so required `Audit` checks are always created for every PR and cannot remain in expected/pending due to skipped workflow runs.
+- **Refined CLI UX:** `inspect codes` now displays Severity and explicit `FATAL`/`HALT` pipeline blockers instead of misleading `0.0` penalties for security and governance-gate codes. `check` command now explicitly prints the final DQS score and gate status (`DQS Final Score: X/100 (Gate Passed/Failed)`) in the report footer.
+- **Engine-Neutral Configuration Templates:** Removed Docusaurus from initialized `.zenzic.toml` templates and CLI help descriptions, defaulting to `mkdocs` and `zensical`.
+- **Simplification of VSM Routing:** Eradicated Docusaurus-specific slug map initialization and routing rules during Virtual Site Map (VSM) construction.
+- **Improved Resolver Robustness:** Standardized site root resolution and monorepo path checks inside `InMemoryPathResolver`.
+- **Full documentation migration to Zensical/MkDocs.**
+
+### Fixed
+
+- **REUSE compliance updates and Z-Code parity fixes across the bilingual documentation.**
 
 ---
 
 ## Historical Releases
 
+- v0.12.x archive: [changelogs/v0.12.md](./changelogs/v0.12.md)
+- v0.11.x archive: [changelogs/v0.11.md](./changelogs/v0.11.md)
 - v0.10.x archive: [changelogs/v0.10.md](./changelogs/v0.10.md)
 - v0.9.x archive: [changelogs/v0.9.md](./changelogs/v0.9.md)
 - v0.8.x archive: [changelogs/v0.8.md](./changelogs/v0.8.md)
 - v0.1.x–v0.7.x archive index: [changelogs/README.md](./changelogs/README.md)

CITATION.cff

@@ -15,8 +15,8 @@ abstract: >-
   performs deterministic static analysis using a two-pass reference
   pipeline and a RE2-backed credential scanner, with zero subprocess
   calls and full SARIF 2.1.0 support for CI/CD integration.
-version: 0.12.0
-date-released: 2026-06-13
+version: 0.13.0
+date-released: 2026-06-19
 url: "https://zenzic.dev"
 repository-code: "https://github.com/PythonWoods/zenzic"
 repository-artifact: "https://pypi.org/project/zenzic/"

RELEASE.md

@@ -2,15 +2,15 @@
 <!-- SPDX-License-Identifier: Apache-2.0 -->
 # Release Procedure — Zenzic Core
 
 > **[MAINTAINER SOP]** *This document contains the Standard Operating Procedure for Core Maintainers to cut and publish a new release. If you are an end-user looking for new features, please see the [CHANGELOG](./CHANGELOG.md).*
 
 ## Release Metadata
 
 | Field    | Value      |
 | :------- | :--------- |
-| Version  | v0.12.0     |
+| Version  | v0.13.0     |
 | Codename | Magnetite   |
-| Date     | 2026-06-13 |
+| Date     | 2026-06-17 |
 | Status   | Stable |
 
 ## Release Checklist
@@ -21,7 +21,7 @@
 - [ ] `zenzic lab all` — all 20 scenarios exit with expected code
 - [ ] `zenzic score --stamp` committed — badge in README.md reflects current score
 - [ ] `zenzic check all .` — zero findings in the repo root
-- [ ] `pyproject.toml` version matches the tag (`0.12.0`)
+- [ ] `pyproject.toml` version matches the tag (`0.13.0`)
 - [ ] `CITATION.cff` version and date updated
 - [ ] `CHANGELOG.md` — `[Unreleased]` section moved to the new version heading
 - [ ] Update SECURITY.md support table (Add new release, demote previous to Critical/EOL).
@@ -54,13 +54,13 @@
 git pull origin main
 
 # 3. Tag the main branch and push
-git tag v0.12.0
+git tag v0.13.0
 git push origin main --tags
 ```
 
-- [ ] Create GitHub Release from the tag, using the `## v0.12.0` CHANGELOG section as the release body.
+- [ ] Create GitHub Release from the tag, using the `## v0.13.0` CHANGELOG section as the release body.
 
 ## Changelog Reference
 
 For a detailed list of changes, see [CHANGELOG.md](./CHANGELOG.md).
 For full history, see [Historical Archives](./changelogs/README.md).

ROADMAP.md

@@ -10,7 +10,7 @@
 This document describes the planned milestone trajectory for Zenzic.
 Dates are targets, not commitments. All milestones are subject to revision.
 
 For the current release history, see [CHANGELOG.md](CHANGELOG.md).
 
 ---
 
@@ -125,6 +125,16 @@
 
 ---
 
+## v0.14.0 — The Bridge (planned)
+
+**Theme:** Inversion of Control via TS Plugins.
+
+### Planned
+
+- **The Bridge Architecture (Inversion of Control)**: Implementation of ADR-080. Introduces the PrebuiltVSMAdapter to ingest static `.zenzic-vsm.json` routing payloads from dynamic frameworks, and initializes the `@zenzic/plugin-docusaurus` TypeScript bridge.
+
+---
+
 ## v1.0.0 — Graphite LTS (planned)
 
 **Theme:** Long-Term Support release. Stability, portability, and production confidence.

changelogs/v0.11.md

@@ -0,0 +1,21 @@
+<!-- SPDX-FileCopyrightText: 2026 PythonWoods <dev@pythonwoods.dev> -->
+<!-- SPDX-License-Identifier: Apache-2.0 -->
+<!-- markdownlint-disable MD024 -->
+# Changelog Archive: v0.11.x
+
+## [0.11.0] - 2026-06-13
+
+### Added
+
+- **Docusaurus Native Routing Emulation:** Full support for `routeBasePath` concatenation, Frontmatter `slug` absolute/relative parsing, and Blog Date Extraction (`YYYY-MM-DD-slug`) to accurately map Docusaurus URLs into the Virtual Site Map without false positive broken links.
+- **Dynamic Site Root:** Support for Docusaurus monorepos by dynamically searching upward from docs/ to repo root.
+- **RE2 Glob Translator:** High-performance glob translator compiled directly to Google RE2 syntax for compatibility on Python 3.12+.
+- **Partial Guard:** Logical routing exclusion of partial files (those starting with `_` or inside `_` folders) in Docusaurus.
+- **Breakdown Flag:** Option `--breakdown` for `zenzic score` to show detailed category breakdowns and transparent DQS math.
+- **Progress Bar:** Interactive progress indicator (`rich.progress.Progress`) during file scanning and parsing in `zenzic check all`.
+
+### Changed
+
+- **Path-aware Exclusion Engine upgrade (.gitignore semantics):** `excluded_dirs` now evaluates against the repository-relative path if the entry contains a slash (`/`), and globally against the directory basename if it does not.
+- **Severity Downgrade for Z106:** Downgraded `Z106` (circular link) severity to `note` and penalty to `0.0`, ensuring circular links never block strict pipelines.
+- **Core CI gate hardening:** Removed `pull_request.paths` filters from `.github/workflows/ci.yml` so required `Audit` checks are always created for every PR and cannot remain in expected/pending due to skipped workflow runs.

changelogs/v0.12.md

@@ -0,0 +1,16 @@
+<!-- SPDX-FileCopyrightText: 2026 PythonWoods <dev@pythonwoods.dev> -->
+<!-- SPDX-License-Identifier: Apache-2.0 -->
+<!-- markdownlint-disable MD024 -->
+# Changelog Archive: v0.12.x
+
+## [0.12.0] - 2026-06-13
+
+### Removed
+
+- **Docusaurus adapter removed (`v0.12.0`)**
+  Forensic analysis of Docusaurus projects revealed two categories of structural invisibility incompatible with Zenzic's static analysis model:
+  - **React component-injected IDs**: anchors generated by components such as `<APITable>` exist only in the rendered DOM, not in Markdown source.
+  - **MDX partial merging**: anchors defined in imported `_partial-*.mdx` files are resolved at bundle time by Webpack, not statically traceable by a Python AST parser.
+
+  Both patterns are dominant in Docusaurus projects, not edge cases. An adapter that generates structural false positives on the primary usage patterns of its target framework is a reputational liability, not an asset.
+  Zenzic supports documentation engines whose anchor output is deterministically derivable from Markdown source without executing external runtime code. Docusaurus does not satisfy this criterion.

pyproject.toml

@@ -13,7 +13,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "zenzic"
-version = "0.12.0"
+version = "0.13.0"
 description = "Engineering-grade, engine-agnostic static analyzer and credential scanner for Markdown documentation"
 readme = "README.md"
 requires-python = ">=3.10"
@@ -58,7 +58,6 @@ dependencies = [
 zenzic = "zenzic.main:cli_main"
 
 [project.entry-points."zenzic.adapters"]
-docusaurus = "zenzic.core.adapters:DocusaurusAdapter"
 mkdocs     = "zenzic.core.adapters:MkDocsAdapter"
 zensical   = "zenzic.core.adapters:ZensicalAdapter"
 standalone = "zenzic.core.adapters:StandaloneAdapter"

src/zenzic/__init__.py

@@ -2,5 +2,5 @@
 # SPDX-License-Identifier: Apache-2.0
 """Zenzic — engine-agnostic static analyzer and credential scanner for Markdown documentation."""
 
-__version__ = "0.12.0"
+__version__ = "0.13.0"
 __version_name__ = "Basalt"  # Release codename stored separately from the package version.

src/zenzic/cli/_check.py

@@ -26,6 +26,7 @@
     find_unused_assets,
     scan_docs_references,
 )
+from zenzic.core.scorer import compute_score
 from zenzic.core.sovereign_context import sovereign_context
 from zenzic.core.ui import ZenzicPalette
 from zenzic.core.validator import (
@@ -1659,6 +1660,40 @@ def check_all(
                 f"Credential scanner (Z201) remains active.[/]"
             )
 
+        # ── DQS Score injection ────────────────────────────────────────────
+        _findings_counts: dict[str, int] = {}
+        for _f in all_findings:
+            _findings_counts[_f.code] = _findings_counts.get(_f.code, 0) + 1
+        _score_report = compute_score(
+            _findings_counts,
+            suppression_count=suppression_audit.total,
+            suppression_cap=suppression_audit.cap,
+        )
+        if _score_report.security_override:
+            _dqs_line = (
+                f"[bold red]DQS Final Score: 0/100[/bold red] "
+                f"[{ZenzicPalette.DIM}](Security Override — "
+                f"{_score_report.security_findings} non-suppressible finding"
+                f"{'s' if _score_report.security_findings != 1 else ''} detected)[/]"
+            )
+        else:
+            _pre_errors = sum(1 for _f in all_findings if _f.severity == "error")
+            _pre_breaches = sum(
+                1 for _f in all_findings if _f.severity in {"security_breach", "security_incident"}
+            )
+            _pre_warnings = sum(1 for _f in all_findings if _f.severity == "warning")
+            _gate_failed = (
+                _pre_breaches > 0 or _pre_errors > 0 or (effective_strict and _pre_warnings > 0)
+            )
+            _gate_label = "Gate Failed" if _gate_failed else "Gate Passed"
+            _gate_style = ZenzicPalette.ERROR if _gate_failed else ZenzicPalette.SUCCESS
+            _dqs_line = (
+                f"[bold {_gate_style}]DQS Final Score: "
+                f"{_score_report.score}/100[/bold {_gate_style}] "
+                f"[{ZenzicPalette.DIM}]({_gate_label})[/]"
+            )
+        _footer_lines.insert(0, _dqs_line)
+
         errors, warnings = reporter.render(
             all_findings,
             version=__version__,