chore(release): bump version to 0.10.4

.bumpversion.toml

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 [tool.bumpversion]
-current_version = "0.10.3"
+current_version = "0.10.4"
 parse = "(?P<major>\\d+)\\.(?P<minor>\\d+)\\.(?P<patch>\\d+)((?P<pre_l>a|b|rc)(?P<pre_n>\\d+))?"
 serialize = [
     "{major}.{minor}.{patch}{pre_l}{pre_n}",

.github/ISSUE_TEMPLATE/security_vulnerability.yml

@@ -29,7 +29,7 @@ body:
     attributes:
       label: Zenzic version
       description: Output of `zenzic --version`
-      placeholder: "0.10.3"
+      placeholder: "0.10.4"
     validations:
       required: true
 

.github/workflows/ci.yml

@@ -13,12 +13,6 @@ on:
       - 'uv.lock'
       - '.github/workflows/ci.yml'
   pull_request:
-    paths:
-      - 'src/**'
-      - 'tests/**'
-      - 'pyproject.toml'
-      - 'uv.lock'
-      - '.github/workflows/ci.yml'
 
 permissions:
   contents: read

.github/workflows/compliance.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Validate PR Title
-        uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
+        uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
 

.pre-commit-hooks.yaml

@@ -7,7 +7,7 @@
 #
 #   repos:
 #     - repo: https://github.com/PythonWoods/zenzic
-#       rev: v0.10.3
+#       rev: v0.10.4
 #       hooks:
 #         - id: zenzic-verify    # quality gate — corrisponde a `just verify` lato zenzic
 #         - id: zenzic-guard     # fast staged-file credential scan

CHANGELOG.it.md

@@ -11,6 +11,10 @@
 
 ## [Unreleased]
 
+### Changed
+
+- **Hardening del gate CI core:** Rimossi i filtri `pull_request.paths` da `.github/workflows/ci.yml` in modo che i check `Audit` obbligatori vengano sempre creati su ogni PR, senza stati expected/pending dovuti a workflow saltati.
+
 ### Fixed
 
 - **Gli URL di loopback non vengono più segnalati come link esterni:** Gli URL `http://localhost`, `http://127.0.0.1`, `http://0.0.0.0` e `http://::1` (su qualsiasi porta) vengono ora ignorati silenziosamente dal validatore. In precedenza venivano raccolti come link esterni e provocavano un ping di rete o un errore `EXTERNAL_LINK` spurio, rendendo inutilizzabile la validazione in ambienti Docker che referenziano URL di servizi locali negli esempi di configurazione.
@@ -84,5 +88,5 @@
 
 ## Versioni precedenti
 
 - Archivio v0.8.x: [changelogs/v0.8.md](./changelogs/v0.8.md)
 - Indice archivi v0.1.x–v0.7.x: [changelogs/README.md](./changelogs/README.md)

CHANGELOG.md

@@ -11,7 +11,9 @@
 
 ## [Unreleased]
 
-No changes yet.
+### Changed
+
+- **Core CI gate hardening:** Removed `pull_request.paths` filters from `.github/workflows/ci.yml` so required `Audit` checks are always created for every PR and cannot remain in expected/pending due to skipped workflow runs.
 
 ---
 
@@ -59,5 +61,5 @@
 ## Historical Releases
 
 - v0.9.x archive: [changelogs/v0.9.md](./changelogs/v0.9.md)
 - v0.8.x archive: [changelogs/v0.8.md](./changelogs/v0.8.md)
 - v0.1.x–v0.7.x archive index: [changelogs/README.md](./changelogs/README.md)

CITATION.cff

@@ -15,8 +15,8 @@ abstract: >-
   performs deterministic static analysis using a two-pass reference
   pipeline and a RE2-backed credential scanner, with zero subprocess
   calls and full SARIF 2.1.0 support for CI/CD integration.
-version: 0.10.3
-date-released: 2026-06-08
+version: 0.10.4
+date-released: 2026-06-09
 url: "https://zenzic.dev"
 repository-code: "https://github.com/PythonWoods/zenzic"
 repository-artifact: "https://pypi.org/project/zenzic/"

README.it.md

@@ -21,7 +21,6 @@ SPDX-License-Identifier: Apache-2.0
   <img src="https://img.shields.io/badge/%F0%9F%9B%A1%EF%B8%8F_zenzic--audit-passing-22c55e?style=flat-square" alt="zenzic-audit">
   <!-- zenzic:score-badge -->
   <img src="https://img.shields.io/badge/%F0%9F%9B%A1%EF%B8%8F_zenzic--score-100_%2F_100-4f46e5?style=flat-square" alt="zenzic-score">
-
   <a href="https://reuse.software/">
     <img src="https://img.shields.io/badge/REUSE-3.x%20compliant-0d9488?style=flat-square" alt="REUSE 3.x compliant">
   </a>

README.md

@@ -21,7 +21,6 @@ SPDX-License-Identifier: Apache-2.0
   <img src="https://img.shields.io/badge/%F0%9F%9B%A1%EF%B8%8F_zenzic--audit-passing-22c55e?style=flat-square" alt="zenzic-audit">
   <!-- zenzic:score-badge -->
   <img src="https://img.shields.io/badge/%F0%9F%9B%A1%EF%B8%8F_zenzic--score-100_%2F_100-4f46e5?style=flat-square" alt="zenzic-score">
-
   <a href="https://reuse.software/">
     <img src="https://img.shields.io/badge/REUSE-3.x%20compliant-0d9488?style=flat-square" alt="REUSE 3.x compliant">
   </a>

RELEASE.md

@@ -2,15 +2,15 @@
 <!-- SPDX-License-Identifier: Apache-2.0 -->
 # Release Procedure — Zenzic Core
 
 > **[MAINTAINER SOP]** *This document contains the Standard Operating Procedure for Core Maintainers to cut and publish a new release. If you are an end-user looking for new features, please see the [CHANGELOG](./CHANGELOG.md).*
 
 ## Release Metadata
 
 | Field    | Value      |
 | :------- | :--------- |
-| Version  | v0.10.3     |
+| Version  | v0.10.4     |
 | Codename | Magnetite   |
-| Date     | 2026-06-08 |
+| Date     | 2026-06-09 |
 | Status   | Stable |
 
 ## Release Checklist
@@ -21,7 +21,7 @@
 - [ ] `zenzic lab all` — all 20 scenarios exit with expected code
 - [ ] `zenzic score --stamp` committed — badge in README.md and README.it.md reflects current score
 - [ ] `zenzic check all .` — zero findings in the repo root
-- [ ] `pyproject.toml` version matches the tag (`0.10.3`)
+- [ ] `pyproject.toml` version matches the tag (`0.10.4`)
 - [ ] `CITATION.cff` version and date updated
 - [ ] `CHANGELOG.md` — `[Unreleased]` section moved to the new version heading
 - [ ] Update SECURITY.md support table (Add new release, demote previous to Critical/EOL).
@@ -54,13 +54,13 @@
 git pull origin main
 
 # 3. Tag the main branch and push
-git tag v0.10.3
+git tag v0.10.4
 git push origin main --tags
 ```
 
-- [ ] Create GitHub Release from the tag, using the `## v0.10.3` CHANGELOG section as the release body.
+- [ ] Create GitHub Release from the tag, using the `## v0.10.4` CHANGELOG section as the release body.
 
 ## Changelog Reference
 
 For a detailed list of changes, see [CHANGELOG.md](./CHANGELOG.md).
 For full history, see [Historical Archives](./changelogs/README.md).

pyproject.toml

@@ -13,7 +13,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "zenzic"
-version = "0.10.3"
+version = "0.10.4"
 description = "Engineering-grade, engine-agnostic static analyzer and credential scanner for Markdown documentation"
 readme = "README.md"
 requires-python = ">=3.10"

src/zenzic/__init__.py

@@ -2,5 +2,5 @@
 # SPDX-License-Identifier: Apache-2.0
 """Zenzic — engine-agnostic static analyzer and credential scanner for Markdown documentation."""
 
-__version__ = "0.10.3"
+__version__ = "0.10.4"
 __version_name__ = "Basalt"  # Release codename stored separately from the package version.

src/zenzic/cli/_standalone.py

@@ -1270,7 +1270,7 @@ def _scaffold_plugin(repo_root: Path, plugin_name: str, force: bool) -> None:
 description = "Custom Zenzic plugin rule package"
 readme = "README.md"
 requires-python = ">=3.11"
-dependencies = ["zenzic>=0.10.3"]
+dependencies = ["zenzic>=0.10.4"]
 
 [project.entry-points."zenzic.rules"]
 {project_slug} = "{module_name}.rules:{class_name}"