release: 0.6.1 — contact email change + ship CF citation fixes to PyPI

.github/ISSUE_TEMPLATE/early-access.md

@@ -27,5 +27,5 @@ Skip any field that does not apply.
 <!--
 This issue will be visible publicly. Do not paste real PHI, customer
 names, or anything you would not put in a public LinkedIn post.
-For private correspondence, email plusultra.dev@proton.me directly.
+For private correspondence, email dcm.anonimizer@gmail.com directly.
 -->

CHANGELOG.md

@@ -4,6 +4,43 @@ Changelog for dcm-anon. Format follows [Keep a Changelog](https://keepachangelog
 
 ---
 
+## [0.6.1] - 2026-06-01
+
+Patch release. Compliance-citation correctness, independent-verifier test
+coverage, and a contact-email change. No behavioural change to the
+de-identification pipeline; output is byte-for-byte compatible with 0.6.0.
+
+### Fixed
+- **HIPAA Safe-Harbor citation errors in the compliance manifest.** The
+  free-text / quasi-identifier catch-all was mislabelled category `(Q)`
+  (full-face photographs); the catch-all is `(R)` ("any other unique
+  identifying number, characteristic, or code"). Relabelled 11 tags plus the
+  burned-in-pixel finding. `DeviceSerialNumber` was `(N)` (URLs); device
+  identifiers and serial numbers are `(M)`.
+- **Dropped a Recital-26 anonymisation overclaim** from the action-D GDPR
+  clause: a schema-preserving dummy neutralises a field but does NOT render the
+  dataset anonymous (it stays pseudonymous via the salted-hash UID remap).
+  Citation narrowed to GDPR Art. 32(1)(a).
+
+### Changed
+- **Qualified the ENS (RD 311/2022) citation:** the tool evidences op.exp.8
+  (audit log) and mp.info.6 (document cleaning); mp.info.3 (encryption) is NOT
+  implemented and remains the controller's responsibility.
+- **Gated EU AI Act Art. 10 applicability:** new manifest disclosure clarifies
+  that Art. 10 data-governance obligations bind only the provider of a high-risk
+  Annex III system, not anyone who de-identifies.
+- Added a machine-readable citation re-verification date (2026-06-01).
+- **Contact email is now `dcm.anonimizer@gmail.com`** (project author email,
+  SECURITY.md, early-access page).
+
+### Added
+- `tests/test_verify_output.py` (27 tests) covering the metadata-residual path,
+  sequence recursion, pixel-OCR via a fake engine, and the verifier's
+  conclusive/sampled/degraded status logic. `verify_output.py` coverage
+  74% → 91%.
+
+---
+
 ## [0.6.0] - 2026-05-29
 
 Major release. Inverts the de-identification model to deny-by-default, writes
@@ -225,7 +262,7 @@ No change to: PS3.15 tag table (143 entries), JSON manifest schema (v1.2), CLI s
 ### Changed
 
 - `LICENSE` copyright line now names the author (was blank).
-- `SECURITY.md` adds explicit contact email (`plusultra.dev@proton.me`) and
+- `SECURITY.md` adds explicit contact email (`dcm.anonimizer@gmail.com`) and
   uses singular first-person voice for a solo-author project.
 - README "What we do NOT do" section renamed to "Limitations (what this
   tool does NOT do)".

README.md

@@ -448,6 +448,14 @@ A hosted batch service is in preparation for teams that need S3/GCS sources, pri
 
 ---
 
+## Contact
+
+Questions, bug reports, security disclosures, or hosted-service / early-access
+enquiries: email **dcm.anonimizer@gmail.com** or open a
+[GitHub issue](https://github.com/Ces107/dcm-anon/issues).
+
+---
+
 ## License
 
 MIT.

SECURITY.md

@@ -49,7 +49,7 @@ cohorts while keeping it one-way for anyone without the salt. Consequences:
 
 ## Responsible disclosure
 
-Please report security issues by email to **plusultra.dev@proton.me** with subject
+Please report security issues by email to **dcm.anonimizer@gmail.com** with subject
 `[dcm-anon] security`, or via the GitHub Security Advisories tab on
 `https://github.com/Ces107/dcm-anon`.
 

dcm_anon/_version.py

@@ -7,4 +7,4 @@
 installs and silently mislabelled which code produced a compliance manifest.
 """
 
-__version__ = "0.6.0"
+__version__ = "0.6.1"

docs/index.html

@@ -38,7 +38,7 @@
 <body>
 <div class="wrap">
 
-<span class="kicker">v0.6.0 · MIT · open source · <a href="https://doi.org/10.5281/zenodo.20267651" style="color:inherit;text-decoration:underline">DOI 10.5281/zenodo.20267651</a></span>
+<span class="kicker">v0.6.1 · MIT · open source · <a href="https://doi.org/10.5281/zenodo.20267651" style="color:inherit;text-decoration:underline">DOI 10.5281/zenodo.20267651</a></span>
 
 <h1>DICOM anonymization with an audit trail your DPO can verify.</h1>
 
@@ -53,7 +53,7 @@ <h1>DICOM anonymization with an audit trail your DPO can verify.</h1>
 <h2>Compliance manifest</h2>
 <p>Every PS3.15 action (X / Z / U / D) that runs on your study is mapped to the literal text of the regulation that authorizes it — GDPR Art. 4(5), HIPAA Safe Harbor §164.514(b)(2), EU AI Act Art. 10. Re-verified against EUR-Lex / eCFR / gdpr-info.eu on 2026-05-13. SHA-256 chain over the audit log + manifest so an auditor can verify integrity from the JSON alone.</p>
 
-<h2>v0.6.0</h2>
+<h2>v0.6.1</h2>
 <p>Package restructure, AI-slop cleanup, PyPI rename to <code>dcm-anon</code>. No behavioural change to anonymisation. <a href="https://github.com/Ces107/dcm-anon/blob/main/CHANGELOG.md">Changelog.</a></p>
 
 <h2>v0.3.5 highlights</h2>
@@ -79,10 +79,10 @@ <h2 id="early-access">Reserve early access (hosted batch)</h2>
 
   <p style="margin:14px 0 6px" class="small muted">Drop me a line with a one-paragraph context: what you're trying to anonymize, what regulatory regime you're under, and what the gap is today. I read every one and reply within a week.</p>
   <p style="margin-top:14px">
-  <a class="cta" href="mailto:plusultra.dev@proton.me?subject=dcm-anon%20early%20access&amp;body=Org%20type%3A%20%0A%20%20(research%20lab%20%2F%20hospital%20%2F%20SaMD%20startup%20%2F%20vendor%20%2F%20consulting%20%2F%20other)%0A%0AVolume%20estimate%20(studies%2Fmo)%3A%20%0A%0AWhat%20problem%20were%20you%20solving%20when%20you%20found%20dcm-anon%3F%0A%0A%0AHow%20did%20you%20hear%20about%20it%3F%0A">Email reserve</a>
+  <a class="cta" href="mailto:dcm.anonimizer@gmail.com?subject=dcm-anon%20early%20access&amp;body=Org%20type%3A%20%0A%20%20(research%20lab%20%2F%20hospital%20%2F%20SaMD%20startup%20%2F%20vendor%20%2F%20consulting%20%2F%20other)%0A%0AVolume%20estimate%20(studies%2Fmo)%3A%20%0A%0AWhat%20problem%20were%20you%20solving%20when%20you%20found%20dcm-anon%3F%0A%0A%0AHow%20did%20you%20hear%20about%20it%3F%0A">Email reserve</a>
   <a class="cta alt" href="https://github.com/Ces107/dcm-anon/issues/new?template=early-access.md&title=Early+access+inquiry">Open an issue instead</a>
   </p>
-  <p class="muted small" style="margin-top:14px">Or email <a href="mailto:plusultra.dev@proton.me?subject=dcm-anon%20early%20access">plusultra.dev@proton.me</a> directly.</p>
+  <p class="muted small" style="margin-top:14px">Or email <a href="mailto:dcm.anonimizer@gmail.com?subject=dcm-anon%20early%20access">dcm.anonimizer@gmail.com</a> directly.</p>
 </div>
 
 <p class="small">This is an engineering tool. It implements PS3.15 correctly and produces auditable artifacts that your DPO / IRB / notified-body reviewer can verify. It is NOT legal advice and does NOT certify compliance — that's your QMS and counsel's call.</p>

pyproject.toml

@@ -10,7 +10,7 @@ readme = "README.md"
 license = {text = "MIT"}
 requires-python = ">=3.10"
 authors = [
-    {name = "César Pereiro García", email = "plusultra.dev@proton.me"},
+    {name = "César Pereiro García", email = "dcm.anonimizer@gmail.com"},
 ]
 keywords = [
     "dicom", "anonymization", "phi", "de-identification", "medical-imaging",