Add release checksum bundle #102

Merged: punk6529 merged 3 commits into main from codex/release-checksum-bundle on Jun 11, 2026
@punk6529 punk6529 commented Jun 11, 2026

Contributor

Summary

  • add a stdlib-only release checksum generator/checker that writes deterministic release-artifacts/latest/SHA256SUMS and release-artifacts/latest/release-checksums.json
  • cover committed release artifact config, generated release artifacts, ABI baseline, deployment configs/examples, address books, and deployment schemas while excluding checksum outputs from self-referential hashes
  • validate committed checksum entries before comparing regenerated outputs so hash drift, deleted covered files, missing generated files, missing roots, and empty covered sets fail loudly
  • teach the release-artifact catalog check to ignore checksum-bundle outputs so both generated artifact families can coexist in release-artifacts/latest/
  • wire checksum tests and --check into make check, Linux/Windows wrappers, and CI, and update release/deployment docs plus roadmap/run-state traceability

Closes #101

Validation

  • python scripts\test_release_checksums.py
  • python scripts\generate_release_checksums.py --check
  • python scripts\test_release_artifacts.py
  • python scripts\generate_release_artifacts.py --check
  • python -m py_compile scripts\generate_release_artifacts.py scripts\test_release_artifacts.py scripts\check_abi_compatibility.py scripts\test_abi_compatibility.py scripts\generate_deployment_manifest.py scripts\test_deployment_manifest.py scripts\generate_address_books.py scripts\test_address_books.py scripts\generate_release_checksums.py scripts\test_release_checksums.py
  • bash -n scripts/check.sh
  • PowerShell parser validation for scripts\check.ps1
  • JSON parse and line-format validation for release-artifacts\latest\release-checksums.json and release-artifacts\latest\SHA256SUMS
  • make check
  • powershell -ExecutionPolicy Bypass -File scripts\check.ps1
  • rg traceability check for P1-RELEASE-004, generate_release_checksums, SHA256SUMS, and release-signature boundary wording
  • git diff --check reported only line-ending warnings for touched scripts

Summary by CodeRabbit

  • New Features

    • Added release checksum bundle generation and verification across release artifacts and deployment outputs.
  • Tests

    • Added end-to-end and negative tests covering checksum generation, verification, and error conditions.
  • Documentation

    • Updated docs and READMEs to document checksum generation, verification, and refresh steps in release workflows.
  • CI/Build

    • CI and local check targets now run automated release checksum generation and validation as part of checks.

@claude claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

coderabbitai Bot commented Jun 11, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b12e7502-14f4-4de2-af0e-2264b3972445

📥 Commits

Reviewing files that changed from the base of the PR and between af3c2ef and a81b4fe.

📒 Files selected for processing (4)
  • ops/AUTONOMOUS_RUN.md
  • release-artifacts/README.md
  • scripts/generate_release_checksums.py
  • scripts/test_release_checksums.py
✅ Files skipped from review due to trivial changes (1)
  • ops/AUTONOMOUS_RUN.md
🚧 Files skipped from review as they are similar to previous changes (3)
  • scripts/test_release_checksums.py
  • release-artifacts/README.md
  • scripts/generate_release_checksums.py

Walkthrough

Deterministic release checksum bundle support: new generator/check CLI, comprehensive tests, excluded-bundle integration with artifact comparison, Makefile/CI/check-script wiring, committed checksum artifacts, and updated docs/ops traceability.

Changes

Release checksum bundle implementation

| Layer / File(s) | Summary |
|---|---|
| Checksum bundle generator and check mode: scripts/generate_release_checksums.py | New CLI that deterministically builds SHA256SUMS and release-checksums.json, collects covered paths, computes per-file SHA-256 digests, and offers a --check mode that validates committed bundles and detects drift or missing files. |
| Checksum generator unit tests: scripts/test_release_checksums.py | Unittest suite importing the generator to test output writing, check-mode success, hash-drift detection, missing-file and missing-output failures, invalid coverage roots, empty coverage, and path-traversal rejection. |
| Release artifact compatibility and committed checksum outputs: scripts/generate_release_artifacts.py, scripts/test_release_artifacts.py, release-artifacts/latest/SHA256SUMS, release-artifacts/latest/release-checksums.json, release-artifacts/README.md | Exclude checksum bundle files from artifact comparisons, adapt tests to accept committed checksum artifacts, and add committed SHA256SUMS and release-checksums.json listing tracked artifact hashes and sizes. |
| Makefile, shell, PowerShell, and CI wiring: Makefile, scripts/check.sh, scripts/check.ps1, .github/workflows/ci.yml | Add release-checksums / release-checksums-check targets, run test_release_checksums.py and generate_release_checksums.py --check in check scripts, extend py_compile list, and add a CI step that executes checksum tests and --check, saving logs. |
| Repository and tooling docs: README.md, deployments/README.md, docs/deployment.md, docs/status.md, docs/tooling.md, release-artifacts/README.md | Document the new generator/check commands in smoke checks and CI, enumerate covered paths and regeneration instructions, and note that detached signatures and signed tags remain future work. |
| Roadmap and autonomous-run traceability: ops/AUTONOMOUS_RUN.md, ops/ROADMAP.md | Mark prior PR merged, activate checksum-bundle work in the queue, add roadmap item for checksum bundle generation, and update verification/test-matrix and decision log entries. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped through files with a careful nose,
Sorted each path where the checksum wind blows,
SHA256SUMS snug in a neat tidy line,
A manifest notes every hash that I find,
Soon signatures follow — for now, hashes shine.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Add release checksum bundle' directly matches the main objective of generating deterministic checksum files for release artifacts. |
| Linked Issues check | ✅ Passed | The PR implements all acceptance criteria from issue #101: deterministic sorted SHA256SUMS [#101], machine-readable manifest with schema/version/hashes [#101], --check mode in make/wrappers/CI [#101], tests for generation/drift/missing files [#101], and documentation [#101]. |
| Out of Scope Changes check | ✅ Passed | All changes align with issue #101 scope: stdlib-only scripts/tests, deterministic checksums, documentation updates, CI/make integration, and roadmap traceability; no detached signatures, tagging, or production artifacts are included. |

Contributor Author

@coderabbitai review

Please review the release checksum bundle with special attention to:

  • whether SHA256SUMS and release-checksums.json cover the right release/deployment artifact set,
  • whether excluding checksum outputs from self-referential hashes is clear and safe,
  • whether check mode catches hash drift, deleted covered files, missing outputs, missing/empty roots, and coexistence with the release-artifact generator,
  • whether the docs correctly distinguish signable committed checksums from future detached signatures and signed tags.

coderabbitai Bot commented Jun 11, 2026


@punk6529 I’ll review the release checksum bundle with those focus areas in mind, especially the checksum coverage boundaries, self-reference exclusions, failure modes in --check, coexistence with release artifacts, and the documentation wording around checksums vs future signatures/tags.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
release-artifacts/README.md (1)

8-13: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Clarify the workflow scope or make it complete.

The workflow shown here includes generate_release_checksums.py but omits the deployment manifest and address book generation steps. Per lines 155-159 of docs/tooling.md, the checksum generator covers deployments/config/, deployments/examples/, deployments/address-books/, and deployments/schema/.

Users following only this workflow might run checksum generation over stale deployment artifacts, producing incorrect checksums.

Consider either:

  1. Adding the missing steps to show the complete workflow (matching docs/tooling.md lines 116-121):
    python scripts/generate_deployment_manifest.py
    python scripts/generate_address_books.py
    python scripts/generate_release_checksums.py
  2. Or clarifying that this is a partial workflow for release-artifact-only changes, with a note that deployment artifact changes require additional steps before checksum regeneration.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@release-artifacts/README.md` around lines 8 - 13, Update the README workflow
to prevent stale checksum generation by either (A) expanding the shown steps to
the full sequence used in docs/tooling.md — include running python
scripts/generate_deployment_manifest.py and python
scripts/generate_address_books.py before python
scripts/generate_release_checksums.py — or (B) explicitly mark the shown
sequence as a partial workflow for release-artifact-only changes and add a note
instructing users to run scripts/generate_deployment_manifest.py and
scripts/generate_address_books.py first when deployments/config/,
deployments/examples/, deployments/address-books/, or deployments/schema/ were
modified; reference the scripts generate_release_checksums.py,
generate_deployment_manifest.py, and generate_address_books.py and align the
README text with docs/tooling.md.
🧹 Nitpick comments (1)
scripts/generate_release_checksums.py (1)

187-188: 💤 Low value

Consider adding path traversal validation.

The current validation rejects absolute paths and backslashes, but doesn't reject paths containing "..". While the threat model is limited (requires commit access), adding a check like if ".." in relative_path would provide defense-in-depth against potential information disclosure if a malicious checksum file is committed.

🛡️ Proposed defense-in-depth enhancement
         if relative_path.startswith("/") or "\\" in relative_path:
             raise ChecksumError(f"malformed checksum line {line_number}: invalid path")
+        if ".." in relative_path:
+            raise ChecksumError(f"malformed checksum line {line_number}: path traversal not allowed")
         entries.append((digest, relative_path))
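Review bot: the added test `if ".." in relative_path` is a substring match, so besides `../x` and `a/../b` it also rejects ordinary file names that merely contain two consecutive dots, such as `notes..txt`. Compare whole path segments instead, for example `if ".." in relative_path.split("/")`; backslash separators are already refused by the check two lines above, so splitting on "/" is sufficient here. The new message ("path traversal not allowed") also departs from the "invalid path" wording of the preceding raise; pick one form so callers and tests can match on it, and add a regression test that covers both a rejected `..` segment and an accepted name containing "..".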
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/generate_release_checksums.py` around lines 187 - 188, The validation
for checksum file paths currently only rejects absolute paths and backslashes;
update the validation in the same block handling relative_path (used with
line_number and ChecksumError) to also reject path traversal by checking for
parent references (e.g., if ".." in relative_path) or by normalizing the path
with pathlib.Path(relative_path).parts and ensuring no part equals ".."; if a
traversal is detected raise ChecksumError with the same malformed checksum line
message.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e2a096ec-dd17-4ea7-955a-7e9d9826398f

📥 Commits

Reviewing files that changed from the base of the PR and between ad6deea and af3c2ef.

📒 Files selected for processing (18)
  • .github/workflows/ci.yml
  • Makefile
  • README.md
  • deployments/README.md
  • docs/deployment.md
  • docs/status.md
  • docs/tooling.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • release-artifacts/README.md
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/release-checksums.json
  • scripts/check.ps1
  • scripts/check.sh
  • scripts/generate_release_artifacts.py
  • scripts/generate_release_checksums.py
  • scripts/test_release_artifacts.py
  • scripts/test_release_checksums.py

Contributor Author

@coderabbitai review

Addressed the PR #102 findings on latest head a81b4feacde241e2093b21b1b4eeaf8fead9caa7:

  • expanded release-artifacts/README.md so the release workflow runs deployment manifest and address-book generation/checks before checksum generation/checks, avoiding stale deployment-derived checksum inputs;
  • hardened parse_checksum_file to reject parent-directory path segments in committed SHA256SUMS entries;
  • added test_checksum_parser_rejects_parent_directory_paths regression coverage.

Validation after the review fix:

  • python scripts\test_release_checksums.py
  • python scripts\generate_release_checksums.py --check
  • python scripts\test_release_artifacts.py
  • make check
  • powershell -ExecutionPolicy Bypass -File scripts\check.ps1
  • python -m py_compile scripts\generate_release_checksums.py scripts\test_release_checksums.py
  • git diff --check (only known line-ending warnings for touched Python files)
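An added illustration, not code from this PR or the project: a minimal parse-then-verify sketch of the check-mode behaviour discussed in this thread (reject unsafe paths in committed SHA256SUMS entries, then report missing files and hash drift). The two-space `digest  path` line format, the sorted-and-unique requirement, the names `parse_sha256sums`, `verify` and `demo`, and the sample tree are assumptions; only the `ChecksumError` name and the rejected path classes come from the conversation.

```python
import hashlib
import re
import tempfile
from pathlib import Path


class ChecksumError(Exception):
    """Malformed bundle; the name mirrors the PR, the body is an assumption."""


LINE_RE = re.compile(r"^([0-9a-f]{64})  (.+)$")  # assumed sha256sum-style line


def parse_sha256sums(text):
    """Parse bundle lines, rejecting paths that could resolve outside the root."""
    entries = []
    for line_number, line in enumerate(text.splitlines(), start=1):
        match = LINE_RE.match(line)
        if not match:
            raise ChecksumError(f"malformed checksum line {line_number}")
        digest, relative_path = match.groups()
        # Segment-wise check: "" catches absolute paths and "//", ".." catches
        # traversal, while a file name such as "v1..2.json" stays valid.
        segments = relative_path.split("/")
        if "\\" in relative_path or any(s in ("", ".", "..") for s in segments):
            raise ChecksumError(f"malformed checksum line {line_number}: invalid path")
        entries.append((digest, relative_path))
    paths = [path for _, path in entries]
    if not paths or paths != sorted(set(paths)):
        raise ChecksumError("bundle must be non-empty, sorted and free of duplicates")
    return entries


def verify(root, text):
    """Return one problem string per covered file that is missing or has drifted."""
    problems = []
    for digest, relative_path in parse_sha256sums(text):
        target = Path(root) / relative_path
        if not target.is_file():
            problems.append(f"missing: {relative_path}")
        elif hashlib.sha256(target.read_bytes()).hexdigest() != digest:
            problems.append(f"drift: {relative_path}")
    return problems


def demo():
    """Constructed sample tree: one covered file present, one listed but absent."""
    with tempfile.TemporaryDirectory() as root:
        config = Path(root) / "deployments" / "config"
        config.mkdir(parents=True)
        sample = config / "v1..2.json"
        sample.write_bytes(b"{}\n")
        digest = hashlib.sha256(b"{}\n").hexdigest()
        bundle = (f"{digest}  deployments/config/v1..2.json\n"
                  f"{digest}  deployments/schema/gone.json\n")
        results = verify(root, bundle)   # only the absent file is reported
        sample.write_bytes(b"{ }\n")     # simulate an edit after the bundle was cut
        results += verify(root, bundle)  # now drift plus the absent file
    return results
```

Validating every committed entry before hashing anything means a hostile or corrupted bundle is rejected before any path it names is opened.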

coderabbitai Bot commented Jun 11, 2026


@punk6529 Thanks for the clear summary of the fixes. I'll review the updated head a81b4feacde241e2093b21b1b4eeaf8fead9caa7, paying particular attention to:

  • the parse_checksum_file path-traversal hardening and the new regression test coverage,
  • the README ordering fix ensuring deployment-derived inputs aren't stale when checksums are generated, and
  • confirming all the focus areas from the original request (coverage boundaries, self-reference exclusion, --check failure modes, docs clarity on checksums vs. future signatures) are fully addressed.
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Contributor Author

Merge evidence for PR #102:

  • Final head: a81b4feacde241e2093b21b1b4eeaf8fead9caa7
  • CI run 27342290072 completed successfully.
  • CodeRabbit latest-head review finished with no actionable comments, and the CodeRabbit commit status is success.
  • No open review threads remain.
  • Local validation after the review fix: checksum tests/check, release artifact test, make check, Windows wrapper, py_compile, and diff hygiene.


Development

Successfully merging this pull request may close these issues.

[P1-RELEASE-004] Add signable release checksum bundle
