Generate machine-readable release manifest

[punk6529]

Summary

Closes #105.

Adds a deterministic Gate G release manifest at release-artifacts/latest/release-manifest.json and wires it into local and CI checks before the release checksum bundle.

What Changed

• Added scripts/generate_release_manifest.py and focused stdlib tests.
• Generated release-artifacts/latest/release-manifest.json from committed release artifacts, ABI compatibility baseline, deployment configs/manifests, address books, schemas, changelog, and governance docs.
• Updated release checksum coverage so release-manifest.json is included in SHA256SUMS and release-checksums.json.
• Documented the self-reference policy: the checksum bundle covers the release manifest, so the manifest lists checksum-bundle output digests as not_available_self_referential instead of embedding an impossible hash cycle.
• Wired manifest tests/checks into Makefile, scripts/check.sh, scripts/check.ps1, and CI.
• Taught the release-artifact catalog drift check to ignore downstream Gate G outputs that share release-artifacts/latest/.
• Updated README, release artifact docs, tooling/deployment/status/release-policy docs, roadmap, changelog, and autonomous run state.

Validation

• python scripts\test_release_manifest.py
• python scripts\generate_release_manifest.py --check
• python scripts\test_release_checksums.py
• python scripts\generate_release_checksums.py --check
• python scripts\test_release_artifacts.py
• python scripts\generate_release_artifacts.py --check
• python scripts\test_changelog_check.py
• python scripts\check_changelog.py
• python -m py_compile scripts\generate_release_artifacts.py scripts\test_release_artifacts.py scripts\generate_release_manifest.py scripts\test_release_manifest.py scripts\generate_release_checksums.py scripts\test_release_checksums.py scripts\check_changelog.py scripts\test_changelog_check.py
• bash -n scripts/check.sh
• PowerShell parser check for scripts/check.ps1 and scripts/bootstrap-windows.ps1
• git diff --check
• make check
• powershell -ExecutionPolicy Bypass -File scripts\check.ps1

Summary by CodeRabbit

• New Features

  • Added a machine-readable release manifest as a deterministic top-level index of release artifacts, deployments, ABIs, and governance docs.

• Documentation

  • Updated README, deployment, tooling, status, and policy docs to describe manifest generation, validation, and its role in release checks.

• Chores

  • Integrated manifest generation/validation into CI and Makefile targets; updated release-artifacts layout and checksum bundles.

• Tests

  • Added unit tests and verification scripts to validate manifest generation and detection of drift.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c7bff734-80c2-4a24-9f8f-aaf81d951496

📥 Commits

Reviewing files that changed from the base of the PR and between e69ae96 and 7af47ba.

📒 Files selected for processing (2)

• ops/AUTONOMOUS_RUN.md
• scripts/test_release_manifest.py

✅ Files skipped from review due to trivial changes (1)

• ops/AUTONOMOUS_RUN.md

🚧 Files skipped from review as they are similar to previous changes (1)

• scripts/test_release_manifest.py

---

📝 Walkthrough

Walkthrough

Adds a deterministic release-manifest generator and tests, commits release-artifacts/latest/release-manifest.json with checksum integration, and wires generation/check into Makefile, check scripts, CI, tests, and documentation/gating.

Changes

Release Manifest Feature

Layer / File(s)	Summary
Release manifest generator scripts/generate_release_manifest.py	JSON utilities, file/record loaders, deployment and address-book aggregators, checksum-bundle construction, deterministic serialization, check-mode diff validation, and CLI with configurable paths and --check flag.
Release manifest unit tests scripts/test_release_manifest.py	Comprehensive test module with release-tree fixture; covers deterministic output, check-mode success/drift detection, missing artifact rejection, and schema validation errors.
Generated manifest artifact and checksums release-artifacts/latest/release-manifest.json, release-artifacts/latest/SHA256SUMS, release-artifacts/latest/release-checksums.json, scripts/generate_release_artifacts.py	Committed manifest containing release/artifact/deployment/policy/checksum metadata; SHA256SUMS and release-checksums.json updated; generate_release_artifacts.py renamed exclusion constant to include manifest.
Test fixture updates scripts/test_release_artifacts.py, scripts/test_release_checksums.py	Seeded release-manifest.json into artifact test fixtures and included manifest path in checksum coverage assertions.
Build system and check scripts Makefile, scripts/check.sh, scripts/check.ps1	Added release-manifest and release-manifest-check targets; release-checksums/release-checksums-check depend on manifest targets; bash and PowerShell check scripts invoke manifest test and check commands.
CI workflow integration .github/workflows/ci.yml	Added manifest generator and test to Python syntax-check list; new "Release manifest" workflow step runs test and check commands with logged output.
Documentation and release gates CHANGELOG.md, README.md, docs/deployment.md, docs/release-policy.md, docs/status.md, docs/tooling.md, release-artifacts/README.md	Added manifest to Gate G requirements, smoke-check commands, release steps, breaking-change surfaces, artifact-regeneration rules, and release checklist; documents checksum-cycle avoidance and manifest as deterministic index.
Operational state tracking ops/AUTONOMOUS_RUN.md, ops/ROADMAP.md	Updated PR branch/state, recorded merged PR and active queue item, added roadmap item P1-RELEASE-006, and logged merge/decision evidence.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• 6529-Collections/6529Stream#94: Adjusts release-artifact generation/testing and downstream exclusions that this manifest integration relies on.
• 6529-Collections/6529Stream#102: Related changes to release-checksum coverage and bundle handling impacted by adding the manifest.
• 6529-Collections/6529Stream#4: Earlier CI/check orchestration additions that this PR extends with manifest generation/check steps.

"I'm a rabbit with a tiny pen,
I stitched the manifest together then.
SHA-256s tidy in a row,
One JSON to let the whole release show.
Hooray for orderly release-day zen!"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Generate machine-readable release manifest' directly and concisely describes the primary change—adding a deterministic release manifest as documented in issue #105.
Linked Issues check	✅ Passed	The PR fully satisfies issue #105 requirements: implements a deterministic generator script, commits release-manifest.json with comprehensive artifact metadata, includes it in checksum coverage, integrates into local/CI checks, and updates all specified documentation.
Out of Scope Changes check	✅ Passed	All changes directly support the release manifest generation objective. Documentation updates (README, tooling, status, policy docs) explain the new functionality; script/test additions implement the feature; makefile/CI/check-script updates wire it into gates; and manifest/checksum files contain generated outputs—all within scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/release-manifest

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[punk6529]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (1)

scripts/test_release_manifest.py (1)

22-26: 💤 Low value

Consider adding ensure_ascii=False for consistency.

The test helper write_json omits ensure_ascii=False, which the generator includes. While this doesn't affect current ASCII-only test data, adding it would make the helper match the generator's behavior exactly.

♻️ Optional consistency improvement

 def write_json(path: Path, value: object) -> None:
     path.parent.mkdir(parents=True, exist_ok=True)
     with path.open("w", encoding="utf-8", newline="\n") as handle:
-        json.dump(value, handle, indent=2)
+        json.dump(value, handle, indent=2, ensure_ascii=False)
         handle.write("\n")

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/test_release_manifest.py` around lines 22 - 26, The write_json helper
currently calls json.dump(value, handle, indent=2) which omits ensure_ascii and
therefore differs from the generator; update the write_json function to pass
ensure_ascii=False to json.dump (i.e., json.dump(value, handle, indent=2,
ensure_ascii=False)) so the helper matches the generator's behavior while
preserving the existing newline write and file creation in write_json.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@scripts/test_release_manifest.py`:
- Around line 22-26: The write_json helper currently calls json.dump(value,
handle, indent=2) which omits ensure_ascii and therefore differs from the
generator; update the write_json function to pass ensure_ascii=False to
json.dump (i.e., json.dump(value, handle, indent=2, ensure_ascii=False)) so the
helper matches the generator's behavior while preserving the existing newline
write and file creation in write_json.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1b82c286-7101-49ba-b62b-dc418eb30efc

📥 Commits

Reviewing files that changed from the base of the PR and between 012bea9 and e69ae96.

📒 Files selected for processing (21)

• .github/workflows/ci.yml
• CHANGELOG.md
• Makefile
• README.md
• docs/deployment.md
• docs/release-policy.md
• docs/status.md
• docs/tooling.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• release-artifacts/README.md
• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/release-checksums.json
• release-artifacts/latest/release-manifest.json
• scripts/check.ps1
• scripts/check.sh
• scripts/generate_release_artifacts.py
• scripts/generate_release_manifest.py
• scripts/test_release_artifacts.py
• scripts/test_release_checksums.py
• scripts/test_release_manifest.py