
Generate source verification inputs #108

Merged: punk6529 merged 3 commits into main from codex/source-verification-inputs on Jun 11, 2026
@punk6529 punk6529 commented Jun 11, 2026


Summary

Implements issue #107 / P1-RELEASE-007 by adding a deterministic source-verification input bundle for Gate G release readiness.

  • Adds scripts/generate_source_verification_inputs.py and scripts/test_source_verification_inputs.py.
  • Generates release-artifacts/latest/source-verification-inputs.json from production contract config, Foundry artifacts, Solidity source files, compiler settings, and ABI/bytecode checksum outputs.
  • Records production source hashes, Solidity metadata source hashes, compiler/optimizer/via-IR settings, constructor ABI, bytecode/linking status, link references, and forge verify-contract command templates without claiming live explorer verification before broadcast artifacts exist.
  • Wires the new self-test and drift check into make check, scripts/check.sh, scripts/check.ps1, and CI before release manifest/checksum validation.
  • Includes the artifact in release-artifacts/latest/release-manifest.json and the signable checksum bundle.
  • Updates README, release-artifact docs, tooling/deployment/release-policy/status docs, changelog, roadmap, and autonomous run state.

Closes #107.

Local Validation

  • python scripts\test_source_verification_inputs.py
  • python scripts\generate_source_verification_inputs.py --check
  • python scripts\test_release_artifacts.py
  • python scripts\generate_release_artifacts.py --check
  • python scripts\test_release_manifest.py
  • python scripts\generate_release_manifest.py --check
  • python scripts\test_release_checksums.py
  • python scripts\generate_release_checksums.py --check
  • python scripts\test_changelog_check.py
  • python scripts\check_changelog.py
  • python -m py_compile scripts\generate_release_artifacts.py scripts\test_release_artifacts.py scripts\generate_source_verification_inputs.py scripts\test_source_verification_inputs.py scripts\generate_release_manifest.py scripts\test_release_manifest.py scripts\generate_release_checksums.py scripts\test_release_checksums.py scripts\check_changelog.py scripts\test_changelog_check.py
  • bash -n scripts/check.sh
  • PowerShell parser check for scripts/check.ps1 and scripts/bootstrap-windows.ps1
  • git diff --check
  • make check
  • powershell -ExecutionPolicy Bypass -File scripts\check.ps1

Summary by CodeRabbit

  • New Features
    • Added deterministic source-verification inputs as a new release artifact; generated and validated automatically in the release pipeline and included in the release manifest.
  • Documentation
    • Updated changelog, README, deployment/release-policy/tooling/status docs and release-artifacts README to describe generation, checking, and gating for source-verification inputs.
  • Tests
    • Added tests and CI/smoke-check steps to generate/check source-verification inputs.
  • Release Artifacts
    • Updated checksums and manifest entries to include the new source-verification inputs artifact.

@claude claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

punk6529 commented (Contributor, Author)

@coderabbitai review

Please review the source-verification input generator, deterministic artifact output, local/CI gate wiring, release-manifest/checksum integration, and release docs updates. Claude is intentionally not requested for this PR.

coderabbitai Bot commented Jun 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 52d69e7f-51be-4ccc-8e95-95bd51c5d429

📥 Commits

Reviewing files that changed from the base of the PR and between 91f64ad and fa43b1c.

📒 Files selected for processing (7)
  • ops/AUTONOMOUS_RUN.md
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-manifest.json
  • release-artifacts/latest/source-verification-inputs.json
  • scripts/generate_source_verification_inputs.py
  • scripts/test_source_verification_inputs.py
✅ Files skipped from review due to trivial changes (2)
  • release-artifacts/latest/release-manifest.json
  • release-artifacts/latest/source-verification-inputs.json
🚧 Files skipped from review as they are similar to previous changes (4)
  • release-artifacts/latest/SHA256SUMS
  • scripts/test_source_verification_inputs.py
  • ops/AUTONOMOUS_RUN.md
  • scripts/generate_source_verification_inputs.py

Walkthrough

Adds a deterministic generator and tests for release-artifacts/latest/source-verification-inputs.json, integrates the artifact into release manifest/checksums, wires generation/check into Makefile and CI (with logs and syntax checks), updates shell/PowerShell check scripts, and updates documentation and operational state.

Changes

Source Verification Inputs Generation and Release Integration

Layer (File(s)): Summary

  • Generator core implementation (scripts/generate_source_verification_inputs.py): Implements CLI utility to generate deterministic source-verification-inputs.json from Foundry artifacts and repo metadata, including utilities for JSON hashing, Foundry config parsing, artifact discovery, metadata normalization, constructor ABI extraction, library link reference handling, and forge verify-contract command template rendering. Supports --check validation mode that compares freshly generated output against committed artifact.
  • Generator test suite (scripts/test_source_verification_inputs.py): Adds integration-style tests that seed temporary on-disk fixtures and assert deterministic output, --check acceptance/rejection, source-drift detection, missing-source/artifact errors, ABI checksum mismatch detection, and library-linking/template deduplication.
  • Release artifact integration (scripts/generate_release_manifest.py, scripts/generate_release_artifacts.py, release-artifacts/latest/source-verification-inputs.json, release-artifacts/latest/release-manifest.json, release-artifacts/latest/release-checksums.json, release-artifacts/latest/SHA256SUMS, scripts/test_release_artifacts.py, scripts/test_release_manifest.py): Adds release_artifacts.source_verification_inputs entry to the release manifest (schema required), treats the new artifact as downstream for generated-file checks, updates checksums and manifest entries, and seeds test fixtures for manifest/check generation.
  • Build and check pipeline wiring (Makefile, .github/workflows/ci.yml, scripts/check.sh, scripts/check.ps1): Adds source-verification-inputs and source-verification-inputs-check Makefile targets as prerequisites for check and release-manifest targets, introduces a CI step that runs tests and --check while teeing outputs to dedicated log files and adds Python syntax checks for the new scripts, and updates shell/PowerShell check wrappers to invoke the test and --check commands.
  • Documentation and status updates (CHANGELOG.md, README.md, docs/deployment.md, docs/release-policy.md, docs/status.md, docs/tooling.md, release-artifacts/README.md, ops/AUTONOMOUS_RUN.md, ops/ROADMAP.md): Documents the new source-verification inputs artifact, adds generation/check commands to deployment and tooling docs, updates release gates and checklists to include source-verification input regeneration/check, and records autonomous run/roadmap state and changelog entries reflecting the integration.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • 6529-Collections/6529Stream#106: Adds release-manifest generation changes that this PR extends by including source-verification inputs in the manifest.
  • 6529-Collections/6529Stream#4: Introduced baseline CI/check tooling and Makefile check targets that this PR augments to run the new generator tests and --check validation.

🐰 A rabbit's ode to verification

Sources now signed with hashes so true,
Bytecode and compilers in view,
Templates for forge verify to run,
Deterministic release, fully done!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Generate source verification inputs' directly and clearly describes the main change: creating a deterministic source verification artifact bundle as the PR's primary objective.
  • Linked Issues check: ✅ Passed. All major requirements from issue #107 are met: deterministic source verification artifact generation, inclusion of source/ABI/bytecode hashes and compiler settings, focused generator tests, integration into make check/CI/scripts, release manifest/checksum bundle inclusion, and documentation updates.
  • Out of Scope Changes check: ✅ Passed. All changes directly support source verification artifact generation and integration: new scripts, release artifacts, documentation updates, CI workflow additions, and Makefile targets are all aligned with issue #107 objectives.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.
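
The --check drift gate described in the walkthrough above, as an added example that is not the project's generator: the bundle field names, compiler settings, file names and helper functions are assumptions, and the Solidity source is constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed compiler settings; the real artifact's field names are not shown on the page.
COMPILER = {"optimizer": True, "optimizer_runs": 200, "via_ir": True}


def build_bundle(root, sources, compiler):
    """Hash every listed source file; a missing file raises FileNotFoundError."""
    hashes = {rel: hashlib.sha256((root / rel).read_bytes()).hexdigest()
              for rel in sources}
    return {"compiler": compiler, "sources": hashes}


def render(bundle):
    """Canonical text: sorted keys, fixed indent, trailing newline, no timestamps."""
    return json.dumps(bundle, sort_keys=True, indent=2) + "\n"


def check(root, sources, compiler, committed):
    """Return drift messages; an empty list means the committed file is current."""
    fresh = build_bundle(root, sources, compiler)
    text = committed.read_text()
    if render(fresh) == text:
        return []
    old = json.loads(text).get("sources", {})
    changed = [f"source changed: {rel}" for rel in sorted(fresh["sources"])
               if old.get(rel) != fresh["sources"][rel]]
    return changed or ["bundle differs from committed artifact"]


def demo():
    """Commit a bundle, verify it, then edit a source file and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        token = root / "src" / "Token.sol"
        token.write_text("contract Token {}\n")  # constructed source file
        sources = ["src/Token.sol"]
        committed = root / "source-verification-inputs.json"
        committed.write_text(render(build_bundle(root, sources, COMPILER)))
        clean = check(root, sources, COMPILER, committed)
        token.write_text("contract Token { uint256 x; }\n")  # simulate drift
        return clean, check(root, sources, COMPILER, committed)
```

Because the rendered text contains no timestamps or unordered keys, a byte-for-byte comparison is enough to gate CI: any source edit that is not followed by regeneration fails the check.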

coderabbitai Bot commented Jun 11, 2026

@punk6529 I’ll review PR #108 with focus on the source-verification input generator, deterministic artifact output, local/CI gate wiring, release-manifest/checksum integration, and release documentation updates.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/generate_source_verification_inputs.py`:
- Around line 367-374: The deduplication currently uses JSON-stringified full
reference objects (all_links -> verification_links) which preserves different
position arrays and causes duplicate library entries; change the dedupe to key
by the (source, library) pair instead: after obtaining creation_links and
runtime_links from normalize_link_references, combine them and build a dict or
set keyed by (reference["source"], reference["library"]) keeping a single
representative reference for each key, then produce verification_links from
those unique entries so library_template (which consumes verification_links)
will no longer emit duplicate --libraries placeholders.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 57e235ae-0984-4de6-9fb6-6f778c7b3275

📥 Commits

Reviewing files that changed from the base of the PR and between 30bbf4b and 91f64ad.

📒 Files selected for processing (23)
  • .github/workflows/ci.yml
  • CHANGELOG.md
  • Makefile
  • README.md
  • docs/deployment.md
  • docs/release-policy.md
  • docs/status.md
  • docs/tooling.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • release-artifacts/README.md
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-manifest.json
  • release-artifacts/latest/source-verification-inputs.json
  • scripts/check.ps1
  • scripts/check.sh
  • scripts/generate_release_artifacts.py
  • scripts/generate_release_manifest.py
  • scripts/generate_source_verification_inputs.py
  • scripts/test_release_artifacts.py
  • scripts/test_release_manifest.py
  • scripts/test_source_verification_inputs.py

Comment thread scripts/generate_source_verification_inputs.py Outdated
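
The duplicate-placeholder finding from the review comment above, as an added example that is not the project's code: the "kind" and "positions" fields, the helper bodies and the placeholder format are assumptions, and the link-reference records are constructed.

```python
import json

# Constructed records: the same libraries are linked at different byte offsets
# in creation and runtime bytecode, so the full records never compare equal.
CREATION_LINKS = [
    {"kind": "creation", "source": "src/MathLib.sol", "library": "MathLib",
     "positions": [{"start": 412, "length": 20}]},
    {"kind": "creation", "source": "src/StringLib.sol", "library": "StringLib",
     "positions": [{"start": 977, "length": 20}]},
]
RUNTIME_LINKS = [
    {"kind": "runtime", "source": "src/MathLib.sol", "library": "MathLib",
     "positions": [{"start": 380, "length": 20}]},
    {"kind": "runtime", "source": "src/StringLib.sol", "library": "StringLib",
     "positions": [{"start": 945, "length": 20}]},
]


def dedupe_by_full_record(links):
    """Behaviour the review flagged: key on the JSON-stringified record."""
    unique = {json.dumps(link, sort_keys=True): link for link in links}
    return [unique[key] for key in sorted(unique)]


def dedupe_by_source_library(links):
    """Suggested fix: keep one representative per (source, library) pair."""
    unique = {}
    for link in links:
        unique.setdefault((link["source"], link["library"]), link)
    return [unique[key] for key in sorted(unique)]


def library_template(links):
    """Hypothetical renderer: one --libraries placeholder per entry."""
    return [
        f'--libraries {link["source"]}:{link["library"]}:<{link["library"].upper()}_ADDRESS>'
        for link in links
    ]


def compare():
    """Render the command fragment under both dedupe strategies."""
    all_links = CREATION_LINKS + RUNTIME_LINKS
    before = library_template(dedupe_by_full_record(all_links))
    after = library_template(dedupe_by_source_library(all_links))
    return before, after
```

The input lists are left untouched, so the distinct creation and runtime link-reference records can still be written to the artifact while the command template uses only the deduplicated view.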

punk6529 commented (Contributor, Author)

@coderabbitai review

Latest head fa43b1c9951d853ee076ded06c3f40277bbf4e8c addresses the duplicate linked-library placeholder finding by deduplicating verification command libraries by (source, library) while preserving distinct creation/runtime link-reference records. Local validation passed: source-verification tests/check, release manifest tests/check, release checksum tests/check, Python compile, git diff --check, make check, and powershell -ExecutionPolicy Bypass -File scripts\check.ps1. Claude remains intentionally not requested per current instruction.

coderabbitai Bot commented Jun 11, 2026

@punk6529 Understood — I'll review the latest head fa43b1c9951d853ee076ded06c3f40277bbf4e8c, focusing on the deduplication fix for linked-library placeholders in the verification command templates, the deterministic artifact output, local/CI gate wiring, release-manifest/checksum integration, and release docs updates.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@punk6529 punk6529 merged commit 98696bf into main Jun 11, 2026
2 checks passed
Development

Successfully merging this pull request may close these issues.

[P1-RELEASE-007] Generate source verification artifact bundle
