
Add deterministic Foundry broadcast manifest ingestion#110

Merged

punk6529 merged 4 commits into main from codex/broadcast-manifest-ingestion on Jun 11, 2026

Conversation

@punk6529 punk6529 commented Jun 11, 2026

Contributor

Summary

Implements P1-DEPLOY-004 by adding an offline, deterministic bridge from sanitized Foundry run-latest.json broadcast output into deployment-manifest evidence.

  • Adds scripts/generate_broadcast_manifest_input.py and focused tests for chain ID, deployment contract set, receipt success, tx/address matching, duplicate/missing/unexpected deployments, secret-like key rejection, boolean receipt status rejection, and check-mode drift.
  • Commits a sanitized Anvil broadcast fixture and generated broadcast-derived deployment config, manifest, and address book.
  • Wires the new broadcast input into Makefile, Bash/PowerShell check wrappers, CI, release manifest generation, and release checksum coverage.
  • Updates deployment/tooling/status/release docs, changelog, roadmap, and autonomous run-state traceability.

Closes #109.

Validation

  • python scripts\test_broadcast_manifest_input.py
  • python scripts\generate_broadcast_manifest_input.py --check
  • python scripts\test_deployment_manifest.py
  • python scripts\generate_deployment_manifest.py --check
  • python scripts\generate_deployment_manifest.py --config deployments\config\anvil-6529stream-v0.1.0-001-broadcast.json --check
  • python scripts\test_address_books.py
  • python scripts\generate_address_books.py --check
  • python scripts\test_release_manifest.py
  • python scripts\generate_release_manifest.py --check
  • python scripts\test_release_checksums.py
  • python scripts\generate_release_checksums.py --check
  • python scripts\test_changelog_check.py
  • python scripts\check_changelog.py
  • python -m py_compile ... for release/deployment helper scripts
  • bash -n scripts/check.sh scripts/bootstrap-ec2.sh
  • PowerShell parser check for scripts/check.ps1 and scripts/bootstrap-windows.ps1
  • git diff --check (line-ending warnings only)
  • make check
  • powershell -ExecutionPolicy Bypass -File scripts\check.ps1

Notes

This PR intentionally does not add live fork/testnet broadcasting, explorer submission, production contract verification, detached checksum signatures, or signed tags. Those remain Gate E/G release-ceremony work.

Summary by CodeRabbit

  • New Features

    • Added broadcast manifest ingestion to produce deterministic deployment manifests and address books from sanitized broadcast fixtures.
  • Improvements

    • CI and local check pipelines now run broadcast-input generation/validation and include broadcast artifacts in release checksum coverage.
    • Release artifacts and manifest metadata updated to include broadcast configs, runs, examples, and address-books.
  • Documentation

    • Deployment and release docs updated with broadcast-ingestion, generation, and check steps.
  • Tests

    • Added unit tests for broadcast manifest input generation and validation.
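The consistency checks the summary lists (chain ID, deployment contract set, receipt success, tx/address matching, duplicate/missing/unexpected deployments, boolean receipt status rejection) and the deterministic-output-plus-check-mode pattern, shown as an added example. This is not the project's scripts/generate_broadcast_manifest_input.py; the template fields, the broadcast shape (top-level `chain`, `transactions[]`, `receipts[]`, modelled on Foundry's run-latest.json) and the fixture values are constructed assumptions.

```python
"""Added example: validate a sanitized Foundry-style broadcast against a deployment
template and emit deterministic JSON with a --check style drift mode.
Not the project's generator; field names and fixture values are assumptions."""
import copy
import json
import tempfile
from pathlib import Path


class BroadcastManifestError(ValueError):
    """Any consistency failure between template and broadcast (name as used in the PR reviews)."""


# Constructed deployment template: what the config expects the broadcast to prove.
TEMPLATE = {
    "chain_id": 31337,
    "deployment_version": "v0.1.0-001",
    "contracts": ["Stream6529", "StreamRegistry"],
}

# Constructed, sanitized broadcast resembling run-latest.json (no keys, no RPC URL).
BROADCAST = {
    "chain": 31337,
    "transactions": [
        {"hash": "0x" + "11" * 32, "transactionType": "CREATE",
         "contractName": "Stream6529", "contractAddress": "0x" + "aa" * 20},
        {"hash": "0x" + "22" * 32, "transactionType": "CREATE",
         "contractName": "StreamRegistry", "contractAddress": "0x" + "bb" * 20},
    ],
    "receipts": [
        {"transactionHash": "0x" + "11" * 32, "status": "0x1", "contractAddress": "0x" + "aa" * 20},
        {"transactionHash": "0x" + "22" * 32, "status": "0x1", "contractAddress": "0x" + "bb" * 20},
    ],
}


def build_manifest_input(template, broadcast):
    """Cross-check every CREATE transaction against its receipt and the template."""
    if broadcast.get("chain") != template["chain_id"]:
        raise BroadcastManifestError(
            f"chain mismatch: {broadcast.get('chain')} != {template['chain_id']}")
    receipts = {r["transactionHash"].lower(): r for r in broadcast.get("receipts", [])}
    deployments = {}
    for tx in broadcast.get("transactions", []):
        if tx.get("transactionType") != "CREATE":
            continue
        name = tx["contractName"]
        if name in deployments:
            raise BroadcastManifestError(f"duplicate deployment for {name}")
        receipt = receipts.get(tx["hash"].lower())
        if receipt is None:
            raise BroadcastManifestError(f"no receipt for tx {tx['hash']}")
        status = receipt.get("status")
        # A JSON boolean is rejected outright: it is not the EVM status word.
        if isinstance(status, bool) or status not in ("0x1", 1):
            raise BroadcastManifestError(f"receipt for {name} did not succeed (status={status!r})")
        if (receipt.get("contractAddress") or "").lower() != tx["contractAddress"].lower():
            raise BroadcastManifestError(f"address mismatch for {name}")
        deployments[name] = {"address": tx["contractAddress"].lower(), "tx_hash": tx["hash"].lower()}
    expected, found = set(template["contracts"]), set(deployments)
    if expected != found:
        raise BroadcastManifestError(
            f"contract set mismatch: missing={sorted(expected - found)} "
            f"unexpected={sorted(found - expected)}")
    return {
        "chain_id": template["chain_id"],
        "deployment_version": template["deployment_version"] + "-broadcast",
        "contracts": {name: deployments[name] for name in sorted(deployments)},
        "broadcast_evidence": {"transaction_count": len(deployments)},
    }


def dump_deterministic(data):
    """Sorted keys, fixed indent, trailing newline: byte-identical output for identical input."""
    return json.dumps(data, indent=2, sort_keys=True) + "\n"


def write_or_check(path, data, check=False):
    """Write the rendering, or in check mode report whether the file on disk matches it."""
    rendered = dump_deterministic(data)
    if check:
        current = path.read_text(encoding="utf-8") if path.exists() else None
        return current == rendered
    path.write_text(rendered, encoding="utf-8")
    return True


def rejection_reason(template, broadcast):
    """Return the error message a broadcast is rejected with, or None if it validates."""
    try:
        build_manifest_input(template, broadcast)
    except BroadcastManifestError as exc:
        return str(exc)
    return None


def mutated(broadcast, path, value):
    """Deep-copy the broadcast and set one nested value, e.g. mutated(b, ["receipts", 0, "status"], True)."""
    data = copy.deepcopy(broadcast)
    node = data
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return data


def demo_check_mode():
    """Write once, confirm check mode passes, drift the file, confirm check mode fails."""
    manifest_input = build_manifest_input(TEMPLATE, BROADCAST)
    with tempfile.TemporaryDirectory() as temp_dir:
        out = Path(temp_dir) / "anvil-broadcast.json"
        write_or_check(out, manifest_input)
        clean = write_or_check(out, manifest_input, check=True)
        out.write_text(dump_deterministic({**manifest_input, "chain_id": 1}), encoding="utf-8")
        drifted = write_or_check(out, manifest_input, check=True)
    return clean, drifted
```

The check-mode return value is what a CI gate keys on: a committed artifact that no longer matches the regenerated rendering is drift, and the gate fails rather than silently rewriting evidence.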

@claude claude Bot left a comment
Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

coderabbitai Bot commented Jun 11, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a082ba6d-15c3-42a6-b531-b52c5c46a1fc

📥 Commits

Reviewing files that changed from the base of the PR and between 29412bd and 9f68031.

📒 Files selected for processing (1)
  • ops/AUTONOMOUS_RUN.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • ops/AUTONOMOUS_RUN.md

📝 Walkthrough

Walkthrough

Adds deterministic ingestion of sanitized Foundry broadcast JSON: a generator CLI produces broadcast-derived deployment-manifest inputs (with a --check drift mode), a unittest suite validates generator behavior, CI/Makefile/scripts are wired to run the checks, broadcast-derived artifacts are committed and included in release-manifest/checksum outputs, and documentation/ops entries are updated.

Changes

Foundry Broadcast Manifest Ingestion

Layer: Broadcast manifest input generator
File(s): scripts/generate_broadcast_manifest_input.py
Summary: New CLI that reads a Foundry broadcast and a deployment template, validates chain/tx/receipt/address/contract-name consistency, rejects secret-like keys, injects broadcast_evidence, appends -broadcast to deployment_version, and supports --check for drift detection.

Layer: Broadcast manifest input tests
File(s): scripts/test_broadcast_manifest_input.py
Summary: Unit tests that dynamically import the generator and cover successful generation, drift detection, and negative cases (wrong chain, missing/unexpected contracts, failed receipts, boolean receipt statuses, address/hash mismatches, duplicate names, secret-key detection).

Layer: Broadcast-derived deployment artifacts
File(s): deployments/broadcasts/*.json, deployments/config/*-broadcast.json, deployments/examples/*-broadcast.json, deployments/address-books/*-broadcast.json
Summary: New committed fixture/config/example/address-book JSONs representing sanitized broadcast input, generated manifest input/config, example manifest, and address-book projection with ABI/runtime hashes and contract addresses.

Layer: Release manifest & checksum integration
File(s): scripts/generate_release_manifest.py, scripts/generate_release_checksums.py, release-artifacts/latest/*
Summary: Release manifest generator threads --deployment-broadcast-dir through build/write/check paths and populates deployment_artifacts.broadcasts; checksum generator and release-checksums now include deployments/broadcasts; SHA256SUMS and release-manifest updated with broadcast artifact entries.

Layer: Tests & fixtures update
File(s): scripts/test_release_manifest.py
Summary: Seed fixtures create deployments/broadcasts/run-latest.json; tests pass deployment_broadcast_dir into generator calls and assert broadcast entries appear in generated manifest and check-mode behavior.

Layer: Build, CI, and local check wiring
File(s): Makefile, .github/workflows/ci.yml, scripts/check.sh, scripts/check.ps1
Summary: Make targets for broadcast-manifest-inputs/-inputs-check, CI py_compile includes new scripts, deployment-manifest CI step runs broadcast tests and generate_broadcast_manifest_input.py --check, and check scripts run broadcast input generation/check and config-specific deployment manifest --check.

Layer: Address book generator update
File(s): scripts/generate_address_books.py
Summary: DEFAULT_MANIFESTS expanded to include the broadcast example manifest so address-book generation covers both placeholder and broadcast-derived manifests by default.

Layer: Documentation and ops
File(s): CHANGELOG.md, deployments/README.md, docs/deployment.md, docs/release-policy.md, docs/status.md, docs/tooling.md, ops/ROADMAP.md, ops/AUTONOMOUS_RUN.md
Summary: Changelog, deployment docs, tooling, release policy, status, roadmap, and autonomous run state updated to document the broadcast-ingestion workflow, commands, gating, checksum coverage, and PR/milestone status.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

"🐰 A broadcast now sings loud and clear,
Secret keys tucked safely, never near,
Transactions matched and checks run tight,
Deterministic proof by morning light,
One hop, one check — deployment delight!"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title 'Add deterministic Foundry broadcast manifest ingestion' directly and clearly summarizes the main change: introducing a deterministic process to ingest Foundry broadcast output into deployment-manifest evidence.
Linked Issues check: ✅ Passed. All coding requirements from #109 are met: broadcast JSON parsing script with stdlib Python, deployment transaction matching, comprehensive validation (chain ID, addresses, hashes, receipts, duplicates/missing/unexpected), deterministic JSON output with check-mode drift detection, secret-key rejection, focused tests, integration into local/CI gates, and documentation updates.
Out of Scope Changes check: ✅ Passed. All changes align with the stated scope: broadcast ingestion scaffold, validation logic, test fixtures, integration into existing pipelines, and documentation. No out-of-scope work such as live fork/testnet broadcasting, secret commits, explorer submission, or signing infrastructure is present.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

Contributor Author

@coderabbitai review

coderabbitai Bot commented Jun 11, 2026
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment
Actionable comments posted: 1

🧹 Nitpick comments (1)
scripts/test_broadcast_manifest_input.py (1)

297-313: ⚡ Quick win

Add a regression test for secret-key casing/format variants.

Please extend this test to include at least one variant key (for example PrivateKey / RPCURL) so sanitization hardening is CI-protected.

Proposed test addition
     def test_generator_rejects_secret_like_keys(self) -> None:
@@
             with self.assertRaisesRegex(generator.BroadcastManifestError, "forbidden"):
                 generator.build_manifest_input(
                     template,
                     broadcast,
                     root / "out.json",
                     root / "manifest.json",
                 )
+
+    def test_generator_rejects_secret_like_key_variants(self) -> None:
+        with tempfile.TemporaryDirectory() as temp_dir:
+            root = Path(temp_dir)
+            template = template_config(root)
+            broadcast = broadcast_file(root)
+            data = generator.load_json(broadcast)
+            data["PrivateKey"] = "not-for-commit"
+            write_json(broadcast, data)
+
+            with self.assertRaisesRegex(generator.BroadcastManifestError, "forbidden"):
+                generator.build_manifest_input(
+                    template,
+                    broadcast,
+                    root / "out.json",
+                    root / "manifest.json",
+                )
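Review bot: the proposed test_generator_rejects_secret_like_key_variants only exercises the single key "PrivateKey", while the comment above asks for casing and format variants such as RPCURL as well; loop over a list of variants (for example "PrivateKey", "RPCURL", "private_key") and assert the "forbidden" error for each, so one passing variant cannot mask another that still slips through. Note also that this test can only pass once assert_no_secret_keys in scripts/generate_broadcast_manifest_input.py normalizes keys before comparison, as the inline comment on lines 119-124 requests; with the current exact-string check it will fail, so the two changes should land in the same commit.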
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/test_broadcast_manifest_input.py` around lines 297 - 313, Extend
test_generator_rejects_secret_like_keys to add additional key-casing/format
variants (e.g., "PrivateKey", "RPCURL") to the broadcast JSON and assert
generator.build_manifest_input raises generator.BroadcastManifestError for each
variant; use generator.load_json and write_json as already used to mutate the
broadcast, and either loop over a list of forbidden variants or add separate
assertions to ensure sanitization rejects mixed-case and alternate-format
secret-like keys.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/generate_broadcast_manifest_input.py`:
- Around line 119-124: The current exact-string check in assert_no_secret_keys
allows casing/format variants to bypass forbidden-key detection; normalize keys
before comparison by creating a normalized forbidden set from
FORBIDDEN_SECRET_KEYS (e.g., lowercase and strip non-alphanumeric characters)
and compare against a similarly normalized form of each inspected key inside
assert_no_secret_keys (refer to the function name and FORBIDDEN_SECRET_KEYS
symbol). Ensure normalization is applied consistently (module-level normalized
set) and use that when raising BroadcastManifestError so keys like "PrivateKey",
"private_key", or "RPC-URL" are caught.

---

Nitpick comments:
In `@scripts/test_broadcast_manifest_input.py`:
- Around line 297-313: Extend test_generator_rejects_secret_like_keys to add
additional key-casing/format variants (e.g., "PrivateKey", "RPCURL") to the
broadcast JSON and assert generator.build_manifest_input raises
generator.BroadcastManifestError for each variant; use generator.load_json and
write_json as already used to mutate the broadcast, and either loop over a list
of forbidden variants or add separate assertions to ensure sanitization rejects
mixed-case and alternate-format secret-like keys.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4e5bb0b5-9914-4848-8b45-8deec66febcf

📥 Commits

Reviewing files that changed from the base of the PR and between 98696bf and 8c1b0dc.

📒 Files selected for processing (25)
  • .github/workflows/ci.yml
  • CHANGELOG.md
  • Makefile
  • deployments/README.md
  • deployments/address-books/anvil-6529stream-v0.1.0-001-broadcast.json
  • deployments/broadcasts/anvil-6529stream-v0.1.0-001-run-latest.json
  • deployments/config/anvil-6529stream-v0.1.0-001-broadcast.json
  • deployments/examples/anvil-6529stream-v0.1.0-001-broadcast.json
  • docs/deployment.md
  • docs/release-policy.md
  • docs/status.md
  • docs/tooling.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-manifest.json
  • scripts/check.ps1
  • scripts/check.sh
  • scripts/generate_address_books.py
  • scripts/generate_broadcast_manifest_input.py
  • scripts/generate_release_checksums.py
  • scripts/generate_release_manifest.py
  • scripts/test_broadcast_manifest_input.py
  • scripts/test_release_manifest.py
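The key normalization the inline comment on lines 119-124 asks for (lower-case, strip non-alphanumerics, compare against a module-level normalized set), shown as an added example beside the exact-string check it replaces. This is not the project's assert_no_secret_keys; the contents of the assumed FORBIDDEN_SECRET_KEYS set and the two constructed broadcast fixtures are not from the page.

```python
"""Added example: forbidden-key detection that survives casing/format variants.
Not the project's code; FORBIDDEN_SECRET_KEYS contents and fixtures are assumptions."""
import re


class BroadcastManifestError(ValueError):
    """Raised when a broadcast contains a secret-like key and must not be committed."""


# Assumed forbidden set; the project's real FORBIDDEN_SECRET_KEYS is not shown on the page.
FORBIDDEN_SECRET_KEYS = frozenset(
    {"private_key", "mnemonic", "seed_phrase", "rpc_url", "api_key", "etherscan_api_key"})

_NON_ALNUM = re.compile(r"[^a-z0-9]")


def normalize_key(key):
    """Lower-case and drop everything that is not a letter or digit:
    "PrivateKey", "private_key" and "PRIVATE-KEY" all become "privatekey"."""
    return _NON_ALNUM.sub("", str(key).lower())


# Computed once at import time, so every inspection compares against the same normalized set.
NORMALIZED_FORBIDDEN_KEYS = frozenset(normalize_key(k) for k in FORBIDDEN_SECRET_KEYS)


def find_secret_keys_exact(data, path="$"):
    """The weak check the review flags: exact-string membership only, so "PrivateKey" passes."""
    hits = []
    if isinstance(data, dict):
        for key, value in data.items():
            if key in FORBIDDEN_SECRET_KEYS:
                hits.append(f"{path}.{key}")
            hits.extend(find_secret_keys_exact(value, f"{path}.{key}"))
    elif isinstance(data, list):
        for index, item in enumerate(data):
            hits.extend(find_secret_keys_exact(item, f"{path}[{index}]"))
    return hits


def find_secret_keys(data, path="$"):
    """Walk nested dicts/lists and return the locations of keys whose normalized form is forbidden."""
    hits = []
    if isinstance(data, dict):
        for key, value in data.items():
            location = f"{path}.{key}"
            if normalize_key(key) in NORMALIZED_FORBIDDEN_KEYS:
                hits.append(location)
            hits.extend(find_secret_keys(value, location))
    elif isinstance(data, list):
        for index, item in enumerate(data):
            hits.extend(find_secret_keys(item, f"{path}[{index}]"))
    return hits


def assert_no_secret_keys(data):
    """Raise with every offending location so the author can sanitize in one pass."""
    hits = find_secret_keys(data)
    if hits:
        raise BroadcastManifestError(f"forbidden secret-like keys present: {', '.join(hits)}")


def is_sanitized(data):
    """True when assert_no_secret_keys accepts the document."""
    try:
        assert_no_secret_keys(data)
    except BroadcastManifestError:
        return False
    return True


# Constructed fixtures: a clean broadcast and one carrying variant-cased secret-like keys
# (values are placeholders, not real credentials).
SANITIZED_BROADCAST = {
    "chain": 31337,
    "transactions": [{"hash": "0x" + "11" * 32, "contractName": "Stream6529"}],
}
LEAKY_BROADCAST = {
    "chain": 31337,
    "PrivateKey": "not-for-commit",
    "transactions": [{"hash": "0x" + "11" * 32, "RPC-URL": "http://127.0.0.1:8545"}],
}
```

Normalizing both sides once, rather than enumerating every spelling in the forbidden set, is what keeps the check from regressing the next time a tool emits a camelCase or hyphenated variant.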


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ops/AUTONOMOUS_RUN.md`:
- Line 5071: Replace the non-deterministic placeholder line "Head SHA: latest
branch head after CodeRabbit-response push." with the concrete 40-character
commit SHA for the referenced head (or include both pre/post-change SHAs if
relevant) so the AUTONOMOUS_RUN entry is reproducible; locate the exact string
in AUTONOMOUS_RUN.md and substitute the placeholder with the actual commit
SHA(s) (e.g., "Head SHA: <40-char SHA>" or "Head SHA: <oldSHA> -> <newSHA>").

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 36219eb1-6236-4c81-a118-e859fcfd338e

📥 Commits

Reviewing files that changed from the base of the PR and between 8c1b0dc and 29412bd.

📒 Files selected for processing (3)
  • ops/AUTONOMOUS_RUN.md
  • scripts/generate_broadcast_manifest_input.py
  • scripts/test_broadcast_manifest_input.py
🚧 Files skipped from review as they are similar to previous changes (2)
  • scripts/test_broadcast_manifest_input.py
  • scripts/generate_broadcast_manifest_input.py

@punk6529 punk6529 merged commit d248502 into main Jun 11, 2026
2 checks passed

Successfully merging this pull request may close these issues.

[P1-DEPLOY-004] Add deterministic Foundry broadcast manifest ingestion

1 participant