Add dependency artifact manifest packaging #118

Merged: punk6529 merged 2 commits into main from codex/dependency-artifact-manifest on Jun 11, 2026
@punk6529 punk6529 commented Jun 11, 2026

Summary

Closes #117.

  • add deterministic dependency artifact descriptors under release-artifacts/dependencies/ and generate release-artifacts/latest/dependency-artifact-manifest.json
  • wire dependency artifact tests/checks into Makefile, Windows/Unix check wrappers, and CI
  • include the dependency artifact manifest in the top-level release manifest and include dependency descriptor/source files in the release checksum bundle
  • update release/metadata/status docs, changelog, roadmap traceability, and autonomous run state

Notes

  • This is release/documentation/tooling only; no Solidity source or bytecode changes.
  • Production dependency migration runbooks remain a follow-up; this PR establishes the deterministic packaging/checking baseline.
  • The final local size gate still reports StreamCore at 24,135 runtime bytes with 441 bytes of EIP-170 headroom.

Validation

  • python scripts\test_dependency_artifact_manifest.py
  • python scripts\generate_dependency_artifact_manifest.py --check
  • python scripts\test_release_manifest.py
  • python scripts\generate_release_manifest.py --check
  • python scripts\test_release_checksums.py
  • python scripts\generate_release_checksums.py --check
  • python -m py_compile scripts\generate_dependency_artifact_manifest.py scripts\test_dependency_artifact_manifest.py scripts\generate_release_artifacts.py scripts\generate_release_checksums.py scripts\generate_release_manifest.py scripts\test_release_manifest.py
  • bash -n scripts/check.sh
  • make check
  • powershell -ExecutionPolicy Bypass -File scripts\check.ps1
  • git diff --check (only known Windows line-ending warnings)

Summary by CodeRabbit

Release Notes

  • New Features

    • Dependency artifact manifest now tracks and validates dependency source files with SHA-256 integrity verification, enabling comprehensive release artifact auditing beyond registry provenance alone.
  • Chores

    • Enhanced CI pipeline and build system with automated dependency artifact validation.
    • Updated documentation with dependency packaging guidelines and release artifact verification procedures.

Contributor Author

@coderabbitai review

coderabbitai Bot commented Jun 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 10da9aa0-75df-442e-b95f-db6f7e41ac50

📥 Commits

Reviewing files that changed from the base of the PR and between a6d9271 and 8b4d829.

📒 Files selected for processing (23)
  • .github/workflows/ci.yml
  • CHANGELOG.md
  • Makefile
  • docs/metadata.md
  • docs/status.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • release-artifacts/README.md
  • release-artifacts/dependencies/README.md
  • release-artifacts/dependencies/anvil-6529stream-v0.1.0-001/local-rehearsal-dependency.dependency.json
  • release-artifacts/dependencies/anvil-6529stream-v0.1.0-001/local-rehearsal-dependency.js
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/dependency-artifact-manifest.json
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-manifest.json
  • scripts/check.ps1
  • scripts/check.sh
  • scripts/generate_dependency_artifact_manifest.py
  • scripts/generate_release_artifacts.py
  • scripts/generate_release_checksums.py
  • scripts/generate_release_manifest.py
  • scripts/test_dependency_artifact_manifest.py
  • scripts/test_release_manifest.py

Walkthrough

This PR adds deterministic dependency artifact manifest packaging to the release pipeline. A new generator script reads dependency descriptors from release-artifacts/dependencies/, validates schema and file integrity, computes SHA-256 hashes, and generates a consolidated manifest. The manifest is wired into the release bundle, checksum coverage, and build/CI checks. Initial rehearsal dependency descriptor and scripts are committed alongside updated documentation and release state.

Changes

Dependency artifact manifest

| Layer / File(s) | Summary |
|---|---|
| Descriptor format and example packaging: release-artifacts/dependencies/README.md, release-artifacts/dependencies/anvil-6529stream-v0.1.0-001/local-rehearsal-dependency.dependency.json, release-artifacts/dependencies/anvil-6529stream-v0.1.0-001/local-rehearsal-dependency.js | Introduces the dependency descriptor schema (6529stream.dependency-artifact.v1) with identity/metadata fields and artifact file references. Includes an example local-rehearsal dependency descriptor and its JavaScript source file. |
| Manifest generator with validation and tests: scripts/generate_dependency_artifact_manifest.py, scripts/test_dependency_artifact_manifest.py | Implements a deterministic manifest generator that reads descriptors, validates schema/metadata/file boundaries, computes SHA-256 integrity records, enforces identity uniqueness across descriptors, and generates dependency-artifact-manifest.json. Test suite verifies determinism, drift detection, missing files, malformed dependency keys, duplicate identities, and path-boundary rejections. |
| Release manifest and checksum integration: scripts/generate_release_manifest.py, scripts/generate_release_checksums.py, scripts/generate_release_artifacts.py, scripts/test_release_manifest.py | Extends release manifest generation to include dependency-artifact-manifest entry with schema validation. Adds release-artifacts/dependencies/ to default checksum coverage. Excludes the generated manifest from freshness checks. Updates manifest tests to verify the new entry. |
| Build system and CI wiring: Makefile, .github/workflows/ci.yml, scripts/check.sh, scripts/check.ps1 | Adds dependency-artifacts and dependency-artifacts-check make targets. Wires manifest generation/check into CI workflow step, shell, and PowerShell check sequences. |
| Generated manifest and artifact checksums: release-artifacts/latest/dependency-artifact-manifest.json, release-artifacts/latest/SHA256SUMS, release-artifacts/latest/release-checksums.json, release-artifacts/latest/release-manifest.json | Commits the deterministic manifest with initial rehearsal dependency record. Updates checksum files and release manifest to include dependency artifact entries and integrity records. |
| Policy documentation and traceability: release-artifacts/README.md, docs/metadata.md, docs/status.md, ops/ROADMAP.md, ops/AUTONOMOUS_RUN.md, CHANGELOG.md | Documents dependency packaging policy, manifest schema, and verification scope. Updates roadmap progress, operational status, and autonomous-run logs. Records feature completion in changelog. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • 6529-Collections/6529Stream#102: Modifies checksum bundle generation by extending DEFAULT_COVERED_PATHS to include release-artifacts/dependencies/, aligning with the same release checksum pipeline.
  • 6529-Collections/6529Stream#106: Introduces the release-manifest generator and wires it into CI/Makefile; this PR extends that same manifest with dependency artifact coverage.

Poem

🐰 A manifest so fine, so deterministically true,
Dependencies now packaged with SHA-256 too,
No relying on provenance alone anymore,
Integrity and drift checks at every door!
Our releases are safer, audit trails are clear.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title 'Add dependency artifact manifest packaging' directly and clearly summarizes the main change—introducing deterministic packaging for dependency artifacts with manifest generation. |
| Linked Issues check | ✅ Passed | The PR implements all coding requirements from issue #117: descriptor format under release-artifacts/dependencies/, generator/check script with validation and SHA-256 records, focused tests for determinism/drift/errors, wired into make check/CI/release manifest/checksum bundle, and initial rehearsal dependency packaged. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to dependency artifact packaging objectives: documentation updates (CHANGELOG/metadata/status/roadmap), Makefile targets, CI workflow steps, Python scripts for generation/testing, release artifact manifests/checksums, and dependency descriptor/source files. No Solidity or unrelated changes present. |

Comment @coderabbitai help to get the list of available commands and usage tips.
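
The generator behaviour summarized in the walkthrough above (sorted descriptors, SHA-256 file records, identity uniqueness, path-boundary rejection, and a check mode that fails on drift), sketched as an added example; it is not the repository's scripts/generate_dependency_artifact_manifest.py. The descriptor fields `id` and `files`, the output layout, and the sample tree are assumptions, since the page does not show the schema's fields.

```python
import hashlib, json, tempfile
from pathlib import Path

SCHEMA = "6529stream.dependency-artifact.v1"  # schema id named in the walkthrough

def resolve_inside(base: Path, rel: str) -> Path:
    """Resolve rel under base, rejecting absolute paths and '..'/symlink escapes."""
    target = (base / rel).resolve()
    if Path(rel).is_absolute() or not target.is_relative_to(base.resolve()):
        raise ValueError(f"path escapes descriptor directory: {rel}")
    if not target.is_file():
        raise ValueError(f"missing artifact file: {rel}")
    return target

def build_manifest(deps_root: Path) -> str:
    """Canonical manifest JSON for every *.dependency.json under deps_root."""
    records, seen = [], set()
    for desc_path in sorted(deps_root.rglob("*.dependency.json")):
        desc = json.loads(desc_path.read_text(encoding="utf-8"))
        if desc.get("schema") != SCHEMA or desc["id"] in seen:
            raise ValueError(f"bad schema or duplicate identity: {desc_path.name}")
        seen.add(desc["id"])  # "id" and "files" are hypothetical field names
        files = [{"path": rel, "sha256": hashlib.sha256(resolve_inside(
            desc_path.parent, rel).read_bytes()).hexdigest()} for rel in sorted(desc["files"])]
        records.append({"id": desc["id"], "files": files})
    # Sorted inputs, sorted keys, no timestamps: same tree gives byte-identical output.
    return json.dumps({"dependencies": records}, indent=2, sort_keys=True) + "\n"

def check_manifest(deps_root: Path, manifest: Path) -> bool:
    """Check mode: True only if the committed manifest equals a fresh build."""
    return manifest.is_file() and manifest.read_text() == build_manifest(deps_root)

def demo() -> dict:
    """Constructed sample tree: fresh check, drift after an edit, '..' escape."""
    with tempfile.TemporaryDirectory() as tmp:
        (dep := Path(tmp) / "dependencies" / "sample-dep").mkdir(parents=True)
        (dep / "lib.js").write_text("module.exports = 1;\n")
        desc = {"schema": SCHEMA, "id": "sample-dep", "files": ["lib.js"]}
        (dep / "sample.dependency.json").write_text(json.dumps(desc))
        (out := Path(tmp) / "manifest.json").write_text(build_manifest(dep.parent))
        result = {"fresh": check_manifest(dep.parent, out), "escape_rejected": False}
        (dep / "lib.js").write_text("module.exports = 2;\n")  # source edited after packaging
        result["drift_detected"] = not check_manifest(dep.parent, out)
        # Descriptor now points outside its own directory.
        (dep / "sample.dependency.json").write_text(json.dumps({**desc, "files": ["../../manifest.json"]}))
        try:
            build_manifest(dep.parent)
        except ValueError:
            result["escape_rejected"] = True
        return result
```

Because the output depends only on sorted paths and file bytes, a check run in CI can compare the committed manifest byte for byte and fail on any unrecorded change to a packaged dependency file.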

coderabbitai Bot commented Jun 11, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@claude claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

@punk6529 punk6529 merged commit 97ea7ae into main Jun 11, 2026
2 checks passed
Development

Successfully merging this pull request may close these issues.

[P1-META-003] Add dependency artifact manifest packaging
