Document dependency migration runbooks

[punk6529]

Summary

Closes #136.

This PR adds the production dependency operations runbook and wires it into the release evidence set.

• Adds docs/dependency-operations.md covering dependency version proposal, review, source packaging, registry registration, unfrozen collection repinning, deprecation, rollback by corrective version, frozen collection protection, and source-retention evidence.
• Links the runbook from metadata, deployment, release policy, release-artifact, dependency-artifact, status, known-blocker, roadmap, and autonomous-run docs.
• Includes the runbook in scripts/generate_release_manifest.py default governance docs and refreshes the generated release manifest/checksum bundle.
• Updates CHANGELOG.md and roadmap/state traceability for issue Document production dependency migration and source-retention runbooks #136.

Validation

• rg -n "dependency-operations|Dependency Operations|#136" docs release-artifacts ops CHANGELOG.md scripts
• stale blocker grep for old missing dependency-runbook language
• python scripts/test_dependency_artifact_manifest.py
• python scripts/generate_dependency_artifact_manifest.py --check
• python scripts/test_release_manifest.py
• python scripts/generate_release_manifest.py --check
• python scripts/test_release_checksums.py
• python scripts/generate_release_checksums.py --check
• python scripts/check_changelog.py
• git diff --check
• make check

Known pre-existing compiler/lint warnings remain unchanged.

Summary by CodeRabbit

• Documentation

  • Added a production runbook for dependency-version operations (proposal/review, packaging, registry registration, pinning, deprecation, rollback, frozen-collection protection, and source-retention gates).
  • Updated governance, deployment, metadata, status, known-blockers, and release-policy docs to reference the new runbook and checklist requirements.

• Chores

  • Updated release artifacts, checksums, and release manifest entries to reflect doc changes.
  • Updated ops/roadmap and internal run-state records and build tooling defaults to include the new runbook.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[punk6529]

@coderabbitai review

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c46d9323-6761-4761-a6d9-01d09e179ef4

📥 Commits

Reviewing files that changed from the base of the PR and between e519624 and 8d9bb83.

📒 Files selected for processing (1)

• ops/AUTONOMOUS_RUN.md

🚧 Files skipped from review as they are similar to previous changes (1)

• ops/AUTONOMOUS_RUN.md

---

📝 Walkthrough

Walkthrough

This PR adds docs/dependency-operations.md (a production dependency runbook) and integrates it into governance docs, release artifact manifests, manifest generation, and operational/roadmap records.

Changes

Dependency Operations Runbook

Layer / File(s)	Summary
Core dependency operations runbook docs/dependency-operations.md	Complete runbook specifying source-of-truth mappings, the Standard Dependency Version Ceremony (proposal, review, packaging, registry registration, pinning/repinning, manifest refresh), frozen collection protection, deprecation and rollback procedures, source-retention checklist, and local verification commands.
Governance and policy integration CHANGELOG.md, docs/deployment.md, docs/metadata.md, docs/release-policy.md, docs/status.md, docs/known-blockers.md	Cross-document updates reference and require the runbook for production dependency changes and refine blocker/status wording.
Release artifact and manifest wiring release-artifacts/README.md, release-artifacts/dependencies/README.md, scripts/generate_release_manifest.py, release-artifacts/latest/SHA256SUMS, release-artifacts/latest/release-checksums.json, release-artifacts/latest/release-manifest.json	Release README entries require runbook compliance; manifest generator includes the runbook by default; checksums and manifest metadata updated for affected governance docs and artifacts.
Operational state advancement ops/AUTONOMOUS_RUN.md, ops/ROADMAP.md	Autonomous run and roadmap records updated to reflect active runbook work (Queue Item tracking, issue reconciliation, and test-matrix evidence updates).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• 6529-Collections/6529Stream#137: Prior PR that tracked dependency migration/runbook work in the roadmap/autonomous run records; this PR implements the runbook and integrates it.

Poem

🐰 I hopped through docs with delight,
A runbook penned from day to night,
Propose, pin, and proofs in view,
Frozen hashes held true,
Operators rejoice—processes tight.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main addition: a new dependency migration runbooks document, which matches the primary change across the PR files.
Linked Issues check	✅ Passed	The PR fully addresses issue #136 requirements: runbook covers proposal/review/packaging/pinning/deprecation/rollback [#136], source-retention maps to artifact manifests [#136], and frozen/unfrozen collection behaviors are documented [#136].
Out of Scope Changes check	✅ Passed	All changes are scoped to dependency operations documentation and release manifest integration per issue #136; no out-of-scope modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/dependency-migration-runbook

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[punk6529]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ops/AUTONOMOUS_RUN.md`:
- Around line 135-137: The two wrapped lines starting with "#" (the lines
beginning "Issue `#136` selected after PR `#137` merged..." and "Branch
`codex/dependency-migration-runbook` started from `main` at PR `#137` merge
commit") are being parsed as ATX headings; fix by either escaping the leading
hashes (prefix each "#" with a backslash) or indenting the wrapped lines by at
least one space or four spaces so they render as plain text in
AUTONOMOUS_RUN.md; apply the same change to the other occurrences mentioned
(lines around the second block at 211-213).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d7955200-a6ec-483a-a1af-3fbe4d540efb

📥 Commits

Reviewing files that changed from the base of the PR and between 40ce3e3 and e519624.

📒 Files selected for processing (15)

• CHANGELOG.md
• docs/dependency-operations.md
• docs/deployment.md
• docs/known-blockers.md
• docs/metadata.md
• docs/release-policy.md
• docs/status.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• release-artifacts/README.md
• release-artifacts/dependencies/README.md
• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/release-checksums.json
• release-artifacts/latest/release-manifest.json
• scripts/generate_release_manifest.py

[punk6529]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.