Add local emergency redeployment rehearsal

[punk6529]

Summary

Closes #142.

Adds a local Anvil emergency redeployment rehearsal for the ADR 0007 / Gate E deployment evidence path. The rehearsal deploys an impacted old stack and a replacement stack with distinct deployment versions, manifest hashes, EIP-712 drop domains, and contract addresses; proves both ceremonies transfer control to the Safe placeholder and remove temporary deployer admin; and smoke-mints on the replacement stack through the signed fixed-price drop path.

This is intentionally local-only evidence. Fork/testnet/live emergency redeployment evidence remains a later Gate E blocker that should use real deployment inputs and retained broadcast artifacts.

Changes

• Add script/RehearseEmergencyRedeployment.s.sol for the local two-stack redeployment rehearsal.
• Extend test/StreamDeploymentManifest.t.sol with machine-checkable redeployment evidence assertions.
• Wire the rehearsal into make deploy-rehearsal, Linux/Windows local gates, and CI deployment-rehearsal logs.
• Update deployment/tooling/status/blocker/test/script docs, roadmap state, autonomous run state, changelog, and release checksum/manifest evidence.

Validation

• forge fmt script\RehearseEmergencyRedeployment.s.sol test\StreamDeploymentManifest.t.sol
• forge test --match-path test\StreamDeploymentManifest.t.sol -vvv
• forge script script\RehearseEmergencyRedeployment.s.sol:RehearseEmergencyRedeployment --sig "run()" --via-ir
• python scripts\generate_release_manifest.py
• python scripts\generate_release_checksums.py
• python scripts\generate_release_manifest.py --check
• python scripts\generate_release_checksums.py --check
• python scripts\test_changelog_check.py
• python scripts\check_changelog.py
• python scripts\test_release_manifest.py
• python scripts\test_release_checksums.py
• bash -n scripts/check.sh scripts/bootstrap-ec2.sh
• make check
• PowerShell parser check for scripts\check.ps1 and scripts\bootstrap-windows.ps1
• powershell -NoProfile -ExecutionPolicy Bypass -File scripts\check.ps1
• git diff --check

Summary by CodeRabbit

• New Features

  • Added a local emergency redeployment rehearsal to validate distinct old/replacement deployments, manifests, domains/addresses, admin ceremony state, and fixed-price mint smoke evidence.

• Documentation

  • Updated deployment, tooling, status, roadmap, and run docs to describe the emergency redeployment rehearsal and updated checklists.

• CI / Releases

  • CI now runs the emergency redeployment rehearsal and records its output; release artifact checksums updated.

• Tests

  • Added test coverage asserting emergency redeployment produces replacement evidence.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d24baa0e-95fa-4798-b342-41cdd3e8520f

📥 Commits

Reviewing files that changed from the base of the PR and between 5c8f537 and ed2a536.

📒 Files selected for processing (3)

• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• script/RehearseEmergencyRedeployment.s.sol

✅ Files skipped from review due to trivial changes (1)

• ops/ROADMAP.md

🚧 Files skipped from review as they are similar to previous changes (2)

• script/RehearseEmergencyRedeployment.s.sol
• ops/AUTONOMOUS_RUN.md

---

📝 Walkthrough

Walkthrough

Adds a local Foundry-based emergency redeployment rehearsal script and test that deploy two distinct stacks, verify Safe-rooted admin ceremonies and manifest/address distinctness, perform a replacement-only smoke mint, integrate the rehearsal into CI/local checks and Makefile, and update documentation, roadmap, ops state, and release checksums.

Changes

Local Emergency Redeployment Rehearsal Implementation

Layer / File(s)	Summary
Emergency redeployment rehearsal script implementation script/RehearseEmergencyRedeployment.s.sol	Adds EmergencyRedeploymentVm cheatcode interface, EmergencyRedeploymentRandomizer deterministic-hash writer, and RehearseEmergencyRedeployment.run() orchestration that deploys old and replacement stacks, validates ceremony invariants and manifest/address distinctness, executes an EIP-712 fixed-price mint on the replacement stack, and returns an EmergencyRedeploymentResult with lifecycle and evidence hashes.
Rehearsal evidence validation test test/StreamDeploymentManifest.t.sol	Adds import and testLocalEmergencyRedeploymentRehearsalProducesReplacementEvidence which runs the rehearsal and asserts chain ID, evidence kind hash, lifecycle/deployment version hashes, non-zero manifest hashes, manifest/address distinctness, domain changes, and replacement token ownership/hash/epoch expectations.
CI and local check integration .github/workflows/ci.yml, Makefile, scripts/check.sh, scripts/check.ps1	Wires forge script script/RehearseEmergencyRedeployment.s.sol:RehearseEmergencyRedeployment --sig "run()" --via-ir into the deployment rehearsal CI step, make deploy-rehearsal, and both shell/PowerShell check scripts; logs CI output to ci-logs/forge-emergency-redeployment-rehearsal.log.
Governance and deployment documentation CHANGELOG.md, docs/deployment.md, docs/tooling.md, docs/status.md, docs/known-blockers.md, script/README.md, test/README.md	Adds changelog entry and docs describing the rehearsal command and scope, expands Admin Ceremony Checklist, clarifies local Anvil-only evidence vs. future fork/testnet/live Gate E work, and splits known-blockers into clearer categories.
Release artifact checksum updates release-artifacts/latest/SHA256SUMS, release-artifacts/latest/release-checksums.json, release-artifacts/latest/release-manifest.json	Updates SHA256 and size metadata for changed documentation artifacts referenced in the release manifest.
Operations state and roadmap updates ops/AUTONOMOUS_RUN.md, ops/ROADMAP.md	Records active PR/queue progress for the rehearsal and expands roadmap/verification metadata, Gate E criteria, first-implementation queue entry, and Appendix B test matrix to include the emergency redeployment rehearsal.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through manifests, hashes bright,
Two stacks stood—one old, one right,
A signed small mint, a token borne,
Safe-owned hands at early morn,
Rehearsal proves redeploy's light.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: adding a local emergency redeployment rehearsal, which matches the primary objective of the entire changeset.
Linked Issues check	✅ Passed	All major objectives from issue #142 are satisfied: local Anvil rehearsal with two deployments, distinct versions/manifests, Safe-rooted ceremonies, admin removal, replacement smoke test, machine-checkable evidence, integration into CI/local gates, and updated documentation.
Out of Scope Changes check	✅ Passed	All code changes directly support emergency redeployment rehearsal implementation and integration; no unrelated modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/emergency-redeployment-rehearsal

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[punk6529]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@script/RehearseEmergencyRedeployment.s.sol`:
- Around line 95-109: The rehearsal currently computes oldDeploymentVersionHash
and replacementDeploymentVersionHash but never asserts they differ, so add a
failing assertion in run() to reject a replacement that reuses the historical
deploymentVersion: after computing replacementDeploymentVersionHash (and before
or after deploying replacementDeployment) compare oldDeploymentVersionHash !=
replacementDeploymentVersionHash and revert/fail the script if equal; reference
the variables oldDeploymentVersionHash, replacementDeploymentVersionHash and the
run() flow (you can reuse the existing assertion pattern used by
_assertDeploymentCeremony/_assertDistinctDeployments to surface the failure).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2ce0215d-b424-4559-bc43-b2a1ca4de17e

📥 Commits

Reviewing files that changed from the base of the PR and between 1b3ad3d and 5c8f537.

📒 Files selected for processing (18)

• .github/workflows/ci.yml
• CHANGELOG.md
• Makefile
• docs/deployment.md
• docs/known-blockers.md
• docs/status.md
• docs/tooling.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/release-checksums.json
• release-artifacts/latest/release-manifest.json
• script/README.md
• script/RehearseEmergencyRedeployment.s.sol
• scripts/check.ps1
• scripts/check.sh
• test/README.md
• test/StreamDeploymentManifest.t.sol