
Add deployment ceremony evidence bundle #145

Merged: punk6529 merged 3 commits into main from codex/ceremony-evidence-schema on Jun 12, 2026

Conversation

@punk6529 punk6529 commented Jun 12, 2026

Contributor

Summary

  • add a no-secret deployment ceremony evidence schema and local Anvil evidence bundle
  • validate retained artifact hashes, ceremony result evidence, verification status, non-local evidence requirements, and secret-like keys
  • wire the evidence checker into Makefile, Linux/Windows check wrappers, CI, release manifest coverage, and release checksum coverage
  • update deployment/tooling/status/release docs, changelog, roadmap, and autonomous run state

Closes #144

Validation

  • python scripts\test_ceremony_evidence.py
  • python scripts\check_ceremony_evidence.py
  • python scripts\test_release_manifest.py
  • python scripts\generate_release_manifest.py
  • python scripts\generate_release_checksums.py
  • python scripts\generate_release_manifest.py --check
  • python scripts\test_release_checksums.py
  • python scripts\generate_release_checksums.py --check
  • python scripts\test_changelog_check.py
  • python scripts\check_changelog.py
  • python -m py_compile scripts\check_ceremony_evidence.py scripts\test_ceremony_evidence.py scripts\generate_release_manifest.py scripts\test_release_manifest.py scripts\generate_release_checksums.py
  • bash -n scripts/check.sh scripts/bootstrap-ec2.sh
  • make check
  • PowerShell parser check for scripts\check.ps1 and scripts\bootstrap-windows.ps1
  • powershell -NoProfile -ExecutionPolicy Bypass -File scripts\check.ps1

Summary by CodeRabbit

  • New Features

    • Added a deployment ceremony evidence schema, a local Anvil evidence bundle, and validation tooling to record and verify rehearsal phases.
    • Integrated ceremony evidence into release manifests and checksum bundles.
  • Documentation

    • Updated deployment, tooling, status, roadmap, and release-artifact docs to cover ceremony evidence generation, validation, and redaction guidance.
  • Tests

    • Added unit tests and CI checks to validate ceremony evidence and enforce no-secret evidence rules.
  • Chores

    • Wired ceremony-evidence validation into CI and build/check targets.

Contributor Author

@coderabbitai review

coderabbitai Bot commented Jun 12, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e37450da-9e07-45cf-be11-4f16e8fa3c73

📥 Commits

Reviewing files that changed from the base of the PR and between 16f0a17 and 5006780.

📒 Files selected for processing (10)
  • .github/workflows/ci.yml
  • docs/known-blockers.md
  • docs/tooling.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-manifest.json
  • scripts/check_ceremony_evidence.py
  • scripts/test_ceremony_evidence.py
✅ Files skipped from review due to trivial changes (5)
  • release-artifacts/latest/SHA256SUMS
  • ops/AUTONOMOUS_RUN.md
  • release-artifacts/latest/release-checksums.json
  • docs/tooling.md
  • docs/known-blockers.md
🚧 Files skipped from review as they are similar to previous changes (5)
  • .github/workflows/ci.yml
  • scripts/test_ceremony_evidence.py
  • release-artifacts/latest/release-manifest.json
  • scripts/check_ceremony_evidence.py
  • ops/ROADMAP.md

📝 Walkthrough

Walkthrough

This PR adds a machine-verifiable JSON schema for deployment ceremony evidence bundles, implements a no-secret validator with unit tests, provides a local Anvil example bundle, and wires validation checks into the build system, release manifest generation, checksum bundles, CI, and documentation.

Changes

Ceremony Evidence Schema & Validation

Layer / File(s) / Summary

Schema definition and local evidence example
Files: deployments/schema/ceremony-evidence.schema.json, deployments/ceremony-evidence/anvil-6529stream-v0.1.0-001-local.json
Defines JSON schema for ceremony evidence contract including network, source, participants, artifacts, ceremony results (admin, signer, metadata browser, auction, emergency redeployment), verification status, retained artifacts, redaction policy, and operator notes. Provides concrete local Anvil bundle demonstrating schema structure with placeholder evidence references and no secrets.

Validator implementation
Files: scripts/check_ceremony_evidence.py
Implements the CLI validator enforcing schema-version, section shape/format, repo-bounded file reference resolution, SHA256 recomputation and verification, digest-status checks for checksum-bundle refs, ceremony-result and verification-status rules, retained-artifact/redaction policy, and rejection of secret-like keys/values. Exposes main(argv) -> int and CLI args.

Validator unit tests
Files: scripts/test_ceremony_evidence.py
Unit tests dynamically load the checker and cover valid evidence plus failure modes: missing required sections, invalid hashes, missing referenced files, non-local retained-artifact requirements, invalid verification enum usage, secret-like keys, and secret-like values in operator notes.

Release manifest ceremony evidence integration
Files: scripts/generate_release_manifest.py, scripts/test_release_manifest.py
Adds ceremony_evidence_record() and --ceremony-evidence-dir handling; includes ceremony evidence records in generated manifest, aggregates protocol/deployment versions, threads the directory through build/write/check flows, and updates tests to seed and validate ceremony evidence entries.

Checksum generator update
Files: scripts/generate_release_checksums.py
Adds deployments/ceremony-evidence to DEFAULT_COVERED_PATHS so ceremony evidence bundles are included in checksum generation and verification by default.

Makefile, CI, and local scripts wiring
Files: Makefile, .github/workflows/ci.yml, scripts/check.sh, scripts/check.ps1
Adds ceremony-evidence-check Make target that runs test + checker, updates CI with a "Ceremony evidence" step logging outputs to ci-logs/, and invokes the test/check scripts from local check scripts.

Release artifact files
Files: release-artifacts/latest/SHA256SUMS, release-artifacts/latest/release-checksums.json, release-artifacts/latest/release-manifest.json, release-artifacts/README.md
Adds checksums and manifest entries for the ceremony-evidence schema and local Anvil bundle; updates covered paths and adds file entries with sha256/size; documents ceremony evidence validation commands.

User and operational documentation
Files: CHANGELOG.md, docs/deployment.md, docs/tooling.md, docs/status.md, docs/known-blockers.md, deployments/README.md, ops/ROADMAP.md, ops/AUTONOMOUS_RUN.md
Documents the schema, example bundle, validation commands, admin ceremony checklist step, release/regeneration guidance, roadmap/queue updates, and clarifies fork/testnet/live evidence remain future work.

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly Related PRs

  • 6529-Collections/6529Stream#106: Related changes to scripts/generate_release_manifest.py that extend manifest generation paths (adds ceremony_evidence_dir handling).

Poem

🐰 A schema hops out of the burrow at dawn,
Evidence bundled, no secrets drawn,
Anvil rehearsals set down in a file,
Checkers and tests make every step smile,
Release roads cleared for the ceremonial lawn.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title 'Add deployment ceremony evidence bundle' is concise, clear, and directly reflects the main focus of the changeset: introducing ceremony evidence schema, example bundles, and validation tooling.
Linked Issues check ✅ Passed The PR comprehensively addresses all acceptance criteria from issue #144: schema and example bundle added, validator and tests implemented, integration into CI/make/deployment gates completed, and documentation updated to distinguish local evidence from future fork/testnet/live ceremonies.
Out of Scope Changes check ✅ Passed All changes are tightly scoped to issue #144 objectives: ceremony evidence schema/bundle/validator, integration into existing deployment/release gates, and documentation updates reflecting the schema addition and future evidence roadmap.


coderabbitai Bot commented Jun 12, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@claude claude Bot left a comment


Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (4)
.github/workflows/ci.yml (1)

187-193: ⚡ Quick win

Add the new scripts to the fast py_compile pass.

These entrypoints are now part of the smoke gate, but they aren't covered by the repository-hygiene compile list yet. Catching syntax errors here keeps failures in the cheap check instead of the long Foundry job.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 187 - 193, The fast py_compile pass is
missing the new entrypoints used by the "Ceremony evidence" step; add
scripts/test_ceremony_evidence.py and scripts/check_ceremony_evidence.py to the
py_compile check so their syntax is validated in the cheap gate. Update the
py_compile list or command (the job that currently compiles existing scripts) to
include these two paths or run python -m py_compile against them, ensuring the
same format/array used for other checked scripts is followed.
docs/tooling.md (1)

177-184: ⚡ Quick win

Include the test step in the manual release-artifact sequence.

This section currently lists only check_ceremony_evidence.py, but the new gate is wired everywhere else as test + check. Adding the test command keeps the docs aligned with CI/make and avoids skipping the negative-path coverage.

Proposed fix
 python scripts/generate_address_books.py
+python scripts/test_ceremony_evidence.py
 python scripts/check_ceremony_evidence.py
 python scripts/generate_release_manifest.py
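Review bot: the hunk and the agent prompt under it name different test steps: the hunk inserts `python scripts/test_ceremony_evidence.py`, while the prompt says to add `python -m pytest` or the repo's `make test` equivalent. The script in the hunk is what the PR's validation list and the test + check wiring for CI and make actually use, so the prompt should name that script rather than a generic runner; otherwise the two suggestions get applied inconsistently.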
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/tooling.md` around lines 177 - 184, Update the manual release-artifact
sequence to include the test step before the check step: add the test command
(e.g., run your test suite with `python -m pytest` or the repo's `make test`
equivalent) immediately before `python scripts/check_ceremony_evidence.py` so
the sequence follows the new gate convention of `test` + `check` and aligns with
CI; locate the insertion near the existing `python
scripts/check_ceremony_evidence.py` entry in the list of commands.
scripts/test_ceremony_evidence.py (1)

200-209: 💤 Low value

Minor style inconsistency: deepcopy usage.

Line 203 uses copy.deepcopy(valid_evidence(root)) while other tests (lines 137, 146, 157, 168, 179, 192) call valid_evidence(root) directly and mutate the returned dict. Since valid_evidence() creates a fresh dict each time, the deepcopy is unnecessary.

This is a minor style inconsistency with no functional impact.

♻️ Optional: Remove unnecessary deepcopy for consistency
-        evidence = copy.deepcopy(valid_evidence(root))
+        evidence = valid_evidence(root)
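Review bot: if `copy.deepcopy` at line 203 is the test module's only use of `copy`, removing it leaves an unused `import copy`; drop the import in the same change. The other tests cited (lines 137, 146, 157, 168, 179, 192) already mutate `valid_evidence(root)` directly, so nothing else needs to move.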
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/test_ceremony_evidence.py` around lines 200 - 209, In
test_secret_like_keys_fail replace the unnecessary use of
copy.deepcopy(valid_evidence(root)) with a direct call to valid_evidence(root)
(the helper creates a fresh dict), i.e. in the test_secret_like_keys_fail
function remove the copy.deepcopy wrapper so you mutate the returned dict
directly before writing it and calling checker.validate_evidence; no other
changes needed.
scripts/check_ceremony_evidence.py (1)

282-291: 💤 Low value

Secret detection checks keys only, not values.

The reject_secret_like_keys function scans dictionary keys for secret-like patterns but does not inspect values. An operator could theoretically include a secret in a value like {"notes": "password=abc123"}.

However, this is acceptable as a best-effort heuristic check, backed by the explicit redaction_policy.no_secrets=true assertion. The design assumes operators review evidence before committing.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/check_ceremony_evidence.py` around lines 282 - 291, The current
reject_secret_like_keys function only inspects dict keys and skips string
values; update reject_secret_like_keys to also examine string (and possibly
bytes) values: when value is a str, lower-case it and raise
CeremonyEvidenceError if it contains any token from SECRET_KEY_PARTS or matches
common secret patterns (e.g., "password=...", "secret: ...", "api_key=...");
keep the existing path formatting and error message style; reference the
existing symbols reject_secret_like_keys, SECRET_KEY_PARTS, and
CeremonyEvidenceError when making the change.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/known-blockers.md`:
- Around line 140-147: Reword the two bullets so they clearly state that
detailed retained broadcast/verification artifacts are future non-local ceremony
requirements rather than missing parts of the current local Anvil bundle;
reference the checker’s current enforcement of the no-secret contract and
retained_artifacts contract (e.g., mention "no-secret / retained_artifacts" and
"local Anvil bundle") and change phrasing like "remain missing" to something
like "are planned for future non-local ceremonies" so readers don’t infer the
local bundle or current checker is incomplete.

In `@ops/ROADMAP.md`:
- Around line 277-278: Reword the roadmap line that currently reads "Local
ceremony evidence bundle is generated and checked; fork/testnet/live ceremony
evidence bundles are retained before public beta." to explicitly scope the
current gate to only the local, non-secret bundle (e.g., "Local ceremony
evidence bundle is generated and checked; only local/no-secret evidence is
retained for this release"), and remove or extract any mention of
fork/testnet/live retention into a separate follow-up gate entry; apply the same
change to the related lines referenced at 2161-2163 so all mentions of
fork/testnet/live retention are moved out of the immediate-release gate and into
a distinct future-facing gate description.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 23478a7d-46d5-4400-96bb-ac08bd0f122e

📥 Commits

Reviewing files that changed from the base of the PR and between 6dd5846 and 16f0a17.

📒 Files selected for processing (23)
  • .github/workflows/ci.yml
  • CHANGELOG.md
  • Makefile
  • deployments/README.md
  • deployments/ceremony-evidence/anvil-6529stream-v0.1.0-001-local.json
  • deployments/schema/ceremony-evidence.schema.json
  • docs/deployment.md
  • docs/known-blockers.md
  • docs/status.md
  • docs/tooling.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • release-artifacts/README.md
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-manifest.json
  • scripts/check.ps1
  • scripts/check.sh
  • scripts/check_ceremony_evidence.py
  • scripts/generate_release_checksums.py
  • scripts/generate_release_manifest.py
  • scripts/test_ceremony_evidence.py
  • scripts/test_release_manifest.py
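
The validator contract described in the walkthrough (repo-bounded file references, SHA256 recomputation, rejection of secret-like keys) and the value-scan gap raised in the check_ceremony_evidence.py nitpick above, as an added example written here rather than the project's own scripts/check_ceremony_evidence.py. The function names, the `path`/`sha256` entry shape and the token list are assumptions; only `CeremonyEvidenceError` and `SECRET_KEY_PARTS` echo names the review mentions, and their definitions here are reconstructed.

```python
"""Added example: a no-secret walker plus repo-bounded SHA256 artifact checks.
Not the project's scripts/check_ceremony_evidence.py; names below are assumptions."""
import hashlib
import re
from pathlib import Path

# Assumed token list, modelled on the SECRET_KEY_PARTS idea mentioned in the review.
SECRET_KEY_PARTS = ("password", "secret", "private_key", "privatekey", "mnemonic", "api_key")
# Value heuristic: key=value / key: value assignments, or a 0x-prefixed 32-byte hex blob
# (a raw private key). Plain 64-hex sha256 digests have no 0x prefix and do not match.
SECRET_VALUE_RE = re.compile(
    r"(?:password|secret|api[_-]?key|private[_-]?key|mnemonic)\s*[=:]\s*\S+"
    r"|\b0x[0-9a-fA-F]{64}\b",
    re.IGNORECASE,
)


class CeremonyEvidenceError(ValueError):
    """Raised when a bundle violates the no-secret or retained-artifact contract."""


def reject_secret_like_entries(node, path="$"):
    """Walk dicts and lists; fail on secret-like keys and on secret-like string values."""
    if isinstance(node, dict):
        for key, value in node.items():
            if any(part in str(key).lower() for part in SECRET_KEY_PARTS):
                raise CeremonyEvidenceError(f"{path}.{key}: secret-like key")
            reject_secret_like_entries(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            reject_secret_like_entries(item, f"{path}[{index}]")
    elif isinstance(node, str) and SECRET_VALUE_RE.search(node):
        raise CeremonyEvidenceError(f"{path}: secret-like value")
    return True


def resolve_in_repo(repo_root, ref):
    """Resolve a file reference and refuse anything that escapes the repository root."""
    root = Path(repo_root).resolve()
    candidate = (root / ref).resolve()
    if candidate != root and root not in candidate.parents:
        raise CeremonyEvidenceError(f"{ref}: reference escapes repository root")
    return candidate


def verify_retained_artifacts(repo_root, artifacts):
    """Recompute SHA256 for each assumed {'path', 'sha256'} entry; return the count verified."""
    for entry in artifacts:
        target = resolve_in_repo(repo_root, entry["path"])
        if not target.is_file():
            raise CeremonyEvidenceError(f"{entry['path']}: referenced file missing")
        digest = hashlib.sha256(target.read_bytes()).hexdigest()
        if digest != entry["sha256"].lower():
            raise CeremonyEvidenceError(f"{entry['path']}: sha256 mismatch")
    return len(artifacts)
```

The value heuristic is deliberately narrow so that the sha256 digests the bundle itself carries do not trip it; like the project's key check, it is best effort and complements rather than replaces operator review before commit.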

@punk6529 punk6529 merged commit 9f1c257 into main Jun 12, 2026
2 checks passed
Development

Successfully merging this pull request may close these issues.

Add deployment ceremony evidence bundle schema