Add randomizer operations evidence bundle

[punk6529]

Summary

Closes #154.

Adds a checkable, no-secret randomizer operations evidence bundle for deployment/release reviewers. This PR makes randomizer provider configuration, provider epochs, local funding status, request lifecycle controls, reserve policy, retained artifacts, and redaction rules part of the deterministic release surface.

Changes

• Add deployments/schema/randomizer-operations-evidence.schema.json.
• Add local Anvil evidence at deployments/randomizer-operations/anvil-6529stream-v0.1.0-001-local.json.
• Add scripts/check_randomizer_operations.py and scripts/test_randomizer_operations.py.
• Validate file-reference hashes, no-secret rules, deployment manifest/address-book alignment, provider funding status, lifecycle control evidence, retained artifact categories, and stricter production/mainnet evidence requirements.
• Wire the checker into Makefile, scripts/check.sh, scripts/check.ps1, and CI.
• Include randomizer operations evidence in release manifest and checksum coverage.
• Add docs/randomizer-operations.md and update deployment/release/status/roadmap/run-state docs.

Local Validation

• python scripts\test_randomizer_operations.py
• python scripts\check_randomizer_operations.py
• python scripts\test_release_manifest.py
• python scripts\generate_release_manifest.py --check
• python scripts\test_release_checksums.py
• python scripts\generate_release_checksums.py --check
• python scripts\test_changelog_check.py
• python scripts\check_changelog.py
• python -m py_compile scripts\check_randomizer_operations.py scripts\test_randomizer_operations.py scripts\generate_release_manifest.py scripts\test_release_manifest.py scripts\generate_release_checksums.py scripts\test_release_checksums.py
• bash -n scripts/check.sh
• git diff --check
• make check
• powershell -NoProfile -ExecutionPolicy Bypass -File scripts\check.ps1

Notes

No Solidity behavior changes. The committed evidence is explicitly local Anvil evidence only. Fork/testnet/live provider funding, request health, and retained provider proof remain future release ceremony work.

Summary by CodeRabbit

• New Features

  • Added a Randomizer Operations evidence framework with schema-backed validation for provider configuration, lifecycle controls, retained artifacts, and redaction rules.

• Documentation

  • New guide for Randomizer Operations evidence and updated deployment/release docs and checklists describing generation, retention, and validation steps.

• Tests

  • Added unit tests and CI checks to validate Randomizer Operations evidence and enforce environment-specific rules.

• Chores

  • Release manifest, checksum bundles, and CI/release workflows updated to include the new evidence artifacts and checks.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9ac82c5e-555a-4d00-9071-5e865d032a2b

📥 Commits

Reviewing files that changed from the base of the PR and between 3a91ded and d868555.

📒 Files selected for processing (3)

• ops/AUTONOMOUS_RUN.md
• scripts/check_randomizer_operations.py
• scripts/test_randomizer_operations.py

✅ Files skipped from review due to trivial changes (1)

• ops/AUTONOMOUS_RUN.md

🚧 Files skipped from review as they are similar to previous changes (2)

• scripts/test_randomizer_operations.py
• scripts/check_randomizer_operations.py

---

📝 Walkthrough

Walkthrough

This PR adds a randomizer operations evidence schema and a local Anvil evidence bundle, implements a Python validator with unit tests, integrates evidence into release manifest/checksum generation, wires tests and checks into CI and local Makefile/scripts, and updates documentation and release artifacts.

Changes

Randomizer operations evidence

Layer / File(s)	Summary
Evidence schema definition deployments/schema/randomizer-operations-evidence.schema.json	JSON Schema with required top-level fields, nested validation rules, enums/patterns, and reusable $defs for addresses, SHA-256, file refs, providers, and control results.
Local evidence bundle deployments/randomizer-operations/anvil-6529stream-v0.1.0-001-local.json	Anvil-local evidence recording schema/protocol/deployment metadata, network/source state, artifact refs with SHA-256, VRF/arRNG provider configuration and operator notes, lifecycle control statuses with evidence arrays, retained artifacts, redaction policy, and operator notes.
Evidence validator scripts/check_randomizer_operations.py	Standalone Python validator enforcing strict type checks, SHA-256 and commit/address formats, validating referenced files and checksum bundles, provider configuration and lifecycle-control constraints, retained artifact uniqueness, redaction policy, secret-like key/value rejection, deployment alignment (manifest/address-book), and environment-specific requirements.
Validator unit tests scripts/test_randomizer_operations.py	Deterministic unit tests that seed manifest/address-book/ABI/checksum placeholders and assert validator accepts valid evidence and rejects mutated cases: invalid addresses, adapter mismatch, missing evidence for passed controls, secret-like values, negative ints, environment/funding constraints, and duplicate retained categories.
Release manifest generation scripts/generate_release_manifest.py	Adds DEFAULT_RANDOMIZER_OPERATIONS_DIR, randomizer_operations_record() to extract evidence metadata and providers, wires --randomizer-operations-dir CLI arg, and includes randomizer_operations in manifest source and deployment_artifacts.
Release checksum integration scripts/generate_release_checksums.py	Adds deployments/randomizer-operations to DEFAULT_COVERED_PATHS so checksum bundles include randomizer operations files.
Release manifest test fixture scripts/test_release_manifest.py	Seeds docs and randomizer-operations schema/evidence in tests, returns randomizer_operations_dir, wires it through generator/check call sites, and adds assertions for evidence id and provider funding status.
Generated release artifacts release-artifacts/latest/release-manifest.json, release-artifacts/latest/SHA256SUMS, release-artifacts/latest/release-checksums.json	Manifest and checksum files updated to include randomizer_operations_dir, new schema descriptor and evidence entries, and updated governance doc entries and hashes/sizes.
CI and local check wiring Makefile, .github/workflows/ci.yml, scripts/check.sh, scripts/check.ps1	Makefile adds randomizer-operations-check target and prerequisites; CI workflow adds py_compile for the new scripts and a "Randomizer operations evidence" step that runs tests/checks and saves logs; shell and PowerShell check scripts invoke the test/check scripts.
Documentation and guidance docs/randomizer-operations.md, docs/deployment.md, docs/release-policy.md, docs/status.md, deployments/README.md, ops/AUTONOMOUS_RUN.md, ops/ROADMAP.md, CHANGELOG.md	New docs and updates describe the evidence bundle purpose, capture checklist, validation commands, release integration, checklists, roadmap/status updates, and autonomous-run tracking entries.

Sequence Diagram

sequenceDiagram
  participant CI as CI Workflow
  participant Runner as CI Job Runner
  participant Test as test_randomizer_operations.py
  participant Check as check_randomizer_operations.py
  participant Repo as Repository Files

  CI->>Runner: start "Randomizer operations evidence" step
  Runner->>Test: run tests (python scripts/test_randomizer_operations.py)
  Test->>Repo: write/seed deterministic manifest/address-book/checksum files
  Test->>Check: invoke checker.validate_evidence on seeded evidence
  Runner->>Check: run checker (python scripts/check_randomizer_operations.py)
  Check->>Repo: read evidence + manifest + address-book + checksum bundle
  Check->>Runner: exit 0 or error with message
  Runner->>CI: capture logs to ci-logs/*.log

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• 6529-Collections/6529Stream#106: Related changes to release-manifest generation and manifest-record wiring used by this PR.
• 6529-Collections/6529Stream#102: Related update to checksum coverage including deployment evidence directories.

"I hop through JSON trays of light,
I check each hash by moonlit night,
Validator nibs at every line,
Logs and docs in tidy sign,
A rabbit cheers: the evidence is right."

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'Add randomizer operations evidence bundle' clearly and concisely summarizes the main change—adding a new evidence bundle for randomizer operations validation.
Linked Issues check	✅ Passed	The PR comprehensively addresses all coding requirements from issue #154: schema creation, evidence bundle, validator implementation, tests, integration into checks, documentation updates, and release artifact inclusion.
Out of Scope Changes check	✅ Passed	All changes are directly related to the randomizer operations evidence bundle objective. Documentation, schema, validator, tests, integration, and release artifacts are all within scope of issue #154.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/randomizer-operations-evidence

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[punk6529]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[punk6529]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/check_randomizer_operations.py`:
- Line 218: Replace the current validation call that uses require_int for the
confirmation depth with require_nonnegative_int so negative values are rejected;
specifically change the call that passes network.get("confirmation_depth") and
the "network.confirmation_depth" key to use require_nonnegative_int instead of
require_int (update any references to confirmation_depth validation in the same
scope to use require_nonnegative_int).

In `@scripts/test_randomizer_operations.py`:
- Around line 247-258: The test test_production_requires_provider_funding_proof
currently fails early on missing retained categories; update the test to include
the required retained artifact categories so validate_evidence actually reaches
the evidence-count check: when building evidence via valid_evidence in
test_production_requires_provider_funding_proof, add the retained categories
list including "provider_configuration", "provider_funding", and
"provider_health" (where the code reads/uses
evidence["retained_artifact_categories"]) before writing the JSON, then keep the
assertRaisesRegex against checker.RandomizerOperationsError for the
provider_funding count check (adjust the regex only if the validator's error
text differs after adding the categories).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4ce111d3-b83d-4992-ae10-691be8401f6d

📥 Commits

Reviewing files that changed from the base of the PR and between 551185c and 3a91ded.

📒 Files selected for processing (22)

• .github/workflows/ci.yml
• CHANGELOG.md
• Makefile
• deployments/README.md
• deployments/randomizer-operations/anvil-6529stream-v0.1.0-001-local.json
• deployments/schema/randomizer-operations-evidence.schema.json
• docs/deployment.md
• docs/randomizer-operations.md
• docs/release-policy.md
• docs/status.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/release-checksums.json
• release-artifacts/latest/release-manifest.json
• scripts/check.ps1
• scripts/check.sh
• scripts/check_randomizer_operations.py
• scripts/generate_release_checksums.py
• scripts/generate_release_manifest.py
• scripts/test_randomizer_operations.py
• scripts/test_release_manifest.py

[punk6529]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.