Add release signature evidence baseline #157

Merged. punk6529 merged 4 commits into main from codex/release-signature-evidence, Jun 12, 2026

punk6529 (Contributor) commented Jun 12, 2026

Summary

Closes #156.

Adds a no-secret, machine-checkable release signature evidence baseline for the release ceremony. This makes the missing detached checksum signature and signed Git tag work explicit without requiring production signing keys or claiming a real signature exists.

Changes

  • Add release-artifacts/schema/release-signature-evidence.schema.json.
  • Add local placeholder evidence at release-artifacts/signatures/anvil-6529stream-v0.1.0-001-local.json.
  • Add scripts/check_release_signatures.py and scripts/test_release_signatures.py.
  • Validate self-referential release manifest/checksum references, signer identity status, local/non-local placeholder boundaries, production signed-output requirements, retained artifact hashes, and no-secret redaction.
  • Wire the checker into Makefile, scripts/check.sh, scripts/check.ps1, and CI.
  • Include release signature evidence in the generated release manifest and release checksum coverage.
  • Add docs/release-signatures.md and update release policy, status, release artifact docs, roadmap, changelog, and autonomous run state.

Local Validation

  • python scripts\test_release_signatures.py
  • python scripts\check_release_signatures.py
  • python -m py_compile scripts\check_release_signatures.py scripts\test_release_signatures.py scripts\generate_release_manifest.py scripts\test_release_manifest.py
  • python scripts\test_release_manifest.py
  • python scripts\generate_release_manifest.py --check
  • python scripts\test_release_checksums.py
  • python scripts\generate_release_checksums.py --check
  • python scripts\test_changelog_check.py
  • python scripts\check_changelog.py
  • bash -n scripts/check.sh
  • git diff --check (passes with existing PowerShell line-ending warning for scripts/check.ps1)
  • make check

Notes

No Solidity behavior changes. The committed evidence is intentionally local placeholder evidence only; real production detached signatures, signed tags, and signing-key custody remain future release ceremony work.

Summary by CodeRabbit

  • New Features

    • Added structured release-signature evidence support: schema, example local evidence, and manifest integration to record signature status.
  • Documentation

    • New guidance and policy updates covering release signature evidence, retention, redaction rules, and release checklist/roadmap updates.
  • Chores

    • Integrated signature-evidence validation into CI and local verification flows and build targets.
  • Tests

    • New unit/integration tests validating evidence rules and manifest generation.

claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

coderabbitai Bot commented Jun 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1f34041c-0158-4327-8231-0d4ca7d795c5

📥 Commits

Reviewing files that changed from the base of the PR and between cb262f9 and 8af0026.

📒 Files selected for processing (10)
  • ops/AUTONOMOUS_RUN.md
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-manifest.json
  • scripts/check_release_signatures.py
  • scripts/generate_release_checksums.py
  • scripts/generate_release_manifest.py
  • scripts/test_release_checksums.py
  • scripts/test_release_manifest.py
  • scripts/test_release_signatures.py
✅ Files skipped from review due to trivial changes (2)
  • scripts/generate_release_checksums.py
  • release-artifacts/latest/SHA256SUMS
🚧 Files skipped from review as they are similar to previous changes (4)
  • release-artifacts/latest/release-manifest.json
  • scripts/generate_release_manifest.py
  • scripts/test_release_signatures.py
  • scripts/check_release_signatures.py

📝 Walkthrough

Adds a release signature evidence JSON Schema, a CLI validator and unit tests, seeds a local evidence JSON, integrates signature evidence into manifest/checksum generation, updates release artifacts and docs, and wires checks into Makefile, local wrappers, and CI with a dedicated logging step.

Changes

Release Signature Evidence Infrastructure

| Layer / File(s) | Summary |
|---|---|
| Schema and validator implementation: release-artifacts/schema/release-signature-evidence.schema.json, scripts/check_release_signatures.py | Adds JSON Schema for release signature evidence and implements a CLI validator enforcing formats, repository-relative file hash checks, environment-specific rules, secret-like content rejection, and overall evidence orchestration. |
| Validation test suite: scripts/test_release_signatures.py | Unit tests dynamically load the validator and cover valid evidence plus negative cases: unexpected fields, confirmation_depth, secret-like values, stale retained hashes, non-local placeholder misuse, verification_command requirements, and production-signed-output mandates. |
| Manifest generation and checksum inclusion: scripts/generate_release_manifest.py, scripts/generate_release_checksums.py | Adds DEFAULT_RELEASE_SIGNATURES_DIR and release_signature_record(), validates and loads signature evidence into build_manifest(), and extends checksum coverage to include schema and signatures paths. |
| Manifest and checksum tests / seeded fixtures: scripts/test_release_manifest.py, scripts/test_release_checksums.py | Seeds signature fixtures, asserts manifest contains release_signature_evidence entries and operator notes, adds negative manifest tests for invalid evidence, and ensures DEFAULT_COVERED_PATHS includes schema/signatures. |
| Local evidence artifact and schema files: release-artifacts/signatures/anvil-6529stream-v0.1.0-001-local.json, release-artifacts/schema/release-signature-evidence.schema.json | Commits a local placeholder release-signature evidence file and the formal schema artifact retained for verification. |
| Release artifacts and checksums updates: release-artifacts/latest/release-manifest.json, release-artifacts/latest/SHA256SUMS, release-artifacts/latest/release-checksums.json | Updates manifest to record release_signatures_dir and release_signature_evidence, refreshes SHA256SUMS and release-checksums.json to include schema and signature evidence files and updated manifest integrity metadata. |
| Build system and CI integration: Makefile, .github/workflows/ci.yml, scripts/check.sh, scripts/check.ps1 | Adds release-signatures-check make target/prereqs, includes new scripts in py_compile checks, runs signature tests/checks in local wrappers, and inserts a CI workflow step that runs the tests/checks and writes logs to ci-logs/ files. |
| Release process and roadmap updates: docs/release-signatures.md, docs/release-policy.md, docs/status.md, ops/ROADMAP.md, ops/AUTONOMOUS_RUN.md, CHANGELOG.md, release-artifacts/README.md | Adds documentation describing evidence handling, validation commands, production retention checklist, self-referential digest handling, and records PR worklog/decision-log updates and checklist wording changes. |

Sequence Diagram

sequenceDiagram
  participant CI as CI workflow
  participant Test as scripts/test_release_signatures.py
  participant Check as scripts/check_release_signatures.py
  participant Logs as ci-logs/
  CI->>Test: run tests (capture stdout/stderr)
  CI->>Check: run checker (capture stdout/stderr)
  Test->>Logs: write release-signature-tests.log
  Check->>Logs: write release-signature-check.log
  CI-->>Logs: attach logs to job artifacts

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Poem

🐰 I hopped through schema, logs, and tests,
I found the hashes, and chased the nests,
Local proof kept, no secrets to hide,
CI logs whisper that checks passed with pride,
A carrot of evidence—neatly verified.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main objective of the PR: adding a release signature evidence baseline to the codebase, which is the primary focus of all changes. |
| Linked Issues check | ✅ Passed | The PR fully implements all acceptance criteria from issue #156: schema and local evidence added, validator and tests implemented, manifest/checksum coverage with cycle avoidance, checker wired into all required scripts and CI, and documentation updated. |
| Out of Scope Changes check | ✅ Passed | All changes are directly aligned with issue #156 scope; no out-of-scope modifications to private key generation, production signatures, Git tags, or Solidity contracts are present. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

Contributor Author

@coderabbitai review

coderabbitai Bot commented Jun 12, 2026
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Contributor Author

@coderabbitai review

Follow-up pushed after the initial CI hygiene failure. Please review the latest head cb262f9.

coderabbitai Bot commented Jun 12, 2026

@punk6529 On it! I'll review the latest head cb262f9 now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot left a comment

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
release-artifacts/latest/release-checksums.json (1)

5-25: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Include the new signature evidence artifacts in checksum coverage.

This regenerated checksum manifest still omits release-artifacts/signatures/anvil-6529stream-v0.1.0-001-local.json and release-artifacts/schema/release-signature-evidence.schema.json from both source.covered_paths and the files list. That leaves the committed evidence baseline outside the release checksum set, which contradicts the PR objective to include release signature evidence outputs in checksum generation.

Also applies to: 30-160

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@release-artifacts/latest/release-checksums.json` around lines 5 - 25, Add the
missing signature evidence artifacts to the checksum manifest by updating the
JSON keys: add the two missing signature evidence artifact entries into
source.covered_paths and append corresponding entries into the top-level files
list (each with path, format and sha256 fields consistent with the existing
text_checksum_file format), ensuring their sha256 values are computed and the
path strings exactly match the committed artifacts so they are included in
checksum coverage.
docs/release-signatures.md (1)

32-32: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove the extra blank line at EOF.

This trailing blank line is currently failing the repo’s lint/format gate, so CI will stay red until it’s removed.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/release-signatures.md` at line 32, Remove the extraneous blank line at
the end of docs/release-signatures.md by editing the file so its last character
is the final content character (no newline-only line after it); ensure the file
ends with a single newline if your formatter requires one but not an extra empty
line to satisfy the repo lint/format gate.

Source: Pipeline failures

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ops/AUTONOMOUS_RUN.md`:
- Around line 142-147: The PR status block for "PR candidate: Add release
signature evidence baseline (Queue Item 81)" is stale: update the Status line in
AUTONOMOUS_RUN.md (the block containing "PR `#157` open; CodeRabbit review not yet
requested.") to reflect that CodeRabbit review has been requested (e.g., mention
"`@coderabbitai` review ping" or "CodeRabbit review requested/active") and adjust
any follow-up gating text so the next autonomous step will not wait on
CodeRabbit; locate the exact block by the heading text "PR candidate: Add
release signature evidence baseline (Queue Item 81)" and update the
Status/CodeRabbit request lines accordingly.

In `@scripts/check_release_signatures.py`:
- Around line 333-349: validate_evidence currently checks expected fields but
ignores extra properties; fix by validating the loaded JSON against the
canonical JSON Schema
(release-artifacts/schema/release-signature-evidence.schema.json) before the
per-field validators run: after evidence = require_dict(load_json(path), ...)
load the schema and run jsonschema.validate (or
Draft7Validator(schema).validate) so additionalProperties:false is enforced and
any unexpected top-level or nested keys cause an error; keep the existing
per-field calls (validate_network, validate_source, validate_artifacts,
validate_signing_identity, validate_signatures, validate_retained_artifacts,
validate_redaction_policy) but only after schema validation, and add a
regression test that injects an unknown field to ensure rejection.

In `@scripts/generate_release_manifest.py`:
- Around line 303-349: The release_signature_record function currently extracts
fields but never runs the release-signature validator, allowing invalid evidence
into the manifest; modify release_signature_record to validate the loaded JSON
with the same validator used by scripts/check_release_signatures.py (or call the
shared helper used by build_manifest) before serializing
release_signature_evidence: after loading data (and before building
record/update), call the validator (or shared validate_release_signature
function) on data, fail/raise on validation errors, and then include the
validated release_signature_evidence payload (not just a few fields) in the
record so build_manifest only emits validated evidence; reference
release_signature_record, file_record, release_signature_evidence, and the
validator in scripts/check_release_signatures.py when making the change.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e6cf687f-854a-47df-9d3c-643434821dd0

📥 Commits

Reviewing files that changed from the base of the PR and between a63a52f and f94649d.

📒 Files selected for processing (20)
  • .github/workflows/ci.yml
  • CHANGELOG.md
  • Makefile
  • docs/release-policy.md
  • docs/release-signatures.md
  • docs/status.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • release-artifacts/README.md
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-manifest.json
  • release-artifacts/schema/release-signature-evidence.schema.json
  • release-artifacts/signatures/anvil-6529stream-v0.1.0-001-local.json
  • scripts/check.ps1
  • scripts/check.sh
  • scripts/check_release_signatures.py
  • scripts/generate_release_manifest.py
  • scripts/test_release_manifest.py
  • scripts/test_release_signatures.py

Comment thread ops/AUTONOMOUS_RUN.md Outdated
Comment thread scripts/check_release_signatures.py Outdated
Comment thread scripts/generate_release_manifest.py
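
The exact-key check the review above asks of validate_evidence, sketched as an added example (not code from this PR or its repository): unexpected or missing keys are rejected at the top level and in nested objects before a retained artifact's SHA-256 is recomputed against a repository-relative path. The key names, sample values and the build_sample helper are assumptions, since the PR's schema is not shown in this conversation.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical, reduced key layout: the PR's real schema is not shown on the page.
TOP_KEYS = {"source", "signing_identity", "retained_artifacts"}
NESTED_KEYS = {"source": {"commit", "manifest_path"}, "signing_identity": {"status"}}
ARTIFACT_KEYS = {"path", "sha256"}

def check_exact_keys(obj, expected, where):
    """Report missing and unexpected keys (additionalProperties: false plus required)."""
    if not isinstance(obj, dict):
        return [f"{where}: expected object"]
    errors = [f"{where}: unexpected key {k!r}" for k in sorted(set(obj) - expected)]
    errors += [f"{where}: missing key {k!r}" for k in sorted(expected - set(obj))]
    return errors

def check_retained_artifact(entry, repo_root, where):
    """Recompute the SHA-256 of a repository-relative file and compare it to the record."""
    errors = check_exact_keys(entry, ARTIFACT_KEYS, where)
    if errors:
        return errors
    if not all(isinstance(entry[k], str) for k in ARTIFACT_KEYS):
        return [f"{where}: path and sha256 must be strings"]
    root = Path(repo_root).resolve()
    target = (root / entry["path"]).resolve()
    if root not in target.parents:  # absolute paths and ../ traversal land here
        return [f"{where}: path escapes repository"]
    if not target.is_file():
        return [f"{where}: file not found"]
    if hashlib.sha256(target.read_bytes()).hexdigest() != entry["sha256"]:
        return [f"{where}: stale sha256"]
    return []

def validate_evidence(evidence, repo_root):
    """Exact-key check first, then the per-field checks."""
    errors = check_exact_keys(evidence, TOP_KEYS, "evidence")
    if not isinstance(evidence, dict):
        return errors
    for name, keys in NESTED_KEYS.items():
        if name in evidence:
            errors += check_exact_keys(evidence[name], keys, name)
    artifacts = evidence.get("retained_artifacts")
    for i, entry in enumerate(artifacts if isinstance(artifacts, list) else []):
        errors += check_retained_artifact(entry, repo_root, f"retained_artifacts[{i}]")
    return errors

def build_sample(repo_root):
    """Constructed sample: writes one retained file and returns matching evidence."""
    body = b"constructed checksum file contents\n"
    (Path(repo_root) / "SHA256SUMS").write_bytes(body)
    digest = hashlib.sha256(body).hexdigest()
    return {"source": {"commit": "PLACEHOLDER", "manifest_path": "release-manifest.json"},
            "signing_identity": {"status": "local-placeholder"},
            "retained_artifacts": [{"path": "SHA256SUMS", "sha256": digest}]}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(validate_evidence(build_sample(tmp), tmp))
```
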

Contributor Author

@coderabbitai review

Addressed the release-signature evidence review findings in latest head 8af0026: exact-key evidence validation, manifest-side evidence validation, validated evidence retention, and checksum coverage for signature artifacts.

coderabbitai Bot commented Jun 12, 2026

@punk6529 On it! I'll review the latest head 8af0026 now, focusing on the addressed findings: exact-key evidence validation, manifest-side evidence validation, validated evidence retention, and checksum coverage for signature artifacts.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@punk6529 punk6529 merged commit ed5f3b1 into main Jun 12, 2026
2 checks passed