Add external audit package index#159

Merged: punk6529 merged 4 commits into main from codex/audit-package-index on Jun 12, 2026

Conversation

@punk6529 punk6529 commented Jun 12, 2026

Contributor

Summary

Closes #158.

Adds a Gate F external audit package index for the current pre-audit local baseline, plus deterministic validation so the package does not silently lose required scope, maturity, evidence, or security-reporting links.

What changed

  • Added docs/audit-package.md as the auditor-facing index over maturity/scope, reviewer entry points, ADRs, invariants/test evidence, Slither/static-analysis disposition, deployment/release evidence, known blockers vs accepted local-baseline dispositions, security reporting, and local verification commands.
  • Added scripts/check_audit_package.py and scripts/test_audit_package.py to enforce required headings, required pre-audit/non-production language, required commands, required evidence links, and missing linked-file failures.
  • Wired the audit-package checker into Makefile, scripts/check.sh, scripts/check.ps1, and CI.
  • Added docs/audit-package.md to release-manifest governance docs and regenerated release-artifacts/latest/release-manifest.json, SHA256SUMS, and release-checksums.json.
  • Updated README, tooling, status, release policy, release artifact docs, roadmap, changelog, and autonomous run state.

Non-goals

  • No Solidity behavior changes.
  • No ABI or bytecode changes.
  • No claim of completed third-party audit, live deployment evidence, production signatures, or production readiness.

Local validation

  • python scripts\test_audit_package.py
  • python scripts\check_audit_package.py
  • python -m py_compile scripts\check_audit_package.py scripts\test_audit_package.py scripts\generate_release_manifest.py scripts\test_release_manifest.py
  • python scripts\test_release_manifest.py
  • python scripts\generate_release_manifest.py --check
  • python scripts\test_release_checksums.py
  • python scripts\generate_release_checksums.py --check
  • python scripts\test_changelog_check.py
  • python scripts\check_changelog.py
  • bash -n scripts/check.sh
  • bash -n scripts/bootstrap-ec2.sh
  • PowerShell parser check for scripts\check.ps1 and scripts\bootstrap-windows.ps1
  • rg -n "^#|^##|^###" docs\audit-package.md ops\ROADMAP.md README.md docs\tooling.md docs\status.md release-artifacts\README.md
  • git diff --check
  • make check
  • powershell -ExecutionPolicy Bypass -File scripts\check.ps1

Existing warning noise observed locally: Solidity selfdestruct warnings in forced-ETH test helpers, existing Foundry source-parser warnings for test helper/script files, and the existing Windows line-ending warning for scripts/check.ps1 during git diff --check.

Summary by CodeRabbit

  • New Features

    • Added an auditor-facing audit package index and a dedicated audit-package verification step in CI.
  • Documentation

    • Added a detailed audit-package guide and updated release, tooling, roadmap, README, status, and release-artifacts docs to reference it.
  • Tests

    • Added unit tests to validate the audit-package verification behavior.
  • Chores

    • Integrated audit-package checks into validation workflows, release manifest, and published release checksums.

@claude claude Bot left a comment


Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

@punk6529 punk6529 (Contributor, Author) commented

@coderabbitai review

Please review the Gate F audit-package index and checker wiring. Scope is documentation/tooling only: no Solidity behavior, ABI, or bytecode changes are intended.

coderabbitai Bot commented Jun 12, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cfc62f25-4692-4202-a7e3-2de2e994b464

📥 Commits

Reviewing files that changed from the base of the PR and between 207ba0d and a62d15a.

📒 Files selected for processing (1)
  • ops/AUTONOMOUS_RUN.md
✅ Files skipped from review due to trivial changes (1)
  • ops/AUTONOMOUS_RUN.md

📝 Walkthrough

Walkthrough

Adds an auditor-facing index (docs/audit-package.md), a deterministic validator (scripts/check_audit_package.py) with tests, integrates the audit package into generated release manifests/checksums, and wires validation into CI, Makefile, and local check scripts while updating documentation and metadata.

Changes

Audit Package Feature

| Layer | File(s) | Summary |
|---|---|---|
| Audit package documentation and validator | docs/audit-package.md, scripts/check_audit_package.py, scripts/test_audit_package.py | docs/audit-package.md is an auditor-facing index of maturity, scope, ADRs, invariants, static-analysis and deployment evidence, blockers, accepted dispositions, reporting, and verification commands. check_audit_package.py enforces required headings, maturity wording, command substrings, and internal link targets (resolved against the repo). test_audit_package.py provides unit tests for acceptance and several rejection cases. |
| Release manifest integration | scripts/generate_release_manifest.py, scripts/test_release_manifest.py, release-artifacts/latest/release-manifest.json, release-artifacts/latest/release-checksums.json, release-artifacts/latest/SHA256SUMS, release-artifacts/README.md | docs/audit-package.md is added to DEFAULT_GOVERNANCE_DOCS and seeded into manifest tests. The release manifest and checksum files are updated to include the audit package artifact and updated sha256/size_bytes metadata. Release-artifacts docs and refresh commands list the new audit-package checks. |
| CI and build pipeline verification | .github/workflows/ci.yml, Makefile, scripts/check.sh, scripts/check.ps1 | GitHub Actions adds py_compile coverage for the new scripts and a new "Audit package" step that runs test_audit_package.py and check_audit_package.py with logs. Makefile adds an audit-package-check target and wires it into check, release-manifest, and release-manifest-check. Shell and PowerShell check scripts invoke the test+check sequence. |
| Documentation and metadata updates | README.md, CHANGELOG.md, docs/release-policy.md, docs/status.md, docs/tooling.md, ops/AUTONOMOUS_RUN.md, ops/ROADMAP.md | README and tooling docs update the canonical smoke-check and release-flow to include the audit-package step. CHANGELOG and release-policy record the feature and Gate F impact. Status, AUTONOMOUS_RUN, and ROADMAP are updated to reflect Gate F progress, worklog details, and governance document requirements. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • 6529-Collections/6529Stream#138: Extends DEFAULT_GOVERNANCE_DOCS in scripts/generate_release_manifest.py by adding a governance document entry (this PR adds docs/audit-package.md; #138 adds a different doc).

Poem

🐰 An index stitched with headings, links, and care,
The checker hums to show the path is fair.
From docs to manifest, each hash takes flight,
CI guards the gate through day and night.
A rabbit nods — the audit package is right.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The PR title 'Add external audit package index' clearly and concisely summarizes the main change: adding new auditor-facing documentation and tooling for Gate F audit package requirements. |
| Linked Issues check | ✅ Passed | The PR fully implements all coding requirements from issue #158: adds docs/audit-package.md, implements check_audit_package.py and test_audit_package.py, wires checkers into Makefile/scripts/CI, includes the audit package in the release manifest, and generates updated artifacts with no Solidity changes. |
| Out of Scope Changes check | ✅ Passed | All changes align with issue #158 scope: audit package documentation, Python validation tooling, CI/release integration, and documentation updates. No unrelated refactoring, dependency upgrades, or out-of-scope code changes are present. |

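The walkthrough above describes a release manifest that records sha256 and size_bytes per governance doc and is regenerated with generate_release_manifest.py, then verified with the same script's --check mode. The block below is an added example written for this page of that generate/check pattern; it is not the project's scripts/generate_release_manifest.py. The GOVERNANCE_DOCS list, the manifest file name, the JSON layout, and the temp-dir repo built in demo() are all constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed governance-doc list for this example; the project's real
# DEFAULT_GOVERNANCE_DOCS is not reproduced here.
GOVERNANCE_DOCS = ["README.md", "docs/audit-package.md"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(repo_root: Path, docs: list) -> dict:
    """Deterministic manifest: sorted paths, sha256 + size_bytes per doc."""
    entries = {}
    for rel in sorted(docs):
        path = repo_root / rel
        if not path.is_file():
            # A required doc that vanished is a hard error, never a silently
            # dropped entry; that is the "silently lose scope" failure mode.
            raise FileNotFoundError(f"governance doc missing: {rel}")
        data = path.read_bytes()
        entries[rel] = {"sha256": sha256_hex(data), "size_bytes": len(data)}
    return {"governance_docs": entries}


def write_manifest(path: Path, manifest: dict) -> None:
    # sort_keys + fixed indent + trailing newline gives byte-identical output
    # for identical inputs, so regeneration never produces a spurious diff.
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True) + "\n",
                    encoding="utf-8")


def compare_manifests(committed: dict, fresh: dict) -> list:
    """Report every discrepancy between the committed and freshly computed
    manifests in one pass, rather than stopping at the first one."""
    problems = []
    old = committed.get("governance_docs", {})
    new = fresh["governance_docs"]
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            problems.append(f"not in committed manifest: {rel}")
        elif rel not in new:
            problems.append(f"stale entry (doc no longer required): {rel}")
        else:
            for field in ("sha256", "size_bytes"):
                if old[rel].get(field) != new[rel][field]:
                    problems.append(f"{field} drift: {rel}")
    return problems


def check_manifest(manifest_path: Path, repo_root: Path, docs: list) -> list:
    """--check mode: recompute from the working tree and diff, never write."""
    if not manifest_path.is_file():
        return [f"manifest missing: {manifest_path.name}"]
    committed = json.loads(manifest_path.read_text(encoding="utf-8"))
    return compare_manifests(committed, build_manifest(repo_root, docs))


def main(argv: list) -> int:
    """Generate by default; with --check, verify and exit non-zero on drift."""
    root = Path.cwd()
    manifest_path = root / "release-manifest.json"
    if "--check" in argv:
        problems = check_manifest(manifest_path, root, GOVERNANCE_DOCS)
        for problem in problems:
            print("FAIL:", problem)
        return 1 if problems else 0
    write_manifest(manifest_path, build_manifest(root, GOVERNANCE_DOCS))
    return 0


def demo() -> tuple:
    """Constructed repo in a temp dir: generate, verify, edit a doc without
    regenerating, verify again. Returns (clean_problems, drift_problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "README.md").write_text("# Demo\n", encoding="utf-8")
        (root / "docs" / "audit-package.md").write_text(
            "# External audit package\n\nPre-audit local baseline.\n",
            encoding="utf-8")
        manifest_path = root / "release-manifest.json"
        write_manifest(manifest_path, build_manifest(root, GOVERNANCE_DOCS))
        clean = check_manifest(manifest_path, root, GOVERNANCE_DOCS)
        # Editing the audit doc without rerunning generate must fail --check.
        with (root / "docs" / "audit-package.md").open("a", encoding="utf-8") as fh:
            fh.write("Audited by a third party.\n")
        drift = check_manifest(manifest_path, root, GOVERNANCE_DOCS)
        return clean, drift


if __name__ == "__main__":
    clean, drift = demo()
    print("after generate:", clean or "OK")
    print("after edit without regenerate:", drift)
```

The important design point is that --check only reads: a CI step that runs the generate path instead would rewrite the manifest to match whatever is in the tree and pass trivially. Run the demo with python on its own; invoke main() from a repo with the listed docs to use it as a generate/--check CLI.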

coderabbitai Bot commented Jun 12, 2026

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get the list of changed files in the PR
gh pr view 159 --repo 6529-Collections/6529Stream --json files --jq '.files[].path'

Length of output: 677


🏁 Script executed:

#!/bin/bash
# Read the main new files
echo "=== docs/audit-package.md ==="
cat docs/audit-package.md

echo ""
echo "=== scripts/check_audit_package.py ==="
cat scripts/check_audit_package.py

echo ""
echo "=== scripts/test_audit_package.py ==="
cat scripts/test_audit_package.py

Length of output: 22080


🏁 Script executed:

#!/bin/bash
echo "=== Makefile (audit-package-related targets) ==="
grep -n "audit" Makefile || echo "No audit targets found"

echo ""
echo "=== scripts/check.sh (audit-package section) ==="
grep -n "audit" scripts/check.sh || echo "No audit references"

echo ""
echo "=== CI config changes ==="
fd -e yml -e yaml . .github/workflows/ | xargs grep -l "audit" 2>/dev/null | head -5
for f in $(fd -e yml -e yaml . .github/workflows/ | xargs grep -l "audit" 2>/dev/null | head -5); do
  echo "--- $f ---"
  cat "$f"
done

echo ""
echo "=== release-artifacts/latest/release-manifest.json ==="
cat release-artifacts/latest/release-manifest.json 2>/dev/null || echo "Not found"

echo ""
echo "=== release-artifacts/latest/SHA256SUMS ==="
cat release-artifacts/latest/SHA256SUMS 2>/dev/null || echo "Not found"

echo ""
echo "=== release-artifacts/latest/release-checksums.json ==="
cat release-artifacts/latest/release-checksums.json 2>/dev/null || echo "Not found"

Length of output: 43919


🏁 Script executed:

#!/bin/bash
echo "=== scripts/check.ps1 (audit section) ==="
grep -n "audit" scripts/check.ps1 || echo "No audit references"

echo ""
echo "=== scripts/generate_release_manifest.py (docs list) ==="
grep -n "audit" scripts/generate_release_manifest.py || echo "No audit references"

echo ""
echo "=== CHANGELOG or changelog references ==="
fd -e md changelog docs -d 2 | head -5
grep -rn "audit-package" docs/ --include="*.md" -l 2>/dev/null

echo ""
echo "=== README audit references ==="
grep -n "audit" README.md | head -20

echo ""
echo "=== Verify all linked files in audit-package.md exist ==="
# Extract markdown links from audit-package.md and check if files exist
python3 - <<'EOF'
import re, os

with open("docs/audit-package.md") as f:
    content = f.read()

# Find all markdown links
links = re.findall(r'\[.*?\]\((.*?)\)', content)
print("=== Links found in audit-package.md ===")
for link in links:
    # Skip anchors and external URLs
    if link.startswith('#') or link.startswith('http'):
        continue
    # Resolve relative to docs/
    resolved = os.path.normpath(os.path.join("docs", link))
    exists = os.path.exists(resolved)
    print(f"  {'OK' if exists else 'MISSING'}: {link} -> {resolved}")
EOF

Length of output: 5497



@punk6529 — review complete. Overall this is a solid, well-integrated Gate F artefact. All linked files resolve, the checker is correctly wired into every gate (Makefile, check.sh, check.ps1, CI), the release manifest captures docs/audit-package.md as a governance doc, and the CI step ordering is correct (audit-package runs before release-manifest and release-checksums). A few minor observations below.


scripts/check_audit_package.py — early-exit on first broken link

linked_repo_paths raises AuditPackageError on the very first missing file, while validate_audit_package accumulates all heading, phrase, and command failures before raising. The inconsistency means a maintainer who breaks two links simultaneously needs multiple runs to discover both. Consider collecting and reporting all missing files in one shot:

def linked_repo_paths(repo_root: Path, package_path: Path, text: str) -> set[str]:
    links: set[str] = set()
    missing: list[str] = []
    for match in LINK_RE.finditer(text):
        target = normalized_link_target(match.group(1))
        if target is None:
            continue
        target_path = Path(target)
        if not target_path.is_absolute():
            target_path = package_path.parent / target_path
        resolved = target_path.resolve()
        relative = normalize_repo_path(resolved, repo_root)
        if not resolved.exists():
            missing.append(relative)
        else:
            links.add(relative)
    if missing:
        raise AuditPackageError(
            "linked targets are missing: " + ", ".join(missing)
        )
    return links

scripts/test_audit_package.py — string replacement in test_rejects_missing_required_link is unguarded

The test removes a line with .replace("- [README.md](../README.md)\n", "") but doesn't assert the replacement actually changed the string. A future whitespace or format tweak to minimal_valid_package() could silently make this a no-op, turning the test into a false positive. A one-liner guard prevents that:

original = minimal_valid_package()
text = original.replace("- [README.md](../README.md)\n", "")
assert text != original, "replacement had no effect — update the test helper"
write_text(package_path, text)

docs/audit-package.md ## Package Maintenance could clarify the generate vs. check distinction

The section lists two separate commands back-to-back:

python scripts/generate_release_manifest.py
python scripts/generate_release_manifest.py --check

The first call mutates the file; the second only verifies. A first-time maintainer may not realise this and skip the generate step if the manifest already exists, or wonder why running only --check fails after editing the audit doc. A single sentence before the command block (e.g. "The generate_* calls regenerate output files; the --check calls verify them.") removes ambiguity.


Nit — AuditPackageError(RuntimeError)

RuntimeError is semantically "something went wrong at runtime." For a validation error a more precise base would be ValueError (invalid input data). Not a functional issue; just idiomatic.


Summary table

| Area | Finding | Severity |
|---|---|---|
| check_audit_package.py linked_repo_paths | Fails on first missing file; inconsistent with accumulate pattern | Minor |
| test_audit_package.py test_rejects_missing_required_link | Unguarded string replacement could produce false-positive | Nit |
| docs/audit-package.md ## Package Maintenance | generate vs. check distinction not explained | Nit |
| AuditPackageError base class | RuntimeError vs. ValueError | Nit |

Everything else looks correct: the document content is accurate, every link resolves to an existing file, all wiring paths are consistent (Makefile / shell / PowerShell / CI), the CI step ordering is correct, and the release-manifest governance-doc entry and checksums are present and consistent.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
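The checker described in the PR summary (required headings, required pre-audit wording, required commands, and linked files that must exist) and the review points above (collect every missing link in one run, guard the test's string replacement, derive the error from ValueError) are brought together in the following added example, written for this page. It is not the project's scripts/check_audit_package.py or its tests; the REQUIRED_* lists, the regex, the minimal document, and the temp-dir repo layout in demo() are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Constructed requirements for this example; the project's real lists live in
# scripts/check_audit_package.py and are not reproduced here.
REQUIRED_HEADINGS = [
    "## Maturity and scope",
    "## Invariants and test evidence",
    "## Security reporting",
    "## Local verification",
]
REQUIRED_PHRASES = ["pre-audit", "not production-ready"]
REQUIRED_COMMANDS = [
    "python scripts/check_audit_package.py",
    "python scripts/generate_release_manifest.py --check",
]
LINK_RE = re.compile(r"\[[^\]]*\]\(([^)\s]+)\)")


class AuditPackageError(ValueError):
    """Validation failure: invalid input document, hence ValueError."""


def link_target(raw: str) -> Optional[str]:
    """Return the local file part of a markdown link target, or None for
    pure anchors and external URLs, which are not checked against the repo."""
    if raw.startswith("#") or "://" in raw or raw.startswith("mailto:"):
        return None
    return raw.split("#", 1)[0] or None


def collect_problems(package_path: Path, repo_root: Path) -> list:
    """Accumulate every failure (headings, wording, commands, links) so a
    maintainer sees all of them in a single run."""
    text = package_path.read_text(encoding="utf-8")
    lines = text.splitlines()
    problems = []
    for heading in REQUIRED_HEADINGS:
        if heading not in lines:  # exact line match, not a substring search
            problems.append(f"missing heading: {heading}")
    lowered = text.lower()
    for phrase in REQUIRED_PHRASES:
        if phrase not in lowered:
            problems.append(f"missing required maturity wording: {phrase!r}")
    for cmd in REQUIRED_COMMANDS:
        if cmd not in text:
            problems.append(f"missing verification command: {cmd}")
    missing = []
    for match in LINK_RE.finditer(text):
        target = link_target(match.group(1))
        if target is None:
            continue
        resolved = (package_path.parent / target).resolve()
        try:
            rel = resolved.relative_to(repo_root.resolve())
        except ValueError:
            problems.append(f"link escapes repository: {target}")
            continue
        if not resolved.exists():
            missing.append(rel.as_posix())
    if missing:
        problems.append("linked targets are missing: " + ", ".join(missing))
    return problems


def validate_audit_package(package_path: Path, repo_root: Path) -> None:
    problems = collect_problems(package_path, repo_root)
    if problems:
        raise AuditPackageError("\n".join(problems))


# Constructed minimal document that satisfies every rule above.
MINIMAL_VALID = """# External audit package

## Maturity and scope
This is a pre-audit local baseline and is not production-ready.

## Invariants and test evidence
- [README.md](../README.md)
- [Invariant tests](../test/invariants.md)

## Security reporting
See [SECURITY.md](../SECURITY.md).

## Local verification
- python scripts/check_audit_package.py
- python scripts/generate_release_manifest.py --check
"""


def demo() -> tuple:
    """Temp-dir repo: accept the minimal doc, then break a heading and two
    links at once and confirm all three failures surface in one run."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "test").mkdir()
        for rel in ("README.md", "SECURITY.md", "test/invariants.md"):
            (root / rel).write_text("stub\n", encoding="utf-8")
        pkg = root / "docs" / "audit-package.md"
        pkg.write_text(MINIMAL_VALID, encoding="utf-8")
        valid = collect_problems(pkg, root)
        broken = MINIMAL_VALID.replace("## Security reporting\n", "")
        broken = broken.replace("../README.md", "../README-old.md")
        broken = broken.replace("../test/invariants.md", "../test/missing.md")
        if broken == MINIMAL_VALID:  # guard: the edit must actually change the doc
            raise RuntimeError("replacement had no effect; update MINIMAL_VALID")
        pkg.write_text(broken, encoding="utf-8")
        invalid = collect_problems(pkg, root)
        return valid, invalid


if __name__ == "__main__":
    valid, invalid = demo()
    print("minimal doc:", valid or "OK")
    print("broken doc:", *invalid, sep="\n  ")
```

Two checks worth keeping even in a small validator: headings are matched as whole lines, so "## Security reporting (TBD)" does not satisfy "## Security reporting", and a link that resolves outside the repository root is reported rather than silently accepted, which matters because the index is the thing an auditor will follow.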
