
Add architecture and threat model audit docs #161

Merged

punk6529 merged 5 commits into main from codex/architecture-threat-model on Jun 12, 2026

Conversation

@punk6529 punk6529 (Contributor) commented Jun 12, 2026

Summary

Closes #160.

Adds the Gate F architecture and threat-model audit docs, plus a deterministic checker/test pair so required headings, maturity warnings, core architecture terms, threat categories, maintenance commands, reciprocal links, evidence links, and missing linked files cannot silently regress.

This is documentation/tooling only. It does not change Solidity behavior, ABI, bytecode, deployment addresses, or production-readiness claims.

Changes

  • Add docs/architecture.md and docs/threat-model.md as auditor-facing Gate F docs.
  • Add scripts/check_architecture_threat_model.py and scripts/test_architecture_threat_model.py.
  • Wire the checker into make check, Unix/Windows wrappers, and CI.
  • Include architecture/threat-model docs in release-manifest governance hashes and refreshed checksum outputs.
  • Link the new docs from the audit package, README, tooling/status/release docs, roadmap, changelog, and durable autonomous state.

Local Validation

  • python scripts\test_architecture_threat_model.py
  • python scripts\check_architecture_threat_model.py
  • python scripts\test_audit_package.py
  • python scripts\check_audit_package.py
  • python -m py_compile scripts\check_architecture_threat_model.py scripts\test_architecture_threat_model.py scripts\check_audit_package.py scripts\test_audit_package.py scripts\generate_release_manifest.py scripts\test_release_manifest.py scripts\generate_release_checksums.py scripts\test_release_checksums.py scripts\check_changelog.py scripts\test_changelog_check.py
  • python scripts\test_release_manifest.py
  • python scripts\generate_release_manifest.py --check
  • python scripts\test_release_checksums.py
  • python scripts\generate_release_checksums.py --check
  • python scripts\test_changelog_check.py
  • python scripts\check_changelog.py
  • bash -n scripts/check.sh
  • PowerShell parser check for scripts\check.ps1
  • git diff --check
  • make check
  • powershell -ExecutionPolicy Bypass -File scripts\check.ps1

Summary by CodeRabbit

  • Documentation

    • Added comprehensive architecture doc detailing components, boundaries, flows, evidence, and maintenance guidance
    • Added threat model doc covering assets, actors, threat categories, residual risks, and reviewer entry links
    • Updated release/audit docs and README to reference the new docs and verification steps
  • New Features

    • Added automated validation and tests that verify architecture and threat-model docs meet required headings, links, and content
  • Chores

    • Integrated these checks into CI, local check scripts, make targets, and release manifest/checksum workflows

@punk6529 punk6529 (Contributor, Author) commented

@coderabbitai review

Please review the Gate F architecture and threat-model docs/checker. Scope is documentation/tooling only: no Solidity behavior, ABI, bytecode, deployment addresses, or production evidence claims are intended.

@coderabbitai coderabbitai Bot commented Jun 12, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6f68bf3c-f37b-4b4f-9784-f5815d90435f

📥 Commits

Reviewing files that changed from the base of the PR and between f0b4407 and 95a7090.

📒 Files selected for processing (2)
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
✅ Files skipped from review due to trivial changes (2)
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md

📝 Walkthrough

Walkthrough

This PR adds auditor-facing architecture and threat-model baseline documents for the local pre-audit phase, implements deterministic validation for their required structure and cross-links, integrates the checks into build and CI workflows, updates release artifacts to include the new documents, and propagates references throughout supporting documentation and project state tracking.

Changes

Architecture and threat-model audit package

| Layer | File(s) | Summary |
|---|---|---|
| Architecture and threat-model documentation | docs/architecture.md, docs/threat-model.md | New governance documents define the local baseline architecture (components, actor/role boundaries, protocol and release flows, value/custody and randomness boundaries, deployment posture, invariants evidence, known pre-beta gaps) and threat model (protected assets, trusted/semi-trusted/untrusted actors and trust boundaries, assumptions and non-goals, threat categories matrix, existing controls and evidence links, residual risks and production blockers, maintenance commands). |
| Validator script and test suite | scripts/check_architecture_threat_model.py, scripts/test_architecture_threat_model.py | New CLI validator enforces required markdown heading structure, maturity language, content phrases, command strings, and bidirectional cross-links between architecture and threat-model docs; comprehensive unittest module validates acceptance of well-formed documents and rejection of documents with missing/malformed structure, headings, links, or referenced files. |
| Build and CI workflow integration | Makefile, scripts/check.sh, scripts/check.ps1, .github/workflows/ci.yml | Validator is wired into the Makefile check and release-manifest targets, shell and PowerShell check scripts, and GitHub CI pipeline (Python syntax-check and dedicated "Architecture and threat model" step with log tee), ensuring the validator runs alongside existing verification gates. |
| Release manifest and checksum regeneration | scripts/check_audit_package.py, scripts/generate_release_manifest.py, scripts/test_release_manifest.py, release-artifacts/latest/SHA256SUMS, release-artifacts/latest/release-checksums.json, release-artifacts/latest/release-manifest.json | New docs are added to DEFAULT_GOVERNANCE_DOCS and required link targets; existing audit-package checker is extended to require architecture/threat-model links; test fixture includes the new docs; release artifacts (manifest, checksums, SHA256SUMS) are regenerated to capture updated governance-doc metadata (sha256, size_bytes) and checksum bundle changes. |
| Supporting documentation updates | README.md, docs/audit-package.md, docs/release-policy.md, docs/status.md, docs/tooling.md, release-artifacts/README.md, CHANGELOG.md | README, audit-package index, release policy, pre-audit status, tooling documentation, release-artifacts README, and changelog are updated to link the new architecture and threat-model docs, describe their role in release evidence validation, add validator commands to documented Gate A smoke-checks and release-artifact workflows, and annotate them as governance documents required before public beta. |
| Roadmap and execution state tracking | ops/ROADMAP.md, ops/AUTONOMOUS_RUN.md | ROADMAP is updated to reflect the new architecture/threat-model documentation in the machine-verifiable baseline and milestone exit evidence; AUTONOMOUS_RUN records the active PR, work-item queue status, decision log entries, and CI/review outcomes for this change. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped through docs and checks today,

Linked maps and threats to light the way;
Tests that bark and scripts that pry,
So auditors find truth, not sly;
A carrot for proof — hop, ship, and play!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title accurately describes the main objective: adding architecture and threat model audit documentation with associated tooling. |
| Linked Issues check | ✅ Passed | All linked issue #160 objectives are met: architecture.md and threat-model.md docs created with maturity statements; deterministic checker and tests implemented; checker integrated into Makefile, scripts/check.sh, scripts/check.ps1, and CI; docs included in release-manifest; cross-linked from audit-package.md and related docs; release artifacts regenerated. |
| Out of Scope Changes check | ✅ Passed | All changes are within scope: documentation additions, checker/test scripts, build integration, and release-artifact updates directly support the linked issue objectives with no unrelated contract, ABI, or deployment changes. |

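The walkthrough above says the release manifest carries a sha256 and size_bytes per governance doc and that `generate_release_manifest.py --check` must fail when the committed metadata drifts from the tree. The following is an added illustration of that pattern and not the project's generate_release_manifest.py (which is not shown on this page): the GOVERNANCE_DOCS list, the SAMPLE_DOCS bodies and the function names build_manifest, manifest_drift and run_demo are assumptions of this example.

```python
"""Governance-doc release manifest with a --check style drift pass. Added
illustration, not the project's scripts/generate_release_manifest.py: the
document list, sample bodies and every function name are this example's assumptions."""
import hashlib
import json
import tempfile
from pathlib import Path

GOVERNANCE_DOCS = ["docs/threat-model.md", "docs/architecture.md", "docs/audit-package.md"]

# Constructed stand-ins for the real documents.
SAMPLE_DOCS = {
    "docs/architecture.md": "# Architecture\n\nPre-audit local baseline.\n",
    "docs/threat-model.md": "# Threat Model\n\nAssets, actors, residual risks.\n",
    "docs/audit-package.md": "# Audit Package\n\nReviewer entry points.\n",
}

def file_entry(repo_root: Path, rel: str) -> dict[str, object]:
    """sha256 and byte length of one file, hashed as raw bytes so line endings count."""
    data = (repo_root / rel).read_bytes()
    return {"sha256": hashlib.sha256(data).hexdigest(), "size_bytes": len(data)}

def build_manifest(repo_root: Path, docs: list[str] = GOVERNANCE_DOCS) -> str:
    """Serialize deterministically: sorted paths, sorted keys, fixed indent, trailing newline."""
    entries = {rel: file_entry(repo_root, rel) for rel in sorted(docs)}
    return json.dumps({"governance_docs": entries}, indent=2, sort_keys=True) + "\n"

def manifest_drift(repo_root: Path, manifest_text: str, docs: list[str] = GOVERNANCE_DOCS) -> list[str]:
    """Compare a committed manifest with the working tree; an empty list means clean.

    Flags docs absent from the manifest, absent on disk, changed in hash or size,
    and manifest entries for docs that are no longer in the governed set.
    """
    committed = json.loads(manifest_text)["governance_docs"]
    problems: list[str] = []
    for rel in sorted(docs):
        if rel not in committed:
            problems.append(f"{rel}: not in manifest")
        elif not (repo_root / rel).is_file():
            problems.append(f"{rel}: missing on disk")
        elif file_entry(repo_root, rel) != committed[rel]:
            problems.append(f"{rel}: sha256/size_bytes drift")
    problems.extend(f"{rel}: stale manifest entry" for rel in sorted(committed) if rel not in docs)
    return problems

def run_demo() -> dict[str, object]:
    """Generate, verify, tamper, re-verify, shrink the governed set, regenerate."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in SAMPLE_DOCS.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text, encoding="utf-8")
        manifest = build_manifest(root)
        clean = manifest_drift(root, manifest)
        # Edit a governed doc without regenerating: the committed manifest is now stale.
        (root / "docs/threat-model.md").write_text(
            SAMPLE_DOCS["docs/threat-model.md"] + "| New threat row |\n", encoding="utf-8")
        drift = manifest_drift(root, manifest)
        # Drop audit-package.md from the governed set: its manifest entry becomes stale.
        shrunk = manifest_drift(root, manifest, docs=GOVERNANCE_DOCS[:2])
        regenerated = manifest_drift(root, build_manifest(root))
        return {
            "manifest": json.loads(manifest),
            "deterministic": build_manifest(root) == build_manifest(root),
            "clean": clean, "drift": drift, "shrunk": shrunk, "regenerated": regenerated,
        }
```

The two design points worth carrying over to a real manifest generator are hashing raw bytes (so CRLF/LF normalization shows up as drift instead of being silently accepted) and emitting the JSON with sorted keys and a fixed layout, which is what lets `--check` compare the regenerated text byte-for-byte against the committed file rather than parsing both.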

@coderabbitai coderabbitai Bot commented Jun 12, 2026

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Read the main new documentation and checker files
echo "=== docs/architecture.md ==="
cat docs/architecture.md

echo ""
echo "=== docs/threat-model.md ==="
cat docs/threat-model.md

echo ""
echo "=== scripts/check_architecture_threat_model.py ==="
cat scripts/check_architecture_threat_model.py

echo ""
echo "=== scripts/test_architecture_threat_model.py ==="
cat scripts/test_architecture_threat_model.py
```

Length of output: 43491


🏁 Script executed:

```bash
#!/bin/bash
echo "=== .github/workflows (list) ==="
fd -e yml -e yaml . .github/workflows/ | sort

echo ""
echo "=== Makefile (relevant lines) ==="
grep -n "architecture\|threat.model\|check_arch" Makefile | head -40

echo ""
echo "=== scripts/check.sh (relevant lines) ==="
grep -n "architecture\|threat.model\|check_arch" scripts/check.sh | head -20

echo ""
echo "=== scripts/check.ps1 (relevant lines) ==="
grep -n "architecture\|threat.model\|check_arch" scripts/check.ps1 | head -20

echo ""
echo "=== README.md (links to architecture/threat-model) ==="
grep -n "architecture\|threat.model\|threat-model" README.md | head -20

echo ""
echo "=== CHANGELOG (links) ==="
grep -n "architecture\|threat.model\|threat-model" CHANGELOG.md 2>/dev/null | head -20

echo ""
echo "=== Check if CONTRIBUTING.md and SECURITY.md exist ==="
ls -la CONTRIBUTING.md SECURITY.md 2>/dev/null

echo ""
echo "=== Check all REQUIRED_LINK_TARGETS exist ==="
python3 - <<'EOF'
from pathlib import Path
targets = [
    "README.md", "CONTRIBUTING.md", "SECURITY.md",
    "ops/ROADMAP.md", "ops/AUTONOMOUS_RUN.md", "ops/SLITHER_BASELINE.md",
    "docs/architecture.md", "docs/threat-model.md", "docs/audit-package.md",
    "docs/status.md", "docs/known-blockers.md", "docs/slither.md",
    "docs/deployment.md", "docs/release-policy.md", "docs/release-signatures.md",
    "docs/dependency-operations.md", "docs/randomizer-operations.md",
    "docs/auction-custody.md", "docs/metadata.md", "docs/vendored-libraries.md",
    "docs/adr/README.md",
    "docs/adr/0001-drop-authorization.md", "docs/adr/0002-auction-custody.md",
    "docs/adr/0003-payment-accounting.md", "docs/adr/0004-admin-governance.md",
    "docs/adr/0005-randomness.md", "docs/adr/0006-metadata-freeze.md",
    "docs/adr/0007-upgrade-redeployment.md",
    "release-artifacts/README.md",
    "release-artifacts/latest/release-manifest.json",
    "release-artifacts/latest/SHA256SUMS",
    "release-artifacts/latest/release-checksums.json",
    "test/StreamPaymentsInvariant.t.sol",
    "test/StreamSupplyReplayFreezeInvariant.t.sol",
    "test/StreamAuctionInvariant.t.sol",
    "test/StreamRandomizerPayments.t.sol",
    "test/StreamDeploymentManifest.t.sol",
    "scripts/check_audit_package.py",
]
for t in targets:
    p = Path(t)
    print(f"{'OK' if p.exists() else 'MISSING'}: {t}")
EOF
```

echo ""
echo "=== CI workflow that runs checks ==="
fd -e yml -e yaml . .github/ | xargs grep -l "check_architecture\|architecture_threat" 2>/dev/null | head -5

Length of output: 6786



@punk6529 — this is a thorough, well-scoped Gate F documentation and tooling PR. Here is the full review.


Overall Assessment

The architecture and threat-model docs are clear, appropriately scoped, and honest about the local-baseline posture. The checker and tests are well-structured. All 38 REQUIRED_LINK_TARGETS resolve to files that actually exist on disk; CI, Makefile, check.sh, check.ps1, README, and CHANGELOG are all properly wired.


docs/architecture.md

Strengths:

  • Maturity disclaimers are prominent and unambiguous ("pre-audit local baseline", "not production-ready", "not a security claim").
  • The component table is accurate and each row links to the relevant ADR or evidence file.
  • Protocol flows (Fixed-Price Drop, Auction Drop, Randomness, Dependency/Release) match what the contract tests cover.
  • Known Gaps and Maintenance sections are actionable and honest about what remains open.

Minor observations:

  • The StreamMinter row in the component table has no ADR link — only test file references. This is intentional if StreamMinter has no dedicated ADR, but worth noting for auditors as a gap. Consider adding a brief note like "see docs/adr/0001-drop-authorization.md for mint-authority flow" if there's a relevant ADR that covers it.
  • NextGenRandomizerRNG references arRNG without expanding the acronym anywhere in the doc. Auditors unfamiliar with the stack may not know what arRNG stands for. One-line clarification ("arRNG: on-chain RNG using the ArweaveRNG oracle") would help.

docs/threat-model.md

Strengths:

  • Threat categories table is well-structured: each row has threats, current controls, and residual risk — exactly what auditors need.
  • The "Accepted local-baseline dispositions are not production risk acceptance" sentence is important and well-placed.
  • All ADR links (0001–0007) appear in Existing Controls.
  • Reciprocal link to architecture.md is present.

Minor observations:

  • The "deployment ceremony" phrase in REQUIRED_THREAT_PHRASES is satisfied by the admin-controls row's residual-risk text ("production Safe deployment ceremony"). If that row is ever reworded (e.g., to "deployment multisig setup"), the checker will fail unexpectedly. This is low risk since the test suite exercises it, but consider whether "deployment ceremony" is the right anchor phrase — or whether "deployment" checked at the category level is sufficient.
  • The Assumptions And Non-Goals section mentions "Solidity 0.8.19 arithmetic" — this is fine for now, but when the compiler version is updated, this section will need updating. Given that the checker doesn't verify compiler version mentions, this is a manual maintenance item. The Maintenance instructions are sufficient to catch it.

scripts/check_architecture_threat_model.py

Strengths:

  • Clean separation of constants, helpers, and validate_architecture_threat_model.
  • linked_repo_paths correctly resolves relative links relative to each document's own parent directory — this handles the ../ prefixes in the docs correctly.
  • normalize_repo_path raises an ArchitectureThreatModelError on path escape, preventing directory-traversal edge cases.
  • LINK_RE correctly handles both [text](target) and [text](target "title") forms.

One functional concern — redundant missing-file checks:

validate_architecture_threat_model calls linked_repo_paths three times:

```python
links = linked_repo_paths(repo_root, documents)          # combined — validates all linked files exist
# ...
architecture_links = linked_repo_paths(repo_root, {architecture_path: ...})  # triggers missing-file check again
threat_links       = linked_repo_paths(repo_root, {threat_model_path: ...})  # and again
```

The second and third calls re-check for missing files. This is harmless but means a broken link in only one doc will be reported with a less informative error (pointing at the wrong call site). Consider passing a check_missing=False flag or pre-computing the per-document link sets as part of the first pass, using them for both the combined check and the reciprocal check:

# Suggested refactor (non-blocking):
arch_links  = linked_repo_paths(repo_root, {architecture_path: documents[architecture_path]})
threat_links = linked_repo_paths(repo_root, {threat_model_path: documents[threat_model_path]})
links = arch_links | threat_links
# Then use arch_links / threat_links for reciprocal check directly

Missing test for reciprocal-link failure:

The test suite covers heading, maturity, required-link, threat-phrase, and missing-file failures, but there is no test asserting that the checker rejects a pair of docs where architecture.md does not link to threat-model.md (or vice versa). This is a meaningful invariant enforced by the checker that is not exercised by the tests.

Suggested addition to test_architecture_threat_model.py:

```python
def test_rejects_missing_reciprocal_link_architecture_to_threat(self) -> None:
    with tempfile.TemporaryDirectory() as temp_dir:
        root = Path(temp_dir)
        seed_required_targets(root)
        # Remove the link from architecture → threat-model
        text = minimal_architecture_doc().replace(
            "Read the [threat model](threat-model.md).\n", ""
        )
        write_text(root / checker.DEFAULT_ARCHITECTURE, text)
        write_text(root / checker.DEFAULT_THREAT_MODEL, minimal_threat_model_doc())

        with self.assertRaisesRegex(
            checker.ArchitectureThreatModelError, "must link to"
        ):
            checker.validate_architecture_threat_model(
                root,
                root / checker.DEFAULT_ARCHITECTURE,
                root / checker.DEFAULT_THREAT_MODEL,
            )
```

scripts/test_architecture_threat_model.py

Strengths:

  • Dynamic module loading via importlib avoids import-path issues.
  • seed_required_targets ensures the checker's file-existence checks don't interfere with the specific behavior being tested.
  • redirect_stdout/redirect_stderr in test_accepts_* tests keeps output clean.

One fragility — test_accepts_committed_docs uses Path.cwd():

```python
def test_accepts_committed_docs(self) -> None:
    repo_root = Path.cwd()
```

This passes only when the test is run from the repository root. If a CI runner or IDE invokes it from a different working directory, it will silently fail to find the committed docs. A more robust approach anchors to the script's own location:

```python
repo_root = Path(__file__).resolve().parents[1]  # two levels up from scripts/
```

CI / Makefile / Wrappers

  • make check → includes architecture-threat-model-check
  • architecture-threat-model-check → runs test then checker in order ✅
  • release-manifest and release-manifest-check both depend on architecture-threat-model-check
  • check.sh and check.ps1 both call both scripts ✅
  • .github/workflows/ci.yml picks up the checker via make check

Summary

| Area | Status |
|---|---|
| docs/architecture.md content | ✅ Clear, appropriately scoped |
| docs/threat-model.md content | ✅ Comprehensive threat categories, honest residual risks |
| Checker logic (check_architecture_threat_model.py) | ✅ Sound; one minor redundancy in linked_repo_paths calls |
| Test coverage (test_architecture_threat_model.py) | ✅ Good; missing reciprocal-link rejection test |
| All linked targets exist on disk | ✅ All 38 verified |
| CI/Makefile/wrapper wiring | ✅ Fully integrated |
| Scope boundary (no Solidity/ABI/bytecode changes) | ✅ Confirmed |

The two most actionable items are:

  1. Add a reciprocal-link rejection test (the invariant is enforced but not tested).
  2. Anchor test_accepts_committed_docs to Path(__file__).resolve().parents[1] rather than Path.cwd() for robustness.

Everything else is minor. The PR is in good shape for Gate F purposes.
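The review above describes the checker's shape without showing it: a LINK_RE that accepts both `[text](target)` and `[text](target "title")`, link targets resolved against each document's own directory so `../` prefixes work, a normalize_repo_path that refuses targets escaping the repository root, one link scan per document feeding both the missing-file check and the reciprocal-link check, and a `must link to` failure when either direction is absent. The block below is an added, self-contained sketch of that design for readers of this thread; it is not the project's scripts/check_architecture_threat_model.py, and DocLinkError, normalize_repo_path, linked_repo_paths, validate_doc_pair, REQUIRED_HEADINGS, run_demo, the two sample documents and the error strings are all assumptions of this example.

```python
"""Cross-link checker sketch for a governance doc pair. Added illustration, not the
project's scripts/check_architecture_threat_model.py: every name here and both
sample documents are assumptions of this example."""
import re
import tempfile
from pathlib import Path

# [text](target) and [text](target "title"); group 1 is the target.
LINK_RE = re.compile(r'\[[^\]]*\]\(\s*([^\s)"]+)(?:\s+"[^"]*")?\s*\)')

REQUIRED_HEADINGS = {  # assumed set, keyed by repo-relative document path
    "docs/architecture.md": ["# Architecture", "## Components", "## Maintenance"],
    "docs/threat-model.md": ["# Threat Model", "## Threat Categories", "## Residual Risks"],
}

class DocLinkError(Exception):
    """Any structural or link failure; a CLI wrapper would map this to exit 1."""

def normalize_repo_path(repo_root: Path, candidate: Path) -> str:
    """Repo-relative POSIX path of candidate; refuse anything outside repo_root."""
    try:
        rel = candidate.resolve().relative_to(repo_root.resolve())
    except ValueError:
        raise DocLinkError(f"link escapes repository root: {candidate}") from None
    return rel.as_posix()

def linked_repo_paths(repo_root: Path, doc_rel: str, text: str) -> set[str]:
    """Repo-relative targets of local links, resolved against the doc's own directory."""
    doc_dir = repo_root / Path(doc_rel).parent
    found: set[str] = set()
    for target in LINK_RE.findall(text):
        if "://" in target or target.startswith(("#", "mailto:")):
            continue  # external URL or in-page anchor: not a repo file
        rel = normalize_repo_path(repo_root, doc_dir / target.split("#", 1)[0])
        if not (repo_root / rel).is_file():
            raise DocLinkError(f"{doc_rel} links to missing file {rel}")
        found.add(rel)
    return found

def validate_doc_pair(repo_root: Path, arch_rel: str, threat_rel: str) -> dict[str, set[str]]:
    """Headings, link targets and the reciprocal link, scanning each document once."""
    links: dict[str, set[str]] = {}
    for rel in (arch_rel, threat_rel):
        text = (repo_root / rel).read_text(encoding="utf-8")
        present = {line.rstrip() for line in text.splitlines()}
        for heading in REQUIRED_HEADINGS.get(rel, []):
            if heading not in present:
                raise DocLinkError(f"{rel} is missing required heading {heading!r}")
        links[rel] = linked_repo_paths(repo_root, rel, text)
    for src, dst in ((arch_rel, threat_rel), (threat_rel, arch_rel)):
        if dst not in links[src]:
            raise DocLinkError(f"{src} must link to {dst}")
    return links

# Constructed sample documents, not the project's real docs.
ARCH_DOC = """# Architecture
## Components
See the [threat model](threat-model.md "reciprocal") and the [README](../README.md).
## Maintenance
"""
THREAT_DOC = """# Threat Model
## Threat Categories
Controls map back to the [architecture](architecture.md#components).
## Residual Risks
Pre-audit baseline; see [CI](https://example.invalid/ci) for status.
"""

def _write(root: Path, rel: str, text: str) -> None:
    (root / rel).parent.mkdir(parents=True, exist_ok=True)
    (root / rel).write_text(text, encoding="utf-8")

def run_demo() -> dict[str, object]:
    """Happy path, then four regressions the checker must reject, in a throwaway repo."""
    arch, threat = "docs/architecture.md", "docs/threat-model.md"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root, "README.md", "# Demo repo\n")
        _write(root, arch, ARCH_DOC)
        _write(root, threat, THREAT_DOC)
        links = validate_doc_pair(root, arch, threat)
        cases = {
            "reciprocal": (arch, ARCH_DOC.replace("threat-model.md", "../README.md")),
            "missing_file": (threat, THREAT_DOC + "\nAlso [gap](missing.md).\n"),
            "escape": (threat, THREAT_DOC + "\n[leak](../../../../etc/passwd)\n"),
            "heading": (arch, ARCH_DOC.replace("## Maintenance\n", "")),
        }
        errors: dict[str, str] = {}
        for name, (rel, text) in cases.items():
            _write(root, rel, text)
            try:
                validate_doc_pair(root, arch, threat)
            except DocLinkError as exc:
                errors[name] = str(exc)
            _write(root, rel, ARCH_DOC if rel == arch else THREAT_DOC)  # restore
    return {"links": links, "errors": errors}
```

The escape check matters more than it looks: a doc link such as `../../../../etc/passwd` would otherwise pass a naive "does the file exist" test on most CI runners, so the root containment is enforced before existence is consulted. Scanning each document once and keeping the per-document sets is also what makes the reciprocal check cheap and the error attributable to the right file, which is the redundancy the review above points out.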

@punk6529 punk6529 (Contributor, Author) commented

@coderabbitai review

Follow-up commit b5d531d addresses your review: added the StreamMinter ADR link, clarified arRNG, anchored deployment ceremony wording, removed redundant checker link scans, anchored committed-doc tests to the script path, and added reciprocal-link rejection tests. Please re-check the latest head.

@coderabbitai coderabbitai Bot commented Jun 12, 2026

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
echo "=== docs/architecture.md: StreamMinter and arRNG sections ==="
grep -n "StreamMinter\|arRNG\|ArweaveRNG\|on-chain RNG\|adr/0001" docs/architecture.md | head -30

echo ""
echo "=== docs/threat-model.md: deployment ceremony wording ==="
grep -n "deployment ceremony\|deployment" docs/threat-model.md | head -20

echo ""
echo "=== scripts/check_architecture_threat_model.py: linked_repo_paths calls ==="
grep -n "linked_repo_paths\|arch_links\|threat_links" scripts/check_architecture_threat_model.py | head -30

echo ""
echo "=== scripts/test_architecture_threat_model.py: Path anchor and reciprocal tests ==="
grep -n "Path.cwd\|__file__\|parents\|reciprocal\|must link" scripts/test_architecture_threat_model.py | head -30

echo ""
echo "=== Show test class methods list ==="
grep -n "def test_" scripts/test_architecture_threat_model.py | head -30

echo ""
echo "=== Show the full linked_repo_paths / validate function in checker ==="
grep -n "def validate_architecture_threat_model\|linked_repo_paths\|arch_links\|threat_links\|reciprocal" scripts/check_architecture_threat_model.py | head -40
```

Length of output: 5995



@punk6529 — all five items from the previous review are confirmed addressed in commit b5d531d:

| Prior item | Status |
|---|---|
| StreamMinter ADR link (adr/0001-drop-authorization.md) | ✅ Added (architecture.md line 40) |
| arRNG acronym clarification | ✅ Added: "In this document, arRNG means the external randomness controller consumed…" |
| Deployment ceremony phrase anchored | ✅ Confirmed: "production Safe deployment ceremony" retained in threat-model row |
| Redundant linked_repo_paths calls | ✅ Refactored: now two per-doc calls combined via `\|`, third combined call removed |
| Path.cwd() → Path(__file__).resolve().parents[1] | ✅ Applied (line 147 of test file) |
| Reciprocal-link rejection tests | ✅ Both directions added: test_rejects_missing_architecture_to_threat_link and test_rejects_missing_threat_to_architecture_link, both asserting "must link to" |

Everything checks out. The PR is clean for Gate F.

[approve]

@coderabbitai coderabbitai Bot left a comment
Actionable comments posted: 2

🧹 Nitpick comments (1)
scripts/test_architecture_threat_model.py (1)

145-273: ⚡ Quick win

Add an explicit regression test for missing reciprocal links.

The checker enforces bidirectional architecture↔threat-model linking, but there is no direct negative test asserting rejection when one side omits the reciprocal link.

Suggested test addition
 class ArchitectureThreatModelTests(unittest.TestCase):
+    def test_rejects_missing_reciprocal_link(self) -> None:
+        with tempfile.TemporaryDirectory() as temp_dir:
+            root = Path(temp_dir)
+            seed_required_targets(root)
+            arch = minimal_architecture_doc().replace(
+                "Read the [threat model](threat-model.md).\n", ""
+            )
+            write_text(root / checker.DEFAULT_ARCHITECTURE, arch)
+            write_text(root / checker.DEFAULT_THREAT_MODEL, minimal_threat_model_doc())
+
+            with self.assertRaisesRegex(
+                checker.ArchitectureThreatModelError, "must link to"
+            ):
+                checker.validate_architecture_threat_model(
+                    root,
+                    root / checker.DEFAULT_ARCHITECTURE,
+                    root / checker.DEFAULT_THREAT_MODEL,
+                )
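Review bot: the suggested method only exercises one direction. It strips `Read the [threat model](threat-model.md).` from the architecture doc and writes an unmodified `minimal_threat_model_doc()`, so a threat-model doc that omits its link back to architecture.md is never asserted to fail, even though the checker enforces both directions. Add a mirrored method (or a `subTest` loop over both directions) that removes the architecture link from the threat-model doc instead. Also keep the asserted message consistent: this hunk expects `"must link to"`, while the agent prompt that follows asks for `"missing required links|reciprocal"`; only one of those can match what the checker actually raises.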
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/test_architecture_threat_model.py` around lines 145 - 273, Add a new
unit test method on ArchitectureThreatModelTests (e.g.,
test_rejects_missing_reciprocal_link) that seeds required targets, writes a
minimal architecture doc that includes a link to the threat model but writes a
threat model doc that omits the reciprocal architecture link (and vice versa in
another subcase if desired), then call
checker.validate_architecture_threat_model(root, root /
checker.DEFAULT_ARCHITECTURE, root / checker.DEFAULT_THREAT_MODEL) inside
self.assertRaisesRegex(checker.ArchitectureThreatModelError, "missing required
links|reciprocal") to assert the checker rejects missing bidirectional links;
reference the existing helpers seed_required_targets, minimal_architecture_doc,
minimal_threat_model_doc, and constants checker.DEFAULT_ARCHITECTURE /
checker.DEFAULT_THREAT_MODEL to locate where to add the test.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ops/ROADMAP.md`:
- Around line 76-81: The table's "CI run" cell still references PR `#160`; update
the "CI run" entry in the table (the row labeled CI run) to point to the actual
current PR or CI run ID for this change set (replace "TBD for PR `#160`" with "CI
run: PR #<current-number>" or the appropriate run URL/ID) so the verification
trail clearly references the correct PR; ensure you only edit the "CI run" cell
in the roadmap table text.

In `@scripts/test_architecture_threat_model.py`:
- Around line 146-151: The test uses Path.cwd() to set repo_root which breaks
when tests run outside the repo; change the setup in test_accepts_committed_docs
to derive the repo root from the test file location (use
Path(__file__).resolve().parent or appropriate ancestor) and pass that path to
checker.main(["--repo-root", str(repo_root)]) so the test always anchors to the
repository location relative to this test file rather than the process CWD.

---


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 51349d0a-4a47-4154-aabd-9acef8752505

📥 Commits

Reviewing files that changed from the base of the PR and between e2e9fcf and acc43fc.

📒 Files selected for processing (23)
  • .github/workflows/ci.yml
  • CHANGELOG.md
  • Makefile
  • README.md
  • docs/architecture.md
  • docs/audit-package.md
  • docs/release-policy.md
  • docs/status.md
  • docs/threat-model.md
  • docs/tooling.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • release-artifacts/README.md
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-manifest.json
  • scripts/check.ps1
  • scripts/check.sh
  • scripts/check_architecture_threat_model.py
  • scripts/check_audit_package.py
  • scripts/generate_release_manifest.py
  • scripts/test_architecture_threat_model.py
  • scripts/test_release_manifest.py


@punk6529 punk6529 (Contributor, Author) commented

@coderabbitai review

Follow-up commit f0b4407 addresses the remaining roadmap metadata thread by updating the CI row to PR #161. The committed-doc test and reciprocal-link concerns were addressed in b5d531d. Please re-check the latest head.

@coderabbitai coderabbitai Bot commented Jun 12, 2026

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
echo "=== git log last 5 commits ==="
git log --oneline -5

echo ""
echo "=== diff of f0b4407 ==="
git show f0b4407 --stat

echo ""
echo "=== full diff of f0b4407 ==="
git show f0b4407

echo ""
echo "=== ops/ROADMAP.md CI row context ==="
grep -n "CI\|#161\|PR #161\|161" ops/ROADMAP.md | head -30
```

Length of output: 7241



@punk6529 — commit f0b4407 is confirmed clean. The only substantive change is the single-cell correction in ops/ROADMAP.md:

| Field | Before | After |
|---|---|---|
| CI run | `TBD for PR #160` | `TBD for PR #161` |

That is the correct fix — #160 is the issue, #161 is the PR. The ops/AUTONOMOUS_RUN.md timestamp, status line, and decision log entry are all internally consistent. No other files were touched.

Combined with b5d531d, all review items are fully addressed. The PR remains clean for Gate F.

[approve]

@punk6529 punk6529 merged commit 0bddc2c into main Jun 12, 2026
2 checks passed

Development

Successfully merging this pull request may close these issues.

Add architecture and threat model audit docs
