Add public beta evidence status manifest

[punk6529]

Summary

Closes #164.

This adds a no-secret public-beta evidence status manifest and validation gate so public-beta and production-release blockers are tracked as machine-checkable release evidence instead of prose-only docs.

Changes

• Add release-artifacts/latest/public-beta-evidence.json with public beta and production release intentionally blocked.
• Add release-artifacts/schema/public-beta-evidence.schema.json plus docs/public-beta-evidence.md.
• Add scripts/check_public_beta_evidence.py and scripts/test_public_beta_evidence.py to validate required requirement rows, path boundaries, retained SHA256 hashes, no-secret policy, risk acceptance metadata, and blocked-vs-ready claims.
• Wire the gate into Makefile, Unix/Windows check wrappers, CI, release manifest/checksum coverage, release readiness/audit docs, README/status/tooling docs, changelog, roadmap, and the autonomous run state.
• Teach the lower-level release artifact generator to treat public-beta-evidence.json as a downstream release file, like checksum and manifest outputs.

Scope

Documentation/tooling/artifact-only. No Solidity source or protocol behavior changes.

Local validation

• python scripts\test_public_beta_evidence.py
• python scripts\check_public_beta_evidence.py
• python -m py_compile scripts\check_public_beta_evidence.py scripts\test_public_beta_evidence.py
• python scripts\test_release_readiness.py
• python scripts\test_audit_package.py
• python scripts\test_release_manifest.py
• python scripts\test_release_artifacts.py
• python scripts\generate_release_artifacts.py --check
• python scripts\generate_release_manifest.py --check
• python scripts\generate_release_checksums.py --check
• bash -n scripts/check.sh
• PowerShell parser check for scripts\check.ps1
• git diff --check passes with only existing Windows line-ending warning chatter
• make check
• powershell -ExecutionPolicy Bypass -File scripts\check.ps1

Release status

This PR does not claim public beta or production readiness. The committed evidence file keeps both public_beta and production_release blocked until external audit, fork/testnet/live deployment evidence, verified addresses, explorer verification, production signatures, signed tag evidence, production address books, retained broadcast outputs, live ceremony/randomizer evidence, and post-audit remediation evidence are retained or explicitly risk-accepted.

Summary by CodeRabbit

• New Features

  • Added a public-beta evidence validation and gating step that records per-requirement statuses and prevents marking releases ready until evidence or accepted risk is recorded.

• Documentation

  • Added a public-beta evidence specification, redaction rules, required evidence categories, and updated release policy, readiness, tooling, and audit docs to reference the new artifact and process.

• Tests

  • Added unit and CI tests to validate evidence documents, schema compliance, checksums, and integration with release artifacts.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[punk6529]

@coderabbitai review

Context: docs/tooling/release-artifact PR only. This adds a no-secret public-beta evidence status manifest, schema, checker/tests, local/CI wiring, release-manifest/checksum coverage, and docs. It intentionally does not change Solidity behavior and does not claim public beta or production readiness.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d3a2b386-cf57-4557-b28d-f03aab6b20b3

📥 Commits

Reviewing files that changed from the base of the PR and between 7aba4c7 and 54af773.

📒 Files selected for processing (1)

• ops/AUTONOMOUS_RUN.md

---

📝 Walkthrough

Walkthrough

Adds a public-beta evidence JSON Schema and baseline artifact, a strict Python validator with unit tests, release-manifest/checksum integration, CI/Makefile/local check wiring, and documentation and ops updates to track gating evidence for public-beta and production releases.

Changes

Public-beta evidence status system

Layer / File(s)	Summary
Evidence schema and committed baseline release-artifacts/schema/public-beta-evidence.schema.json, release-artifacts/latest/public-beta-evidence.json, docs/public-beta-evidence.md	Adds JSON Schema, a blocked baseline evidence artifact, and a spec that enumerates required evidence categories, allowed statuses, redaction/no-secret rules, and update procedures.
Core evidence validator scripts/check_public_beta_evidence.py	CLI validator enforcing exact top-level/nested fields, source metadata checks, status enums, per-phase requirement membership and uniqueness, repo-scoped file resolution and SHA256 verification, risk_acceptance rules, retained-artifacts/redaction checks, overall-status gating, and recursive secret-like scanning.
Validator unit tests scripts/test_public_beta_evidence.py	Unit tests and fixture helpers that exercise accepted blocked manifests and many rejection cases (missing/duplicate requirements, stale hashes, path-escape, invalid risk_acceptance, ready-with-blockers, secret-like content, etc.).
Release manifest & artifact integration scripts/generate_release_manifest.py, scripts/generate_release_artifacts.py, release-artifacts/latest/release-manifest.json, release-artifacts/latest/release-checksums.json, scripts/test_release_manifest.py, scripts/test_release_artifacts.py	Imports checker, defines expected evidence filename, validates evidence when building manifest, computes per-phase blocking counts, seeds schema/evidence into tests, updates generated manifest/checksum entries, and excludes downstream evidence from generated-file comparisons.
CI and local check wiring Makefile, scripts/check.sh, scripts/check.ps1, .github/workflows/ci.yml, scripts/check_audit_package.py, scripts/check_release_readiness.py	Adds public-beta-evidence-check Make target and hooks it into check and release targets, updates shell/PowerShell wrappers and CI to run the test/check scripts, and extends audit-package and release-readiness checkers to require the evidence commands/links.
Documentation and operational state README.md, CHANGELOG.md, docs/*, release-artifacts/README.md, ops/*	Adds docs/public-beta-evidence.md, updates changelog/README and multiple docs (audit-package, release-policy, release-readiness, status, tooling, known-blockers), updates release-artifacts README and SHASUMS, and records PR/worklog/decision-log state in ops files.

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• 6529-Collections/6529Stream#138: Overlaps on scripts/generate_release_manifest.py governance-docs list changes.
• 6529-Collections/6529Stream#163: Related release-readiness checker updates that this PR extends with public-beta evidence checks.
• 6529-Collections/6529Stream#157: Similar manifest/evidence wiring changes for another evidence bundle.

"🐰 A careful rabbit hops through the trees,
weaving hashes, docs, and no-secret decrees,
blockers on display,
checks run night and day,
so releases stay honest with ease."

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add public beta evidence status manifest' is clear, concise, and directly summarizes the main change: introduction of a public-beta evidence status manifest artifact and associated validation infrastructure.
Linked Issues check	✅ Passed	The PR fully implements all coding requirements from issue #164: machine-checkable evidence manifest (release-artifacts/latest/public-beta-evidence.json), JSON schema, validation checker (scripts/check_public_beta_evidence.py with unit tests), Makefile/CI wiring, release manifest/checksum integration, and conservative blocked-by-default baseline without secrets.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to documentation, tooling, artifacts, and validation infrastructure. No Solidity code, ABI changes, deployment addresses, protocol behavior, or production release claims are introduced. The PR stays within the requirements of issue #164.
Docstring Coverage	✅ Passed	Docstring coverage is 85.96% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/public-beta-evidence-status

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# List all changed files in PR `#165`
gh pr view 165 --repo 6529-Collections/6529Stream --json files --jq '.files[].path'

Length of output: 1044

---

🏁 Script executed:

#!/bin/bash
# Get PR diff for review
gh pr diff 165 --repo 6529-Collections/6529Stream 2>/dev/null | head -3000

Length of output: 122205

---

---

@punk6529 — reviewed. This is a well-structured docs/tooling/artifact-only PR. The evidence manifest, schema, checker, tests, CI wiring, and cross-doc references are all consistent with each other and with the existing release-evidence pattern established in earlier PRs. No Solidity changes; checksum/manifest/SHA256SUMS hashes are internally consistent across the three files.

A few observations worth noting before merge:

---

Missing docstring on public_beta_evidence_record

scripts/generate_release_manifest.py — the new public_beta_evidence_record function has no docstring. The previous PR (#163) required a follow-up commit to add docstrings after CodeRabbit flagged the same gap. Adding one now avoids the pattern repeating.

def public_beta_evidence_record(path: Path, repo_root: Path) -> dict[str, Any]:
    """Load, validate, and summarise the public-beta evidence status for the release manifest."""

---

accepted_at / expires_at are free-form strings

scripts/check_public_beta_evidence.py — validate_risk_acceptance accepts any non-empty string for accepted_at and expires_at. If a future operator writes "TBD" or "soon", the checker passes silently. A lightweight ISO-8601 date pattern (^\d{4}-\d{2}-\d{2}) would close that gap without adding a dependency.

_ISO_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

def require_iso_date(value: Any, path: str) -> str:
    """Require an ISO-8601 date string (YYYY-MM-DD) at a JSON path."""
    text = require_string(value, path)
    if not _ISO_DATE_RE.fullmatch(text):
        raise PublicBetaEvidenceError(f"{path} must be an ISO-8601 date (YYYY-MM-DD)")
    return text

Then in validate_risk_acceptance:

require_iso_date(risk.get("accepted_at"), f"{path}.accepted_at")
require_iso_date(risk.get("expires_at"), f"{path}.expires_at")

---

minItems: 17 in the schema is a hardcoded count

release-artifacts/schema/public-beta-evidence.schema.json — "minItems": 17 will silently pass if someone adds a requirement to the checker's REQUIRED_BY_PHASE sets without updating the schema. The checker's exact-ID enforcement is the real gate, so this is low-risk, but a comment in the schema (or a brief note in docs/public-beta-evidence.md) that this count must be updated alongside REQUIRED_BY_PHASE would help future maintainers.

---

"secret" in SECRET_KEY_PARTS is broad

scripts/check_public_beta_evidence.py Line 70 — "secret" as a bare substring would flag any key whose lowercase form contains "secret" (e.g., "no_secrets_stored", "secret_free_note"). The exemption via SAFE_SECRET_POLICY_KEYS handles the known cases (no_secrets, redacted_fields, redaction_policy), but future schema extensions could introduce benign keys that collide. The SECRET_VALUE_RE pattern (which requires [:=] after the keyword) is tighter and less likely to false-positive than the key scan. This is not a blocker — the current committed document passes cleanly — but worth keeping in mind when the schema is extended.

---

Everything else looks good:

• All required requirement IDs are enforced via REQUIRED_BY_PHASE (exact sets), not just a count.
• Path-traversal prevention uses both ".." in candidate.parts and a post-resolve relative_to check — robust.
• SHA256 file-hash verification on retained_artifacts and evidence file refs is deterministic and correct.
• scan_for_secret_like_data correctly exempts SAFE_SECRET_POLICY_KEYS before the substring check.
• 11 focused unit tests cover the major failure modes.
• CI step, Makefile target, check.sh, and check.ps1 are all consistently wired in the same order.
• Checksum hashes are consistent across SHA256SUMS, release-checksums.json, and release-manifest.json.

The docstring gap is the only item that matches the PR #163 rework pattern and is worth fixing pre-merge. The date-format and minItems observations are lower priority but straightforward to address now or as follow-ups.

[punk6529]

Addressed CodeRabbit review in f586a99:

• Added the public_beta_evidence_record docstring.
• Enforced ISO YYYY-MM-DD dates for risk-acceptance accepted_at / expires_at fields and added regression coverage.
• Documented that schema requirements.minItems must move with the checker requirement sets.
• Tightened secret-key scanning to avoid benign future key-name collisions while still catching explicit secret-shaped keys.
• Regenerated the public-beta evidence hash, release manifest, and checksum bundle.

Focused validation passed locally for public-beta evidence, release manifest, release artifacts, release readiness, audit package, release checksums, and Python compilation.

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docs/tooling.md (1)

159-167: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Align the public-beta evidence references in both docs.

docs/tooling.md still omits release-artifacts/latest/public-beta-evidence.json from the checksum-refresh contract, and release-artifacts/README.md still omits docs/public-beta-evidence.md from the governance-doc hash list. Since the new gate treats both as tracked release artifacts, please mention them in the same places so maintainers know to refresh the new manifest and its doc together.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/tooling.md` around lines 159 - 167, Update the release-checksum
description and README to include the new public-beta evidence artifact: add
release-artifacts/latest/public-beta-evidence.json to the list of inputs covered
by the release-checksum/release-checksums.json generation in docs/tooling.md
(the "release-checksum step"/"checksum-refresh contract" text) and add
docs/public-beta-evidence.md to the governance-doc hash list in
release-artifacts/README.md so both docs reference the same tracked artifact
set.

🧹 Nitpick comments (3)

release-artifacts/schema/public-beta-evidence.schema.json (1)

60-66: ⚡ Quick win

Keep requirements.minItems synchronized with checker-required IDs.

Line 65 hardcodes 17, while enforcement in scripts/check_public_beta_evidence.py is derived from PUBLIC_BETA_REQUIREMENTS and PRODUCTION_REQUIREMENTS. Add a contract test that asserts schema minItems equals the checker’s required-ID total to prevent silent drift.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@release-artifacts/schema/public-beta-evidence.schema.json` around lines 60 -
66, The schema's requirements.minItems is hardcoded to 17 and can drift from the
enforcement logic in scripts/check_public_beta_evidence.py; add a contract test
that loads release-artifacts/schema/public-beta-evidence.schema.json, reads the
requirements.minItems value, computes the expected total by importing or
referencing the same PUBLIC_BETA_REQUIREMENTS and PRODUCTION_REQUIREMENTS used
by check_public_beta_evidence.py (or by calling a function that returns that
combined list), and assert equality between schema requirements.minItems and the
computed required-ID total so any future change to
PUBLIC_BETA_REQUIREMENTS/PRODUCTION_REQUIREMENTS will fail the test until the
schema is updated.

scripts/test_release_manifest.py (1)

385-513: ⚡ Quick win

Add one regression test that uses a non-default release_artifacts_dir.

Current coverage exercises the default release-artifacts/latest layout only. A custom artifacts directory test would catch path-coupling regressions in public_beta_evidence resolution.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/test_release_manifest.py` around lines 385 - 513, The test suite
lacks coverage for using a custom release_artifacts_dir which can hide
path-coupling bugs in public_beta_evidence resolution; add a new regression test
(similar to test_generator_writes_deterministic_manifest) that calls
generator.write_output but passes a non-default release_artifacts_dir (e.g.,
different from "release-artifacts/latest") when seeding the tree and building
paths, then assert the manifest fields for
release_artifacts.public_beta_evidence and any paths/sha256 checks still resolve
correctly; locate helpers seed_release_tree, generator.write_output, and the
public_beta_checker usage to adjust the test setup so the generator uses the
custom directory and validate the same keys/assertions as in
test_generator_writes_deterministic_manifest.

docs/public-beta-evidence.md (1)

29-32: ⚡ Quick win

Avoid a second source of truth for the requirement count.

requirements.minItems duplicates the canonical requirement list in scripts/check_public_beta_evidence.py, so the schema can drift from the checker when rows are added or removed. Consider deriving the count from the same source or dropping the hard-coded count altogether.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/public-beta-evidence.md` around lines 29 - 32, The schema's
requirements.minItems is a hard-coded duplicate of the canonical requirement
list in scripts/check_public_beta_evidence.py; update the code so the schema's
minItems is derived from that canonical source (or remove the hard-coded count).
Modify the code that builds or validates the schema to import or read the
requirement list from scripts/check_public_beta_evidence.py (or a shared module)
and set requirements.minItems = len(requirement_list) at generation time,
ensuring the symbols scripts/check_public_beta_evidence.py and
requirements.minItems are the single source of truth.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/public-beta-evidence.md`:
- Around line 100-102: Update the public beta evidence documentation where
accepted_at and expires_at are described to state they must use the ISO date
format YYYY-MM-DD (match regex ^\d{4}-\d{2}-\d{2}$); mention that the checker
(scripts/check_public_beta_evidence.py) enforces this and tests reject non-ISO
values so authors must provide dates like 2024-06-12 rather than freeform text.

In `@scripts/check_public_beta_evidence.py`:
- Around line 190-195: The require_iso_date function only validates format via
ISO_DATE_RE but accepts invalid calendar dates; after the existing regex check
in require_iso_date, parse the text into a real date (e.g.,
datetime.date.fromisoformat or datetime.datetime.strptime) and catch ValueError,
then raise PublicBetaEvidenceError(f"{path} must be an ISO-8601 date
(YYYY-MM-DD)") on parse failure; ensure datetime is imported and keep the
existing error message and return the original text on success.

In `@scripts/generate_release_manifest.py`:
- Around line 601-604: The manifest builder currently constructs the public beta
evidence path using repo_root / DEFAULT_PUBLIC_BETA_EVIDENCE which ignores the
release_artifacts_dir flag; change the call to public_beta_evidence_record to
resolve the evidence file from release_artifacts_dir (e.g.,
release_artifacts_dir / DEFAULT_PUBLIC_BETA_EVIDENCE or otherwise join
DEFAULT_PUBLIC_BETA_EVIDENCE against release_artifacts_dir) so validation uses
the provided --release-artifacts-dir; update the invocation site where
public_beta_evidence_record(...) is called to pass the path rooted at
release_artifacts_dir instead of repo_root.

---

Outside diff comments:
In `@docs/tooling.md`:
- Around line 159-167: Update the release-checksum description and README to
include the new public-beta evidence artifact: add
release-artifacts/latest/public-beta-evidence.json to the list of inputs covered
by the release-checksum/release-checksums.json generation in docs/tooling.md
(the "release-checksum step"/"checksum-refresh contract" text) and add
docs/public-beta-evidence.md to the governance-doc hash list in
release-artifacts/README.md so both docs reference the same tracked artifact
set.

---

Nitpick comments:
In `@docs/public-beta-evidence.md`:
- Around line 29-32: The schema's requirements.minItems is a hard-coded
duplicate of the canonical requirement list in
scripts/check_public_beta_evidence.py; update the code so the schema's minItems
is derived from that canonical source (or remove the hard-coded count). Modify
the code that builds or validates the schema to import or read the requirement
list from scripts/check_public_beta_evidence.py (or a shared module) and set
requirements.minItems = len(requirement_list) at generation time, ensuring the
symbols scripts/check_public_beta_evidence.py and requirements.minItems are the
single source of truth.

In `@release-artifacts/schema/public-beta-evidence.schema.json`:
- Around line 60-66: The schema's requirements.minItems is hardcoded to 17 and
can drift from the enforcement logic in scripts/check_public_beta_evidence.py;
add a contract test that loads
release-artifacts/schema/public-beta-evidence.schema.json, reads the
requirements.minItems value, computes the expected total by importing or
referencing the same PUBLIC_BETA_REQUIREMENTS and PRODUCTION_REQUIREMENTS used
by check_public_beta_evidence.py (or by calling a function that returns that
combined list), and assert equality between schema requirements.minItems and the
computed required-ID total so any future change to
PUBLIC_BETA_REQUIREMENTS/PRODUCTION_REQUIREMENTS will fail the test until the
schema is updated.

In `@scripts/test_release_manifest.py`:
- Around line 385-513: The test suite lacks coverage for using a custom
release_artifacts_dir which can hide path-coupling bugs in public_beta_evidence
resolution; add a new regression test (similar to
test_generator_writes_deterministic_manifest) that calls generator.write_output
but passes a non-default release_artifacts_dir (e.g., different from
"release-artifacts/latest") when seeding the tree and building paths, then
assert the manifest fields for release_artifacts.public_beta_evidence and any
paths/sha256 checks still resolve correctly; locate helpers seed_release_tree,
generator.write_output, and the public_beta_checker usage to adjust the test
setup so the generator uses the custom directory and validate the same
keys/assertions as in test_generator_writes_deterministic_manifest.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e8ac2633-a9d8-4a81-97eb-ed1d48c32685

📥 Commits

Reviewing files that changed from the base of the PR and between cb01f46 and f586a99.

📒 Files selected for processing (30)

• .github/workflows/ci.yml
• CHANGELOG.md
• Makefile
• README.md
• docs/audit-package.md
• docs/known-blockers.md
• docs/public-beta-evidence.md
• docs/release-policy.md
• docs/release-readiness.md
• docs/status.md
• docs/tooling.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• release-artifacts/README.md
• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/public-beta-evidence.json
• release-artifacts/latest/release-checksums.json
• release-artifacts/latest/release-manifest.json
• release-artifacts/schema/public-beta-evidence.schema.json
• scripts/check.ps1
• scripts/check.sh
• scripts/check_audit_package.py
• scripts/check_public_beta_evidence.py
• scripts/check_release_readiness.py
• scripts/generate_release_artifacts.py
• scripts/generate_release_manifest.py
• scripts/test_public_beta_evidence.py
• scripts/test_release_artifacts.py
• scripts/test_release_manifest.py
• scripts/test_release_readiness.py

[punk6529]

Addressed the second CodeRabbit follow-up in 7aba4c7.

Changes made:

• accepted_at / expires_at risk-acceptance fields now parse as real ISO YYYY-MM-DD calendar dates, not just regex-shaped strings.
• docs/public-beta-evidence.md now explicitly documents the date format and example.
• scripts/generate_release_manifest.py now resolves public-beta-evidence.json from the configured --release-artifacts-dir instead of the default latest directory.
• Added a schema/checker contract test so schema requirements.minItems stays aligned with checker requirement sets.
• Added a release-manifest regression test for custom release_artifacts_dir handling.
• Updated tooling/checksum and release-artifact docs to include public-beta evidence and its governance doc hash coverage.
• Regenerated release-manifest.json and checksum outputs.

Focused validation passed locally:

• python scripts\test_public_beta_evidence.py
• python scripts\check_public_beta_evidence.py
• python scripts\test_release_manifest.py
• python -m py_compile scripts\check_public_beta_evidence.py scripts\test_public_beta_evidence.py scripts\generate_release_manifest.py scripts\test_release_manifest.py
• python scripts\generate_release_manifest.py --check
• python scripts\generate_release_checksums.py --check
• python scripts\test_release_readiness.py
• python scripts\check_release_readiness.py
• python scripts\test_audit_package.py
• python scripts\check_audit_package.py
• python scripts\test_release_artifacts.py
• python scripts\generate_release_artifacts.py --check
• git diff --check