Add non-local release evidence intake runbook

[punk6529]

Summary

Closes #168.

• Add docs/non-local-release-evidence.md as the no-secret intake runbook for fork/testnet/live, audit, explorer, gas, invariant, checksum-signature, and signed-tag evidence.
• Wire the runbook into release-readiness, public-beta evidence, release policy, tooling, release-artifact docs, roadmap, and durable autonomous run state.
• Treat the runbook as a release-manifest governance document and refresh the generated release manifest/checksum bundle.

Validation

• python scripts/test_release_readiness.py
• python scripts/check_release_readiness.py
• python scripts/test_release_manifest.py
• python scripts/generate_release_manifest.py --check
• python scripts/generate_release_checksums.py --check
• python scripts/check_public_beta_evidence.py
• python scripts/check_changelog.py
• python -m py_compile scripts\check_release_readiness.py scripts\test_release_readiness.py scripts\generate_release_manifest.py scripts\test_release_manifest.py
• rg -n "^#|^##|^###" docs\non-local-release-evidence.md docs\release-readiness.md docs\public-beta-evidence.md docs\release-policy.md docs\tooling.md ops\ROADMAP.md ops\AUTONOMOUS_RUN.md
• git diff --check
• make check

Notes

No Solidity behavior changes. This PR is documentation, release-check tooling, generated release evidence, roadmap, and run-state only.

Summary by CodeRabbit

• Documentation
  • Added a non-local release evidence intake runbook and integrated it into release policy, readiness, tooling, roadmap, and governance docs.
• Chores
  • Included the runbook in generated release manifests and updated release artifact checksums/manifest metadata.
• Tests
  • Expanded tests to cover runbook evidence requirements and adjusted fixtures/validators to enforce runbook-compliant evidence.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[punk6529]

@coderabbitai review

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a comprehensive non-local release evidence intake runbook (docs/non-local-release-evidence.md), wires it into release-policy/readiness/public-beta docs and tooling, updates release-manifest and checksums to include the new doc, and records related ops/roadmap state changes.

Changes

Non-Local Release Evidence Intake Runbook

Layer / File(s)	Summary
Non-local evidence runbook and changelog docs/non-local-release-evidence.md, CHANGELOG.md	Adds a 308-line operator runbook defining evidence families, required retained fields (environment, chain ID, block/reference, command/source, retained path, sha256, redaction statement, owner, reviewer), intake workflow, per-family checklists, a no-secret checklist, rules for updating public-beta-evidence.json, and a reviewer acceptance checklist; CHANGELOG documents the addition.
Release documentation integration docs/public-beta-evidence.md, docs/release-policy.md, docs/release-readiness.md, docs/tooling.md	Updates to require following the runbook before moving fork/testnet/live/audit/explorer/gas/invariant/signature/signed-tag evidence rows to complete; release-impacting file list and release checklist reference the runbook; readiness dashboard sections and tooling docs link to and enforce the runbook.
Release readiness tooling and test fixtures scripts/check_release_readiness.py, scripts/generate_release_manifest.py, scripts/test_release_manifest.py, scripts/test_release_readiness.py	check_release_readiness.py now requires the phrase "non-local release evidence" and a link to docs/non-local-release-evidence.md; generate_release_manifest.py adds the runbook to DEFAULT_GOVERNANCE_DOCS; tests seed the new doc and adjust a fixture line break.
Public-beta evidence checker and tests scripts/check_public_beta_evidence.py, scripts/test_public_beta_evidence.py	Checker adds runbook-review requirement constants, discovery and validation helpers, and requires reviewed runbook metadata for certain complete requirement IDs; tests add runbook-evidence helper and cases for missing/invalid/accepted_risk behaviors.
Release artifacts and manifests regenerated release-artifacts/README.md, release-artifacts/latest/SHA256SUMS, release-artifacts/latest/release-checksums.json, release-artifacts/latest/release-manifest.json	Release manifest and checksum files updated to include docs/non-local-release-evidence.md and refreshed sha256/size metadata for CHANGELOG and affected governance docs; README line-wrapping adjusted.
Repository roadmap and operations state ops/AUTONOMOUS_RUN.md, ops/ROADMAP.md	AUTONOMOUS_RUN updated to mark Queue Item 86 merged and Queue Item 87 in progress with PR #169 worklog; ROADMAP updated to include non-local evidence intake in smoke baseline, machine-verifiable baseline, Gate G required evidence, release checklist, and Appendix B test-matrix rows.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• #166: Both touch ops/ROADMAP.md and AUTONOMOUS_RUN.md to reconcile Gate G/public-beta evidence state.
• #164: Both modify the public-beta evidence workflow and integrate evidence manifests/checkers with release tooling.

Possibly related PRs

• 6529-Collections/6529Stream#165: Related release-evidence tooling work; connects to the public-beta evidence manifest/checkers.
• 6529-Collections/6529Stream#167: Prior ops/roadmap/autonomous-run updates that this PR builds on.
• 6529-Collections/6529Stream#138: Related manifest-generation change adding governance docs.

Poem

🐰 A runbook hops into place,
Evidence sorted, tracked with grace,
Redaction guards keep secrets tight,
Reviewers stamp the record right,
Releases breathe a little lighter.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add non-local release evidence intake runbook' directly describes the primary change: introducing a new documentation runbook for non-local release evidence intake.
Linked Issues check	✅ Passed	The PR fully implements the required changes from #168: adds the non-local release evidence intake runbook document covering all specified evidence families, defines required artifact fields, includes no-secret redaction rules, integrates the runbook into release-readiness/policy/tooling/roadmap/checkers, and updates generated release artifacts as required.
Out of Scope Changes check	✅ Passed	All changes are scoped to documentation, release-readiness/public-beta checkers, generated manifest/checksum artifacts, and autonomous run state—all directly supporting the non-local evidence runbook objective with no extraneous changes.
Docstring Coverage	✅ Passed	Docstring coverage is 94.12% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/nonlocal-release-evidence-runbook

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docs/non-local-release-evidence.md (1)

308-309: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove the trailing blank line at EOF.

The extra newline is already failing the Foundry smoke formatting check in CI.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/non-local-release-evidence.md` around lines 308 - 309, The Markdown
document named non-local-release-evidence.md ends with an extra blank line that
fails the Foundry smoke formatter; open the document, remove the trailing empty
newline so the file ends immediately after the last content line (no extra blank
line or whitespace at EOF), save and commit the change so the formatter check
will pass.

Source: Pipeline failures

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/public-beta-evidence.md`:
- Around line 102-107: Update the intake gate so evidence families
"production_broadcast_retention" and "production_address_books" are treated like
the other retained families that require the non-local release evidence intake
runbook review: modify the docs step that lists the runbook check (the line
calling the "non-local release evidence intake runbook") to explicitly include
those two families, and update the enforcement logic in
check_public_beta_evidence.py to mark any requirement depending on
production_broadcast_retention or production_address_books as needing the
runbook (so they cannot reach "complete" without review); keep risk_acceptance
behavior unchanged and ensure the release manifest/checksum bundle regeneration
still runs.

In `@ops/ROADMAP.md`:
- Around line 2189-2193: Update the listed bullets that currently say generic
“signature” or “signed-tag” to explicitly call out the checksum-backed
production-signature family (e.g., “checksum-backed production-signature” or
“production-signature (checksum-backed)”) so the intake scope matches
docs/non-local-release-evidence.md; search for the phrases "signature" and
"signed-tag" in the affected bullets (including the repeated instance at the
other location) and replace or augment them with the explicit checksum-backed
production-signature wording to keep Gate G aligned with the runbook.
- Line 2402: The ROADMAP entry for "Release artifact catalog" incorrectly
implies docs/non-local-release-evidence.md is generated; update the table text
so the runbook is listed as an input (not a generated artifact). Edit the
"Release artifact catalog" row in ops/ROADMAP.md: change the phrase(s) that
suggest machine-generation (e.g., "non-local evidence intake" and the placement
of `docs/non-local-release-evidence.md`) to explicitly call it a maintained
governance input/runbook (for example "non-local release evidence runbook
(input): docs/non-local-release-evidence.md") so the docs file is not presented
as a generated artifact.

---

Outside diff comments:
In `@docs/non-local-release-evidence.md`:
- Around line 308-309: The Markdown document named non-local-release-evidence.md
ends with an extra blank line that fails the Foundry smoke formatter; open the
document, remove the trailing empty newline so the file ends immediately after
the last content line (no extra blank line or whitespace at EOF), save and
commit the change so the formatter check will pass.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 10cedc74-dbfe-485b-868d-2814cdb70335

📥 Commits

Reviewing files that changed from the base of the PR and between e11dc44 and 7e394ef.

📒 Files selected for processing (16)

• CHANGELOG.md
• docs/non-local-release-evidence.md
• docs/public-beta-evidence.md
• docs/release-policy.md
• docs/release-readiness.md
• docs/tooling.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• release-artifacts/README.md
• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/release-checksums.json
• release-artifacts/latest/release-manifest.json
• scripts/check_release_readiness.py
• scripts/generate_release_manifest.py
• scripts/test_release_manifest.py
• scripts/test_release_readiness.py

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ops/AUTONOMOUS_RUN.md`:
- Around line 149-152: Update the Status line under the "PR candidate: Add
non-local release evidence intake runbook (Queue Item 87)" heading to reflect
the true phase for PR `#169` — replace "CodeRabbit follow-up implemented and
validated locally; ready to push follow-up commit and wait for final
CI/CodeRabbit rerun." with a clear state such as "follow-up pushed; awaiting
CI/CodeRabbit verification" or "follow-up merged; CI/CodeRabbit passed" as
appropriate, so the resume state is unambiguous for the next operator.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e2ba78f5-ae53-4d9b-8ac4-7510052e6016

📥 Commits

Reviewing files that changed from the base of the PR and between 333657d and 93917b2.

📒 Files selected for processing (8)

• docs/public-beta-evidence.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/release-checksums.json
• release-artifacts/latest/release-manifest.json
• scripts/check_public_beta_evidence.py
• scripts/test_public_beta_evidence.py

✅ Files skipped from review due to trivial changes (3)

• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/release-checksums.json
• ops/ROADMAP.md

🚧 Files skipped from review as they are similar to previous changes (2)

• docs/public-beta-evidence.md
• release-artifacts/latest/release-manifest.json

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Make the PR #169 status reflect the actual phase.

This says the follow-up is still “ready to push,” but the later notes already describe the follow-up fixes and regenerated artifacts. That makes the resume state ambiguous for the next operator.

Suggested cleanup

-Status: CodeRabbit follow-up implemented and validated locally; ready to push follow-up commit and wait for final CI/CodeRabbit rerun.
+Status: CodeRabbit follow-up is implemented locally; next step is to push the follow-up commit and rerun CI/CodeRabbit.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ops/AUTONOMOUS_RUN.md` around lines 149 - 152, Update the Status line under
the "PR candidate: Add non-local release evidence intake runbook (Queue Item
87)" heading to reflect the true phase for PR `#169` — replace "CodeRabbit
follow-up implemented and validated locally; ready to push follow-up commit and
wait for final CI/CodeRabbit rerun." with a clear state such as "follow-up
pushed; awaiting CI/CodeRabbit verification" or "follow-up merged; CI/CodeRabbit
passed" as appropriate, so the resume state is unambiguous for the next
operator.