Add non-local release evidence schema #171

Merged
punk6529 merged 2 commits into main from codex/nonlocal-evidence-schema-checker on Jun 12, 2026

Conversation

@punk6529 punk6529 commented Jun 12, 2026

Contributor

Summary

  • Adds a machine-readable non-local release evidence metadata schema, checked template JSON, and retained placeholder artifact that is explicitly not completion evidence.
  • Adds scripts/check_non_local_release_evidence.py plus focused tests for exact fields, environment/chain policy, public-beta requirement IDs, retained path/hash validation, review status, and secret-shaped metadata rejection.
  • Wires the new gate into Makefile, shell/PowerShell wrappers, GitHub Actions, release manifest indexing, checksum coverage, docs, roadmap, changelog, and autonomous run state.

Validation

  • python scripts/test_non_local_release_evidence.py
  • python scripts/check_non_local_release_evidence.py
  • python scripts/test_public_beta_evidence.py
  • python scripts/check_public_beta_evidence.py
  • python scripts/test_release_manifest.py
  • python scripts/generate_release_manifest.py --check
  • python scripts/test_release_checksums.py
  • python scripts/generate_release_checksums.py --check
  • python scripts/test_release_readiness.py
  • python scripts/check_release_readiness.py
  • python scripts/test_changelog_check.py
  • python scripts/check_changelog.py
  • bash -n scripts/check.sh
  • PowerShell parser check for scripts/check.ps1
  • python -m py_compile scripts\check_non_local_release_evidence.py scripts\test_non_local_release_evidence.py scripts\generate_release_manifest.py scripts\test_release_manifest.py scripts\generate_release_checksums.py scripts\test_release_checksums.py
  • git diff --check
  • make check

Closes #170

Summary by CodeRabbit

Release Notes

  • New Features

    • Added validation infrastructure for non-local release evidence metadata, including schema-based validation and automated checking during the release preparation workflow.
    • Release artifacts now include evidence templates and schema definitions for standardized metadata validation.
    • Enhanced release checklist with machine-verifiable evidence validation gates.
  • Documentation

    • Updated release readiness and tooling documentation to include non-local release evidence requirements and validation procedures.
  • Tests

    • Added comprehensive test suites for evidence validation and schema compliance checking.
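Added illustration, not the PR's own checker: a compact Python validator of the kind the description lists (exact field set, environment/chain policy, review status gating completion evidence, retained path and hash validation, secret-shaped metadata rejection). The field names, the environment-to-chain mapping and the secret patterns are assumptions, since the PR's real schema is not shown on this page.

```python
import hashlib
import re
import tempfile
from pathlib import Path
# Assumed field set, environment/chain policy and secret patterns; the PR's real schema may differ.
REQUIRED_FIELDS = {"environment", "chain_id", "source", "retained_artifact", "retained_artifact_sha256",
                   "reviewer", "review_status", "is_completion_evidence"}
ENVIRONMENT_CHAINS = {"staging": 11155111, "public-beta": 1}  # environment -> the one allowed chain id
SECRET_SHAPED = re.compile(r"0x[0-9a-fA-F]{64}|-----BEGIN [A-Z ]*PRIVATE KEY-----|\b(?:sk|ghp)_[A-Za-z0-9]{20,}")


def check_evidence(record: dict, evidence_dir) -> list[str]:
    """Return the policy violations found; an empty list means the record passes the gate."""
    fields = set(record)
    if fields != REQUIRED_FIELDS:  # exact fields: missing and unexpected keys are both rejected
        return [f"field set mismatch, offending keys: {sorted(fields ^ REQUIRED_FIELDS)}"]
    problems = []
    env = record["environment"]
    if env not in ENVIRONMENT_CHAINS:
        problems.append(f"unknown environment {env!r}")
    elif record["chain_id"] != ENVIRONMENT_CHAINS[env]:
        problems.append(f"chain_id {record['chain_id']} is not allowed for {env}")
    if record["is_completion_evidence"] and record["review_status"] != "reviewed":
        problems.append("completion evidence requires review_status == 'reviewed'")
    root = Path(evidence_dir).resolve()
    artifact = (root / record["retained_artifact"]).resolve()
    if root not in artifact.parents:  # path safety: the artifact must stay inside the evidence dir
        problems.append("retained_artifact escapes the evidence directory")
    elif not artifact.is_file():
        problems.append("retained_artifact is missing")
    elif hashlib.sha256(artifact.read_bytes()).hexdigest() != record["retained_artifact_sha256"]:
        problems.append("retained_artifact_sha256 is stale")
    for key, value in record.items():  # secret-shaped strings are rejected wherever they appear
        if isinstance(value, str) and SECRET_SHAPED.search(value):
            problems.append(f"secret-shaped value in {key}")
    return problems


def demo() -> dict[str, list[str]]:
    """Run the checker over constructed records (not project data): one passing, four failing."""
    with tempfile.TemporaryDirectory() as tmp:
        artifact = Path(tmp) / "beta-run-log.txt"
        artifact.write_text("constructed retained artifact\n")
        good = {"environment": "public-beta", "chain_id": 1, "source": "operator runbook",
                "retained_artifact": "beta-run-log.txt", "reviewer": "second-reviewer",
                "retained_artifact_sha256": hashlib.sha256(artifact.read_bytes()).hexdigest(),
                "review_status": "reviewed", "is_completion_evidence": True}
        variants = {"valid": good, "wrong_chain": {**good, "chain_id": 5},
                    "stale_hash": {**good, "retained_artifact_sha256": "00" * 32},
                    "path_escape": {**good, "retained_artifact": "../outside.txt"}, "secret": {**good, "source": "deployer key 0x" + "ab" * 32}}
        return {name: check_evidence(rec, tmp) for name, rec in variants.items()}
```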

@claude claude Bot left a comment


Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.


Contributor Author

@coderabbitai review

coderabbitai Bot commented Jun 12, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 1d55df3 and 7050e0e.

📒 Files selected for processing (24)
  • .github/workflows/ci.yml
  • CHANGELOG.md
  • Makefile
  • docs/non-local-release-evidence.md
  • docs/public-beta-evidence.md
  • docs/release-readiness.md
  • docs/tooling.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • release-artifacts/README.md
  • release-artifacts/evidence/non-local-release-evidence-template.json
  • release-artifacts/evidence/non-local-template-retained-artifact.txt
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-manifest.json
  • release-artifacts/schema/non-local-release-evidence.schema.json
  • scripts/check.ps1
  • scripts/check.sh
  • scripts/check_non_local_release_evidence.py
  • scripts/generate_release_checksums.py
  • scripts/generate_release_manifest.py
  • scripts/test_non_local_release_evidence.py
  • scripts/test_release_checksums.py
  • scripts/test_release_manifest.py

Walkthrough

This PR implements non-local release evidence schema and validation by adding a JSON schema, checker script, comprehensive tests, template artifacts, and integrating validation into release manifest generation, CI workflows, and build gating. Evidence is wired into checksum coverage and documented across runbooks, release procedures, and operational state tracking.

Changes

Non-local Release Evidence Schema and Validation

  • Schema definition and evidence templates
    Files: release-artifacts/schema/non-local-release-evidence.schema.json, release-artifacts/evidence/non-local-release-evidence-template.json, release-artifacts/evidence/non-local-template-retained-artifact.txt
    Defines JSON schema for evidence metadata including environment, chain ID, source, redaction policy, reviewer, and retained artifact hash. Provides a no-secret template marked explicitly as not completion evidence.
  • Validation logic and comprehensive tests
    Files: scripts/check_non_local_release_evidence.py, scripts/test_non_local_release_evidence.py
    Implements validator with type enforcement, enum/pattern constraints, path safety, hash verification, and secret detection. Test suite covers acceptance paths (template, reviewed evidence) and rejection scenarios (invalid requirements, missing files, stale hashes, secret patterns, path escapes).
  • Release manifest and checksum integration
    Files: scripts/generate_release_manifest.py, scripts/generate_release_checksums.py, release-artifacts/latest/release-manifest.json, release-artifacts/latest/release-checksums.json, release-artifacts/latest/SHA256SUMS, scripts/test_release_manifest.py, scripts/test_release_checksums.py
    Extends manifest generator to load and validate non-local evidence records via new non_local_release_evidence_record helper, updates function signatures with non_local_evidence_dir parameter, and includes evidence directory in checksum coverage defaults. Updates test fixtures and assertions to cover evidence generation and validation.
  • CI workflow and build target integration
    Files: .github/workflows/ci.yml, Makefile, scripts/check.sh, scripts/check.ps1
    Adds non-local evidence validation step to CI with log output, creates non-local-release-evidence-check Makefile target, updates wrapper scripts to invoke validation before manifest/checksum verification, and includes scripts in Python syntax checks.
  • Documentation and runbook updates
    Files: docs/non-local-release-evidence.md, docs/public-beta-evidence.md, docs/release-readiness.md, docs/tooling.md, release-artifacts/README.md, CHANGELOG.md
    Adds comprehensive runbook with machine-readable metadata instructions and validation sequence. Updates release procedures to reference schema/checker and include validation commands. Updates CHANGELOG with feature summary.
  • Operational and project state updates
    Files: ops/AUTONOMOUS_RUN.md, ops/ROADMAP.md
    Updates autonomous run worklog to track Queue Item 88 as active PR with goal and implementation notes. Updates roadmap to include schema/checker in release discipline baseline and test matrix; refreshes verification metadata.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

  • 6529-Collections/6529Stream#168: PR #169 added the non-local release evidence intake runbook; this PR extends it with machine-verifiable schema and validation logic to enforce the runbook's metadata structure.

Possibly related PRs

  • 6529-Collections/6529Stream#169: Main PR #169's non-local release evidence runbook is directly extended by adding machine-verifiable metadata schema and check_non_local_release_evidence.py with integration into release-manifest/checksum gates.
  • 6529-Collections/6529Stream#106: Main PR extends scripts/generate_release_manifest.py's manifest-building flow to include non-local release evidence records, building on the machine-readable release manifest implementation introduced in PR #106.
  • 6529-Collections/6529Stream#102: Main PR extends release-checksum bundle generator by updating DEFAULT_COVERED_PATHS to include release-artifacts/evidence, building on the checksum-bundle implementation from PR #102.

🐰 A schema bounds the wild,
A checker finds the flawed,
Evidence sewn with care,
Release gates now stand guard.
No secrets slip through. ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 75.44%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped: CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Add non-local release evidence schema' accurately describes the main change: introduction of a machine-readable schema and validation tooling for non-local release evidence metadata.
  • Linked Issues check: ✅ Passed. The PR fully implements all required coding elements from issue #170: schema, no-secret template, checker script with tests, validation rules, and integration into gates/docs/manifest/checksums/roadmap/changelog.
  • Out of Scope Changes check: ✅ Passed. All changes are directly scoped to issue #170: schema definition, template creation, checker implementation, test suite, documentation updates, and integration into release workflows. No unrelated changes detected.


coderabbitai Bot commented Jun 12, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Successfully merging this pull request may close these issues.

Add non-local release evidence metadata schema and checker