Add drop authorization payload generator

[punk6529]

Summary

• add a no-secret drop authorization payload generator for canonical unsigned fixed-price and auction EIP-712 payload artifacts
• add deterministic payload-generator input/output examples plus tests for drift, hash parity with signed fixtures, sale-mode constraints, missing fields, and secret-shaped input rejection
• wire generator checks through Makefile, shell/PowerShell gates, CI, docs checkers, release readiness/audit/incident docs, roadmap state, changelog, and release artifacts

Closes #180.

Local validation

• python -m py_compile scripts\generate_drop_authorization_payload.py scripts\test_drop_authorization_payload_generator.py scripts\check_drop_authorization_fixtures.py scripts\check_audit_package.py scripts\check_incident_response.py scripts\check_release_readiness.py
• python scripts\test_drop_authorization_payload_generator.py
• python scripts\generate_drop_authorization_payload.py --input test\fixtures\drop-authorization\payload-generator\fixed-price-input.json --output test\fixtures\drop-authorization\payload-generator\fixed-price-output.json --check
• python scripts\generate_drop_authorization_payload.py --input test\fixtures\drop-authorization\payload-generator\auction-input.json --output test\fixtures\drop-authorization\payload-generator\auction-output.json --check
• python scripts\test_drop_authorization_fixtures.py
• python scripts\check_drop_authorization_fixtures.py
• python scripts\test_audit_package.py
• python scripts\check_audit_package.py
• python scripts\test_incident_response.py
• python scripts\check_incident_response.py
• python scripts\test_release_readiness.py
• python scripts\check_release_readiness.py
• python scripts\generate_release_manifest.py --check
• python scripts\generate_release_checksums.py --check
• python scripts\check_changelog.py
• git diff --check passed with only the existing scripts/check.ps1 LF/CRLF warning
• make check

Summary by CodeRabbit

• New Features

  • Added a drop authorization payload generator that produces deterministic unsigned EIP-712 payloads from no-secret templates.

• Tests

  • Added tests validating generator outputs for fixed-price and auction templates and rejecting invalid or secret-like inputs.

• Documentation

  • Updated guides, runbooks, and readiness docs with generator usage, example inputs/outputs, verification commands, and incident guidance.

• Chores

  • Integrated generator checks and new example fixtures into CI, release artifacts, and local verification workflows.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a92c2636-e05c-4f08-89ca-fedc2918b5cd

📥 Commits

Reviewing files that changed from the base of the PR and between 6d3072a and 423988b.

📒 Files selected for processing (7)

• docs/audit-package.md
• docs/incident-response.md
• ops/AUTONOMOUS_RUN.md
• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/release-checksums.json
• release-artifacts/latest/release-manifest.json
• scripts/generate_drop_authorization_payload.py

✅ Files skipped from review due to trivial changes (4)

• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/release-checksums.json
• docs/audit-package.md
• release-artifacts/latest/release-manifest.json

🚧 Files skipped from review as they are similar to previous changes (3)

• docs/incident-response.md
• ops/AUTONOMOUS_RUN.md
• scripts/generate_drop_authorization_payload.py

---

📝 Walkthrough

Walkthrough

Adds a deterministic, no-secret Python CLI to generate canonical unsigned EIP-712 drop authorization payloads for fixed-price and auction templates, with unit tests, committed fixtures, CI/local check integration, documentation updates, and updated release metadata/checksums.

Changes

Drop Authorization Payload Generator

Layer / File(s)	Summary
Generator script implementation scripts/generate_drop_authorization_payload.py	Standalone CLI that generates canonical unsigned EIP-712 payloads from JSON input templates, enforcing a no-secret policy, normalizing numeric fields to decimal strings, hashing tokenData, deriving dropId, validating typed-data via fixture-checker, and writing or verifying deterministic JSON output.
Generator tests and fixtures scripts/test_drop_authorization_payload_generator.py, test/fixtures/drop-authorization/payload-generator/*	Unit tests exercising CLI check-mode and build_payload validations (fixed-price and auction), plus committed input/output fixtures for both sale modes used by tests and CI. Tests cover committed-output freshness, derived hash equality, and validation rejecting zero-address/secret-like/missing-field inputs.
Validation gates and CI integration .github/workflows/ci.yml, Makefile, scripts/check.{sh,ps1}, scripts/check_*.py	CI workflow, Makefile target, shell/PowerShell check scripts, and Python validation modules updated to run generator tests and generator --check invocations for fixed-price and auction fixtures; checkers now require generator command strings and fixture links in docs.
Documentation and user guides docs/drop-authorization-signing.md, docs/audit-package.md, docs/incident-response.md, docs/release-readiness.md, docs/tooling.md, docs/known-blockers.md, ops/ROADMAP.md	New "Unsigned Payload Generator" documentation and added local verification commands; incident-response updated to include generator usage for reissuing reviewed typed data; audit-package, tooling, release-readiness, known-blockers, and roadmap updated to reference unsigned payload-generator examples and required verification commands.
Release metadata and operational tracking release-artifacts/latest/*, CHANGELOG.md, ops/AUTONOMOUS_RUN.md, scripts/test_release_readiness.py	Release checksums/SHA256SUMS and manifest updated with four new fixture entries; CHANGELOG and ops files updated to reflect the PR and new artifacts; test_release_readiness adjusted to expect the new readiness phrase.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• 6529-Collections/6529Stream#179: Prior PR that added drop-authorization fixture checks; this PR wires the unsigned payload generator into that pipeline.

🐰 A tiny CLI hops, no keys in its sack,
It forms typed-data, hashes stacked on track,
Fixed-price and auction, neat fixtures aligned,
Deterministic outputs for signers to find.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'Add drop authorization payload generator' accurately summarizes the main change: introducing a new no-secret CLI tool that generates canonical unsigned EIP-712 payloads for drop authorizations.
Linked Issues check	✅ Passed	The PR successfully implements all required changes from issue #180: adds the payload generator script, sample input/output fixtures for fixed-price and auction modes, comprehensive tests validating drift/hash parity/constraints/secret-rejection, and integrates checks into CI/Makefile/docs/release artifacts.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with issue #180 requirements: the payload generator, tests, documentation updates, CI/release-artifact wiring, and supporting checker updates all serve the core objective of providing production-safe local unsigned EIP-712 payload generation.
Docstring Coverage	✅ Passed	Docstring coverage is 96.88% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/drop-authorization-payload-generator

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[punk6529]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

scripts/generate_drop_authorization_payload.py (1)

309-315: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Preserve exception chain with raise ... from exc.

When re-raising in an exception handler, use raise SystemExit(1) from exc to preserve the chain or raise SystemExit(1) from None to suppress it explicitly.

🔗 Recommended fix

     except DropAuthorizationPayloadError as exc:
         print(f"drop authorization payload generation failed: {exc}", file=sys.stderr)
-        raise SystemExit(1)
+        raise SystemExit(1) from exc

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/generate_drop_authorization_payload.py` around lines 309 - 315, The
exception handler for DropAuthorizationPayloadError should preserve or
explicitly suppress the exception chain when re-raising SystemExit; update the
except block that catches DropAuthorizationPayloadError (referencing main() and
DropAuthorizationPayloadError) to use "raise SystemExit(1) from exc" to preserve
chaining (or "from None" if you intend to suppress it) instead of the current
plain "raise SystemExit(1)".

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/audit-package.md`:
- Around line 209-211: The maintenance checklist labeled "After editing this
file, run:" is missing the new payload-generator verification commands that were
added to the local verification block; update that checklist to include the
three commands — python scripts/test_drop_authorization_payload_generator.py,
python scripts/generate_drop_authorization_payload.py --input
test/fixtures/drop-authorization/payload-generator/fixed-price-input.json
--output
test/fixtures/drop-authorization/payload-generator/fixed-price-output.json
--check, and python scripts/generate_drop_authorization_payload.py --input
test/fixtures/drop-authorization/payload-generator/auction-input.json --output
test/fixtures/drop-authorization/payload-generator/auction-output.json --check —
so both sections list the same maintenance steps and keep the document
consistent.

In `@docs/incident-response.md`:
- Around line 282-286: Update the incident-response runbook wording so the
Recovery step instructs operators to hand the generated typed data (not just the
digest) to the approved signer; reference the no-secret unsigned payload
generator from docs/drop-authorization-signing.md and say to pass the generated
typed data to the signing system and optionally include the digest for
cross-checking/verification (e.g., for isValidSignature inputs), rather than
only “hand[ing] the generated digest to the approved signer.”

---

Outside diff comments:
In `@scripts/generate_drop_authorization_payload.py`:
- Around line 309-315: The exception handler for DropAuthorizationPayloadError
should preserve or explicitly suppress the exception chain when re-raising
SystemExit; update the except block that catches DropAuthorizationPayloadError
(referencing main() and DropAuthorizationPayloadError) to use "raise
SystemExit(1) from exc" to preserve chaining (or "from None" if you intend to
suppress it) instead of the current plain "raise SystemExit(1)".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5422001b-13fe-4428-8114-1edfc6a8845c

📥 Commits

Reviewing files that changed from the base of the PR and between 3e0eedf and 058445a.

📒 Files selected for processing (27)

• .github/workflows/ci.yml
• CHANGELOG.md
• Makefile
• docs/audit-package.md
• docs/drop-authorization-signing.md
• docs/incident-response.md
• docs/known-blockers.md
• docs/release-readiness.md
• docs/tooling.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/release-checksums.json
• release-artifacts/latest/release-manifest.json
• scripts/check.ps1
• scripts/check.sh
• scripts/check_audit_package.py
• scripts/check_drop_authorization_fixtures.py
• scripts/check_incident_response.py
• scripts/check_release_readiness.py
• scripts/generate_drop_authorization_payload.py
• scripts/test_drop_authorization_payload_generator.py
• scripts/test_release_readiness.py
• test/fixtures/drop-authorization/payload-generator/auction-input.json
• test/fixtures/drop-authorization/payload-generator/auction-output.json
• test/fixtures/drop-authorization/payload-generator/fixed-price-input.json
• test/fixtures/drop-authorization/payload-generator/fixed-price-output.json