Add drop authorization signing evidence checks #185

Merged: punk6529 merged 4 commits into main from codex/drop-signing-evidence-schema on Jun 13, 2026

punk6529 commented Jun 13, 2026

Summary

  • Add a no-secret drop authorization signing evidence schema, checked local template, retained artifact placeholder, and validator/test suite.
  • Wire the evidence checker into Makefile, shell/PowerShell wrappers, GitHub Actions, release manifest generation, and release checksum coverage.
  • Update signing, audit, incident-response, release-readiness, public-beta, tooling, roadmap, run-state, and changelog docs while preserving the distinction between a local template and real production signing evidence.

Validation

  • python -m py_compile scripts\check_drop_authorization_signing_evidence.py scripts\test_drop_authorization_signing_evidence.py scripts\generate_release_manifest.py scripts\test_release_manifest.py scripts\generate_release_checksums.py scripts\test_release_readiness.py
  • python scripts\test_drop_authorization_signing_evidence.py
  • python scripts\check_drop_authorization_signing_evidence.py
  • python scripts\test_release_manifest.py
  • python scripts\generate_release_manifest.py --check
  • python scripts\test_release_checksums.py
  • python scripts\generate_release_checksums.py --check
  • python scripts\test_release_readiness.py
  • python scripts\check_release_readiness.py
  • python scripts\test_audit_package.py
  • python scripts\check_audit_package.py
  • python scripts\test_incident_response.py
  • python scripts\check_incident_response.py
  • python scripts\test_drop_authorization_payload_generator.py
  • python scripts\test_drop_authorization_fixtures.py
  • python scripts\check_drop_authorization_fixtures.py
  • python scripts\test_public_beta_evidence.py
  • python scripts\check_public_beta_evidence.py
  • python scripts\test_non_local_release_evidence.py
  • python scripts\check_non_local_release_evidence.py
  • python scripts\test_changelog_check.py
  • python scripts\check_changelog.py
  • git diff --check
  • make check
  • powershell -ExecutionPolicy Bypass -File scripts\check.ps1

Closes #183

Summary by CodeRabbit

  • New Features

    • Added a standardized drop-authorization signing evidence schema and a checked no-secret evidence template for capturing signing outputs.
  • Chores

    • Integrated signing-evidence validation into CI/check and release manifest/checksum generation.
    • Included signing-evidence artifacts in release inputs and checksum bundles.
  • Documentation

    • Expanded guides, runbooks, and release checklists with signing-evidence guidance and local verification commands.
  • Tests

    • Added unit tests and CI test steps covering acceptance and rejection scenarios for signing evidence.

@claude claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

Contributor Author

@coderabbitai review

Please review this no-secret drop authorization signing evidence schema/checker PR. Scope is documentation, Python validators/tests, CI/local gate wiring, and release artifact manifest/checksum coverage only; no Solidity behavior changes are intended.

coderabbitai Bot commented Jun 13, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 088f9463-d621-4b3f-af02-e283a7758caf

📥 Commits

Reviewing files that changed from the base of the PR and between a45232d and fa1a6e9.

📒 Files selected for processing (9)
  • docs/incident-response.md
  • docs/tooling.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-manifest.json
  • scripts/check_drop_authorization_signing_evidence.py
  • scripts/test_drop_authorization_signing_evidence.py
✅ Files skipped from review due to trivial changes (3)
  • docs/incident-response.md
  • docs/tooling.md
  • ops/ROADMAP.md
🚧 Files skipped from review as they are similar to previous changes (4)
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-manifest.json
  • ops/AUTONOMOUS_RUN.md

Walkthrough

This PR implements drop-authorization signing evidence: a strict JSON Schema, a checked no-secret template and retained-artifact placeholder, a CLI checker with deterministic tests, manifest and checksum integration, CI/Make gating, policy/docs updates, and ops state changes.

Changes

Drop Authorization Signing Evidence

| Layer | File(s) | Summary |
|---|---|---|
| Schema and committed evidence template | release-artifacts/schema/drop-authorization-signing-evidence.schema.json, release-artifacts/drop-authorization-signing/drop-authorization-signing-evidence-template.json, release-artifacts/drop-authorization-signing/drop-authorization-signing-retained-artifact.txt, release-artifacts/latest/SHA256SUMS, release-artifacts/latest/release-checksums.json | Defines the JSON Schema, commits a no-secret template and retained-artifact placeholder, and updates checksum entries for the new artifacts. |
| Checker implementation | scripts/check_drop_authorization_signing_evidence.py | Implements a strict CLI validator that enforces exact top-level keys, typed-data/payload cross-checks, derived digest equality, retained-file path confinement and sha256 validation, signature/review/redaction rules, secret-like scanning, and CLI error handling. |
| Deterministic tests and fixtures | scripts/test_drop_authorization_signing_evidence.py, scripts/test_release_manifest.py, scripts/test_release_checksums.py | Adds unit tests that seed deterministic payload/retained-artifact fixtures, exercise acceptance and many rejection cases (hash mismatch, path escape, payload/epoch/values, secret-like data), and extends manifest/checksum tests for the new evidence. |
| Manifest generation & checksum pipeline | scripts/generate_release_manifest.py, scripts/generate_release_checksums.py, release-artifacts/latest/release-manifest.json | Adds drop_authorization_signing_record() validation/normalization, threads --drop-authorization-signing-dir through CLI paths, emits release.source.drop_authorization_signing_dir and drop_authorization_signing_evidence in manifest, and includes the evidence dir in checksum coverage. |
| CI, Make targets, and cross-platform check scripts | .github/workflows/ci.yml, Makefile, scripts/check.sh, scripts/check.ps1 | Byte-compiles and runs the new test/check scripts in CI, adds drop-authorization-signing-evidence-check Make target wired into check/release-manifest flows, and runs the test/check phase in local check scripts. |
| Docs, governance & policy validators | CHANGELOG.md, docs/drop-authorization-signing.md, docs/incident-response.md, docs/audit-package.md, docs/known-blockers.md, docs/public-beta-evidence.md, docs/release-policy.md, docs/release-readiness.md, docs/status.md, docs/tooling.md, release-artifacts/README.md, scripts/check_audit_package.py, scripts/check_incident_response.py, scripts/check_release_readiness.py | Updates documentation to document the template, checker commands, and evidence expectations; extends validators and runbook checkers to require the new commands, phrases, and artifact links. |
| Autonomous run queue & roadmap state | ops/AUTONOMOUS_RUN.md, ops/ROADMAP.md | Advances repository durable state and worklog to reflect the active PR and updates roadmap verification metadata and decision-log entries. |

Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

🐰 I hopped through schemas with hashes in paw,
I checked each payload, signature, and law.
Templates with no secrets, tests tidy and neat,
CI logs humming as checks all complete.
A rabbit cheers softly — release dance, repeat!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title clearly and specifically describes the main change: adding drop authorization signing evidence checks, which aligns with the primary objective and scope of issue #183. |
| Linked Issues check | ✅ Passed | The PR comprehensively implements all coding requirements from issue #183: JSON schema, no-secret template, validator/checker, tests, CI/Makefile wiring, release manifest/checksum coverage, and documentation updates preserving local-vs-production distinction. |
| Out of Scope Changes check | ✅ Passed | All changes align with the defined scope: JSON schema, Python validators/tests, CI/shell/PowerShell wiring, documentation, and release artifacts. No Solidity changes, private keys, or out-of-scope modifications are present. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 84.00% which is sufficient. The required threshold is 80.00%. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai Bot commented Jun 13, 2026

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get PR details and file list
gh pr view 185 --repo 6529-Collections/6529Stream --json title,body,files,additions,deletions,changedFiles 2>/dev/null | head -200

echo "=== FILES CHANGED ==="
gh pr diff 185 --repo 6529-Collections/6529Stream --name-only 2>/dev/null

Length of output: 6877


🏁 Script executed:

#!/bin/bash
# Get full diff of the PR
gh pr diff 185 --repo 6529-Collections/6529Stream 2>/dev/null | head -3000

Length of output: 159941


🏁 Script executed:

#!/bin/bash
# Get the rest of the diff
gh pr diff 185 --repo 6529-Collections/6529Stream 2>/dev/null | tail -n +3000

Length of output: 23123


🏁 Script executed:

#!/bin/bash
# Check the new scripts more carefully
cat scripts/check_drop_authorization_signing_evidence.py 2>/dev/null | grep -n "SECRET_KEY_RE\|SECRET_VALUE_RE\|scan_for_secret" | head -30

# Check the test file
cat scripts/test_drop_authorization_signing_evidence.py 2>/dev/null | grep -n "def test_" | head -50

# Check SHA256SUMS integrity - do the hashes in SHA256SUMS match actual files
echo "=== Checking SHA256SUMS alignment with release-checksums.json ==="
python3 -c "
import json, re
with open('release-artifacts/latest/SHA256SUMS') as f:
    lines = [l.strip() for l in f if l.strip()]
sums = {}
for line in lines:
    parts = line.split('  ', 1)
    if len(parts) == 2:
        sums[parts[1]] = parts[0]

with open('release-artifacts/latest/release-checksums.json') as f:
    checksums = json.load(f)

for entry in checksums.get('files', []):
    path = entry['path']
    sha = entry['sha256'].replace('sha256:', '')
    if path in sums:
        if sums[path] != sha:
            print(f'MISMATCH: {path}')
    else:
        print(f'MISSING from SHA256SUMS: {path}')
print('Cross-check done')
" 2>/dev/null || echo "Script failed"

# Look at the structure of the generate_release_manifest.py import to confirm it works
head -20 scripts/generate_release_manifest.py 2>/dev/null

Length of output: 3267


🏁 Script executed:

#!/bin/bash
# Check if there's a stale hash risk - does the checker verify hashes at runtime?
grep -n "stale\|hash.*check\|check.*hash\|file_sha256\|sha256_bytes" scripts/check_drop_authorization_signing_evidence.py | head -40

# Check that SHA256SUMS self-hash entry is updated
grep "SHA256SUMS\|release-checksums" release-artifacts/latest/SHA256SUMS 2>/dev/null

# Examine the validate_file_ref to see if it actually reads + verifies hashes at check time
grep -n "validate_file_ref\|validate_retained" scripts/check_drop_authorization_signing_evidence.py | head -20

# Check for self-referential SHA256 issue: does release-checksums.json hash itself?
grep "release-checksums.json" release-artifacts/latest/SHA256SUMS 2>/dev/null

# Check the drop-authorization-signing-evidence-template.json to understand retained artifact hashes
cat release-artifacts/drop-authorization-signing/drop-authorization-signing-evidence-template.json 2>/dev/null

Length of output: 5825


🏁 Script executed:

#!/bin/bash
# Check test file completeness
cat scripts/test_drop_authorization_signing_evidence.py 2>/dev/null

echo "=== test_release_manifest.py changes ==="
git diff origin/main...HEAD -- scripts/test_release_manifest.py 2>/dev/null | head -300

echo "=== test_release_readiness.py changes ==="
git diff origin/main...HEAD -- scripts/test_release_readiness.py 2>/dev/null | head -100

echo "=== test_release_checksums.py changes ==="
git diff origin/main...HEAD -- scripts/test_release_checksums.py 2>/dev/null | head -100

Length of output: 32248



@punk6529: Reviewed. The PR is clean and well-scoped — no Solidity changes, no production-readiness claims, and the committed template stays clearly local-only. Below is the detailed feedback.


Summary

| Area | Verdict |
|---|---|
| Schema (drop-authorization-signing-evidence.schema.json) | ✅ Sound — additionalProperties: false, correct $defs, const/enum constraints, proper regex patterns for sha256, address, bytes32 |
| Checker (check_drop_authorization_signing_evidence.py) | ✅ Logic is thorough — runtime file hashing, payload cross-validation, path boundary enforcement, non-local/production escalation gates, secret scanning |
| Test suite | ✅ 13 tests; happy path + 11 rejection scenarios |
| CI / Makefile / shell / PowerShell wiring | ✅ Consistent across all four surfaces |
| Release manifest / checksum coverage | ✅ SHA256SUMS vs release-checksums.json cross-check: no mismatches |
| Documentation | ✅ All affected docs updated; local-template vs production distinction preserved throughout |

Minor findings

1. SECRET_KEY_RE false-positive risk on keys ending in _secret

File: scripts/check_drop_authorization_signing_evidence.py — lines 132–142 and 353–365

The final branch (^|[_\-\s])secret$ matches any key whose last segment is secret — for example a future key named no_secret (without the trailing s) would be flagged because _secret at end-of-string satisfies [_\-\s]secret$. SAFE_SECRET_POLICY_KEYS only whitelists "no_secrets" (with s).

In practice the committed key names are fully controlled and none collide, so this is not a live bug. It is worth a comment in case a future contributor adds a legitimate metadata key ending in _secret.

# Consider adding a code comment near SECRET_KEY_RE:
# NOTE: The (^|[_\-\s])secret$ branch catches any key whose last segment is
# "secret". If you add a metadata key whose name legitimately ends with the
# word "secret" (e.g., "no_secret"), add it to SAFE_SECRET_POLICY_KEYS.
SAFE_SECRET_POLICY_KEYS = frozenset({"redaction_policy", "no_secrets", "redacted_fields"})

2. Missing test for record_type="evidence" + review_status="template" cross-check

File: scripts/test_drop_authorization_signing_evidence.py

The checker at line ~676 rejects record_type="evidence" paired with review_status="template", but no test exercises that branch. Consider adding:

def test_rejects_evidence_record_with_template_review_status(self) -> None:
    """evidence records cannot carry template review_status."""
    with tempfile.TemporaryDirectory() as temp_dir:
        root = Path(temp_dir)
        evidence = valid_evidence(root)
        evidence["record_type"] = "evidence"
        evidence["review_status"] = "template"
        path = root / "release-artifacts/drop-authorization-signing/example.json"
        write_json(path, evidence)

        with self.assertRaisesRegex(
            checker.DropAuthorizationSigningEvidenceError,
            "evidence records cannot use template review_status",
        ):
            checker.validate_evidence(path, root)

3. Test fixture redacted_fields missing seed_phrase

File: scripts/test_release_manifest.py — the seed_release_tree fixture (redacted_fields list inside the drop-authorization signing template block)

The committed template at release-artifacts/drop-authorization-signing/drop-authorization-signing-evidence-template.json includes "seed_phrase" in redacted_fields; the test fixture omits it. This causes no failures today (schema only requires minItems: 1) but creates a drift between the fixture and the real template that could mask future regressions.


Observations (no action required)

  • validate_file_ref correctly reads and re-hashes files at check time — stale hash detection works end-to-end, confirmed by test_rejects_stale_retained_hash.
  • resolve_repo_file path-escape check (".." in candidate.parts) is correct for pathlib.Path on both platforms.
  • validate_payload cross-validation (domain/message/derived fields against the actual referenced payload file) is solid and meaningfully tied to the upstream check_drop_authorization_fixtures output.
  • Production gate (must be reviewed + approved + signed + verified + have signature_verification retained artifact) is correctly layered across validate_signing_identity, validate_signature, validate_review, and validate_retained_artifacts.
  • Release manifest size grows from ~23 KB to ~31 KB due to full evidence document embedding — consistent with the existing non_local_release_evidence pattern.
  • drop_authorization_signing_dir default alignment in test_generator_rejects_invalid_drop_authorization_signing_evidence works correctly because seed_release_tree places the template at the same relative path the manifest generator's default resolves to.

The three findings above are all minor (one documentation note, one missing negative test, one fixture inconsistency). The core validator, schema, template, and CI wiring are all correct as written. Approving is reasonable once you've considered the items above.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
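
The false-positive case from finding 1 above, as an added example that is not the project's code: it compiles only the one `SECRET_KEY_RE` branch quoted in the review and reuses the quoted `SAFE_SECRET_POLICY_KEYS`. The walker `flag_secret_like_keys`, the allowlist-before-regex order and the sample document are assumptions constructed for illustration.

```python
import re

# The one branch of SECRET_KEY_RE quoted in the review. The rest of the
# project's pattern is not shown on this page and is not reproduced here.
SECRET_SUFFIX_RE = re.compile(r"(^|[_\-\s])secret$")

# Allowlist exactly as quoted in the review comment.
SAFE_SECRET_POLICY_KEYS = frozenset({"redaction_policy", "no_secrets", "redacted_fields"})

# Constructed sample evidence document (not the committed template).
SAMPLE = {
    "record_type": "template",
    "redaction_policy": {
        "no_secrets": True,   # allowlisted, and "secrets" does not end in "secret"
        "no_secret": True,    # hypothetical future key from the review
        "redacted_fields": ["seed_phrase"],
    },
    "signing_identity": {"client_secret": "<redacted>", "signer_epoch": 0},
    "notes": [{"secretary": "n/a"}, {"secret": "x"}],
}


def flag_secret_like_keys(node, allowlist=SAFE_SECRET_POLICY_KEYS, path=""):
    """Return dotted paths of every object key that the suffix branch flags.

    Hypothetical walker: keys in `allowlist` are skipped before the regex
    runs, which is the behaviour the review's suggested comment implies.
    """
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key not in allowlist and SECRET_SUFFIX_RE.search(key):
                hits.append(here)
            # Keep descending: a flagged or allowlisted key can hold nested objects.
            hits.extend(flag_secret_like_keys(value, allowlist, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(flag_secret_like_keys(item, allowlist, f"{path}[{index}]"))
    return hits


if __name__ == "__main__":
    print("default allowlist :", flag_secret_like_keys(SAMPLE))
    extended = SAFE_SECRET_POLICY_KEYS | {"no_secret"}
    print("with 'no_secret'  :", flag_secret_like_keys(SAMPLE, extended))
```

With the default allowlist the policy key `no_secret` is reported alongside the genuinely suspicious `client_secret` and `secret` keys; adding it to the allowlist removes only that one hit.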

coderabbitai Bot left a comment

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docs/tooling.md (1)

357-365: ⚠️ Potential issue | 🟡 Minor

Fix docs: checksum generator already hashes release-artifacts/schema/drop-authorization-signing-evidence.schema.json
scripts/generate_release_checksums.py includes the whole release-artifacts/schema directory in DEFAULT_COVERED_PATHS, and for directories it hashes all files recursively (rglob("*")), so the drop-authorization-signing-evidence.schema.json file is covered in the generated checksums. Update the docs/tooling.md coverage list (lines 357-365) to also mention release-artifacts/schema/ for consistency with the generator.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/tooling.md` around lines 357 - 365, Update the documentation list to
reflect that scripts/generate_release_checksums.py (see DEFAULT_COVERED_PATHS
and its use of rglob("*")) includes the entire release-artifacts/schema
directory; specifically add "release-artifacts/schema/" to the coverage list in
the tooling docs where
release-artifacts/schema/drop-authorization-signing-evidence.schema.json is
currently omitted so the docs match the generator's behavior.
🧹 Nitpick comments (1)
docs/incident-response.md (1)

268-270: ⚡ Quick win

Reference the schema and retained-artifact hash anchor here too.

The signer-compromise checklist currently points responders at the template and checker, but it skips the schema and retained-artifact file that the checker uses to validate the evidence chain. Adding those links keeps the runbook aligned with the actual contract and avoids treating the local example as the source of truth.

Per the PR objectives, retained signing evidence must validate retained artifact paths/hashes separately from the template.

♻️ Suggested edit
 - Compare the payload and digest with
   [`docs/drop-authorization-signing.md`](drop-authorization-signing.md).
+- Compare retained signing evidence with
+  [`release-artifacts/schema/drop-authorization-signing-evidence.schema.json`](../release-artifacts/schema/drop-authorization-signing-evidence.schema.json)
+  and
+  [`release-artifacts/drop-authorization-signing/drop-authorization-signing-retained-artifact.txt`](../release-artifacts/drop-authorization-signing/drop-authorization-signing-retained-artifact.txt).
 - Compare retained signing ceremony metadata with
   [`release-artifacts/drop-authorization-signing/drop-authorization-signing-evidence-template.json`](../release-artifacts/drop-authorization-signing/drop-authorization-signing-evidence-template.json)
   and `python scripts/check_drop_authorization_signing_evidence.py`.
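Review bot: The added bullet tells responders to compare retained signing evidence with drop-authorization-signing-retained-artifact.txt but does not say that this file is the placeholder the PR description describes, so a responder could read the committed local file as the reference for a real signer-compromise response. Mark it in the bullet as a local placeholder, distinct from production signing evidence, and keep the checker command in the following bullet as the step that actually validates retained paths and hashes.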
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/incident-response.md` around lines 268 - 270, Update the
signer-compromise checklist to include direct links to the evidence schema and
the retained-artifact hash anchor that the checker uses: add references
alongside the existing template
(`release-artifacts/drop-authorization-signing/drop-authorization-signing-evidence-template.json`)
and the checker script (`python
scripts/check_drop_authorization_signing_evidence.py`), explicitly linking the
schema file used for validation and the retained-artifact hash/paths document
(the retained-artifact anchor) so responders validate retained artifact
paths/hashes against the canonical contract rather than only the local template.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ops/ROADMAP.md`:
- Around line 103-104: Update the ROADMAP entry that currently uses the phrase
"externally reviewed" to avoid implying a completed third-party audit; locate
the table row containing the Docs column text and the phrase "externally
reviewed" and either remove that phrase or replace it with "merged/local
evidence only" (or equivalent wording) so it matches docs/audit-package.md's
description of a pre-audit local baseline; ensure the change appears in the same
table cell that lists `docs/audit-package.md` and related docs so the wording is
consistent with the stated scope.
- Around line 85-90: Replace the vague, time-relative CI/status wording and the
unsupported “audit docs merged and externally reviewed” claim in the ROADMAP
entry: locate the exact phrases "GitHub Actions and CodeRabbit pending until PR
creation" / "Pending … until PR creation" and replace them with concrete status
or a dated artifact reference (e.g., latest GitHub Actions run ID, CodeRabbit
report link, or a timestamped statement), and either remove or substantiate the
"audit docs merged and externally reviewed" sentence by adding links/evidence or
rephrasing to accurately reflect it as a pre-audit local baseline; update the CI
run / verification fields (the lines mentioning CI run and status) to match the
chosen concrete artifacts so the ROADMAP.md entries are factual and timestamped.

In `@scripts/check_drop_authorization_signing_evidence.py`:
- Around line 422-434: The numeric checks currently call require_int (and
require_positive_int for sale_mode) but the schema requires non-negative values
for collection_id, signer_epoch, nonce, deadline and
signing_identity.signer_epoch; update the validation so the numeric_comparisons
loop uses require_non_negative_int for those keys (keep sale_mode using
require_positive_int if intended), replacing require_int calls with
require_non_negative_int, and also replace the separate check for
signing_identity.signer_epoch to call require_non_negative_int instead of
require_int; refer to numeric_comparisons, require_int,
require_non_negative_int, require_positive_int, and the
"signing_identity.signer_epoch" check to locate and change the calls.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fb06f0ca-f8dc-4a6e-add2-2867235787fe

📥 Commits

Reviewing files that changed from the base of the PR and between 1a6b069 and d72b58e.

📒 Files selected for processing (33)
  • .github/workflows/ci.yml
  • CHANGELOG.md
  • Makefile
  • docs/audit-package.md
  • docs/drop-authorization-signing.md
  • docs/incident-response.md
  • docs/known-blockers.md
  • docs/public-beta-evidence.md
  • docs/release-policy.md
  • docs/release-readiness.md
  • docs/status.md
  • docs/tooling.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • release-artifacts/README.md
  • release-artifacts/drop-authorization-signing/drop-authorization-signing-evidence-template.json
  • release-artifacts/drop-authorization-signing/drop-authorization-signing-retained-artifact.txt
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-manifest.json
  • release-artifacts/schema/drop-authorization-signing-evidence.schema.json
  • scripts/check.ps1
  • scripts/check.sh
  • scripts/check_audit_package.py
  • scripts/check_drop_authorization_signing_evidence.py
  • scripts/check_incident_response.py
  • scripts/check_release_readiness.py
  • scripts/generate_release_checksums.py
  • scripts/generate_release_manifest.py
  • scripts/test_drop_authorization_signing_evidence.py
  • scripts/test_release_checksums.py
  • scripts/test_release_manifest.py
  • scripts/test_release_readiness.py

Comment thread ops/ROADMAP.md Outdated
Comment thread ops/ROADMAP.md Outdated
Comment thread scripts/check_drop_authorization_signing_evidence.py
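
The retained-artifact path and hash validation that both reviews refer to (the `".." in candidate.parts` check and re-hashing at check time), as an added example that is not the project's `resolve_repo_file` or `validate_file_ref`. It goes beyond the `..` check by also rejecting symlinks that resolve outside the tree; the function names, error codes, `sha256:`-prefixed digest format and the temporary tree are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path, PurePosixPath

# Assumed digest format: "sha256:" followed by 64 lowercase hex characters.
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


class EvidenceRefError(ValueError):
    """A retained-artifact reference failed a check (hypothetical error type)."""


def confine_to_repo(root: Path, ref_path: str) -> Path:
    """Map a repo-relative POSIX path to a real file that lives under root."""
    candidate = PurePosixPath(ref_path)
    # Lexical gate: no absolute paths, no "..", no Windows separators or drives.
    if candidate.is_absolute() or ".." in candidate.parts or "\\" in ref_path or ":" in ref_path:
        raise EvidenceRefError("path-escape")
    resolved = root.joinpath(*candidate.parts).resolve()
    try:
        # Resolution gate: a symlink inside the tree must not lead outside it.
        resolved.relative_to(root.resolve())
    except ValueError:
        raise EvidenceRefError("resolves-outside-root") from None
    if not resolved.is_file():
        raise EvidenceRefError("missing-file")
    return resolved


def verify_retained_ref(root: Path, ref: dict) -> str:
    """Re-hash the referenced file now and compare with the recorded digest."""
    recorded = ref["sha256"]
    if not DIGEST_RE.fullmatch(recorded):
        raise EvidenceRefError("bad-digest-format")
    target = confine_to_repo(root, ref["path"])
    actual = "sha256:" + hashlib.sha256(target.read_bytes()).hexdigest()
    if actual != recorded:
        raise EvidenceRefError("hash-mismatch")
    return actual


def outcome(root: Path, ref: dict) -> str:
    """Return "ok" or the error code, so the cases can be tabulated."""
    try:
        verify_retained_ref(root, ref)
        return "ok"
    except EvidenceRefError as exc:
        return str(exc)


def demo() -> dict:
    """Build a constructed tree in a temp dir and return one outcome per case."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "repo"
        rel = "release-artifacts/drop-authorization-signing/"
        (root / rel).mkdir(parents=True)
        retained = root / rel / "retained.txt"
        retained.write_bytes(b"constructed retained artifact\n")
        recorded = "sha256:" + hashlib.sha256(retained.read_bytes()).hexdigest()
        outside = Path(tmp) / "outside.txt"
        outside.write_bytes(b"not part of the repo\n")
        (root / rel / "link.txt").symlink_to(outside)
        paths = {"ok": rel + "retained.txt", "dotdot": "../outside.txt",
                 "absolute": "/outside.txt", "symlink": rel + "link.txt"}
        results = {name: outcome(root, {"path": p, "sha256": recorded})
                   for name, p in paths.items()}
        # Change the file after its digest was recorded: the stale-hash case.
        retained.write_bytes(b"edited after the digest was recorded\n")
        results["stale"] = outcome(root, {"path": paths["ok"], "sha256": recorded})
        return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9} {result}")
```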
@punk6529 punk6529 merged commit fd453a6 into main Jun 13, 2026
2 checks passed
Development

Successfully merging this pull request may close these issues.

Add drop authorization signing evidence schema and checker
