Add signer custody readiness evidence gate

[punk6529]

Summary

• Adds a no-secret signer custody readiness guide, JSON schema, checked template, retained-artifact hash proof, validator, and validator tests.
• Wires signer custody readiness into CI/local gates, make check, shell/PowerShell check wrappers, release manifest generation, release checksum coverage, release-readiness/audit/incident docs, tooling docs, roadmap, and autonomous run state.
• Keeps the committed artifact explicitly scoped as a local template, not public-beta or production completion evidence.

Closes #187.

Validation

• python -m py_compile scripts\check_signer_custody_readiness.py scripts\test_signer_custody_readiness.py scripts\generate_release_manifest.py scripts\test_release_manifest.py scripts\generate_release_checksums.py scripts\test_release_checksums.py scripts\check_release_readiness.py scripts\test_release_readiness.py scripts\check_audit_package.py scripts\check_incident_response.py
• python scripts\test_signer_custody_readiness.py
• python scripts\check_signer_custody_readiness.py
• python scripts\test_release_manifest.py
• python scripts\generate_release_manifest.py --check
• python scripts\test_release_checksums.py
• python scripts\generate_release_checksums.py --check
• python scripts\test_release_readiness.py
• python scripts\check_release_readiness.py
• python scripts\test_audit_package.py
• python scripts\check_audit_package.py
• python scripts\test_incident_response.py
• python scripts\check_incident_response.py
• python scripts\test_public_beta_evidence.py
• python scripts\check_public_beta_evidence.py
• python scripts\test_drop_authorization_signing_evidence.py
• python scripts\check_drop_authorization_signing_evidence.py
• python scripts\test_changelog_check.py
• python scripts\check_changelog.py
• git diff --check
• rg -n "^#|^##|^###" ops\AUTONOMOUS_RUN.md ops\ROADMAP.md
• make check
• powershell -ExecutionPolicy Bypass -File scripts\check.ps1

Summary by CodeRabbit

• New Features

  • Added signer custody readiness evidence support: schema, template, and strict validation for submitted evidence.
  • Release artifacts now include signer custody readiness records.

• Documentation

  • New signer custody readiness guide and cross-references across release, audit, incident-response, tooling, and status docs.

• Chores

  • Integrated signer custody readiness verification into CI, build, and release manifest/checksum workflows.

• Tests

  • Added unit and integration checks to validate evidence generation and enforcement.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[punk6529]

@coderabbitai review

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d682fb57-b2b5-4fb1-a368-75264620b498

📥 Commits

Reviewing files that changed from the base of the PR and between 0b49933 and e0c64d9.

📒 Files selected for processing (15)

• docs/incident-response.md
• docs/public-beta-evidence.md
• docs/signer-custody-readiness.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/release-checksums.json
• release-artifacts/latest/release-manifest.json
• release-artifacts/schema/signer-custody-readiness.schema.json
• release-artifacts/signer-custody-readiness/signer-custody-readiness-template.json
• scripts/check_incident_response.py
• scripts/check_signer_custody_readiness.py
• scripts/generate_release_manifest.py
• scripts/test_release_manifest.py
• scripts/test_signer_custody_readiness.py

✅ Files skipped from review due to trivial changes (4)

• docs/public-beta-evidence.md
• release-artifacts/latest/release-checksums.json
• docs/incident-response.md
• release-artifacts/latest/SHA256SUMS

🚧 Files skipped from review as they are similar to previous changes (10)

• release-artifacts/schema/signer-custody-readiness.schema.json
• docs/signer-custody-readiness.md
• release-artifacts/signer-custody-readiness/signer-custody-readiness-template.json
• ops/ROADMAP.md
• ops/AUTONOMOUS_RUN.md
• scripts/test_release_manifest.py
• release-artifacts/latest/release-manifest.json
• scripts/generate_release_manifest.py
• scripts/test_signer_custody_readiness.py
• scripts/check_signer_custody_readiness.py

---

📝 Walkthrough

Walkthrough

The PR adds a no-secret, machine-checkable signer custody readiness evidence system: a JSON schema, local template, comprehensive validator, unit tests, and integration into release manifest generation, checksums, CI/Make gates, and cross-referenced documentation that collectively define production signer readiness requirements without leaking sensitive credentials or signing data.

Changes

Signer Custody Readiness Evidence System

Layer / File(s)	Summary
JSON Schema definition and committed template release-artifacts/schema/signer-custody-readiness.schema.json, release-artifacts/signer-custody-readiness/signer-custody-readiness-template.json, release-artifacts/signer-custody-readiness/signer-custody-readiness-retained-artifact.txt	Define the signer-custody-readiness schema with required fields for source, signer identity, custody state, lifecycle readiness, operational references, review metadata, retained artifacts, and redaction policy. Include enum constraints, format validation, and field-level type checking. Seed a local template with placeholder values emphasizing no secrets and a retained artifact transcript listing what operators must retain separately before public beta.
Validation checker and core logic scripts/check_signer_custody_readiness.py	Implement comprehensive validation: load and validate JSON evidence against exact key-set requirements, type checks, format constraints (sha256 hashes, git commits, Ethereum addresses), file reference verification via hashing, recursive secret-like content scanning, and environment/record-type-specific rules for signer identity, custody, lifecycle, operations, review, retained artifacts, and redaction policy.
Comprehensive test coverage scripts/test_signer_custody_readiness.py	Add deterministic test fixtures and unit tests: validate committed templates, reviewed non-local EOA and ERC-1271 evidence, and rejection of missing required fields, invalid reviewers, disallowed placeholders, stale hashes, path escapes, negative epochs, invalid enums, missing production drills, and secret-like keys/values.
Release manifest generation integration scripts/generate_release_manifest.py	Thread signer_custody_readiness_dir parameter end-to-end through manifest generation: define DEFAULT_SIGNER_CUSTODY_READINESS_DIR, add signer_custody_readiness_record() helper to load and validate evidence, collect *.json files from the directory, and emit evidence records under release_artifacts.signer_custody_readiness. Wire CLI argument and include docs/signer-custody-readiness.md in governance docs list.
Release checksum and manifest updates scripts/generate_release_checksums.py, release-artifacts/latest/SHA256SUMS, release-artifacts/latest/release-checksums.json, release-artifacts/latest/release-manifest.json	Update default covered paths to include release-artifacts/signer-custody-readiness. Refresh checksum bundles with schema and template artifact hashes. Update manifest source directory mappings and evidence arrays, and refresh governance doc hashes including new docs/signer-custody-readiness.md entry.
CI/Make and script gate integration .github/workflows/ci.yml, Makefile, scripts/check.sh, scripts/check.ps1	Add signer-custody-readiness scripts to CI py_compile list and add CI step that runs test and check with log output. Create signer-custody-readiness-check Makefile target and wire into check, release-manifest, and release-manifest-check prerequisites. Update shell scripts to invoke test and check validators.
Release manifest test fixtures and validation scripts/test_release_manifest.py, scripts/test_release_checksums.py, scripts/test_release_readiness.py	Seed test release tree with signer-custody-readiness directory, schema, retained artifact, and evidence template. Assert manifest contains source.signer_custody_readiness_dir and release_artifacts.signer_custody_readiness with expected fields. Add negative test rejecting invalid evidence. Update test helpers and release-readiness fixture to include signer custody readiness phrase.
Documentation validation checkers scripts/check_audit_package.py, scripts/check_incident_response.py, scripts/check_release_readiness.py	Extend validation rules in three documentation checkers to require signer-custody-readiness test/check commands and add mandatory links to docs/signer-custody-readiness.md and signer-custody-readiness release artifacts (schema, template, retained artifact) in their respective REQUIRED_COMMANDS and REQUIRED_LINK_TARGETS constants.
New signer custody readiness guide docs/signer-custody-readiness.md	Add primary documentation explaining the no-secret evidence format, required fields, prohibited secret patterns, local template usage, public beta/production requirements, cross-references to related runbooks, and maintenance guidance for updating evidence formats.
Cross-reference and integration documentation docs/drop-authorization-signing.md, docs/release-readiness.md, docs/release-policy.md, docs/public-beta-evidence.md, docs/known-blockers.md, docs/incident-response.md, docs/tooling.md, docs/audit-package.md, docs/status.md, release-artifacts/README.md	Update ten documentation files to reference signer custody readiness, add verification commands to local validation and regeneration procedures, integrate into release checklists and known blockers, and document signer custody readiness in tooling workflows and status tracking.
Operations metadata and roadmap updates ops/AUTONOMOUS_RUN.md, ops/ROADMAP.md	Advance autonomous run state to reflect PR #188 merged and Queue Item 97 active with local-validation complete. Expand smoke baseline blocker narrative to include signer custody readiness scope. Refresh verification metadata and machine-verifiable baseline documentation expectations.
Changelog entry CHANGELOG.md	Add new bullet describing the no-secret signer custody readiness evidence schema with validation, checked template, local/CI checking, and production readiness validation, explicitly excluding private keys, HSM credentials, signer-service secrets, and unreleased payloads.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• 6529-Collections/6529Stream#185: Adds a similar evidence checker/template and wires it into release manifest/checksum/CI gating; structurally parallel to signer-custody readiness integration.
• 6529-Collections/6529Stream#106: Earlier changes to release manifest generation that this PR extends by adding a new evidence input and normalization.
• 6529-Collections/6529Stream#188: Ops/state reconciliation PR referenced by updated ops/AUTONOMOUS_RUN.md; this PR advances the queue based on that merge.

Poem

🐰 A signer stands ready, no secrets kept tight,
Templates and hashes show readiness in light.
Tests and checkers hop through each gate,
So manifests know what reviewers must rate. 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add signer custody readiness evidence gate' accurately reflects the main objective of the changeset—introducing a new signer custody readiness validation gate with supporting schema, checker, tests, and comprehensive documentation/integration.
Linked Issues check	✅ Passed	The PR fulfills all coding objectives from issue #187: provides no-secret JSON schema and checked template [#187], implements comprehensive validator with required field/status/hash/path/secret-like rejection [#187], adds extensive documentation links across drop-authorization/release-readiness/known-blockers/public-beta/audit/incident/tooling docs [#187], wires checker into local/CI gates and release manifest/checksum generation [#187], and accepts criteria validation tests pass.
Out of Scope Changes check	✅ Passed	All changes align with issue #187 scope: signer-custody schema, checker, tests, documentation links, CI/Makefile integration, and release artifact wiring. No unrelated refactorings, infrastructure changes outside this gate, or scope creep detected.
Docstring Coverage	✅ Passed	Docstring coverage is 83.10% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/signer-custody-readiness-evidence

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

scripts/check_incident_response.py (1)

84-105: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Expand the signer-custody link coverage here.

This gate only enforces the guide and template links, so the incident-response runbook can drop the signer-custody schema or retained-artifact reference and still pass. That leaves this validator weaker than the other release/audit checks and misses the stated evidence-gate objective.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/check_incident_response.py` around lines 84 - 105, The
REQUIRED_LINK_TARGETS list in scripts/check_incident_response.py currently only
includes the signer-custody guide and template but omits the signer-custody
schema and any retained-artifact evidence paths, allowing the runbook to pass
without those required artifacts; update the REQUIRED_LINK_TARGETS constant to
also include the signer-custody schema file (e.g., the schema JSON/YAML used to
validate custody evidence) and any retained-artifact paths referenced by your
release process (e.g., retained-artifact manifest or evidence file names for
signer custody), ensuring the incident-response validator enforces both the
guide/template and the schema/retained-artifact artifacts (modify the
REQUIRED_LINK_TARGETS list shown in the diff to add the missing signer-custody
schema and retained-artifact entries).

🧹 Nitpick comments (4)

release-artifacts/schema/signer-custody-readiness.schema.json (1)

293-296: ⚡ Quick win

Constrain review.reviewed_at to a machine-parseable timestamp format.

reviewed_at currently accepts arbitrary text, which weakens the machine-checkable review trail. Consider enforcing RFC 3339/ISO-8601 (date-time) in schema and checker.

Suggested schema tightening

         "reviewed_at": {
           "type": "string",
-          "minLength": 1
+          "format": "date-time",
+          "minLength": 20
         }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@release-artifacts/schema/signer-custody-readiness.schema.json` around lines
293 - 296, The schema currently allows arbitrary text for review.reviewed_at;
change its JSON Schema to require an RFC3339/ISO‑8601 timestamp by adding the
"format": "date-time" constraint to the reviewed_at property in
signer-custody-readiness.schema.json and update any runtime validation/checker
that inspects review.reviewed_at to validate against the date-time format (or
parse with an ISO-8601/RFC3339 parser) so invalid freeform strings are rejected.

scripts/test_signer_custody_readiness.py (2)

117-117: ⚡ Quick win

Use a real non-local chain ID for production fixtures.

Line 117 maps every non-testnet environment to 31337, so valid_evidence(root, environment="production") still builds a semantically local fixture. That makes test_rejects_production_without_required_drills less focused, because any future environment-specific chain checks could fail this case before it reaches the production-drill branch.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/test_signer_custody_readiness.py` at line 117, The test fixture maps
any non-"testnet" environment to the local chain id 31337; update the chain id
selection used in the fixture (where "chain_id": 11155111 if environment ==
"testnet" else 31337) so that production environments get a real non-local chain
id (e.g., 1 for mainnet or another canonical production chain id) instead of
31337, ensuring calls like valid_evidence(root, environment="production")
produce a true production-like chain id and exercise the production-only branch
in test_rejects_production_without_required_drills.

---

215-218: ⚡ Quick win

Pin the template path in the CLI smoke test.

This test currently inherits whatever default evidence list check_signer_custody_readiness.py exposes through its CLI. Passing the committed template path explicitly would keep the assertion scoped to the template contract and avoid unrelated default-CLI changes breaking this test.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/test_signer_custody_readiness.py` around lines 215 - 218, Update the
test_accepts_committed_template to call checker.main with the committed template
path explicitly instead of relying on the CLI default: add the evidence-list CLI
argument when invoking checker.main (e.g. checker.main(["--repo-root",
str(REPO_ROOT), "--evidence-list", str(<committed-template-path-constant>)])),
using the existing committed-template test fixture/constant in this test file so
the assertion is pinned to the committed template; keep the
redirect_stdout/redirect_stderr wrapper unchanged.

docs/signer-custody-readiness.md (1)

62-66: ⚡ Quick win

Keep the ERC-1271 status path machine-checkable.

Requiring notes outside the template weakens the no-secret envelope, because that rationale is no longer validated by the schema/checker. If the status needs extra context, add a structured field to the template instead.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/signer-custody-readiness.md` around lines 62 - 66, The guidance asks to
keep ERC-1271 status machine-checkable instead of requiring freeform notes
outside the template; add a structured context field in the template (e.g.,
erc1271_status with enum values
supported|not_applicable|pending|blocked|unsupported and an accompanying
erc1271_status_detail or erc1271_evidence object for structured rationale) and
update the schema/checker to validate both the enum and the optional structured
detail (rather than external notes); ensure the template, README text (the
paragraph describing ERC-1271), and any validation logic reference the exact
field names (erc1271_status and erc1271_status_detail/erc1271_evidence) so the
status plus its context remain machine-checked.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/public-beta-evidence.md`:
- Around line 53-59: The paragraph currently misreferences the evidence family
for "non-local drop authorization signing"; update the cross-reference in the
signer-custody section so it points to the signer custody readiness evidence
(the schema file `release-artifacts/schema/signer-custody-readiness.schema.json`
and the template
`release-artifacts/signer-custody-readiness/signer-custody-readiness-template.json`)
instead of the incorrect family; ensure the text clearly states that signer
custody readiness must pass `python scripts/check_signer_custody_readiness.py`
before any public-beta or production row relies on non-local drop authorization
signing.

In `@ops/ROADMAP.md`:
- Around line 89-95: Update the "CI run" table row that currently contains the
phrase "Queue Item 97 branch CI is pending until PR open" so it is no longer
stale: locate the "CI run" row in the table (the row starting with "CI run" in
the roadmap content) and replace that clause with the actual Queue Item 97 CI
result (e.g., pass/fail and run ID/time) or a time-bounded note such as "pending
as of <UTC timestamp> awaiting final branch CI", ensuring the new text clearly
and unambiguously reflects the current status for Queue Item 97.

In `@scripts/check_signer_custody_readiness.py`:
- Around line 232-236: The require_string function currently treats
whitespace-only strings as valid; update require_string to reject strings that
are empty or contain only whitespace by checking value.strip() and raising
SignerCustodyReadinessError when value is not an instance of str or
value.strip() == "" so callers (e.g., validations relying on require_string)
don't accept placeholder/blank input.
- Around line 587-601: When review_status == "reviewed", strengthen validation
beyond reviewer and approval_status by ensuring review.owner,
review.approval_reference, and review.reviewed_at are not placeholders and are
well-formed: inside the reviewed branch (where reviewer and approval_status are
checked) add checks that require_string(review.get("owner")/ "review.owner") is
not a placeholder like "TBD" (e.g., owner.strip().upper() != "TBD"),
require_string(review.get("approval_reference"), "review.approval_reference") is
non-placeholder and non-empty, and validate review.reviewed_at is a parseable
timestamp (e.g., attempt to parse ISO8601 or use an existing datetime validator)
and raise SignerCustodyReadinessError with a clear message if any of these
checks fail; reference the existing variables reviewer, approval_status,
review_status and the SignerCustodyReadinessError class when implementing these
checks.

---

Outside diff comments:
In `@scripts/check_incident_response.py`:
- Around line 84-105: The REQUIRED_LINK_TARGETS list in
scripts/check_incident_response.py currently only includes the signer-custody
guide and template but omits the signer-custody schema and any retained-artifact
evidence paths, allowing the runbook to pass without those required artifacts;
update the REQUIRED_LINK_TARGETS constant to also include the signer-custody
schema file (e.g., the schema JSON/YAML used to validate custody evidence) and
any retained-artifact paths referenced by your release process (e.g.,
retained-artifact manifest or evidence file names for signer custody), ensuring
the incident-response validator enforces both the guide/template and the
schema/retained-artifact artifacts (modify the REQUIRED_LINK_TARGETS list shown
in the diff to add the missing signer-custody schema and retained-artifact
entries).

---

Nitpick comments:
In `@docs/signer-custody-readiness.md`:
- Around line 62-66: The guidance asks to keep ERC-1271 status machine-checkable
instead of requiring freeform notes outside the template; add a structured
context field in the template (e.g., erc1271_status with enum values
supported|not_applicable|pending|blocked|unsupported and an accompanying
erc1271_status_detail or erc1271_evidence object for structured rationale) and
update the schema/checker to validate both the enum and the optional structured
detail (rather than external notes); ensure the template, README text (the
paragraph describing ERC-1271), and any validation logic reference the exact
field names (erc1271_status and erc1271_status_detail/erc1271_evidence) so the
status plus its context remain machine-checked.

In `@release-artifacts/schema/signer-custody-readiness.schema.json`:
- Around line 293-296: The schema currently allows arbitrary text for
review.reviewed_at; change its JSON Schema to require an RFC3339/ISO‑8601
timestamp by adding the "format": "date-time" constraint to the reviewed_at
property in signer-custody-readiness.schema.json and update any runtime
validation/checker that inspects review.reviewed_at to validate against the
date-time format (or parse with an ISO-8601/RFC3339 parser) so invalid freeform
strings are rejected.

In `@scripts/test_signer_custody_readiness.py`:
- Line 117: The test fixture maps any non-"testnet" environment to the local
chain id 31337; update the chain id selection used in the fixture (where
"chain_id": 11155111 if environment == "testnet" else 31337) so that production
environments get a real non-local chain id (e.g., 1 for mainnet or another
canonical production chain id) instead of 31337, ensuring calls like
valid_evidence(root, environment="production") produce a true production-like
chain id and exercise the production-only branch in
test_rejects_production_without_required_drills.
- Around line 215-218: Update the test_accepts_committed_template to call
checker.main with the committed template path explicitly instead of relying on
the CLI default: add the evidence-list CLI argument when invoking checker.main
(e.g. checker.main(["--repo-root", str(REPO_ROOT), "--evidence-list",
str(<committed-template-path-constant>)])), using the existing
committed-template test fixture/constant in this test file so the assertion is
pinned to the committed template; keep the redirect_stdout/redirect_stderr
wrapper unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6cb01417-72ce-4775-8509-d92808943e9e

📥 Commits

Reviewing files that changed from the base of the PR and between 3601a0b and 0b49933.

📒 Files selected for processing (34)

• .github/workflows/ci.yml
• CHANGELOG.md
• Makefile
• docs/audit-package.md
• docs/drop-authorization-signing.md
• docs/incident-response.md
• docs/known-blockers.md
• docs/public-beta-evidence.md
• docs/release-policy.md
• docs/release-readiness.md
• docs/signer-custody-readiness.md
• docs/status.md
• docs/tooling.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• release-artifacts/README.md
• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/release-checksums.json
• release-artifacts/latest/release-manifest.json
• release-artifacts/schema/signer-custody-readiness.schema.json
• release-artifacts/signer-custody-readiness/signer-custody-readiness-retained-artifact.txt
• release-artifacts/signer-custody-readiness/signer-custody-readiness-template.json
• scripts/check.ps1
• scripts/check.sh
• scripts/check_audit_package.py
• scripts/check_incident_response.py
• scripts/check_release_readiness.py
• scripts/check_signer_custody_readiness.py
• scripts/generate_release_checksums.py
• scripts/generate_release_manifest.py
• scripts/test_release_checksums.py
• scripts/test_release_manifest.py
• scripts/test_release_readiness.py
• scripts/test_signer_custody_readiness.py