Add public beta evidence blocker report artifact #193

Merged: punk6529 merged 3 commits into main from codex/public-beta-blocker-report on Jun 13, 2026

@punk6529 punk6529 commented Jun 13, 2026

Contributor

Summary

Closes #191.

This PR adds a deterministic no-secret public-beta blocker report generated from release-artifacts/latest/public-beta-evidence.json without changing any public-beta or production readiness claims.

  • Adds scripts/generate_public_beta_blocker_report.py and focused tests for deterministic output, missing/stale output, unknown status handling, path escape rejection, secret-shaped value rejection, Markdown table escaping, local-template-only posture, and reviewed external evidence posture.
  • Commits release-artifacts/latest/public-beta-blockers.md, listing incomplete public-beta and production rows, evidence posture, future external evidence categories, maturity warning, and validation commands.
  • Wires report drift checks into make check, scripts/check.sh, scripts/check.ps1, and CI.
  • Includes the report in release manifest/checksum coverage and updates docs, changelog, roadmap, and autonomous run state.

Validation

  • python -m py_compile scripts\generate_public_beta_blocker_report.py scripts\test_public_beta_blocker_report.py scripts\generate_release_manifest.py scripts\test_release_manifest.py scripts\generate_release_artifacts.py scripts\test_release_artifacts.py
  • python scripts\test_public_beta_evidence.py
  • python scripts\check_public_beta_evidence.py
  • python scripts\test_public_beta_blocker_report.py
  • python scripts\generate_public_beta_blocker_report.py --check
  • python scripts\test_release_manifest.py
  • python scripts\generate_release_manifest.py --check
  • python scripts\test_release_artifacts.py
  • python scripts\test_release_checksums.py
  • python scripts\generate_release_checksums.py --check
  • python scripts\test_release_readiness.py
  • python scripts\check_release_readiness.py
  • python scripts\test_changelog_check.py
  • python scripts\check_changelog.py
  • git diff --check
  • rg -n "^#|^##|^###" ops\ROADMAP.md ops\AUTONOMOUS_RUN.md docs\public-beta-evidence.md docs\release-readiness.md release-artifacts\README.md release-artifacts\latest\public-beta-blockers.md
  • bash -n scripts/check.sh
  • PowerShell parser validation for scripts\check.ps1
  • make check
  • powershell -ExecutionPolicy Bypass -File scripts\check.ps1

Notes

The committed baseline remains intentionally blocked for public beta and production. This PR adds visibility and validation only; it does not add fork/testnet/live evidence, signatures, external audit evidence, or readiness approvals.

Summary by CodeRabbit

  • New Features

    • Added a generated public-beta blocker report summarizing incomplete requirements, evidence posture, and validation commands.
  • Documentation

    • Updated release-readiness, evidence, roadmap, and release-artifacts docs to reference the new blocker report and updated workflows.
  • Chores

    • Integrated blocker report generation and verification into CI, release checks, and artifact generation/checksum workflows.
  • Tests

    • Added tests validating report generation, determinism, and check-mode drift detection.
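
The checks the description lists (path escape rejection, secret-shaped value rejection, Markdown table escaping, and `--check` drift detection), as an added example that is not code from this PR or repository. The function names, the two table columns and the secret patterns are assumptions made for illustration.

```python
import re
from pathlib import Path

# Assumed "secret-shaped" patterns; the project's own redaction policy is not shown on this page.
SECRET_SHAPES = [
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private key header
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                # AWS access key ID shape
    re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),      # GitHub token prefixes
]


def resolve_inside(repo_root: Path, candidate: Path) -> Path:
    """Resolve candidate (following symlinks) and refuse anything outside repo_root."""
    root = repo_root.resolve()
    resolved = (root / candidate).resolve()
    if not resolved.is_relative_to(root):  # Python 3.9+, compares path components
        raise ValueError(f"path escapes repository root: {candidate}")
    return resolved


def reject_secret_shaped(value: str) -> str:
    """Fail closed instead of redacting, so a leak can never reach the report."""
    if any(pattern.search(value) for pattern in SECRET_SHAPES):
        raise ValueError("secret-shaped value refused")
    return value


def escape_cell(value: str) -> str:
    """Keep untrusted text inside a single Markdown table cell."""
    value = reject_secret_shaped(value)
    value = value.replace("\\", "\\\\").replace("|", "\\|")
    return " ".join(value.split())  # a raw newline would start a new table row


def render(rows) -> str:
    """Deterministic output: sorted rows, fixed header, LF endings, one final newline."""
    lines = ["| Requirement | Status |", "| --- | --- |"]
    for requirement, status in sorted(rows):
        lines.append(f"| {escape_cell(requirement)} | {escape_cell(status)} |")
    return "\n".join(lines) + "\n"


def check(output_path: Path, expected: str) -> bool:
    """--check style drift test: True only for a byte-for-byte match with the committed file."""
    try:
        return output_path.read_bytes() == expected.encode("utf-8")
    except FileNotFoundError:
        return False  # a missing report counts as drift
```

Comparing bytes rather than decoded text means a CRLF checkout of the report is also reported as drift.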

@claude claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

@coderabbitai

coderabbitai Bot commented Jun 13, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 99b2d806-1ba7-44be-9c5d-712501b7c380

📥 Commits

Reviewing files that changed from the base of the PR and between 56f62b9 and 61ed7e8.

📒 Files selected for processing (2)
  • ops/AUTONOMOUS_RUN.md
  • scripts/generate_public_beta_blocker_report.py
✅ Files skipped from review due to trivial changes (1)
  • ops/AUTONOMOUS_RUN.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • scripts/generate_public_beta_blocker_report.py

Walkthrough

This PR adds a public-beta evidence blocker report generator that summarizes incompleteness from the committed evidence manifest. The new scripts/generate_public_beta_blocker_report.py creates a deterministic Markdown report listing incomplete requirements, evidence posture, and validation commands. The feature integrates into CI/local checks, release manifest tracking, and operational documentation without changing readiness claims.

Changes

Public Beta Evidence Blocker Report Artifact

| Layer | File(s) | Summary |
| --- | --- | --- |
| Generator Core Implementation | scripts/generate_public_beta_blocker_report.py | Deterministically generates a Markdown blocker report from the public-beta evidence manifest. Loads and validates evidence JSON, derives evidence posture labels, builds Markdown tables for status counts and incomplete/reviewed rows, composes report metadata and validation commands, and supports write and --check verification modes. |
| Generator Test Suite | scripts/test_public_beta_blocker_report.py | Unit tests that import the generator, create deterministic fixtures, assert deterministic rendering and expected sections (incomplete rows, reviewed external, posture labels), and validate failure modes and --check drift/missing-output behavior. |
| CI and Local Check Wiring | .github/workflows/ci.yml, Makefile, scripts/check.sh, scripts/check.ps1 | Adds generator and test scripts to CI syntax checks and extends the "Public beta evidence" step to run the test and generator --check, adds Makefile targets public-beta-blocker-report / public-beta-blocker-report-check and wires them into check and release-manifest prerequisites, and updates local shell/PowerShell check scripts. |
| Manifest & Artifact Wiring | scripts/generate_release_manifest.py, scripts/generate_release_artifacts.py | Adds PUBLIC_BETA_BLOCKERS_FILENAME, wires release_artifacts.public_beta_blocker_report into the generated manifest using the committed artifact record, and excludes the generated file from downstream comparison logic. |
| Committed Artifact & Metadata | release-artifacts/latest/public-beta-blockers.md, release-artifacts/latest/release-manifest.json, release-artifacts/latest/release-checksums.json, release-artifacts/latest/SHA256SUMS, CHANGELOG.md | Commits the generated blocker report and updates release metadata: adds the manifest entry and refreshed governance-doc checksums, updates SHA256SUMS and release-checksums.json with the new artifact checksum, and documents the addition in CHANGELOG. |
| Release Test Framework Updates | scripts/test_release_artifacts.py, scripts/test_release_manifest.py | Adds write_text helper for deterministic UTF-8 writes, seeds public-beta-blockers.md in release-artifacts fixtures, and extends release-manifest tests to assert the public_beta_blocker_report path and SHA256 for default and custom artifact directories. |
| Public Documentation Updates | docs/public-beta-evidence.md, docs/release-readiness.md, release-artifacts/README.md | Documents the blocker report in evidence validation/regeneration flows, references the generated artifact as the public-beta evidence source, adds validation commands and artifact lifecycle guidance, and adds the report to required evidence lists and maturity baselines. |
| Operational & Roadmap Updates | ops/ROADMAP.md, ops/AUTONOMOUS_RUN.md | Updates roadmap and operational run-state to include blocker-report generation in the machine-verifiable baseline and Gate G required evidence; records queue/PR progression and decision-log entries for the blocker-report work. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

I nibble lines and tally what's stuck,
A Markdown map of what we must pluck.
No secrets kept, just rows to unblock,
A rabbit's hop through evidence muck. 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely summarizes the main change: adding a public beta evidence blocker report artifact, which is the primary objective of this pull request. |
| Linked Issues check | ✅ Passed | All coding requirements from issue #191 are met: deterministic Markdown report generation from evidence JSON, focused tests for output validation and security (no-secrets, path-boundaries), integration into local/CI gates, documentation updates, and release manifest/checksum coverage without changing readiness claims. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to the stated objectives: new blocker report generator/tests, CI/Makefile integration, documentation updates, manifest/checksum coverage, and supporting script updates. No unrelated refactoring or scope creep detected. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 81.40% which is sufficient. The required threshold is 80.00%. |

Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 13, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
scripts/generate_public_beta_blocker_report.py (1)

293-293: 💤 Low value

Consider extracting hard-coded script reference.

The generator script path and version are hard-coded here ("scripts/generate_public_beta_blocker_report.py:1"). While this matches GENERATOR_VERSION = "1" (line 14), consider whether this reference could be constructed programmatically to avoid drift if the script is moved or the version is updated.

♻️ Optional refactor to DRY the script reference
+SCRIPT_NAME = Path(__file__).name
+
 def build_output_text(repo_root: Path, evidence_path: Path, output_path: Path) -> str:
     """Build the Markdown blocker report."""
     data = load_evidence_document(evidence_path, repo_root)
     by_phase = canonical_requirements(data)
     redaction_policy = data["redaction_policy"]
     resolved_evidence = resolve_repo_path(repo_root, evidence_path)
     resolved_output = resolve_repo_path(repo_root, output_path)

     lines = [
         "# Public Beta Evidence Blocker Report",
         "",
         (
             "This generated report is derived only from the committed public-beta "
             "evidence manifest. It preserves the no-secret policy and does not "
             "change readiness claims."
         ),
         "",
         "The committed baseline remains intentionally blocked for public beta and production.",
         "",
         "## Report Metadata",
         "",
         markdown_table(
             ["Field", "Value"],
             [
-                ["Generated by", "`scripts/generate_public_beta_blocker_report.py:1`"],
+                ["Generated by", f"`scripts/{SCRIPT_NAME}:{GENERATOR_VERSION}`"],
                 ["Generator version", f"`{GENERATOR_VERSION}`"],
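
Review bot: the `+` "Generated by" line still hard-codes the `scripts/` directory, so the suggestion follows a rename of the file but not a move to another directory, which is the drift the comment describes. Build both parts from `__file__`, for example `f"{Path(__file__).parent.name}/{Path(__file__).name}"`, rather than resolving against the `repo_root` argument, which a caller may point at a directory that does not contain the script. The unchanged row below it, `["Generator version", f"`{GENERATOR_VERSION}`"]`, already emits the version, so the `:{GENERATOR_VERSION}` suffix states it twice; consider dropping the suffix from "Generated by".
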
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/generate_public_beta_blocker_report.py` at line 293, The hard-coded
generator string should be built programmatically from the script name and the
existing GENERATOR_VERSION constant to avoid drift: replace the literal
"`scripts/generate_public_beta_blocker_report.py:1`" with a constructed value
(e.g., f"{os.path.basename(__file__)}:{GENERATOR_VERSION}" or equivalent) where
the metadata list is assembled, and ensure you import/use os and reference
GENERATOR_VERSION so the generated "Generated by" entry always reflects the
current script filename and version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 75194f07-3140-47c9-bd3f-17a920fb1060

📥 Commits

Reviewing files that changed from the base of the PR and between b222e7e and 56f62b9.

📒 Files selected for processing (20)
  • .github/workflows/ci.yml
  • CHANGELOG.md
  • Makefile
  • docs/public-beta-evidence.md
  • docs/release-readiness.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • release-artifacts/README.md
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/public-beta-blockers.md
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-manifest.json
  • scripts/check.ps1
  • scripts/check.sh
  • scripts/generate_public_beta_blocker_report.py
  • scripts/generate_release_artifacts.py
  • scripts/generate_release_manifest.py
  • scripts/test_public_beta_blocker_report.py
  • scripts/test_release_artifacts.py
  • scripts/test_release_manifest.py

@punk6529 punk6529 merged commit 69df0c1 into main Jun 13, 2026
2 checks passed