diff --git a/CHANGELOG.md b/CHANGELOG.md index a301d3a2..0de96725 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -130,6 +130,10 @@ the release policy in `docs/release-policy.md`. `release-artifacts/evidence/public-beta-templates/`, with checker coverage proving every public-beta requirement has a template while readiness remains blocked until reviewed non-local evidence exists. +- Added checked per-requirement production-release evidence templates under + `release-artifacts/evidence/production-release-templates/`, with checker + coverage proving every production-release requirement has a template while + readiness remains blocked until reviewed non-local evidence exists. - Added a protocol incident-response runbook and local/CI checker covering stuck auctions, failed or stale randomness, bad Merkle roots, bad metadata or dependency configuration, signer compromise, and release artifact/evidence diff --git a/docs/non-local-release-evidence.md b/docs/non-local-release-evidence.md index 911c85a7..fa1a0caa 100644 --- a/docs/non-local-release-evidence.md +++ b/docs/non-local-release-evidence.md @@ -88,6 +88,10 @@ For public-beta blockers, start from the matching checked template under The checker requires one template for each public-beta requirement ID. These files are still `record_type: "template"` and `review_status: "template"`; they are operator starting points, not reviewed evidence. +For production-release blockers, start from the matching checked template under +[`release-artifacts/evidence/production-release-templates/`](../release-artifacts/evidence/production-release-templates/). +The checker requires one template for each production-release requirement ID +and rejects public-beta-only IDs in that directory. Validate metadata with: 
@@ -98,8 +102,8 @@ python scripts/check_non_local_release_evidence.py The checker validates the public-beta requirement ID, environment, chain ID policy, retained artifact path, SHA-256 digest, review status, source metadata, -public-beta template-set coverage, and no-secret boundary before release -manifest and checksum generation. +public-beta and production-release template-set coverage, and no-secret +boundary before release manifest and checksum generation. ## Public-Beta Requirement Mapping diff --git a/docs/public-beta-evidence.md b/docs/public-beta-evidence.md index 1f605b89..5586509d 100644 --- a/docs/public-beta-evidence.md +++ b/docs/public-beta-evidence.md @@ -55,6 +55,10 @@ under [`release-artifacts/evidence/public-beta-templates/`](../release-artifacts/evidence/public-beta-templates/). They map one checked template JSON to each public-beta requirement ID, but they are still template-only artifacts and do not make any status row `complete`. +Requirement-specific production-release templates live under +[`release-artifacts/evidence/production-release-templates/`](../release-artifacts/evidence/production-release-templates/). +They map one checked template JSON to each production-release requirement ID +and are also template-only artifacts. Drop authorization signing evidence should also follow [`release-artifacts/schema/drop-authorization-signing-evidence.schema.json`](../release-artifacts/schema/drop-authorization-signing-evidence.schema.json) 
@@ -134,7 +138,9 @@ To move a requirement to `complete`: 1. Start from the matching template under `release-artifacts/evidence/public-beta-templates/` when the row maps to a - public-beta requirement. + public-beta requirement, or under + `release-artifacts/evidence/production-release-templates/` when the row maps + to a production-release requirement. 2. Add the retained public evidence file to the repository. 3. Add the evidence file path and `sha256:` digest to the relevant requirement. 4. Confirm the evidence follows the non-local release evidence intake runbook diff --git a/docs/release-readiness.md b/docs/release-readiness.md index 893279e3..78016c8c 100644 --- a/docs/release-readiness.md +++ b/docs/release-readiness.md 
@@ -49,7 +49,7 @@ local tests prove protocol correctness. | Protocol maturity | Pre-audit, not production-ready, local baseline only | Yes | Yes | | External audit | Audit package exists; completed external audit report and post-audit remediation do not exist | Yes | Yes | | Deployment evidence | Local Anvil deployment, auction, metadata-browser, and emergency redeployment rehearsals exist | Fork/testnet/live evidence missing | Production broadcast retention, verified deployed addresses, and explorer verification missing | -| Release artifacts | Release manifest, checksum bundle, ABI baseline, gas snapshot, source verification inputs, address books, ceremony evidence, randomizer operations evidence, release-signature evidence, drop authorization signing fixtures, unsigned payload-generator examples, drop authorization signing evidence schema/template/checker, signer custody readiness schema/template/checker, public-beta evidence status, generated public-beta blocker report, and non-local release evidence runbook, schema, generic template, per-requirement public-beta templates, and checker exist for the local baseline | Live release artifacts, production signing evidence, reviewed signer custody readiness, and reviewed non-local evidence missing | Production signatures and signed Git tags missing | +| Release artifacts | Release manifest, checksum bundle, ABI baseline, gas snapshot, source verification inputs, address books, ceremony evidence, randomizer operations evidence, release-signature evidence, drop authorization signing fixtures, unsigned payload-generator examples, drop authorization signing evidence schema/template/checker, signer custody readiness schema/template/checker, public-beta evidence status, generated public-beta blocker report, and non-local release evidence runbook, schema, generic template, per-requirement public-beta and production-release templates, and checker exist for the local baseline | Live release artifacts, production signing 
evidence, reviewed signer custody readiness, and reviewed non-local evidence missing | Production signatures and signed Git tags missing | | Static analysis and tests | Slither baseline, test matrix, invariants, and local gas snapshot are tracked | Fork/testnet/live invariant and gas evidence missing | External audit and production evidence missing | ## Local Evidence Already Passing @@ -101,6 +101,7 @@ The current local baseline includes: [`release-artifacts/schema/non-local-release-evidence.schema.json`](../release-artifacts/schema/non-local-release-evidence.schema.json), [`release-artifacts/evidence/non-local-release-evidence-template.json`](../release-artifacts/evidence/non-local-release-evidence-template.json), [`release-artifacts/evidence/public-beta-templates/`](../release-artifacts/evidence/public-beta-templates/), + [`release-artifacts/evidence/production-release-templates/`](../release-artifacts/evidence/production-release-templates/), and [`scripts/check_non_local_release_evidence.py`](../scripts/check_non_local_release_evidence.py); - Slither baseline evidence in [`ops/SLITHER_BASELINE.md`](../ops/SLITHER_BASELINE.md) and [`docs/slither.md`](slither.md); 
@@ -203,6 +204,8 @@ Release artifacts: - [release-artifacts/schema/non-local-release-evidence.schema.json](../release-artifacts/schema/non-local-release-evidence.schema.json) - [release-artifacts/evidence/non-local-release-evidence-template.json](../release-artifacts/evidence/non-local-release-evidence-template.json) - [release-artifacts/evidence/non-local-template-retained-artifact.txt](../release-artifacts/evidence/non-local-template-retained-artifact.txt) +- [release-artifacts/evidence/public-beta-templates/](../release-artifacts/evidence/public-beta-templates/) +- [release-artifacts/evidence/production-release-templates/](../release-artifacts/evidence/production-release-templates/) - [release-artifacts/baselines/v0.1.0/abi-surface.json](../release-artifacts/baselines/v0.1.0/abi-surface.json) - [release-artifacts/baselines/v0.1.0/gas-snapshot.snap](../release-artifacts/baselines/v0.1.0/gas-snapshot.snap) - [deployments/ceremony-evidence/anvil-6529stream-v0.1.0-001-local.json](../deployments/ceremony-evidence/anvil-6529stream-v0.1.0-001-local.json) diff --git a/docs/tooling.md b/docs/tooling.md index 4ae76f42..b06eb275 100644 --- a/docs/tooling.md +++ b/docs/tooling.md 
@@ -216,10 +216,12 @@ The non-local release evidence checker validates `release-artifacts/evidence/non-local-release-evidence-template.json` against `release-artifacts/schema/non-local-release-evidence.schema.json`, validates every checked public-beta template under -`release-artifacts/evidence/public-beta-templates/`, confirms retained artifact -hashes, rejects secret-shaped metadata, and lets future reviewed evidence -become release-manifest and checksum inputs without treating templates as -completion evidence. +`release-artifacts/evidence/public-beta-templates/`, validates every checked +production-release template under +`release-artifacts/evidence/production-release-templates/`, confirms retained +artifact hashes, rejects secret-shaped metadata, and lets future reviewed +evidence become release-manifest and checksum inputs without treating templates +as completion evidence. The release-checksum step builds `release-artifacts/latest/SHA256SUMS` and `release-artifacts/latest/release-checksums.json` from the committed release diff --git a/ops/AUTONOMOUS_RUN.md b/ops/AUTONOMOUS_RUN.md index 423689fe..b83f3eed 100644 --- a/ops/AUTONOMOUS_RUN.md +++ b/ops/AUTONOMOUS_RUN.md 
@@ -32,13 +32,13 @@ tests, security hardening, deployment discipline, and release/audit readiness. | Field | Value | | --- | --- | | Remote | `https://github.com/6529-Collections/6529Stream.git` | -| Active PR branch | `codex/reconcile-public-beta-template-merge` | -| Last merged PR | `https://github.com/6529-Collections/6529Stream/pull/197` | -| Active issue | `https://github.com/6529-Collections/6529Stream/issues/198` | -| Active PR | `https://github.com/6529-Collections/6529Stream/pull/200` | +| Active PR branch | `codex/production-release-evidence-templates` | +| Last merged PR | `https://github.com/6529-Collections/6529Stream/pull/200` | +| Active issue | `https://github.com/6529-Collections/6529Stream/issues/199` | +| Active PR | `https://github.com/6529-Collections/6529Stream/pull/201` | | Roadmap file | `ops/ROADMAP.md` | | State file | `ops/AUTONOMOUS_RUN.md` | -| Last updated | `2026-06-13 06:31 UTC` | +| Last updated | `2026-06-13 07:14 UTC` | ## Packaging Notes 
@@ -157,36 +157,100 @@ The queue will evolve as PRs merge and bot feedback arrives. | 99 | Add public beta evidence blocker report artifact | Gate G support | Implement issue #191 by generating a deterministic no-secret report from `release-artifacts/latest/public-beta-evidence.json` that lists incomplete public-beta evidence rows and validation commands without changing readiness claims | Merged in PR #193 | | 100 | Reconcile public beta blocker report merge state | Gate G support | Implement issue #194 by recording PR #193 merge, CI, CodeRabbit, and next-target state without changing readiness claims | Merged in PR #196 | | 101 | Add per-requirement public beta evidence templates | Gate G support | Implement issue #195 by adding public-safe templates for each incomplete public-beta evidence row, with checks/docs and no fork/testnet/live/audit readiness claims | Merged in PR #197 | -| 102 | Reconcile public beta template merge state | Gate G support | Implement issue #198 by recording PR #197 merge, CI, CodeRabbit, and next-target state without changing readiness claims | Active | -| 103 | Add per-requirement production release evidence templates | Gate G support | Implement issue #199 by adding public-safe templates for each incomplete production-release evidence row, with checks/docs and no production readiness claims | Planned | +| 102 | Reconcile public beta template merge state | Gate G support | Implement issue #198 by recording PR #197 merge, CI, CodeRabbit, and next-target state without changing readiness claims | Merged in PR #200 | +| 103 | Add per-requirement production release evidence templates | Gate G support | Implement issue #199 by adding public-safe templates for each incomplete production-release evidence row, with checks/docs and no production readiness claims | Active | ## Current PR Worklog +### PR candidate: Add per-requirement production release evidence templates (Queue Item 103) + +Status: Open in PR #201; CI and CodeRabbit review 
pending. +Issue: `https://github.com/6529-Collections/6529Stream/issues/199`. +PR: `https://github.com/6529-Collections/6529Stream/pull/201`. +Branch: `codex/production-release-evidence-templates`. +Branch started from PR #200 squash merge commit +`728eb7161c80f6b3690de45caf11fd3c9e01e277`. + +Prior queue transition: + +- Queue Item 102 merged in PR #200 as squash commit + `728eb7161c80f6b3690de45caf11fd3c9e01e277`. +- PR #200 final implementation head was + `98b0a807a698a96748f312e0531a86991693a8c3`. +- PR #200 GitHub Actions CI run `27459177572` passed on the final head. +- PR #200 CodeRabbit status was success with no actionable comments or open + review threads. +- PR #200 closed issue #198 at merge. + +Goal: + +- Add one public-safe template per production-release evidence requirement so + future operators have issue-ready starting points for non-local production + evidence. +- Keep `release-artifacts/latest/public-beta-evidence.json` blocked/missing for + public beta and production release until real reviewed evidence exists. +- Extend the non-local evidence checker so default validation proves the + production-release template set is complete, unique, and limited to + production-release requirement IDs. +- Include the templates in deterministic release-manifest/checksum coverage. +- Update docs, changelog, roadmap, and durable run state without adding live, + audit, signer-service, private-key, or production readiness evidence. + +Implementation in this branch: + +- Added `release-artifacts/evidence/production-release-templates/` with one + JSON template for each production-release requirement ID and a shared + retained-artifact placeholder. +- Extended `scripts/check_non_local_release_evidence.py` and + `scripts/test_non_local_release_evidence.py` to validate production-release + template coverage, duplicates, and public-beta-only requirement mistakes. 
+- Updated `scripts/test_release_manifest.py` so nested production-release + evidence templates are explicitly covered by release manifest tests. +- Updated public-beta, non-local evidence, release-readiness, tooling, release + artifact, changelog, roadmap, and run-state docs. +- Regenerated `release-artifacts/latest/release-manifest.json`, + `release-artifacts/latest/SHA256SUMS`, and + `release-artifacts/latest/release-checksums.json`. + +Validation completed locally at `2026-06-13 07:11 UTC`: + +- `python -m py_compile scripts\check_non_local_release_evidence.py scripts\test_non_local_release_evidence.py scripts\generate_release_manifest.py scripts\test_release_manifest.py scripts\generate_release_checksums.py`. +- `python scripts\test_non_local_release_evidence.py`. +- `python scripts\check_non_local_release_evidence.py`. +- `python scripts\test_release_manifest.py`. +- `python scripts\generate_release_manifest.py`. +- `python scripts\generate_release_checksums.py` after manifest refresh. +- `python scripts\generate_release_manifest.py --check`. +- `python scripts\test_release_checksums.py`. +- `python scripts\generate_release_checksums.py --check`. +- `python scripts\test_public_beta_evidence.py`. +- `python scripts\check_public_beta_evidence.py`. +- `python scripts\test_public_beta_blocker_report.py`. +- `python scripts\generate_public_beta_blocker_report.py --check`. +- `python scripts\test_release_readiness.py`. +- `python scripts\check_release_readiness.py`. +- `python scripts\test_changelog_check.py`. +- `python scripts\check_changelog.py`. +- `rg -n "^#|^##|^###" docs\public-beta-evidence.md docs\non-local-release-evidence.md docs\release-readiness.md docs\tooling.md release-artifacts\README.md release-artifacts\evidence\production-release-templates\README.md ops\ROADMAP.md ops\AUTONOMOUS_RUN.md`. +- `git diff --check`. +- `make check`. +- `powershell -ExecutionPolicy Bypass -File scripts\check.ps1`. 
+ +PR opened: + +- PR #201 opened against `main` on head + `f16075b6cb0c78cfa7c38d609019684e28559112`. +- CodeRabbit review requested in PR comment `4697838014`. + ### PR candidate: Reconcile public beta template merge state (Queue Item 102) -Status: Open in PR #200; CI and CodeRabbit review pending. +Status: Merged in PR #200 on `2026-06-13`. Issue: `https://github.com/6529-Collections/6529Stream/issues/198`. PR: `https://github.com/6529-Collections/6529Stream/pull/200`. Branch: `codex/reconcile-public-beta-template-merge`. Branch started from PR #197 squash merge commit `2bd94683414fb86e0f9172b96d52bfef7fb58742`. -Prior queue transition: - -- Queue Item 101 merged in PR #197 as squash commit - `2bd94683414fb86e0f9172b96d52bfef7fb58742`. -- PR #197 final implementation head was - `e3034c40b211497ccbb091c7b1fc318b28e2176d`. -- PR #197 GitHub Actions CI run `27458794705` passed on the final head. -- PR #197 CodeRabbit status was success; CodeRabbit marked the three earlier - actionable threads addressed in commit - `e3034c40b211497ccbb091c7b1fc318b28e2176d`, and the follow-up review - generated no actionable comments. -- PR #197 closed issue #195 at merge. -- Issue #199 is queued next for public-safe per-requirement production-release - evidence templates without changing public-beta or production readiness - claims. - Goal: - Mark Queue Item 101 merged in both durable state files. 
@@ -209,12 +273,15 @@ Validation completed locally at `2026-06-13 06:28 UTC`: - `rg -n "^#|^##|^###" ops\ROADMAP.md ops\AUTONOMOUS_RUN.md`. - `git diff --check`. -PR opened: +Final state before merge: -- PR #200 opened against `main` on head - `d9e472b161ef92f85be6edd8f02135ad29395340`. - This follow-up state commit records the concrete PR URL before CodeRabbit - review is requested. +- PR #200 final head `98b0a807a698a96748f312e0531a86991693a8c3` + passed GitHub Actions CI run `27459177572`. +- CodeRabbit status was success with no actionable comments or open review + threads. +- PR #200 squash-merged as + `728eb7161c80f6b3690de45caf11fd3c9e01e277`. +- Issue #198 closed completed. ### PR candidate: Add per-requirement public beta evidence templates (Queue Item 101) 
@@ -9069,6 +9136,10 @@ Outcome: | Time UTC | Decision | Rationale | | --- | --- | --- | +| 2026-06-13 07:14 | Open PR #201 and request CodeRabbit | Production-release evidence template PR opened against `main`, linked `Closes #199`, pushed head `f16075b6cb0c78cfa7c38d609019684e28559112`, and requested CodeRabbit review in comment `4697838014`; Claude intentionally skipped per current user instruction | +| 2026-06-13 07:11 | Finish Queue Item 103 local validation | Production-release evidence templates, checker/test coverage, manifest/checksum refresh, docs, roadmap, changelog, focused gates, heading scan, whitespace check, full `make check`, and the Windows PowerShell wrapper all pass locally without changing readiness claims | +| 2026-06-13 06:51 | Start Queue Item 103 | PR #200 merged cleanly, so issue #199 is now the active no-secret Gate G support slice for per-requirement production-release evidence templates without readiness claims | +| 2026-06-13 06:49 | Merge PR #200 | Public-beta template merge-state reconciliation merged as `728eb7161c80f6b3690de45caf11fd3c9e01e277`; final head `98b0a807a698a96748f312e0531a86991693a8c3` passed CI run `27459177572`, CodeRabbit status was success, and issue #198 closed completed | | 2026-06-13 06:31 | Open PR #200 | Public-beta template merge-state reconciliation PR opened against `main`, linked `Closes #198`, and will use CodeRabbit-only review per current user instruction | | 2026-06-13 06:26 | Create issue #198 and select Queue Item 102 | PR #197 merged cleanly, so the durable state needs to record its final CI/CodeRabbit/merge evidence before the next autonomous implementation slice | | 2026-06-13 06:26 | Create issue #199 and queue production-release templates | With public-beta templates merged and all production-release evidence rows still missing, the next no-secret Gate G support slice is per-requirement production-release evidence templates | 
diff --git a/ops/ROADMAP.md b/ops/ROADMAP.md index 39f4f263..a86e4529 100644 --- a/ops/ROADMAP.md +++ b/ops/ROADMAP.md @@ -19,7 +19,8 @@ order. generated metadata in the browser sandbox, enforces the production size gate, checks deterministic release artifacts, checks the release-readiness dashboard, public-beta evidence status, generated public-beta blocker - report, and per-requirement public-beta evidence templates, documents and checks non-local + report, per-requirement public-beta evidence templates, and per-requirement + production-release evidence templates, documents and checks non-local release evidence metadata intake, checks the protocol incident-response runbook, checks no-secret drop authorization signing fixtures, unsigned payload-generator examples, retained signing evidence template, and signer 
@@ -87,12 +88,12 @@ order. | Field | Value | | --- | --- | -| Last verified | `2026-06-13 06:23 UTC` after PR #197 merged Queue Item 101 per-requirement public-beta evidence templates, checker/tests, nested non-local evidence release-manifest coverage, release checksum coverage, docs/roadmap/run-state updates, focused evidence, public-beta, blocker-report, release-manifest, checksum, release-readiness, changelog, heading, syntax, and whitespace checks, full `make check`, the Windows PowerShell wrapper, GitHub Actions CI run `27458794705` passing on final head `e3034c40b211497ccbb091c7b1fc318b28e2176d`, CodeRabbit success, and squash merge commit `2bd94683414fb86e0f9172b96d52bfef7fb58742` | -| OS tested | Windows local for Queue Item 101 focused checks, full `make check`, and `powershell -ExecutionPolicy Bypass -File scripts\check.ps1`; Linux GitHub Actions passed for latest merged baseline PR #197 run `27458794705` on final head `e3034c40b211497ccbb091c7b1fc318b28e2176d`, with merged baseline commit `2bd94683414fb86e0f9172b96d52bfef7fb58742` | +| Last verified | `2026-06-13 06:49 UTC` after PR #200 merged Queue Item 102 public-beta template merge-state reconciliation, focused release-readiness, public-beta, non-local evidence, blocker-report, release-manifest, checksum, changelog, heading, and whitespace checks, GitHub Actions CI run `27459177572` passing on final head `98b0a807a698a96748f312e0531a86991693a8c3`, CodeRabbit success, and squash merge commit `728eb7161c80f6b3690de45caf11fd3c9e01e277` | +| OS tested | Windows local for Queue Item 102 focused checks; Linux GitHub Actions passed for latest merged baseline PR #200 run `27459177572` on final head `98b0a807a698a96748f312e0531a86991693a8c3`, with merged baseline commit `728eb7161c80f6b3690de45caf11fd3c9e01e277` | | Foundry version | `v1.7.1` | | Solidity compiler version | `0.8.19` | | Slither version | `0.11.5` | -| CI run | Latest merged baseline PR #197 final CI run `27458794705` passed on head 
`e3034c40b211497ccbb091c7b1fc318b28e2176d`; CodeRabbit status was success with the earlier actionable threads marked addressed and no actionable comments in the follow-up review before squash merge `2bd94683414fb86e0f9172b96d52bfef7fb58742` | +| CI run | Latest merged baseline PR #200 final CI run `27459177572` passed on head `98b0a807a698a96748f312e0531a86991693a8c3`; CodeRabbit status was success with no actionable comments or open review threads before squash merge `728eb7161c80f6b3690de45caf11fd3c9e01e277` | | Command transcript location | `ops/SLITHER_BASELINE.md` for Slither baseline; PR-local commands recorded in `ops/AUTONOMOUS_RUN.md` | ### Machine-Verifiable Baseline 
@@ -105,8 +106,8 @@ order. | Formatting | Fails broadly | `forge fmt --check smart-contracts` | Passing, or vendored exclusions documented | | Static analysis | Runs with a tracked high/medium baseline: 717 total findings, including 4 High, 19 Medium, and 93 Low; current high/medium rows are fixed, accepted, or documented false positives | `slither . --config-file slither.config.json --foundry-compile-all`, `ops/SLITHER_BASELINE.md`, and `docs/vendored-libraries.md` | High/medium findings fixed, accepted, or documented | | Deployment | Partial local baseline: deploy-and-wire rehearsal script, local auction ceremony rehearsal, local emergency redeployment rehearsal, deployment-rehearsal generated metadata browser sandbox proof, manifest schema, address-book schema, ceremony evidence schema, randomizer operations evidence schema, generated Anvil manifest config/example, sanitized Foundry broadcast fixture ingestion, generated Anvil and broadcast-derived address books, local Anvil ceremony evidence bundle, local Anvil randomizer operations evidence bundle, manifest parsing test, and generated ABI/bytecode checksum inputs exist; live fork/testnet rehearsal, production broadcast retention, fork/testnet/live ceremony evidence contents, and fork/testnet/live randomizer operations evidence contents remain missing | `forge script script/RehearseDeployment.s.sol:RehearseDeployment --sig "run()" --via-ir`, `forge script script/RehearseAuctionCeremony.s.sol:RehearseAuctionCeremony --sig "run()" --via-ir`, `forge script script/RehearseEmergencyRedeployment.s.sol:RehearseEmergencyRedeployment --sig "run()" --via-ir`, `scripts/check_rehearsal_metadata_browser_sandbox.py`, `test/StreamDeploymentManifest.t.sol`, `scripts/generate_broadcast_manifest_input.py --check`, `scripts/generate_deployment_manifest.py --check`, `scripts/generate_deployment_manifest.py --config deployments/config/anvil-6529stream-v0.1.0-001-broadcast.json --check`, `scripts/generate_address_books.py --check`, 
`scripts/test_ceremony_evidence.py`, `scripts/check_ceremony_evidence.py`, `scripts/test_randomizer_operations.py`, `scripts/check_randomizer_operations.py`, `deployments/broadcasts/`, `deployments/schema/deployment-manifest.schema.json`, `deployments/schema/address-book.schema.json`, `deployments/schema/ceremony-evidence.schema.json`, `deployments/schema/randomizer-operations-evidence.schema.json`, `deployments/address-books/`, `deployments/ceremony-evidence/`, `deployments/randomizer-operations/`, and `release-artifacts/latest/abi-checksums.json` | Anvil deployment, local metadata browser rehearsal, local auction ceremony rehearsal, local emergency redeployment rehearsal, local ceremony evidence, local randomizer operations evidence, and fork rehearsal pass | -| Docs | Architecture map, threat model, audit package, incident-response runbook, drop authorization signing guide with unsigned payload generator and retained signing evidence template, signer custody readiness guide/template, release-readiness dashboard, public-beta evidence status, generated blocker report, per-requirement public-beta evidence templates, non-local release evidence intake and metadata schema, status, known blockers, ADRs, security, deployment, release, metadata, dependency, randomizer, auction-custody, tooling, and release-policy docs exist for the local baseline; external audit report and actual fork/testnet/live retained evidence remain missing | `python scripts/check_architecture_threat_model.py`, `python scripts/check_audit_package.py`, `python scripts/check_incident_response.py`, `python scripts/check_drop_authorization_fixtures.py`, `python scripts/test_drop_authorization_signing_evidence.py`, `python scripts/check_drop_authorization_signing_evidence.py`, `python scripts/test_signer_custody_readiness.py`, `python scripts/check_signer_custody_readiness.py`, `python scripts/check_release_readiness.py`, `python scripts/test_public_beta_blocker_report.py`, `python 
scripts/generate_public_beta_blocker_report.py --check`, `python scripts/check_public_beta_evidence.py`, `python scripts/check_non_local_release_evidence.py`, `docs/architecture.md`, `docs/threat-model.md`, `docs/audit-package.md`, `docs/incident-response.md`, `docs/drop-authorization-signing.md`, `docs/signer-custody-readiness.md`, `docs/release-readiness.md`, `docs/public-beta-evidence.md`, `docs/non-local-release-evidence.md`, `release-artifacts/evidence/public-beta-templates/`, `docs/status.md`, `docs/known-blockers.md`, and `SECURITY.md` | Architecture, security, deployment, protocol, operations, incident response, drop authorization signing, payload generation, retained signing evidence, signer custody readiness evidence, public-beta evidence, per-requirement public-beta templates, generated blocker report, non-local release evidence, release-readiness, and audit docs merged as a local baseline, with external audit/review artifacts linked when available | -| Release artifacts | Partial deterministic baseline: ABI checksums, bytecode checksums, interface IDs, event topic catalog, source verification inputs, ABI compatibility baseline, focused local gas snapshot baseline, sanitized broadcast fixture ingestion, local and broadcast-derived deployment manifest checksums, local and broadcast-derived address books, local ceremony evidence schema/bundle/checker, local randomizer operations schema/bundle/checker, machine-readable release manifest, signable release checksum bundle, public-beta evidence status/checker, generated public-beta blocker report/checker, per-requirement public-beta evidence templates/checker, non-local release evidence runbook/schema/template/checker, incident-response runbook/checker, drop authorization signing guide/fixtures/payload-generator/checker, drop authorization signing evidence schema/template/checker, signer custody readiness schema/template/checker, release-readiness dashboard/checker, release change approval policy, 
architecture/threat-model checks, audit-package check, and changelog gate are generated or documented from committed inputs; detached signatures, signed release tags, production address books, live explorer verification, verified live addresses, reviewed signer custody readiness evidence, reviewed production signing evidence, fork/testnet/live ceremony evidence contents, and fork/testnet/live randomizer operations evidence contents remain missing | `python scripts/generate_release_artifacts.py --check`, `forge snapshot --match-path test/StreamGasSnapshot.t.sol --check release-artifacts/baselines/v0.1.0/gas-snapshot.snap`, `python scripts/generate_source_verification_inputs.py --check`, `python scripts/check_abi_compatibility.py --check`, `python scripts/generate_broadcast_manifest_input.py --check`, `python scripts/generate_deployment_manifest.py --check`, `python scripts/generate_deployment_manifest.py --config deployments/config/anvil-6529stream-v0.1.0-001-broadcast.json --check`, `python scripts/generate_address_books.py --check`, `python scripts/test_ceremony_evidence.py`, `python scripts/check_ceremony_evidence.py`, `python scripts/test_randomizer_operations.py`, `python scripts/check_randomizer_operations.py`, `python scripts/test_non_local_release_evidence.py`, `python scripts/check_non_local_release_evidence.py`, `python scripts/test_public_beta_evidence.py`, `python scripts/check_public_beta_evidence.py`, `python scripts/test_public_beta_blocker_report.py`, `python scripts/generate_public_beta_blocker_report.py --check`, `python scripts/test_drop_authorization_payload_generator.py`, `python scripts/test_drop_authorization_fixtures.py`, `python scripts/check_drop_authorization_fixtures.py`, `python scripts/test_drop_authorization_signing_evidence.py`, `python scripts/check_drop_authorization_signing_evidence.py`, `python scripts/test_signer_custody_readiness.py`, `python scripts/check_signer_custody_readiness.py`, `python 
scripts/check_architecture_threat_model.py`, `python scripts/check_audit_package.py`, `python scripts/test_incident_response.py`, `python scripts/check_incident_response.py`, `python scripts/test_release_readiness.py`, `python scripts/check_release_readiness.py`, `python scripts/generate_release_manifest.py --check`, `python scripts/generate_release_checksums.py --check`, `python scripts/check_changelog.py`, `release-artifacts/latest/`, `release-artifacts/latest/public-beta-evidence.json`, `release-artifacts/latest/public-beta-blockers.md`, `release-artifacts/latest/source-verification-inputs.json`, `release-artifacts/latest/release-manifest.json`, `release-artifacts/schema/public-beta-evidence.schema.json`, `release-artifacts/schema/non-local-release-evidence.schema.json`, `release-artifacts/schema/drop-authorization-signing-evidence.schema.json`, `release-artifacts/schema/signer-custody-readiness.schema.json`, `release-artifacts/evidence/non-local-release-evidence-template.json`, `release-artifacts/evidence/non-local-template-retained-artifact.txt`, `release-artifacts/evidence/public-beta-templates/`, `release-artifacts/drop-authorization-signing/drop-authorization-signing-evidence-template.json`, `release-artifacts/drop-authorization-signing/drop-authorization-signing-retained-artifact.txt`, `release-artifacts/signer-custody-readiness/signer-custody-readiness-template.json`, `release-artifacts/signer-custody-readiness/signer-custody-readiness-retained-artifact.txt`, `release-artifacts/baselines/v0.1.0/abi-surface.json`, `release-artifacts/baselines/v0.1.0/gas-snapshot.snap`, `deployments/broadcasts/`, `deployments/schema/address-book.schema.json`, `deployments/schema/ceremony-evidence.schema.json`, `deployments/schema/randomizer-operations-evidence.schema.json`, `deployments/examples/anvil-6529stream-v0.1.0-001.json`, `deployments/examples/anvil-6529stream-v0.1.0-001-broadcast.json`, `deployments/address-books/anvil-6529stream-v0.1.0-001.json`, 
`deployments/address-books/anvil-6529stream-v0.1.0-001-broadcast.json`, `deployments/ceremony-evidence/anvil-6529stream-v0.1.0-001-local.json`, `deployments/randomizer-operations/anvil-6529stream-v0.1.0-001-local.json`, `test/fixtures/drop-authorization/`, `CHANGELOG.md`, `docs/architecture.md`, `docs/threat-model.md`, `docs/audit-package.md`, `docs/incident-response.md`, `docs/drop-authorization-signing.md`, `docs/signer-custody-readiness.md`, `docs/public-beta-evidence.md`, `docs/non-local-release-evidence.md`, `docs/release-readiness.md`, `docs/release-policy.md`, and `docs/randomizer-operations.md` | ABIs, manifests, ceremony evidence, randomizer operations evidence, source verification inputs, checksums, incident response, drop authorization signing evidence, signer custody readiness evidence, public-beta evidence status, per-requirement public-beta templates, generated blocker report, non-local release evidence, release-readiness status, gas baseline, and verified addresses published | +| Docs | Architecture map, threat model, audit package, incident-response runbook, drop authorization signing guide with unsigned payload generator and retained signing evidence template, signer custody readiness guide/template, release-readiness dashboard, public-beta evidence status, generated blocker report, per-requirement public-beta and production-release evidence templates, non-local release evidence intake and metadata schema, status, known blockers, ADRs, security, deployment, release, metadata, dependency, randomizer, auction-custody, tooling, and release-policy docs exist for the local baseline; external audit report and actual fork/testnet/live retained evidence remain missing | `python scripts/check_architecture_threat_model.py`, `python scripts/check_audit_package.py`, `python scripts/check_incident_response.py`, `python scripts/check_drop_authorization_fixtures.py`, `python scripts/test_drop_authorization_signing_evidence.py`, `python 
scripts/check_drop_authorization_signing_evidence.py`, `python scripts/test_signer_custody_readiness.py`, `python scripts/check_signer_custody_readiness.py`, `python scripts/check_release_readiness.py`, `python scripts/test_public_beta_blocker_report.py`, `python scripts/generate_public_beta_blocker_report.py --check`, `python scripts/check_public_beta_evidence.py`, `python scripts/check_non_local_release_evidence.py`, `docs/architecture.md`, `docs/threat-model.md`, `docs/audit-package.md`, `docs/incident-response.md`, `docs/drop-authorization-signing.md`, `docs/signer-custody-readiness.md`, `docs/release-readiness.md`, `docs/public-beta-evidence.md`, `docs/non-local-release-evidence.md`, `release-artifacts/evidence/public-beta-templates/`, `release-artifacts/evidence/production-release-templates/`, `docs/status.md`, `docs/known-blockers.md`, and `SECURITY.md` | Architecture, security, deployment, protocol, operations, incident response, drop authorization signing, payload generation, retained signing evidence, signer custody readiness evidence, public-beta evidence, per-requirement public-beta and production-release templates, generated blocker report, non-local release evidence, release-readiness, and audit docs merged as a local baseline, with external audit/review artifacts linked when available | +| Release artifacts | Partial deterministic baseline: ABI checksums, bytecode checksums, interface IDs, event topic catalog, source verification inputs, ABI compatibility baseline, focused local gas snapshot baseline, sanitized broadcast fixture ingestion, local and broadcast-derived deployment manifest checksums, local and broadcast-derived address books, local ceremony evidence schema/bundle/checker, local randomizer operations schema/bundle/checker, machine-readable release manifest, signable release checksum bundle, public-beta evidence status/checker, generated public-beta blocker report/checker, per-requirement public-beta and production-release evidence 
templates/checker, non-local release evidence runbook/schema/template/checker, incident-response runbook/checker, drop authorization signing guide/fixtures/payload-generator/checker, drop authorization signing evidence schema/template/checker, signer custody readiness schema/template/checker, release-readiness dashboard/checker, release change approval policy, architecture/threat-model checks, audit-package check, and changelog gate are generated or documented from committed inputs; detached signatures, signed release tags, production address books, live explorer verification, verified live addresses, reviewed signer custody readiness evidence, reviewed production signing evidence, fork/testnet/live ceremony evidence contents, and fork/testnet/live randomizer operations evidence contents remain missing | `python scripts/generate_release_artifacts.py --check`, `forge snapshot --match-path test/StreamGasSnapshot.t.sol --check release-artifacts/baselines/v0.1.0/gas-snapshot.snap`, `python scripts/generate_source_verification_inputs.py --check`, `python scripts/check_abi_compatibility.py --check`, `python scripts/generate_broadcast_manifest_input.py --check`, `python scripts/generate_deployment_manifest.py --check`, `python scripts/generate_deployment_manifest.py --config deployments/config/anvil-6529stream-v0.1.0-001-broadcast.json --check`, `python scripts/generate_address_books.py --check`, `python scripts/test_ceremony_evidence.py`, `python scripts/check_ceremony_evidence.py`, `python scripts/test_randomizer_operations.py`, `python scripts/check_randomizer_operations.py`, `python scripts/test_non_local_release_evidence.py`, `python scripts/check_non_local_release_evidence.py`, `python scripts/test_public_beta_evidence.py`, `python scripts/check_public_beta_evidence.py`, `python scripts/test_public_beta_blocker_report.py`, `python scripts/generate_public_beta_blocker_report.py --check`, `python scripts/test_drop_authorization_payload_generator.py`, `python 
scripts/test_drop_authorization_fixtures.py`, `python scripts/check_drop_authorization_fixtures.py`, `python scripts/test_drop_authorization_signing_evidence.py`, `python scripts/check_drop_authorization_signing_evidence.py`, `python scripts/test_signer_custody_readiness.py`, `python scripts/check_signer_custody_readiness.py`, `python scripts/check_architecture_threat_model.py`, `python scripts/check_audit_package.py`, `python scripts/test_incident_response.py`, `python scripts/check_incident_response.py`, `python scripts/test_release_readiness.py`, `python scripts/check_release_readiness.py`, `python scripts/generate_release_manifest.py --check`, `python scripts/generate_release_checksums.py --check`, `python scripts/check_changelog.py`, `release-artifacts/latest/`, `release-artifacts/latest/public-beta-evidence.json`, `release-artifacts/latest/public-beta-blockers.md`, `release-artifacts/latest/source-verification-inputs.json`, `release-artifacts/latest/release-manifest.json`, `release-artifacts/schema/public-beta-evidence.schema.json`, `release-artifacts/schema/non-local-release-evidence.schema.json`, `release-artifacts/schema/drop-authorization-signing-evidence.schema.json`, `release-artifacts/schema/signer-custody-readiness.schema.json`, `release-artifacts/evidence/non-local-release-evidence-template.json`, `release-artifacts/evidence/non-local-template-retained-artifact.txt`, `release-artifacts/evidence/public-beta-templates/`, `release-artifacts/evidence/production-release-templates/`, `release-artifacts/drop-authorization-signing/drop-authorization-signing-evidence-template.json`, `release-artifacts/drop-authorization-signing/drop-authorization-signing-retained-artifact.txt`, `release-artifacts/signer-custody-readiness/signer-custody-readiness-template.json`, `release-artifacts/signer-custody-readiness/signer-custody-readiness-retained-artifact.txt`, `release-artifacts/baselines/v0.1.0/abi-surface.json`, 
`release-artifacts/baselines/v0.1.0/gas-snapshot.snap`, `deployments/broadcasts/`, `deployments/schema/address-book.schema.json`, `deployments/schema/ceremony-evidence.schema.json`, `deployments/schema/randomizer-operations-evidence.schema.json`, `deployments/examples/anvil-6529stream-v0.1.0-001.json`, `deployments/examples/anvil-6529stream-v0.1.0-001-broadcast.json`, `deployments/address-books/anvil-6529stream-v0.1.0-001.json`, `deployments/address-books/anvil-6529stream-v0.1.0-001-broadcast.json`, `deployments/ceremony-evidence/anvil-6529stream-v0.1.0-001-local.json`, `deployments/randomizer-operations/anvil-6529stream-v0.1.0-001-local.json`, `test/fixtures/drop-authorization/`, `CHANGELOG.md`, `docs/architecture.md`, `docs/threat-model.md`, `docs/audit-package.md`, `docs/incident-response.md`, `docs/drop-authorization-signing.md`, `docs/signer-custody-readiness.md`, `docs/public-beta-evidence.md`, `docs/non-local-release-evidence.md`, `docs/release-readiness.md`, `docs/release-policy.md`, and `docs/randomizer-operations.md` | ABIs, manifests, ceremony evidence, randomizer operations evidence, source verification inputs, checksums, incident response, drop authorization signing evidence, signer custody readiness evidence, public-beta evidence status, per-requirement public-beta and production-release templates, generated blocker report, non-local release evidence, release-readiness status, gas baseline, and verified addresses published | | Windows setup | Foundry installed under `~/.foundry/bin`, but current shell may not resolve `forge` from `PATH` | direct binary invocation | Bootstrap works in current and future shells, or limitation documented | ### Issue Tracker Reconciliation 
@@ -361,6 +362,8 @@ from PR #165, the generated [#191](https://github.com/6529-Collections/6529Stream/issues/191) / PR #193, the per-requirement public-beta evidence templates from issue [#195](https://github.com/6529-Collections/6529Stream/issues/195) / PR #197, +the per-requirement production-release evidence templates from issue +[#199](https://github.com/6529-Collections/6529Stream/issues/199), and the `docs/non-local-release-evidence.md` intake runbook from issue #168. [`#162`](https://github.com/6529-Collections/6529Stream/issues/162) @@ -373,8 +376,9 @@ evidence manifest without changing readiness claims. Issue [#195](https://github.com/6529-Collections/6529Stream/issues/195) is complete for public-safe per-requirement public-beta evidence templates without changing readiness claims. Issue -[#199](https://github.com/6529-Collections/6529Stream/issues/199) is queued next -for per-requirement production-release evidence templates. +[#199](https://github.com/6529-Collections/6529Stream/issues/199) is active for +public-safe per-requirement production-release evidence templates without +changing readiness claims. Exit criteria: @@ -2239,6 +2243,12 @@ No P0 contract PR may merge without: default non-local evidence checks prove the template set is complete, unique, and limited to public-beta requirements without marking any public-beta row complete. +- Add per-requirement production-release evidence templates. Initial + `release-artifacts/evidence/production-release-templates/` files provide a + public-safe starting point for every current production-release requirement + ID, and default non-local evidence checks prove the template set is complete, + unique, and limited to production-release requirements without marking any + production row complete. - Add storage layout snapshots if upgradeability is ever introduced. ### Release Checklist 
@@ -2268,6 +2278,11 @@ No P0 contract PR may merge without: exist under `release-artifacts/evidence/public-beta-templates/` and are validated by `scripts/check_non_local_release_evidence.py`; they are starting points for future retained evidence and do not mark any requirement complete. +- Production-release evidence templates checked. Initial per-requirement + templates exist under + `release-artifacts/evidence/production-release-templates/` and are validated + by `scripts/check_non_local_release_evidence.py`; they are starting points for + future retained production evidence and do not mark any requirement complete. - Source verification inputs generated. Initial deterministic verification input bundle exists under `release-artifacts/latest/source-verification-inputs.json`; live explorer 
@@ -2456,7 +2471,7 @@ Status values: `Missing`, `Planned`, `In Progress`, `Passing`, `Blocked`. | ERC-4906 metadata signaling | `supportsInterface(0x49064906)` succeeds and `MetadataUpdate` / `BatchMetadataUpdate` emit from metadata write paths that can change token JSON | `test/StreamMetadataEvents.t.sol` | Passing for current `StreamCore` behavior: ERC-4906 interface support succeeds, randomness fulfillment and token metadata input writes emit `MetadataUpdate`, collection-level metadata mode/base URI/display/script/dependency-reference writes emit `BatchMetadataUpdate` over the minted-ever range, empty collections do not emit empty batch events, and mint-only plus burn paths do not emit ERC-4906. Dependency registry version creation does not emit ERC-4906 for pinned collections because their output does not change; explicit repinning goes through `updateCollectionInfo` and emits the existing collection-range update. | [`P1-META-004`](https://github.com/6529-Collections/6529Stream/issues/49), [`P1-META-003`](https://github.com/6529-Collections/6529Stream/issues/48) | Gate D | TBD | | Dependency script packed encoding | Dependency script retrieval uses safe typed concatenation/hash encoding and cannot collide across script segments | `test/StreamMetadataEncoding.t.sol` | Passing: typed chunk/content hashes include dependency key, chunk count, chunk index, chunk byte length, and chunk content hash; ambiguous chunk splits that render the same JavaScript produce distinct content hashes while preserving rendered-script compatibility; zero-chunk dependency hashes are deterministic | [`P0-META-001`](https://github.com/6529-Collections/6529Stream/issues/9), [`P1-META-003`](https://github.com/6529-Collections/6529Stream/issues/48) | Gate C/Gate D | TBD | | Deployment redeployment rehearsal | Deployment manifests, broadcast-derived manifest inputs, address books, ABI hashes, source verification inputs, dependency artifact manifests, dependency operation runbooks, admin 
ceremony, signer setup, deprecation checks, generated metadata browser proof, local auction ceremony proof, emergency redeployment rehearsal, ceremony evidence bundle, and non-local release evidence intake/schema/checker follow ADR 0007 | `test/StreamDeploymentManifest.t.sol`, `script/RehearseDeployment.s.sol`, `script/RehearseMetadataBrowser.s.sol`, `script/RehearseAuctionCeremony.s.sol`, `script/RehearseEmergencyRedeployment.s.sol`, `scripts/test_rehearsal_metadata_browser_sandbox.py`, `scripts/check_rehearsal_metadata_browser_sandbox.py`, `scripts/generate_release_artifacts.py`, `scripts/test_release_artifacts.py`, `scripts/generate_source_verification_inputs.py`, `scripts/test_source_verification_inputs.py`, `scripts/generate_dependency_artifact_manifest.py`, `scripts/test_dependency_artifact_manifest.py`, `scripts/check_abi_compatibility.py`, `scripts/test_abi_compatibility.py`, `scripts/generate_broadcast_manifest_input.py`, `scripts/test_broadcast_manifest_input.py`, `scripts/generate_deployment_manifest.py`, `scripts/test_deployment_manifest.py`, `scripts/generate_address_books.py`, `scripts/test_address_books.py`, `scripts/test_ceremony_evidence.py`, `scripts/check_ceremony_evidence.py`, `scripts/test_release_signatures.py`, `scripts/check_release_signatures.py`, `scripts/test_non_local_release_evidence.py`, `scripts/check_non_local_release_evidence.py`, `docs/non-local-release-evidence.md`, `release-artifacts/schema/non-local-release-evidence.schema.json`, `release-artifacts/evidence/non-local-release-evidence-template.json`, `scripts/generate_release_manifest.py`, `scripts/test_release_manifest.py`, `scripts/generate_release_checksums.py`, and `scripts/test_release_checksums.py` | In Progress: local deploy-and-wire rehearsal, local deployment-rehearsal generated metadata browser proof, local auction ceremony from signed auction drop through bid, settlement, proceeds withdrawal, and zero owed funds, local emergency redeployment rehearsal with distinct 
old/replacement deployment versions, manifests, drop domains, core/drops/auction addresses, Safe-rooted ceremony state, deployer-admin removal, and replacement fixed-price mint smoke, Safe-placeholder ownership transfer, temporary admin revocation, manifest schema/example parsing, generated Anvil manifest config/example, sanitized Foundry broadcast fixture ingestion, generated broadcast-derived manifest config/example, generated local and broadcast-derived address books, local ceremony evidence schema/bundle/checker, local release signature evidence schema/bundle/checker, non-local release evidence schema/template/checker, deterministic source verification input bundle, deterministic dependency artifact manifest baseline for the local rehearsal dependency, production dependency operations runbook, deterministic top-level release manifest, deterministic manifest checksum, generated ABI/bytecode checksum baseline, generated interface ID catalog, event topic catalog, ABI compatibility baseline, signable checksum bundle, non-local evidence intake runbook, and default check-script gate added; live fork rehearsal, production broadcast retention, production address books, live explorer verification, retained fork/testnet/live ceremony evidence contents, retained fork/testnet/live emergency redeployment evidence contents, actual production checksum signatures and signed tags, and fork/testnet/live production metadata browser evidence remain open | [`P2-UPGRADE-ADR`](https://github.com/6529-Collections/6529Stream/issues/53), [`P1-DEPLOY-002`](https://github.com/6529-Collections/6529Stream/issues/91), [`P1-RELEASE-001`](https://github.com/6529-Collections/6529Stream/issues/93), [`P1-RELEASE-002`](https://github.com/6529-Collections/6529Stream/issues/97), [`P1-DEPLOY-003`](https://github.com/6529-Collections/6529Stream/issues/95), [`P1-RELEASE-003`](https://github.com/6529-Collections/6529Stream/issues/99), 
[`P1-RELEASE-004`](https://github.com/6529-Collections/6529Stream/issues/101), [`P1-RELEASE-006`](https://github.com/6529-Collections/6529Stream/issues/105), [`P1-RELEASE-007`](https://github.com/6529-Collections/6529Stream/issues/107), [`P1-DEPLOY-004`](https://github.com/6529-Collections/6529Stream/issues/109), [`P1-META-003 dependency artifact packaging`](https://github.com/6529-Collections/6529Stream/issues/117), [`Dependency migration runbooks`](https://github.com/6529-Collections/6529Stream/issues/136), [`Live/fork metadata browser execution`](https://github.com/6529-Collections/6529Stream/issues/135), [`Dry-run auction ceremony rehearsal`](https://github.com/6529-Collections/6529Stream/issues/140), [`Local emergency redeployment rehearsal`](https://github.com/6529-Collections/6529Stream/issues/142), [`Deployment ceremony evidence bundle schema`](https://github.com/6529-Collections/6529Stream/issues/144), [`#156`](https://github.com/6529-Collections/6529Stream/issues/156), [`#168`](https://github.com/6529-Collections/6529Stream/issues/168), [`#170`](https://github.com/6529-Collections/6529Stream/issues/170) | Gate E/Gate G | TBD | -| Release artifact catalog | ABI checksums, bytecode checksums, standard/custom interface IDs, event topics, source verification inputs, dependency artifact manifests, broadcast-derived manifest inputs, ABI compatibility, gas snapshot baseline, address books, ceremony evidence, release signature evidence, non-local release evidence metadata, per-requirement public-beta evidence templates, machine-readable release manifest, signable checksum files, incident-response runbook, release-readiness dashboard, release-impact changelog policy, and the maintained non-local release evidence runbook/schema/template/checker are generated, checked, or hashed deterministically from current committed inputs and Foundry/deployment artifacts | `scripts/generate_release_artifacts.py`, `scripts/test_release_artifacts.py`, `forge snapshot --match-path 
test/StreamGasSnapshot.t.sol --check release-artifacts/baselines/v0.1.0/gas-snapshot.snap`, `scripts/generate_source_verification_inputs.py`, `scripts/test_source_verification_inputs.py`, `scripts/generate_dependency_artifact_manifest.py`, `scripts/test_dependency_artifact_manifest.py`, `scripts/check_abi_compatibility.py`, `scripts/test_abi_compatibility.py`, `scripts/generate_broadcast_manifest_input.py`, `scripts/test_broadcast_manifest_input.py`, `scripts/generate_deployment_manifest.py`, `scripts/test_deployment_manifest.py`, `scripts/generate_address_books.py`, `scripts/test_address_books.py`, `scripts/test_ceremony_evidence.py`, `scripts/check_ceremony_evidence.py`, `scripts/test_release_signatures.py`, `scripts/check_release_signatures.py`, `scripts/test_non_local_release_evidence.py`, `scripts/check_non_local_release_evidence.py`, `scripts/test_incident_response.py`, `scripts/check_incident_response.py`, `scripts/test_release_readiness.py`, `scripts/check_release_readiness.py`, `scripts/generate_release_manifest.py`, `scripts/test_release_manifest.py`, `scripts/generate_release_checksums.py`, `scripts/test_release_checksums.py`, `scripts/check_changelog.py`, `scripts/test_changelog_check.py`, `release-artifacts/latest/`, `release-artifacts/latest/source-verification-inputs.json`, `release-artifacts/latest/dependency-artifact-manifest.json`, `release-artifacts/latest/release-manifest.json`, `release-artifacts/signatures/`, `release-artifacts/schema/release-signature-evidence.schema.json`, `release-artifacts/schema/non-local-release-evidence.schema.json`, `release-artifacts/evidence/non-local-release-evidence-template.json`, `release-artifacts/evidence/non-local-template-retained-artifact.txt`, `release-artifacts/evidence/public-beta-templates/`, `release-artifacts/dependencies/`, `release-artifacts/baselines/v0.1.0/abi-surface.json`, `release-artifacts/baselines/v0.1.0/gas-snapshot.snap`, `deployments/broadcasts/`, `deployments/address-books/`, 
`deployments/ceremony-evidence/`, `deployments/schema/ceremony-evidence.schema.json`, `CHANGELOG.md`, `docs/incident-response.md`, `docs/public-beta-evidence.md`, `docs/non-local-release-evidence.md`, `docs/release-readiness.md`, and `docs/release-policy.md` | In Progress locally for the deterministic Gate G baseline: generator self-tests cover ABI hashing, bytecode hashing, event topic generation, configured standard interface IDs, computed selector XOR traceability, and drift detection; local gas snapshot check covers fixed-price mint, auction bid, auction settlement, curator reward claim, final on-chain `tokenURI`, and dependency/script reads; source-verification self-tests cover deterministic generation, check-mode drift, missing source/artifact errors, linked-bytecode reporting, constructor ABI retention, verification command templates, and ABI checksum mismatches; dependency-artifact self-tests cover deterministic generation, check-mode drift, missing artifact files, malformed dependency keys, duplicate dependency identity, and descriptor path-boundary validation; ABI compatibility self-tests cover compatible, additive, removed, changed, missing-contract, and check-mode drift cases; broadcast-ingestion self-tests cover deterministic generation, check-mode drift, wrong-chain broadcasts, missing/unexpected deployments, failed receipts, boolean receipt status rejection, receipt address mismatch, duplicate deployment names, and secret-like key rejection; address-book self-tests cover deterministic generation, drift detection, missing output directories, duplicate/invalid addresses, `source_dirty`, chain ID, lifecycle state, git commit, verification status, hash-format validation, missing metadata, missing release contracts, and unknown contracts; ceremony-evidence self-tests cover deterministic local evidence validation, required sections, stale hashes, missing referenced files, non-local retained artifacts, testnet verification status, and secret-like key 
rejection; release-signature self-tests cover local placeholder evidence, non-local placeholder rejection, signed-output verification requirements, production signed-output requirements, stale retained hashes, malformed confirmation depth, and secret-like value rejection; non-local release evidence self-tests cover the committed template, public-beta template coverage, duplicate public-beta template rejection, production-only template rejection, reviewed evidence, template reviewer placeholders, invalid reviewers, unknown requirement IDs, unsupported environments, retained path/hash drift, path escape, and secret-like key/value rejection; incident-response self-tests cover required maturity language, required runbook sections, emergency pause, withdrawal availability, signer revocation, retry/recovery, evidence retention, required links, required commands, missing linked files, and path-boundary rejection; release-readiness self-tests cover required maturity language, local/public-beta/production blocker separation, required evidence links, required commands, missing linked files, and path-boundary rejection including the non-local release evidence runbook; release-manifest self-tests cover deterministic generation, check-mode drift, missing required artifacts, required JSON schema versions, governance-doc hashing, release/deployment/broadcast metadata, source-verification/dependency-artifact/ceremony-evidence/gas-snapshot/signature-evidence/non-local-evidence coverage including nested public-beta templates, and explicit checksum-bundle self-reference policy; checksum-bundle self-tests cover deterministic generation, sorted SHA256SUMS output, dependency source coverage, manifest coverage, ceremony evidence coverage, gas snapshot coverage, release signature evidence coverage, non-local evidence coverage, self-reference exclusion, drift detection, deleted covered files, missing generated outputs, and missing covered roots; changelog self-tests cover release-impacting 
path detection, missing changelog edits, missing `Unreleased`, placeholder entries, and valid release notes. Actual production detached checksum signatures, signed tags, production address books, live explorer verification, verified live deployment hashes, fork/testnet/live ceremony evidence contents, fork/testnet/live randomizer operations evidence contents, reviewed non-local evidence contents, and external audit completion remain future Gate G work | [`P1-RELEASE-001`](https://github.com/6529-Collections/6529Stream/issues/93), [`P1-RELEASE-002`](https://github.com/6529-Collections/6529Stream/issues/97), [`P1-RELEASE-003`](https://github.com/6529-Collections/6529Stream/issues/99), [`P1-RELEASE-004`](https://github.com/6529-Collections/6529Stream/issues/101), [`P1-RELEASE-005`](https://github.com/6529-Collections/6529Stream/issues/103), [`P1-RELEASE-006`](https://github.com/6529-Collections/6529Stream/issues/105), [`P1-RELEASE-007`](https://github.com/6529-Collections/6529Stream/issues/107), [`P1-DEPLOY-004`](https://github.com/6529-Collections/6529Stream/issues/109), [`P1-META-003 dependency artifact packaging`](https://github.com/6529-Collections/6529Stream/issues/117), [`Deployment ceremony evidence bundle schema`](https://github.com/6529-Collections/6529Stream/issues/144), [`Local gas snapshot baseline`](https://github.com/6529-Collections/6529Stream/issues/146), [`#156`](https://github.com/6529-Collections/6529Stream/issues/156), [`#162`](https://github.com/6529-Collections/6529Stream/issues/162), [`#168`](https://github.com/6529-Collections/6529Stream/issues/168), [`#170`](https://github.com/6529-Collections/6529Stream/issues/170), [`#173`](https://github.com/6529-Collections/6529Stream/issues/173), [`#195`](https://github.com/6529-Collections/6529Stream/issues/195) | Gate G | TBD | +| Release artifact catalog | ABI checksums, bytecode checksums, standard/custom interface IDs, event topics, source verification inputs, dependency artifact manifests, 
broadcast-derived manifest inputs, ABI compatibility, gas snapshot baseline, address books, ceremony evidence, release signature evidence, non-local release evidence metadata, per-requirement public-beta and production-release evidence templates, machine-readable release manifest, signable checksum files, incident-response runbook, release-readiness dashboard, release-impact changelog policy, and the maintained non-local release evidence runbook/schema/template/checker are generated, checked, or hashed deterministically from current committed inputs and Foundry/deployment artifacts | `scripts/generate_release_artifacts.py`, `scripts/test_release_artifacts.py`, `forge snapshot --match-path test/StreamGasSnapshot.t.sol --check release-artifacts/baselines/v0.1.0/gas-snapshot.snap`, `scripts/generate_source_verification_inputs.py`, `scripts/test_source_verification_inputs.py`, `scripts/generate_dependency_artifact_manifest.py`, `scripts/test_dependency_artifact_manifest.py`, `scripts/check_abi_compatibility.py`, `scripts/test_abi_compatibility.py`, `scripts/generate_broadcast_manifest_input.py`, `scripts/test_broadcast_manifest_input.py`, `scripts/generate_deployment_manifest.py`, `scripts/test_deployment_manifest.py`, `scripts/generate_address_books.py`, `scripts/test_address_books.py`, `scripts/test_ceremony_evidence.py`, `scripts/check_ceremony_evidence.py`, `scripts/test_release_signatures.py`, `scripts/check_release_signatures.py`, `scripts/test_non_local_release_evidence.py`, `scripts/check_non_local_release_evidence.py`, `scripts/test_incident_response.py`, `scripts/check_incident_response.py`, `scripts/test_release_readiness.py`, `scripts/check_release_readiness.py`, `scripts/generate_release_manifest.py`, `scripts/test_release_manifest.py`, `scripts/generate_release_checksums.py`, `scripts/test_release_checksums.py`, `scripts/check_changelog.py`, `scripts/test_changelog_check.py`, `release-artifacts/latest/`, 
`release-artifacts/latest/source-verification-inputs.json`, `release-artifacts/latest/dependency-artifact-manifest.json`, `release-artifacts/latest/release-manifest.json`, `release-artifacts/signatures/`, `release-artifacts/schema/release-signature-evidence.schema.json`, `release-artifacts/schema/non-local-release-evidence.schema.json`, `release-artifacts/evidence/non-local-release-evidence-template.json`, `release-artifacts/evidence/non-local-template-retained-artifact.txt`, `release-artifacts/evidence/public-beta-templates/`, `release-artifacts/evidence/production-release-templates/`, `release-artifacts/dependencies/`, `release-artifacts/baselines/v0.1.0/abi-surface.json`, `release-artifacts/baselines/v0.1.0/gas-snapshot.snap`, `deployments/broadcasts/`, `deployments/address-books/`, `deployments/ceremony-evidence/`, `deployments/schema/ceremony-evidence.schema.json`, `CHANGELOG.md`, `docs/incident-response.md`, `docs/public-beta-evidence.md`, `docs/non-local-release-evidence.md`, `docs/release-readiness.md`, and `docs/release-policy.md` | In Progress locally for the deterministic Gate G baseline: generator self-tests cover ABI hashing, bytecode hashing, event topic generation, configured standard interface IDs, computed selector XOR traceability, and drift detection; local gas snapshot check covers fixed-price mint, auction bid, auction settlement, curator reward claim, final on-chain `tokenURI`, and dependency/script reads; source-verification self-tests cover deterministic generation, check-mode drift, missing source/artifact errors, linked-bytecode reporting, constructor ABI retention, verification command templates, and ABI checksum mismatches; dependency-artifact self-tests cover deterministic generation, check-mode drift, missing artifact files, malformed dependency keys, duplicate dependency identity, and descriptor path-boundary validation; ABI compatibility self-tests cover compatible, additive, removed, changed, missing-contract, and check-mode drift 
cases; broadcast-ingestion self-tests cover deterministic generation, check-mode drift, wrong-chain broadcasts, missing/unexpected deployments, failed receipts, boolean receipt status rejection, receipt address mismatch, duplicate deployment names, and secret-like key rejection; address-book self-tests cover deterministic generation, drift detection, missing output directories, duplicate/invalid addresses, `source_dirty`, chain ID, lifecycle state, git commit, verification status, hash-format validation, missing metadata, missing release contracts, and unknown contracts; ceremony-evidence self-tests cover deterministic local evidence validation, required sections, stale hashes, missing referenced files, non-local retained artifacts, testnet verification status, and secret-like key rejection; release-signature self-tests cover local placeholder evidence, non-local placeholder rejection, signed-output verification requirements, production signed-output requirements, stale retained hashes, malformed confirmation depth, and secret-like value rejection; non-local release evidence self-tests cover the committed template, public-beta and production-release template coverage, duplicate public-beta and production-release template rejection, wrong-phase template rejection, reviewed evidence, template reviewer placeholders, invalid reviewers, unknown requirement IDs, unsupported environments, retained path/hash drift, path escape, and secret-like key/value rejection; incident-response self-tests cover required maturity language, required runbook sections, emergency pause, withdrawal availability, signer revocation, retry/recovery, evidence retention, required links, required commands, missing linked files, and path-boundary rejection; release-readiness self-tests cover required maturity language, local/public-beta/production blocker separation, required evidence links, required commands, missing linked files, and path-boundary rejection including the non-local release 
evidence runbook; release-manifest self-tests cover deterministic generation, check-mode drift, missing required artifacts, required JSON schema versions, governance-doc hashing, release/deployment/broadcast metadata, source-verification/dependency-artifact/ceremony-evidence/gas-snapshot/signature-evidence/non-local-evidence coverage including nested public-beta and production-release templates, and explicit checksum-bundle self-reference policy; checksum-bundle self-tests cover deterministic generation, sorted SHA256SUMS output, dependency source coverage, manifest coverage, ceremony evidence coverage, gas snapshot coverage, release signature evidence coverage, non-local evidence coverage, self-reference exclusion, drift detection, deleted covered files, missing generated outputs, and missing covered roots; changelog self-tests cover release-impacting path detection, missing changelog edits, missing `Unreleased`, placeholder entries, and valid release notes. Actual production detached checksum signatures, signed tags, production address books, live explorer verification, verified live deployment hashes, fork/testnet/live ceremony evidence contents, fork/testnet/live randomizer operations evidence contents, reviewed non-local evidence contents, and external audit completion remain future Gate G work | [`P1-RELEASE-001`](https://github.com/6529-Collections/6529Stream/issues/93), [`P1-RELEASE-002`](https://github.com/6529-Collections/6529Stream/issues/97), [`P1-RELEASE-003`](https://github.com/6529-Collections/6529Stream/issues/99), [`P1-RELEASE-004`](https://github.com/6529-Collections/6529Stream/issues/101), [`P1-RELEASE-005`](https://github.com/6529-Collections/6529Stream/issues/103), [`P1-RELEASE-006`](https://github.com/6529-Collections/6529Stream/issues/105), [`P1-RELEASE-007`](https://github.com/6529-Collections/6529Stream/issues/107), [`P1-DEPLOY-004`](https://github.com/6529-Collections/6529Stream/issues/109), [`P1-META-003 dependency artifact 
packaging`](https://github.com/6529-Collections/6529Stream/issues/117), [`Deployment ceremony evidence bundle schema`](https://github.com/6529-Collections/6529Stream/issues/144), [`Local gas snapshot baseline`](https://github.com/6529-Collections/6529Stream/issues/146), [`#156`](https://github.com/6529-Collections/6529Stream/issues/156), [`#162`](https://github.com/6529-Collections/6529Stream/issues/162), [`#168`](https://github.com/6529-Collections/6529Stream/issues/168), [`#170`](https://github.com/6529-Collections/6529Stream/issues/170), [`#173`](https://github.com/6529-Collections/6529Stream/issues/173), [`#195`](https://github.com/6529-Collections/6529Stream/issues/195), [`#199`](https://github.com/6529-Collections/6529Stream/issues/199) | Gate G | TBD | | Mint-accounting state | Dead counters are removed or retained counters initialize and update according to the accepted drop/mint accounting design | `test/StreamMintAccounting.t.sol` | Passing: removed never-written public/allowlist mint-count mappings and retrieval APIs; retained airdrop counter starts at zero, increments on authorized minter calls, and remains unchanged on unauthorized mint attempts | [`P0-CORE-001`](https://github.com/6529-Collections/6529Stream/issues/13) | Gate C | TBD | | Uninitialized local findings | First-party default-local behavior is explicit, removed, or covered by targeted regressions | `test/StreamInitialization.t.sol` | Passing: Bytes32 character counts, missing/matching delegation lookups, subdelegation register/revoke gates, empty-script generative rendering, and multi-recipient minter return indexes cover the remaining first-party production rows; Slither now reports only one accepted test-only `uninitialized-local` row | [`P0-INIT-001`](https://github.com/6529-Collections/6529Stream/issues/15) | Gate C | TBD | | Vendored library Slither findings | Retained OpenZeppelin utility files have provenance, local delta notes, and regressions for flagged math/encoding behavior | 
`test/StreamVendoredLibraries.t.sol` | Passing: Base64 golden/padding vectors, `Math.mulDiv` full-precision boundaries, rounding-up behavior, overflow, and zero-denominator reverts cover the current vendored false-positive rows | [`P0-LIB-001`](https://github.com/6529-Collections/6529Stream/issues/11) | Gate F | TBD | diff --git a/release-artifacts/README.md b/release-artifacts/README.md index 3da7227d..48c1c1d6 100644 --- a/release-artifacts/README.md +++ b/release-artifacts/README.md @@ -127,6 +127,11 @@ public-beta requirement ID plus a shared retained-artifact placeholder. These templates are release artifacts and checksum-covered operator starting points, not completion evidence. +`evidence/production-release-templates/` contains one checked template JSON for +each production-release requirement ID plus a shared retained-artifact +placeholder. These templates are release artifacts and checksum-covered +operator starting points, not completion evidence. + `drop-authorization-signing/drop-authorization-signing-evidence-template.json` is the checked no-secret template for future reviewed drop authorization signing ceremonies. Its schema lives at @@ -160,8 +165,8 @@ artifacts, dependency artifact descriptors/source files, ABI compatibility baseline, deployment manifest config/examples, address books, ceremony evidence bundles, randomizer operations evidence, release signature evidence, drop authorization signing evidence, signer custody readiness evidence, artifact -schemas, non-local release evidence metadata, public-beta evidence status, and -release manifest. Treat +schemas, non-local release evidence metadata and templates, public-beta +evidence status, and release manifest. Treat `SHA256SUMS` as the signable checksum file for a release; the committed local signature evidence records that production detached signatures and signed tags remain a maintainer release-ceremony step. 
diff --git a/release-artifacts/evidence/production-release-templates/README.md b/release-artifacts/evidence/production-release-templates/README.md
new file mode 100644
index 00000000..0b0af9a2
--- /dev/null
+++ b/release-artifacts/evidence/production-release-templates/README.md
@@ -0,0 +1,21 @@
+# Production Release Evidence Templates
+
+These files are checked, public-safe templates for the production-release
+requirement rows in `release-artifacts/latest/public-beta-evidence.json`.
+
+They are not completion evidence. Each JSON file uses
+`record_type: "template"` and `review_status: "template"`, points at the
+shared retained-artifact placeholder, and keeps production release blocked
+until a future operator replaces the placeholder with reviewed no-secret
+evidence.
+
+Before using a template for real evidence:
+
+1. Copy the matching JSON shape for the production requirement ID.
+2. Replace the template-only environment, chain, command, reference, retained
+ path, digest, owner, reviewer, and notes with reviewed public data.
+3. Keep raw operator logs, credentials, private URLs, signing material, and
+ unreleased drop payloads outside this repository.
+4. Run `python scripts/check_non_local_release_evidence.py` on the evidence
+ JSON and `python scripts/check_public_beta_evidence.py` after linking it
+ from the public-beta evidence manifest.
diff --git a/release-artifacts/evidence/production-release-templates/live-ceremony-evidence-template.json b/release-artifacts/evidence/production-release-templates/live-ceremony-evidence-template.json
new file mode 100644
index 00000000..3af35e10
--- /dev/null
+++ b/release-artifacts/evidence/production-release-templates/live-ceremony-evidence-template.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "6529stream.non-local-release-evidence.v1",
+ "evidence_id": "production-release-template-live-ceremony-evidence",
+ "record_type": "template",
+ "review_status": "template",
+ "environment": "live",
+ "chain_id": 1,
+ "block_or_reference": "template-only live ceremony transcript, multisig transaction set, or deployment version",
+ "command_or_source_system": "template-only ceremony transcript, multisig UI export, explorer source, or reviewer source",
+ "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt",
+ "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf",
+ "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.",
+ "owner": "TBD",
+ "reviewer": "TBD",
+ "public_beta_requirement_id": "live_ceremony_evidence",
+ "source": {
+ "repository": "https://github.com/6529-Collections/6529Stream",
+ "git_commit": "0000000000000000000000000000000000000000",
+ "source_dirty": false,
+ "ci_run": "template"
+ },
+ "redaction_policy": {
+ "no_secrets": true,
+ "redacted_fields": [
+ "private_key",
+ "mnemonic",
+ "seed_phrase",
+ "api_key",
+ "rpc_url",
+ "unreleased_drop_payload"
+ ]
+ },
+ "template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.",
+ "operator_notes": "Replace this template with admin, signer, metadata, auction, and emergency ceremony evidence, ownership transfers, role grants, Safe or multisig transaction IDs, dry-run outputs, and reviewer confirmation."
+}
diff --git a/release-artifacts/evidence/production-release-templates/live-deployment-manifest-template.json b/release-artifacts/evidence/production-release-templates/live-deployment-manifest-template.json
new file mode 100644
index 00000000..b1bdee75
--- /dev/null
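Review bot: The requirement ID on the `public_beta_requirement_id` line is a production-release ID (`live_ceremony_evidence`), and the same key carries `live_deployment_manifest`, `live_explorer_verification`, `live_randomizer_operations_evidence`, `post_audit_remediation`, `production_address_books`, `production_broadcast_retention`, `production_signatures` and `signed_git_tag` in the sibling template hunks that follow, so the field name now misdescribes the phase these files serve. The key is presumably fixed by the shared `6529stream.non-local-release-evidence.v1` schema and renaming it would break the checker, so the fix belongs in the directory README rather than here: `The public_beta_requirement_id key is the schema's shared requirement-ID field; templates in this directory carry production-release requirement IDs in it.` Separately, the `source` object pairs an all-zero `git_commit` and `"ci_run": "template"` with `"source_dirty": false`; the hunk does not show whether the checker rejects those placeholders once an operator changes `review_status`, so it is worth confirming that a partially edited copy cannot pass as reviewed evidence on the strength of `record_type`/`review_status` alone.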
+++ b/release-artifacts/evidence/production-release-templates/live-deployment-manifest-template.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "6529stream.non-local-release-evidence.v1",
+ "evidence_id": "production-release-template-live-deployment-manifest",
+ "record_type": "template",
+ "review_status": "template",
+ "environment": "live",
+ "chain_id": 1,
+ "block_or_reference": "template-only live deployment version, release commit, or manifest reference",
+ "command_or_source_system": "template-only deployment manifest generation command, production input source, or reviewer source",
+ "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt",
+ "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf",
+ "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.",
+ "owner": "TBD",
+ "reviewer": "TBD",
+ "public_beta_requirement_id": "live_deployment_manifest",
+ "source": {
+ "repository": "https://github.com/6529-Collections/6529Stream",
+ "git_commit": "0000000000000000000000000000000000000000",
+ "source_dirty": false,
+ "ci_run": "template"
+ },
+ "redaction_policy": {
+ "no_secrets": true,
+ "redacted_fields": [
+ "private_key",
+ "mnemonic",
+ "seed_phrase",
+ "api_key",
+ "rpc_url",
+ "unreleased_drop_payload"
+ ]
+ },
+ "template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.",
+ "operator_notes": "Replace this template with live deployment manifests generated from production inputs and broadcasts, deployment version, contract addresses, config digest, and reviewer confirmation."
+}
diff --git a/release-artifacts/evidence/production-release-templates/live-explorer-verification-template.json b/release-artifacts/evidence/production-release-templates/live-explorer-verification-template.json
new file mode 100644
index 00000000..52b170c8
--- /dev/null
+++ b/release-artifacts/evidence/production-release-templates/live-explorer-verification-template.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "6529stream.non-local-release-evidence.v1",
+ "evidence_id": "production-release-template-live-explorer-verification",
+ "record_type": "template",
+ "review_status": "template",
+ "environment": "live",
+ "chain_id": 1,
+ "block_or_reference": "template-only verified contract address, explorer submission ID, or deployment version",
+ "command_or_source_system": "template-only explorer verification output, source verification input, or reviewer source",
+ "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt",
+ "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf",
+ "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.",
+ "owner": "TBD",
+ "reviewer": "TBD",
+ "public_beta_requirement_id": "live_explorer_verification",
+ "source": {
+ "repository": "https://github.com/6529-Collections/6529Stream",
+ "git_commit": "0000000000000000000000000000000000000000",
+ "source_dirty": false,
+ "ci_run": "template"
+ },
+ "redaction_policy": {
+ "no_secrets": true,
+ "redacted_fields": [
+ "private_key",
+ "mnemonic",
+ "seed_phrase",
+ "api_key",
+ "rpc_url",
+ "unreleased_drop_payload"
+ ]
+ },
+ "template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.",
+ "operator_notes": "Replace this template with explorer verification outputs and verified-source links for live contracts, compiler settings, source verification references, and reviewer confirmation."
+}
diff --git a/release-artifacts/evidence/production-release-templates/live-randomizer-operations-evidence-template.json b/release-artifacts/evidence/production-release-templates/live-randomizer-operations-evidence-template.json
new file mode 100644
index 00000000..4038c23f
--- /dev/null
+++ b/release-artifacts/evidence/production-release-templates/live-randomizer-operations-evidence-template.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "6529stream.non-local-release-evidence.v1",
+ "evidence_id": "production-release-template-live-randomizer-operations-evidence",
+ "record_type": "template",
+ "review_status": "template",
+ "environment": "live",
+ "chain_id": 1,
+ "block_or_reference": "template-only live provider epoch, request health reference, or deployment version",
+ "command_or_source_system": "template-only randomizer provider source, operations transcript, monitoring source, or reviewer source",
+ "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt",
+ "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf",
+ "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.",
+ "owner": "TBD",
+ "reviewer": "TBD",
+ "public_beta_requirement_id": "live_randomizer_operations_evidence",
+ "source": {
+ "repository": "https://github.com/6529-Collections/6529Stream",
+ "git_commit": "0000000000000000000000000000000000000000",
+ "source_dirty": false,
+ "ci_run": "template"
+ },
+ "redaction_policy": {
+ "no_secrets": true,
+ "redacted_fields": [
+ "private_key",
+ "mnemonic",
+ "seed_phrase",
+ "api_key",
+ "rpc_url",
+ "unreleased_drop_payload"
+ ]
+ },
+ "template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.",
+ "operator_notes": "Replace this template with provider configuration, funding and reserve status, request health, migration checks, stale or failed request handling, retry evidence, pause and emergency evidence, and reviewer confirmation."
+}
diff --git a/release-artifacts/evidence/production-release-templates/post-audit-remediation-template.json b/release-artifacts/evidence/production-release-templates/post-audit-remediation-template.json
new file mode 100644
index 00000000..00e1f200
--- /dev/null
+++ b/release-artifacts/evidence/production-release-templates/post-audit-remediation-template.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "6529stream.non-local-release-evidence.v1",
+ "evidence_id": "production-release-template-post-audit-remediation",
+ "record_type": "template",
+ "review_status": "template",
+ "environment": "audit",
+ "chain_id": "not_applicable",
+ "block_or_reference": "template-only audit report, remediation issue set, retest reference, or release note",
+ "command_or_source_system": "template-only audit tracker, public report, remediation review, or reviewer source",
+ "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt",
+ "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf",
+ "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.",
+ "owner": "TBD",
+ "reviewer": "TBD",
+ "public_beta_requirement_id": "post_audit_remediation",
+ "source": {
+ "repository": "https://github.com/6529-Collections/6529Stream",
+ "git_commit": "0000000000000000000000000000000000000000",
+ "source_dirty": false,
+ "ci_run": "template"
+ },
+ "redaction_policy": {
+ "no_secrets": true,
+ "redacted_fields": [
+ "private_key",
+ "mnemonic",
+ "seed_phrase",
+ "api_key",
+ "rpc_url",
+ "unreleased_drop_payload"
+ ]
+ },
+ "template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.",
+ "operator_notes": "Replace this template with finding-by-finding remediation evidence, accepted risk records, retest status, release notes, and reviewer confirmation."
+}
diff --git a/release-artifacts/evidence/production-release-templates/production-address-books-template.json b/release-artifacts/evidence/production-release-templates/production-address-books-template.json
new file mode 100644
index 00000000..f90696e4
--- /dev/null
+++ b/release-artifacts/evidence/production-release-templates/production-address-books-template.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "6529stream.non-local-release-evidence.v1",
+ "evidence_id": "production-release-template-production-address-books",
+ "record_type": "template",
+ "review_status": "template",
+ "environment": "live",
+ "chain_id": 1,
+ "block_or_reference": "template-only live deployment version, chain ID, or address-book reference",
+ "command_or_source_system": "template-only address-book generation command, manifest source, or reviewer source",
+ "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt",
+ "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf",
+ "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.",
+ "owner": "TBD",
+ "reviewer": "TBD",
+ "public_beta_requirement_id": "production_address_books",
+ "source": {
+ "repository": "https://github.com/6529-Collections/6529Stream",
+ "git_commit": "0000000000000000000000000000000000000000",
+ "source_dirty": false,
+ "ci_run": "template"
+ },
+ "redaction_policy": {
+ "no_secrets": true,
+ "redacted_fields": [
+ "private_key",
+ "mnemonic",
+ "seed_phrase",
+ "api_key",
+ "rpc_url",
+ "unreleased_drop_payload"
+ ]
+ },
+ "template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.",
+ "operator_notes": "Replace this template with production address books generated from live deployment manifests, chain IDs, release version, address checksum, and reviewer confirmation."
+}
diff --git a/release-artifacts/evidence/production-release-templates/production-broadcast-retention-template.json b/release-artifacts/evidence/production-release-templates/production-broadcast-retention-template.json
new file mode 100644
index 00000000..11f8af4c
--- /dev/null
+++ b/release-artifacts/evidence/production-release-templates/production-broadcast-retention-template.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "6529stream.non-local-release-evidence.v1",
+ "evidence_id": "production-release-template-production-broadcast-retention",
+ "record_type": "template",
+ "review_status": "template",
+ "environment": "live",
+ "chain_id": 1,
+ "block_or_reference": "template-only live broadcast block, transaction hash set, or deployment version",
+ "command_or_source_system": "template-only Foundry broadcast source, broadcast manifest generator, or reviewer source",
+ "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt",
+ "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf",
+ "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.",
+ "owner": "TBD",
+ "reviewer": "TBD",
+ "public_beta_requirement_id": "production_broadcast_retention",
+ "source": {
+ "repository": "https://github.com/6529-Collections/6529Stream",
+ "git_commit": "0000000000000000000000000000000000000000",
+ "source_dirty": false,
+ "ci_run": "template"
+ },
+ "redaction_policy": {
+ "no_secrets": true,
+ "redacted_fields": [
+ "private_key",
+ "mnemonic",
+ "seed_phrase",
+ "api_key",
+ "rpc_url",
+ "unreleased_drop_payload"
+ ]
+ },
+ "template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.",
+ "operator_notes": "Replace this template with sanitized live Foundry broadcast outputs, derived manifest inputs, redaction confirmation, and reviewer confirmation."
+}
diff --git a/release-artifacts/evidence/production-release-templates/production-signatures-template.json b/release-artifacts/evidence/production-release-templates/production-signatures-template.json
new file mode 100644
index 00000000..8912c613
--- /dev/null
+++ b/release-artifacts/evidence/production-release-templates/production-signatures-template.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "6529stream.non-local-release-evidence.v1",
+ "evidence_id": "production-release-template-production-signatures",
+ "record_type": "template",
+ "review_status": "template",
+ "environment": "release_signing",
+ "chain_id": "not_applicable",
+ "block_or_reference": "template-only checksum bundle, detached signature, signer fingerprint, or release reference",
+ "command_or_source_system": "template-only signature verification command, signing ceremony transcript, or release CI source",
+ "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt",
+ "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf",
+ "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.",
+ "owner": "TBD",
+ "reviewer": "TBD",
+ "public_beta_requirement_id": "production_signatures",
+ "source": {
+ "repository": "https://github.com/6529-Collections/6529Stream",
+ "git_commit": "0000000000000000000000000000000000000000",
+ "source_dirty": false,
+ "ci_run": "template"
+ },
+ "redaction_policy": {
+ "no_secrets": true,
+ "redacted_fields": [
+ "private_key",
+ "mnemonic",
+ "seed_phrase",
+ "api_key",
+ "rpc_url",
+ "unreleased_drop_payload"
+ ]
+ },
+ "template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.",
+ "operator_notes": "Replace this template with detached checksum signature evidence, public key fingerprint, signing command, checksum bundle path and digest, custody summary, verification output, and reviewer confirmation."
+}
diff --git a/release-artifacts/evidence/production-release-templates/retained-artifact-template.txt b/release-artifacts/evidence/production-release-templates/retained-artifact-template.txt
new file mode 100644
index 00000000..f1cddf35
--- /dev/null
+++ b/release-artifacts/evidence/production-release-templates/retained-artifact-template.txt
@@ -0,0 +1,11 @@
+Production release retained artifact template.
+
+This file is a public, sanitized placeholder used by the per-requirement
+metadata templates in this directory. It is not completion evidence and does
+not prove public beta or production readiness.
+
+For real evidence, replace this placeholder with a retained public artifact
+that identifies the environment, chain or release reference, command or source
+system, reviewer, redaction boundary, and matching production-release
+requirement ID. Keep raw operator logs, credentials, private URLs, signing
+material, and unreleased drop payloads outside the public repository.
diff --git a/release-artifacts/evidence/production-release-templates/signed-git-tag-template.json b/release-artifacts/evidence/production-release-templates/signed-git-tag-template.json
new file mode 100644
index 00000000..f2bfba4a
--- /dev/null
+++ b/release-artifacts/evidence/production-release-templates/signed-git-tag-template.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "6529stream.non-local-release-evidence.v1",
+ "evidence_id": "production-release-template-signed-git-tag",
+ "record_type": "template",
+ "review_status": "template",
+ "environment": "release_signing",
+ "chain_id": "not_applicable",
+ "block_or_reference": "template-only signed release tag, release commit, or verification reference",
+ "command_or_source_system": "template-only git verify-tag output, signing ceremony transcript, or release CI source",
+ "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt",
+ "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf",
+ "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.",
+ "owner": "TBD",
+ "reviewer": "TBD",
+ "public_beta_requirement_id": "signed_git_tag",
+ "source": {
+ "repository": "https://github.com/6529-Collections/6529Stream",
+ "git_commit": "0000000000000000000000000000000000000000",
+ "source_dirty": false,
+ "ci_run": "template"
+ },
+ "redaction_policy": {
+ "no_secrets": true,
+ "redacted_fields": [
+ "private_key",
+ "mnemonic",
+ "seed_phrase",
+ "api_key",
+ "rpc_url",
+ "unreleased_drop_payload"
+ ]
+ },
+ "template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.",
+ "operator_notes": "Replace this template with signed Git tag evidence, git verify-tag output, release commit hash, tag signer and custody summary, and reviewer confirmation."
+}
diff --git a/release-artifacts/latest/SHA256SUMS b/release-artifacts/latest/SHA256SUMS
index b19250bd..434f1bef 100644
--- a/release-artifacts/latest/SHA256SUMS
+++ b/release-artifacts/latest/SHA256SUMS
@@ -21,6 +21,17 @@ e072f786d66e7052ff1d63f1c5e6a3fc9ef46c986bd2f0a1843626a5dc21cccc release-artifa f0f190f1c87106e3a773735e03bda9c281f7c77e15dc8dfe5d83c431bf4f58a2 release-artifacts/drop-authorization-signing/drop-authorization-signing-retained-artifact.txt 577180f7815fe7ad8fc4d0ddd364824b4dcf7a1cb3c5ff4920f4e282d12fdec7 release-artifacts/evidence/non-local-release-evidence-template.json 62a31be301ecadcfa41b110289b992bf28b69990feaacf7dd823fd56d60eddbd release-artifacts/evidence/non-local-template-retained-artifact.txt +781f27485dfc84bd794a641451648214624ac11fcc787fbe886c898a17b721f0 release-artifacts/evidence/production-release-templates/README.md +c0b2cc5b0dc2cd09bf6f1e40b552594a73d3b9cc51be2b6315b7a89c0670056c release-artifacts/evidence/production-release-templates/live-ceremony-evidence-template.json +716fa053608bef3fadae7b7f93b106887d6591c034e79cc497105c23264d843c release-artifacts/evidence/production-release-templates/live-deployment-manifest-template.json +b2b2dda2e2b7b1d1c7d5904d5a7e73b08ce46d98a9cd7466a1f275b1dbdbf8d0 release-artifacts/evidence/production-release-templates/live-explorer-verification-template.json +96e77dc2756188225e16dc9b61622dd70d2b5b9899cc3d74d3602b0a7a4554a2 release-artifacts/evidence/production-release-templates/live-randomizer-operations-evidence-template.json +dcd8d2fea45da3bf5ad0e7ad33d29a89fb0b2384ee0b7daab3c6a7a84f5bffad release-artifacts/evidence/production-release-templates/post-audit-remediation-template.json +53a0f1e246d092a39076d06bb1e227f991e3e538ab7a1b4b61d666729f38051f release-artifacts/evidence/production-release-templates/production-address-books-template.json +840f065ddcbd06853dbe2a981a622f61ef5266d0c71bdab002fa1160a3f815b8 release-artifacts/evidence/production-release-templates/production-broadcast-retention-template.json +78dbbf46699762fbd67bc81df0058c1439ba156788871fafbfdc856f19c65920 release-artifacts/evidence/production-release-templates/production-signatures-template.json 
+14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf release-artifacts/evidence/production-release-templates/retained-artifact-template.txt +a07ca4585a2c5af083508ce92b37fac56dde4a4b0154dd6c72aeb7d72a747283 release-artifacts/evidence/production-release-templates/signed-git-tag-template.json 094bf96aaf399af4e8b5d85d70b7821f471648c64b91799b4c75950f58db5a03 release-artifacts/evidence/public-beta-templates/README.md f51dbdde6ec1a46707722883c97100f5dd025812f2a46cf7bafbceaeb98107c3 release-artifacts/evidence/public-beta-templates/explorer-verification-status-template.json d78918bf21de89e5d64a3d4963eae4583b3eccef1ba19cd459a0b97097b53d08 release-artifacts/evidence/public-beta-templates/external-audit-report-template.json @@ -38,7 +49,7 @@ eaf8b2f463512fb2ceecf19cb23da2d146583e6d6a3aeda0066172e71cbba089 release-artifa 3ac41c7b070d6ad6a858d2829d54d77b00dc44879058f60f3b01b20fce744a49 release-artifacts/latest/public-beta-blockers.md 3b75cde36f75662061011af793d4c9240a1fec6447294ce0e3ee1d331d729b4d release-artifacts/latest/public-beta-evidence.json 9ff4283a72a51f7b770b8a217b9f7f8b5dde793af14532c80572186bc7acf6d5 release-artifacts/latest/release-artifact-manifest.json -9d2429e8994eb2e1d16edf22df67663ec9c65cdc325ddcbeab80cadb0933a297 release-artifacts/latest/release-manifest.json +effbefa362e8298a8663b39ded6e8db8611cb573414104445bd3e8f9b27b806b release-artifacts/latest/release-manifest.json 374fce4bc46746d61cbae487cf6cb549cb40b5db5a95951568ed4455669af33a release-artifacts/latest/source-verification-inputs.json 60e0efe388b974d81bfad266a1c9fb10d55c3104ae24ba268e6e68441edc4370 release-artifacts/schema/drop-authorization-signing-evidence.schema.json 5a5aede0ab1b7bee194e495bdac98e0f37b814879be62a72ce819be07da82c1a release-artifacts/schema/non-local-release-evidence.schema.json diff --git a/release-artifacts/latest/release-checksums.json b/release-artifacts/latest/release-checksums.json index 155a01bd..49803c62 100644 --- a/release-artifacts/latest/release-checksums.json 
+++ b/release-artifacts/latest/release-checksums.json @@ -27,7 +27,7 @@ "text_checksum_file": { "path": "release-artifacts/latest/SHA256SUMS", "format": "sha256sum", - "sha256": "sha256:c49d3a538b6fd282ec2b92937b49a6b5352717b54e09e94ef687b8a4f680451c" + "sha256": "sha256:f5fcd2c78a6c42be08f22aeb3ed9aba301441fc46a70688042a7f868eedf4bf5" }, "manifest_file": { "path": "release-artifacts/latest/release-checksums.json", 
@@ -149,6 +149,61 @@ "sha256": "sha256:62a31be301ecadcfa41b110289b992bf28b69990feaacf7dd823fd56d60eddbd", "size_bytes": 285 }, + { + "path": "release-artifacts/evidence/production-release-templates/README.md", + "sha256": "sha256:781f27485dfc84bd794a641451648214624ac11fcc787fbe886c898a17b721f0", + "size_bytes": 1060 + }, + { + "path": "release-artifacts/evidence/production-release-templates/live-ceremony-evidence-template.json", + "sha256": "sha256:c0b2cc5b0dc2cd09bf6f1e40b552594a73d3b9cc51be2b6315b7a89c0670056c", + "size_bytes": 1681 + }, + { + "path": "release-artifacts/evidence/production-release-templates/live-deployment-manifest-template.json", + "sha256": "sha256:716fa053608bef3fadae7b7f93b106887d6591c034e79cc497105c23264d843c", + "size_bytes": 1659 + }, + { + "path": "release-artifacts/evidence/production-release-templates/live-explorer-verification-template.json", + "sha256": "sha256:b2b2dda2e2b7b1d1c7d5904d5a7e73b08ce46d98a9cd7466a1f275b1dbdbf8d0", + "size_bytes": 1662 + }, + { + "path": "release-artifacts/evidence/production-release-templates/live-randomizer-operations-evidence-template.json", + "sha256": "sha256:96e77dc2756188225e16dc9b61622dd70d2b5b9899cc3d74d3602b0a7a4554a2", + "size_bytes": 1728 + }, + { + "path": "release-artifacts/evidence/production-release-templates/post-audit-remediation-template.json", + "sha256": "sha256:dcd8d2fea45da3bf5ad0e7ad33d29a89fb0b2384ee0b7daab3c6a7a84f5bffad", + "size_bytes": 1628 + }, + { + "path": "release-artifacts/evidence/production-release-templates/production-address-books-template.json", + "sha256": "sha256:53a0f1e246d092a39076d06bb1e227f991e3e538ab7a1b4b61d666729f38051f", + "size_bytes": 1625 + }, + { + "path": "release-artifacts/evidence/production-release-templates/production-broadcast-retention-template.json", + "sha256": "sha256:840f065ddcbd06853dbe2a981a622f61ef5266d0c71bdab002fa1160a3f815b8", + "size_bytes": 1626 + }, + { + "path": 
"release-artifacts/evidence/production-release-templates/production-signatures-template.json", + "sha256": "sha256:78dbbf46699762fbd67bc81df0058c1439ba156788871fafbfdc856f19c65920", + "size_bytes": 1712 + }, + { + "path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf", + "size_bytes": 616 + }, + { + "path": "release-artifacts/evidence/production-release-templates/signed-git-tag-template.json", + "sha256": "sha256:a07ca4585a2c5af083508ce92b37fac56dde4a4b0154dd6c72aeb7d72a747283", + "size_bytes": 1624 + }, { "path": "release-artifacts/evidence/public-beta-templates/README.md", "sha256": "sha256:094bf96aaf399af4e8b5d85d70b7821f471648c64b91799b4c75950f58db5a03", @@ -236,8 +291,8 @@ }, { "path": "release-artifacts/latest/release-manifest.json", - "sha256": "sha256:9d2429e8994eb2e1d16edf22df67663ec9c65cdc325ddcbeab80cadb0933a297", - "size_bytes": 59348 + "sha256": "sha256:effbefa362e8298a8663b39ded6e8db8611cb573414104445bd3e8f9b27b806b", + "size_bytes": 83115 }, { "path": "release-artifacts/latest/source-verification-inputs.json", diff --git a/release-artifacts/latest/release-manifest.json b/release-artifacts/latest/release-manifest.json index 5b2d7db7..99d39fa6 100644 --- a/release-artifacts/latest/release-manifest.json +++ b/release-artifacts/latest/release-manifest.json 
@@ -249,6 +249,429 @@ "operator_notes": "Copy this shape for real retained evidence, replace every template value with reviewed no-secret data, and link the resulting JSON from release-artifacts/latest/public-beta-evidence.json only after review." } }, + { + "path": "release-artifacts/evidence/production-release-templates/live-ceremony-evidence-template.json", + "sha256": "sha256:c0b2cc5b0dc2cd09bf6f1e40b552594a73d3b9cc51be2b6315b7a89c0670056c", + "size_bytes": 1681, + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-live-ceremony-evidence", + "record_type": "template", + "review_status": "template", + "environment": "live", + "public_beta_requirement_id": "live_ceremony_evidence", + "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "evidence": { + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-live-ceremony-evidence", + "record_type": "template", + "review_status": "template", + "environment": "live", + "chain_id": 1, + "block_or_reference": "template-only live ceremony transcript, multisig transaction set, or deployment version", + "command_or_source_system": "template-only ceremony transcript, multisig UI export, explorer source, or reviewer source", + "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf", + "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.", + "owner": "TBD", + "reviewer": "TBD", + "public_beta_requirement_id": "live_ceremony_evidence", + "source": { + "repository": "https://github.com/6529-Collections/6529Stream", + "git_commit": "0000000000000000000000000000000000000000", + "source_dirty": false, + "ci_run": "template" + }, + 
"redaction_policy": { + "no_secrets": true, + "redacted_fields": [ + "private_key", + "mnemonic", + "seed_phrase", + "api_key", + "rpc_url", + "unreleased_drop_payload" + ] + }, + "template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.", + "operator_notes": "Replace this template with admin, signer, metadata, auction, and emergency ceremony evidence, ownership transfers, role grants, Safe or multisig transaction IDs, dry-run outputs, and reviewer confirmation." + } + }, + { + "path": "release-artifacts/evidence/production-release-templates/live-deployment-manifest-template.json", + "sha256": "sha256:716fa053608bef3fadae7b7f93b106887d6591c034e79cc497105c23264d843c", + "size_bytes": 1659, + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-live-deployment-manifest", + "record_type": "template", + "review_status": "template", + "environment": "live", + "public_beta_requirement_id": "live_deployment_manifest", + "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "evidence": { + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-live-deployment-manifest", + "record_type": "template", + "review_status": "template", + "environment": "live", + "chain_id": 1, + "block_or_reference": "template-only live deployment version, release commit, or manifest reference", + "command_or_source_system": "template-only deployment manifest generation command, production input source, or reviewer source", + "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf", + "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.", + "owner": "TBD", 
+ "reviewer": "TBD", + "public_beta_requirement_id": "live_deployment_manifest", + "source": { + "repository": "https://github.com/6529-Collections/6529Stream", + "git_commit": "0000000000000000000000000000000000000000", + "source_dirty": false, + "ci_run": "template" + }, + "redaction_policy": { + "no_secrets": true, + "redacted_fields": [ + "private_key", + "mnemonic", + "seed_phrase", + "api_key", + "rpc_url", + "unreleased_drop_payload" + ] + }, + "template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.", + "operator_notes": "Replace this template with live deployment manifests generated from production inputs and broadcasts, deployment version, contract addresses, config digest, and reviewer confirmation." + } + }, + { + "path": "release-artifacts/evidence/production-release-templates/live-explorer-verification-template.json", + "sha256": "sha256:b2b2dda2e2b7b1d1c7d5904d5a7e73b08ce46d98a9cd7466a1f275b1dbdbf8d0", + "size_bytes": 1662, + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-live-explorer-verification", + "record_type": "template", + "review_status": "template", + "environment": "live", + "public_beta_requirement_id": "live_explorer_verification", + "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "evidence": { + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-live-explorer-verification", + "record_type": "template", + "review_status": "template", + "environment": "live", + "chain_id": 1, + "block_or_reference": "template-only verified contract address, explorer submission ID, or deployment version", + "command_or_source_system": "template-only explorer verification output, source verification input, or reviewer source", + "retained_path": 
"release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf", + "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.", + "owner": "TBD", + "reviewer": "TBD", + "public_beta_requirement_id": "live_explorer_verification", + "source": { + "repository": "https://github.com/6529-Collections/6529Stream", + "git_commit": "0000000000000000000000000000000000000000", + "source_dirty": false, + "ci_run": "template" + }, + "redaction_policy": { + "no_secrets": true, + "redacted_fields": [ + "private_key", + "mnemonic", + "seed_phrase", + "api_key", + "rpc_url", + "unreleased_drop_payload" + ] + }, + "template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.", + "operator_notes": "Replace this template with explorer verification outputs and verified-source links for live contracts, compiler settings, source verification references, and reviewer confirmation." 
+ } + }, + { + "path": "release-artifacts/evidence/production-release-templates/live-randomizer-operations-evidence-template.json", + "sha256": "sha256:96e77dc2756188225e16dc9b61622dd70d2b5b9899cc3d74d3602b0a7a4554a2", + "size_bytes": 1728, + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-live-randomizer-operations-evidence", + "record_type": "template", + "review_status": "template", + "environment": "live", + "public_beta_requirement_id": "live_randomizer_operations_evidence", + "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "evidence": { + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-live-randomizer-operations-evidence", + "record_type": "template", + "review_status": "template", + "environment": "live", + "chain_id": 1, + "block_or_reference": "template-only live provider epoch, request health reference, or deployment version", + "command_or_source_system": "template-only randomizer provider source, operations transcript, monitoring source, or reviewer source", + "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf", + "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.", + "owner": "TBD", + "reviewer": "TBD", + "public_beta_requirement_id": "live_randomizer_operations_evidence", + "source": { + "repository": "https://github.com/6529-Collections/6529Stream", + "git_commit": "0000000000000000000000000000000000000000", + "source_dirty": false, + "ci_run": "template" + }, + "redaction_policy": { + "no_secrets": true, + "redacted_fields": [ + "private_key", + "mnemonic", + "seed_phrase", + "api_key", + "rpc_url", + "unreleased_drop_payload" + ] + }, + 
"template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.", + "operator_notes": "Replace this template with provider configuration, funding and reserve status, request health, migration checks, stale or failed request handling, retry evidence, pause and emergency evidence, and reviewer confirmation." + } + }, + { + "path": "release-artifacts/evidence/production-release-templates/post-audit-remediation-template.json", + "sha256": "sha256:dcd8d2fea45da3bf5ad0e7ad33d29a89fb0b2384ee0b7daab3c6a7a84f5bffad", + "size_bytes": 1628, + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-post-audit-remediation", + "record_type": "template", + "review_status": "template", + "environment": "audit", + "public_beta_requirement_id": "post_audit_remediation", + "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "evidence": { + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-post-audit-remediation", + "record_type": "template", + "review_status": "template", + "environment": "audit", + "chain_id": "not_applicable", + "block_or_reference": "template-only audit report, remediation issue set, retest reference, or release note", + "command_or_source_system": "template-only audit tracker, public report, remediation review, or reviewer source", + "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf", + "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.", + "owner": "TBD", + "reviewer": "TBD", + "public_beta_requirement_id": "post_audit_remediation", + "source": { + "repository": "https://github.com/6529-Collections/6529Stream", + 
"git_commit": "0000000000000000000000000000000000000000", + "source_dirty": false, + "ci_run": "template" + }, + "redaction_policy": { + "no_secrets": true, + "redacted_fields": [ + "private_key", + "mnemonic", + "seed_phrase", + "api_key", + "rpc_url", + "unreleased_drop_payload" + ] + }, + "template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.", + "operator_notes": "Replace this template with finding-by-finding remediation evidence, accepted risk records, retest status, release notes, and reviewer confirmation." + } + }, + { + "path": "release-artifacts/evidence/production-release-templates/production-address-books-template.json", + "sha256": "sha256:53a0f1e246d092a39076d06bb1e227f991e3e538ab7a1b4b61d666729f38051f", + "size_bytes": 1625, + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-production-address-books", + "record_type": "template", + "review_status": "template", + "environment": "live", + "public_beta_requirement_id": "production_address_books", + "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "evidence": { + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-production-address-books", + "record_type": "template", + "review_status": "template", + "environment": "live", + "chain_id": 1, + "block_or_reference": "template-only live deployment version, chain ID, or address-book reference", + "command_or_source_system": "template-only address-book generation command, manifest source, or reviewer source", + "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf", + "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop 
payloads are present.", + "owner": "TBD", + "reviewer": "TBD", + "public_beta_requirement_id": "production_address_books", + "source": { + "repository": "https://github.com/6529-Collections/6529Stream", + "git_commit": "0000000000000000000000000000000000000000", + "source_dirty": false, + "ci_run": "template" + }, + "redaction_policy": { + "no_secrets": true, + "redacted_fields": [ + "private_key", + "mnemonic", + "seed_phrase", + "api_key", + "rpc_url", + "unreleased_drop_payload" + ] + }, + "template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.", + "operator_notes": "Replace this template with production address books generated from live deployment manifests, chain IDs, release version, address checksum, and reviewer confirmation." + } + }, + { + "path": "release-artifacts/evidence/production-release-templates/production-broadcast-retention-template.json", + "sha256": "sha256:840f065ddcbd06853dbe2a981a622f61ef5266d0c71bdab002fa1160a3f815b8", + "size_bytes": 1626, + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-production-broadcast-retention", + "record_type": "template", + "review_status": "template", + "environment": "live", + "public_beta_requirement_id": "production_broadcast_retention", + "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "evidence": { + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-production-broadcast-retention", + "record_type": "template", + "review_status": "template", + "environment": "live", + "chain_id": 1, + "block_or_reference": "template-only live broadcast block, transaction hash set, or deployment version", + "command_or_source_system": "template-only Foundry broadcast source, broadcast manifest generator, or reviewer source", + "retained_path": 
"release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf", + "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.", + "owner": "TBD", + "reviewer": "TBD", + "public_beta_requirement_id": "production_broadcast_retention", + "source": { + "repository": "https://github.com/6529-Collections/6529Stream", + "git_commit": "0000000000000000000000000000000000000000", + "source_dirty": false, + "ci_run": "template" + }, + "redaction_policy": { + "no_secrets": true, + "redacted_fields": [ + "private_key", + "mnemonic", + "seed_phrase", + "api_key", + "rpc_url", + "unreleased_drop_payload" + ] + }, + "template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.", + "operator_notes": "Replace this template with sanitized live Foundry broadcast outputs, derived manifest inputs, redaction confirmation, and reviewer confirmation." 
+ } + }, + { + "path": "release-artifacts/evidence/production-release-templates/production-signatures-template.json", + "sha256": "sha256:78dbbf46699762fbd67bc81df0058c1439ba156788871fafbfdc856f19c65920", + "size_bytes": 1712, + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-production-signatures", + "record_type": "template", + "review_status": "template", + "environment": "release_signing", + "public_beta_requirement_id": "production_signatures", + "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "evidence": { + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-production-signatures", + "record_type": "template", + "review_status": "template", + "environment": "release_signing", + "chain_id": "not_applicable", + "block_or_reference": "template-only checksum bundle, detached signature, signer fingerprint, or release reference", + "command_or_source_system": "template-only signature verification command, signing ceremony transcript, or release CI source", + "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf", + "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.", + "owner": "TBD", + "reviewer": "TBD", + "public_beta_requirement_id": "production_signatures", + "source": { + "repository": "https://github.com/6529-Collections/6529Stream", + "git_commit": "0000000000000000000000000000000000000000", + "source_dirty": false, + "ci_run": "template" + }, + "redaction_policy": { + "no_secrets": true, + "redacted_fields": [ + "private_key", + "mnemonic", + "seed_phrase", + "api_key", + "rpc_url", + "unreleased_drop_payload" + ] + }, + "template_notice": "Template only. 
This file is not completion evidence and does not mark public beta or production ready.", + "operator_notes": "Replace this template with detached checksum signature evidence, public key fingerprint, signing command, checksum bundle path and digest, custody summary, verification output, and reviewer confirmation." + } + }, + { + "path": "release-artifacts/evidence/production-release-templates/signed-git-tag-template.json", + "sha256": "sha256:a07ca4585a2c5af083508ce92b37fac56dde4a4b0154dd6c72aeb7d72a747283", + "size_bytes": 1624, + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-signed-git-tag", + "record_type": "template", + "review_status": "template", + "environment": "release_signing", + "public_beta_requirement_id": "signed_git_tag", + "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "evidence": { + "schema_version": "6529stream.non-local-release-evidence.v1", + "evidence_id": "production-release-template-signed-git-tag", + "record_type": "template", + "review_status": "template", + "environment": "release_signing", + "chain_id": "not_applicable", + "block_or_reference": "template-only signed release tag, release commit, or verification reference", + "command_or_source_system": "template-only git verify-tag output, signing ceremony transcript, or release CI source", + "retained_path": "release-artifacts/evidence/production-release-templates/retained-artifact-template.txt", + "sha256": "sha256:14c52bd76a54d453a9cf33b70f0db1cc60545e3dfa224eb7b386ea988d3fbadf", + "redaction_statement": "Template only; no raw logs, credentials, signing material, private URLs, or unreleased drop payloads are present.", + "owner": "TBD", + "reviewer": "TBD", + "public_beta_requirement_id": "signed_git_tag", + "source": { + "repository": "https://github.com/6529-Collections/6529Stream", + "git_commit": "0000000000000000000000000000000000000000", + "source_dirty": 
false, + "ci_run": "template" + }, + "redaction_policy": { + "no_secrets": true, + "redacted_fields": [ + "private_key", + "mnemonic", + "seed_phrase", + "api_key", + "rpc_url", + "unreleased_drop_payload" + ] + }, + "template_notice": "Template only. This file is not completion evidence and does not mark public beta or production ready.", + "operator_notes": "Replace this template with signed Git tag evidence, git verify-tag output, release commit hash, tag signer and custody summary, and reviewer confirmation." + } + }, { "path": "release-artifacts/evidence/public-beta-templates/explorer-verification-status-template.json", "sha256": "sha256:f51dbdde6ec1a46707722883c97100f5dd025812f2a46cf7bafbceaeb98107c3", @@ -1145,8 +1568,8 @@ "release_notes_and_policy": { "changelog": { "path": "CHANGELOG.md", - "sha256": "sha256:e513a3f3b012a51c5390f895c96ff858ece0494e6f1891a0337eefcb5ef0d412", - "size_bytes": 14899 + "sha256": "sha256:f0cde856d37d3ea064251de90102070e60eed7215f63cc0e9f2cf30502f69bce", + "size_bytes": 15197 }, "governance_docs": [ { @@ -1176,13 +1599,13 @@ }, { "path": "docs/public-beta-evidence.md", - "sha256": "sha256:52f1d2b48cc4d42e7a6df2b311f400241cfd3329c5934e4a67d0cb3f431d6b11", - "size_bytes": 8099 + "sha256": "sha256:78cd9196503461a2d1256c0c6780223f7c7bced646b53e15e7edcc1f21a3d7c3", + "size_bytes": 8527 }, { "path": "docs/non-local-release-evidence.md", - "sha256": "sha256:e2806156c25a01e74eb0e459cf1549b4f19929a545ce09bd41d8fc732c88c1aa", - "size_bytes": 15157 + "sha256": "sha256:e7e74aab99f452901c0af3a0f68aa9a84aafa1137ffcbf664b05aad02e3f614a", + "size_bytes": 15512 }, { "path": "docs/architecture.md", 
@@ -1216,13 +1639,13 @@ }, { "path": "docs/release-readiness.md", - "sha256": "sha256:a40a750a7398dd69c6ef402d6f0cb466ed25f101fd014beaaa4a5931ffefe3ca", - "size_bytes": 17947 + "sha256": "sha256:6259e4d780fa7241053d5909228e61e0b075a0a14027ecc0afd4ff578fff1bf9", + "size_bytes": 18325 }, { "path": "docs/tooling.md", - "sha256": "sha256:0352139e6ef0123dce3df84a054025c8f55491d42dda8757bf1fb7aa77202e05", - "size_bytes": 21173 + "sha256": "sha256:f43c7daa4f84ef36d0978334243cd5f39ce0985b4e923b326671625b81632161", + "size_bytes": 21291 }, { "path": "docs/status.md", diff --git a/scripts/check_non_local_release_evidence.py b/scripts/check_non_local_release_evidence.py index 7e9c8d5f..dfa4c094 100644 --- a/scripts/check_non_local_release_evidence.py +++ b/scripts/check_non_local_release_evidence.py @@ -20,6 +20,12 @@ ] PUBLIC_BETA_TEMPLATE_DIR = Path("release-artifacts/evidence/public-beta-templates") PUBLIC_BETA_TEMPLATE_REQUIREMENTS = frozenset(public_beta_checker.PUBLIC_BETA_REQUIREMENTS) +PRODUCTION_RELEASE_TEMPLATE_DIR = Path( + "release-artifacts/evidence/production-release-templates" +) +PRODUCTION_RELEASE_TEMPLATE_REQUIREMENTS = frozenset( + public_beta_checker.PRODUCTION_REQUIREMENTS +) TOP_LEVEL_FIELDS = frozenset( { 
@@ -221,33 +227,52 @@ def valid_requirement_ids() -> frozenset[str]: ) -def public_beta_template_paths(repo_root: Path) -> list[Path]: - """Return committed public-beta template metadata files.""" - template_dir = repo_root / PUBLIC_BETA_TEMPLATE_DIR +def template_paths(repo_root: Path, template_dir_path: Path, label: str) -> list[Path]: + """Return committed template metadata files for one release phase.""" + template_dir = repo_root / template_dir_path if not template_dir.is_dir(): raise NonLocalReleaseEvidenceError( - f"missing public-beta template directory: {PUBLIC_BETA_TEMPLATE_DIR}" + f"missing {label} template directory: {template_dir_path}" ) - return sorted(template_dir.rglob("*.json")) + return sorted(path for path in template_dir.rglob("*.json") if path.is_file()) + + +def public_beta_template_paths(repo_root: Path) -> list[Path]: + """Return committed public-beta template metadata files.""" + return template_paths(repo_root, PUBLIC_BETA_TEMPLATE_DIR, "public-beta") + + +def production_release_template_paths(repo_root: Path) -> list[Path]: + """Return committed production-release template metadata files.""" + return template_paths( + repo_root, PRODUCTION_RELEASE_TEMPLATE_DIR, "production-release" + ) def default_evidence_paths(repo_root: Path) -> list[Path]: """Return the default non-local evidence files checked by the CLI.""" - return [repo_root / path for path in DEFAULT_EVIDENCE] + public_beta_template_paths( - repo_root + return ( + [repo_root / path for path in DEFAULT_EVIDENCE] + + public_beta_template_paths(repo_root) + + production_release_template_paths(repo_root) ) -def validate_public_beta_template_set(repo_root: Path) -> None: - """Require one template metadata file for each public-beta requirement.""" +def validate_template_set( + repo_root: Path, + paths: list[Path], + expected_requirements: frozenset[str], + label: str, +) -> None: + """Require one template metadata file for each release phase requirement.""" by_requirement: dict[str, 
Path] = {} - for path in public_beta_template_paths(repo_root): + for path in paths: evidence = require_dict(load_json(path), str(path)) try: validate_evidence_document(evidence, repo_root, str(path)) except NonLocalReleaseEvidenceError as exc: raise NonLocalReleaseEvidenceError( - f"invalid public-beta template {path}: {exc}" + f"invalid {label} template {path}: {exc}" ) from exc record_type = require_string(evidence.get("record_type"), f"{path}.record_type") 
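Review bot: `template_paths` at the top of the hunk keeps `rglob("*.json")`, so any JSON file in a nested subdirectory of the template directory is treated as a template and will either satisfy coverage or trip the duplicate check — an archived copy under something like `production-release-templates/old/` would do that silently. If the template directories are meant to be flat (the committed ones in this diff appear to be), `glob("*.json")` states that intent; if nesting is deliberate, a one-line comment on the function saying so would help, since the new `is_file()` filter only excludes directories and broken entries. Separately, `label` is used only in messages and is easy to swap positionally with `template_dir_path`; making it keyword-only, `def template_paths(repo_root: Path, template_dir_path: Path, *, label: str) -> list[Path]:`, costs nothing because both callers are in this hunk. `validate_template_set`'s body continues outside the hunk.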
@@ -266,24 +291,44 @@ def validate_public_beta_template_set(repo_root: Path) -> None: evidence.get("public_beta_requirement_id"), f"{path}.public_beta_requirement_id", ) - if requirement_id not in PUBLIC_BETA_TEMPLATE_REQUIREMENTS: + if requirement_id not in expected_requirements: raise NonLocalReleaseEvidenceError( - f"{path} maps to non-public-beta requirement: {requirement_id}" + f"{path} maps to non-{label} requirement: {requirement_id}" ) if requirement_id in by_requirement: raise NonLocalReleaseEvidenceError( - "duplicate public-beta template for " + f"duplicate {label} template for " f"{requirement_id}: {by_requirement[requirement_id]} and {path}" ) by_requirement[requirement_id] = path - missing = sorted(PUBLIC_BETA_TEMPLATE_REQUIREMENTS - set(by_requirement)) + missing = sorted(expected_requirements - set(by_requirement)) if missing: raise NonLocalReleaseEvidenceError( - "missing public-beta template(s): " + ", ".join(missing) + f"missing {label} template(s): " + ", ".join(missing) ) +def validate_public_beta_template_set(repo_root: Path) -> None: + """Require one template metadata file for each public-beta requirement.""" + validate_template_set( + repo_root, + public_beta_template_paths(repo_root), + PUBLIC_BETA_TEMPLATE_REQUIREMENTS, + "public-beta", + ) + + +def validate_production_release_template_set(repo_root: Path) -> None: + """Require one template metadata file for each production-release requirement.""" + validate_template_set( + repo_root, + production_release_template_paths(repo_root), + PRODUCTION_RELEASE_TEMPLATE_REQUIREMENTS, + "production-release", + ) + + def validate_chain_id(environment: str, value: Any) -> None: """Validate chain ID according to environment.""" if environment in CHAINLESS_ENVIRONMENTS: 
@@ -409,7 +454,8 @@ def parse_args(argv: list[str]) -> argparse.Namespace: type=Path, help=( "Evidence metadata JSON files to validate. Defaults to the generic " - "non-local template plus every public-beta template." + "non-local template plus every public-beta and production-release " + "template." ), ) return parser.parse_args(argv) @@ -431,6 +477,7 @@ def main(argv: list[str] | None = None) -> int: validate_evidence(path, repo_root) if not explicit_paths: validate_public_beta_template_set(repo_root) + validate_production_release_template_set(repo_root) except NonLocalReleaseEvidenceError as exc: print(f"non-local release evidence check failed: {exc}", file=sys.stderr) return 1 diff --git a/scripts/test_non_local_release_evidence.py b/scripts/test_non_local_release_evidence.py index 9aadb8b8..bc3345a4 100644 --- a/scripts/test_non_local_release_evidence.py +++ b/scripts/test_non_local_release_evidence.py @@ -103,6 +103,31 @@ def valid_public_beta_template(root: Path, requirement_id: str) -> dict[str, obj return evidence +def valid_production_release_template( + root: Path, requirement_id: str +) -> dict[str, object]: + """Build a valid production-release requirement template.""" + retained = seed_retained_artifact( + root, + "release-artifacts/evidence/production-release-templates/retained-artifact.txt", + ) + evidence = valid_evidence(root, record_type="template") + evidence.update( + { + "evidence_id": f"production-release-template-{requirement_id}", + "public_beta_requirement_id": requirement_id, + "retained_path": retained["path"], + "sha256": retained["sha256"], + "environment": "live", + "chain_id": 1, + "block_or_reference": "template-only production reference", + "command_or_source_system": "template-only production source", + "operator_notes": f"Template for {requirement_id}.", + } + ) + return evidence + + class NonLocalReleaseEvidenceTests(unittest.TestCase): """Checker behavior for non-local release evidence metadata.""" 
@@ -133,6 +158,24 @@ def test_committed_public_beta_templates_cover_required_ids(self) -> None:
 )
 checker.validate_public_beta_template_set(repo_root)
+ def test_committed_production_release_templates_cover_required_ids(self) -> None:
+ """Default templates cover each production-release requirement exactly once."""
+ repo_root = Path(__file__).resolve().parents[1]
+
+ paths = checker.production_release_template_paths(repo_root)
+ requirements = {}
+ for path in paths:
+ data = checker.load_json(path)
+ requirements[data["public_beta_requirement_id"]] = data
+ self.assertEqual(data["record_type"], "template")
+ self.assertEqual(data["review_status"], "template")
+
+ self.assertEqual(
+ set(requirements),
+ set(checker.PRODUCTION_RELEASE_TEMPLATE_REQUIREMENTS),
+ )
+ checker.validate_production_release_template_set(repo_root)
+
 def test_rejects_missing_public_beta_template(self) -> None:
 """The template set must include every public-beta requirement."""
 with tempfile.TemporaryDirectory() as temp_dir:
@@ -152,6 +195,25 @@ def test_rejects_missing_public_beta_template(self) -> None:
 ):
 checker.validate_public_beta_template_set(root)
+ def test_rejects_missing_production_release_template(self) -> None:
+ """The template set must include every production-release requirement."""
+ with tempfile.TemporaryDirectory() as temp_dir:
+ root = Path(temp_dir)
+ template_dir = root / checker.PRODUCTION_RELEASE_TEMPLATE_DIR
+ template_dir.mkdir(parents=True)
+ write_json(
+ template_dir / "only-one.json",
+ valid_production_release_template(
+ root, sorted(checker.PRODUCTION_RELEASE_TEMPLATE_REQUIREMENTS)[0]
+ ),
+ )
+
+ with self.assertRaisesRegex(
+ checker.NonLocalReleaseEvidenceError,
+ "missing production-release template",
+ ):
+ checker.validate_production_release_template_set(root)
+
 def test_rejects_duplicate_public_beta_template(self) -> None:
 """The template set cannot map two files to the same requirement."""
 with tempfile.TemporaryDirectory() as temp_dir:
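Review bot: In `test_committed_production_release_templates_cover_required_ids` the `requirements` dict's values are never read, and keying on the requirement ID means two committed files carrying the same ID collapse to one entry before the `assertEqual`, so the docstring's "exactly once" is only enforced by the trailing `validate_production_release_template_set` call, not by the test's own assertion. Collecting the IDs in a list and comparing with `self.assertCountEqual(seen_ids, checker.PRODUCTION_RELEASE_TEMPLATE_REQUIREMENTS)` would assert coverage and uniqueness in one step and name the offending ID on failure. The public-beta sibling whose tail is the context above may share this shape; its body is not visible here. The second hunk on this line (`test_rejects_missing_production_release_template`) raises nothing.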
@@ -174,6 +236,28 @@ def test_rejects_duplicate_public_beta_template(self) -> None:
 ):
 checker.validate_public_beta_template_set(root)
+ def test_rejects_duplicate_production_release_template(self) -> None:
+ """The production template set cannot map two files to the same row."""
+ with tempfile.TemporaryDirectory() as temp_dir:
+ root = Path(temp_dir)
+ template_dir = root / checker.PRODUCTION_RELEASE_TEMPLATE_DIR
+ template_dir.mkdir(parents=True)
+ requirement_id = sorted(checker.PRODUCTION_RELEASE_TEMPLATE_REQUIREMENTS)[0]
+ write_json(
+ template_dir / "first.json",
+ valid_production_release_template(root, requirement_id),
+ )
+ write_json(
+ template_dir / "second.json",
+ valid_production_release_template(root, requirement_id),
+ )
+
+ with self.assertRaisesRegex(
+ checker.NonLocalReleaseEvidenceError,
+ "duplicate production-release template",
+ ):
+ checker.validate_production_release_template_set(root)
+
 def test_rejects_production_requirement_in_public_beta_template_set(self) -> None:
 """Production-only rows do not satisfy public-beta template coverage."""
 with tempfile.TemporaryDirectory() as temp_dir:
@@ -191,6 +275,23 @@ def test_rejects_production_requirement_in_public_beta_template_set(self) -> Non
 ):
 checker.validate_public_beta_template_set(root)
+ def test_rejects_public_beta_requirement_in_production_template_set(self) -> None:
+ """Public-beta rows do not satisfy production-release template coverage."""
+ with tempfile.TemporaryDirectory() as temp_dir:
+ root = Path(temp_dir)
+ template_dir = root / checker.PRODUCTION_RELEASE_TEMPLATE_DIR
+ template_dir.mkdir(parents=True)
+ write_json(
+ template_dir / "public-beta.json",
+ valid_production_release_template(root, "external_audit_report"),
+ )
+
+ with self.assertRaisesRegex(
+ checker.NonLocalReleaseEvidenceError,
+ "non-production-release requirement",
+ ):
+ checker.validate_production_release_template_set(root)
+
 def test_accepts_reviewed_evidence(self) -> None:
 """Reviewed non-local evidence accepts a real reviewer."""
 with tempfile.TemporaryDirectory() as temp_dir:
diff --git a/scripts/test_release_manifest.py b/scripts/test_release_manifest.py
index 91e556cc..6d5ac67a 100644
--- a/scripts/test_release_manifest.py
+++ b/scripts/test_release_manifest.py
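Review bot: `test_rejects_public_beta_requirement_in_production_template_set` hard-codes `"external_audit_report"` as the foreign ID, so the test silently depends on that ID staying in the public-beta set and out of the production-release set; if the lists are later reconciled the test stops exercising the boundary its docstring describes. Derive the ID instead, e.g. `foreign_id = sorted(checker.PUBLIC_BETA_TEMPLATE_REQUIREMENTS - checker.PRODUCTION_RELEASE_TEMPLATE_REQUIREMENTS)[0]`, assuming both constants are sets as the `-` in the checker suggests, and the fixture will track the requirement lists as they evolve. Whether the sibling `test_rejects_production_requirement_in_public_beta_template_set` (only its tail is visible above) uses a literal the same way cannot be seen here.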
@@ -658,6 +658,50 @@ def seed_release_tree(root: Path) -> dict[str, Path]:
 "operator_notes": "nested local template only",
 },
 )
+ write_json(
+ non_local_evidence_dir
+ / "production-release-templates"
+ / "production-signatures-template.json",
+ {
+ "schema_version": "6529stream.non-local-release-evidence.v1",
+ "evidence_id": "production-release-template-production-signatures",
+ "record_type": "template",
+ "review_status": "template",
+ "environment": "release_signing",
+ "chain_id": "not_applicable",
+ "block_or_reference": "TBD",
+ "command_or_source_system": "TBD",
+ "retained_path": (
+ "release-artifacts/evidence/non-local-template-retained-artifact.txt"
+ ),
+ "sha256": generator.file_sha256(non_local_retained_artifact),
+ "redaction_statement": "Template contains no secrets and no completion evidence.",
+ "owner": "TBD",
+ "reviewer": "TBD",
+ "public_beta_requirement_id": "production_signatures",
+ "source": {
+ "repository": "https://github.com/6529-Collections/6529Stream",
+ "git_commit": "0" * 40,
+ "source_dirty": False,
+ "ci_run": "local",
+ },
+ "redaction_policy": {
+ "no_secrets": True,
+ "redacted_fields": [
+ "private_key",
+ "mnemonic",
+ "api_key",
+ "rpc_url",
+ "unreleased_drop_payload",
+ ],
+ },
+ "template_notice": (
+ "This template is not completion evidence and must be replaced "
+ "by reviewed evidence before any production status changes."
+ ),
+ "operator_notes": "nested production local template only",
+ },
+ )
 write_json(
 non_local_evidence_dir / "public-beta-templates" / "operator-notes.json",
 {
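Review bot: This forty-line literal appears to repeat the nested public-beta template written immediately above it (whose closing `"operator_notes": "nested local template only"` is the context), differing only in the target path, `evidence_id`, `environment`/`chain_id`, `public_beta_requirement_id` and notes; a small helper that builds the common fields and takes those as arguments would keep the fixtures from drifting apart the next time the schema gains a field. If it stays inline, a comment above the `write_json` such as `# chainless production-release template in the nested directory: exercises release_signing / not_applicable` would tell a reader why its values differ from the public-beta fixture. `seed_release_tree` continues outside this hunk, so whether a helper already exists for the other templates is not visible here.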
@@ -1036,6 +1080,20 @@ def test_generator_writes_deterministic_manifest(self) -> None:
 nested_template["public_beta_requirement_id"],
 "testnet_deployment_rehearsal",
 )
+ production_template = {
+ row["evidence_id"]: row for row in non_local_evidence_rows
+ }["production-release-template-production-signatures"]
+ self.assertEqual(
+ production_template["path"],
+ (
+ "release-artifacts/evidence/production-release-templates/"
+ "production-signatures-template.json"
+ ),
+ )
+ self.assertEqual(
+ production_template["public_beta_requirement_id"],
+ "production_signatures",
+ )
 self.assertNotIn(
 "release-artifacts/evidence/public-beta-templates/operator-notes.json",
 {row["path"] for row in non_local_evidence_rows},
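Review bot: The index `{row["evidence_id"]: row for row in non_local_evidence_rows}` is rebuilt inline for this lookup (and, judging by the `nested_template` context above, presumably for the earlier one too), and if the generator drops the row the test dies with a bare `KeyError` instead of an assertion message naming what is missing. Build it once, `rows_by_id = {row["evidence_id"]: row for row in non_local_evidence_rows}`, then `self.assertIn("production-release-template-production-signatures", rows_by_id)` before indexing. `test_generator_writes_deterministic_manifest` starts above this hunk.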