Add non-local evidence generator #252

Merged: punk6529 merged 4 commits into main from codex/non-local-evidence-generator on Jun 13, 2026

punk6529 (Contributor) commented Jun 13, 2026

Summary

  • Add scripts/generate_non_local_release_evidence.py, a no-secret helper that builds checker-compatible evidence metadata from an existing requirement template plus a retained artifact and computes the retained artifact digest automatically.
  • Add focused generator tests for pending evidence generation, --check drift detection, missing retained artifacts, and reviewed-evidence reviewer enforcement.
  • Wire the generator test into local check scripts, document the safe operator workflow, refresh roadmap/run-state traceability, changelog, release manifest, and release checksums without changing readiness claims.

Closes #251.

Validation

  • python -m py_compile scripts/generate_non_local_release_evidence.py scripts/test_non_local_release_evidence_generator.py
  • python scripts/test_non_local_release_evidence_generator.py
  • python scripts/test_non_local_release_evidence.py
  • python scripts/check_non_local_release_evidence.py
  • python scripts/test_release_readiness.py
  • python scripts/check_release_readiness.py
  • python scripts/test_release_manifest.py
  • python scripts/generate_release_manifest.py --check
  • python scripts/test_release_checksums.py
  • python scripts/generate_release_checksums.py --check
  • python scripts/test_changelog_check.py
  • python scripts/check_changelog.py
  • bash -n scripts/check.sh
  • PowerShell parser syntax check for scripts/check.ps1
  • rg -n "^#|^##|^###" ops\ROADMAP.md ops\AUTONOMOUS_RUN.md docs\non-local-release-evidence.md docs\tooling.md
  • git diff --check

Summary by CodeRabbit

  • New Features

    • Added a non-local release evidence metadata generator that produces validated metadata envelopes and supports a --check drift-detection mode.
  • Documentation

    • Added a runbook and updated intake/tooling docs with usage examples, guidance on generating envelopes, review expectations, and intake workflow steps.
  • Tests

    • Added unit/smoke tests for the generator and integrated them into local verification scripts.
  • Chores

    • Updated release manifests and checksum records for affected artifacts.
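
The digest-and-drift-check pattern this description summarizes, sketched as an added example (it is not the project's generator script). The field names, the `build_evidence` and `write_or_check` helpers, and the `EvidenceError` type are assumptions made for illustration.

```python
import hashlib
import json
from pathlib import Path


class EvidenceError(Exception):
    """Raised when an envelope cannot be generated safely."""


def sha256_file(path: Path) -> str:
    """Stream the file so large retained artifacts are not loaded at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_evidence(template: dict, artifact: Path,
                   review_status: str = "pending", reviewer: str = "") -> dict:
    """Merge a requirement template with facts computed from the artifact."""
    if not artifact.is_file():
        raise EvidenceError(f"retained artifact not found: {artifact}")
    if review_status == "reviewed" and not reviewer:
        raise EvidenceError("reviewed evidence must name a reviewer")
    evidence = dict(template)  # hypothetical field names throughout
    evidence["retained_artifact"] = {
        "path": artifact.name,
        "sha256": sha256_file(artifact),  # computed, never typed by hand
        "size_bytes": artifact.stat().st_size,
    }
    evidence["review_status"] = review_status
    if reviewer:
        evidence["reviewer"] = reviewer
    return evidence


def render(evidence: dict) -> bytes:
    """Deterministic bytes: sorted keys and fixed indent keep diffs stable."""
    return (json.dumps(evidence, indent=2, sort_keys=True) + "\n").encode("utf-8")


def write_or_check(evidence: dict, out: Path, check: bool = False) -> bool:
    """Write the envelope, or in check mode report whether it is current."""
    expected = render(evidence)
    if check:
        return out.is_file() and out.read_bytes() == expected
    out.write_bytes(expected)
    return True
```

In check mode nothing is written: a `False` result means the committed envelope no longer matches what the template and retained artifact would produce now, which is the drift a CI gate should fail on.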

claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

coderabbitai Bot commented Jun 13, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1208bd1b-9bc6-46e6-a14e-46eba992a407

📥 Commits

Reviewing files that changed from the base of the PR and between a61b53b and ca1126e.

📒 Files selected for processing (9)
  • docs/non-local-release-evidence.md
  • ops/AUTONOMOUS_RUN.md
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-evidence-issue-backlog.json
  • release-artifacts/latest/release-evidence-issue-body-sync.json
  • release-artifacts/latest/release-evidence-issue-body-sync.md
  • release-artifacts/latest/release-evidence-packet-index.json
  • release-artifacts/latest/release-manifest.json
✅ Files skipped from review due to trivial changes (5)
  • release-artifacts/latest/release-evidence-packet-index.json
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-evidence-issue-backlog.json
  • release-artifacts/latest/release-manifest.json
  • release-artifacts/latest/SHA256SUMS
🚧 Files skipped from review as they are similar to previous changes (3)
  • release-artifacts/latest/release-evidence-issue-body-sync.json
  • docs/non-local-release-evidence.md
  • ops/AUTONOMOUS_RUN.md

Walkthrough

Adds a CLI and tests to generate checker-compatible non-local release evidence JSON from committed templates and retained artifacts (automatic SHA-256 computation and --check drift detection), integrates tests into check scripts, updates runbook/tooling docs and changelog, and refreshes release-artifact manifest checksums and ops/run state.

Changes

Evidence Generator Implementation, Testing, and CI Integration

| Layer | File(s) | Summary |
| --- | --- | --- |
| Generator implementation and utilities | scripts/generate_non_local_release_evidence.py | Script imports, constants, error type, deterministic JSON I/O helpers, repo-relative path and git helpers, chain-id/template parsing, core evidence construction computing retained SHA-256, validation via checker, output --check comparison, and main() CLI wiring. |
| Generator unit tests and fixtures | scripts/test_non_local_release_evidence_generator.py | Unittest suite that seeds templates and retained artifacts, runs the generator CLI, asserts generated evidence fields and sha256, exercises --check success/failure, and verifies error cases for missing retained files and reviewer requirements. |
| CI test script integration | scripts/check.ps1, scripts/check.sh | Adds invocation of scripts/test_non_local_release_evidence_generator.py into both PowerShell and bash check pipelines so the tests run during local and CI check sequences. |

Documentation and Intake Runbook Updates

| Layer | File(s) | Summary |
| --- | --- | --- |
| Runbook and changelog | CHANGELOG.md, docs/non-local-release-evidence.md | Changelog entry for the generator. New runbook section describing generator usage, example invocation, --review-status/--check guidance, and statement that generation alone does not complete release evidence. Intake Workflow steps updated to add retained artifact into repo and then generate metadata envelope. |
| Tooling documentation updates | docs/tooling.md | Adds the generator test to Gate A smoke-check and Release Artifacts verification sequences (normal and --check), and documents generator usage, digest validation, --check drift detection, and linking/review requirement prior to unblocking release rows. |

Release Artifact Metadata Updates

| Layer | File(s) | Summary |
| --- | --- | --- |
| SHA256 checksum and manifest updates | release-artifacts/latest/SHA256SUMS, release-artifacts/latest/release-checksums.json, release-artifacts/latest/release-manifest.json | Replaced SHA-256 entries in SHA256SUMS and corresponding text_checksum_file.sha256 and files[].sha256 values in release-checksums.json; updated sha256 and size_bytes fields in release-manifest.json and packet/index/backlog artifacts to reflect regenerated documentation and artifact contents. |

Operational State and Roadmap Updates

| Layer | File(s) | Summary |
| --- | --- | --- |
| Autonomous run state tracking | ops/AUTONOMOUS_RUN.md | Updates current repository state (Queue Item 120 active, branch and PR metadata), records PR #250 merge evidence, adds new Queue Item 120 worklog/checklist and final remote validation bullets, and appends decision log entries. |
| Roadmap and verification baseline updates | ops/ROADMAP.md | Refines Current Status wording to include evidence generation, updates Verification Metadata timestamp/CI summary for a newer run, refreshes Machine-Verifiable Baseline docs row with expanded checks/scripts, and extends Appendix B Test Matrix coverage rows. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

A rabbit hops through evidence trails,
Templates paired with artifacts and hashes,
Drift checked with care, no secret in tail,
CLI hums, tests pass in tiny flashes,
Release metadata snug in tidy stashes 🐰✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Add non-local evidence generator' clearly and concisely summarizes the main change: introduction of the generator script and supporting infrastructure. |
| Linked Issues check | ✅ Passed | The PR comprehensively implements all coding requirements from issue #251: generator script with SHA-256 computation, --check drift detection, targeted tests, and documentation updates without altering readiness claims. |
| Out of Scope Changes check | ✅ Passed | All changes are directly aligned with issue #251 requirements: new generator/test scripts, documentation, operational traceability, and manifest/checksum updates are all within scope. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |


Contributor Author

@coderabbitai review

coderabbitai Bot commented Jun 13, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/non-local-release-evidence.md`:
- Around line 110-115: The text incorrectly implies the generator shells out to
the checker; update the sentence to clarify that
scripts/generate_non_local_release_evidence.py performs its own in-process
validation and does not call or run scripts/check_non_local_release_evidence.py
before writing, and state that running
scripts/check_non_local_release_evidence.py is a separate, optional post-write
verification step the operator can run manually; reference both script names in
the revised sentence so readers know which tool does in-process validation and
which is a separate checker.

In `@ops/AUTONOMOUS_RUN.md`:
- Line 39: The row text is imprecise: change the phrase "TBD after issue `#251`
merges" to a precise handoff trigger; update that cell to read either "TBD after
PR `#252` merges" or "TBD after issue `#251` closes" so the durable state is
accurate (edit the table row currently containing "Next issue | TBD after issue
`#251` merges" to use the chosen wording).
- Around line 217-234: The validation list is missing the generator's
drift-detection check; add the command "python
scripts/generate_non_local_release_evidence.py --check" into the Completed local
validation block so the audit trail records the generator's own --check run
(insert it alongside the other script checks in the same list).

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bc74d0be-79a9-4d81-a962-30d036fb89ab

📥 Commits

Reviewing files that changed from the base of the PR and between b4cde51 and b70edce.

📒 Files selected for processing (12)
  • CHANGELOG.md
  • docs/non-local-release-evidence.md
  • docs/tooling.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-manifest.json
  • scripts/check.ps1
  • scripts/check.sh
  • scripts/generate_non_local_release_evidence.py
  • scripts/test_non_local_release_evidence_generator.py

Comment thread docs/non-local-release-evidence.md Outdated
Comment thread ops/AUTONOMOUS_RUN.md Outdated
Comment thread ops/AUTONOMOUS_RUN.md

Contributor Author

Pushed a CI repair in a61b53b after GitHub Actions run 27473338066 failed in the Public beta evidence step. Root cause was stale generated release evidence packet/downstream artifacts after docs/non-local-release-evidence.md changed.

Local follow-up validation passed:

  • python scripts/test_release_evidence_packet_index.py
  • python scripts/generate_release_evidence_packet_index.py --check
  • python scripts/test_release_evidence_issue_backlog.py
  • python scripts/generate_release_evidence_issue_backlog.py --check
  • python scripts/test_release_evidence_issue_body_sync.py
  • python scripts/generate_release_evidence_issue_body_sync.py --check
  • release manifest/checksum tests and --check gates
  • non-local evidence generator/checker tests
  • changelog, heading scan, and git diff --check

@punk6529 punk6529 merged commit 244ca14 into main Jun 13, 2026
2 checks passed

Development

Successfully merging this pull request may close these issues.

Add non-local evidence scaffold generator
