feat: stable release gates and integration evidence #488

Closed
jithinraj wants to merge 3 commits into main from feat/dd90-stable-gates

@jithinraj (Member) commented Mar 7, 2026

Summary

Wire all 4 stable-only gates in run-gates.sh and add machine-verifiable integration evidence infrastructure.

  • perf-benchmarks: runs tests/perf/wire02-slo.test.ts
  • ssrf-suite: runs SSRF expansion + no-fetch audit tests
  • fuzz-suite: runs pnpm test:property (11 files, 185 property/fuzz tests)
  • integration-evidence: runs node scripts/release/validate-adoption-evidence.mjs

Integration evidence

  • Structured JSON source (docs/adoption/integration-evidence.json): canonical data with PR numbers, commit SHAs, test file paths, spec refs
  • JSON Schema (docs/adoption/integration-evidence.schema.json): validated via Ajv 2020-12
  • Node validator (scripts/release/validate-adoption-evidence.mjs): validates schema, checks test_files and spec_refs exist on disk, verifies pr_commit hex SHA format, enforces confirmation field requirements
  • Markdown generation: integration-evidence.md generated from JSON; parity check fails on drift (--generate to regenerate)
  • 18 validator tests (tests/release/adoption-evidence-validator.test.ts)

Also in this PR

  • docs/VERIFY-RELEASE.md: release verification guide (current vs target OIDC state, --write-release-artifacts authoritative path)
  • docs/maintainers/SECURITY-POSTURE.md: current/transition/target OIDC separation
  • packages/adapters/eat/README.md: committed (was untracked)
  • .github/workflows/pr-metadata-lint.yml: CI check for PR title/body (guards against non-technical language in PR metadata)
  • scripts/check-public-artifacts.mjs: public artifact linter (commit messages, staged files, PR body files)
  • scripts/guard.sh: added SECURITY-POSTURE.md and VERIFY-RELEASE.md to allowlist
  • scripts/release/run-gates.sh: planning-leak gate now conditional (local-only script)
  • package.json: added test:property canonical script
  • vitest.config.ts: added tests/release/ to include paths

Test plan

  • node scripts/release/validate-adoption-evidence.mjs validates evidence structure
  • node scripts/release/validate-adoption-evidence.mjs --generate regenerates markdown from JSON
  • pnpm run test:property passes (185 tests, 11 files)
  • pnpm exec vitest run tests/release/adoption-evidence-validator.test.ts passes (18 tests)
  • bash scripts/guard.sh passes
  • Integration evidence JSON validates against schema with immutable pointer checks
  • node scripts/check-public-artifacts.mjs --no-staged --no-commit-msg passes
  • Working tree is clean
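
The pointer and parity checks listed under "Integration evidence" above can be sketched as follows; this is an added example, not code from this PR or the project. Only the field names test_files, spec_refs and pr_commit come from the description; the `id` field, the 40-character SHA rule, the path-containment check and the tracked-path set (standing in for on-disk lookups, after schema validation) are assumptions.

```javascript
// Added example; record shape and helper names are assumptions, not the project's code.
const FULL_SHA = /^[0-9a-f]{40}$/; // assumed rule: full lowercase git SHA-1 only

// Returns a list of problems for one evidence record.
function validateEntry(entry, trackedPaths) {
  const errors = [];
  if (typeof entry.pr_commit !== "string" || !FULL_SHA.test(entry.pr_commit)) {
    errors.push(`${entry.id}: pr_commit is not a 40-char hex SHA`);
  }
  for (const field of ["test_files", "spec_refs"]) {
    const paths = Array.isArray(entry[field]) ? entry[field] : [];
    if (paths.length === 0) errors.push(`${entry.id}: ${field} is empty`);
    for (const p of paths) {
      // A pointer must stay inside the repository and name a file that exists.
      if (p.startsWith("/") || p.split("/").includes("..")) {
        errors.push(`${entry.id}: ${field} path escapes repo: ${p}`);
      } else if (!trackedPaths.has(p)) {
        errors.push(`${entry.id}: ${field} path not found: ${p}`);
      }
    }
  }
  return errors;
}

// Deterministic rendering, so committed markdown can be compared byte for byte.
function renderMarkdown(entries) {
  const rows = entries.map(
    (e) => `| ${e.id} | ${e.pr_commit} | ${e.test_files.join(", ")} | ${e.spec_refs.join(", ")} |`
  );
  const head = ["| id | pr_commit | test_files | spec_refs |", "| --- | --- | --- | --- |"];
  return [...head, ...rows].join("\n") + "\n";
}

// Runs the pointer checks, then the parity check against the committed markdown.
function validateEvidence(entries, trackedPaths, committedMd) {
  const errors = entries.flatMap((e) => validateEntry(e, trackedPaths));
  if (errors.length === 0 && renderMarkdown(entries) !== committedMd) {
    errors.push("markdown drift: regenerate from JSON");
  }
  return errors;
}

// Constructed sample data (paths and SHAs are made up for the example).
const tracked = new Set(["tests/a.test.ts", "docs/specs/A.md"]);
const good = { id: "ex-1", pr_commit: "a".repeat(40), test_files: ["tests/a.test.ts"], spec_refs: ["docs/specs/A.md"] };
const bad = { id: "ex-2", pr_commit: "abc1234", test_files: ["../x.ts"], spec_refs: ["docs/missing.md"] };
console.log(validateEvidence([good], tracked, renderMarkdown([good])));
console.log(validateEvidence([good, bad], tracked, ""));
```

The parity check runs only once every pointer is valid, so a drift error always refers to a record set that could be regenerated cleanly.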

@jithinraj changed the title from "feat: DD-90 stable gates and adoption evidence" to "feat: stable gates and adoption evidence" on Mar 7, 2026
Wire all 4 DD-90 stable-only gates in run-gates.sh with real
implementations (perf-benchmarks, ssrf-suite, fuzz-suite,
integration-evidence).

Add integration evidence infrastructure:
- Structured JSON source with immutable pointers (commit SHAs,
  test file paths, spec refs)
- JSON Schema (2020-12) validated via Ajv
- Node validator with schema, pointer, and parity checks
- Markdown generated from JSON with drift detection
- 18 validator tests

Add release verification and security posture docs.
Add public-artifact linter and PR metadata CI workflow.
Add test:property canonical script (11 files).
@jithinraj force-pushed the feat/dd90-stable-gates branch from 5b59b45 to 2cf5283 on March 8, 2026 04:27
@jithinraj changed the title from "feat: stable gates and adoption evidence" to "feat: stable release gates and integration evidence" on Mar 8, 2026
Add commit-msg hook reading local denylist for non-technical language.
Add hidden Unicode and MEMORY.md checks to public-artifact linter.
Update PR metadata CI workflow to generic-only checks (no code checkout).
Update PR template with technical-only sections.
Make pre-commit planning-leak check conditional (local-only script).
Guard scripts that check for typos must exclude other scripts
that also check for the same patterns: commit-msg hook,
public-artifact linter, and PR metadata CI workflow.
@jithinraj (Member, Author) commented:

Replaced by #489 (clean single-commit branch with public-artifact hygiene guards).

@jithinraj closed this on Mar 8, 2026