Cursor/wasm consensus ga readiness 51ed

.github/workflows/ci.yml

@@ -45,9 +45,24 @@ jobs:
 
       - run: pnpm install --frozen-lockfile
 
+      - name: Validate docs links
+        run: pnpm docs:check-links
+
+      - name: Validate learning-path docs structure
+        run: pnpm docs:verify-learning-path
+
+      - name: Run release evidence unit tests
+        run: pnpm release-evidence:test
+
+      - name: Validate README quickstart script wiring
+        run: node tools/release-evidence/verify-readme-quickstart.mjs --skip-install --skip-emsdk-setup --skip-smoke-tests --skip-browser-tasks --skip-evidence
+
       - name: Install emsdk (pinned 3.1.56)
         run: bash tools/scripts/setup-emsdk.sh
 
+      - name: Verify generated gas schedule docs are in sync
+        run: node tools/gas-spec/render-gas-artifacts.mjs --check
+
       - name: Reset Nx state (just in case)
         run: pnpm exec nx reset
 
@@ -57,8 +72,24 @@ jobs:
       # - run: pnpm exec nx-cloud record -- echo Hello World
       - run: pnpm exec nx affected -t lint test build typecheck
 
-      - name: Install Playwright browsers (Chromium)
-        run: pnpm exec playwright install --with-deps chromium
+      - name: Verify generated playground data is fresh
+        run: pnpm playground:check-generated
+
+      - name: Install Playwright browsers (Chromium + Firefox)
+        run: pnpm exec playwright install --with-deps chromium firefox
 
       - name: Run smoke-web e2e
         run: pnpm nx run smoke-web:e2e
+
+      - name: Run ecosystem certifier e2e
+        run: pnpm nx run ecosystem-certifier:e2e
+
+      - name: Run BlueQuickjs playground e2e
+        run: pnpm nx run bluequickjs-playground:e2e
+
+      - name: Generate workload certification sanity artifacts
+        run: |
+          node apps/ecosystem-certifier/scripts/check-builder-determinism.mjs --out-dir artifacts/workload-certification-ci
+          node apps/ecosystem-certifier/scripts/archive-workload-certification-report.mjs --out-dir artifacts/workload-certification-ci
+          node apps/ecosystem-certifier/scripts/run-oog-boundary-certification.mjs --out-dir artifacts/workload-certification-ci --fixtures green-semver,green-markdown-it
+          node apps/ecosystem-certifier/scripts/run-seeded-property-corpus.mjs --out-dir artifacts/workload-certification-ci --seed-count 12

.github/workflows/release.yml

@@ -17,7 +17,7 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
-    timeout-minutes: 10
+    timeout-minutes: 45
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -51,9 +51,153 @@ jobs:
       - name: Install emsdk (pinned 3.1.56)
         run: bash tools/scripts/setup-emsdk.sh
 
+      - name: Verify generated gas schedule docs are in sync
+        run: node tools/gas-spec/render-gas-artifacts.mjs --check
+
+      - name: Verify learning-path docs
+        run: |
+          pnpm docs:verify-learning-path
+
+      - name: Generate SBOM and dependency license reports
+        run: |
+          pnpm release-evidence:sbom -- --out-dir artifacts/security
+          pnpm release-evidence:licenses -- --out-dir artifacts/security
+
+      - name: Install Playwright browsers (Chromium + Firefox)
+        run: pnpm exec playwright install --with-deps chromium firefox
+
       - name: Print Environment Info
         run: pnpm exec nx report
 
+      - name: Run strict parity release gates (consensus executors)
+        run: |
+          pnpm nx test quickjs-runtime
+          pnpm nx test smoke-node
+          pnpm nx test test-harness
+          pnpm nx test bluequickjs-playground
+          pnpm nx run smoke-web:e2e
+          pnpm nx test ecosystem-certifier
+          pnpm nx run ecosystem-certifier:e2e
+          pnpm nx run bluequickjs-playground:e2e
+
+      - name: Generate consensus reproducibility report artifacts (Chromium + Firefox)
+        run: |
+          node tools/consensus-parity/scripts/archive-consensus-reproducibility-report.mjs --out-dir artifacts/reproducibility-consensus/chromium --browser chromium
+          node tools/consensus-parity/scripts/archive-consensus-reproducibility-report.mjs --out-dir artifacts/reproducibility-consensus/firefox --browser firefox
+
+      - name: Generate workload certification artifacts
+        run: |
+          node apps/ecosystem-certifier/scripts/check-builder-determinism.mjs --out-dir artifacts/workload-certification
+          node apps/ecosystem-certifier/scripts/archive-workload-certification-report.mjs --out-dir artifacts/workload-certification
+          node apps/ecosystem-certifier/scripts/generate-compatibility-delta-report.mjs --current-dir artifacts/workload-certification --out-dir artifacts/workload-certification
+          node apps/ecosystem-certifier/scripts/run-oog-boundary-certification.mjs --out-dir artifacts/workload-certification
+          node apps/ecosystem-certifier/scripts/run-seeded-property-corpus.mjs --out-dir artifacts/workload-certification --seed-count 80
+          node apps/ecosystem-certifier/scripts/run-repeatability-certification.mjs --out-dir artifacts/workload-certification --iterations 100 --flagship-iterations 40
+
+      - name: Validate public package release alignment
+        run: |
+          pnpm workload:check-public-package-versions
+          pnpm workload:check-pack-manifests -- --out-dir artifacts/consumer-proof/pack-manifests
+
+      - name: Run Verdaccio publish/install rehearsal (primary)
+        run: pnpm publish-rehearsal:verdaccio -- --out-dir artifacts/consumer-proof/verdaccio
+
+      - name: Generate downstream tarball reproducibility artifacts (secondary)
+        run: |
+          node tools/workload-certification/pack-public-tarballs.mjs --out-dir artifacts/consumer-proof/tarballs
+          pnpm --dir e2e/consumer-proof-app run install:tarballs -- --tarball-dir ../../artifacts/consumer-proof/tarballs
+          pnpm --dir e2e/consumer-proof-app exec playwright install --with-deps chromium
+          pnpm --dir e2e/consumer-proof-app run repro
+
+      - name: Run native diagnostics (non-blocking)
+        continue-on-error: true
+        run: |
+          pnpm nx build quickjs-native-harness
+          pnpm nx test quickjs-native-harness
+
+      - name: Generate native diagnostic reproducibility report artifact (non-blocking)
+        continue-on-error: true
+        run: node tools/quickjs-native-harness/scripts/archive-reproducibility-report.mjs
+
+      - name: Synthesize release evidence bundle
+        run: pnpm release-evidence:synthesize -- --out-dir artifacts/release-evidence
+
+      - name: Validate generated release evidence and docs freshness
+        run: |
+          EXPECTED_DATE=$(node -e "const fs=require('fs');console.log(JSON.parse(fs.readFileSync('artifacts/release-evidence/release-evidence-manifest.json','utf8')).date)")
+          pnpm docs:check-links
+          pnpm docs:verify-learning-path
+          pnpm docs:check-freshness -- --expected-branch "${GITHUB_REF_NAME}" --expected-date "${EXPECTED_DATE}"
+          pnpm playground:check-generated
+          pnpm release-evidence:synthesize -- --out-dir artifacts/release-evidence --check
+          pnpm release-evidence:verify -- --evidence-dir artifacts/release-evidence --expected-branch "${GITHUB_REF_NAME}" --expected-date "${EXPECTED_DATE}"
+
+      - name: Upload reproducibility artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: consensus-reproducibility-report
+          path: |
+            artifacts/reproducibility-consensus/**/*.json*
+            artifacts/reproducibility-consensus/**/*.md*
+            artifacts/reproducibility-consensus/**/*.sig
+          if-no-files-found: error
+
+      - name: Upload native diagnostic reproducibility artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: native-diagnostic-reproducibility-report
+          path: |
+            artifacts/reproducibility/*.json*
+            artifacts/reproducibility/*.md*
+            artifacts/reproducibility/*.sig
+          if-no-files-found: warn
+
+      - name: Upload workload certification artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: workload-certification-artifacts
+          path: artifacts/workload-certification/*
+          if-no-files-found: error
+
+      - name: Upload consumer-proof artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: consumer-proof-artifacts
+          path: |
+            artifacts/consumer-proof/tarballs/tarball-manifest.json
+            artifacts/consumer-proof/pack-manifests/pack-manifest.json
+            artifacts/consumer-proof/verdaccio/*.json
+            artifacts/consumer-proof/verdaccio/*.log
+            e2e/consumer-proof-app/reports/*.json*
+          if-no-files-found: error
+
+      - name: Upload release evidence bundle
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-evidence-bundle
+          path: |
+            artifacts/release-evidence/release-evidence-summary.json
+            artifacts/release-evidence/release-evidence-summary.json.sha256
+            artifacts/release-evidence/release-evidence-summary.json.sig
+            artifacts/release-evidence/release-evidence-summary.md
+            artifacts/release-evidence/release-evidence-summary.md.sha256
+            artifacts/release-evidence/release-evidence-summary.md.sig
+            artifacts/release-evidence/release-evidence-manifest.json
+            artifacts/release-evidence/release-evidence-manifest.json.sha256
+            artifacts/release-evidence/release-evidence-manifest.json.sig
+            artifacts/release-evidence/inputs/*
+          if-no-files-found: error
+
+      - name: Upload security artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-security-artifacts
+          path: |
+            artifacts/security/sbom.cdx.json
+            artifacts/security/license-report.json
+            artifacts/security/license-report.md
+          if-no-files-found: error
+
       - name: Configure Git
         run: |
           git config --global user.email "github-actions[bot]@users.noreply.github.com"
@@ -63,3 +207,48 @@ jobs:
       - name: Release
         run: pnpm exec nx release --skip-publish --first-release
         shell: bash
+
+  verify-release-evidence:
+    name: Verify release evidence bundle
+    runs-on: ubuntu-latest
+    needs:
+      - release
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: recursive
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 9.8.0
+          run_install: false
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Download release evidence bundle
+        uses: actions/download-artifact@v4
+        with:
+          name: release-evidence-bundle
+          path: artifacts/release-evidence
+
+      - name: Verify evidence checksums and signatures
+        run: |
+          EXPECTED_DATE=$(node -e "const fs=require('fs');console.log(JSON.parse(fs.readFileSync('artifacts/release-evidence/release-evidence-manifest.json','utf8')).date)")
+          pnpm release-evidence:verify -- --evidence-dir artifacts/release-evidence --expected-branch "${GITHUB_REF_NAME}" --expected-date "${EXPECTED_DATE}"
+
+      - name: Assert tamper detection fails verification
+        run: |
+          cp -R artifacts/release-evidence artifacts/release-evidence-tampered
+          node -e "const fs=require('fs');fs.appendFileSync('artifacts/release-evidence-tampered/inputs/consumer-reproducibility.json','\n')"
+          EXPECTED_DATE=$(node -e "const fs=require('fs');console.log(JSON.parse(fs.readFileSync('artifacts/release-evidence-tampered/release-evidence-manifest.json','utf8')).date)")
+          if pnpm release-evidence:verify -- --evidence-dir artifacts/release-evidence-tampered --expected-branch "${GITHUB_REF_NAME}" --expected-date "${EXPECTED_DATE}"; then
+            echo "tamper verification unexpectedly passed"
+            exit 1
+          fi