Artifact Integrity
WorldForge release artifacts must be inspectable from a clean checkout before a package, release note, provider promotion, or benchmark claim is published. The current integrity model is checkout-safe: it validates package contents, dependency advisories, generated docs, command drift, wrapper portability, core performance budgets, release evidence, and preserved artifact digests without requiring signing credentials or optional model runtimes.
Verified Today
| Surface | Current gate | Success signal | First triage step |
|---|---|---|---|
| Lockfile | `uv lock --check` | dependency metadata is already locked | refresh lock metadata intentionally and inspect the diff |
| Wheel and sdist shape | `bash scripts/test_package.sh` | wheel installs in an isolated venv; sdist contains docs, tests, examples, scripts, and metadata | inspect `scripts/check_distribution.py` for the missing or forbidden entry |
| Distribution metadata | `uv run python scripts/check_distribution.py dist` | wheel metadata has Python `>=3.13,<3.14`, MIT license expression, extras, and console scripts | fix `pyproject.toml` or package include rules |
| Dependency advisories | `uvx --from pip-audit pip-audit ...` | audit exits zero against the frozen exported requirements | review the advisory and update or document the dependency decision |
| Generated provider docs | `uv run python scripts/generate_provider_docs.py --check` | provider catalog docs match provider metadata | regenerate docs, inspect provider profile changes, then rerun |
| Documented command drift | `uv run python scripts/check_docs_commands.py` | README, CLI docs, examples, operations, playbooks, and AGENTS commands resolve | fix the stale command or document the missing public entry point |
| Wrapper portability | `uv run python scripts/check_wrapper_portability.py` | wrappers have expected shebangs, executable bits, Python 3.13 uv invocations, and docs | fix the named wrapper or documented command |
| Core checkout performance | `uv run python scripts/check_core_performance.py` | report has `passed: true` for checkout-safe core paths | inspect the failing row and fix the regression before changing budgets |
| Release evidence | `uv run python scripts/generate_release_evidence.py --run-gates` | Markdown and JSON summaries link gate status, artifacts, hashes, and live-smoke manifests | inspect the failed gate row and its first triage step |
| Release provenance | `.github/workflows/release.yml` build provenance attestation | tagged release builds upload distributions and request GitHub artifact provenance | inspect the release workflow run and attached GitHub attestation |
| Package publish identity | `.github/workflows/release.yml` PyPI environment with OIDC permissions | `uv publish dist/*` runs from the protected `pypi` environment | verify the release environment and PyPI trusted publishing configuration before tagging |
Hashes And Evidence Links
Before a release note cites package or evidence artifacts, generate local hashes:
```bash
uv build --out-dir dist --clear --no-build-logs
shasum -a 256 dist/worldforge_ai-*.whl dist/worldforge_ai-*.tar.gz
bash scripts/test_package.sh
uv run python scripts/generate_release_evidence.py --run-gates \
  --artifact dist/worldforge_ai-<version>-py3-none-any.whl \
  --artifact dist/worldforge_ai-<version>.tar.gz
```
The release evidence JSON records artifact paths and SHA-256 digests for linked artifacts. Evidence bundles, run manifests, benchmark reports, and live-smoke manifests should be linked from release notes instead of copied by hand.
Unsafe artifacts stay out of public bundles: `.env` files, credentials, signed URL query strings,
checkpoint archives, downloaded datasets, robot-controller logs, local cache directories, and
unredacted provider payloads. Use `worldforge runs bundle <run-id>` or
`scripts/generate_evidence_bundle.py` for sanitized issue and release artifacts.
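A pre-publish check for three of the categories above (`.env` and credential files, local cache directories, signed URL query strings), as an added example that is not WorldForge's own code. The rule patterns, the names `scan_bundle` and `demo`, and the sample bundle are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed deny rules for this example, derived from the categories listed
# above; they are not WorldForge's own rule set.
FORBIDDEN_NAMES = re.compile(r"^(\.env(\..+)?|credentials(\..+)?|.+\.(pem|key))$", re.I)
CACHE_DIRS = {"__pycache__", ".cache", ".pytest_cache", ".ruff_cache"}
# Query parameters that carry a presigned-URL signature (AWS SigV4, GCS V4, Azure SAS).
SIGNED_URL = re.compile(
    r"https?://[^\s\"'<>]*[?&](X-Amz-Signature|X-Goog-Signature|sig)=[^\s\"'&<>]+", re.I
)
MAX_SCAN_BYTES = 1_000_000  # content-scan only files small enough to be logs or manifests


def scan_bundle(root):
    """Return (relative_path, reason) findings for a bundle directory."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):  # pathlib globbing includes dotfiles
        rel = path.relative_to(root).as_posix()
        if path.is_dir():
            if path.name in CACHE_DIRS:
                findings.append((rel, "local cache directory"))
            continue
        if not path.is_file():
            continue
        if FORBIDDEN_NAMES.search(path.name):
            findings.append((rel, "forbidden file name"))
            continue  # do not read likely secret material
        if path.stat().st_size <= MAX_SCAN_BYTES:
            text = path.read_text(encoding="utf-8", errors="replace")
            if SIGNED_URL.search(text):
                findings.append((rel, "signed URL query string"))
    return findings


def demo():
    """Scan a constructed sample bundle built in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "manifest.json").write_text('{"run_id": "constructed-run"}')
        (root / ".env").write_text("API_TOKEN=constructed-placeholder\n")
        (root / "__pycache__").mkdir()
        (root / "provider.log").write_text(
            "GET https://bucket.example.com/ckpt.bin?X-Amz-Expires=60&X-Amz-Signature=deadbeef\n"
        )
        return scan_bundle(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A non-empty result should block publication of the bundle; checkpoint archives, datasets, and unredacted provider payloads need project-specific rules this sketch does not cover.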
Future Work
These are expected future hardening steps, not current release claims:
- generate and publish an SBOM for each release artifact;
- define a signing key policy before publishing signed artifacts;
- link GitHub attestations from release evidence once the report can resolve credentialed release artifacts directly.
Until those steps are implemented, do not claim signed artifacts, SBOM coverage, or a stronger SLSA level than the release workflow actually proves.