Robert/wasm consensus ga readiness 51ed evaluation

.gitattributes

@@ -0,0 +1 @@
+vendor/quickjs-patches/series/*.patch whitespace=-blank-at-eol,-blank-at-eof,-space-before-tab

.github/workflows/ci.yml

@@ -17,7 +17,6 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          submodules: recursive
 
       - uses: pnpm/action-setup@v4
         name: Install pnpm
@@ -45,20 +44,88 @@ jobs:
 
       - run: pnpm install --frozen-lockfile
 
+      - name: Validate docs links
+        uses: lycheeverse/lychee-action@v2
+        with:
+          args: >
+            --root-dir .
+            --offline
+            --no-progress
+            README.md
+            'docs/**/*.md'
+            examples/README.md
+          fail: true
+
+      - name: Run release evidence unit tests
+        run: pnpm release-evidence:test
+
       - name: Install emsdk (pinned 3.1.56)
         run: bash tools/scripts/setup-emsdk.sh
 
+      - name: Verify QuickJS source reconstruction
+        run: |
+          pnpm quickjs-source:test
+          bash tools/scripts/check-quickjs-source-prep.sh
+
+      - name: Verify generated gas schedule docs are in sync
+        run: |
+          pnpm gas-spec:test
+          node tools/gas-spec/render-gas-artifacts.mjs --check
+
       - name: Reset Nx state (just in case)
         run: pnpm exec nx reset
 
+      - name: Clear TypeScript build state
+        run: |
+          find libs apps tools -name '*.tsbuildinfo' -delete
+          rm -rf libs/*/out-tsc apps/*/out-tsc tools/*/out-tsc
+
       - uses: nrwl/nx-set-shas@v4
 
       # Prepend any command with "nx-cloud record --" to record its logs to Nx Cloud
       # - run: pnpm exec nx-cloud record -- echo Hello World
-      - run: pnpm exec nx affected -t lint test build typecheck
+      - run: NX_DAEMON=false NX_NO_CLOUD=true pnpm exec nx affected -t lint test build typecheck --skip-nx-cache --output-style=stream
+
+      - name: Run critical coverage threshold gate
+        run: NX_DAEMON=false NX_NO_CLOUD=true pnpm test:coverage:critical --skip-nx-cache --output-style=stream
 
-      - name: Install Playwright browsers (Chromium)
-        run: pnpm exec playwright install --with-deps chromium
+      - name: Upload critical coverage artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: critical-vitest-coverage
+          path: |
+            libs/quickjs-runtime/test-output/vitest/coverage
+            libs/deterministic-bundler/test-output/vitest/coverage
+            libs/deterministic-builder/test-output/vitest/coverage
+            libs/abi-manifest/test-output/vitest/coverage
+            tools/blue-quickjs-cli/test-output/vitest/coverage
+            apps/ecosystem-certifier/test-output/vitest/coverage
+          if-no-files-found: ignore
+
+      - name: Run native harness suites
+        run: |
+          pnpm nx test quickjs-native-harness
+          pnpm nx run quickjs-native-harness:test-legacy
+
+      - name: Verify generated playground data is fresh
+        run: pnpm playground:check-generated
+
+      - name: Install Playwright browsers (Chromium + Firefox)
+        run: pnpm exec playwright install --with-deps chromium firefox
 
       - name: Run smoke-web e2e
         run: pnpm nx run smoke-web:e2e
+
+      - name: Run ecosystem certifier e2e
+        run: pnpm nx run ecosystem-certifier:e2e
+
+      - name: Run BlueQuickjs playground e2e
+        run: pnpm nx run bluequickjs-playground:e2e
+
+      - name: Generate workload certification sanity artifacts
+        run: |
+          node apps/ecosystem-certifier/scripts/check-builder-determinism.mjs --out-dir artifacts/workload-certification-ci
+          node apps/ecosystem-certifier/scripts/archive-workload-certification-report.mjs --out-dir artifacts/workload-certification-ci
+          node apps/ecosystem-certifier/scripts/run-oog-boundary-certification.mjs --out-dir artifacts/workload-certification-ci --fixtures green-semver,green-markdown-it
+          node apps/ecosystem-certifier/scripts/run-seeded-property-corpus.mjs --out-dir artifacts/workload-certification-ci --seed-count 12

.github/workflows/publish.yml

@@ -26,14 +26,12 @@ jobs:
         with:
           ref: refs/tags/${{ inputs.tag }}
           fetch-depth: 0
-          submodules: recursive
 
       - name: 'Checkout repository (push: current ref)'
         if: ${{ github.event_name != 'workflow_dispatch' }}
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          submodules: recursive
 
       - uses: pnpm/action-setup@v4
         name: Install pnpm

.github/workflows/release.yml

@@ -17,13 +17,12 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
-    timeout-minutes: 10
+    timeout-minutes: 45
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          submodules: recursive
           ref: ${{ github.ref }}
           token: ${{ secrets.RELEASE_PAT }}
 
@@ -51,9 +50,169 @@ jobs:
       - name: Install emsdk (pinned 3.1.56)
         run: bash tools/scripts/setup-emsdk.sh
 
+      - name: Verify QuickJS source reconstruction
+        run: |
+          pnpm quickjs-source:test
+          bash tools/scripts/check-quickjs-source-prep.sh
+
+      - name: Verify generated gas schedule docs are in sync
+        run: node tools/gas-spec/render-gas-artifacts.mjs --check
+
+      - name: Generate SBOM and dependency license reports
+        run: |
+          pnpm release-evidence:sbom -- --out-dir artifacts/security
+          pnpm release-evidence:licenses -- --out-dir artifacts/security
+
+      - name: Install Playwright browsers (Chromium + Firefox)
+        run: pnpm exec playwright install --with-deps chromium firefox
+
       - name: Print Environment Info
         run: pnpm exec nx report
 
+      - name: Run strict parity release gates (consensus executors)
+        run: |
+          pnpm nx test quickjs-runtime
+          pnpm nx test smoke-node
+          pnpm nx test test-harness
+          pnpm nx test bluequickjs-playground
+          pnpm nx run smoke-web:e2e
+          pnpm nx test ecosystem-certifier
+          pnpm nx run ecosystem-certifier:e2e
+          pnpm nx run bluequickjs-playground:e2e
+
+      - name: Generate consensus reproducibility report artifacts (Chromium + Firefox)
+        run: |
+          node tools/consensus-parity/scripts/archive-consensus-reproducibility-report.mjs --out-dir artifacts/reproducibility-consensus/chromium --browser chromium
+          node tools/consensus-parity/scripts/archive-consensus-reproducibility-report.mjs --out-dir artifacts/reproducibility-consensus/firefox --browser firefox
+
+      - name: Generate workload certification artifacts
+        run: |
+          node apps/ecosystem-certifier/scripts/check-builder-determinism.mjs --out-dir artifacts/workload-certification
+          node apps/ecosystem-certifier/scripts/archive-workload-certification-report.mjs --out-dir artifacts/workload-certification
+          node apps/ecosystem-certifier/scripts/generate-compatibility-delta-report.mjs --current-dir artifacts/workload-certification --out-dir artifacts/workload-certification
+          node apps/ecosystem-certifier/scripts/run-oog-boundary-certification.mjs --out-dir artifacts/workload-certification
+          node apps/ecosystem-certifier/scripts/run-seeded-property-corpus.mjs --out-dir artifacts/workload-certification --seed-count 80
+          node apps/ecosystem-certifier/scripts/run-repeatability-certification.mjs --out-dir artifacts/workload-certification --iterations 100 --flagship-iterations 40
+
+      - name: Build public packages for packaging checks
+        run: pnpm nx run-many -t build --projects abi-manifest,dv,execution-profiles,quickjs-wasm-constants,quickjs-wasm,quickjs-runtime,deterministic-bundler,deterministic-builder
+
+      - name: Validate public package release alignment
+        run: |
+          pnpm workload:check-public-package-coverage
+          pnpm workload:check-public-package-versions
+          pnpm workload:check-pack-manifests -- --out-dir artifacts/consumer-proof/pack-manifests
+
+      - name: Run Verdaccio publish/install rehearsal (primary)
+        run: pnpm publish-rehearsal:verdaccio -- --out-dir artifacts/consumer-proof/verdaccio
+
+      - name: Generate downstream tarball reproducibility artifacts (secondary)
+        run: |
+          node tools/workload-certification/pack-public-tarballs.mjs --out-dir artifacts/consumer-proof/tarballs
+          pnpm --dir e2e/consumer-proof-app run install:tarballs -- --tarball-dir ../../artifacts/consumer-proof/tarballs
+          node e2e/consumer-proof-app/node_modules/playwright/cli.js install --with-deps chromium
+          node e2e/consumer-proof-app/scripts/reproducibility-report.mjs
+
+      - name: Run native diagnostics (non-blocking)
+        continue-on-error: true
+        run: |
+          pnpm nx build quickjs-native-harness
+          pnpm nx test quickjs-native-harness
+          pnpm nx run quickjs-native-harness:test-legacy
+
+      - name: Generate native diagnostic reproducibility report artifact (non-blocking)
+        continue-on-error: true
+        run: node tools/quickjs-native-harness/scripts/archive-reproducibility-report.mjs
+
+      - name: Synthesize release evidence bundle
+        run: pnpm release-evidence:synthesize -- --out-dir artifacts/release-evidence
+
+      - name: Validate docs links
+        uses: lycheeverse/lychee-action@v2
+        with:
+          args: >
+            --root-dir .
+            --offline
+            --no-progress
+            README.md
+            'docs/**/*.md'
+            examples/README.md
+          fail: true
+
+      - name: Validate generated release evidence and docs freshness
+        run: |
+          EXPECTED_DATE=$(node -e "const fs=require('fs');console.log(JSON.parse(fs.readFileSync('artifacts/release-evidence/release-evidence-manifest.json','utf8')).date)")
+          pnpm docs:check-freshness -- --expected-branch "${GITHUB_REF_NAME}" --expected-date "${EXPECTED_DATE}"
+          pnpm playground:check-generated
+          pnpm release-evidence:synthesize -- --out-dir artifacts/release-evidence --check
+          pnpm release-evidence:verify -- --evidence-dir artifacts/release-evidence --expected-branch "${GITHUB_REF_NAME}" --expected-date "${EXPECTED_DATE}"
+
+      - name: Upload reproducibility artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: consensus-reproducibility-report
+          path: |
+            artifacts/reproducibility-consensus/**/*.json*
+            artifacts/reproducibility-consensus/**/*.md*
+            artifacts/reproducibility-consensus/**/*.sig
+          if-no-files-found: error
+
+      - name: Upload native diagnostic reproducibility artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: native-diagnostic-reproducibility-report
+          path: |
+            artifacts/reproducibility/*.json*
+            artifacts/reproducibility/*.md*
+            artifacts/reproducibility/*.sig
+          if-no-files-found: warn
+
+      - name: Upload workload certification artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: workload-certification-artifacts
+          path: artifacts/workload-certification/*
+          if-no-files-found: error
+
+      - name: Upload consumer-proof artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: consumer-proof-artifacts
+          path: |
+            artifacts/consumer-proof/tarballs/tarball-manifest.json
+            artifacts/consumer-proof/pack-manifests/pack-manifest.json
+            artifacts/consumer-proof/verdaccio/*.json
+            artifacts/consumer-proof/verdaccio/*.log
+            e2e/consumer-proof-app/reports/*.json*
+          if-no-files-found: error
+
+      - name: Upload release evidence bundle
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-evidence-bundle
+          path: |
+            artifacts/release-evidence/release-evidence-summary.json
+            artifacts/release-evidence/release-evidence-summary.json.sha256
+            artifacts/release-evidence/release-evidence-summary.json.sig
+            artifacts/release-evidence/release-evidence-summary.md
+            artifacts/release-evidence/release-evidence-summary.md.sha256
+            artifacts/release-evidence/release-evidence-summary.md.sig
+            artifacts/release-evidence/release-evidence-manifest.json
+            artifacts/release-evidence/release-evidence-manifest.json.sha256
+            artifacts/release-evidence/release-evidence-manifest.json.sig
+            artifacts/release-evidence/inputs/*
+          if-no-files-found: error
+
+      - name: Upload security artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-security-artifacts
+          path: |
+            artifacts/security/sbom.cdx.json
+            artifacts/security/license-report.json
+            artifacts/security/license-report.md
+          if-no-files-found: error
+
       - name: Configure Git
         run: |
           git config --global user.email "github-actions[bot]@users.noreply.github.com"
@@ -63,3 +222,47 @@ jobs:
       - name: Release
         run: pnpm exec nx release --skip-publish --first-release
         shell: bash
+
+  verify-release-evidence:
+    name: Verify release evidence bundle
+    runs-on: ubuntu-latest
+    needs:
+      - release
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 9.8.0
+          run_install: false
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Download release evidence bundle
+        uses: actions/download-artifact@v4
+        with:
+          name: release-evidence-bundle
+          path: artifacts/release-evidence
+
+      - name: Verify evidence checksums and signatures
+        run: |
+          EXPECTED_DATE=$(node -e "const fs=require('fs');console.log(JSON.parse(fs.readFileSync('artifacts/release-evidence/release-evidence-manifest.json','utf8')).date)")
+          pnpm release-evidence:verify -- --evidence-dir artifacts/release-evidence --expected-branch "${GITHUB_REF_NAME}" --expected-date "${EXPECTED_DATE}"
+
+      - name: Assert tamper detection fails verification
+        run: |
+          cp -R artifacts/release-evidence artifacts/release-evidence-tampered
+          node -e "const fs=require('fs');fs.appendFileSync('artifacts/release-evidence-tampered/inputs/consumer-reproducibility.json','\n')"
+          EXPECTED_DATE=$(node -e "const fs=require('fs');console.log(JSON.parse(fs.readFileSync('artifacts/release-evidence-tampered/release-evidence-manifest.json','utf8')).date)")
+          if pnpm release-evidence:verify -- --evidence-dir artifacts/release-evidence-tampered --expected-branch "${GITHUB_REF_NAME}" --expected-date "${EXPECTED_DATE}"; then
+            echo "tamper verification unexpectedly passed"
+            exit 1
+          fi