feat(evidence): add artifact capture for conformance evidence

Add diagnostic artifact capture mechanism so conformance checks can
record rich evidence (deployment status, metrics samples, test results)
during execution, flowing through the pipeline into evidence markdown.

The artifact pipeline: checks call ctx.Artifacts.Record() → Cancel()
emits base64-encoded ARTIFACT: lines via t.Logf → phases.go extracts
and populates CheckResult.Artifacts → evidence renderer outputs labeled
code blocks. Artifacts are ephemeral (json:"-") and never persisted.

Infrastructure (pkg/validator/checks/artifact.go):
- Artifact type with Encode/DecodeArtifact for base64 JSON transport
- ArtifactCollector with thread-safe Record/Drain, 8KB/20-count caps
- ValidationContext.Artifacts field, TestRunner init + Cancel() emit

Pipeline integration:
- phases.go: extract ARTIFACT: lines from test output, filter from reason
- evidence types/renderer/templates: pass artifacts through to markdown

All 9 submission requirement checks now record diagnostic artifacts:
- DRA: controller/DaemonSet status, ResourceSlice count
- Accelerator metrics: DCGM sample, required metrics presence
- AI service metrics: Prometheus query results, custom metrics API
- Inference gateway: GatewayClass/Gateway status, CRDs, data plane
- Robust controller: operator status, webhook config, rejection test
- Secure access: DRA pod status, access patterns, isolation test
- Gang scheduling: KAI components, GPU availability, co-scheduling
- Pod autoscaling: metrics APIs, HPA scale-up/down proof
- Cluster autoscaling: Karpenter status, NodePools, node provisioning

Author: dims

pkg/evidence/renderer.go

@@ -132,10 +132,11 @@ func (r *Renderer) buildEntries(conformance *validator.PhaseResult) []EvidenceEn
 		}
 
 		entry := CheckEntry{
-			Name:     check.Name,
-			Status:   cr.Status,
-			Reason:   cr.Reason,
-			Duration: cr.Duration,
+			Name:      check.Name,
+			Status:    cr.Status,
+			Reason:    cr.Reason,
+			Duration:  cr.Duration,
+			Artifacts: cr.Artifacts,
 		}
 
 		g, exists := groups[check.EvidenceFile]

pkg/evidence/renderer_test.go

@@ -23,6 +23,7 @@ import (
 	"time"
 
 	"github.com/NVIDIA/aicr/pkg/validator"
+	"github.com/NVIDIA/aicr/pkg/validator/checks"
 
 	// Import conformance checks to register them.
 	_ "github.com/NVIDIA/aicr/pkg/validator/checks/conformance"
@@ -337,3 +338,105 @@ func TestRenderIndexContent(t *testing.T) {
 		t.Error("index.md should contain run ID")
 	}
 }
+
+func TestRenderWithArtifacts(t *testing.T) {
+	dir := t.TempDir()
+	r := New(WithOutputDir(dir))
+
+	result := &validator.ValidationResult{
+		RunID: "test-artifacts",
+		Phases: map[string]*validator.PhaseResult{
+			"conformance": {
+				Checks: []validator.CheckResult{
+					{
+						Name:     "dra-support",
+						Status:   validator.ValidationStatusPass,
+						Reason:   "DRA controller healthy",
+						Duration: 5 * time.Second,
+						Artifacts: []checks.Artifact{
+							{Label: "DRA Controller Pods", Data: "NAME                   READY   STATUS\ndra-controller-abc12   1/1     Running"},
+							{Label: "ResourceSlice Count", Data: "Total ResourceSlices: 8"},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	if err := r.Render(context.Background(), result); err != nil {
+		t.Fatalf("Render() error = %v", err)
+	}
+
+	content, err := os.ReadFile(filepath.Join(dir, "dra-support.md"))
+	if err != nil {
+		t.Fatalf("failed to read dra-support.md: %v", err)
+	}
+
+	s := string(content)
+
+	// Verify artifact labels are present.
+	if !strings.Contains(s, "#### DRA Controller Pods") {
+		t.Error("evidence should contain artifact label 'DRA Controller Pods'")
+	}
+	if !strings.Contains(s, "#### ResourceSlice Count") {
+		t.Error("evidence should contain artifact label 'ResourceSlice Count'")
+	}
+
+	// Verify artifact data is present.
+	if !strings.Contains(s, "dra-controller-abc12") {
+		t.Error("evidence should contain artifact data")
+	}
+	if !strings.Contains(s, "Total ResourceSlices: 8") {
+		t.Error("evidence should contain ResourceSlice count data")
+	}
+
+	// Verify the reason is also present (artifacts don't replace reason).
+	if !strings.Contains(s, "DRA controller healthy") {
+		t.Error("evidence should still contain the reason text")
+	}
+}
+
+func TestRenderWithoutArtifacts(t *testing.T) {
+	dir := t.TempDir()
+	r := New(WithOutputDir(dir))
+
+	result := &validator.ValidationResult{
+		RunID: "test-no-artifacts",
+		Phases: map[string]*validator.PhaseResult{
+			"conformance": {
+				Checks: []validator.CheckResult{
+					{
+						Name:     "dra-support",
+						Status:   validator.ValidationStatusPass,
+						Reason:   "all healthy",
+						Duration: 3 * time.Second,
+					},
+				},
+			},
+		},
+	}
+
+	if err := r.Render(context.Background(), result); err != nil {
+		t.Fatalf("Render() error = %v", err)
+	}
+
+	content, err := os.ReadFile(filepath.Join(dir, "dra-support.md"))
+	if err != nil {
+		t.Fatalf("failed to read dra-support.md: %v", err)
+	}
+
+	s := string(content)
+
+	// Verify basic content is present.
+	if !strings.Contains(s, "dra-support") {
+		t.Error("evidence should contain check name")
+	}
+	if !strings.Contains(s, "all healthy") {
+		t.Error("evidence should contain reason")
+	}
+
+	// Verify no artifact headers appear.
+	if strings.Contains(s, "####") {
+		t.Error("evidence without artifacts should not contain #### headers")
+	}
+}

pkg/evidence/templates.go

@@ -54,5 +54,13 @@ const evidenceTemplate = `# {{ .Title }}
 {{ .Reason }}
 ` + "```" + `
 {{- end }}
+{{- range .Artifacts }}
+
+#### {{ .Label }}
+
+` + "```" + `
+{{ .Data }}
+` + "```" + `
+{{- end }}
 {{ end }}
 `

pkg/evidence/types.go

@@ -18,6 +18,7 @@ import (
 	"time"
 
 	"github.com/NVIDIA/aicr/pkg/validator"
+	"github.com/NVIDIA/aicr/pkg/validator/checks"
 )
 
 // EvidenceEntry holds all data needed to render a single evidence document.
@@ -58,4 +59,7 @@ type CheckEntry struct {
 
 	// Duration is how long the check took.
 	Duration time.Duration
+
+	// Artifacts contains diagnostic evidence captured during check execution.
+	Artifacts []checks.Artifact
 }

pkg/validator/checks/artifact.go

@@ -0,0 +1,108 @@
+// Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package checks
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"sync"
+
+	"github.com/NVIDIA/aicr/pkg/errors"
+)
+
+const (
+	// MaxArtifactDataSize is the maximum size in bytes of a single artifact's Data field.
+	// Ensures each base64-encoded ARTIFACT: line stays well under the bufio.Scanner
+	// default 64KB limit (base64 expands ~4/3, so 8KB → ~11KB encoded).
+	MaxArtifactDataSize = 8 * 1024
+
+	// MaxArtifactsPerCheck is the maximum number of artifacts a single check can record.
+	MaxArtifactsPerCheck = 20
+)
+
+// Artifact represents a captured piece of diagnostic evidence from a conformance check.
+// Each artifact has a human-readable label and a data payload (kubectl output,
+// metric samples, resource YAML, etc.) that is rendered as a fenced code block
+// in evidence markdown.
+type Artifact struct {
+	// Label is the human-readable title (e.g., "DRA Driver Pods").
+	Label string `json:"label"`
+
+	// Data is the captured content (command output, metric text, YAML, etc.).
+	Data string `json:"data"`
+}
+
+// Encode returns a base64-encoded JSON representation of the artifact,
+// suitable for emission via t.Logf("ARTIFACT:%s", encoded).
+func (a Artifact) Encode() (string, error) {
+	jsonBytes, err := json.Marshal(a)
+	if err != nil {
+		return "", errors.Wrap(errors.ErrCodeInternal, "failed to marshal artifact", err)
+	}
+	return base64.StdEncoding.EncodeToString(jsonBytes), nil
+}
+
+// DecodeArtifact decodes a base64-encoded JSON artifact string.
+func DecodeArtifact(encoded string) (*Artifact, error) {
+	jsonBytes, err := base64.StdEncoding.DecodeString(encoded)
+	if err != nil {
+		return nil, errors.Wrap(errors.ErrCodeInternal, "failed to decode artifact base64", err)
+	}
+	var a Artifact
+	if err := json.Unmarshal(jsonBytes, &a); err != nil {
+		return nil, errors.Wrap(errors.ErrCodeInternal, "failed to unmarshal artifact JSON", err)
+	}
+	return &a, nil
+}
+
+// ArtifactCollector is a thread-safe accumulator for artifacts within a single check execution.
+// It enforces per-artifact size limits and per-check count limits.
+type ArtifactCollector struct {
+	mu        sync.Mutex
+	artifacts []Artifact
+}
+
+// NewArtifactCollector creates a new empty artifact collector.
+func NewArtifactCollector() *ArtifactCollector {
+	return &ArtifactCollector{}
+}
+
+// Record adds a labeled artifact. Data exceeding MaxArtifactDataSize is truncated.
+// Returns an error if the per-check artifact count limit is reached.
+func (c *ArtifactCollector) Record(label, data string) error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if len(c.artifacts) >= MaxArtifactsPerCheck {
+		return errors.New(errors.ErrCodeInvalidRequest, "artifact limit reached")
+	}
+
+	if len(data) > MaxArtifactDataSize {
+		data = data[:MaxArtifactDataSize] + "\n... [truncated]"
+	}
+
+	c.artifacts = append(c.artifacts, Artifact{Label: label, Data: data})
+	return nil
+}
+
+// Drain returns the collected artifacts and resets the internal list.
+// Returns nil if no artifacts were recorded.
+func (c *ArtifactCollector) Drain() []Artifact {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	arts := c.artifacts
+	c.artifacts = nil
+	return arts
+}