feat(evidence): add artifact capture for conformance evidence

[dims]

Summary

• Add diagnostic artifact capture mechanism so conformance checks record rich evidence (deployment status, metrics samples, test results) during execution, flowing through the pipeline into evidence markdown
• Artifacts are ephemeral (json:"-") and transported via base64-encoded ARTIFACT: lines in test output, decoded in phases.go, rendered as labeled code blocks in evidence templates
• All 9 submission requirement checks now record diagnostic artifacts covering deployment status, metrics presence, behavioral test results, and more

Design

Check → ctx.Artifacts.Record(label, data)
  → Cancel() emits t.Logf("ARTIFACT:<base64>")
    → phases.go extracts ARTIFACT: lines, populates CheckResult.Artifacts
      → evidence renderer outputs #### Label + fenced code block

Key constraints:

• Artifact type lives in checks/ (leaf package, no import cycles)
• Per-artifact: max 8KB data, max 20 per check, each base64 line under bufio.Scanner 64KB limit
• Artifacts are ephemeral (json:"-" yaml:"-") — never persisted in saved results
• Cancel() nil-guards both r.ctx and r.ctx.Artifacts

Files Changed

Area	Files	Change
Infrastructure	checks/artifact.go, checks/registry.go, checks/runner.go, result.go, phases.go	Artifact type, collector, transport, pipeline extraction
Evidence	evidence/types.go, evidence/renderer.go, evidence/templates.go	Pass artifacts through to markdown rendering
Static checks (4)	dra_support_check.go, accelerator_metrics_check.go, ai_service_metrics_check.go, inference_gateway_check.go	Record deployment/metrics/CRD evidence
Behavioral checks (5)	robust_controller_check.go, secure_access_check.go, gang_scheduling_check.go, pod_autoscaling_check.go, cluster_autoscaling_check.go	Record behavioral test results
Tests	artifact_test.go, runner_test.go, renderer_test.go, dra_support_check_unit_test.go	Round-trip, cap enforcement, thread safety, Cancel() emit, renderer with/without artifacts

Test plan

• make test passes with race detector (73.9% coverage)
• Artifact encode/decode round-trip test
• Cap enforcement (count limit, data truncation)
• Thread safety test (concurrent Record)
• Cancel() with nil ctx/Artifacts doesn't panic
• Cancel() emits artifacts via t.Logf
• Evidence renderer with artifacts: labeled code blocks appear
• Evidence renderer without artifacts: identical to current output
• All existing conformance tests pass unchanged

[mchmarny]

Clean architecture, good test coverage, and the ARTIFACT: transport mirrors the existing CONSTRAINT_RESULT: pattern well. Four items to address — see inline comments.

Superseded by review with inline comments

[mchmarny]

Thanks for resolving the previous comments, most of this looks good now.
There still seems to be a few test artifacts being hardcoded congratulatory strings rather than observed state:

• cluster_autoscaling_check.go:127 — “HPA: scaling intent detected\nKarpenter: new node(s) provisioned” — these are assertions restated as evidence, not captured state
• robust_controller_check.go:141 — “Result: PASS — webhook rejected invalid DynamoGraphDeployment”
• pod_autoscaling_check.go:152 — “Scale-up: PASS — HPA computed desiredReplicas > currentReplicas”
• secure_access_check.go:124 — “Result: PASS — pod without DRA claims cannot see GPU devices”

The DRA support check does it right now, it captures actual replica counts, image versions, and ResourceSlice counts.

May be better to capture actual HPA .status.desiredReplicas/.status.currentReplicas values, the actual pod scheduling timestamps, or the actual Karpenter node provisioning events rather than static pass/fail strings. Just na idea

[dims]

May be better to capture actual HPA .status.desiredReplicas/.status.currentReplicas values, the actual pod scheduling timestamps, or the actual Karpenter node provisioning events rather than static pass/fail strings. Just na idea

will iterate for sure! it's not done done yet :)