fix(os-rv64): keep release gates source-only honest

Author: NubsCarson

packages/chip/docs/project/prototype-status-dashboard.md

@@ -1,6 +1,6 @@
 # Prototype Status Dashboard
 
-Snapshot: updated 2026-05-21 after native-toolchain recovery; MVP rows mirror `scripts/check_mvp_status.py --json`.
+Snapshot: updated 2026-05-22 from a source-only checkout; volatile generated-artifact rows stay conservative until the local/CI run regenerates evidence.
 
 ## MVP Gate Snapshot
 
@@ -14,18 +14,18 @@ Snapshot: updated 2026-05-21 after native-toolchain recovery; MVP rows mirror `s
 | software-bsp | `BLOCK` | `scaffold_only` | `make software-bsp-evidence-check` |
 | real-world-release-gates | `PASS` | `command_pass` | `none` |
 | rtl-source | `PASS` | `source_present` | `none` |
-| synthesis | `PASS` | `generated_artifact` | `none` |
-| cocotb | `PASS` | `generated_artifact` | `none` |
-| verilator | `PASS` | `generated_artifact` | `none` |
+| synthesis | `BLOCK` | `tool_blocker` | `make synth` |
+| cocotb | `BLOCK` | `regen_required` | `make cocotb cocotb-npu cocotb-contract cocotb-cpu` |
+| verilator | `BLOCK` | `tool_blocker` | `make verilator` |
 | formal | `BLOCK` | `tool_blocker` | `make formal inside Docker/Nix` |
 | qemu | `BLOCK` | `tool_blocker` | `make qemu-check` |
 | renode | `BLOCK` | `tool_blocker` | `make renode-check` |
-| npu-ml-proof | `PASS` | `generated_artifact` | `none` |
+| npu-ml-proof | `BLOCK` | `tool_blocker` | `make mvp-npu-ml-evidence-check` |
 | minimum-linux-npu-target | `BLOCK` | `tool_blocker` | `make minimum-linux-npu-target-strict` |
 | pd-contract | `PASS` | `command_pass` | `none` |
 | product-package | `BLOCK` | `release_blocker` | `close package/FPGA/KiCad/PD/manufacturing release blockers or keep product claim below fabrication` |
 | benchmarks | `BLOCK` | `scaffold_only` | `python3 benchmarks/run_benchmarks.py run --metadata benchmarks/metadata/strict-blocked-template.json --strict-missing` |
-| release-pipeline | `PASS` | `generated_artifact` | `none` |
+| release-pipeline | `BLOCK` | `regen_required` | `make tool-versions pipeline-check` |
 
 ## Workstream Dashboard
 

packages/chip/scripts/check_prototype_status_dashboard.py

@@ -19,6 +19,7 @@
     "qemu",
     "renode",
     "benchmarks",
+    "npu-ml-proof",
     "release-pipeline",
 }
 

packages/chip/scripts/test_check_prototype_status_dashboard.py

@@ -87,6 +87,19 @@ def test_allows_benchmark_regen_to_remain_scaffold_only(self) -> None:
         }
         self.assertTrue(conservative_snapshot_allowed("benchmarks", status, row))
 
+    def test_allows_npu_ml_proof_to_remain_source_only_conservative(self) -> None:
+        status = {
+            "status": "pass",
+            "evidence_class": "generated_artifact",
+            "next_step": "none",
+        }
+        row = {
+            "Status": "`BLOCK`",
+            "Evidence class": "`tool_blocker`",
+            "Next action": "`make mvp-npu-ml-evidence-check`",
+        }
+        self.assertTrue(conservative_snapshot_allowed("npu-ml-proof", status, row))
+
 
 if __name__ == "__main__":
     unittest.main()

packages/os/linux/elizaos/Makefile

@@ -8,7 +8,7 @@
 #   make build ARCH=riscv64 DEBIAN_MIRROR=https://ftp.debian.org/debian
 #
 #   make qemu-boot ARCH=riscv64
-#   make release-check-strict ARCH=amd64
+#   make release-check-strict ARCH=riscv64
 #   make brand-assets
 
 ARCH    ?= amd64
@@ -23,13 +23,14 @@ AGENT_ARTIFACTS_MOUNT := $(if $(wildcard $(AGENT_ARTIFACTS)),-v "$(AGENT_ARTIFAC
 
 SUPPORTED_ARCHES := amd64 arm64 riscv64
 
-.PHONY: help build builder qemu-boot release-check-strict release-check brand-assets clean lint
+.PHONY: help build builder qemu-boot release-check-strict release-check check-riscv64-release-arch brand-assets clean lint
 
 help:
 	@echo "elizaOS Linux build targets:"
 	@echo "  make build [ARCH=amd64|arm64|riscv64] [PROFILE=default|secure]"
 	@echo "  make qemu-boot ARCH=<arch>"
-	@echo "  make release-check-strict ARCH=<arch>"
+	@echo "  make release-check ARCH=riscv64"
+	@echo "  make release-check-strict ARCH=riscv64"
 	@echo "  make brand-assets       # regenerate PNG branding from SVG sources"
 	@echo "  make lint               # static smoke checks"
 	@echo "  make clean              # remove out/ and live-build state"
@@ -75,11 +76,17 @@ build: builder check-arch
 qemu-boot: check-arch
 	scripts/boot-qemu.sh $(ARCH)
 
-release-check-strict: check-arch
-	scripts/release-check.sh --strict --arch $(ARCH)
+release-check-strict: check-riscv64-release-arch
+	scripts/check_release_manifest.py --strict
 
-release-check: check-arch
-	scripts/release-check.sh --arch $(ARCH)
+release-check: check-riscv64-release-arch
+	scripts/check_release_manifest.py
+
+check-riscv64-release-arch: check-arch
+	@if [ "$(ARCH)" != "riscv64" ]; then \
+	    echo "ERROR: release-check currently validates the riscv64 qemu-virt release manifest only; got ARCH=$(ARCH)" >&2; \
+	    exit 64; \
+	fi
 
 brand-assets:
 	scripts/generate-elizaos-brand-assets.sh

packages/os/linux/elizaos/README.md

@@ -89,10 +89,13 @@ No promoted artifact exists yet — the manifest template carries
 
 This is the active, canonical Linux build. The build pipeline, multi-arch
 config, branding overlay, `secure` hardening profile, and release-manifest
-gate are in the tree. A riscv64 candidate ISO has qemu-virt boot evidence
-under `evidence/qemu_virt_boot.json`, including GRUB EFI, Linux, local curl
-health, agent-ready, and terminal TUI smoke markers. amd64 and arm64 still
-need produced ISO evidence before release promotion. See
+gate are in the tree. The checked-in riscv64 release manifest is intentionally
+`planned`: promotion remains blocked until a local build fills artifact
+metadata and archives qemu-virt, GRUB EFI, local curl health, agent-ready, and
+terminal TUI smoke transcripts. The existing `evidence/qemu_virt_boot.json`
+records the prior local qemu-virt summary only; it is not promoted release
+evidence without its matching transcript and ISO artifact. amd64 and arm64
+still need produced ISO evidence before release promotion. See
 `packages/os/CLAUDE.md` for the distribution-channel and promotion policy.
 
 ## License

packages/os/linux/elizaos/build.sh

@@ -401,20 +401,20 @@ echo
 echo "--- step 5/5: manifest ---"
 TEMPLATE="${HERE}/manifest.json.template"
 if [ ! -f "${TEMPLATE}" ]; then
-    echo "WARN: ${TEMPLATE} missing — skipping manifest emission." >&2
-else
-    SHA256="$(awk '{print $1}' "${OUT}/${ARTIFACT_BASENAME}.iso.sha256")"
-    sed \
-        -e "s|@@ARCH@@|${ARCH}|g" \
-        -e "s|@@PROFILE@@|${PROFILE}|g" \
-        -e "s|@@FILENAME@@|${ARTIFACT_BASENAME}.iso|g" \
-        -e "s|@@BUILD_TIMESTAMP@@|${BUILD_TS}|g" \
-        -e "s|@@SHA256@@|${SHA256}|g" \
-        -e "s|@@SIZE_BYTES@@|${ISO_BYTES}|g" \
-        "${TEMPLATE}" > "${OUT}/${ARTIFACT_BASENAME}.manifest.json"
-    python3 -c "import json,sys; json.load(open('${OUT}/${ARTIFACT_BASENAME}.manifest.json'))"
-    echo "    manifest: ${OUT}/${ARTIFACT_BASENAME}.manifest.json"
+    echo "ERROR: ${TEMPLATE} missing; refusing to emit an ISO without release metadata." >&2
+    exit 3
 fi
+SHA256="$(awk '{print $1}' "${OUT}/${ARTIFACT_BASENAME}.iso.sha256")"
+sed \
+    -e "s|@@ARCH@@|${ARCH}|g" \
+    -e "s|@@PROFILE@@|${PROFILE}|g" \
+    -e "s|@@FILENAME@@|${ARTIFACT_BASENAME}.iso|g" \
+    -e "s|@@BUILD_TIMESTAMP@@|${BUILD_TS}|g" \
+    -e "s|@@SHA256@@|${SHA256}|g" \
+    -e "s|@@SIZE_BYTES@@|${ISO_BYTES}|g" \
+    "${TEMPLATE}" > "${OUT}/${ARTIFACT_BASENAME}.manifest.json"
+python3 -c "import json,sys; json.load(open('${OUT}/${ARTIFACT_BASENAME}.manifest.json'))"
+echo "    manifest: ${OUT}/${ARTIFACT_BASENAME}.manifest.json"
 
 echo
 echo "=== done ==="

packages/os/linux/elizaos/manifest.json

@@ -8,12 +8,12 @@
     "hypervisor": "qemu-virt",
     "firmware": "qemu-efi-riscv64/EDK2 + OpenSBI"
   },
-  "filename": "elizaos-linux-riscv64-default-20260521T131111Z.iso",
+  "filename": "elizaos-linux-riscv64-planned.iso",
   "downloadUrl": null,
-  "status": "candidate",
-  "sizeBytes": 427153408,
-  "sha256": "07519ebc789eb1cb83d9aea94a72265ca694e147af24d1f0d5070214450c1eb1",
-  "notes": "elizaOS Live (profile=default, built=20260521T131111Z); promotion blocked until qemu-virt, GRUB EFI RISC-V, and elizaOS agent boot evidence are collected.",
+  "status": "planned",
+  "sizeBytes": null,
+  "sha256": null,
+  "notes": "elizaOS Live riscv64 release manifest skeleton; promotion is blocked until a local build fills artifact metadata and qemu-virt, GRUB EFI RISC-V, and elizaOS agent boot evidence are collected with archived transcripts.",
   "validation": {
     "requiredEvidence": [
       "qemu-virt-boot",
@@ -23,18 +23,18 @@
     "evidence": [
       {
         "id": "qemu-virt-boot",
-        "status": "collected",
-        "path": "evidence/qemu_virt_boot.json"
+        "status": "missing",
+        "path": null
       },
       {
         "id": "grub-efi-riscv64-boot",
-        "status": "collected",
-        "path": "evidence/qemu_virt_boot.json"
+        "status": "missing",
+        "path": null
       },
       {
         "id": "elizaos-agent-live",
-        "status": "collected",
-        "path": "evidence/qemu_virt_boot.json"
+        "status": "missing",
+        "path": null
       }
     ]
   }

packages/os/linux/elizaos/scripts/check_release_manifest.py

@@ -207,8 +207,7 @@ def check_schema(manifest: dict, schema: dict) -> list[GateResult]:
             GateResult(
                 "BLOCKED",
                 "python dependency missing: jsonschema; run "
-                "`python3 -m pip install -r packages/os/linux/variants/"
-                "elizaos-linux/requirements.txt`",
+                "`python3 -m pip install jsonschema`",
             )
         ]
     artifact_schema = _artifact_schema(schema)

packages/os/linux/elizaos/scripts/static-smoke.sh

@@ -33,6 +33,20 @@ done < <(find scripts config/includes.chroot/usr/local/lib/elizaos config/includ
     \( -name "*.sh" -o -name "first-boot.sh" -o -name "start-launcher" -o -name "start-chat-overlay" \) \
     2>/dev/null)
 
+# Release-check Make targets must stay wired to the checked-in Python gate.
+# This is intentionally source-only: it catches stale deleted helper paths
+# without requiring a local ISO, QEMU transcript, or release artifact.
+python3 -m py_compile scripts/check_release_manifest.py \
+    || { echo "PY COMPILE FAIL: scripts/check_release_manifest.py"; fail=1; }
+if ! make -n release-check ARCH=riscv64 2>/dev/null | grep -q 'scripts/check_release_manifest.py'; then
+    echo "BAD RELEASE CHECK TARGET: release-check must invoke scripts/check_release_manifest.py"
+    fail=1
+fi
+if make -n release-check ARCH=riscv64 2>/dev/null | grep -q 'scripts/release-check.sh'; then
+    echo "STALE RELEASE CHECK TARGET: release-check references deleted scripts/release-check.sh"
+    fail=1
+fi
+
 # Systemd unit files have [Unit] + [Install] (or are .path/.target).
 for f in $(find config/includes.chroot/etc/systemd -name "*.service" 2>/dev/null); do
     grep -q '^\[Unit\]' "${f}" || { echo "BAD UNIT: ${f}"; fail=1; }