From 6c04ac944ddea7f2a92f1e6816f3c8701875fa46 Mon Sep 17 00:00:00 2001
From: rogu3bear
Date: Tue, 12 May 2026 09:30:26 -0500
Subject: [PATCH] docs(pointer): align runbook evidence binding
---
 NORTH_STAR.md | 3 ++-
 apps/macos/RELEASE_RUNBOOK.md | 10 ++++++----
 .../Tests/PointerDesignerTests/IdentityTests.swift | 3 +++
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/NORTH_STAR.md b/NORTH_STAR.md
index a874596..88f3cdc 100644
--- a/NORTH_STAR.md
+++ b/NORTH_STAR.md
@@ -181,7 +181,8 @@ proof for another.
 - Manual release evidence: from `apps/macos`, `make manual-release-evidence-check`; the evidence must come from `apps/macos/MANUAL_RELEASE_CHECKS.md` against the same Gatekeeper-accepted
- DMG
+ DMG and must match its digest, commit, release tag, mounted app identity,
+ app version, app build, and executable digest
 - Final app readiness audit: from `apps/macos`, `make north-star-audit`
 - Website: Leptos/Cloudflare template checks, browser-visible proof, and live download metadata verification after a real `apps/website` exists
diff --git a/apps/macos/RELEASE_RUNBOOK.md b/apps/macos/RELEASE_RUNBOOK.md
index 08d8161..4db1b57 100644
--- a/apps/macos/RELEASE_RUNBOOK.md
+++ b/apps/macos/RELEASE_RUNBOOK.md
@@ -78,8 +78,9 @@ After `make release-readiness` passes, perform every row in `MANUAL_RELEASE_CHECKS.md` against the same Gatekeeper-accepted DMG. Record the observed values using that file's evidence template.
-Generate the starting evidence record from the current artifact so the commit
-and DMG digest are not hand-copied:
+Generate the starting evidence record from the current artifact so the commit,
+DMG digest, mounted app identity, app version, app build, and executable SHA-256
+are not hand-copied:
 ```bash
 make manual-release-evidence-template RELEASE_TAG="" > ReleaseEvidence/manual-release-evidence.txt
@@ -91,8 +92,9 @@ Then verify the evidence is complete and bound to the artifact:
 make manual-release-evidence-check MANUAL_EVIDENCE=""
 ```
-The evidence check compares the recorded commit and DMG SHA-256 to the local
-artifact under assessment.
+The evidence check compares the recorded commit, release tag, DMG filename,
+DMG SHA-256, mounted app bundle ID, app version, app build, and executable
+SHA-256 to the local artifact under assessment.
 ## Final Audit
diff --git a/apps/macos/Tests/PointerDesignerTests/IdentityTests.swift b/apps/macos/Tests/PointerDesignerTests/IdentityTests.swift
index c98703d..5fb315a 100644
--- a/apps/macos/Tests/PointerDesignerTests/IdentityTests.swift
+++ b/apps/macos/Tests/PointerDesignerTests/IdentityTests.swift
@@ -825,6 +825,9 @@ final class IdentityTests: XCTestCase {
 XCTAssertTrue(runbook.contains("make release-readiness"))
 XCTAssertTrue(runbook.contains("make manual-release-evidence-template"))
 XCTAssertTrue(runbook.contains("make manual-release-evidence-check"))
+ XCTAssertTrue(runbook.contains("mounted app identity"))
+ XCTAssertTrue(runbook.contains("release tag"))
+ XCTAssertTrue(runbook.contains("executable SHA-256"))
 XCTAssertTrue(runbook.contains("make north-star-audit"))
 XCTAssertTrue(runbook.contains("MANUAL_RELEASE_CHECKS.md"))
 XCTAssertTrue(runbook.contains("stable GitHub release"))
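Review bot: The three added `contains` checks match exact substrings of hard-wrapped Markdown, so they pass or fail depending on where RELEASE_RUNBOOK.md breaks its lines. In this same commit the evidence-check paragraph already splits "executable" and "SHA-256" across two lines, so only the template paragraph satisfies `runbook.contains("executable SHA-256")`, and reflowing it would fail the test with no change to the documented binding. Matching against whitespace-normalized text avoids that: `let flat = runbook.split(whereSeparator: \.isWhitespace).joined(separator: " ")`, then assert on `flat`. The runbook now also lists app version, app build, DMG filename and mounted app bundle ID as bound fields, which remain unasserted, and these checks guard only the wording, not that `make manual-release-evidence-check` actually enforces the comparison. The test method begins and ends outside the hunk.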