Add release note claim evidence guard

repository-release-note-claim-guard/README.md

@@ -0,0 +1,36 @@
+# Repository Release Note Claim Guard
+
+This module is a focused Project Repository & Version Control slice for SCIBASE issue #10. It reviews tagged repository release packets before public release notes, citation badges, API exports, or archive bundles are published.
+
+The guard checks that every public release-note claim is backed by:
+
+- a concrete changed repository artifact
+- passed evidence of the right kind for the claim type
+- path-specific evidence coverage
+- fresh evidence within policy
+- export-manifest parity for release-note ids and changed artifact digests
+- explicit disclosure for breaking changes
+
+It is intentionally separate from broader repository ledgers, semantic version-tag governance, release signatures, merge queues, branch protection, component-owner approvals, external reference pinning, notebook diffs, fork provenance, restore rehearsals, compute sandbox policy, and review-decision provenance. This slice focuses only on whether public release notes overstate, omit, or misrepresent the actual release evidence.
+
+## Reviewer Path
+
+```bash
+npm run check
+npm test
+npm run demo
+npm run verify-video
+```
+
+Generated reviewer artifacts:
+
+- `reports/clean-packet.json`
+- `reports/risky-packet.json`
+- `reports/release-note-claim-report.md`
+- `reports/summary.svg`
+- `reports/demo-script.txt`
+- `reports/demo.mp4`
+
+## Safety
+
+All fixtures are synthetic. The module does not call Git providers, CI systems, DOI registries, object stores, private repositories, payment processors, payout accounts, credential stores, or external APIs.

repository-release-note-claim-guard/demo.js

@@ -0,0 +1,50 @@
+const fs = require("node:fs");
+const path = require("node:path");
+const { evaluateReleasePacket, renderMarkdownReport, renderSvgSummary } = require("./index");
+const { cleanReleasePacket, riskyReleasePacket } = require("./sample-data");
+
+const reportsDir = path.join(__dirname, "reports");
+fs.mkdirSync(reportsDir, { recursive: true });
+
+const cleanEvaluation = evaluateReleasePacket(cleanReleasePacket);
+const riskyEvaluation = evaluateReleasePacket(riskyReleasePacket);
+
+fs.writeFileSync(
+  path.join(reportsDir, "clean-packet.json"),
+  `${JSON.stringify({ input: cleanReleasePacket, evaluation: cleanEvaluation }, null, 2)}\n`
+);
+fs.writeFileSync(
+  path.join(reportsDir, "risky-packet.json"),
+  `${JSON.stringify({ input: riskyReleasePacket, evaluation: riskyEvaluation }, null, 2)}\n`
+);
+fs.writeFileSync(
+  path.join(reportsDir, "release-note-claim-report.md"),
+  renderMarkdownReport(riskyReleasePacket, riskyEvaluation)
+);
+fs.writeFileSync(
+  path.join(reportsDir, "summary.svg"),
+  renderSvgSummary(riskyEvaluation)
+);
+fs.writeFileSync(
+  path.join(reportsDir, "demo-script.txt"),
+  [
+    "Repository release-note claim evidence guard demo",
+    "",
+    "1. Clean packet: all release-note claims bind to changed artifacts, passed evidence, and export-manifest digests.",
+    `   Decision: ${cleanEvaluation.summary.decision}`,
+    `   Digest: ${cleanEvaluation.summary.auditDigest}`,
+    "",
+    "2. Risky packet: public release notes overclaim reproducibility, hide a breaking API change, cite a non-existent public dataset path, and omit changed data from the export manifest.",
+    `   Decision: ${riskyEvaluation.summary.decision}`,
+    `   Findings: ${riskyEvaluation.summary.findingCount}`,
+    `   Digest: ${riskyEvaluation.summary.auditDigest}`,
+    ""
+  ].join("\n")
+);
+
+console.log(JSON.stringify({
+  cleanDecision: cleanEvaluation.summary.decision,
+  riskyDecision: riskyEvaluation.summary.decision,
+  riskyFindings: riskyEvaluation.summary.findingCount,
+  report: "reports/release-note-claim-report.md"
+}, null, 2));