Add enterprise bundle and release quality gates

Author: RedteamNotes

.github/workflows/ci.yml

@@ -0,0 +1,60 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  test:
+    name: Python ${{ matrix.python-version }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version:
+          - "3.11"
+          - "3.12"
+          - "3.13"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install RelayX
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install -e .
+
+      - name: Version smoke test
+        run: relayx --no-banner --version
+
+      - name: Unit tests
+        run: python -m unittest discover -s tests
+
+      - name: Quality gate
+        run: relayx --no-banner quality-gate --project-root . --format json --out relayx-quality-gate.json
+
+      - name: Wheel build smoke test
+        run: python -m pip wheel . --no-deps -w dist
+
+      - name: Wheel install smoke test
+        run: |
+          python -m pip install --force-reinstall dist/relayx-*.whl
+          relayx --no-banner --version
+
+      - name: Upload quality gate report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: relayx-quality-gate-${{ matrix.python-version }}
+          path: relayx-quality-gate.json

.github/workflows/release.yml

@@ -0,0 +1,63 @@
+name: Release Gate
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+jobs:
+  release-gate:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install build tooling
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install build
+          python -m pip install -e .
+
+      - name: Check tag matches package version
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          python - <<'PY'
+          import pathlib
+          import tomllib
+          import os
+
+          tag = os.environ["GITHUB_REF_NAME"]
+          version = tomllib.loads(pathlib.Path("pyproject.toml").read_text())["project"]["version"]
+          expected = f"v{version}"
+          if tag != expected:
+              raise SystemExit(f"tag {tag!r} does not match package version {expected!r}")
+          PY
+
+      - name: Unit tests
+        run: python -m unittest discover -s tests
+
+      - name: Quality gate
+        run: relayx --no-banner quality-gate --project-root . --format json --out relayx-quality-gate.json
+
+      - name: Build source and wheel distributions
+        run: python -m build
+
+      - name: Install wheel smoke test
+        run: |
+          python -m pip install --force-reinstall dist/relayx-*.whl
+          relayx --no-banner --version
+
+      - name: Upload release artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: relayx-release-artifacts
+          path: |
+            dist/*
+            relayx-quality-gate.json

.gitignore

@@ -1,11 +1,12 @@
 __pycache__/
 *.py[cod]
 *.egg-info/
+build/
+dist/
 .pytest_cache/
 .mypy_cache/
 .ruff_cache/
 .venv/
 venv/
 .DS_Store
 work/
-

README.md

@@ -84,6 +84,11 @@ telemetry.
   CSV, OPSEC policy, and route report artifacts.
 - Enterprise outputs for graph analysis, SIEM ingestion, spreadsheet review,
   HTML/Markdown reporting, scan diffing, and remediation impact simulation.
+- Enterprise bundle generation with manifest, artifact hashes, schema status,
+  optional route report, and release-ready handoff metadata.
+- CI and release quality gates for package metadata, schema contracts, JSON
+  fixtures, enterprise docs, GitHub workflows, wheel builds, and install smoke
+  tests.
 
 ## Install
 
@@ -152,8 +157,10 @@ Export enterprise artifacts:
 ```bash
 relayx export --result result.json --format opengraph --out relayx-opengraph.json
 relayx export --result result.json --format jsonl --out relayx-events.jsonl
+relayx bundle --result result.json --out-dir relayx-bundle
 relayx diff old-result.json new-result.json --format json --out relayx-diff.json
 relayx simulate-fixes result.json --control smb_signing --format json
+relayx quality-gate --project-root .
 ```
 
 Validate schema and evidence contracts:
@@ -186,8 +193,10 @@ relayx lab-profile       Generate a calibration profile draft from corpuses
 relayx validate          Run guarded active validation for one path
 relayx profiles          List bundled RelayX profiles
 relayx export            Export graph, JSONL, CSV, report, or diagram artifacts
+relayx bundle            Write a validated enterprise handoff bundle
 relayx diff              Compare two RelayX result files
 relayx simulate-fixes    Simulate remediation impact on relay paths
+relayx quality-gate      Run local CI and release quality gates
 relayx schema            List or validate schema and evidence contracts
 relayx opsec             List or inspect OPSEC policies
 relayx modules           List execution module manifests
@@ -227,6 +236,10 @@ Markdown, Mermaid, and enterprise export payloads are kept machine-clean.
 - `jsonl`: one event per line for SIEM and blue-team pipelines.
 - `opengraph`: custom BloodHound/OpenGraph-style graph with RelayX node and
   edge kinds.
+- `bundle-manifest`: validated enterprise bundle manifest with hashes and
+  schema status.
+- `quality-gate`: CI and release gate report for package, fixture, docs, and
+  workflow checks.
 
 ## Schema Contracts
 
@@ -240,7 +253,7 @@ relayx schema validate --kind module-manifest fixtures/execution_modules
 
 Supported kinds include `result`, `evidence`, `lab-profile`, `lab-corpus`,
 `execution-record`, `module-manifest`, `opsec-policy`, `route-report`,
-`opengraph`, `jsonl`, and `csv`.
+`bundle-manifest`, `quality-gate`, `opengraph`, `jsonl`, and `csv`.
 Validation reports explain invalid fields by path and return exit code `2` when
 an artifact does not satisfy the selected contract.
 

docs/CLI.md

@@ -14,6 +14,8 @@ relayx help safety
 relayx help scan
 relayx help run
 relayx help schema
+relayx help bundle
+relayx help quality-gate
 relayx --no-banner help
 ```
 
@@ -30,7 +32,8 @@ relayx help export --format json
 - Analysis: `calculus`, `controls`, `fixes`, `plan`, `calibrate`,
   `compare-baseline`, `lab-corpus`, `lab-profile`
 - Validation: `validate`, `source-check`, `source-plan`, `run`
-- Enterprise: `profiles`, `report`, `export`, `diff`, `simulate-fixes`
+- Enterprise: `profiles`, `report`, `export`, `bundle`, `diff`,
+  `simulate-fixes`, `quality-gate`
 - Modules: `modules`, `module-plan`
 - Contracts: `schema`
 - Policy: `opsec`
@@ -60,9 +63,23 @@ relayx schema validate --kind jsonl relayx-events.jsonl
 
 Supported schema kinds are `result`, `evidence`, `lab-profile`, `lab-corpus`,
 `execution-record`, `module-manifest`, `opsec-policy`, `route-report`,
-`opengraph`, `jsonl`, and `csv`.
+`bundle-manifest`, `quality-gate`, `opengraph`, `jsonl`, and `csv`.
 Invalid artifacts return exit code `2`.
 
+## Enterprise Bundle And Quality Gate
+
+```bash
+relayx bundle --result result.json --out-dir relayx-bundle
+relayx bundle --result result.json --out-dir relayx-bundle --formats opengraph,jsonl,csv
+relayx quality-gate --project-root .
+relayx quality-gate --project-root . --format json --out relayx-quality-gate.json
+```
+
+`relayx bundle` writes a validated handoff directory with a manifest, artifact
+hashes, schema status, and optional route report. `relayx quality-gate` is the
+local CI/release gate for package metadata, fixtures, schema contracts,
+enterprise documentation, and GitHub workflow coverage.
+
 ## Execution Adapter SDK
 
 `relayx modules` and `relayx module-plan` expose both module manifests and the

docs/ENTERPRISE_OUTPUTS.md

@@ -9,13 +9,17 @@ defenders, reporting workflows, SIEM pipelines, and graph tooling.
 relayx export --result result.json --format opengraph --out relayx-opengraph.json
 relayx export --result result.json --format jsonl --out relayx-events.jsonl
 relayx export --result result.json --format csv --out relayx.csv
+relayx bundle --result result.json --out-dir relayx-bundle
 relayx diff old-result.json new-result.json --format json --out relayx-diff.json
 relayx simulate-fixes result.json --control smb_signing --format json
 relayx routes --result result.json --format json --out relayx-routes.json
+relayx quality-gate --project-root . --format json --out relayx-quality-gate.json
 relayx schema validate --kind opengraph relayx-opengraph.json
 relayx schema validate --kind jsonl relayx-events.jsonl
 relayx schema validate --kind csv relayx.csv
 relayx schema validate --kind route-report relayx-routes.json
+relayx schema validate --kind bundle-manifest relayx-bundle/manifest.json
+relayx schema validate --kind quality-gate relayx-quality-gate.json
 ```
 
 ## OpenGraph
@@ -37,6 +41,21 @@ relay readiness context does not collide with AD or Azure entity kinds.
 
 This is the preferred format for SIEM and blue-team pipelines.
 
+## Enterprise Bundle
+
+`relayx bundle` writes a complete handoff directory from one result file. The
+default bundle contains the canonical RelayX result, OpenGraph, JSONL, CSV,
+HTML, Markdown, Mermaid, and a route report when source metadata is available.
+
+The bundle also writes `manifest.json`. The manifest records each artifact's
+relative path, format, schema kind, schema validation status, byte size, and
+SHA256 hash. It is intended to be archived with the engagement evidence set and
+validated with:
+
+```bash
+relayx schema validate --kind bundle-manifest relayx-bundle/manifest.json
+```
+
 ## Route Reports
 
 `relayx routes` emits a route and pivot awareness report. It records modeled
@@ -57,6 +76,23 @@ relayx schema validate --kind csv relayx.csv
 Validation reports include path-level errors and warnings. Use `--format json`
 for CI and ingestion pipeline checks.
 
+## Quality Gate
+
+`relayx quality-gate` is the local CI and release gate. It validates package
+metadata, schema catalog coverage, JSON fixtures, schema fixture directories,
+enterprise output matrix coverage, documentation coverage, and GitHub Actions
+workflow presence. Failed gates return exit code `2`.
+
+```bash
+relayx quality-gate --project-root . --format json --out relayx-quality-gate.json
+relayx schema validate --kind quality-gate relayx-quality-gate.json
+```
+
+The GitHub CI workflow runs unit tests, the quality gate, wheel build smoke
+tests, and wheel install smoke tests. The release workflow repeats those gates
+and verifies that a `v*` tag matches the package version before building source
+and wheel distributions.
+
 ## Diff
 
 `relayx diff` compares stable path fingerprints:

docs/INSTALL.md

@@ -31,14 +31,20 @@ relayx --version
 
 1. Update `relayx.__version__` and `pyproject.toml`.
 2. Run the full unit test suite.
-3. Validate JSON fixtures.
+3. Run the RelayX quality gate.
 4. Build a wheel and source distribution.
-5. Smoke-test `pipx install dist/*.whl`.
+5. Smoke-test the generated wheel.
 6. Tag the release in GitHub.
 
 ```bash
 python3 -m unittest discover -s tests
-for f in fixtures/*.json fixtures/lab_profiles/*.json fixtures/execution_modules/*.json; do python3 -m json.tool "$f" >/dev/null; done
+relayx --no-banner quality-gate --project-root . --format json --out relayx-quality-gate.json
+relayx schema validate --kind quality-gate relayx-quality-gate.json
 python3 -m build
-pipx install --force dist/relayx-*.whl
+python3 -m pip install --force-reinstall dist/relayx-*.whl
+relayx --no-banner --version
 ```
+
+The GitHub CI workflow runs unit tests, `relayx quality-gate`, wheel build, and
+wheel install smoke tests. The release workflow repeats those checks and
+verifies that `v*` tags match the package version.

docs/README.fr.md

@@ -80,6 +80,11 @@ echec.
   CSV, OPSEC policy et route report.
 - Exports entreprise pour graph analysis, ingestion SIEM, revue CSV, rapports
   HTML/Markdown, scan diff et simulation d'impact de remediation.
+- Generation d'enterprise bundle avec manifest, hashes d'artefacts, schema
+  status, route report optionnel et metadonnees de handoff release-ready.
+- Quality gates CI/release pour package metadata, schema contracts, fixtures
+  JSON, documentation entreprise, GitHub workflows, wheel builds et install
+  smoke tests.
 
 ## Installation
 
@@ -148,8 +153,10 @@ Exporter des artefacts entreprise :
 ```bash
 relayx export --result result.json --format opengraph --out relayx-opengraph.json
 relayx export --result result.json --format jsonl --out relayx-events.jsonl
+relayx bundle --result result.json --out-dir relayx-bundle
 relayx diff old-result.json new-result.json --format json --out relayx-diff.json
 relayx simulate-fixes result.json --control smb_signing --format json
+relayx quality-gate --project-root .
 ```
 
 Valider les schemas et le contrat evidence :
@@ -182,8 +189,10 @@ relayx lab-profile       Genere un draft de calibration profile depuis corpus
 relayx validate          Lance une validation active controlee pour un chemin
 relayx profiles          Liste les profils RelayX integres
 relayx export            Exporte graph, JSONL, CSV, rapport ou diagramme
+relayx bundle            Ecrit un enterprise handoff bundle valide
 relayx diff              Compare deux resultats RelayX
 relayx simulate-fixes    Simule l'impact des remediations sur les chemins
+relayx quality-gate      Lance les quality gates CI et release locaux
 relayx schema            Liste ou valide schemas et contrats evidence
 relayx opsec             Liste ou inspecte les politiques OPSEC
 relayx modules           Liste les manifests de modules d'execution
@@ -224,6 +233,10 @@ pipelines.
 - `jsonl` : un evenement par ligne pour SIEM et pipelines blue team.
 - `opengraph` : graphe custom de style BloodHound/OpenGraph avec nodes et
   edges RelayX.
+- `bundle-manifest` : manifest d'enterprise bundle avec hashes et schema
+  status.
+- `quality-gate` : rapport de gate CI/release pour package, fixtures, docs et
+  workflows.
 
 ## Contrats de schema
 
@@ -237,9 +250,9 @@ relayx schema validate --kind module-manifest fixtures/execution_modules
 
 Les kinds supportes incluent `result`, `evidence`, `lab-profile`, `lab-corpus`,
 `execution-record`, `module-manifest`, `opsec-policy`, `route-report`,
-`opengraph`, `jsonl` et `csv`. Les rapports de validation expliquent les champs
-invalides par chemin et renvoient un exit code `2` lorsque l'artefact ne
-respecte pas le contrat choisi.
+`bundle-manifest`, `quality-gate`, `opengraph`, `jsonl` et `csv`. Les rapports
+de validation expliquent les champs invalides par chemin et renvoient un exit
+code `2` lorsque l'artefact ne respecte pas le contrat choisi.
 
 ## Calibration laboratoire