feat: add multi-arch desktop build baseline #39

Merged: seonghobae merged 5 commits into develop from feat/issue-38-multi-arch-builds on Mar 11, 2026

seonghobae (Owner) commented Mar 11, 2026

Summary

  • expand the desktop build baseline to explicit Windows amd64/arm64 and macOS amd64/arm64 runners while keeping stable merge-gate check names
  • make packaged artifacts, manifests, and checksums architecture-aware so release evidence stays traceable across all four targets
  • update supply-chain verification and security docs to enforce the new multi-arch baseline with targeted regression tests

Verification

  • cd services/analysis-engine && uv run pytest tests/test_release_packaging.py tests/test_supply_chain_policy.py -q
  • python3 scripts/checks/verify_supply_chain.py
  • ./scripts/harness/quickcheck.sh
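Walkthrough

The GitHub workflow was restructured to support multi-architecture builds. Build jobs for Windows and macOS were split per amd64 and arm64 architecture, corresponding gate jobs were added, and the artifact naming and packaging logic were updated per architecture.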

Changes

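| Cohort / File(s) | Summary |
|---|---|
| GitHub workflow configuration: .github/workflows/build-baseline.yml | Split the Windows and macOS builds into separate jobs per amd64/arm64 architecture. Added a dedicated runner, environment variables, target triple, and build steps for each architecture. Added the gate-windows and gate-macos gate jobs so that the release stage proceeds after both architecture builds complete. Changed artifact naming to the bandscope-{os}-{arch}-... format. |
| Security policy and architecture documentation: ARCHITECTURE.md, docs/security/cross-platform-build-policy.md, docs/security/github-required-checks.md | Explicitly documented the multi-architecture build requirements. The protected-branch and release verification criteria now include Windows/macOS amd64+arm64. Extended the gate check names, artifact verification, and workflow runner labeling guidance per architecture. |
| Release artifact packaging: scripts/release/package_desktop_artifact.py | Added platform and architecture normalization functions. The artifact_identity() function generates the standard artifact identity (platform, arch, archive/manifest names). The manifest content includes platform, architecture, and target triple information. |
| Supply-chain verification script: scripts/checks/verify_supply_chain.py | Explicitly updated the runner tokens to windows-2025, windows-11-arm, macos-15-intel, macos-15. Added four architecture-specific artifact tokens (bandscope-{os}-{arch}-...). Added architecture coverage verification logic for when legacy runners are used. |
| Release packaging and supply-chain policy tests: services/analysis-engine/tests/test_release_packaging.py, services/analysis-engine/tests/test_supply_chain_policy.py | Added tests verifying the release packaging flow (environment-variable-based identity derivation, target triple path resolution, Darwin→macOS mapping). Enforces supply-chain workflow coverage (multi-arch token verification and acceptance of the repo's multi-arch workflow). |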

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

Poem

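🐇 Four architectures, all running along together,
Windows and Mac, amd64 and arm, none left out;
when the gates swing open all at once, the release is assured,
supply-chain verification packs quality in with trust,
and the rabbit applauds too: a perfect build! 🎯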


coderabbitai Bot commented Mar 11, 2026

Warning

Rate limit exceeded

@seonghobae has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 2 minutes and 11 seconds before requesting another review.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7071b465-8d04-4262-8936-1b7d629c8f84

📥 Commits

Reviewing files that changed from the base of the PR and between 9a3a677 and 9d9543e.

📒 Files selected for processing (8)
  • .github/workflows/build-baseline.yml
  • ARCHITECTURE.md
  • docs/security/cross-platform-build-policy.md
  • docs/security/github-required-checks.md
  • scripts/checks/verify_supply_chain.py
  • services/analysis-engine/tests/conftest.py
  • services/analysis-engine/tests/test_release_packaging.py
  • services/analysis-engine/tests/test_supply_chain_policy.py
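Walkthrough

Added per-architecture (amd64/arm64) build jobs and gates for Windows and macOS, and extended the artifact naming, packaging, and verification logic, along with the related documentation and tests, per architecture.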

Changes

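| Cohort / File(s) | Summary |
|---|---|
| GitHub workflow configuration: .github/workflows/build-baseline.yml | Split the Windows/macOS builds per architecture (build-*-native/build-*-arm64) and added runner/env/target-triple settings dedicated to each architecture. Adjusted the per-architecture gates (gate-windows, gate-macos), the artifact naming (bandscope-{os}-{arch}-{sha}), and the release attachment. |
| Documentation, architecture and security requirements: ARCHITECTURE.md, docs/security/cross-platform-build-policy.md, docs/security/github-required-checks.md | Explicitly added amd64 and arm64 for each of Windows and macOS to protected-branch and release verification and to the required checks. Extended architecture-based requirements such as runner label stability and Windows AV evidence guidance. |
| Verification script: scripts/checks/verify_supply_chain.py | Updated the workflow runner tokens to explicit labels (windows-2025, windows-11-arm, macos-15-intel, macos-15), and added checks for four architecture-specific bandscope tokens plus warning logic for use of legacy *-latest labels. |
| Release packaging script: scripts/release/package_desktop_artifact.py | Added platform/architecture normalization functions (normalized_platform, normalized_architecture); artifact_identity() generates the standard artifact id/archive/manifest. The manifest includes platform/arch/target_triple. |
| Tests, packaging and supply-chain policy: services/analysis-engine/tests/test_release_packaging.py, services/analysis-engine/tests/test_supply_chain_policy.py, services/analysis-engine/tests/conftest.py | Added tests verifying environment-variable-based artifact identity, target-triple paths, the Darwin→macos mapping, and manifest generation. Added a test verifying multi-architecture workflow coverage. |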

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer (PR)
    participant GH as GitHub Actions
    participant RunnerA as Runner (amd64)
    participant RunnerB as Runner (arm64)
    participant Package as Packaging Script
    participant Store as Artifact Storage / Release

    Dev->>GH: PR merge / workflow trigger
    GH->>RunnerA: start build-*-amd64
    GH->>RunnerB: start build-*-arm64
    RunnerA-->>Store: upload artifact bandscope-{os}-amd64-{sha}
    RunnerB-->>Store: upload artifact bandscope-{os}-arm64-{sha}
    GH->>GH: gate-* (wait: amd64 & arm64 complete)
    GH->>Package: run per-architecture packaging script (including manifest)
    Package-->>Store: upload manifest and archive
    GH->>Store: attach artifacts to release

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

Poem

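🐇 Builds race along four forking paths,
amd64 and arm64, windows and apples all gathered;
when the gate opens the artifacts sparkle,
the manifest records platform and arch,
and the rabbit dances to celebrate the release 🎉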

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: expanding desktop build baseline to support multiple architectures. |
| Description check | ✅ Passed | The description is related to the changes and provides a clear overview of the added multi-architecture build support. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.
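
The runner-label and artifact-name checks that the walkthrough above attributes to scripts/checks/verify_supply_chain.py, as an added example that is not the repository's own code. The constants are assumptions drawn from the walkthrough, `check_workflow` and `sample_workflow` are hypothetical names, and both workflows are constructed samples.

```python
import re

# Assumed policy constants, taken from the labels and naming in the walkthrough.
REQUIRED_RUNNERS = {"windows-2025", "windows-11-arm", "macos-15-intel", "macos-15"}
REQUIRED_ARTIFACT_PREFIXES = {
    f"bandscope-{os_name}-{arch}-"
    for os_name in ("windows", "macos")
    for arch in ("amd64", "arm64")
}
# Captures the whole label of a scalar `runs-on:` value (quotes/comment allowed).
RUNS_ON = re.compile(r"^[ \t]*runs-on:[ \t]*['\"]?([\w.-]+)['\"]?[ \t]*(?:#.*)?$", re.M)


def check_workflow(text: str) -> list[str]:
    """Return policy findings for one workflow file; an empty list means pass."""
    runners = set(RUNS_ON.findall(text))
    # Whole-label comparison: a substring test for "macos-15" would also be
    # satisfied by "macos-15-intel" and hide a missing macOS arm64 job.
    findings = [f"missing runner: {r}" for r in sorted(REQUIRED_RUNNERS - runners)]
    findings += [
        f"floating runner label: {r}" for r in sorted(runners) if r.endswith("-latest")
    ]
    findings += [
        f"missing artifact name: {p}"
        for p in sorted(REQUIRED_ARTIFACT_PREFIXES)
        if p not in text
    ]
    return findings


def sample_workflow(jobs: dict[str, str]) -> str:
    """Build a constructed workflow with one job per {os-arch: runner} entry."""
    body = "".join(
        f"  build-{target}:\n"
        f"    runs-on: {runner}\n"
        "    steps:\n"
        "      - uses: actions/upload-artifact@v4\n"
        "        with:\n"
        f"          name: bandscope-{target}-${{{{ github.sha }}}}\n"
        for target, runner in jobs.items()
    )
    return "jobs:\n" + body


# Constructed samples: all four targets, then one missing both arm64 jobs.
GOOD = sample_workflow({"windows-amd64": "windows-2025", "windows-arm64": "windows-11-arm",
                        "macos-amd64": "macos-15-intel", "macos-arm64": "macos-15"})
BAD = sample_workflow({"windows-amd64": "windows-latest", "macos-amd64": "macos-15-intel"})

if __name__ == "__main__":
    print(check_workflow(GOOD), *check_workflow(BAD), sep="\n")
```

The second sample contains the text `macos-15` only inside `macos-15-intel`, which is why the check compares parsed `runs-on` labels rather than searching the file for tokens.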

@seonghobae (Owner, Author)

@coderabbitai review


coderabbitai Bot commented Mar 11, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@services/analysis-engine/tests/test_supply_chain_policy.py`:
- Around line 8-16: The load_module helper is duplicated between
test_supply_chain_policy.py and test_release_packaging.py; extract the shared
function into services/analysis-engine/tests/conftest.py and remove the
duplicate definitions from both test files. In the new conftest.py define
load_module with the same signature (referencing load_module, module_from_spec,
spec_from_file_location, Path, ModuleType) and ensure the required imports are
present, then update the tests to import load_module from conftest (or rely on
pytest discovery) so both test_supply_chain_policy.py and
test_release_packaging.py use the centralized helper.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c3893265-6227-4e9d-bb3a-6a64b4c27e91

📥 Commits

Reviewing files that changed from the base of the PR and between 8537a2e and 9a3a677.

📒 Files selected for processing (8)
  • .github/workflows/build-baseline.yml
  • ARCHITECTURE.md
  • docs/security/cross-platform-build-policy.md
  • docs/security/github-required-checks.md
  • scripts/checks/verify_supply_chain.py
  • scripts/release/package_desktop_artifact.py
  • services/analysis-engine/tests/test_release_packaging.py
  • services/analysis-engine/tests/test_supply_chain_policy.py

Comment thread services/analysis-engine/tests/test_supply_chain_policy.py Outdated

@seonghobae (Owner, Author)

@coderabbitai full review


coderabbitai Bot commented Mar 11, 2026

✅ Actions performed

Full review triggered.

@seonghobae (Owner, Author)

@coderabbitai review


coderabbitai Bot commented Mar 11, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@seonghobae (Owner, Author)

@coderabbitai review


coderabbitai Bot commented Mar 11, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@seonghobae seonghobae enabled auto-merge (squash) March 11, 2026 12:38

@seonghobae (Owner, Author)

@coderabbitai review


coderabbitai Bot commented Mar 11, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


coderabbitai Bot commented Mar 11, 2026

✅ Actions performed

Full review triggered.


coderabbitai Bot commented Mar 11, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@seonghobae seonghobae merged commit 032852f into develop Mar 11, 2026
20 checks passed

coderabbitai Bot commented Mar 11, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
