Integrate artifact verification into the deployment pipeline

[temma02]

Description

apps/backend/tests/deployment/artifact-verification.test.ts covers artifact signing and checksum verification but these steps are not part of the live pipeline. Unverified artifacts could be tampered with between code generation and Vercel deployment.

Requirements and context

• Must be secure, tested, and documented where applicable
• Should stay reviewable and fit the current monorepo structure
• Relevant files: apps/backend/tests/deployment/artifact-verification.test.ts, apps/backend/src/services/deployment-pipeline.service.ts, apps/backend/src/services/code-generator.service.ts

Suggested execution

• Create branch: issue-022-artifact-verification-in-pipeline
• Keep changes scoped to the issue and reference the task IDs in the PR

Implement changes

• After CodeGeneratorService.generate(), call signArtifact with the platform signing secret
• Before GitHubPushService.pushGeneratedCode(), call verifyArtifact and abort on mismatch
• Store the artifact checksum in deployment_logs metadata for audit purposes

Test and commit

• Add pipeline tests for: valid artifact proceeds, tampered artifact aborts, missing signature aborts
• Include a request/response example showing the checksum in the log metadata
• Security note: signing secret must come from env, never hardcoded

Example commit message

feat(pipeline): add artifact signing and verification step

Guidelines

• Prefer small, reviewable PRs
• Keep naming and data contracts consistent with the spec docs

[Favourejiro]

@Favourejiro has applied to work on this issue as part of the Stellar Wave Program's 4th wave.

Hello maintainers, I would like to work on this issue because I am well-experienced in solving these types of issues.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Favourejiro to this issue.

[zeemscript]

@zeemscript has applied to work on this issue as part of the Stellar Wave Program's 4th wave.

I would like to work on this issue, kindly assign me please

ℹ️ Repo Maintainers: To accept this application, review their application or assign @zeemscript to this issue.

[drips-wave]

Congratulations, @Favourejiro! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on April 29, 2026.

🧑‍💻 @Favourejiro: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊