Close Windows release artifact verification gap

G009 Stream 8 acceptance requires a Windows release artifact quickstart with checksum evidence, not just source-build docs. Add Windows release asset packaging and make the release-readiness check assert the workflow/docs contract.

Constraint: Stream 8 requires release artifact quickstart with checksums and no-credential smoke paths.

Rejected: Documenting a future Windows asset without workflow support | would leave acceptance unverifiable.

Confidence: high

Scope-risk: narrow

Tested: python3 .github/scripts/check_release_readiness.py; python3 .github/scripts/check_doc_source_of_truth.py; git diff --check

Not-tested: actual GitHub release workflow execution on windows-latest.

Co-authored-by: OmX <omx@oh-my-codex.dev>

.github/scripts/check_release_readiness.py

@@ -151,11 +151,45 @@ def validate_command_examples(errors: list[str]) -> None:
                     )
 
 
+
+def validate_release_artifacts(errors: list[str]) -> None:
+    workflow = ROOT / ".github" / "workflows" / "release.yml"
+    release_doc = ROOT / "docs" / "windows-install-release.md"
+    if not workflow.is_file():
+        errors.append("missing release workflow: .github/workflows/release.yml")
+        return
+    workflow_text = workflow.read_text(encoding="utf-8")
+    required_workflow_terms = [
+        "windows-latest",
+        "claw.exe",
+        "claw-windows-x64.exe",
+        "sha256sum",
+        "${{ matrix.artifact_name }}.sha256",
+    ]
+    for term in required_workflow_terms:
+        if term not in workflow_text:
+            errors.append(f"release workflow missing Windows/checksum term: {term}")
+    if not release_doc.is_file():
+        errors.append("missing Windows release quickstart: docs/windows-install-release.md")
+        return
+    release_text = release_doc.read_text(encoding="utf-8")
+    required_doc_terms = [
+        "claw-windows-x64.exe",
+        "claw-windows-x64.exe.sha256",
+        "Get-FileHash",
+        "checksum mismatch",
+        "target\\release\\claw.exe",
+    ]
+    for term in required_doc_terms:
+        if term not in release_text:
+            errors.append(f"Windows release quickstart missing term: {term}")
+
 def main() -> int:
     errors: list[str] = []
     validate_policies(errors)
     validate_markdown_links(errors)
     validate_command_examples(errors)
+    validate_release_artifacts(errors)
     if errors:
         print("release-readiness check failed:", file=sys.stderr)
         for error in errors:

.github/workflows/release.yml

@@ -32,6 +32,10 @@ jobs:
             os: macos-14
             bin: claw
             artifact_name: claw-macos-arm64
+          - name: windows-x64
+            os: windows-latest
+            bin: claw.exe
+            artifact_name: claw-windows-x64.exe
     defaults:
       run:
         working-directory: rust
@@ -47,22 +51,27 @@ jobs:
       - name: Build release binary
         run: cargo build --release -p rusty-claude-cli
 
-      - name: Package artifact
+      - name: Package artifact and checksum
         shell: bash
         run: |
           mkdir -p dist
           cp "target/release/${{ matrix.bin }}" "dist/${{ matrix.artifact_name }}"
           chmod +x "dist/${{ matrix.artifact_name }}"
+          (cd dist && sha256sum "${{ matrix.artifact_name }}" > "${{ matrix.artifact_name }}.sha256")
 
       - name: Upload workflow artifact
         uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.artifact_name }}
-          path: rust/dist/${{ matrix.artifact_name }}
+          path: |
+            rust/dist/${{ matrix.artifact_name }}
+            rust/dist/${{ matrix.artifact_name }}.sha256
 
       - name: Upload release asset
         if: startsWith(github.ref, 'refs/tags/')
         uses: softprops/action-gh-release@v2
         with:
-          files: rust/dist/${{ matrix.artifact_name }}
+          files: |
+            rust/dist/${{ matrix.artifact_name }}
+            rust/dist/${{ matrix.artifact_name }}.sha256
           fail_on_unmatched_files: true