feat: build system transition to release fork + archive hardening

Release fork infrastructure:
- REDBEAR_RELEASE=0.1.1 with offline enforcement (fetch/distclean/unfetch blocked)
- 195 BLAKE3-verified source archives in standard format
- Atomic provisioning via provision-release.sh (staging + .complete sentry)
- 5-phase improvement plan: restore format auto-detection, source tree
  validation (validate-source-trees.py), archive-map.json, REPO_BINARY fallback

Archive normalization:
- Removed 87 duplicate/unversioned archives from shared pool
- Regenerated all archives in consistent format with source/ + recipe.toml
- BLAKE3SUMS and manifest.json generated from stable tarball set

Patch management:
- verify-patches.sh: pre-sync dry-run report (OK/REVERSED/CONFLICT)
- 121 upstream-absorbed patches moved to absorbed/ directories
- 43 active patches verified clean against rebased sources
- Stress test: base updated to upstream HEAD, relibc reset and patched

Compilation fixes:
- relibc: Vec imports in redox-rt (proc.rs, lib.rs, sys.rs)
- relibc: unsafe from_raw_parts in mod.rs (2024 edition)
- fetch.rs: rev comparison handles short/full hash prefixes
- kibi recipe: corrected rev mismatch

New scripts: restore-sources.sh, provision-release.sh, verify-sources-archived.sh,
check-upstream-releases.sh, validate-source-trees.py, verify-patches.sh,
repair-archive-format.sh, generate-manifest.py

Documentation: AGENTS.md, README.md, local/AGENTS.md updated for release fork model

local/scripts/verify-sources-archived.sh

@@ -0,0 +1,140 @@
+#!/usr/bin/env bash
+# verify-sources-archived.sh — Verify release archive integrity.
+#
+# Usage:
+#   ./local/scripts/verify-sources-archived.sh --release=0.1.0
+#
+# Checks that BLAKE3SUMS file exists and all archives match.
+# If archives are in sources/<target>/ format, verifies those too.
+# Returns non-zero if any archive is missing or corrupted.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+RELEASE=""
+
+usage() {
+    cat <<EOF
+Usage: $(basename "$0") --release=<ver>
+
+Verify release archive integrity.
+
+Options:
+  --release=<ver>   Release version (e.g., 0.1.0)
+  -h, --help        Show this help
+EOF
+}
+
+while [ $# -gt 0 ]; do
+    case "$1" in
+        --release=*) RELEASE="${1#*=}" ;;
+        -h|--help)    usage; exit 0 ;;
+        *)            echo "Unknown: $1"; usage >&2; exit 1 ;;
+    esac
+    shift
+done
+
+if [ -z "$RELEASE" ]; then
+    echo "ERROR: --release is required" >&2
+    exit 1
+fi
+
+ARCHIVE_DIR="$PROJECT_ROOT/sources/redbear-$RELEASE"
+MANIFEST="$ARCHIVE_DIR/manifest.txt"
+
+GREEN='\033[1;32m'
+RED='\033[1;31m'
+NC='\033[0m'
+
+pass() { echo -e "${GREEN}PASS${NC}: $*"; }
+fail() { echo -e "${RED}FAIL${NC}: $*"; }
+
+errors=0
+
+# 1. Verify .complete sentry exists (release is sealed)
+if [ -f "$ARCHIVE_DIR/.complete" ]; then
+    pass ".complete sentry: $(cat "$ARCHIVE_DIR/.complete")"
+else
+    fail ".complete sentry NOT FOUND — release may be incomplete or corrupted"
+    errors=$((errors + 1))
+fi
+
+# 2. Verify configs
+if [ -d "$ARCHIVE_DIR/configs" ]; then
+    config_count=$(ls "$ARCHIVE_DIR/configs"/*.toml 2>/dev/null | wc -l)
+    pass "configs: $config_count files"
+else
+    fail "configs directory not found"
+    errors=$((errors + 1))
+fi
+
+# 3. Verify patches
+if [ -d "$ARCHIVE_DIR/patches" ]; then
+    patch_count=$(ls "$ARCHIVE_DIR/patches"/*.patch 2>/dev/null | wc -l)
+    pass "patches: $patch_count files"
+fi
+
+SOURCES_TARGET="$PROJECT_ROOT/sources/x86_64-unknown-redox"
+
+# 4. Check for BLAKE3SUMS
+if [ -f "$ARCHIVE_DIR/BLAKE3SUMS" ]; then
+    pass "BLAKE3SUMS present ($(wc -l < "$ARCHIVE_DIR/BLAKE3SUMS") entries)"
+    # Verify checksums against actual archive files
+    verified=0
+    failed_checksums=0
+    while read -r hash filename; do
+        [ -z "$hash" ] && continue
+        archive_path="$ARCHIVE_DIR/tarballs/$filename"
+        if [ ! -f "$archive_path" ]; then
+            archive_path="$ARCHIVE_DIR/snapshots/$filename"
+        fi
+        if [ ! -f "$archive_path" ]; then
+            fail "archive missing: $filename"
+            errors=$((errors + 1))
+            continue
+        fi
+        if command -v b3sum >/dev/null 2>&1; then
+            computed=$(b3sum "$archive_path" | awk '{print $1}')
+        else
+            fail "b3sum not available — cannot verify BLAKE3SUMS"
+            errors=$((errors + 1))
+            break
+        fi
+        if [ "$computed" != "$hash" ]; then
+            fail "checksum mismatch: $filename (expected $hash, got $computed)"
+            failed_checksums=$((failed_checksums + 1))
+            errors=$((errors + 1))
+        else
+            verified=$((verified + 1))
+        fi
+    done < "$ARCHIVE_DIR/BLAKE3SUMS"
+    if [ "$verified" -gt 0 ]; then
+        pass "checksums verified: $verified archives"
+    fi
+    if [ "$failed_checksums" -gt 0 ]; then
+        fail "$failed_checksums checksum mismatches"
+    fi
+else
+    fail "BLAKE3SUMS not found in $ARCHIVE_DIR"
+    errors=$((errors + 1))
+fi
+
+# 5. Count archives in sources/<target>/
+SOURCES_TARGET="$PROJECT_ROOT/sources/x86_64-unknown-redox"
+if [ -d "$ARCHIVE_DIR/tarballs" ]; then
+    archive_count=$(ls "$ARCHIVE_DIR/tarballs"/*.tar.gz 2>/dev/null | wc -l)
+    pass "source archives: $archive_count files in $ARCHIVE_DIR/tarballs/"
+fi
+
+echo ""
+if [ "$errors" -eq 0 ]; then
+    echo -e "${GREEN}=========================================${NC}"
+    echo -e "${GREEN}  Release $RELEASE: VERIFIED${NC}"
+    echo -e "${GREEN}=========================================${NC}"
+else
+    echo -e "${RED}=========================================${NC}"
+    echo -e "${RED}  Release $RELEASE: $errors error(s)${NC}"
+    echo -e "${RED}=========================================${NC}"
+    exit 1
+fi