Challenges & Sprints May 18, 2026

7-Day Cold-Hash Challenge - One Validator Pass Per Day Before Q3 2026 Partner Upload

2026 Challenges and Sprints guide—a seven-day cold-hash challenge with daily validator gates, release-evidence proof, and Q3 partner upload prep for indie teams.

By GamineAI Team

You bookmarked the SHA256 cold-validation drill. You starred the sixteen-tool listicle. Upload night still arrives with an empty SHA256SUMS.recomputed.txt and a receipt that cites last week’s commit.

Q3 2026 partner portals do not grade intentions—they re-hash on hardware that never saw your dev drive. This Challenges & Sprints guide is a seven-day, one-gate-per-weekday sprint that turns hash discipline into daily proof in release-evidence/05-operations/validation/ before you score mock audit dimension 2.

Who this is for

  • 1–4 person teams shipping first cert or publisher evidence packets
  • Studios that wrote BUILD_RECEIPT.json once but never repeated cold replay
  • Anyone resubmitting after “checksum inconsistent” yellow flags

Time: ~45–60 minutes per weekday (~6 hours total). Weekends are evidence review only—no new gates.

Why this matters now (May 2026)

  1. Partner cold-hash policy — Reviewer laptops unpack zips and recompute digests; your CI green badge is not their machine.
  2. Receipt trilogy on the site — Tutorial, drill, listicle, and ZIP naming assume habits; this challenge installs them.
  3. Overnight handoffs — Asia-EU envelopes fail when only the morning human knows which bytes were hashed.

Direct answer: Run one validator gate per weekday; each gate logs a pass/fail file; do not upload partner packets until Sunday’s read-aloud shows seven consecutive weekday passes on the same build_id lineage—or a documented build_id bump with new passes.

Before you start — readiness checklist

  • [ ] release-evidence/ root exists per folder taxonomy
  • [ ] BUILD_RECEIPT.template.json and upload_log.csv header row committed
  • [ ] Second machine or VM available (laptop, old PC, cloud VM—must not be the compile box)
  • [ ] sha256sum or PowerShell Get-FileHash installed on both machines
  • [ ] jq installed on cold machine (or Python jsonschema fallback)
  • [ ] Frozen build_id for challenge week—or agreement to bump id and restart gates when bytes change
  • [ ] No scope creep: no new gameplay features during challenge week

Rules of the challenge

  1. One owner signs each day’s log file (solo dev signs twice on Friday—writer + cold re-runner).
  2. Fail stops the day—fix before marking pass; no “yellow pass.”
  3. Artifacts land in validation/YYYY-MM-DD_gateN_pass.log—not Slack screenshots.
  4. Pair with RC freeze only after this week if schedules collide—hash habits come first.
  5. Add summary row to Friday Block 5 every week until upload.

How this differs from the SHA256 drill post

The cold-validation drill is a one-shot sixty-minute procedure. This challenge is muscle memory: seven gates that split drill blocks across weekdays so hash discipline survives upload-month chaos.

Challenge calendar at a glance

Day | Gate | Primary artifact | Tool
Mon | 1 | files_to_hash.txt | find / Get-ChildItem
Tue | 2 | SHA256SUMS.txt | sha256sum / Get-FileHash
Wed | 3 | MANIFEST.json | jq
Thu | 4 | BUILD_RECEIPT.json | git + editor
Fri | 5 | SHA256SUMS.recomputed.txt | diff on cold host
Sat | - | zip integrity | 7z t
Sun | - | README read-aloud | human
Mon+1 | 6 | upload_log.csv | csv lint
Tue+1 | 7 | validate-packet.sh | shellcheck + mock score

Teams uploading within one calendar week can compress days 6–7 into the first Friday afternoon after gate 5 passes.

Day 1 (Monday) — Freeze file list and paths

Goal: files_to_hash.txt matches disk; paths are zip-relative.

Step | Action
1 | From 01_build/game/, run find or PowerShell file list per drill post
2 | Sort paths; commit files_to_hash.txt to repo or evidence folder
3 | Second person (or future you) regenerates list—must match byte-for-byte

Pass criteria: Two independent lists identical; no .DS_Store or editor junk unless explicitly hashed.

Log line: gate1_files_frozen build_id=... file_count=N

Common fail: Mixing game/Riftbound.exe with 01_build/game/Riftbound.exe in the same list—pick zip interior convention and document in release-evidence/README.md.

Day 1 troubleshooting

Symptom | Fix
Lists differ by one file | Check .gitignore vs actual exports
Paths use backslashes | Normalize to forward slashes for sidecar
Artist dropped file on Desktop | Move into 01_build/ before listing

Day 1 evidence snippet

Save in log file:

gate1 pass 2026-05-19T10:00:00Z
build_id=northlake_riftbound_steam_a1b2c3d_cert_20260519
file_count=47
list_sha256=e3b0c442...  # optional: hash the list file itself

Hashing the list file is optional but helps detect list tampering before day 2.

Day 2 (Tuesday) — SHA256SUMS.txt generation

Goal: GNU-format sidecar from frozen list.

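cd release-evidence/01-build/game
# Read the list line by line so paths containing spaces are hashed as one file
while IFS= read -r f; do sha256sum -- "$f"; done \
  < ../../files_to_hash.txt > ../../SHA256SUMS.txt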

Pass criteria: Lowercase hex; two spaces before path; every list entry present.

Log line: gate2_sums_written lines=N

Tool reference: Listicle tools 1–3 (sixteen free validators).

Common fail: Hashing before cloud sync finishes—file size still changing.

Day 2 Windows notes

PowerShell loop alternative when sha256sum is awkward:

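# Requires PowerShell 6+ for utf8NoBOM; Windows PowerShell 5.1 has no BOM-less UTF-8 value.
# Run from the game root so each relative path in the list resolves.
$lines = Get-Content ..\..\files_to_hash.txt
$out = foreach ($rel in $lines) {
  # Get-FileHash returns uppercase hex; the sidecar needs lowercase
  $h = (Get-FileHash -Algorithm SHA256 -LiteralPath $rel).Hash.ToLower()
  "$h  $rel"
}
# On Windows, Set-Content ends lines with CRLF; strip CR before diffing against a GNU-generated sidecar.
$out | Set-Content ..\..\SHA256SUMS.txt -Encoding utf8NoBOM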

UTF-8 without BOM prevents jq and diff tools from choking on day 3.

Day 2 troubleshooting

Symptom | Fix
Uppercase hex | Lowercase before save
Missing trailing file | Re-run day 1 list
Different hash same file | File changed on disk—freeze exports
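
The gate 2 pass criteria and the troubleshooting rows above can be checked mechanically before the log line is written. The following is an added example, not code from this post or the listicle; the function name lint_sidecar and its two file arguments are assumptions, and it checks format and coverage only, not the digests themselves.

```shell
# Added example (POSIX sh), not the project's own script.
# lint_sidecar LIST SUMS -> returns 0 only if SUMS meets the gate 2
# pass criteria for the frozen LIST. Both names are assumptions.
lint_sidecar() {
  list=$1; sums=$2; rc=0
  tmp=$(mktemp -d) || return 2
  cr=$(printf '\r')

  # CRLF endings change the sidecar bytes and break the Friday diff.
  if LC_ALL=C grep -q "$cr" "$sums"; then
    echo "FAIL: carriage returns in $sums" >&2; rc=1
  fi
  tr -d '\r' < "$sums" > "$tmp/sums"

  # Each line: 64 lowercase hex digits, exactly two spaces, non-empty path.
  # Uppercase hex or a UTF-8 BOM on line 1 fails this pattern.
  if LC_ALL=C grep -n -v -E '^[0-9a-f]{64}  [^ ].*$' "$tmp/sums" >&2; then
    echo "FAIL: malformed line(s) listed above" >&2; rc=1
  fi

  # Backslash paths will not match the zip-relative convention.
  if LC_ALL=C grep -q '\\' "$tmp/sums"; then
    echo "FAIL: backslash in path; normalize to forward slashes" >&2; rc=1
  fi

  # Coverage: sidecar paths must equal the frozen list exactly
  # (no omissions, no extras, no duplicates). Path starts at column 67.
  cut -c67- "$tmp/sums" | LC_ALL=C sort > "$tmp/in_sums"
  LC_ALL=C sort "$list" > "$tmp/in_list"
  if ! diff "$tmp/in_list" "$tmp/in_sums" >&2; then
    echo "FAIL: sidecar paths differ from $list" >&2; rc=1
  fi

  rm -rf "$tmp"
  return "$rc"
}
```

Call it as `lint_sidecar files_to_hash.txt SHA256SUMS.txt` and write the gate 2 log line only when it returns 0.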

Day 3 (Wednesday) — MANIFEST.json parity

Goal: Every files[].sha256 matches SHA256SUMS.txt; primary_executable matches README bullet 1.

Use jq loop from listicle or:

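# Tab-separate hash and path so paths containing spaces survive `read`
jq -r '.files[] | "\(.sha256)\t\(.path)"' MANIFEST.json |
while IFS="$(printf '\t')" read -r h p; do
  # -x whole line, -F literal: dots in paths must not act as regex wildcards
  grep -qxF -- "$h  $p" SHA256SUMS.txt || { echo "mismatch: $p" >&2; exit 1; }
done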

Pass criteria: Script exit 0; build_id in manifest matches receipt plan.

Log line: gate3_manifest_parity ok

Pair with: Partner README bullet map—manifest paths must match bullets.

Day 3 manifest template (copy-paste starter)

{
  "manifest_version": "1.0",
  "build_id": "YOUR_BUILD_ID",
  "platform": "win64",
  "channel": "steam",
  "primary_executable": "YourGame.exe",
  "files": [],
  "hash_sidecar": "SHA256SUMS.txt"
}

Populate files[] by scripting from SHA256SUMS.txt—manual entry is fine for challenge week if file count stays under fifty.

Day 3 troubleshooting

Symptom | Fix
jq parse error | Remove trailing commas
Path mismatch | Align README bullet paths
Role field unknown | Use enum from listicle: game_binary, disclosure, ops_log

Day 4 (Thursday) — BUILD_RECEIPT.json and archive

Goal: Receipt at zip root template ready; archived copy under 05-operations/receipts/.

Field | Check
git.commit | git rev-parse HEAD on export machine
git.dirty | false OR documented in KNOWN_ISSUES.md
built_at_utc | ISO-8601 with Z
human_signoff | role + signed_at_utc filled

Pass criteria: Receipt JSON validates; archived filename equals build_id.

Log line: gate4_receipt_archived path=receipts/...json

Follow one-evening BUILD_RECEIPT tutorial if templates are empty.

Day 4 solo-dev signoff pattern

When one person wears every hat, use two roles in human_signoff:

"human_signoff": {
  "writer": { "role": "release_owner", "signed_at_utc": "..." },
  "cold_reviewer": { "role": "cold_validator", "signed_at_utc": "..." }
}

Sign cold reviewer only after Friday gate 5—Thursday can leave cold_reviewer empty with "pending": true if documented.

Day 4 troubleshooting

Symptom | Fix
commit mismatch | Regenerate on export machine
dirty true unexpectedly | Submodule or LFS pointer—document or clean
archive path wrong | Match receipts/{build_id}.json exactly

Day 5 (Friday) — Cold machine replay (core gate)

Goal: Empty diff between SHA256SUMS.txt and SHA256SUMS.recomputed.txt on cold hardware.

  1. Copy zip or folder to cold machine (USB > sync folder shortcuts).
  2. Unpack to clean path.
  3. Regenerate sums from files_to_hash.txt equivalent inside unpack.
  4. diff -u — no output.

Pass criteria: Diff empty; cold machine hostname noted in log.

Log line: gate5_cold_replay pass host=kitchen-laptop

This is the gate partners simulate. Missing Friday pass invalidates the week even if Monday–Thursday were perfect.

Day 5 cold machine checklist (printable)

[ ] Copy via USB or portal download—not shared sync folder
[ ] Unpack to empty directory
[ ] cd to game root inside unpack
[ ] Regenerate SHA256SUMS.recomputed.txt
[ ] diff -u SHA256SUMS.txt SHA256SUMS.recomputed.txt
[ ] Log hostname + UTC timestamp
[ ] If fail: STOP—no upload—fix bytes or bump build_id

Day 5 troubleshooting

Symptom | Fix
diff shows CRLF only | dos2unix text files before day 2
one file mismatch | Antivirus quarantine on cold PC
all files mismatch | Wrong unpack root—re-read README paths
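
The four Friday steps as one function, as an added example that is not part of the original post: it recomputes the sidecar from the frozen list inside the unpack, requires an empty diff, and also fails when the unpack contains a file the list never named. The name cold_replay, its argument order and the MISSING/UNLISTED markers are assumptions; GNU sha256sum is assumed on the cold host.

```shell
# Added example (POSIX sh), not the project's own script.
# cold_replay ROOT LIST SUMS OUT -> returns 0 only when OUT (the recomputed
# sidecar) is byte-identical to SUMS and ROOT holds no unlisted file.
# Assumes LIST paths are relative to ROOT and LIST/SUMS/OUT live outside ROOT.
cold_replay() {
  root=$1; list=$2; sums=$3; out=$4; rc=0
  tmp=$(mktemp -d) || return 2
  : > "$out"

  # Hash exactly the frozen paths, in list order, so the output is diffable.
  while IFS= read -r rel || [ -n "$rel" ]; do
    if [ -f "$root/$rel" ]; then
      (cd "$root" && sha256sum -- "$rel") >> "$out"
    else
      echo "MISSING  $rel" >> "$out"; rc=1
    fi
  done < "$list"

  # Pass condition from the gate: diff -u prints nothing.
  if ! diff -u "$sums" "$out" >&2; then rc=1; fi

  # Files that unpacked but were never listed are bytes nobody hashed.
  LC_ALL=C sort "$list" > "$tmp/listed"
  (cd "$root" && find . -type f) | sed 's|^\./||' | LC_ALL=C sort > "$tmp/on_disk"
  LC_ALL=C comm -13 "$tmp/listed" "$tmp/on_disk" > "$tmp/unlisted"
  if [ -s "$tmp/unlisted" ]; then
    sed 's/^/UNLISTED  /' "$tmp/unlisted" >&2; rc=1
  fi
  rm -rf "$tmp"

  # Log line in the gate 5 format, with cold hostname and UTC timestamp.
  if [ "$rc" -eq 0 ]; then verdict=pass; else verdict=fail; fi
  echo "gate5_cold_replay $verdict host=$(uname -n) utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  return "$rc"
}
```

Redirect the function's standard output into the day's validation log; the diff and any UNLISTED lines go to standard error so the log stays a single line.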

Weekend (Saturday–Sunday) — Evidence read-aloud, no new hashes

Saturday: Zip dry-run with naming standard; 7z t pass; do not change bytes.

Sunday: Read PARTNER_README.md aloud while clicking paths in an unpacked zip on cold machine. Log weekend_readaloud pass|fail.

If Saturday zip test fails, bump build_id Monday and restart weekday gates—do not patch silently.

Day 6 (Monday week 2) — upload_log.csv discipline

If challenge spans two calendar weeks, day 6 is upload log day for teams uploading during the sprint:

Append row with portal ticket placeholder even for dry-run:

2026-05-25T18:00:00Z,build_id_dryrun,internal_dryrun,filename.zip,DRY-RUN,submitted,dry run only

Pass criteria: CSV parses; column count stable; build_id matches receipt.

Day 7 (Tuesday week 2) — validate-packet.sh and mock audit dry score

Goal: Single script exits 0 on cold machine; mock audit dimension 2 self-score ≥ pass threshold.

Wire script from listicle skeleton; run shellcheck; execute end-to-end.

Pass criteria: Script in repo; log attached; dimension 2 marked pass in mock_audit_self_score.md.

Link Q3 templates resource for tabletop worksheet.

Evidence folder layout after seven days

release-evidence/05-operations/validation/
  2026-05-19_gate1_pass.log
  2026-05-20_gate2_pass.log
  ...
  2026-05-23_gate5_pass.log
  weekend_readaloud_pass.log
  validate-packet_exit0.log

Commit logs or store in artifact zip partners never see—internal discipline only.

Scoring yourself (honest rubric)

Gate | Weight | Pass if
1 File list | 10% | Independent lists match
2 Sums | 20% | Format + coverage
3 Manifest | 20% | jq loop exit 0
4 Receipt | 15% | Archived + signed
5 Cold replay | 25% | diff empty on cold host
6 Upload log | 5% | CSV valid row
7 Script + mock | 5% | validate-packet.sh exit 0

Challenge pass: Gate 5 pass and no gate below 0% (no skips). Weighted score is for self-improvement only—partners still judge bytes.

Pairing with other seven-day sprints

Sprint | Order recommendation
AI disclosure challenge | Parallel week only if different owners
RC freeze challenge | After cold-hash week
Wishlist truth audit | After hash week—store copy, not bytes

Hash first—store lies are worse when checksums also lie.

Two-storefront and annex variants

Under two-storefront rule, run gates 2–5 per channel zip—duplicate logs with channel=steam vs channel=epic suffix.

AI annex files: extend files_to_hash.txt on day 1 when 04_ai/ ships; restart gates if annex bytes change mid-week.

Common mistakes during the challenge

  1. Skipping Friday cold gate — “CI already passed” is not cold.
  2. Batching logs Sunday night — defeats daily habit goal.
  3. Changing gameplay mid-week without build_id bump — invalidates sums silently.
  4. Cold machine = second monitor on same PC — same sync client hides drift; use different hardware.
  5. Passing gate 3 with hand-edited hashes — jq catches this; partners catch later.
  6. No human_signoff — receipt looks automated and untrusted.
  7. Upload before gate 7 — script never gets written.

Beginner quick start (minimum viable challenge)

Short on time? Run gates 1, 2, 5 only across three days—file list, sums, cold replay. Add gates 3–4 and 7 before real upload. Log which gates you deferred in validation/CHALLENGE_DEFERRED.md.

Pro tips for micro-studios

  • Pin challenge week in calendar before fest crunch.
  • Run operating review gate summary on day 7.
  • Store cold laptop in kitchen—visibility beats basement test PC.
  • Print gate checklist; physical checkbox beats Notion.
  • When publisher asks for diligence, zip validation/ folder—shows habit not heroics.

Team roles when four people exist

Role | Gates owned
Build engineer | 1–2
Tools programmer | 3 + validate-packet.sh
Producer | 4 + upload_log
QA / second laptop | 5 + weekend read-aloud

Rotate roles next challenge month so bus factor drops.

Publisher diligence handoff

When publisher diligence requests integrity proof, zip:

  • validation/ logs for challenge week
  • receipts/{build_id}.json
  • Empty diff capture from gate 5

Do not regenerate hashes on diligence eve—show habit logs.

Save repro and demo annex

If packet includes saves tested via save fuzz resources, add save files to day 1 list before day 2 hashing. Changing saves after day 2 restarts challenge at day 1.

Integration with handoff envelopes

Asia-EU handoff HANDOFF_NOTE.md should cite challenge gate 5 pass log path:

cold_validation: release-evidence/05-operations/validation/2026-05-23_gate5_pass.log

Morning reviewer uploads only when that file exists and says pass.

Failure recovery — mid-week byte change

Event | Action
P0 gameplay fix landed | Bump build_id; restart gates 1–5
README typo only | No hash regen; update readme_version
New AI PDF in annex | Restart from gate 1 for annex paths
Portal rejected zip corrupt | Re-run gate 5 only after 7z t passes

Document restarts in validation/CHALLENGE_RESTART.md with reason and UTC.

Metrics you are not tracking (on purpose)

This challenge does not measure:

  • Lines of code changed
  • Social media impressions
  • Wishlist velocity

It measures whether another machine can reproduce your hash story. Keep metrics narrow.

After the challenge — maintenance cadence

Cadence | Action
Every cert upload | Full gates 2–5 minimum
Weekly | Gate 1 spot-check if no builds
Friday Block 5 | one-line hash spot-check
Resubmission | All gates, new build_id

Challenge week installs default; maintenance prevents regression.

Key takeaways

  • Seven weekday gates install hash, manifest, receipt, cold replay, upload log, and script habits before Q3 2026 upload.
  • Gate 5 (cold replay) is non-negotiable—empty diff on second hardware.
  • Log passes under 05-operations/validation/, not chat.
  • Weekends are read-aloud and zip test—no silent byte changes.
  • Pair with BUILD_RECEIPT tutorial, SHA256 drill, and validator listicle.
  • Bump build_id and restart if bytes change mid-challenge.
  • Score mock audit dimension 2 on day 7.

FAQ

Can we run the challenge during RC freeze?

Yes if bytes are frozen; note validator script commit in receipt extensions per RC post.

What if we have no second machine?

Borrow hardware, use a cloud VM, or a family laptop—must not share the same compile environment.

Is seven days too long for solo devs?

Use the three-day minimum (gates 1, 2, 5) before first upload; run full seven before publisher diligence.

Does this replace legal or AI disclosure review?

No. Hash integrity is necessary, not sufficient.

How does this relate to the sixteen-tool listicle?

Listicle names tools; challenge schedules when you run them.

Can contractors participate in the challenge?

They deliver bytes into 01_build/ only. Your release owner runs gates—contractors do not sign receipts unless contract says so.

What if gate 5 passes but portal still rejects?

Log portal self-download hash in upload_log.csv notes and open ticket—portal transcode is a different failure class. Re-run gate 5 on downloaded bytes.

Day 6 and 7 expanded (upload month)

Day 6 detail: Treat dry-run rows as first-class citizens. When you later upload for real, add a new row—never overwrite dry-run history. Auditors compare timelines.

Day 7 detail: Mock audit self-score file template:

# Mock audit self-score (dimension 2 only)
build_id: ...
cold_pass_log: validation/2026-05-23_gate5_pass.log
validate_packet_exit: 0
score: pass | fail
notes: ...

Bring this one-pager to the tabletop so dimension 2 discussion stays evidence-based.

Anti-patterns that fail the challenge

  • Screenshot of hash in Discord — not searchable, not diffable
  • “Looks fine” on primary monitor — not cold
  • Regenerating sums without updating manifest — gate 3 failure waiting
  • Uploading before README read-aloud — path lies survive hashes
  • Skipping upload_log because “internal only” — you will forget ticket ids

Why seven days instead of one long Saturday

Saturday marathons do not survive crunch weeks. Weekday gates align with operating review rhythm and spread cognitive load. Friday cold gate becomes muscle memory because it repeats every week until upload—not once per project when exhausted.

Slack and chat boundaries during challenge week

Allowed: “Gate 5 pass—log at validation/2026-05-23_gate5_pass.log.”
Not allowed: pasting hash hex into chat as proof—chat is not versioned evidence.

Link logs in handoff notes; never replace logs with threads.

Steam Deck and handheld annex (optional gate extension)

If your packet includes Deck Verified evidence, add handheld captures to day 1 list as separate manifest roles after gameplay hashes pass. Do not block gate 5 on marketing videos—hash only files partners can reproduce.

Challenge completion certificate (internal)

Create validation/CHALLENGE_COMPLETE.md when all gates pass:

# Cold-hash challenge complete
build_id: ...
completed_utc: ...
gates_passed: 1-7
next_action: mock audit tabletop OR partner upload dry-run

No external certificate—this file is for your future self before crunch amnesia sets in. Store it beside upload_log.csv so upload night starts with reading completion status, not guessing which gates you skipped.

Conclusion

Cold-hash discipline is a weekday habit, not an upload-eve prayer. Q3 2026 partners will recompute your digests—run the seven gates so the result never surprises you on their laptop.

Start Monday with a frozen file list. End the week with a script that exits zero on cold metal and a validation folder you can hand to mock audit without apologizing for missing sidecars. That is the entire challenge thesis in one sentence—repeat it until it is boring, then upload.

Found this useful? Run the challenge the week before you zip the real packet—not the week after a yellow flag.