Skip to content

Add ReleaseSet and BootReleaseSet lifecycle contracts#10

Merged
mdheller merged 10 commits intomainfrom
feat/boot-release-set-lifecycle-contracts
May 2, 2026
Merged

Add ReleaseSet and BootReleaseSet lifecycle contracts#10
mdheller merged 10 commits intomainfrom
feat/boot-release-set-lifecycle-contracts

Conversation

@mdheller
Copy link
Copy Markdown
Member

@mdheller mdheller commented May 2, 2026

Summary

Adds SourceOS lifecycle control-plane contracts to NLBoot, connecting the existing signed manifest / token / BootPlan / artifact fetch / adapter evidence implementation to higher-level ReleaseSet and BootReleaseSet assignment flows.

Changes

Adds schemas:

  • schemas/release-set.schema.v0.1.json
  • schemas/boot-release-set.schema.v0.1.json
  • schemas/lifecycle-state-record.schema.v0.1.json

Adds M2 demo examples:

  • examples/release_set.m2_demo.json
  • examples/boot_release_set.m2_demo_recovery.json
  • examples/lifecycle_state_record.m2_demo_signed.json

Adds validation:

  • tools/validate_lifecycle_contracts.py
  • make validate-lifecycle-contracts
  • wires lifecycle validation into make validate

Adds docs:

  • docs/LIFECYCLE_CONTRACTS.md
  • README updates

Lifecycle model

ReleaseSet
  -> BootReleaseSet
  -> SignedBootManifest
  -> EnrollmentToken
  -> BootPlan
  -> fetch/cache evidence
  -> adapter evidence
  -> fingerprint/compliance/rollback evidence

State transitions

DraftProfile -> ResolvedBOM -> Built -> Signed -> Assigned -> Planned -> Fetched -> Loaded -> Executed -> Attested -> Compliant/Noncompliant -> RollbackAvailable -> RolledBack

Safety posture

  • Unsigned fallback is forbidden.
  • One-time enrollment token required.
  • Device claim required.
  • Last-known-good fallback required for recovery posture.
  • Host mutation remains explicit and evidence-backed.
  • M2 adapter remains dry-run only until reviewed platform-specific implementation exists.

Validation

Expected repo validation:

make validate
make validate-lifecycle-contracts

@mdheller mdheller merged commit 07fbe6f into main May 2, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mdheller