Add release/package evidence mapping for SourceOS product packaging surfaces

Casks/bearbrowser.rb

@@ -1,6 +1,7 @@
 cask "bearbrowser" do
   version "0.1.0-overlay"
   sha256 :no_check
+  RELEASE_EVIDENCE_RECORD = "https://github.com/SourceOS-Linux/homebrew-tap/blob/main/release-evidence/workspace-operations.json"
 
   # Scaffold only. Replace with the signed/notarized macOS app release asset once BearBrowser.app exists.
   url "https://github.com/SourceOS-Linux/BearBrowser/releases/download/v#{version}/BearBrowser-#{version}-macos-universal.dmg"
@@ -12,5 +13,8 @@
 
   caveats <<~EOS
     This cask is a release scaffold. Publish a signed and notarized BearBrowser.app DMG before promoting it into SourceOS-Linux/homebrew-tap.
+    Release package evidence: #{RELEASE_EVIDENCE_RECORD}
+    Checksum record: #{RELEASE_EVIDENCE_RECORD}
+    Rollback note: #{RELEASE_EVIDENCE_RECORD}
   EOS
 end

Formula/agent-machine.rb

@@ -6,6 +6,8 @@ class AgentMachine < Formula
   license "MIT"
   head "https://github.com/SourceOS-Linux/agent-machine.git", branch: "main"
 
+  RELEASE_EVIDENCE_RECORD = "https://github.com/SourceOS-Linux/homebrew-tap/blob/main/release-evidence/workspace-operations.json"
+
   def install
     bin.install "bin/agent-machine"
     chmod 0755, bin/"agent-machine"
@@ -40,6 +42,13 @@ def caveats
       Runtime directories are not created automatically yet. Future setup commands
       will manage /etc/agent-machine, /var/lib/agent-machine, and
       /run/agent-machine through SourceOS policy-aware activation flows.
+
+      Release package evidence:
+        #{RELEASE_EVIDENCE_RECORD}
+      Checksum record:
+        #{RELEASE_EVIDENCE_RECORD}
+      Rollback note:
+        #{RELEASE_EVIDENCE_RECORD}
     EOS
   end
 

Formula/bearbrowser.rb

@@ -6,6 +6,8 @@ class Bearbrowser < Formula
   license "MPL-2.0"
   head "https://github.com/SourceOS-Linux/BearBrowser.git", branch: "main"
 
+  RELEASE_EVIDENCE_RECORD = "https://github.com/SourceOS-Linux/homebrew-tap/blob/main/release-evidence/workspace-operations.json"
+
   depends_on "git"
   depends_on "python@3.12"
 
@@ -71,6 +73,13 @@ def caveats
       Run bearbrowser-emit-event, bearbrowser-propose-action, bearbrowser-resolve-action, bearbrowser-memory-candidate, bearbrowser-page-summary, bearbrowser-governance-queue, bearbrowser-sidecar-open, and bearbrowser-verify-agent-sidecar for the local provenance/policy/memory/summary/agent sidecar plane.
       Run bearbrowser-verify-interactive-sidecar and bearbrowser-verify-native-shell for product-surface checks.
       Run bearbrowser-doctor for system status and bearbrowser-verify-build-lane for build-lane readiness.
+
+      Release package evidence:
+        #{RELEASE_EVIDENCE_RECORD}
+      Checksum record:
+        #{RELEASE_EVIDENCE_RECORD}
+      Rollback note:
+        #{RELEASE_EVIDENCE_RECORD}
     EOS
   end
 

Formula/sourceos-devtools.rb

@@ -0,0 +1,36 @@
+class SourceosDevtools < Formula
+  desc "SourceOS devtools packaging scaffold"
+  homepage "https://github.com/SourceOS-Linux/sourceos-devtools"
+  url "https://github.com/SourceOS-Linux/sourceos-devtools.git", branch: "main"
+  version "0.1.0-dev"
+  license "MIT"
+  head "https://github.com/SourceOS-Linux/sourceos-devtools.git", branch: "main"
+
+  RELEASE_EVIDENCE_RECORD = "https://github.com/SourceOS-Linux/homebrew-tap/blob/main/release-evidence/workspace-operations.json"
+
+  def install
+    libexec.install Dir["*"]
+    (bin/"sourceos-devtools").write <<~EOS
+      #!/usr/bin/env bash
+      set -euo pipefail
+      echo "sourceos-devtools source staged at #{libexec}"
+    EOS
+  end
+
+  def caveats
+    <<~EOS
+      sourceos-devtools release/package scaffold only. Runtime governance remains in the source repository contracts and CI gates.
+
+      Release package evidence:
+        #{RELEASE_EVIDENCE_RECORD}
+      Checksum record:
+        #{RELEASE_EVIDENCE_RECORD}
+      Rollback note:
+        #{RELEASE_EVIDENCE_RECORD}
+    EOS
+  end
+
+  test do
+    assert_match "sourceos-devtools source staged", shell_output("#{bin}/sourceos-devtools")
+  end
+end

Formula/sourceos-syncd.rb

@@ -0,0 +1,36 @@
+class SourceosSyncd < Formula
+  desc "SourceOS sync daemon packaging scaffold"
+  homepage "https://github.com/SourceOS-Linux/sourceos-syncd"
+  url "https://github.com/SourceOS-Linux/sourceos-syncd.git", branch: "main"
+  version "0.1.0-dev"
+  license "MIT"
+  head "https://github.com/SourceOS-Linux/sourceos-syncd.git", branch: "main"
+
+  RELEASE_EVIDENCE_RECORD = "https://github.com/SourceOS-Linux/homebrew-tap/blob/main/release-evidence/workspace-operations.json"
+
+  def install
+    libexec.install Dir["*"]
+    (bin/"sourceos-syncd").write <<~EOS
+      #!/usr/bin/env bash
+      set -euo pipefail
+      echo "sourceos-syncd source staged at #{libexec}"
+    EOS
+  end
+
+  def caveats
+    <<~EOS
+      sourceos-syncd release/package scaffold only. Runtime governance remains in the source repository contracts and CI gates.
+
+      Release package evidence:
+        #{RELEASE_EVIDENCE_RECORD}
+      Checksum record:
+        #{RELEASE_EVIDENCE_RECORD}
+      Rollback note:
+        #{RELEASE_EVIDENCE_RECORD}
+    EOS
+  end
+
+  test do
+    assert_match "sourceos-syncd source staged", shell_output("#{bin}/sourceos-syncd")
+  end
+end

Formula/turtleterm.rb

@@ -0,0 +1,36 @@
+class Turtleterm < Formula
+  desc "SourceOS TurtleTerm product-surface packaging scaffold"
+  homepage "https://github.com/SourceOS-Linux/TurtleTerm"
+  url "https://github.com/SourceOS-Linux/TurtleTerm.git", branch: "main"
+  version "0.1.0-dev"
+  license "MIT"
+  head "https://github.com/SourceOS-Linux/TurtleTerm.git", branch: "main"
+
+  RELEASE_EVIDENCE_RECORD = "https://github.com/SourceOS-Linux/homebrew-tap/blob/main/release-evidence/workspace-operations.json"
+
+  def install
+    libexec.install Dir["*"]
+    (bin/"turtleterm").write <<~EOS
+      #!/usr/bin/env bash
+      set -euo pipefail
+      echo "TurtleTerm source staged at #{libexec}"
+    EOS
+  end
+
+  def caveats
+    <<~EOS
+      TurtleTerm release/package scaffold only. Runtime governance remains in the source repository contracts and CI gates.
+
+      Release package evidence:
+        #{RELEASE_EVIDENCE_RECORD}
+      Checksum record:
+        #{RELEASE_EVIDENCE_RECORD}
+      Rollback note:
+        #{RELEASE_EVIDENCE_RECORD}
+    EOS
+  end
+
+  test do
+    assert_match "TurtleTerm source staged", shell_output("#{bin}/turtleterm")
+  end
+end

README.md

@@ -0,0 +1,30 @@
+# SourceOS Homebrew Tap
+
+This repository is the SourceOS distribution surface for Homebrew formulas/casks. It is not a runtime governance authority.
+
+## Release evidence mapping
+
+Release/package operations and evidence for product surfaces are tracked in:
+
+- `release-evidence/workspace-operations.json`
+
+The evidence map includes:
+
+- operation types:
+  - `release.package.prepare`
+  - `release.formula.update`
+  - `release.checksum.verify`
+  - `release.evidence.attach`
+  - `release.rollback.record`
+- required release artifacts/evidence:
+  - package formula
+  - checksum record
+  - release note
+  - rollback note
+  - build/test evidence link
+  - source commit reference
+  - artifact provenance record
+
+## Governance boundary
+
+Hard rule: packaging is distribution, not runtime governance. Releases carried by this tap must map back to source repositories where contracts, tests, and policy gates are enforced.

release-evidence/workspace-operations.json

@@ -0,0 +1,123 @@
+{
+  "packagingAuthority": {
+    "repository": "SourceOS-Linux/homebrew-tap",
+    "role": "distribution",
+    "nonAuthorityNote": "Packaging is distribution, not runtime governance; source contracts, tests, and policy gates stay in each source repository."
+  },
+  "requiredOperationTypes": [
+    "release.package.prepare",
+    "release.formula.update",
+    "release.checksum.verify",
+    "release.evidence.attach",
+    "release.rollback.record"
+  ],
+  "integrationTargets": [
+    "https://github.com/SocioProphet/delivery-excellence/issues/8",
+    "https://github.com/SourceOS-Linux/sourceos-devtools/issues/19",
+    "https://github.com/SocioProphet/workspace-inventory/issues/4",
+    "https://github.com/SourceOS-Linux/BearBrowser/issues/20",
+    "https://github.com/SourceOS-Linux/agent-machine/issues/18",
+    "https://github.com/SourceOS-Linux/sourceos-syncd/issues/3",
+    "https://github.com/SocioProphet/prophet-core-ledger/issues/1"
+  ],
+  "workspaceOperations": [
+    {
+      "surface": "SourceOS-Linux/BearBrowser",
+      "operationTypes": [
+        "release.package.prepare",
+        "release.formula.update",
+        "release.checksum.verify",
+        "release.evidence.attach",
+        "release.rollback.record"
+      ],
+      "artifacts": {
+        "packageFormula": [
+          "Formula/bearbrowser.rb",
+          "Casks/bearbrowser.rb"
+        ],
+        "checksumRecord": "sha256:no_check (scaffold) with release checksum tracked in this record and source release assets",
+        "releaseNote": "https://github.com/SourceOS-Linux/BearBrowser/releases",
+        "rollbackNote": "If provenance/checksum/test evidence fails, keep existing formula version and revert cask/formula bump in homebrew-tap before republish.",
+        "buildTestEvidenceLink": "https://github.com/SourceOS-Linux/BearBrowser/actions",
+        "sourceCommitReference": "https://github.com/SourceOS-Linux/BearBrowser/commits/main",
+        "artifactProvenanceRecord": "https://github.com/SourceOS-Linux/BearBrowser"
+      }
+    },
+    {
+      "surface": "SourceOS-Linux/agent-machine",
+      "operationTypes": [
+        "release.package.prepare",
+        "release.formula.update",
+        "release.checksum.verify",
+        "release.evidence.attach",
+        "release.rollback.record"
+      ],
+      "artifacts": {
+        "packageFormula": "Formula/agent-machine.rb",
+        "checksumRecord": "git-source install at tagged commit; release checksum recorded alongside tagged source tarball in source repo release",
+        "releaseNote": "https://github.com/SourceOS-Linux/agent-machine/releases",
+        "rollbackNote": "Revert formula update to previous known-good commit and rerun source repo contract/test gates before publishing again.",
+        "buildTestEvidenceLink": "https://github.com/SourceOS-Linux/agent-machine/actions",
+        "sourceCommitReference": "https://github.com/SourceOS-Linux/agent-machine/commits/main",
+        "artifactProvenanceRecord": "https://github.com/SourceOS-Linux/agent-machine"
+      }
+    },
+    {
+      "surface": "SourceOS-Linux/TurtleTerm",
+      "operationTypes": [
+        "release.package.prepare",
+        "release.formula.update",
+        "release.checksum.verify",
+        "release.evidence.attach",
+        "release.rollback.record"
+      ],
+      "artifacts": {
+        "packageFormula": "Formula/turtleterm.rb",
+        "checksumRecord": "git-source install at tagged commit; release checksum tracked in source release artifacts",
+        "releaseNote": "https://github.com/SourceOS-Linux/TurtleTerm/releases",
+        "rollbackNote": "Revert formula update in homebrew-tap and restore prior package version until source contracts and tests pass.",
+        "buildTestEvidenceLink": "https://github.com/SourceOS-Linux/TurtleTerm/actions",
+        "sourceCommitReference": "https://github.com/SourceOS-Linux/TurtleTerm/commits/main",
+        "artifactProvenanceRecord": "https://github.com/SourceOS-Linux/TurtleTerm"
+      }
+    },
+    {
+      "surface": "SourceOS-Linux/sourceos-devtools",
+      "operationTypes": [
+        "release.package.prepare",
+        "release.formula.update",
+        "release.checksum.verify",
+        "release.evidence.attach",
+        "release.rollback.record"
+      ],
+      "artifacts": {
+        "packageFormula": "Formula/sourceos-devtools.rb",
+        "checksumRecord": "git-source install at tagged commit; release checksum tracked in source release artifacts",
+        "releaseNote": "https://github.com/SourceOS-Linux/sourceos-devtools/releases",
+        "rollbackNote": "Revert formula update and preserve last known-good package state until contracts/tests/policy gates succeed.",
+        "buildTestEvidenceLink": "https://github.com/SourceOS-Linux/sourceos-devtools/actions",
+        "sourceCommitReference": "https://github.com/SourceOS-Linux/sourceos-devtools/commits/main",
+        "artifactProvenanceRecord": "https://github.com/SourceOS-Linux/sourceos-devtools"
+      }
+    },
+    {
+      "surface": "SourceOS-Linux/sourceos-syncd",
+      "operationTypes": [
+        "release.package.prepare",
+        "release.formula.update",
+        "release.checksum.verify",
+        "release.evidence.attach",
+        "release.rollback.record"
+      ],
+      "artifacts": {
+        "packageFormula": "Formula/sourceos-syncd.rb",
+        "checksumRecord": "git-source install at tagged commit; release checksum tracked in source release artifacts",
+        "releaseNote": "https://github.com/SourceOS-Linux/sourceos-syncd/releases",
+        "rollbackNote": "Revert formula update and restore prior release until source repo gates and evidence pass.",
+        "buildTestEvidenceLink": "https://github.com/SourceOS-Linux/sourceos-syncd/actions",
+        "sourceCommitReference": "https://github.com/SourceOS-Linux/sourceos-syncd/commits/main",
+        "artifactProvenanceRecord": "https://github.com/SourceOS-Linux/sourceos-syncd"
+      }
+    }
+  ]
+}