feat: define M2 SourceOS Recovery/Installer packaging spec #14

Merged
mdheller merged 2 commits into main from copilot/define-m2-recovery-installer-packaging-spec
Apr 30, 2026
Contributor

Copilot AI commented Apr 30, 2026

Defines packaging responsibilities and required inputs for the two SourceOS boot entries on Apple Silicon (M2): normal boot and Recovery/Installer. Adds dry-run fixtures only — no host mutation, boot-entry creation, or disk writes.

New doc

docs/M2_RECOVERY_INSTALLER_PACKAGING.md

  • Two-entry model: live channel (normal boot, diskWrite: forbidden) vs recovery+installer channels (Recovery/Installer, diskWrite: installer-only)
  • Required input → BootReleaseSet field mapping for both entry types: BootReleaseSet, ReleaseSet, NLBoot plan, artifact cache evidence, AppleSiliconAdapterEvidence, BootProofRecord
  • Asahi-style boot picker integration design (side-effect-free, execute=false)
  • Adapter flow, evidence model, non-Apple-Silicon platform coverage, known gaps

New fixtures

| File | Channels | diskWrite |
| --- | --- | --- |
| examples/m2-recovery-installer/normal-boot.example.json | live | forbidden |
| examples/m2-recovery-installer/recovery-installer.example.json | recovery, installer | installer-only |

Both are minimal valid BootReleaseSet v1 documents validated by the existing validate_boot_release_set.py.

Makefile / maturity

  • make validate now syntax-checks both new fixtures alongside existing examples
  • repo.maturity.yaml: evidence items added for new doc and fixtures; next actions updated — generic "Add Apple Silicon M2 PAL design notes" replaced with specific AppleSiliconAdapterEvidence normalization and packaging adapter wiring items

Known gaps (explicit)

  • AppleSiliconAdapterEvidence normalization is a design stub; no Secure Enclave interaction implemented
  • nlboot RSA-PSS/SHA-256 manifest signature verification not yet wired into the adapter
  • Artifact content-addressed cache fetch/verification not yet implemented; fixture digests use placeholders

Copilot AI linked an issue Apr 30, 2026 that may be closed by this pull request
@mdheller mdheller marked this pull request as ready for review April 30, 2026 17:36
Contributor

@copilot This PR is currently draft with zero changed files. Please complete the bounded issue #13 scope in this branch: packaging spec doc, dry-run fixtures, Makefile validation update, and repo.maturity.yaml next actions. Keep it docs/fixtures/validation only and include validation evidence, or report the blocker.

- Add docs/M2_RECOVERY_INSTALLER_PACKAGING.md with packaging
  responsibilities, required inputs, Asahi-style boot picker
  integration, evidence model, adapter flow, and known gaps
- Add examples/m2-recovery-installer/normal-boot.example.json
  (dry-run BootReleaseSet, channels: live, diskWrite: forbidden)
- Add examples/m2-recovery-installer/recovery-installer.example.json
  (dry-run BootReleaseSet, channels: recovery+installer,
  diskWrite: installer-only)
- Update Makefile validate target to syntax-check new fixtures
- Update repo.maturity.yaml evidence and nextActions

make validate passes. No host mutation implemented.

Agent-Logs-Url: https://github.com/SourceOS-Linux/sourceos-boot/sessions/d9c27adc-9492-43b4-8f82-2bde5d99f79f

Co-authored-by: mdheller <21163552+mdheller@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add M2 recovery installer packaging spec documentation" to "feat: define M2 SourceOS Recovery/Installer packaging spec" Apr 30, 2026
Copilot AI requested a review from mdheller April 30, 2026 17:38
Contributor Author

Copilot AI commented Apr 30, 2026

@copilot This PR is currently draft with zero changed files. Please complete the bounded issue #13 scope in this branch: packaging spec doc, dry-run fixtures, Makefile validation update, and repo.matu...

All deliverables are complete in commit 66b8979 — the comment was posted while the PR was still being drafted. Here's the validation evidence:

make validate
PASS examples/boot-release-set.example.json
PASS examples/m2-recovery-installer/normal-boot.example.json
PASS examples/m2-recovery-installer/recovery-installer.example.json
[nlboot adapter output — exit 0]

python -m pytest
8 passed in 0.10s

Files changed:

  • docs/M2_RECOVERY_INSTALLER_PACKAGING.md — packaging spec (entry types, required inputs, Asahi boot picker integration, evidence model, known gaps)
  • examples/m2-recovery-installer/normal-boot.example.json — dry-run BootReleaseSet, channels: ["live"], diskWrite: "forbidden"
  • examples/m2-recovery-installer/recovery-installer.example.json — dry-run BootReleaseSet, channels: ["recovery","installer"], diskWrite: "installer-only"
  • Makefile — validate target now syntax-checks both new fixtures
  • repo.maturity.yaml — evidence items and next actions updated

No host mutation, boot-entry creation, disk writes, or kexec implemented.
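
Added example, not part of the PR or the project's code: a check that a document's `channels` and `diskWrite` values agree with the two-entry model described above, failing closed on anything unexpected. It assumes both keys sit at the top level of the JSON document (the real BootReleaseSet v1 layout is not shown on this page); the function name and sample documents are constructed for illustration.

```python
import json

# Expected diskWrite per channel, from the two-entry model described in this PR.
EXPECTED_DISK_WRITE = {
    "live": "forbidden",
    "recovery": "installer-only",
    "installer": "installer-only",
}

def check_disk_write_policy(doc):
    """Return a list of policy violations; an empty list means the doc conforms."""
    if not isinstance(doc, dict):
        return ["document is not a JSON object"]
    # Assumption: both keys are top-level; the real schema may nest them.
    channels = doc.get("channels")
    disk_write = doc.get("diskWrite")
    if not isinstance(channels, list) or not channels:
        return ["channels missing or empty"]  # fail closed
    unknown = [c for c in channels
               if not isinstance(c, str) or c not in EXPECTED_DISK_WRITE]
    if unknown:
        return [f"unknown channels: {unknown!r}"]
    allowed = {EXPECTED_DISK_WRITE[c] for c in channels}
    if len(allowed) > 1:
        # A normal-boot entry must never share a document with installer rights.
        return ["channels mix normal-boot and Recovery/Installer entries"]
    expected = allowed.pop()
    if disk_write != expected:
        return [f"diskWrite is {disk_write!r}, expected {expected!r} for {channels!r}"]
    return []

# Constructed sample documents (not the repository's fixtures).
SAMPLES = {
    "normal-boot": '{"channels": ["live"], "diskWrite": "forbidden"}',
    "recovery-installer":
        '{"channels": ["recovery", "installer"], "diskWrite": "installer-only"}',
    "live-with-write": '{"channels": ["live"], "diskWrite": "installer-only"}',
    "mixed": '{"channels": ["live", "installer"], "diskWrite": "installer-only"}',
    "no-diskwrite": '{"channels": ["recovery"]}',
}

def run_samples():
    return {name: check_disk_write_policy(json.loads(text))
            for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, problems in run_samples().items():
        print("PASS" if not problems else "FAIL", name, problems)
```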

Contributor

@mdheller mdheller left a comment

Approved. Scope matches issue #13: M2 Recovery/Installer packaging spec, dry-run fixtures, Makefile validation update, and repo maturity next actions. This is docs/fixtures/validation only; no host-changing behavior, boot-entry mutation, disk write, rollback execution, or kexec behavior is introduced. CI is action_required, but the PR includes validation evidence and the change is non-mutating.

@mdheller mdheller merged commit 386aa3f into main Apr 30, 2026
1 check passed
Development

Successfully merging this pull request may close these issues.

Agent task: define M2 SourceOS Recovery Installer packaging spec
