Target repo
SourceOS-Linux/sourceos-devtools
Context
sourceosctl read-only/dry-run scaffold is merged. SourceOS spec now has canonical schemas for NLBootPlan, ArtifactCacheRecord, BootProofRecord, AppleSiliconAdapterEvidence, ReleaseSet, Fingerprint, ConfigSource, TokenDoor, and GitRefBuild. Devtools should validate local evidence files against these schemas instead of only printing JSON summaries.
Scope
Implement the smallest bounded change that does the following:
- Add a schema-backed validation mode to
sourceosctl nlboot evidence inspect <path> or a new adjacent read-only command.
- Add fixtures for valid and invalid evidence records.
- Vendor/copy only the minimal schemas needed, or load repo-local schema fixtures; do not add network fetches.
- Update tests and
make validate.
- Update README/docs usage.
Acceptance criteria
make validate passes.- CLI remains read-only; no host mutation.
- Valid evidence fixture passes validation.
- Invalid fixture fails with a clear error.
- PR body includes validation evidence.
Validation commands
Boundaries / non-goals
- Do not implement backend services.
- Do not fetch schemas from the network at runtime.
- Do not implement real host mutation.
- Do not commit secrets, tokens, model weights, datasets, or training runs.
- One PR only.
Target repo
SourceOS-Linux/sourceos-devtoolsContext
sourceosctlread-only/dry-run scaffold is merged. SourceOS spec now has canonical schemas for NLBootPlan, ArtifactCacheRecord, BootProofRecord, AppleSiliconAdapterEvidence, ReleaseSet, Fingerprint, ConfigSource, TokenDoor, and GitRefBuild. Devtools should validate local evidence files against these schemas instead of only printing JSON summaries.Scope
Implement the smallest bounded change that does the following:
sourceosctl nlboot evidence inspect <path>or a new adjacent read-only command.make validate.Acceptance criteria
make validatepasses.Validation commands
Boundaries / non-goals