Codex: implement sourceos-ai CLI, release skeleton, and Homebrew-ready artifact contract

[mdheller]

Mission

Turn sourceos-model-carry from carry-reference contracts into the first boring real installable: sourceos-ai.

Context

PR #1 bootstraps SourceOS AI carry contracts and examples. This issue builds the first CLI around that contract.

Required commands

Implement a compiled or executable CLI named sourceos-ai with:

sourceos-ai --version
sourceos-ai doctor
sourceos-ai self-test
sourceos-ai emit-evidence
sourceos-ai carry list
sourceos-ai carry validate
sourceos-ai carry doctor

Behavior

• carry list reads examples/*-carry-ref.json by default and lists service refs.
• carry validate enforces the same boundary as tools/validate_carry_refs.py.
• doctor verifies examples, policy shape, and evidence sink shape.
• emit-evidence emits a local JSON evidence record with tool version, platform, repo, and validated carry refs.
• SourceOS role must remain carry-only.
• CLI must refuse any carry ref that grants local service artifact replacement authority.

Release skeleton

Add:

• Makefile targets: build, test, validate, dist, release-dry-run.
• basic CI workflow for validation.
• docs describing future GitHub Release artifact and Homebrew formula path.

Acceptance criteria

• make validate passes.
• make build produces a local sourceos-ai binary or executable in a predictable path.
• sourceos-ai --version works.
• sourceos-ai doctor works.
• sourceos-ai carry validate validates all examples.
• sourceos-ai emit-evidence produces JSON evidence.
• Tests cover invalid carry refs, especially artifact replacement attempts.

Out of scope

• Do not fetch model artifacts.
• Do not implement real remote service invocation.
• Do not add mutable model lifecycle authority.
• Do not bundle heavy lab dependencies.

Codex instructions

Open a focused PR against main or continue from PR #1 if appropriate. Include command output in the PR body.