spec(control-plane): add local-first release, enrollment, and fingerprint contract family

[mdheller]

Summary

Land the first machine-readable local-first SourceOS control-plane contract family in sourceos-spec.

This draft PR adds:

• docs/adr/ADR-0008-local-first-release-and-enrollment-contract-family.md
• schemas/control-plane/README.md
• schemas/control-plane/experience-profile.schema.json
• schemas/control-plane/isolation-profile.schema.json
• schemas/control-plane/release-set.schema.json
• schemas/control-plane/boot-release-set.schema.json
• schemas/control-plane/enrollment-token.schema.json
• schemas/control-plane/fingerprint.schema.json
• examples/control-plane/README.md
• examples/control-plane/experience-profile.sample.json
• examples/control-plane/isolation-profile.sample.json
• examples/control-plane/release-set.sample.json
• examples/control-plane/boot-release-set.sample.json
• examples/control-plane/enrollment-token.sample.json
• examples/control-plane/fingerprint.sample.json

Why

Recent upstream ADR and placement work already reserved the local-first control-node and image-promotion seam in this repo. What remained missing was the first typed object family needed to make the thin local-first lifecycle slice executable:

• choose experience posture
• choose isolation posture
• assign a release
• optionally authorize boot/recovery
• redeem a one-time enrollment token
• emit a post-apply fingerprint

Boundary

This PR keeps ownership split explicit:

• SourceOS-Linux/sourceos-spec owns the machine-readable schemas and examples
• SocioProphet/agentplane should consume these contracts for runtime evidence and rollback/apply semantics
• SocioProphet/sociosphere may reference them where needed, but should not become a second schema authority
• SocioProphet/TriTRPC should only bind transport-safe refs after these object semantics stabilize

Scope

This is intentionally a first-pass additive tranche, not the full lifecycle universe.

Not yet included:

• full audit-event extension family
• wider ConfigSource family
• runtime enforcement or transport bindings

Review focus

1. Are these six objects the right minimal seam for the local-first slice?
2. Are the field names and required sets lean enough for a first canonical landing?
3. Should any of these objects be widened or split before downstream adoption in agentplane?
4. Is the repo boundary here still correct given the recent merged ADRs?