feat: add ReleaseSet, Fingerprint, ConfigSource, TokenDoor, GitRefBuild schemas

examples/README.md

@@ -77,16 +77,28 @@ These examples illustrate artifact-versus-baseline evaluation using existing Sou
 
 ---
 
+## Recent additions — Release and build lifecycle examples
+
+These examples illustrate the release/build lifecycle schemas added in this slice:
+
+| File | Schema type | Description |
+|------|------------|-------------|
+| `release_set.json` | ReleaseSet | Assigned M2 demo release set with source Git ref, target, profile refs, and boot artifact refs |
+| `fingerprint.json` | Fingerprint | Post-apply device observation proving the realized state matches the assigned release set |
+| `config_source.json` | ConfigSource | Git-backed configuration source pinned to a specific commit, consumed by NLBoot/sourceos-boot |
+| `token_door.json` | TokenDoor | One-time recovery-access token door bound to the M2 demo device and release set |
+| `git_ref_build.json` | GitRefBuild | Build record linking the main-branch Git commit to OCI and ostree output artifacts |
+
+---
+
 ## Recent additions — Control-plane lifecycle and boot provisioning examples
 
 These examples illustrate the local-first control-plane lifecycle and secure boot/recovery family:
 
 | File | Schema type | Description |
 |------|------------|-------------|
-| `release_set.json` | ReleaseSet | Assigned M2 demo release set with source Git ref, target, profile refs, and boot artifact refs |
 | `boot_release_set.json` | BootReleaseSet | SourceOS Recovery Environment boot artifact set linked to the assigned ReleaseSet |
 | `enrollment_token.json` | EnrollmentToken | One-time recovery authorization token scoped to the M2 demo device and BootReleaseSet |
-| `fingerprint.json` | Fingerprint | Post-apply device observation proving the realized state matches the assigned release set |
 
 ---
 

examples/config_source.json

@@ -0,0 +1,15 @@
+{
+  "id": "urn:srcos:config-source:sourceos-main-boot-config-2026-04-26",
+  "type": "ConfigSource",
+  "specVersion": "2.0.0",
+  "sourceKind": "git",
+  "uri": "https://github.com/SourceOS-Linux/sourceos-boot-config",
+  "gitRef": "refs/heads/main",
+  "gitCommit": "9f49e42af46d84c189b6313f5c8962c6ecd5076b",
+  "contentHash": "sha256:4e2b2e2c6a843f8b8cf38f7b47c8f875f1f9e4c4206e1f8e9c9f0ec9a0f7a001",
+  "inlineContent": null,
+  "authRef": null,
+  "status": "active",
+  "createdAt": "2026-04-26T14:00:00Z",
+  "notes": "Primary boot configuration source for SourceOS M2 demo, pinned to the main branch at the demo commit."
+}

examples/fingerprint.json

@@ -1,25 +1,26 @@
 {
-  "fingerprint_id": "urn:srcos:fingerprint:m2-local-demo-2026-04-26T1418Z",
+  "id": "urn:srcos:fingerprint:m2-local-demo-2026-04-26T1418Z",
+  "type": "Fingerprint",
+  "specVersion": "2.0.0",
   "subject": {
-    "kind": "device",
-    "id": "urn:srcos:device:m2-local-demo"
+    "subjectKind": "device",
+    "subjectRef": "urn:srcos:asset:m2-local-demo"
   },
-  "release_set_ref": "urn:srcos:release-set:m2-demo-2026-04-26",
-  "experience_profile_ref": "urn:srcos:experience-profile:mac-like-gnome-demo",
-  "isolation_profile_ref": "urn:srcos:isolation-profile:standard-container-demo",
-  "observed_at": "2026-04-26T14:18:00Z",
+  "releaseSetRef": "urn:srcos:release-set:m2-demo-2026-04-26",
+  "experienceProfileRef": "urn:srcos:experience-profile:mac-like-gnome-demo",
+  "isolationProfileRef": "urn:srcos:isolation-profile:standard-container-demo",
+  "observedAt": "2026-04-26T14:18:00Z",
   "integrity": {
-    "boot_release_set_ref": "urn:srcos:boot-release-set:m2-demo-recovery-2026-04-26",
-    "image_ref": "oci://registry.example.invalid/sourceos/m2-system@sha256:8b3f06c9090ccf926fe6ddc6f3b4f49a13d4b8bb4cb4f5cf78e2d12e31b55aa1",
-    "store_closure_hash": "sha256-4e2b2e2c6a843f8b8cf38f7b47c8f875f1f9e4c4206e1f8e9c9f0ec9a0f7a001",
-    "boot_entry_label": "SourceOS Recovery Demo"
+    "bootReleaseSetRef": "urn:srcos:boot-release-set:m2-demo-recovery-2026-04-26",
+    "imageRef": "oci://registry.example.invalid/sourceos/m2-system@sha256:8b3f06c9090ccf926fe6ddc6f3b4f49a13d4b8bb4cb4f5cf78e2d12e31b55aa1",
+    "storeClosureHash": "sha256-4e2b2e2c6a843f8b8cf38f7b47c8f875f1f9e4c4206e1f8e9c9f0ec9a0f7a001",
+    "bootEntryLabel": "SourceOS Recovery Demo"
   },
-  "compliance": {
-    "status": "compliant",
-    "notes": "Observed state matches assigned release set, closure hash, and boot recovery reference."
-  },
-  "evidence_refs": [
+  "complianceStatus": "compliant",
+  "complianceNotes": "Observed state matches assigned release set, closure hash, and boot recovery reference.",
+  "evidenceRefs": [
     "urn:srcos:prov:m2-demo-apply-2026-04-26",
     "urn:srcos:release-receipt:m2-demo-2026-04-26"
-  ]
+  ],
+  "notes": null
 }

examples/git_ref_build.json

@@ -0,0 +1,27 @@
+{
+  "id": "urn:srcos:git-ref-build:m2-demo-main-2026-04-26",
+  "type": "GitRefBuild",
+  "specVersion": "2.0.0",
+  "repoUri": "https://github.com/SourceOS-Linux/sourceos",
+  "gitRef": "refs/heads/main",
+  "gitCommit": "9f49e42af46d84c189b6313f5c8962c6ecd5076b",
+  "outputs": [
+    {
+      "outputKind": "oci",
+      "artifactRef": "oci://registry.example.invalid/sourceos/m2-system@sha256:8b3f06c9090ccf926fe6ddc6f3b4f49a13d4b8bb4cb4f5cf78e2d12e31b55aa1",
+      "contentHash": "sha256:8b3f06c9090ccf926fe6ddc6f3b4f49a13d4b8bb4cb4f5cf78e2d12e31b55aa1"
+    },
+    {
+      "outputKind": "ostree",
+      "artifactRef": "urn:srcos:artifact:m2-demo-ostree-sha256-4e2b2e2c",
+      "contentHash": "sha256:4e2b2e2c6a843f8b8cf38f7b47c8f875f1f9e4c4206e1f8e9c9f0ec9a0f7a001"
+    }
+  ],
+  "releaseSetRef": "urn:srcos:release-set:m2-demo-2026-04-26",
+  "configSourceRef": "urn:srcos:config-source:sourceos-main-boot-config-2026-04-26",
+  "triggeredBy": "urn:srcos:party:sourceos-ci-bot",
+  "triggeredAt": "2026-04-26T13:00:00Z",
+  "completedAt": "2026-04-26T14:10:00Z",
+  "status": "succeeded",
+  "notes": "M2 demo build from main branch. Produced OCI image and ostree commit for the local-first demo release."
+}

examples/release_set.json

@@ -1,24 +1,27 @@
 {
-  "release_set_id": "urn:srcos:release-set:m2-demo-2026-04-26",
-  "release_version": "2026.04.26-demo.1",
+  "id": "urn:srcos:release-set:m2-demo-2026-04-26",
+  "type": "ReleaseSet",
+  "specVersion": "2.0.0",
+  "releaseVersion": "2026.04.26-demo.1",
   "status": "assigned",
   "source": {
-    "git_ref": "refs/heads/main",
-    "git_commit": "9f49e42af46d84c189b6313f5c8962c6ecd5076b"
+    "gitRef": "refs/heads/main",
+    "gitCommit": "9f49e42af46d84c189b6313f5c8962c6ecd5076b",
+    "gitRefBuildRef": "urn:srcos:git-ref-build:m2-demo-main-2026-04-26"
   },
   "targets": [
     {
-      "target_kind": "device",
-      "target_id": "urn:srcos:device:m2-local-demo"
+      "targetKind": "device",
+      "targetRef": "urn:srcos:asset:m2-local-demo"
     }
   ],
-  "experience_profile_ref": "urn:srcos:experience-profile:mac-like-gnome-demo",
-  "isolation_profile_ref": "urn:srcos:isolation-profile:standard-container-demo",
+  "experienceProfileRef": "urn:srcos:experience-profile:mac-like-gnome-demo",
+  "isolationProfileRef": "urn:srcos:isolation-profile:standard-container-demo",
   "artifacts": {
-    "store_closure_hash": "sha256-4e2b2e2c6a843f8b8cf38f7b47c8f875f1f9e4c4206e1f8e9c9f0ec9a0f7a001",
-    "image_ref": "oci://registry.example.invalid/sourceos/m2-system@sha256:8b3f06c9090ccf926fe6ddc6f3b4f49a13d4b8bb4cb4f5cf78e2d12e31b55aa1",
-    "boot_release_set_ref": "urn:srcos:boot-release-set:m2-demo-recovery-2026-04-26"
+    "storeClosureHash": "sha256-4e2b2e2c6a843f8b8cf38f7b47c8f875f1f9e4c4206e1f8e9c9f0ec9a0f7a001",
+    "imageRef": "oci://registry.example.invalid/sourceos/m2-system@sha256:8b3f06c9090ccf926fe6ddc6f3b4f49a13d4b8bb4cb4f5cf78e2d12e31b55aa1",
+    "bootReleaseSetRef": "urn:srcos:boot-release-set:m2-demo-recovery-2026-04-26"
   },
-  "created_at": "2026-04-26T14:15:00Z",
+  "createdAt": "2026-04-26T14:15:00Z",
   "notes": "Local-first M2 demo release assignment produced by the SourceOS control plane."
 }

examples/token_door.json

@@ -0,0 +1,16 @@
+{
+  "id": "urn:srcos:token-door:m2-demo-recovery-entry-2026-04-26",
+  "type": "TokenDoor",
+  "specVersion": "2.0.0",
+  "doorName": "boot-recovery-entry",
+  "requiredTokenKind": "recovery-access",
+  "boundDeviceRef": "urn:srcos:asset:m2-local-demo",
+  "boundReleaseSetRef": "urn:srcos:release-set:m2-demo-2026-04-26",
+  "policyRef": "urn:srcos:policy:boot-recovery-m2-demo-v1",
+  "maxPresentations": 1,
+  "presentationCount": 0,
+  "expiresAt": "2026-04-27T14:15:00Z",
+  "status": "open",
+  "createdAt": "2026-04-26T14:15:00Z",
+  "notes": "One-time recovery access door for the M2 demo device, valid for 24 hours. Issued alongside the EnrollmentToken."
+}

schemas/ConfigSource.json

@@ -0,0 +1,85 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.srcos.ai/v2/ConfigSource.json",
+  "title": "ConfigSource",
+  "description": "A typed reference to an external or inline configuration source consumed by NLBoot, sourceos-boot, or the control plane, specifying its kind, location, and optional integrity binding.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "id",
+    "type",
+    "specVersion",
+    "sourceKind",
+    "status",
+    "createdAt"
+  ],
+  "properties": {
+    "id": {
+      "type": "string",
+      "pattern": "^urn:srcos:config-source:[A-Za-z0-9._~-]+$",
+      "description": "Stable URN identifier. Pattern: urn:srcos:config-source:<local-id>"
+    },
+    "type": {
+      "const": "ConfigSource",
+      "description": "Discriminator constant — always \"ConfigSource\"."
+    },
+    "specVersion": {
+      "type": "string",
+      "description": "Spec version of this document, e.g. \"2.0.0\"."
+    },
+    "sourceKind": {
+      "type": "string",
+      "enum": [
+        "git",
+        "http",
+        "oci",
+        "inline",
+        "bundle"
+      ],
+      "description": "Transport mechanism or storage format: git repository, HTTP/HTTPS URL, OCI artifact, inline JSON/YAML, or an opaque bundle ref."
+    },
+    "uri": {
+      "type": ["string", "null"],
+      "description": "URI of the configuration source. Required for git, http, and oci kinds."
+    },
+    "gitRef": {
+      "type": ["string", "null"],
+      "description": "Git ref to check out when sourceKind is \"git\", e.g. \"refs/heads/main\" or \"refs/tags/v1.2.3\"."
+    },
+    "gitCommit": {
+      "type": ["string", "null"],
+      "description": "Pinned Git commit SHA. When present, the consumer must check out this exact commit."
+    },
+    "contentHash": {
+      "type": ["string", "null"],
+      "description": "Content-addressed digest of the config payload, e.g. \"sha256:...\". Used for integrity verification."
+    },
+    "inlineContent": {
+      "type": ["object", "null"],
+      "additionalProperties": true,
+      "description": "Inline configuration payload when sourceKind is \"inline\". Must be a valid JSON object."
+    },
+    "authRef": {
+      "type": ["string", "null"],
+      "description": "Optional URN reference to a CapabilityToken or credential object required to fetch this source."
+    },
+    "status": {
+      "type": "string",
+      "enum": [
+        "active",
+        "deprecated",
+        "revoked"
+      ],
+      "description": "Lifecycle state of the config source."
+    },
+    "createdAt": {
+      "type": "string",
+      "format": "date-time",
+      "description": "ISO 8601 date-time when this config source record was created."
+    },
+    "notes": {
+      "type": ["string", "null"],
+      "description": "Optional human-readable notes about this config source."
+    }
+  }
+}

schemas/Fingerprint.json

@@ -0,0 +1,108 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.srcos.ai/v2/Fingerprint.json",
+  "title": "Fingerprint",
+  "description": "A point-in-time observation of a device's realized state, capturing integrity evidence and compliance status relative to an assigned ReleaseSet.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "id",
+    "type",
+    "specVersion",
+    "subject",
+    "observedAt",
+    "complianceStatus"
+  ],
+  "properties": {
+    "id": {
+      "type": "string",
+      "pattern": "^urn:srcos:fingerprint:[A-Za-z0-9._~-]+$",
+      "description": "Stable URN identifier. Pattern: urn:srcos:fingerprint:<local-id>"
+    },
+    "type": {
+      "const": "Fingerprint",
+      "description": "Discriminator constant — always \"Fingerprint\"."
+    },
+    "specVersion": {
+      "type": "string",
+      "description": "Spec version of this document, e.g. \"2.0.0\"."
+    },
+    "subject": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["subjectKind", "subjectRef"],
+      "properties": {
+        "subjectKind": {
+          "type": "string",
+          "enum": ["device", "vm", "container"],
+          "description": "Kind of the entity whose state was fingerprinted."
+        },
+        "subjectRef": {
+          "type": "string",
+          "description": "URN reference to the device, VM, or container that was fingerprinted."
+        }
+      },
+      "description": "The entity whose realized state this fingerprint captures."
+    },
+    "releaseSetRef": {
+      "type": ["string", "null"],
+      "description": "Optional URN reference to the ReleaseSet against which compliance was evaluated."
+    },
+    "experienceProfileRef": {
+      "type": ["string", "null"],
+      "description": "Optional URN reference to the ExperienceProfile observed on the device."
+    },
+    "isolationProfileRef": {
+      "type": ["string", "null"],
+      "description": "Optional URN reference to the IsolationProfile observed on the device."
+    },
+    "observedAt": {
+      "type": "string",
+      "format": "date-time",
+      "description": "ISO 8601 date-time when the observation was taken."
+    },
+    "integrity": {
+      "type": ["object", "null"],
+      "additionalProperties": false,
+      "properties": {
+        "bootReleaseSetRef": {
+          "type": ["string", "null"],
+          "description": "URN reference to the BootReleaseSet whose artifacts were observed as active."
+        },
+        "imageRef": {
+          "type": ["string", "null"],
+          "description": "OCI image reference observed as the running system image."
+        },
+        "storeClosureHash": {
+          "type": ["string", "null"],
+          "description": "Content-addressed hash of the Nix/ostree store closure observed on the device."
+        },
+        "bootEntryLabel": {
+          "type": ["string", "null"],
+          "description": "Human-readable label of the active boot entry observed in the boot loader."
+        }
+      },
+      "description": "Integrity evidence collected during the observation."
+    },
+    "complianceStatus": {
+      "type": "string",
+      "enum": ["compliant", "non-compliant", "unknown"],
+      "description": "Overall compliance verdict: compliant if the observed state matches the assigned release set, non-compliant if drift was detected, or unknown if evaluation was incomplete."
+    },
+    "complianceNotes": {
+      "type": ["string", "null"],
+      "description": "Optional human-readable explanation of the compliance verdict."
+    },
+    "evidenceRefs": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      },
+      "description": "URN references to ProvenanceRecord, ReleaseReceipt, or other evidence objects supporting this fingerprint."
+    },
+    "notes": {
+      "type": ["string", "null"],
+      "description": "Optional human-readable notes about this fingerprint."
+    }
+  }
+}