feat: publish lesser-body certification contracts and evidence

.github/workflows/managed-release-canary.yml

@@ -8,24 +8,24 @@ on:
         required: true
         type: string
       lesser_body_version:
-        description: Optional lesser-body release tag to require for the managed follow-on phases
+        description: lesser-body release tag to require for the managed follow-on phases; required when body or MCP checks are enabled
         required: false
         default: ""
         type: string
       require_lesser_body:
         description: Require the lesser-body follow-on phase to succeed
         required: true
-        default: true
+        default: false
         type: boolean
       require_mcp:
         description: Require the MCP follow-on wiring phase to succeed
         required: true
-        default: true
+        default: false
         type: boolean
       project_readiness_targets:
         description: Comma-separated parent issues to reflect project 17 readiness
         required: true
-        default: equaltoai/lesser-host#96,equaltoai/lesser#658,equaltoai/lesser-body#91
+        default: equaltoai/lesser#658,equaltoai/lesser-body#98,equaltoai/lesser-host#109,equaltoai/lesser-host#110
         type: string
       control_plane_base_url:
         description: lesser-host base URL

docs/README.md

@@ -22,6 +22,7 @@ This directory contains maintainer documentation for `lesser-host` (the `lesser.
 ## Managed provisioning
 
 - Lesser release contract: `docs/lesser-release-contract.md`
+- lesser-body release contract: `docs/lesser-body-release-contract.md`
 - Managed release certification gate: `docs/managed-release-certification.md`
 - Managed release readiness sync: `docs/managed-release-readiness.md`
 - Managed update recovery contract: `docs/managed-update-recovery.md`

docs/lesser-body-release-contract.md

@@ -0,0 +1,121 @@
+# lesser-body release contract (consumed by lesser.host)
+
+This document defines the `lesser-body` release surface that `lesser-host` consumes for managed body deploys.
+
+It is intentionally narrower than the full `lesser-body` producer contract. This doc covers only the release assets,
+manifest fields, runner expectations, and receipt provenance that the managed host path depends on.
+
+Managed rollout decisions for those releases are gated separately by `docs/managed-release-certification.md`.
+
+## Supported managed compatibility contract
+
+The canonical machine-readable compatibility boundary that `lesser-host` supports today lives at:
+
+- `docs/spec/lesser-body-managed-compatibility.json`
+
+That file is verified in CI against the same constants the managed body preflight uses, so operators and rollout
+automation can check support before starting a managed `lesser-body` update.
+
+## Required lesser-body release assets
+
+Every managed-consumable `lesser-body` release must publish:
+
+- `checksums.txt`
+- `lesser-body-release.json`
+- `lesser-body-deploy.json`
+- `lesser-body.zip`
+- `deploy-lesser-body-from-release.sh`
+- `lesser-body-managed-<stage>.template.json`
+
+The managed runner verifies the checksum coverage for:
+
+- `lesser-body-release.json`
+- `lesser-body-deploy.json`
+- `lesser-body.zip`
+- `deploy-lesser-body-from-release.sh`
+- `lesser-body-managed-<stage>.template.json`
+
+## Required release-manifest fields
+
+`lesser-body-release.json` must satisfy the managed compatibility contract and publish:
+
+- `name = "lesser-body"`
+- `version = <requested tag>`
+- `git_sha = <non-empty commit sha>`
+- `artifacts.checksums.path = "checksums.txt"`
+- `artifacts.checksums.algorithm = "sha256"`
+- `artifacts.deploy_manifest.path = "lesser-body-deploy.json"`
+- `artifacts.deploy_manifest.schema = 1`
+- `artifacts.lambda_zip.path = "lesser-body.zip"`
+- `artifacts.deploy_script.path = "deploy-lesser-body-from-release.sh"`
+- `artifacts.deploy_templates.<stage>.path = "lesser-body-managed-<stage>.template.json"`
+- `artifacts.deploy_templates.<stage>.format = "cloudformation-json"`
+- `deploy.schema = 1`
+- `deploy.manifest_path = "lesser-body-deploy.json"`
+- `deploy.template_selection = "by_stage"`
+- `deploy.source_checkout_required = false`
+- `deploy.npm_install_required = false`
+
+The managed runner currently normalizes the requested managed stage to `dev`, `staging`, or `live` and expects template
+metadata for the selected stage.
+
+## Managed runner execution model
+
+The managed `lesser-body` consumer path is `RUN_MODE=lesser-body`.
+
+The runner:
+
+1. downloads the published `lesser-body` release assets into a clean release directory
+2. verifies the release manifest, deploy manifest path, stage template path, and checksum coverage
+3. executes `deploy-lesser-body-from-release.sh` against the managed instance account
+4. reads the instance-scoped SSM export `/${app}/${stage}/lesser-body/exports/v1/mcp_lambda_arn`
+5. writes the managed receipt and uploads it back to the host artifacts bucket
+
+The managed runner does not require a `lesser-body` source checkout or `npm install` in the happy path.
+
+## lesser-body managed receipt contract
+
+Managed body deploys upload the host-enriched receipt to:
+
+- `managed/provisioning/<slug>/<jobId>/body-state.json`
+- `managed/updates/<slug>/<jobId>/body-state.json`
+
+The receipt preserves the native `lesser-body` deploy fields and adds host-side artifact provenance:
+
+```json
+{
+  "managed_deploy_artifacts": {
+    "mode": "release",
+    "checksums_path": "checksums.txt",
+    "release_manifest_path": "lesser-body-release.json",
+    "release": {
+      "name": "lesser-body",
+      "version": "v0.2.3",
+      "git_sha": "abc123",
+      "source_checkout_required": false,
+      "npm_install_required": false
+    },
+    "deploy_artifact": {
+      "kind": "lesser_body_managed_deploy",
+      "path": "lesser-body.zip",
+      "manifest_path": "lesser-body-deploy.json",
+      "script_path": "deploy-lesser-body-from-release.sh",
+      "template_path": "lesser-body-managed-dev.template.json"
+    }
+  }
+}
+```
+
+This provenance object is the canonical consumer-visible record of which verified `lesser-body` release assets were used
+for the managed deploy.
+
+## Follow-on MCP expectation
+
+The `RUN_MODE=lesser-mcp` phase does not consume the `lesser-body` release assets directly. It consumes the deployed body
+state indirectly through:
+
+- the body receipt uploaded by `RUN_MODE=lesser-body`
+- the instance-scoped SSM export `/${app}/${stage}/lesser-body/exports/v1/mcp_lambda_arn`
+
+That separation is intentional: the body deploy contract is release-asset driven, while the MCP follow-on contract is
+receipt and export driven.

docs/managed-instance-provisioning.md

@@ -55,6 +55,7 @@ It assumes:
    - read the deployment receipt `~/.lesser/<app>/<base-domain>/state.json`.
 
 6) **(Optional, default-on) Deploy lesser-body (AgentCore MCP) + wire `POST /mcp/{actor}`**
+   - see `docs/lesser-body-release-contract.md` for the canonical managed consumer contract
    - download and verify the managed `lesser-body` release assets:
      - `checksums.txt`
      - `lesser-body-release.json`

docs/managed-release-certification.md

@@ -19,6 +19,10 @@ This is the boundary that `M9` uses for project and rollout decisions.
 
 The downstream project-readiness sync lives in `docs/managed-release-readiness.md`.
 
+When body-enabled or MCP-enabled certification is requested, the certification input must include a concrete
+`lesser-body` release tag. The body release being validated is part of the certification evidence, not an implied host
+default.
+
 ## Certification checklist
 
 The managed release is only certified when every required check passes.
@@ -40,8 +44,14 @@ The managed release is only certified when every required check passes.
 
 ### Optional follow-on checks
 
+- `lesser_body_version_selected`
+  - required when the certification run includes `lesser-body` or MCP follow-on wiring
+- `lesser_body_compatibility_contract_valid`
+  - required when the certification run includes `lesser-body` or MCP follow-on wiring
 - `lesser_body_completed`
   - required when the certification run includes `lesser-body`
+- `lesser_body_runner_visibility_present`
+  - required when the certification run includes `lesser-body`
 - `lesser_body_receipt_key_defined`
   - required when the certification run includes `lesser-body`
 - `mcp_wiring_completed`
@@ -60,6 +70,13 @@ Required files:
 - `managed-release-certification.md`
   - operator-readable summary for release and project decisions
 
+Required when the certification run includes `lesser-body`:
+
+- `managed-release-certification-lesser-body.json`
+  - machine-readable lesser-body certification evidence extracted from the canonical body-enabled run
+- `managed-release-certification-lesser-body.md`
+  - operator-readable lesser-body certification summary
+
 Recommended companion artifacts:
 
 - raw API request/response captures if needed for debugging
@@ -76,9 +93,18 @@ An example report lives at:
 
 - `docs/spec/managed-release-certification.example.json`
 
+The body-enabled companion evidence schema lives at:
+
+- `docs/spec/managed-release-body-certification.schema.json`
+
+An example body-enabled companion report lives at:
+
+- `docs/spec/managed-release-body-certification.example.json`
+
 The report records:
 
 - requested Lesser and `lesser-body` versions
+- the explicit `lesser-body` release-selection and compatibility result for body-enabled certification runs
 - target `lesser-host` base URL and managed instance slug
 - every certification check and its pass/fail status
 - phase-level evidence for Lesser, `lesser-body`, and MCP, even when those phases share one managed update job id

docs/managed-release-readiness.md

@@ -8,6 +8,7 @@ Readiness is derived from the certification bundle produced by:
 
 - `docs/managed-release-certification.md`
 - `gov-infra/evidence/managed-release-certification/managed-release-certification.json`
+- `gov-infra/evidence/managed-release-certification/managed-release-certification-lesser-body.json` when `run_lesser_body=true`
 
 The derived readiness bundle is written alongside it:
 
@@ -37,6 +38,7 @@ comment with:
 
 - project number
 - requested Lesser and `lesser-body` versions
+- `lesser-body` certification status from the canonical body evidence bundle
 - current certification status
 - rollout readiness
 - blocking certification checks

docs/spec/lesser-body-managed-compatibility.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": 1,
+  "release_name": "lesser-body",
+  "minimum_release_version": "v0.2.3",
+  "release_manifest_asset": "lesser-body-release.json",
+  "release_manifest_schema": 1,
+  "checksums": {
+    "path": "checksums.txt",
+    "algorithm": "sha256"
+  },
+  "deploy_manifest": {
+    "path": "lesser-body-deploy.json",
+    "schema_version": 1
+  },
+  "deploy": {
+    "schema_version": 1,
+    "manifest_path": "lesser-body-deploy.json",
+    "template_selection": "by_stage",
+    "source_checkout_required": false,
+    "npm_install_required": false
+  },
+  "lambda_zip": {
+    "path": "lesser-body.zip"
+  },
+  "deploy_script": {
+    "path": "deploy-lesser-body-from-release.sh"
+  },
+  "supported_stages": [
+    "dev",
+    "staging",
+    "live"
+  ],
+  "deploy_templates": {
+    "format": "cloudformation-json"
+  }
+}

docs/spec/managed-release-body-certification.example.json

@@ -0,0 +1,54 @@
+{
+  "schema_version": 1,
+  "generated_at": "2026-03-30T16:45:00Z",
+  "lesser_host": {
+    "base_url": "https://lab.lesser.host",
+    "instance_slug": "simulacrum"
+  },
+  "requested_release": {
+    "lesser_version": "v1.2.6",
+    "lesser_body_version": "v0.2.3",
+    "run_lesser": true,
+    "run_lesser_body": true,
+    "run_mcp": true
+  },
+  "checks": [
+    {
+      "id": "lesser_body_version_selected",
+      "status": "pass",
+      "detail": "requested lesser-body release v0.2.3 will be validated for managed certification"
+    },
+    {
+      "id": "lesser_body_compatibility_contract_valid",
+      "status": "pass",
+      "detail": "requested lesser-body release matches the published lesser-host managed compatibility contract"
+    },
+    {
+      "id": "lesser_body_completed",
+      "status": "pass",
+      "detail": "lesser-body managed deploy completed"
+    },
+    {
+      "id": "lesser_body_runner_visibility_present",
+      "status": "pass",
+      "detail": "https://console.aws.amazon.com/codebuild/home?#/builds/job-update-1-body/view/new"
+    },
+    {
+      "id": "lesser_body_receipt_key_defined",
+      "status": "pass",
+      "detail": "managed/updates/simulacrum/job-update-1/body-state.json"
+    }
+  ],
+  "job": {
+    "kind": "lesser-body",
+    "job_id": "job-update-1",
+    "status": "ok",
+    "step": "done",
+    "note": "lesser-body updated",
+    "run_url": "https://console.aws.amazon.com/codebuild/home?#/builds/job-update-1-body/view/new",
+    "body_run_url": "https://console.aws.amazon.com/codebuild/home?#/builds/job-update-1-body/view/new",
+    "receipt_key": "managed/updates/simulacrum/job-update-1/body-state.json",
+    "requested_version": "v0.2.3"
+  },
+  "overall_status": "pass"
+}

docs/spec/managed-release-body-certification.schema.json

@@ -0,0 +1,47 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://equalto.ai/schemas/lesser-host/managed-release-body-certification.schema.json",
+  "title": "Managed Release lesser-body Certification Report",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "schema_version",
+    "generated_at",
+    "lesser_host",
+    "requested_release",
+    "checks",
+    "job",
+    "overall_status"
+  ],
+  "properties": {
+    "schema_version": {
+      "const": 1
+    },
+    "generated_at": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "lesser_host": {
+      "$ref": "managed-release-certification.schema.json#/$defs/target"
+    },
+    "requested_release": {
+      "$ref": "managed-release-certification.schema.json#/$defs/requested_release"
+    },
+    "checks": {
+      "type": "array",
+      "items": {
+        "$ref": "managed-release-certification.schema.json#/$defs/check"
+      }
+    },
+    "job": {
+      "$ref": "managed-release-certification.schema.json#/$defs/job"
+    },
+    "overall_status": {
+      "type": "string",
+      "enum": [
+        "pass",
+        "fail"
+      ]
+    }
+  }
+}