Agent task: define Recovery Installer artifact build lane

[mdheller]

Target repo

SourceOS-Linux/sourceos-boot

Context

NLBoot integration, M2 normal/Recovery packaging, and AppleSiliconAdapterEvidence normalization are merged. The next safe M2 platform-proof slice is a concrete artifact-build lane definition for SourceOS Recovery/Installer artifacts. This must remain docs/fixtures/validation only and must not implement host mutation.

Scope

Implement the smallest bounded change that does the following:

1. Add a design doc for the Recovery/Installer artifact build lane.
2. Define required artifact classes: bootstrap payload, recovery payload, installer payload, manifest, checksums, SBOM references, provenance references.
3. Add fixture manifest(s) for a dry-run Recovery/Installer artifact build result.
4. Add Makefile validation for the new fixture JSON.
5. Update repo.maturity.yaml next actions/evidence.
6. Reference the NLBoot release-candidate and SBOM proof status without inventing a tagged release.

Acceptance criteria

• make validate passes.
• PR body includes validation evidence.
• M2 is first-class but not the only platform target.
• No real boot-entry mutation, disk writes, installer execution, rollback execution, kexec behavior, Secure Enclave calls, or host-changing behavior is implemented.

Validation commands

make validate

Boundaries / non-goals

• Do not create real Apple Silicon boot entries.
• Do not implement installer disk writes.
• Do not publish artifacts or releases.
• Do not duplicate canonical schemas from SourceOS-Linux/sourceos-spec; reference them.
• One PR only.

[mdheller]

@codex Please take this in the SourceOS boot Codex environment. One PR for issue #18. Keep it docs/fixtures/validation only and include validation evidence.

[mdheller]

@copilot Assignment is active. Please open one bounded PR for issue #18 with validation evidence. No host-changing behavior, boot-entry mutation, disk writes, installer execution, rollback execution, kexec behavior, or Secure Enclave calls.

[chatgpt-codex-connector]

Summary

• Added a new bounded design doc for the Recovery/Installer artifact build lane, explicitly scoped to docs/fixtures/validation and explicitly excluding host-changing behavior. It defines the required artifact classes and records NLBoot release-candidate + SBOM/provenance reference status without claiming a tagged release. docs/RECOVERY_INSTALLER_ARTIFACT_BUILD_LANE.mdL1-L63
• Added a new dry-run fixture manifest for Recovery/Installer artifact build output, including required artifact classes (bootstrap-payload, recovery-payload, installer-payload, manifest, checksums, sbom-reference, provenance-reference) and multi-platform target matrix with M2 as first-class proof hardware (not sole target). examples/recovery-installer-artifact-lane/recovery-installer-artifact-build.example.jsonL1-L85
• Updated make validate to include JSON validation of the new fixture. MakefileL3-L18
• Updated repo maturity evidence/next actions to include the new design + fixture and the follow-up for canonical schema ownership in sourceos-spec. repo.maturity.yamlL11-L59

Git / PR actions

• Committed on current branch: cb545a2 with message “Add Recovery/Installer artifact build lane docs and fixture validation”.
• Created PR via make_pr with title: “Issue Agent task: define Recovery Installer artifact build lane #18: define Recovery/Installer artifact build lane (docs/fixtures/validation only)”.

Testing

• ✅ make validate

View task →