Implement Agent Machine local mount profiles for dev and document output roots

[mdheller]

Context

Agent Machine needs first-class local mount management for Mac/Windows/Linux Podman workspaces.

Immediate convention:

• ~/dev is the shared code/repository root.
• ~/Documents/SourceOS/agent-output is the default writeable document/report output root.

This must align with future TopoLVM-backed cluster-local persistent volume semantics without pretending TopoLVM is a cross-node shared filesystem.

Scope

Add CLI support under sourceosctl agent-machine:

sourceosctl agent-machine mounts plan --profile macos-podman
sourceosctl agent-machine mounts init --dev-root ~/dev --docs-root ~/Documents/SourceOS/agent-output --dry-run
sourceosctl agent-machine mounts inspect
sourceosctl agent-machine mounts evidence inspect <path>

Required behavior v0

• Render a mount plan from AgentMachineLocalDataPlane and AgentMachineMountPolicy once schemas land.
• Default to ~/dev as code root and ~/Documents/SourceOS/agent-output as document output root.
• Create the docs output root only when explicitly requested; support --dry-run.
• Mount code root into the agent container as /workspace/dev or declared equivalent.
• Mount document output root into the agent container as /workspace/output or declared equivalent.
• Deny host $HOME wholesale mounts.
• Deny known sensitive directories by default: .ssh, .gnupg, browser profiles, keychains, cloud credentials, token stores, password stores.
• Emit mount evidence containing host path, container path, access mode, git ref where applicable, policy hash, and denial summary.

Mac-specific posture

• Do not attempt to manage APFS with TopoLVM.
• For Mac/Podman, treat the Podman VM/container mount as the local workspace boundary.
• Mac Notes/Reminders/Photos/Voice Memos/TextEdit-style integrations are future app doors, not default raw mounts.

Acceptance criteria

• CLI help and tests added.
• make validate passes.
• Example profile uses placeholder paths, not user-specific secrets.
• Deny-by-default tests cover sensitive paths.

Non-goals

• Do not implement Kubernetes/TopoLVM controllers here.
• Do not mount Photos, Notes, Reminders, Voice Memos, or app databases directly.
• Do not store real local paths, tokens, credentials, or private keys in examples.

[mdheller]

Add Browser Downloads mount support to the local mount profile implementation.

Recommended local defaults:

• Host path: ~/Downloads/SourceOS/agent-downloads
• Container path: /workspace/downloads or /browser/downloads
• Browser process access: read/write
• Agent process access: read-only by default
• Direct execution from downloads: denied by default where enforceable

CLI updates:

sourceosctl agent-machine mounts init \
  --dev-root ~/dev \
  --docs-root ~/Documents/SourceOS/agent-output \
  --downloads-root ~/Downloads/SourceOS/agent-downloads \
  --dry-run

sourceosctl agent-machine mounts inspect --include-downloads

Implementation posture:

• Do not mount the whole ~/Downloads directory.
• Do not place browser downloads directly into repo roots.
• Hash downloaded artifacts and include them in mount/interface evidence.
• Treat promotion from downloads into ~/dev or docs output as an explicit copy/promote operation with evidence.

[mdheller]

Upstream contract objects are now available in SourceOS-Linux/sourceos-spec on main:

Schemas:

• schemas/AgentMachineLocalDataPlane.json
• schemas/AgentMachineMountPolicy.json
• schemas/TopoLVMPlacementProfile.json

Examples:

• examples/agent_machine_local_data_plane_macos.json
• examples/agent_machine_mount_policy_default.json
• examples/topolvm_placement_profile_agent_machine.json

Doc:

• docs/contract-additions/agent-machine-local-data-plane.md

Implementation guidance for this issue:

1. Load the macOS example and render a dry-run mount plan.
2. Implement deny-by-default checks from AgentMachineMountPolicy before any host mutation.
3. Add --downloads-root ~/Downloads/SourceOS/agent-downloads support.
4. Emit evidence containing host path, agent path, access mode, policy hash, storage backend, and git ref where available.
5. Keep TopoLVM realization out of sourceosctl; local CLI should only understand the logical contract and maybe inspect/print TopoLVM profile references.