[WIP] Add SourceOS local-first workspace operation contracts and sync semantics

examples/localoperationlog-terminal-command.json

@@ -0,0 +1,43 @@
+{
+  "id": "urn:srcos:local-operation-log:terminal-command-demo-0001",
+  "type": "LocalOperationLog",
+  "specVersion": "2.0.0",
+  "operationType": "terminal.command",
+  "surface": "turtleterm",
+  "occurredAt": "2026-05-06T14:23:00Z",
+  "actorRef": "urn:srcos:subject:operator-demo",
+  "agentRegistryRef": null,
+  "deviceRef": "urn:srcos:device-identity:workstation-demo-0001",
+  "sessionRef": "urn:srcos:shell-session:turtleterm-demo-0001",
+  "workspaceRef": "urn:srcos:workroom:professional-intelligence-demo",
+  "durabilityTier": "local-durable",
+  "replaySafe": false,
+  "replayConstraints": null,
+  "payloadMode": "metadata-only",
+  "payload": {
+    "commandClass": "build",
+    "commandHashRef": "urn:srcos:content-ref:sha256-demo-terminal-cmd-0001",
+    "exitCode": 0,
+    "rawCommandIncluded": false,
+    "rawOutputIncluded": false,
+    "durationMs": 1240
+  },
+  "artifactRefs": [],
+  "remoteOperationRef": null,
+  "workspaceOperationRef": "urn:prophet:workspace-operation:demo-ws-op-0001",
+  "operationTaskRef": "urn:prophet:operation-task:demo-task-0001",
+  "operationEventRef": "urn:prophet:operation-event:demo-event-0001",
+  "policyGateRecordRef": null,
+  "encryptionProfileRef": "urn:srcos:local-encryption-profile:workstation-demo-0001-default",
+  "policyDecisionRefs": [
+    "urn:srcos:policy-decision:terminal-metadata-only-export-0001"
+  ],
+  "evidenceRefs": [
+    "urn:srcos:evidence:shell-receipt-terminal-demo-0001"
+  ],
+  "redactionRefs": [],
+  "integrity": {
+    "entryHash": "sha256:aabbccdd0011223344556677889900aabbccdd0011223344556677889900aabb",
+    "signature": null
+  }
+}

schemas/DeviceIdentity.json

@@ -0,0 +1,102 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.srcos.ai/v2/DeviceIdentity.json",
+  "title": "DeviceIdentity",
+  "description": "Device identity and trust profile for a SourceOS local-first workstation or operator device. Governs admission, attestation, capability assignment, and local data plane access.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "id",
+    "type",
+    "specVersion",
+    "deviceName",
+    "platform",
+    "trustProfile",
+    "registeredAt"
+  ],
+  "properties": {
+    "id": {
+      "type": "string",
+      "pattern": "^urn:srcos:device-identity:",
+      "description": "Stable device identity URN. Must be unique per device."
+    },
+    "type": { "const": "DeviceIdentity" },
+    "specVersion": { "type": "string" },
+    "deviceName": {
+      "type": "string",
+      "description": "Human-readable device name. Must not include raw network addresses or PII."
+    },
+    "platform": {
+      "type": "string",
+      "enum": ["linux", "macos", "windows", "other"],
+      "description": "Host platform type."
+    },
+    "archClass": {
+      "type": ["string", "null"],
+      "enum": ["x86_64", "aarch64", "apple-silicon", "riscv64", "other", null],
+      "description": "CPU architecture class."
+    },
+    "trustProfile": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["trustLevel"],
+      "description": "Device trust posture evaluated at registration or last attestation.",
+      "properties": {
+        "trustLevel": {
+          "type": "string",
+          "enum": ["untrusted", "provisional", "trusted", "anchor"],
+          "description": "untrusted = not admitted; provisional = limited policy scope; trusted = full local data plane; anchor = quorum-eligible trust root."
+        },
+        "enrolledAt": { "type": ["string", "null"], "format": "date-time" },
+        "lastAttestedAt": { "type": ["string", "null"], "format": "date-time" },
+        "enrollmentRef": {
+          "type": ["string", "null"],
+          "description": "EnrollmentProfile URN governing this device's admission."
+        },
+        "attestationRefs": {
+          "type": "array",
+          "items": { "type": "string" },
+          "default": [],
+          "description": "AttestationEvidence URNs supporting the current trust level."
+        },
+        "trustExpiresAt": {
+          "type": ["string", "null"],
+          "format": "date-time",
+          "description": "Optional expiry for time-bounded trust grants."
+        },
+        "trustRevocationRef": {
+          "type": ["string", "null"],
+          "description": "RevocationEntry URN if trust has been revoked."
+        }
+      }
+    },
+    "capabilityProfileRef": {
+      "type": ["string", "null"],
+      "pattern": "^urn:srcos:workspace-capability-profile:",
+      "description": "WorkspaceCapabilityProfile URN describing surfaces available on this device."
+    },
+    "encryptionProfileRef": {
+      "type": ["string", "null"],
+      "pattern": "^urn:srcos:local-encryption-profile:",
+      "description": "LocalEncryptionProfile URN for this device's local data encryption posture."
+    },
+    "ownerRef": {
+      "type": ["string", "null"],
+      "description": "Subject or org authority reference for device ownership."
+    },
+    "registeredAt": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "policyDecisionRefs": {
+      "type": "array",
+      "items": { "type": "string" },
+      "default": []
+    },
+    "evidenceRefs": {
+      "type": "array",
+      "items": { "type": "string" },
+      "default": []
+    }
+  }
+}

schemas/LocalArtifactRef.json

@@ -0,0 +1,114 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.srcos.ai/v2/LocalArtifactRef.json",
+  "title": "LocalArtifactRef",
+  "description": "Provisional local artifact reference capturing file availability state, content integrity, durability tier, and local-to-remote artifact mapping. Raw filesystem paths are never stored; only content hashes and opaque path hints are allowed.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "id",
+    "type",
+    "specVersion",
+    "deviceRef",
+    "contentHash",
+    "availabilityState",
+    "durabilityTier",
+    "operationLogRef",
+    "createdAt"
+  ],
+  "properties": {
+    "id": {
+      "type": "string",
+      "pattern": "^urn:srcos:local-artifact:",
+      "description": "Stable local-artifact URN. Must be unique per artifact."
+    },
+    "type": { "const": "LocalArtifactRef" },
+    "specVersion": { "type": "string" },
+    "deviceRef": {
+      "type": "string",
+      "pattern": "^urn:srcos:device-identity:",
+      "description": "DeviceIdentity URN for the device holding this artifact."
+    },
+    "artifactClass": {
+      "type": "string",
+      "enum": [
+        "terminal.output",
+        "browser.capture",
+        "agent.output",
+        "file.snapshot",
+        "model.output",
+        "diagnostic.export",
+        "sync.bundle",
+        "policy.record",
+        "other"
+      ],
+      "description": "Typed class of the local artifact."
+    },
+    "mimeType": {
+      "type": ["string", "null"],
+      "description": "MIME type of the artifact content if known."
+    },
+    "contentHash": {
+      "type": "string",
+      "description": "Content-addressed hash of the artifact. Must be a prefixed digest string (e.g. sha256:<hex>)."
+    },
+    "sizeBytes": {
+      "type": ["integer", "null"],
+      "minimum": 0
+    },
+    "availabilityState": {
+      "type": "string",
+      "enum": ["available", "evicted", "pinned", "pending-sync", "remote-only", "tombstoned"],
+      "description": "Current file availability state on this device."
+    },
+    "durabilityTier": {
+      "type": "string",
+      "enum": ["ephemeral", "local-durable", "synced", "archived"],
+      "description": "Artifact durability tier."
+    },
+    "pathHint": {
+      "type": ["string", "null"],
+      "description": "Opaque path hint (e.g. XDG-relative reference). Must not be an absolute filesystem path."
+    },
+    "operationLogRef": {
+      "type": "string",
+      "pattern": "^urn:srcos:local-operation-log:",
+      "description": "LocalOperationLog URN that produced or consumed this artifact."
+    },
+    "remoteArtifactRef": {
+      "type": ["string", "null"],
+      "description": "Remote canonical Artifact URN (e.g. prophet-core Artifact) if this local artifact has been synced."
+    },
+    "encryptionProfileRef": {
+      "type": ["string", "null"],
+      "pattern": "^urn:srcos:local-encryption-profile:",
+      "description": "LocalEncryptionProfile URN if this artifact is encrypted at rest."
+    },
+    "createdAt": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "evictedAt": {
+      "type": ["string", "null"],
+      "format": "date-time"
+    },
+    "syncedAt": {
+      "type": ["string", "null"],
+      "format": "date-time"
+    },
+    "tombstonedAt": {
+      "type": ["string", "null"],
+      "format": "date-time"
+    },
+    "policyDecisionRefs": {
+      "type": "array",
+      "items": { "type": "string" },
+      "default": []
+    },
+    "evidenceRefs": {
+      "type": "array",
+      "items": { "type": "string" },
+      "default": []
+    }
+  }
+}

schemas/LocalEncryptionProfile.json

@@ -0,0 +1,86 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.srcos.ai/v2/LocalEncryptionProfile.json",
+  "title": "LocalEncryptionProfile",
+  "description": "Local encryption profile capturing the algorithm, key derivation posture, and scope for a SourceOS device's local-first data plane. Governs encrypted-at-rest and encrypted-in-transit posture for local operation logs, artifacts, and sync bundles.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "id",
+    "type",
+    "specVersion",
+    "deviceRef",
+    "algorithm",
+    "keyDerivation",
+    "encryptedAtRest",
+    "encryptedInTransit",
+    "capturedAt"
+  ],
+  "properties": {
+    "id": {
+      "type": "string",
+      "pattern": "^urn:srcos:local-encryption-profile:",
+      "description": "Stable local-encryption-profile URN."
+    },
+    "type": { "const": "LocalEncryptionProfile" },
+    "specVersion": { "type": "string" },
+    "deviceRef": {
+      "type": "string",
+      "pattern": "^urn:srcos:device-identity:",
+      "description": "DeviceIdentity URN this encryption profile is bound to."
+    },
+    "algorithm": {
+      "type": "string",
+      "enum": ["aes-256-gcm", "chacha20-poly1305", "aes-128-gcm", "other"],
+      "description": "Symmetric encryption algorithm used for local data at rest."
+    },
+    "keyDerivation": {
+      "type": "string",
+      "enum": ["argon2id", "pbkdf2", "hardware-backed", "os-keychain", "tpm", "other"],
+      "description": "Key derivation or key storage mechanism."
+    },
+    "encryptedAtRest": {
+      "type": "boolean",
+      "description": "Whether local operation logs and artifacts are encrypted at rest."
+    },
+    "encryptedInTransit": {
+      "type": "boolean",
+      "description": "Whether local-to-remote and peer sync transfers are encrypted in transit."
+    },
+    "scope": {
+      "type": "array",
+      "items": {
+        "type": "string",
+        "enum": ["operation-logs", "artifacts", "sync-bundles", "diagnostic-exports", "all"]
+      },
+      "description": "Data classes covered by this encryption profile. Defaults to all if omitted.",
+      "default": ["all"]
+    },
+    "keyRef": {
+      "type": ["string", "null"],
+      "description": "Opaque key or keyslot reference. Must not include raw key material."
+    },
+    "keyRotationPolicyRef": {
+      "type": ["string", "null"],
+      "description": "Optional policy URN governing key rotation schedule."
+    },
+    "fipsCompliant": {
+      "type": ["boolean", "null"],
+      "description": "Whether the algorithm and key derivation combination is FIPS-140 compliant."
+    },
+    "capturedAt": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "policyDecisionRefs": {
+      "type": "array",
+      "items": { "type": "string" },
+      "default": []
+    },
+    "evidenceRefs": {
+      "type": "array",
+      "items": { "type": "string" },
+      "default": []
+    }
+  }
+}