ci: add M2 fixture validation for nlboot planner#5

Merged
mdheller merged 5 commits into main from work/sourceos-m2-lifecycle-proof-slice
Apr 26, 2026

@mdheller

Summary

Adds a small, non-conflicting nlboot tranche for the SourceOS M2 lifecycle proof slice.

This PR does not add artifact fetching, disk writes, kexec execution, or host mutation. It keeps nlboot in the safe planning lane and strengthens validation around the existing verifier and planner.

Adds

  • GitHub Actions validation workflow with dependency install
  • M2 demo recovery manifest fixture
  • M2 demo one-time enrollment token fixture
  • M2 demo trusted-key fixture
  • README usage path for CLI validation of the fixture

Why

This advances the weakest demo-critical lane without touching active prophet-platform or sociosphere PR surfaces.

It gives the M2 proof path a concrete signed manifest + token + trusted-key fixture that can be consumed by nlboot-plan under --require-fips.

Safety boundary

  • execute=false remains the only plan output posture
  • no artifact downloads
  • no host mutation
  • no disk writes
  • no kexec
  • no remote state mutation

Validation

The workflow runs:

make validate
nlboot-plan \
  --manifest examples/m2-demo/manifest.recovery.json \
  --token examples/m2-demo/enrollment-token.recovery.json \
  --trusted-keys examples/m2-demo/trusted-keys.json \
  --require-fips \
  --now 2026-04-26T14:35:00Z

Follow-on

  • Add example fixture test coverage in-repo if connector safety allows the additive test file path later.
  • Add SocioSphere build-intelligence registration after merge.
  • Align fixture IDs with prophet-platform SourceOS contract examples if those IDs are updated.

mdheller merged commit 787129b into main on Apr 26, 2026
3 of 4 checks passed
mdheller added a commit to SocioProphet/sociosphere that referenced this pull request Apr 26, 2026
Register the merged SociOS-Linux/nlboot#5 M2 fixture validation tranche in SocioSphere build intelligence.

Records the SourceOS boot/recovery safety boundary and follow-on hardening path.
mdheller added a commit to SocioProphet/sociosphere that referenced this pull request Apr 26, 2026
Register the merged prophet-platform SourceOS/nlboot crosswalk tranche in SocioSphere build intelligence.

Links prophet-platform#218 and SociOS-Linux/nlboot#5, and records the proof-fixture safety boundary.
mdheller added a commit to SocioProphet/sociosphere that referenced this pull request Apr 26, 2026
Register the merged prophet-platform SourceOS M2 filesystem-registry publication tranche in SocioSphere build intelligence.

Links prophet-platform#221, prophet-platform#218, and SociOS-Linux/nlboot#5 while preserving the proof-only safety boundary.