ci: add M2 fixture validation for nlboot planner

.github/workflows/validate.yml

@@ -1,10 +1,25 @@
-name: validate
+name: nlboot validate
 
 on:
   pull_request:
+    paths:
+      - "src/**"
+      - "tests/**"
+      - "examples/**"
+      - "pyproject.toml"
+      - "Makefile"
+      - "README.md"
+      - ".github/workflows/validate.yml"
   push:
-    branches:
-      - main
+    branches: [main]
+    paths:
+      - "src/**"
+      - "tests/**"
+      - "examples/**"
+      - "pyproject.toml"
+      - "Makefile"
+      - "README.md"
+      - ".github/workflows/validate.yml"
 
 jobs:
   validate:
@@ -13,6 +28,16 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
-      - name: Validate
+          python-version: "3.11"
+      - name: Install nlboot
+        run: python -m pip install -e . pytest
+      - name: Run validation
         run: make validate
+      - name: Validate M2 demo fixture through CLI
+        run: |
+          nlboot-plan \
+            --manifest examples/m2-demo/manifest.recovery.json \
+            --token examples/m2-demo/enrollment-token.recovery.json \
+            --trusted-keys examples/m2-demo/trusted-keys.json \
+            --require-fips \
+            --now 2026-04-26T14:35:00Z

README.md

@@ -7,6 +7,7 @@ This repository implements the safe planning core for the SourceOS / SociOS boot
 ## What this slice does
 
 - validates signed-boot-manifest-shaped objects before planning boot/recovery
+- verifies RSA-PSS/SHA-256 manifest signatures against a trusted-key document
 - validates one-time enrollment token intent, expiry, audience, and release/boot-release binding
 - produces a boot plan as JSON
 - records `execute=false` in produced plans
@@ -25,6 +26,9 @@ This repository implements the safe planning core for the SourceOS / SociOS boot
 - `artifacts.rootfs_ref`
 - `signature_ref` using `urn:srcos:signature:*`
 - `signer_ref`
+- `signature_algorithm`: `rsa-pss-sha256`
+- `crypto_profile`: `fips-140-3-compatible`
+- `signature_hex`: RSA-PSS/SHA-256 signature over the canonical unsigned manifest payload
 
 `EnrollmentToken` requires:
 
@@ -35,11 +39,24 @@ This repository implements the safe planning core for the SourceOS / SociOS boot
 - matching `boot_release_set_ref`
 - purpose compatible with the boot mode
 
-## Usage
+## M2 demo fixture
+
+The repository carries a side-effect-free M2 recovery fixture under `examples/m2-demo/`:
+
+- `manifest.recovery.json`
+- `enrollment-token.recovery.json`
+- `trusted-keys.json`
+
+Run it through the planner:
 
 ```bash
 python3 -m pip install -e .
-nlboot-plan --manifest manifest.json --token token.json
+nlboot-plan \
+  --manifest examples/m2-demo/manifest.recovery.json \
+  --token examples/m2-demo/enrollment-token.recovery.json \
+  --trusted-keys examples/m2-demo/trusted-keys.json \
+  --require-fips \
+  --now 2026-04-26T14:35:00Z
 ```
 
 The command emits a safe plan only. Later implementation tranches can add verified artifact fetching and host execution behind explicit policy gates.
@@ -49,3 +66,5 @@ The command emits a safe plan only. Later implementation tranches can add verifi
 ```bash
 make validate
 ```
+
+The GitHub Actions validation lane runs `make validate` and a CLI smoke over the M2 fixture.

examples/m2-demo/enrollment-token.recovery.json

@@ -0,0 +1,14 @@
+{
+  "token_id": "urn:srcos:enrollment-token:m2-demo-recovery",
+  "purpose": "recovery",
+  "audience": {
+    "subject_kind": "device",
+    "subject_id": "urn:srcos:device:m2-local-demo"
+  },
+  "release_set_ref": "urn:srcos:release-set:m2-demo-2026-04-26",
+  "boot_release_set_ref": "urn:srcos:boot-release-set:m2-demo-recovery-2026-04-26",
+  "one_time_use": true,
+  "issued_at": "2026-04-26T14:31:00Z",
+  "expires_at": "2026-04-26T14:46:00Z",
+  "status": "issued"
+}

examples/m2-demo/manifest.recovery.json

@@ -0,0 +1,16 @@
+{
+  "manifest_id": "urn:srcos:boot-manifest:m2-demo-recovery",
+  "boot_release_set_id": "urn:srcos:boot-release-set:m2-demo-recovery-2026-04-26",
+  "base_release_set_ref": "urn:srcos:release-set:m2-demo-2026-04-26",
+  "boot_mode": "recovery",
+  "artifacts": {
+    "kernel_ref": "urn:srcos:artifact:m2-demo-kernel",
+    "initrd_ref": "urn:srcos:artifact:m2-demo-initrd",
+    "rootfs_ref": "urn:srcos:artifact:m2-demo-rootfs"
+  },
+  "signature_ref": "urn:srcos:signature:m2-demo-recovery",
+  "signer_ref": "urn:srcos:key:sourceos-demo-signing-key-v0",
+  "signature_algorithm": "rsa-pss-sha256",
+  "crypto_profile": "fips-140-3-compatible",
+  "signature_hex": "7335ffa2b904c00ddd62cf7ff6cfaeec6147454476b7acf6aedc537a541768be3b323e3d0493d4372a976945d9161e1faecf6cb77fdd09e897e14c7327895ae0c7c65179ff4fe900af547cf517903847e05b680c69711d40b0c5a3413e5e9708b1db3f866c94921bd3d21d37f6f3d299ea34432f0b0312717ea5cff76edc93a6d632f5263a89e8e6b62d2e2f78306c3c30577ee6c3d659d55da504736097b909c96362899685c1d3124d37e40afe3665889d51fc57a55bc36312d992777a469c4775849f0c4be1741f7b155b1f875d2cb32e19a80d12c86a85fb64b392e06ecbbf315882a92d2a695ac8b20b875c0bcf547834b461"
+}

examples/m2-demo/trusted-keys.json

@@ -0,0 +1,12 @@
+{
+  "keys": [
+    {
+      "key_ref": "urn:srcos:key:sourceos-demo-signing-key-v0",
+      "algorithm": "rsa-pss-sha256",
+      "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvQjwCweO/3NxqmTSB3Vq\nYyDRFh2SkRT27ddqScUp1pD2l2wiCjAnAjwZf2mM9AfHH3Ur/qrzsmxB+bBs7nXB\nZT/xVSiUWGlB5/XogjpeHbH0SSr9u8O78AqlS3n7IO9tmEr2zIEG8MsLcGaxYYaQ\nK/2mS3QR+HHfsx+9eIKTUow38ewCnQ+ws4h2uL8TmJoJRcBFOM8fVM8J+gkMa/U5\nq+HGGh+F1apJGnrJQqYQ8CTU9EG/c71uRWABi1CzvOs6d4fz8wrvYFR+/xY9te/N\nQpxN2D3ZMlAmzD2HJ+K7zlr+VTIyzhW0EKQy5F+YHZHww8h0g7fXT+yeoxuR0mr7\nQwIDAQAB\n-----END PUBLIC KEY-----\n",
+      "status": "active",
+      "not_before": "2026-04-26T00:00:00Z",
+      "not_after": "2027-04-26T00:00:00Z"
+    }
+  ]
+}