Implement RuntimeInstallReceipt emission for runtime install/update flows #24

@mdheller

Description

Parent spec

SourceOS-Linux/sourceos-spec#99

Upstream contract source

The runtime observability and capability governance contract layer landed in SourceOS-Linux/sourceos-spec via PR #101, merged at commit 5e3ba19d54ba479c03088a6d504948f48f8dcb52.

Primary contract files to consume:

  • schemas/RuntimeInstallReceipt.json
  • examples/runtimeinstallreceipt.json
  • docs/runtime-observability-contracts.md
  • docs/adr/0012-runtime-observability-capability-governance.md

Intent

Agent Machine / runtime installer flows must emit RuntimeInstallReceipt records for runtime install, update, rollback, denial, deferred install, and partial install states. This closes the runtime-install observability portion of the SourceOS runtime observability contract family.

Required behavior

Emit RuntimeInstallReceipt for runtime installation lifecycle transitions with:

  • sessionRef
  • capabilityLedgerRef
  • agentMachineReceiptRef where available
  • runtimeRef, runtimeName, runtimeVersion
  • targetRef
  • platform
  • installState
  • manifest.manifestRef, manifest.manifestDigest, manifest.resolvedAt
  • verified artifact refs and digests
  • rollbackRef when rollback is available or executed
  • failureReason for failed, partial, denied, or deferred states
  • logMode
  • policyDecisionRef
  • non-empty evidenceRefs
  • lifecycle timestamps

Install states to support

  • requested
  • manifest_resolved
  • artifact_verified
  • installing
  • installed
  • failed
  • rolled_back
  • partial
  • denied
  • deferred

Logging requirement

Default operational logs should emit compact receipt ids and evidence references. Full manifests and detailed artifact payloads should be stored in evidence bundles, not ordinary logs.

Acceptance criteria

  • Runtime install/update flow emits a valid RuntimeInstallReceipt.
  • Failed install emits failureReason and preserves evidence refs.
  • Rollback-capable flow records rollbackRef.
  • Artifact digest verification state is recorded.
  • Default log mode is compact_receipt_ref.
  • Tests cover at least: success, failed artifact verification, policy-denied install, partial install, rollback, and deferred install.
  • Local validation consumes the upstream schema and canonical example from sourceos-spec rather than maintaining an unsynchronized local schema fork.
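The required behaviour, install states and logging rule above, as an added Python example (not code from the SourceOS projects or from this issue's author): it builds RuntimeInstallReceipt-shaped records, checks the contract rules the issue states (known installState, non-empty evidenceRefs, failureReason for failed/partial/denied/deferred, rollbackRef for rolled_back, manifest fields present, artifact digest verification recorded), and renders the compact_receipt_ref log line separately from the full evidence bundle. Field names the issue does not spell out (receiptId, artifacts[].artifactRef/digest/verified, requestedAt/updatedAt), the "sha256:<hex>" digest form, and the set of states in which a manifest may still be absent are assumptions; schemas/RuntimeInstallReceipt.json in sourceos-spec is authoritative.

```python
"""Added example, not project code: build, validate and log RuntimeInstallReceipt-shaped
records. Field names absent from the issue text and the digest form are assumptions."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from typing import Optional

INSTALL_STATES = {"requested", "manifest_resolved", "artifact_verified", "installing",
                  "installed", "failed", "rolled_back", "partial", "denied", "deferred"}
FAILURE_STATES = {"failed", "partial", "denied", "deferred"}        # failureReason mandatory
VERIFIED_STATES = {"artifact_verified", "installing", "installed"}  # every digest must match
PRE_MANIFEST_STATES = {"requested", "denied", "deferred"}           # assumption: manifest optional
DEFAULT_LOG_MODE = "compact_receipt_ref"


def sha256_ref(payload: bytes) -> str:
    """Digest in the assumed 'sha256:<hex>' form used for manifest and artifact digests."""
    return "sha256:" + hashlib.sha256(payload).hexdigest()


def verify_artifact(artifact_ref: str, payload: bytes, expected: str) -> dict:
    """Record the verification outcome; the receipt keeps the result, never the payload."""
    return {"artifactRef": artifact_ref, "digest": expected,
            "verified": sha256_ref(payload) == expected}


@dataclass
class RuntimeInstallReceipt:
    receiptId: str                      # assumed name for the compact receipt id
    sessionRef: str
    capabilityLedgerRef: str
    runtimeRef: str
    runtimeName: str
    runtimeVersion: str
    targetRef: str
    platform: str
    installState: str
    policyDecisionRef: str
    requestedAt: str                    # assumed names for the lifecycle timestamps
    updatedAt: str
    evidenceRefs: list = field(default_factory=list)
    artifacts: list = field(default_factory=list)   # assumed name for verified artifact records
    manifest: Optional[dict] = None     # manifestRef, manifestDigest, resolvedAt
    agentMachineReceiptRef: Optional[str] = None
    rollbackRef: Optional[str] = None
    failureReason: Optional[str] = None
    logMode: str = DEFAULT_LOG_MODE


def validate(r: RuntimeInstallReceipt) -> list:
    """Return the contract violations found (an empty list means the receipt is acceptable)."""
    problems = []
    if r.installState not in INSTALL_STATES:
        problems.append(f"unknown installState {r.installState!r}")
    if not r.evidenceRefs:
        problems.append("evidenceRefs must be non-empty")
    if r.installState in FAILURE_STATES and not r.failureReason:
        problems.append(f"failureReason required for state {r.installState}")
    if r.installState == "rolled_back" and not r.rollbackRef:
        problems.append("rollbackRef required for rolled_back")
    if r.installState not in PRE_MANIFEST_STATES:
        manifest = r.manifest or {}
        for key in ("manifestRef", "manifestDigest", "resolvedAt"):
            if not manifest.get(key):
                problems.append(f"manifest.{key} missing")
    if r.installState in VERIFIED_STATES and not all(a.get("verified") for a in r.artifacts):
        problems.append(f"state {r.installState} requires every artifact digest to verify")
    for a in r.artifacts:
        if not a.get("artifactRef") or not a.get("digest"):
            problems.append("artifact entries need artifactRef and digest")
    return problems


def log_line(r: RuntimeInstallReceipt) -> str:
    """Operational log record: compact_receipt_ref mode emits only the receipt id, state
    and evidence refs; the manifest and artifact details never reach ordinary logs."""
    if r.logMode != DEFAULT_LOG_MODE:
        raise ValueError(f"unsupported logMode {r.logMode!r}")  # only the default mode is modelled
    return json.dumps({"receiptId": r.receiptId, "installState": r.installState,
                       "evidenceRefs": r.evidenceRefs}, sort_keys=True)


def evidence_bundle(r: RuntimeInstallReceipt) -> str:
    """Full receipt, manifest and artifact records included, destined for the evidence store."""
    return json.dumps(asdict(r), sort_keys=True)


def sample(state: str, **overrides) -> RuntimeInstallReceipt:
    """Constructed sample receipt for one install state; all values here are made up."""
    base = dict(receiptId="rir-0001", sessionRef="sess-1", capabilityLedgerRef="ledger-1",
                runtimeRef="rt-1", runtimeName="python", runtimeVersion="3.12.1",
                targetRef="host-1", platform="linux/amd64", installState=state,
                policyDecisionRef="pd-1", requestedAt="2024-01-01T00:00:00Z",
                updatedAt="2024-01-01T00:01:00Z", evidenceRefs=["ev-1"],
                manifest={"manifestRef": "man-1", "manifestDigest": sha256_ref(b"manifest"),
                          "resolvedAt": "2024-01-01T00:00:30Z"})
    base.update(overrides)
    return RuntimeInstallReceipt(**base)
```

The split between `log_line` and `evidence_bundle` is the point of the logging requirement: the operational log carries only ids and references, so a digest mismatch or a denied install is visible from the log without the manifest or artifact payloads ever being written there, and the full record is fetched from the evidence store by `receiptId` when an investigation needs it. The validator returns a list rather than raising so that a caller can attach every violation to the receipt's evidence instead of stopping at the first one.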

Notes

This issue complements:

Together these implement the full runtime observability and capability governance contract family downstream.
