Implement Host Runtime lifecycle coordinator contract #11

@mdheller

Description

Parent standard: SocioProphet/prophet-platform-standards#12

Purpose

SourceOS Shell should own the host-runtime lifecycle coordinator implied by Host Runtime Contract v0.1. This is the shell-level implementation issue for identity readiness, capability graph readiness, session readiness, local runtime coordination, diagnostic export, and shutdown choreography.

Required lifecycle states

BOOT
  -> LOCAL_READY
  -> IDENTITY_PENDING
  -> IDENTITY_CONFIRMED
  -> ORG_POLICY_LOADING
  -> ORG_POLICY_READY
  -> CAPABILITY_GRAPH_READY
  -> SESSION_READY
  -> RUNNING
  -> DRAINING
  -> CLEANUP_RUNNING
  -> QUIT_READY

Implementation scope

  • Add lifecycle state machine module.
  • Require each subsystem to declare its minimum readiness state.
  • Block plugin/marketplace/scheduled-task/session restore operations until identity/org/policy prerequisites are satisfied.
  • Add host runtime diagnostic redaction defaults.
  • Add local-first/offline degraded mode states.
  • Add ordered shutdown DAG for sessions, PTYs, MCP servers, file watchers, local runtime lanes, and receipt flushing.

Acceptance criteria

  • Startup does not call org-bound services before org policy is ready.
  • Subsystems cannot initialize before their declared readiness gate.
  • Lifecycle transitions emit structured host lifecycle events.
  • Diagnostic export hashes or elides local paths, account IDs, org IDs, token-cache keys, session IDs, and runtime IDs by default.
  • Shutdown is a typed DAG with timeout/failure classification.
  • Host lifecycle tests cover normal startup, delayed identity, offline startup, failed policy load, and graceful shutdown.
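The state machine, per-subsystem readiness gates and structured transition events described above, as an added example that is not the SourceOS Shell project's own code. The state names come from the issue; the class, method and event names are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Ordered host lifecycle states from the issue; a transition may only advance
# to the next state in this list (forward-only, no skipping).
STATES = [
    "BOOT", "LOCAL_READY", "IDENTITY_PENDING", "IDENTITY_CONFIRMED",
    "ORG_POLICY_LOADING", "ORG_POLICY_READY", "CAPABILITY_GRAPH_READY",
    "SESSION_READY", "RUNNING", "DRAINING", "CLEANUP_RUNNING", "QUIT_READY",
]
RANK = {name: i for i, name in enumerate(STATES)}


class ReadinessGateError(RuntimeError):
    """Raised when a subsystem tries to initialize before its readiness gate."""


@dataclass
class HostLifecycle:  # hypothetical coordinator, not the project's API
    state: str = "BOOT"
    gates: dict = field(default_factory=dict)   # subsystem -> minimum state
    events: list = field(default_factory=list)  # structured lifecycle events
    initialized: set = field(default_factory=set)

    def declare(self, subsystem: str, min_state: str) -> None:
        """Each subsystem must declare the minimum state it may start in."""
        if min_state not in RANK:
            raise ValueError(f"unknown lifecycle state: {min_state}")
        self.gates[subsystem] = min_state

    def advance(self, target: str) -> None:
        """Move to the next state only; emit a structured event for it."""
        if RANK.get(target) != RANK[self.state] + 1:
            raise ValueError(f"illegal transition {self.state} -> {target}")
        self.events.append({"event": "host.lifecycle.transition",
                            "from": self.state, "to": target})
        self.state = target

    def initialize(self, subsystem: str) -> None:
        """Start a subsystem, refusing if the host has not reached its gate."""
        gate = self.gates.get(subsystem)
        if gate is None:
            raise ReadinessGateError(f"{subsystem} declared no readiness state")
        if RANK[self.state] < RANK[gate]:
            raise ReadinessGateError(
                f"{subsystem} needs {gate}, host is only at {self.state}")
        self.initialized.add(subsystem)
        self.events.append({"event": "host.subsystem.initialized",
                            "subsystem": subsystem, "state": self.state})
```

Plugin or marketplace subsystems that declare `ORG_POLICY_READY` as their gate are therefore refused while the host is still in the identity or policy-loading states, and an undeclared subsystem is refused outright.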
