From fa6a00302267e42d08cffe06fd0fe44ff9f10fc2 Mon Sep 17 00:00:00 2001
From: Michael Heller <21163552+mdheller@users.noreply.github.com>
Date: Tue, 16 Jun 2026 12:16:58 -0400
Subject: [PATCH 1/2] feat(spec): add .sourceos/manifest.json

Declares this repo to sourceos-spec: domain boot, ownedSchemas [BootReleaseSet], policyClass critical. Surfaces the efiVarsMutable and rollback.forced dangerous surfaces.
---
 .sourceos/manifest.json | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 .sourceos/manifest.json

diff --git a/.sourceos/manifest.json b/.sourceos/manifest.json
new file mode 100644
index 0000000..de66270
--- /dev/null
+++ b/.sourceos/manifest.json
@@ -0,0 +1,25 @@
+{
+ "repo": "SourceOS-Linux/sourceos-boot",
+ "domain": "boot",
+ "specVersion": "0.1.0",
+ "ownedSchemas": [
+ "BootReleaseSet"
+ ],
+ "syncEngines": [],
+ "sourceChannels": [],
+ "policyClasses": [
+ "critical"
+ ],
+ "auditEvents": [
+ "boot.rollback.planned",
+ "boot.rollback.applied",
+ "boot.rollback.denied",
+ "boot.chain.validated"
+ ],
+ "dangerousSurfaces": [
+ "boot.efi_vars_mutable",
+ "boot.rollback.forced",
+ "boot.generation.deletion"
+ ],
+ "notes": "Asahi Linux boot chain model for Apple Silicon. efiVarsMutable must always be false — mutating EFI vars on M1/M2 can prevent macOS from booting."
+}

From 52034bffa010c506344469758f897edaf1acc6d7 Mon Sep 17 00:00:00 2001
From: Michael Heller <21163552+mdheller@users.noreply.github.com>
Date: Tue, 16 Jun 2026 12:19:48 -0400
Subject: [PATCH 2/2] fix(ci): add jsonschema to test dependencies

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0dac4eb..5136f57 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
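Review bot: In `.sourceos/manifest.json`, the rule that `efiVarsMutable` must always be false is stated only in the free-text `notes` string, so nothing in this file can enforce it. If the BootReleaseSet schema or its validator does not already reject a true value (neither is visible in this patch), I would pin it there, for example with `"const": false` on that property, and add a test that a document setting it to true fails validation. The surface is also listed as `boot.efi_vars_mutable` while the note and the commit message call it `efiVarsMutable`; using one spelling makes the dangerous surface easier to trace from policy to schema.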
@@ -24,5 +24,5 @@ jobs:
 run: python src/sourceos_boot/validate_boot_release_set.py examples/boot-release-set.example.json
 - name: Run tests
 run: |
- python -m pip install --upgrade pip pytest
+ python -m pip install --upgrade pip pytest jsonschema
 python -m pytest
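Review bot: The install line in the `Run tests` step pulls `pip`, `pytest` and now `jsonschema` at whatever version is newest when the job runs, so for a repo whose manifest declares policy class `critical` the boot-release validation tests can silently pick up an unreviewed upstream release. I would install from a pinned, hash-checked requirements file instead, e.g. `python -m pip install --require-hashes -r <pinned-requirements-file>` (placeholder path). The validator step on the first context line runs before this install; if that script imports `jsonschema`, the package has to be available earlier, which cannot be confirmed here because that step starts outside the hunk.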