Define SourceOS/SociOS catalog publication authority for build evidence #62

@mdheller

Summary

Define and implement the SourceOS/SociOS catalog publication authority boundary for build evidence produced by the smoke-runner image lane and future OS build lanes.

The current pipeline emits evidence and publication receipts, but it intentionally does not claim final catalog authority.

Background

Merged upstream work now provides:

  • Foreman/Katello lifecycle scaffolding
  • Smart Proxy/site-edge scaffolding
  • live ISO smoke runner
  • smoke-runner image build/SBOM/scan/provenance/evidence pipeline
  • disabled-by-default promotion and publication receipts

What remains is deciding where publication authority lives and how the catalog accepts evidence.

Scope

Define:

  • canonical catalog authority repo/service for SourceOS/SociOS build artifacts
  • object shape for catalog publication requests
  • evidence bundle requirements
  • promotion/release gate requirements
  • how publication relates to sourceos-spec CatalogEntry / EvidenceBundle objects
  • whether publication is local-only, remote, or both
  • how agentplane execution evidence references are carried into the catalog

Acceptance criteria

  • Decision record or spec section defines catalog publication authority
  • Publication request/receipt object shape is documented
  • Required evidence set is enumerated
  • Relationship to sourceos-spec CatalogEntry and EvidenceBundle is documented
  • Relationship to agentplane validation/run/replay artifacts is documented
  • Follow-on implementation PR is identified if this issue remains design-only

Non-goals

  • Do not enable automatic publication by default
  • Do not hardcode registry credentials or secrets
  • Do not collapse SourceOS artifact truth into the automation repo

Progress impact

Completing this closes the remaining catalog-authority portion of SourceOS/SociOS OS build substrate v0.
