Harden BootReleaseSet control-plane contract#65

Merged: mdheller merged 2 commits into main from feature/boot-release-set-v0-hardening, Apr 29, 2026

@mdheller
Contributor

Summary

Hardens the control-plane BootReleaseSet contract so it can act as the SourceOS bootable ReleaseSet object for live, installer, rescue, rollback, and bootstrap lanes.

Scope

  • Adds boot_channel to distinguish live/install/rescue/rollback/bootstrap semantics.
  • Adds platform entrypoints for Apple Silicon and portable UEFI/iPXE-style targets.
  • Adds signed manifest semantics with signer, signature algorithm, and manifest digest.
  • Adds policy linkage via policy_ref.
  • Adds explicit boot capabilities for disk write posture, network requirement, kexec posture, and recovery actions.
  • Adds proof reporting requirements.
  • Adds signed offline fallback posture.
  • Updates the M2 demo boot_release_set.json example to prove the operational shape.

Non-goals

  • Does not implement boot execution.
  • Does not add host-mutating behavior.
  • Does not claim production installer readiness.
  • Does not change unrelated schema families.

Validation

Expected:

make validate

This is the contract required before SourceOS-Linux/sourceos-boot implements the live/recovery/proof path.

@mdheller mdheller merged commit 617e160 into main Apr 29, 2026
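
A consumer-side pre-check for the contract described in this pull request, added here as an illustration and not code from the pull request or the SourceOS project. Only boot_channel and policy_ref are field names from the page; signed_manifest, its sub-fields, the sha256:<hex> digest format and the ed25519 allow-list are assumptions, and the signature itself is not verified here.

```python
import hashlib
import hmac
import json

# The five lanes named in the PR description.
BOOT_CHANNELS = {"live", "install", "rescue", "rollback", "bootstrap"}
# Assumed allow-list; the page does not say which algorithms the schema accepts.
ALLOWED_SIG_ALGS = {"ed25519"}


def check_boot_release_set(doc: dict, manifest_bytes: bytes) -> list[str]:
    """Return a list of problems; an empty list means the pre-checks passed.

    Field names other than boot_channel and policy_ref are hypothetical.
    This checks the digest binding only, not the signature.
    """
    problems = []
    if doc.get("boot_channel") not in BOOT_CHANNELS:
        problems.append("boot_channel: unknown or missing")
    if not doc.get("policy_ref"):
        problems.append("policy_ref: missing")

    sm = doc.get("signed_manifest") or {}
    if not sm.get("signer"):
        problems.append("signed_manifest.signer: missing")
    if sm.get("signature_algorithm") not in ALLOWED_SIG_ALGS:
        problems.append("signed_manifest.signature_algorithm: not allowed")

    # Recompute the digest over the exact bytes that will be booted from.
    algo, _, recorded = str(sm.get("manifest_digest", "")).partition(":")
    actual = hashlib.sha256(manifest_bytes).hexdigest().encode()
    if algo != "sha256" or not hmac.compare_digest(recorded.lower().encode(), actual):
        problems.append("signed_manifest.manifest_digest: mismatch")
    return problems


# Constructed sample input, not the project's boot_release_set.json.
MANIFEST = json.dumps({"kernel": "vmlinuz", "initrd": "initrd.img"}).encode()
GOOD = {
    "boot_channel": "rescue",
    "policy_ref": "policy/example",
    "signed_manifest": {
        "signer": "example-signer",
        "signature_algorithm": "ed25519",
        "manifest_digest": "sha256:" + hashlib.sha256(MANIFEST).hexdigest(),
    },
}
TAMPERED = dict(GOOD, boot_channel="debug", policy_ref="")
```

A real consumer would verify the signature over the manifest against a pinned signer key before trusting the recorded digest.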