Latticra

Home / Local validation

Install Evidence and Package Guards

Local validation

Latticra validation records show what can be inspected locally, what has user-local install evidence, and which package lanes remain static, gated, or disposable-VM-only.

Validation Rule

Validate evidence, not production readiness.

The current validation surface is deliberately narrow. It includes user-local Panel install evidence, static package checks, dry-run contracts, and gated VM lanes. It does not claim root installation, distribution approval, daily-driver safety, runtime enforcement, or production security.

01

Read posture

Start from status, non-claims, and the validation source records before running commands.

02

Dry-run Panel

Use the workbench path to generate a local plan and inspect receipts before guarded writes.

03

Verify user-local evidence

Confirm wrappers, prefix, payload tree, desktop entry, icon, receipts, and Seal report-only output.

04

Run static package guards

Use Fedora, Ubuntu, Debian, FreeBSD, and OpenBSD package validation scripts without creating distribution artifacts.

05

Respect hard gates

Disposable VM lanes require snapshot, recovery, consent, and exact target evidence.

Panel Evidence

User-local install evidence exists, and stays narrow.

The current Panel evidence records a Fedora Workstation user-local install with local wrappers, local prefix, receipts, desktop entry, desktop icon, Panel launcher, and a Latticra Seal report-only local report.

verified user-local guarded writes not production
Latticra Panel visual asset for local install and evidence review.
Panel is the human-facing local workbench for plan, receipt, and evidence review.

Evidence Snapshot

The current install claim is bounded by exact fields.

These are the public-facing fields a reader should keep in mind when interpreting local install evidence.

panel_user_local_install_verified 1
seal_report_only_mode 1
root_authority 0
network_authority 0
runtime_enforcement_authority 0
fedora_approval_claimed 0
production_installer_ready 0
daily_driver_install_ready 0

Validation Lanes

Each lane has a different effect boundary.

The package and platform records are useful only when their scope is kept visible.

Panel

User-local install evidence

Fedora Workstation transcript evidence exists for local wrappers, prefix, payload, receipts, desktop entry, icon, launcher, and Seal report-only output.

Panel evidence status
Fedora

Static RPM and disposable VM lanes

Static local RPM validation does not create artifacts. VM RPM validation is gated to disposable Fedora targets with snapshot, recovery, and consent evidence.

RPM validation plan
Ubuntu

Local deb static validation

Checks local package shape for the no-effect CLI payload without running dpkg-buildpackage, debuild, lintian, sbuild, or pbuilder.

Deb static validation
Debian

Local deb static validation

Checks local Debian package shape for the no-effect CLI payload without claiming archive readiness, sponsorship, or ftp-master acceptance.

Debian static validation
FreeBSD

Port static validation

Checks local ports metadata without running make package, poudriere, portlint, or claiming ports-tree submission.

FreeBSD port validation
OpenBSD

Port static validation

Checks local ports metadata with package redistribution disabled until license, checksum, portcheck, and bulk-build evidence exist.

OpenBSD port validation
macOS

Reset/uninstall dry-run contract

Defines future managed-target removal order while deletion, receipt writes, absence verification, and host mutation remain disabled.

macOS dry-run contract

Gate Matrix

Host-facing validation must name its target.

A local command is not automatically an install claim. The gate has to state which target may be touched and what remains forbidden.

Allowed locally

Read status, run no-effect guards, inspect Panel dry-runs, verify user-local evidence, and run static package checks.

Guarded locally

Panel local-prefix writes require explicit local mode, receipts, visible prefix, and no root or network authority.

Disposable VM only

Fedora RPM install/removal validation requires disposable VM target evidence, clean snapshot, recovery path, and operator consent.

Blocked claims

Production installer readiness, distro approval, daily-driver eligibility, immutable host readiness, runtime enforcement, and security-product claims.

Local Commands

Use commands as evidence checks.

These commands are intentionally narrow. Run them from the repository root unless a command names a subdirectory.

Panel dry-run and verification

make -C installer dry-run
make -C installer verify-local

Package static guards

sh scripts/test-fedora-local-rpm-validation-plan.sh
sh scripts/test-ubuntu-local-deb-static-validation.sh

Install evidence and reset contracts

sh scripts/test-latticra-panel-local-install-evidence-status.sh
sh scripts/test-macos-reset-uninstall-dry-run-contract.sh

Source Records

Follow validation claims back to exact files.

These records define the validation boundaries more precisely than a summary page can.

Panel overviewGuided GUI workbench, dry-run-first installer flow, receipts, updater, and user-local evidence. Signed-updater delivery gateClosed signed-delivery gate, local-checkout updater policy, and no-effect update fixtures. Boot preview boundarySeaBIOS/GRUB fixture evidence, no-effect preflight, and blocked QEMU, GRUB, disk image, and bootable OS claims. Packaging readinessFedora, Ubuntu, openSUSE, Debian, BSD, and macOS package-shape lanes with release claims blocked. Panel READMEDry-run-first workbench flow, local install commands, and installed paths. Installer readinessDisposable VM CLI payload evidence, artifact manifest fixture, production gates, and release non-claims. Panel install evidenceFedora user-local install evidence and exact non-claims. Fedora RPM planStatic local RPM validation sequence without artifact creation. Disposable VM laneHard gates for Fedora RPM validation on a disposable VM only. Ubuntu deb static laneLocal-only deb shape checks and archive-readiness non-claims. Debian deb static laneLocal-only deb shape checks and Debian archive-readiness non-claims. FreeBSD port static laneLocal-only ports metadata checks without package or ports-tree claims. OpenBSD port static laneLocal-only ports metadata checks with package redistribution disabled. Debian/BSD source archive contractArchive, checksum, and distinfo blockers before build evidence. macOS reset dry-runManaged-target reset/uninstall contract while deletion remains disabled. Workbench overviewPanel, LC, Nadia, and local authority boundaries. Security boundariesSafe testing, effect gates, runtime boundary, and non-claims. Supply-chain gatesSBOM, artifact integrity, update delivery, runtime authority, and release publication blockers.