Handoff Package Baseline

Status: Locked.

Purpose

Freeze commissioning handoff package behavior so .anpkg export and validation remain explicit and test-backed.

Export core: anolis_workbench/core/exporter.py
Package validator: anolis_workbench/core/package_validator.py
Validation command: contracts/validate-handoff-packages.py
CLI wrapper: anolis_workbench/cli/package_cli.py
Workbench HTTP export route: POST /api/projects/{name}/export
Unit/route tests:
- tests/unit/test_exporter.py
- tests/unit/test_package_validator.py
- tests/unit/test_shell_route_support.py

Package format is zip distribution (.anpkg) of canonical v1 structure:
- machine-profile.yaml
- runtime/anolis-runtime.yaml
- runtime/behaviors/* (if referenced)
- providers/<provider-id>.yaml
- meta/provenance.json
- meta/checksums.sha256
Export is deterministic:
- stable file ordering
- stable zip metadata
- deterministic meta/provenance.json.exported_at derivation
Runtime provider config args are package-relative (providers/<id>.yaml).
Behavior references are package-relative under runtime/behaviors/.
Telemetry tokens are redacted from packaged runtime config content.
Validation enforces:
- structure + checksums
- package-root reference integrity
- runtime schema compatibility
- replay assumptions from clean extracted package root
- optional runtime --check-config replay check when runtime binary is provided

python3 contracts/validate-handoff-packages.py
python3 contracts/validate-handoff-packages.py --runtime-bin <runtime-binary> (optional replay hardening)
python3 -m pytest tests -q

Keep machine-profile schema reuse (schema_version: 1); do not fork a parallel manifest dialect.
Package layout/reference changes require synchronized updates to:
- exporter
- package validator
- contract docs
- tests
Secret handling rules are non-negotiable: token-like values must fail validation.