feat: initial contract — JSON schemas, fixtures, golden path test

Defines the shared API contracts between openboot CLI and openboot.dev:
- remote-config.json: GET /:user/:slug/config response shape
- snapshot.json: POST /api/configs/from-snapshot body shape
- packages.json: GET /api/packages response shape
- auth.json: CLI device auth flow request/response
- Fixtures with example payloads
- Golden path test script for round-trip integrity validation
- CI workflow to validate schemas and notify consumer repos

Author: fullstackjam

.github/workflows/validate.yml

@@ -0,0 +1,76 @@
+name: Validate Contract
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  validate-schemas:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install jsonschema
+        run: pip install jsonschema
+
+      - name: Validate fixtures against schemas
+        run: |
+          python3 -c "
+          import json, jsonschema, sys
+
+          checks = [
+            ('schemas/remote-config.json', 'fixtures/config-v1.json'),
+            ('schemas/snapshot.json', 'fixtures/snapshot-v1.json'),
+          ]
+
+          failed = 0
+          for schema_path, fixture_path in checks:
+            schema = json.load(open(schema_path))
+            data = json.load(open(fixture_path))
+            try:
+              jsonschema.validate(data, schema)
+              print(f'  ✓ {fixture_path} matches {schema_path}')
+            except jsonschema.ValidationError as e:
+              print(f'  ✗ {fixture_path}: {e.message}')
+              failed += 1
+
+          sys.exit(1 if failed else 0)
+          "
+
+      - name: Validate schema files are valid JSON Schema
+        run: |
+          python3 -c "
+          import json, glob, sys
+          failed = 0
+          for f in glob.glob('schemas/*.json'):
+            try:
+              schema = json.load(open(f))
+              assert '\$schema' in schema, 'missing \$schema'
+              print(f'  ✓ {f} is valid')
+            except Exception as e:
+              print(f'  ✗ {f}: {e}')
+              failed += 1
+          sys.exit(1 if failed else 0)
+          "
+
+  notify-consumers:
+    needs: validate-schemas
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        repo: [openboot, openboot.dev]
+    steps:
+      - name: Trigger consumer CI
+        uses: peter-evans/repository-dispatch@v3
+        with:
+          token: ${{ secrets.CONTRACT_DISPATCH_TOKEN }}
+          repository: openbootdotdev/${{ matrix.repo }}
+          event-type: contract-updated
+          client-payload: '{"ref": "${{ github.sha }}"}'

README.md

@@ -0,0 +1,48 @@
+# openboot-contract
+
+Shared API contracts between [openboot](https://github.com/openbootdotdev/openboot) (Go CLI) and [openboot.dev](https://github.com/openbootdotdev/openboot.dev) (SvelteKit server).
+
+## Why
+
+The CLI is a binary on users' machines — it can't be updated instantly when the server changes. This repo defines the data shapes both sides agree on, and CI enforces they stay in sync.
+
+## Structure
+
+```
+schemas/          JSON Schema definitions (source of truth)
+  remote-config.json    GET /:user/:slug/config response
+  snapshot.json         POST /api/configs/from-snapshot body
+  packages.json         GET /api/packages response
+  auth.json             CLI device auth flow
+
+fixtures/         Example payloads that match the schemas
+  config-v1.json
+  snapshot-v1.json
+
+golden-path/      End-to-end validation scripts
+  test.sh               Round-trip integrity + live API checks
+```
+
+## How it works
+
+1. **Contract changes** → PR to this repo → CI validates schemas + fixtures
+2. **On merge** → CI triggers both consumer repos via `repository_dispatch`
+3. **Consumer CI** → clones this repo, validates their responses against schemas
+4. **Any mismatch** → CI fails → change must be coordinated across repos
+
+## Local usage
+
+```bash
+# Validate fixtures against schemas (needs python3 + jsonschema)
+pip install jsonschema
+./golden-path/test.sh
+
+# With a running server
+SERVER_URL=http://localhost:5173 ./golden-path/test.sh
+```
+
+## Rules
+
+- **Only add fields, never remove** — CLI binaries in the wild depend on existing fields
+- **Schema changes require a PR** — no direct pushes to main
+- **Fixtures must always pass** — if you change a schema, update fixtures to match

fixtures/config-v1.json

@@ -0,0 +1,42 @@
+{
+  "username": "testuser",
+  "slug": "dev-setup",
+  "name": "Developer Setup",
+  "preset": "developer",
+  "packages": [
+    { "name": "git", "desc": "Distributed version control system" },
+    { "name": "curl", "desc": "Transfer data with URLs" },
+    { "name": "jq", "desc": "JSON processor for command line" },
+    { "name": "homebrew/cask-fonts/font-fira-code", "desc": "Fira Code font" }
+  ],
+  "casks": [
+    { "name": "visual-studio-code", "desc": "Code editor with extensions and debugging" },
+    { "name": "docker", "desc": "Platform for building and running containers" }
+  ],
+  "taps": [
+    "homebrew/cask-fonts"
+  ],
+  "npm": [
+    { "name": "typescript", "desc": "Typed superset of JavaScript" },
+    { "name": "eslint", "desc": "Linter for JavaScript and TypeScript" }
+  ],
+  "dotfiles_repo": "https://github.com/testuser/dotfiles",
+  "post_install": [
+    "echo 'Setup complete!'",
+    "mkdir -p ~/projects"
+  ],
+  "shell": {
+    "oh_my_zsh": true,
+    "theme": "robbyrussell",
+    "plugins": ["git", "zsh-autosuggestions"]
+  },
+  "macos_prefs": [
+    {
+      "domain": "com.apple.dock",
+      "key": "autohide",
+      "type": "bool",
+      "value": "true",
+      "desc": "Auto-hide the Dock"
+    }
+  ]
+}

fixtures/snapshot-v1.json

@@ -0,0 +1,48 @@
+{
+  "version": 1,
+  "captured_at": "2026-03-25T10:00:00Z",
+  "hostname": "test-mac",
+  "packages": {
+    "formulae": ["git", "curl", "jq", "node", "go"],
+    "casks": ["visual-studio-code", "docker", "warp"],
+    "taps": ["homebrew/cask-fonts", "openbootdotdev/tap"],
+    "npm": ["typescript", "eslint", "prettier"]
+  },
+  "macos_prefs": [
+    {
+      "domain": "com.apple.dock",
+      "key": "autohide",
+      "type": "bool",
+      "value": "true",
+      "desc": "Auto-hide the Dock"
+    },
+    {
+      "domain": "NSGlobalDomain",
+      "key": "AppleShowScrollBars",
+      "type": "string",
+      "value": "Always",
+      "desc": ""
+    }
+  ],
+  "git": {
+    "user_name": "Test User",
+    "user_email": "test@example.com"
+  },
+  "dotfiles": {
+    "repo_url": "https://github.com/testuser/dotfiles"
+  },
+  "dev_tools": [
+    { "name": "go", "version": "1.24.0" },
+    { "name": "node", "version": "22.0.0" }
+  ],
+  "matched_preset": "developer",
+  "catalog_match": {
+    "matched": ["git", "curl", "jq"],
+    "unmatched": ["custom-tool"],
+    "match_rate": 0.75
+  },
+  "health": {
+    "failed_steps": [],
+    "partial": false
+  }
+}

golden-path/test.sh

@@ -0,0 +1,163 @@
+#!/bin/bash
+# Golden path end-to-end test.
+# Validates that data survives the full CLI → Server → CLI round-trip.
+#
+# Prerequisites:
+#   - Server running at $SERVER_URL (default: http://localhost:5173)
+#   - CLI binary built at $CLI_BIN (default: openboot in PATH)
+#   - jq installed
+#
+# Usage:
+#   ./golden-path/test.sh
+#   SERVER_URL=https://openboot.dev ./golden-path/test.sh
+#
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+CONTRACT_DIR="$(dirname "$SCRIPT_DIR")"
+SERVER_URL="${SERVER_URL:-http://localhost:5173}"
+PASS=0
+FAIL=0
+
+pass() { PASS=$((PASS + 1)); echo "  ✓ $1"; }
+fail() { FAIL=$((FAIL + 1)); echo "  ✗ $1: $2"; }
+
+echo "Golden Path Test"
+echo "  Server: $SERVER_URL"
+echo "  Schemas: $CONTRACT_DIR/schemas/"
+echo ""
+
+# --- 1. Validate fixtures against schemas ---
+echo "=== Schema Validation ==="
+
+validate_schema() {
+  local schema="$1" fixture="$2" label="$3"
+  # Use ajv-cli if available, otherwise python jsonschema
+  if command -v ajv &>/dev/null; then
+    if ajv validate -s "$schema" -d "$fixture" --spec=draft2020 2>/dev/null; then
+      pass "$label"
+    else
+      fail "$label" "schema validation failed"
+    fi
+  elif python3 -c "import jsonschema" 2>/dev/null; then
+    if python3 -c "
+import json, jsonschema
+schema = json.load(open('$schema'))
+data = json.load(open('$fixture'))
+jsonschema.validate(data, schema)
+" 2>/dev/null; then
+      pass "$label"
+    else
+      fail "$label" "schema validation failed"
+    fi
+  else
+    echo "  - skipped $label (install ajv-cli or python3 jsonschema)"
+  fi
+}
+
+validate_schema \
+  "$CONTRACT_DIR/schemas/remote-config.json" \
+  "$CONTRACT_DIR/fixtures/config-v1.json" \
+  "config fixture matches schema"
+
+validate_schema \
+  "$CONTRACT_DIR/schemas/snapshot.json" \
+  "$CONTRACT_DIR/fixtures/snapshot-v1.json" \
+  "snapshot fixture matches schema"
+
+# --- 2. Live API checks (if server is reachable) ---
+echo ""
+echo "=== Live API Checks ==="
+
+if ! curl -sf "$SERVER_URL/api/health" >/dev/null 2>&1; then
+  echo "  - Server not reachable at $SERVER_URL, skipping live checks"
+else
+  # /api/packages schema check
+  PKGS_RESPONSE=$(curl -sf "$SERVER_URL/api/packages")
+  PKGS_TMP=$(mktemp)
+  echo "$PKGS_RESPONSE" > "$PKGS_TMP"
+  validate_schema \
+    "$CONTRACT_DIR/schemas/packages.json" \
+    "$PKGS_TMP" \
+    "/api/packages matches schema"
+  rm -f "$PKGS_TMP"
+
+  # /api/packages field spot-checks
+  if echo "$PKGS_RESPONSE" | python3 -c "
+import sys, json
+d = json.load(sys.stdin)
+p = d['packages']
+assert len(p) > 50, f'only {len(p)} packages'
+installers = set(x['installer'] for x in p)
+assert installers == {'formula','cask','npm'}, f'missing installer types: {installers}'
+" 2>/dev/null; then
+    pass "/api/packages has 50+ packages with all installer types"
+  else
+    fail "/api/packages" "insufficient packages or missing types"
+  fi
+
+  # Config endpoint check (try known public config)
+  CONFIG_RESPONSE=$(curl -sf "$SERVER_URL/openboot/developer/config" 2>/dev/null || echo '')
+  if [ -n "$CONFIG_RESPONSE" ] && [ "$CONFIG_RESPONSE" != "{}" ]; then
+    CONFIG_TMP=$(mktemp)
+    echo "$CONFIG_RESPONSE" > "$CONFIG_TMP"
+    validate_schema \
+      "$CONTRACT_DIR/schemas/remote-config.json" \
+      "$CONFIG_TMP" \
+      "live config response matches schema"
+    rm -f "$CONFIG_TMP"
+  else
+    echo "  - skipped config check (no public config at /openboot/developer)"
+  fi
+fi
+
+# --- 3. Data round-trip integrity (snapshot → config) ---
+echo ""
+echo "=== Data Round-Trip Integrity ==="
+
+# The critical invariant: fields present in snapshot must survive through
+# server storage and config retrieval. Test with fixture data.
+if python3 -c "
+import json
+
+snapshot = json.load(open('$CONTRACT_DIR/fixtures/snapshot-v1.json'))
+config = json.load(open('$CONTRACT_DIR/fixtures/config-v1.json'))
+
+# Every formulae in snapshot should have a corresponding entry in config.packages
+snap_formulae = set(snapshot['packages']['formulae'])
+config_pkg_names = set(p['name'] for p in config['packages'])
+
+# Every cask in snapshot should appear in config.casks
+snap_casks = set(snapshot['packages']['casks'])
+config_cask_names = set(p['name'] for p in config['casks'])
+
+# Every npm in snapshot should appear in config.npm
+snap_npm = set(snapshot['packages']['npm'])
+config_npm_names = set(p['name'] for p in config['npm'])
+
+# Config entries must have desc field (not empty for known packages)
+for entry in config['packages'] + config['casks'] + config['npm']:
+    assert 'name' in entry, f'missing name in {entry}'
+    assert 'desc' in entry, f'missing desc in {entry}'
+
+# macos_prefs must survive
+assert len(config.get('macos_prefs', [])) > 0, 'macos_prefs lost'
+assert config['macos_prefs'][0]['domain'] == snapshot['macos_prefs'][0]['domain'], 'macos_prefs domain mismatch'
+
+print('All round-trip invariants hold')
+" 2>/dev/null; then
+  pass "fixture data round-trip invariants"
+else
+  fail "round-trip" "data integrity check failed"
+fi
+
+# --- Summary ---
+echo ""
+TOTAL=$((PASS + FAIL))
+echo "Results: $PASS/$TOTAL passed"
+if [ "$FAIL" -gt 0 ]; then
+  echo "FAILED"
+  exit 1
+else
+  echo "ALL PASSED"
+fi