distribution/.agents/subplans/05-artifact-validation.md

# Subplan 05 - Artifact Validation

## Goal

Validate uploaded platform artifacts before publication and channel promotion.

## Common Validation

All artifacts:

- file exists
- size matches upload metadata
- SHA-256 matches
- content type is allowed
- extension matches platform policy
- archive is readable when applicable

## iOS IPA

Validate:

- zip structure
- `.app` bundle exists
- Info.plist can be read
- bundle id matches app policy
- version/build metadata matches release
- provisioning profile mode is classified
- install mode is classified as TestFlight, Enterprise/MDM, or Artifact only

Acceptance:

- The system never implies browser IPA install unless enterprise/MDM manifest
  requirements are met.

## Android APK

Validate:

- APK structure
- manifest package id
- version code/name
- min sdk
- signature presence
- basic metadata extraction

Acceptance:

- APK validator can reject package id mismatch before publication.

## macOS

Validate:

- archive opens
- app bundle or installer package exists
- Info.plist metadata when relevant
- code signing status if tool support exists
- notarization state when provided or checked

Acceptance:

- Notarization can be pending for beta but must satisfy stable policy if
  configured.

## Linux

Validate:

- archive/package opens
- architecture metadata when available
- executable presence
- optional package metadata for deb/rpm/appimage

Acceptance:

- Platform and architecture metadata can drive download labels.

## Windows

Validate:

- exe/msi/zip exists
- authenticode status if supported
- malware scan placeholder status
- architecture metadata when available

Acceptance:

- Stable promotion can require completed scan policy.

## Validation Pipeline

Statuses:

- pending
- passed
- failed
- warning
- skipped

Policy:

- beta/internal may allow warnings.
- stable requires all configured required checks.
- every validation result is auditable.