Vapora/.woodpecker.yaml

when:
  event: [push, tag, manual]
  branch: [main, "agent/**"]

steps:
  - name: test
    image: rust:1.85
    commands:
      - cargo test --workspace

  - name: lint
    image: rust:1.85
    commands:
      - cargo clippy --all-targets --all-features -- -D warnings

  - name: ontoref-validate
    image: ${CI_REGISTRY}/vapora-ci:latest
    environment:
      ONTOREF_ROOT: /workspace/.ontoref
    commands:
      - ontoref validate check-all --fmt json
      - ontoref sync diff --fail-on-drift

  - name: ontoref-gate
    image: ${CI_REGISTRY}/vapora-ci:latest
    environment:
      ONTOREF_ROOT: /workspace/.ontoref
    commands:
      - |
        ontoref describe state --fmt json | nu -c '
          $in | from json | get dimensions
          | where current_state != desired_state
          | each { |d| print $"WARNING: ($d.name) not at desired state: ($d.current_state) → ($d.desired_state)" }
        '

  - name: build-release
    image: rust:1.85
    commands:
      - cargo build --release
    when:
      branch: main

  # RAD_RUN_ID is injected by radicle-ci-broker from the RunResponse.run_id
  # written by radicle-nats-adapter to stdout when the pipeline is triggered.
  # The adapter subscribes to radicle.ci.result.<RAD_RUN_ID> — this subject
  # must match exactly or the adapter times out waiting for a result.
  # Configure the ci-broker to inject RAD_RUN_ID via the webhook env vars.
  - name: publish-result
    image: natsio/nats-box:latest
    secrets:
      - source: nats_auth_token
        target: NATS_AUTH_TOKEN
    environment:
      NATS_URL: nats://nats:4222
    commands:
      - |
        nats pub --server "${NATS_URL}" --creds /dev/stdin \
          "radicle.ci.result.${RAD_RUN_ID}" \
          "{\"run_id\":\"${RAD_RUN_ID}\",\"status\":\"passed\",\"url\":\"${CI_BUILD_LINK}\"}" \
          <<< "token:${NATS_AUTH_TOKEN}"
    when:
      status: success

  - name: publish-failure
    image: natsio/nats-box:latest
    secrets:
      - source: nats_auth_token
        target: NATS_AUTH_TOKEN
    environment:
      NATS_URL: nats://nats:4222
    commands:
      - |
        nats pub --server "${NATS_URL}" --creds /dev/stdin \
          "radicle.ci.result.${RAD_RUN_ID}" \
          "{\"run_id\":\"${RAD_RUN_ID}\",\"status\":\"failed\",\"url\":\"${CI_BUILD_LINK}\"}" \
          <<< "token:${NATS_AUTH_TOKEN}"
    when:
      status: failure
chore: ontology sync + 4 NCL ADRs + landing page update on+re: - core.ncl: 5 new Practice nodes (notification-channels, vapora-capabilities, agent-hot-reload-stable-identity, merkle-audit-trail, notification-channels) + 5 new edges; knowledge-graph-execution-history updated with HNSW+BM25+RRF - state.ncl: production-readiness blocker/catalyst updated (hot-reload complete, BudgetManager/LLMRouter still require restart); ontoref-integration catalyst updated (vapora-ontology/reflection crates, api-catalog.json, nickel contracts) ADRs (NCL): - adr-013: KG hybrid search — HNSW+BM25+RRF, rejected in-process scan - adr-014: capability packages — AgentDefinition→vapora-shared, DashMap shard-before-await constraint - adr-015: Merkle audit trail — SHA-256 hash chain, rejected HMAC - adr-016: agent hot-reload — stable_id=role, learning_profiles survive drain, BudgetManager excluded from reload scope landing page: - 2 new feature boxes: VCS-Agnostic Worktree (jj/git), Ontology Protocol - KG box: 20→28 tests, HNSW+BM25+RRF description - Agents box: 71→82 tests, hot-reload + stable_id - tech stack: Rust 21→23 crates, added jj, Radicle, ontoref badges - status badge: 620→691 tests 2026-04-07 21:06:48 +01:00			`when:`
			`event: [push, tag, manual]`
			`branch: [main, "agent/**"]`

			`steps:`
			`- name: test`
			`image: rust:1.85`
			`commands:`
			`- cargo test --workspace`

			`- name: lint`
			`image: rust:1.85`
			`commands:`
			`- cargo clippy --all-targets --all-features -- -D warnings`

			`- name: ontoref-validate`
			`image: ${CI_REGISTRY}/vapora-ci:latest`
			`environment:`
			`ONTOREF_ROOT: /workspace/.ontoref`
			`commands:`
			`- ontoref validate check-all --fmt json`
			`- ontoref sync diff --fail-on-drift`

			`- name: ontoref-gate`
			`image: ${CI_REGISTRY}/vapora-ci:latest`
			`environment:`
			`ONTOREF_ROOT: /workspace/.ontoref`
			`commands:`
			`- \|`
			`ontoref describe state --fmt json \| nu -c '`
			`$in \| from json \| get dimensions`
			`\| where current_state != desired_state`
			`\| each { \|d\| print $"WARNING: ($d.name) not at desired state: ($d.current_state) → ($d.desired_state)" }`
			`'`

			`- name: build-release`
			`image: rust:1.85`
			`commands:`
			`- cargo build --release`
			`when:`
			`branch: main`

			`# RAD_RUN_ID is injected by radicle-ci-broker from the RunResponse.run_id`
			`# written by radicle-nats-adapter to stdout when the pipeline is triggered.`
			`# The adapter subscribes to radicle.ci.result.<RAD_RUN_ID> — this subject`
			`# must match exactly or the adapter times out waiting for a result.`
			`# Configure the ci-broker to inject RAD_RUN_ID via the webhook env vars.`
			`- name: publish-result`
			`image: natsio/nats-box:latest`
			`secrets:`
			`- source: nats_auth_token`
			`target: NATS_AUTH_TOKEN`
			`environment:`
			`NATS_URL: nats://nats:4222`
			`commands:`
			`- \|`
			`nats pub --server "${NATS_URL}" --creds /dev/stdin \`
			`"radicle.ci.result.${RAD_RUN_ID}" \`
			`"{\"run_id\":\"${RAD_RUN_ID}\",\"status\":\"passed\",\"url\":\"${CI_BUILD_LINK}\"}" \`
			`<<< "token:${NATS_AUTH_TOKEN}"`
			`when:`
			`status: success`

			`- name: publish-failure`
			`image: natsio/nats-box:latest`
			`secrets:`
			`- source: nats_auth_token`
			`target: NATS_AUTH_TOKEN`
			`environment:`
			`NATS_URL: nats://nats:4222`
			`commands:`
			`- \|`
			`nats pub --server "${NATS_URL}" --creds /dev/stdin \`
			`"radicle.ci.result.${RAD_RUN_ID}" \`
			`"{\"run_id\":\"${RAD_RUN_ID}\",\"status\":\"failed\",\"url\":\"${CI_BUILD_LINK}\"}" \`
			`<<< "token:${NATS_AUTH_TOKEN}"`
			`when:`
			`status: failure`