ontoref/Dockerfile

ARG IMAGE_BASE=reg.librecloud.online/lamina
ARG RUST_VERSION=1.89

# Pull nickel binary from the lamina nickel layer — named stage makes ARG expansion reliable
FROM ${IMAGE_BASE}/nickel:${RUST_VERSION} AS nickel-layer

# Builder: lamina rust layer provides cargo, rustc, sccache, cargo-chef
FROM ${IMAGE_BASE}/rust:${RUST_VERSION} AS builder

WORKDIR /build
ENV CARGO_TARGET_DIR=/build/target

# stratumiops source injected via --build-context stratumiops=../stratumiops
# Resolves to /stratumiops — matches ../../../stratumiops relative path from crates/ontoref-daemon/
COPY --from=stratumiops . /stratumiops

COPY Cargo.toml Cargo.lock ./
COPY crates ./crates

RUN cargo build --release --bin ontoref-daemon

# Runtime: minimal base + nickel (for NCL export at runtime) + daemon binary
FROM alpine:3.21

RUN apk add --no-cache ca-certificates

COPY --from=nickel-layer /usr/local/bin/nickel /usr/local/bin/nickel
COPY --from=builder /build/target/release/ontoref-daemon /usr/local/bin/ontoref-daemon

EXPOSE 7891

ENTRYPOINT ["ontoref-daemon"]
feat: #[onto_mcp_tool] catalog, OCI credential vault layer, validate ADR-018 mode hierarchy ontoref-derive: #[onto_mcp_tool] attribute macro registers MCP tool unit-structs in the catalog at link time via inventory::submit!; annotated item is emitted unchanged, ToolBase/AsyncTool impls stay on the struct. All 34 tools migrated from manual wiring (net +5: ontoref_list_projects, ontoref_search, ontoref_describe, ontoref_list_ontology_extensions, ontoref_get_ontology_extension). validate modes (ADR-018): reads level_hierarchy from workflow.ncl and checks every .ncl mode for level declared, strategy declared, delegate chain coherent, compose extends valid. mode resolve <id> shows which hierarchy level handles a mode and why. --self-test generates synthetic fixtures in a temp dir for CI smoke-testing. validate run-cargo: two-step Cargo.toml resolution — workspace layout first (crates/<check.crate>/Cargo.toml), single-crate fallback by package name or repo basename. Lets the same ADR constraint shape apply to workspace and single-crate repos. ontology/schemas/manifest.ncl: registry_topology_type contract — multi-registry coordination, push targets, participant scopes, per-namespace capability. reflection/requirements/base.ncl: oras ≥1.2.0, cosign ≥2.0.0, sops ≥3.9.0, age ≥1.1.0, restic declared as Hard/Soft requirements with version_min, check_cmd, and install_hint (ADR-017 toolchain surface). ADR-019: per-file recipient routing for tenant isolation without multi-vault. Schema additions: sops.recipient_groups + sops.recipient_rules in ontoref-project.ncl. secrets-bootstrap generates .sops.yaml from project.ncl in declarative mode. Three new secrets-audit checks: recipient-routing-coherent, recipient-routing-coverage, no-multi-vault. Adoption templates: single-team/, multi-tenant/, agent-first/. Integration templates: domain-producer/, mode-producer/, mode-consumer/. UI: project_picker surfaces registry badge (⟳ participant) and vault badge (⛁ vault_id · N, green=declarative / amber=legacy) per project card. Expanded panel adds collapsible Registry section with namespace, endpoint, and push/pull capability. manage.html gains Runtime Services card — MCP and GraphQL toggleable without restart via HTMX POST /ui/manage/services/{service}/toggle. describe.nu: capabilities JSON includes registry_topology and vault_state per project. sync.nu: drift check extended to detect //! absence on newly registered crates. qa.ncl: six entries — credential-vault-best-practice (layered data-flow diagram), credential-vault-templates (paths A/B/C), credential-vault-troubleshooting (15 named errors), integration-what-and-why (ADR-042 OCI federation), integration-how-to-implement, integration-troubleshooting. on+re: core.ncl + manifest.ncl updated to reflect OCI, MCP, and mode-hierarchy nodes. Deleted stale presentation assets (2026-02 slides + voice notes). 2026-05-12 04:46:15 +01:00			`ARG IMAGE_BASE=reg.librecloud.online/lamina`
			`ARG RUST_VERSION=1.89`

			`# Pull nickel binary from the lamina nickel layer — named stage makes ARG expansion reliable`
			`FROM ${IMAGE_BASE}/nickel:${RUST_VERSION} AS nickel-layer`

			`# Builder: lamina rust layer provides cargo, rustc, sccache, cargo-chef`
			`FROM ${IMAGE_BASE}/rust:${RUST_VERSION} AS builder`

			`WORKDIR /build`
			`ENV CARGO_TARGET_DIR=/build/target`

			`# stratumiops source injected via --build-context stratumiops=../stratumiops`
			`# Resolves to /stratumiops — matches ../../../stratumiops relative path from crates/ontoref-daemon/`
			`COPY --from=stratumiops . /stratumiops`

			`COPY Cargo.toml Cargo.lock ./`
			`COPY crates ./crates`

			`RUN cargo build --release --bin ontoref-daemon`

			`# Runtime: minimal base + nickel (for NCL export at runtime) + daemon binary`
			`FROM alpine:3.21`

			`RUN apk add --no-cache ca-certificates`

			`COPY --from=nickel-layer /usr/local/bin/nickel /usr/local/bin/nickel`
			`COPY --from=builder /build/target/release/ontoref-daemon /usr/local/bin/ontoref-daemon`

			`EXPOSE 7891`

			`ENTRYPOINT ["ontoref-daemon"]`