ontoref/ontology/schemas/bootstrap.ncl

# bootstrap.ncl — contract for NCL configs delivered via pipe to a process.
#
# A Bootstrapable config satisfies three properties:
#   1. Exportable to JSON by `nickel export` without side effects or system calls
#   2. Contains no secret values — secrets are injected at bootstrap time (SOPS/Vault)
#   3. Declares _bootstrapable = true as a machine-checkable marker
#
# Usage in a config file:
#   let B = import "ontology/schemas/bootstrap.ncl" in
#   { ... } | B.Bootstrapable

{
  # Secret reference — a placeholder that the bootstrap pipeline resolves via SOPS or Vault.
  # The NCL file stores only the reference, never the value.
  SecretRef = {
    _secret_ref | Bool | default = true,
    source      | [| 'sops, 'vault, 'env |],
    path        | String,
  },

  # Core contract: any config NCL to be used with ncl-bootstrap must satisfy this.
  Bootstrapable = {
    _bootstrapable | Bool | default = true,
  },

  # Pipeline stage descriptor — documents what each stage does.
  # Used in ADR rationale and tooling introspection.
  Stage = {
    name        | String,
    command     | String,
    purpose     | String,
    secrets     | Bool | default = false,
    required    | Bool | default = true,
  },

  # Full bootstrap pipeline declaration — optional, for self-documenting configs.
  Pipeline = {
    stages  | Array Stage,
    target  | String,   # the final process command
    stdin_flag | String | default = "--config-stdin",
  },
}
feat: unified auth model, project onboarding, install pipeline, config management The full scope across this batch: POST /sessions key→token exchange, SessionStore dual-index with revoke_by_id, CLI Bearer injection (ONTOREF_TOKEN), ontoref setup --gen-keys, install scripts, daemon config form roundtrip, ADR-004/005, on+re self-description update (fully-self-described), and landing page refresh. 2026-03-13 20:56:31 +00:00			`# bootstrap.ncl — contract for NCL configs delivered via pipe to a process.`
			`#`
			`# A Bootstrapable config satisfies three properties:`
			# 1. Exportable to JSON by `nickel export` without side effects or system calls
			`# 2. Contains no secret values — secrets are injected at bootstrap time (SOPS/Vault)`
			`# 3. Declares _bootstrapable = true as a machine-checkable marker`
			`#`
			`# Usage in a config file:`
			`# let B = import "ontology/schemas/bootstrap.ncl" in`
			`# { ... } \| B.Bootstrapable`

			`{`
			`# Secret reference — a placeholder that the bootstrap pipeline resolves via SOPS or Vault.`
			`# The NCL file stores only the reference, never the value.`
			`SecretRef = {`
			`_secret_ref \| Bool \| default = true,`
			`source \| [\| 'sops, 'vault, 'env \|],`
			`path \| String,`
			`},`

			`# Core contract: any config NCL to be used with ncl-bootstrap must satisfy this.`
			`Bootstrapable = {`
			`_bootstrapable \| Bool \| default = true,`
			`},`

			`# Pipeline stage descriptor — documents what each stage does.`
			`# Used in ADR rationale and tooling introspection.`
			`Stage = {`
			`name \| String,`
			`command \| String,`
			`purpose \| String,`
			`secrets \| Bool \| default = false,`
			`required \| Bool \| default = true,`
			`},`

			`# Full bootstrap pipeline declaration — optional, for self-documenting configs.`
			`Pipeline = {`
			`stages \| Array Stage,`
			`target \| String, # the final process command`
			`stdin_flag \| String \| default = "--config-stdin",`
			`},`
			`}`