feat: unified auth model, project onboarding, install pipeline, config management
The full scope across this batch: POST /sessions key→token exchange, SessionStore dual-index with revoke_by_id, CLI Bearer injection (ONTOREF_TOKEN), ontoref setup
--gen-keys, install scripts, daemon config form roundtrip, ADR-004/005, on+re self-description update (fully-self-described), and landing page refresh.
2026-03-13 20:56:31 +00:00
|
|
|
# ~/.config/ontoref/config.ncl — ontoref-daemon runtime configuration
|
|
|
|
|
#
|
|
|
|
|
# Edit interactively:
|
|
|
|
|
# ontoref config-edit (typedialog-web roundtrip, browser form)
|
|
|
|
|
# Validate:
|
|
|
|
|
# nickel typecheck ~/.config/ontoref/config.ncl
|
|
|
|
|
# Apply (NCL pipe bootstrap, ADR-004):
|
|
|
|
|
# ontoref-daemon-boot
|
|
|
|
|
# ontoref-daemon-boot --dry-run # preview composed JSON
|
|
|
|
|
|
|
|
|
|
let Port = std.contract.from_predicate
|
|
|
|
|
(fun p => std.is_number p && p > 1024 && p < 65536)
|
|
|
|
|
in
|
|
|
|
|
|
feat: #[onto_mcp_tool] catalog, OCI credential vault layer, validate ADR-018 mode hierarchy
ontoref-derive: #[onto_mcp_tool] attribute macro registers MCP tool unit-structs in
the catalog at link time via inventory::submit!; annotated item is emitted unchanged,
ToolBase/AsyncTool impls stay on the struct. All 34 tools migrated from manual wiring
(net +5: ontoref_list_projects, ontoref_search, ontoref_describe,
ontoref_list_ontology_extensions, ontoref_get_ontology_extension).
validate modes (ADR-018): reads level_hierarchy from workflow.ncl and checks every
.ncl mode for level declared, strategy declared, delegate chain coherent, compose
extends valid. mode resolve <id> shows which hierarchy level handles a mode and why.
--self-test generates synthetic fixtures in a temp dir for CI smoke-testing.
validate run-cargo: two-step Cargo.toml resolution — workspace layout first
(crates/<check.crate>/Cargo.toml), single-crate fallback by package name or repo
basename. Lets the same ADR constraint shape apply to workspace and single-crate repos.
ontology/schemas/manifest.ncl: registry_topology_type contract — multi-registry
coordination, push targets, participant scopes, per-namespace capability.
reflection/requirements/base.ncl: oras ≥1.2.0, cosign ≥2.0.0, sops ≥3.9.0, age
≥1.1.0, restic declared as Hard/Soft requirements with version_min, check_cmd, and
install_hint (ADR-017 toolchain surface).
ADR-019: per-file recipient routing for tenant isolation without multi-vault. Schema
additions: sops.recipient_groups + sops.recipient_rules in ontoref-project.ncl.
secrets-bootstrap generates .sops.yaml from project.ncl in declarative mode. Three
new secrets-audit checks: recipient-routing-coherent, recipient-routing-coverage,
no-multi-vault. Adoption templates: single-team/, multi-tenant/, agent-first/.
Integration templates: domain-producer/, mode-producer/, mode-consumer/.
UI: project_picker surfaces registry badge (⟳ participant) and vault badge
(⛁ vault_id · N, green=declarative / amber=legacy) per project card. Expanded panel
adds collapsible Registry section with namespace, endpoint, and push/pull capability.
manage.html gains Runtime Services card — MCP and GraphQL toggleable without restart
via HTMX POST /ui/manage/services/{service}/toggle.
describe.nu: capabilities JSON includes registry_topology and vault_state per project.
sync.nu: drift check extended to detect //! absence on newly registered crates.
qa.ncl: six entries — credential-vault-best-practice (layered data-flow diagram),
credential-vault-templates (paths A/B/C), credential-vault-troubleshooting (15 named
errors), integration-what-and-why (ADR-042 OCI federation), integration-how-to-implement,
integration-troubleshooting.
on+re: core.ncl + manifest.ncl updated to reflect OCI, MCP, and mode-hierarchy nodes.
Deleted stale presentation assets (2026-02 slides + voice notes).
2026-05-12 04:46:15 +01:00
|
|
|
let LogLevel = [| 'trace, 'debug, 'info, 'warn, 'error |] in
|
|
|
|
|
let Rotation = [| 'daily, 'hourly, 'never |] in
|
|
|
|
|
let Actor = [| 'developer, 'agent, 'ci, 'admin |] in
|
|
|
|
|
let Severity = [| 'Hard, 'Soft |] in
|
|
|
|
|
let VaultBackend = [| 'restic, 'kopia |] in
|
feat: unified auth model, project onboarding, install pipeline, config management
The full scope across this batch: POST /sessions key→token exchange, SessionStore dual-index with revoke_by_id, CLI Bearer injection (ONTOREF_TOKEN), ontoref setup
--gen-keys, install scripts, daemon config form roundtrip, ADR-004/005, on+re self-description update (fully-self-described), and landing page refresh.
2026-03-13 20:56:31 +00:00
|
|
|
|
|
|
|
|
let KeyRole = [| 'admin, 'viewer |] in
|
|
|
|
|
let KeyEntry = { role | KeyRole, hash | String } in
|
feat: #[onto_mcp_tool] catalog, OCI credential vault layer, validate ADR-018 mode hierarchy
ontoref-derive: #[onto_mcp_tool] attribute macro registers MCP tool unit-structs in
the catalog at link time via inventory::submit!; annotated item is emitted unchanged,
ToolBase/AsyncTool impls stay on the struct. All 34 tools migrated from manual wiring
(net +5: ontoref_list_projects, ontoref_search, ontoref_describe,
ontoref_list_ontology_extensions, ontoref_get_ontology_extension).
validate modes (ADR-018): reads level_hierarchy from workflow.ncl and checks every
.ncl mode for level declared, strategy declared, delegate chain coherent, compose
extends valid. mode resolve <id> shows which hierarchy level handles a mode and why.
--self-test generates synthetic fixtures in a temp dir for CI smoke-testing.
validate run-cargo: two-step Cargo.toml resolution — workspace layout first
(crates/<check.crate>/Cargo.toml), single-crate fallback by package name or repo
basename. Lets the same ADR constraint shape apply to workspace and single-crate repos.
ontology/schemas/manifest.ncl: registry_topology_type contract — multi-registry
coordination, push targets, participant scopes, per-namespace capability.
reflection/requirements/base.ncl: oras ≥1.2.0, cosign ≥2.0.0, sops ≥3.9.0, age
≥1.1.0, restic declared as Hard/Soft requirements with version_min, check_cmd, and
install_hint (ADR-017 toolchain surface).
ADR-019: per-file recipient routing for tenant isolation without multi-vault. Schema
additions: sops.recipient_groups + sops.recipient_rules in ontoref-project.ncl.
secrets-bootstrap generates .sops.yaml from project.ncl in declarative mode. Three
new secrets-audit checks: recipient-routing-coherent, recipient-routing-coverage,
no-multi-vault. Adoption templates: single-team/, multi-tenant/, agent-first/.
Integration templates: domain-producer/, mode-producer/, mode-consumer/.
UI: project_picker surfaces registry badge (⟳ participant) and vault badge
(⛁ vault_id · N, green=declarative / amber=legacy) per project card. Expanded panel
adds collapsible Registry section with namespace, endpoint, and push/pull capability.
manage.html gains Runtime Services card — MCP and GraphQL toggleable without restart
via HTMX POST /ui/manage/services/{service}/toggle.
describe.nu: capabilities JSON includes registry_topology and vault_state per project.
sync.nu: drift check extended to detect //! absence on newly registered crates.
qa.ncl: six entries — credential-vault-best-practice (layered data-flow diagram),
credential-vault-templates (paths A/B/C), credential-vault-troubleshooting (15 named
errors), integration-what-and-why (ADR-042 OCI federation), integration-how-to-implement,
integration-troubleshooting.
on+re: core.ncl + manifest.ncl updated to reflect OCI, MCP, and mode-hierarchy nodes.
Deleted stale presentation assets (2026-02 slides + voice notes).
2026-05-12 04:46:15 +01:00
|
|
|
let ActorKeyBindings = { _ | String } in
|
|
|
|
|
let RecipientGroup = { _ | Array String } in
|
|
|
|
|
let RecipientRule = { path | String, groups | Array String } in
|
|
|
|
|
let SopsConfig = {
|
|
|
|
|
enabled | Bool | default = false,
|
|
|
|
|
vault_id | String | optional,
|
|
|
|
|
vault_backend | VaultBackend | default = 'restic,
|
|
|
|
|
registry_endpoint | String | optional,
|
|
|
|
|
age_key_paths | Array String | default = [],
|
|
|
|
|
master_key_path | String | optional,
|
|
|
|
|
actor_key_bindings | ActorKeyBindings | default = {},
|
|
|
|
|
recipient_groups | RecipientGroup | default = {},
|
|
|
|
|
recipient_rules | Array RecipientRule | default = [],
|
|
|
|
|
} in
|
feat: unified auth model, project onboarding, install pipeline, config management
The full scope across this batch: POST /sessions key→token exchange, SessionStore dual-index with revoke_by_id, CLI Bearer injection (ONTOREF_TOKEN), ontoref setup
--gen-keys, install scripts, daemon config form roundtrip, ADR-004/005, on+re self-description update (fully-self-described), and landing page refresh.
2026-03-13 20:56:31 +00:00
|
|
|
let ProjectEntry = {
|
|
|
|
|
slug | String,
|
|
|
|
|
root | String,
|
|
|
|
|
nickel_import_paths | Array String | default = [],
|
|
|
|
|
keys | Array KeyEntry | default = [],
|
|
|
|
|
remote_url | String | default = "",
|
|
|
|
|
push_only | Bool | default = false,
|
feat: #[onto_mcp_tool] catalog, OCI credential vault layer, validate ADR-018 mode hierarchy
ontoref-derive: #[onto_mcp_tool] attribute macro registers MCP tool unit-structs in
the catalog at link time via inventory::submit!; annotated item is emitted unchanged,
ToolBase/AsyncTool impls stay on the struct. All 34 tools migrated from manual wiring
(net +5: ontoref_list_projects, ontoref_search, ontoref_describe,
ontoref_list_ontology_extensions, ontoref_get_ontology_extension).
validate modes (ADR-018): reads level_hierarchy from workflow.ncl and checks every
.ncl mode for level declared, strategy declared, delegate chain coherent, compose
extends valid. mode resolve <id> shows which hierarchy level handles a mode and why.
--self-test generates synthetic fixtures in a temp dir for CI smoke-testing.
validate run-cargo: two-step Cargo.toml resolution — workspace layout first
(crates/<check.crate>/Cargo.toml), single-crate fallback by package name or repo
basename. Lets the same ADR constraint shape apply to workspace and single-crate repos.
ontology/schemas/manifest.ncl: registry_topology_type contract — multi-registry
coordination, push targets, participant scopes, per-namespace capability.
reflection/requirements/base.ncl: oras ≥1.2.0, cosign ≥2.0.0, sops ≥3.9.0, age
≥1.1.0, restic declared as Hard/Soft requirements with version_min, check_cmd, and
install_hint (ADR-017 toolchain surface).
ADR-019: per-file recipient routing for tenant isolation without multi-vault. Schema
additions: sops.recipient_groups + sops.recipient_rules in ontoref-project.ncl.
secrets-bootstrap generates .sops.yaml from project.ncl in declarative mode. Three
new secrets-audit checks: recipient-routing-coherent, recipient-routing-coverage,
no-multi-vault. Adoption templates: single-team/, multi-tenant/, agent-first/.
Integration templates: domain-producer/, mode-producer/, mode-consumer/.
UI: project_picker surfaces registry badge (⟳ participant) and vault badge
(⛁ vault_id · N, green=declarative / amber=legacy) per project card. Expanded panel
adds collapsible Registry section with namespace, endpoint, and push/pull capability.
manage.html gains Runtime Services card — MCP and GraphQL toggleable without restart
via HTMX POST /ui/manage/services/{service}/toggle.
describe.nu: capabilities JSON includes registry_topology and vault_state per project.
sync.nu: drift check extended to detect //! absence on newly registered crates.
qa.ncl: six entries — credential-vault-best-practice (layered data-flow diagram),
credential-vault-templates (paths A/B/C), credential-vault-troubleshooting (15 named
errors), integration-what-and-why (ADR-042 OCI federation), integration-how-to-implement,
integration-troubleshooting.
on+re: core.ncl + manifest.ncl updated to reflect OCI, MCP, and mode-hierarchy nodes.
Deleted stale presentation assets (2026-02 slides + voice notes).
2026-05-12 04:46:15 +01:00
|
|
|
sops | SopsConfig | optional,
|
feat: unified auth model, project onboarding, install pipeline, config management
The full scope across this batch: POST /sessions key→token exchange, SessionStore dual-index with revoke_by_id, CLI Bearer injection (ONTOREF_TOKEN), ontoref setup
--gen-keys, install scripts, daemon config form roundtrip, ADR-004/005, on+re self-description update (fully-self-described), and landing page refresh.
2026-03-13 20:56:31 +00:00
|
|
|
} in
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
# Nickel import paths used when exporting/typechecking configs that import schemas.
|
|
|
|
|
# Relative paths are resolved from the config file's directory.
|
|
|
|
|
nickel_import_paths | Array String = [],
|
|
|
|
|
|
|
|
|
|
# Registered projects served by this daemon instance.
|
|
|
|
|
# Local projects: populated from projects.ncl (ontoref project-add /path/to/project)
|
|
|
|
|
# Remote projects: populated from remote-projects.ncl (ontoref project-add-remote <url> <slug>)
|
|
|
|
|
projects | Array ProjectEntry = (import "./projects.ncl") @ (import "./remote-projects.ncl"),
|
|
|
|
|
|
|
|
|
|
daemon = {
|
|
|
|
|
port | Port = 7890,
|
|
|
|
|
host | String = "127.0.0.1",
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
db = {
|
|
|
|
|
enabled | Bool = false,
|
|
|
|
|
url | String = "http://localhost:8000/ontoref",
|
|
|
|
|
pool_max | Number = 5,
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
nats_events = {
|
|
|
|
|
enabled | Bool = false,
|
|
|
|
|
url | String = "nats://localhost:4222",
|
|
|
|
|
streams_config | String = "",
|
|
|
|
|
emit | Array String = [],
|
|
|
|
|
subscribe | Array String = [],
|
|
|
|
|
handlers_dir | String = "reflection/handlers",
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
log = {
|
|
|
|
|
level | LogLevel = 'info,
|
|
|
|
|
rotation | Rotation = 'daily,
|
|
|
|
|
max_files | Number = 7,
|
|
|
|
|
compress | Bool = false,
|
|
|
|
|
archive | String = "",
|
|
|
|
|
# Resolved by daemon from platform conventions when empty:
|
|
|
|
|
# macOS: ~/Library/Logs/ontoref/ Linux: ~/.local/state/ontoref/logs/
|
|
|
|
|
path | String = "",
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
cache = {
|
|
|
|
|
# Resolved by daemon from platform conventions when empty:
|
|
|
|
|
# macOS: ~/Library/Caches/ontoref/ Linux: ~/.cache/ontoref/
|
|
|
|
|
path | String = "",
|
|
|
|
|
},
|
|
|
|
|
|
feat: #[onto_mcp_tool] catalog, OCI credential vault layer, validate ADR-018 mode hierarchy
ontoref-derive: #[onto_mcp_tool] attribute macro registers MCP tool unit-structs in
the catalog at link time via inventory::submit!; annotated item is emitted unchanged,
ToolBase/AsyncTool impls stay on the struct. All 34 tools migrated from manual wiring
(net +5: ontoref_list_projects, ontoref_search, ontoref_describe,
ontoref_list_ontology_extensions, ontoref_get_ontology_extension).
validate modes (ADR-018): reads level_hierarchy from workflow.ncl and checks every
.ncl mode for level declared, strategy declared, delegate chain coherent, compose
extends valid. mode resolve <id> shows which hierarchy level handles a mode and why.
--self-test generates synthetic fixtures in a temp dir for CI smoke-testing.
validate run-cargo: two-step Cargo.toml resolution — workspace layout first
(crates/<check.crate>/Cargo.toml), single-crate fallback by package name or repo
basename. Lets the same ADR constraint shape apply to workspace and single-crate repos.
ontology/schemas/manifest.ncl: registry_topology_type contract — multi-registry
coordination, push targets, participant scopes, per-namespace capability.
reflection/requirements/base.ncl: oras ≥1.2.0, cosign ≥2.0.0, sops ≥3.9.0, age
≥1.1.0, restic declared as Hard/Soft requirements with version_min, check_cmd, and
install_hint (ADR-017 toolchain surface).
ADR-019: per-file recipient routing for tenant isolation without multi-vault. Schema
additions: sops.recipient_groups + sops.recipient_rules in ontoref-project.ncl.
secrets-bootstrap generates .sops.yaml from project.ncl in declarative mode. Three
new secrets-audit checks: recipient-routing-coherent, recipient-routing-coverage,
no-multi-vault. Adoption templates: single-team/, multi-tenant/, agent-first/.
Integration templates: domain-producer/, mode-producer/, mode-consumer/.
UI: project_picker surfaces registry badge (⟳ participant) and vault badge
(⛁ vault_id · N, green=declarative / amber=legacy) per project card. Expanded panel
adds collapsible Registry section with namespace, endpoint, and push/pull capability.
manage.html gains Runtime Services card — MCP and GraphQL toggleable without restart
via HTMX POST /ui/manage/services/{service}/toggle.
describe.nu: capabilities JSON includes registry_topology and vault_state per project.
sync.nu: drift check extended to detect //! absence on newly registered crates.
qa.ncl: six entries — credential-vault-best-practice (layered data-flow diagram),
credential-vault-templates (paths A/B/C), credential-vault-troubleshooting (15 named
errors), integration-what-and-why (ADR-042 OCI federation), integration-how-to-implement,
integration-troubleshooting.
on+re: core.ncl + manifest.ncl updated to reflect OCI, MCP, and mode-hierarchy nodes.
Deleted stale presentation assets (2026-02 slides + voice notes).
2026-05-12 04:46:15 +01:00
|
|
|
# Default vault settings (ADR-017). Per-project override in <project>/.ontoref/project.ncl::sops.
|
|
|
|
|
vault = {
|
|
|
|
|
# Path to the master age private key (.kage) used to open project vaults.
|
|
|
|
|
# Empty here = each project must declare sops.master_key_path explicitly.
|
|
|
|
|
master_key_path | String = "",
|
|
|
|
|
# Default vault backend tool. Switching requires re-initializing local repos.
|
|
|
|
|
backend | VaultBackend = 'restic,
|
|
|
|
|
# Cosign keypair for signing/verifying src-vault OCI artifacts.
|
|
|
|
|
# Empty paths = cosign operations error explicitly. No env-var fallback.
|
|
|
|
|
cosign = {
|
|
|
|
|
key_path | String = "", # cosign.key — used by `secrets push` to sign
|
|
|
|
|
pub_path | String = "", # cosign.pub — used by `secrets sync` and verify
|
|
|
|
|
# Upload signature metadata to Rekor (sigstore public transparency log).
|
|
|
|
|
# Default false (private self-hosted model). Set true only if you publish
|
|
|
|
|
# artifacts that need globally verifiable, tamper-evident audit trail.
|
|
|
|
|
# Verification side propagates: false → cosign verify uses --insecure-ignore-tlog.
|
|
|
|
|
tlog | Bool = false,
|
|
|
|
|
# Cosign 2+ requires a --signing-config without Rekor URLs when tlog=false.
|
|
|
|
|
# Generate once with:
|
|
|
|
|
# curl https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/targets/signing_config.v0.2.json \
|
|
|
|
|
# | jq 'del(.rekorTlogUrls) | del(.rekorTlogConfig)' > <path>
|
|
|
|
|
signing_config_path | String = "",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
|
feat: unified auth model, project onboarding, install pipeline, config management
The full scope across this batch: POST /sessions key→token exchange, SessionStore dual-index with revoke_by_id, CLI Bearer injection (ONTOREF_TOKEN), ontoref setup
--gen-keys, install scripts, daemon config form roundtrip, ADR-004/005, on+re self-description update (fully-self-described), and landing page refresh.
2026-03-13 20:56:31 +00:00
|
|
|
ui = {
|
|
|
|
|
# Resolved from platform data dir when empty:
|
|
|
|
|
# macOS: ~/Library/Application Support/ontoref/templates
|
|
|
|
|
# Linux: ~/.local/share/ontoref/templates
|
|
|
|
|
templates_dir | String = "",
|
|
|
|
|
public_dir | String = "",
|
|
|
|
|
logo | String = "ontoref-logo.svg",
|
|
|
|
|
tls_cert | String = "",
|
|
|
|
|
tls_key | String = "",
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
mode_run = {
|
|
|
|
|
rules | Array {
|
|
|
|
|
when | { mode_id | String | optional, actor | String | optional },
|
|
|
|
|
allow | Bool,
|
|
|
|
|
reason | String,
|
|
|
|
|
} = [
|
|
|
|
|
{ when = { mode_id = "validate-ontology" }, allow = true, reason = "validation always allowed" },
|
|
|
|
|
{ when = { actor = "agent" }, allow = true, reason = "agent actor always allowed" },
|
|
|
|
|
{ when = { actor = "ci" }, allow = true, reason = "ci actor always allowed" },
|
|
|
|
|
],
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
actor_init | Array {
|
|
|
|
|
actor | String,
|
|
|
|
|
mode | String,
|
|
|
|
|
auto_run | Bool,
|
|
|
|
|
} = [
|
|
|
|
|
{ actor = "agent", mode = "describe capabilities", auto_run = true },
|
|
|
|
|
{ actor = "developer", mode = "", auto_run = false },
|
|
|
|
|
{ actor = "ci", mode = "", auto_run = false },
|
|
|
|
|
],
|
|
|
|
|
|
|
|
|
|
quick_actions | Array {
|
|
|
|
|
id | String,
|
|
|
|
|
label | String,
|
|
|
|
|
icon | String,
|
|
|
|
|
category | String,
|
|
|
|
|
mode | String,
|
|
|
|
|
actors | Array String,
|
|
|
|
|
} = [
|
|
|
|
|
{
|
|
|
|
|
id = "gen-docs",
|
|
|
|
|
label = "Generate documentation",
|
|
|
|
|
icon = "book-open",
|
|
|
|
|
category = "docs",
|
|
|
|
|
mode = "generate-mdbook",
|
|
|
|
|
actors = ["developer", "agent"],
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
id = "sync-onto",
|
|
|
|
|
label = "Sync ontology",
|
|
|
|
|
icon = "refresh",
|
|
|
|
|
category = "sync",
|
|
|
|
|
mode = "sync-ontology",
|
|
|
|
|
actors = ["developer", "ci", "agent"],
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
id = "coder-workflow",
|
|
|
|
|
label = "Coder workflow",
|
|
|
|
|
icon = "code",
|
|
|
|
|
category = "process",
|
|
|
|
|
mode = "coder-workflow",
|
|
|
|
|
actors = ["developer", "agent"],
|
|
|
|
|
},
|
|
|
|
|
],
|
|
|
|
|
}
|