ontoref/install/resources/schemas/ontoref-project.ncl

# ~/.config/ontoref/schemas/ontoref-project.ncl — ProjectEntry contract.
# Installed by `just install-daemon`. Imported by per-project .ontoref/project.ncl files.

let KeyRole = [| 'admin, 'viewer |] in

let KeyEntry = {
  role  | KeyRole,
  hash  | String,
  label | String | default = "",
} in

# Maps ONTOREF_ACTOR value → role name declared in scopes/<role>.ncl.
# Example: { developer = "developer", ci = "cdci", ontoref = "ontoref" }
let actor_key_bindings_type = { _ | String } in

let VaultBackend = [| 'restic, 'kopia |] in

# Per-file recipient routing (optional). When `recipient_rules` is declared,
# bootstrap generates <vault_dir>/.sops.yaml from these definitions and sops
# encrypts each file with the union of recipient groups matching its path.
# Use case: multi-tenant projects where different clients/agents/teams
# decrypt different credential files within the same vault.
let recipient_group_type = { _ | Array String } in   # group → list of age1... pubkeys

let recipient_rule_type = {
  path   | String,                                   # path_regex relative to vault dir
  groups | Array String,                             # union of these recipient_groups
} in

let SopsConfig = {
  enabled | Bool | default = false,
  # Slug used for ~/.config/ontoref/vaults/<vault_id>/. Defaults to project slug when absent.
  vault_id | String | optional,
  # Restic or kopia. Switching requires re-initializing the local repo.
  vault_backend | VaultBackend | default = 'restic,
  # ZOT registry endpoint where src-vault/<vault_id>:latest is pushed/pulled.
  registry_endpoint | String | optional,
  # Paths to age public key files for each declared recipient (relative or absolute).
  age_key_paths | Array String | default = [],
  # Path to the master age private key (.kage). Overrides the global path in config.ncl.
  # Never store this inside the vault directory or the project root.
  master_key_path | String | optional,
  # ONTOREF_ACTOR → role name binding. Used by credential resolution to select the correct
  # sops-encrypted file in scopes/<role>.ncl before calling oras.
  actor_key_bindings | actor_key_bindings_type | default = {},
  # Per-file recipient routing — empty = use SOPS_AGE_RECIPIENTS env (legacy mode).
  recipient_groups | recipient_group_type    | default = {},
  recipient_rules  | Array recipient_rule_type | default = [],
} in

let ProjectEntry = {
  slug                | String,
  # Absolute local path to the project root. Empty string for push_only projects.
  root                | String,
  # Import paths for nickel export on this project's NCL files (local projects only).
  nickel_import_paths | Array String | default = [],
  # Auth keys for this project. Empty = no auth required.
  keys                | Array KeyEntry | default = [],
  # Remote URL for push_only projects (git, SSH, HTTPS). Informational — not accessed by daemon.
  remote_url          | String | default = "",
  # When true: no local file watch, no NCL import. Project pushes ontology via POST /sync.
  push_only           | Bool   | default = false,
  # Registry credential vault configuration. Absent = no registry credentials declared.
  sops                | SopsConfig | optional,
} in

{
  make_project        = fun fields => fields | ProjectEntry,
  make_remote_project = fun fields => (fields & { push_only = true, root = "", nickel_import_paths = [] }) | ProjectEntry,
}
feat: unified auth model, project onboarding, install pipeline, config management The full scope across this batch: POST /sessions key→token exchange, SessionStore dual-index with revoke_by_id, CLI Bearer injection (ONTOREF_TOKEN), ontoref setup --gen-keys, install scripts, daemon config form roundtrip, ADR-004/005, on+re self-description update (fully-self-described), and landing page refresh. 2026-03-13 20:56:31 +00:00			`# ~/.config/ontoref/schemas/ontoref-project.ncl — ProjectEntry contract.`
			# Installed by `just install-daemon`. Imported by per-project .ontoref/project.ncl files.

			`let KeyRole = [\| 'admin, 'viewer \|] in`

			`let KeyEntry = {`
			`role \| KeyRole,`
			`hash \| String,`
			`label \| String \| default = "",`
			`} in`

feat: #[onto_mcp_tool] catalog, OCI credential vault layer, validate ADR-018 mode hierarchy ontoref-derive: #[onto_mcp_tool] attribute macro registers MCP tool unit-structs in the catalog at link time via inventory::submit!; annotated item is emitted unchanged, ToolBase/AsyncTool impls stay on the struct. All 34 tools migrated from manual wiring (net +5: ontoref_list_projects, ontoref_search, ontoref_describe, ontoref_list_ontology_extensions, ontoref_get_ontology_extension). validate modes (ADR-018): reads level_hierarchy from workflow.ncl and checks every .ncl mode for level declared, strategy declared, delegate chain coherent, compose extends valid. mode resolve <id> shows which hierarchy level handles a mode and why. --self-test generates synthetic fixtures in a temp dir for CI smoke-testing. validate run-cargo: two-step Cargo.toml resolution — workspace layout first (crates/<check.crate>/Cargo.toml), single-crate fallback by package name or repo basename. Lets the same ADR constraint shape apply to workspace and single-crate repos. ontology/schemas/manifest.ncl: registry_topology_type contract — multi-registry coordination, push targets, participant scopes, per-namespace capability. reflection/requirements/base.ncl: oras ≥1.2.0, cosign ≥2.0.0, sops ≥3.9.0, age ≥1.1.0, restic declared as Hard/Soft requirements with version_min, check_cmd, and install_hint (ADR-017 toolchain surface). ADR-019: per-file recipient routing for tenant isolation without multi-vault. Schema additions: sops.recipient_groups + sops.recipient_rules in ontoref-project.ncl. secrets-bootstrap generates .sops.yaml from project.ncl in declarative mode. Three new secrets-audit checks: recipient-routing-coherent, recipient-routing-coverage, no-multi-vault. Adoption templates: single-team/, multi-tenant/, agent-first/. Integration templates: domain-producer/, mode-producer/, mode-consumer/. UI: project_picker surfaces registry badge (⟳ participant) and vault badge (⛁ vault_id · N, green=declarative / amber=legacy) per project card. Expanded panel adds collapsible Registry section with namespace, endpoint, and push/pull capability. manage.html gains Runtime Services card — MCP and GraphQL toggleable without restart via HTMX POST /ui/manage/services/{service}/toggle. describe.nu: capabilities JSON includes registry_topology and vault_state per project. sync.nu: drift check extended to detect //! absence on newly registered crates. qa.ncl: six entries — credential-vault-best-practice (layered data-flow diagram), credential-vault-templates (paths A/B/C), credential-vault-troubleshooting (15 named errors), integration-what-and-why (ADR-042 OCI federation), integration-how-to-implement, integration-troubleshooting. on+re: core.ncl + manifest.ncl updated to reflect OCI, MCP, and mode-hierarchy nodes. Deleted stale presentation assets (2026-02 slides + voice notes). 2026-05-12 04:46:15 +01:00			`# Maps ONTOREF_ACTOR value → role name declared in scopes/<role>.ncl.`
			`# Example: { developer = "developer", ci = "cdci", ontoref = "ontoref" }`
			`let actor_key_bindings_type = { _ \| String } in`

			`let VaultBackend = [\| 'restic, 'kopia \|] in`

			# Per-file recipient routing (optional). When `recipient_rules` is declared,
			`# bootstrap generates <vault_dir>/.sops.yaml from these definitions and sops`
			`# encrypts each file with the union of recipient groups matching its path.`
			`# Use case: multi-tenant projects where different clients/agents/teams`
			`# decrypt different credential files within the same vault.`
			`let recipient_group_type = { _ \| Array String } in # group → list of age1... pubkeys`

			`let recipient_rule_type = {`
			`path \| String, # path_regex relative to vault dir`
			`groups \| Array String, # union of these recipient_groups`
			`} in`

			`let SopsConfig = {`
			`enabled \| Bool \| default = false,`
			`# Slug used for ~/.config/ontoref/vaults/<vault_id>/. Defaults to project slug when absent.`
			`vault_id \| String \| optional,`
			`# Restic or kopia. Switching requires re-initializing the local repo.`
			`vault_backend \| VaultBackend \| default = 'restic,`
			`# ZOT registry endpoint where src-vault/<vault_id>:latest is pushed/pulled.`
			`registry_endpoint \| String \| optional,`
			`# Paths to age public key files for each declared recipient (relative or absolute).`
			`age_key_paths \| Array String \| default = [],`
			`# Path to the master age private key (.kage). Overrides the global path in config.ncl.`
			`# Never store this inside the vault directory or the project root.`
			`master_key_path \| String \| optional,`
			`# ONTOREF_ACTOR → role name binding. Used by credential resolution to select the correct`
			`# sops-encrypted file in scopes/<role>.ncl before calling oras.`
			`actor_key_bindings \| actor_key_bindings_type \| default = {},`
			`# Per-file recipient routing — empty = use SOPS_AGE_RECIPIENTS env (legacy mode).`
			`recipient_groups \| recipient_group_type \| default = {},`
			`recipient_rules \| Array recipient_rule_type \| default = [],`
			`} in`

feat: unified auth model, project onboarding, install pipeline, config management The full scope across this batch: POST /sessions key→token exchange, SessionStore dual-index with revoke_by_id, CLI Bearer injection (ONTOREF_TOKEN), ontoref setup --gen-keys, install scripts, daemon config form roundtrip, ADR-004/005, on+re self-description update (fully-self-described), and landing page refresh. 2026-03-13 20:56:31 +00:00			`let ProjectEntry = {`
			`slug \| String,`
			`# Absolute local path to the project root. Empty string for push_only projects.`
			`root \| String,`
			`# Import paths for nickel export on this project's NCL files (local projects only).`
			`nickel_import_paths \| Array String \| default = [],`
			`# Auth keys for this project. Empty = no auth required.`
			`keys \| Array KeyEntry \| default = [],`
			`# Remote URL for push_only projects (git, SSH, HTTPS). Informational — not accessed by daemon.`
			`remote_url \| String \| default = "",`
			`# When true: no local file watch, no NCL import. Project pushes ontology via POST /sync.`
			`push_only \| Bool \| default = false,`
feat: #[onto_mcp_tool] catalog, OCI credential vault layer, validate ADR-018 mode hierarchy ontoref-derive: #[onto_mcp_tool] attribute macro registers MCP tool unit-structs in the catalog at link time via inventory::submit!; annotated item is emitted unchanged, ToolBase/AsyncTool impls stay on the struct. All 34 tools migrated from manual wiring (net +5: ontoref_list_projects, ontoref_search, ontoref_describe, ontoref_list_ontology_extensions, ontoref_get_ontology_extension). validate modes (ADR-018): reads level_hierarchy from workflow.ncl and checks every .ncl mode for level declared, strategy declared, delegate chain coherent, compose extends valid. mode resolve <id> shows which hierarchy level handles a mode and why. --self-test generates synthetic fixtures in a temp dir for CI smoke-testing. validate run-cargo: two-step Cargo.toml resolution — workspace layout first (crates/<check.crate>/Cargo.toml), single-crate fallback by package name or repo basename. Lets the same ADR constraint shape apply to workspace and single-crate repos. ontology/schemas/manifest.ncl: registry_topology_type contract — multi-registry coordination, push targets, participant scopes, per-namespace capability. reflection/requirements/base.ncl: oras ≥1.2.0, cosign ≥2.0.0, sops ≥3.9.0, age ≥1.1.0, restic declared as Hard/Soft requirements with version_min, check_cmd, and install_hint (ADR-017 toolchain surface). ADR-019: per-file recipient routing for tenant isolation without multi-vault. Schema additions: sops.recipient_groups + sops.recipient_rules in ontoref-project.ncl. secrets-bootstrap generates .sops.yaml from project.ncl in declarative mode. Three new secrets-audit checks: recipient-routing-coherent, recipient-routing-coverage, no-multi-vault. Adoption templates: single-team/, multi-tenant/, agent-first/. Integration templates: domain-producer/, mode-producer/, mode-consumer/. UI: project_picker surfaces registry badge (⟳ participant) and vault badge (⛁ vault_id · N, green=declarative / amber=legacy) per project card. Expanded panel adds collapsible Registry section with namespace, endpoint, and push/pull capability. manage.html gains Runtime Services card — MCP and GraphQL toggleable without restart via HTMX POST /ui/manage/services/{service}/toggle. describe.nu: capabilities JSON includes registry_topology and vault_state per project. sync.nu: drift check extended to detect //! absence on newly registered crates. qa.ncl: six entries — credential-vault-best-practice (layered data-flow diagram), credential-vault-templates (paths A/B/C), credential-vault-troubleshooting (15 named errors), integration-what-and-why (ADR-042 OCI federation), integration-how-to-implement, integration-troubleshooting. on+re: core.ncl + manifest.ncl updated to reflect OCI, MCP, and mode-hierarchy nodes. Deleted stale presentation assets (2026-02 slides + voice notes). 2026-05-12 04:46:15 +01:00			`# Registry credential vault configuration. Absent = no registry credentials declared.`
			`sops \| SopsConfig \| optional,`
feat: unified auth model, project onboarding, install pipeline, config management The full scope across this batch: POST /sessions key→token exchange, SessionStore dual-index with revoke_by_id, CLI Bearer injection (ONTOREF_TOKEN), ontoref setup --gen-keys, install scripts, daemon config form roundtrip, ADR-004/005, on+re self-description update (fully-self-described), and landing page refresh. 2026-03-13 20:56:31 +00:00			`} in`

			`{`
			`make_project = fun fields => fields \| ProjectEntry,`
			`make_remote_project = fun fields => (fields & { push_only = true, root = "", nickel_import_paths = [] }) \| ProjectEntry,`
			`}`