ontoref/install/resources/templates/sops/agent-first/manifest.ncl.snippet

# ───── Path C: agent-first manifest snippet ─────
# Two RegistryEntries: 'primary' for humans (full RW), 'agent-ro' for agents (RO).
# Agent role's scope file should declare ops = ['pull, 'verify, 'list] and
# namespaces restricted to what agents may read.

  registry_provides = m.make_registry_provides {
    participant = "<your-slug>",
    registries  = m.make_registries_config {
      default    = "primary",
      registries = [
        m.make_registry_entry {
          id                 = "primary",
          endpoint           = "<your-zot-host>",
          role               = 'primary,
          tls                = true,
          namespaces = {
            own      = ["domains/<your-slug>/", "modes/<your-slug>/"],
            prefixes = ["domains/<your-slug>/", "modes/<your-slug>/"],
          },
          credential_sops    = "registry/developer-ro.sops.yaml",
          credential_sops_rw = "registry/admin-rw.sops.yaml",
        },
        m.make_registry_entry {
          id                 = "agent-ro",
          endpoint           = "<your-zot-host>",
          role               = 'dev,
          tls                = true,
          namespaces = {
            own      = [],
            prefixes = ["domains/<your-slug>/"],
          },
          credential_sops    = "registry/agent-readonly.sops.yaml",
          # No credential_sops_rw — agents cannot push, full stop.
        },
      ],
    },
  },
feat: #[onto_mcp_tool] catalog, OCI credential vault layer, validate ADR-018 mode hierarchy ontoref-derive: #[onto_mcp_tool] attribute macro registers MCP tool unit-structs in the catalog at link time via inventory::submit!; annotated item is emitted unchanged, ToolBase/AsyncTool impls stay on the struct. All 34 tools migrated from manual wiring (net +5: ontoref_list_projects, ontoref_search, ontoref_describe, ontoref_list_ontology_extensions, ontoref_get_ontology_extension). validate modes (ADR-018): reads level_hierarchy from workflow.ncl and checks every .ncl mode for level declared, strategy declared, delegate chain coherent, compose extends valid. mode resolve <id> shows which hierarchy level handles a mode and why. --self-test generates synthetic fixtures in a temp dir for CI smoke-testing. validate run-cargo: two-step Cargo.toml resolution — workspace layout first (crates/<check.crate>/Cargo.toml), single-crate fallback by package name or repo basename. Lets the same ADR constraint shape apply to workspace and single-crate repos. ontology/schemas/manifest.ncl: registry_topology_type contract — multi-registry coordination, push targets, participant scopes, per-namespace capability. reflection/requirements/base.ncl: oras ≥1.2.0, cosign ≥2.0.0, sops ≥3.9.0, age ≥1.1.0, restic declared as Hard/Soft requirements with version_min, check_cmd, and install_hint (ADR-017 toolchain surface). ADR-019: per-file recipient routing for tenant isolation without multi-vault. Schema additions: sops.recipient_groups + sops.recipient_rules in ontoref-project.ncl. secrets-bootstrap generates .sops.yaml from project.ncl in declarative mode. Three new secrets-audit checks: recipient-routing-coherent, recipient-routing-coverage, no-multi-vault. Adoption templates: single-team/, multi-tenant/, agent-first/. Integration templates: domain-producer/, mode-producer/, mode-consumer/. UI: project_picker surfaces registry badge (⟳ participant) and vault badge (⛁ vault_id · N, green=declarative / amber=legacy) per project card. Expanded panel adds collapsible Registry section with namespace, endpoint, and push/pull capability. manage.html gains Runtime Services card — MCP and GraphQL toggleable without restart via HTMX POST /ui/manage/services/{service}/toggle. describe.nu: capabilities JSON includes registry_topology and vault_state per project. sync.nu: drift check extended to detect //! absence on newly registered crates. qa.ncl: six entries — credential-vault-best-practice (layered data-flow diagram), credential-vault-templates (paths A/B/C), credential-vault-troubleshooting (15 named errors), integration-what-and-why (ADR-042 OCI federation), integration-how-to-implement, integration-troubleshooting. on+re: core.ncl + manifest.ncl updated to reflect OCI, MCP, and mode-hierarchy nodes. Deleted stale presentation assets (2026-02 slides + voice notes). 2026-05-12 04:46:15 +01:00			`# ───── Path C: agent-first manifest snippet ─────`
			`# Two RegistryEntries: 'primary' for humans (full RW), 'agent-ro' for agents (RO).`
			`# Agent role's scope file should declare ops = ['pull, 'verify, 'list] and`
			`# namespaces restricted to what agents may read.`

			`registry_provides = m.make_registry_provides {`
			`participant = "<your-slug>",`
			`registries = m.make_registries_config {`
			`default = "primary",`
			`registries = [`
			`m.make_registry_entry {`
			`id = "primary",`
			`endpoint = "<your-zot-host>",`
			`role = 'primary,`
			`tls = true,`
			`namespaces = {`
			`own = ["domains/<your-slug>/", "modes/<your-slug>/"],`
			`prefixes = ["domains/<your-slug>/", "modes/<your-slug>/"],`
			`},`
			`credential_sops = "registry/developer-ro.sops.yaml",`
			`credential_sops_rw = "registry/admin-rw.sops.yaml",`
			`},`
			`m.make_registry_entry {`
			`id = "agent-ro",`
			`endpoint = "<your-zot-host>",`
			`role = 'dev,`
			`tls = true,`
			`namespaces = {`
			`own = [],`
			`prefixes = ["domains/<your-slug>/"],`
			`},`
			`credential_sops = "registry/agent-readonly.sops.yaml",`
			`# No credential_sops_rw — agents cannot push, full stop.`
			`},`
			`],`
			`},`
			`},`