ontoref/install/resources/templates/sops/multi-tenant/project.ncl.snippet

# ───── Path B: multi-tenant ─────
# Multiple clients share the vault; their credentials are encrypted to disjoint
# recipient sets. Paste inside s.make_project { ... }. Adapt groups + rules.

  sops = {
    enabled            = true,
    vault_id           = "<your-slug>",
    vault_backend      = 'restic,
    registry_endpoint  = "<your-zot-host>",

    actor_key_bindings = {
      developer = "developer",
      ci        = "cdci",
      agent     = "ontoref",
      admin     = "admin",
    },

    # Recipient groups — each is a list of age public keys. Use empty [] for
    # placeholder groups you populate later.
    recipient_groups = {
      admin   = ["age1admin..."],
      ops     = ["age1ops..."],
      clientA = ["age1clientA-lead..."],
      clientB = ["age1clientB-lead..."],
    },

    # Path-to-recipient-set rules. Each *.sops.yaml created in the vault is
    # encrypted with the union of its rule's groups. Order matters — first match wins.
    recipient_rules = [
      { path = "access\\.sops\\.yaml$",                   groups = ["admin", "ops"] },
      { path = "registry/clientA-.*\\.sops\\.yaml$",      groups = ["admin", "clientA"] },
      { path = "registry/clientB-.*\\.sops\\.yaml$",      groups = ["admin", "clientB"] },
    ],
  },
feat: #[onto_mcp_tool] catalog, OCI credential vault layer, validate ADR-018 mode hierarchy ontoref-derive: #[onto_mcp_tool] attribute macro registers MCP tool unit-structs in the catalog at link time via inventory::submit!; annotated item is emitted unchanged, ToolBase/AsyncTool impls stay on the struct. All 34 tools migrated from manual wiring (net +5: ontoref_list_projects, ontoref_search, ontoref_describe, ontoref_list_ontology_extensions, ontoref_get_ontology_extension). validate modes (ADR-018): reads level_hierarchy from workflow.ncl and checks every .ncl mode for level declared, strategy declared, delegate chain coherent, compose extends valid. mode resolve <id> shows which hierarchy level handles a mode and why. --self-test generates synthetic fixtures in a temp dir for CI smoke-testing. validate run-cargo: two-step Cargo.toml resolution — workspace layout first (crates/<check.crate>/Cargo.toml), single-crate fallback by package name or repo basename. Lets the same ADR constraint shape apply to workspace and single-crate repos. ontology/schemas/manifest.ncl: registry_topology_type contract — multi-registry coordination, push targets, participant scopes, per-namespace capability. reflection/requirements/base.ncl: oras ≥1.2.0, cosign ≥2.0.0, sops ≥3.9.0, age ≥1.1.0, restic declared as Hard/Soft requirements with version_min, check_cmd, and install_hint (ADR-017 toolchain surface). ADR-019: per-file recipient routing for tenant isolation without multi-vault. Schema additions: sops.recipient_groups + sops.recipient_rules in ontoref-project.ncl. secrets-bootstrap generates .sops.yaml from project.ncl in declarative mode. Three new secrets-audit checks: recipient-routing-coherent, recipient-routing-coverage, no-multi-vault. Adoption templates: single-team/, multi-tenant/, agent-first/. Integration templates: domain-producer/, mode-producer/, mode-consumer/. UI: project_picker surfaces registry badge (⟳ participant) and vault badge (⛁ vault_id · N, green=declarative / amber=legacy) per project card. Expanded panel adds collapsible Registry section with namespace, endpoint, and push/pull capability. manage.html gains Runtime Services card — MCP and GraphQL toggleable without restart via HTMX POST /ui/manage/services/{service}/toggle. describe.nu: capabilities JSON includes registry_topology and vault_state per project. sync.nu: drift check extended to detect //! absence on newly registered crates. qa.ncl: six entries — credential-vault-best-practice (layered data-flow diagram), credential-vault-templates (paths A/B/C), credential-vault-troubleshooting (15 named errors), integration-what-and-why (ADR-042 OCI federation), integration-how-to-implement, integration-troubleshooting. on+re: core.ncl + manifest.ncl updated to reflect OCI, MCP, and mode-hierarchy nodes. Deleted stale presentation assets (2026-02 slides + voice notes). 2026-05-12 04:46:15 +01:00			`# ───── Path B: multi-tenant ─────`
			`# Multiple clients share the vault; their credentials are encrypted to disjoint`
			`# recipient sets. Paste inside s.make_project { ... }. Adapt groups + rules.`

			`sops = {`
			`enabled = true,`
			`vault_id = "<your-slug>",`
			`vault_backend = 'restic,`
			`registry_endpoint = "<your-zot-host>",`

			`actor_key_bindings = {`
			`developer = "developer",`
			`ci = "cdci",`
			`agent = "ontoref",`
			`admin = "admin",`
			`},`

			`# Recipient groups — each is a list of age public keys. Use empty [] for`
			`# placeholder groups you populate later.`
			`recipient_groups = {`
			`admin = ["age1admin..."],`
			`ops = ["age1ops..."],`
			`clientA = ["age1clientA-lead..."],`
			`clientB = ["age1clientB-lead..."],`
			`},`

			`# Path-to-recipient-set rules. Each *.sops.yaml created in the vault is`
			`# encrypted with the union of its rule's groups. Order matters — first match wins.`
			`recipient_rules = [`
			`{ path = "access\\.sops\\.yaml$", groups = ["admin", "ops"] },`
			`{ path = "registry/clientA-.*\\.sops\\.yaml$", groups = ["admin", "clientA"] },`
			`{ path = "registry/clientB-.*\\.sops\\.yaml$", groups = ["admin", "clientB"] },`
			`],`
			`},`