let d = import "../ontology/defaults/state.ncl" in

{
  dimensions = [
    d.make_dimension {
      id = "protocol-maturity",
      name = "Protocol Maturity",
      description = "Completeness of the ontoref protocol specification — schemas, ADRs, modes, Rust crates, daemon, and adoption tooling.",
      current_state = "adoption-tooling-complete",
      desired_state = "protocol-stable",
      horizon = 'Months,
      states = [],
      transitions = [
        d.make_transition {
          from = "tooling-migrated",
          to = "adoption-tooling-complete",
          condition = "adopt_ontoref mode, templates, daemon crate, landing page all present and validated.",
          catalyst = "Daemon extracted from stratumiops; adoption templates created.",
          blocker = "none",
          horizon = 'Months,
        },
        d.make_transition {
          from = "adoption-tooling-complete",
          to = "protocol-stable",
          condition = "ADR-001 accepted, ontoref.dev published, at least two external projects consuming the protocol. ADR-017 credential vault hardened end-to-end: per-file recipient routing for multi-tenant isolation, vault lock OCI artifact with TTL, impact analysis on close, 14/14 named-error tests, 6 templates (3 sops + 3 integration) for adoption.",
          catalyst = "10 projects consuming the protocol: vapora, stratumiops, kogral, typedialog, secretumvault, rustelo, librecloud_renew, website-impl, jpl_ontology, provisioning. ADR-001 Accepted. Auth model, install pipeline, personal/career schemas, content modes, API catalog (#[onto_api], ADR-007), config surface (ADR-008), manifest self-interrogation (ADR-009), protocol migration system (ADR-010), mode guards and convergence (ADR-011) all complete. Session 2026-03-30: manifest expanded to 19 capabilities; manifest coverage validation (audit + pre-commit + SessionStart); 3 new migrations (0010-0012). Session 2026-04-05: domain extension system (ADR-012) — bash-layer dispatch for repo_kind-conditional CLI domains; personal domain (PersonalOntology: career, cfp + Sessionize integration, opportunities, content) and provisioning domain (DevWorkspace/Mixed: state, connections, gates, card, backlog); short_alias wrappers (personal, prov); ore help and describe capabilities domain-aware. Session 2026-04-06: typed link schema (ontology/schemas/links.ncl — LinkKind enum + Link record) replacing raw string arrays (urls/docs/emails/slides_url/video_url/repository) across personal/career/core schemas and backlog; error UX in domain commands (print --stderr + exit 1 replacing error make); dispatch hardening for bare subcommand arms. Session 2026-04-07: 'Framework RepoKind added — ontoref declares its own kind; no domain activates for the framework itself. VCS abstraction layer (reflection/modules/vcs.nu) — uniform jj/git API used by all modules; jj is opt-in, git is the default. Agent workspace orchestration (reflection/bin/jjw.nu + jjw-ncl-merge.nu) — jj + ontoref + Radicle lifecycle wrapper; jj/rad requirements not propagated to consumer projects. ADR-013: VCS abstraction layer — filesystem detection, single-module contract, opt-in jj/rad. manifest: 21 capabilities (vcs-abstraction, agent-workspace-orchestration added). Session 2026-05-01: Registry credential vault (ADR-017) — per-project sops multi-recipient OCI vaults in ZOT; daemon structurally excluded from credential resolution; cosign signs src-vault on push and verifies on pull; DOCKER_CONFIG isolated per oras call; vault_key ephemeral in env only; vault.nu and secrets.nu added to reflection/modules; secrets.just (12 recipes) added; migration 0016 added; oras/cosign/sops/age declared as Hard prerequisites in requirements/base.ncl and manifest.ncl. Level hierarchy and mode resolution formalized (ADR-018) — three-level Base/Domain/Instance hierarchy; per-mode strategy (Override/Delegate/Merge/Compose) declared on _ModeBase schema; manifest.ncl gains level_type and LevelIndex; reflection/schema.ncl gains ResolutionStrategy; migration 0017 applied to provisioning (Domain, parent=ontoref-base, 12 modes), libre-daoshi (Instance, parent=provisioning-domain, 4 modes), libre-wuji (Instance, parent=provisioning-domain, 6 modes) — all modes declared Override. Session 2026-05-01 (cont): ore validate modes --check (level-declared|strategy-declared|delegate-chain|compose-extends|all) implemented in validate.nu — source-grep approach bypasses local NCL normalizers; local/inherited mode split excludes inherited base modes from strategy-declared check. ore mode resolve implemented — reports effective strategy and answered_by level. All three consumer projects pass validate modes with 0 Hard failures. Session 2026-05-01 (cont2): ADR-018 gaps fully closed — parent_path field added to level_type in manifest.ncl enabling cross-project delegate-chain verification (Hard failure if parent_path declared but parent does not have the mode); ore validate modes --self-test implemented with 9 assertions covering all 4 check variants on positive and negative synthetic fixtures. All checks verified end-to-end. Session 2026-05-03: ADR-017 credential vault end-to-end hardening — sentinel pattern + DOCKER_CONFIG isolation across 6 oras commands (domain_client.nu); credentials.nu portable Layer-2 helper in provisioning/core; assert-actor-authorized + assert-target-in-scope two-level enforcement (scope.bound_actor + scope.namespaces); ore secrets {bootstrap,sync,push,open,close,describe,force-unlock,audit,gen-key,add-key,remove-key,rekey} dispatcher wired; vault lock OCI artifact (src-vault/:lock) with TTL 60min and force-unlock auditable; impact analysis on secrets-close (diff sops files since last snapshot, map to RegistryEntry IDs, prompt confirm or ONTOREF_SECRETS_YES skip); cosign 2+ compatibility (signing-config replaces deprecated --tlog-upload); cosign_password 4th field in access.sops.yaml for non-interactive CI; per-file recipient routing via recipient_groups + recipient_rules (sops creation_rules) for multi-tenant isolation without multi-vault; 6 templates added (install/resources/templates/sops/{single-team,multi-tenant,agent-first}/ and integration/{domain-producer,mode-producer,mode-consumer}/); reflection/qa.ncl FAQ — 6 entries with diagrams covering credential vault best practice, templates, troubleshooting (15 named errors), integration what/why/how, integration troubleshooting; reflection/tests/test_secrets.nu with 14/14 named-error tests passing.",
          blocker = "ontoref.dev not yet published.",
          horizon = 'Months,
        },
      ],
    },
    d.make_dimension {
      id = "self-description-coverage",
      name = "Self-Description Coverage",
      description = "How completely ontoref describes itself using its own protocol.",
      current_state = "fully-self-described",
      desired_state = "fully-self-described",
      horizon = 'Weeks,
      states = [],
      transitions = [
        d.make_transition {
          from = ".ontology-bootstrapped",
          to = "modes-and-web-present",
          condition = "adopt_ontoref mode, landing page, and all core.ncl nodes reflect current artifact set.",
          catalyst = "Web presence and adoption tooling added in session 2026-03-12.",
          blocker = "none",
          horizon = 'Weeks,
        },
        d.make_transition {
          from = "modes-and-web-present",
          to = "fully-self-described",
          condition = "At least 3 ADRs accepted, reflection/backlog.ncl present, describe project returns complete picture.",
          catalyst = "ADR-001–ADR-006 authored (6 ADRs present). Auth model, project onboarding, and session management nodes added in 2026-03-13. Personal/career/project-card schemas, 5 content modes, search bookmarks, and ADR-006 (Nu 0.111 compat) added in session 2026-03-15. Session 2026-03-23: api-catalog-surface node added (#[onto_api] proc-macro + inventory catalog), describe-query-layer updated (diff + api subcommands), adopt-ontoref-tooling updated (update_ontoref mode + manifest/connections templates + enrichment prompt), ontoref-daemon updated (11 pages, 29 MCP tools, per-file versioning, API catalog endpoint). Session 2026-03-26: config-surface node added — typed DaemonNclConfig (parse-at-boundary pattern), #[derive(ConfigFields)] coherence registry, override-layer mutation API (PUT /config/{section}), NCL contracts (.ontoref/contracts.ncl: LogConfig + DaemonConfig), manifest config_surface with multi-consumer sections. ADR-007 (inventory/onto_api) extended to ConfigFields; ADR-008 (NCL-first config validation + override-layer mutation). Session 2026-03-26 (2nd): manifest-self-description node added. ADR-009. Session 2026-03-29: browser-style panel navigation. Session 2026-03-30: manifest expanded 3→19 capabilities (complete action surface: modes, compose, plans, backlog graduation, notifications, coder pipeline, forms, templates, drift, quick actions, migration, config, search bookmarks, onboarding, web presence). audit-manifest-coverage validator + pre-commit hook + SessionStart hook. Mode schema extended: Guard type (Block/Warn severity pre-flight checks), Converge type (RetryFailed/RetryAll post-execution loops). ADR-011. Migrations 0010-0012. Bug fix: find-unclaimed-artifacts absolute vs relative path comparison. Justfile split (build/test/dev/ci/assets). Anti-slop novelty-check in coder pipeline (Jaccard overlap against published+QA). Health 43%→100%. Session 2026-04-05: domain-extension-system node added. ADR-012. personal domain (jpl_ontology PersonalOntology: cfp/Sessionize integration, opportunities arrays, career, content) and provisioning domain (DevWorkspace/Mixed: state, card, connections, gates, capabilities, backlog). Bash-layer dispatch + ore help + describe capabilities domain-aware. Short alias system (personal, prov). Session 2026-04-06: personal-ontology-schemas node updated — links.ncl typed link schema; typed link migration across personal/career/core/backlog schemas. Session 2026-04-07: vcs-abstraction node (reflection/modules/vcs.nu) and agent-workspace-orchestration node (reflection/bin/jjw.nu + jjw-ncl-merge.nu) added. 'Framework RepoKind: ontoref self-identifies as framework, no domain activates. manifest: 21 capabilities (vcs-abstraction, agent-workspace-orchestration added). Session 2026-05-01: registry-credential-vault node added (ADR-017). level-hierarchy-resolution node added (ADR-018). adr-lifecycle node updated through ADR-018. manifest.ncl gains level_type + LevelIndex export; reflection/schema.ncl gains ResolutionStrategy + strategy + extends on _ModeBase. Migrations 0016-0017 added. 18 ADRs total.",
          blocker = "none",
          horizon = 'Weeks,
        },
      ],
    },
    d.make_dimension {
      id = "ecosystem-integration",
      name = "Ecosystem Integration",
      description = "Degree to which other ecosystem projects (stratumiops, syntaxis, vapora, kogral) consume the ontoref protocol.",
      current_state = "stratumiops-integrated",
      desired_state = "multi-project",
      horizon = 'Months,
      coupled_with = ["protocol-maturity"],
      states = [],
      transitions = [
        d.make_transition {
          from = "source-only",
          to = "stratumiops-integrated",
          condition = "stratumiops has .ontoref/config.ncl and scripts/ontoref wrapper functional; ADR-007 marked Superseded pointing to ontoref:adr-002.",
          catalyst = "Ontoref extraction and stratumiops migration session 2026-03-12.",
          blocker = "none",
          horizon = 'Months,
        },
        d.make_transition {
          from = "stratumiops-integrated",
          to = "multi-project",
          condition = "At least one additional project (vapora, kogral, or syntaxis) has .ontoref/config.ncl and scripts/ontoref. Syntaxis parses ontoref Core type.",
          catalyst = "Syntaxis integration spike or vapora/kogral onboarding.",
          blocker = "Syntaxis syntaxis-ontology crate has ES→EN migration errors pending. vapora/kogral not yet initialized with .ontoref/.",
          horizon = 'Months,
        },
      ],
    },
    d.make_dimension {
      id = "operational-mode",
      name = "Operational Mode",
      description = "Runtime connectivity mode: local (files only) or daemon (push-based DB projection). Auto-detected on each command; transitions trigger hook updates and sync. Daemon launched via ADR-004 NCL pipe bootstrap (ontoref-daemon-boot); NATS topology resolved from NATS_STREAMS_CONFIG env var (global ~/.config/ontoref/streams.json) or project-local nats/streams.json.",
      current_state = "local",
      desired_state = "daemon",
      horizon = 'Continuous,
      states = [
        d.make_state {
          id = "local",
          name = "Local",
          description = "No daemon. All operations read from files. Hooks are no-ops. Safe for offline or repo-only work.",
          tension = 'Low,
        },
        d.make_state {
          id = "daemon",
          name = "Daemon",
          description = "Daemon reachable. Ontology projected into DB on each sync. Hooks push on git merge/checkout. NATS events available.",
          tension = 'Low,
        },
      ],
      transitions = [
        d.make_transition {
          from = "local",
          to = "daemon",
          condition = "Daemon reachable at ONTOREF_DAEMON_URL and DB available (if db feature enabled).",
          catalyst = "Daemon started, network restored, or first onboarding after install.",
          blocker = "Daemon not running or DB not configured.",
          horizon = 'Continuous,
        },
        d.make_transition {
          from = "daemon",
          to = "local",
          condition = "Daemon unreachable or DB unavailable.",
          catalyst = "Network loss, daemon stopped, or offline work.",
          blocker = "none",
          horizon = 'Continuous,
        },
      ],
    },
  ],
}