ontoref-derive: #[onto_mcp_tool] attribute macro registers MCP tool unit-structs in
the catalog at link time via inventory::submit!; annotated item is emitted unchanged,
ToolBase/AsyncTool impls stay on the struct. All 34 tools migrated from manual wiring
(net +5: ontoref_list_projects, ontoref_search, ontoref_describe,
ontoref_list_ontology_extensions, ontoref_get_ontology_extension).
validate modes (ADR-018): reads level_hierarchy from workflow.ncl and checks every
.ncl mode for level declared, strategy declared, delegate chain coherent, compose
extends valid. mode resolve <id> shows which hierarchy level handles a mode and why.
--self-test generates synthetic fixtures in a temp dir for CI smoke-testing.
validate run-cargo: two-step Cargo.toml resolution — workspace layout first
(crates/<check.crate>/Cargo.toml), single-crate fallback by package name or repo
basename. Lets the same ADR constraint shape apply to workspace and single-crate repos.
ontology/schemas/manifest.ncl: registry_topology_type contract — multi-registry
coordination, push targets, participant scopes, per-namespace capability.
reflection/requirements/base.ncl: oras ≥1.2.0, cosign ≥2.0.0, sops ≥3.9.0, age
≥1.1.0, restic declared as Hard/Soft requirements with version_min, check_cmd, and
install_hint (ADR-017 toolchain surface).
ADR-019: per-file recipient routing for tenant isolation without multi-vault. Schema
additions: sops.recipient_groups + sops.recipient_rules in ontoref-project.ncl.
secrets-bootstrap generates .sops.yaml from project.ncl in declarative mode. Three
new secrets-audit checks: recipient-routing-coherent, recipient-routing-coverage,
no-multi-vault. Adoption templates: single-team/, multi-tenant/, agent-first/.
Integration templates: domain-producer/, mode-producer/, mode-consumer/.
UI: project_picker surfaces registry badge (⟳ participant) and vault badge
(⛁ vault_id · N, green=declarative / amber=legacy) per project card. Expanded panel
adds collapsible Registry section with namespace, endpoint, and push/pull capability.
manage.html gains Runtime Services card — MCP and GraphQL toggleable without restart
via HTMX POST /ui/manage/services/{service}/toggle.
describe.nu: capabilities JSON includes registry_topology and vault_state per project.
sync.nu: drift check extended to detect //! absence on newly registered crates.
qa.ncl: six entries — credential-vault-best-practice (layered data-flow diagram),
credential-vault-templates (paths A/B/C), credential-vault-troubleshooting (15 named
errors), integration-what-and-why (ADR-042 OCI federation), integration-how-to-implement,
integration-troubleshooting.
on+re: core.ncl + manifest.ncl updated to reflect OCI, MCP, and mode-hierarchy nodes.
Deleted stale presentation assets (2026-02 slides + voice notes).
133 lines
14 KiB
Text
let d = import "../ontology/defaults/state.ncl" in

{
  dimensions = [

    d.make_dimension {
      id = "protocol-maturity",
      name = "Protocol Maturity",
      description = "Completeness of the ontoref protocol specification — schemas, ADRs, modes, Rust crates, daemon, and adoption tooling.",
      current_state = "adoption-tooling-complete",
      desired_state = "protocol-stable",
      horizon = 'Months,
      states = [],
      transitions = [
        d.make_transition {
          from = "tooling-migrated",
          to = "adoption-tooling-complete",
          condition = "adopt_ontoref mode, templates, daemon crate, landing page all present and validated.",
          catalyst = "Daemon extracted from stratumiops; adoption templates created.",
          blocker = "none",
          horizon = 'Months,
        },
        d.make_transition {
          from = "adoption-tooling-complete",
          to = "protocol-stable",
          condition = "ADR-001 accepted, ontoref.dev published, at least two external projects consuming the protocol. ADR-017 credential vault hardened end-to-end: per-file recipient routing for multi-tenant isolation, vault lock OCI artifact with TTL, impact analysis on close, 14/14 named-error tests, 6 templates (3 sops + 3 integration) for adoption.",
          catalyst = "10 projects consuming the protocol: vapora, stratumiops, kogral, typedialog, secretumvault, rustelo, librecloud_renew, website-impl, jpl_ontology, provisioning. ADR-001 Accepted. Auth model, install pipeline, personal/career schemas, content modes, API catalog (#[onto_api], ADR-007), config surface (ADR-008), manifest self-interrogation (ADR-009), protocol migration system (ADR-010), mode guards and convergence (ADR-011) all complete. Session 2026-03-30: manifest expanded to 19 capabilities; manifest coverage validation (audit + pre-commit + SessionStart); 3 new migrations (0010-0012). Session 2026-04-05: domain extension system (ADR-012) — bash-layer dispatch for repo_kind-conditional CLI domains; personal domain (PersonalOntology: career, cfp + Sessionize integration, opportunities, content) and provisioning domain (DevWorkspace/Mixed: state, connections, gates, card, backlog); short_alias wrappers (personal, prov); ore help and describe capabilities domain-aware. Session 2026-04-06: typed link schema (ontology/schemas/links.ncl — LinkKind enum + Link record) replacing raw string arrays (urls/docs/emails/slides_url/video_url/repository) across personal/career/core schemas and backlog; error UX in domain commands (print --stderr + exit 1 replacing error make); dispatch hardening for bare subcommand arms. Session 2026-04-07: 'Framework RepoKind added — ontoref declares its own kind; no domain activates for the framework itself. VCS abstraction layer (reflection/modules/vcs.nu) — uniform jj/git API used by all modules; jj is opt-in, git is the default. Agent workspace orchestration (reflection/bin/jjw.nu + jjw-ncl-merge.nu) — jj + ontoref + Radicle lifecycle wrapper; jj/rad requirements not propagated to consumer projects. ADR-013: VCS abstraction layer — filesystem detection, single-module contract, opt-in jj/rad. manifest: 21 capabilities (vcs-abstraction, agent-workspace-orchestration added). Session 2026-05-01: Registry credential vault (ADR-017) — per-project sops multi-recipient OCI vaults in ZOT; daemon structurally excluded from credential resolution; cosign signs src-vault on push and verifies on pull; DOCKER_CONFIG isolated per oras call; vault_key ephemeral in env only; vault.nu and secrets.nu added to reflection/modules; secrets.just (12 recipes) added; migration 0016 added; oras/cosign/sops/age declared as Hard prerequisites in requirements/base.ncl and manifest.ncl. Level hierarchy and mode resolution formalized (ADR-018) — three-level Base/Domain/Instance hierarchy; per-mode strategy (Override/Delegate/Merge/Compose) declared on _ModeBase schema; manifest.ncl gains level_type and LevelIndex; reflection/schema.ncl gains ResolutionStrategy; migration 0017 applied to provisioning (Domain, parent=ontoref-base, 12 modes), libre-daoshi (Instance, parent=provisioning-domain, 4 modes), libre-wuji (Instance, parent=provisioning-domain, 6 modes) — all modes declared Override. Session 2026-05-01 (cont): ore validate modes --check (level-declared|strategy-declared|delegate-chain|compose-extends|all) implemented in validate.nu — source-grep approach bypasses local NCL normalizers; local/inherited mode split excludes inherited base modes from strategy-declared check. ore mode resolve <id> implemented — reports effective strategy and answered_by level. All three consumer projects pass validate modes with 0 Hard failures. Session 2026-05-01 (cont2): ADR-018 gaps fully closed — parent_path field added to level_type in manifest.ncl enabling cross-project delegate-chain verification (Hard failure if parent_path declared but parent does not have the mode); ore validate modes --self-test implemented with 9 assertions covering all 4 check variants on positive and negative synthetic fixtures. All checks verified end-to-end. Session 2026-05-03: ADR-017 credential vault end-to-end hardening — sentinel pattern + DOCKER_CONFIG isolation across 6 oras commands (domain_client.nu); credentials.nu portable Layer-2 helper in provisioning/core; assert-actor-authorized + assert-target-in-scope two-level enforcement (scope.bound_actor + scope.namespaces); ore secrets {bootstrap,sync,push,open,close,describe,force-unlock,audit,gen-key,add-key,remove-key,rekey} dispatcher wired; vault lock OCI artifact (src-vault/<id>:lock) with TTL 60min and force-unlock auditable; impact analysis on secrets-close (diff sops files since last snapshot, map to RegistryEntry IDs, prompt confirm or ONTOREF_SECRETS_YES skip); cosign 2+ compatibility (signing-config replaces deprecated --tlog-upload); cosign_password 4th field in access.sops.yaml for non-interactive CI; per-file recipient routing via recipient_groups + recipient_rules (sops creation_rules) for multi-tenant isolation without multi-vault; 6 templates added (install/resources/templates/sops/{single-team,multi-tenant,agent-first}/ and integration/{domain-producer,mode-producer,mode-consumer}/); reflection/qa.ncl FAQ — 6 entries with diagrams covering credential vault best practice, templates, troubleshooting (15 named errors), integration what/why/how, integration troubleshooting; reflection/tests/test_secrets.nu with 14/14 named-error tests passing.",
          blocker = "ontoref.dev not yet published.",
          horizon = 'Months,
        },
      ],
    },

    d.make_dimension {
      id = "self-description-coverage",
      name = "Self-Description Coverage",
      description = "How completely ontoref describes itself using its own protocol.",
      current_state = "fully-self-described",
      desired_state = "fully-self-described",
      horizon = 'Weeks,
      states = [],
      transitions = [
        d.make_transition {
          from = ".ontology-bootstrapped",
          to = "modes-and-web-present",
          condition = "adopt_ontoref mode, landing page, and all core.ncl nodes reflect current artifact set.",
          catalyst = "Web presence and adoption tooling added in session 2026-03-12.",
          blocker = "none",
          horizon = 'Weeks,
        },
        d.make_transition {
          from = "modes-and-web-present",
          to = "fully-self-described",
          condition = "At least 3 ADRs accepted, reflection/backlog.ncl present, describe project returns complete picture.",
          catalyst = "ADR-001–ADR-006 authored (6 ADRs present). Auth model, project onboarding, and session management nodes added in 2026-03-13. Personal/career/project-card schemas, 5 content modes, search bookmarks, and ADR-006 (Nu 0.111 compat) added in session 2026-03-15. Session 2026-03-23: api-catalog-surface node added (#[onto_api] proc-macro + inventory catalog), describe-query-layer updated (diff + api subcommands), adopt-ontoref-tooling updated (update_ontoref mode + manifest/connections templates + enrichment prompt), ontoref-daemon updated (11 pages, 29 MCP tools, per-file versioning, API catalog endpoint). Session 2026-03-26: config-surface node added — typed DaemonNclConfig (parse-at-boundary pattern), #[derive(ConfigFields)] coherence registry, override-layer mutation API (PUT /config/{section}), NCL contracts (.ontoref/contracts.ncl: LogConfig + DaemonConfig), manifest config_surface with multi-consumer sections. ADR-007 (inventory/onto_api) extended to ConfigFields; ADR-008 (NCL-first config validation + override-layer mutation). Session 2026-03-26 (2nd): manifest-self-description node added. ADR-009. Session 2026-03-29: browser-style panel navigation. Session 2026-03-30: manifest expanded 3→19 capabilities (complete action surface: modes, compose, plans, backlog graduation, notifications, coder pipeline, forms, templates, drift, quick actions, migration, config, search bookmarks, onboarding, web presence). audit-manifest-coverage validator + pre-commit hook + SessionStart hook. Mode schema extended: Guard type (Block/Warn severity pre-flight checks), Converge type (RetryFailed/RetryAll post-execution loops). ADR-011. Migrations 0010-0012. Bug fix: find-unclaimed-artifacts absolute vs relative path comparison. Justfile split (build/test/dev/ci/assets). Anti-slop novelty-check in coder pipeline (Jaccard overlap against published+QA). Health 43%→100%. Session 2026-04-05: domain-extension-system node added. ADR-012. personal domain (jpl_ontology PersonalOntology: cfp/Sessionize integration, opportunities arrays, career, content) and provisioning domain (DevWorkspace/Mixed: state, card, connections, gates, capabilities, backlog). Bash-layer dispatch + ore help + describe capabilities domain-aware. Short alias system (personal, prov). Session 2026-04-06: personal-ontology-schemas node updated — links.ncl typed link schema; typed link migration across personal/career/core/backlog schemas. Session 2026-04-07: vcs-abstraction node (reflection/modules/vcs.nu) and agent-workspace-orchestration node (reflection/bin/jjw.nu + jjw-ncl-merge.nu) added. 'Framework RepoKind: ontoref self-identifies as framework, no domain activates. manifest: 21 capabilities (vcs-abstraction, agent-workspace-orchestration added). Session 2026-05-01: registry-credential-vault node added (ADR-017). level-hierarchy-resolution node added (ADR-018). adr-lifecycle node updated through ADR-018. manifest.ncl gains level_type + LevelIndex export; reflection/schema.ncl gains ResolutionStrategy + strategy + extends on _ModeBase. Migrations 0016-0017 added. 18 ADRs total.",
          blocker = "none",
          horizon = 'Weeks,
        },
      ],
    },

    d.make_dimension {
      id = "ecosystem-integration",
      name = "Ecosystem Integration",
      description = "Degree to which other ecosystem projects (stratumiops, syntaxis, vapora, kogral) consume the ontoref protocol.",
      current_state = "stratumiops-integrated",
      desired_state = "multi-project",
      horizon = 'Months,
      coupled_with = ["protocol-maturity"],
      states = [],
      transitions = [
        d.make_transition {
          from = "source-only",
          to = "stratumiops-integrated",
          condition = "stratumiops has .ontoref/config.ncl and scripts/ontoref wrapper functional; ADR-007 marked Superseded pointing to ontoref:adr-002.",
          catalyst = "Ontoref extraction and stratumiops migration session 2026-03-12.",
          blocker = "none",
          horizon = 'Months,
        },
        d.make_transition {
          from = "stratumiops-integrated",
          to = "multi-project",
          condition = "At least one additional project (vapora, kogral, or syntaxis) has .ontoref/config.ncl and scripts/ontoref. Syntaxis parses ontoref Core type.",
          catalyst = "Syntaxis integration spike or vapora/kogral onboarding.",
          blocker = "Syntaxis syntaxis-ontology crate has ES→EN migration errors pending. vapora/kogral not yet initialized with .ontoref/.",
          horizon = 'Months,
        },
      ],
    },

    d.make_dimension {
      id = "operational-mode",
      name = "Operational Mode",
      description = "Runtime connectivity mode: local (files only) or daemon (push-based DB projection). Auto-detected on each command; transitions trigger hook updates and sync. Daemon launched via ADR-004 NCL pipe bootstrap (ontoref-daemon-boot); NATS topology resolved from NATS_STREAMS_CONFIG env var (global ~/.config/ontoref/streams.json) or project-local nats/streams.json.",
      current_state = "local",
      desired_state = "daemon",
      horizon = 'Continuous,
      states = [
        d.make_state {
          id = "local",
          name = "Local",
          description = "No daemon. All operations read from files. Hooks are no-ops. Safe for offline or repo-only work.",
          tension = 'Low,
        },
        d.make_state {
          id = "daemon",
          name = "Daemon",
          description = "Daemon reachable. Ontology projected into DB on each sync. Hooks push on git merge/checkout. NATS events available.",
          tension = 'Low,
        },
      ],
      transitions = [
        d.make_transition {
          from = "local",
          to = "daemon",
          condition = "Daemon reachable at ONTOREF_DAEMON_URL and DB available (if db feature enabled).",
          catalyst = "Daemon started, network restored, or first onboarding after install.",
          blocker = "Daemon not running or DB not configured.",
          horizon = 'Continuous,
        },
        d.make_transition {
          from = "daemon",
          to = "local",
          condition = "Daemon unreachable or DB unavailable.",
          catalyst = "Network loss, daemon stopped, or offline work.",
          blocker = "none",
          horizon = 'Continuous,
        },
      ],
    },

  ],
}
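The state file above declares, per dimension, a current_state, a desired_state and a chain of from/to transitions; the commit adds a chain-coherence check for modes but nothing equivalent for these dimensions. The following is an added example (not ontoref's own code, which is Nickel/Nushell) of the three checks a reviewer would want on such a file: every state a transition names is declared when a states list is given, current_state and desired_state appear in some transition, and desired_state is reachable from current_state by following transitions forward. The sample dimensions are transcribed from the file above; the Transition/Dimension names and the deliberately broken fixture are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Transition:
    src: str  # 'from' in the .ncl (a Python keyword, hence renamed)
    dst: str  # 'to'

@dataclass
class Dimension:
    id: str
    current_state: str
    desired_state: str
    transitions: list
    states: list = field(default_factory=list)  # declared state ids; [] = not enumerated

def check_dimension(dim: Dimension) -> list:
    """Return a list of problem strings; an empty list means the dimension is coherent."""
    problems = []
    referenced = {t.src for t in dim.transitions} | {t.dst for t in dim.transitions}
    # 1. When states are enumerated, transitions may only name declared states.
    if dim.states:
        for s in sorted(referenced - set(dim.states)):
            problems.append(f"{dim.id}: transition references undeclared state {s!r}")
    # 2. current_state and desired_state must be anchored in the transition graph.
    for label, s in (("current_state", dim.current_state), ("desired_state", dim.desired_state)):
        if s not in referenced:
            problems.append(f"{dim.id}: {label} {s!r} appears in no transition")
    # 3. desired_state must be reachable from current_state following from->to edges.
    reachable, frontier = {dim.current_state}, [dim.current_state]
    while frontier:
        node = frontier.pop()
        for t in dim.transitions:
            if t.src == node and t.dst not in reachable:
                reachable.add(t.dst)
                frontier.append(t.dst)
    if dim.desired_state not in reachable:
        problems.append(f"{dim.id}: {dim.desired_state!r} not reachable from {dim.current_state!r}")
    return problems

# Transcribed from the state file above.
PROTOCOL_MATURITY = Dimension("protocol-maturity", "adoption-tooling-complete", "protocol-stable",
    [Transition("tooling-migrated", "adoption-tooling-complete"),
     Transition("adoption-tooling-complete", "protocol-stable")])
OPERATIONAL_MODE = Dimension("operational-mode", "local", "daemon",
    [Transition("local", "daemon"), Transition("daemon", "local")], states=["local", "daemon"])
# Constructed negative fixture: desired_state misspelled and a transition to an undeclared state.
BROKEN = Dimension("broken", "local", "daemom",
    [Transition("local", "daemon"), Transition("daemon", "degraded")], states=["local", "daemon"])

if __name__ == "__main__":
    for dim in (PROTOCOL_MATURITY, OPERATIONAL_MODE, BROKEN):
        print(dim.id, check_dimension(dim) or "ok")
```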