jesus/ontoref
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ontoref/assets/work-group-ore/demo/option-b-layers/README.md
Jesús Pérez 82a358f18d
Some checks failed
Nickel Type Check / Nickel Type Checking (push) Has been cancelled
Details
Rust CI / Security Audit (push) Has been cancelled
Details
Rust CI / Check + Test + Lint (push) Has been cancelled
Details
feat: #[onto_mcp_tool] catalog, OCI credential vault layer, validate ADR-018 mode hierarchy 
ontoref-derive: #[onto_mcp_tool] attribute macro registers MCP tool unit-structs in
  the catalog at link time via inventory::submit!; annotated item is emitted unchanged,
  ToolBase/AsyncTool impls stay on the struct. All 34 tools migrated from manual wiring
  (net +5: ontoref_list_projects, ontoref_search, ontoref_describe,
  ontoref_list_ontology_extensions, ontoref_get_ontology_extension).

  validate modes (ADR-018): reads level_hierarchy from workflow.ncl and checks every
  .ncl mode for level declared, strategy declared, delegate chain coherent, compose
  extends valid. mode resolve <id> shows which hierarchy level handles a mode and why.
  --self-test generates synthetic fixtures in a temp dir for CI smoke-testing.

  validate run-cargo: two-step Cargo.toml resolution — workspace layout first
  (crates/<check.crate>/Cargo.toml), single-crate fallback by package name or repo
  basename. Lets the same ADR constraint shape apply to workspace and single-crate repos.

  ontology/schemas/manifest.ncl: registry_topology_type contract — multi-registry
  coordination, push targets, participant scopes, per-namespace capability.

  reflection/requirements/base.ncl: oras ≥1.2.0, cosign ≥2.0.0, sops ≥3.9.0, age
  ≥1.1.0, restic declared as Hard/Soft requirements with version_min, check_cmd, and
  install_hint (ADR-017 toolchain surface).

  ADR-019: per-file recipient routing for tenant isolation without multi-vault. Schema
  additions: sops.recipient_groups + sops.recipient_rules in ontoref-project.ncl.
  secrets-bootstrap generates .sops.yaml from project.ncl in declarative mode. Three
  new secrets-audit checks: recipient-routing-coherent, recipient-routing-coverage,
  no-multi-vault. Adoption templates: single-team/, multi-tenant/, agent-first/.
  Integration templates: domain-producer/, mode-producer/, mode-consumer/.

  UI: project_picker surfaces registry badge (⟳ participant) and vault badge
  (⛁ vault_id · N, green=declarative / amber=legacy) per project card. Expanded panel
  adds collapsible Registry section with namespace, endpoint, and push/pull capability.
  manage.html gains Runtime Services card — MCP and GraphQL toggleable without restart
  via HTMX POST /ui/manage/services/{service}/toggle.

  describe.nu: capabilities JSON includes registry_topology and vault_state per project.
  sync.nu: drift check extended to detect //! absence on newly registered crates.
  qa.ncl: six entries — credential-vault-best-practice (layered data-flow diagram),
  credential-vault-templates (paths A/B/C), credential-vault-troubleshooting (15 named
  errors), integration-what-and-why (ADR-042 OCI federation), integration-how-to-implement,
  integration-troubleshooting.

  on+re: core.ncl + manifest.ncl updated to reflect OCI, MCP, and mode-hierarchy nodes.
  Deleted stale presentation assets (2026-02 slides + voice notes).
2026-05-12 04:46:15 +01:00

2.8 KiB
Raw Blame History

Opción B — Capas sin acople (alternativa rustacean)

Demo alternativa, más sofisticada. Modela la regla de arquitectura hexagonal "el dominio no depende de infraestructura, la aplicación no depende de infraestructura" como contrato Nickel custom, y muestra el typecheck rechazando una dependencia ilegal.

Cuándo usar esta en vez de A

  • Audiencia con experiencia previa en arquitectura limpia / hexagonal
  • Cohorte que ya pasó por el WG y vuelve para repetir con tema más denso
  • Sesión más larga (15 min en vez de 8) donde da tiempo a explicar las capas

Para la primera sesión con audiencia mixta: usa la opción A.

Archivos

Archivo Paso de la demo Resultado de nickel export
core.start.ncl Paso 2 — sin contrato custom ✓ exporta JSON (estructura básica)
core.with-contract.ncl Paso 3 — contrato ValidLayerDependency aplicado ✓ exporta JSON (todas las dependencias son legales)
core.broken.ncl Paso 4 — dependencia ilegal ✗ error: Layer violation: user (Domain) cannot depend on db_pool (Infrastructure)

Composición de contratos: los dos contratos (Dependency para la forma del record y ValidLayerDependency para la regla de capas) se aplican encadenados con | Array Dependency | Array ValidLayerDependency. No se mergean con & porque uno es record-shape y el otro es custom contract — el | los aplica secuencialmente al mismo valor.

Concepto modelado

Tres capas:

  • 'Domain — lógica pura, no debe conocer infraestructura
  • 'Application — orquesta dominio, no debe conocer infraestructura
  • 'Infrastructure — adaptadores, puede depender de cualquier capa

Reglas codificadas en allowed_dependency:

Source Targets permitidos
'Domain 'Domain solamente
'Application 'Domain y 'Application
'Infrastructure cualquiera

Verificación rápida (ensayo)

cd /Users/Akasha/Development/ontoref/assets/work-group-ore/demo/option-b-layers
nickel export core.start.ncl           # exporta JSON
nickel export core.with-contract.ncl   # exporta JSON
nickel export core.broken.ncl          # falla — Layer violation: user (Domain) cannot depend on db_pool (Infrastructure)

Adaptación del guion

El guion en ../script.md está escrito para opción A. Para opción B, los cambios:

  • Paso 2: tecleas la lista de dependencias sin contrato custom
  • Paso 3: tecleas el let allowed_dependency = ... y el ValidLayerDependency con std.contract.custom
  • Paso 4: añades una dependencia 'Domain -> 'Infrastructure y el typecheck rechaza con el mensaje del custom contract
  • Paso 5: arreglarlo significa o cambiar la capa del módulo origen, o refactorizar para introducir un puerto/adapter

Tiempo: ~12-15 min en vez de 8-10.