jesus/ontoref
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ontoref/justfiles/ci.just
Jesús Pérez 82a358f18d
Some checks failed
Nickel Type Check / Nickel Type Checking (push) Has been cancelled
Details
Rust CI / Security Audit (push) Has been cancelled
Details
Rust CI / Check + Test + Lint (push) Has been cancelled
Details
feat: #[onto_mcp_tool] catalog, OCI credential vault layer, validate ADR-018 mode hierarchy 
ontoref-derive: #[onto_mcp_tool] attribute macro registers MCP tool unit-structs in
  the catalog at link time via inventory::submit!; annotated item is emitted unchanged,
  ToolBase/AsyncTool impls stay on the struct. All 34 tools migrated from manual wiring
  (net +5: ontoref_list_projects, ontoref_search, ontoref_describe,
  ontoref_list_ontology_extensions, ontoref_get_ontology_extension).

  validate modes (ADR-018): reads level_hierarchy from workflow.ncl and checks every
  .ncl mode for level declared, strategy declared, delegate chain coherent, compose
  extends valid. mode resolve <id> shows which hierarchy level handles a mode and why.
  --self-test generates synthetic fixtures in a temp dir for CI smoke-testing.

  validate run-cargo: two-step Cargo.toml resolution — workspace layout first
  (crates/<check.crate>/Cargo.toml), single-crate fallback by package name or repo
  basename. Lets the same ADR constraint shape apply to workspace and single-crate repos.

  ontology/schemas/manifest.ncl: registry_topology_type contract — multi-registry
  coordination, push targets, participant scopes, per-namespace capability.

  reflection/requirements/base.ncl: oras ≥1.2.0, cosign ≥2.0.0, sops ≥3.9.0, age
  ≥1.1.0, restic declared as Hard/Soft requirements with version_min, check_cmd, and
  install_hint (ADR-017 toolchain surface).

  ADR-019: per-file recipient routing for tenant isolation without multi-vault. Schema
  additions: sops.recipient_groups + sops.recipient_rules in ontoref-project.ncl.
  secrets-bootstrap generates .sops.yaml from project.ncl in declarative mode. Three
  new secrets-audit checks: recipient-routing-coherent, recipient-routing-coverage,
  no-multi-vault. Adoption templates: single-team/, multi-tenant/, agent-first/.
  Integration templates: domain-producer/, mode-producer/, mode-consumer/.

  UI: project_picker surfaces registry badge (⟳ participant) and vault badge
  (⛁ vault_id · N, green=declarative / amber=legacy) per project card. Expanded panel
  adds collapsible Registry section with namespace, endpoint, and push/pull capability.
  manage.html gains Runtime Services card — MCP and GraphQL toggleable without restart
  via HTMX POST /ui/manage/services/{service}/toggle.

  describe.nu: capabilities JSON includes registry_topology and vault_state per project.
  sync.nu: drift check extended to detect //! absence on newly registered crates.
  qa.ncl: six entries — credential-vault-best-practice (layered data-flow diagram),
  credential-vault-templates (paths A/B/C), credential-vault-troubleshooting (15 named
  errors), integration-what-and-why (ADR-042 OCI federation), integration-how-to-implement,
  integration-troubleshooting.

  on+re: core.ncl + manifest.ncl updated to reflect OCI, MCP, and mode-hierarchy nodes.
  Deleted stale presentation assets (2026-02 slides + voice notes).
2026-05-12 04:46:15 +01:00

227 lines
8.3 KiB
Text
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# CI/CD Just Recipes
# Generated by dev-system/ci - Dynamic template
# Provides `just` recipes for running CI checks locally
# Based on detected languages and enabled tools
# Show CI help
[doc("Show ci help")]
help:
@echo "CI/CD Just Recipes"
@echo ""
@echo "Main Commands:"
@echo " just ci-full - Run all CI checks"
@echo " just ci-fmt - Format code"
@echo " just ci-lint - Run all linting checks"
@echo " just ci-test - Run all tests"
@echo " just ci-audit - Run security audits"
@echo ""
@echo "Language-Specific:"
@echo " just ci-lint-rust - Lint Rust (clippy)"
@echo " just ci-fmt-toml - Check TOML formatting"
@echo " just ci-lint-toml - Lint TOML files (taplo)"
@echo " just ci-lint-nickel - Type check Nickel"
@echo " just ci-lint-markdown - Lint Markdown (markdownlint-cli2)"
@echo " just ci-lint-prose - Lint prose (Vale)"
@echo ""
@echo "Other:"
@echo " just ci-check-config-sync - Verify form/template parity"
@echo " just ci-sbom - Generate SBOM"
@echo " just ci-test-coverage - Run tests with coverage"
@echo " just setup-hooks - Install pre-commit hooks"
@echo " just hooks-run-all - Run pre-commit on all files"
@echo " just clean - Clean build artifacts"
# Run all CI checks
ci-full: ci-lint-rust ci-fmt-toml ci-lint-toml ci-lint-nickel ci-lint-markdown ci-lint-prose ci-test ci-secrets-error-fixtures ci-secrets-smoke ci-vault-lock-smoke ci-audit ci-check-config-sync ci-docs
@echo "✅ All CI checks passed!"
# ==============================================================================
# Formatting Checks
# ==============================================================================
# Check Rust code formatting
ci-fmt:
@echo "📝 Checking Rust code formatting..."
cargo fmt --all -- --check
# Check TOML file formatting
ci-fmt-toml:
@echo "📝 Checking TOML formatting..."
@command -v taplo >/dev/null || (echo "❌ taplo not installed: cargo install taplo-cli"; exit 1)
taplo format --check
# Format all code (alias — prefer dev-fmt)
fmt:
just dev-fmt
# ==============================================================================
# Linting
# ==============================================================================
# Run all linting checks
ci-lint: ci-lint-rust ci-lint-toml ci-lint-nickel ci-lint-markdown ci-lint-prose ci-check-config-sync
@echo "✅ All lint checks passed!"
# Lint Rust code
ci-lint-rust:
@echo "🔍 Linting Rust (clippy)..."
cargo clippy --all-targets --all-features -- -D warnings
# Lint TOML files
ci-lint-toml:
@echo "🔍 Linting TOML files..."
@command -v taplo >/dev/null || (echo "❌ taplo not installed: cargo install taplo-cli"; exit 1)
taplo lint
# Lint Nickel schemas
ci-lint-nickel:
#!/usr/bin/env bash
echo "🔍 Type checking Nickel..."
SCHEMAS=$(find . -name "*.ncl" -type f \
! -path "./target/*" \
! -path "./.git/*" \
! -path "./node_modules/*" \
| head -20)
if [ -z "$SCHEMAS" ]; then
echo " No Nickel schemas found"
exit 0
fi
export NICKEL_IMPORT_PATH="/Users/Akasha/Tools/dev-system/ci/schemas:/Users/Akasha/Tools/dev-system/ci/validators:/Users/Akasha/Tools/dev-system/ci/defaults:."
for schema in $SCHEMAS; do
echo " Checking: $schema"
nickel typecheck "$schema" || exit 1
done
echo " ✓ All Nickel schemas valid"
# Lint Markdown files
ci-lint-markdown:
@echo "🔍 Linting Markdown files..."
@command -v markdownlint-cli2 >/dev/null || (echo "❌ markdownlint-cli2 not installed: npm install markdownlint-cli2"; exit 1)
markdownlint-cli2 "**/*.md" "#node_modules" "#.git"
# Lint prose/documentation
ci-lint-prose:
@echo "🔍 Linting prose with Vale..."
@command -v vale >/dev/null || (echo "❌ vale not installed: brew install vale"; exit 1)
vale sync
vale .
# ==============================================================================
# Testing
# ==============================================================================
# Run all tests
ci-test:
@echo "🧪 Running tests..."
cargo test --workspace --all-features
# Run tests with coverage (requires cargo-llvm-cov)
ci-test-coverage:
@echo "📊 Running tests with coverage..."
cargo llvm-cov --all-features --lcov --output-path lcov.info
# End-to-end credential chain smoke (ADR-017 + ADR-019).
# Pushes a throwaway vault to ZOT, pulls it back from an isolated HOME, decrypts.
# Skipped automatically when ZOT credentials are not exported — keeps `ci-full`
# green on CI workers without registry access. To run it: export
# RECOVERY_ZOT_USER and RECOVERY_ZOT_PASS, then `just ci-secrets-smoke`.
ci-secrets-smoke:
#!/usr/bin/env bash
set -euo pipefail
if [[ -z "${RECOVERY_ZOT_USER:-}${ZOT_USER:-}" ]] || [[ -z "${RECOVERY_ZOT_PASS:-}${ZOT_PASS:-}" ]]; then
echo "🔐 ci-secrets-smoke: skipped (RECOVERY_ZOT_USER/PASS not set)"
exit 0
fi
echo "🔐 Running credential chain smoke..."
bash reflection/tests/test_credential_chain.sh
# Vault lock concurrency smoke (ADR-017 G1). Same skip-when-unauth behavior.
ci-vault-lock-smoke:
#!/usr/bin/env bash
set -euo pipefail
if [[ -z "${RECOVERY_ZOT_USER:-}${ZOT_USER:-}" ]] || [[ -z "${RECOVERY_ZOT_PASS:-}${ZOT_PASS:-}" ]]; then
echo "🔐 ci-vault-lock-smoke: skipped (RECOVERY_ZOT_USER/PASS not set)"
exit 0
fi
echo "🔐 Running vault lock concurrency smoke..."
bash reflection/tests/test_vault_lock.sh
# Named-error fixture coverage (15 [error-tag] cases — protocol baseline).
# Always runs — the fixtures are local, no registry needed.
ci-secrets-error-fixtures:
@echo "🔐 Running named-error fixture coverage..."
nu reflection/tests/test_secrets.nu
# ==============================================================================
# Security Auditing
# ==============================================================================
# Run all security audits
ci-audit: ci-audit-rust
@echo "✅ All security audits passed!"
# Audit Rust dependencies
ci-audit-rust:
@echo "🔒 Auditing Rust dependencies..."
cargo audit
cargo deny check licenses
cargo deny check advisories
# Assert reflection/forms/config.ncl and config.ncl.j2 have matching fields
ci-check-config-sync:
@echo "🔍 Checking config form/template sync..."
nu install/check-config-sync.nu
# Generate SBOM
ci-sbom:
@echo "📦 Generating Software Bill of Materials..."
cargo sbom > sbom.json
@echo "✓ SBOM generated: sbom.json"
# ==============================================================================
# Documentation
# ==============================================================================
# Generate documentation (alias — prefer dev-docs)
docs:
just dev-docs
# Check documentation — broken intra-doc links are compile errors, not warnings.
# RUSTDOCFLAGS are inherited by cargo doc; -D flags turn lint groups into hard errors.
ci-docs:
RUSTDOCFLAGS="-D rustdoc::broken-intra-doc-links -D rustdoc::private-intra-doc-links" \
cargo doc --all-features --no-deps --workspace 2>&1
# ==============================================================================
# Pre-commit Setup
# ==============================================================================
# Install pre-commit hooks (alias — prefer dev-setup-hooks)
setup-hooks:
just dev-setup-hooks
# Run pre-commit on all files (alias — prefer dev-hooks-run-all)
hooks-run-all:
just dev-hooks-run-all
# ==============================================================================
# Install
# ==============================================================================
# Build and install ontoref locally (binary + CLI wrapper + data + nulib + config dir).
# Despite the name, this installs the full ontoref distribution — see install/install.nu.
install-daemon:
just build-daemon
# Alias for install-daemon — clearer name for the full local install.
install:
just install-daemon
# ==============================================================================
# Utility Commands
# ==============================================================================
# Clean build artifacts (alias — prefer dev-clean)
clean:
just dev-clean
Reference in a new issue View git blame Copy permalink