jesus/ontoref
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ontoref/reflection/nulib/bootstrap.nu
Jesús Pérez 82a358f18d
Some checks failed
Nickel Type Check / Nickel Type Checking (push) Has been cancelled
Details
Rust CI / Security Audit (push) Has been cancelled
Details
Rust CI / Check + Test + Lint (push) Has been cancelled
Details
feat: #[onto_mcp_tool] catalog, OCI credential vault layer, validate ADR-018 mode hierarchy 
ontoref-derive: #[onto_mcp_tool] attribute macro registers MCP tool unit-structs in
  the catalog at link time via inventory::submit!; annotated item is emitted unchanged,
  ToolBase/AsyncTool impls stay on the struct. All 34 tools migrated from manual wiring
  (net +5: ontoref_list_projects, ontoref_search, ontoref_describe,
  ontoref_list_ontology_extensions, ontoref_get_ontology_extension).

  validate modes (ADR-018): reads level_hierarchy from workflow.ncl and checks every
  .ncl mode for level declared, strategy declared, delegate chain coherent, compose
  extends valid. mode resolve <id> shows which hierarchy level handles a mode and why.
  --self-test generates synthetic fixtures in a temp dir for CI smoke-testing.

  validate run-cargo: two-step Cargo.toml resolution — workspace layout first
  (crates/<check.crate>/Cargo.toml), single-crate fallback by package name or repo
  basename. Lets the same ADR constraint shape apply to workspace and single-crate repos.

  ontology/schemas/manifest.ncl: registry_topology_type contract — multi-registry
  coordination, push targets, participant scopes, per-namespace capability.

  reflection/requirements/base.ncl: oras ≥1.2.0, cosign ≥2.0.0, sops ≥3.9.0, age
  ≥1.1.0, restic declared as Hard/Soft requirements with version_min, check_cmd, and
  install_hint (ADR-017 toolchain surface).

  ADR-019: per-file recipient routing for tenant isolation without multi-vault. Schema
  additions: sops.recipient_groups + sops.recipient_rules in ontoref-project.ncl.
  secrets-bootstrap generates .sops.yaml from project.ncl in declarative mode. Three
  new secrets-audit checks: recipient-routing-coherent, recipient-routing-coverage,
  no-multi-vault. Adoption templates: single-team/, multi-tenant/, agent-first/.
  Integration templates: domain-producer/, mode-producer/, mode-consumer/.

  UI: project_picker surfaces registry badge (⟳ participant) and vault badge
  (⛁ vault_id · N, green=declarative / amber=legacy) per project card. Expanded panel
  adds collapsible Registry section with namespace, endpoint, and push/pull capability.
  manage.html gains Runtime Services card — MCP and GraphQL toggleable without restart
  via HTMX POST /ui/manage/services/{service}/toggle.

  describe.nu: capabilities JSON includes registry_topology and vault_state per project.
  sync.nu: drift check extended to detect //! absence on newly registered crates.
  qa.ncl: six entries — credential-vault-best-practice (layered data-flow diagram),
  credential-vault-templates (paths A/B/C), credential-vault-troubleshooting (15 named
  errors), integration-what-and-why (ADR-042 OCI federation), integration-how-to-implement,
  integration-troubleshooting.

  on+re: core.ncl + manifest.ncl updated to reflect OCI, MCP, and mode-hierarchy nodes.
  Deleted stale presentation assets (2026-02 slides + voice notes).
2026-05-12 04:46:15 +01:00

105 lines
4.3 KiB
Text
Raw Blame History

#!/usr/bin/env nu
# reflection/nulib/bootstrap.nu — NCL pipe bootstrap helper for development use.
#
# Implements ADR-004: validates config via nickel export and pipes JSON to a
# target process via --config-stdin. For interactive/dev use only — system
# service launchers must use scripts/ontoref-daemon-start (bash, zero deps).
#
# Usage:
# use reflection/nulib/bootstrap.nu *
# ncl-bootstrap "~/.config/ontoref/config.ncl" "ontoref-daemon" --port 7890
# ncl-bootstrap "config.ncl" "myapp" --sops "secrets.enc.json"
# ncl-bootstrap "config.ncl" "myapp" --dry-run # print composed JSON
# Resolve NICKEL_IMPORT_PATH: config dir + platform data dir schemas.
# Prepended to any existing value so external overrides are preserved.
def nickel-import-path [ncl_file: string]: nothing -> string {
let config_dir = ($ncl_file | path dirname | path expand)
let data_dir = if ((sys host | get name) | str starts-with "Mac") {
$"($env.HOME)/Library/Application Support/ontoref"
} else {
$"($env.HOME)/.local/share/ontoref"
}
let extra = $"($config_dir):($data_dir)/schemas:($data_dir)"
let existing = ($env | get -i NICKEL_IMPORT_PATH | default "")
if ($existing | is-empty) { $extra } else { $"($extra):($existing)" }
}
# Default NATS_STREAMS_CONFIG to ~/.config/ontoref/streams.json if not already set.
# Allows the daemon to pick up the global topology without a project-local streams.json.
def nats-streams-config [ncl_file: string]: nothing -> string {
let existing = ($env | get -i NATS_STREAMS_CONFIG | default "")
if ($existing | is-not-empty) { return $existing }
let config_dir = ($ncl_file | path dirname | path expand)
$"($config_dir)/streams.json"
}
# Validate and export a Bootstrapable NCL config to JSON.
# Fails with a structured error if the export fails — the target never starts.
def ncl-export-bootstrapable [ncl_file: string]: nothing -> string {
if not ($ncl_file | path exists) {
error make { msg: $"config not found: ($ncl_file)" }
}
let import_path = (nickel-import-path $ncl_file)
let r = (do { with-env { NICKEL_IMPORT_PATH: $import_path } { ^nickel export --format json $ncl_file } } | complete)
if $r.exit_code != 0 {
error make { msg: $"config validation failed — daemon not started:\n($r.stderr | str trim)" }
}
$r.stdout
}
# Merge two JSON strings (struct config + secrets). Requires jq.
def json-merge [base: string, overlay: string]: nothing -> string {
let r = (do { echo $"($base)\n($overlay)" | ^jq -s '.[0] * .[1]' } | complete)
if $r.exit_code != 0 {
error make { msg: $"JSON merge failed:\n($r.stderr | str trim)" }
}
$r.stdout
}
# Bootstrap a process from a Bootstrapable NCL config file.
#
# Stages:
# 1. nickel export <ncl_file> → validated JSON
# 2a. sops --decrypt <sops_file> → secret merge (if --sops)
# 2b. vault kv get <vault_path> → secret merge (if --vault)
# 3. <command> --config-stdin [args] → process reads JSON from stdin
export def ncl-bootstrap [
ncl_file: string, # Bootstrapable NCL config (source of truth)
command: string, # target binary to launch
--sops: string = "", # path to SOPS-encrypted secrets file
--vault: string = "", # Vault kv path for secrets
--dry-run = false, # print composed JSON to stdout, don't launch
--stdin-flag: string = "--config-stdin",
...args: string,
]: nothing -> nothing {
let struct_json = (ncl-export-bootstrapable $ncl_file)
let composed = if ($sops | is-not-empty) {
let r = (do { ^sops --decrypt $sops } | complete)
if $r.exit_code != 0 {
error make { msg: $"SOPS decrypt failed:\n($r.stderr | str trim)" }
}
json-merge $struct_json $r.stdout
} else if ($vault | is-not-empty) {
let r = (do { ^vault kv get -format=json $vault | ^jq '.data.data' } | complete)
if $r.exit_code != 0 {
error make { msg: $"Vault lookup failed:\n($r.stderr | str trim)" }
}
json-merge $struct_json $r.stdout
} else {
$struct_json
}
if $dry_run {
print $composed
return
}
if not (which $command | is-not-empty) {
error make { msg: $"command not found: ($command)" }
}
let streams_cfg = (nats-streams-config $ncl_file)
$composed | with-env { NATS_STREAMS_CONFIG: $streams_cfg } { ^$command $stdin_flag ...$args }
}
Reference in a new issue View git blame Copy permalink