d59644b96f
The full scope across this batch: POST /sessions key→token exchange, SessionStore dual-index with revoke_by_id, CLI Bearer injection (ONTOREF_TOKEN), ontoref setup --gen-keys, install scripts, daemon config form roundtrip, ADR-004/005, on+re self-description update (fully-self-described), and landing page refresh.
43 lines
1.4 KiB
Plaintext
43 lines
1.4 KiB
Plaintext
# bootstrap.ncl — contract for NCL configs delivered via pipe to a process.
|
|
#
|
|
# A Bootstrapable config satisfies three properties:
|
|
# 1. Exportable to JSON by `nickel export` without side effects or system calls
|
|
# 2. Contains no secret values — secrets are injected at bootstrap time (SOPS/Vault)
|
|
# 3. Declares _bootstrapable = true as a machine-checkable marker
|
|
#
|
|
# Usage in a config file:
|
|
# let B = import "ontology/schemas/bootstrap.ncl" in
|
|
# { ... } | B.Bootstrapable
|
|
|
|
{
|
|
# Secret reference — a placeholder that the bootstrap pipeline resolves via SOPS or Vault.
|
|
# The NCL file stores only the reference, never the value.
|
|
SecretRef = {
|
|
_secret_ref | Bool | default = true,
|
|
source | [| 'sops, 'vault, 'env |],
|
|
path | String,
|
|
},
|
|
|
|
# Core contract: any config NCL to be used with ncl-bootstrap must satisfy this.
|
|
Bootstrapable = {
|
|
_bootstrapable | Bool | default = true,
|
|
},
|
|
|
|
# Pipeline stage descriptor — documents what each stage does.
|
|
# Used in ADR rationale and tooling introspection.
|
|
Stage = {
|
|
name | String,
|
|
command | String,
|
|
purpose | String,
|
|
secrets | Bool | default = false,
|
|
required | Bool | default = true,
|
|
},
|
|
|
|
# Full bootstrap pipeline declaration — optional, for self-documenting configs.
|
|
Pipeline = {
|
|
stages | Array Stage,
|
|
target | String, # the final process command
|
|
stdin_flag | String | default = "--config-stdin",
|
|
},
|
|
}
|