
# schemas/lib/integration/oci_artifact_format.ncl
#
# OCI artifact descriptors for the federated integration-modes protocol.
# Two artifact kinds:
# DomainArtifact — typed contract pushed by the domain owner
# ModeArtifact — integration mode manifest pushed by the participant
#
# Also exports:
# Invocation — how a mode step binary is invoked
# DomainLock — per-workspace lock file written after `prvng integration pull`
# Allowed origins for a mode step binary. 'cargo_install and 'oci_blob pair
# with the `cargo_crate` and `oci_layer` fields of Invocation.binary.
# NOTE(review): 'path_assumed presumably means the binary is expected to be on
# the caller's PATH already, with no version or digest to check it against;
# confirm against the resolver.
let _binary_source = [|
  'path_assumed,
  'cargo_install,
  'oci_blob
|] in
# How the invocation context is handed to the binary (stdin or a file path).
let _invocation_method = [|
  'stdin_context,
  'argv_context_file
|] in
# Schema for resolving and running the binary behind a mode step.
let _Invocation = {
  # How the JSON context reaches the binary.
  method
    | _invocation_method
    | doc "stdin_context: JSON piped to stdin; argv_context_file: path written to a temp file, passed as $1",
  binary
    | {
      source | _binary_source,
      name | String,
      version | String | optional,
      # NOTE(review): documented as required for 'cargo_install, but the schema
      # only marks it optional; nothing here rejects a 'cargo_install binary
      # that has no crate name.
      cargo_crate
        | String
        | optional
        | doc "Required when source = 'cargo_install",
      # NOTE(review): any string is accepted and the documented example is a
      # tag reference, which a registry can repoint to different content. A
      # digest-pinned reference would tie the step to one blob; confirm what
      # the puller verifies before the binary is executed.
      oci_layer
        | String
        | optional
        | doc "OCI blob reference when source = 'oci_blob — e.g. reg.librecloud.online/binaries/lian-build:0.3.0",
    },
  # Extra arguments and environment entries for the binary; both default to empty.
  # NOTE(review): `env` values are plain strings in this record; presumably
  # not the place for credentials. Confirm how callers populate it.
  args | Array String | default = [],
  env | { _ | String } | default = {},
} in
# Describes one layer listed in an artifact manifest.
let _LayerDescriptor = {
  media_type | String,
  description | String,
  # A layer counts as required unless the descriptor says otherwise.
  required
    | Bool
    | default = true,
} in
# DomainArtifact: the typed contract a domain owner pushes to
# reg.librecloud.online/domains/<id>:<semver>
# (mediaType application/vnd.ontoref.domain.v1).
let _DomainArtifact = {
  media_type
    | String
    | default = "application/vnd.ontoref.domain.v1",
  id
    | String
    | doc "Stable domain identifier, e.g. 'secret-delivery'",
  # NOTE(review): described as semver, but only checked to be a string.
  version
    | String
    | doc "Semver of the domain contract",
  description | String,
  # NOTE(review): the doc text says a 'contract.ncl' layer is always required.
  # This contract only checks that each element is a LayerDescriptor, so the
  # presence of that layer has to be verified elsewhere.
  layers
    | Array _LayerDescriptor
    | doc "Expected layers in the OCI image. 'contract.ncl' layer is always required.",
  # ADR-017 G2: explicit dependency declaration. Names a RegistryEntry.id from
  # the consuming project's manifest.registry_provides.registries[], which lets
  # `ore secrets close` report the artifacts affected by a credential change.
  # Empty means the artifact does not consume registry credentials.
  uses_registry
    | String
    | optional
    | doc "RegistryEntry.id this artifact's runtime depends on",
} in
# ModeArtifact: the integration mode manifest a participant pushes to
# reg.librecloud.online/modes/<id>:<semver>
# (mediaType application/vnd.ontoref.mode.v1).
let _ModeArtifact = {
  media_type
    | String
    | default = "application/vnd.ontoref.mode.v1",
  id | String,
  version | String,
  description | String,
  # NOTE(review): a free-form string naming the owner; nothing in this schema
  # ties it to the identity that pushed the artifact. Confirm where ownership
  # is actually checked.
  participant
    | String
    | doc "Originating project/workspace that owns this mode",
  layers | Array _LayerDescriptor,
  # Same dependency declaration as on DomainArtifact (ADR-017 G2).
  uses_registry
    | String
    | optional
    | doc "RegistryEntry.id this mode's runtime depends on (ADR-017 G2)",
} in
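# One resolved domain inside the lock file written to
# infra/<ws>/integrations/<mode-id>.lock.ncl after a successful pull.
# Entries are keyed by domain id and record the resolved version and digest
# for reproducibility.
let _DomainLockEntry = {
  version | String,
  # The digest is what pins the pulled content, so its shape is enforced:
  # "sha256:" followed by 64 lowercase hex characters, matching the documented
  # format. A tag, an empty string or a truncated digest now fails the
  # contract instead of being accepted into the lock.
  digest
    | String
    | std.contract.from_predicate (fun value => std.string.is_match "^sha256:[a-f0-9]{64}$" value)
    | doc "OCI manifest digest, sha256:...",
  # NOTE(review): documented as ISO-8601, but only checked to be a string.
  pulled_at
    | String
    | doc "ISO-8601 timestamp",
  media_type | String,
} in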
# Lock file body: a schema version plus one DomainLockEntry per key of `domains`.
let _DomainLock = {
  schema_version
    | String
    | default = "0.1.0",
  domains
    | { _ | _DomainLockEntry },
} in
# Public names exported by this module; each maps to the private contract above.
{
  Invocation = _Invocation,
  LayerDescriptor = _LayerDescriptor,
  DomainArtifact = _DomainArtifact,
  ModeArtifact = _ModeArtifact,
  DomainLockEntry = _DomainLockEntry,
  DomainLock = _DomainLock,
}