provisioning/schemas/lib/capabilities.ncl

# schemas/lib/capabilities.ncl — InfraCapabilities contract
#
# Declares what the infrastructure provides: cluster runtime, storage classes,
# ingress, TLS, volumes, networking, and registry topology.
# Source of truth for cross-validation against component requires.* fields
# and for registry resolution by integration tooling (prvng i).
#
# Usage:
#   let cap = import "schemas/lib/capabilities.ncl" in
#   { provides | cap.InfraCapabilities = { ... } }

{
  # Registry roles — determines namespace ownership and sync direction.
  #   'primary  canonical store; other registries replicate FROM it
  #   'build    builder-local store; owns ephemeral cache namespaces
  #   'dev      developer workstation; on-demand mirror of primary
  #   'mirror   read-only replica with no own namespaces
  RegistryRole = [| 'primary, 'build, 'dev, 'mirror |],

  # Per-registry namespace policy.
  #   own          — namespaces this registry is authoritative for
  #   replicate_to — ids of other registries that should receive sync of `prefixes`
  #   mirror_from  — id of upstream registry to mirror `prefixes` from (on-demand)
  #   prefixes     — which namespace prefixes are synced (cross-registry contracts)
  RegistryNamespaces = {
    own          | Array String | default = [],
    replicate_to | Array String | default = [],
    mirror_from  | String       | optional,
    prefixes     | Array String | default = [],
  },

  RegistryEntry = {
    id         | String,
    endpoint   | String,
    role       | RegistryRole,
    tls        | Bool   | default = true,
    namespaces | RegistryNamespaces | default = {},
  },

  # Multi-registry topology for a workspace.
  #   registries — ordered list; first 'primary entry is the canonical store
  #   default    — id of the registry used by integration tooling when no
  #                --registry flag or PROVISIONING_REGISTRY env is set
  RegistriesConfig = {
    registries | Array RegistryEntry | default = [],
    default    | String | optional,
  },

  InfraCapabilities = {
    cluster | {
      name    | String,
      runtime | String,
      ..
    } | optional,
    storage_classes   | Array String | default = [],
    ingress_class     | String | optional,
    container_runtime | String | optional,
    volumes           | { _ | { mount | String, size_gb | Number } } | default = {},
    networking | {
      private_network | String | optional,
      subnet          | String | optional,
      floating_ip     | String | optional,
      ..
    } | default = {},
    tls | {
      cluster_issuer | String | optional,
      available      | Bool | default = false,
      ..
    } | default = {},
    registries | RegistriesConfig | default = {},
    ..
  },
}
docs: update README and CHANGELOG for nickel branch (2026-05-12) 2026-05-12 02:23:01 +01:00			`# schemas/lib/capabilities.ncl — InfraCapabilities contract`
			`#`
			`# Declares what the infrastructure provides: cluster runtime, storage classes,`
			`# ingress, TLS, volumes, networking, and registry topology.`
			`# Source of truth for cross-validation against component requires.* fields`
			`# and for registry resolution by integration tooling (prvng i).`
			`#`
			`# Usage:`
			`# let cap = import "schemas/lib/capabilities.ncl" in`
			`# { provides \| cap.InfraCapabilities = { ... } }`

			`{`
			`# Registry roles — determines namespace ownership and sync direction.`
			`# 'primary canonical store; other registries replicate FROM it`
			`# 'build builder-local store; owns ephemeral cache namespaces`
			`# 'dev developer workstation; on-demand mirror of primary`
			`# 'mirror read-only replica with no own namespaces`
			`RegistryRole = [\| 'primary, 'build, 'dev, 'mirror \|],`

			`# Per-registry namespace policy.`
			`# own — namespaces this registry is authoritative for`
			# replicate_to — ids of other registries that should receive sync of `prefixes`
			# mirror_from — id of upstream registry to mirror `prefixes` from (on-demand)
			`# prefixes — which namespace prefixes are synced (cross-registry contracts)`
			`RegistryNamespaces = {`
			`own \| Array String \| default = [],`
			`replicate_to \| Array String \| default = [],`
			`mirror_from \| String \| optional,`
			`prefixes \| Array String \| default = [],`
			`},`

			`RegistryEntry = {`
			`id \| String,`
			`endpoint \| String,`
			`role \| RegistryRole,`
			`tls \| Bool \| default = true,`
			`namespaces \| RegistryNamespaces \| default = {},`
			`},`

			`# Multi-registry topology for a workspace.`
			`# registries — ordered list; first 'primary entry is the canonical store`
			`# default — id of the registry used by integration tooling when no`
			`# --registry flag or PROVISIONING_REGISTRY env is set`
			`RegistriesConfig = {`
			`registries \| Array RegistryEntry \| default = [],`
			`default \| String \| optional,`
			`},`

			`InfraCapabilities = {`
			`cluster \| {`
			`name \| String,`
			`runtime \| String,`
			`..`
			`} \| optional,`
			`storage_classes \| Array String \| default = [],`
			`ingress_class \| String \| optional,`
			`container_runtime \| String \| optional,`
			`volumes \| { _ \| { mount \| String, size_gb \| Number } } \| default = {},`
			`networking \| {`
			`private_network \| String \| optional,`
			`subnet \| String \| optional,`
			`floating_ip \| String \| optional,`
			`..`
			`} \| default = {},`
			`tls \| {`
			`cluster_issuer \| String \| optional,`
			`available \| Bool \| default = false,`
			`..`
			`} \| default = {},`
			`registries \| RegistriesConfig \| default = {},`
			`..`
			`},`
			`}`