provisioning/reflection/modes/validate-ops-contract.ncl


2026-05-12 02:40:14 +01:00
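# Reflection mode that validates the NATS JetStream side of the ops contract
# (ADR-037). Every step only queries state (`nats stream info`,
# `nats consumer ls`, `nats consumer info`) and pipes JSON to `jq -e`, so a
# step fails when its predicate evaluates to false or null.
#
# `{workspace}` and `{nats_url}` inside `cmd` are placeholders, presumably
# filled in from `params` by the mode runner before the command is executed.
# NOTE(review): several commands contain a pipe, so they must run through a
# shell. Confirm the runner validates or quotes parameter values before
# substitution; `workspace` and `nats_url` are plain `String` here with no
# character restrictions.
{
  id = "validate-ops-contract",
  strategy = 'Override,
  description = "Verify NATS JetStream streams for the ops contract exist with required configuration and that ops-controller is registered as the sole WorkQueue consumer (ADR-037).",
  version = "1.0",
  params = {
    # Suffix of every stream name and prefix of the ops-controller consumer name.
    workspace | String | doc "Workspace name used to derive stream names (e.g. 'libre-wuji')" | default = "libre-wuji",
    # Passed to every `nats` invocation through --server.
    nats_url | String | doc "NATS server URL" | default = "nats://127.0.0.1:4222",
    # NOTE(review): no step below references {nats_creds_path}, so setting it
    # has no visible effect: every command runs without --creds. Against a
    # server that enforces authentication the checks would fail for the wrong
    # reason. Wire it into the commands or confirm the runner injects it.
    nats_creds_path | String | doc "Path to NATS credentials file; leave empty for unauthenticated" | default = "",
  },
  steps = [
    # Root step: all other checks depend on it, and a missing stream aborts the run.
    {
      id = "check_streams_exist",
      actor = 'Agent,
      name = "Verify OPS_PENDING / OPS_CMD / OPS_AUDIT streams exist",
      cmd = "nats stream info OPS_PENDING_{workspace} OPS_CMD_{workspace} OPS_AUDIT_{workspace} --server={nats_url}",
      depends_on = [],
      on_error = "abort",
    },
    {
      id = "check_pending_retention",
      actor = 'Agent,
      name = "OPS_PENDING stream uses WorkQueue retention",
      cmd = "nats stream info OPS_PENDING_{workspace} --server={nats_url} --json | jq -e '.config.retention == \"workqueue\"'",
      depends_on = ["check_streams_exist"],
      on_error = "abort",
    },
    # The predicate covers retention and storage only. Replay policy is a
    # consumer-level setting in JetStream and is not part of this stream
    # query, so the step name no longer claims it is verified.
    # NOTE(review): a misconfigured audit stream only warns; confirm that is
    # the intended severity for the audit trail.
    {
      id = "check_audit_retention",
      actor = 'Agent,
      name = "OPS_AUDIT stream uses Limits retention with file storage",
      cmd = "nats stream info OPS_AUDIT_{workspace} --server={nats_url} --json | jq -e '.config.retention == \"limits\" and .config.storage == \"file\"'",
      depends_on = ["check_streams_exist"],
      on_error = "warn",
    },
    # `length == 1` counts the entries returned for OPS_CMD; it does not look
    # at the consumer's name or whether it is active. Identity is only
    # established indirectly by check_consumer_ack_policy, which queries
    # {workspace}-ops-controller by name.
    # NOTE(review): consider asserting the consumer name here as well, so an
    # unexpected lone consumer is reported by this step.
    {
      id = "check_single_consumer",
      actor = 'Agent,
      name = "Verify ops-controller is the only active WorkQueue consumer on OPS_CMD",
      cmd = "nats consumer ls OPS_CMD_{workspace} --server={nats_url} --json | jq -e 'length == 1'",
      depends_on = ["check_streams_exist"],
      on_error = "abort",
    },
    # Looks the consumer up by its expected name, so this step presumably
    # also fails when {workspace}-ops-controller does not exist.
    {
      id = "check_consumer_ack_policy",
      actor = 'Agent,
      name = "ops-controller consumer must use AckPolicy=explicit",
      cmd = "nats consumer info OPS_CMD_{workspace} {workspace}-ops-controller --server={nats_url} --json | jq -e '.config.ack_policy == \"explicit\"'",
      depends_on = ["check_single_consumer"],
      on_error = "abort",
    },
    # Final step: runs after both retention checks and the ack-policy check.
    # The message is fixed text and does not report individual results.
    {
      id = "summary_report",
      actor = 'Agent,
      name = "Emit validation summary",
      cmd = "echo 'ops-contract validation complete for workspace={workspace}'",
      depends_on = [
        "check_pending_retention",
        "check_audit_retention",
        "check_consumer_ack_policy",
      ],
      on_error = "warn",
    },
  ],
}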