provisioning/schemas/platform/validators/vault-service-validator.ncl

# Vault Service Validator

let vault_schema = import "../schemas/vault-service.ncl" in
let constraints = import "../constraints/constraints.toml" in

{
  validate_vault_config | vault_schema.VaultServiceConfig -> Array String = fun config =>
    let errors = [] in
    let errors = if config.server.port < constraints.vault_service.port.min
                 then errors @ ["Server port below minimum (#{constraints.vault_service.port.min})"]
                 else if config.server.port > constraints.vault_service.port.max
                      then errors @ ["Server port above maximum (#{constraints.vault_service.port.max})"]
                      else errors in
    let errors = if std.array.length config.vault.mount_point == 0
                 then errors @ ["Mount point cannot be empty"]
                 else errors in
    let errors = if config.vault.key_name |> std.array.length < 1
                 then errors @ ["Key name is required"]
                 else errors in
    let errors = if config.vault.storage_backend == "surrealdb"
                 then if std.is_null (std.string.contains ":" config.vault.server_url)
                      then errors @ ["SurrealDB mode requires valid server URL"]
                      else errors
                 else errors in
    let errors = if config.vault.tls_verify == true
                 then if std.is_null config.vault.tls_ca_cert
                      then errors @ ["TLS verification enabled but CA cert not provided"]
                      else errors
                 else errors in
    errors,
}
chore: complete nickel migration and consolidate legacy configs - Remove KCL ecosystem (~220 files deleted) - Migrate all infrastructure to Nickel schema system - Consolidate documentation: legacy docs → provisioning/docs/src/ - Add CI/CD workflows (.github/) and Rust build config (.cargo/) - Update core system for Nickel schema parsing - Update README.md and CHANGES.md for v5.0.0 release - Fix pre-commit hooks: end-of-file, trailing-whitespace - Breaking changes: KCL workspaces require migration - Migration bridge available in docs/src/development/ 2026-01-08 09:55:37 +00:00			`# Vault Service Validator`

			`let vault_schema = import "../schemas/vault-service.ncl" in`
			`let constraints = import "../constraints/constraints.toml" in`

			`{`
			`validate_vault_config \| vault_schema.VaultServiceConfig -> Array String = fun config =>`
			`let errors = [] in`
			`let errors = if config.server.port < constraints.vault_service.port.min`
			`then errors @ ["Server port below minimum (#{constraints.vault_service.port.min})"]`
			`else if config.server.port > constraints.vault_service.port.max`
			`then errors @ ["Server port above maximum (#{constraints.vault_service.port.max})"]`
			`else errors in`
			`let errors = if std.array.length config.vault.mount_point == 0`
			`then errors @ ["Mount point cannot be empty"]`
			`else errors in`
			`let errors = if config.vault.key_name \|> std.array.length < 1`
			`then errors @ ["Key name is required"]`
			`else errors in`
			`let errors = if config.vault.storage_backend == "surrealdb"`
			`then if std.is_null (std.string.contains ":" config.vault.server_url)`
			`then errors @ ["SurrealDB mode requires valid server URL"]`
			`else errors`
			`else errors in`
			`let errors = if config.vault.tls_verify == true`
			`then if std.is_null config.vault.tls_ca_cert`
			`then errors @ ["TLS verification enabled but CA cert not provided"]`
			`else errors`
			`else errors in`
			`errors,`
			`}`