provisioning/reflection/modes/provisioning-audit.ncl

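let s = import "reflection/schema.ncl" in
# Mode: provisioning-audit
# Validates an existing workspace against:
# 1. Its own config schema (nickel typecheck)
# 2. Declared taskservs existence in catalog/taskservs/
# 3. Provider capability requirements
# 4. Coherence with axioms from provisioning core.ncl
#
# Required params:
# {workspace_dir} — absolute path to workspace root
# {workspace_name} — slug of the workspace
#
# Shell hygiene applied to every `cmd`:
# - `{workspace_dir}` / `{workspace_name}` are substituted by the runtime as
#   plain text, so they are double-quoted inside the command to survive
#   spaces and glob characters in the path.
# - Taskserv and provider names come from the workspace config being audited
#   (not from the catalog), so they are treated as untrusted: each name is
#   quoted, and names that are empty, start with `.` or contain `/` are
#   reported as INVALID instead of being used to build a catalog path. This
#   keeps `../`-style names from resolving outside catalog/.
# - `read -r` with `IFS=` keeps backslashes and surrounding whitespace in
#   names intact rather than silently rewriting them.
{
id = "provisioning-audit",
trigger = "Audit an existing workspace for config validity, extension completeness, and axiom coherence",
strategy = 'Override,
preconditions = [
"{workspace_dir} exists and is a directory",
"nickel is available in PATH",
"{workspace_dir}/config/ contains at least one .ncl file",
"./scripts/ontoref is executable",
],
steps = [
{
id = "validate_workspace_config",
action = "nickel_typecheck_workspace",
actor = 'Agent,
# -print0/-0 handles .ncl paths containing whitespace. xargs (rather than
# find -exec) is kept on purpose: xargs exits non-zero when any typecheck
# fails, which is what on_error = 'Stop relies on; find -exec would return 0.
# -r avoids running nickel with no file when config/ has no .ncl files.
cmd = "find \"{workspace_dir}/config\" -name '*.ncl' -print0 | xargs -0 -r -n1 nickel typecheck",
depends_on = [],
on_error = { strategy = 'Stop },
note = "Validate all workspace Nickel configs parse and typecheck. Hard failure — a workspace with invalid config cannot be certified.",
},
{
id = "list_declared_taskservs",
action = "extract_taskservs_from_config",
actor = 'Agent,
# Prints one taskserv name per line. The later steps re-run this export
# themselves rather than consuming this step's output, so the list is
# re-derived per check.
cmd = "nickel export \"{workspace_dir}/config/workspace.ncl\" | jq -r '.taskservs // [] | .[]'",
depends_on = [
{ step = "validate_workspace_config", kind = 'OnSuccess },
],
on_error = { strategy = 'Stop },
note = "Extract the list of taskservs declared in the workspace config.",
},
{
id = "verify_taskservs_exist",
action = "check_taskserv_presence",
actor = 'Agent,
# Names are validated before being joined onto catalog/taskservs/; an
# invalid name is reported and skipped so it can neither escape the catalog
# directory nor be counted as present.
cmd = "nickel export \"{workspace_dir}/config/workspace.ncl\" | jq -r '.taskservs // [] | .[]' | while IFS= read -r ts; do case \"$ts\" in \"\"|.*|*/*) echo \"INVALID taskserv name: $ts\"; continue;; esac; test -d \"catalog/taskservs/$ts\" || echo \"MISSING taskserv: $ts\"; done",
depends_on = [
{ step = "list_declared_taskservs", kind = 'OnSuccess },
],
on_error = { strategy = 'Continue },
note = "Verify each declared taskserv has a corresponding directory in catalog/taskservs/.",
},
{
id = "check_taskserv_contracts",
action = "verify_taskserv_metadata",
actor = 'Agent,
# Same name validation as verify_taskservs_exist, then checks for the
# metadata.ncl file inside the taskserv directory.
cmd = "nickel export \"{workspace_dir}/config/workspace.ncl\" | jq -r '.taskservs // [] | .[]' | while IFS= read -r ts; do case \"$ts\" in \"\"|.*|*/*) echo \"INVALID taskserv name: $ts\"; continue;; esac; test -f \"catalog/taskservs/$ts/metadata.ncl\" || echo \"MISSING metadata.ncl: $ts\"; done",
depends_on = [
{ step = "verify_taskservs_exist", kind = 'Always },
],
on_error = { strategy = 'Continue },
note = "Verify each taskserv has metadata.ncl declaring its capabilities and contracts.",
},
{
id = "verify_provider_capabilities",
action = "check_provider_capability_match",
actor = 'Agent,
# The provider name is captured once so the empty / invalid case is handled
# explicitly instead of depending on how xargs treats empty input. An empty
# or path-like provider value is reported with the same message as a
# missing catalog entry.
cmd = "provider=$(nickel export \"{workspace_dir}/config/workspace.ncl\" | jq -r '.provider // empty'); case \"$provider\" in \"\"|.*|*/*) echo 'MISSING or mismatched provider';; *) test -d \"catalog/providers/$provider\" || echo 'MISSING or mismatched provider';; esac",
depends_on = [
{ step = "validate_workspace_config", kind = 'OnSuccess },
],
on_error = { strategy = 'Continue },
note = "Verify the declared provider exists in catalog/providers/ and supports the workspace's required capabilities.",
},
{
id = "check_axiom_coherence",
action = "verify_provisioning_axioms",
actor = 'Agent,
cmd = "./scripts/ontoref describe \"{workspace_name}\" --check-axioms provisioning:config-driven-always,provisioning:type-safety-nickel",
depends_on = [
{ step = "validate_workspace_config", kind = 'OnSuccess },
{ step = "check_taskserv_contracts", kind = 'Always },
{ step = "verify_provider_capabilities", kind = 'Always },
],
on_error = { strategy = 'Continue },
note = "Verify the workspace config does not violate provisioning axioms — no hardcoded values, all config via typed Nickel.",
},
{
id = "generate_audit_report",
action = "write_audit_output",
actor = 'Agent,
# Runs with kind = 'Always on the preceding check so a report is produced
# even when earlier checks reported findings.
cmd = "./scripts/ontoref describe \"{workspace_name}\" --format audit",
depends_on = [
{ step = "check_axiom_coherence", kind = 'Always },
],
on_error = { strategy = 'Stop },
note = "Generate the compliance report: pass/fail per check, missing extensions, axiom violations.",
},
],
postconditions = [
"Workspace config validates against Nickel schemas without errors",
"All declared taskservs exist and have metadata.ncl",
"Provider capabilities match workspace requirements",
"No provisioning axiom violations detected",
"Audit report generated with pass/fail per check",
],
} | (s.Mode String)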