provisioning/schemas/modes/contracts.ncl

# Execution Mode Contracts - Contract Definitions
# Provides type contracts for all execution mode schemas

let lib = import "../lib/main.ncl" in
let oci_contracts = import "../oci_registry/contracts.ncl" in

{
  # Authentication type enum (documented via comments)
  # Values: "none" | "token" | "mtls" | "oauth" | "kms"
  AuthType = fun label value =>
    if std.array.elem value ["none", "token", "mtls", "oauth", "kms"] then
      value
    else
      std.contract.blame_with_message "auth_type must be one of: none, token, mtls, oauth, kms" label,

  # Deployment type enum
  # Values: "local" | "remote" | "k8s" | "disabled"
  DeploymentType = fun label value =>
    if std.array.elem value ["local", "remote", "k8s", "disabled"] then
      value
    else
      std.contract.blame_with_message "deployment must be one of: local, remote, k8s, disabled" label,

  # Mode name enum
  # Values: "solo" | "multi-user" | "cicd" | "enterprise"
  ModeName = fun label value =>
    if std.array.elem value ["solo", "multi-user", "cicd", "enterprise"] then
      value
    else
      std.contract.blame_with_message "mode_name must be one of: solo, multi-user, cicd, enterprise" label,

  # Extension source enum
  # Values: "local" | "gitea" | "oci" | "mixed"
  ExtensionSource = fun label value =>
    if std.array.elem value ["local", "gitea", "oci", "mixed"] then
      value
    else
      std.contract.blame_with_message "source must be one of: local, gitea, oci, mixed" label,

  # Locking strategy enum
  # Values: "disabled" | "enabled" | "required"
  LockingStrategy = fun label value =>
    if std.array.elem value ["disabled", "enabled", "required"] then
      value
    else
      std.contract.blame_with_message "locking must be one of: disabled, enabled, required" label,

  # Git integration enum
  # Values: "disabled" | "optional" | "required"
  GitIntegration = fun label value =>
    if std.array.elem value ["disabled", "optional", "required"] then
      value
    else
      std.contract.blame_with_message "git_integration must be one of: disabled, optional, required" label,

  # Isolation level enum
  # Values: "none" | "user" | "strict"
  IsolationLevel = fun label value =>
    if std.array.elem value ["none", "user", "strict"] then
      value
    else
      std.contract.blame_with_message "isolation must be one of: none, user, strict" label,

  # DNS modification enum
  # Values: "none" | "coredns" | "system"
  DnsModification = fun label value =>
    if std.array.elem value ["none", "coredns", "system"] then
      value
    else
      std.contract.blame_with_message "dns_modification must be one of: none, coredns, system" label,

  # Token format enum
  # Values: "jwt" | "opaque"
  TokenFormat = fun label value =>
    if std.array.elem value ["jwt", "opaque"] then
      value
    else
      std.contract.blame_with_message "token_format must be one of: jwt, opaque" label,

  # Image pull policy enum
  # Values: "Always" | "IfNotPresent" | "Never"
  ImagePullPolicy = fun label value =>
    if std.array.elem value ["Always", "IfNotPresent", "Never"] then
      value
    else
      std.contract.blame_with_message "image_pull_policy must be one of: Always, IfNotPresent, Never" label,

  TokenConfig = {
    token_path | String,
    token_format | TokenFormat | optional = "jwt",
    expiry_seconds | lib.PositiveNumber | optional = 86400,
    refresh_enabled | Bool | optional = true,
  },

  MTLSConfig = {
    client_cert_path | String,
    client_key_path | String,
    ca_cert_path | String,
    verify_server | Bool | optional = true,
  },

  OAuthConfig = {
    provider_url | String,
    client_id | String,
    client_secret_path | String,
    scopes | Array String | optional = ["read", "write"],
    redirect_uri | String | optional,
  },

  AuthenticationStrategy = {
    auth_type | AuthType,
    token_config | TokenConfig | optional,
    mtls_config | MTLSConfig | optional,
    oauth_config | OAuthConfig | optional,
    ssh_key_storage | String | optional = "local",
  },

  HealthCheck = {
    enabled | Bool | optional = true,
    endpoint | String | optional = "/health",
    interval | lib.PositiveNumber | optional = 10,
    timeout | lib.PositiveNumber | optional = 5,
    healthy_threshold | lib.PositiveNumber | optional = 2,
    unhealthy_threshold | lib.PositiveNumber | optional = 3,
  },

  LocalServiceConfig = {
    binary_path | String | optional,
    config_path | String | optional,
    data_dir | String,
    port | lib.PortNumber,
    bind_address | String | optional = "127.0.0.1",
    tls_enabled | Bool | optional = false,
  },

  RemoteServiceConfig = {
    endpoint | String,
    port | lib.PortNumber | optional,
    tls_enabled | Bool | optional = true,
    verify_ssl | Bool | optional = true,
    timeout | lib.PositiveNumber | optional = 30,
    retries | lib.PositiveNumber | optional = 3,
  },

  K8sResources = {
    cpu_request | String | optional = "100m",
    cpu_limit | String | optional = "500m",
    memory_request | String | optional = "128Mi",
    memory_limit | String | optional = "512Mi",
  },

  K8sServiceConfig = {
    namespace | String | optional = "provisioning",
    deployment_name | String,
    service_name | String,
    replicas | lib.PositiveNumber | optional = 1,
    image | String,
    image_pull_policy | ImagePullPolicy | optional = "IfNotPresent",
    resources | K8sResources | optional,
  },

  ServiceConfig = {
    deployment | DeploymentType,
    local_config | LocalServiceConfig | optional,
    remote_config | RemoteServiceConfig | optional,
    k8s_config | K8sServiceConfig | optional,
    auto_start | Bool | optional = false,
    health_check | HealthCheck | optional,
  },

  ServiceDeployments = {
    orchestrator | ServiceConfig,
    control_center | ServiceConfig | optional,
    coredns | ServiceConfig | optional,
    gitea | ServiceConfig | optional,
    oci_registry | oci_contracts.OCIRegistryConfig,
    custom_services | {_: ServiceConfig} | optional,
  },

  GiteaConfig = {
    url | String,
    organization | String | optional = "provisioning",
    username | String | optional,
    token_path | String | optional,
    verify_ssl | Bool | optional = true,
  },

  OCIExtensionConfig = {
    enabled | Bool | optional = true,
    endpoint | String,
    namespace | String | optional = "provisioning-extensions",
    auth_token_path | String | optional,
    tls_enabled | Bool | optional = true,
    verify_ssl | Bool | optional = true,
    cache_dir | String | optional = "~/.provisioning/oci-cache",
  },

  ExtensionConfig = {
    source | ExtensionSource,
    local_path | String | optional,
    gitea_config | GiteaConfig | optional,
    oci_registry | OCIExtensionConfig | optional,
    allow_mixed | Bool | optional = false,
  },

  WorkspacePolicy = {
    locking | LockingStrategy,
    lock_provider | String | optional,
    git_integration | GitIntegration,
    isolation | IsolationLevel | optional = "user",
    max_workspaces_per_user | lib.PositiveNumber | optional,
  },

  SecurityConfig = {
    encryption_at_rest | Bool | optional = false,
    encryption_in_transit | Bool | optional = false,
    secret_provider | {..} | optional,
    dns_modification | DnsModification | optional = "none",
    audit_logging | Bool | optional = false,
    audit_log_path | String | optional,
    network_isolation | Bool | optional = false,
  },

  ResourceLimits = {
    max_servers_per_user | lib.PositiveNumber | optional = 10,
    max_cpu_cores_per_user | lib.PositiveNumber | optional = 32,
    max_memory_gb_per_user | lib.PositiveNumber | optional = 128,
    max_storage_gb_per_user | lib.PositiveNumber | optional = 500,
    max_total_servers | lib.PositiveNumber | optional,
    max_total_cpu_cores | lib.PositiveNumber | optional,
    max_total_memory_gb | lib.PositiveNumber | optional,
  },

  ExecutionMode = {
    mode_name | ModeName,
    description | String,
    authentication | AuthenticationStrategy,
    services | ServiceDeployments,
    extensions | ExtensionConfig,
    workspaces | WorkspacePolicy,
    security | SecurityConfig,
    resource_limits | ResourceLimits | optional,
  },
}
chore: complete nickel migration and consolidate legacy configs - Remove KCL ecosystem (~220 files deleted) - Migrate all infrastructure to Nickel schema system - Consolidate documentation: legacy docs → provisioning/docs/src/ - Add CI/CD workflows (.github/) and Rust build config (.cargo/) - Update core system for Nickel schema parsing - Update README.md and CHANGES.md for v5.0.0 release - Fix pre-commit hooks: end-of-file, trailing-whitespace - Breaking changes: KCL workspaces require migration - Migration bridge available in docs/src/development/ 2026-01-08 09:55:37 +00:00			`# Execution Mode Contracts - Contract Definitions`
			`# Provides type contracts for all execution mode schemas`

			`let lib = import "../lib/main.ncl" in`
			`let oci_contracts = import "../oci_registry/contracts.ncl" in`

			`{`
			`# Authentication type enum (documented via comments)`
			`# Values: "none" \| "token" \| "mtls" \| "oauth" \| "kms"`
			`AuthType = fun label value =>`
			`if std.array.elem value ["none", "token", "mtls", "oauth", "kms"] then`
			`value`
			`else`
			`std.contract.blame_with_message "auth_type must be one of: none, token, mtls, oauth, kms" label,`

			`# Deployment type enum`
			`# Values: "local" \| "remote" \| "k8s" \| "disabled"`
			`DeploymentType = fun label value =>`
			`if std.array.elem value ["local", "remote", "k8s", "disabled"] then`
			`value`
			`else`
			`std.contract.blame_with_message "deployment must be one of: local, remote, k8s, disabled" label,`

			`# Mode name enum`
			`# Values: "solo" \| "multi-user" \| "cicd" \| "enterprise"`
			`ModeName = fun label value =>`
			`if std.array.elem value ["solo", "multi-user", "cicd", "enterprise"] then`
			`value`
			`else`
			`std.contract.blame_with_message "mode_name must be one of: solo, multi-user, cicd, enterprise" label,`

			`# Extension source enum`
			`# Values: "local" \| "gitea" \| "oci" \| "mixed"`
			`ExtensionSource = fun label value =>`
			`if std.array.elem value ["local", "gitea", "oci", "mixed"] then`
			`value`
			`else`
			`std.contract.blame_with_message "source must be one of: local, gitea, oci, mixed" label,`

			`# Locking strategy enum`
			`# Values: "disabled" \| "enabled" \| "required"`
			`LockingStrategy = fun label value =>`
			`if std.array.elem value ["disabled", "enabled", "required"] then`
			`value`
			`else`
			`std.contract.blame_with_message "locking must be one of: disabled, enabled, required" label,`

			`# Git integration enum`
			`# Values: "disabled" \| "optional" \| "required"`
			`GitIntegration = fun label value =>`
			`if std.array.elem value ["disabled", "optional", "required"] then`
			`value`
			`else`
			`std.contract.blame_with_message "git_integration must be one of: disabled, optional, required" label,`

			`# Isolation level enum`
			`# Values: "none" \| "user" \| "strict"`
			`IsolationLevel = fun label value =>`
			`if std.array.elem value ["none", "user", "strict"] then`
			`value`
			`else`
			`std.contract.blame_with_message "isolation must be one of: none, user, strict" label,`

			`# DNS modification enum`
			`# Values: "none" \| "coredns" \| "system"`
			`DnsModification = fun label value =>`
			`if std.array.elem value ["none", "coredns", "system"] then`
			`value`
			`else`
			`std.contract.blame_with_message "dns_modification must be one of: none, coredns, system" label,`

			`# Token format enum`
			`# Values: "jwt" \| "opaque"`
			`TokenFormat = fun label value =>`
			`if std.array.elem value ["jwt", "opaque"] then`
			`value`
			`else`
			`std.contract.blame_with_message "token_format must be one of: jwt, opaque" label,`

			`# Image pull policy enum`
			`# Values: "Always" \| "IfNotPresent" \| "Never"`
			`ImagePullPolicy = fun label value =>`
			`if std.array.elem value ["Always", "IfNotPresent", "Never"] then`
			`value`
			`else`
			`std.contract.blame_with_message "image_pull_policy must be one of: Always, IfNotPresent, Never" label,`

			`TokenConfig = {`
			`token_path \| String,`
			`token_format \| TokenFormat \| optional = "jwt",`
			`expiry_seconds \| lib.PositiveNumber \| optional = 86400,`
			`refresh_enabled \| Bool \| optional = true,`
			`},`

			`MTLSConfig = {`
			`client_cert_path \| String,`
			`client_key_path \| String,`
			`ca_cert_path \| String,`
			`verify_server \| Bool \| optional = true,`
			`},`

			`OAuthConfig = {`
			`provider_url \| String,`
			`client_id \| String,`
			`client_secret_path \| String,`
			`scopes \| Array String \| optional = ["read", "write"],`
			`redirect_uri \| String \| optional,`
			`},`

			`AuthenticationStrategy = {`
			`auth_type \| AuthType,`
			`token_config \| TokenConfig \| optional,`
			`mtls_config \| MTLSConfig \| optional,`
			`oauth_config \| OAuthConfig \| optional,`
			`ssh_key_storage \| String \| optional = "local",`
			`},`

			`HealthCheck = {`
			`enabled \| Bool \| optional = true,`
			`endpoint \| String \| optional = "/health",`
			`interval \| lib.PositiveNumber \| optional = 10,`
			`timeout \| lib.PositiveNumber \| optional = 5,`
			`healthy_threshold \| lib.PositiveNumber \| optional = 2,`
			`unhealthy_threshold \| lib.PositiveNumber \| optional = 3,`
			`},`

			`LocalServiceConfig = {`
			`binary_path \| String \| optional,`
			`config_path \| String \| optional,`
			`data_dir \| String,`
			`port \| lib.PortNumber,`
			`bind_address \| String \| optional = "127.0.0.1",`
			`tls_enabled \| Bool \| optional = false,`
			`},`

			`RemoteServiceConfig = {`
			`endpoint \| String,`
			`port \| lib.PortNumber \| optional,`
			`tls_enabled \| Bool \| optional = true,`
			`verify_ssl \| Bool \| optional = true,`
			`timeout \| lib.PositiveNumber \| optional = 30,`
			`retries \| lib.PositiveNumber \| optional = 3,`
			`},`

			`K8sResources = {`
			`cpu_request \| String \| optional = "100m",`
			`cpu_limit \| String \| optional = "500m",`
			`memory_request \| String \| optional = "128Mi",`
			`memory_limit \| String \| optional = "512Mi",`
			`},`

			`K8sServiceConfig = {`
			`namespace \| String \| optional = "provisioning",`
			`deployment_name \| String,`
			`service_name \| String,`
			`replicas \| lib.PositiveNumber \| optional = 1,`
			`image \| String,`
			`image_pull_policy \| ImagePullPolicy \| optional = "IfNotPresent",`
			`resources \| K8sResources \| optional,`
			`},`

			`ServiceConfig = {`
			`deployment \| DeploymentType,`
			`local_config \| LocalServiceConfig \| optional,`
			`remote_config \| RemoteServiceConfig \| optional,`
			`k8s_config \| K8sServiceConfig \| optional,`
			`auto_start \| Bool \| optional = false,`
			`health_check \| HealthCheck \| optional,`
			`},`

			`ServiceDeployments = {`
			`orchestrator \| ServiceConfig,`
			`control_center \| ServiceConfig \| optional,`
			`coredns \| ServiceConfig \| optional,`
			`gitea \| ServiceConfig \| optional,`
			`oci_registry \| oci_contracts.OCIRegistryConfig,`
			`custom_services \| {_: ServiceConfig} \| optional,`
			`},`

			`GiteaConfig = {`
			`url \| String,`
			`organization \| String \| optional = "provisioning",`
			`username \| String \| optional,`
			`token_path \| String \| optional,`
			`verify_ssl \| Bool \| optional = true,`
			`},`

			`OCIExtensionConfig = {`
			`enabled \| Bool \| optional = true,`
			`endpoint \| String,`
			`namespace \| String \| optional = "provisioning-extensions",`
			`auth_token_path \| String \| optional,`
			`tls_enabled \| Bool \| optional = true,`
			`verify_ssl \| Bool \| optional = true,`
			`cache_dir \| String \| optional = "~/.provisioning/oci-cache",`
			`},`

			`ExtensionConfig = {`
			`source \| ExtensionSource,`
			`local_path \| String \| optional,`
			`gitea_config \| GiteaConfig \| optional,`
			`oci_registry \| OCIExtensionConfig \| optional,`
			`allow_mixed \| Bool \| optional = false,`
			`},`

			`WorkspacePolicy = {`
			`locking \| LockingStrategy,`
			`lock_provider \| String \| optional,`
			`git_integration \| GitIntegration,`
			`isolation \| IsolationLevel \| optional = "user",`
			`max_workspaces_per_user \| lib.PositiveNumber \| optional,`
			`},`

			`SecurityConfig = {`
			`encryption_at_rest \| Bool \| optional = false,`
			`encryption_in_transit \| Bool \| optional = false,`
			`secret_provider \| {..} \| optional,`
			`dns_modification \| DnsModification \| optional = "none",`
			`audit_logging \| Bool \| optional = false,`
			`audit_log_path \| String \| optional,`
			`network_isolation \| Bool \| optional = false,`
			`},`

			`ResourceLimits = {`
			`max_servers_per_user \| lib.PositiveNumber \| optional = 10,`
			`max_cpu_cores_per_user \| lib.PositiveNumber \| optional = 32,`
			`max_memory_gb_per_user \| lib.PositiveNumber \| optional = 128,`
			`max_storage_gb_per_user \| lib.PositiveNumber \| optional = 500,`
			`max_total_servers \| lib.PositiveNumber \| optional,`
			`max_total_cpu_cores \| lib.PositiveNumber \| optional,`
			`max_total_memory_gb \| lib.PositiveNumber \| optional,`
			`},`

			`ExecutionMode = {`
			`mode_name \| ModeName,`
			`description \| String,`
			`authentication \| AuthenticationStrategy,`
			`services \| ServiceDeployments,`
			`extensions \| ExtensionConfig,`
			`workspaces \| WorkspacePolicy,`
			`security \| SecurityConfig,`
			`resource_limits \| ResourceLimits \| optional,`
			`},`
			`}`