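# Mode: provisioning-audit
# Validates an existing workspace against:
#   1. Its own config schema (nickel typecheck)
#   2. Declared taskservs existence in catalog/taskservs/
#   3. Provider capability requirements
#   4. Coherence with axioms from provisioning core.ncl
#
# Required params:
#   {workspace_dir}  — absolute path to workspace root
#   {workspace_name} — slug of the workspace
#
# Conventions for the `cmd` strings below:
#   - `{workspace_dir}` / `{workspace_name}` are template placeholders filled
#     in before the shell sees the command; `{}` in `xargs -I{}` is xargs' own
#     replacement token. The placeholders are used unquoted, as before, so the
#     substituted values are assumed to contain no shell metacharacters
#     (TODO confirm against the substitution engine).
#   - `catalog/...` and `./scripts/ontoref` are relative paths: every step
#     assumes the repository root is the working directory.
#   - Steps with `on_error = 'Continue` report findings as "MISSING ..." /
#     "INVALID ..." lines on stdout; their pipelines still exit 0 (the loop
#     body ends in `test ... || echo ...`), so the final report step is what
#     surfaces them — 'Continue is never triggered by a finding.
let s = import "reflection/schema.ncl" in
# Emits the taskserv names declared in the workspace config, one per line.
# These names originate from the file under audit, so the consumers below
# treat them as untrusted text: `read -r` (no backslash processing), every
# expansion quoted, and names that could leave catalog/taskservs/ rejected.
let list_taskservs =
  "nickel export {workspace_dir}/config/workspace.ncl | jq -r '.taskservs // [] | .[]'"
in
# Loop-body guard for `$ts`: reports and skips an empty name or one that is
# not a plain directory name, so `test -d catalog/taskservs/$ts` can only
# succeed for a direct child of the catalog (no `..`, no nested paths).
let guard_taskserv_name =
  "case \"$ts\" in ''|*/*|.|..) echo \"INVALID taskserv name: $ts\"; continue;; esac"
in
{
  id = "provisioning-audit",
  trigger = "Audit an existing workspace for config validity, extension completeness, and axiom coherence",
  strategy = 'Override,
  preconditions = [
    "{workspace_dir} exists and is a directory",
    "nickel is available in PATH",
    "{workspace_dir}/config/ contains at least one .ncl file",
    "./scripts/ontoref is executable",
  ],
  steps = [
    {
      id = "validate_workspace_config",
      action = "nickel_typecheck_workspace",
      actor = 'Agent,
      # NUL-delimited so a file name containing a newline cannot split into
      # two arguments; xargs exits non-zero when any typecheck fails, which
      # is what makes 'Stop take effect.
      cmd = "find {workspace_dir}/config -type f -name '*.ncl' -print0 | xargs -0 -I{} nickel typecheck {}",
      depends_on = [],
      on_error = { strategy = 'Stop },
      note = "Validate all workspace Nickel configs parse and typecheck. Hard failure — a workspace with invalid config cannot be certified.",
    },
    {
      id = "list_declared_taskservs",
      action = "extract_taskservs_from_config",
      actor = 'Agent,
      cmd = list_taskservs,
      depends_on = [
        { step = "validate_workspace_config", kind = 'OnSuccess },
      ],
      on_error = { strategy = 'Stop },
      note = "Extract the list of taskservs declared in the workspace config.",
    },
    {
      id = "verify_taskservs_exist",
      action = "check_taskserv_presence",
      actor = 'Agent,
      # `IFS= read -r` keeps each line verbatim; `$ts` is always quoted so a
      # name with blanks or glob characters is tested as one path, not split.
      cmd = "%{list_taskservs} | while IFS= read -r ts; do %{guard_taskserv_name}; test -d \"catalog/taskservs/$ts\" || echo \"MISSING taskserv: $ts\"; done",
      depends_on = [
        { step = "list_declared_taskservs", kind = 'OnSuccess },
      ],
      on_error = { strategy = 'Continue },
      note = "Verify each declared taskserv has a corresponding directory in catalog/taskservs/.",
    },
    {
      id = "check_taskserv_contracts",
      action = "verify_taskserv_metadata",
      actor = 'Agent,
      # Same loop shape and the same name guard as verify_taskservs_exist, so
      # a crafted name cannot make the metadata check pass via a path outside
      # the catalog.
      cmd = "%{list_taskservs} | while IFS= read -r ts; do %{guard_taskserv_name}; test -f \"catalog/taskservs/$ts/metadata.ncl\" || echo \"MISSING metadata.ncl: $ts\"; done",
      depends_on = [
        { step = "verify_taskservs_exist", kind = 'Always },
      ],
      on_error = { strategy = 'Continue },
      note = "Verify each taskserv has metadata.ncl declaring its capabilities and contracts.",
    },
    {
      id = "verify_provider_capabilities",
      action = "check_provider_capability_match",
      actor = 'Agent,
      # The provider name is read into a variable instead of piped through
      # xargs, so an absent `.provider` is reported explicitly rather than
      # depending on xargs' empty-input behaviour, and the name gets the same
      # direct-child guard as taskserv names.
      # NOTE(review): this step only checks that catalog/providers/<name>
      # exists; the capability match described in `note` and in the
      # postconditions is not implemented by this command.
      cmd = "p=$(nickel export {workspace_dir}/config/workspace.ncl | jq -r '.provider // empty'); case \"$p\" in '') echo 'MISSING provider declaration';; */*|.|..) echo \"INVALID provider name: $p\";; *) test -d \"catalog/providers/$p\" || echo \"MISSING or mismatched provider: $p\";; esac",
      depends_on = [
        { step = "validate_workspace_config", kind = 'OnSuccess },
      ],
      on_error = { strategy = 'Continue },
      note = "Verify the declared provider exists in catalog/providers/ and supports the workspace's required capabilities.",
    },
    {
      id = "check_axiom_coherence",
      action = "verify_provisioning_axioms",
      actor = 'Agent,
      cmd = "./scripts/ontoref describe {workspace_name} --check-axioms provisioning:config-driven-always,provisioning:type-safety-nickel",
      # 'Always on the two verification steps: axiom checking runs even when
      # extensions are missing, so the report can list both kinds of finding.
      depends_on = [
        { step = "validate_workspace_config", kind = 'OnSuccess },
        { step = "check_taskserv_contracts", kind = 'Always },
        { step = "verify_provider_capabilities", kind = 'Always },
      ],
      on_error = { strategy = 'Continue },
      note = "Verify the workspace config does not violate provisioning axioms — no hardcoded values, all config via typed Nickel.",
    },
    {
      id = "generate_audit_report",
      action = "write_audit_output",
      actor = 'Agent,
      cmd = "./scripts/ontoref describe {workspace_name} --format audit",
      depends_on = [
        { step = "check_axiom_coherence", kind = 'Always },
      ],
      on_error = { strategy = 'Stop },
      note = "Generate the compliance report: pass/fail per check, missing extensions, axiom violations.",
    },
  ],
  postconditions = [
    "Workspace config validates against Nickel schemas without errors",
    "All declared taskservs exist and have metadata.ncl",
    "Provider capabilities match workspace requirements",
    "No provisioning axiom violations detected",
    "Audit report generated with pass/fail per check",
  ],
}
| (s.Mode String)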