stratumiops/scripts/nu/publish-ncl-lib.nu

#!/usr/bin/env nu
# publish-ncl-lib.nu — Publish a Nickel library as an OCI artifact to Zot registry.
# Usage: nu publish-ncl-lib.nu --lib-dir <path> --registry <url> --name <name> --tag <tag>

def main [
  --lib-dir: string,   # directory containing the .ncl file
  --registry: string,  # OCI registry URL e.g. localhost:5000
  --name: string,      # library name e.g. stratum-base
  --tag: string,       # version tag e.g. 0.1.0
]: nothing -> nothing {
  print $"Publishing Nickel lib [$name]:[$tag] to [$registry]"

  let ncl_file = ($lib_dir | path join $"($name).ncl")

  # Step 1: typecheck
  let check = (do { ^nickel typecheck $ncl_file } | complete)
  if ($check.exit_code != 0) {
    error make { msg: $"nickel typecheck failed:\n($check.stderr)" }
  }
  print "typecheck passed"

  # Step 2: gitleaks secret scan
  let leak = (do { ^gitleaks detect --source $lib_dir --no-git } | complete)
  if ($leak.exit_code != 0) {
    error make { msg: $"gitleaks detected secrets in [$lib_dir]:\n($leak.stdout)" }
  }
  print "gitleaks clean"

  # Step 3: export JSON artifact
  let export_path = ($nu.temp-dir | path join $"($name)-export.json")
  let export = (do { ^nickel export --format json $ncl_file } | complete)
  if ($export.exit_code != 0) {
    error make { msg: $"nickel export failed:\n($export.stderr)" }
  }
  $export.stdout | save --force $export_path
  print $"nickel export → [$export_path]"

  # Step 4: sha256
  let sha_result = (do { ^sha256sum $export_path } | complete)
  if ($sha_result.exit_code != 0) {
    error make { msg: $"sha256sum failed: ($sha_result.stderr)" }
  }
  let sha = ($sha_result.stdout | split row " " | first)
  print $"sha256: [$sha]"

  # Step 5: oras push
  let image_ref = $"($registry)/($name):($tag)"
  let nickel_ver_result = (do { ^nickel --version } | complete)
  let nickel_ver = if ($nickel_ver_result.exit_code == 0) {
    $nickel_ver_result.stdout | str trim
  } else {
    "unknown"
  }

  let push = (do {
    ^oras push $image_ref
      $"($export_path):application/vnd.stratumiops.ncl.export.v1+json"
      --annotation $"org.stratumiops.lib.name=($name)"
      --annotation $"org.stratumiops.lib.sha256=($sha)"
      --annotation $"org.stratumiops.lib.tag=($tag)"
      --annotation $"org.stratumiops.lib.nickel-version=($nickel_ver)"
  } | complete)

  if ($push.exit_code != 0) {
    error make { msg: $"oras push failed:\n($push.stderr)" }
  }
  print $"pushed [$image_ref]"
}
feat: add stratum-orchestrator with graph, state, NATS, and Nickel action nodes New crates: stratum-orchestrator (Cedar authz, Vault secrets, Nu/agent executors, saga runner), stratum-graph (petgraph DAG + SurrealDB repo), stratum-state (SurrealDB tracker), platform-nats (NKey auth client), ncl-import-resolver. Updates: stratum-embeddings (SurrealDB store + persistent cache), stratum-llm circuit breaker. Adds Nickel action-nodes, schemas, config, Nushell scripts, docker-compose dev stack, and ADR-003. 2026-02-22 21:33:26 +00:00			`#!/usr/bin/env nu`
			`# publish-ncl-lib.nu — Publish a Nickel library as an OCI artifact to Zot registry.`
			`# Usage: nu publish-ncl-lib.nu --lib-dir <path> --registry <url> --name <name> --tag <tag>`

			`def main [`
			`--lib-dir: string, # directory containing the .ncl file`
			`--registry: string, # OCI registry URL e.g. localhost:5000`
			`--name: string, # library name e.g. stratum-base`
			`--tag: string, # version tag e.g. 0.1.0`
			`]: nothing -> nothing {`
			`print $"Publishing Nickel lib [$name]:[$tag] to [$registry]"`

			`let ncl_file = ($lib_dir \| path join $"($name).ncl")`

			`# Step 1: typecheck`
			`let check = (do { ^nickel typecheck $ncl_file } \| complete)`
			`if ($check.exit_code != 0) {`
			`error make { msg: $"nickel typecheck failed:\n($check.stderr)" }`
			`}`
			`print "typecheck passed"`

			`# Step 2: gitleaks secret scan`
			`let leak = (do { ^gitleaks detect --source $lib_dir --no-git } \| complete)`
			`if ($leak.exit_code != 0) {`
			`error make { msg: $"gitleaks detected secrets in [$lib_dir]:\n($leak.stdout)" }`
			`}`
			`print "gitleaks clean"`

			`# Step 3: export JSON artifact`
			`let export_path = ($nu.temp-dir \| path join $"($name)-export.json")`
			`let export = (do { ^nickel export --format json $ncl_file } \| complete)`
			`if ($export.exit_code != 0) {`
			`error make { msg: $"nickel export failed:\n($export.stderr)" }`
			`}`
			`$export.stdout \| save --force $export_path`
			`print $"nickel export → [$export_path]"`

			`# Step 4: sha256`
			`let sha_result = (do { ^sha256sum $export_path } \| complete)`
			`if ($sha_result.exit_code != 0) {`
			`error make { msg: $"sha256sum failed: ($sha_result.stderr)" }`
			`}`
			`let sha = ($sha_result.stdout \| split row " " \| first)`
			`print $"sha256: [$sha]"`

			`# Step 5: oras push`
			`let image_ref = $"($registry)/($name):($tag)"`
			`let nickel_ver_result = (do { ^nickel --version } \| complete)`
			`let nickel_ver = if ($nickel_ver_result.exit_code == 0) {`
			`$nickel_ver_result.stdout \| str trim`
			`} else {`
			`"unknown"`
			`}`

			`let push = (do {`
			`^oras push $image_ref`
			`$"($export_path):application/vnd.stratumiops.ncl.export.v1+json"`
			`--annotation $"org.stratumiops.lib.name=($name)"`
			`--annotation $"org.stratumiops.lib.sha256=($sha)"`
			`--annotation $"org.stratumiops.lib.tag=($tag)"`
			`--annotation $"org.stratumiops.lib.nickel-version=($nickel_ver)"`
			`} \| complete)`

			`if ($push.exit_code != 0) {`
			`error make { msg: $"oras push failed:\n($push.stderr)" }`
			`}`
			`print $"pushed [$image_ref]"`
			`}`