State hub update and Containerization

2026-05-07 20:27:03 +02:00
parent b77da0daab
commit d61bc078fd
6 changed files with 158 additions and 1 deletions
--- a/docs/ARCHITECTURE-BLUEPRINT.md
+++ b/docs/ARCHITECTURE-BLUEPRINT.md
@@ -726,6 +726,10 @@ Recommended container model:
 - Restricted tools are mounted from licensed local paths.
 - Network access is declared per extension and per assessment profile.

+The baseline `Containerfile` packages the local CLI, schemas, sample profiles,
+and incubating extensions. See `docs/CONTAINER.md` for mount contracts and the
+extension-specific image path.
+
 Optional service model:

 - service lists extensions and profiles,
--- a/docs/CONTAINER.md
+++ b/docs/CONTAINER.md
@@ -0,0 +1,98 @@
+# Guide Board Container Baseline
+
+Status: draft
+Created: 2026-05-07
+
+## Purpose
+
+The first container image packages the local CLI contracts, schemas, bundled
+profiles, and incubating extensions. It is not a certification appliance and it
+does not include restricted third-party harnesses unless a downstream image or
+runtime mount provides them.
+
+## Image Roles
+
+Use `guide-board-core` for dependency-light checks:
+
+- extension discovery,
+- profile validation,
+- run planning,
+- sample/no-op assessments,
+- extensions whose runners use only the core Python runtime.
+
+Use extension-specific images when a harness needs additional dependencies such
+as Java, Maven, browser engines, vendor tools, or licensed test suites. Those
+images should extend `guide-board-core` or mount the core as a package, but they
+must keep restricted assets outside the public core image.
+
+## Build
+
+```sh
+podman build -t guide-board-core:local -f Containerfile .
+```
+
+Docker can be used with the same arguments.
+
+## Local Baseline Run
+
+```sh
+mkdir -p runs
+podman run --rm \
+  -v "$PWD/runs:/runs" \
+  guide-board-core:local \
+  --root /opt/guide-board run \
+  --target /opt/guide-board/profiles/targets/sample-repository.json \
+  --assessment /opt/guide-board/profiles/assessments/sample-noop.json \
+  --output-dir /runs/sample-noop
+```
+
+The run output remains on the host under `runs/sample-noop`.
+
+## External Profiles
+
+Mount project-specific profiles read-only:
+
+```sh
+podman run --rm \
+  -v "$PWD/profiles:/profiles:ro" \
+  -v "$PWD/runs:/runs" \
+  guide-board-core:local \
+  --root /opt/guide-board run \
+  --target /profiles/targets/example.json \
+  --assessment /profiles/assessments/example.json \
+  --output-dir /runs/example
+```
+
+## Credentials And Restricted Assets
+
+Credentials and licensed harness material should be mounted explicitly:
+
+```text
+/credentials   runtime secrets or references
+/assets        licensed or locally provided harness assets
+/profiles      target and assessment profiles
+/runs          generated outputs
+```
+
+Assessment profiles should declare offline/network expectations. Extension
+runners should fail as `blocked` or `infrastructure_error` when required mounted
+assets are absent.
+
+## CMIS Extension Path
+
+The core image includes the incubating `open-cmis-tck` extension metadata,
+preflight runner, command wrapper, and mappings. It does not include the final
+Apache Chemistry TCK dependency graph. A future CMIS image should add Java/Maven
+and document how the OpenCMIS TCK artifacts are resolved or mounted.
+
+## Service Path
+
+A service image should call the same CLI contracts used here:
+
+- validate profiles,
+- build run plans,
+- execute runs,
+- read run metadata, evidence, reports, retention summaries, trends, and gates.
+
+The service layer may add job tracking and HTTP transport, but it should not
+create separate execution semantics.