open-cmis-tck/docs/CMIS-PROFILES.md

# CMIS Profiles

Status: draft
Created: 2026-05-07

## Purpose

`open-cmis-tck` uses guide-board target and assessment profiles without adding a
separate persisted profile format. This keeps the extension compatible with the
guide-board planner while still giving CMIS-specific diagnostics through
`open_cmis_tck.profile.validate_cmis_profile_config`.

## Target Profile Fields

The CMIS target profile uses the guide-board `target-profile` schema:

- `subject_type`: use `cmis-browser-binding-endpoint`.
- `endpoints`: include one endpoint with `binding` set to `cmis-browser` and
  `url` set to the Browser Binding service document URL.
- `credentials_ref`: use `null` for anonymous/local development targets, or a
  secret reference for authenticated repositories.
- `declared_capabilities`: list the CMIS requirement refs the target claims to
  support, such as `cmis.repository-info`, `cmis.type-definitions`,
  `cmis.object-services`, `cmis.content-streams`, `cmis.query`, `cmis.acl`, and
  `cmis.versioning`.
- `known_gaps`: list unsupported optional requirements with a stable gap ID,
  requirement refs, reason, and status such as `unsupported_by_design`.

Templates live under `profiles/targets/templates/`:

- `cmis-browser-anonymous.json`
- `cmis-browser-basic-auth-env.json`
- `cmis-browser-basic-auth-file.json`

## Credential References

Secrets should not be committed to the repository or preserved in guide-board
artifacts.

Supported credential reference forms:

```text
null
env:CMIS_TCK_USER,CMIS_TCK_PASSWORD
file:/absolute/path/to/cmis-tck-credentials.json
```

Environment variables are useful for local runs:

```sh
export CMIS_TCK_USER='alice'
export CMIS_TCK_PASSWORD='local-secret'
```

File credentials use JSON:

```json
{
  "user": "alice",
  "password": "local-secret"
}
```

The ConsoleRunner adapter writes a private session properties file only for the
duration of the run and retains `session.properties.redacted` as the artifact.

Validate target profiles through guide-board before running:

```sh
cd ../guide-board
PYTHONPATH=src python3 -m guide_board \
  profile validate-target \
  ../open-cmis-tck/profiles/targets/kontextual-cmis-compat.json
```

## Assessment Runtime Fields

Repository selection and harness execution settings live in the assessment
profile because they are run policy, not target identity:

```json
{
  "runtime_policy": {
    "offline": false,
    "timeout_seconds": 300,
    "opencmis_tck": {
      "repository_id": "compat-tck",
      "requires_java_maven": true,
      "command": [
        "python3",
        "{extension_path}/adapters/opencmis_console_adapter.py",
        "--browser-url",
        "{browser_url}",
        "--repository-id",
        "{repository_id}",
        "--check-group",
        "{check_group}",
        "--artifact-dir",
        "{artifact_dir}",
        "--run-dir",
        "{run_dir}",
        "--extension-path",
        "{extension_path}",
        "--credentials-ref",
        "{credentials_ref}",
        "--target-profile-dir",
        "{target_profile_dir}",
        "--timeout-seconds",
        "{timeout_seconds}"
      ]
    }
  }
}
```

`repository_id` is optional for preflight. If omitted, preflight selects the
first repository from the Browser Binding service document. A real TCK command
usually needs it.

`command` is optional. When absent, the wrapper reports
`tck_invocation_not_configured` as a structured, expected bootstrap blocker.

## Diagnostics

Use the extension helper from tests or local scripts:

```python
from open_cmis_tck.profile import validate_cmis_profile_config

diagnostics = validate_cmis_profile_config(target_profile, assessment_profile)
```

The result contains `status`, `diagnostics`, and the interpreted `cmis_config`.
Diagnostics are intentionally actionable: they point to the field that should be
changed and explain what the extension expects.