Declare forge graph contracts

catalog/capability-types.yaml

@@ -87,6 +87,80 @@ spec:
         - sts-token
       tags: [storage, credentials, security]
 
+    - id: kubernetes-runtime
+      name: Kubernetes runtime
+      lifecycle: active
+      description: Provides the Kubernetes API, namespaces, workloads, Services, Ingresses, and runtime primitives consumed by Railiance services.
+      default_criticality: critical
+      default_data_classification: restricted
+      expected_interface_types:
+        - kubernetes-api
+        - kubernetes-crd
+      tags: [kubernetes, cluster, runtime]
+
+    - id: ci-cd-template-catalog
+      name: CI/CD template catalog
+      lifecycle: planned
+      description: Provides reusable workflow templates, release gates, and delivery conventions for Railiance workloads.
+      default_criticality: medium
+      default_data_classification: internal
+      expected_interface_types:
+        - workflow-template-contract
+        - cli
+      tags: [ci, cd, gitops, enablement]
+
+    - id: source-hosting
+      name: Source hosting
+      lifecycle: active
+      description: Hosts Git repositories, repository metadata, review surfaces, and source-forge web/API access.
+      default_criticality: high
+      default_data_classification: confidential
+      expected_interface_types:
+        - web-ui
+        - http-api
+        - git-ssh
+      tags: [forge, git, source]
+
+    - id: container-registry
+      name: Container registry
+      lifecycle: active
+      description: Publishes and serves OCI container images for Railiance workloads.
+      default_criticality: high
+      default_data_classification: confidential
+      expected_interface_types:
+        - oci-registry
+      tags: [forge, registry, container-image]
+
+    - id: python-package-registry
+      name: Python package registry
+      lifecycle: active
+      description: Publishes and serves Python package artifacts for Railiance source and app builds.
+      default_criticality: high
+      default_data_classification: confidential
+      expected_interface_types:
+        - python-package-index
+      tags: [forge, registry, python, package]
+
+    - id: workflow-runner-substrate
+      name: Workflow runner substrate
+      lifecycle: planned
+      description: Provides forge-backed runner infrastructure, labels, placement, and credential boundaries for workflows.
+      default_criticality: high
+      default_data_classification: restricted
+      expected_interface_types:
+        - workflow-runner-label-contract
+      tags: [forge, runner, actions, automation]
+
+    - id: artifact-promotion-evidence
+      name: Artifact promotion evidence
+      lifecycle: active
+      description: Provides release artifact identity, provenance, publish, restore, and readiness evidence for consumers.
+      default_criticality: high
+      default_data_classification: internal
+      expected_interface_types:
+        - evidence-contract
+      tags: [forge, evidence, provenance, release]
+
     - id: audit-event-sink
       name: Audit/event sink
       lifecycle: planned

catalog/interface-types.yaml

@@ -57,6 +57,14 @@ spec:
       typical_auth_methods: [kubernetes_service_account]
       versioning: group, version, and kind.
 
+    - id: kubernetes-api
+      name: Kubernetes API
+      lifecycle: active
+      description: Kubernetes API server surface consumed by operators, controllers, and automation.
+      category: kubernetes
+      typical_auth_methods: [kubernetes_service_account, oidc, static_secret]
+      versioning: Kubernetes version, API groups, RBAC contract, and kubeconfig delivery path.
+
     - id: helm-release
       name: Helm release
       lifecycle: active
@@ -81,6 +89,54 @@ spec:
       typical_auth_methods: [database_role, static_secret, openbao_token]
       versioning: engine version, connection contract, and migration compatibility.
 
+    - id: git-ssh
+      name: Git SSH
+      lifecycle: active
+      description: Git-over-SSH repository access endpoint.
+      category: source-control
+      typical_auth_methods: [static_secret, unknown]
+      versioning: hostname, port, SSH host key, authorized key scope, and Git server compatibility.
+
+    - id: oci-registry
+      name: OCI registry
+      lifecycle: active
+      description: OCI distribution-compatible container image registry endpoint.
+      category: registry
+      typical_auth_methods: [api_key, static_secret, none]
+      versioning: registry host, API behavior, package visibility, and tag/digest semantics.
+
+    - id: python-package-index
+      name: Python package index
+      lifecycle: active
+      description: Python package index endpoint compatible with pip/uv simple API consumption.
+      category: registry
+      typical_auth_methods: [api_key, static_secret, none]
+      versioning: package index URL, package visibility, token scope, and package version semantics.
+
+    - id: workflow-runner-label-contract
+      name: Workflow runner label contract
+      lifecycle: planned
+      description: Published runner label, placement, and trust contract consumed by CI/CD workflows.
+      category: automation
+      typical_auth_methods: [none, kubernetes_service_account, static_secret]
+      versioning: semantic label names, trust level, credential purpose, and runner replacement rules.
+
+    - id: workflow-template-contract
+      name: Workflow template contract
+      lifecycle: planned
+      description: Reusable CI/CD workflow template or template catalog contract.
+      category: automation
+      typical_auth_methods: [none]
+      versioning: template id, input schema, runner labels, and release gate semantics.
+
+    - id: evidence-contract
+      name: Evidence contract
+      lifecycle: active
+      description: Documented evidence bundle or machine-readable evidence contract for release, restore, or readiness decisions.
+      category: evidence
+      typical_auth_methods: [none, api_key]
+      versioning: evidence schema version, required fields, source links, and retention policy.
+
     - id: object-storage-bucket
       name: Object-storage bucket
       lifecycle: planned

fabric/bindings/railiance-apps-artifact-evidence-forge.yaml

@@ -0,0 +1,16 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: BindingAssertion
+metadata:
+  id: railiance-apps.s5-releases.artifact-evidence-to-forge
+  name: S5 artifact evidence binding
+  owner: railiance-apps
+  repo: railiance-apps
+  domain: railiance
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  dependency_id: railiance-apps.s5-releases.needs-artifact-evidence
+  provider_capability_id: railiance-forge.source-forge.artifact-promotion-evidence
+  provider_interface_id: railiance-forge.source-forge.evidence-contract
+  status: compatible
+  rationale: S5 release readiness should cite forge-owned artifact publish, restore, and operating evidence.

fabric/bindings/railiance-apps-container-registry-forge.yaml

@@ -0,0 +1,16 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: BindingAssertion
+metadata:
+  id: railiance-apps.s5-releases.container-registry-to-forge
+  name: S5 container registry binding
+  owner: railiance-apps
+  repo: railiance-apps
+  domain: railiance
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  dependency_id: railiance-apps.s5-releases.needs-container-registry
+  provider_capability_id: railiance-forge.source-forge.container-registry
+  provider_interface_id: railiance-forge.source-forge.oci-registry
+  status: compatible
+  rationale: S5 releases consume already-published app images from the forge-owned OCI registry.

fabric/bindings/railiance-enablement-runner-substrate-forge.yaml

@@ -0,0 +1,16 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: BindingAssertion
+metadata:
+  id: railiance-enablement.delivery-templates.runner-substrate-to-forge
+  name: Enablement runner substrate binding
+  owner: railiance-enablement
+  repo: railiance-enablement
+  domain: railiance
+spec:
+  lifecycle: planned
+  environments: [dev, staging, prod]
+  dependency_id: railiance-enablement.delivery-templates.needs-runner-substrate
+  provider_capability_id: railiance-forge.source-forge.workflow-runner-substrate
+  provider_interface_id: railiance-forge.source-forge.runner-label-contract
+  status: compatible
+  rationale: S4 reusable templates should consume forge-owned runner labels, trust posture, and runner evidence.

fabric/bindings/railiance-forge-kubernetes-runtime-cluster.yaml

@@ -0,0 +1,16 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: BindingAssertion
+metadata:
+  id: railiance-forge.source-forge.kubernetes-runtime-to-cluster
+  name: Forge Kubernetes runtime binding
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  dependency_id: railiance-forge.source-forge.needs-kubernetes-runtime
+  provider_capability_id: railiance-cluster.kubernetes.runtime
+  provider_interface_id: railiance-cluster.kubernetes.api
+  status: compatible
+  rationale: The forge runtime is deployed on the Railiance Kubernetes runtime provided by railiance-cluster.

fabric/bindings/railiance-forge-object-storage-artifact-store.yaml

@@ -0,0 +1,16 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: BindingAssertion
+metadata:
+  id: railiance-forge.source-forge.object-storage-to-artifact-store
+  name: Forge object storage binding
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+spec:
+  lifecycle: planned
+  environments: [dev, staging, prod]
+  dependency_id: railiance-forge.source-forge.needs-object-storage
+  provider_capability_id: artifact-store.object-storage
+  provider_interface_id: artifact-store.object-storage.bucket
+  status: compatible
+  rationale: Durable forge artifact/blob preservation should use the planned Railiance object-storage provider rather than ad hoc forge-local storage.

fabric/bindings/railiance-forge-postgresql-cnpg.yaml

@@ -0,0 +1,16 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: BindingAssertion
+metadata:
+  id: railiance-forge.source-forge.postgresql-to-cnpg
+  name: Forge PostgreSQL binding
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  dependency_id: railiance-forge.source-forge.needs-postgresql
+  provider_capability_id: railiance-platform.cnpg.postgresql
+  provider_interface_id: railiance-platform.cnpg.database-connection
+  status: compatible
+  rationale: Current Gitea database state is backed by the Railiance platform CNPG PostgreSQL service.

fabric/bindings/railiance-forge-runtime-secrets-openbao.yaml

@@ -0,0 +1,16 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: BindingAssertion
+metadata:
+  id: railiance-forge.source-forge.runtime-secrets-to-openbao
+  name: Forge runtime secrets binding
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  dependency_id: railiance-forge.source-forge.needs-runtime-secrets
+  provider_capability_id: railiance-platform.openbao.runtime-secrets
+  provider_interface_id: railiance-platform.openbao.kv-v2
+  status: compatible
+  rationale: Runtime secret custody for forge workloads belongs to the platform OpenBao path; SOPS/age remains bootstrap only.

fabric/capabilities/railiance-cluster-kubernetes-runtime.yaml

@@ -0,0 +1,21 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: CapabilityDeclaration
+metadata:
+  id: railiance-cluster.kubernetes.runtime
+  name: Kubernetes runtime
+  owner: railiance-cluster
+  repo: railiance-cluster
+  domain: railiance
+  source_links:
+    - label: Cluster scope
+      path: /home/worsch/railiance-cluster/SCOPE.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: Provides Kubernetes runtime primitives and API access consumed by Railiance platform, forge, and app workloads.
+  capability_type: kubernetes-runtime
+  service_id: railiance-cluster.kubernetes
+  interface_ids:
+    - railiance-cluster.kubernetes.api
+  criticality: critical
+  data_classification: restricted

fabric/capabilities/railiance-enablement-ci-cd-templates.yaml

@@ -0,0 +1,23 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: CapabilityDeclaration
+metadata:
+  id: railiance-enablement.delivery-templates.ci-cd-templates
+  name: CI/CD workflow templates
+  owner: railiance-enablement
+  repo: railiance-enablement
+  domain: railiance
+  source_links:
+    - label: Enablement scope
+      path: /home/worsch/railiance-enablement/SCOPE.md
+    - label: Enablement intent
+      path: /home/worsch/railiance-enablement/INTENT.md
+spec:
+  lifecycle: planned
+  environments: [dev, staging, prod]
+  description: Reusable Railiance workflow templates, promotion conventions, and delivery gates that consume forge runner labels and artifact evidence.
+  capability_type: ci-cd-template-catalog
+  service_id: railiance-enablement.delivery-templates
+  interface_ids:
+    - railiance-enablement.delivery-templates.workflow-template-contract
+  criticality: medium
+  data_classification: internal

fabric/capabilities/railiance-forge-artifact-promotion-evidence.yaml

@@ -0,0 +1,23 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: CapabilityDeclaration
+metadata:
+  id: railiance-forge.source-forge.artifact-promotion-evidence
+  name: Artifact promotion evidence
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+  source_links:
+    - label: Observability and evidence contract
+      path: /home/worsch/railiance-forge/docs/observability-operating-evidence.md
+    - label: Backup and restore handoff
+      path: /home/worsch/railiance-forge/docs/backup-restore-secret-handoff.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: Provides artifact identity, provenance, publish, restore, and release-readiness evidence that downstream releases can cite.
+  capability_type: artifact-promotion-evidence
+  service_id: railiance-forge.source-forge
+  interface_ids:
+    - railiance-forge.source-forge.evidence-contract
+  criticality: high
+  data_classification: internal

fabric/capabilities/railiance-forge-container-registry.yaml

@@ -0,0 +1,21 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: CapabilityDeclaration
+metadata:
+  id: railiance-forge.source-forge.container-registry
+  name: Container registry
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+  source_links:
+    - label: Container registry docs
+      path: /home/worsch/railiance-forge/docs/gitea-container-registry.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: Provides the Gitea OCI container registry endpoint used by Railiance workloads.
+  capability_type: container-registry
+  service_id: railiance-forge.source-forge
+  interface_ids:
+    - railiance-forge.source-forge.oci-registry
+  criticality: high
+  data_classification: confidential

fabric/capabilities/railiance-forge-python-package-registry.yaml

@@ -0,0 +1,21 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: CapabilityDeclaration
+metadata:
+  id: railiance-forge.source-forge.python-package-registry
+  name: Python package registry
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+  source_links:
+    - label: Package registry docs
+      path: /home/worsch/railiance-forge/docs/gitea-package-registry.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: Provides the Gitea Python package registry endpoint used by Railiance source and app builds.
+  capability_type: python-package-registry
+  service_id: railiance-forge.source-forge
+  interface_ids:
+    - railiance-forge.source-forge.python-package-index
+  criticality: high
+  data_classification: confidential

fabric/capabilities/railiance-forge-source-hosting.yaml

@@ -0,0 +1,22 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: CapabilityDeclaration
+metadata:
+  id: railiance-forge.source-forge.source-hosting
+  name: Source hosting
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+  source_links:
+    - label: Forge scope
+      path: /home/worsch/railiance-forge/SCOPE.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: Hosts Railiance Git repositories, review surfaces, repository metadata, and source-forge access paths.
+  capability_type: source-hosting
+  service_id: railiance-forge.source-forge
+  interface_ids:
+    - railiance-forge.source-forge.web-ui
+    - railiance-forge.source-forge.git-ssh
+  criticality: high
+  data_classification: confidential

fabric/capabilities/railiance-forge-workflow-runner-substrate.yaml

@@ -0,0 +1,21 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: CapabilityDeclaration
+metadata:
+  id: railiance-forge.source-forge.workflow-runner-substrate
+  name: Workflow runner substrate
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+  source_links:
+    - label: Runner ownership contract
+      path: /home/worsch/railiance-forge/docs/ci-runner-actions-gitops-ownership.md
+spec:
+  lifecycle: planned
+  environments: [dev, staging, prod]
+  description: Provides forge-backed runner labels, placement, credential boundaries, and runner health evidence consumed by workflow templates and release checks.
+  capability_type: workflow-runner-substrate
+  service_id: railiance-forge.source-forge
+  interface_ids:
+    - railiance-forge.source-forge.runner-label-contract
+  criticality: high
+  data_classification: restricted

fabric/dependencies/railiance-apps-artifact-evidence.yaml

@@ -0,0 +1,30 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: DependencyDeclaration
+metadata:
+  id: railiance-apps.s5-releases.needs-artifact-evidence
+  name: S5 artifact evidence dependency
+  owner: railiance-apps
+  repo: railiance-apps
+  domain: railiance
+  source_links:
+    - label: Apps scope
+      path: /home/worsch/railiance-apps/SCOPE.md
+    - label: Observability and evidence contract
+      path: /home/worsch/railiance-forge/docs/observability-operating-evidence.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  consumer_service_id: railiance-apps.s5-releases
+  requires:
+    capability_type: artifact-promotion-evidence
+    capability_id: railiance-forge.source-forge.artifact-promotion-evidence
+  interface:
+    type: evidence-contract
+    version_constraint: ">=v1"
+  auth:
+    method: none
+  criticality: high
+  data_classification: internal
+  fallback:
+    mode: manual
+    description: App operators can record manual evidence, but S5 should cite forge-owned artifact readiness when promoting releases.

fabric/dependencies/railiance-apps-container-registry.yaml

@@ -0,0 +1,30 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: DependencyDeclaration
+metadata:
+  id: railiance-apps.s5-releases.needs-container-registry
+  name: S5 container registry dependency
+  owner: railiance-apps
+  repo: railiance-apps
+  domain: railiance
+  source_links:
+    - label: Apps scope
+      path: /home/worsch/railiance-apps/SCOPE.md
+    - label: Container registry docs
+      path: /home/worsch/railiance-forge/docs/gitea-container-registry.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  consumer_service_id: railiance-apps.s5-releases
+  requires:
+    capability_type: container-registry
+    capability_id: railiance-forge.source-forge.container-registry
+  interface:
+    type: oci-registry
+    version_constraint: ">=registry-v2"
+  auth:
+    method: api_key
+  criticality: high
+  data_classification: confidential
+  fallback:
+    mode: none
+    description: S5 releases require a reachable container registry for private or internal app images.

fabric/dependencies/railiance-enablement-runner-substrate.yaml

@@ -0,0 +1,30 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: DependencyDeclaration
+metadata:
+  id: railiance-enablement.delivery-templates.needs-runner-substrate
+  name: Enablement runner substrate dependency
+  owner: railiance-enablement
+  repo: railiance-enablement
+  domain: railiance
+  source_links:
+    - label: Enablement scope
+      path: /home/worsch/railiance-enablement/SCOPE.md
+    - label: Runner ownership contract
+      path: /home/worsch/railiance-forge/docs/ci-runner-actions-gitops-ownership.md
+spec:
+  lifecycle: planned
+  environments: [dev, staging, prod]
+  consumer_service_id: railiance-enablement.delivery-templates
+  requires:
+    capability_type: workflow-runner-substrate
+    capability_id: railiance-forge.source-forge.workflow-runner-substrate
+  interface:
+    type: workflow-runner-label-contract
+    version_constraint: ">=v1"
+  auth:
+    method: none
+  criticality: high
+  data_classification: internal
+  fallback:
+    mode: manual
+    description: Reusable templates can remain draft-only until forge publishes runner labels and trust evidence.

fabric/dependencies/railiance-forge-kubernetes-runtime.yaml

@@ -0,0 +1,28 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: DependencyDeclaration
+metadata:
+  id: railiance-forge.source-forge.needs-kubernetes-runtime
+  name: Forge Kubernetes runtime dependency
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+  source_links:
+    - label: Forge scope
+      path: /home/worsch/railiance-forge/SCOPE.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  consumer_service_id: railiance-forge.source-forge
+  requires:
+    capability_type: kubernetes-runtime
+    capability_id: railiance-cluster.kubernetes.runtime
+  interface:
+    type: kubernetes-api
+    version_constraint: ">=v1"
+  auth:
+    method: kubernetes_service_account
+  criticality: critical
+  data_classification: restricted
+  fallback:
+    mode: none
+    description: The forge runtime cannot operate without the Railiance Kubernetes runtime.

fabric/dependencies/railiance-forge-object-storage.yaml

@@ -0,0 +1,30 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: DependencyDeclaration
+metadata:
+  id: railiance-forge.source-forge.needs-object-storage
+  name: Forge object storage dependency
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+  source_links:
+    - label: Backup and restore handoff
+      path: /home/worsch/railiance-forge/docs/backup-restore-secret-handoff.md
+    - label: Platform OpenBao object-storage handoff
+      path: /home/worsch/railiance-platform/docs/openbao.md
+spec:
+  lifecycle: planned
+  environments: [dev, staging, prod]
+  consumer_service_id: railiance-forge.source-forge
+  requires:
+    capability_type: object-storage
+    capability_id: artifact-store.object-storage
+  interface:
+    type: object-storage-bucket
+    version_constraint: ">=v1"
+  auth:
+    method: sts_token
+  criticality: high
+  data_classification: confidential
+  fallback:
+    mode: manual
+    description: Current Gitea package blobs remain on PVC until durable object-storage backup or artifact preservation is proven.

fabric/dependencies/railiance-forge-postgresql.yaml

@@ -0,0 +1,28 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: DependencyDeclaration
+metadata:
+  id: railiance-forge.source-forge.needs-postgresql
+  name: Forge PostgreSQL dependency
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+  source_links:
+    - label: Backup and restore handoff
+      path: /home/worsch/railiance-forge/docs/backup-restore-secret-handoff.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  consumer_service_id: railiance-forge.source-forge
+  requires:
+    capability_type: postgresql-database-service
+    capability_id: railiance-platform.cnpg.postgresql
+  interface:
+    type: database-connection
+    version_constraint: ">=v16"
+  auth:
+    method: database_role
+  criticality: critical
+  data_classification: confidential
+  fallback:
+    mode: none
+    description: The forge runtime requires the Gitea database state and cannot degrade safely without it.

fabric/dependencies/railiance-forge-runtime-secrets.yaml

@@ -0,0 +1,28 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: DependencyDeclaration
+metadata:
+  id: railiance-forge.source-forge.needs-runtime-secrets
+  name: Forge runtime secrets dependency
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+  source_links:
+    - label: Backup and restore handoff
+      path: /home/worsch/railiance-forge/docs/backup-restore-secret-handoff.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  consumer_service_id: railiance-forge.source-forge
+  requires:
+    capability_type: runtime-secrets
+    capability_id: railiance-platform.openbao.runtime-secrets
+  interface:
+    type: openbao-kv-v2-mount
+    version_constraint: ">=v1 <v2"
+  auth:
+    method: kubernetes_service_account
+  criticality: critical
+  data_classification: secret
+  fallback:
+    mode: manual
+    description: SOPS/age bootstrap can carry encrypted deploy input, but runtime secret custody belongs to the platform path.

fabric/interfaces/railiance-cluster-kubernetes-api.yaml

@@ -0,0 +1,23 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: InterfaceDeclaration
+metadata:
+  id: railiance-cluster.kubernetes.api
+  name: Kubernetes API
+  owner: railiance-cluster
+  repo: railiance-cluster
+  domain: railiance
+  source_links:
+    - label: Cluster scope
+      path: /home/worsch/railiance-cluster/SCOPE.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: Kubernetes API surface and RBAC-controlled runtime contract consumed by Railiance workloads and operators.
+  interface_type: kubernetes-api
+  version: v1
+  service_id: railiance-cluster.kubernetes
+  capability_ids:
+    - railiance-cluster.kubernetes.runtime
+  auth:
+    method: kubernetes_service_account
+  data_classification: restricted

fabric/interfaces/railiance-enablement-workflow-template-contract.yaml

@@ -0,0 +1,23 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: InterfaceDeclaration
+metadata:
+  id: railiance-enablement.delivery-templates.workflow-template-contract
+  name: Workflow template contract
+  owner: railiance-enablement
+  repo: railiance-enablement
+  domain: railiance
+  source_links:
+    - label: Enablement scope
+      path: /home/worsch/railiance-enablement/SCOPE.md
+spec:
+  lifecycle: planned
+  environments: [dev, staging, prod]
+  description: Template contract for reusable Railiance CI/CD and GitOps workflow patterns.
+  interface_type: workflow-template-contract
+  version: v1
+  service_id: railiance-enablement.delivery-templates
+  capability_ids:
+    - railiance-enablement.delivery-templates.ci-cd-templates
+  auth:
+    method: none
+  data_classification: internal

fabric/interfaces/railiance-forge-evidence-contract.yaml

@@ -0,0 +1,23 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: InterfaceDeclaration
+metadata:
+  id: railiance-forge.source-forge.evidence-contract
+  name: Forge evidence contract
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+  source_links:
+    - label: Observability and evidence contract
+      path: /home/worsch/railiance-forge/docs/observability-operating-evidence.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: Release-readiness, artifact promotion, restore, storage, and operating evidence contract for forge consumers.
+  interface_type: evidence-contract
+  version: v1
+  service_id: railiance-forge.source-forge
+  capability_ids:
+    - railiance-forge.source-forge.artifact-promotion-evidence
+  auth:
+    method: none
+  data_classification: internal

fabric/interfaces/railiance-forge-git-ssh.yaml

@@ -0,0 +1,25 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: InterfaceDeclaration
+metadata:
+  id: railiance-forge.source-forge.git-ssh
+  name: Git SSH endpoint
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+  source_links:
+    - label: Observability and evidence contract
+      path: /home/worsch/railiance-forge/docs/observability-operating-evidence.md
+spec:
+  lifecycle: planned
+  environments: [dev, staging, prod]
+  description: Git-over-SSH endpoint contract for repository clone, fetch, and push operations when exposed.
+  interface_type: git-ssh
+  version: gitea-current
+  service_id: railiance-forge.source-forge
+  capability_ids:
+    - railiance-forge.source-forge.source-hosting
+  endpoint:
+    notes: Record the published SSH host and port once the endpoint is verified.
+  auth:
+    method: static_secret
+  data_classification: confidential

fabric/interfaces/railiance-forge-oci-registry.yaml

@@ -0,0 +1,28 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: InterfaceDeclaration
+metadata:
+  id: railiance-forge.source-forge.oci-registry
+  name: Gitea OCI registry
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+  source_links:
+    - label: Container registry docs
+      path: /home/worsch/railiance-forge/docs/gitea-container-registry.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: OCI registry endpoint served by current Gitea for Railiance container images.
+  interface_type: oci-registry
+  version: registry-v2
+  service_id: railiance-forge.source-forge
+  capability_ids:
+    - railiance-forge.source-forge.container-registry
+  endpoint:
+    url: https://gitea.coulomb.social/v2/
+  auth:
+    method: api_key
+    scopes:
+      - package:read
+      - package:write
+  data_classification: confidential

fabric/interfaces/railiance-forge-python-package-index.yaml

@@ -0,0 +1,28 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: InterfaceDeclaration
+metadata:
+  id: railiance-forge.source-forge.python-package-index
+  name: Gitea Python package index
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+  source_links:
+    - label: Package registry docs
+      path: /home/worsch/railiance-forge/docs/gitea-package-registry.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: Python package index endpoint served by current Gitea for internal Railiance packages.
+  interface_type: python-package-index
+  version: simple-api
+  service_id: railiance-forge.source-forge
+  capability_ids:
+    - railiance-forge.source-forge.python-package-registry
+  endpoint:
+    url: https://gitea.coulomb.social/api/packages/coulomb/pypi/simple/
+  auth:
+    method: api_key
+    scopes:
+      - package:read
+      - package:write
+  data_classification: confidential

fabric/interfaces/railiance-forge-runner-label-contract.yaml

@@ -0,0 +1,23 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: InterfaceDeclaration
+metadata:
+  id: railiance-forge.source-forge.runner-label-contract
+  name: Runner label contract
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+  source_links:
+    - label: Runner ownership contract
+      path: /home/worsch/railiance-forge/docs/ci-runner-actions-gitops-ownership.md
+spec:
+  lifecycle: planned
+  environments: [dev, staging, prod]
+  description: Semantic runner labels, placement, trust levels, and credential boundaries consumed by workflow templates and release checks.
+  interface_type: workflow-runner-label-contract
+  version: v1
+  service_id: railiance-forge.source-forge
+  capability_ids:
+    - railiance-forge.source-forge.workflow-runner-substrate
+  auth:
+    method: none
+  data_classification: internal

fabric/interfaces/railiance-forge-web-ui.yaml

@@ -0,0 +1,25 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: InterfaceDeclaration
+metadata:
+  id: railiance-forge.source-forge.web-ui
+  name: Source forge web UI
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+  source_links:
+    - label: Observability and evidence contract
+      path: /home/worsch/railiance-forge/docs/observability-operating-evidence.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: Current Gitea web UI and HTTP endpoint for source hosting and package workflows.
+  interface_type: web-ui
+  version: gitea-current
+  service_id: railiance-forge.source-forge
+  capability_ids:
+    - railiance-forge.source-forge.source-hosting
+  endpoint:
+    url: https://gitea.coulomb.social/
+  auth:
+    method: unknown
+  data_classification: confidential

fabric/services/railiance-apps-s5-releases.yaml

@@ -0,0 +1,18 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: ServiceDeclaration
+metadata:
+  id: railiance-apps.s5-releases
+  name: Railiance S5 app releases
+  owner: railiance-apps
+  repo: railiance-apps
+  domain: railiance
+  source_links:
+    - label: Apps scope
+      path: /home/worsch/railiance-apps/SCOPE.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: S5 application release surface that consumes forge artifacts, app manifests, runbooks, dry-runs, and smoke evidence.
+  service_type: app-release-surface
+  provides_capabilities: []
+  exposes_interfaces: []

fabric/services/railiance-cluster-kubernetes.yaml

@@ -0,0 +1,20 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: ServiceDeclaration
+metadata:
+  id: railiance-cluster.kubernetes
+  name: Railiance Kubernetes runtime
+  owner: railiance-cluster
+  repo: railiance-cluster
+  domain: railiance
+  source_links:
+    - label: Cluster scope
+      path: /home/worsch/railiance-cluster/SCOPE.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: Kubernetes runtime layer that provides the API server, namespaces, workloads, Services, Ingresses, and controller substrate for Railiance services.
+  service_type: cluster-runtime
+  provides_capabilities:
+    - railiance-cluster.kubernetes.runtime
+  exposes_interfaces:
+    - railiance-cluster.kubernetes.api

fabric/services/railiance-enablement-delivery-templates.yaml

@@ -0,0 +1,22 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: ServiceDeclaration
+metadata:
+  id: railiance-enablement.delivery-templates
+  name: Railiance delivery templates
+  owner: railiance-enablement
+  repo: railiance-enablement
+  domain: railiance
+  source_links:
+    - label: Enablement scope
+      path: /home/worsch/railiance-enablement/SCOPE.md
+    - label: Enablement intent
+      path: /home/worsch/railiance-enablement/INTENT.md
+spec:
+  lifecycle: planned
+  environments: [dev, staging, prod]
+  description: Reusable CI/CD and GitOps workflow template surface for Railiance workload delivery.
+  service_type: enablement-template-surface
+  provides_capabilities:
+    - railiance-enablement.delivery-templates.ci-cd-templates
+  exposes_interfaces:
+    - railiance-enablement.delivery-templates.workflow-template-contract

fabric/services/railiance-forge-source-forge.yaml

@@ -0,0 +1,31 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: ServiceDeclaration
+metadata:
+  id: railiance-forge.source-forge
+  name: Railiance source forge
+  owner: railiance-forge
+  repo: railiance-forge
+  domain: railiance
+  source_links:
+    - label: Forge scope
+      path: /home/worsch/railiance-forge/SCOPE.md
+    - label: Forge intent
+      path: /home/worsch/railiance-forge/INTENT.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: Current Gitea source forge and future Forgejo migration surface for source hosting, registries, runner substrate, and release artifact evidence.
+  service_type: forge-runtime
+  provides_capabilities:
+    - railiance-forge.source-forge.source-hosting
+    - railiance-forge.source-forge.container-registry
+    - railiance-forge.source-forge.python-package-registry
+    - railiance-forge.source-forge.workflow-runner-substrate
+    - railiance-forge.source-forge.artifact-promotion-evidence
+  exposes_interfaces:
+    - railiance-forge.source-forge.web-ui
+    - railiance-forge.source-forge.git-ssh
+    - railiance-forge.source-forge.oci-registry
+    - railiance-forge.source-forge.python-package-index
+    - railiance-forge.source-forge.runner-label-contract
+    - railiance-forge.source-forge.evidence-contract