Establish Railiance Fabric graph model

2026-05-17 19:47:37 +02:00
parent 9c1f4d1381
commit 19f9fddc35
89 changed files with 5007 additions and 2 deletions

11
catalog/README.md Normal file

@@ -0,0 +1,11 @@
# Type Catalog
This directory contains the first Railiance Fabric type catalog.
- `capability-types.yaml` defines stable semantic capabilities.
- `interface-types.yaml` defines concrete integration surfaces.
Declaration schemas keep `capability_type` and `interface_type` as strings so
the core document shape stays decoupled from catalog evolution. The validator
planned in `RAIL-FAB-WP-0001-T05` should load these catalogs and reject unknown
types unless an explicit experimental override is added later.


@@ -0,0 +1,121 @@
apiVersion: railiance.fabric/v1alpha1
kind: CapabilityTypeCatalog
metadata:
id: railiance-fabric.capability-types
name: Railiance capability type catalog
owner: railiance-fabric
repo: railiance-fabric
domain: railiance
spec:
version: v1alpha1
types:
- id: runtime-secrets
name: Runtime secrets
lifecycle: active
description: Stores or vends runtime secrets needed by workloads after deployment.
default_criticality: critical
default_data_classification: secret
expected_interface_types:
- openbao-kv-v2-mount
- kubernetes-secret
tags: [security, platform, secrets]
- id: iam-profile-issuer
name: IAM Profile issuer
lifecycle: active
description: Issues or serves identity profile claims used by Railiance services.
default_criticality: critical
default_data_classification: restricted
expected_interface_types:
- oidc-discovery
- http-api
tags: [identity, security]
- id: authorization-decision-service
name: Authorization decision service
lifecycle: active
description: Evaluates authorization policy and returns allow/deny decisions with context.
default_criticality: critical
default_data_classification: restricted
expected_interface_types:
- http-api
- policy-package
tags: [authorization, policy, security]
- id: postgresql-database-service
name: PostgreSQL database service
lifecycle: active
description: Provides PostgreSQL databases, roles, and connection endpoints for workloads.
default_criticality: high
default_data_classification: confidential
expected_interface_types:
- database-connection
- openbao-dynamic-credential-role
tags: [database, platform]
- id: redis-compatible-cache
name: Redis-compatible cache
lifecycle: active
description: Provides Redis protocol compatible caching or ephemeral data storage.
default_criticality: medium
default_data_classification: internal
expected_interface_types:
- database-connection
- kubernetes-secret
tags: [cache, platform]
- id: object-storage
name: Object storage
lifecycle: planned
description: Provides bucket-style durable object storage for Railiance workloads.
default_criticality: high
default_data_classification: confidential
expected_interface_types:
- object-storage-bucket
- http-api
tags: [storage, platform]
- id: object-storage-credential-vending
name: Object-storage credential vending
lifecycle: planned
description: Issues scoped temporary credentials for object-storage access.
default_criticality: high
default_data_classification: secret
expected_interface_types:
- http-api
- openbao-dynamic-credential-role
- sts-token
tags: [storage, credentials, security]
- id: audit-event-sink
name: Audit/event sink
lifecycle: planned
description: Accepts audit, operational, or domain events for durable recording or routing.
default_criticality: high
default_data_classification: confidential
expected_interface_types:
- event-stream
- http-api
tags: [events, audit, observability]
- id: scope-generation
name: Scope generation
lifecycle: active
description: Produces repo or project scope descriptions used by humans and agents.
default_criticality: medium
default_data_classification: internal
expected_interface_types:
- cli
- http-api
tags: [planning, agents, documentation]
- id: coordination-read-model
name: Coordination read model
lifecycle: active
description: Exposes coordination state for repos, workstreams, tasks, decisions, and progress.
default_criticality: high
default_data_classification: internal
expected_interface_types:
- http-api
- event-stream
tags: [coordination, state-hub, planning]
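Review bot: The `expected_interface_types` lists (L43–L136) are cross-references into the sibling interface catalog, but nothing in this document states that they must resolve, so a typo in a later edit would pass as an unknown-but-syntactically-fine string; every id here does match an entry in the interface-types hunk (L153–L243), which makes the check cheap to add now. The same applies to the `lifecycle`, `default_criticality` and `default_data_classification` vocabularies, which are used consistently (`active`/`planned`, `critical`/`high`/`medium`, `secret`/`restricted`/`confidential`/`internal`) yet are not enumerated anywhere in the file, so the validator planned in the README has no in-repo source of truth for them. I would add a header comment above `types:` such as `# Enumerations: lifecycle {active, planned}; default_criticality {critical, high, medium}; default_data_classification {secret, restricted, confidential, internal}. expected_interface_types must resolve to ids in interface-types.yaml; the validator should reject unresolved ids.` Presumably a declaration that consumes a `planned` capability (object-storage, object-storage-credential-vending, audit-event-sink) should also be flagged rather than silently accepted — worth stating in that comment if intended.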


@@ -0,0 +1,114 @@
apiVersion: railiance.fabric/v1alpha1
kind: InterfaceTypeCatalog
metadata:
id: railiance-fabric.interface-types
name: Railiance interface type catalog
owner: railiance-fabric
repo: railiance-fabric
domain: railiance
spec:
version: v1alpha1
types:
- id: http-api
name: HTTP API
lifecycle: active
description: Request/response HTTP interface, usually JSON over HTTPS.
category: api
typical_auth_methods: [none, oidc, jwt, mtls, api_key]
versioning: path, header, media-type, or documented semantic version.
- id: oidc-discovery
name: OIDC discovery
lifecycle: active
description: OpenID Connect discovery metadata and JWKS endpoints.
category: identity
typical_auth_methods: [none]
versioning: issuer URL and advertised metadata.
- id: kubernetes-secret
name: Kubernetes Secret
lifecycle: active
description: Kubernetes Secret object consumed by workloads in a namespace.
category: kubernetes
typical_auth_methods: [kubernetes_service_account]
versioning: object name, key schema, and owner annotations.
- id: kubernetes-crd
name: Kubernetes CRD
lifecycle: active
description: Kubernetes custom resource definition and versioned resource schema.
category: kubernetes
typical_auth_methods: [kubernetes_service_account]
versioning: group, version, and kind.
- id: helm-release
name: Helm release
lifecycle: active
description: Helm chart/release interface used to install or configure a service.
category: deployment
typical_auth_methods: [kubernetes_service_account]
versioning: chart version and values schema.
- id: cli
name: CLI
lifecycle: active
description: Command-line interface consumed by humans, agents, or automation.
category: tooling
typical_auth_methods: [none, oidc, api_key, unknown]
versioning: command version and documented flags.
- id: database-connection
name: Database connection
lifecycle: active
description: Network database endpoint plus credentials and connection parameters.
category: data
typical_auth_methods: [database_role, static_secret, openbao_token]
versioning: engine version, connection contract, and migration compatibility.
- id: object-storage-bucket
name: Object-storage bucket
lifecycle: planned
description: Bucket, prefix, policy, and endpoint contract for object storage.
category: storage
typical_auth_methods: [sts_token, static_secret, openbao_token]
versioning: bucket policy version and object layout contract.
- id: event-stream
name: Event stream
lifecycle: planned
description: Pub/sub or streaming interface for audit, operational, or domain events.
category: events
typical_auth_methods: [jwt, mtls, api_key, unknown]
versioning: subject/topic names and event envelope schema.
- id: policy-package
name: Policy package
lifecycle: active
description: Versioned policy bundle consumed by an authorization runtime.
category: policy
typical_auth_methods: [none, oidc, jwt]
versioning: package version and policy input/output schema.
- id: openbao-kv-v2-mount
name: OpenBao KV v2 mount
lifecycle: active
description: OpenBao KV v2 mount path and secret layout contract.
category: secrets
typical_auth_methods: [kubernetes_service_account, openbao_token]
versioning: mount path, key layout, and policy version.
- id: openbao-dynamic-credential-role
name: OpenBao dynamic credential role
lifecycle: active
description: OpenBao role that issues dynamic credentials for another service.
category: credentials
typical_auth_methods: [kubernetes_service_account, openbao_token]
versioning: role name, policy, lease semantics, and backend version.
- id: sts-token
name: STS token
lifecycle: planned
description: Temporary scoped credential issued for object storage or similar services.
category: credentials
typical_auth_methods: [oidc, jwt, mtls]
versioning: token claim schema, audience, and lease semantics.
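Review bot: `typical_auth_methods` accepts `none` (http-api L158, oidc-discovery L165, cli L193, policy-package L221) and `unknown` (cli L193, event-stream L214) as ordinary list members, so a declaration can satisfy catalog validation without actually stating how callers are authenticated; for `policy-package` in particular, `none` describes an authorization runtime loading its policy bundle over an unauthenticated surface, where integrity of the bundle is the real control and the catalog has no field to express it. The allowed vocabulary for this field (`none`, `oidc`, `jwt`, `mtls`, `api_key`, `kubernetes_service_account`, `database_role`, `static_secret`, `openbao_token`, `sts_token`, `unknown`) is likewise not enumerated anywhere in the file. I would add a comment above `types:` such as `# typical_auth_methods vocabulary: oidc, jwt, mtls, api_key, kubernetes_service_account, database_role, static_secret, openbao_token, sts_token. 'none' is reserved for public, integrity-protected surfaces (TLS plus signed artifacts); 'unknown' is a placeholder the validator should warn on, not accept silently.` and, on the policy-package entry, a one-line note that consumers are expected to verify bundle signatures regardless of transport auth. The free-text `versioning:` values are fine as plain scalars today, but they contain commas and slashes that will trip a future reader who expects a structured field — consider documenting that they are descriptive only.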