generated from coulomb/repo-seed
Establish Railiance Fabric graph model
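--- a/catalog/README.md
+++ b/catalog/README.md
@@ -0,0 +1,11 @@
+# Type Catalog
+
+This directory contains the first Railiance Fabric type catalog.
+
+- `capability-types.yaml` defines stable semantic capabilities.
+- `interface-types.yaml` defines concrete integration surfaces.
+
+Declaration schemas keep `capability_type` and `interface_type` as strings so
+the core document shape stays decoupled from catalog evolution. The validator
+planned in `RAIL-FAB-WP-0001-T05` should load these catalogs and reject unknown
+types unless an explicit experimental override is added later.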
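--- a/catalog/capability-types.yaml
+++ b/catalog/capability-types.yaml
@@ -0,0 +1,121 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: CapabilityTypeCatalog
+metadata:
+  id: railiance-fabric.capability-types
+  name: Railiance capability type catalog
+  owner: railiance-fabric
+  repo: railiance-fabric
+  domain: railiance
+spec:
+  version: v1alpha1
+  types:
+    - id: runtime-secrets
+      name: Runtime secrets
+      lifecycle: active
+      description: Stores or vends runtime secrets needed by workloads after deployment.
+      default_criticality: critical
+      default_data_classification: secret
+      expected_interface_types:
+        - openbao-kv-v2-mount
+        - kubernetes-secret
+      tags: [security, platform, secrets]
+
+    - id: iam-profile-issuer
+      name: IAM Profile issuer
+      lifecycle: active
+      description: Issues or serves identity profile claims used by Railiance services.
+      default_criticality: critical
+      default_data_classification: restricted
+      expected_interface_types:
+        - oidc-discovery
+        - http-api
+      tags: [identity, security]
+
+    - id: authorization-decision-service
+      name: Authorization decision service
+      lifecycle: active
+      description: Evaluates authorization policy and returns allow/deny decisions with context.
+      default_criticality: critical
+      default_data_classification: restricted
+      expected_interface_types:
+        - http-api
+        - policy-package
+      tags: [authorization, policy, security]
+
+    - id: postgresql-database-service
+      name: PostgreSQL database service
+      lifecycle: active
+      description: Provides PostgreSQL databases, roles, and connection endpoints for workloads.
+      default_criticality: high
+      default_data_classification: confidential
+      expected_interface_types:
+        - database-connection
+        - openbao-dynamic-credential-role
+      tags: [database, platform]
+
+    - id: redis-compatible-cache
+      name: Redis-compatible cache
+      lifecycle: active
+      description: Provides Redis protocol compatible caching or ephemeral data storage.
+      default_criticality: medium
+      default_data_classification: internal
+      expected_interface_types:
+        - database-connection
+        - kubernetes-secret
+      tags: [cache, platform]
+
+    - id: object-storage
+      name: Object storage
+      lifecycle: planned
+      description: Provides bucket-style durable object storage for Railiance workloads.
+      default_criticality: high
+      default_data_classification: confidential
+      expected_interface_types:
+        - object-storage-bucket
+        - http-api
+      tags: [storage, platform]
+
+    - id: object-storage-credential-vending
+      name: Object-storage credential vending
+      lifecycle: planned
+      description: Issues scoped temporary credentials for object-storage access.
+      default_criticality: high
+      default_data_classification: secret
+      expected_interface_types:
+        - http-api
+        - openbao-dynamic-credential-role
+        - sts-token
+      tags: [storage, credentials, security]
+
+    - id: audit-event-sink
+      name: Audit/event sink
+      lifecycle: planned
+      description: Accepts audit, operational, or domain events for durable recording or routing.
+      default_criticality: high
+      default_data_classification: confidential
+      expected_interface_types:
+        - event-stream
+        - http-api
+      tags: [events, audit, observability]
+
+    - id: scope-generation
+      name: Scope generation
+      lifecycle: active
+      description: Produces repo or project scope descriptions used by humans and agents.
+      default_criticality: medium
+      default_data_classification: internal
+      expected_interface_types:
+        - cli
+        - http-api
+      tags: [planning, agents, documentation]
+
+    - id: coordination-read-model
+      name: Coordination read model
+      lifecycle: active
+      description: Exposes coordination state for repos, workstreams, tasks, decisions, and progress.
+      default_criticality: high
+      default_data_classification: internal
+      expected_interface_types:
+        - http-api
+        - event-stream
+      tags: [coordination, state-hub, planning]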
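Review bot: Every `expected_interface_types` entry is an id that lives in the sibling `interface-types.yaml`, and neither this file nor the README's planned validator says the reference must resolve, so a misspelled or later-removed interface id would pass silently; I would add above `types:` the comment `# expected_interface_types entries must match an id in interface-types.yaml; the validator should reject unresolved ids.`. The same check should note lifecycle mismatches, since the `active` capability `coordination-read-model` expects `event-stream`, which the interface catalog marks `planned`. The value sets for `default_criticality` (`critical`, `high`, `medium` are the ones used here) and `default_data_classification` (`secret`, `restricted`, `confidential`, `internal`) are also undeclared, so there is currently nothing for a validator to enforce beyond "is a string"; a short comment listing the accepted values next to `spec:` would close that gap until a schema exists.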
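--- a/catalog/interface-types.yaml
+++ b/catalog/interface-types.yaml
@@ -0,0 +1,114 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: InterfaceTypeCatalog
+metadata:
+  id: railiance-fabric.interface-types
+  name: Railiance interface type catalog
+  owner: railiance-fabric
+  repo: railiance-fabric
+  domain: railiance
+spec:
+  version: v1alpha1
+  types:
+    - id: http-api
+      name: HTTP API
+      lifecycle: active
+      description: Request/response HTTP interface, usually JSON over HTTPS.
+      category: api
+      typical_auth_methods: [none, oidc, jwt, mtls, api_key]
+      versioning: path, header, media-type, or documented semantic version.
+
+    - id: oidc-discovery
+      name: OIDC discovery
+      lifecycle: active
+      description: OpenID Connect discovery metadata and JWKS endpoints.
+      category: identity
+      typical_auth_methods: [none]
+      versioning: issuer URL and advertised metadata.
+
+    - id: kubernetes-secret
+      name: Kubernetes Secret
+      lifecycle: active
+      description: Kubernetes Secret object consumed by workloads in a namespace.
+      category: kubernetes
+      typical_auth_methods: [kubernetes_service_account]
+      versioning: object name, key schema, and owner annotations.
+
+    - id: kubernetes-crd
+      name: Kubernetes CRD
+      lifecycle: active
+      description: Kubernetes custom resource definition and versioned resource schema.
+      category: kubernetes
+      typical_auth_methods: [kubernetes_service_account]
+      versioning: group, version, and kind.
+
+    - id: helm-release
+      name: Helm release
+      lifecycle: active
+      description: Helm chart/release interface used to install or configure a service.
+      category: deployment
+      typical_auth_methods: [kubernetes_service_account]
+      versioning: chart version and values schema.
+
+    - id: cli
+      name: CLI
+      lifecycle: active
+      description: Command-line interface consumed by humans, agents, or automation.
+      category: tooling
+      typical_auth_methods: [none, oidc, api_key, unknown]
+      versioning: command version and documented flags.
+
+    - id: database-connection
+      name: Database connection
+      lifecycle: active
+      description: Network database endpoint plus credentials and connection parameters.
+      category: data
+      typical_auth_methods: [database_role, static_secret, openbao_token]
+      versioning: engine version, connection contract, and migration compatibility.
+
+    - id: object-storage-bucket
+      name: Object-storage bucket
+      lifecycle: planned
+      description: Bucket, prefix, policy, and endpoint contract for object storage.
+      category: storage
+      typical_auth_methods: [sts_token, static_secret, openbao_token]
+      versioning: bucket policy version and object layout contract.
+
+    - id: event-stream
+      name: Event stream
+      lifecycle: planned
+      description: Pub/sub or streaming interface for audit, operational, or domain events.
+      category: events
+      typical_auth_methods: [jwt, mtls, api_key, unknown]
+      versioning: subject/topic names and event envelope schema.
+
+    - id: policy-package
+      name: Policy package
+      lifecycle: active
+      description: Versioned policy bundle consumed by an authorization runtime.
+      category: policy
+      typical_auth_methods: [none, oidc, jwt]
+      versioning: package version and policy input/output schema.
+
+    - id: openbao-kv-v2-mount
+      name: OpenBao KV v2 mount
+      lifecycle: active
+      description: OpenBao KV v2 mount path and secret layout contract.
+      category: secrets
+      typical_auth_methods: [kubernetes_service_account, openbao_token]
+      versioning: mount path, key layout, and policy version.
+
+    - id: openbao-dynamic-credential-role
+      name: OpenBao dynamic credential role
+      lifecycle: active
+      description: OpenBao role that issues dynamic credentials for another service.
+      category: credentials
+      typical_auth_methods: [kubernetes_service_account, openbao_token]
+      versioning: role name, policy, lease semantics, and backend version.
+
+    - id: sts-token
+      name: STS token
+      lifecycle: planned
+      description: Temporary scoped credential issued for object storage or similar services.
+      category: credentials
+      typical_auth_methods: [oidc, jwt, mtls]
+      versioning: token claim schema, audience, and lease semantics.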
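Review bot: `typical_auth_methods` mixes real mechanisms (`oidc`, `mtls`, `kubernetes_service_account`, …) with two sentinels that mean different things — `none` on `http-api`, `oidc-discovery`, `cli` and `policy-package` asserts that an unauthenticated surface is normal, while `unknown` on `cli` and `event-stream` records that nobody has decided yet — and nothing in the file distinguishes them, so a consumer can easily read both as "no auth". I would add above `types:` the comment `# typical_auth_methods: 'none' = intentionally unauthenticated; 'unknown' = not yet determined and must be resolved before the interface is declared active.` and, next to it, list the full accepted vocabulary so the planned validator can reject near-misses such as `api-key` for `api_key`. Note that `cli` is already `active` while carrying `unknown`, which that rule would flag. `versioning:` is the only free-prose field in each entry; if it is meant to stay informational, a one-line comment saying so would stop tooling from trying to parse it.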