Establish Railiance Fabric graph model

examples/declarations/README.md

@@ -0,0 +1,15 @@
+# Declaration Fixtures
+
+These fixtures support the T02 schema baseline and give the future validator
+real inputs to exercise.
+
+`valid/` contains a coherent mini-graph:
+
+- OpenBao service
+- OpenBao runtime-secrets capability
+- OpenBao KV v2 interface
+- flex-auth runtime-secrets dependency
+- binding assertion from flex-auth to OpenBao
+
+`invalid/` contains schema-level failures. The future validator should report
+clear errors for these before it attempts graph-level checks.

examples/declarations/invalid/binding-bad-status.yaml

@@ -0,0 +1,15 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: BindingAssertion
+metadata:
+  id: flex-auth.api.bad-binding-status
+  name: Bad binding status
+  owner: flex-auth
+  repo: flex-auth
+  domain: railiance
+spec:
+  lifecycle: active
+  environments: [dev]
+  dependency_id: flex-auth.api.needs-runtime-secrets
+  provider_capability_id: railiance-platform.openbao.runtime-secrets
+  status: accepted
+  rationale: Invalid because accepted is not a binding status.

examples/declarations/invalid/capability-bad-lifecycle.yaml

@@ -0,0 +1,16 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: CapabilityDeclaration
+metadata:
+  id: railiance-platform.openbao.bad-lifecycle
+  name: Bad lifecycle capability
+  owner: railiance-platform
+  repo: railiance-platform
+  domain: railiance
+spec:
+  lifecycle: started
+  environments: [dev]
+  description: Invalid because lifecycle must use the shared enum.
+  capability_type: runtime-secrets
+  service_id: railiance-platform.openbao
+  criticality: high
+  data_classification: secret

examples/declarations/invalid/dependency-bad-environment.yaml

@@ -0,0 +1,16 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: DependencyDeclaration
+metadata:
+  id: flex-auth.api.bad-environment
+  name: Bad environment dependency
+  owner: flex-auth
+  repo: flex-auth
+  domain: railiance
+spec:
+  lifecycle: active
+  environments: [production]
+  consumer_service_id: flex-auth.api
+  requires:
+    capability_type: runtime-secrets
+  criticality: high
+  data_classification: secret

examples/declarations/invalid/interface-bad-auth.yaml

@@ -0,0 +1,18 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: InterfaceDeclaration
+metadata:
+  id: railiance-platform.openbao.bad-auth
+  name: Bad auth interface
+  owner: railiance-platform
+  repo: railiance-platform
+  domain: railiance
+spec:
+  lifecycle: active
+  environments: [dev]
+  description: Invalid because oauth2 is not in the initial auth-method enum.
+  interface_type: http-api
+  version: v1
+  service_id: railiance-platform.openbao
+  auth:
+    method: oauth2
+  data_classification: internal

examples/declarations/invalid/service-missing-id.yaml

@@ -0,0 +1,11 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: ServiceDeclaration
+metadata:
+  name: Missing ID Service
+  owner: railiance-platform
+  repo: railiance-platform
+  domain: railiance
+spec:
+  lifecycle: active
+  environments: [dev]
+  description: Invalid because metadata.id is required.

examples/declarations/valid/binding-flex-auth-openbao.yaml

@@ -0,0 +1,23 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: BindingAssertion
+metadata:
+  id: flex-auth.api.runtime-secrets-to-openbao
+  name: flex-auth runtime secrets binding
+  owner: flex-auth
+  repo: flex-auth
+  domain: railiance
+  source_links:
+    - label: Runtime secrets binding note
+      path: docs/runtime-secrets.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  dependency_id: flex-auth.api.needs-runtime-secrets
+  provider_capability_id: railiance-platform.openbao.runtime-secrets
+  provider_interface_id: railiance-platform.openbao.kv-v2
+  status: exact
+  rationale: flex-auth uses the OpenBao KV v2 mount as its runtime secrets provider.
+  compatibility:
+    version: v1
+    compatible_with:
+      - railiance-platform.openbao.kv-v2

examples/declarations/valid/capability-runtime-secrets.yaml

@@ -0,0 +1,26 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: CapabilityDeclaration
+metadata:
+  id: railiance-platform.openbao.runtime-secrets
+  name: Runtime secrets
+  owner: railiance-platform
+  repo: railiance-platform
+  domain: railiance
+  source_links:
+    - label: Runtime secrets workplan
+      path: workplans/RAIL-PLAT-WP-openbao-runtime-secrets.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: Stores and serves workload runtime secrets through OpenBao.
+  capability_type: runtime-secrets
+  service_id: railiance-platform.openbao
+  interface_ids:
+    - railiance-platform.openbao.kv-v2
+  criticality: critical
+  data_classification: secret
+  compatibility:
+    version: v1
+    compatible_with:
+      - railiance-platform.openbao.kv-v2
+    notes: Initial runtime secrets capability for Railiance workloads.

examples/declarations/valid/dependency-flex-auth-runtime-secrets.yaml

@@ -0,0 +1,31 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: DependencyDeclaration
+metadata:
+  id: flex-auth.api.needs-runtime-secrets
+  name: flex-auth runtime secrets dependency
+  owner: flex-auth
+  repo: flex-auth
+  domain: railiance
+  source_links:
+    - label: flex-auth deployment values
+      path: deploy/values.yaml
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  consumer_service_id: flex-auth.api
+  requires:
+    capability_type: runtime-secrets
+  interface:
+    type: openbao-kv-v2-mount
+    version_constraint: ">=v1 <v2"
+  auth:
+    method: kubernetes_service_account
+    audience: openbao
+  criticality: critical
+  data_classification: secret
+  fallback:
+    mode: none
+    description: flex-auth cannot start without runtime secrets.
+  compatibility:
+    requires:
+      - openbao-kv-v2-mount v1

examples/declarations/valid/interface-openbao-kv-v2.yaml

@@ -0,0 +1,29 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: InterfaceDeclaration
+metadata:
+  id: railiance-platform.openbao.kv-v2
+  name: OpenBao KV v2 mount
+  owner: railiance-platform
+  repo: railiance-platform
+  domain: railiance
+  source_links:
+    - label: OpenBao KV mount manifest
+      path: manifests/openbao/kv-v2.yaml
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: KV v2 secret mount exposed to approved Railiance workloads.
+  interface_type: openbao-kv-v2-mount
+  version: v1
+  service_id: railiance-platform.openbao
+  capability_ids:
+    - railiance-platform.openbao.runtime-secrets
+  endpoint:
+    path: secret/data/railiance
+  auth:
+    method: kubernetes_service_account
+    audience: openbao
+  data_classification: secret
+  compatibility:
+    version: v1
+    notes: Consumers must use workload service-account authentication.

examples/declarations/valid/service-openbao.yaml

@@ -0,0 +1,20 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: ServiceDeclaration
+metadata:
+  id: railiance-platform.openbao
+  name: OpenBao
+  owner: railiance-platform
+  repo: railiance-platform
+  domain: railiance
+  source_links:
+    - label: OpenBao platform chart
+      path: charts/openbao/values.yaml
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: OpenBao service used by Railiance workloads for runtime secrets.
+  service_type: platform-service
+  provides_capabilities:
+    - railiance-platform.openbao.runtime-secrets
+  exposes_interfaces:
+    - railiance-platform.openbao.kv-v2