Establish Railiance Fabric graph model

examples/declarations/valid/binding-flex-auth-openbao.yaml

@@ -0,0 +1,23 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: BindingAssertion
+metadata:
+  id: flex-auth.api.runtime-secrets-to-openbao
+  name: flex-auth runtime secrets binding
+  owner: flex-auth
+  repo: flex-auth
+  domain: railiance
+  source_links:
+    - label: Runtime secrets binding note
+      path: docs/runtime-secrets.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  dependency_id: flex-auth.api.needs-runtime-secrets
+  provider_capability_id: railiance-platform.openbao.runtime-secrets
+  provider_interface_id: railiance-platform.openbao.kv-v2
+  status: exact
+  rationale: flex-auth uses the OpenBao KV v2 mount as its runtime secrets provider.
+  compatibility:
+    version: v1
+    compatible_with:
+      - railiance-platform.openbao.kv-v2

examples/declarations/valid/capability-runtime-secrets.yaml

@@ -0,0 +1,26 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: CapabilityDeclaration
+metadata:
+  id: railiance-platform.openbao.runtime-secrets
+  name: Runtime secrets
+  owner: railiance-platform
+  repo: railiance-platform
+  domain: railiance
+  source_links:
+    - label: Runtime secrets workplan
+      path: workplans/RAIL-PLAT-WP-openbao-runtime-secrets.md
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: Stores and serves workload runtime secrets through OpenBao.
+  capability_type: runtime-secrets
+  service_id: railiance-platform.openbao
+  interface_ids:
+    - railiance-platform.openbao.kv-v2
+  criticality: critical
+  data_classification: secret
+  compatibility:
+    version: v1
+    compatible_with:
+      - railiance-platform.openbao.kv-v2
+    notes: Initial runtime secrets capability for Railiance workloads.

examples/declarations/valid/dependency-flex-auth-runtime-secrets.yaml

@@ -0,0 +1,31 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: DependencyDeclaration
+metadata:
+  id: flex-auth.api.needs-runtime-secrets
+  name: flex-auth runtime secrets dependency
+  owner: flex-auth
+  repo: flex-auth
+  domain: railiance
+  source_links:
+    - label: flex-auth deployment values
+      path: deploy/values.yaml
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  consumer_service_id: flex-auth.api
+  requires:
+    capability_type: runtime-secrets
+  interface:
+    type: openbao-kv-v2-mount
+    version_constraint: ">=v1 <v2"
+  auth:
+    method: kubernetes_service_account
+    audience: openbao
+  criticality: critical
+  data_classification: secret
+  fallback:
+    mode: none
+    description: flex-auth cannot start without runtime secrets.
+  compatibility:
+    requires:
+      - openbao-kv-v2-mount v1

examples/declarations/valid/interface-openbao-kv-v2.yaml

@@ -0,0 +1,29 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: InterfaceDeclaration
+metadata:
+  id: railiance-platform.openbao.kv-v2
+  name: OpenBao KV v2 mount
+  owner: railiance-platform
+  repo: railiance-platform
+  domain: railiance
+  source_links:
+    - label: OpenBao KV mount manifest
+      path: manifests/openbao/kv-v2.yaml
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: KV v2 secret mount exposed to approved Railiance workloads.
+  interface_type: openbao-kv-v2-mount
+  version: v1
+  service_id: railiance-platform.openbao
+  capability_ids:
+    - railiance-platform.openbao.runtime-secrets
+  endpoint:
+    path: secret/data/railiance
+  auth:
+    method: kubernetes_service_account
+    audience: openbao
+  data_classification: secret
+  compatibility:
+    version: v1
+    notes: Consumers must use workload service-account authentication.

examples/declarations/valid/service-openbao.yaml

@@ -0,0 +1,20 @@
+apiVersion: railiance.fabric/v1alpha1
+kind: ServiceDeclaration
+metadata:
+  id: railiance-platform.openbao
+  name: OpenBao
+  owner: railiance-platform
+  repo: railiance-platform
+  domain: railiance
+  source_links:
+    - label: OpenBao platform chart
+      path: charts/openbao/values.yaml
+spec:
+  lifecycle: active
+  environments: [dev, staging, prod]
+  description: OpenBao service used by Railiance workloads for runtime secrets.
+  service_type: platform-service
+  provides_capabilities:
+    - railiance-platform.openbao.runtime-secrets
+  exposes_interfaces:
+    - railiance-platform.openbao.kv-v2