# SPDX-License-Identifier: PMPL-1.0-or-later
# stapeln.toml — Layer-based container build for boj-server
#
# stapeln builds containers as composable layers (German: "to stack").
# Each layer is independently cacheable, verifiable, and signable.
[metadata]
name = "boj-server"
version = "0.3.1"
description = "Bundle of Joy Server — unified MCP capability catalogue with formally verified Zig/Idris2 cartridges"
author = "Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>"
license = "PMPL-1.0-or-later"
# Presumably where the finished image is published; the base images
# referenced by the layers below come from cgr.dev, not from here.
registry = "ghcr.io/hyperpolymath"
[build]
containerfile = "container/Containerfile"
# The whole repository root is the build context. Worth confirming that
# an ignore file keeps local secrets and stale build output out of it.
context = "."
runtime = "podman"
# ── Layer Definitions ──────────────────────────────────────────
#
# Architecture: Zig FFI → Idris2-verified ABI → Zig adapter binary.
# No JavaScript/TypeScript/Node.js in the production path.
# (The MCP bridge Containerfile at root/ is transitional until
# typed-wasm-mcp lands — see docs/architecture/TYPED-WASM-MCP-BRIDGE.md.)
[layers.base]
description = "Chainguard Wolfi minimal base"
# NOTE(review): a floating `:latest` tag is not reproducible and undercuts
# the "verifiable, signable" property claimed in the file header — pin by
# digest (`wolfi-base:latest@sha256:<digest>`) and let an update bot refresh
# it. The same applies to `from` in [layers.runtime].
from = "cgr.dev/chainguard/wolfi-base:latest"
cache = true
verify = true
[layers.zig-toolchain]
description = "Zig toolchain + build-base + sqlite headers"
extends = "base"
# Packages installed on top of the base layer; sqlite-dev provides the
# headers the FFI build compiles against.
packages = ["build-base", "zig", "sqlite-dev"]
cache = true
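[layers.ffi-build]
description = "Compile core FFI + all cartridge FFI shared libraries"
extends = "zig-toolchain"
# Core FFI first, then every cartridge that ships its own build.zig.
# Cartridges without a build.zig are skipped; a cartridge whose build
# fails aborts the layer (`|| exit 1`) instead of being silently ignored —
# the previous `&& ... || true` form masked build failures as success.
commands = [
"cd ffi/zig && zig build -Doptimize=ReleaseFast",
"for d in cartridges/*/ffi; do if [ -f \"$d/build.zig\" ]; then (cd \"$d\" && zig build -Doptimize=ReleaseFast) || exit 1; fi; done",
]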
[layers.adapter-build]
description = "Compile Zig adapter binary (boj-server) linking all FFI libs"
# Builds on ffi-build so the FFI outputs are present when the adapter links.
extends = "ffi-build"
commands = [
"cd adapter/zig && zig build -Doptimize=ReleaseFast",
]
[layers.runtime]
description = "Minimal Chainguard runtime — binary + FFI libs only, no build toolchain"
# NOTE(review): this is the image that ships — pin by digest rather than
# `:latest`, as noted on [layers.base].
from = "cgr.dev/chainguard/wolfi-base:latest"
# curl in the production image widens the attack surface; presumably it
# backs a health check — confirm, and drop it if nothing needs it.
packages = ["ca-certificates", "curl"]
# Only the adapter binary and the core FFI output are staged from the
# build layers. NOTE(review): the cartridge FFI libraries that
# [layers.ffi-build] compiles under cartridges/*/ffi are not copied —
# confirm they are linked statically into boj-server, otherwise add an entry.
copy-from = [
{ layer = "adapter-build", src = "/build/adapter/zig/zig-out/bin/boj-server", dst = "/app/boj-server" },
{ layer = "ffi-build", src = "/build/ffi/zig/zig-out/", dst = "/app/lib/core/" },
]
# Neither /app/entrypoint.sh nor the `appuser` account is created by any
# layer in this file — presumably the Containerfile provides them; verify.
entrypoint = ["/app/entrypoint.sh"]
cmd = ["/app/boj-server"]
user = "appuser"
# ── Security ───────────────────────────────────────────────────
[security]
# Run as the unprivileged `user` declared in [layers.runtime].
non-root = true
# NOTE(review): a writable root filesystem is the one relaxation in this
# table. If boj-server only needs scratch space, prefer `read-only-root = true`
# plus a tmpfs or volume for that path — confirm what the binary writes.
read-only-root = false
# Block privilege escalation through setuid binaries or file capabilities.
no-new-privileges = true
# Drop every Linux capability; add individual ones back only when a
# concrete runtime failure shows they are required.
cap-drop = ["ALL"]
# Custom seccomp profile; keep it in step with the syscalls the Zig
# binary actually makes, or the container will fail at run time.
seccomp-profile = "container/seccomp-boj.json"
[security.signing]
# ML-DSA-87 is the largest FIPS 204 (post-quantum lattice) parameter set.
algorithm = "ML-DSA-87"
# Presumably the tool that performs the signing — semantics defined by stapeln.
provider = "cerro-torre"
[security.sbom]
format = "spdx-json"
# Written relative to the build context; presumably also what gets signed.
output = "sbom.spdx.json"
# Presumably pulls transitive package dependencies into the SBOM, not just
# the packages listed in the layers — confirm against the stapeln schema.
include-deps = true
# ── Verification ───────────────────────────────────────────────
[verify]
# vordr and svalinn are enabled as build-time checks; what each one
# verifies is defined by stapeln, not by this file.
vordr = true
svalinn = true
# Vulnerability scan runs during the build and fails it on any finding
# at the listed severities.
scan-on-build = true
fail-on = ["critical", "high"]
# ── Targets ────────────────────────────────────────────────────
[targets.development]
# Full toolchain image: all four build layers, no runtime layer.
layers = ["base", "zig-toolchain", "ffi-build", "adapter-build"]
# Values are strings because they are exported as environment variables.
env = { LOG_LEVEL = "debug", BOJ_DEV_MODE = "true" }
[targets.production]
# Ships only the runtime layer — no compiler or build tooling.
layers = ["runtime"]
# Deliberately no BOJ_DEV_MODE / BOJ_TEST_MODE here: those switches stay
# confined to the development, test and ci targets.
env = { LOG_LEVEL = "info", APP_HOST = "[::]", APP_PORT = "7700" }
[targets.test]
# Same layer set as development; differs only in the mode flag.
layers = ["base", "zig-toolchain", "ffi-build", "adapter-build"]
env = { LOG_LEVEL = "debug", BOJ_TEST_MODE = "true" }
[targets.ci]
# Same layer set as development; the test commands below run inside it.
layers = ["base", "zig-toolchain", "ffi-build", "adapter-build"]
env = { LOG_LEVEL = "debug" }
# Core FFI unit tests first, then the repository-level Zig test files.
commands = [
"cd ffi/zig && zig build test",
"zig test tests/smoke_test.zig",
"zig test tests/e2e_mcp_test.zig",
"zig test tests/aspect_security_test.zig",
"zig test tests/p2p_cartridge_properties_test.zig",
]