---
version: "3"

# Task runner for this repository, kept in step with the current layout:
#   - The binary is `schemaforge` (declared in
#     crates/schema-forge-cli/Cargo.toml).
#   - `surrealdb` is the default backend; `postgres` is the alternative and is
#     mutually exclusive with the default (opt in with FEATURES=postgres).
#   - The React `/app` surface lives in `site/`; it is scaffolded by
#     `schemaforge site generate` and served by Vite. The legacy Tera +
#     Tailwind `admin-ui` is gone, so there is no embedded HTML template
#     pipeline left to compile. The runtime-dynamic admin console moved to the
#     schemaforge-console repo.

vars:
  # Backend selector, e.g. `FEATURES=postgres task serve`. Left empty, the
  # crate's default features (surrealdb) are used.
  FEATURES: ''
  PORT: 3000
  # Placeholder credential for local demos: `serve` and `demo` pass it to
  # --admin-password and `demo` prints it in its banner. Override it for any
  # instance that other people or hosts can reach.
  ADMIN_PASSWORD: changeme
  BASE_URL: 'http://127.0.0.1:{{.PORT}}'
  SITE_DIR: site
  SCHEMA_DIR: schemas
  SITE_DEV_PORT: 5173

  # Release coordinates for the embedded ops console. The `demo` task reads
  # them unless it is run with CONSOLE=0.
  CONSOLE_VERSION: v0.1.0
  CONSOLE_REPO: Govcraft/schemaforge-console
  # Handed to `cosign verify-blob --certificate-identity-regexp`. It pins the
  # signing repository and workflow file; everything after the `@` (the git
  # ref) is left unconstrained by this pattern.
  CONSOLE_IDENTITY: '^https://github\.com/Govcraft/schemaforge-console/\.github/workflows/release\.yml@'
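tasks:
  # Debug build of the CLI. FEATURES, when set, replaces the default backend.
  build:
    desc: Build the schemaforge binary (debug)
    cmds:
      - cargo build -p schema-forge-cli {{if .FEATURES}}--no-default-features --features {{.FEATURES}}{{end}}

  install:
    desc: Build release binary and install to ~/.cargo/bin/schemaforge
    cmds:
      - cargo install --path crates/schema-forge-cli {{if .FEATURES}}--no-default-features --features {{.FEATURES}}{{end}}

  # Development server. Templated values are double-quoted so a path or
  # password containing spaces reaches the binary as a single argument.
  # NOTE(review): --admin-password places the credential on the process command
  # line, and --dev-cors presumably relaxes CORS for local development
  # (confirm against the CLI); treat this task as local-only.
  serve:
    desc: Start the SchemaForge server (Ctrl+C to stop)
    cmds:
      # Pass --config explicitly: acton-service's auto-discovery walks XDG +
      # /etc but doesn't reliably pick up the project root's `config.toml`
      # under all `cargo run` cwd contexts. Explicit beats implicit.
      - >-
        cargo run -p schema-forge-cli
        {{if .FEATURES}}--no-default-features --features {{.FEATURES}}{{end}}
        -- --config config.toml serve
        --port "{{.PORT}}"
        --schemas "{{.SCHEMA_DIR}}"
        --admin-password "{{.ADMIN_PASSWORD}}"
        --dev-cors

  seed:
    desc: Seed demo data (expects server already running on $BASE_URL)
    cmds:
      - bash scripts/seed-demo-data.sh
    env:
      BASE_URL: "{{.BASE_URL}}"

  # End-to-end local demo: optionally fetch and verify the signed console
  # bundle, build the CLI, start the server against an in-memory database,
  # seed it, print a banner and stay in the foreground until interrupted.
  demo:
    desc: "Build, serve (in-memory DB) backend + ops console at /console, seed demo data, keep running. CONSOLE=0 for API-only."
    cmds:
      - |
        set -euo pipefail

        # The ops console at /console is served by DEFAULT. CONSOLE is a real
        # environment variable read by this shell (not a go-task var); run
        # `CONSOLE=0 task demo` to start the backend API only.
        CONSOLE="${CONSOLE:-1}"
        FEATURES="{{.FEATURES}}"

        # Single EXIT handler for both resources this script creates. It is
        # installed before the download so that a failed verification does not
        # leave unverified release assets behind in the temp directory.
        tmp=""
        SERVER_PID=""
        cleanup() {
          if [ -n "$SERVER_PID" ]; then
            kill "$SERVER_PID" 2>/dev/null || true
          fi
          if [ -n "$tmp" ]; then
            rm -rf "$tmp"
          fi
        }
        trap cleanup EXIT

        # Base feature args (backend selection).
        feature_args=""
        if [ -n "$FEATURES" ]; then
          feature_args="--no-default-features --features $FEATURES"
        fi

        # Console enabled (default): fetch + verify the signed console bundle,
        # then add the embedded-console feature so `serve` mounts it at /console.
        # Mirrors the release pipeline (download → identity-pinned cosign verify
        # → sha256 → embed), so it also exercises the supply-chain path locally.
        if [ "$CONSOLE" != "0" ]; then
          # Check every tool the verification path uses before downloading.
          for tool in gh cosign sha256sum tar; do
            if ! command -v "$tool" >/dev/null 2>&1; then
              echo "ERROR: serving the console needs '$tool' on PATH — install it, or run 'CONSOLE=0 task demo' for API-only." >&2
              exit 1
            fi
          done

          console_dist="$PWD/target/console-dist"
          echo "Fetching signed console bundle {{.CONSOLE_VERSION}} from {{.CONSOLE_REPO}}..."
          tmp="$(mktemp -d)"
          gh release download "{{.CONSOLE_VERSION}}" --repo "{{.CONSOLE_REPO}}" \
            --pattern 'console-dist-*.tar.gz' --pattern 'SHA256SUMS' \
            --pattern 'SHA256SUMS.sig' --pattern 'SHA256SUMS.pem' \
            --dir "$tmp" --clobber

          # The download pattern is a glob, so pin down the one archive that
          # will be extracted instead of re-expanding the glob at `tar` time.
          bundle=""
          bundle_count=0
          for candidate in "$tmp"/console-dist-*.tar.gz; do
            [ -f "$candidate" ] || continue
            bundle="$candidate"
            bundle_count=$((bundle_count + 1))
          done
          if [ "$bundle_count" -ne 1 ]; then
            echo "ERROR: expected exactly one console-dist-*.tar.gz in {{.CONSOLE_VERSION}}, found $bundle_count." >&2
            exit 1
          fi

          # Identity-pinned keyless verification — fails closed if the bundle was
          # signed by any other repo/workflow, or the manifest was tampered.
          cosign verify-blob \
            --certificate "$tmp/SHA256SUMS.pem" --signature "$tmp/SHA256SUMS.sig" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '{{.CONSOLE_IDENTITY}}' \
            "$tmp/SHA256SUMS"
          ( cd "$tmp" && sha256sum -c SHA256SUMS )

          # `sha256sum -c` only checks files the manifest names. Require the
          # signed manifest to name the archive we are about to unpack, so an
          # asset the manifest does not cover is never extracted.
          if ! grep -qF -- "$(basename "$bundle")" "$tmp/SHA256SUMS"; then
            echo "ERROR: $(basename "$bundle") is not listed in the signed SHA256SUMS." >&2
            exit 1
          fi

          rm -rf "$console_dist" && mkdir -p "$console_dist"
          tar -xzf "$bundle" -C "$console_dist"
          rm -rf "$tmp"
          tmp=""
          export SCHEMAFORGE_CONSOLE_DIST="$console_dist"
          if [ -n "$FEATURES" ]; then
            feature_args="--no-default-features --features ${FEATURES},embedded-console"
          else
            feature_args="--features embedded-console"
          fi
          echo "Verified console bundle -> $console_dist"
        fi

        # Build the CLI. $feature_args is left unquoted on purpose: it holds
        # several words that must reach cargo as separate arguments.
        cargo build -p schema-forge-cli $feature_args

        # Start server in background with in-memory DB.
        # `--config config.toml` is explicit so the project's [rate_limit]
        # block applies; acton-service's auto-discovery doesn't always pick
        # up the project root.
        # NOTE(review): the admin password is passed on the command line and
        # printed in the banner below; with the default `changeme` plus
        # --seed-demo-users and --dev-cors this is a local demo setup only.
        ./target/debug/schemaforge --config config.toml serve \
          --port "{{.PORT}}" \
          --schemas "{{.SCHEMA_DIR}}" \
          --admin-password "{{.ADMIN_PASSWORD}}" \
          --seed-demo-users \
          --db-url "mem://" \
          --dev-cors &
        SERVER_PID=$!

        # Wait for health endpoint (30s timeout)
        echo "Waiting for server to start..."
        for i in $(seq 1 30); do
          if curl -sf "{{.BASE_URL}}/health" > /dev/null 2>&1; then
            echo "Server is ready."
            break
          fi
          if [ "$i" -eq 30 ]; then
            echo "ERROR: Server failed to start within 30 seconds." >&2
            exit 1
          fi
          sleep 1
        done

        # Seed demo data
        BASE_URL="{{.BASE_URL}}" bash scripts/seed-demo-data.sh

        echo ""
        echo "============================================================"
        echo " Demo backend running at {{.BASE_URL}}"
        echo "============================================================"
        echo ""
        echo " Sign in:"
        echo " username: admin"
        echo " password: {{.ADMIN_PASSWORD}}"
        echo ""
        echo " Endpoints:"
        echo " health: {{.BASE_URL}}/health"
        echo " meta: {{.BASE_URL}}/api/v1/forge/meta"
        echo " schemas: {{.BASE_URL}}/api/v1/forge/schemas"
        echo ""
        if [ "$CONSOLE" != "0" ]; then
          echo " Ops console (embedded, served same-origin):"
          echo " {{.BASE_URL}}/console"
          echo ""
          echo " (API-only: CONSOLE=0 task demo)"
        else
          echo " Console disabled (API-only). Other UI options:"
          echo " task site:dev # regenerate site/ and start Vite on :{{.SITE_DEV_PORT}}"
        fi
        echo ""
        echo " Press Ctrl+C to stop the backend."
        echo "============================================================"

        # Stay in the foreground; the EXIT handler stops the server.
        wait "$SERVER_PID"

  site:
    desc: Regenerate the React site scaffold from the schema directory
    cmds:
      - cargo run -p schema-forge-cli --quiet -- site generate --schema-dir "{{.SCHEMA_DIR}}" --out-dir "{{.SITE_DIR}}"

  site:dev:
    desc: Regenerate the React site and start the Vite dev server
    cmds:
      - cargo run -p schema-forge-cli --quiet -- site generate --schema-dir "{{.SCHEMA_DIR}}" --out-dir "{{.SITE_DIR}}"
      - pnpm --dir "{{.SITE_DIR}}" install
      - pnpm --dir "{{.SITE_DIR}}" dev --port "{{.SITE_DEV_PORT}}"

  site:build:
    desc: Type-check and bundle the React site for production
    cmds:
      - cargo run -p schema-forge-cli --quiet -- site generate --schema-dir "{{.SCHEMA_DIR}}" --out-dir "{{.SITE_DIR}}"
      - pnpm --dir "{{.SITE_DIR}}" install
      - pnpm --dir "{{.SITE_DIR}}" build

  test:
    desc: Run all workspace tests with cargo nextest
    cmds:
      - cargo nextest run --workspace {{if .FEATURES}}--no-default-features --features {{.FEATURES}}{{end}}

  check:
    desc: Run clippy and format checks
    cmds:
      - cargo clippy --workspace --all-targets {{if .FEATURES}}--no-default-features --features {{.FEATURES}}{{end}} -- -D warnings
      - cargo fmt --all -- --check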