feat: wire conflow config validation pipeline

Author: hyperpolymath

.conflow.yaml

@@ -0,0 +1,38 @@
+# conflow pipeline - Full generate → validate → export
+version: "1"
+name: "echidna"
+
+stages:
+  - name: "generate"
+    description: "Generate configuration using Nickel"
+    tool:
+      type: nickel
+      command: export
+      file: configs/config.ncl
+      format: json
+    input: "configs/config.ncl"
+    output: generated/config.json
+
+  - name: "validate"
+    description: "Validate against CUE schema"
+    tool:
+      type: cue
+      command: vet
+      schemas:
+        - schemas/config.cue
+    input:
+      from_stage: generate
+    depends_on:
+      - generate
+
+  - name: "export"
+    description: "Export final configuration as YAML"
+    tool:
+      type: cue
+      command: export
+      out_format: yaml
+    input:
+      from_stage: generate
+    output: deploy/config.yaml
+    depends_on:
+      - validate

alloyiser.toml

@@ -0,0 +1,40 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# alloyiser manifest for echidna
+# Echidna has REST, GraphQL, and gRPC interfaces under src/interfaces/
+
+[project]
+name = "echidna"
+
+[[specs]]
+name = "echidna-rest"
+source = "/var/mnt/eclipse/repos/echidna/src/interfaces/rest/models.rs"
+format = "openapi"
+
+[[specs]]
+name = "echidna-graphql"
+source = "/var/mnt/eclipse/repos/echidna/src/interfaces/graphql/schema.rs"
+format = "graphql"
+
+[[specs]]
+name = "echidna-grpc"
+source = "/var/mnt/eclipse/repos/echidna/src/interfaces/grpc/proto/echidna.proto"
+format = "openapi"
+
+[[assertions]]
+name = "no-orphan-records"
+check = "all r: Record | some r.owner"
+scope = 5
+
+[[assertions]]
+name = "proof-integrity"
+check = "all p: Proof | p.status = Verified implies some p.theorem"
+scope = 5
+
+[[assertions]]
+name = "rule-determinism"
+check = "all r: Rule, s: State | lone r.apply[s]"
+scope = 6
+
+[alloy]
+solver = "sat4j"
+max-scope = 6

configs/config.ncl

@@ -0,0 +1,11 @@
+# Configuration generation
+{
+  name = "my-app",
+  replicas =
+    let env = "dev" in
+    if env == "prod" then 5
+    else if env == "staging" then 3
+    else 1,
+  port = 8080,
+  env = "dev",
+}

generated/alloyiser/echidna.als

@@ -0,0 +1,21 @@
+module echidna
+
+// Formal model generated by alloyiser from project 'echidna'.
+// Verify with: java -jar alloy.jar echidna.als
+assert no_orphan_records {
+    all r: Record | some r.owner
+}
+check no_orphan_records for 5
+
+assert proof_integrity {
+    all p: Proof | p.status = Verified implies some p.theorem
+}
+check proof_integrity for 5
+
+assert rule_determinism {
+    all r: Rule, s: State | lone r.apply[s]
+}
+check rule_determinism for 6
+
+// Visualise a sample instance
+run {} for 5

generated/alloyiser/run-analysis.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Generated by alloyiser — Alloy analysis script
+# Requires: java, alloy.jar
+
+ALLOY_JAR="alloy.jar"
+MODEL="/var/mnt/eclipse/repos/echidna/generated/alloyiser/echidna.als"
+SOLVER="sat4j"
+TIMEOUT="300"
+
+echo "=== alloyiser analysis ==="
+echo "Model: $MODEL"
+echo "Solver: $SOLVER"
+echo "Assertions: 3"
+
+echo "Checking: no_orphan_records..."
+timeout "$TIMEOUT" java -jar "$ALLOY_JAR" -batch -solver "$SOLVER" "$MODEL" 2>&1 | grep -A5 "no_orphan_records"
+echo ""
+
+echo "Checking: proof_integrity..."
+timeout "$TIMEOUT" java -jar "$ALLOY_JAR" -batch -solver "$SOLVER" "$MODEL" 2>&1 | grep -A5 "proof_integrity"
+echo ""
+
+echo "Checking: rule_determinism..."
+timeout "$TIMEOUT" java -jar "$ALLOY_JAR" -batch -solver "$SOLVER" "$MODEL" 2>&1 | grep -A5 "rule_determinism"
+echo ""
+
+echo "=== analysis complete ==="

schemas/config.cue

@@ -0,0 +1,9 @@
+// Configuration schema
+package config
+
+#Config: {
+    name:     string
+    replicas: int & >=1
+    port:     int & >=1 & <=65535
+    env:      string
+}