feat(catalog): configurable cartridges root + canonical schema + category field sweep#158
Merged
Merged
Conversation
…gory field sweep
Three changes that together prepare boj-server to consume cartridges from
the new hyperpolymath/boj-server-cartridges repository on demand instead
of bundling them in-tree:
1. **Configurable cartridges root** — `elixir/lib/boj_rest/application.ex`
gains a fallback chain for the catalog root:
Application env (:boj_rest, :cartridges_root)
→ BOJ_CARTRIDGES_PATH environment variable
→ default "./cartridges" (preserves historical bundled behaviour)
Operators wanting on-demand fetch from boj-server-cartridges set
BOJ_CARTRIDGES_PATH to their local cache (e.g. "~/.boj/cartridges")
and arrange for tray to populate that path. No runtime-behaviour
change unless the env var is set.
2. **Canonical schema mirror** — `schemas/cartridge-v1.json` is replaced
with a vendored copy of the canonical schema filed as standards#200
(which expanded the original `-mcp`-only `name` regex to admit the
full BoJ server-role taxonomy: mcp/lsp/dap/bsp/debug/format/lint/
build/nesy/agentic/fleet, and added `category`, `states`, `source`
fields). `schemas/SCHEMA-MIRROR.md` documents the mirror discipline
and the pending SHA-pinning ceremony (executes once standards#200
merges).
3. **`category` field sweep on 125 cartridge manifests** — the new
schema makes `category` required. A mechanical sweep assigns
`"category": "template"` (1: gossamer-mcp), `"category":
"cross-cutting"` (11: agent-mcp, claude-agents-power-mcp,
claude-ai-mcp, local-coord-mcp, model-router-mcp, nesy-mcp, ml-mcp,
fleet-mcp, boj-health, dap-mcp, bsp-mcp), and `"category": "domain"`
(113) — matching the taxonomy ratified in
hyperpolymath/boj-server-cartridges ADR-001. The cross-cutting list
here is the source of truth that the migrate_cartridges.py script in
boj-server-cartridges already used for placement; keeping the two
maps in sync is a manual-discipline obligation flagged in both
repos' CHANGELOGs.
Deferred to follow-up PRs (separate issues to file):
* tray → boj-server-cartridges on-demand fetch wiring (tray already has
the cartridge-source subscription concept with GitHub URL + download
timeout in tray/src/main.rs and server.rs; needs default registry
hard-coded or configured).
* BojRest.Catalog reload-without-restart (currently "fleet change
requires a restart" per the catalog's own moduledoc).
* `boj-server/schemas/cartridge-v1.json` → strict SHA-pin to a specific
standards commit + sha256 (PINNED-SHA file). Pending standards#200
merging.
Closes-after-merge: nothing yet. Unblocks: removal of bundled
`cartridges/` directory (separate PR, gated on this one burning in
plus the remote-fetch wiring landing).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security ScanFindings: 151 issues detected
View findings[
{
"reason": "Stale AI session file -- delete",
"type": "stale",
"file": "GEMINI.md",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "medium"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/sanctify-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/fireflag-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/hesiod-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/mcp-bridge/main.d.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/boj-server/boj-server/src/abi/Boj/SafeHTTP.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
🏁 path-claims benchCommit NumbersHost-dependent — compare deltas across commits, not absolute values. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three changes that prepare boj-server to consume cartridges from the new
hyperpolymath/boj-server-cartridgesrepository on demand instead of bundling them in-tree:1. Configurable cartridges root
elixir/lib/boj_rest/application.exgains a fallback chain:Operators wanting on-demand fetch set
BOJ_CARTRIDGES_PATHto their local cache (e.g.~/.boj/cartridges/) and arrange for tray to populate it. No runtime change unless the env var is set.2. Canonical schema mirror
schemas/cartridge-v1.jsonis replaced with a vendored copy of the canonical schema filed as standards#200 — which expands the original-mcp-onlynameregex to admit the full BoJ server-role taxonomy:(mcp|lsp|dap|bsp|debug|format|lint|build|nesy|agentic|fleet), and addscategory,states,sourcefields.schemas/SCHEMA-MIRROR.mddocuments the mirror discipline + the pending SHA-pinning ceremony (executes once standards#200 merges).3.
categoryfield sweep on 125 cartridge manifestsThe new schema makes
categoryrequired. Mechanical sweep assigns:"category": "template"(1: gossamer-mcp)"category": "cross-cutting"(11: agent-mcp, claude-agents-power-mcp, claude-ai-mcp, local-coord-mcp, model-router-mcp, nesy-mcp, ml-mcp, fleet-mcp, boj-health, dap-mcp, bsp-mcp)"category": "domain"(113)Matches the taxonomy ratified in boj-server-cartridges ADR-001.
Deferred to follow-up PRs
tray/src/main.rs/server.rs; needs default registry configured).BojRest.Catalogreload-without-restart.Test plan
categoryfield at correct valueBOJ_CARTRIDGES_PATH=/foo bin/boj-serverwould read from/foo(manual trace)🤖 Generated with Claude Code