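# SPDX-License-Identifier: PMPL-1.0-or-later
# stapeln.toml — Layer-based container build for pandoc-k9
#
# stapeln builds containers as composable layers (German: "to stack").
# Each layer is independently cacheable, verifiable, and signable.
#
# Layer graph as declared below:
#   base ──▶ toolchain ──▶ build ──(copy-from /app/)──▶ runtime
# Targets reference layers by the name used in their [layers.<name>]
# header; a target that names an undefined layer cannot be built.

[metadata]
name = "pandoc-k9"
version = "0.1.0"
description = "pandoc-k9 container service"
author = "Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>"
license = "PMPL-1.0-or-later"
registry = "ghcr.io/hyperpolymath"

[build]
containerfile = "Containerfile"
context = "."
runtime = "podman"

# ── Layer Definitions ──────────────────────────────────────────

[layers.base]
description = "Chainguard Wolfi minimal base"
# `:latest` is a mutable tag: the image it resolves to can change between
# builds, which weakens the "verifiable" guarantee this layer advertises.
# TODO(review): pin by digest once chosen, e.g.
#   from = "cgr.dev/chainguard/wolfi-base@sha256:<DIGEST>"
from = "cgr.dev/chainguard/wolfi-base:latest"
cache = true
verify = true

[layers.toolchain]
description = "Build tools"
extends = "base"
# Empty for now; every package added here is part of the build-time
# attack surface only — it never reaches the runtime layer.
packages = []
cache = true

[layers.build]
description = "pandoc-k9 build"
extends = "toolchain"
# Empty for now. [layers.runtime] copies /app/ out of this layer, so the
# build commands are expected to leave the binary at /app/pandoc-k9.
commands = []

[layers.runtime]
description = "Minimal runtime"
# Same mutable-tag caveat as [layers.base]; keep both pins in step.
# TODO(review): pin by digest, e.g. "cgr.dev/chainguard/wolfi-base@sha256:<DIGEST>"
from = "cgr.dev/chainguard/wolfi-base:latest"
# Mirrors [layers.base]: this layer also pulls an external image.
verify = true
packages = ["ca-certificates", "curl"]
# Only the build artefact is copied; toolchain packages stay out of the image.
copy-from = [
    { layer = "build", src = "/app/", dst = "/app/" },
]
entrypoint = ["/app/pandoc-k9"]
user = "nonroot"

# ── Security ───────────────────────────────────────────────────

[security]
# Must agree with `user = "nonroot"` in [layers.runtime].
non-root = true
# Deliberately off. NOTE(review): confirm whether /app needs writable paths;
# if not, enabling this closes off runtime tampering with the image.
read-only-root = false
no-new-privileges = true
cap-drop = ["ALL"]
seccomp-profile = "default"

[security.signing]
algorithm = "ML-DSA-87"
provider = "cerro-torre"

[security.sbom]
format = "spdx-json"
output = "sbom.spdx.json"
include-deps = true

# ── Verification ───────────────────────────────────────────────

[verify]
vordr = true
svalinn = true
scan-on-build = true
# Severities that abort the build when found by the scan.
fail-on = ["critical", "high"]

# ── Targets ────────────────────────────────────────────────────
# Layer names here must match the [layers.<name>] headers above; the
# toolchain layer is declared as `toolchain`, not `chainguard-toolchain`.

[targets.development]
layers = ["base", "toolchain", "build"]
env = { LOG_LEVEL = "debug" }

[targets.production]
layers = ["runtime"]
env = { LOG_LEVEL = "info" }

[targets.test]
layers = ["base", "toolchain", "build"]
env = { LOG_LEVEL = "debug" }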