feat: add stapeln.toml layer-based container definition\n\nConverted from existing Containerfile to stapeln format.\nIncludes Chainguard base, security hardening, SBOM generation.\n\nCo-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

hyperpolymath · hyperpolymath · commit 1d187545ae8e · 2026-03-28T08:32:57.000Z
diff --git a/stapeln.toml b/stapeln.toml
@@ -0,0 +1,96 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# stapeln.toml — Layer-based container build for palimpsest-license
+#
+# stapeln builds containers as composable layers (German: "to stack").
+# Each layer is independently cacheable, verifiable, and signable.
+
+[metadata]
+name = "palimpsest-license"
+version = "0.1.0"
+description = "palimpsest-license container service"
+author = "Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>"
+license = "PMPL-1.0-or-later"
+registry = "ghcr.io/hyperpolymath"
+
+[build]
+containerfile = "Containerfile"
+context = "."
+runtime = "podman"
+
+# ── Layer Definitions ──────────────────────────────────────────
+
+[layers.base]
+description = "Chainguard Wolfi minimal base"
+from = "cgr.dev/chainguard/wolfi-base:latest"
+cache = true
+verify = true
+
+[layers.haskell-toolchain]
+description = "GHC and Cabal"
+extends = "base"
+packages = ["ghc", "cabal-install"]
+cache = true
+
+[layers.haskell-deps]
+description = "Cabal dependency fetch"
+extends = "haskell-toolchain"
+commands = ["cabal update", "cabal build --only-dependencies"]
+cache-key = "*.cabal"
+cache = true
+
+[layers.build]
+description = "palimpsest-license Haskell compilation"
+extends = "haskell-deps"
+commands = ["cabal build"]
+
+[layers.runtime]
+description = "Minimal runtime"
+from = "cgr.dev/chainguard/wolfi-base:latest"
+packages = ["ca-certificates", "curl"]
+copy-from = [
+    { layer = "build", src = "/app/", dst = "/app/" },
+]
+entrypoint = ["["/app/bin/palimpsest-validator", "--help"]"]
+user = "validator:validator"
+expose = [8000]
+env = { LANG = "en_GB.UTF-8", SOURCE_DATE_EPOCH = "1609459200", LC_ALL = "en_GB.UTF-8", NODE_ENV = "production", PYTHONUNBUFFERED = "1" }
+
+# ── Security ───────────────────────────────────────────────────
+
+[security]
+non-root = true
+read-only-root = false
+no-new-privileges = true
+cap-drop = ["ALL"]
+seccomp-profile = "default"
+
+[security.signing]
+algorithm = "ML-DSA-87"
+provider = "cerro-torre"
+
+[security.sbom]
+format = "spdx-json"
+output = "sbom.spdx.json"
+include-deps = true
+
+# ── Verification ───────────────────────────────────────────────
+
+[verify]
+vordr = true
+svalinn = true
+scan-on-build = true
+fail-on = ["critical", "high"]
+
+# ── Targets ────────────────────────────────────────────────────
+
+[targets.development]
+layers = ["base", "haskell-toolchain", "build"]
+env = { LOG_LEVEL = "debug" }
+
+[targets.production]
+layers = ["runtime"]
+env = { LOG_LEVEL = "info" }
+
+[targets.test]
+layers = ["base", "haskell-toolchain", "build"]
+env = { LOG_LEVEL = "debug" }
