deployment only.Expand description
Contract Identity Annotation Scheme v1.
Stamps every deployment artefact (OCI image, Helm chart, ArgoCD Application) with three uniform, greppable identity annotations:
| Key | Meaning | Format |
|---|---|---|
io.hyperi.contract.version | Contract schema version | Literal string v1 |
io.hyperi.contract.source-commit | Git SHA of the consumer app’s HEAD | 40-char lowercase hex |
io.hyperi.contract.image-ref | Intended pull reference for the image | <reg>/<repo>:<tag> or @<digest> |
Same key string on every surface (image label, Chart.yaml annotation,
Application annotation). The grep payoff: grep -r 'io.hyperi.contract' .
finds every contract-emitted artefact regardless of format.
§Pre-push vs post-push image_ref
At Dockerfile-emit time the image isn’t built yet, let alone pushed, so
its content digest is unknown. The image label therefore carries the
TAG form (<reg>/<repo>:<tag>). The push step is responsible for
re-rendering Chart.yaml and the ArgoCD Application with the DIGEST
form (<reg>/<repo>@sha256:<hex>) returned by the registry, because
those manifests are written after the push completes and benefit from
digest-pinning for reproducibility.
§Rollout phase
Phase 1 (this commit): generators accept Option<&ContractIdentity>.
When Some(id), the three annotations are emitted; when None, the
generator is silent (backwards-compat for consumers that haven’t
adopted yet). Phase 2 flips the parameter to required once all six
DFE consumers pass identity at every call site. Phase 3 removes the
Option<> wrapper and the silent-on-None branch.
Structs§
- Contract
Identity - Three-key identity stamped on every deployment artefact.
Enums§
- Identity
Error - Errors from constructing or detecting a
ContractIdentity.
Constants§
- KEY_
PREFIX - Annotation key prefix shared across all three keys.
- VERSION
- Schema version literal. Bumps only when the contract format itself breaks, NOT when the consumer’s app version moves.