feat: add stapeln.toml layer-based container definition\n\nConverted from existing Containerfile to stapeln format.\nIncludes Chainguard base, security hardening, SBOM generation.\n\nCo-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

hyperpolymath · hyperpolymath · commit 87c2e1f39bc2 · 2026-03-28T08:32:57.000Z
diff --git a/stapeln.toml b/stapeln.toml
@@ -0,0 +1,99 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# stapeln.toml — Layer-based container build for presswerk
+#
+# stapeln builds containers as composable layers (German: "to stack").
+# Each layer is independently cacheable, verifiable, and signable.
+
+[metadata]
+name = "presswerk"
+version = "0.1.0"
+description = "presswerk container service"
+author = "Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>"
+license = "PMPL-1.0-or-later"
+registry = "ghcr.io/hyperpolymath"
+
+[build]
+containerfile = "Containerfile"
+context = "."
+runtime = "podman"
+
+# ── Layer Definitions ──────────────────────────────────────────
+
+[layers.base]
+description = "Chainguard Wolfi minimal base"
+from = "cgr.dev/chainguard/wolfi-base:latest"
+cache = true
+verify = true
+
+[layers.rust-toolchain]
+description = "Rust compiler and build dependencies"
+extends = "base"
+packages = ["rust", "pkgconf", "build-base"]
+cache = true
+
+[layers.rust-deps]
+description = "Cargo dependency fetch"
+extends = "rust-toolchain"
+commands = ["cargo fetch --locked"]
+cache-key = "Cargo.lock"
+cache = true
+
+[layers.build]
+description = "presswerk Rust compilation"
+extends = "rust-deps"
+commands = ["cargo build --release"]
+artifacts = [
+    { src = "target/release/presswerk", dst = "/app/presswerk" },
+]
+
+[layers.runtime]
+description = "Minimal runtime"
+from = "cgr.dev/chainguard/wolfi-base:latest"
+packages = ["ca-certificates", "curl"]
+copy-from = [
+    { layer = "build", src = "/app/", dst = "/app/" },
+]
+entrypoint = ["["/app/presswerk"]"]
+user = "presswerk"
+expose = [631, 8000]
+env = { PRESSWERK_HEADLESS = "true", PRESSWERK_PORT = "631", VORDR_ENDPOINT = "selur://unix:///run/presswerk.sock", CT_TRUST_STORE = "/etc/presswerk/trust-store", PRESSWERK_DATA_DIR = "/var/lib/presswerk", PRESSWERK_LOG_LEVEL = "info", SVALINN_POLICY = "/etc/presswerk/svalinn-policy.yaml", SVALINN_PORT = "8000", SELUR_WASM = "/app/lib/presswerk-bridge.wasm" }
+
+# ── Security ───────────────────────────────────────────────────
+
+[security]
+non-root = true
+read-only-root = false
+no-new-privileges = true
+cap-drop = ["ALL"]
+seccomp-profile = "default"
+
+[security.signing]
+algorithm = "ML-DSA-87"
+provider = "cerro-torre"
+
+[security.sbom]
+format = "spdx-json"
+output = "sbom.spdx.json"
+include-deps = true
+
+# ── Verification ───────────────────────────────────────────────
+
+[verify]
+vordr = true
+svalinn = true
+scan-on-build = true
+fail-on = ["critical", "high"]
+
+# ── Targets ────────────────────────────────────────────────────
+
+[targets.development]
+layers = ["base", "rust-toolchain", "build"]
+env = { LOG_LEVEL = "debug" }
+
+[targets.production]
+layers = ["runtime"]
+env = { LOG_LEVEL = "info" }
+
+[targets.test]
+layers = ["base", "rust-toolchain", "build"]
+env = { LOG_LEVEL = "debug" }
