Context
The dogfood-gate k9-validate job started working once its YAML startup bug was fixed (#45), which surfaced pre-existing K9 contract debt. #46 fixed the a2ml errors and added K9!/pedigree scaffolding, but 3 k9 files still fail validation on main. Capturing the exact remaining fixes here (rather than a churn PR) since #46 is merged.
Remaining k9-validate failures (on main)
1–2. coordination.k9 and session/custom-checks.k9 — trivial
Both carry security_level = "data-only", which the validator rejects: "Invalid security level 'data-only'. Must be one of: kennel, yard, hunt." They already have leash = "Kennel".
Fix (1 line each): security_level = "data-only" → security_level = "kennel".
3. container/deploy.k9.ncl — validator-vs-Nickel mismatch
Error: "Pedigree block missing 'name' field (in pedigree.metadata.name or pedigree.name)."
Root cause: the pedigree is defined as let component_pedigree = { name = …, metadata = { name = … } } (line 17) and referenced indirectly at line 156 as pedigree = component_pedigree. The k9 validator is text-based — it matches the pedigree = site but cannot resolve the Nickel let indirection to reach name. (It also still contains {{SERVICE_NAME}}/{{VERSION}} placeholders — it's a template.)
Fix options:
- (a) Inline
metadata = { name = "…" } (and name) at the pedigree = site so a text scan finds it, instead of pedigree = component_pedigree; or
- (b) teach
k9-validate-action to resolve .ncl let-indirection (the more general fix).
⚠️ Estate-wide / upstream
coordination.k9 and session/custom-checks.k9 are byte-identical and unfixed across the org, including rsr-template-repo — so this is template debt that will recur in every repo until fixed upstream (alongside the dogfood-gate YAML + banned-Python template defects already flagged).
Coordination note
nextgen-typing governance is being actively worked by an estate-standardization effort; this should be folded into that to avoid conflicts.
Filed after #45/#46; the trivial security_level fixes are ready to drop in.
Context
The dogfood-gate
k9-validatejob started working once its YAML startup bug was fixed (#45), which surfaced pre-existing K9 contract debt. #46 fixed the a2ml errors and addedK9!/pedigree scaffolding, but 3 k9 files still fail validation onmain. Capturing the exact remaining fixes here (rather than a churn PR) since #46 is merged.Remaining
k9-validatefailures (onmain)1–2.
coordination.k9andsession/custom-checks.k9— trivialBoth carry
security_level = "data-only", which the validator rejects: "Invalid security level 'data-only'. Must be one of: kennel, yard, hunt." They already haveleash = "Kennel".Fix (1 line each):
security_level = "data-only"→security_level = "kennel".3.
container/deploy.k9.ncl— validator-vs-Nickel mismatchError: "Pedigree block missing 'name' field (in pedigree.metadata.name or pedigree.name)."
Root cause: the pedigree is defined as
let component_pedigree = { name = …, metadata = { name = … } }(line 17) and referenced indirectly at line 156 aspedigree = component_pedigree. The k9 validator is text-based — it matches thepedigree =site but cannot resolve the Nickelletindirection to reachname. (It also still contains{{SERVICE_NAME}}/{{VERSION}}placeholders — it's a template.)Fix options:
metadata = { name = "…" }(andname) at thepedigree =site so a text scan finds it, instead ofpedigree = component_pedigree; ork9-validate-actionto resolve.ncllet-indirection (the more general fix).coordination.k9andsession/custom-checks.k9are byte-identical and unfixed across the org, includingrsr-template-repo— so this is template debt that will recur in every repo until fixed upstream (alongside the dogfood-gate YAML + banned-Python template defects already flagged).Coordination note
nextgen-typing governance is being actively worked by an estate-standardization effort; this should be folded into that to avoid conflicts.
Filed after #45/#46; the trivial security_level fixes are ready to drop in.