Merge branch 'master' into docs-guide-rate-limit

Author: christopher-hakkaart

.github/workflows/build.yml

@@ -82,11 +82,16 @@ jobs:
       - name: Release
         if: "contains(github.event.head_commit.message, '[release]')"
         run: |
+          bash publish.sh wave-api
+          bash publish.sh wave-utils
           bash tag-and-push.sh
         env:
           GRADLE_OPTS: '-Dorg.gradle.daemon=false'
           AWS_ACCESS_KEY_ID: ${{secrets.TOWER_CI_AWS_ACCESS}}
           AWS_SECRET_ACCESS_KEY: ${{secrets.TOWER_CI_AWS_SECRET}}
+          AWS_JAVA_V1_DISABLE_DEPRECATION_ANNOUNCEMENT: true
+          AWS_DEFAULT_REGION: 'eu-west-1'
+          PUBLISH_REPO_URL: "s3://maven.seqera.io/releases"
           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
           DOCKER_PAT: ${{ secrets.DOCKER_PAT }}
           QUAY_PAT: ${{ secrets.QUAY_PAT }}

.gitignore

@@ -1,5 +1,6 @@
 Thumbs.db
 .DS_Store
+.claude
 .gradle
 .cache
 .nextflow*
@@ -26,6 +27,7 @@ wave.log
 build-workspace/
 scan-workspace/
 /k8s/dev/config-k3d.yml
+/.wave-test
 
 # Docs
 .vercel

.specify/memory/constitution.md

@@ -0,0 +1,155 @@
+<!--
+Sync Impact Report:
+- Version change: [unversioned template] → 1.0.0
+- Modified principles: All (initialized from template)
+- Added sections: All core principles and governance sections
+- Removed sections: None
+- Templates requiring updates:
+  ✅ plan-template.md - Reviewed, Constitution Check section aligns
+  ✅ spec-template.md - Reviewed, requirement structure aligns
+  ✅ tasks-template.md - Reviewed, task organization aligns
+  ✅ checklist-template.md - Reviewed, compatible with principles
+- Follow-up TODOs: None
+-->
+
+# Wave Containers Constitution
+
+## Core Principles
+
+### I. Service-Oriented Architecture
+
+Wave MUST maintain a clear separation of concerns through distinct service boundaries. Each service (ContainerBuildService,
+ContainerMirrorService, ContainerScanService, RegistryProxyService, BlobCacheService) MUST be independently testable and
+have a single, well-defined responsibility. Controllers MUST remain thin, delegating business logic to services.
+
+**Rationale**: Microservices architecture enables independent scaling, testing, and maintenance of distinct container
+provisioning capabilities. Clear boundaries prevent coupling and facilitate parallel development.
+
+### II. Container Platform Agnosticism
+
+Wave MUST support multiple container platforms (Docker, Kubernetes, Singularity) and registries (Docker Hub, Quay.io,
+AWS ECR, Azure CR) without hardcoding platform-specific assumptions into core logic. Platform-specific strategies
+MUST be isolated behind abstract interfaces.
+
+**Rationale**: Container ecosystem diversity requires flexible provisioning that adapts to client infrastructure without
+forcing migration or lock-in.
+
+### III. Ephemeral-First Design
+
+All container operations MUST assume ephemeral lifecycle by default. Containers, build contexts, and intermediate
+artifacts MUST be automatically garbage-collected. Long-term persistence MUST be explicit opt-in through user-provided
+registry credentials and push operations.
+
+**Rationale**: Wave's core value is on-demand provisioning without manual registry management. Ephemeral-first design
+prevents storage bloat and reduces operational overhead.
+
+### IV. Proxy Transparency
+
+When acting as a registry proxy, Wave MUST remain transparent to Docker clients and comply strictly with the Docker
+Registry v2 API specification. Manifest instrumentation and layer injection MUST appear seamless to standard container
+tooling.
+
+**Rationale**: Compatibility with existing container toolchains (docker pull, kubectl, etc.) is non-negotiable for adoption.
+Protocol compliance prevents breaking changes in client workflows.
+
+### V. Async-by-Default Operations
+
+All I/O-bound operations (registry pulls, builds, scans, blob storage) MUST use Micronaut Reactor non-blocking patterns.
+Blocking calls are prohibited in HTTP request handlers. Long-running operations MUST use JobManager for background processing.
+
+**Rationale**: Container operations involve large data transfers and external API calls. Blocking threads under load
+causes cascading failures. Reactive patterns ensure resource efficiency and throughput under concurrency.
+
+### VI. Security Scanning Integration
+
+Container security scanning MUST be an opt-in, asynchronous operation that never blocks image provisioning. Scan results
+MUST be persisted independently and queryable after container delivery. Scanning failures MUST NOT prevent container access.
+
+**Rationale**: Security scanning adds latency. Making it non-blocking preserves Wave's primary value (fast provisioning)
+while enabling security workflows for teams that require them.
+
+### VII. Multi-Platform Build Support
+
+Container builds MUST support cross-platform compilation (linux/amd64, linux/arm64) without requiring users to manage
+build infrastructure. Platform selection MUST be declarative via API parameters. Build strategy selection (Docker vs Kubernetes)
+MUST be transparent to users.
+
+**Rationale**: ARM64 adoption in cloud and edge requires transparent multi-platform support. Kubernetes-based builds
+provide scalability and isolation that local Docker daemon cannot.
+
+## Storage & Persistence Requirements
+
+### Data Layer Principles
+
+- PostgreSQL MUST be used for structured metadata (build records, scan results, job state)
+- Redis MUST be used for ephemeral caching and rate-limiting state
+- Object storage (S3-compatible) MUST be used for blobs, layers, and build contexts
+- Database migrations MUST be versioned and reversible
+- No business logic in SQL; use application-layer queries via Micronaut Data JDBC
+
+**Rationale**: Clear storage tier separation prevents cross-cutting concerns. Postgres handles ACID requirements, Redis
+handles high-frequency ephemeral state, S3 handles blob scale.
+
+### Authentication & Authorization
+
+- Registry credentials MUST be encrypted at rest
+- JWT tokens MUST be used for Tower integration authentication
+- Rate limiting MUST be enforced per-user via Spillway library
+- Service-to-service calls within Kubernetes MUST use pod identity where available
+
+**Rationale**: Wave handles sensitive registry credentials and must prevent credential leakage. Rate limiting prevents
+abuse of compute-intensive build operations.
+
+## Testing & Quality Standards
+
+### Testing Requirements
+
+- All services MUST have unit tests using Spock 2 framework
+- Integration tests MUST use Testcontainers for external dependencies (Postgres, Redis)
+- Controller tests MUST mock service layer dependencies
+- Test coverage MUST be measured via JaCoCo and reported after test runs
+- Tests MUST NOT depend on external registries; use local registry containers or mocks
+
+**Rationale**: Groovy + Spock provide expressive BDD-style tests. Testcontainers ensure consistent CI/CD environments.
+External registry dependencies cause flaky tests and rate-limiting issues.
+
+### Performance Standards
+
+- HTTP endpoints MUST respond within 200ms p95 for proxy operations (excluding upstream registry latency)
+- Build operations MUST queue within 100ms and report job ID
+- Blob cache MUST serve layers with 90%+ hit rate under normal load
+- Memory usage MUST remain under 2GB heap for typical workloads
+
+**Rationale**: Wave sits in the critical path for container pulls. Latency directly impacts developer and CI/CD workflows.
+Performance budgets prevent regressions.
+
+## Governance
+
+### Amendment Process
+
+Constitution changes MUST be documented in Git commit messages with rationale. MAJOR changes (removing principles,
+incompatible policy shifts) require version bump to next major. MINOR changes (new principles, expanded guidance) require
+minor version bump. PATCH changes (clarifications, wording) require patch version bump.
+
+### Compliance Review
+
+All pull requests MUST be reviewed against constitution principles. Violations MUST be explicitly justified with
+"Why Needed" and "Simpler Alternative Rejected" documentation in design docs. Unjustified complexity MUST be rejected.
+
+### Versioning Policy
+
+Wave follows semantic versioning (MAJOR.MINOR.PATCH):
+- MAJOR: Breaking API changes, incompatible registry protocol changes
+- MINOR: New features (new registry support, new build capabilities)
+- PATCH: Bug fixes, performance improvements, security patches
+
+Release process:
+1. Update VERSION file
+2. Update changelog.txt with changes since last release
+3. Commit with `[release]` tag in first line of commit message
+4. Push to upstream master branch
+
+**Rationale**: Semantic versioning provides clear upgrade expectations. Tagged release commits enable automated CI/CD
+release workflows.
+
+**Version**: 1.0.0 | **Ratified**: 2025-10-28 | **Last Amended**: 2025-10-28

.specify/scripts/bash/check-prerequisites.sh

@@ -0,0 +1,166 @@
+#!/usr/bin/env bash
+
+# Consolidated prerequisite checking script
+#
+# This script provides unified prerequisite checking for Spec-Driven Development workflow.
+# It replaces the functionality previously spread across multiple scripts.
+#
+# Usage: ./check-prerequisites.sh [OPTIONS]
+#
+# OPTIONS:
+#   --json              Output in JSON format
+#   --require-tasks     Require tasks.md to exist (for implementation phase)
+#   --include-tasks     Include tasks.md in AVAILABLE_DOCS list
+#   --paths-only        Only output path variables (no validation)
+#   --help, -h          Show help message
+#
+# OUTPUTS:
+#   JSON mode: {"FEATURE_DIR":"...", "AVAILABLE_DOCS":["..."]}
+#   Text mode: FEATURE_DIR:... \n AVAILABLE_DOCS: \n ✓/✗ file.md
+#   Paths only: REPO_ROOT: ... \n BRANCH: ... \n FEATURE_DIR: ... etc.
+
+set -e
+
+# Parse command line arguments
+JSON_MODE=false
+REQUIRE_TASKS=false
+INCLUDE_TASKS=false
+PATHS_ONLY=false
+
+for arg in "$@"; do
+    case "$arg" in
+        --json)
+            JSON_MODE=true
+            ;;
+        --require-tasks)
+            REQUIRE_TASKS=true
+            ;;
+        --include-tasks)
+            INCLUDE_TASKS=true
+            ;;
+        --paths-only)
+            PATHS_ONLY=true
+            ;;
+        --help|-h)
+            cat << 'EOF'
+Usage: check-prerequisites.sh [OPTIONS]
+
+Consolidated prerequisite checking for Spec-Driven Development workflow.
+
+OPTIONS:
+  --json              Output in JSON format
+  --require-tasks     Require tasks.md to exist (for implementation phase)
+  --include-tasks     Include tasks.md in AVAILABLE_DOCS list
+  --paths-only        Only output path variables (no prerequisite validation)
+  --help, -h          Show this help message
+
+EXAMPLES:
+  # Check task prerequisites (plan.md required)
+  ./check-prerequisites.sh --json
+  
+  # Check implementation prerequisites (plan.md + tasks.md required)
+  ./check-prerequisites.sh --json --require-tasks --include-tasks
+  
+  # Get feature paths only (no validation)
+  ./check-prerequisites.sh --paths-only
+  
+EOF
+            exit 0
+            ;;
+        *)
+            echo "ERROR: Unknown option '$arg'. Use --help for usage information." >&2
+            exit 1
+            ;;
+    esac
+done
+
+# Source common functions
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/common.sh"
+
+# Get feature paths and validate branch
+eval $(get_feature_paths)
+check_feature_branch "$CURRENT_BRANCH" "$HAS_GIT" || exit 1
+
+# If paths-only mode, output paths and exit (support JSON + paths-only combined)
+if $PATHS_ONLY; then
+    if $JSON_MODE; then
+        # Minimal JSON paths payload (no validation performed)
+        printf '{"REPO_ROOT":"%s","BRANCH":"%s","FEATURE_DIR":"%s","FEATURE_SPEC":"%s","IMPL_PLAN":"%s","TASKS":"%s"}\n' \
+            "$REPO_ROOT" "$CURRENT_BRANCH" "$FEATURE_DIR" "$FEATURE_SPEC" "$IMPL_PLAN" "$TASKS"
+    else
+        echo "REPO_ROOT: $REPO_ROOT"
+        echo "BRANCH: $CURRENT_BRANCH"
+        echo "FEATURE_DIR: $FEATURE_DIR"
+        echo "FEATURE_SPEC: $FEATURE_SPEC"
+        echo "IMPL_PLAN: $IMPL_PLAN"
+        echo "TASKS: $TASKS"
+    fi
+    exit 0
+fi
+
+# Validate required directories and files
+if [[ ! -d "$FEATURE_DIR" ]]; then
+    echo "ERROR: Feature directory not found: $FEATURE_DIR" >&2
+    echo "Run /speckit.specify first to create the feature structure." >&2
+    exit 1
+fi
+
+if [[ ! -f "$IMPL_PLAN" ]]; then
+    echo "ERROR: plan.md not found in $FEATURE_DIR" >&2
+    echo "Run /speckit.plan first to create the implementation plan." >&2
+    exit 1
+fi
+
+# Check for tasks.md if required
+if $REQUIRE_TASKS && [[ ! -f "$TASKS" ]]; then
+    echo "ERROR: tasks.md not found in $FEATURE_DIR" >&2
+    echo "Run /speckit.tasks first to create the task list." >&2
+    exit 1
+fi
+
+# Build list of available documents
+docs=()
+
+# Always check these optional docs
+[[ -f "$RESEARCH" ]] && docs+=("research.md")
+[[ -f "$DATA_MODEL" ]] && docs+=("data-model.md")
+
+# Check contracts directory (only if it exists and has files)
+if [[ -d "$CONTRACTS_DIR" ]] && [[ -n "$(ls -A "$CONTRACTS_DIR" 2>/dev/null)" ]]; then
+    docs+=("contracts/")
+fi
+
+[[ -f "$QUICKSTART" ]] && docs+=("quickstart.md")
+
+# Include tasks.md if requested and it exists
+if $INCLUDE_TASKS && [[ -f "$TASKS" ]]; then
+    docs+=("tasks.md")
+fi
+
+# Output results
+if $JSON_MODE; then
+    # Build JSON array of documents
+    if [[ ${#docs[@]} -eq 0 ]]; then
+        json_docs="[]"
+    else
+        json_docs=$(printf '"%s",' "${docs[@]}")
+        json_docs="[${json_docs%,}]"
+    fi
+    
+    printf '{"FEATURE_DIR":"%s","AVAILABLE_DOCS":%s}\n' "$FEATURE_DIR" "$json_docs"
+else
+    # Text output
+    echo "FEATURE_DIR:$FEATURE_DIR"
+    echo "AVAILABLE_DOCS:"
+    
+    # Show status of each potential document
+    check_file "$RESEARCH" "research.md"
+    check_file "$DATA_MODEL" "data-model.md"
+    check_dir "$CONTRACTS_DIR" "contracts/"
+    check_file "$QUICKSTART" "quickstart.md"
+    
+    if $INCLUDE_TASKS; then
+        check_file "$TASKS" "tasks.md"
+    fi
+fi