ONT Schema Specification

What This Is

This is the versioned, importable community standard that defines the contract surface for every ONT platform layer. It covers shared reusable types, Layer 0 domain-core abstract primitives, Seam Core infrastructure CRDs, and app-core application CRDs.

All schemas follow JSON Schema Draft 2020-12 and use structured cross-schema references in the form {"group": "...", "kind": "...", "version": "v1alpha1"}.

This is a publication artifact, not an implementation artifact. Import individual schemas or the full index to validate instances, generate clients, or declare compatibility.

How to Import

Reference a single schema in another JSON Schema

// Use the $id URI directly in any $ref field
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "properties": {
    "domainIdentityRef": {
      "$ref": "https://schema.ontai.dev/v1alpha1/domain-core/DomainIdentity.json"
    }
  }
}

Fetch the full schema index

GET https://schema.ontai.dev/v1alpha1/index.json

// Response shape
{
  "version": "v1alpha1",
  "publishedAt": "2026-04-18",
  "stability": "alpha",
  "layers": {
    "shared": [ { "kind": "...", "file": "...", ... } ],
    "domain-core": [ ... ],
    "seam-core": [ ... ],
    "app-core": [ ... ]
  }
}

Layer dependency order

app-core  -->  domain-core  -->  shared
seam-core -->  domain-core  -->  shared

Layer: shared

Reusable embedded types. No API group. No controllers.

KubernetesMetadata Standard Kubernetes ObjectMeta used as a $ref target by all CRD schemas. JSON

SealedCausalChain Immutable causal chain record linking a derived object to its root declaration. All fields required and immutable after creation. JSON

BindingStability Binding stability descriptor for cross-operator relationship wiring with SnapshotBinding and ContinuousBinding types. JSON

PhaseModel Eight-phase lifecycle model (ScopeEstablishment through ProfileCompletion) used by AppProfile. JSON

RationaleField Structured rationale type for governance events. Not a CRD spec field. JSON

GovernanceEvent Layer One and Layer Two change event record with actor, changeType, and rationale. JSON

Layer: domain-core

Layer 0 abstract domain primitives. API group: core.ontai.dev/v1alpha1. No controllers at this layer.

DomainIdentity Named principal with SPIFFE trust domain and ONT web subject. Root anchor for all derivation trees. JSON

DomainBoundary Organizational scope and cluster placement authority for a domain identity. JSON

DomainPolicy Ceilings for retry, circuit breaker, rate limit, and cardinality. Guardian validates AppPolicy against these. JSON

DomainRelationship Typed directional association using controlled vocabulary: signs, provisions, delegates, governs, observes, depends-on, extends. JSON

DomainEvent Event type contract with producer authority, schema version, and retention policy. JSON

DomainWorkflow Lifecycle phase sequence with entry conditions, terminal states, and transition authority. JSON

DomainResource Compute and storage ceilings with Kueue resource flavor constraints. JSON

DomainAudit Minimum granularity floor, retention requirement, and mandatory event types for audit compliance. JSON

DomainSemanticNameService DSNS zone declaration with record types and resolution tier registry. JSON

Layer: seam-core

Seam infrastructure domain CRDs. API group: infrastructure.ontai.dev/v1alpha1.

InfrastructureLineageIndex Sealed causal chain index; one instance per root declaration, controller-authored exclusively. JSON

SeamMembership Formal operator join declaration with tier (infrastructure, application) and 7-step validation loop. JSON

DSNSZone DNS zone with controller-authored A, TXT, SOA, NS records linked to owning resources. JSON

Layer: app-core

Application layer CRDs for community operators. API group: app.ontai.dev/v1alpha1.

AppBoundary Namespace and cluster scope gate; must be Ready before AppIdentity creation is permitted. JSON

AppIdentity Root anchor for all sibling app-core CRDs; issues a SPIFFE ID on admission. JSON

AppPolicy Application policy bounded by DomainPolicy ceilings; Guardian enforces compliance at admission. JSON

AppTopology Application wirings, each required to trace back to a DomainRelationship. JSON

AppEventSchema Producer/consumer registration for a DomainEvent type with schema version compatibility check. JSON

AppWorkflow Kueue Job bindings per workflow phase with temporal relationship declarations. JSON

AppResourceProfile Compute and storage claims bounded by DomainResource ceilings; immutable after Running state. JSON

AppAuditPolicy Emitted event types and granularity; floor enforced by Guardian against DomainAudit minimum. JSON

AppProfile Aggregate root composing all app-core CRDs; Ready only after all eight phase gates complete. JSON

Stability Policy

Value	Meaning
`alpha`	Under active development. Breaking changes may occur between releases.
`beta`	Feature-complete. Breaking changes require a deprecation notice one release prior.
`stable`	Production-ready. No breaking changes without a new version directory.
`deprecated`	Superseded. Consumers must migrate before the next major release.

All schemas in v1alpha1 carry x-ont-stability: "alpha".

Pin to a specific git commit for stability during alpha. See README for the full contribution and versioning policy.