feat(lance-graph-ontology): OpenProjectBridge — impl NamespaceBridge (Northstar C4)

Sibling of MedcareBridge / WoaBridge. Locks to the `OpenProject`
namespace; supplies the OpenProject port (`openproject-nexgen-rs` +
`op-canon`) with the scoped registry view every consumer that
touches OpenProject data on the unified bridge goes through.

Tests cover the same contract `bridge_scope_lock.rs` pins for
Woa/Medcare — scope lock both ways (OpenProject ↔ Healthcare),
bridge_id, g_lock matching the registered namespace id, and
construction failure when the namespace is missing.

Files:
- crates/lance-graph-ontology/src/bridges/openproject_bridge.rs (new)
- crates/lance-graph-ontology/src/bridges/mod.rs (add re-export)
- crates/lance-graph-ontology/tests/openproject_bridge_scope_lock.rs (new)

Author: AdaWorldAPI

crates/lance-graph-ontology/src/bridges/mod.rs

@@ -1,6 +1,6 @@
 //! Default tenant bridge implementations.
 //!
-//! Five bridges ship today:
+//! Six bridges ship today:
 //!
 //! - [`OgitBridge`]: pass-through bridge for tools that already speak raw
 //!   OGIT URIs. `bridge_id = "ogit"`. Locks to whatever namespace its
@@ -17,19 +17,27 @@
 //!   the Sharepoint→smb-office-rs content orchestrator (UploadIntent /
 //!   DriveScope / ComplianceTagging) — distinct from EmailCorrespondance:
 //!   one covers documents / drives / sites, the other covers mail.
+//! - [`OpenProjectBridge`]: locks to the `OpenProject` namespace.
+//!   Public names like `WorkPackage` / `TimeEntry` / `Project` resolve
+//!   to `ogit.OpenProject:*` URIs. Northstar plan §3 C4 — supplies the
+//!   port (`openproject-nexgen-rs` + `op-canon`) with the scoped
+//!   registry view every consumer that touches OpenProject data on the
+//!   unified bridge goes through.
 //!
 //! The `smb-bridge` and `callcenter-bridge` are NOT created in this
 //! session: smb stays on its native ontology fallback, callcenter has its
 //! own auth + per-customer scoping concerns that need a separate design pass.
 
 mod medcare_bridge;
 mod ogit_bridge;
+mod openproject_bridge;
 mod sharepoint_bridge;
 mod spear_bridge;
 mod woa_bridge;
 
 pub use medcare_bridge::MedcareBridge;
 pub use ogit_bridge::OgitBridge;
+pub use openproject_bridge::OpenProjectBridge;
 pub use sharepoint_bridge::SharePointBridge;
 pub use spear_bridge::SpearBridge;
 pub use woa_bridge::WoaBridge;

crates/lance-graph-ontology/src/bridges/openproject_bridge.rs

@@ -0,0 +1,88 @@
+//! OpenProject tenant bridge — locks to the `OpenProject` namespace.
+//!
+//! Northstar plan §3, C4. Sibling of [`crate::bridges::MedcareBridge`] and
+//! [`crate::bridges::WoaBridge`]; supplies the OpenProject port
+//! (`openproject-nexgen-rs` + `op-canon`) with the scoped registry view
+//! every consumer that touches OpenProject data on the unified bridge
+//! goes through.
+//!
+//! # Scope
+//!
+//! The `OpenProject` namespace covers the **32 promoted concepts** from
+//! the OGAR codebook that the OpenProject corpus owns or shares — see
+//! `ogar_vocab::class_ids::ALL`. Public-name resolution
+//! (`bridge.entity("WorkPackage")` etc.) returns the `EntityRef` whose
+//! `entity_type_id()` is the codebook id (e.g. `0x0102` for
+//! `project_work_item`), so downstream consumers reach the same
+//! `OgarClassView` arm as Redmine or any other port that emits through
+//! the same codebook.
+//!
+//! # Sibling work
+//!
+//! - **C5** (RedmineBridge, redmine-rs) — symmetric "Redmine" namespace
+//!   bridge, same codebook ids.
+//! - **C2** (op-canon::class_view) — the run-time projection layer over
+//!   the same canonical concepts the bridge resolves names against.
+
+use crate::bridge::{BridgeFromRegistry, NamespaceBridge};
+use crate::error::{Error, Result};
+use crate::namespace::NamespaceId;
+use crate::registry::OntologyRegistry;
+use std::sync::Arc;
+
+/// Canonical namespace name for OpenProject. Matches the
+/// `ogit.OpenProject:` TTL prefix the corpus's per-entity files use.
+pub const NAMESPACE: &str = "OpenProject";
+
+/// Scoped registry view locked to the `OpenProject` namespace. Built
+/// over an [`OntologyRegistry`] that has already hydrated the
+/// OpenProject namespace (via [`OntologyRegistry::hydrate_once_sync`]
+/// or a programmatic `register_*` call).
+pub struct OpenProjectBridge {
+    registry: Arc<OntologyRegistry>,
+    g_lock: NamespaceId,
+}
+
+impl OpenProjectBridge {
+    /// New bridge over the given registry. Returns
+    /// [`Error::UnknownNamespace`] if the `OpenProject` namespace
+    /// is not registered yet — callers must hydrate before
+    /// constructing the bridge.
+    ///
+    /// # Errors
+    ///
+    /// - [`Error::UnknownNamespace`] when the registry has no
+    ///   `OpenProject` namespace registered.
+    pub fn new(registry: Arc<OntologyRegistry>) -> Result<Self> {
+        let g_lock = registry
+            .namespace_id(NAMESPACE)
+            .ok_or_else(|| Error::UnknownNamespace(NAMESPACE.to_string()))?;
+        Ok(Self { registry, g_lock })
+    }
+}
+
+impl NamespaceBridge for OpenProjectBridge {
+    fn bridge_id(&self) -> &'static str {
+        "openproject"
+    }
+    fn registry(&self) -> &OntologyRegistry {
+        &self.registry
+    }
+    fn g_lock(&self) -> NamespaceId {
+        self.g_lock
+    }
+}
+
+impl BridgeFromRegistry for OpenProjectBridge {
+    fn from_registry(registry: Arc<OntologyRegistry>) -> Result<Self> {
+        Self::new(registry)
+    }
+}
+
+// Compile-only check that BridgeError is reachable through the entity
+// resolution path (matches the convention WoaBridge / MedcareBridge use).
+#[allow(dead_code)]
+fn _compile_check(b: &OpenProjectBridge) -> std::result::Result<(), crate::bridge::BridgeError> {
+    let _ = b.entity("WorkPackage")?;
+    Ok(())
+}

crates/lance-graph-ontology/tests/openproject_bridge_scope_lock.rs

@@ -0,0 +1,139 @@
+// Skip under Miri — TTL fixtures use `tempfile::tempdir()` +
+// `std::fs::create_dir_all/write`, both blocked by Miri's isolation.
+#![cfg(not(miri))]
+
+//! `OpenProjectBridge` scope-lock test — Northstar plan §3 C4.
+//!
+//! Verifies that a bridge locked to the `OpenProject` namespace
+//! resolves an OpenProject entity by URI, and that the same bridge
+//! refuses a `Healthcare` entity (cross-namespace leak refused).
+//! Mirrors the contract pinned by `bridge_scope_lock.rs` for the
+//! Woa/Medcare pair — symmetric coverage so the addition can't
+//! silently relax the scope-lock guarantee.
+
+use lance_graph_ontology::bridges::{MedcareBridge, OpenProjectBridge};
+use lance_graph_ontology::{NamespaceBridge, OgitUri, OntologyRegistry};
+use std::fs;
+use std::sync::Arc;
+
+const TTL: &str = r#"
+@prefix ogit:                <http://www.purl.org/ogit/> .
+@prefix ogit.OpenProject:    <http://www.purl.org/ogit/OpenProject/> .
+@prefix ogit.Healthcare:     <http://www.purl.org/ogit/Healthcare/> .
+@prefix rdfs:                <http://www.w3.org/2000/01/rdf-schema#> .
+
+ogit.OpenProject:WorkPackage
+    a rdfs:Class;
+    rdfs:subClassOf ogit:Entity;
+    rdfs:label "WorkPackage";
+    ogit:scope "NTO";
+    ogit:parent ogit:Node;
+    ogit:mandatory-attributes (
+        ogit:id
+    );
+    ogit:optional-attributes ( ) ;
+.
+
+ogit.Healthcare:Patient
+    a rdfs:Class;
+    rdfs:subClassOf ogit:Entity;
+    rdfs:label "Patient";
+    ogit:scope "NTO";
+    ogit:parent ogit:Node;
+    ogit:mandatory-attributes (
+        ogit:id
+    );
+    ogit:optional-attributes ( ) ;
+.
+"#;
+
+fn make_registry() -> Arc<OntologyRegistry> {
+    let tmp = tempfile::tempdir().unwrap();
+    fs::create_dir_all(tmp.path().join("OpenProject")).unwrap();
+    fs::create_dir_all(tmp.path().join("Healthcare")).unwrap();
+    fs::write(tmp.path().join("OpenProject").join("ents.ttl"), TTL).unwrap();
+    fs::write(tmp.path().join("Healthcare").join("ents.ttl"), TTL).unwrap();
+    let registry = Arc::new(OntologyRegistry::new_in_memory());
+    registry
+        .hydrate_once_sync(tmp.path(), &["OpenProject", "Healthcare"])
+        .unwrap();
+    // Keep the tempdir alive for the duration of the test by leaking; the
+    // test process exits shortly after.
+    std::mem::forget(tmp);
+    registry
+}
+
+#[test]
+fn openproject_bridge_resolves_openproject_entity_by_uri() {
+    let registry = make_registry();
+    let bridge = OpenProjectBridge::new(registry).unwrap();
+    let uri = OgitUri::parse("ogit.OpenProject:WorkPackage").unwrap();
+    let entity = bridge.entity_by_uri(&uri).expect("scoped URI resolution");
+    assert_eq!(entity.schema_ptr.namespace_id(), bridge.g_lock());
+}
+
+#[test]
+fn openproject_bridge_rejects_healthcare_entity_by_uri() {
+    let registry = make_registry();
+    let bridge = OpenProjectBridge::new(registry).unwrap();
+    let uri = OgitUri::parse("ogit.Healthcare:Patient").unwrap();
+    let result = bridge.entity_by_uri(&uri);
+    assert!(
+        result.is_err(),
+        "expected scope lock to refuse cross-namespace, got {result:?}",
+    );
+    let err = result.unwrap_err();
+    let msg = format!("{err:?}");
+    assert!(
+        msg.contains("CrossNamespaceLeak") || msg.contains("NotInScope"),
+        "expected CrossNamespaceLeak or NotInScope, got {msg}",
+    );
+}
+
+#[test]
+fn medcare_bridge_rejects_openproject_entity_by_uri() {
+    // Symmetry pin: the Healthcare bridge equally refuses an OpenProject
+    // entity. Together with the previous test, the cross-namespace lock
+    // is bidirectional.
+    let registry = make_registry();
+    let bridge = MedcareBridge::new(registry).unwrap();
+    let uri = OgitUri::parse("ogit.OpenProject:WorkPackage").unwrap();
+    let result = bridge.entity_by_uri(&uri);
+    assert!(
+        result.is_err(),
+        "expected medcare scope lock to refuse OpenProject URI, got {result:?}",
+    );
+    let err = result.unwrap_err();
+    let msg = format!("{err:?}");
+    assert!(
+        msg.contains("CrossNamespaceLeak") || msg.contains("NotInScope"),
+        "expected CrossNamespaceLeak or NotInScope, got {msg}",
+    );
+}
+
+#[test]
+fn openproject_bridge_id_is_lowercase_openproject() {
+    let registry = make_registry();
+    let bridge = OpenProjectBridge::new(registry).unwrap();
+    assert_eq!(bridge.bridge_id(), "openproject");
+}
+
+#[test]
+fn openproject_bridge_g_lock_matches_openproject_namespace_id() {
+    let registry = make_registry();
+    let expected = registry.namespace_id("OpenProject").unwrap();
+    let bridge = OpenProjectBridge::new(registry).unwrap();
+    assert_eq!(bridge.g_lock(), expected);
+}
+
+#[test]
+fn openproject_bridge_construction_fails_when_namespace_missing() {
+    // No hydration -> no OpenProject namespace -> constructor returns
+    // Error::UnknownNamespace.
+    let registry = Arc::new(OntologyRegistry::new_in_memory());
+    let result = OpenProjectBridge::new(registry);
+    assert!(
+        result.is_err(),
+        "expected UnknownNamespace error, got {result:?}",
+    );
+}