Add validator plugin infrastructure

Introduces the validator plugin system parallel to the existing transform
plugin system:

- _plugin_harness.py: subprocess harness for validator plugin discovery
  and execution (mirrors the transform plugin harness pattern)
- permissions.py: prompt and allowlist support for validator plugin modules
- models.py: expose validation_resources and pre_baseurl_metadata on
  BuildingBlock for use by plugin validators
- transform.py / transformers/plugin.py: extract read_plugin_entries()
  helper shared by both transform and validator plugin loading
- entrypoint.py: thread allowed_validator_modules through from CLI
- bblocks-config.schema.yaml: document the plugins.transforms /
  plugins.validators structure (replaces standalone transform-plugins.yml)
- transform-plugins.schema.yaml: update to reflect shared plugin-entry
  schema used by both transform and validator sections
- validate-and-process.yml: wire skip_permissions for validator plugins

Author: avillar

.github/workflows/validate-and-process.yml

@@ -207,13 +207,13 @@ jobs:
           
           echo "Repositories cloned and mapped in $RANDOM_DIR — output saved to $MAPPINGS_YML"
 
-      - name: Restore transforms sandbox cache
+      - name: Restore bblocks sandbox cache
         uses: actions/cache/restore@v4
         with:
-          path: .transforms-sandbox
-          key: transforms-sandbox-${{ runner.os }}-${{ github.run_id }}
+          path: .bblocks-sandbox
+          key: bblocks-sandbox-${{ runner.os }}-${{ github.run_id }}
           restore-keys: |
-            transforms-sandbox-${{ runner.os }}-
+            bblocks-sandbox-${{ runner.os }}-
       - name: Before postprocess
         if: ${{inputs.before_postprocess}}
         run: ${{inputs.before_postprocess}}
@@ -247,17 +247,17 @@ jobs:
         uses: EndBug/add-and-commit@v9
         with:
           message: Building blocks postprocessing
-      - name: Save transforms sandbox cache
+      - name: Save bblocks sandbox cache
         if: ${{ !inputs.skip-build }}
         uses: actions/cache/save@v4
         with:
-          path: .transforms-sandbox
-          key: transforms-sandbox-${{ runner.os }}-${{ github.run_id }}
+          path: .bblocks-sandbox
+          key: bblocks-sandbox-${{ runner.os }}-${{ github.run_id }}
       - name: Remove build artifacts from pages
         run: |
           sudo find "${{ inputs.annotated_path }}" -name _visited_properties.tsv -delete || true
           sudo find "${{ inputs.annotated_path }}" -name _visited_properties.tsv.gz -delete || true
-          rm -rf .transforms-sandbox
+          rm -rf .bblocks-sandbox
           # Remove LLM tool configuration files
           rm -rf .claude CLAUDE.md AGENTS.md GEMINI.md .cursor .cursorrules .windsurfrules .ruler .continue
           find . -maxdepth 1 -name '.aider*' -exec rm -rf {} + || true

ogc/bblocks/entrypoint.py

@@ -16,7 +16,9 @@
 from ogc.bblocks.postprocess import postprocess
 from ogc.na import ingest_json, update_vocabs
 
-from ogc.bblocks.util import get_github_repo, load_yaml
+import jsonschema
+
+from ogc.bblocks.util import get_github_repo, load_yaml, get_schema
 
 MAIN_BBR = 'https://opengeospatial.github.io/bblocks/register.json'
 DEFAULT_IMPORT_MARKER = 'default'
@@ -219,6 +221,11 @@
             bb_config.update(load_yaml(filename=bb_override_config_file) or {})
             break
     if bb_config:
+        try:
+            jsonschema.validate(bb_config, get_schema('bblocks-config'))
+        except jsonschema.ValidationError as e:
+            raise ValueError(f"Invalid bblocks-config.yaml: {e.message} (at {' > '.join(str(p) for p in e.absolute_path)})") from e
+
         id_prefix = bb_config.get('identifier-prefix', id_prefix)
         if id_prefix and id_prefix[-1] != '.':
             id_prefix += '.'

ogc/bblocks/models.py

@@ -75,6 +75,12 @@ def __init__(self, identifier: str, metadata_file: Path,
             }
 
         self._lazy_properties = {}
+        # Snapshot resource refs before postprocess.py rewrites them to published URLs.
+        self._raw_resources: list[dict] = [dict(r) for r in self.metadata.get('resources', [])]
+        # Set by postprocess.py just before with_base_url rewrites start.
+        # Standard path fields are translated to cwd-relative; custom fields remain
+        # as declared in bblock.json (bblock-source-relative).
+        self.pre_baseurl_metadata: dict | None = None
 
         self.subdirs = rel_path
         if '.' in self.identifier:
@@ -354,6 +360,32 @@ def transforms(self) -> list:
             self._lazy_properties['transforms'] = transforms
         return self._lazy_properties['transforms']
 
+    @property
+    def validation_resources(self) -> list[dict]:
+        """Resources with role 'validation', with refs resolved to local paths or kept as URLs.
+
+        Reads from the snapshot taken at construction time so the result is stable
+        even after postprocess.py rewrites resource refs to published URLs.
+        Local refs are resolved to absolute paths; remote refs are kept as URLs.
+        Callers serializing these into a subprocess wire format should convert to
+        cwd-relative paths (see _to_wire_path in validation/plugin.py).
+        """
+        result = []
+        for r in self._raw_resources:
+            if r.get('role') != 'validation':
+                continue
+            ref = r.get('ref')
+            if not ref:
+                continue
+            entry = {
+                'ref': ref if is_url(ref) else str(self.files_path / ref),
+                'format': r.get('format'),
+            }
+            if r.get('conformsTo'):
+                entry['conformsTo'] = r['conformsTo']
+            result.append(entry)
+        return result
+
     def get_extra_test_resources(self) -> Generator[dict, None, None]:
         extra_tests_file = self.files_path / 'tests.yaml'
         try:

ogc/bblocks/permissions.py

@@ -6,7 +6,7 @@
 
 import yaml
 
-from ogc.bblocks.transform import _PERMISSION_CHECKED_TYPES as _RISKY_TRANSFORM_TYPES
+from ogc.bblocks.transform import _PERMISSION_CHECKED_TYPES as _RISKY_TRANSFORM_TYPES, read_plugin_entries
 _PERMISSIONS_FILE = 'permissions.json'
 
 
@@ -47,19 +47,6 @@ def _ask_yes_no(prompt: str) -> bool:
         print("  Please answer y or n.")
 
 
-def _read_plugin_configs() -> list[dict]:
-    """Read transform-plugins.yml without installing anything."""
-    plugins_path = Path('transform-plugins.yml')
-    if not plugins_path.exists():
-        return []
-    try:
-        with open(plugins_path) as f:
-            config = yaml.safe_load(f)
-        if not config or 'plugins' not in config:
-            return []
-        return config.get('plugins', []) or []
-    except Exception:
-        return []
 
 
 def _scan_risky_transforms(items_dir: Path) -> dict[str, list[tuple[str, str]]]:
@@ -98,23 +85,68 @@ def _plugin_version_key(plugin: dict) -> str:
     return ','.join(sorted(pip))
 
 
+def _check_plugin_permissions(
+    plugin_entries: list[dict],
+    cache_key: str,
+    cache: dict,
+    label: str,
+) -> tuple[set[str], bool]:
+    """Prompt for permissions for a list of plugin entries.
+
+    Returns (allowed_modules, cache_was_modified).
+    """
+    cached: dict[str, str] = dict(cache.get(cache_key, {}))
+    allowed: set[str] = set()
+    dirty = False
+
+    for plugin in plugin_entries:
+        modules = plugin.get('modules', [])
+        if isinstance(modules, str):
+            modules = [modules]
+        version_key = _plugin_version_key(plugin)
+        pip_deps = plugin.get('pip', [])
+        if isinstance(pip_deps, str):
+            pip_deps = [pip_deps]
+
+        for module in modules:
+            if cached.get(module) == version_key:
+                allowed.add(module)
+                continue
+
+            _require_tty()
+            print()
+            print(f"╔══ {label} plugin permission required")
+            print(f"║ Plugin: {module}")
+            if pip_deps:
+                print(f"║ Dependencies: {', '.join(pip_deps)}")
+            print()
+            if _ask_yes_no(f"Allow {label.lower()} plugin '{module}' to be installed and run?"):
+                cached[module] = version_key
+                allowed.add(module)
+                cache[cache_key] = cached
+                dirty = True
+
+    return allowed, dirty
+
+
 def check_permissions(
     sandbox_dir: Path,
     items_dir: Path,
-) -> tuple[set[str], set[str]]:
+) -> tuple[set[str], set[str], set[str]]:
     """Check and prompt for permissions for risky transforms and plugins.
 
-    Must be called before load_transform_plugins and before apply_transforms.
+    Must be called before load_transform_plugins, load_validation_plugins,
+    and apply_transforms.
     Returns:
-        allowed_transform_types: set of approved type strings
-        allowed_plugin_modules:  set of approved module paths
+        allowed_transform_types:    set of approved type strings
+        allowed_plugin_modules:     set of approved transform plugin module paths
+        allowed_validator_modules:  set of approved validator plugin module paths
     Raises RuntimeError if stdin is not a TTY and permissions are needed.
     """
     cache = _load_cache(sandbox_dir)
     cache_dirty = False
 
     cached_types: set[str] = set(cache.get('transform-types', []))
-    cached_plugins: dict[str, str] = dict(cache.get('plugins', {}))
 
     # --- Transform types ---
     needed_types = _scan_risky_transforms(items_dir)
@@ -139,38 +171,19 @@ def check_permissions(
 
     allowed_transform_types = cached_types
 
-    # --- Plugins ---
-    plugin_configs = _read_plugin_configs()
-    allowed_plugin_modules: set[str] = set()
-
-    for plugin in plugin_configs:
-        modules = plugin.get('modules', [])
-        if isinstance(modules, str):
-            modules = [modules]
-        version_key = _plugin_version_key(plugin)
-        pip_deps = plugin.get('pip', [])
-        if isinstance(pip_deps, str):
-            pip_deps = [pip_deps]
-
-        for module in modules:
-            if cached_plugins.get(module) == version_key:
-                allowed_plugin_modules.add(module)
-                continue
+    # --- Transform plugins ---
+    allowed_plugin_modules, dirty = _check_plugin_permissions(
+        read_plugin_entries('transforms'), 'plugins', cache, 'Transform',
+    )
+    cache_dirty = cache_dirty or dirty
 
-            _require_tty()
-            print()
-            print(f"╔══ Plugin permission required")
-            print(f"║ Plugin: {module}")
-            if pip_deps:
-                print(f"║ Dependencies: {', '.join(pip_deps)}")
-            print()
-            if _ask_yes_no(f"Allow plugin '{module}' to be installed and run?"):
-                cached_plugins[module] = version_key
-                allowed_plugin_modules.add(module)
-                cache['plugins'] = cached_plugins
-                cache_dirty = True
+    # --- Validator plugins ---
+    allowed_validator_modules, dirty = _check_plugin_permissions(
+        read_plugin_entries('validators'), 'validator-plugins', cache, 'Validator',
+    )
+    cache_dirty = cache_dirty or dirty
 
     if cache_dirty:
         _save_cache(sandbox_dir, cache)
 
-    return allowed_transform_types, allowed_plugin_modules
+    return allowed_transform_types, allowed_plugin_modules, allowed_validator_modules

ogc/bblocks/schemas/bblocks-config.schema.yaml

@@ -0,0 +1,132 @@
+$schema: https://json-schema.org/draft/2020-12/schema
+title: bblocks-config.yaml
+description: Per-repository configuration for the OGC Building Blocks postprocessor.
+type: object
+properties:
+
+  identifier-prefix:
+    type: string
+    description: >
+      Dot-separated prefix prepended to all building block identifiers in this repository
+      (e.g. "ogc.geo"). A trailing dot is added automatically if omitted.
+
+  imports:
+    description: >
+      List of external building block register URLs to import. Use the special value
+      "default" to include the main OGC Building Blocks register. Omitting this key
+      also defaults to the main register.
+    oneOf:
+      - type: array
+        items:
+          type: string
+      - type: 'null'
+
+  name:
+    type: string
+    description: Human-readable name for this register.
+
+  abstract:
+    type: string
+    description: Short description of this register.
+
+  description:
+    type: string
+    description: Full description of this register.
+
+  schema-oas30-downcompile:
+    type: boolean
+    default: false
+    description: >
+      When true, JSON Schemas are downcompiled to OpenAPI 3.0 format during annotation.
+
+  sparql:
+    type: object
+    description: SPARQL endpoint configuration for semantic publishing.
+    properties:
+      query:
+        type: string
+        description: SPARQL query endpoint URL. Exposed as sparqlEndpoint in register.json.
+      push:
+        type: string
+        description: >
+          SPARQL Graph Store Protocol endpoint URL. When --enable-sparql is set, the
+          register Turtle is pushed here.
+      graph:
+        type: string
+        description: >
+          Named graph URI to use when pushing to the GSP endpoint. Defaults to the
+          register base URL if omitted.
+      resources:
+        type: object
+        description: Additional resources to upload to the triplestore beyond building block metadata.
+        properties:
+          ontologies:
+            type: boolean
+            description: When true, ontology files from building blocks are uploaded to the triplestore.
+
+  viewer:
+    type: object
+    description: Configuration for the Building Blocks viewer.
+    properties:
+      show-imported-depth:
+        description: >
+          Controls which imported building blocks are shown in the viewer.
+          0 (default): only local building blocks.
+          N (positive integer): local + imported up to N levels deep.
+          -1 (any negative integer): show all imported building blocks.
+          null or false: disable.
+        oneOf:
+          - type: integer
+          - type: 'null'
+          - type: boolean
+            enum: [false]
+
+  plugins:
+    type: object
+    description: >
+      External plugin configuration. Replaces the standalone transform-plugins.yml file.
+    properties:
+      transforms:
+        type: array
+        description: External transformer plugins.
+        items:
+          $ref: '#/$defs/plugin-entry'
+      validators:
+        type: array
+        description: External validator plugins.
+        items:
+          $ref: '#/$defs/plugin-entry'
+
+$defs:
+  plugin-entry:
+    type: object
+    required:
+      - modules
+    properties:
+      pip:
+        description: >
+          One or more pip install specifiers for packages that provide the plugin modules.
+          Accepts any specifier that `pip install` understands (package name, version
+          constraint, GitHub URL, etc.).
+        oneOf:
+          - type: string
+          - type: array
+            items:
+              type: string
+            minItems: 1
+      modules:
+        description: >
+          One or more dotted Python module paths to import. Each module is scanned for
+          plugin classes (transformers or validators depending on context).
+        oneOf:
+          - type: string
+          - type: array
+            items:
+              type: string
+            minItems: 1
+      url:
+        type: string
+        format: uri
+        description: >
+          URL for this plugin (e.g. its repository or PyPI page). If omitted, the
+          postprocessor attempts to derive one automatically from the pip specifier.