From 18dbcafc0f3213b8296b4756e4948229ae05f6a3 Mon Sep 17 00:00:00 2001 From: Jeremi Joslin Date: Fri, 10 Jul 2026 21:18:07 +0700 Subject: [PATCH] Prepare RegistryStack v0.9.0 release Signed-off-by: Jeremi Joslin --- CONTRIBUTING.md | 2 +- Cargo.lock | 76 +-- Cargo.toml | 46 +- SECURITY.md | 10 +- crates/registry-relay/CHANGELOG.md | 49 +- crates/registry-relay/docs/release-notes.md | 54 ++ .../openapi/registry-relay.openapi.json | 502 +++++++++++++++++- crates/registry-relay/src/api/governed.rs | 10 +- crates/registry-relay/src/api/openapi.rs | 236 +++++++- .../registry-relay/tests/postgres_snapshot.rs | 9 + crates/registryctl/CHANGELOG.md | 7 + crates/registryctl/README.md | 10 +- crates/registryctl/install.sh | 4 +- docs/site/astro.config.mjs | 15 +- .../scripts/check-registryctl-tutorials.sh | 4 +- docs/site/src/content/docs/changelog.mdx | 29 +- .../docs/decisions/rename-2026-05-23.mdx | 2 +- docs/site/src/content/docs/index.mdx | 11 +- .../content/docs/map/boundaries-and-map.mdx | 22 +- .../docs/operate/upgrade-and-rollback.mdx | 43 +- .../content/docs/reference/api-stability.mdx | 2 +- .../content/docs/reference/registryctl.mdx | 6 +- .../docs/security/hardening-checklist.mdx | 8 +- .../docs/security/report-a-vulnerability.mdx | 2 +- .../content/docs/security/support-window.mdx | 2 +- .../src/content/docs/spec/rs-pr-notary.mdx | 12 +- .../content/docs/start/credential-tour.mdx | 19 +- .../src/content/docs/start/quickstart.mdx | 17 +- .../src/content/docs/start/when-to-use.mdx | 3 +- .../deploy-standalone-with-own-data.mdx | 72 +-- .../tutorials/first-run-with-solmara-lab.mdx | 18 +- ...blish-spreadsheet-secured-registry-api.mdx | 24 +- .../run-notary-standalone-for-api.mdx | 2 +- .../tutorials/verify-claim-registry-api.mdx | 14 +- .../docs/tutorials/verify-opencrvs-claims.mdx | 12 +- docs/site/src/data/contracts.yaml | 18 +- docs/site/src/data/docsets.yaml | 47 +- docs/site/src/data/generated/contracts.json | 18 +- docs/site/src/data/generated/docsets.json | 60 ++- docs/site/src/data/generated/projects.json | 20 +- docs/site/src/data/generated/standards.json | 106 ++-- docs/site/src/data/projects.yaml | 20 +- docs/site/src/data/repo-docs.yaml | 96 ++-- docs/site/src/data/standards.yaml | 106 ++-- lab/CHANGELOG.md | 2 + lab/scripts/smoke-oidc-relay.sh | 3 + products/manifest/CHANGELOG.md | 29 + products/manifest/docs/release-notes.md | 12 + products/manifest/fuzz/Cargo.lock | 4 +- products/notary/CHANGELOG.md | 37 ++ products/notary/docs/release-notes.md | 47 +- products/notary/fuzz/Cargo.lock | 28 +- .../openapi/registry-notary.openapi.json | 4 +- products/platform/CHANGELOG.md | 22 + products/platform/fuzz/Cargo.lock | 16 +- release/READINESS.md | 6 +- release/exercises/upgrade-v0.8.4-to-v0.9.0.md | 179 +++++++ release/manifests/registry-stack-beta-11.yaml | 36 ++ release/notes/v0.9.0.md | 119 +++++ release/scripts/registry-release | 17 +- release/scripts/test_registry_release.py | 35 +- 61 files changed, 1988 insertions(+), 453 deletions(-) create mode 100644 release/exercises/upgrade-v0.8.4-to-v0.9.0.md create mode 100644 release/manifests/registry-stack-beta-11.yaml create mode 100644 release/notes/v0.9.0.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 3b36cb029..ae58ff699 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -139,7 +139,7 @@ Release source checks: ```bash python3 -m unittest release/scripts/test_registry_release.py -release/scripts/registry-release validate release/manifests/registry-stack-beta-10.yaml +release/scripts/registry-release validate release/manifests/registry-stack-beta-11.yaml release/scripts/registry-release audit release/manifests/import-map-2026-06-24.yaml REGISTRY_RELEASE_SOURCE_MODE=monorepo release/scripts/check-release-source-model.sh python3 -m unittest release/scripts/test_check_release_source_model.py diff --git a/Cargo.lock b/Cargo.lock index ac6d055e7..4b1581bb0 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5022,7 +5022,7 @@ checksum = "d6f6ff9a378485b298a5286656da665ba74413d36db0979633275d2e708145d4" [[package]] name = "registry-config-report" -version = "0.8.4" +version = "0.9.0" dependencies = [ "jsonschema 0.46.6", "serde", @@ -5031,7 +5031,7 @@ dependencies = [ [[package]] name = "registry-manifest-cli" -version = "0.8.4" +version = "0.9.0" dependencies = [ "registry-manifest-core", "serde", @@ -5042,7 +5042,7 @@ dependencies = [ [[package]] name = "registry-manifest-core" -version = "0.8.4" +version = "0.9.0" dependencies = [ "oxiri", "oxjsonld", @@ -5056,7 +5056,7 @@ dependencies = [ [[package]] name = "registry-notary" -version = "0.8.4" +version = "0.9.0" dependencies = [ "axum", "axum-test", @@ -5092,7 +5092,7 @@ dependencies = [ [[package]] name = "registry-notary-client" -version = "0.8.4" +version = "0.9.0" dependencies = [ "async-trait", "axum", @@ -5119,7 +5119,7 @@ dependencies = [ [[package]] name = "registry-notary-core" -version = "0.8.4" +version = "0.9.0" dependencies = [ "base64", "humantime-serde", @@ -5143,7 +5143,7 @@ dependencies = [ [[package]] name = "registry-notary-server" -version = "0.8.4" +version = "0.9.0" dependencies = [ "async-trait", "aws-lc-rs", @@ -5196,7 +5196,7 @@ dependencies = [ [[package]] name = "registry-notary-source-adapter-rhai" -version = "0.8.4" +version = "0.9.0" dependencies = [ "async-trait", "crosswalk-functions", @@ -5208,7 +5208,7 @@ dependencies = [ [[package]] name = "registry-notary-source-adapter-sidecar" -version = "0.8.4" +version = "0.9.0" dependencies = [ "async-trait", "axum", @@ -5240,7 +5240,7 @@ dependencies = [ [[package]] name = "registry-notary-worker-harness" -version = "0.8.4" +version = "0.9.0" dependencies = [ "libc", "serde", @@ -5252,7 +5252,7 @@ dependencies = [ [[package]] name = "registry-platform-audit" -version = "0.8.4" +version = "0.9.0" dependencies = [ "async-trait", "hmac 0.13.0", @@ -5272,7 +5272,7 @@ dependencies = [ [[package]] name = "registry-platform-authcommon" -version = "0.8.4" +version = "0.9.0" dependencies = [ "proptest", "serde", @@ -5286,7 +5286,7 @@ dependencies = [ [[package]] name = "registry-platform-cache" -version = "0.8.4" +version = "0.9.0" dependencies = [ "async-trait", "redis", @@ -5298,7 +5298,7 @@ dependencies = [ [[package]] name = "registry-platform-config" -version = "0.8.4" +version = "0.9.0" dependencies = [ "base64", "registry-platform-crypto", @@ -5313,7 +5313,7 @@ dependencies = [ [[package]] name = "registry-platform-crypto" -version = "0.8.4" +version = "0.9.0" dependencies = [ "async-trait", "aws-lc-rs", @@ -5335,7 +5335,7 @@ dependencies = [ [[package]] name = "registry-platform-httpsec" -version = "0.8.4" +version = "0.9.0" dependencies = [ "axum", "http", @@ -5350,7 +5350,7 @@ dependencies = [ [[package]] name = "registry-platform-httputil" -version = "0.8.4" +version = "0.9.0" dependencies = [ "axum", "bytes", @@ -5364,7 +5364,7 @@ dependencies = [ [[package]] name = "registry-platform-oid4vci" -version = "0.8.4" +version = "0.9.0" dependencies = [ "base64", "registry-platform-crypto", @@ -5379,7 +5379,7 @@ dependencies = [ [[package]] name = "registry-platform-oidc" -version = "0.8.4" +version = "0.9.0" dependencies = [ "axum", "base64", @@ -5395,7 +5395,7 @@ dependencies = [ [[package]] name = "registry-platform-ops" -version = "0.8.4" +version = "0.9.0" dependencies = [ "fs2", "jsonschema 0.46.6", @@ -5412,14 +5412,14 @@ dependencies = [ [[package]] name = "registry-platform-pdp" -version = "0.8.4" +version = "0.9.0" dependencies = [ "serde", ] [[package]] name = "registry-platform-replay" -version = "0.8.4" +version = "0.9.0" dependencies = [ "async-trait", "getrandom 0.4.3", @@ -5431,7 +5431,7 @@ dependencies = [ [[package]] name = "registry-platform-sdjwt" -version = "0.8.4" +version = "0.9.0" dependencies = [ "async-trait", "base64", @@ -5446,33 +5446,9 @@ dependencies = [ "ulid", ] -[[package]] -name = "registry-platform-sts" -version = "0.8.4" -dependencies = [ - "async-trait", - "axum", - "base64", - "hmac 0.13.0", - "http", - "jsonwebtoken", - "registry-platform-audit", - "registry-platform-crypto", - "registry-platform-oidc", - "serde", - "serde_json", - "sha2 0.11.0", - "subtle", - "thiserror 2.0.18", - "time", - "tokio", - "tower", - "ulid", -] - [[package]] name = "registry-platform-testing" -version = "0.8.4" +version = "0.9.0" dependencies = [ "async-trait", "axum", @@ -5498,7 +5474,7 @@ dependencies = [ [[package]] name = "registry-relay" -version = "0.8.4" +version = "0.9.0" dependencies = [ "arc-swap", "assert-json-diff", @@ -5570,7 +5546,7 @@ dependencies = [ [[package]] name = "registryctl" -version = "0.8.4" +version = "0.9.0" dependencies = [ "anyhow", "base64", diff --git a/Cargo.toml b/Cargo.toml index 07316aa51..d0b190957 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -40,7 +40,7 @@ exclude = [ resolver = "2" [workspace.package] -version = "0.8.4" +version = "0.9.0" edition = "2021" rust-version = "1.95" license = "Apache-2.0" @@ -51,28 +51,28 @@ repository = "https://github.com/registrystack/registry-stack" unsafe_code = "forbid" [workspace.dependencies] -registry-config-report = { path = "crates/registry-config-report", version = "0.8.4" } -registry-manifest-core = { path = "crates/registry-manifest-core", version = "0.8.4" } -registry-notary-client = { path = "crates/registry-notary-client", version = "0.8.4" } -registry-notary-core = { path = "crates/registry-notary-core", version = "0.8.4" } -registry-notary-server = { path = "crates/registry-notary-server", version = "0.8.4", default-features = false } -registry-notary-source-adapter-rhai = { path = "crates/registry-notary-source-adapter-rhai", version = "0.8.4" } -registry-notary-source-adapter-sidecar = { path = "crates/registry-notary-source-adapter-sidecar", version = "0.8.4" } -registry-notary-worker-harness = { path = "crates/registry-notary-worker-harness", version = "0.8.4" } -registry-platform-audit = { path = "crates/registry-platform-audit", version = "0.8.4" } -registry-platform-authcommon = { path = "crates/registry-platform-authcommon", version = "0.8.4" } -registry-platform-cache = { path = "crates/registry-platform-cache", version = "0.8.4" } -registry-platform-config = { path = "crates/registry-platform-config", version = "0.8.4" } -registry-platform-crypto = { path = "crates/registry-platform-crypto", version = "0.8.4" } -registry-platform-httpsec = { path = "crates/registry-platform-httpsec", version = "0.8.4" } -registry-platform-httputil = { path = "crates/registry-platform-httputil", version = "0.8.4" } -registry-platform-oid4vci = { path = "crates/registry-platform-oid4vci", version = "0.8.4" } -registry-platform-oidc = { path = "crates/registry-platform-oidc", version = "0.8.4" } -registry-platform-ops = { path = "crates/registry-platform-ops", version = "0.8.4" } -registry-platform-pdp = { path = "crates/registry-platform-pdp", version = "0.8.4" } -registry-platform-replay = { path = "crates/registry-platform-replay", version = "0.8.4" } -registry-platform-sdjwt = { path = "crates/registry-platform-sdjwt", version = "0.8.4" } -registry-platform-testing = { path = "crates/registry-platform-testing", version = "0.8.4" } +registry-config-report = { path = "crates/registry-config-report", version = "0.9.0" } +registry-manifest-core = { path = "crates/registry-manifest-core", version = "0.9.0" } +registry-notary-client = { path = "crates/registry-notary-client", version = "0.9.0" } +registry-notary-core = { path = "crates/registry-notary-core", version = "0.9.0" } +registry-notary-server = { path = "crates/registry-notary-server", version = "0.9.0", default-features = false } +registry-notary-source-adapter-rhai = { path = "crates/registry-notary-source-adapter-rhai", version = "0.9.0" } +registry-notary-source-adapter-sidecar = { path = "crates/registry-notary-source-adapter-sidecar", version = "0.9.0" } +registry-notary-worker-harness = { path = "crates/registry-notary-worker-harness", version = "0.9.0" } +registry-platform-audit = { path = "crates/registry-platform-audit", version = "0.9.0" } +registry-platform-authcommon = { path = "crates/registry-platform-authcommon", version = "0.9.0" } +registry-platform-cache = { path = "crates/registry-platform-cache", version = "0.9.0" } +registry-platform-config = { path = "crates/registry-platform-config", version = "0.9.0" } +registry-platform-crypto = { path = "crates/registry-platform-crypto", version = "0.9.0" } +registry-platform-httpsec = { path = "crates/registry-platform-httpsec", version = "0.9.0" } +registry-platform-httputil = { path = "crates/registry-platform-httputil", version = "0.9.0" } +registry-platform-oid4vci = { path = "crates/registry-platform-oid4vci", version = "0.9.0" } +registry-platform-oidc = { path = "crates/registry-platform-oidc", version = "0.9.0" } +registry-platform-ops = { path = "crates/registry-platform-ops", version = "0.9.0" } +registry-platform-pdp = { path = "crates/registry-platform-pdp", version = "0.9.0" } +registry-platform-replay = { path = "crates/registry-platform-replay", version = "0.9.0" } +registry-platform-sdjwt = { path = "crates/registry-platform-sdjwt", version = "0.9.0" } +registry-platform-testing = { path = "crates/registry-platform-testing", version = "0.9.0" } crosswalk-core = { git = "https://github.com/PublicSchema/crosswalk", rev = "1d44ec735fdc8a7c719264b339574371e8330337", version = "0.2.0" } crosswalk-functions = { git = "https://github.com/PublicSchema/crosswalk", rev = "1d44ec735fdc8a7c719264b339574371e8330337", version = "0.2.0" } diff --git a/SECURITY.md b/SECURITY.md index f492a2644..51ccacbcd 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -44,14 +44,14 @@ include cosign signatures without SLSA provenance. For each signed release asset, download three files from the GitHub Release: -- The asset, for example `registryctl-v0.8.4-linux-amd64` -- The matching signature, for example `registryctl-v0.8.4-linux-amd64.sig` -- The matching certificate, for example `registryctl-v0.8.4-linux-amd64.pem` +- The asset, for example `registryctl-v0.9.0-linux-amd64` +- The matching signature, for example `registryctl-v0.9.0-linux-amd64.sig` +- The matching certificate, for example `registryctl-v0.9.0-linux-amd64.pem` Then verify the asset: ```bash -asset=registryctl-v0.8.4-linux-amd64 +asset=registryctl-v0.9.0-linux-amd64 cosign verify-blob \ --certificate "${asset}.pem" \ @@ -69,7 +69,7 @@ For releases with SLSA provenance, download the provenance asset and verify the artifact against the release tag: ```bash -tag=v0.8.4 +tag=v0.9.0 asset=registryctl-${tag}-linux-amd64 provenance=registry-stack-${tag}-release-provenance.intoto.jsonl diff --git a/crates/registry-relay/CHANGELOG.md b/crates/registry-relay/CHANGELOG.md index 3d08b65e8..1aab2d3d8 100644 --- a/crates/registry-relay/CHANGELOG.md +++ b/crates/registry-relay/CHANGELOG.md @@ -2,12 +2,14 @@ ## Unreleased +## 0.9.0 - 2026-07-10 + ### Added -- Boot is now loud about reduced posture: warn logs for waiver-suppressed - deployment gate findings, expired waivers, and an undeclared deployment - profile, plus a boot-time operational audit record (`deployment.gate_waived`) - per waived gate. +- Accepted boots are now loud about reduced posture: warn logs identify + waiver-suppressed deployment gate findings and expired waivers, and a + boot-time operational audit record (`deployment.gate_waived`) is written per + waived gate. - Local, in-process auth-failure throttle (`auth.failure_throttle`), disabled by default. When enabled, repeated authentication failures from one client address within a configured window return a stable 429 @@ -72,17 +74,46 @@ ### Changed +- BREAKING: `deployment.profile` is required and must be one of `local`, + `hosted_lab`, `production`, or `evidence_grade`. Relay does not infer a + profile and refuses startup when it is absent. Add the explicit profile that + matches the deployment before upgrading. +- BREAKING: The TUF-era `/admin/v1/config/verify`, + `/admin/v1/config/dry-run`, and `/admin/v1/config/apply` endpoints are + removed, as is the CLI `config apply-bundle` command. First run + `registryctl bundle verify` for stateless signature and binding verification, + then place the signed Registry Config Bundle v1 on the Relay node. For a + genuinely absent, version-specific antirollback state path, start Relay with + `--initialize-state`; that boot verifies the bundle and initializes state. + Relay's read-only `config verify-bundle` command remains, but it requires + accepted state to exist, so use it only for later candidate validation and + restarts. Replace retired TUF-era fields inside `config_trust` with the + current Config Bundle v1 trust fields; strict parsing rejects the old + schema. There is no hot-apply path. Back up + `config_trust.antirollback_state_path` before upgrading and keep + release-specific restore sets. Before rollback, restore the antirollback + state matching that release. Never delete or reinitialize state to force an + older bundle to load. - BREAKING: `audit.include_health: true` now includes `/healthz` only. `/ready` is always excluded because appending a readiness audit record after its zero-backlog comparison would invalidate the next readiness probe. + Evidence consumers must capture the readiness response, authenticated + posture, and acknowledgement cursor instead of expecting a `/ready` audit + record. - BREAKING: Governed reads now ignore `x-registry-subject-ref`, `x-registry-relationship`, `x-registry-on-behalf-of`, and - `x-registry-credential-format` unless the authenticated principal has the - exact `registry:trust::` scope. These optional trust-context - fields are now scope-gated before policy evaluation. Audit records retain - ordinary route scopes in `scopes_used`, replace each value-bearing trust - scope with a field-bound + `x-registry-credential-format`, and + `x-registry-source-observed-at-unix-seconds` unless the authenticated + principal has the corresponding exact value-bound scope: + `registry:trust:subject_ref:`, + `registry:trust:relationship:`, + `registry:trust:on_behalf_of:`, + `registry:trust:requested_credential_format:`, or + `registry:trust:source_observed_at_unix_seconds:`. These optional + trust-context fields are scope-gated before policy evaluation. Audit records + retain ordinary route scopes in `scopes_used`, replace each value-bearing + trust scope with a field-bound `registry:trust::hmac-sha256:` handle under the deployment audit key, and record authenticated trust-context field names in `pdp_trust_provenance` without their values. diff --git a/crates/registry-relay/docs/release-notes.md b/crates/registry-relay/docs/release-notes.md index 60d494cd9..5aa1f5207 100644 --- a/crates/registry-relay/docs/release-notes.md +++ b/crates/registry-relay/docs/release-notes.md @@ -1,5 +1,59 @@ # Release Notes +## 0.9.0 + +- BREAKING: Relay-local credential issuance and its `provenance` and entity + `publicschema` configuration are removed. Deploy credential issuance and + verification through Registry Notary. +- BREAKING: `deployment.profile` is required and must be one of `local`, + `hosted_lab`, `production`, or `evidence_grade`. Relay refuses startup when + it is absent instead of inferring a profile. +- BREAKING: the TUF-era `/admin/v1/config/verify`, + `/admin/v1/config/dry-run`, and `/admin/v1/config/apply` endpoints are + removed, as is the CLI `config apply-bundle` command. First run + `registryctl bundle verify` for stateless signature and binding verification, + then place the signed Registry Config Bundle v1 on the Relay node. For a + genuinely absent, version-specific antirollback state path, start Relay with + `--initialize-state`; that boot verifies the bundle and initializes state. + Relay's read-only `config verify-bundle` command remains, but it requires + accepted state to exist, so use it only for later candidate validation and + restarts. Replace retired TUF-era fields inside `config_trust` with current + Config Bundle v1 trust fields because strict parsing rejects the old schema. + Hot apply is not supported. Back up + `config_trust.antirollback_state_path` before upgrading and keep + release-specific restore sets. Before rollback, restore the antirollback + state matching that release. Never delete or reinitialize state to force an + older bundle to load. +- BREAKING: governed reads honor `x-registry-subject-ref`, + `x-registry-relationship`, `x-registry-on-behalf-of`, and + `x-registry-credential-format`, and + `x-registry-source-observed-at-unix-seconds` only when the authenticated + principal carries the corresponding exact value-bound scope: + `registry:trust:subject_ref:`, + `registry:trust:relationship:`, + `registry:trust:on_behalf_of:`, + `registry:trust:requested_credential_format:`, or + `registry:trust:source_observed_at_unix_seconds:`. Without that scope, + the header is treated as absent before policy evaluation. +- BREAKING: hard deployment gates cannot be waived. Production and + evidence-grade operators must correct the failing condition, configure + off-host audit shipping, and provide a fresh acknowledgement cursor where + required. +- The beta attribute-release API is excluded from default builds and requires + the `attribute-release` Cargo feature. +- The committed OpenAPI artifact now matches the default build and no longer + advertises the feature-gated OGC API or SP DCI routes. Deployments using + those routes must enable the matching Cargo features and publish an OpenAPI + document generated from that build. +- Added local authentication-failure throttling, retained-chain verification + and quarantine recovery, audit-shipping health, and generated config-bundle + acceptance evidence. +- BREAKING: `audit.include_health: true` includes `/healthz` only. `/ready` is + always excluded because logging readiness would invalidate the next + zero-backlog comparison. Evidence consumers must capture the readiness + response, authenticated posture, and acknowledgement cursor instead of + expecting a `/ready` audit record. + ## 0.8.4 - Added `registry-relay --version` and `registry-relay -V` output, matching the stack's diff --git a/crates/registry-relay/openapi/registry-relay.openapi.json b/crates/registry-relay/openapi/registry-relay.openapi.json index f1641ae85..8b291e0c7 100644 --- a/crates/registry-relay/openapi/registry-relay.openapi.json +++ b/crates/registry-relay/openapi/registry-relay.openapi.json @@ -1993,7 +1993,7 @@ }, "summary": "Read-only data gateway exposing entity records, catalog metadata, and SHACL/DCAT-AP shapes for governed datasets.", "title": "Registry Relay API", - "version": "0.8.4" + "version": "0.9.0" }, "openapi": "3.1.0", "paths": { @@ -4746,6 +4746,106 @@ "type": "string" } }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:legal_basis:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-legal-basis", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:consent:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-consent", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:assurance:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-assurance", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:jurisdiction:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-jurisdiction", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:subject_ref:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-subject-ref", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:relationship:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-relationship", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:on_behalf_of:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-on-behalf-of", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:requested_credential_format:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-credential-format", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:source_observed_at_unix_seconds:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-source-observed-at-unix-seconds", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:source_observed_age_seconds:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-source-observed-age-seconds", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, { "description": "Dataset identifier", "in": "path", @@ -4958,6 +5058,106 @@ "type": "string" } }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:legal_basis:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-legal-basis", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:consent:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-consent", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:assurance:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-assurance", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:jurisdiction:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-jurisdiction", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:subject_ref:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-subject-ref", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:relationship:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-relationship", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:on_behalf_of:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-on-behalf-of", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:requested_credential_format:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-credential-format", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:source_observed_at_unix_seconds:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-source-observed-at-unix-seconds", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:source_observed_age_seconds:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-source-observed-age-seconds", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, { "description": "Dataset identifier", "in": "path", @@ -5382,6 +5582,106 @@ "type": "string" } }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:legal_basis:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-legal-basis", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:consent:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-consent", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:assurance:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-assurance", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:jurisdiction:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-jurisdiction", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:subject_ref:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-subject-ref", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:relationship:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-relationship", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:on_behalf_of:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-on-behalf-of", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:requested_credential_format:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-credential-format", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:source_observed_at_unix_seconds:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-source-observed-at-unix-seconds", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:source_observed_age_seconds:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-source-observed-age-seconds", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, { "description": "Dataset identifier", "in": "path", @@ -5507,6 +5807,106 @@ "type": "string" } }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:legal_basis:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-legal-basis", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:consent:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-consent", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:assurance:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-assurance", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:jurisdiction:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-jurisdiction", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:subject_ref:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-subject-ref", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:relationship:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-relationship", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:on_behalf_of:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-on-behalf-of", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:requested_credential_format:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-credential-format", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:source_observed_at_unix_seconds:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-source-observed-at-unix-seconds", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:source_observed_age_seconds:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-source-observed-age-seconds", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, { "description": "Dataset identifier", "in": "path", @@ -5646,6 +6046,106 @@ "type": "string" } }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:legal_basis:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-legal-basis", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:consent:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-consent", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:assurance:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-assurance", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:jurisdiction:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-trust-jurisdiction", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:subject_ref:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-subject-ref", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:relationship:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-relationship", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:on_behalf_of:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-on-behalf-of", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:requested_credential_format:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-credential-format", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:source_observed_at_unix_seconds:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-source-observed-at-unix-seconds", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, + { + "description": "Optional PDP trust context. Relay passes this value to policy evaluation only when the authenticated principal has the exact value-bound `registry:trust:source_observed_age_seconds:` scope. Without that scope, Relay treats the header as absent. Header names are case-insensitive.", + "in": "header", + "name": "x-registry-source-observed-age-seconds", + "required": false, + "schema": { + "minLength": 1, + "type": "string" + } + }, { "description": "Dataset identifier", "in": "path", diff --git a/crates/registry-relay/src/api/governed.rs b/crates/registry-relay/src/api/governed.rs index a86a11a25..ce0b6583f 100644 --- a/crates/registry-relay/src/api/governed.rs +++ b/crates/registry-relay/src/api/governed.rs @@ -29,11 +29,11 @@ pub(crate) const TRUST_JURISDICTION_HEADER: &str = "x-registry-trust-jurisdictio pub(crate) const TRUST_ASSURANCE_HEADER: &str = "x-registry-trust-assurance"; pub(crate) const TRUST_LEGAL_BASIS_HEADER: &str = "x-registry-trust-legal-basis"; pub(crate) const TRUST_CONSENT_HEADER: &str = "x-registry-trust-consent"; -const TRUST_SUBJECT_REF_HEADER: &str = "x-registry-subject-ref"; -const TRUST_RELATIONSHIP_HEADER: &str = "x-registry-relationship"; -const TRUST_ON_BEHALF_OF_HEADER: &str = "x-registry-on-behalf-of"; -const TRUST_REQUESTED_CREDENTIAL_FORMAT_HEADER: &str = "x-registry-credential-format"; -const TRUST_SOURCE_OBSERVED_AT_UNIX_SECONDS_HEADER: &str = +pub(crate) const TRUST_SUBJECT_REF_HEADER: &str = "x-registry-subject-ref"; +pub(crate) const TRUST_RELATIONSHIP_HEADER: &str = "x-registry-relationship"; +pub(crate) const TRUST_ON_BEHALF_OF_HEADER: &str = "x-registry-on-behalf-of"; +pub(crate) const TRUST_REQUESTED_CREDENTIAL_FORMAT_HEADER: &str = "x-registry-credential-format"; +pub(crate) const TRUST_SOURCE_OBSERVED_AT_UNIX_SECONDS_HEADER: &str = "x-registry-source-observed-at-unix-seconds"; pub(crate) const TRUST_SOURCE_OBSERVED_AGE_SECONDS_HEADER: &str = "x-registry-source-observed-age-seconds"; diff --git a/crates/registry-relay/src/api/openapi.rs b/crates/registry-relay/src/api/openapi.rs index a74ebd6cc..f51f32d0c 100644 --- a/crates/registry-relay/src/api/openapi.rs +++ b/crates/registry-relay/src/api/openapi.rs @@ -8,6 +8,12 @@ use axum::{Extension, Router}; use serde_json::{json, Map, Value}; use std::collections::BTreeSet; +use crate::api::governed::{ + TRUST_ASSURANCE_HEADER, TRUST_CONSENT_HEADER, TRUST_JURISDICTION_HEADER, + TRUST_LEGAL_BASIS_HEADER, TRUST_ON_BEHALF_OF_HEADER, TRUST_RELATIONSHIP_HEADER, + TRUST_REQUESTED_CREDENTIAL_FORMAT_HEADER, TRUST_SOURCE_OBSERVED_AGE_SECONDS_HEADER, + TRUST_SOURCE_OBSERVED_AT_UNIX_SECONDS_HEADER, TRUST_SUBJECT_REF_HEADER, +}; use crate::audit::ErrorCodeExt; use crate::auth::Principal; use crate::config::{AuthMode, Config, DatasetConfig, EntityConfig, FilterOp}; @@ -48,6 +54,28 @@ const INFO_DESCRIPTION: &str = "Read-only HTTP gateway over governed datasets. \ Serves entity records, catalog metadata, and SHACL/DCAT-AP shapes, with API \ discovery through the RFC 9727 catalog endpoint."; +const VALUE_BOUND_TRUST_HEADERS: [(&str, &str); 10] = [ + (TRUST_LEGAL_BASIS_HEADER, "legal_basis"), + (TRUST_CONSENT_HEADER, "consent"), + (TRUST_ASSURANCE_HEADER, "assurance"), + (TRUST_JURISDICTION_HEADER, "jurisdiction"), + (TRUST_SUBJECT_REF_HEADER, "subject_ref"), + (TRUST_RELATIONSHIP_HEADER, "relationship"), + (TRUST_ON_BEHALF_OF_HEADER, "on_behalf_of"), + ( + TRUST_REQUESTED_CREDENTIAL_FORMAT_HEADER, + "requested_credential_format", + ), + ( + TRUST_SOURCE_OBSERVED_AT_UNIX_SECONDS_HEADER, + "source_observed_at_unix_seconds", + ), + ( + TRUST_SOURCE_OBSERVED_AGE_SECONDS_HEADER, + "source_observed_age_seconds", + ), +]; + /// Sub-router for the best-effort OpenAPI document. pub fn router() -> Router where @@ -623,6 +651,7 @@ fn openapi_document(catalog: &CatalogDocument, config: &Config) -> Value { if entity_config.api.require_purpose_header { add_purpose_header_parameter(&mut paths, &collection_path, "get"); } + add_value_bound_trust_header_parameters(&mut paths, &collection_path, "get"); tag(&mut paths, &collection_path, "get", &entity_tag); // Get record by id @@ -673,6 +702,7 @@ fn openapi_document(catalog: &CatalogDocument, config: &Config) -> Value { if entity_config.api.require_purpose_header { add_purpose_header_parameter(&mut paths, &record_path, "get"); } + add_value_bound_trust_header_parameters(&mut paths, &record_path, "get"); tag(&mut paths, &record_path, "get", &entity_tag); // Field schema (JSON Schema view) @@ -744,6 +774,7 @@ fn openapi_document(catalog: &CatalogDocument, config: &Config) -> Value { if entity_config.api.require_purpose_header || target_requires_purpose { add_purpose_header_parameter(&mut paths, &relationship_path, "get"); } + add_value_bound_trust_header_parameters(&mut paths, &relationship_path, "get"); tag(&mut paths, &relationship_path, "get", &entity_tag); } } @@ -795,6 +826,7 @@ fn openapi_document(catalog: &CatalogDocument, config: &Config) -> Value { if dataset_aggregates_require_purpose(dataset_config) { add_purpose_header_parameter(&mut paths, &aggregate_run_path, "get"); } + add_value_bound_trust_header_parameters(&mut paths, &aggregate_run_path, "get"); tag(&mut paths, &aggregate_run_path, "get", &aggregate_tag); let aggregate_query_path = format!( @@ -820,6 +852,7 @@ fn openapi_document(catalog: &CatalogDocument, config: &Config) -> Value { if dataset_aggregates_require_purpose(dataset_config) { add_purpose_header_parameter(&mut paths, &aggregate_query_path, "post"); } + add_value_bound_trust_header_parameters(&mut paths, &aggregate_query_path, "post"); tag(&mut paths, &aggregate_query_path, "post", &aggregate_tag); let aggregate_structure_path = format!( @@ -1673,6 +1706,40 @@ fn set_response_example( /// declares the header. The parameter is required by the gateway when /// the entity has `api.require_purpose_header: true`. fn add_purpose_header_parameter(paths: &mut Map, path: &str, method: &str) { + add_header_parameter(paths, path, method, purpose_header_parameter()); +} + +/// Document the client-supplied trust context that Relay can pass to the PDP. +/// Each header is optional and ignored unless the authenticated principal has +/// the exact value-bound scope described by the parameter. +fn add_value_bound_trust_header_parameters( + paths: &mut Map, + path: &str, + method: &str, +) { + for (name, scope_field) in VALUE_BOUND_TRUST_HEADERS { + add_header_parameter( + paths, + path, + method, + value_bound_trust_header_parameter(name, scope_field), + ); + } +} + +fn add_header_parameter( + paths: &mut Map, + path: &str, + method: &str, + parameter: Value, +) { + let Some(name) = parameter + .get("name") + .and_then(Value::as_str) + .map(str::to_string) + else { + return; + }; let Some(op) = op_at(paths, path, method) else { return; }; @@ -1686,11 +1753,11 @@ fn add_purpose_header_parameter(paths: &mut Map, path: &str, meth let already_declared = parameters.iter().any(|p| { p.get("name") .and_then(Value::as_str) - .is_some_and(|n| n.eq_ignore_ascii_case("Data-Purpose")) + .is_some_and(|declared| declared.eq_ignore_ascii_case(&name)) && p.get("in").and_then(Value::as_str) == Some("header") }); if !already_declared { - parameters.push(purpose_header_parameter()); + parameters.push(parameter); } } @@ -3454,6 +3521,7 @@ fn insert_spdci_paths(paths: &mut Map) { path.to_string(), spdci_path_item(op_id, summary, description), ); + add_value_bound_trust_header_parameters(paths, path, "post"); tag(paths, path, "post", TAG_SPD_CI); } } @@ -3552,6 +3620,11 @@ fn insert_attribute_release_paths(paths: &mut Map) { } }), ); + add_value_bound_trust_header_parameters( + paths, + "/v1/attribute-releases/{profile_id}/versions/{version}/resolve", + "post", + ); tag( paths, "/v1/attribute-releases/{profile_id}/versions/{version}/resolve", @@ -3664,6 +3737,11 @@ fn insert_ogc_paths(paths: &mut Map) { "get", "list_dataset_ogc_features", ); + add_value_bound_trust_header_parameters( + paths, + "/ogc/v1/datasets/{dataset_id}/collections/{collection_id}/items", + "get", + ); paths.insert( "/ogc/v1/datasets/{dataset_id}/collections/{collection_id}/items/{feature_id}".to_string(), @@ -3691,6 +3769,11 @@ fn insert_ogc_paths(paths: &mut Map) { "get", "get_dataset_ogc_feature", ); + add_value_bound_trust_header_parameters( + paths, + "/ogc/v1/datasets/{dataset_id}/collections/{collection_id}/items/{feature_id}", + "get", + ); } #[cfg(feature = "ogcapi-records")] @@ -3904,6 +3987,8 @@ fn insert_ogc_edr_paths(paths: &mut Map) { } }), ); + add_value_bound_trust_header_parameters(paths, area_path, "get"); + add_value_bound_trust_header_parameters(paths, area_path, "post"); tag(paths, area_path, "get", TAG_OGC_EDR); tag(paths, area_path, "post", TAG_OGC_EDR); } @@ -4506,6 +4591,21 @@ fn purpose_header_parameter_with_required(required: bool) -> Value { }) } +fn value_bound_trust_header_parameter(name: &str, scope_field: &str) -> Value { + json!({ + "name": name, + "in": "header", + "required": false, + "description": format!( + "Optional PDP trust context. Relay passes this value to policy evaluation only when \ + the authenticated principal has the exact value-bound \ + `registry:trust:{scope_field}:` scope. Without that scope, Relay treats the \ + header as absent. Header names are case-insensitive." + ), + "schema": { "type": "string", "minLength": 1 }, + }) +} + fn enum_query_parameter(name: &str, description: &str, values: Vec<&str>) -> Value { json!({ "name": name, @@ -4870,6 +4970,111 @@ mod tests { } } + const EXPECTED_VALUE_BOUND_TRUST_HEADERS: [(&str, &str); 10] = [ + ("x-registry-trust-legal-basis", "legal_basis"), + ("x-registry-trust-consent", "consent"), + ("x-registry-trust-assurance", "assurance"), + ("x-registry-trust-jurisdiction", "jurisdiction"), + ("x-registry-subject-ref", "subject_ref"), + ("x-registry-relationship", "relationship"), + ("x-registry-on-behalf-of", "on_behalf_of"), + ( + "x-registry-credential-format", + "requested_credential_format", + ), + ( + "x-registry-source-observed-at-unix-seconds", + "source_observed_at_unix_seconds", + ), + ( + "x-registry-source-observed-age-seconds", + "source_observed_age_seconds", + ), + ]; + + fn assert_value_bound_trust_headers(operation: &Value) { + let parameters = operation["parameters"] + .as_array() + .expect("operation parameters"); + let expected_names = EXPECTED_VALUE_BOUND_TRUST_HEADERS + .iter() + .map(|(name, _)| *name) + .collect::>(); + let documented_names = parameters + .iter() + .filter(|parameter| parameter["in"] == "header") + .filter_map(|parameter| parameter["name"].as_str()) + .filter(|name| name.starts_with("x-registry-")) + .collect::>(); + assert_eq!(documented_names, expected_names); + + for (name, scope_field) in EXPECTED_VALUE_BOUND_TRUST_HEADERS { + let matching = parameters + .iter() + .filter(|parameter| parameter["name"] == name && parameter["in"] == "header") + .collect::>(); + assert_eq!(matching.len(), 1, "{name} must be declared exactly once"); + let parameter = matching[0]; + assert_eq!(parameter["required"], false, "{name} must stay optional"); + assert_eq!(parameter["schema"]["type"], "string"); + assert_eq!(parameter["schema"]["minLength"], 1); + assert!( + parameter["description"] + .as_str() + .expect("trust header description") + .contains(&format!("registry:trust:{scope_field}:")), + "{name} must document its exact value-bound scope" + ); + } + } + + #[test] + fn governed_read_operations_document_value_bound_trust_headers() { + let config = load_example_config(); + let doc = openapi_document(&catalog_with_individual(), &config); + + for (path, method) in [ + ( + "/v1/datasets/social_registry/entities/individual/records", + "get", + ), + ( + "/v1/datasets/social_registry/entities/individual/records/{id}", + "get", + ), + ( + "/v1/datasets/social_registry/aggregates/{aggregate_id}", + "get", + ), + ( + "/v1/datasets/social_registry/aggregates/{aggregate_id}/query", + "post", + ), + ] { + assert_value_bound_trust_headers(&doc["paths"][path][method]); + } + } + + #[test] + fn value_bound_trust_header_mutator_is_idempotent() { + let mut paths = Map::from_iter([( + "/governed".to_string(), + json!({ "get": { "parameters": [] } }), + )]); + + add_value_bound_trust_header_parameters(&mut paths, "/governed", "get"); + add_value_bound_trust_header_parameters(&mut paths, "/governed", "get"); + + assert_value_bound_trust_headers(&paths["/governed"]["get"]); + assert_eq!( + paths["/governed"]["get"]["parameters"] + .as_array() + .expect("operation parameters") + .len(), + 10 + ); + } + #[test] fn public_openapi_ignores_present_principal_scope_filtering() { let mut config = load_example_config(); @@ -5386,6 +5591,7 @@ mod tests { resolve_op["responses"]["200"]["content"]["application/json"]["schema"]["$ref"], "#/components/schemas/AttributeReleaseResolveResponse" ); + assert_value_bound_trust_headers(resolve_op); // Standard denial responses must be present assert!( resolve_op["responses"]["400"].is_object(), @@ -5505,8 +5711,34 @@ mod tests { op["responses"]["200"]["content"]["application/json"]["schema"]["$ref"], "#/components/schemas/SpdciSyncResponse" ); + assert_value_bound_trust_headers(op); } assert!(doc["components"]["schemas"]["SpdciSyncRequest"].is_object()); assert!(doc["components"]["schemas"]["SpdciSyncResponse"].is_object()); } + + #[cfg(feature = "ogcapi-features")] + #[test] + fn ogc_feature_data_paths_document_value_bound_trust_headers() { + let mut paths = Map::new(); + insert_ogc_paths(&mut paths); + + for path in [ + "/ogc/v1/datasets/{dataset_id}/collections/{collection_id}/items", + "/ogc/v1/datasets/{dataset_id}/collections/{collection_id}/items/{feature_id}", + ] { + assert_value_bound_trust_headers(&paths[path]["get"]); + } + } + + #[cfg(feature = "ogcapi-edr")] + #[test] + fn ogc_edr_data_paths_document_value_bound_trust_headers() { + let mut paths = Map::new(); + insert_ogc_edr_paths(&mut paths); + let area = &paths["/ogc/edr/v1/collections/{collection_id}/area"]; + + assert_value_bound_trust_headers(&area["get"]); + assert_value_bound_trust_headers(&area["post"]); + } } diff --git a/crates/registry-relay/tests/postgres_snapshot.rs b/crates/registry-relay/tests/postgres_snapshot.rs index bd47dde46..6f031595d 100644 --- a/crates/registry-relay/tests/postgres_snapshot.rs +++ b/crates/registry-relay/tests/postgres_snapshot.rs @@ -206,6 +206,9 @@ async fn run_ingest(db_url: &str, schema_name: &str) -> Result<(), Box&2 exit 1 @@ -297,7 +297,7 @@ run_relay_tutorial() { cd "$tutorial_root" printf '\nrelease installer skipped: this gate uses the checked-out registryctl; GH#198 verifies release assets\n' run_block 'Relay 1: source registryctl version' "$version_block" success - assert_contains "$LAST_OUTPUT" 'registryctl 0.8.4' + assert_contains "$LAST_OUTPUT" 'registryctl 0.9.0' run_block 'Relay 2: Create the sample project' "$blocks/02.sh" success CURRENT_SECRET_FILE="$PWD/secrets/local.env" run_block 'Relay 3: Start the local stack' "$blocks/03.sh" success diff --git a/docs/site/src/content/docs/changelog.mdx b/docs/site/src/content/docs/changelog.mdx index 7ac7271f3..05ffa6cce 100644 --- a/docs/site/src/content/docs/changelog.mdx +++ b/docs/site/src/content/docs/changelog.mdx @@ -5,7 +5,7 @@ status: current owner: registry-docs source_repos: - registry-docs -last_reviewed: "2026-07-07" +last_reviewed: "2026-07-10" doc_type: reference locale: en standards_referenced: [] @@ -16,6 +16,33 @@ documents. Per-product release notes live in each product repository; the entries below link to the relevant product pages on this site rather than duplicating release notes. +## 2026-07-10 + +Documentation updates for the v0.9.0 beta-11 release: + +- Advanced the active monorepo docs and source citations to RegistryStack `v0.9.0`. +- Added the `v0.9.0` archived docset pinned to the beta-11 freeze source ref. +- Updated registryctl install examples and current deployment tutorials to the `v0.9.0` release + tag while retaining the published v0.8.4 stale-digest workaround until tagged artifact proof + closes it. +- Kept hosted first-run publication held while the credential failure in + [GH#330](https://github.com/registrystack/registry-stack/issues/330) and the complete + [GH#198](https://github.com/registrystack/registry-stack/issues/198) fresh-reader run remain open. + +Migration notes: + +- Registryctl project generation now requires the strict image lock from the same release beside + the binary, or at an explicitly verified `REGISTRYCTL_IMAGE_LOCK` path. Existing projects still + run from their stored immutable pins. See + [GH#339](https://github.com/registrystack/registry-stack/pull/339). +- Relay passes a client-supplied trust-context header to the PDP only when the caller has the exact + `registry:trust::` scope. Update caller scopes before relying on those fields; + their value-bearing audit scopes are now pseudonymized. See + [GH#338](https://github.com/registrystack/registry-stack/pull/338). +- Notary federation denials now preserve their audit context. No new client request field is + required, but operators should retain the enriched denial records. See + [GH#337](https://github.com/registrystack/registry-stack/pull/337). + ## 2026-07-04 Documentation updates for the v0.8.4 beta-10 release: diff --git a/docs/site/src/content/docs/decisions/rename-2026-05-23.mdx b/docs/site/src/content/docs/decisions/rename-2026-05-23.mdx index 283af77e8..adafae3ba 100644 --- a/docs/site/src/content/docs/decisions/rename-2026-05-23.mdx +++ b/docs/site/src/content/docs/decisions/rename-2026-05-23.mdx @@ -154,7 +154,7 @@ The registry-lab evidence packet notes that functional identifiers baked into cr log correlation, and spec URLs (`decentralized-demo-correlation-001`, `decentralized-demo-static-publication`) are intentionally stable and do not require change when the directory is renamed. -Docstrings and comments are residual and could be updated to say "[Registry Lab](https://github.com/registrystack/registry-stack/tree/v0.8.4/lab) demo" +Docstrings and comments are residual and could be updated to say "[Registry Lab](https://github.com/registrystack/registry-stack/tree/v0.9.0/lab) demo" without affecting machine contracts. `projects.yaml` `rename_status`: "Local checkout renamed to `registry-lab`; some scripts and fixtures may still reference the old `decentralized-evidence-demo` name." diff --git a/docs/site/src/content/docs/index.mdx b/docs/site/src/content/docs/index.mdx index ff6c27dff..a5c7bff04 100644 --- a/docs/site/src/content/docs/index.mdx +++ b/docs/site/src/content/docs/index.mdx @@ -17,14 +17,19 @@ Registry Stack adds registry-facing services, protected reads, records, over data an institution already holds. The data never leaves the source system. -Start with the [quickstart](start/quickstart/): no install required, about five minutes. -Then take the [credential tour](start/credential-tour/). +Start with [your first registry API](tutorials/publish-spreadsheet-secured-registry-api/), then +[evaluate a claim](tutorials/verify-claim-registry-api/) against that local API. + +The hosted Relay quickstart passed its latest check, but the hosted credential continuation is not +the promoted first-run route while [GH#330](https://github.com/registrystack/registry-stack/issues/330) +remains open and the complete [GH#198](https://github.com/registrystack/registry-stack/issues/198) +fresh-reader run is unfinished. ## Two products Registry Relay protects what an institution already holds. Registry Notary certifies answers drawn from that data. -Take the quickstart first; the tutorials here are the follow-up, on your own machine. +Use the local tutorials below for the current first-run path. ### Registry Relay diff --git a/docs/site/src/content/docs/map/boundaries-and-map.mdx b/docs/site/src/content/docs/map/boundaries-and-map.mdx index 321f063ec..86b89f024 100644 --- a/docs/site/src/content/docs/map/boundaries-and-map.mdx +++ b/docs/site/src/content/docs/map/boundaries-and-map.mdx @@ -54,7 +54,7 @@ For how the five projects connect at runtime, see the [architecture overview](.. | How is a CSV, XLSX, Parquet, or PostgreSQL source exposed as authorized entity routes? | [Registry Relay](../../products/registry-relay/) | | How is `metadata.yaml` validated or rendered into standards-facing artifacts? | [Registry Manifest](https://github.com/registrystack/registry-stack) | | How is a claim evaluated, delegated to a trusted Notary, or turned into an attestation or credential? | [Registry Notary](../../products/registry-notary/) | -| How do the services run together in a local demo? | [Registry Lab](https://github.com/registrystack/registry-stack/blob/v0.8.4/lab/README.md) | +| How do the services run together in a local demo? | [Registry Lab](https://github.com/registrystack/registry-stack/blob/v0.9.0/lab/README.md) | Cross-project explanation, standards evidence, and contract indexes live in these docs (not in any one project repo). @@ -86,10 +86,10 @@ Registry Manifest is a pure library and CLI with no runtime data dependencies. doesn't run inside a gateway. {/* Evidence: Boundary section, "must not depend on Registry Relay, Axum, DataFusion, Postgres, auth, audit, observability, runtime row access", - crates/registry-manifest-core/README.md:33-41 at tag v0.8.4. */} + crates/registry-manifest-core/README.md:33-41 at tag v0.9.0. */} - Auth, audit, observability, or secret handling. These are intentionally excluded so the library can be used without running any runtime service. - {/* Evidence: Boundary section, crates/registry-manifest-core/README.md:33-41 at tag v0.8.4. */} + {/* Evidence: Boundary section, crates/registry-manifest-core/README.md:33-41 at tag v0.9.0. */} - Production source configuration. Source paths, table IDs, scopes, cache paths, and backend runtime details belong in Registry Relay configuration, not in portable manifests. {/* Evidence: contracts.yaml, registry-manifest.metadata-yaml consumer note. */} @@ -106,11 +106,11 @@ Registry Relay exposes protected read-only APIs over registry sources. It does n - Record provisioning or writes. The README explicitly states write operations are out of scope for v1. {/* Evidence: "Provisioning and Write are intentionally out of scope for V1", - crates/registry-relay/README.md:20 at tag v0.8.4. */} + crates/registry-relay/README.md:20 at tag v0.9.0. */} - Portable metadata schema ownership. The `metadata.yaml` manifest format and its renderers are owned by Registry Manifest. Registry Relay may serve compiled artifacts over HTTP and scope them for callers, but the schema is defined and versioned in Registry Manifest. - {/* Evidence: crates/registry-manifest-core/README.md:7-9 at tag v0.8.4 (schema ownership); + {/* Evidence: crates/registry-manifest-core/README.md:7-9 at tag v0.9.0 (schema ownership); registry-relay evidence packet, metadata publication section. */} - Standalone claim service internals owned by Registry Notary. Registry Relay can declare evidence offerings and route clients to a Registry Notary endpoint, but claim evaluation, @@ -125,7 +125,7 @@ Registry Relay exposes protected read-only APIs over registry sources. It does n configuration surface. */} Registry Relay is not an open-data portal. It publishes restricted consultation APIs for authorized -systems only. {/* Evidence: crates/registry-relay/README.md:16 at tag v0.8.4. */} +systems only. {/* Evidence: crates/registry-relay/README.md:16 at tag v0.9.0. */} ## Registry Notary @@ -135,9 +135,9 @@ Registry Notary evaluates claims and issues SD-JWT VC credentials. It does not o HTTP using a source connector; it does not import or link Registry Relay libraries. Both services can depend on Registry Platform. {/* Evidence: the registry_data_api HTTP source connector is SourceConnectorKind::RegistryDataApi, - crates/registry-notary-core/src/config.rs:6175-6180 at tag v0.8.4; no registry-relay + crates/registry-notary-core/src/config.rs:6353-6360 at tag v0.9.0; no registry-relay dependency appears in any registry-notary* Cargo.toml, while registry-platform-* deps do, - crates/registry-notary-server/Cargo.toml:22-34 at tag v0.8.4. */} + crates/registry-notary-server/Cargo.toml:22-34 at tag v0.9.0. */} - Portable metadata renderers owned by Registry Manifest. Registry Notary does not produce DCAT, SHACL, BRegDCAT-AP, or OGC Records artifacts. {/* Evidence: registry-notary evidence packet, standards not found in code section: "DCAT: no @@ -150,7 +150,7 @@ Registry Notary evaluates claims and issues SD-JWT VC credentials. It does not o static-peer delegated evaluation only. {/* Evidence: FederationRuntimeState::from_config iterates config.peers with no dynamic discovery path, crates/registry-notary-server/src/federation/runtime.rs:32-50 at - tag v0.8.4. */} + tag v0.9.0. */} - Registry Notary does not inspect published discovery artifacts, parse DCAT catalogs, or run capability queries. @@ -167,8 +167,8 @@ Registry Lab is a compose-based local demo. It does not own: - Production deployment guidance. The demo uses CSV, XLSX, and Parquet fixtures and demo-grade credentials. It is not a reference for production configuration. {/* Evidence: "pre-1.0 technical release for evaluation and integration pilots", - lab/README.md:3-5 at tag v0.8.4; synthetic CSV, XLSX, and Parquet fixtures, - lab/README.md:692-695; demo credentials, lab/README.md:742-744; projects.yaml, + lab/README.md:3-5 at tag v0.9.0; synthetic CSV, XLSX, and Parquet fixtures, + lab/README.md:659-670; demo credentials, lab/README.md:707-728; projects.yaml, registry-lab does_not_own "Production deployment guidance". */} - Normative API or metadata contracts. API contracts are owned by Registry Relay and Registry Notary; metadata contracts are owned by Registry Manifest. diff --git a/docs/site/src/content/docs/operate/upgrade-and-rollback.mdx b/docs/site/src/content/docs/operate/upgrade-and-rollback.mdx index 71a694886..43b443835 100644 --- a/docs/site/src/content/docs/operate/upgrade-and-rollback.mdx +++ b/docs/site/src/content/docs/operate/upgrade-and-rollback.mdx @@ -19,8 +19,10 @@ It applies to deployments that consume release artifacts (binaries or the One term needs disambiguating up front. This page uses "roll back" for redeploying the previous release of the software. The governed-configuration feature has a separate control called anti-rollback, which rejects config bundles older than the last applied sequence. -The two interact: rolling back the software does not permit activating an older config -sequence. The [revert section](#roll-back-to-the-previous-release) covers this. +The two interact, but anti-rollback state formats can also change between releases. Keep +version-specific config and state restore sets, and restore the previous release's exact +anti-rollback state before starting its binary. The +[revert section](#roll-back-to-the-previous-release) covers this. {/* TODO[review]: GH#203 requires this procedure to be exercised at least once against a real topology. A partial exercise record now exists at @@ -31,15 +33,16 @@ sequence. The [revert section](#roll-back-to-the-previous-release) covers this. ## Prerequisites -- Your deployment pins a version tag (`v0.8.4`) or an image digest, never `latest`. +- Your deployment pins a version tag (`v0.9.0`) or an image digest, never `latest`. - You know where your deployment keeps its persistent state. At minimum: the audit log directory of each product, the anti-rollback state file if `config_trust` is enabled (`antirollback_state_path`), the Redis instance backing replay and nonce state for Registry Notary, and your config files and secrets. For generated and single-node Compose deployments, follow [Back up and restore a deployment](../backup-and-restore/) - before changing the running containers. + before changing the running containers. Store each release's config and anti-rollback + state as a separate restore set; do not overwrite an older set with a newer file. - You can run the release-verification steps in - [SECURITY.md](https://github.com/registrystack/registry-stack/blob/v0.8.4/SECURITY.md) + [SECURITY.md](https://github.com/registrystack/registry-stack/blob/v0.9.0/SECURITY.md) (cosign, and slsa-verifier for releases with provenance). ## Upgrade @@ -77,7 +80,9 @@ sequence. The [revert section](#roll-back-to-the-previous-release) covers this. 4. Back up state that a failed upgrade must not lose: `secrets/local.env`, the audit log directory (copy, never truncate or edit; the hash chain makes hand-edited files unverifiable), the anti-rollback state file, Redis replay and nonce state, and your - config and source files as currently deployed. + config and source files as currently deployed. Record hashes and permissions without + printing secrets, label the restore set with the running release, and leave it unchanged + when the target release creates or updates its own anti-rollback state. 5. Deploy the new release alongside or in place of the old one, per your orchestration. Keep the old release's binary or image reference and config available until the soak @@ -103,22 +108,25 @@ sequence. The [revert section](#roll-back-to-the-previous-release) covers this. issuance, metrics, Redis replay/nonce survival, and anti-rollback monotonicity were not exercised by that run. -7. Keep the previous release's artifacts and config until the new release has run through - your soak period. Only then remove them. +7. Keep the previous release's artifacts, config, and exact anti-rollback state restore set + until the new release has run through your soak period. Only then remove them under your + retention policy. ## Roll back to the previous release If the new release misbehaves and the cause is not a config error you can fix forward: -1. Redeploy the previous release's binary or image (the one you kept in the upgrade - procedure) with the config that was running before the upgrade. +1. Stop the target release. Restore the previous release's binary or image, the config that + was running before the upgrade, and that release's exact anti-rollback state at its + configured path. Retain the target release's state separately. Never start the previous + binary against a newer release's state file. 2. Respect the constraints that survive a software roll-back: - - Anti-rollback state is monotonic. If you activated a new signed config bundle after - upgrading, the previous software with the previous config still loads, but you cannot - activate an older bundle over a newer sequence number. Roll back the software, not the - accepted config sequence. + - Anti-rollback state is release-specific durable evidence. Restore the exact prior + release file, including its hash and permissions. Do not delete or reinitialize either + release's state to make a bundle boot, and do not copy a newer state file over the + prior restore set. Sequence monotonicity continues within each retained state lineage. - The audit chain must stay continuous. Never truncate or rewrite audit files to "match" the previous state; the chain verifies across the retained files, and the record of the failed upgrade is evidence, not noise. @@ -145,9 +153,10 @@ If the new release misbehaves and the cause is not a config error you can fix fo the problem body reports the generic code `readiness.not_ready` for any failing readiness check, including a profile gate; check the admin posture surface's deployment object to confirm whether a gate finding is the cause. -- Config bundle activation is rejected with a rollback outcome after reverting: expected. The - anti-rollback store saw a newer sequence. Issue a new bundle with a higher sequence - instead of activating the old one. +- Config bundle activation is rejected with a rollback outcome after reverting: confirm the + previous release's exact config and anti-rollback state restore set is in place. Do not + delete or reinitialize state. If the restored lineage itself has already accepted a newer + sequence, issue a valid bundle with a higher sequence instead of activating an older one. ## Next diff --git a/docs/site/src/content/docs/reference/api-stability.mdx b/docs/site/src/content/docs/reference/api-stability.mdx index 6dec43428..2d9079e11 100644 --- a/docs/site/src/content/docs/reference/api-stability.mdx +++ b/docs/site/src/content/docs/reference/api-stability.mdx @@ -61,7 +61,7 @@ The enforcement column names the repository CI checks so the mechanism is audita | Registry Manifest schema and rendered artifacts | `registry-manifest/v1` and the rendered artifact schema versions, governed by [RS-DM-MANIFEST](../../spec/rs-dm-manifest/) | `validate_manifest` accepts only `registry-manifest/v1`; REQ-DM-MANIFEST-013 requires strict unknown-key rejection at parse time | | Source-adapter integration surfaces | The sidecar Registry Data API HTTP contract (`crates/registry-notary-source-adapter-sidecar/README.md`) and the Rhai `lookup(ctx)` scripting API | Contract described in the sidecar README; exposure manifest lists the sidecar routes | | Command-line interfaces | Documented commands and flags of `registryctl`, `registry-relay`, `registry-notary`, and `registry-manifest`, and their machine-readable output modes (`--format json`, `openapi`, `schema`) | CLI reference pages; `registryctl` version test | -| Release artifacts and verification interface | Released binary and image names (`ghcr.io/registrystack/registry-relay`, `ghcr.io/registrystack/registry-notary`, `ghcr.io/registrystack/registry-notary-source-adapter-sidecar`), signature and provenance layout per `release/VERIFY.md` | Release workflow; signed assets verified as documented in [SECURITY.md](https://github.com/registrystack/registry-stack/blob/v0.8.4/SECURITY.md) | +| Release artifacts and verification interface | Released binary and image names (`ghcr.io/registrystack/registry-relay`, `ghcr.io/registrystack/registry-notary`, `ghcr.io/registrystack/registry-notary-source-adapter-sidecar`), signature and provenance layout per `release/VERIFY.md` | Release workflow; signed assets verified as documented in [SECURITY.md](https://github.com/registrystack/registry-stack/blob/v0.9.0/SECURITY.md) | {/* TODO[review]: Prometheus metric names are not in this table. Operators build dashboards on them and both products have renamed metrics pre-1.0. Decide the tier: covered like an diff --git a/docs/site/src/content/docs/reference/registryctl.mdx b/docs/site/src/content/docs/reference/registryctl.mdx index 9acd67425..8338cb8b8 100644 --- a/docs/site/src/content/docs/reference/registryctl.mdx +++ b/docs/site/src/content/docs/reference/registryctl.mdx @@ -13,12 +13,12 @@ standards_referenced: [] `registryctl` is the local adopter command-line tool for Registry Stack. It creates a local project, starts and stops the generated services, and runs validation and smoke checks against them. -This page lists the commands, subcommands, and flags released in registryctl `v0.8.4`. Run `registryctl --help` for the built-in usage text. Most human-facing commands also perform a once-per-day update check; see [Update check](#update-check). +This page lists the commands, subcommands, and flags released in registryctl `v0.9.0`. Run `registryctl --help` for the built-in usage text. Most human-facing commands also perform a once-per-day update check; see [Update check](#update-check). ## Project setup `init` creates a local project. `add` adds a product to the current project. -Beginning with registryctl `v0.9.0`, both generation commands require the strict +In registryctl `v0.9.0`, both generation commands require the strict `registryctl-vX.Y.Z-image-lock.json` from the same release beside the running binary. Set `REGISTRYCTL_IMAGE_LOCK` only when an operator has verified the same file at a separate explicit path. Registryctl does not search the current @@ -159,4 +159,4 @@ Related environment variables are listed in the [environment variable reference] ## Source -The command tree, subcommands, and flags above come from the registryctl source. For the canonical definitions, read the [registryctl command tree in `src/main.rs`](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registryctl/src/main.rs). +The command tree, subcommands, and flags above come from the registryctl source. For the canonical definitions, read the [registryctl command tree in `src/main.rs`](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registryctl/src/main.rs). diff --git a/docs/site/src/content/docs/security/hardening-checklist.mdx b/docs/site/src/content/docs/security/hardening-checklist.mdx index 957c5a53d..5c920bcc3 100644 --- a/docs/site/src/content/docs/security/hardening-checklist.mdx +++ b/docs/site/src/content/docs/security/hardening-checklist.mdx @@ -129,9 +129,9 @@ or the [Registry Notary operator configuration reference](../../products/registr ## Deployment profile and posture endpoint -- Declare `deployment.profile` explicitly. An omitted profile binds no gates and only raises a - `deployment.profile_undeclared` warning, so a silent gap stays silent until you declare a - profile. +- Declare `deployment.profile` explicitly. An omitted profile produces the + `deployment.profile_undeclared` startup failure in both Relay and Notary. Neither product + infers `local` or another profile from its hostname, listener, or network placement. - Treat `evidence_grade` as requiring a signed local config bundle: running it from a plain local YAML file trips `relay.config.unsigned` / `notary.config.unsigned` and the process refuses to start. @@ -177,7 +177,7 @@ or the [Registry Notary operator configuration reference](../../products/registr | Symptom | Cause | Fix | | --- | --- | --- | | Process refuses to start after declaring `production` or `evidence_grade` | A `startup_fail` gate tripped (for example missing audit sink or unsigned config) | Check the posture or startup log for the finding id, then fix the underlying condition; `startup_fail` gates cannot be waived | -| Posture reports `deployment.profile_undeclared` | No `deployment.profile` set | Declare a profile explicitly; an omitted profile is not the same as `local` | +| Startup reports `deployment.profile_undeclared` | No `deployment.profile` is set | Declare the actual profile explicitly before restarting; an omitted profile is not the same as `local` | | Posture reports `deployment.waiver_expired` | A waiver's `expires` date passed | Re-review the finding and either fix it or issue a new waiver with a new expiry | ## Next diff --git a/docs/site/src/content/docs/security/report-a-vulnerability.mdx b/docs/site/src/content/docs/security/report-a-vulnerability.mdx index 76eda8c09..e0ad2cec1 100644 --- a/docs/site/src/content/docs/security/report-a-vulnerability.mdx +++ b/docs/site/src/content/docs/security/report-a-vulnerability.mdx @@ -65,7 +65,7 @@ For each signed release asset, download the asset, its `.sig` signature, and its certificate from the GitHub Release, then verify: ```bash -asset=registryctl-v0.8.4-linux-amd64 # replace with the asset you downloaded +asset=registryctl-v0.9.0-linux-amd64 # replace with the asset you downloaded cosign verify-blob \ --certificate "${asset}.pem" \ diff --git a/docs/site/src/content/docs/security/support-window.mdx b/docs/site/src/content/docs/security/support-window.mdx index ed7f97761..32b1520d2 100644 --- a/docs/site/src/content/docs/security/support-window.mdx +++ b/docs/site/src/content/docs/security/support-window.mdx @@ -49,7 +49,7 @@ always in a newer release. - A security fix ships as a release with signed artifacts and provenance, verifiable as documented in - [SECURITY.md](https://github.com/registrystack/registry-stack/blob/v0.8.4/SECURITY.md). + [SECURITY.md](https://github.com/registrystack/registry-stack/blob/v0.9.0/SECURITY.md). - Release notes identify security-relevant changes. When a fix required tightening covered surface, the notes say so explicitly, per the security exception in the [deprecation policy](../../reference/deprecation-policy/). diff --git a/docs/site/src/content/docs/spec/rs-pr-notary.mdx b/docs/site/src/content/docs/spec/rs-pr-notary.mdx index 91873d55e..8c3914edb 100644 --- a/docs/site/src/content/docs/spec/rs-pr-notary.mdx +++ b/docs/site/src/content/docs/spec/rs-pr-notary.mdx @@ -269,12 +269,12 @@ This specification is `verified`: every requirement describes shipped behavior a - [Evidence issuance, end to end](../../explanation/evidence-issuance/) walks the claim pipeline, the four consume paths, and the selective-disclosure mechanics that Sections 4 through 9 make precise. - The [standards register](../../reference/standards/) records the adoption mode for SD-JWT VC, OID4VCI, CCCEV, and the other standards listed in `standards_referenced`, including the profiled-subset claims this document refers to. - [RS-ARC-G](../rs-arc-g/) Section 3 and Section 5 hold the architectural invariants (REQ-ARC-G-004/007/008/009) that this document refines. -- Delegated self-attestation access modes, source capabilities, stored metadata, and denial reasons are implemented in [`model.rs`](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/model.rs). -- Delegated relationship configuration validation is implemented in [`config.rs`](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/config.rs). -- Request context derivation, stored-evaluation revalidation, OID4VCI delegated-token rejection, explicit target binding, and proof-gated source reads are implemented in [`api.rs`](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/api.rs) and [`runtime.rs`](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/runtime.rs). -- OIDC principal derivation from the configured principal claim, without client id, authorized party, or audience fallback (REQ-PR-NOTARY-034), is implemented in [`standalone.rs`](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/standalone.rs)'s `principal_from_oidc` function and its `oidc_principal_requires_configured_principal_claim` test. -- The issuer-bound self-attestation transaction-token gate (REQ-PR-NOTARY-035) is implemented in [`api.rs`](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/api.rs)'s `self_attestation_requires_authorization_details` function. -- The issuer-bound OID4VCI transaction-detail gate (REQ-PR-NOTARY-036) is implemented in [`api.rs`](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/api.rs)'s `oid4vci_requires_authorization_details` and `require_oid4vci_issuance_authorization_details` functions. +- Delegated self-attestation access modes, source capabilities, stored metadata, and denial reasons are implemented in [`model.rs`](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-core/src/model.rs). +- Delegated relationship configuration validation is implemented in [`config.rs`](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-core/src/config.rs). +- Request context derivation, stored-evaluation revalidation, OID4VCI delegated-token rejection, explicit target binding, and proof-gated source reads are implemented in [`api.rs`](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/api.rs) and [`runtime.rs`](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/runtime.rs). +- OIDC principal derivation from the configured principal claim, without client id, authorized party, or audience fallback (REQ-PR-NOTARY-034), is implemented in [`standalone.rs`](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/standalone.rs)'s `principal_from_oidc` function and its `oidc_principal_requires_configured_principal_claim` test. +- The issuer-bound self-attestation transaction-token gate (REQ-PR-NOTARY-035) is implemented in [`api.rs`](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/api.rs)'s `self_attestation_requires_authorization_details` function. +- The issuer-bound OID4VCI transaction-detail gate (REQ-PR-NOTARY-036) is implemented in [`api.rs`](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/api.rs)'s `oid4vci_requires_authorization_details` and `require_oid4vci_issuance_authorization_details` functions. ## Next diff --git a/docs/site/src/content/docs/start/credential-tour.mdx b/docs/site/src/content/docs/start/credential-tour.mdx index 93e3ff0d5..4d9e4ad0e 100644 --- a/docs/site/src/content/docs/start/credential-tour.mdx +++ b/docs/site/src/content/docs/start/credential-tour.mdx @@ -1,6 +1,6 @@ --- title: Get a verifiable credential from the hosted lab -description: In the hosted lab, watch Registry Notary issue a signed, privacy-preserving verifiable credential to a hosted demo wallet, with zero install. +description: Held hosted-lab guide for Registry Notary credential issuance; use the local Notary tutorial for the current first-run route. status: current owner: registry-docs source_repos: @@ -16,7 +16,16 @@ standards_referenced: import QuickstartMeta from '../../../components/QuickstartMeta.astro'; -In the hosted lab, **Registry Notary** issues a signed verifiable credential to a hosted demo wallet that +:::caution[Hosted first-run publication held] +Do not use this page as the current first-run route. The documented demo identity is refused with +`relay_auth_subject_denied` in +[GH#330](https://github.com/registrystack/registry-stack/issues/330), and the complete +[GH#198](https://github.com/registrystack/registry-stack/issues/198) fresh-reader run is unfinished. +Use [the local Notary tutorial](../../tutorials/verify-claim-registry-api/) instead. +::: + +When the hosted identity failure is resolved and this path passes its fresh-reader gate, +**Registry Notary** issues a signed verifiable credential to a hosted demo wallet that answers a question without exposing the underlying record. This is a guided browser flow, not a curl sequence: a real [OID4VCI](../../reference/glossary/) issuance needs a holder key and a sign-in, which is wallet territory. You do not need to install a wallet: the lab hosts a demo @@ -25,9 +34,9 @@ the credential end to end in the browser. Everything runs in the hosted lab at [lab.registrystack.org](https://lab.registrystack.org), so this page has no setup on your machine. @@ -109,4 +118,4 @@ not vouch for a subject you did not authenticate as. | Symptom | Cause | Fix | | --- | --- | --- | | The hosted lab or a service URL does not respond | n/a | [First run with Solmara Lab](../../tutorials/first-run-with-solmara-lab/) runs a separate, fully local multi-service demo if the hosted lab is unavailable | -| Sign-in refuses the documented demo identity (`relay_auth_subject_denied`) | The hosted deployment's identity set has drifted from these instructions. | File a [registry-stack issue](https://github.com/registrystack/registry-stack/issues); in the meantime, [First run with Solmara Lab](../../tutorials/first-run-with-solmara-lab/) walks through an equivalent evidence flow entirely locally. | +| Sign-in refuses the documented demo identity (`relay_auth_subject_denied`) | The hosted deployment's identity set has drifted from these instructions. | Track [GH#330](https://github.com/registrystack/registry-stack/issues/330); in the meantime, [First run with Solmara Lab](../../tutorials/first-run-with-solmara-lab/) walks through an equivalent evidence flow entirely locally. | diff --git a/docs/site/src/content/docs/start/quickstart.mdx b/docs/site/src/content/docs/start/quickstart.mdx index 7c096f5f2..38ac8e1e9 100644 --- a/docs/site/src/content/docs/start/quickstart.mdx +++ b/docs/site/src/content/docs/start/quickstart.mdx @@ -14,6 +14,15 @@ standards_referenced: [] import QuickstartMeta from '../../../components/QuickstartMeta.astro'; +:::caution[Hosted first-run publication held] +The Relay-only steps passed their latest verification, but this hosted page is not the promoted +first-run route while the credential failure in +[GH#330](https://github.com/registrystack/registry-stack/issues/330) remains open and the complete +[GH#198](https://github.com/registrystack/registry-stack/issues/198) fresh-reader run is unfinished. +Use [the local Registry Relay tutorial](../../tutorials/publish-spreadsheet-secured-registry-api/) +for the current first run. +::: + In about five minutes you can read a protected registry API from your terminal, with zero install, against a public hosted lab. You will call **Registry Relay**, which returns records to authorized callers, and watch it enforce scope: the same API answers some requests and refuses others, @@ -35,8 +44,8 @@ Do not reuse anything you copy here outside the lab. The lab runs a civil-registry **Relay** you will call directly in this tutorial: a protected, scoped, read-only HTTP API over a civil registry source, at [civil-relay.lab.registrystack.org](https://civil-relay.lab.registrystack.org). The lab also runs -**Registry Notary** services for the next step in this journey; see -[Get a verifiable credential from the hosted lab](../credential-tour/). For how these connect to the rest of +**Registry Notary** services for the held credential path; see the +[hosted credential tour (held)](../credential-tour/). For how these connect to the rest of the stack, see the [architecture overview](../../explanation/architecture/). For the full set of live demo credentials, identities, and ready-made requests, open the lab homepage at [lab.registrystack.org](https://lab.registrystack.org). @@ -136,10 +145,10 @@ read one record (`200`), and the same metadata-scope token was refused at the ro ## Next -- [Get a verifiable credential from the hosted lab](../credential-tour/): continue in the same hosted - lab and see Registry Notary issue a privacy-preserving credential. - [Run a protected registry API locally](../../tutorials/publish-spreadsheet-secured-registry-api/): stand up your own protected Relay from a sample workbook. +- [Hosted credential tour (held)](../credential-tour/): this continuation remains available for + inspection but is not the promoted first-run path. ## Troubleshooting diff --git a/docs/site/src/content/docs/start/when-to-use.mdx b/docs/site/src/content/docs/start/when-to-use.mdx index d314bec8d..cb78060ed 100644 --- a/docs/site/src/content/docs/start/when-to-use.mdx +++ b/docs/site/src/content/docs/start/when-to-use.mdx @@ -93,6 +93,7 @@ Registry Stack deliberately leaves these to other systems: ## Next -- [Quickstart](../quickstart/) +- [Run a protected registry API locally](../../tutorials/publish-spreadsheet-secured-registry-api/) +- [Evaluate a claim with Registry Notary](../../tutorials/verify-claim-registry-api/) - [Choose by question (homepage router)](../../) - [Architecture overview](../../explanation/architecture/) diff --git a/docs/site/src/content/docs/tutorials/deploy-standalone-with-own-data.mdx b/docs/site/src/content/docs/tutorials/deploy-standalone-with-own-data.mdx index 19dc2b317..52738d9d5 100644 --- a/docs/site/src/content/docs/tutorials/deploy-standalone-with-own-data.mdx +++ b/docs/site/src/content/docs/tutorials/deploy-standalone-with-own-data.mdx @@ -39,7 +39,7 @@ published at [Run single-node Compose behind your reverse proxy](../../operate/single-node-compose-behind-proxy/). Kubernetes and high-availability profiles are outside the 1.0 deployment profile. Before exposing any deployment beyond local evaluation, work through that guide and the -[Relay operations runbook](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/ops.md) +[Relay operations runbook](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/ops.md) production hardening checklist. ## Before you start @@ -57,22 +57,22 @@ Replace every `example.gov` value, dataset id, field name, and credential with y ## Get the Registry Relay image Registry Relay release images publish to `ghcr.io/registrystack/registry-relay` from stable -release tags such as `v0.8.4`. +release tags such as `v0.9.0`. Consume a version tag or an image digest, not `latest`, so your deployment is reproducible and you can roll back. The published versions are listed on the [Relay releases page](https://github.com/registrystack/registry-stack/releases). -The current Registry Stack release is `v0.8.4`, so the following examples use that tag. +The current Registry Stack release is `v0.9.0`, so the following examples use that tag. Replace it with a newer release tag when you intentionally upgrade. For the image signing policy, see the Relay -[security assurance notes](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/security-assurance.md) -and the [build and release section](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/ops.md#build-and-release) +[security assurance notes](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/security-assurance.md) +and the [build and release section](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/ops.md#build-and-release) of the operations runbook. Pull the version you intend to run: ```sh -docker pull ghcr.io/registrystack/registry-relay:v0.8.4 +docker pull ghcr.io/registrystack/registry-relay:v0.9.0 ``` The images are published for `linux/amd64` only; on an Arm host (Apple silicon), prefix @@ -84,7 +84,7 @@ You can override the config path with the `--config` flag or the `REGISTRY_RELAY environment variable. If you build from source instead of consuming a published image, follow the -[build and release section](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/ops.md#build-and-release) +[build and release section](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/ops.md#build-and-release) of the operations runbook; the source build needs the pinned sibling checkouts it documents. ## Lay out the deployment directory @@ -105,18 +105,21 @@ Mount the data directory read-only and keep a separate writable cache directory; ## Write the minimal Relay config Start from the canonical -[`config/example.yaml`](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/config/example.yaml) +[`config/example.yaml`](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/config/example.yaml) and the -[configuration guide](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/configuration.md), +[configuration guide](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/configuration.md), which is the authoritative reference for every block. -A minimal deployment needs five blocks: `server` (a listener), `catalog` (public metadata -base), `auth` (one auth mode), `audit` (a sink and hash secret), and at least one -entry in `datasets`. Every other root block is optional. +A minimal deployment needs six blocks: `deployment` (an explicit profile), `server` (a +listener), `catalog` (public metadata base), `auth` (one auth mode), `audit` (a sink and +hash secret), and at least one entry in `datasets`. Every other root block is optional. The following example exposes one dataset backed by a CSV file with a `person` entity. Adapt the ids, fields, and scopes to your data. ```yaml +deployment: + profile: local + server: bind: 0.0.0.0:8080 cache_dir: /var/lib/registry-relay/cache @@ -231,7 +234,7 @@ Key points the configuration guide spells out in full: For aggregates, relationships, OIDC auth, Postgres sources, live materialization, and provenance signing, follow the corresponding sections of the -[configuration guide](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/configuration.md). +[configuration guide](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/configuration.md). ## Provision the API-key fingerprint @@ -244,7 +247,7 @@ The Relay binary generates the raw key and fingerprint together. Run it through the same container image, passing the `id` from your `api_keys` entry: ```sh -docker run --rm ghcr.io/registrystack/registry-relay:v0.8.4 generate-api-key --id program_system +docker run --rm ghcr.io/registrystack/registry-relay:v0.9.0 generate-api-key --id program_system ``` The command emits three shell-friendly lines: @@ -273,7 +276,7 @@ restart or roll Relay so it resolves the new fingerprint. For governed rotation, publish the new fingerprint under a new immutable or versioned reference, update `fingerprint.name` or `fingerprint.path`, and apply that signed config change with the new binary. -The [API keys section](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/configuration.md#api-keys) +The [API keys section](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/configuration.md#api-keys) of the configuration guide documents the underlying contract. ## Run the container @@ -300,7 +303,7 @@ docker run --rm \ -v "$(pwd)/cache:/var/lib/registry-relay/cache" \ -e PROGRAM_SYSTEM_API_KEY_HASH="sha256:" \ -e REGISTRY_RELAY_AUDIT_HASH_SECRET="$REGISTRY_RELAY_AUDIT_HASH_SECRET" \ - ghcr.io/registrystack/registry-relay:v0.8.4 + ghcr.io/registrystack/registry-relay:v0.9.0 ``` Relay exits non-zero if config parsing or validation fails, if a required API-key fingerprint @@ -378,7 +381,7 @@ If you point API tooling at the deployment, note that `/openapi.json` is auth-ga If `/ready` returns `503`, the source failed to ingest; check the container logs for the failing table and the declared schema. The -[readiness and probes section](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/ops.md) +[readiness and probes section](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/ops.md) of the operations runbook explains the readiness contract. ## Add a standalone Registry Notary alongside @@ -397,15 +400,15 @@ layer; the reference pages at the [end of this section](#go-deeper-on-notary) co ### Get the Registry Notary image Registry Notary release images publish to `ghcr.io/registrystack/registry-notary` from stable -release tags such as `v0.8.4`. +release tags such as `v0.9.0`. As with Relay, consume a version tag or an image digest, not `latest`. The published versions are listed on the [Notary releases page](https://github.com/registrystack/registry-stack/releases). -The current Registry Stack release is `v0.8.4`, so the following examples use that tag. +The current Registry Stack release is `v0.9.0`, so the following examples use that tag. Replace it with a newer release tag when you intentionally upgrade. ```sh -docker pull ghcr.io/registrystack/registry-notary:v0.8.4 +docker pull ghcr.io/registrystack/registry-notary:v0.9.0 ``` The container listens on port 8080. Unlike Relay, the Notary entrypoint does not @@ -431,7 +434,7 @@ read scope: Generate the key material the same way as before, with the matching `--id`: ```sh -docker run --rm ghcr.io/registrystack/registry-relay:v0.8.4 generate-api-key --id notary_source +docker run --rm ghcr.io/registrystack/registry-relay:v0.9.0 generate-api-key --id notary_source ``` Store the emitted `fingerprint` for the Relay container's `NOTARY_SOURCE_API_KEY_HASH` @@ -464,7 +467,7 @@ docker run --rm \ -e PROGRAM_SYSTEM_API_KEY_HASH="sha256:" \ -e NOTARY_SOURCE_API_KEY_HASH="sha256:" \ -e REGISTRY_RELAY_AUDIT_HASH_SECRET="$REGISTRY_RELAY_AUDIT_HASH_SECRET" \ - ghcr.io/registrystack/registry-relay:v0.8.4 + ghcr.io/registrystack/registry-relay:v0.9.0 ``` On this network, Notary reaches Relay at `http://relay:8080`; the host keeps using @@ -477,7 +480,7 @@ evaluate claims) with the same fingerprint pattern as Relay. Generate a caller key with the Notary CLI: ```sh -docker run --rm ghcr.io/registrystack/registry-notary:v0.8.4 hash-api-key --print-secret +docker run --rm ghcr.io/registrystack/registry-notary:v0.9.0 hash-api-key --print-secret ``` The command prints two lines: `api_key=` and @@ -502,6 +505,9 @@ with the source connection pointed at the Relay from `registry_data_api` contract: ```yaml +deployment: + profile: local + server: bind: 0.0.0.0:8080 @@ -584,7 +590,7 @@ docker run --rm \ -e REGISTRY_NOTARY_API_KEY_HASH="sha256:" \ -e REGISTRY_NOTARY_AUDIT_HASH_SECRET="$REGISTRY_NOTARY_AUDIT_HASH_SECRET" \ -e RELAY_SOURCE_TOKEN="$RELAY_SOURCE_TOKEN" \ - ghcr.io/registrystack/registry-notary:v0.8.4 \ + ghcr.io/registrystack/registry-notary:v0.9.0 \ --config /etc/registry-notary/config.yaml ``` @@ -604,15 +610,15 @@ docker run --rm \ -e REGISTRY_NOTARY_API_KEY_HASH="sha256:" \ -e REGISTRY_NOTARY_AUDIT_HASH_SECRET="$REGISTRY_NOTARY_AUDIT_HASH_SECRET" \ -e RELAY_SOURCE_TOKEN="$RELAY_SOURCE_TOKEN" \ - ghcr.io/registrystack/registry-notary:v0.8.4 \ + ghcr.io/registrystack/registry-notary:v0.9.0 \ doctor --config /etc/registry-notary/config.yaml --format json ``` `doctor --format json` emits `schema_version: registry.config.diagnostic_report.v1` with a `status` of `ok`, `warning`, or `error`, and reports missing environment variables, malformed -fingerprints, and broken source references. With this guide's minimal config the expected result -is `status: warning` with a single `deployment.profile_undeclared` finding, because the config -declares no deployment profile; declare `deployment.profile: local` to silence it. +fingerprints, broken source references, and deployment-profile failures. This guide declares +`deployment.profile: local` explicitly. Removing it produces `status: error`, and the v0.9.0 +server refuses to start rather than inferring a profile. `explain-config --format json` prints the resolved configuration and the env vars it requires. For exercising the claim end to end (request shapes, outcomes, and credential issuance on top), work through [Evaluate a claim with Registry Notary](../verify-claim-registry-api/), which runs @@ -633,7 +639,7 @@ Notary's own operator documentation is the authoritative own-keys path: [Write the minimal Notary config](#write-the-minimal-notary-config). The -[Operating with Registry Notary section](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/ops.md#operating-with-registry-notary) +[Operating with Registry Notary section](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/ops.md#operating-with-registry-notary) of the Relay runbook documents the credential handshake the two services use, matching the steps this guide followed: a narrowly scoped Relay key for the Notary source caller, a separate Notary caller key, and `_env` secret indirection on both sides so raw tokens stay out of YAML. @@ -654,19 +660,19 @@ Your config files, data, generated keys, and the `cache` directory stay on disk. | Symptom | Cause | Fix | | --- | --- | --- | -| The Relay container exits immediately after `docker run` | Config parsing or validation failed, a required API-key fingerprint environment variable is missing, or the listener could not bind. | Run `docker logs` on the container and fix the field or environment variable named in the error. | +| The Relay container exits immediately after `docker run` | Config parsing or validation failed, `deployment.profile` is missing, a required API-key fingerprint environment variable is missing, or the listener could not bind. | Keep `deployment.profile: local` for this tutorial, run `docker logs` on the container, and fix the field or environment variable named in the error. | | `/ready` returns `503` | A configured source failed to ingest. | Check the container logs for the failing table and compare it against the declared `schema` in `config.yaml`. | | The Relay container exits at startup citing the audit hash secret | `REGISTRY_RELAY_AUDIT_HASH_SECRET` is missing or under 32 bytes. | Generate one with `openssl rand -hex 32`, export it, and rerun the container. | | Ingestion fails on the first cache write | The cache mount is missing, or its host path does not match `server.cache_dir`. | Create the `cache` directory and mount it read-write at the path named in `server.cache_dir`. | | `curl .../v1/datasets` returns `401 Unauthorized` | No `Authorization` header was sent, or the wrong raw key was used. | Send `Authorization: Bearer $RAW_KEY` with the key matching the fingerprint you provisioned. | -| Notary `doctor --format json` reports `status: error` | A required environment variable is missing, a fingerprint is malformed, or a source reference is broken. | Read the reported field, fix `notary-config.yaml` or the environment variable, and rerun `doctor`. | +| Notary `doctor --format json` reports `status: error` | `deployment.profile` is missing, a required environment variable is missing, a fingerprint is malformed, or a source reference is broken. | Keep `deployment.profile: local` for this tutorial, read the reported field, fix `notary-config.yaml` or the environment variable, and rerun `doctor`. | | The Notary container cannot reach Relay at `http://relay:8080` | Relay and Notary are not on the same Docker network. | Confirm both containers run with `--network registry-net` and that the Relay container is named `relay`. | ## Next -- [Relay configuration guide](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/configuration.md): +- [Relay configuration guide](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/configuration.md): the full block-by-block reference for aggregates, OIDC, Postgres, and provenance. -- [Relay operations runbook](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/ops.md): +- [Relay operations runbook](https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/ops.md): the production hardening checklist to work through before exposing the deployment. - [Consultation flow](../../explanation/consultation-flow/): how Relay binds a source, applies scopes, serves entity routes, and audits every request. diff --git a/docs/site/src/content/docs/tutorials/first-run-with-solmara-lab.mdx b/docs/site/src/content/docs/tutorials/first-run-with-solmara-lab.mdx index ec1154635..74c4e14a5 100644 --- a/docs/site/src/content/docs/tutorials/first-run-with-solmara-lab.mdx +++ b/docs/site/src/content/docs/tutorials/first-run-with-solmara-lab.mdx @@ -35,12 +35,13 @@ evaluation route directly so you touch the protected API surface, not only the p This tutorial uses synthetic data and local demo credentials. Do not use the generated local keys in production. -If you only want the shortest hosted path before running anything locally, start with the -[Quickstart](../../start/quickstart/) instead. For a standalone local project generated from your -own data, use the `registryctl` tutorials: +For a standalone local project generated from your own data, use the `registryctl` tutorials: [run a protected registry API](../publish-spreadsheet-secured-registry-api/) or [evaluate a claim with Registry Notary](../verify-claim-registry-api/). Clone Solmara Lab when you -want the full multi-service country demo. +want the full multi-service country demo. The hosted path remains visible for inspection, but its +credential continuation is held by [GH#330](https://github.com/registrystack/registry-stack/issues/330) +and the incomplete [GH#198](https://github.com/registrystack/registry-stack/issues/198) +fresh-reader run. ## Prerequisites @@ -240,9 +241,12 @@ confirm what you ran by hand against what the lab publishes. ## Next -- [Quickstart](../../start/quickstart/): the shortest hosted path, no install needed. -- [Get a verifiable credential from the hosted lab](../../start/credential-tour/): watch Registry - Notary issue a signed credential in the browser. +- [Run a protected registry API locally](../publish-spreadsheet-secured-registry-api/): generate a + smaller local Relay project from a sample workbook. +- [Evaluate a claim with Registry Notary](../verify-claim-registry-api/): add Notary to that local + project. +- [Hosted Relay demo (held)](../../start/quickstart/): inspect the zero-install Relay path. +- [Hosted credential tour (held)](../../start/credential-tour/): inspect the browser issuance path. - [When to use Registry Stack](../../start/when-to-use/): decide whether Relay, Notary, or both fit your integration. - [Registry Relay](../../products/registry-relay/): route reference, auth scopes, and configuration diff --git a/docs/site/src/content/docs/tutorials/publish-spreadsheet-secured-registry-api.mdx b/docs/site/src/content/docs/tutorials/publish-spreadsheet-secured-registry-api.mdx index 356a5de11..ab88d033d 100644 --- a/docs/site/src/content/docs/tutorials/publish-spreadsheet-secured-registry-api.mdx +++ b/docs/site/src/content/docs/tutorials/publish-spreadsheet-secured-registry-api.mdx @@ -25,26 +25,32 @@ allowed request, and inspect the contract Registry Stack generated. outcome="A protected local API over a benefits workbook, with anonymous access denied, an authorized record read succeeding, and an edited disclosure rule enforced." time="About 15 minutes after Docker is installed" level="Local single-node" - prerequisites={['registryctl 0.8.4+', 'A Docker Compose provider', 'curl']} + prerequisites={['registryctl 0.9.0', 'A Docker Compose provider', 'curl']} /> This tutorial uses synthetic data and local demo credentials. Do not use the generated local keys in production. +:::note[Current first-run route] +The v0.9.0 source beta and this local tutorial can be used while hosted credential publication is +held by [GH#330](https://github.com/registrystack/registry-stack/issues/330) and the incomplete +[GH#198](https://github.com/registrystack/registry-stack/issues/198) fresh-reader run. +::: + ## Install registryctl Install `registryctl` without cloning the repository: The quick installer verifies downloaded release assets against the release's -`SHA256SUMS`. The pinned `v0.8.4` installer installs the binary; beginning with -`v0.9.0`, the matching installer installs the binary and release image lock. It +`SHA256SUMS`. The pinned `v0.9.0` installer installs the binary and matching +release image lock beside each other. It does not authenticate the installer script or release. Before running it, review the available signature and provenance evidence in the canonical [`release/VERIFY.md`](https://github.com/registrystack/registry-stack/blob/main/release/VERIFY.md) guide. Evidence availability varies by release, and `v0.8.0` is unsigned. ```sh -curl -fsSL https://raw.githubusercontent.com/registrystack/registry-stack/refs/tags/v0.8.4/crates/registryctl/install.sh | REGISTRYCTL_VERSION=v0.8.4 bash +curl -fsSL https://raw.githubusercontent.com/registrystack/registry-stack/refs/tags/v0.9.0/crates/registryctl/install.sh | REGISTRYCTL_VERSION=v0.9.0 bash registryctl --version ``` @@ -55,7 +61,7 @@ Prebuilt `registryctl` assets exist for Linux x86_64, Linux arm64, and macOS arm On Intel macOS, the installer stops after printing the pinned `cargo install` command. It does not run the source build automatically. After installing a Rust toolchain, run the command printed by the installer. For -`v0.9.0` or later, also checksum-verify the matching release image lock and +`v0.9.0`, also checksum-verify the matching release image lock and place it beside the Cargo-installed binary, as described in the troubleshooting table. ## Create the sample project @@ -346,8 +352,8 @@ Relay refused to start when the floor dropped under 2 on personal data. project and answer a narrow question without exposing the source row. - [Connect Notary to a Registry Data API source](../run-notary-standalone-for-api/): run Notary separately from a Registry Data API-shaped source. -- [Credential tour](../../start/credential-tour/): watch the hosted lab issue a privacy-preserving - credential, no install needed. +- [Hosted credential tour (held)](../../start/credential-tour/): inspect the hosted issuance path; + it is not the promoted first-run route. ## Troubleshooting @@ -356,10 +362,10 @@ Relay refused to start when the floor dropped under 2 on personal data. | `registryctl` is not found | The install directory is not on `PATH`. | Add the directory printed by the installer, usually `~/.local/bin`, to `PATH`. | | The installer reports an unsupported platform | No binary is published for that OS or CPU. | Run the pinned `cargo install` command printed by the installer. For `v0.9.0` or later, also checksum-verify the matching `registryctl-vX.Y.Z-image-lock.json` release asset and place it beside the installed binary. | | `registryctl start` cannot find Docker | Docker or another Compose provider is not installed or running. | Start Docker Desktop, OrbStack, Colima, Podman, or your supported provider, then run `registryctl start` again. | -| Docker reports no `linux/arm64` manifest for a Registry Stack image | The v0.8.4 Relay and Notary images are published for `linux/amd64` only. | Start with `DOCKER_DEFAULT_PLATFORM=linux/amd64 registryctl start`. | +| Docker reports no `linux/arm64` manifest for a Registry Stack image | The v0.9.0 Relay and Notary images are published for `linux/amd64` only. | Start with `DOCKER_DEFAULT_PLATFORM=linux/amd64 registryctl start`. | | `registryctl start` fails and the container log shows `failed to parse config YAML ... unknown field` | The locally cached container image does not match the digest-pinned image in the generated `compose.yaml`. | Run `docker compose pull` in the project directory (on Apple silicon, prefix it with `DOCKER_DEFAULT_PLATFORM=linux/amd64`), then `registryctl start` again. | | `registryctl start` times out and the container log shows `missing field \`commitment\`` | registryctl v0.8.4 pins a service image older than its own generated config format ([GH#278](https://github.com/registrystack/registry-stack/issues/278)). | Pin the project's `compose.yaml` to the published v0.8.4 release digests: `ghcr.io/registrystack/registry-relay@sha256:93e194500a3500ba3f6331d5a0a9a3069127c48a709beccb083a5fcbdbc3ec61` and, when present, `ghcr.io/registrystack/registry-notary@sha256:0cf05184885d7ed17dd9889e20f3797eb2a9ad07517f4ac7c05c03b774a00b8f`. Then run `docker compose pull`; reapply the pins after a generation command rewrites `compose.yaml`. | -| With registryctl `v0.9.0` or later, `registryctl init` reports that its image lock is missing or invalid | The binary was moved or built without the strict image lock from the same release, or the file failed its release, source, platform, or digest checks. Registryctl `v0.8.4` does not use this lock. | Rerun the installer from the same pinned target tag so it checksum-verifies and installs both files. For an operator-managed or source-test location, set `REGISTRYCTL_IMAGE_LOCK` to the checksum-verified lock from that exact release. Do not substitute a lock from another version or a mutable image tag. | +| `registryctl init` reports that its image lock is missing or invalid | The binary was moved or built without the strict image lock from the same release, or the file failed its release, source, platform, or digest checks. | Rerun the installer from the same pinned target tag so it checksum-verifies and installs both files. For an operator-managed or source-test location, set `REGISTRYCTL_IMAGE_LOCK` to the checksum-verified lock from that exact release. Do not substitute a lock from another version or a mutable image tag. | | `registryctl start` fails with `Relay did not become healthy and ready before timeout` after a config edit | The edited `relay/config.yaml` fails validation, so the container exits at startup. | Run `registryctl logs`, fix the field named in the `ERROR` line, then run `registryctl stop` and `registryctl start` again. | | A row read returns `403 Forbidden` | The key is valid but lacks the row-read scope. | Use `ROW_READER_RAW` for row reads. | | A row read returns `400 auth.purpose_required` | The entity requires a `Data-Purpose` header. | Send `Data-Purpose: https://example.local/purpose/tutorial` or another purpose URI. | diff --git a/docs/site/src/content/docs/tutorials/run-notary-standalone-for-api.mdx b/docs/site/src/content/docs/tutorials/run-notary-standalone-for-api.mdx index 902a8ae36..049520743 100644 --- a/docs/site/src/content/docs/tutorials/run-notary-standalone-for-api.mdx +++ b/docs/site/src/content/docs/tutorials/run-notary-standalone-for-api.mdx @@ -223,4 +223,4 @@ stayed private, and only the claim's disclosed predicate crossed the API boundar | Claim evaluation returns a source auth error | Notary cannot authenticate to the source. | Confirm the source token in `secrets/local.env` and restart Notary. | | Claim evaluation returns `409 Evidence not available` | The target id is not available from the source, or the dataset, entity, or lookup field does not match the source contract. | Use a known target id or inspect the Registry Data API source contract. | | `registryctl start` times out and the container log shows `missing field \`commitment\`` | registryctl v0.8.4 pins a service image older than its own generated config format ([GH#278](https://github.com/registrystack/registry-stack/issues/278)). | Pin `compose.yaml` to the published v0.8.4 Notary digest `ghcr.io/registrystack/registry-notary@sha256:0cf05184885d7ed17dd9889e20f3797eb2a9ad07517f4ac7c05c03b774a00b8f` and, when the project includes Relay, `ghcr.io/registrystack/registry-relay@sha256:93e194500a3500ba3f6331d5a0a9a3069127c48a709beccb083a5fcbdbc3ec61`. Then run `docker compose pull`; reapply the pins after a generation command rewrites `compose.yaml`. | -| With registryctl `v0.9.0` or later, `registryctl init notary` reports that its image lock is missing or invalid | The binary is not paired with the strict image lock from the same release, or the lock failed its release and digest checks. Registryctl `v0.8.4` does not use this lock. | Rerun the installer from the same pinned target tag so it checksum-verifies and installs both files. If the lock is intentionally stored elsewhere, set `REGISTRYCTL_IMAGE_LOCK` to that exact verified file. Do not replace the digest pin with a mutable tag. | +| `registryctl init notary` reports that its image lock is missing or invalid | The binary is not paired with the strict image lock from the same release, or the lock failed its release and digest checks. | Rerun the installer from the same pinned target tag so it checksum-verifies and installs both files. If the lock is intentionally stored elsewhere, set `REGISTRYCTL_IMAGE_LOCK` to that exact verified file. Do not replace the digest pin with a mutable tag. | diff --git a/docs/site/src/content/docs/tutorials/verify-claim-registry-api.mdx b/docs/site/src/content/docs/tutorials/verify-claim-registry-api.mdx index b552673e4..910182a8c 100644 --- a/docs/site/src/content/docs/tutorials/verify-claim-registry-api.mdx +++ b/docs/site/src/content/docs/tutorials/verify-claim-registry-api.mdx @@ -29,6 +29,12 @@ between a source row read and a minimized claim result. This tutorial uses synthetic data and local demo credentials. Do not use the generated local keys in production. +:::note[Current first-run route] +The v0.9.0 source beta and this local tutorial can be used while hosted credential publication is +held by [GH#330](https://github.com/registrystack/registry-stack/issues/330) and the incomplete +[GH#198](https://github.com/registrystack/registry-stack/issues/198) fresh-reader run. +::: + ## Start from the local API Complete [Run a protected registry API locally](../publish-spreadsheet-secured-registry-api/) @@ -369,8 +375,8 @@ It does not delete your workbook, generated configs, local keys, or smoke result inspection. - [Connect Notary to a Registry Data API source](../run-notary-standalone-for-api/): run Notary in a separate project against a Registry Data API-shaped source. -- [Credential tour](../../start/credential-tour/): explore the hosted demo to see credential issuance and - cross-authority flows. +- [Hosted credential tour (held)](../../start/credential-tour/): inspect credential issuance and + cross-authority flows; this is not the promoted first-run route. ## Troubleshooting @@ -379,11 +385,11 @@ It does not delete your workbook, generated configs, local keys, or smoke result | `registryctl add notary --from local-relay` cannot find a Relay project | The current directory does not contain a generated `registryctl.yaml` with a Relay section. | Run the command from the Relay tutorial project directory. | | `registryctl add notary --from local-relay` cannot find a source token | `secrets/local.env` is missing or does not contain the Relay row-reader key. | Recreate the Relay project or restore the generated local env file. | | `registryctl start` starts Relay but Notary is not ready | Notary config, source token, or Compose service wiring is invalid. | Run `registryctl status`, then `registryctl logs` and check the Notary service errors. | -| Docker reports no `linux/arm64` manifest for a Registry Stack image | The v0.8.4 Relay and Notary images are published for `linux/amd64` only. | Start with `DOCKER_DEFAULT_PLATFORM=linux/amd64 registryctl start`. | +| Docker reports no `linux/arm64` manifest for a Registry Stack image | The v0.9.0 Relay and Notary images are published for `linux/amd64` only. | Start with `DOCKER_DEFAULT_PLATFORM=linux/amd64 registryctl start`. | | `registryctl notary smoke` returns `401` for authorized calls | The Notary evaluator key was not loaded or does not match the generated Notary fingerprint. | Run `. secrets/local.env`, then retry. | | Claim evaluation returns a source auth error | Notary cannot authenticate to Relay with `EVIDENCE_SOURCE_REGISTRY_RELAY_TOKEN`. | Confirm `secrets/local.env` has the source token and Relay is running. | | Claim evaluation returns `409 Evidence not available` | The target id is not in the sample workbook or the Relay entity lookup changed. | Use `per-2001` for the tutorial target, or inspect the Relay `person` entity. | | `registryctl doctor` reports `not_run` and asks you to install `registry-relay` | `doctor` validates configs with native product binaries, which this Docker-based tutorial does not install. | Use `registryctl notary smoke` and `registryctl logs` to check a config edit, or install the `registry-relay` and `registry-notary` binaries. | | `registryctl start` times out and the container log shows `missing field \`commitment\`` | registryctl v0.8.4 pins a service image older than its own generated config format ([GH#278](https://github.com/registrystack/registry-stack/issues/278)). | Pin `compose.yaml` to the published v0.8.4 digests `ghcr.io/registrystack/registry-relay@sha256:93e194500a3500ba3f6331d5a0a9a3069127c48a709beccb083a5fcbdbc3ec61` and `ghcr.io/registrystack/registry-notary@sha256:0cf05184885d7ed17dd9889e20f3797eb2a9ad07517f4ac7c05c03b774a00b8f`, then run `docker compose pull`. `registryctl add notary` regenerates `compose.yaml`, so reapply the pins after it runs. | -| With registryctl `v0.9.0` or later, `registryctl add notary` reports that its image lock is missing or invalid | The binary and strict release image lock are no longer installed together, or the lock does not match the CLI release and tag-built image evidence. Registryctl `v0.8.4` does not use this lock. | Rerun the installer from the same pinned target tag so it checksum-verifies and installs both files. For an operator-managed or source-test location, set `REGISTRYCTL_IMAGE_LOCK` to the checksum-verified lock from that exact release. Existing projects can still start from their stored pins, but generation commands fail closed. | +| `registryctl add notary` reports that its image lock is missing or invalid | The binary and strict release image lock are no longer installed together, or the lock does not match the CLI release and tag-built image evidence. | Rerun the installer from the same pinned target tag so it checksum-verifies and installs both files. For an operator-managed or source-test location, set `REGISTRYCTL_IMAGE_LOCK` to the checksum-verified lock from that exact release. Existing projects can still start from their stored pins, but generation commands fail closed. | | `registryctl start` replaces containers you did not expect | Docker Compose derives the project name from the directory basename only, so two differently located `my-first-api` directories share one Compose project. | Give each project directory a unique name, or stop the other project first. | diff --git a/docs/site/src/content/docs/tutorials/verify-opencrvs-claims.mdx b/docs/site/src/content/docs/tutorials/verify-opencrvs-claims.mdx index eb89b499b..0afa5843d 100644 --- a/docs/site/src/content/docs/tutorials/verify-opencrvs-claims.mdx +++ b/docs/site/src/content/docs/tutorials/verify-opencrvs-claims.mdx @@ -28,7 +28,7 @@ OpenCRVS remains the evidence source, and Registry Notary evaluates the claim lo You need: - Docker with Compose v2.20 or later. -- `registryctl` 0.8.4 or newer, with `init notary --source-kind opencrvs-dci` support. +- `registryctl` 0.9.0, with `init notary --source-kind opencrvs-dci` support. - `curl` and `jq` for the explicit evaluation check. - The HTTPS base URL of your OpenCRVS test environment. - OpenCRVS OAuth client credentials for that environment. @@ -36,14 +36,14 @@ You need: Install `registryctl` if you have not already: -The quick installer verifies the downloaded binary against the release's +The quick installer verifies the downloaded binary and release image lock against the release's `SHA256SUMS`; it does not authenticate the installer script or release. Before running it, review the available signature and provenance evidence in the canonical [`release/VERIFY.md`](https://github.com/registrystack/registry-stack/blob/main/release/VERIFY.md) guide. Evidence availability varies by release, and `v0.8.0` is unsigned. ```sh -curl -fsSL https://raw.githubusercontent.com/registrystack/registry-stack/refs/tags/v0.8.4/crates/registryctl/install.sh | REGISTRYCTL_VERSION=v0.8.4 bash +curl -fsSL https://raw.githubusercontent.com/registrystack/registry-stack/refs/tags/v0.9.0/crates/registryctl/install.sh | REGISTRYCTL_VERSION=v0.9.0 bash registryctl --version ``` @@ -119,7 +119,7 @@ Start the generated stack: registryctl start ``` -On Apple silicon, v0.8.4 images are published for linux/amd64 only. `registryctl start` +On Apple silicon, v0.9.0 images are published for linux/amd64 only. `registryctl start` applies the amd64 platform override automatically and prints a notice; you can also set it explicitly: @@ -256,8 +256,8 @@ For the mental model behind these blocks, see the Registry Notary | `registryctl notary smoke` or the explicit evaluation returns a source auth error | Registry Notary could not authenticate to OpenCRVS with the configured OAuth client credentials. | Confirm `DCI_CLIENT_ID` and `DCI_CLIENT_SECRET` in `secrets/local.env` match a valid OpenCRVS OAuth client for the target environment. | | The smoke or evaluation returns `source.unavailable` (HTTP 503) and the logs show a DNS lookup failure | The `--source-url` host does not resolve; the placeholder was left in, or the URL is wrong. | Rerun `registryctl init notary` with your real OpenCRVS base URL, or fix `source.url` in `notary/config.yaml`. | | `registryctl start` times out and the container log shows `missing field \`commitment\`` | registryctl v0.8.4 pins a service image older than its own generated config format ([GH#278](https://github.com/registrystack/registry-stack/issues/278)). | Replace the Notary image in `compose.yaml` with the published v0.8.4 digest `ghcr.io/registrystack/registry-notary@sha256:0cf05184885d7ed17dd9889e20f3797eb2a9ad07517f4ac7c05c03b774a00b8f`, run `docker compose pull`, and start again; reapply after any command that regenerates `compose.yaml`. | -| With registryctl `v0.9.0` or later, `registryctl init notary` reports that its image lock is missing or invalid | The binary was moved or built without the strict image lock from the same release, or the lock does not match the CLI release and tag-built digest evidence. Registryctl `v0.8.4` does not use this lock. | Rerun the installer from the same pinned target tag so it checksum-verifies and installs both files. For an intentionally separate location, set `REGISTRYCTL_IMAGE_LOCK` to the exact verified lock. Never replace the digest reference with a mutable image tag. | -| Docker reports no `linux/arm64` manifest for a v0.8.4 image | v0.8.4 images publish for `linux/amd64` only. | Start with `DOCKER_DEFAULT_PLATFORM=linux/amd64 registryctl start`, as shown in [Validate and start](#validate-and-start). | +| `registryctl init notary` reports that its image lock is missing or invalid | The binary was moved or built without the strict image lock from the same release, or the lock does not match the CLI release and tag-built digest evidence. | Rerun the installer from the same pinned target tag so it checksum-verifies and installs both files. For an intentionally separate location, set `REGISTRYCTL_IMAGE_LOCK` to the exact verified lock. Never replace the digest reference with a mutable image tag. | +| Docker reports no `linux/arm64` manifest for a v0.9.0 image | v0.9.0 images publish for `linux/amd64` only. | Start with `DOCKER_DEFAULT_PLATFORM=linux/amd64 registryctl start`, as shown in [Validate and start](#validate-and-start). | | `registryctl init notary` fails with `--source-token-from-env is not used with --source-kind opencrvs_dci` | `--source-token-from-env` was passed alongside `--source-kind opencrvs-dci`. | Configure `DCI_CLIENT_ID` and `DCI_CLIENT_SECRET` directly in `secrets/local.env` instead. | ## Next diff --git a/docs/site/src/data/contracts.yaml b/docs/site/src/data/contracts.yaml index 1906c3153..dcbbf85b3 100644 --- a/docs/site/src/data/contracts.yaml +++ b/docs/site/src/data/contracts.yaml @@ -5,7 +5,7 @@ surface: Shared Rust crate APIs for auth helpers, OIDC verification, audit envelopes and sinks, HTTP security middleware, outbound HTTP policy, Ed25519 JWK and DID helpers, SD-JWT VC issuance, and testing fixtures. source_of_truth: label: Registry Platform crates - url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates + url: https://github.com/registrystack/registry-stack/tree/v0.9.0/crates consumer_note: Relay, Notary, and future registry services should consume these primitives instead of reimplementing security or operational behavior locally. - id: registry-relay.openapi name: Registry Relay OpenAPI @@ -14,7 +14,7 @@ surface: "Protected Registry Data API, metadata API, evidence offering discovery, aggregates, health and readiness, plus optional standards adapters (OGC API Features, OGC API Records, OGC API EDR, SP DCI)." source_of_truth: label: Registry Relay abstract OpenAPI contract - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/openapi/registry-relay.openapi.json + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/openapi/registry-relay.openapi.json consumer_note: Hand-authored from `docs/api.md` and the runtime route table. Uses templated paths and capability tags. For instance-specific shape of `{dataset_id}` and `{entity}`, fetch `GET /openapi.json` from a configured gateway. Runtime deployments gate that route by default unless `openapi_requires_auth` is disabled for demos or controlled tooling. - id: registry-notary.openapi name: Registry Notary OpenAPI @@ -23,7 +23,7 @@ surface: Claim discovery, claim evaluation, batch evaluation, federated delegated evaluation, rendering, JWKS, service metadata, and credential issuance. source_of_truth: label: Registry Notary OpenAPI generator - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/openapi.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/openapi.rs consumer_note: Generate with `cargo run -p registry-notary -- openapi`. - id: registry-notary.oid4vci name: Registry Notary OID4VCI surface @@ -32,7 +32,7 @@ surface: OID4VCI offer start and callback (`/oid4vci/offer/start`, `/oid4vci/offer/callback`), credential offer (`GET /oid4vci/credential-offer`), nonce (`POST /oid4vci/nonce`), token (`POST /oid4vci/token`), credential request (`POST /oid4vci/credential`), VCT credential and metadata routes (`/credentials/{vct_path}`, `/.well-known/vct/{vct_path}`), and issuer metadata (`GET /.well-known/openid-credential-issuer`). Primitives sourced from the `registry-platform-oid4vci` crate. source_of_truth: label: Registry Notary OID4VCI routes - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/api.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/api.rs consumer_note: OID4VCI flow advertising `dc+sd-jwt` credential format. Registry Lab exercises the full path through the `just citizen-oid4vci-*` recipes. Full OID4VCI Draft 13 `vc+sd-jwt` wallet conformance is not asserted at this version. - id: registry-notary.federated-evaluation name: Registry Notary Federated Evaluation MVP @@ -41,7 +41,7 @@ surface: Static-peer delegated evaluation over `POST /federation/v1/evaluations`, compact JWS request and response JWTs, peer policy checks, pairwise subject handles, replay protection, and federation audit fields. source_of_truth: label: Registry Notary federation module - url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-notary-server/src/federation + url: https://github.com/registrystack/registry-stack/tree/v0.9.0/crates/registry-notary-server/src/federation consumer_note: This is delegated evaluation only. Open federation, trust-chain discovery, shared replay storage, audit checkpoint exchange, and federated credential issuance are outside the MVP. - id: registry-manifest.metadata-yaml name: Metadata Manifest @@ -50,7 +50,7 @@ surface: Portable `metadata.yaml` documents, compiled metadata model, public services, forms, policies, requirements, evidence type lists, evidence offering metadata, public federation metadata, and evaluation profile metadata. source_of_truth: label: Registry Manifest core - url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-manifest-core + url: https://github.com/registrystack/registry-stack/tree/v0.9.0/crates/registry-manifest-core consumer_note: Runtime source paths, scopes, table names, backend URLs, peer allowlists, replay storage, and federation secrets belong in runtime service config, not manifests. - id: registry-manifest.cpsv-ap-service-catalogue name: CPSV-AP Service Catalogue Render Contract @@ -59,7 +59,7 @@ surface: CPSV-AP JSON-LD service catalogue, CCCEV requirements, grouped evidence type lists, local form-definition links, DCAT data services, and form JSON Schemas. source_of_truth: label: Registry Manifest CPSV-AP fixture - url: https://github.com/registrystack/registry-stack/tree/v0.8.4/products/manifest/fixtures/cpsv-ap + url: https://github.com/registrystack/registry-stack/tree/v0.9.0/products/manifest/fixtures/cpsv-ap consumer_note: Each CCCEV evidence type list is one grouped option; multiple lists on a requirement are alternatives. - id: registry-manifest.static-publication name: Static Metadata Publication Bundle @@ -68,7 +68,7 @@ surface: Static index, catalog JSON, evidence offerings, policies, DCAT, CPSV-AP, BRegDCAT-AP, SHACL, OGC Records item collection, entity JSON Schemas, form JSON Schemas, and embedded SKOS-shaped codelist nodes. source_of_truth: label: Registry Manifest CLI - url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-manifest-cli + url: https://github.com/registrystack/registry-stack/tree/v0.9.0/crates/registry-manifest-cli consumer_note: The bundle can be hosted as static files without running Registry Relay. - id: registry-lab.release-check name: Registry Lab Release Check @@ -77,5 +77,5 @@ surface: Compose build, fixture generation, secret generation, static metadata publication, core smoke checks, live Postgres checks, live Zitadel and OIDC checks, source adapter sidecar smoke checks, raw-secret log checks, and narrated demo flows. source_of_truth: label: Registry Lab README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/lab/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/lab/README.md consumer_note: Use as a demo acceptance path only; production contracts remain in the owning repos. diff --git a/docs/site/src/data/docsets.yaml b/docs/site/src/data/docsets.yaml index 41af64ad0..10725425b 100644 --- a/docs/site/src/data/docsets.yaml +++ b/docs/site/src/data/docsets.yaml @@ -9,17 +9,56 @@ docsets: description: Current RegistryStack monorepo documentation build. products: registry-stack: - version: v0.8.4 + version: v0.9.0 ref: HEAD registry-relay: - version: v0.8.4 + version: v0.9.0 ref: HEAD registry-notary: - version: v0.8.4 + version: v0.9.0 ref: HEAD registry-manifest: - version: v0.8.4 + version: v0.9.0 ref: HEAD + - id: v0.9.0 + label: v0.9.0 + path: /v/0.9.0/ + status: archived + source: registry-stack-v0.9.0 + repo_docs_source: monorepo + published_at: 2026-07-10 + description: RegistryStack v0.9.0 beta-11 documentation set. + products: + registry-stack: + version: v0.9.0 + ref: 705ed0b33490f0494cc60eb4786093e364000b4f + registry-platform: + version: v0.9.0 + ref: 705ed0b33490f0494cc60eb4786093e364000b4f + registry-manifest: + version: v0.9.0 + ref: 705ed0b33490f0494cc60eb4786093e364000b4f + registry-notary: + version: v0.9.0 + ref: 705ed0b33490f0494cc60eb4786093e364000b4f + registry-relay: + version: v0.9.0 + ref: 705ed0b33490f0494cc60eb4786093e364000b4f + registry-lab: + version: v0.9.0 + ref: 705ed0b33490f0494cc60eb4786093e364000b4f + registry-registryctl: + version: v0.9.0 + ref: 705ed0b33490f0494cc60eb4786093e364000b4f + crosswalk: + version: crosswalk-core-v0.2.0 + ref: 1d44ec735fdc8a7c719264b339574371e8330337 + registry-atlas: + version: beta-11 held lab input + ref: d46f943b9fdcbab787d1d4eed114058aa43980be + esignet-relay-authenticator: + version: beta-11 held lab input + ref: 23cc0abb6469e0d18c8e6776f87de1691bdf40ee - id: v0.8.4 label: v0.8.4 path: /v/0.8.4/ diff --git a/docs/site/src/data/generated/contracts.json b/docs/site/src/data/generated/contracts.json index a7a6af352..a52bf814d 100644 --- a/docs/site/src/data/generated/contracts.json +++ b/docs/site/src/data/generated/contracts.json @@ -7,7 +7,7 @@ "surface": "Shared Rust crate APIs for auth helpers, OIDC verification, audit envelopes and sinks, HTTP security middleware, outbound HTTP policy, Ed25519 JWK and DID helpers, SD-JWT VC issuance, and testing fixtures.", "source_of_truth": { "label": "Registry Platform crates", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates" + "url": "https://github.com/registrystack/registry-stack/tree/v0.9.0/crates" }, "consumer_note": "Relay, Notary, and future registry services should consume these primitives instead of reimplementing security or operational behavior locally." }, @@ -19,7 +19,7 @@ "surface": "Protected Registry Data API, metadata API, evidence offering discovery, aggregates, health and readiness, plus optional standards adapters (OGC API Features, OGC API Records, OGC API EDR, SP DCI).", "source_of_truth": { "label": "Registry Relay abstract OpenAPI contract", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/openapi/registry-relay.openapi.json" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/openapi/registry-relay.openapi.json" }, "consumer_note": "Hand-authored from `docs/api.md` and the runtime route table. Uses templated paths and capability tags. For instance-specific shape of `{dataset_id}` and `{entity}`, fetch `GET /openapi.json` from a configured gateway. Runtime deployments gate that route by default unless `openapi_requires_auth` is disabled for demos or controlled tooling." }, @@ -31,7 +31,7 @@ "surface": "Claim discovery, claim evaluation, batch evaluation, federated delegated evaluation, rendering, JWKS, service metadata, and credential issuance.", "source_of_truth": { "label": "Registry Notary OpenAPI generator", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/openapi.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/openapi.rs" }, "consumer_note": "Generate with `cargo run -p registry-notary -- openapi`." }, @@ -43,7 +43,7 @@ "surface": "OID4VCI offer start and callback (`/oid4vci/offer/start`, `/oid4vci/offer/callback`), credential offer (`GET /oid4vci/credential-offer`), nonce (`POST /oid4vci/nonce`), token (`POST /oid4vci/token`), credential request (`POST /oid4vci/credential`), VCT credential and metadata routes (`/credentials/{vct_path}`, `/.well-known/vct/{vct_path}`), and issuer metadata (`GET /.well-known/openid-credential-issuer`). Primitives sourced from the `registry-platform-oid4vci` crate.", "source_of_truth": { "label": "Registry Notary OID4VCI routes", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/api.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/api.rs" }, "consumer_note": "OID4VCI flow advertising `dc+sd-jwt` credential format. Registry Lab exercises the full path through the `just citizen-oid4vci-*` recipes. Full OID4VCI Draft 13 `vc+sd-jwt` wallet conformance is not asserted at this version." }, @@ -55,7 +55,7 @@ "surface": "Static-peer delegated evaluation over `POST /federation/v1/evaluations`, compact JWS request and response JWTs, peer policy checks, pairwise subject handles, replay protection, and federation audit fields.", "source_of_truth": { "label": "Registry Notary federation module", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-notary-server/src/federation" + "url": "https://github.com/registrystack/registry-stack/tree/v0.9.0/crates/registry-notary-server/src/federation" }, "consumer_note": "This is delegated evaluation only. Open federation, trust-chain discovery, shared replay storage, audit checkpoint exchange, and federated credential issuance are outside the MVP." }, @@ -67,7 +67,7 @@ "surface": "Portable `metadata.yaml` documents, compiled metadata model, public services, forms, policies, requirements, evidence type lists, evidence offering metadata, public federation metadata, and evaluation profile metadata.", "source_of_truth": { "label": "Registry Manifest core", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-manifest-core" + "url": "https://github.com/registrystack/registry-stack/tree/v0.9.0/crates/registry-manifest-core" }, "consumer_note": "Runtime source paths, scopes, table names, backend URLs, peer allowlists, replay storage, and federation secrets belong in runtime service config, not manifests." }, @@ -79,7 +79,7 @@ "surface": "CPSV-AP JSON-LD service catalogue, CCCEV requirements, grouped evidence type lists, local form-definition links, DCAT data services, and form JSON Schemas.", "source_of_truth": { "label": "Registry Manifest CPSV-AP fixture", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/products/manifest/fixtures/cpsv-ap" + "url": "https://github.com/registrystack/registry-stack/tree/v0.9.0/products/manifest/fixtures/cpsv-ap" }, "consumer_note": "Each CCCEV evidence type list is one grouped option; multiple lists on a requirement are alternatives." }, @@ -91,7 +91,7 @@ "surface": "Static index, catalog JSON, evidence offerings, policies, DCAT, CPSV-AP, BRegDCAT-AP, SHACL, OGC Records item collection, entity JSON Schemas, form JSON Schemas, and embedded SKOS-shaped codelist nodes.", "source_of_truth": { "label": "Registry Manifest CLI", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-manifest-cli" + "url": "https://github.com/registrystack/registry-stack/tree/v0.9.0/crates/registry-manifest-cli" }, "consumer_note": "The bundle can be hosted as static files without running Registry Relay." }, @@ -103,7 +103,7 @@ "surface": "Compose build, fixture generation, secret generation, static metadata publication, core smoke checks, live Postgres checks, live Zitadel and OIDC checks, source adapter sidecar smoke checks, raw-secret log checks, and narrated demo flows.", "source_of_truth": { "label": "Registry Lab README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/lab/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/lab/README.md" }, "consumer_note": "Use as a demo acceptance path only; production contracts remain in the owning repos." } diff --git a/docs/site/src/data/generated/docsets.json b/docs/site/src/data/generated/docsets.json index 72e599160..eb1d06e72 100644 --- a/docs/site/src/data/generated/docsets.json +++ b/docs/site/src/data/generated/docsets.json @@ -11,23 +11,75 @@ "description": "Current RegistryStack monorepo documentation build.", "products": { "registry-stack": { - "version": "v0.8.4", + "version": "v0.9.0", "ref": "HEAD" }, "registry-relay": { - "version": "v0.8.4", + "version": "v0.9.0", "ref": "HEAD" }, "registry-notary": { - "version": "v0.8.4", + "version": "v0.9.0", "ref": "HEAD" }, "registry-manifest": { - "version": "v0.8.4", + "version": "v0.9.0", "ref": "HEAD" } } }, + { + "id": "v0.9.0", + "label": "v0.9.0", + "path": "/v/0.9.0/", + "status": "archived", + "source": "registry-stack-v0.9.0", + "repo_docs_source": "monorepo", + "published_at": "2026-07-10", + "description": "RegistryStack v0.9.0 beta-11 documentation set.", + "products": { + "registry-stack": { + "version": "v0.9.0", + "ref": "705ed0b33490f0494cc60eb4786093e364000b4f" + }, + "registry-platform": { + "version": "v0.9.0", + "ref": "705ed0b33490f0494cc60eb4786093e364000b4f" + }, + "registry-manifest": { + "version": "v0.9.0", + "ref": "705ed0b33490f0494cc60eb4786093e364000b4f" + }, + "registry-notary": { + "version": "v0.9.0", + "ref": "705ed0b33490f0494cc60eb4786093e364000b4f" + }, + "registry-relay": { + "version": "v0.9.0", + "ref": "705ed0b33490f0494cc60eb4786093e364000b4f" + }, + "registry-lab": { + "version": "v0.9.0", + "ref": "705ed0b33490f0494cc60eb4786093e364000b4f" + }, + "registry-registryctl": { + "version": "v0.9.0", + "ref": "705ed0b33490f0494cc60eb4786093e364000b4f" + }, + "crosswalk": { + "version": "crosswalk-core-v0.2.0", + "ref": "1d44ec735fdc8a7c719264b339574371e8330337" + }, + "registry-atlas": { + "version": "beta-11 held lab input", + "ref": "d46f943b9fdcbab787d1d4eed114058aa43980be" + }, + "esignet-relay-authenticator": { + "version": "beta-11 held lab input", + "ref": "23cc0abb6469e0d18c8e6776f87de1691bdf40ee" + } + } + }, { "id": "v0.8.4", "label": "v0.8.4", diff --git a/docs/site/src/data/generated/projects.json b/docs/site/src/data/generated/projects.json index b93b1f4a8..e61fd9696 100644 --- a/docs/site/src/data/generated/projects.json +++ b/docs/site/src/data/generated/projects.json @@ -19,11 +19,11 @@ "source_docs": [ { "label": "README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/platform/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/platform/README.md" }, { "label": "Registry Platform crates", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates" + "url": "https://github.com/registrystack/registry-stack/tree/v0.9.0/crates" } ], "rename_status": "New shared workspace; not part of the 2026-05-23 rename wave." @@ -48,11 +48,11 @@ "source_docs": [ { "label": "README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/README.md" }, { "label": "Local examples", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/examples/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/examples/README.md" } ], "rename_status": "Already using the target repo name locally." @@ -81,15 +81,15 @@ "source_docs": [ { "label": "README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md" }, { "label": "Local API docs", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/api.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/api.md" }, { "label": "Local metadata docs", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/metadata.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/metadata.md" } ], "rename_status": "Local checkout renamed to `registry-relay`; old worktrees under `registry_relay-*` remain for historical evidence." @@ -119,11 +119,11 @@ "source_docs": [ { "label": "README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/notary/README.md" }, { "label": "OpenAPI source", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/openapi.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/openapi.rs" } ], "rename_status": "Already using the target repo name locally." @@ -148,7 +148,7 @@ "source_docs": [ { "label": "README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/lab/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/lab/README.md" }, { "label": "Rename plan", diff --git a/docs/site/src/data/generated/standards.json b/docs/site/src/data/generated/standards.json index f7368e1e1..bba07652f 100644 --- a/docs/site/src/data/generated/standards.json +++ b/docs/site/src/data/generated/standards.json @@ -20,15 +20,15 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md" }, { "label": "Registry Manifest README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/README.md" }, { "label": "Registry Relay DCAT catalog tests", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/catalog_entity.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/tests/catalog_entity.rs" } ], "last_checked": "2026-06-13", @@ -54,15 +54,15 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md" }, { "label": "Registry Manifest README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/README.md" }, { "label": "Registry Relay BRegDCAT-AP route tests", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/catalog_entity.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/tests/catalog_entity.rs" } ], "last_checked": "2026-06-13", @@ -89,7 +89,7 @@ "evidence_docs": [ { "label": "Registry Manifest CPSV-AP fixture", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/products/manifest/fixtures/cpsv-ap" + "url": "https://github.com/registrystack/registry-stack/tree/v0.9.0/products/manifest/fixtures/cpsv-ap" }, { "label": "Registry Lab service-first discovery docs", @@ -119,15 +119,15 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md" }, { "label": "Registry Manifest README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/README.md" }, { "label": "Registry Relay OGC records API tests", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/ogc_records_api.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/tests/ogc_records_api.rs" } ], "last_checked": "2026-06-13", @@ -152,11 +152,11 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md" }, { "label": "Registry Relay OGC Features API tests", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/ogc_api.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/tests/ogc_api.rs" } ], "last_checked": "2026-06-20", @@ -181,7 +181,7 @@ "evidence_docs": [ { "label": "Registry Relay OGC EDR API tests", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/ogc_edr_api.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/tests/ogc_edr_api.rs" } ], "last_checked": "2026-06-20", @@ -207,19 +207,19 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md" }, { "label": "Registry Notary README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/notary/README.md" }, { "label": "Registry Relay generated OpenAPI document (pinned)", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/openapi/registry-relay.openapi.json" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/openapi/registry-relay.openapi.json" }, { "label": "Registry Notary generated OpenAPI document (pinned)", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/openapi/registry-notary.openapi.json" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/notary/openapi/registry-notary.openapi.json" } ], "last_checked": "2026-06-13", @@ -245,15 +245,15 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md" }, { "label": "Registry Manifest README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/README.md" }, { "label": "Registry Relay SHACL document structure tests", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/catalog_entity.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/tests/catalog_entity.rs" } ], "last_checked": "2026-06-13", @@ -279,11 +279,11 @@ "evidence_docs": [ { "label": "Registry Manifest codelist renderer", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-manifest-core/src/lib.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-manifest-core/src/lib.rs" }, { "label": "Registry Manifest codelist tests", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-manifest-core/tests/metadata_core.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-manifest-core/tests/metadata_core.rs" } ], "last_checked": "2026-06-20", @@ -309,15 +309,15 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md" }, { "label": "Registry Manifest README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/README.md" }, { "label": "Registry Manifest form schema fixture (Draft 2020-12)", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/fixtures/cpsv-ap/health-linked-child-support.form.schema.json" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/fixtures/cpsv-ap/health-linked-child-support.form.schema.json" } ], "last_checked": "2026-06-13", @@ -346,15 +346,15 @@ "evidence_docs": [ { "label": "Registry Relay JSON-LD renderers", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/src/metadata/shacl.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/src/metadata/shacl.rs" }, { "label": "Registry Notary CCCEV renderer", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/runtime.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/runtime.rs" }, { "label": "Registry Manifest CPSV-AP JSON-LD fixture", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/fixtures/cpsv-ap/health-linked-child-support.cpsv-ap.jsonld" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/fixtures/cpsv-ap/health-linked-child-support.cpsv-ap.jsonld" } ], "last_checked": "2026-06-13", @@ -381,15 +381,15 @@ "evidence_docs": [ { "label": "Registry Notary SD-JWT VC conformance profile", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/docs/sd-jwt-vc-conformance-profile.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/notary/docs/sd-jwt-vc-conformance-profile.md" }, { "label": "Registry Notary format constants", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/model.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-core/src/model.rs" }, { "label": "Registry Platform SD-JWT crate", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-platform-sdjwt" + "url": "https://github.com/registrystack/registry-stack/tree/v0.9.0/crates/registry-platform-sdjwt" } ], "last_checked": "2026-06-13", @@ -414,7 +414,7 @@ "evidence_docs": [ { "label": "Registry Notary README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/notary/README.md" } ], "last_checked": "2026-05-23", @@ -444,15 +444,15 @@ "evidence_docs": [ { "label": "Registry Manifest grouped evidence fixture", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/products/manifest/fixtures/cpsv-ap" + "url": "https://github.com/registrystack/registry-stack/tree/v0.9.0/products/manifest/fixtures/cpsv-ap" }, { "label": "Registry Notary CCCEV renderer", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/runtime.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/runtime.rs" }, { "label": "Registry Notary media type constants", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/model.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-core/src/model.rs" } ], "last_checked": "2026-05-25", @@ -480,23 +480,23 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md" }, { "label": "Registry Manifest README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/README.md" }, { "label": "Registry Relay catalog tests (ODRL offer assertions)", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/catalog_entity.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/tests/catalog_entity.rs" }, { "label": "Registry Platform PDP ODRL enforcement profile constants", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-platform-pdp/src/lib.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-platform-pdp/src/lib.rs" }, { "label": "Registry Relay governed evidence PDP path", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/src/api/governed.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/src/api/governed.rs" } ], "last_checked": "2026-07-09", @@ -521,11 +521,11 @@ "evidence_docs": [ { "label": "Registry Relay client integration guide", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/client-integration.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/client-integration.md" }, { "label": "Registry Relay aggregates tests (schema-validated SDMX-JSON output)", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/aggregates_entity.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/tests/aggregates_entity.rs" } ], "last_checked": "2026-06-13", @@ -550,7 +550,7 @@ "evidence_docs": [ { "label": "Registry Notary claim model", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/model.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-core/src/model.rs" } ], "last_checked": "2026-05-23", @@ -575,11 +575,11 @@ "evidence_docs": [ { "label": "Registry Notary FHIR source adapter guide", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/docs/fhir-source-adapter-guide.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/products/notary/docs/fhir-source-adapter-guide.md" }, { "label": "Registry Notary FHIR adapter contract tests", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-source-adapter-sidecar/tests/fhir_contract.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-source-adapter-sidecar/tests/fhir_contract.rs" } ], "last_checked": "2026-07-09", @@ -604,7 +604,7 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md" } ], "last_checked": "2026-05-23", @@ -657,11 +657,11 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md" }, { "label": "Registry Notary source connector", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/config.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-core/src/config.rs" } ], "last_checked": "2026-05-23", @@ -691,15 +691,15 @@ "evidence_docs": [ { "label": "Registry Notary OID4VCI routes", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/api.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/api.rs" }, { "label": "Registry Platform OID4VCI crate", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-platform-oid4vci" + "url": "https://github.com/registrystack/registry-stack/tree/v0.9.0/crates/registry-platform-oid4vci" }, { "label": "Registry Lab citizen OID4VCI smoke script", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/lab/scripts/smoke-citizen-oid4vci.sh" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/lab/scripts/smoke-citizen-oid4vci.sh" }, { "label": "Hosted lab issuer metadata", @@ -730,11 +730,11 @@ "evidence_docs": [ { "label": "Registry Notary did:jwk handling", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/api.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/api.rs" }, { "label": "Registry Platform crypto crate", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-platform-crypto" + "url": "https://github.com/registrystack/registry-stack/tree/v0.9.0/crates/registry-platform-crypto" } ], "last_checked": "2026-06-13", diff --git a/docs/site/src/data/projects.yaml b/docs/site/src/data/projects.yaml index f1fa916bd..d041b1bd9 100644 --- a/docs/site/src/data/projects.yaml +++ b/docs/site/src/data/projects.yaml @@ -14,9 +14,9 @@ - Product-level authorization policy, tenant isolation, audit retention, secret provisioning, or deployment configuration. source_docs: - label: README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/platform/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/platform/README.md - label: Registry Platform crates - url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates + url: https://github.com/registrystack/registry-stack/tree/v0.9.0/crates rename_status: New shared workspace; not part of the 2026-05-23 rename wave. - id: registry-manifest name: Registry Manifest @@ -34,9 +34,9 @@ - Production source configuration. source_docs: - label: README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/README.md - label: Local examples - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/examples/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/examples/README.md rename_status: Already using the target repo name locally. - id: registry-relay name: Registry Relay @@ -58,11 +58,11 @@ - Storage table ids or arbitrary SQL in public APIs. source_docs: - label: README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md - label: Local API docs - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/api.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/api.md - label: Local metadata docs - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/metadata.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/metadata.md rename_status: Local checkout renamed to `registry-relay`; old worktrees under `registry_relay-*` remain for historical evidence. - id: registry-notary name: Registry Notary @@ -85,9 +85,9 @@ - Browser inspection workflows outside the current formal v1 stack scope. source_docs: - label: README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/notary/README.md - label: OpenAPI source - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/openapi.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/openapi.rs rename_status: Already using the target repo name locally. - id: registry-lab name: Registry Lab @@ -105,7 +105,7 @@ - Real product integrations for OpenCRVS, OpenSPP, DHIS2, OpenIMIS, MOSIP, or other systems. source_docs: - label: README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/lab/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/lab/README.md - label: Rename plan url: https://github.com/jeremi/registry-docs/blob/e926f05441f39eb2d633979c3bc5a3552f5cf6e2/rename-plan-2026-05-23.md rename_status: Local checkout renamed to `registry-lab`; stable demo identifiers may still contain `decentralized-demo` as protocol and artifact values. diff --git a/docs/site/src/data/repo-docs.yaml b/docs/site/src/data/repo-docs.yaml index 7bdaf1bbe..bcd034684 100644 --- a/docs/site/src/data/repo-docs.yaml +++ b/docs/site/src/data/repo-docs.yaml @@ -8,7 +8,7 @@ repos: registry-relay: remote: https://github.com/registrystack/registry-stack ref: HEAD - version: v0.8.4 + version: v0.9.0 local: ../.. openapi: crates/registry-relay/openapi/registry-relay.openapi.json archive_remote: https://github.com/jeremi/registry-relay @@ -23,6 +23,9 @@ repos: last_reviewed: unreviewed standards_referenced: [openapi, ogc-api-records, ogc-api-features, ogc-api-edr, odrl, sp-dci] docset_overrides: + - docsets: [v0.9.0] + standards_referenced: [openapi, ogc-api-records, ogc-api-features, ogc-api-edr, odrl, sp-dci] + last_reviewed: unreviewed - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3, beta-2026-06-12] standards_referenced: [openapi, ogc-api-records, ogc-api-features, ogc-api-edr, odrl, sp-dci, w3c-did] last_reviewed: unreviewed @@ -36,6 +39,9 @@ repos: last_reviewed: unreviewed standards_referenced: [openapi, sdmx, w3c-did] docset_overrides: + - docsets: [v0.9.0] + standards_referenced: [openapi, sdmx, w3c-did] + last_reviewed: unreviewed - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3, beta-2026-06-12] standards_referenced: [openapi, verifiable-credentials, sdmx, prov-o, w3c-did] last_reviewed: unreviewed @@ -48,6 +54,9 @@ repos: last_reviewed: unreviewed standards_referenced: [openapi, ogc-api-features, ogc-api-edr, odrl, sp-dci, w3c-did] docset_overrides: + - docsets: [v0.9.0] + standards_referenced: [openapi, ogc-api-features, ogc-api-edr, odrl, sp-dci, w3c-did] + last_reviewed: unreviewed - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3, beta-2026-06-12] standards_referenced: [openapi, ogc-api-features, ogc-api-edr, json-schema, json-ld, verifiable-credentials, odrl, prov-o, sp-dci, w3c-did] last_reviewed: unreviewed @@ -59,6 +68,9 @@ repos: last_reviewed: unreviewed standards_referenced: [dcat, bregdcat-ap, ogc-api-records, ogc-api-features, ogc-api-edr, openapi, shacl, json-schema, sdmx, sp-dci, w3c-did] docset_overrides: + - docsets: [v0.9.0] + standards_referenced: [dcat, bregdcat-ap, ogc-api-records, ogc-api-features, ogc-api-edr, openapi, shacl, json-schema, sdmx, sp-dci, w3c-did] + last_reviewed: unreviewed - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [dcat, bregdcat-ap, ogc-api-records, ogc-api-features, ogc-api-edr, openapi, shacl, json-schema, verifiable-credentials, sdmx, sp-dci, w3c-did] last_reviewed: unreviewed @@ -72,7 +84,7 @@ repos: standards_referenced: [dcat, bregdcat-ap, cpsv-ap, ogc-api-records, ogc-api-features, shacl, json-schema, json-ld, odrl, sp-dci, w3c-did] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [dcat, bregdcat-ap, cpsv-ap, ogc-api-records, ogc-api-features, shacl, json-schema, json-ld, odrl, sp-dci, w3c-did] last_reviewed: unreviewed - src: crates/registry-relay/docs/ops.md @@ -83,6 +95,9 @@ repos: last_reviewed: unreviewed standards_referenced: [dcat, bregdcat-ap, ogc-api-edr, sp-dci, w3c-did] docset_overrides: + - docsets: [v0.9.0] + standards_referenced: [dcat, bregdcat-ap, ogc-api-edr, sp-dci, w3c-did] + last_reviewed: unreviewed - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [dcat, bregdcat-ap, ogc-api-edr, verifiable-credentials, sp-dci, w3c-did] last_reviewed: unreviewed @@ -95,6 +110,9 @@ repos: last_reviewed: unreviewed standards_referenced: [json-ld, w3c-did] docset_overrides: + - docsets: [v0.9.0] + standards_referenced: [json-ld, w3c-did] + last_reviewed: unreviewed - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [json-schema, json-ld, sd-jwt-vc, verifiable-credentials, prov-o, w3c-did] last_reviewed: unreviewed @@ -108,7 +126,7 @@ repos: standards_referenced: [] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [] last_reviewed: unreviewed - src: crates/registry-relay/docs/standards-adapter-operator-guide.md @@ -119,6 +137,9 @@ repos: last_reviewed: unreviewed standards_referenced: [ogc-api-records, ogc-api-features, ogc-api-edr, sp-dci] docset_overrides: + - docsets: [v0.9.0] + standards_referenced: [ogc-api-records, ogc-api-features, ogc-api-edr, sp-dci] + last_reviewed: unreviewed - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [ogc-api-records, ogc-api-features, ogc-api-edr, json-schema, sp-dci] last_reviewed: unreviewed @@ -132,7 +153,7 @@ repos: standards_referenced: [] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [] last_reviewed: unreviewed - src: crates/registry-relay/STANDARDS_ASSUMPTIONS.md @@ -144,7 +165,7 @@ repos: standards_referenced: [dcat, bregdcat-ap, cpsv-ap, ogc-api-records, shacl, json-schema, odrl, sp-dci, w3c-did] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [dcat, bregdcat-ap, cpsv-ap, ogc-api-records, shacl, json-schema, odrl, sp-dci, w3c-did] last_reviewed: unreviewed - src: crates/registry-relay/docs/relay-scenario-catalog.md @@ -156,7 +177,7 @@ repos: standards_referenced: [dcat, ogc-api-records, ogc-api-features, openapi, shacl, sp-dci] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [dcat, ogc-api-records, ogc-api-features, openapi, shacl, sp-dci] last_reviewed: unreviewed - src: crates/registry-relay/docs/release-notes.md @@ -167,6 +188,9 @@ repos: last_reviewed: unreviewed standards_referenced: [dcat, ogc-api-edr, openapi, shacl, json-ld, sdmx, sp-dci, w3c-did] docset_overrides: + - docsets: [v0.9.0] + standards_referenced: [dcat, ogc-api-edr, openapi, shacl, json-ld, sdmx, sp-dci, w3c-did] + last_reviewed: unreviewed - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [dcat, bregdcat-ap, ogc-api-records, ogc-api-features, ogc-api-edr, openapi, shacl, verifiable-credentials, odrl, sp-dci, w3c-did] last_reviewed: unreviewed @@ -174,7 +198,7 @@ repos: registry-notary: remote: https://github.com/registrystack/registry-stack ref: HEAD - version: v0.8.4 + version: v0.9.0 local: ../.. openapi: products/notary/openapi/registry-notary.openapi.json archive_remote: https://github.com/jeremi/registry-notary @@ -192,7 +216,7 @@ repos: - docsets: [beta-2026-06-12] standards_referenced: [sd-jwt-vc, oid4vci] last_reviewed: unreviewed - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3] standards_referenced: [sd-jwt-vc, oid4vci, fhir-r4] last_reviewed: unreviewed description: Integrator and operator documentation for Registry Notary. @@ -208,7 +232,7 @@ repos: - docsets: [beta-4, beta-3, beta-2026-06-12] standards_referenced: [sd-jwt-vc, oid4vci, w3c-did] last_reviewed: unreviewed - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5] standards_referenced: [sd-jwt-vc, oid4vci, w3c-did, fhir-r4] last_reviewed: unreviewed - src: products/notary/docs/client-sdk-guide.md @@ -223,7 +247,7 @@ repos: - docsets: [beta-2026-06-12] standards_referenced: [sd-jwt-vc, oid4vci] last_reviewed: unreviewed - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3] standards_referenced: [sd-jwt-vc, oid4vci, w3c-did] last_reviewed: unreviewed - src: products/notary/docs/identity-and-record-matching.md @@ -235,7 +259,7 @@ repos: last_reviewed: unreviewed standards_referenced: [sd-jwt-vc, verifiable-credentials] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3, beta-2026-06-12] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3, beta-2026-06-12] standards_referenced: [sd-jwt-vc, verifiable-credentials] last_reviewed: unreviewed - src: products/notary/docs/source-claim-modeling-guide.md @@ -250,7 +274,7 @@ repos: - docsets: [beta-4, beta-3, beta-2026-06-12] standards_referenced: [sd-jwt-vc] last_reviewed: unreviewed - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5] standards_referenced: [sd-jwt-vc, fhir-r4] last_reviewed: unreviewed - src: products/notary/docs/operator-config-reference.md @@ -262,6 +286,9 @@ repos: last_reviewed: unreviewed standards_referenced: [openapi, sd-jwt-vc, sp-dci, oid4vci, w3c-did, fhir-r4] docset_overrides: + - docsets: [v0.9.0] + standards_referenced: [openapi, sd-jwt-vc, sp-dci, oid4vci, w3c-did, fhir-r4] + last_reviewed: unreviewed - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3] standards_referenced: [openapi, sd-jwt-vc, oid4vci, w3c-did, fhir-r4] last_reviewed: unreviewed @@ -277,7 +304,7 @@ repos: last_reviewed: unreviewed standards_referenced: [sd-jwt-vc, w3c-did] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3, beta-2026-06-12] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3, beta-2026-06-12] standards_referenced: [sd-jwt-vc, w3c-did] last_reviewed: unreviewed - src: products/notary/docs/signing-key-provider.md @@ -289,7 +316,7 @@ repos: last_reviewed: unreviewed standards_referenced: [sd-jwt-vc, w3c-did] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3, beta-2026-06-12] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3, beta-2026-06-12] standards_referenced: [sd-jwt-vc, w3c-did] last_reviewed: unreviewed - src: products/notary/docs/sd-jwt-vc-conformance-profile.md @@ -301,7 +328,7 @@ repos: last_reviewed: unreviewed standards_referenced: [json-ld, sd-jwt-vc, verifiable-credentials, oid4vci, w3c-did] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3, beta-2026-06-12] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3, beta-2026-06-12] standards_referenced: [json-ld, sd-jwt-vc, verifiable-credentials, oid4vci, w3c-did] last_reviewed: unreviewed - src: products/notary/docs/notary-capability-matrix.md @@ -313,7 +340,7 @@ repos: standards_referenced: [sd-jwt-vc, w3c-did] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [sd-jwt-vc, w3c-did] last_reviewed: unreviewed - src: products/notary/docs/notary-scenario-patterns.md @@ -325,7 +352,7 @@ repos: standards_referenced: [sd-jwt-vc, w3c-did] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [sd-jwt-vc, w3c-did] last_reviewed: unreviewed - src: products/notary/docs/fhir-source-adapter-guide.md @@ -337,7 +364,7 @@ repos: standards_referenced: [fhir-r4] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [fhir-r4] last_reviewed: unreviewed - src: products/notary/docs/script-rhai-source-adapter-guide.md @@ -349,7 +376,7 @@ repos: standards_referenced: [openapi, fhir-r4] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [openapi, fhir-r4] last_reviewed: unreviewed - src: products/notary/docs/opencrvs-onboarding.md @@ -360,6 +387,9 @@ repos: last_reviewed: unreviewed standards_referenced: [sd-jwt-vc, w3c-did] docset_overrides: + - docsets: [v0.9.0] + standards_referenced: [sd-jwt-vc, w3c-did] + last_reviewed: unreviewed - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [sd-jwt-vc] last_reviewed: unreviewed @@ -375,7 +405,7 @@ repos: - docsets: [v0.8.3, v0.8.2, v0.8.1] standards_referenced: [sd-jwt-vc, verifiable-credentials] last_reviewed: unreviewed - - docsets: [v0.8.4] + - docsets: [v0.9.0, v0.8.4] standards_referenced: [sd-jwt-vc, verifiable-credentials, w3c-did] last_reviewed: unreviewed exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] @@ -388,7 +418,7 @@ repos: standards_referenced: [w3c-did] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [w3c-did] last_reviewed: unreviewed - src: products/notary/docs/self-attestation-operator-guide.md @@ -400,7 +430,7 @@ repos: standards_referenced: [sd-jwt-vc, oid4vci, w3c-did] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [sd-jwt-vc, oid4vci, w3c-did] last_reviewed: unreviewed - src: products/notary/docs/sidecar-trust-and-secrets.md @@ -412,7 +442,7 @@ repos: standards_referenced: [sd-jwt-vc, fhir-r4] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [sd-jwt-vc, fhir-r4] last_reviewed: unreviewed - src: products/notary/docs/deployment-hardening-runbook.md @@ -424,7 +454,7 @@ repos: standards_referenced: [sd-jwt-vc, oid4vci] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [sd-jwt-vc, oid4vci] last_reviewed: unreviewed - src: products/notary/docs/api-reference.md @@ -436,7 +466,7 @@ repos: standards_referenced: [openapi, sd-jwt-vc, cccev, oid4vci, fhir-r4] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [openapi, sd-jwt-vc, cccev, oid4vci, fhir-r4] last_reviewed: unreviewed - src: products/notary/docs/oid4vci-wallet-interop.md @@ -448,7 +478,7 @@ repos: standards_referenced: [sd-jwt-vc, oid4vci, w3c-did] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [sd-jwt-vc, oid4vci, w3c-did] last_reviewed: unreviewed - src: products/notary/docs/release-notes.md @@ -460,13 +490,13 @@ repos: standards_referenced: [openapi, sd-jwt-vc, oid4vci, fhir-r4] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [openapi, sd-jwt-vc, oid4vci, fhir-r4] last_reviewed: unreviewed registry-manifest: remote: https://github.com/registrystack/registry-stack ref: HEAD - version: v0.8.4 + version: v0.9.0 local: ../.. archive_remote: https://github.com/jeremi/registry-manifest docs: @@ -479,7 +509,7 @@ repos: last_reviewed: unreviewed standards_referenced: [dcat, bregdcat-ap, cpsv-ap, ogc-api-records, shacl, skos, json-schema, json-ld, odrl, sp-dci, w3c-did, prov-o, govstack-digital-registries] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3] standards_referenced: [dcat, bregdcat-ap, cpsv-ap, ogc-api-records, shacl, skos, json-schema, json-ld, odrl, sp-dci, w3c-did, prov-o, govstack-digital-registries] last_reviewed: unreviewed - docsets: [beta-2026-06-12] @@ -498,7 +528,7 @@ repos: - docsets: [beta-2026-06-12] standards_referenced: [dcat, bregdcat-ap, cpsv-ap, ogc-api-records, shacl, json-schema, json-ld, odrl] last_reviewed: unreviewed - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3] standards_referenced: [dcat, bregdcat-ap, cpsv-ap, ogc-api-records, shacl, skos, json-schema, json-ld, odrl] last_reviewed: unreviewed - src: products/manifest/docs/profile-fixtures.md @@ -510,7 +540,7 @@ repos: last_reviewed: unreviewed standards_referenced: [sp-dci] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3, beta-2026-06-12] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3, beta-2026-06-12] standards_referenced: [sp-dci] last_reviewed: unreviewed - src: products/manifest/docs/reference.md @@ -525,7 +555,7 @@ repos: - docsets: [beta-2026-06-12] standards_referenced: [dcat, bregdcat-ap, cpsv-ap, ogc-api-records, shacl, json-schema, json-ld, cccev, odrl, w3c-did] last_reviewed: unreviewed - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1, beta-5, beta-4, beta-3] standards_referenced: [dcat, bregdcat-ap, cpsv-ap, ogc-api-records, shacl, skos, json-schema, json-ld, cccev, odrl, w3c-did] last_reviewed: unreviewed - src: products/manifest/docs/itb-semic-validation.md @@ -537,6 +567,6 @@ repos: standards_referenced: [dcat, bregdcat-ap, shacl, skos, json-schema, json-ld] exclude_docsets: [beta-5, beta-4, beta-3, beta-2026-06-12] docset_overrides: - - docsets: [v0.8.4, v0.8.3, v0.8.2, v0.8.1] + - docsets: [v0.9.0, v0.8.4, v0.8.3, v0.8.2, v0.8.1] standards_referenced: [dcat, bregdcat-ap, shacl, skos, json-schema, json-ld] last_reviewed: unreviewed diff --git a/docs/site/src/data/standards.yaml b/docs/site/src/data/standards.yaml index 533623e0e..e9c05997c 100644 --- a/docs/site/src/data/standards.yaml +++ b/docs/site/src/data/standards.yaml @@ -15,11 +15,11 @@ - access service metadata evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md - label: Registry Manifest README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/README.md - label: Registry Relay DCAT catalog tests - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/catalog_entity.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/tests/catalog_entity.rs last_checked: 2026-06-13 notes: Relay and Manifest emit DCAT-shaped metadata; the emitted catalog structure is asserted by Relay's catalog tests. Profile conformance claims still require profile-specific validation evidence (no DCAT validator output is pinned). - id: bregdcat-ap @@ -38,11 +38,11 @@ - embedded SHACL entity shapes evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md - label: Registry Manifest README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/README.md - label: Registry Relay BRegDCAT-AP route tests - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/catalog_entity.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/tests/catalog_entity.rs last_checked: 2026-06-13 notes: Manifest and Relay emit BRegDCAT-shaped registry and data-service metadata; the `/metadata/dcat/bregdcat-ap` route output is asserted by Relay's catalog tests. CPSV-AP is now the service-discovery layer; BRegDCAT-AP remains the registry and data-service discovery layer. Later BRegDCAT-AP releases require a separate renderer review. - id: cpsv-ap @@ -62,7 +62,7 @@ - competent authority and requirement links evidence_docs: - label: Registry Manifest CPSV-AP fixture - url: https://github.com/registrystack/registry-stack/tree/v0.8.4/products/manifest/fixtures/cpsv-ap + url: https://github.com/registrystack/registry-stack/tree/v0.9.0/products/manifest/fixtures/cpsv-ap - label: Registry Lab service-first discovery docs url: https://github.com/jeremi/registry-lab/blob/5bb84d5b2500a8d37b989e0959e22287250d1e40/docs/service-first-discovery.md last_checked: 2026-05-25 @@ -83,11 +83,11 @@ - OGC records item bodies evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md - label: Registry Manifest README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/README.md - label: Registry Relay OGC records API tests - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/ogc_records_api.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/tests/ogc_records_api.rs last_checked: 2026-06-13 notes: Relay exposes records routes behind the ogcapi-records feature (route output asserted by the OGC records API tests), and Manifest renders and publishes static OGC Records item collections. - id: ogc-api-features @@ -105,9 +105,9 @@ - dataset-scoped feature items evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md - label: Registry Relay OGC Features API tests - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/ogc_api.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/tests/ogc_api.rs last_checked: 2026-06-20 notes: Relay exposes OGC API Features routes behind the ogcapi-features feature. The claim is scoped to the profiled route output tested in Registry Relay, not full OGC conformance. - id: ogc-api-edr @@ -125,7 +125,7 @@ - EDR collection discovery evidence_docs: - label: Registry Relay OGC EDR API tests - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/ogc_edr_api.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/tests/ogc_edr_api.rs last_checked: 2026-06-20 notes: Relay exposes OGC API EDR area routes behind the ogcapi-edr feature for configured spatial aggregates. The claim is scoped to the tested adapter surface, not full OGC conformance. - id: openapi @@ -144,13 +144,13 @@ - native OpenAPI publication evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md - label: Registry Notary README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/notary/README.md - label: Registry Relay generated OpenAPI document (pinned) - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/openapi/registry-relay.openapi.json + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/openapi/registry-relay.openapi.json - label: Registry Notary generated OpenAPI document (pinned) - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/openapi/registry-notary.openapi.json + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/notary/openapi/registry-notary.openapi.json last_checked: 2026-06-13 notes: Relay and Notary generate OpenAPI; the pinned generated documents are cited directly. These docs publish the same pinned artifacts as native API reference pages. - id: shacl @@ -169,11 +169,11 @@ - entity node shapes evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md - label: Registry Manifest README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/README.md - label: Registry Relay SHACL document structure tests - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/catalog_entity.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/tests/catalog_entity.rs last_checked: 2026-06-13 notes: Relay emits SHACL/JSON-LD documents whose structure is asserted by its catalog tests, and Manifest renders SHACL. No SHACL validator run against the emitted shapes is pinned. - id: skos @@ -192,9 +192,9 @@ - BRegDCAT/DCAT dataset codelist references evidence_docs: - label: Registry Manifest codelist renderer - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-manifest-core/src/lib.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-manifest-core/src/lib.rs - label: Registry Manifest codelist tests - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-manifest-core/tests/metadata_core.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-manifest-core/tests/metadata_core.rs last_checked: 2026-06-20 notes: Registry Manifest emits flat SKOS-shaped `skos:ConceptScheme` and `skos:Concept` nodes for manifest codelists inside SHACL and BRegDCAT/DCAT-shaped outputs. It does not yet publish a standalone SKOS artifact or claim full SKOS conformance. - id: json-schema @@ -213,11 +213,11 @@ - static discovery bundle evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md - label: Registry Manifest README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/README.md - label: Registry Manifest form schema fixture (Draft 2020-12) - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/fixtures/cpsv-ap/health-linked-child-support.form.schema.json + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/fixtures/cpsv-ap/health-linked-child-support.form.schema.json last_checked: 2026-06-13 notes: Manifest renders entity JSON Schemas (the pinned fixture declares Draft 2020-12) and Relay exposes entity schema endpoints. - id: json-ld @@ -239,11 +239,11 @@ - CCCEV render output evidence_docs: - label: Registry Relay JSON-LD renderers - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/src/metadata/shacl.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/src/metadata/shacl.rs - label: Registry Notary CCCEV renderer - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/runtime.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/runtime.rs - label: Registry Manifest CPSV-AP JSON-LD fixture - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/fixtures/cpsv-ap/health-linked-child-support.cpsv-ap.jsonld + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/fixtures/cpsv-ap/health-linked-child-support.cpsv-ap.jsonld last_checked: 2026-06-13 notes: The projects emit JSON-LD artifacts and contexts; a pinned JSON-LD fixture is cited as a concrete emitted artifact. No broad RDF dataset conformance claim is made here. - id: sd-jwt-vc @@ -263,11 +263,11 @@ - shared SD-JWT VC issuance and holder-proof helpers evidence_docs: - label: Registry Notary SD-JWT VC conformance profile - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/docs/sd-jwt-vc-conformance-profile.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/notary/docs/sd-jwt-vc-conformance-profile.md - label: Registry Notary format constants - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/model.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-core/src/model.rs - label: Registry Platform SD-JWT crate - url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-platform-sdjwt + url: https://github.com/registrystack/registry-stack/tree/v0.9.0/crates/registry-platform-sdjwt last_checked: 2026-06-13 notes: >- Registry Platform owns reusable SD-JWT VC issuance and holder-proof helpers. @@ -291,7 +291,7 @@ - SD-JWT VC credential issuance evidence_docs: - label: Registry Notary README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/notary/README.md last_checked: 2026-05-23 notes: Registry Notary issues SD-JWT VC. Relay no longer emits or hosts VC artifacts. - id: cccev @@ -314,11 +314,11 @@ - evidence node JSON-LD evidence_docs: - label: Registry Manifest grouped evidence fixture - url: https://github.com/registrystack/registry-stack/tree/v0.8.4/products/manifest/fixtures/cpsv-ap + url: https://github.com/registrystack/registry-stack/tree/v0.9.0/products/manifest/fixtures/cpsv-ap - label: Registry Notary CCCEV renderer - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/runtime.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/runtime.rs - label: Registry Notary media type constants - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/model.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-core/src/model.rs last_checked: 2026-05-25 notes: Manifest emits CCCEV requirement and evidence type list metadata. Notary renders CCCEV-shaped claim results. Profile conformance is not claimed. - id: odrl @@ -339,15 +339,15 @@ - governed evidence PDP constraint terms evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md - label: Registry Manifest README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/manifest/README.md - label: Registry Relay catalog tests (ODRL offer assertions) - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/catalog_entity.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/tests/catalog_entity.rs - label: Registry Platform PDP ODRL enforcement profile constants - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-platform-pdp/src/lib.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-platform-pdp/src/lib.rs - label: Registry Relay governed evidence PDP path - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/src/api/governed.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/src/api/governed.rs last_checked: 2026-07-09 notes: Relay catalog JSON-LD can include dataset-scoped ODRL Offers, and Manifest renders ODRL policy metadata. That publication surface is descriptive and is not itself an access grant. The shared governed Evidence Gateway profile vocabulary includes `odrl:purpose` and `odrl:spatial`, but Relay's governed runtime path currently enforces `odrl:purpose` only; `odrl:spatial` and other unsupported ODRL terms are denied fail-closed rather than treated as enforced. - id: sdmx @@ -365,9 +365,9 @@ - content negotiation delivery evidence_docs: - label: Registry Relay client integration guide - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/client-integration.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/docs/client-integration.md - label: Registry Relay aggregates tests (schema-validated SDMX-JSON output) - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/aggregates_entity.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/tests/aggregates_entity.rs last_checked: 2026-06-13 notes: >- Relay serves configured aggregates as SDMX-JSON 2.1 data messages via @@ -393,7 +393,7 @@ - provenance-shaped claim fields evidence_docs: - label: Registry Notary claim model - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/model.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-core/src/model.rs last_checked: 2026-05-23 notes: The code uses provenance concepts, but current evidence does not show a PROV-O vocabulary emission surface. Keep this as design influence until PROV-O terms are emitted or mapped. - id: fhir-r4 @@ -411,9 +411,9 @@ - configured GET graph projections evidence_docs: - label: Registry Notary FHIR source adapter guide - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/docs/fhir-source-adapter-guide.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/products/notary/docs/fhir-source-adapter-guide.md - label: Registry Notary FHIR adapter contract tests - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-source-adapter-sidecar/tests/fhir_contract.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-source-adapter-sidecar/tests/fhir_contract.rs last_checked: 2026-07-09 notes: Registry Notary maps a bounded FHIR R4 GET graph through the governed source-adapter runtime. The adapter projects selected FHIR fields into Notary-ready source facts and does not expose raw FHIR Bundles, implement a FHIR server, or claim broad FHIR conformance. - id: govstack-digital-registries @@ -431,7 +431,7 @@ - capability boundary evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md last_checked: 2026-05-23 notes: Relay explores a protected consultation gateway model rather than the current single uniform CRUD platform. - id: universal-dpi-safeguards @@ -475,9 +475,9 @@ - HTTP source connector evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-relay/README.md - label: Registry Notary source connector - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/config.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-core/src/config.rs last_checked: 2026-05-23 notes: Relay exposes an SP-DCI sync adapter behind `spdci-api-standards`. Notary ships an HTTP source connector that maps SP-DCI search and sync responses into claim evaluation inputs. - id: oid4vci @@ -500,11 +500,11 @@ - wallet-facing citizen self-attestation flow evidence_docs: - label: Registry Notary OID4VCI routes - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/api.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/api.rs - label: Registry Platform OID4VCI crate - url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-platform-oid4vci + url: https://github.com/registrystack/registry-stack/tree/v0.9.0/crates/registry-platform-oid4vci - label: Registry Lab citizen OID4VCI smoke script - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/lab/scripts/smoke-citizen-oid4vci.sh + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/lab/scripts/smoke-citizen-oid4vci.sh - label: Hosted lab issuer metadata url: https://citizen-notary.lab.registrystack.org/.well-known/openid-credential-issuer last_checked: 2026-06-13 @@ -535,8 +535,8 @@ - shared DID validation and Ed25519 JWK helpers evidence_docs: - label: Registry Notary did:jwk handling - url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/api.rs + url: https://github.com/registrystack/registry-stack/blob/v0.9.0/crates/registry-notary-server/src/api.rs - label: Registry Platform crypto crate - url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-platform-crypto + url: https://github.com/registrystack/registry-stack/tree/v0.9.0/crates/registry-platform-crypto last_checked: 2026-06-13 notes: Notary parses did:jwk values for credential subjects, and Platform owns shared DID and Ed25519 JWK helpers. Relay no longer hosts a did:web document. No DID resolver, DID URL dereferencing, or DID Core conformance class is implemented, so the claim stays at emits. The site does not claim conformance to the wider DID method registry beyond did:jwk. diff --git a/lab/CHANGELOG.md b/lab/CHANGELOG.md index 820c03853..fcbf82366 100644 --- a/lab/CHANGELOG.md +++ b/lab/CHANGELOG.md @@ -2,6 +2,8 @@ ## Unreleased +## registry-stack-beta-11-2026-07-10 + - Added a pinned OpenID Foundation conformance-suite wrapper, OID4VCI issuer plan mapping, and an initial #205 Registry Notary metadata conformance run report. diff --git a/lab/scripts/smoke-oidc-relay.sh b/lab/scripts/smoke-oidc-relay.sh index 37a00b752..6fc5008d8 100755 --- a/lab/scripts/smoke-oidc-relay.sh +++ b/lab/scripts/smoke-oidc-relay.sh @@ -74,6 +74,9 @@ write_config() { local audience_block audience_block="$(audience_yaml "${token}")" cat >"${config_path}" <.lock` (refusing to start if another process holds it) and verifies the on-disk @@ -48,6 +65,11 @@ ### Changed +- Operators must back up antirollback state before an upgrade and keep + release-specific bundle and state restore sets. A rollback restores the + antirollback state belonging to that release. Deleting or reinitializing + state to force an older bundle to load breaks the antirollback guarantee and + is not a supported recovery procedure. - Parked `registry-platform-sts` outside the active workspace until Assisted Access or delegation-profile work promotes a release-surface consumer (#298). The source remains in git, but the crate is no longer built as part of diff --git a/products/platform/fuzz/Cargo.lock b/products/platform/fuzz/Cargo.lock index fdf9b43f2..974754201 100644 --- a/products/platform/fuzz/Cargo.lock +++ b/products/platform/fuzz/Cargo.lock @@ -1089,7 +1089,7 @@ dependencies = [ [[package]] name = "registry-platform-authcommon" -version = "0.8.4" +version = "0.9.0" dependencies = [ "serde", "sha2 0.11.0", @@ -1100,7 +1100,7 @@ dependencies = [ [[package]] name = "registry-platform-cache" -version = "0.8.4" +version = "0.9.0" dependencies = [ "async-trait", "sha2 0.11.0", @@ -1111,7 +1111,7 @@ dependencies = [ [[package]] name = "registry-platform-crypto" -version = "0.8.4" +version = "0.9.0" dependencies = [ "async-trait", "aws-lc-rs", @@ -1150,7 +1150,7 @@ dependencies = [ [[package]] name = "registry-platform-httputil" -version = "0.8.4" +version = "0.9.0" dependencies = [ "bytes", "http", @@ -1162,7 +1162,7 @@ dependencies = [ [[package]] name = "registry-platform-oid4vci" -version = "0.8.4" +version = "0.9.0" dependencies = [ "base64", "registry-platform-crypto", @@ -1175,7 +1175,7 @@ dependencies = [ [[package]] name = "registry-platform-oidc" -version = "0.8.4" +version = "0.9.0" dependencies = [ "base64", "jsonwebtoken", @@ -1190,7 +1190,7 @@ dependencies = [ [[package]] name = "registry-platform-replay" -version = "0.8.4" +version = "0.9.0" dependencies = [ "async-trait", "getrandom 0.4.3", @@ -1201,7 +1201,7 @@ dependencies = [ [[package]] name = "registry-platform-sdjwt" -version = "0.8.4" +version = "0.9.0" dependencies = [ "base64", "getrandom 0.4.3", diff --git a/release/READINESS.md b/release/READINESS.md index 5768a2ce8..04c0c4026 100644 --- a/release/READINESS.md +++ b/release/READINESS.md @@ -109,7 +109,11 @@ What 1.0 promises the institutions that run this. anti-rollback monotonic rejection remain outside this run). Backup and restore guidance for generated and single-node deployments is documented in [`backup-and-restore.mdx`](../docs/site/src/content/docs/operate/backup-and-restore.mdx) - (#226). + (#226). The + [v0.8.4 -> v0.9.0 -> v0.8.4 procedure](exercises/upgrade-v0.8.4-to-v0.9.0.md) + records the beta-11 migration and rollback gate; it does not claim a + successful run until finalized-source and published-asset evidence are + added. - [ ] Single-node Compose deployment behind an institution-owned reverse proxy, IAM, and front rate limiter documented. Evidence: [`single-node-compose-behind-proxy.mdx`](../docs/site/src/content/docs/operate/single-node-compose-behind-proxy.mdx) diff --git a/release/exercises/upgrade-v0.8.4-to-v0.9.0.md b/release/exercises/upgrade-v0.8.4-to-v0.9.0.md new file mode 100644 index 000000000..c12564488 --- /dev/null +++ b/release/exercises/upgrade-v0.8.4-to-v0.9.0.md @@ -0,0 +1,179 @@ +# Upgrade and rollback: v0.8.4 -> v0.9.0 -> v0.8.4 + +Status: release-gate procedure prepared on 2026-07-10. No successful execution +is claimed by this prepare change. The source release must not be tagged until +the candidate upgrade and rollback run is recorded against the finalized source +ref; published-asset verification is repeated after the tag workflow completes. + +## Purpose + +Prove that an operator can identify every intentional compatibility break, +migrate a backed-up v0.8.4 deployment to v0.9.0, verify the protected read and +evidence paths, and restore the v0.8.4 images and configuration without losing +operator-owned data or evidence. + +## Fixed Inputs + +- Baseline source and images: annotated tag `v0.8.4`. +- Candidate source: the finalized beta-11 manifest source ref. +- Candidate images: source-built before tagging, then the immutable digests + published by the `v0.9.0` tag workflow for the post-tag verification pass. +- Crosswalk: `1d44ec735fdc8a7c719264b339574371e8330337`. +- Topology: the repository's `lab/compose.upgrade-ex.yaml` with isolated + volumes and ports. This topology declares `deployment.profile: local`; it + does not prove evidence-grade signed-bundle, signer-custody, anti-rollback, + or stale-shipping-cursor behavior. + +Record the exact source refs, image ids or digests, Compose version, Docker +version, host architecture, and timestamps in the run evidence. Do not use +`latest` or another mutable tag. + +## Back Up Before Upgrade + +1. Copy Relay and Notary YAML, signed config bundles and trust anchors, secret + references, Compose overrides, source files, Redis data, audit files, and + each configured `config_trust.antirollback_state_path` to an operator-owned + backup directory. Record an absent state file as absent rather than creating + one during backup. +2. Record SHA-256 hashes and permissions for the backed-up configuration and + audit and anti-rollback files without printing secret values. Keep + version-separated v0.8.4 and v0.9.0 restore sets; never overwrite one with + the other. +3. Record the running v0.8.4 image ids, health/readiness results, and a redacted + successful Relay read plus Notary evaluation. +4. Stop the v0.8.4 services cleanly while retaining data volumes and the backup. + +## Migrate Configuration + +Apply only the changes required by the v0.9.0 changelogs and release notes: + +- Add `deployment.profile: local` to both products for this local exercise. + For a non-local deployment, select its actual `hosted_lab`, `production`, or + `evidence_grade` profile. An absent profile refuses startup. +- Remove Relay-local credential issuance configuration (`provenance` and entity + `publicschema`) and route credential workflows through Registry Notary. +- Enable the matching Relay Cargo features for any OGC API or SP DCI routes in + use and publish the OpenAPI document generated by that build. The committed + artifact describes the default build only. +- Remove hard-gate waivers and configure the required durable audit sink, + off-host shipping declaration, and acknowledgement cursor for the selected + deployment profile. +- Correct Notary claim ids, default disclosure modes, and rule source bindings + that fail the new load-time validation. Remove unknown keys from + source-adapter sidecar YAML and governed runtime targets. +- Stop calling the Relay and Notary TUF-era admin config verify, dry-run, and + apply routes, and stop invoking the removed CLI `config apply-bundle` + command. Run `registryctl bundle verify` for stateless signature and binding + verification before first boot. For genuinely absent, version-specific + antirollback state, place the signed bundle on the node and use + `--initialize-state` on the first product server boot; that boot verifies the + bundle and initializes state. Use the product's read-only + `config verify-bundle` command only after accepted state exists, for later + validation and restarts. Replace retired TUF-era fields inside `config_trust` + with current Config Bundle v1 trust fields; strict parsing rejects the old + schema. +- Review the custody of every Notary credential, access-token, and federation + signer. For production or evidence-grade only, set + `deployment.evidence.signer_custody_approved: true` after the review is + recorded; do not use the flag to waive an unreviewed custody condition. +- Move unknown Manifest keys to documented extension points. +- Add exact value-bound trust scopes for callers that send the five newly gated + trust-context headers, including + `registry:trust:source_observed_at_unix_seconds:` for + `x-registry-source-observed-at-unix-seconds`. +- Keep `registryctl.yaml` at `schema_version: registryctl/v1`, remove unknown + project keys, and set `notary.source` to `registry_data_api`, `relay`, + `fhir_source_adapter_sidecar`, or `opencrvs_dci`. +- Install the registryctl v0.9.0 binary together with its checksum-verified + `registryctl-v0.9.0-image-lock.json`. + +Run Relay and Notary `doctor` against the migrated files before starting the +services. Any unclassified startup or readiness failure stops the exercise. + +## Local Upgrade Proof + +Start the candidate services and record all of the following: + +- Relay and Notary report version `0.9.0`, health succeeds, and readiness + matches the selected deployment profile. +- A protected Relay read without credentials is denied; an authorized read + succeeds; a required filter remains principal-bound. +- Each governed trust header is ignored without its exact value-bound scope and + is honored with that scope. Audit output contains only keyed handles for + value-bearing trust scopes. +- A permitted Notary evaluation succeeds and a post-verification federation + denial records the available redacted peer/profile/purpose/JTI/subject + context without raw identifiers. +- Audit-chain verification succeeds for the local topology. Do not claim that + this proves evidence-grade shipping-cursor behavior; that is a separate gate + below. +- With Relay `audit.include_health: true`, `/healthz` produces the configured + liveness evidence while `/ready` produces no audit record. Record the + readiness HTTP response and relevant posture output instead. +- `registryctl init` uses the exact Relay and Notary digest references from the + matching image lock. Moving or removing the lock makes generation fail before + creating the target, while a runtime command on an existing project still + uses its stored pins. +- No raw secrets, credentials, subject identifiers, or trust-header values + appear in logs or recorded evidence. + +## Separate Evidence-Grade Pre-Tag Gate + +This gate is not satisfied by the local topology and has not been executed by +this prepare change. Run it for both products against the finalized candidate +before tagging, using isolated evidence-grade instances and an independent +off-host audit shipper: + +1. Configure `deployment.profile: evidence_grade`, a durable audit sink, + off-host shipping, and a shipper-maintained acknowledgement cursor. For + Notary, record the signer-custody review and set + `deployment.evidence.signer_custody_approved: true` only when that review + supports the claim. +2. Run `registryctl bundle verify` against the signed Registry Config Bundle v1 + to verify signatures and bindings without product antirollback state. Place + that bundle on the node and configure a durable, genuinely absent, + version-specific `config_trust.antirollback_state_path` for each product. +3. On the first v0.9.0 boot only, pass the product's `--initialize-state` flag + so the server verifies the bundle and initializes the absent v0.9.0 + anti-rollback state file. Capture `config.bundle_accepted`, then let the + independent shipper acknowledge the new chain tail before expecting + `/ready` to return 200. +4. After accepted state exists, run the product's read-only + `config verify-bundle` command against the accepted candidate. Restart the + same bundle without `--initialize-state` and prove the durable anti-rollback + record is reused. Present a lower sequence, or a different bundle at the + accepted sequence, and prove boot rejects it as non-monotonic without + changing the accepted state. +5. Make the acknowledgement cursor stale and prove `/ready` fails closed; then + advance a valid cursor to the live keyed tail and prove readiness recovers. + Capture readiness responses and posture/cursor evidence because `/ready` is + never written to Relay's audit stream. + +Deleting the anti-rollback file or reusing `--initialize-state` to make a +rollback pass invalidates the gate. + +## Rollback Proof + +1. Stop the candidate services without deleting volumes or audit evidence. +2. Restore the backed-up v0.8.4 configuration and secret references before + selecting the v0.8.4 images. Restore the matching v0.8.4 anti-rollback state + at its configured path while retaining the v0.9.0 state in its separate + restore set. Do not run v0.8.4 against v0.9.0-only config or state. +3. Restore the v0.8.4 image ids or digests and start the baseline topology. +4. Re-run the baseline health, readiness, protected Relay read, and Notary + evaluation checks. +5. Verify the backup hashes and prove that operator-owned source data and the + retained audit and anti-rollback files were not deleted, reinitialized, or + silently rewritten. + +The rollback succeeds only when the restored v0.8.4 topology reaches the same +baseline checks recorded before the upgrade. A failed rollback or any secret +leak is a release blocker. + +## Post-Tag Repeat + +After `v0.9.0` publishes, repeat the registryctl installation and generated +project proof using downloaded release assets. Verify `SHA256SUMS`, the image +lock's source and digest lineage, representative cosign signatures, SLSA +provenance, and the final GHCR digests before accepting the exercise as release +evidence. diff --git a/release/manifests/registry-stack-beta-11.yaml b/release/manifests/registry-stack-beta-11.yaml new file mode 100644 index 000000000..4b70d36f1 --- /dev/null +++ b/release/manifests/registry-stack-beta-11.yaml @@ -0,0 +1,36 @@ +stack: + release: beta-11 + version: 0.9.0 + source_repo: registrystack/registry-stack + source_ref: 705ed0b33490f0494cc60eb4786093e364000b4f + source_tag: v0.9.0 + status: release-candidate + +artifacts: + registry-notary: 0.9.0 + registry-notary-source-adapter-sidecar: 0.9.0 + registry-relay: 0.9.0 + registry-manifest-cli: 0.9.0 + registryctl: 0.9.0 + registryctl-image-lock: 0.9.0 + registry-lab: 0.9.0 + registry-docs: 0.9.0 + +external: + crosswalk: + repo: PublicSchema/crosswalk + ref: 1d44ec735fdc8a7c719264b339574371e8330337 + status: tested external input + registry-atlas: + repo: jeremi/registry-atlas + ref: d46f943b9fdcbab787d1d4eed114058aa43980be + status: held lab-only external input + esignet-relay-authenticator: + repo: jeremi/esignet-relay-authenticator + ref: 23cc0abb6469e0d18c8e6776f87de1691bdf40ee + status: held lab-only external input + +warnings: + - code: hosted-publication-held + classification: hosted-gate-held + detail: Source beta may ship; hosted/public announcement remains held pending separate hosted-state proof, including #330 and #198. diff --git a/release/notes/v0.9.0.md b/release/notes/v0.9.0.md new file mode 100644 index 000000000..b90da0482 --- /dev/null +++ b/release/notes/v0.9.0.md @@ -0,0 +1,119 @@ +# RegistryStack v0.9.0 + +RegistryStack v0.9.0 is the beta-11 release candidate after v0.8.4. This is a +pre-1.0 minor release because it deliberately changes Relay, Notary, Manifest, +and registryctl compatibility surfaces that cannot ship as a backward-compatible +v0.8 patch. + +## Highlights + +- Removes Relay-local credential issuance and keeps Registry Notary as the + credential issuance and verification boundary. +- Hardens Relay and Notary audit retention with single-writer chains, declared + off-host shipping, acknowledgement cursors, live shipping-health gates, and + signed-config acceptance evidence. Relay additionally gains offline + quarantine recovery for an inconsistent retained chain. +- Preserves redacted federation denial context after request verification, + including response-signing failures, without exposing raw peer, JTI, or + subject identifiers. +- Scope-gates Relay trust-context headers before PDP evaluation and records + value-bearing trust scopes only as keyed audit handles. +- Makes Manifest validation reject unknown keys and unsupported core schema + versions, backed by new fuzz targets. +- Ships registryctl with a strict release image lock built from the exact Relay + and Notary image digests produced by the tag workflow. Project generation no + longer depends on compiled stale pins, mutable image tags, or live registry + lookup. +- Parks `registry-platform-sts` outside active workspace and Lab release gates + until a release-surface consumer is named. + +## Migration From v0.8.4 + +- Add an explicit `deployment.profile` to every Relay and Notary config. + Profiles are never inferred; use `local` only for development, or select + `hosted_lab`, `production`, or `evidence_grade` to match the deployment. + Both products refuse startup when the profile is absent. +- Remove Relay `provenance` and entity `publicschema` configuration and move + credential workflows to Registry Notary. +- Enable Relay's beta attribute-release surface explicitly with the + `attribute-release` Cargo feature if it remains required. +- Enable the matching Relay Cargo features for OGC API or SP DCI deployments + and publish an OpenAPI document from that build. The committed v0.9.0 Relay + OpenAPI artifact describes the default build and no longer advertises those + opt-in routes. +- Grant the exact value-bound scope before relying on any newly gated Relay + header: `x-registry-subject-ref` uses `registry:trust:subject_ref:`, + `x-registry-relationship` uses `registry:trust:relationship:`, + `x-registry-on-behalf-of` uses `registry:trust:on_behalf_of:`, + `x-registry-credential-format` uses + `registry:trust:requested_credential_format:`, and + `x-registry-source-observed-at-unix-seconds` uses + `registry:trust:source_observed_at_unix_seconds:`. A header without its + matching scope is treated as absent. +- Remove waivers for hard deployment gates. Production and evidence-grade + deployments must correct the underlying condition. Audit shipping deployments + must declare the shipping target and configure a fresh acknowledgement cursor + where the active profile requires one. +- Correct duplicate Notary claim ids, invalid default disclosure modes, and + claim rules that refer to undeclared source bindings before startup. +- Review Notary custody for every configured credential, access-token, and + federation signer. Set + `deployment.evidence.signer_custody_approved: true` for `production` or + `evidence_grade` only after that review produces evidence; it is not a + bypass for an unreviewed software key. +- Stop calling both products' removed TUF-era `/admin/v1/config/verify`, + `/admin/v1/config/dry-run`, and `/admin/v1/config/apply` routes, and stop + invoking the removed CLI `config apply-bundle` command. First run + `registryctl bundle verify` for stateless signature and binding verification, + then place the signed Registry Config Bundle v1 on the node. For a genuinely + absent, version-specific antirollback state path, start the product server + with `--initialize-state`; that boot verifies the bundle and initializes + state. The product's read-only `config verify-bundle` command remains, but it + requires accepted state to exist, so use it only for later candidate + validation and restarts. + Replace retired TUF-era fields inside `config_trust` with the current Config + Bundle v1 trust fields because strict parsing rejects the old schema. v0.9.0 + has no hot-apply path. +- Treat each product's `config_trust.antirollback_state_path` as durable state. + Back it up with the matching release configuration, preserve separate + version-specific restore sets, and restore the matching state during + rollback. Do not delete or reinitialize state to force an older bundle to + boot. +- Remove unknown keys from source-adapter sidecar YAML and governed runtime + targets; v0.9.0 rejects them instead of silently ignoring them. +- Move Manifest data carried in unknown keys into documented extension points. +- Keep generated or hand-edited `registryctl.yaml` files on + `schema_version: registryctl/v1`, remove unknown keys, and ensure + `notary.source` is one of `registry_data_api`, `relay`, + `fhir_source_adapter_sidecar`, or `opencrvs_dci`. +- Install registryctl v0.9.0 with its matching + `registryctl-v0.9.0-image-lock.json`. Existing projects can still run from + their stored digest pins, but `registryctl init` and `registryctl add` fail + closed when the matching lock is missing or invalid. +- If `audit.include_health: true` is set on Relay, update evidence consumers to + expect `/healthz` records only. `/ready` is always excluded; capture the + readiness response, posture, and shipping-cursor evidence instead of waiting + for a readiness audit record. + +The upgrade and rollback procedure is recorded in +[`release/exercises/upgrade-v0.8.4-to-v0.9.0.md`](../exercises/upgrade-v0.8.4-to-v0.9.0.md). +Its local-profile topology and separate evidence-grade Config Bundle, +anti-rollback, signer-custody, and stale-cursor gate are explicit pre-tag runs; +this prepare change does not claim either run succeeded. + +## Release Evidence + +The tag workflow publishes binaries, three GHCR images, exact image digest +evidence, `SHA256SUMS`, the registryctl image lock, file and image SBOMs, Grype +reports, the release capsule, keyless cosign signatures for GitHub Release +assets, and release-level SLSA provenance. The image lock is classified as a +release file, not a binary, and is included in checksums, SBOM, capsule, +signature, provenance, upload, and reconciliation steps. + +Crosswalk remains pinned at +`1d44ec735fdc8a7c719264b339574371e8330337`. Registry Atlas and the eSignet +Relay authenticator remain held as Lab-only external inputs. + +The source beta can ship while hosted publication remains held. Do not announce +the hosted first-run path until the separate hosted-state proof, including #330 +and #198, passes against the published v0.9.0 assets. diff --git a/release/scripts/registry-release b/release/scripts/registry-release index ace30804a..2174a2c81 100755 --- a/release/scripts/registry-release +++ b/release/scripts/registry-release @@ -29,13 +29,19 @@ RELEASE_IMAGE_LOCK_REPOSITORIES = { } -def require_registryctl_image_lock_release_version(version: str) -> None: +def release_version_tuple(version: str) -> tuple[int, int, int] | None: if re.fullmatch(r"[0-9]+\.[0-9]+\.[0-9]+", version) is None: + return None + return tuple(int(part) for part in version.split(".")) + + +def require_registryctl_image_lock_release_version(version: str) -> None: + parsed = release_version_tuple(version) + if parsed is None: raise ValueError( "registryctl image lock release version must be semantic version text, " f"got {version!r}" ) - parsed = tuple(int(part) for part in version.split(".")) if parsed < RELEASE_IMAGE_LOCK_MINIMUM_VERSION: raise ValueError("registryctl image lock releases require version 0.9.0 or later") @@ -315,6 +321,13 @@ def validate(manifest_path: Path) -> int: errors.append("stack.source_ref must be HEAD for a draft or a 40-character commit") if source_ref == "HEAD" and status != "draft": errors.append("stack.source_ref may be HEAD only when stack.status is draft") + parsed_version = release_version_tuple(version) + if ( + parsed_version is not None + and parsed_version >= RELEASE_IMAGE_LOCK_MINIMUM_VERSION + and "registryctl-image-lock" not in artifacts + ): + errors.append("artifact registryctl-image-lock is required for version 0.9.0 or later") for name, artifact_version in sorted(artifacts.items()): if str(artifact_version) != version: errors.append(f"artifact {name} version {artifact_version} does not match stack version {version}") diff --git a/release/scripts/test_registry_release.py b/release/scripts/test_registry_release.py index 4bfcb9769..06911e6dd 100755 --- a/release/scripts/test_registry_release.py +++ b/release/scripts/test_registry_release.py @@ -161,6 +161,25 @@ def test_validate_rejects_head_for_non_draft_release(self) -> None: self.assertNotEqual(0, result.returncode) self.assertIn("stack.source_ref may be HEAD only", result.stderr) + def test_validate_requires_registryctl_image_lock_for_v0_9_and_later(self) -> None: + with tempfile.TemporaryDirectory() as tmp: + root = Path(tmp) + missing = write_manifest( + root, + version="0.9.0", + include_registryctl_image_lock=False, + ) + rejected = run_tool("validate", str(missing)) + included = write_manifest(root, version="0.9.0") + accepted = run_tool("validate", str(included)) + + self.assertNotEqual(0, rejected.returncode) + self.assertIn( + "artifact registryctl-image-lock is required for version 0.9.0 or later", + rejected.stderr, + ) + self.assertEqual(0, accepted.returncode, accepted.stderr) + def test_render_registryctl_image_lock_from_exact_release_evidence(self) -> None: with tempfile.TemporaryDirectory() as tmp: root = Path(tmp) @@ -991,9 +1010,20 @@ def write_manifest( source_tag: str | None = None, status: str = "release-candidate", version: str = "0.8.0", + include_registryctl_image_lock: bool | None = None, ) -> Path: if source_tag is None: source_tag = f"v{version}" + artifacts = { + "registry-notary": version, + "registry-relay": version, + } + if include_registryctl_image_lock is None: + include_registryctl_image_lock = tuple( + int(part) for part in version.split(".") + ) >= (0, 9, 0) + if include_registryctl_image_lock: + artifacts["registryctl-image-lock"] = version manifest = { "stack": { "release": "beta-6", @@ -1003,10 +1033,7 @@ def write_manifest( "source_tag": source_tag, "status": status, }, - "artifacts": { - "registry-notary": version, - "registry-relay": version, - }, + "artifacts": artifacts, "external": { "crosswalk": { "repo": "PublicSchema/crosswalk",