From 5182ac0b7e039ce1487d38ea00c47bd258e3efaf Mon Sep 17 00:00:00 2001 From: Jeremi Joslin Date: Sat, 4 Jul 2026 16:58:03 +0700 Subject: [PATCH 1/3] Prepare registry-stack v0.8.4 beta-10 
Signed-off-by: Jeremi Joslin --- CONTRIBUTING.md | 2 +- Cargo.lock | 54 ++++----- Cargo.toml | 46 +++---- SECURITY.md | 10 +- crates/registry-relay/CHANGELOG.md | 2 + .../evidence/civil-registry-notary.yaml | 2 +- .../shared-eligibility-registry-notary.yaml | 2 +- .../social-protection-registry-notary.yaml | 2 +- crates/registryctl/CHANGELOG.md | 2 + crates/registryctl/README.md | 10 +- crates/registryctl/install.sh | 4 +- docs/site/src/content/docs/changelog.mdx | 9 ++ .../docs/decisions/rename-2026-05-23.mdx | 2 +- .../docs/security/openssf-evidence.mdx | 6 +- .../docs/security/report-a-vulnerability.mdx | 2 +- .../src/content/docs/spec/rs-pr-notary.mdx | 6 +- .../deploy-standalone-with-own-data.mdx | 50 ++++---- .../tutorials/first-run-with-registry-lab.mdx | 8 +- ...blish-spreadsheet-secured-registry-api.mdx | 6 +- .../docs/tutorials/verify-opencrvs-claims.mdx | 8 +- docs/site/src/data/contracts.yaml | 18 +-- docs/site/src/data/docsets.yaml | 47 +++++++- docs/site/src/data/generated/contracts.json | 18 +-- docs/site/src/data/generated/docsets.json | 60 +++++++++- docs/site/src/data/generated/projects.json | 20 ++-- docs/site/src/data/generated/standards.json | 112 +++++++++--------- docs/site/src/data/projects.yaml | 20 ++-- docs/site/src/data/repo-docs.yaml | 6 +- docs/site/src/data/standards.yaml | 112 +++++++++--------- lab/CHANGELOG.md | 9 ++ lab/Dockerfile.registry-notary-openfn-sidecar | 2 +- lab/README.md | 13 +- .../coolify/notary/dhis2-health-notary.yaml | 2 +- .../notary/nagdi-agriculture-notary.yaml | 2 +- .../notary/shared-eligibility-notary.yaml | 2 +- .../notary/social-protection-notary.yaml | 2 +- lab/config/notary/civil-notary.yaml | 2 +- lab/config/notary/dhis2-health-notary.yaml | 2 +- lab/config/notary/fhir-health-notary.yaml | 2 +- .../notary/nagdi-agriculture-notary.yaml | 2 +- lab/config/notary/openfn-civil-notary.yaml | 2 +- .../notary/shared-eligibility-notary.yaml | 2 +- .../notary/social-protection-notary.yaml | 2 +- 
lab/data/civil/civil-persons.csv | 30 ++--- lab/data/health/health-facilities.parquet | Bin 3402 -> 3402 bytes .../social-protection/social-protection.xlsx | Bin 17316 -> 17311 bytes lab/scripts/release-check.sh | 32 ++++- lab/scripts/smoke-notary-client.py | 17 ++- lab/scripts/smoke-opencrvs-dci.sh | 25 +++- lab/tools/lab2-governed-config/Cargo.lock | 8 +- products/notary/CHANGELOG.md | 2 + products/notary/docs/release-notes.md | 2 + products/notary/fuzz/Cargo.lock | 20 ++-- products/platform/fuzz/Cargo.lock | 14 +-- release/VERIFY.md | 4 +- release/manifests/registry-stack-beta-10.yaml | 35 ++++++ release/manifests/registry-stack-beta-8.yaml | 2 +- release/manifests/registry-stack-beta-9.yaml | 2 +- release/notes/v0.8.4.md | 45 +++++++ 59 files changed, 593 insertions(+), 337 deletions(-) create mode 100644 release/manifests/registry-stack-beta-10.yaml create mode 100644 release/notes/v0.8.4.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 7349f09a..8cc87bfe 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -127,7 +127,7 @@ Release and lab source checks: ```bash python3 -m unittest release/scripts/test_registry_release.py -release/scripts/registry-release validate release/manifests/registry-stack-beta-9.yaml +release/scripts/registry-release validate release/manifests/registry-stack-beta-10.yaml release/scripts/registry-release audit release/manifests/import-map-2026-06-24.yaml REGISTRY_LAB_RELEASE_SOURCE_MODE=monorepo lab/scripts/check-release-source-model.sh python3 -m unittest lab/scripts/test_check_release_source_model.py diff --git a/Cargo.lock b/Cargo.lock index e8431a3f..86c7ec57 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5097,7 +5097,7 @@ checksum = "d6f6ff9a378485b298a5286656da665ba74413d36db0979633275d2e708145d4" [[package]] name = "registry-config-report" -version = "0.8.3" +version = "0.8.4" dependencies = [ "jsonschema 0.46.6", "serde", 
@@ -5106,7 +5106,7 @@ dependencies = [ [[package]] name = "registry-manifest-cli" -version = "0.8.3" +version = "0.8.4" dependencies = [ "registry-manifest-core", "serde", @@ -5117,7 +5117,7 @@ dependencies = [ [[package]] name = "registry-manifest-core" -version = "0.8.3" +version = "0.8.4" dependencies = [ "oxiri", "oxjsonld", @@ -5131,7 +5131,7 @@ dependencies = [ [[package]] name = "registry-notary" -version = "0.8.3" +version = "0.8.4" dependencies = [ "axum", "axum-test", @@ -5168,7 +5168,7 @@ dependencies = [ [[package]] name = "registry-notary-client" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "axum", @@ -5195,7 +5195,7 @@ dependencies = [ [[package]] name = "registry-notary-core" -version = "0.8.3" +version = "0.8.4" dependencies = [ "base64", "humantime-serde", @@ -5217,7 +5217,7 @@ dependencies = [ [[package]] name = "registry-notary-server" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "aws-lc-rs", @@ -5271,7 +5271,7 @@ dependencies = [ [[package]] name = "registry-notary-source-adapter-rhai" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "crosswalk-functions", @@ -5283,7 +5283,7 @@ dependencies = [ [[package]] name = "registry-notary-source-adapter-sidecar" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "axum", @@ -5315,7 +5315,7 @@ dependencies = [ [[package]] name = "registry-notary-worker-harness" -version = "0.8.3" +version = "0.8.4" dependencies = [ "libc", "serde", @@ -5327,7 +5327,7 @@ dependencies = [ [[package]] name = "registry-platform-audit" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "hmac 0.13.0", @@ -5345,7 +5345,7 @@ dependencies = [ [[package]] name = "registry-platform-authcommon" -version = "0.8.3" +version = "0.8.4" dependencies = [ "proptest", "serde", 
@@ -5359,7 +5359,7 @@ dependencies = [ [[package]] name = "registry-platform-cache" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "redis", @@ -5371,7 +5371,7 @@ dependencies = [ [[package]] name = "registry-platform-config" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "aws-lc-rs", @@ -5393,7 +5393,7 @@ dependencies = [ [[package]] name = "registry-platform-crypto" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "aws-lc-rs", @@ -5415,7 +5415,7 @@ dependencies = [ [[package]] name = "registry-platform-httpsec" -version = "0.8.3" +version = "0.8.4" dependencies = [ "axum", "http", @@ -5430,7 +5430,7 @@ dependencies = [ [[package]] name = "registry-platform-httputil" -version = "0.8.3" +version = "0.8.4" dependencies = [ "axum", "bytes", @@ -5444,7 +5444,7 @@ dependencies = [ [[package]] name = "registry-platform-oid4vci" -version = "0.8.3" +version = "0.8.4" dependencies = [ "base64", "registry-platform-crypto", @@ -5459,7 +5459,7 @@ dependencies = [ [[package]] name = "registry-platform-oidc" -version = "0.8.3" +version = "0.8.4" dependencies = [ "axum", "base64", @@ -5475,7 +5475,7 @@ dependencies = [ [[package]] name = "registry-platform-ops" -version = "0.8.3" +version = "0.8.4" dependencies = [ "fs2", "jsonschema 0.46.6", @@ -5488,14 +5488,14 @@ dependencies = [ [[package]] name = "registry-platform-pdp" -version = "0.8.3" +version = "0.8.4" dependencies = [ "serde", ] [[package]] name = "registry-platform-replay" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "getrandom 0.4.3", @@ -5507,7 +5507,7 @@ dependencies = [ [[package]] name = "registry-platform-sdjwt" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "base64", @@ -5524,7 +5524,7 @@ dependencies = [ [[package]] name = "registry-platform-sts" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "axum", 
@@ -5548,7 +5548,7 @@ dependencies = [ [[package]] name = "registry-platform-testing" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "axum", @@ -5574,7 +5574,7 @@ dependencies = [ [[package]] name = "registry-relay" -version = "0.8.3" +version = "0.8.4" dependencies = [ "arc-swap", "assert-json-diff", @@ -5649,7 +5649,7 @@ dependencies = [ [[package]] name = "registryctl" -version = "0.8.3" +version = "0.8.4" dependencies = [ "anyhow", "base64", diff --git a/Cargo.toml b/Cargo.toml index c06b7a12..b7a34919 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -36,7 +36,7 @@ exclude = [ resolver = "2" [workspace.package] -version = "0.8.3" +version = "0.8.4" edition = "2021" rust-version = "1.95" license = "Apache-2.0" 
@@ -47,28 +47,28 @@ repository = "https://github.com/registrystack/registry-stack" unsafe_code = "forbid" [workspace.dependencies] -registry-config-report = { path = "crates/registry-config-report", version = "0.8.3" } -registry-manifest-core = { path = "crates/registry-manifest-core", version = "0.8.3" } -registry-notary-client = { path = "crates/registry-notary-client", version = "0.8.3" } -registry-notary-core = { path = "crates/registry-notary-core", version = "0.8.3" } -registry-notary-server = { path = "crates/registry-notary-server", version = "0.8.3", default-features = false } -registry-notary-source-adapter-rhai = { path = "crates/registry-notary-source-adapter-rhai", version = "0.8.3" } -registry-notary-source-adapter-sidecar = { path = "crates/registry-notary-source-adapter-sidecar", version = "0.8.3" } -registry-notary-worker-harness = { path = "crates/registry-notary-worker-harness", version = "0.8.3" } -registry-platform-audit = { path = "crates/registry-platform-audit", version = "0.8.3" } -registry-platform-authcommon = { path = "crates/registry-platform-authcommon", version = "0.8.3" } -registry-platform-cache = { path = "crates/registry-platform-cache", version = "0.8.3", features = ["redis"] } -registry-platform-config = { path = "crates/registry-platform-config", version = "0.8.3" } -registry-platform-crypto = { path = "crates/registry-platform-crypto", version = "0.8.3" } -registry-platform-httpsec = { path = "crates/registry-platform-httpsec", version = "0.8.3" } -registry-platform-httputil = { path = "crates/registry-platform-httputil", version = "0.8.3" } -registry-platform-oid4vci = { path = "crates/registry-platform-oid4vci", version = "0.8.3" } -registry-platform-oidc = { path = "crates/registry-platform-oidc", version = "0.8.3" } -registry-platform-ops = { path = "crates/registry-platform-ops", version = "0.8.3" } -registry-platform-pdp = { path = "crates/registry-platform-pdp", version = "0.8.3" } -registry-platform-replay = { path = 
"crates/registry-platform-replay", version = "0.8.3", features = ["redis"] } -registry-platform-sdjwt = { path = "crates/registry-platform-sdjwt", version = "0.8.3" } -registry-platform-testing = { path = "crates/registry-platform-testing", version = "0.8.3" } +registry-config-report = { path = "crates/registry-config-report", version = "0.8.4" } +registry-manifest-core = { path = "crates/registry-manifest-core", version = "0.8.4" } +registry-notary-client = { path = "crates/registry-notary-client", version = "0.8.4" } +registry-notary-core = { path = "crates/registry-notary-core", version = "0.8.4" } +registry-notary-server = { path = "crates/registry-notary-server", version = "0.8.4", default-features = false } +registry-notary-source-adapter-rhai = { path = "crates/registry-notary-source-adapter-rhai", version = "0.8.4" } +registry-notary-source-adapter-sidecar = { path = "crates/registry-notary-source-adapter-sidecar", version = "0.8.4" } +registry-notary-worker-harness = { path = "crates/registry-notary-worker-harness", version = "0.8.4" } +registry-platform-audit = { path = "crates/registry-platform-audit", version = "0.8.4" } +registry-platform-authcommon = { path = "crates/registry-platform-authcommon", version = "0.8.4" } +registry-platform-cache = { path = "crates/registry-platform-cache", version = "0.8.4", features = ["redis"] } +registry-platform-config = { path = "crates/registry-platform-config", version = "0.8.4" } +registry-platform-crypto = { path = "crates/registry-platform-crypto", version = "0.8.4" } +registry-platform-httpsec = { path = "crates/registry-platform-httpsec", version = "0.8.4" } +registry-platform-httputil = { path = "crates/registry-platform-httputil", version = "0.8.4" } +registry-platform-oid4vci = { path = "crates/registry-platform-oid4vci", version = "0.8.4" } +registry-platform-oidc = { path = "crates/registry-platform-oidc", version = "0.8.4" } +registry-platform-ops = { path = "crates/registry-platform-ops", version = 
"0.8.4" } +registry-platform-pdp = { path = "crates/registry-platform-pdp", version = "0.8.4" } +registry-platform-replay = { path = "crates/registry-platform-replay", version = "0.8.4", features = ["redis"] } +registry-platform-sdjwt = { path = "crates/registry-platform-sdjwt", version = "0.8.4" } +registry-platform-testing = { path = "crates/registry-platform-testing", version = "0.8.4" } crosswalk-core = { git = "https://github.com/PublicSchema/crosswalk", rev = "1d44ec735fdc8a7c719264b339574371e8330337", version = "0.2.0" } crosswalk-functions = { git = "https://github.com/PublicSchema/crosswalk", rev = "1d44ec735fdc8a7c719264b339574371e8330337", version = "0.2.0" } diff --git a/SECURITY.md b/SECURITY.md index cfc6f555..f492a264 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -44,14 +44,14 @@ include cosign signatures without SLSA provenance. For each signed release asset, download three files from the GitHub Release: -- The asset, for example `registryctl-v0.8.3-linux-amd64` -- The matching signature, for example `registryctl-v0.8.3-linux-amd64.sig` -- The matching certificate, for example `registryctl-v0.8.3-linux-amd64.pem` +- The asset, for example `registryctl-v0.8.4-linux-amd64` +- The matching signature, for example `registryctl-v0.8.4-linux-amd64.sig` +- The matching certificate, for example `registryctl-v0.8.4-linux-amd64.pem` Then verify the asset: ```bash -asset=registryctl-v0.8.3-linux-amd64 +asset=registryctl-v0.8.4-linux-amd64 cosign verify-blob \ --certificate "${asset}.pem" \ @@ -69,7 +69,7 @@ For releases with SLSA provenance, download the provenance asset and verify the artifact against the release tag: ```bash -tag=v0.8.3 +tag=v0.8.4 asset=registryctl-${tag}-linux-amd64 provenance=registry-stack-${tag}-release-provenance.intoto.jsonl diff --git a/crates/registry-relay/CHANGELOG.md b/crates/registry-relay/CHANGELOG.md index 2740eb47..6b62a552 100644 --- a/crates/registry-relay/CHANGELOG.md +++ b/crates/registry-relay/CHANGELOG.md 
@@ -2,6 +2,8 @@ ## Unreleased +## 0.8.4 - 2026-07-04 + ### Added - `registry-relay --version` and `registry-relay -V` output so the Relay binary diff --git a/crates/registry-relay/demo/decentralized/config/evidence/civil-registry-notary.yaml b/crates/registry-relay/demo/decentralized/config/evidence/civil-registry-notary.yaml index 049ff921..4dbd34ab 100644 --- a/crates/registry-relay/demo/decentralized/config/evidence/civil-registry-notary.yaml +++ b/crates/registry-relay/demo/decentralized/config/evidence/civil-registry-notary.yaml @@ -14,7 +14,7 @@ auth: scopes: - civil_registry:evidence_verification bearer_tokens: - - id: civil_evidence_client + - id: civil_evidence_client_bearer fingerprint: provider: env name: CIVIL_EVIDENCE_CLIENT_BEARER_HASH diff --git a/crates/registry-relay/demo/decentralized/config/evidence/shared-eligibility-registry-notary.yaml b/crates/registry-relay/demo/decentralized/config/evidence/shared-eligibility-registry-notary.yaml index 95fc15d7..6dd327b7 100644 --- a/crates/registry-relay/demo/decentralized/config/evidence/shared-eligibility-registry-notary.yaml +++ b/crates/registry-relay/demo/decentralized/config/evidence/shared-eligibility-registry-notary.yaml @@ -16,7 +16,7 @@ auth: - social_protection_registry:evidence_verification - health_registry:evidence_verification bearer_tokens: - - id: shared_evidence_client + - id: shared_evidence_client_bearer fingerprint: provider: env name: SHARED_EVIDENCE_CLIENT_BEARER_HASH diff --git a/crates/registry-relay/demo/decentralized/config/evidence/social-protection-registry-notary.yaml b/crates/registry-relay/demo/decentralized/config/evidence/social-protection-registry-notary.yaml index e1c6f610..4219149c 100644 --- a/crates/registry-relay/demo/decentralized/config/evidence/social-protection-registry-notary.yaml +++ b/crates/registry-relay/demo/decentralized/config/evidence/social-protection-registry-notary.yaml 
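Review bot: The bearer token `id` changes from `civil_evidence_client` to `civil_evidence_client_bearer` while its fingerprint source `CIVIL_EVIDENCE_CLIENT_BEARER_HASH` is left as is, and neither the commit message nor the changelog lines visible in this part of the patch mention the rename. The same edit is made in `shared-eligibility-registry-notary.yaml` (`shared_evidence_client_bearer`) and `social-protection-registry-notary.yaml` (`social_protection_evidence_client_bearer`). The visible lines do not show whether the notary records this id as the caller identity in audit output or binds the fingerprint to it; if either is true, existing demo environments would need regenerated hashes, and audit records would show a new principal name after the upgrade. I would confirm that and add a comment above each entry, for example `# id renamed in 0.8.4; regenerate the *_BEARER_HASH value if the fingerprint is bound to the id`, plus a matching changelog line. The `auth:` block starts above the hunk and continues below it.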
@@ -14,7 +14,7 @@ auth: scopes: - social_protection_registry:evidence_verification bearer_tokens: - - id: social_protection_evidence_client + - id: social_protection_evidence_client_bearer fingerprint: provider: env name: SOCIAL_EVIDENCE_CLIENT_BEARER_HASH diff --git a/crates/registryctl/CHANGELOG.md b/crates/registryctl/CHANGELOG.md index 1b7f0d1d..520ee20a 100644 --- a/crates/registryctl/CHANGELOG.md +++ b/crates/registryctl/CHANGELOG.md @@ -6,6 +6,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## [Unreleased] +## [0.8.4] - 2026-07-04 + ### Added - `registryctl init notary --source-kind fhir-sidecar` - scaffold a standalone Notary diff --git a/crates/registryctl/README.md b/crates/registryctl/README.md index fdd60cf0..ce5287be 100644 --- a/crates/registryctl/README.md +++ b/crates/registryctl/README.md @@ -5,7 +5,7 @@ Install a pinned release without cloning this repo: ```sh -curl -fsSL https://raw.githubusercontent.com/registrystack/registry-stack/v0.8.3/crates/registryctl/install.sh | sh +curl -fsSL https://raw.githubusercontent.com/registrystack/registry-stack/v0.8.4/crates/registryctl/install.sh | sh ``` Then create and start your first secured spreadsheet API: 
@@ -44,16 +44,16 @@ source-adapter contract and defaults the sidecar URL to `http://host.docker.internal:4360`. It does not start a FHIR server or the FHIR sidecar for you. -The installer defaults to `v0.8.3`. To install a different pinned release, set +The installer defaults to `v0.8.4`. To install a different pinned release, set `REGISTRYCTL_VERSION`: ```sh -REGISTRYCTL_VERSION=vX.Y.Z curl -fsSL https://raw.githubusercontent.com/registrystack/registry-stack/v0.8.3/crates/registryctl/install.sh | sh +REGISTRYCTL_VERSION=vX.Y.Z curl -fsSL https://raw.githubusercontent.com/registrystack/registry-stack/v0.8.4/crates/registryctl/install.sh | sh ``` -Prebuilt binaries are published for the `v0.8.3` stack release on Linux x86_64, +Prebuilt binaries are published for the `v0.8.4` stack release on Linux x86_64, Linux arm64, and macOS arm64. On other platforms, install from source with -`cargo install --git https://github.com/registrystack/registry-stack --tag v0.8.3 registryctl --locked`. +`cargo install --git https://github.com/registrystack/registry-stack --tag v0.8.4 registryctl --locked`. ## Update checks diff --git a/crates/registryctl/install.sh b/crates/registryctl/install.sh index 8fd1b46c..09bc84e9 100755 --- a/crates/registryctl/install.sh +++ b/crates/registryctl/install.sh @@ -2,7 +2,7 @@ set -euo pipefail repo="registrystack/registry-stack" -default_version="v0.8.3" +default_version="v0.8.4" version="${REGISTRYCTL_VERSION:-$default_version}" install_dir="${REGISTRYCTL_INSTALL_DIR:-$HOME/.local/bin}" @@ -11,7 +11,7 @@ usage() { Install registryctl. Environment: - REGISTRYCTL_VERSION Pinned release tag to install. Defaults to v0.8.3. + REGISTRYCTL_VERSION Pinned release tag to install. Defaults to v0.8.4. REGISTRYCTL_INSTALL_DIR Install directory. Defaults to ~/.local/bin. EOF } diff --git a/docs/site/src/content/docs/changelog.mdx b/docs/site/src/content/docs/changelog.mdx index e2bded48..f502d534 100644 --- a/docs/site/src/content/docs/changelog.mdx 
+++ b/docs/site/src/content/docs/changelog.mdx @@ -13,6 +13,15 @@ standards_referenced: [] This page records notable changes to the documentation site and the product versions it documents. Per-product release notes live in each product repository; the entries below link to the relevant product pages on this site rather than duplicating release notes. +## 2026-07-04 + +Documentation updates prepared for the v0.8.4 beta-10 release: + +- Advanced the active monorepo docs and source citations to RegistryStack `v0.8.4`. +- Added the `v0.8.4` archived docset pinned to the beta-10 manifest candidate source ref. +- Updated registryctl install examples and current deployment tutorials to the `v0.8.4` release tag. +- Recorded v0.8.3 as the first provenance-bearing root release while keeping hosted/public announcement as a separate gate. + ## 2026-06-26 Documentation updates prepared for the v0.8.3 security and release-trust patch: diff --git a/docs/site/src/content/docs/decisions/rename-2026-05-23.mdx b/docs/site/src/content/docs/decisions/rename-2026-05-23.mdx index 100a2d41..21446b8f 100644 --- a/docs/site/src/content/docs/decisions/rename-2026-05-23.mdx +++ b/docs/site/src/content/docs/decisions/rename-2026-05-23.mdx 
@@ -156,7 +156,7 @@ The registry-lab evidence packet notes that functional identifiers baked into cr log correlation, and spec URLs (`decentralized-demo-correlation-001`, `decentralized-demo-static-publication`) are intentionally stable and do not require change when the directory is renamed. -Docstrings and comments are residual and could be updated to say "[Registry Lab](https://github.com/registrystack/registry-stack/tree/v0.8.3/lab) demo" +Docstrings and comments are residual and could be updated to say "[Registry Lab](https://github.com/registrystack/registry-stack/tree/v0.8.4/lab) demo" without affecting machine contracts. `projects.yaml` `rename_status`: "Local checkout renamed to `registry-lab`; some scripts and fixtures may still reference the old `decentralized-evidence-demo` name." diff --git a/docs/site/src/content/docs/security/openssf-evidence.mdx b/docs/site/src/content/docs/security/openssf-evidence.mdx index 0e596caa..a2a49427 100644 --- a/docs/site/src/content/docs/security/openssf-evidence.mdx +++ b/docs/site/src/content/docs/security/openssf-evidence.mdx 
@@ -24,7 +24,7 @@ For release signature and provenance verification commands, use | Are GitHub Release assets signed? | Yes, for release assets produced after keyless cosign signing landed. Each signed asset has a matching `.sig` and `.pem` file. | [`SECURITY.md`](https://github.com/registrystack/registry-stack/blob/main/SECURITY.md) and [release workflow](https://github.com/registrystack/registry-stack/blob/main/.github/workflows/release.yml) | | Is `v0.8.0` signed? | No. The `v0.8.0` prerelease was published before release-asset signing was added and has not been backfilled with `.sig` and `.pem` assets. | [GitHub Release assets](https://github.com/registrystack/registry-stack/releases/tag/v0.8.0) | | Are release Git tags signed? | Not yet. The release workflow checks source-tag consistency, but Git tag objects are not yet GPG-, SSH-, or Sigstore-signed. | [Release workflow](https://github.com/registrystack/registry-stack/blob/main/.github/workflows/release.yml) | -| Are provenance attestations published? | Enabled for tag-triggered releases produced by the current workflow. `v0.8.3` is the first planned provenance-bearing root release. Existing releases produced before this workflow change, including `v0.8.2`, may not include `.intoto.jsonl` provenance assets. | [Release workflow](https://github.com/registrystack/registry-stack/blob/main/.github/workflows/release.yml) and [`release/VERIFY.md`](https://github.com/registrystack/registry-stack/blob/main/release/VERIFY.md) | +| Are provenance attestations published? | Enabled for tag-triggered releases produced by the current workflow. `v0.8.3` is the first provenance-bearing root release. Existing releases produced before this workflow change, including `v0.8.2`, may not include `.intoto.jsonl` provenance assets. 
| [Release workflow](https://github.com/registrystack/registry-stack/blob/main/.github/workflows/release.yml) and [`release/VERIFY.md`](https://github.com/registrystack/registry-stack/blob/main/release/VERIFY.md) | ## Scorecard 
@@ -59,7 +59,7 @@ Current user-visible status: | Vulnerability reporting | Private reporting policy is published. | [`SECURITY.md`](https://github.com/registrystack/registry-stack/blob/main/SECURITY.md) | | CI and tests | CI runs on the public repository. | [CI workflow](https://github.com/registrystack/registry-stack/blob/main/.github/workflows/ci.yml) | | Release process | Releases are built by the tag-driven release workflow and checked against release manifests. | [Release workflow](https://github.com/registrystack/registry-stack/blob/main/.github/workflows/release.yml) and [release manifests](https://github.com/registrystack/registry-stack/tree/main/release/manifests) | -| Signed releases | Newly produced release assets are signed with keyless cosign and include `.sig` and `.pem` files. Tag-triggered releases produced by the current workflow also include release-level SLSA provenance. `v0.8.0` is not signed unless it is backfilled later, and `v0.8.2` does not include tag-bound SLSA provenance unless a separate backfill decision is made. `v0.8.3` is expected to exercise the provenance path. | [`release/VERIFY.md`](https://github.com/registrystack/registry-stack/blob/main/release/VERIFY.md) and [GitHub Releases](https://github.com/registrystack/registry-stack/releases) | +| Signed releases | Newly produced release assets are signed with keyless cosign and include `.sig` and `.pem` files. Tag-triggered releases produced by the current workflow also include release-level SLSA provenance. `v0.8.0` is not signed unless it is backfilled later, and `v0.8.2` does not include tag-bound SLSA provenance unless a separate backfill decision is made. `v0.8.3` exercised the provenance path; `v0.8.4` is expected to use the same tag-triggered workflow path. | [`release/VERIFY.md`](https://github.com/registrystack/registry-stack/blob/main/release/VERIFY.md) and [GitHub Releases](https://github.com/registrystack/registry-stack/releases) | | Signed version tags | Not implemented. 
Git tag objects are not yet cryptographically signed. | [Release workflow](https://github.com/registrystack/registry-stack/blob/main/.github/workflows/release.yml) | | Dependency policy | Dependency-deny configuration is present; root CI enforcement is tracked separately. | [`deny.toml`](https://github.com/registrystack/registry-stack/blob/main/deny.toml) | | Source release evidence | Releases include release assets and generated release capsules. Later signed releases add signature assets, and tag-triggered releases produced after the provenance workflow change add `.intoto.jsonl` provenance. | [GitHub Releases](https://github.com/registrystack/registry-stack/releases) | @@ -79,7 +79,7 @@ legacy imported product controls. | Release artifacts | Checksums, image digests, image SBOMs, vulnerability scans, release capsules | Published for `v0.8.0`; signature assets are release-workflow gated | | Signed releases | Keyless cosign signing for GitHub Release assets with `.sig` and `.pem` verification material | Implemented for newly produced release assets | | Signed version tags | Cryptographic Git tag signatures | Not implemented | -| Provenance attestations | Release-level SLSA provenance for non-signature GitHub Release assets | Workflow enabled; v0.8.3 expected to be first provenance-bearing root release | +| Provenance attestations | Release-level SLSA provenance for non-signature GitHub Release assets | Workflow enabled; v0.8.3 is the first provenance-bearing root release | ## Legacy product controls diff --git a/docs/site/src/content/docs/security/report-a-vulnerability.mdx b/docs/site/src/content/docs/security/report-a-vulnerability.mdx index 30c57f96..76eda8c0 100644 --- a/docs/site/src/content/docs/security/report-a-vulnerability.mdx +++ b/docs/site/src/content/docs/security/report-a-vulnerability.mdx 
@@ -65,7 +65,7 @@ For each signed release asset, download the asset, its `.sig` signature, and its certificate from the GitHub Release, then verify: ```bash -asset=registryctl-v0.8.3-linux-amd64 # replace with the asset you downloaded +asset=registryctl-v0.8.4-linux-amd64 # replace with the asset you downloaded cosign verify-blob \ --certificate "${asset}.pem" \ diff --git a/docs/site/src/content/docs/spec/rs-pr-notary.mdx b/docs/site/src/content/docs/spec/rs-pr-notary.mdx index 10b62917..72a020a1 100644 --- a/docs/site/src/content/docs/spec/rs-pr-notary.mdx +++ b/docs/site/src/content/docs/spec/rs-pr-notary.mdx 
@@ -268,9 +268,9 @@ This specification is `verified`: every requirement describes shipped behavior a - [Evidence issuance, end to end](../../explanation/evidence-issuance/) walks the claim pipeline, the four consume paths, and the selective-disclosure mechanics that Sections 4 through 9 make precise. - The [standards register](../../reference/standards/) records the adoption mode for SD-JWT VC, OID4VCI, CCCEV, and the other standards listed in `standards_referenced`, including the profiled-subset claims this document refers to. - [RS-ARC-G](../rs-arc-g/) Section 3 and Section 5 hold the architectural invariants (REQ-ARC-G-004/007/008/009) that this document refines. -- Delegated self-attestation access modes, source capabilities, stored metadata, and denial reasons are implemented in [`model.rs`](https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-core/src/model.rs). -- Delegated relationship configuration validation is implemented in [`config.rs`](https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-core/src/config.rs). -- Request context derivation, stored-evaluation revalidation, OID4VCI delegated-token rejection, explicit target binding, and proof-gated source reads are implemented in [`api.rs`](https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-server/src/api.rs) and [`runtime.rs`](https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-server/src/runtime.rs). +- Delegated self-attestation access modes, source capabilities, stored metadata, and denial reasons are implemented in [`model.rs`](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/model.rs). +- Delegated relationship configuration validation is implemented in [`config.rs`](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/config.rs). 
+- Request context derivation, stored-evaluation revalidation, OID4VCI delegated-token rejection, explicit target binding, and proof-gated source reads are implemented in [`api.rs`](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/api.rs) and [`runtime.rs`](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/runtime.rs). ## Next diff --git a/docs/site/src/content/docs/tutorials/deploy-standalone-with-own-data.mdx b/docs/site/src/content/docs/tutorials/deploy-standalone-with-own-data.mdx index 7e8a9aa9..677ff253 100644 --- a/docs/site/src/content/docs/tutorials/deploy-standalone-with-own-data.mdx +++ b/docs/site/src/content/docs/tutorials/deploy-standalone-with-own-data.mdx @@ -37,7 +37,7 @@ It is not a formal production deployment profile. Deployment-profile formalization (Compose and Kubernetes shapes, sizing, and a hardening baseline) is tracked separately and is not part of this guide. Before exposing any deployment beyond local evaluation, work through the -[Relay operations runbook](https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/ops.md) +[Relay operations runbook](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/ops.md) production hardening checklist. ## Before you start 
@@ -55,22 +55,22 @@ Replace every `example.gov` value, dataset id, field name, and credential with y ## Get the Registry Relay image Registry Relay release images publish to `ghcr.io/registrystack/registry-relay` from stable -release tags such as `v0.8.3`. +release tags such as `v0.8.4`. Consume a version tag or an image digest, not `latest`, so your deployment is reproducible and you can roll back. The published versions are listed on the [Relay releases page](https://github.com/registrystack/registry-stack/releases). -The current RegistryStack release is `v0.8.3`, so the examples below use that tag. +The current RegistryStack release is `v0.8.4`, so the examples below use that tag. Replace it with a newer release tag when you intentionally upgrade. For the image signing policy, see the Relay -[security assurance notes](https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/security-assurance.md) -and the [build and release section](https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/ops.md#build-and-release) +[security assurance notes](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/security-assurance.md) +and the [build and release section](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/ops.md#build-and-release) of the operations runbook. Pull the version you intend to run: ```sh -docker pull ghcr.io/registrystack/registry-relay:v0.8.3 +docker pull ghcr.io/registrystack/registry-relay:v0.8.4 ``` The container runs `registry-relay --config /etc/registry-relay/config.yaml` by default. 
@@ -78,7 +78,7 @@ You can override the config path with the `--config` flag or the `REGISTRY_RELAY environment variable. If you build from source instead of consuming a published image, follow the -[build and release section](https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/ops.md#build-and-release) +[build and release section](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/ops.md#build-and-release) of the operations runbook; the source build needs the pinned sibling checkouts it documents. ## Lay out the deployment directory @@ -99,9 +99,9 @@ Mount the data directory read-only and keep a separate writable cache directory; ## Write the minimal Relay config Start from the canonical -[`config/example.yaml`](https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/config/example.yaml) +[`config/example.yaml`](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/config/example.yaml) and the -[configuration guide](https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/configuration.md), +[configuration guide](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/configuration.md), which is the authoritative reference for every block. A minimal deployment needs five blocks: `server` (a listener), `catalog` (public metadata base), `auth` (one auth mode), `audit` (a sink and hash secret), and at least one 
@@ -224,7 +224,7 @@ Key points the configuration guide spells out in full: For aggregates, relationships, OIDC auth, Postgres sources, live materialization, and provenance signing, follow the corresponding sections of the -[configuration guide](https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/configuration.md). +[configuration guide](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/configuration.md). ## Provision the API-key fingerprint @@ -237,7 +237,7 @@ The Relay binary generates the raw key and fingerprint together. Run it through the same container image, passing the `id` from your `api_keys` entry: ```sh -docker run --rm ghcr.io/registrystack/registry-relay:v0.8.3 generate-api-key --id program_system +docker run --rm ghcr.io/registrystack/registry-relay:v0.8.4 generate-api-key --id program_system ``` The command emits three shell-friendly lines: @@ -266,7 +266,7 @@ restart or roll Relay so it resolves the new fingerprint. For governed rotation, publish the new fingerprint under a new immutable or versioned reference, update `fingerprint.name` or `fingerprint.path`, and apply that signed config change with the new binary. -The [API keys section](https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/configuration.md#api-keys) +The [API keys section](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/configuration.md#api-keys) of the configuration guide documents the underlying contract. ## Run the container @@ -293,7 +293,7 @@ docker run --rm \ -v "$(pwd)/cache:/var/lib/registry-relay/cache" \ -e PROGRAM_SYSTEM_API_KEY_HASH="sha256:" \ -e REGISTRY_RELAY_AUDIT_HASH_SECRET="$REGISTRY_RELAY_AUDIT_HASH_SECRET" \ - ghcr.io/registrystack/registry-relay:v0.8.3 + ghcr.io/registrystack/registry-relay:v0.8.4 ``` Relay exits non-zero if config parsing or validation fails, if a required API-key fingerprint 
@@ -370,7 +370,7 @@ If you point API tooling at the deployment, note that `/openapi.json` is auth-ga If `/ready` returns `503`, the source failed to ingest; check the container logs for the failing table and the declared schema. The -[readiness and probes section](https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/ops.md) +[readiness and probes section](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/ops.md) of the operations runbook explains the readiness contract. ## Add a standalone Registry Notary alongside @@ -388,15 +388,15 @@ layer; the reference pages at the [end of this section](#go-deeper-on-notary) co ### Get the Registry Notary image Registry Notary release images publish to `ghcr.io/registrystack/registry-notary` from stable -release tags such as `v0.8.3`. +release tags such as `v0.8.4`. As with Relay, consume a version tag or an image digest, not `latest`. The published versions are listed on the [Notary releases page](https://github.com/registrystack/registry-stack/releases). -The current RegistryStack release is `v0.8.3`, so the examples below use that tag. +The current RegistryStack release is `v0.8.4`, so the examples below use that tag. Replace it with a newer release tag when you intentionally upgrade. ```sh -docker pull ghcr.io/registrystack/registry-notary:v0.8.3 +docker pull ghcr.io/registrystack/registry-notary:v0.8.4 ``` The container listens on port 8080 and runs @@ -423,7 +423,7 @@ read scope: Generate the key material the same way as before, with the matching `--id`: ```sh -docker run --rm ghcr.io/registrystack/registry-relay:v0.8.3 generate-api-key --id notary_source +docker run --rm ghcr.io/registrystack/registry-relay:v0.8.4 generate-api-key --id notary_source ``` Store the emitted `fingerprint` for the Relay container's `NOTARY_SOURCE_API_KEY_HASH` 
@@ -455,7 +455,7 @@ docker run --rm \ -e PROGRAM_SYSTEM_API_KEY_HASH="sha256:" \ -e NOTARY_SOURCE_API_KEY_HASH="sha256:" \ -e REGISTRY_RELAY_AUDIT_HASH_SECRET="$REGISTRY_RELAY_AUDIT_HASH_SECRET" \ - ghcr.io/registrystack/registry-relay:v0.8.3 + ghcr.io/registrystack/registry-relay:v0.8.4 ``` On this network, Notary reaches Relay at `http://relay:8080`; the host keeps using @@ -468,7 +468,7 @@ evaluate claims) with the same fingerprint pattern as Relay. Generate a caller key with the Notary CLI: ```sh -docker run --rm ghcr.io/registrystack/registry-notary:v0.8.3 hash-api-key --print-secret +docker run --rm ghcr.io/registrystack/registry-notary:v0.8.4 hash-api-key --print-secret ``` The command prints two lines: `api_key=` and @@ -573,7 +573,7 @@ docker run --rm \ -e REGISTRY_NOTARY_API_KEY_HASH="sha256:" \ -e REGISTRY_NOTARY_AUDIT_HASH_SECRET="$REGISTRY_NOTARY_AUDIT_HASH_SECRET" \ -e RELAY_SOURCE_TOKEN="$RELAY_SOURCE_TOKEN" \ - ghcr.io/registrystack/registry-notary:v0.8.3 + ghcr.io/registrystack/registry-notary:v0.8.4 ``` Check liveness: @@ -592,7 +592,7 @@ docker run --rm \ -e REGISTRY_NOTARY_API_KEY_HASH="sha256:" \ -e REGISTRY_NOTARY_AUDIT_HASH_SECRET="$REGISTRY_NOTARY_AUDIT_HASH_SECRET" \ -e RELAY_SOURCE_TOKEN="$RELAY_SOURCE_TOKEN" \ - ghcr.io/registrystack/registry-notary:v0.8.3 \ + ghcr.io/registrystack/registry-notary:v0.8.4 \ doctor --config /etc/registry-notary/config.yaml --format json ``` 
@@ -618,16 +618,16 @@ Notary's own operator documentation is the authoritative own-keys path: designing source connectors and claim boundaries beyond the single claim above. The -[Operating with Registry Notary section](https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/ops.md#operating-with-registry-notary) +[Operating with Registry Notary section](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/ops.md#operating-with-registry-notary) of the Relay runbook documents the credential handshake the two services use, which the steps above followed: a narrowly scoped Relay key for the Notary source caller, a separate Notary caller key, and `_env` secret indirection on both sides so raw tokens stay out of YAML. ## Next -- [Relay configuration guide](https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/configuration.md): +- [Relay configuration guide](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/configuration.md): the full block-by-block reference for aggregates, OIDC, Postgres, and provenance. -- [Relay operations runbook](https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/ops.md): +- [Relay operations runbook](https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/ops.md): the production hardening checklist to work through before exposing the deployment. - [Consultation flow](../../explanation/consultation-flow/): how Relay binds a source, applies scopes, serves entity routes, and audits every request. diff --git a/docs/site/src/content/docs/tutorials/first-run-with-registry-lab.mdx b/docs/site/src/content/docs/tutorials/first-run-with-registry-lab.mdx index fa6df922..a916c0c1 100644 --- a/docs/site/src/content/docs/tutorials/first-run-with-registry-lab.mdx +++ b/docs/site/src/content/docs/tutorials/first-run-with-registry-lab.mdx 
@@ -117,7 +117,7 @@ The default topology runs three Relay instances (civil `4311`, social protection `4323`), live Postgres and Zitadel services, the source adapter sidecar, the static metadata publisher (`4331`), and a profile-gated narrated demo client. For the full service inventory with host ports and network layout, see the -[Registry Lab directory](https://github.com/registrystack/registry-stack/tree/v0.8.3/lab). +[Registry Lab directory](https://github.com/registrystack/registry-stack/tree/v0.8.4/lab). ## Expected output @@ -225,7 +225,7 @@ This scenario exercises the static metadata publisher (port `4331`), the shared What this proves: the Notary fans out to all three Relay services using per-source bearer tokens configured in -[`config/notary/shared-eligibility-notary.yaml`](https://github.com/registrystack/registry-stack/blob/v0.8.3/lab/config/notary/shared-eligibility-notary.yaml). +[`config/notary/shared-eligibility-notary.yaml`](https://github.com/registrystack/registry-stack/blob/v0.8.4/lab/config/notary/shared-eligibility-notary.yaml). The result carries `provenance.used.source_count >= 2` once at least two sources contribute. A single Notary aggregates evidence across independently operated registries and reports how many authorities contributed, without merging or exposing the underlying rows. @@ -256,7 +256,7 @@ issuer and key configuration, and the wallet-driven OID4VCI alternative, see [Registry Notary](../../products/registry-notary/). The lab also drives an end-to-end citizen wallet flow through the `just citizen-oid4vci-login`, `just citizen-oid4vci-code`, `just citizen-oid4vci-token`, and `just citizen-oid4vci-report` recipes; see the -[Registry Lab directory](https://github.com/registrystack/registry-stack/tree/v0.8.3/lab) for that path and its extra +[Registry Lab directory](https://github.com/registrystack/registry-stack/tree/v0.8.4/lab) for that path and its extra services. ## Cross-authority evaluation 
@@ -372,7 +372,7 @@ just down ## Next -- [Registry Lab](https://github.com/registrystack/registry-stack/tree/v0.8.3/lab): the full demo topology, fixture data +- [Registry Lab](https://github.com/registrystack/registry-stack/tree/v0.8.4/lab): the full demo topology, fixture data contract, and per-scenario tutorials. - [Registry Relay](../../products/registry-relay/): route reference, auth scopes, and configuration guide. diff --git a/docs/site/src/content/docs/tutorials/publish-spreadsheet-secured-registry-api.mdx b/docs/site/src/content/docs/tutorials/publish-spreadsheet-secured-registry-api.mdx index 5b6f3af3..7df2c038 100644 --- a/docs/site/src/content/docs/tutorials/publish-spreadsheet-secured-registry-api.mdx +++ b/docs/site/src/content/docs/tutorials/publish-spreadsheet-secured-registry-api.mdx @@ -25,7 +25,7 @@ allowed request, and inspect the contract Registry Stack generated. outcome="A protected local API over a benefits workbook, with anonymous access denied and an authorized record read succeeding." time="About 10 minutes after Docker is installed" level="Local single-node" - prerequisites={['registryctl 0.8.3+', 'A Docker Compose provider', 'curl']} + prerequisites={['registryctl 0.8.4+', 'A Docker Compose provider', 'curl']} /> This tutorial uses synthetic data and local demo credentials. @@ -36,7 +36,7 @@ Do not use the generated local keys in production. Install `registryctl` without cloning the repository: ```sh -curl -fsSL https://raw.githubusercontent.com/registrystack/registry-stack/v0.8.3/crates/registryctl/install.sh | REGISTRYCTL_VERSION=v0.8.3 sh +curl -fsSL https://raw.githubusercontent.com/registrystack/registry-stack/v0.8.4/crates/registryctl/install.sh | REGISTRYCTL_VERSION=v0.8.4 sh registryctl --version ``` 
@@ -242,7 +242,7 @@ stayed where it started, and only an authorized, scoped request got an answer ou | Symptom | Cause | Resolution | | --- | --- | --- | | `registryctl` is not found | The install directory is not on `PATH`. | Add the directory printed by the installer, usually `~/.local/bin`, to `PATH`. | -| The installer reports an unsupported platform | No binary is published for that OS or CPU. | Install Rust with [`rustup`](https://rustup.rs), then run `cargo install --git https://github.com/registrystack/registry-stack --tag v0.8.3 registryctl --locked`. | +| The installer reports an unsupported platform | No binary is published for that OS or CPU. | Install Rust with [`rustup`](https://rustup.rs), then run `cargo install --git https://github.com/registrystack/registry-stack --tag v0.8.4 registryctl --locked`. | | `registryctl start` cannot find Docker | Docker or another Compose provider is not installed or running. | Start Docker Desktop, OrbStack, Colima, Podman, or your supported provider, then run `registryctl start` again. | | `registryctl start` fails and the container log shows `failed to parse config YAML ... unknown field` | The locally cached container image does not match the digest-pinned image in the generated `compose.yaml`. | Run `docker compose pull` in the project directory, then `registryctl start` again. | | A row read returns `403 Forbidden` | The key is valid but lacks the row-read scope. | Use `ROW_READER_RAW` for row reads. | diff --git a/docs/site/src/content/docs/tutorials/verify-opencrvs-claims.mdx b/docs/site/src/content/docs/tutorials/verify-opencrvs-claims.mdx index ad7d5e66..f663b522 100644 --- a/docs/site/src/content/docs/tutorials/verify-opencrvs-claims.mdx +++ b/docs/site/src/content/docs/tutorials/verify-opencrvs-claims.mdx 
@@ -30,7 +30,7 @@ Estimated time: about 10 minutes after you have credentials and a test UIN. You need: - Docker with Compose v2.20 or later. -- `registryctl` 0.8.3 or newer, with `init notary --source-kind opencrvs-dci` support. +- `registryctl` 0.8.4 or newer, with `init notary --source-kind opencrvs-dci` support. - `curl` and `jq` for the explicit evaluation check. - OpenCRVS OAuth client credentials for a test environment. - A known test UIN for the live smoke test. @@ -38,7 +38,7 @@ You need: Install `registryctl` if you have not already: ```sh -curl -fsSL https://raw.githubusercontent.com/registrystack/registry-stack/v0.8.3/crates/registryctl/install.sh | REGISTRYCTL_VERSION=v0.8.3 sh +curl -fsSL https://raw.githubusercontent.com/registrystack/registry-stack/v0.8.4/crates/registryctl/install.sh | REGISTRYCTL_VERSION=v0.8.4 sh registryctl --version ``` @@ -70,7 +70,7 @@ DCI_CLIENT_SECRET= Keep `secrets/local.env` private. Use the exact `DCI_CLIENT_ID` and `DCI_CLIENT_SECRET` names. -The 0.8.3 generator does not read `OPENCRVS_DCI_*` aliases or a DCI SHA secret. +The 0.8.4 generator does not read `OPENCRVS_DCI_*` aliases or a DCI SHA secret. Do not paste bearer tokens into the file. Registry Notary uses the OAuth client-credentials settings to fetch a source token. @@ -114,7 +114,7 @@ Start the generated stack: registryctl start ``` -On Apple silicon, v0.8.3 images are published for linux/amd64. +On Apple silicon, v0.8.4 images are published for linux/amd64. If Docker reports that no linux/arm64 manifest exists, start with the amd64 platform override: ```sh diff --git a/docs/site/src/data/contracts.yaml b/docs/site/src/data/contracts.yaml index 6f074e70..0978cfa9 100644 --- a/docs/site/src/data/contracts.yaml +++ b/docs/site/src/data/contracts.yaml 
@@ -5,7 +5,7 @@
 surface: Shared Rust crate APIs for auth helpers, OIDC verification, audit envelopes and sinks, HTTP security middleware, outbound HTTP policy, Ed25519 JWK and DID helpers, SD-JWT VC issuance, and testing fixtures.
 source_of_truth:
 label: Registry Platform crates
- url: https://github.com/registrystack/registry-stack/tree/v0.8.3/crates
+ url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates
 consumer_note: Relay, Notary, and future registry services should consume these primitives instead of reimplementing security or operational behavior locally.
 - id: registry-relay.openapi
 name: Registry Relay OpenAPI
@@ -14,7 +14,7 @@
 surface: "Protected Registry Data API, metadata API, evidence offering discovery, aggregates, health and readiness, plus optional standards adapters (OGC API Features, OGC API Records, OGC API EDR, SP DCI) and signed response credential routes (config key: provenance)."
 source_of_truth:
 label: Registry Relay abstract OpenAPI contract
- url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/openapi/registry-relay.openapi.json
+ url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/openapi/registry-relay.openapi.json
 consumer_note: Hand-authored from `docs/api.md` and the runtime route table. Uses templated paths and capability tags. For instance-specific shape of `{dataset_id}` and `{entity}`, fetch `GET /openapi.json` from a configured gateway. Runtime deployments gate that route by default unless `openapi_requires_auth` is disabled for demos or controlled tooling.
 - id: registry-notary.openapi
 name: Registry Notary OpenAPI
@@ -23,7 +23,7 @@
 surface: Claim discovery, claim evaluation, batch evaluation, federated delegated evaluation, rendering, JWKS, service metadata, and credential issuance.
 source_of_truth:
 label: Registry Notary OpenAPI generator
- url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-server/src/openapi.rs
+ url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/openapi.rs
 consumer_note: Generate with `cargo run -p registry-notary -- openapi`.
 - id: registry-notary.oid4vci
 name: Registry Notary OID4VCI surface
@@ -32,7 +32,7 @@
 surface: OID4VCI offer start and callback (`/oid4vci/offer/start`, `/oid4vci/offer/callback`), credential offer (`GET /oid4vci/credential-offer`), nonce (`POST /oid4vci/nonce`), token (`POST /oid4vci/token`), credential request (`POST /oid4vci/credential`), VCT credential and metadata routes (`/credentials/{vct_path}`, `/.well-known/vct/{vct_path}`), and issuer metadata (`GET /.well-known/openid-credential-issuer`). Primitives sourced from the `registry-platform-oid4vci` crate.
 source_of_truth:
 label: Registry Notary OID4VCI routes
- url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-server/src/api.rs
+ url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/api.rs
 consumer_note: OID4VCI flow advertising `dc+sd-jwt` credential format. Registry Lab exercises the full path through the `just citizen-oid4vci-*` recipes. Full OID4VCI Draft 13 `vc+sd-jwt` wallet conformance is not asserted at this version.
 - id: registry-notary.federated-evaluation
 name: Registry Notary Federated Evaluation MVP
@@ -41,7 +41,7 @@
 surface: Static-peer delegated evaluation over `POST /federation/v1/evaluations`, compact JWS request and response JWTs, peer policy checks, pairwise subject handles, replay protection, and federation audit fields.
 source_of_truth:
 label: Registry Notary federation module
- url: https://github.com/registrystack/registry-stack/tree/v0.8.3/crates/registry-notary-server/src/federation
+ url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-notary-server/src/federation
 consumer_note: This is delegated evaluation only. Open federation, trust-chain discovery, shared replay storage, audit checkpoint exchange, and federated credential issuance are outside the MVP.
 - id: registry-manifest.metadata-yaml
 name: Metadata Manifest
@@ -50,7 +50,7 @@
 surface: Portable `metadata.yaml` documents, compiled metadata model, public services, forms, policies, requirements, evidence type lists, evidence offering metadata, public federation metadata, and evaluation profile metadata.
 source_of_truth:
 label: Registry Manifest core
- url: https://github.com/registrystack/registry-stack/tree/v0.8.3/crates/registry-manifest-core
+ url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-manifest-core
 consumer_note: Runtime source paths, scopes, table names, backend URLs, peer allowlists, replay storage, and federation secrets belong in runtime service config, not manifests.
 - id: registry-manifest.cpsv-ap-service-catalogue
 name: CPSV-AP Service Catalogue Render Contract
@@ -59,7 +59,7 @@
 surface: CPSV-AP JSON-LD service catalogue, CCCEV requirements, grouped evidence type lists, local form-definition links, DCAT data services, and form JSON Schemas.
 source_of_truth:
 label: Registry Manifest CPSV-AP fixture
- url: https://github.com/registrystack/registry-stack/tree/v0.8.3/products/manifest/fixtures/cpsv-ap
+ url: https://github.com/registrystack/registry-stack/tree/v0.8.4/products/manifest/fixtures/cpsv-ap
 consumer_note: Each CCCEV evidence type list is one grouped option; multiple lists on a requirement are alternatives.
 - id: registry-manifest.static-publication
 name: Static Metadata Publication Bundle
@@ -68,7 +68,7 @@
 surface: Static index, catalog JSON, evidence offerings, policies, DCAT, CPSV-AP, BRegDCAT-AP, SHACL, OGC Records item collection, entity JSON Schemas, form JSON Schemas, and embedded SKOS-shaped codelist nodes.
 source_of_truth:
 label: Registry Manifest CLI
- url: https://github.com/registrystack/registry-stack/tree/v0.8.3/crates/registry-manifest-cli
+ url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-manifest-cli
 consumer_note: The bundle can be hosted as static files without running Registry Relay.
 - id: registry-lab.release-check
 name: Registry Lab Release Check
@@ -77,5 +77,5 @@
 surface: Compose build, fixture generation, secret generation, static metadata publication, core smoke checks, live Postgres checks, live Zitadel and OIDC checks, source adapter sidecar smoke checks, raw-secret log checks, and narrated demo flows.
 source_of_truth:
 label: Registry Lab README
- url: https://github.com/registrystack/registry-stack/blob/v0.8.3/lab/README.md
+ url: https://github.com/registrystack/registry-stack/blob/v0.8.4/lab/README.md
 consumer_note: Use as a demo acceptance path only; production contracts remain in the owning repos.
diff --git a/docs/site/src/data/docsets.yaml b/docs/site/src/data/docsets.yaml
index de1d59ee..10853131 100644
--- a/docs/site/src/data/docsets.yaml
+++ b/docs/site/src/data/docsets.yaml
@@ -9,17 +9,56 @@ docsets:
 description: Current RegistryStack monorepo documentation build.
 products:
 registry-stack:
- version: v0.8.3
+ version: v0.8.4
 ref: HEAD
 registry-relay:
- version: v0.8.3
+ version: v0.8.4
 ref: HEAD
 registry-notary:
- version: v0.8.3
+ version: v0.8.4
 ref: HEAD
 registry-manifest:
- version: v0.8.3
+ version: v0.8.4
 ref: HEAD
+ - id: v0.8.4
+ label: v0.8.4
+ path: /v/0.8.4/
+ status: archived
+ source: registry-stack-v0.8.4
+ repo_docs_source: monorepo
+ published_at: 2026-07-04
+ description: RegistryStack v0.8.4 beta-10 documentation set.
+ products:
+ registry-stack:
+ version: v0.8.4
+ ref: ebe613a7e712341884d10bf4e5c64e48b2591bad
+ registry-platform:
+ version: v0.8.4
+ ref: ebe613a7e712341884d10bf4e5c64e48b2591bad
+ registry-manifest:
+ version: v0.8.4
+ ref: ebe613a7e712341884d10bf4e5c64e48b2591bad
+ registry-notary:
+ version: v0.8.4
+ ref: ebe613a7e712341884d10bf4e5c64e48b2591bad
+ registry-relay:
+ version: v0.8.4
+ ref: ebe613a7e712341884d10bf4e5c64e48b2591bad
+ registry-lab:
+ version: v0.8.4
+ ref: ebe613a7e712341884d10bf4e5c64e48b2591bad
+ registry-registryctl:
+ version: v0.8.4
+ ref: ebe613a7e712341884d10bf4e5c64e48b2591bad
+ crosswalk:
+ version: crosswalk-core-v0.2.0
+ ref: 1d44ec735fdc8a7c719264b339574371e8330337
+ registry-atlas:
+ version: beta-10 held lab input
+ ref: d46f943b9fdcbab787d1d4eed114058aa43980be
+ esignet-relay-authenticator:
+ version: beta-10 held lab input
+ ref: 23cc0abb6469e0d18c8e6776f87de1691bdf40ee
 - id: v0.8.3
 label: v0.8.3
 path: /v/0.8.3/
diff --git a/docs/site/src/data/generated/contracts.json b/docs/site/src/data/generated/contracts.json
index a1b6292f..ad336c0f 100644
--- a/docs/site/src/data/generated/contracts.json
+++ b/docs/site/src/data/generated/contracts.json
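Review bot: The archived `v0.8.4` entry added to docs/site/src/data/docsets.yaml pins every first-party product to `ref: ebe613a7e712341884d10bf4e5c64e48b2591bad`, but nothing visible here shows that this is the commit the `v0.8.4` tag resolves to; this patch is 1/3 of the release series, so the tag may land on a later commit. If the two differ, the archived docset is built from a different tree than the one the tutorials link to through `blob/v0.8.4/...`, which weakens these pages as release evidence. I would add a comment above the entry such as `# ref must equal the commit v0.8.4 resolves to (git rev-parse v0.8.4^{commit})` and check it in the release job. Separately, `version: beta-10 held lab input` on `registry-atlas` and `esignet-relay-authenticator` puts prose in a field that otherwise holds a tag; keeping an identifier there and moving the remark to a separate descriptive key would keep the field machine-comparable.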
@@ -7,7 +7,7 @@ "surface": "Shared Rust crate APIs for auth helpers, OIDC verification, audit envelopes and sinks, HTTP security middleware, outbound HTTP policy, Ed25519 JWK and DID helpers, SD-JWT VC issuance, and testing fixtures.", "source_of_truth": { "label": "Registry Platform crates", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.3/crates" + "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates" }, "consumer_note": "Relay, Notary, and future registry services should consume these primitives instead of reimplementing security or operational behavior locally." }, @@ -19,7 +19,7 @@ "surface": "Protected Registry Data API, metadata API, evidence offering discovery, aggregates, health and readiness, plus optional standards adapters (OGC API Features, OGC API Records, OGC API EDR, SP DCI) and signed response credential routes (config key: provenance).", "source_of_truth": { "label": "Registry Relay abstract OpenAPI contract", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/openapi/registry-relay.openapi.json" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/openapi/registry-relay.openapi.json" }, "consumer_note": "Hand-authored from `docs/api.md` and the runtime route table. Uses templated paths and capability tags. For instance-specific shape of `{dataset_id}` and `{entity}`, fetch `GET /openapi.json` from a configured gateway. Runtime deployments gate that route by default unless `openapi_requires_auth` is disabled for demos or controlled tooling." }, 
@@ -31,7 +31,7 @@ "surface": "Claim discovery, claim evaluation, batch evaluation, federated delegated evaluation, rendering, JWKS, service metadata, and credential issuance.", "source_of_truth": { "label": "Registry Notary OpenAPI generator", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-server/src/openapi.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/openapi.rs" }, "consumer_note": "Generate with `cargo run -p registry-notary -- openapi`." }, @@ -43,7 +43,7 @@ "surface": "OID4VCI offer start and callback (`/oid4vci/offer/start`, `/oid4vci/offer/callback`), credential offer (`GET /oid4vci/credential-offer`), nonce (`POST /oid4vci/nonce`), token (`POST /oid4vci/token`), credential request (`POST /oid4vci/credential`), VCT credential and metadata routes (`/credentials/{vct_path}`, `/.well-known/vct/{vct_path}`), and issuer metadata (`GET /.well-known/openid-credential-issuer`). Primitives sourced from the `registry-platform-oid4vci` crate.", "source_of_truth": { "label": "Registry Notary OID4VCI routes", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-server/src/api.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/api.rs" }, "consumer_note": "OID4VCI flow advertising `dc+sd-jwt` credential format. Registry Lab exercises the full path through the `just citizen-oid4vci-*` recipes. Full OID4VCI Draft 13 `vc+sd-jwt` wallet conformance is not asserted at this version." }, 
@@ -55,7 +55,7 @@ "surface": "Static-peer delegated evaluation over `POST /federation/v1/evaluations`, compact JWS request and response JWTs, peer policy checks, pairwise subject handles, replay protection, and federation audit fields.", "source_of_truth": { "label": "Registry Notary federation module", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.3/crates/registry-notary-server/src/federation" + "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-notary-server/src/federation" }, "consumer_note": "This is delegated evaluation only. Open federation, trust-chain discovery, shared replay storage, audit checkpoint exchange, and federated credential issuance are outside the MVP." }, @@ -67,7 +67,7 @@ "surface": "Portable `metadata.yaml` documents, compiled metadata model, public services, forms, policies, requirements, evidence type lists, evidence offering metadata, public federation metadata, and evaluation profile metadata.", "source_of_truth": { "label": "Registry Manifest core", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.3/crates/registry-manifest-core" + "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-manifest-core" }, "consumer_note": "Runtime source paths, scopes, table names, backend URLs, peer allowlists, replay storage, and federation secrets belong in runtime service config, not manifests." }, 
@@ -79,7 +79,7 @@ "surface": "CPSV-AP JSON-LD service catalogue, CCCEV requirements, grouped evidence type lists, local form-definition links, DCAT data services, and form JSON Schemas.", "source_of_truth": { "label": "Registry Manifest CPSV-AP fixture", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.3/products/manifest/fixtures/cpsv-ap" + "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/products/manifest/fixtures/cpsv-ap" }, "consumer_note": "Each CCCEV evidence type list is one grouped option; multiple lists on a requirement are alternatives." }, @@ -91,7 +91,7 @@ "surface": "Static index, catalog JSON, evidence offerings, policies, DCAT, CPSV-AP, BRegDCAT-AP, SHACL, OGC Records item collection, entity JSON Schemas, form JSON Schemas, and embedded SKOS-shaped codelist nodes.", "source_of_truth": { "label": "Registry Manifest CLI", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.3/crates/registry-manifest-cli" + "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-manifest-cli" }, "consumer_note": "The bundle can be hosted as static files without running Registry Relay." }, @@ -103,7 +103,7 @@ "surface": "Compose build, fixture generation, secret generation, static metadata publication, core smoke checks, live Postgres checks, live Zitadel and OIDC checks, source adapter sidecar smoke checks, raw-secret log checks, and narrated demo flows.", "source_of_truth": { "label": "Registry Lab README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/lab/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/lab/README.md" }, "consumer_note": "Use as a demo acceptance path only; production contracts remain in the owning repos." } diff --git a/docs/site/src/data/generated/docsets.json b/docs/site/src/data/generated/docsets.json index f565bbb0..2983a69e 100644 --- a/docs/site/src/data/generated/docsets.json 
+++ b/docs/site/src/data/generated/docsets.json @@ -11,23 +11,75 @@ "description": "Current RegistryStack monorepo documentation build.", "products": { "registry-stack": { - "version": "v0.8.3", + "version": "v0.8.4", "ref": "HEAD" }, "registry-relay": { - "version": "v0.8.3", + "version": "v0.8.4", "ref": "HEAD" }, "registry-notary": { - "version": "v0.8.3", + "version": "v0.8.4", "ref": "HEAD" }, "registry-manifest": { - "version": "v0.8.3", + "version": "v0.8.4", "ref": "HEAD" } } }, + { + "id": "v0.8.4", + "label": "v0.8.4", + "path": "/v/0.8.4/", + "status": "archived", + "source": "registry-stack-v0.8.4", + "repo_docs_source": "monorepo", + "published_at": "2026-07-04", + "description": "RegistryStack v0.8.4 beta-10 documentation set.", + "products": { + "registry-stack": { + "version": "v0.8.4", + "ref": "ebe613a7e712341884d10bf4e5c64e48b2591bad" + }, + "registry-platform": { + "version": "v0.8.4", + "ref": "ebe613a7e712341884d10bf4e5c64e48b2591bad" + }, + "registry-manifest": { + "version": "v0.8.4", + "ref": "ebe613a7e712341884d10bf4e5c64e48b2591bad" + }, + "registry-notary": { + "version": "v0.8.4", + "ref": "ebe613a7e712341884d10bf4e5c64e48b2591bad" + }, + "registry-relay": { + "version": "v0.8.4", + "ref": "ebe613a7e712341884d10bf4e5c64e48b2591bad" + }, + "registry-lab": { + "version": "v0.8.4", + "ref": "ebe613a7e712341884d10bf4e5c64e48b2591bad" + }, + "registry-registryctl": { + "version": "v0.8.4", + "ref": "ebe613a7e712341884d10bf4e5c64e48b2591bad" + }, + "crosswalk": { + "version": "crosswalk-core-v0.2.0", + "ref": "1d44ec735fdc8a7c719264b339574371e8330337" + }, + "registry-atlas": { + "version": "beta-10 held lab input", + "ref": "d46f943b9fdcbab787d1d4eed114058aa43980be" + }, + "esignet-relay-authenticator": { + "version": "beta-10 held lab input", + "ref": "23cc0abb6469e0d18c8e6776f87de1691bdf40ee" + } + } + }, { "id": "v0.8.3", "label": "v0.8.3", 
diff --git a/docs/site/src/data/generated/projects.json b/docs/site/src/data/generated/projects.json index 289b72ee..0fda9866 100644 --- a/docs/site/src/data/generated/projects.json +++ b/docs/site/src/data/generated/projects.json @@ -19,11 +19,11 @@ "source_docs": [ { "label": "README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/products/platform/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/platform/README.md" }, { "label": "Registry Platform crates", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.3/crates" + "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates" } ], "rename_status": "New shared workspace; not part of the 2026-05-23 rename wave." @@ -48,11 +48,11 @@ "source_docs": [ { "label": "README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md" }, { "label": "Local examples", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/examples/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/examples/README.md" } ], "rename_status": "Already using the target repo name locally." 
@@ -80,15 +80,15 @@ "source_docs": [ { "label": "README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" }, { "label": "Local API docs", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/api.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/api.md" }, { "label": "Local metadata docs", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/metadata.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/metadata.md" } ], "rename_status": "Local checkout renamed to `registry-relay`; old worktrees under `registry_relay-*` remain for historical evidence." @@ -118,11 +118,11 @@ "source_docs": [ { "label": "README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/products/notary/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/README.md" }, { "label": "OpenAPI source", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-server/src/openapi.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/openapi.rs" } ], "rename_status": "Already using the target repo name locally." @@ -147,7 +147,7 @@ "source_docs": [ { "label": "README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/lab/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/lab/README.md" }, { "label": "Rename plan", diff --git a/docs/site/src/data/generated/standards.json b/docs/site/src/data/generated/standards.json index c3293c43..5b0b4c04 100644 --- a/docs/site/src/data/generated/standards.json +++ b/docs/site/src/data/generated/standards.json 
@@ -20,15 +20,15 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" }, { "label": "Registry Manifest README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md" }, { "label": "Registry Relay DCAT catalog tests", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/catalog_entity.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/catalog_entity.rs" } ], "last_checked": "2026-06-13", @@ -54,15 +54,15 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" }, { "label": "Registry Manifest README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md" }, { "label": "Registry Relay BRegDCAT-AP route tests", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/catalog_entity.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/catalog_entity.rs" } ], "last_checked": "2026-06-13", 
@@ -89,7 +89,7 @@ "evidence_docs": [ { "label": "Registry Manifest CPSV-AP fixture", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.3/products/manifest/fixtures/cpsv-ap" + "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/products/manifest/fixtures/cpsv-ap" }, { "label": "Registry Lab service-first discovery docs", @@ -119,15 +119,15 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" }, { "label": "Registry Manifest README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md" }, { "label": "Registry Relay OGC records API tests", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/ogc_records_api.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/ogc_records_api.rs" } ], "last_checked": "2026-06-13", @@ -152,11 +152,11 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" }, { "label": "Registry Relay OGC Features API tests", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/ogc_api.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/ogc_api.rs" } ], "last_checked": "2026-06-20", 
@@ -181,7 +181,7 @@ "evidence_docs": [ { "label": "Registry Relay OGC EDR API tests", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/ogc_edr_api.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/ogc_edr_api.rs" } ], "last_checked": "2026-06-20", @@ -207,19 +207,19 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" }, { "label": "Registry Notary README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/products/notary/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/README.md" }, { "label": "Registry Relay generated OpenAPI document (pinned)", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/openapi/registry-relay.openapi.json" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/openapi/registry-relay.openapi.json" }, { "label": "Registry Notary generated OpenAPI document (pinned)", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/products/notary/openapi/registry-notary.openapi.json" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/openapi/registry-notary.openapi.json" } ], "last_checked": "2026-06-13", 
@@ -245,15 +245,15 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" }, { "label": "Registry Manifest README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md" }, { "label": "Registry Relay SHACL document structure tests", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/catalog_entity.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/catalog_entity.rs" } ], "last_checked": "2026-06-13", @@ -279,11 +279,11 @@ "evidence_docs": [ { "label": "Registry Manifest codelist renderer", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-manifest-core/src/lib.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-manifest-core/src/lib.rs" }, { "label": "Registry Manifest codelist tests", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-manifest-core/tests/metadata_core.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-manifest-core/tests/metadata_core.rs" } ], "last_checked": "2026-06-20", 
@@ -309,15 +309,15 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" }, { "label": "Registry Manifest README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md" }, { "label": "Registry Manifest form schema fixture (Draft 2020-12)", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/fixtures/cpsv-ap/health-linked-child-support.form.schema.json" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/fixtures/cpsv-ap/health-linked-child-support.form.schema.json" } ], "last_checked": "2026-06-13", @@ -347,15 +347,15 @@ "evidence_docs": [ { "label": "Registry Relay JSON-LD renderers", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/src/metadata/shacl.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/src/metadata/shacl.rs" }, { "label": "Registry Notary CCCEV renderer", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-server/src/runtime.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/runtime.rs" }, { "label": "Registry Manifest CPSV-AP JSON-LD fixture", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/fixtures/cpsv-ap/health-linked-child-support.cpsv-ap.jsonld" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/fixtures/cpsv-ap/health-linked-child-support.cpsv-ap.jsonld" } ], "last_checked": "2026-06-13", 
@@ -382,15 +382,15 @@ "evidence_docs": [ { "label": "Registry Notary SD-JWT VC conformance profile", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/products/notary/docs/sd-jwt-vc-conformance-profile.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/docs/sd-jwt-vc-conformance-profile.md" }, { "label": "Registry Notary format constants", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-core/src/model.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/model.rs" }, { "label": "Registry Platform SD-JWT crate", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.3/crates/registry-platform-sdjwt" + "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-platform-sdjwt" } ], "last_checked": "2026-06-13", @@ -417,15 +417,15 @@ "evidence_docs": [ { "label": "Registry Relay provenance context tests", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/provenance_contexts_endpoint.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/provenance_contexts_endpoint.rs" }, { "label": "Registry Relay VC fixtures", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.3/crates/registry-relay/tests/fixtures/vc" + "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-relay/tests/fixtures/vc" }, { "label": "Registry Notary README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/products/notary/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/README.md" } ], "last_checked": "2026-05-23", 
@@ -455,15 +455,15 @@ "evidence_docs": [ { "label": "Registry Manifest grouped evidence fixture", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.3/products/manifest/fixtures/cpsv-ap" + "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/products/manifest/fixtures/cpsv-ap" }, { "label": "Registry Notary CCCEV renderer", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-server/src/runtime.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/runtime.rs" }, { "label": "Registry Notary media type constants", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-core/src/model.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/model.rs" } ], "last_checked": "2026-05-25", 
@@ -491,23 +491,23 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" }, { "label": "Registry Manifest README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md" }, { "label": "Registry Relay catalog tests (ODRL offer assertions)", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/catalog_entity.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/catalog_entity.rs" }, { "label": "Registry Platform PDP ODRL enforcement profile constants", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-platform-pdp/src/lib.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-platform-pdp/src/lib.rs" }, { "label": "Registry Relay governed evidence PDP path", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/src/api/governed.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/src/api/governed.rs" } ], "last_checked": "2026-06-20", 
@@ -532,11 +532,11 @@ "evidence_docs": [ { "label": "Registry Relay client integration guide", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/client-integration.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/client-integration.md" }, { "label": "Registry Relay aggregates tests (schema-validated SDMX-JSON output)", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/aggregates_entity.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/aggregates_entity.rs" } ], "last_checked": "2026-06-13", @@ -562,11 +562,11 @@ "evidence_docs": [ { "label": "Registry Relay provenance configuration", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/src/config/provenance.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/src/config/provenance.rs" }, { "label": "Registry Notary claim model", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-core/src/model.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/model.rs" } ], "last_checked": "2026-05-23", @@ -591,7 +591,7 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" } ], "last_checked": "2026-05-23", 
@@ -644,11 +644,11 @@ "evidence_docs": [ { "label": "Registry Relay README", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md" }, { "label": "Registry Notary source connector", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-core/src/config.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/config.rs" } ], "last_checked": "2026-05-23", @@ -678,15 +678,15 @@ "evidence_docs": [ { "label": "Registry Notary OID4VCI routes", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-server/src/api.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/api.rs" }, { "label": "Registry Platform OID4VCI crate", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.3/crates/registry-platform-oid4vci" + "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-platform-oid4vci" }, { "label": "Registry Lab citizen OID4VCI smoke script", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/lab/scripts/smoke-citizen-oid4vci.sh" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/lab/scripts/smoke-citizen-oid4vci.sh" }, { "label": "Hosted lab issuer metadata", 
@@ -719,19 +719,19 @@ "evidence_docs": [ { "label": "Registry Relay did:web document builder", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/src/provenance/did_web.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/src/provenance/did_web.rs" }, { "label": "Registry Relay DID route", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/src/api/did.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/src/api/did.rs" }, { "label": "Registry Notary did:jwk handling", - "url": "https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-server/src/api.rs" + "url": "https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/api.rs" }, { "label": "Registry Platform crypto crate", - "url": "https://github.com/registrystack/registry-stack/tree/v0.8.3/crates/registry-platform-crypto" + "url": "https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-platform-crypto" } ], "last_checked": "2026-06-13", diff --git a/docs/site/src/data/projects.yaml b/docs/site/src/data/projects.yaml index 9b80aa4a..f2adc87d 100644 --- a/docs/site/src/data/projects.yaml +++ b/docs/site/src/data/projects.yaml 
@@ -14,9 +14,9 @@ - Product-level authorization policy, tenant isolation, audit retention, secret provisioning, or deployment configuration. source_docs: - label: README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/products/platform/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/platform/README.md - label: Registry Platform crates - url: https://github.com/registrystack/registry-stack/tree/v0.8.3/crates + url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates rename_status: New shared workspace; not part of the 2026-05-23 rename wave. - id: registry-manifest name: Registry Manifest @@ -34,9 +34,9 @@ - Production source configuration. source_docs: - label: README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md - label: Local examples - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/examples/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/examples/README.md rename_status: Already using the target repo name locally. - id: registry-relay name: Registry Relay 
@@ -57,11 +57,11 @@ - Storage table ids or arbitrary SQL in public APIs. source_docs: - label: README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md - label: Local API docs - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/api.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/api.md - label: Local metadata docs - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/metadata.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/metadata.md rename_status: Local checkout renamed to `registry-relay`; old worktrees under `registry_relay-*` remain for historical evidence. - id: registry-notary name: Registry Notary @@ -84,9 +84,9 @@ - Browser inspection workflows outside the current formal v1 stack scope. source_docs: - label: README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/products/notary/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/README.md - label: OpenAPI source - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-server/src/openapi.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/openapi.rs rename_status: Already using the target repo name locally. - id: registry-lab name: Registry Lab 
@@ -104,7 +104,7 @@ - Real product integrations for OpenCRVS, OpenSPP, DHIS2, OpenIMIS, MOSIP, or other systems. source_docs: - label: README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/lab/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/lab/README.md - label: Rename plan url: https://github.com/jeremi/registry-docs/blob/e926f05441f39eb2d633979c3bc5a3552f5cf6e2/rename-plan-2026-05-23.md rename_status: Local checkout renamed to `registry-lab`; stable demo identifiers may still contain `decentralized-demo` as protocol and artifact values. diff --git a/docs/site/src/data/repo-docs.yaml b/docs/site/src/data/repo-docs.yaml index 1f2b39d2..1b614bcd 100644 --- a/docs/site/src/data/repo-docs.yaml +++ b/docs/site/src/data/repo-docs.yaml @@ -2,7 +2,7 @@ repos: registry-relay: remote: https://github.com/registrystack/registry-stack ref: HEAD - version: v0.8.3 + version: v0.8.4 local: ../.. openapi: crates/registry-relay/openapi/registry-relay.openapi.json archive_remote: https://github.com/jeremi/registry-relay @@ -90,7 +90,7 @@ repos: registry-notary: remote: https://github.com/registrystack/registry-stack ref: HEAD - version: v0.8.3 + version: v0.8.4 local: ../.. openapi: products/notary/openapi/registry-notary.openapi.json archive_remote: https://github.com/jeremi/registry-notary @@ -232,7 +232,7 @@ repos: registry-manifest: remote: https://github.com/registrystack/registry-stack ref: HEAD - version: v0.8.3 + version: v0.8.4 local: ../.. archive_remote: https://github.com/jeremi/registry-manifest docs: diff --git a/docs/site/src/data/standards.yaml b/docs/site/src/data/standards.yaml index 318e7d3e..d7377604 100644 --- a/docs/site/src/data/standards.yaml +++ b/docs/site/src/data/standards.yaml 
@@ -15,11 +15,11 @@ - access service metadata evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md - label: Registry Manifest README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md - label: Registry Relay DCAT catalog tests - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/catalog_entity.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/catalog_entity.rs last_checked: 2026-06-13 notes: Relay and Manifest emit DCAT-shaped metadata; the emitted catalog structure is asserted by Relay's catalog tests. Profile conformance claims still require profile-specific validation evidence (no DCAT validator output is pinned). - id: bregdcat-ap 
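Review bot: The `evidence_docs` URLs in this hunk are repointed to the `v0.8.4` tag while `last_checked: 2026-06-13` is left as untouched context, so the entry now records a check date that predates the ref it cites. The later standards.yaml hunks have the same gap, with unchanged `last_checked` values from 2026-05-23 to 2026-06-20. Either re-verify that each cited path still exists at the new ref and still supports the `notes` claim, then bump `last_checked`, or keep the link on the ref that was actually checked. A tag can also be moved after publication, whereas the Registry Lab link in the CPSV-AP entry is pinned to a full commit SHA. Pinning these the same way, for example `url: https://github.com/registrystack/registry-stack/blob/<release-commit-sha>/crates/registry-relay/README.md`, would keep the cited evidence immutable.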
@@ -38,11 +38,11 @@ - embedded SHACL entity shapes evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md - label: Registry Manifest README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md - label: Registry Relay BRegDCAT-AP route tests - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/catalog_entity.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/catalog_entity.rs last_checked: 2026-06-13 notes: Manifest and Relay emit BRegDCAT-shaped registry and data-service metadata; the `/metadata/dcat/bregdcat-ap` route output is asserted by Relay's catalog tests. CPSV-AP is now the service-discovery layer; BRegDCAT-AP remains the registry and data-service discovery layer. Later BRegDCAT-AP releases require a separate renderer review. - id: cpsv-ap @@ -62,7 +62,7 @@ - competent authority and requirement links evidence_docs: - label: Registry Manifest CPSV-AP fixture - url: https://github.com/registrystack/registry-stack/tree/v0.8.3/products/manifest/fixtures/cpsv-ap + url: https://github.com/registrystack/registry-stack/tree/v0.8.4/products/manifest/fixtures/cpsv-ap - label: Registry Lab service-first discovery docs url: https://github.com/jeremi/registry-lab/blob/5bb84d5b2500a8d37b989e0959e22287250d1e40/docs/service-first-discovery.md last_checked: 2026-05-25 
@@ -83,11 +83,11 @@ - OGC records item bodies evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md - label: Registry Manifest README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md - label: Registry Relay OGC records API tests - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/ogc_records_api.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/ogc_records_api.rs last_checked: 2026-06-13 notes: Relay exposes records routes behind the ogcapi-records feature (route output asserted by the OGC records API tests), and Manifest renders and publishes static OGC Records item collections. - id: ogc-api-features @@ -105,9 +105,9 @@ - dataset-scoped feature items evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md - label: Registry Relay OGC Features API tests - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/ogc_api.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/ogc_api.rs last_checked: 2026-06-20 notes: Relay exposes OGC API Features routes behind the ogcapi-features feature. The claim is scoped to the profiled route output tested in Registry Relay, not full OGC conformance. - id: ogc-api-edr 
@@ -125,7 +125,7 @@ - EDR collection discovery evidence_docs: - label: Registry Relay OGC EDR API tests - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/ogc_edr_api.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/ogc_edr_api.rs last_checked: 2026-06-20 notes: Relay exposes OGC API EDR area routes behind the ogcapi-edr feature for configured spatial aggregates. The claim is scoped to the tested adapter surface, not full OGC conformance. - id: openapi @@ -144,13 +144,13 @@ - native OpenAPI publication evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md - label: Registry Notary README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/products/notary/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/README.md - label: Registry Relay generated OpenAPI document (pinned) - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/openapi/registry-relay.openapi.json + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/openapi/registry-relay.openapi.json - label: Registry Notary generated OpenAPI document (pinned) - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/products/notary/openapi/registry-notary.openapi.json + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/openapi/registry-notary.openapi.json last_checked: 2026-06-13 notes: Relay and Notary generate OpenAPI; the pinned generated documents are cited directly. These docs publish the same pinned artifacts as native API reference pages. - id: shacl 
@@ -169,11 +169,11 @@ - entity node shapes evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md - label: Registry Manifest README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md - label: Registry Relay SHACL document structure tests - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/catalog_entity.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/catalog_entity.rs last_checked: 2026-06-13 notes: Relay emits SHACL/JSON-LD documents whose structure is asserted by its catalog tests, and Manifest renders SHACL. No SHACL validator run against the emitted shapes is pinned. - id: skos @@ -192,9 +192,9 @@ - BRegDCAT/DCAT dataset codelist references evidence_docs: - label: Registry Manifest codelist renderer - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-manifest-core/src/lib.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-manifest-core/src/lib.rs - label: Registry Manifest codelist tests - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-manifest-core/tests/metadata_core.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-manifest-core/tests/metadata_core.rs last_checked: 2026-06-20 notes: Registry Manifest emits flat SKOS-shaped `skos:ConceptScheme` and `skos:Concept` nodes for manifest codelists inside SHACL and BRegDCAT/DCAT-shaped outputs. It does not yet publish a standalone SKOS artifact or claim full SKOS conformance. - id: json-schema 
@@ -213,11 +213,11 @@ - static publication bundle evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md - label: Registry Manifest README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md - label: Registry Manifest form schema fixture (Draft 2020-12) - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/fixtures/cpsv-ap/health-linked-child-support.form.schema.json + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/fixtures/cpsv-ap/health-linked-child-support.form.schema.json last_checked: 2026-06-13 notes: Manifest renders entity JSON Schemas (the pinned fixture declares Draft 2020-12) and Relay exposes entity schema endpoints. - id: json-ld 
@@ -240,11 +240,11 @@ - provenance contexts evidence_docs: - label: Registry Relay JSON-LD renderers - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/src/metadata/shacl.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/src/metadata/shacl.rs - label: Registry Notary CCCEV renderer - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-server/src/runtime.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/runtime.rs - label: Registry Manifest CPSV-AP JSON-LD fixture - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/fixtures/cpsv-ap/health-linked-child-support.cpsv-ap.jsonld + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/fixtures/cpsv-ap/health-linked-child-support.cpsv-ap.jsonld last_checked: 2026-06-13 notes: The projects emit JSON-LD artifacts and contexts; a pinned JSON-LD fixture is cited as a concrete emitted artifact. No broad RDF dataset conformance claim is made here. - id: sd-jwt-vc 
@@ -264,11 +264,11 @@ - shared SD-JWT VC issuance and holder-proof helpers evidence_docs: - label: Registry Notary SD-JWT VC conformance profile - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/products/notary/docs/sd-jwt-vc-conformance-profile.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/docs/sd-jwt-vc-conformance-profile.md - label: Registry Notary format constants - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-core/src/model.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/model.rs - label: Registry Platform SD-JWT crate - url: https://github.com/registrystack/registry-stack/tree/v0.8.3/crates/registry-platform-sdjwt + url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-platform-sdjwt last_checked: 2026-06-13 notes: >- Registry Platform owns reusable SD-JWT VC issuance and holder-proof helpers. 
@@ -294,11 +294,11 @@ - credential issuance positioning evidence_docs: - label: Registry Relay provenance context tests - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/provenance_contexts_endpoint.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/provenance_contexts_endpoint.rs - label: Registry Relay VC fixtures - url: https://github.com/registrystack/registry-stack/tree/v0.8.3/crates/registry-relay/tests/fixtures/vc + url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-relay/tests/fixtures/vc - label: Registry Notary README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/products/notary/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/notary/README.md last_checked: 2026-05-23 notes: Relay has VC-oriented provenance fixtures and contexts, and Notary issues SD-JWT VC. Keep this below an emits claim until a reviewed VC profile and validation fixtures are pinned. - id: cccev 
@@ -321,11 +321,11 @@ - evidence node JSON-LD evidence_docs: - label: Registry Manifest grouped evidence fixture - url: https://github.com/registrystack/registry-stack/tree/v0.8.3/products/manifest/fixtures/cpsv-ap + url: https://github.com/registrystack/registry-stack/tree/v0.8.4/products/manifest/fixtures/cpsv-ap - label: Registry Notary CCCEV renderer - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-server/src/runtime.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/runtime.rs - label: Registry Notary media type constants - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-core/src/model.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/model.rs last_checked: 2026-05-25 notes: Manifest emits CCCEV requirement and evidence type list metadata. Notary renders CCCEV-shaped claim results. Profile conformance is not claimed. - id: odrl 
@@ -346,15 +346,15 @@ - governed evidence PDP constraint terms evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md - label: Registry Manifest README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/products/manifest/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/products/manifest/README.md - label: Registry Relay catalog tests (ODRL offer assertions) - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/catalog_entity.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/catalog_entity.rs - label: Registry Platform PDP ODRL enforcement profile constants - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-platform-pdp/src/lib.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-platform-pdp/src/lib.rs - label: Registry Relay governed evidence PDP path - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/src/api/governed.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/src/api/governed.rs last_checked: 2026-06-20 notes: Relay catalog JSON-LD can include dataset-scoped ODRL Offers, and Manifest renders ODRL policy metadata. That publication surface is descriptive and is not itself an access grant. Separately, Relay's governed Evidence Gateway runtime path can select a governed-evidence binding and call the shared PDP using the `registry-evidence-gateway-pdp/v1` profile; the implemented runtime enforcement terms are currently `odrl:purpose` and `odrl:spatial`, while unsupported ODRL terms are denied rather than treated as enforced. - id: sdmx 
@@ -372,9 +372,9 @@ - content negotiation delivery evidence_docs: - label: Registry Relay client integration guide - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/docs/client-integration.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/docs/client-integration.md - label: Registry Relay aggregates tests (schema-validated SDMX-JSON output) - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/tests/aggregates_entity.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/tests/aggregates_entity.rs last_checked: 2026-06-13 notes: >- Relay serves configured aggregates as SDMX-JSON 2.1 data messages via @@ -401,9 +401,9 @@ - provenance-shaped audit and claim fields evidence_docs: - label: Registry Relay provenance configuration - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/src/config/provenance.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/src/config/provenance.rs - label: Registry Notary claim model - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-core/src/model.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/model.rs last_checked: 2026-05-23 notes: The code uses provenance concepts, but current evidence does not show a PROV-O vocabulary emission surface. Keep this as design influence until PROV-O terms are emitted or mapped. - id: govstack-digital-registries 
@@ -421,7 +421,7 @@ - capability boundary evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md last_checked: 2026-05-23 notes: Relay explores a protected consultation gateway model rather than the current single uniform CRUD platform. - id: universal-dpi-safeguards @@ -465,9 +465,9 @@ - HTTP source connector evidence_docs: - label: Registry Relay README - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/README.md + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/README.md - label: Registry Notary source connector - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-core/src/config.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-core/src/config.rs last_checked: 2026-05-23 notes: Relay exposes an SP-DCI sync adapter behind `spdci-api-standards`. Notary ships an HTTP source connector that maps SP-DCI search and sync responses into claim evaluation inputs. - id: oid4vci 
@@ -490,11 +490,11 @@ - wallet-facing citizen self-attestation flow evidence_docs: - label: Registry Notary OID4VCI routes - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-server/src/api.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/api.rs - label: Registry Platform OID4VCI crate - url: https://github.com/registrystack/registry-stack/tree/v0.8.3/crates/registry-platform-oid4vci + url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-platform-oid4vci - label: Registry Lab citizen OID4VCI smoke script - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/lab/scripts/smoke-citizen-oid4vci.sh + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/lab/scripts/smoke-citizen-oid4vci.sh - label: Hosted lab issuer metadata url: https://citizen-notary.lab.registrystack.org/.well-known/openid-credential-issuer last_checked: 2026-06-13 
@@ -527,12 +527,12 @@ - shared DID validation and Ed25519 JWK helpers evidence_docs: - label: Registry Relay did:web document builder - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/src/provenance/did_web.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/src/provenance/did_web.rs - label: Registry Relay DID route - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-relay/src/api/did.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-relay/src/api/did.rs - label: Registry Notary did:jwk handling - url: https://github.com/registrystack/registry-stack/blob/v0.8.3/crates/registry-notary-server/src/api.rs + url: https://github.com/registrystack/registry-stack/blob/v0.8.4/crates/registry-notary-server/src/api.rs - label: Registry Platform crypto crate - url: https://github.com/registrystack/registry-stack/tree/v0.8.3/crates/registry-platform-crypto + url: https://github.com/registrystack/registry-stack/tree/v0.8.4/crates/registry-platform-crypto last_checked: 2026-06-13 notes: Relay publishes a did:web document, Notary parses did:jwk values for credential subjects, and Platform owns shared DID and Ed25519 JWK helpers. No DID resolver, DID URL dereferencing, or DID Core conformance class is implemented, so the claim stays at emits. The site does not claim conformance to the wider DID method registry beyond did:web and did:jwk. diff --git a/lab/CHANGELOG.md b/lab/CHANGELOG.md index f121dba9..ed6705ce 100644 --- a/lab/CHANGELOG.md +++ b/lab/CHANGELOG.md 
@@ -2,6 +2,15 @@ ## Unreleased +## registry-stack-beta-10-2026-07-04 + +- Removed `fingerprint.commitment` from Lab Relay and Notary demo configs in + favor of fingerprint references. +- Aligned Lab source-adapter, hosted validation, and demo secret-generation + paths with the v0.8.4 Relay and Notary configuration model. +- Kept Registry Atlas and the eSignet Relay authenticator held as lab-only + external inputs for the source release. + ## registry-stack-beta-4-2026-06-22 - Advanced vendor pins for Platform, Manifest, Notary, and Relay to the beta-4 diff --git a/lab/Dockerfile.registry-notary-openfn-sidecar b/lab/Dockerfile.registry-notary-openfn-sidecar index b082dff0..0d9e60a5 100644 --- a/lab/Dockerfile.registry-notary-openfn-sidecar +++ b/lab/Dockerfile.registry-notary-openfn-sidecar @@ -36,7 +36,7 @@ WORKDIR /opt/openfn COPY --from=builder /usr/local/bin/registry-notary-openfn-sidecar /usr/local/bin/registry-notary-openfn-sidecar # Mock civil registry server for the demo (vendored here; formerly shipped by # registry-notary). Pure node:http with no npm dependencies, so no npm install. -COPY lab/config/openfn/mock-registry-server.mjs ./mock-registry-server.mjs +COPY config/openfn/mock-registry-server.mjs ./mock-registry-server.mjs USER node EXPOSE 8080 diff --git a/lab/README.md b/lab/README.md index 270eb6c4..d660b2a6 100644 --- a/lab/README.md +++ b/lab/README.md 
@@ -94,7 +94,9 @@ just release-fast Plain `just quick` runs the same monorepo defaults for generate, build, smoke, OpenFn, and client checks. `just release-fast` runs `scripts/release-check.sh`, which defaults to `REGISTRY_LAB_RELEASE_SOURCE_MODE=monorepo` and also gates -the release source model. +the release source model. The live OpenCRVS DCI smoke runs during release +checks only when `.env.local` or exported `OPENCRVS_DCI_CLIENT_ID` and +`OPENCRVS_DCI_CLIENT_SECRET` values are available. If you still have sibling Platform, Relay, and Notary checkouts and want to validate against them directly, `commons-check` remains available: @@ -267,6 +269,8 @@ OPENCRVS_DCI_NOTARY_PORT=4352 Registry Notary fetches OpenCRVS source tokens with OAuth client credentials. The smoke script also fetches a short-lived token to discover a seeded demo UIN when `OPENCRVS_DEMO_SUBJECT_UIN` is unset, but it does not store that token. +The default release check auto-skips this live smoke when those credentials are +not configured. Set `REGISTRY_LAB_CHECK_OPENCRVS_DCI=1` to require it. It derives local Registry Notary API-key hashes from the corresponding token values when the hash env vars are unset or still contain placeholder zero digests. 
@@ -680,9 +684,10 @@ source checkout and runs it against the default lab Notary services. It looks at `REGISTRY_NOTARY_CLIENT_SOURCE_DIR` first, then `REGISTRY_NOTARY_SOURCE_DIR` (which the justfile and `release-check.sh` default to this monorepo checkout), then falls back to the standalone sibling paths `../registry-notary` and -`vendor/registry-notary`. Use `REGISTRY_NOTARY_CLIENT_SOURCE_DIR` when -validating a client SDK branch. This smoke is explicit and is not part of -`just quick`. +`vendor/registry-notary`. Each source candidate may use either the split-repo +`bindings/python` layout or the monorepo `products/notary/bindings/python` +layout. Use `REGISTRY_NOTARY_CLIENT_SOURCE_DIR` when validating a client SDK +branch. This smoke is explicit and is not part of `just quick`. ## Fixture data diff --git a/lab/config/coolify/notary/dhis2-health-notary.yaml b/lab/config/coolify/notary/dhis2-health-notary.yaml index c4f08b94..0676102e 100644 --- a/lab/config/coolify/notary/dhis2-health-notary.yaml +++ b/lab/config/coolify/notary/dhis2-health-notary.yaml @@ -17,7 +17,7 @@ auth: scopes: - dhis2_health:evidence_verification bearer_tokens: - - id: dhis2_evidence_client + - id: dhis2_evidence_client_bearer fingerprint: provider: env name: DHIS2_EVIDENCE_CLIENT_BEARER_HASH diff --git a/lab/config/coolify/notary/nagdi-agriculture-notary.yaml b/lab/config/coolify/notary/nagdi-agriculture-notary.yaml index 401ffab9..3f3b0745 100644 --- a/lab/config/coolify/notary/nagdi-agriculture-notary.yaml +++ b/lab/config/coolify/notary/nagdi-agriculture-notary.yaml @@ -17,7 +17,7 @@ auth: scopes: - agri_registry:evidence_verification bearer_tokens: - - id: nagdi_agriculture_evidence_client + - id: nagdi_agriculture_evidence_client_bearer fingerprint: provider: env name: AGRI_EVIDENCE_CLIENT_BEARER_HASH diff --git a/lab/config/coolify/notary/shared-eligibility-notary.yaml b/lab/config/coolify/notary/shared-eligibility-notary.yaml index c3404e82..7005bf1d 100644 
--- a/lab/config/coolify/notary/shared-eligibility-notary.yaml +++ b/lab/config/coolify/notary/shared-eligibility-notary.yaml @@ -26,7 +26,7 @@ auth: jurisdiction: ZZ assurance_level: substantial bearer_tokens: - - id: shared_evidence_client + - id: shared_evidence_client_bearer fingerprint: provider: env name: SHARED_EVIDENCE_CLIENT_BEARER_HASH diff --git a/lab/config/coolify/notary/social-protection-notary.yaml b/lab/config/coolify/notary/social-protection-notary.yaml index 01656af2..37f63c45 100644 --- a/lab/config/coolify/notary/social-protection-notary.yaml +++ b/lab/config/coolify/notary/social-protection-notary.yaml @@ -24,7 +24,7 @@ auth: jurisdiction: ZZ assurance_level: substantial bearer_tokens: - - id: social_protection_evidence_client + - id: social_protection_evidence_client_bearer fingerprint: provider: env name: SOCIAL_EVIDENCE_CLIENT_BEARER_HASH diff --git a/lab/config/notary/civil-notary.yaml b/lab/config/notary/civil-notary.yaml index 075c6f76..eab0d8fc 100644 --- a/lab/config/notary/civil-notary.yaml +++ b/lab/config/notary/civil-notary.yaml @@ -31,7 +31,7 @@ auth: jurisdiction: ZZ assurance_level: substantial bearer_tokens: - - id: civil_evidence_client + - id: civil_evidence_client_bearer fingerprint: provider: env name: CIVIL_EVIDENCE_CLIENT_BEARER_HASH diff --git a/lab/config/notary/dhis2-health-notary.yaml b/lab/config/notary/dhis2-health-notary.yaml index 866a1a78..e4b3ee2d 100644 --- a/lab/config/notary/dhis2-health-notary.yaml +++ b/lab/config/notary/dhis2-health-notary.yaml @@ -17,7 +17,7 @@ auth: scopes: - dhis2_health:evidence_verification bearer_tokens: - - id: dhis2_evidence_client + - id: dhis2_evidence_client_bearer fingerprint: provider: env name: DHIS2_EVIDENCE_CLIENT_BEARER_HASH diff --git a/lab/config/notary/fhir-health-notary.yaml b/lab/config/notary/fhir-health-notary.yaml index ba0233e1..7016518e 100644 --- a/lab/config/notary/fhir-health-notary.yaml +++ b/lab/config/notary/fhir-health-notary.yaml 
@@ -17,7 +17,7 @@ auth: scopes: - health_registry:evidence_verification bearer_tokens: - - id: fhir_health_evidence_client + - id: fhir_health_evidence_client_bearer fingerprint: provider: env name: FHIR_EVIDENCE_CLIENT_BEARER_HASH diff --git a/lab/config/notary/nagdi-agriculture-notary.yaml b/lab/config/notary/nagdi-agriculture-notary.yaml index fec3e5de..4b2ab384 100644 --- a/lab/config/notary/nagdi-agriculture-notary.yaml +++ b/lab/config/notary/nagdi-agriculture-notary.yaml @@ -17,7 +17,7 @@ auth: scopes: - agri_registry:evidence_verification bearer_tokens: - - id: nagdi_agriculture_evidence_client + - id: nagdi_agriculture_evidence_client_bearer fingerprint: provider: env name: AGRI_EVIDENCE_CLIENT_BEARER_HASH diff --git a/lab/config/notary/openfn-civil-notary.yaml b/lab/config/notary/openfn-civil-notary.yaml index 506a9a55..b76effa2 100644 --- a/lab/config/notary/openfn-civil-notary.yaml +++ b/lab/config/notary/openfn-civil-notary.yaml @@ -17,7 +17,7 @@ auth: scopes: - civil_registry:evidence_verification bearer_tokens: - - id: openfn_civil_evidence_client + - id: openfn_civil_evidence_client_bearer fingerprint: provider: env name: CIVIL_EVIDENCE_CLIENT_BEARER_HASH diff --git a/lab/config/notary/shared-eligibility-notary.yaml b/lab/config/notary/shared-eligibility-notary.yaml index 1f7f284e..df410097 100644 --- a/lab/config/notary/shared-eligibility-notary.yaml +++ b/lab/config/notary/shared-eligibility-notary.yaml @@ -84,7 +84,7 @@ auth: jurisdiction: ZZ assurance_level: substantial bearer_tokens: - - id: shared_evidence_client + - id: shared_evidence_client_bearer fingerprint: provider: env name: SHARED_EVIDENCE_CLIENT_BEARER_HASH diff --git a/lab/config/notary/social-protection-notary.yaml b/lab/config/notary/social-protection-notary.yaml index a42f1a3d..d4fb9987 100644 --- a/lab/config/notary/social-protection-notary.yaml +++ b/lab/config/notary/social-protection-notary.yaml 
@@ -24,7 +24,7 @@ auth: jurisdiction: ZZ assurance_level: substantial bearer_tokens: - - id: social_protection_evidence_client + - id: social_protection_evidence_client_bearer fingerprint: provider: env name: SOCIAL_EVIDENCE_CLIENT_BEARER_HASH diff --git a/lab/data/civil/civil-persons.csv b/lab/data/civil/civil-persons.csv index c9381df2..81d90b03 100644 --- a/lab/data/civil/civil-persons.csv +++ b/lab/data/civil/civil-persons.csv 
@@ -1,17 +1,17 @@ national_id,given_name,surname,birth_date,life_stage,deceased,district,observed_at -NID-1001,Miguel,Santos,2016-01-15,child,false,north,2026-06-19T06:11:12Z -NID-1002,Maria,Dela Cruz,2018-01-15,child,false,south,2026-06-19T06:11:12Z -NID-1003,Cara,Okafor,1957-02-14,adult,true,central,2026-06-19T06:11:12Z -NID-1004,Rafael,Aquino,2019-01-15,child,false,east,2026-06-19T06:11:12Z -NID-1005,Rosalie,Bautista,2013-01-15,child,false,west,2026-06-19T06:11:12Z -NID-1006,Miguel,Martinez,2014-01-15,child,false,north,2026-06-19T06:11:12Z -NID-1007,Lola,Santos,1958-01-15,elderly,false,north,2026-06-19T06:11:12Z -NID-1008,Rosa,Garcia,1954-01-15,elderly,false,west,2026-06-19T06:11:12Z -NID-1009,Ana,Mendoza,1998-01-15,adult,false,east,2026-06-19T06:11:12Z -NID-1010,Pedro,Reyes,1971-01-15,adult,false,central,2026-06-17T06:11:12Z -NID-2001,Maria,Santos,1984-01-15,adult,false,north,2026-06-19T06:11:12Z -NID-2002,Juan,Dela Cruz,1988-01-15,adult,false,south,2026-06-19T06:11:12Z -NID-2004,Rosario,Aquino,1988-01-15,adult,false,east,2026-06-19T06:11:12Z -NID-2005,Eduardo,Bautista,1978-01-15,adult,false,west,2026-06-19T06:11:12Z -NID-2006,David,Martinez,1978-01-15,adult,false,north,2026-06-19T06:11:12Z +NID-1001,Miguel,Santos,2016-01-15,child,false,north,2026-07-04T09:45:02Z +NID-1002,Maria,Dela Cruz,2018-01-15,child,false,south,2026-07-04T09:45:02Z +NID-1003,Cara,Okafor,1957-02-14,adult,true,central,2026-07-04T09:45:02Z +NID-1004,Rafael,Aquino,2019-01-15,child,false,east,2026-07-04T09:45:02Z +NID-1005,Rosalie,Bautista,2013-01-15,child,false,west,2026-07-04T09:45:02Z +NID-1006,Miguel,Martinez,2014-01-15,child,false,north,2026-07-04T09:45:02Z +NID-1007,Lola,Santos,1958-01-15,elderly,false,north,2026-07-04T09:45:02Z +NID-1008,Rosa,Garcia,1954-01-15,elderly,false,west,2026-07-04T09:45:02Z +NID-1009,Ana,Mendoza,1998-01-15,adult,false,east,2026-07-04T09:45:02Z +NID-1010,Pedro,Reyes,1971-01-15,adult,false,central,2026-07-02T09:45:02Z 
+NID-2001,Maria,Santos,1984-01-15,adult,false,north,2026-07-04T09:45:02Z +NID-2002,Juan,Dela Cruz,1988-01-15,adult,false,south,2026-07-04T09:45:02Z +NID-2004,Rosario,Aquino,1988-01-15,adult,false,east,2026-07-04T09:45:02Z +NID-2005,Eduardo,Bautista,1978-01-15,adult,false,west,2026-07-04T09:45:02Z +NID-2006,David,Martinez,1978-01-15,adult,false,north,2026-07-04T09:45:02Z NID-1011,Miguel,Santos,2016-01-15,child,false,south, 
diff --git a/lab/data/health/health-facilities.parquet b/lab/data/health/health-facilities.parquet index fe32f8d9371cee095a349f6b35e68561f0217c9a..ffa81f0a436dd3d8df1303072b502d360a84d019 100644 GIT binary patch delta 63 xcmX>lbxLYOA`8E{u7OF2fu)s+sg;3Il+ok@7F8Z(vCRuv4zr+&6mZ^R1^^yt5X}Gp delta 63 xcmX>lbxLYOA`8EnuAya!fti(|p_QRgl=&3^&$l)n!3FT*AOViUdyp;uPj}XAx(ldi^mdkW{Kc2M;SK|wCEmX>m3sl=QbLo+v4Knys@VKH3 zwj+^L7j(IG^%+u|a);{~tk!Cdr=N+?D>?>YfBcAeWrUh@PdrwlevnLO9Hjh`oo*NZ zJmk--qty1R&z`U@=RKR-6s)Nj&ILN_xqfu@Ul9$DMBUaB3b8h;m%)hHj-_u_4YP9YWA`vV^QY7{o$J8#aeYx2RB z^PN+u*{94~R%ej(+4Bjd$!OL*Q(ZcoG`5ZjRrZY|&MlB>%H=g!A%Eu_C3pD|7IOXJ z$q}`FR&IshTggx1%BgwX!DOIabn`^Hxc6J`78c6s8?5CJ4pg|bSUo4+t6wwh}PuZpO6gK>G`qSfu6;Edym*wF~9xl%Sxq5%7RgszPJYEMIPYSyiWZ@8#-wjPj<(<=IeA8=0rkPCf2wq3P-gXzm>_ zE!*iBHeY^KSQSe6rZ*YN$BH2y>cJn&q5P><0pxyeVeV2M?rvfC$*pTN z>K5<@6-lH}3F*X5S(r!Dt5}8x+gFAs{Jw}d8@^cqX}+r+v=*(Z3Vpx=t-M!mExKo< z=}sS&Nmzua0nfneaXmlDvX9NAW90(l&Klh`Szq>3YZOzk7_qUwK4^0z3!T&+1`vtW z-9qvTQGY)H3MekRnwuMDs?bFxa zEOj~_-3gJRJyM|mG;~3@8Ek!FD{tLdU~TZ+2+$Y&UHFew|8n*~Q z007|j&BF;uV=U*a#0LNi z-YRSDY4KVfCrN1@i8X%^2 z;YuD?Tas*ld$fU@4vLiZx@|6j*aFoCKhj(9!|(6NoL`9Sx}j*YNJhQ+kJ*9 zAHZ}`dTD*)Ff^abl3?d8?BbSg>DiW4LdTZM@M`>gWPGQ1z%M!OTkQo zc708@KI7v?;wAQ=H1)8k5XXF58cB|~c^pCqnY2ZT?;-g+bj4&fIlP1k5;;(=Ut^4) zHHnQ4a3~YjsK;TgjbS`y7#1;>R|{`%d%1eaZ8tcZRnXTe>L)YO z)H=&*mL?S@4C4oxJ~UQxry;$1srH2h?an;A{>v`KAH?n)|9Rkg{kY(SO46*+PS)m` zQhK%))n>~<9s>nBY_-n~PMmMXA0vSPJ03(;0VS;(b6U_bp zlZaKy9uNEPgf%bvC;o&MI{}$8M24SLOU^cct~sz)-*GSqZgIc%Xc zUY#|h&CcCFR^|;r`vWxZ8}yn*yO|aRIXsCj%{{Qit=DW1)KsxEJ>cL_#)gbo5$RKPSab2VQL0^?D3iaK3DiJO z?q;u*rAE91$-js=n`%35A(MPhe+oIFbeq!Of3gz8sbR@`k|mb@U}YRWkO=y$@e7@p zr89ykP8R6{AnBT|RSu$`xd#>W3=nPyx42i)LH0t5U|U|ie7jQv;Z;n}-yvF!a%R6s z7AIJg30-DlCcO;Q!b_7loeHbVUhZ4^XdXD#=~h?jP;S0!LcyR@bK!TU61*NgCZ~5; z&Ra7Mok4!EJf$Z6ET>B8^_p!5aflw+&@Pi?RZsUZ9XLE5>DGKQFnKo6J&-ZeVCx9` zj95T94yV1A^20uN@hG%3DCB8@rH7i5^*b0CN-k36rq8}YJjd=Oy2v}#ubTVp(3(7i zZ=qw-O!8-1;&e$pPHwyMd&U`7W*?@4(ETN}j)!JQpYvzEZ+Ame54Z;$EUe 
z@>94}{nZM{?&UO2_4$%l!INc@bAz*gLRj;|9=E zhv=n(EnMDt_&XutI(~Dd7oDYe$$Uq~g->NXxtI(bqac`~RDE|M8+^M!ZeBK-B6YSu z42f<3t;Cu$Mqzw{X{>837Rn-q-(G<=XJJOG7zYf^Dn*yRbwl(N=e%GtYPLN);nFK% zxop!IU9klxuV4GY1tb$@2)m1&D)d^`q`&we-z{#;>Q)UIP_Zd}wB})bCN@Lpe%BQC zI$L(_i?TNai!h)(%R%gVBd@(n6L*hnArbQOzA^Q>FD}h%O?N}f&Wrlnj_>9yzScs| z60c^eV-Oldjef0+*L>xM<^C}&hG#O5D#CyI>0C*Dhh98wIb&KN%iPg;hjQ+BU=F_i zmG|Re;=}Y&v-LK=($1nf^|T7K%k{6HM8k`&te_p3#&uMuSQF!5M5vA|QDi~Dz*EDL z>*AiThQC9_j9`bmUh#&1_B^WIJ$;yr_UlHJ1s1y6l*`9?={L@mHh&&1MwrH^UrCfu zs;1xd#3<@|Lmnpaa%O&1YJ|THe8Z7zB^SLeAPvMo7HAv&lg8qsCgeLOXvs0R1CYTY zun@0|uJu`cUEq2yM~5J2@LPDl*~3#%(q>hHtq(p#8^Aj?*m<>@?8bupsg#PID2dit z(^-kDkaPH{YfIZr+2j1uYPV_vXZ#qZJrq@OcH$pqy^i)YziRiAY=q{xT!Sy=nYqQ4Squ{NQiOPq0{8Sb5K~|r0PyaN1X~A*?QV&PBO08k#DN43N*p&3azLA7 zNu}L2{=7o=r658+GCcmib_9%BDTQ7s z8#{RlRw6=~7w{<_or-kDaE!t|rzJi6(2RHAhfbdRiFr+&}a|HBcUc96Cn`-Z)?>-1i@I-ZS zZNn2N)tc^o6j_k#OUx+fRBVX*&9hyd;Mu3q#377or&0<_@vOc{cGjzR+fPl#c#F3y zsc5#<#%%Jp6URL9wEQjZ)28BcWfX<7u}6@|hVbkV54LKIO%yW_2@g(K@Q00JOTY9? 
z@b2#{X=2=u7=t=K-bIX|L&^t#@D)|W347BHPFisCSRQ$uIii@%QZgz?*SKOTxVbVa z{zg2wwrFZ<2CEbUw98@4hAGXZq=&|wWTJ3iLw^4Nu!9Tj!n=8);N6>&K%$szD7dvg^!QQM!b6E- z)#5kufd6i6tKO6Y`UC(#J;UEqJoX_s4f=qSJx%Np?`M=lY!!UEY&S~TlKCCpjQx!D z@uF*}Y?s9X(W)-0!Tx}TQ}%Lc#lOl%(>u`C{;8=?z21*W|J^COjht}qp)))f21n#L{A1r*bbu7|F(Pd+KVK!1-_ zKKzh8!Q5llfLWYM>?_VB8PC(*f0k(t6{gAZA(%DwaeZIHO!b}spD61!i;{E+UK!_%XRd3329z$-x5y&XU6 z8vB0zxM_CZ`Aq0bt6|Cusr3P^+bl-aqtb%xq59EnDD2@|g?e0Dm%HH@D+09M( zx}!5(J(xZEuzus^xR3CB?$5yYC65>;;?!FbR{dQ5oRo3F-#gDNgm0VS2J@vGJmv() zuIrU+3>}Y+;m*diyy{pO{zJ6ggY;2U?6-n6DhYlGUEJDKjStF3QpBIYcBqaSXE!b` zn#nX~-@ZG7gXrQssdE&qjv<=kcA6!`%L(C9W4(P2Okb}_Oms&m2>cCwdXvrNkE6`T zotFmftGsT{wo2Pg<+TshdO4cZcYn)u*3EO;=28g%-~}-mw=*dr)Z`ts@5&S^0}oNflh*R6xSiHbX8JNVP4;%zP-qTm1mk@tW%1x+YwuYw(he|sVaFc6jF}H86 zX^9I%e^yj_S#EqjpBW!v=Qb4YrAu{(FPdoCE%vSm^3J3n zZne7IdGV-auG;r2sxjEOZQ1l2>AJ{~>D3mx<~@HgnDC!jh&56`vi#R|xG^IB&lMD` z1N!Gd^efP_{5|;j-dGbdH%6^pEN?!v;6%r9|HmaDiQzy z_&+=y%ReX^Nyq&EK6U>;#D*P0D&rUP|3d{8h4F2L{z-R5VZ0q|uA(yj8~DGDtDARv YQvalqk}$rU%s&~WLSD)Pis&Dq~*(Yn|AA1Z2PQpohHsAXLgv}PZ+O6RjJ z4*JTNw(HKnv|$e*5gW7$#NQ}#-fJ$iY}gknqC0F6i;I<3YgwY4+2~D-i-IeG10J%I z^VthHJKv!W>v99SG*1*L92&lXoRvCHjwac1Ct>waT}g+vE2~A!{;m2=)j>s#Oc%}` zoB<~>uZJi_hEdpGg61g8PreF_-XHcafICw*!&;54fj0ZX8XuXwWGn|;Gus=j{6n>3 zCus^v+xIJeOEkH0N84hz@oSam_gk-G z?LsTg~jSy$W47fv$pn&2v8(l7FMsZ%nbz+qJ zfckw+9uVcql;`^fWG9QW{m>(${@?a&AQ9fgE8ENJyt^U1Jt+ei-i!hbiST3$%Unh~ z&O}jE#d)`Fz^Ym3nJ~SEa1spLPu9Pr4*Ar^-EQ860O^j@L~}thR&;G3pGwJNq&Nr& zNz?L1iCQyRTfaq2=&}b-+;N+2VvQySl2PzDMOhd@d%{3Saz?yo2CS@DKux0{G#bJL z1q{aTE070Ke6*6w zGO<{p0yzKqz%ry>ev8=(5X;eco-AS-D>G+<*3ybR4o}>XHSKJ(a`@6{ehxCwAtMKq zkdOecIv2^FS>(k#QW6q6D*Rn$7JL|(38ZalcHJp5xXSrP7(NdyO3F%!9|p5w(ZdWg zCr(dhR=5+6EyQO!tb9G^kZMiVWJ|MMJEv~6Ad87UB)QYq6zcT6TzT>;7B+9{8Rc7o zZc5ke7qLH+H~>)yrQmyC`Ug-T0FXQn<&?(DQ+AMWx)qrWT1OW zAfL*Uyxv~i09oyNd-+Ivc?xRv&$`Fx=F;{D^9hR2ZV*w2MO*gAM$D2v;zQ4ym#dj0 zM}}7nh(x)72)Unr~4jXlSXWd}jll_EZyidx*Ao^JSjS0Fmh+IM6#DR{qd*ByDg^~|TkEIj-j 
zfB<#DNT!2kSo?c)tp?`Jq#ZVF^;umo;*#PykC038l@A&pPqxetPtjU(>`~&pvpm2Nat!`GMH@nTG zs?Xal`Bpa!Mwl9%{{C6B?oUXF@;kB8?utC`oU<-rjaaDTGpVaN_#AX%#o6+|L z24|SQw45iB71g>FZr=~ga63~t{;5@s-!Nw;Svwa*7vX|K&FI6FA5*01KI~%=$}-ov zFF~xFA#XHk+k*(9hp9TP4J53OokkNs8)x+bDBfa<73b3UjKrRE{&>2kak1H!<3|02 z5*vmrn+8Ba7FSLfoC;OX zMe6`X4~Bawewx~LBqlt7x>O~{F2zwaUVdFcN<68J#JcY`mbsLsQvvM-9?0reI@aWp~>RSHb2nwc=i`}*J zU>wP>_50X8u)Qkk@WZx6zem(zYrIFw(nFwjy55qrdzUeX>w6 zm^aH|_25!|33s%HJ8I&v&E~KgXvfk^U)iJ!t`dJ#Qg?Y6e(OFzvA7eD0(he>UB9c| zGN0DpcyzXd+nSF!r!THT9|Y`D8U+eDZ`?aFHzF56e*{m6>ALzBDP42vW3{$6a=Lda z^nPbJ#_@gyZ-MZvgGx6njVkZ>eVXr9hLGRcL(NOl|BA$#-!~DY)O-a8_r?GuBlhHvL;_InBh+|lkSUtX`lJ$bL2gl6O0;9_0= zcs@Tg|MY%N%Y1zI(JE!qh^VkWhptI~c&pKZ@$Qrg<^HTzGxindOgV4Ts9jpwYWA+% zqQC2GNw3q3R-S__*0&nV*cz>|o#pJe?VrC0wWh^R)WJV|-@GHXq2KM%Ab5WNqP$N2 zsYO5W_+)kE4k4K2{9HP?a(ncM0Ec&E?*=MTkJn)1<38^DRJ_JI&jg}}#LgxpbRKG$ zA1_p<&+ehk%dn>Lse7g;CUz&kHDzv;hxhFv{bIwGiNg;I&)lmkR6oGM#UHIAo!EvO z6w-9g_8#v(l3&R;D_%50&=-=W{G%a9n`w3~X{9t-72U=R1{Qo>Q1dWuQd*9D$mYe} zr2gF-U%rK=xEt)jp6&QdO4*z&4WmGRm}J^fP2Np!KZ)IxP)$L_+-dPI?M7v~Lc77M zr-#Z7mo0B1E?C6)UmZqfA4abBx8xP`>cQPzYFlcF0rm~1w!0bz?Z)&4CDIuj7yk5PV* zzbDz~lEAH`HQ;<*GB}x2D=(g(%jr7YkoG#3mntok=V0L5FgwhF24EcV2T&V)7w|i) zJ%gA$4u&YZ0?92}1)|Zkw(T70PpHZJFbr@*So*)7 zn=ycxx@swG+yBD?+DHK$cj0WKB!GA{RlU|+Ji@_K(;7VPeQua z>d4%^kEDazRJnXb`E;>Ux$kY+56q5g2g-zv*nCCC(+hq;ygFTc zqwPLQ3*t%%t+hnXi^zA)^2H!l5~96JW&U+WCYSK(`RNaB_dm3ooJpZ)mPk@jd77LY zwg|2$4O}>WEF96bD_i3}veND(`zBlwQ0+eASiknm-5>c_4I4=9>zyI1lyzw0VbfS& zHH(yG#n~tKDBl)k;bMlV>yKg5*hbdeJ+pdnM5_#wZL4^Wob*mrO*>9;=7h{RIw=BP z4JxCdCjTR6V;2)GV7t*UmfLb8hwzt!dYO>lPltM#Jaq&`QL15x+^Pq@h^~0fQKa{@ zwD+f*Sot^MQzrlk?`de`51P3;@`I)M4u;NfN$=q+*FJW7dyha=1!dWPW!+vBPbTOr zU6B19{?SVR!3%?Q1le(F zy-XnLSdUWpaZyJ>xtoZ1C3c!!HC?^uGg+c?dbr5sUga!NR=t-w#US??5Gt#ehT%IB zw(pBb+hpW5x$FMtL00AMe`I|I^aCP%4s<@i48I_`9QH+BVHaCgl$>se$ z6MQ=xVNE7L6b0%rG^{_TUZEWJ%_; z%&l|3SBElae_5rZTCF(lIf8XmAHA_jW!}p>B~FH|f-V~xB_?-B{_BM!sUdw6hDY#- zV@ZS_3O>3Yrc0cJ>fq=4a?N<_Qdsg{73(=%o=bm0v8@Cl*wGQ$05QhVPI}Q6X3HMC 
z)yL^8-9FE6EpPWBVy8s<7Z+1^%ql0J)c4w!LAtXIx5(qB?xz*04ZP8eM#_*yeYd^L5q!olx56yR4QH$F)YG7RZhBH~9Ev zbjR;RO!nq>g3k@}W}!0aV+9+I?vYJ>KWVWXtQd2_fzOmMeQeRz{q)o53Bq$o6;kAR z5#2Iw-sRA1yjn5%+~siLHN7%yLC2~pq~wyX zS7f2S7-3wVPKVcN&#)te>WkdAlcSSF7;|790-?*#+XUbAgbK|QJ))IZIi zQZBo6YIS{?2n(q&RTQWO+Mg9+F^doEJsu%ZBU2a6Gp&?=mI{ zCn8Ga%3?ZrKjxnE2-Sp63m{IPy$y{~S7P!qctmG`I7RYngZUqjmkwtHQ8P)g;GI={ z?Y@8B_o&WNuW9WtF|H+RpP!iX;QNvk#0~Xft!J(MLI<=Q+GnkE{3Yr7b7u1CJJ@g? z+_27@F;8`t4sJQ_X!)87Yv{G7isow3{mBFGceb4Y7t1(e3Jiz3yq$GRD8`D#4GR$K z+{%$XwSv0ij=Ha@485*1MMB5q!aTFm>3k>;vY#6u*D}+ex~|um$=C8}r}6!}#&kOS z7#3Hpt3B%(*;|p$QcoIk%`5H6+uog6mnOtmX?uS|s*RLBj>Y=FFP-Av7%hOe->okl zE)eC5Wf9Sq;!@09m$lL*nErOJi)VKL3uw>g#x|uZlxVo0EPEZhf7k3)teu-M#7R~+CK$*6xC}8fR{E)cZcgK8g z#T88FU%5Hbbv-M8SQ3O3jYVLBNYhS|0UuiB+&n8xEe!3S=g>fEO>$n1KYnBnh`k($p_~DPvYVE ztLdAH*tIu!230hvi^yNW6IC(N9mHQ)eFd|Tf8o&;G?n=aZ==LWQ3`*dn*s$s2E_o- Jx&5#G{{bF8-BSPn diff --git a/lab/scripts/release-check.sh b/lab/scripts/release-check.sh index 73e40998..e3e7fa6c 100755 --- a/lab/scripts/release-check.sh +++ b/lab/scripts/release-check.sh @@ -66,6 +66,34 @@ cleanup() { } trap cleanup EXIT +has_opencrvs_dci_credentials() { + [[ -f "${demo_dir}/.env.local" ]] && return 0 + [[ -n "${OPENCRVS_DCI_CLIENT_ID:-}" && -n "${OPENCRVS_DCI_CLIENT_SECRET:-}" ]] +} + +run_opencrvs_dci_check() { + local mode="${REGISTRY_LAB_CHECK_OPENCRVS_DCI:-auto}" + case "${mode}" in + 1|true|yes) + scripts/smoke-opencrvs-dci.sh + ;; + 0|false|no) + echo "skipping OpenCRVS DCI smoke: disabled by REGISTRY_LAB_CHECK_OPENCRVS_DCI=${mode}" + ;; + auto|"") + if has_opencrvs_dci_credentials; then + scripts/smoke-opencrvs-dci.sh + else + echo "skipping OpenCRVS DCI smoke: provide lab/.env.local or OPENCRVS_DCI_CLIENT_ID/OPENCRVS_DCI_CLIENT_SECRET to enable it" + fi + ;; + *) + echo "REGISTRY_LAB_CHECK_OPENCRVS_DCI must be 1, 0, or auto, got ${mode}" >&2 + exit 2 + ;; + esac +} + cd "${demo_dir}" scripts/check-release-source-model.sh "${source_mode}" 
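Review bot: In `auto` mode, now the default in `run_opencrvs_dci_check`, the release gate can end with `release check OK` although the live OpenCRVS DCI smoke never ran, and the only trace is one `echo` on stdout. Sending both skip messages to stderr, e.g. `echo "skipping OpenCRVS DCI smoke: …" >&2`, makes the reduced coverage harder to miss in captured logs. Release pipelines should also set `REGISTRY_LAB_CHECK_OPENCRVS_DCI=1`, so that missing credentials fail the gate instead of shrinking it. The `*)` branch reports `must be 1, 0, or auto` while the `case` also accepts `true`, `yes`, `false` and `no`, so the message and the accepted set should be aligned. The call site is the `@@ -98,8 +126,6 @@` hunk of the same file.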
@@ -98,8 +126,6 @@ if [[ "${REGISTRY_LAB_CHECK_OPENFN:-1}" == "1" ]]; then scripts/smoke-openfn.sh fi -if [[ "${REGISTRY_LAB_CHECK_OPENCRVS_DCI:-1}" == "1" ]]; then - scripts/smoke-opencrvs-dci.sh -fi +run_opencrvs_dci_check echo "release check OK" diff --git a/lab/scripts/smoke-notary-client.py b/lab/scripts/smoke-notary-client.py index f1ccf2bb..f9cec831 100755 --- a/lab/scripts/smoke-notary-client.py +++ b/lab/scripts/smoke-notary-client.py @@ -68,15 +68,20 @@ def resolve_client_source(demo_dir: Path) -> Path: if not candidate: continue source = Path(candidate).expanduser().resolve() - package_dir = source / "bindings" / "python" - checked.append(str(package_dir)) - if (package_dir / "registry_notary" / "__init__.py").exists(): - sys.path.insert(0, str(package_dir)) - return source + package_dirs = [ + source / "bindings" / "python", + source / "products" / "notary" / "bindings" / "python", + ] + for package_dir in package_dirs: + checked.append(str(package_dir)) + if (package_dir / "registry_notary" / "__init__.py").exists(): + sys.path.insert(0, str(package_dir)) + return source fail( "Registry Notary Python client was not found. " "Set REGISTRY_NOTARY_CLIENT_SOURCE_DIR to a Registry Notary checkout " - f"that contains bindings/python. Checked: {', '.join(checked)}" + "or registry-stack monorepo checkout that contains the Python bindings. " + f"Checked: {', '.join(checked)}" ) diff --git a/lab/scripts/smoke-opencrvs-dci.sh b/lab/scripts/smoke-opencrvs-dci.sh index 689eed2b..54ef5b35 100755 --- a/lab/scripts/smoke-opencrvs-dci.sh +++ b/lab/scripts/smoke-opencrvs-dci.sh @@ -32,6 +32,17 @@ load_env_file() { fi } +restore_optional_env() { + local key="$1" + local value="$2" + if [[ -n "${value}" ]]; then + printf -v "${key}" '%s' "${value}" + export "${key}" + else + unset "${key}" + fi +} + has_custom_cel_mapping_source_dir() { case "${CEL_MAPPING_SOURCE_DIR:-}" in ""|"./vendor/cel-mapping"|"vendor/cel-mapping"|"${demo_dir}/vendor/cel-mapping") 
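Review bot: In `resolve_client_source` (smoke-notary-client.py hunk on this line), the new `package_dirs` list has no comment saying that its order is a precedence. A checkout that contains both `bindings/python` and `products/notary/bindings/python` silently resolves to the first, and that directory is then placed at the front of `sys.path`. I would add above the list `# Standalone Registry Notary layout first, then the registry-stack monorepo layout; the first match wins.` The function starts before this hunk, so whether its docstring already covers this is not visible.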
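Review bot: `restore_optional_env` (smoke-opencrvs-dci.sh, the last hunk on this line) has no comment, and its `unset "${key}"` branch is easy to misread. As it is called later in the file, it runs after `.env` has been loaded, so for a key the caller did not export it discards whatever `.env` set, and an exported empty value is treated the same as an unset one. I would document that above the function: `# Re-apply a value the caller exported before .env was loaded; otherwise drop the .env value for this key.` If dropping the `.env` values of `OPENCRVS_DCI_BASE_URL` and `OPENCRVS_DCI_NOTARY_PORT` is not intended, the `else` branch should leave the variable alone instead.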
@@ -155,6 +166,12 @@ require_tool docker require_tool jq require_tool python +provided_opencrvs_dci_base_url="${OPENCRVS_DCI_BASE_URL:-}" +provided_opencrvs_dci_client_id="${OPENCRVS_DCI_CLIENT_ID:-}" +provided_opencrvs_dci_client_secret="${OPENCRVS_DCI_CLIENT_SECRET:-}" +provided_opencrvs_dci_notary_port="${OPENCRVS_DCI_NOTARY_PORT:-}" +provided_opencrvs_demo_subject_uin="${OPENCRVS_DEMO_SUBJECT_UIN:-}" + if [[ -f "${demo_dir}/.env" ]]; then load_env_file "${demo_dir}/.env" else @@ -167,10 +184,16 @@ demo_opencrvs_evidence_deny_jurisdiction_token="${OPENCRVS_EVIDENCE_DENY_JURISDI demo_opencrvs_evidence_deny_legal_basis_token="${OPENCRVS_EVIDENCE_DENY_LEGAL_BASIS_TOKEN:-}" demo_opencrvs_evidence_deny_consent_token="${OPENCRVS_EVIDENCE_DENY_CONSENT_TOKEN:-}" +restore_optional_env "OPENCRVS_DCI_BASE_URL" "${provided_opencrvs_dci_base_url}" +restore_optional_env "OPENCRVS_DCI_CLIENT_ID" "${provided_opencrvs_dci_client_id}" +restore_optional_env "OPENCRVS_DCI_CLIENT_SECRET" "${provided_opencrvs_dci_client_secret}" +restore_optional_env "OPENCRVS_DCI_NOTARY_PORT" "${provided_opencrvs_dci_notary_port}" +restore_optional_env "OPENCRVS_DEMO_SUBJECT_UIN" "${provided_opencrvs_demo_subject_uin}" + if [[ -f "${local_env}" ]]; then load_env_file "${local_env}" elif [[ -z "${OPENCRVS_DCI_CLIENT_ID:-}" || -z "${OPENCRVS_DCI_CLIENT_SECRET:-}" ]]; then - fail "missing .env.local; copy .env.example OpenCRVS values or create it with OPENCRVS_DCI_CLIENT_ID and OPENCRVS_DCI_CLIENT_SECRET" + fail "missing OpenCRVS DCI credentials; create .env.local or export OPENCRVS_DCI_CLIENT_ID and OPENCRVS_DCI_CLIENT_SECRET" fi OPENCRVS_EVIDENCE_CLIENT_TOKEN="${demo_opencrvs_evidence_client_token:-${OPENCRVS_EVIDENCE_CLIENT_TOKEN:-}}" diff --git a/lab/tools/lab2-governed-config/Cargo.lock b/lab/tools/lab2-governed-config/Cargo.lock index 526c91d8..a3aa0ea2 100644 --- a/lab/tools/lab2-governed-config/Cargo.lock +++ b/lab/tools/lab2-governed-config/Cargo.lock 
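Review bot: In the `@@ -167,10 +184,16 @@` hunk the credential check sits in the `elif`, so it only runs when `.env.local` is absent. A `.env.local` that exists but lacks `OPENCRVS_DCI_CLIENT_ID` or `OPENCRVS_DCI_CLIENT_SECRET` gets past it with empty credentials, unless a later check outside the hunk catches that. Validating after the load covers both cases: close the first branch with `fi` and start a separate `if [[ -z "${OPENCRVS_DCI_CLIENT_ID:-}" || -z "${OPENCRVS_DCI_CLIENT_SECRET:-}" ]]; then` before the `fail` line. The same block loads `.env.local` after the `restore_optional_env` calls, so whether the file or the caller's exported values win depends on `load_env_file`, whose body is outside this hunk; a one-line comment stating the intended precedence would help.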
@@ -1300,7 +1300,7 @@ checksum = "d6f6ff9a378485b298a5286656da665ba74413d36db0979633275d2e708145d4" [[package]] name = "registry-platform-config" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "aws-lc-rs", @@ -1319,7 +1319,7 @@ dependencies = [ [[package]] name = "registry-platform-crypto" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "aws-lc-rs", @@ -1339,7 +1339,7 @@ dependencies = [ [[package]] name = "registry-platform-httputil" -version = "0.8.3" +version = "0.8.4" dependencies = [ "bytes", "http", @@ -1351,7 +1351,7 @@ dependencies = [ [[package]] name = "registry-platform-ops" -version = "0.8.3" +version = "0.8.4" dependencies = [ "fs2", "registry-platform-crypto", diff --git a/products/notary/CHANGELOG.md b/products/notary/CHANGELOG.md index 5a9f15c3..05eaaa84 100644 --- a/products/notary/CHANGELOG.md +++ b/products/notary/CHANGELOG.md @@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [0.8.4] - 2026-07-04 + ### Fixed - Corrected the `GET /admin/v1/posture` OpenAPI example to include the diff --git a/products/notary/docs/release-notes.md b/products/notary/docs/release-notes.md index d3b57484..963fcccc 100644 --- a/products/notary/docs/release-notes.md +++ b/products/notary/docs/release-notes.md @@ -2,6 +2,8 @@ ## Unreleased +## 0.8.4 + - BREAKING: Static API-key and bearer-token config no longer accepts `fingerprint.commitment`. Remove that field from Notary YAML. diff --git a/products/notary/fuzz/Cargo.lock b/products/notary/fuzz/Cargo.lock index 5e548294..e5fea00d 100644 --- a/products/notary/fuzz/Cargo.lock +++ b/products/notary/fuzz/Cargo.lock @@ -1438,7 +1438,7 @@ checksum = "d6f6ff9a378485b298a5286656da665ba74413d36db0979633275d2e708145d4" [[package]] name = "registry-notary-core" -version = "0.8.3" +version = "0.8.4" dependencies = [ "base64", "humantime-serde", 
@@ -1467,10 +1467,9 @@ dependencies = [ [[package]] name = "registry-platform-authcommon" -version = "0.8.3" +version = "0.8.4" dependencies = [ "serde", - "serde_json", "sha2 0.11.0", "subtle", "thiserror", @@ -1479,7 +1478,7 @@ dependencies = [ [[package]] name = "registry-platform-cache" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "redis", @@ -1491,7 +1490,7 @@ dependencies = [ [[package]] name = "registry-platform-config" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "aws-lc-rs", @@ -1510,7 +1509,7 @@ dependencies = [ [[package]] name = "registry-platform-crypto" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "aws-lc-rs", @@ -1530,7 +1529,7 @@ dependencies = [ [[package]] name = "registry-platform-httputil" -version = "0.8.3" +version = "0.8.4" dependencies = [ "bytes", "http", @@ -1542,7 +1541,7 @@ dependencies = [ [[package]] name = "registry-platform-oid4vci" -version = "0.8.3" +version = "0.8.4" dependencies = [ "base64", "registry-platform-crypto", @@ -1555,9 +1554,10 @@ dependencies = [ [[package]] name = "registry-platform-replay" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", + "getrandom 0.4.3", "registry-platform-cache", "thiserror", "time", @@ -1565,7 +1565,7 @@ dependencies = [ [[package]] name = "registry-platform-sdjwt" -version = "0.8.3" +version = "0.8.4" dependencies = [ "base64", "getrandom 0.4.3", diff --git a/products/platform/fuzz/Cargo.lock b/products/platform/fuzz/Cargo.lock index 9a18d3da..039cd225 100644 --- a/products/platform/fuzz/Cargo.lock +++ b/products/platform/fuzz/Cargo.lock @@ -951,10 +951,9 @@ dependencies = [ [[package]] name = "registry-platform-authcommon" -version = "0.8.3" +version = "0.8.4" dependencies = [ "serde", - "serde_json", "sha2 0.11.0", "subtle", "thiserror", @@ -963,7 +962,7 @@ dependencies = [ [[package]] name = "registry-platform-cache" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "redis", 
@@ -975,7 +974,7 @@ dependencies = [ [[package]] name = "registry-platform-crypto" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", "aws-lc-rs", @@ -1012,7 +1011,7 @@ dependencies = [ [[package]] name = "registry-platform-oid4vci" -version = "0.8.3" +version = "0.8.4" dependencies = [ "base64", "registry-platform-crypto", @@ -1025,9 +1024,10 @@ dependencies = [ [[package]] name = "registry-platform-replay" -version = "0.8.3" +version = "0.8.4" dependencies = [ "async-trait", + "getrandom 0.4.3", "registry-platform-cache", "thiserror", "time", @@ -1035,7 +1035,7 @@ dependencies = [ [[package]] name = "registry-platform-sdjwt" -version = "0.8.3" +version = "0.8.4" dependencies = [ "base64", "getrandom 0.4.3", diff --git a/release/VERIFY.md b/release/VERIFY.md index e0f7dcb0..e452892e 100644 --- a/release/VERIFY.md +++ b/release/VERIFY.md @@ -8,7 +8,7 @@ release workflow also include a release-level SLSA provenance asset named Earlier releases, including `v0.8.2`, may include cosign signatures but no SLSA provenance asset. The commands below verify a tag-triggered release that -includes provenance. Replace `v0.8.3` and the asset name with the release you +includes provenance. Replace `v0.8.4` and the asset name with the release you are checking. Repeatable build evidence for the `v0.8.3` Linux amd64 binary assets is @@ -17,7 +17,7 @@ documented in [`release/REPEATABLE-BUILDS.md`](REPEATABLE-BUILDS.md). ## Download Assets ```bash -tag=v0.8.3 +tag=v0.8.4 asset=registryctl-${tag}-linux-amd64 provenance=registry-stack-${tag}-release-provenance.intoto.jsonl diff --git a/release/manifests/registry-stack-beta-10.yaml b/release/manifests/registry-stack-beta-10.yaml new file mode 100644 index 00000000..1d2075d2 --- /dev/null +++ b/release/manifests/registry-stack-beta-10.yaml 
@@ -0,0 +1,35 @@ +stack: + release: beta-10 + version: 0.8.4 + source_repo: registrystack/registry-stack + source_ref: ebe613a7e712341884d10bf4e5c64e48b2591bad + source_tag: v0.8.4 + status: release-candidate + +artifacts: + registry-notary: 0.8.4 + registry-notary-source-adapter-sidecar: 0.8.4 + registry-relay: 0.8.4 + registry-manifest-cli: 0.8.4 + registryctl: 0.8.4 + registry-lab: 0.8.4 + registry-docs: 0.8.4 + +external: + crosswalk: + repo: PublicSchema/crosswalk + ref: 1d44ec735fdc8a7c719264b339574371e8330337 + status: tested external input + registry-atlas: + repo: jeremi/registry-atlas + ref: d46f943b9fdcbab787d1d4eed114058aa43980be + status: held lab-only external input + esignet-relay-authenticator: + repo: jeremi/esignet-relay-authenticator + ref: 23cc0abb6469e0d18c8e6776f87de1691bdf40ee + status: held lab-only external input + +warnings: + - code: hosted-publication-held + classification: hosted-gate-held + detail: Hosted/public announcement requires separate hosted-state proof after source release. diff --git a/release/manifests/registry-stack-beta-8.yaml b/release/manifests/registry-stack-beta-8.yaml index 95d60a87..d482631d 100644 --- a/release/manifests/registry-stack-beta-8.yaml +++ b/release/manifests/registry-stack-beta-8.yaml @@ -4,7 +4,7 @@ stack: source_repo: registrystack/registry-stack source_ref: ed24c1829f0ba00633f2a7a927afaeafe50a593e source_tag: v0.8.2 - status: release-candidate + status: released artifacts: registry-notary: 0.8.2 diff --git a/release/manifests/registry-stack-beta-9.yaml b/release/manifests/registry-stack-beta-9.yaml index 4e09796c..a243de46 100644 --- a/release/manifests/registry-stack-beta-9.yaml +++ b/release/manifests/registry-stack-beta-9.yaml @@ -4,7 +4,7 @@ stack: source_repo: registrystack/registry-stack source_ref: 4507906491e4a580295a9221e60d1ac6ae541c33 source_tag: v0.8.3 - status: release-candidate + status: released artifacts: registry-notary: 0.8.3 
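Review bot: `source_ref` in the new `registry-stack-beta-10.yaml` is pinned to `ebe613a7e712341884d10bf4e5c64e48b2591bad` with `source_tag: v0.8.4`, while patches 2/3 and 3/3 of this series still regenerate shipped OpenAPI files for v0.8.4 after this manifest is written. How the pinned ref relates to the tag is not visible here, so it should be confirmed that the commit `v0.8.4` points to matches the ref and includes those regenerations; otherwise the manifest describes a tree that differs from what the tag builds. A comment on the field such as `# must equal the commit v0.8.4 points to` would make the invariant explicit.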
diff --git a/release/notes/v0.8.4.md b/release/notes/v0.8.4.md
new file mode 100644
index 00000000..bafcd3ca
--- /dev/null
+++ b/release/notes/v0.8.4.md
@@ -0,0 +1,45 @@
+# RegistryStack v0.8.4
+
+RegistryStack v0.8.4 is the beta-10 release candidate after v0.8.3.
+It carries the post-v0.8.3 security, configuration, docs, and release-trust
+hardening wave into the public stack release train.
+
+## Scope
+
+- Keeps the stack release in the public `registrystack/registry-stack`
+ monorepo.
+- Defaults Registry Notary credential profiles to holder binding with
+ `did:jwk`, with explicit opt-out warnings for deployments that intentionally
+ issue unbound credentials.
+- Removes `fingerprint.commitment` from current Relay, Notary, Lab, and
+ registryctl-generated static credential configuration.
+- Hardens authorization and audit boundaries: scoped OID4VCI issuance tokens,
+ nonce expiry rejection, required-filter principal binding, approval reference
+ validation, break-glass emergency-class binding, and pre-mutation config-apply
+ intent audit events.
+- Moves RegistryStack identifiers to the owned `id.registrystack.org` domain
+ and refreshes Notary OpenAPI/problem response documentation.
+- Adds registryctl support for FHIR source-adapter sidecar Notary scaffolding,
+ richer generated spreadsheet samples, and corrected generated Notary policy
+ purposes.
+- Reworks the docs onboarding path, trust/security pages, release-trust
+ evidence, and dependency-gate descriptions for the current monorepo release
+ process.
+- Keeps Crosswalk as the tested pinned product input.
+- Keeps Registry Atlas and the eSignet Relay authenticator held as lab-only
+ external inputs.
+
+## Release Gates
+
+The source release is expected to pass:
+
+- release manifest validation;
+- import-map audit;
+- Rust workspace checks;
+- Lab monorepo source proof;
+- full docs checks, archive builds, SEO, and built-link validation.
+
+The tag-driven release workflow publishes final binaries, GHCR images, image
+digests, SBOMs, Grype reports, keyless cosign signatures, release capsules, and
+release-level SLSA provenance.
Hosted/public announcement remains a separate +gate after hosted-state proof. From a7a2b88ff261db6142eef7f261c6cf04e4c29f39 Mon Sep 17 00:00:00 2001 From: Jeremi Joslin Date: Sat, 4 Jul 2026 17:06:29 +0700 Subject: [PATCH 2/3] Regenerate notary OpenAPI for v0.8.4 Signed-off-by: Jeremi Joslin --- products/notary/openapi/registry-notary.openapi.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/products/notary/openapi/registry-notary.openapi.json b/products/notary/openapi/registry-notary.openapi.json index 9671377d..2691f30b 100644 --- a/products/notary/openapi/registry-notary.openapi.json +++ b/products/notary/openapi/registry-notary.openapi.json @@ -1802,7 +1802,7 @@ }, "summary": "Standalone evidence evaluation, rendering, and credential issuance service.", "title": "Registry Notary API", - "version": "0.8.3" + "version": "0.8.4" }, "openapi": "3.1.0", "paths": { @@ -3652,7 +3652,7 @@ "example": { "info": { "title": "Registry Notary API", - "version": "0.8.3" + "version": "0.8.4" }, "openapi": "3.1.0", "paths": { From 717aaeb0d7e8c5306b7fabbcd16acb0ab7247ef2 Mon Sep 17 00:00:00 2001 From: Jeremi Joslin Date: Sat, 4 Jul 2026 17:15:37 +0700 Subject: [PATCH 3/3] Regenerate relay OpenAPI for v0.8.4 Signed-off-by: Jeremi Joslin --- crates/registry-relay/openapi/registry-relay.openapi.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crates/registry-relay/openapi/registry-relay.openapi.json b/crates/registry-relay/openapi/registry-relay.openapi.json index 8c704f58..4ec5d7c2 100644 --- a/crates/registry-relay/openapi/registry-relay.openapi.json +++ b/crates/registry-relay/openapi/registry-relay.openapi.json @@ -2257,7 +2257,7 @@ }, "summary": "Read-only data gateway exposing entity records, catalog metadata, and SHACL/DCAT-AP shapes for governed datasets.", "title": "Registry Relay API", - "version": "0.8.3" + "version": "0.8.4" }, "openapi": "3.1.0", "paths": {