Preview release.These docs are a work in progress. Pages are still being written, links may break, and structure may shift without notice. Treat everything here as a draft and report issues onGitHub.
- Added
registry-relay --versionandregistry-relay -Voutput, matching the stack’s version command convention. - BREAKING: API-key fingerprint config no longer accepts
fingerprint.commitment. Remove that field from Relay YAML. Config must keepfingerprint.providerwithfingerprint.nameorfingerprint.path, and the referenced env var or file must containsha256:<64 lowercase hex chars>.
- Added governed identity attribute release profiles for Evidence Gateway and cross-registry attribute-release scenarios.
- Added a config-schema command and shared config-report output, aligned with the beta-3 Platform config contracts.
- Advanced the Crosswalk input to 0.2.0, Registry Platform to 0.3.1, and Registry Manifest to 0.2.1, the versions used by the 0.4.0 release.
- Updated Relay operational docs and API description text alongside the release.
- BREAKING: Audit write failures now default to fail-closed.
availability_firstis an explicit best-effort opt-out. - Fail closed when source size is unknown.
- Capped CSV column and cell counts, capped SP DCI search-request item fan-out, and bounded OGC EDR area geometry scans.
- Redacted URL userinfo and hard secret markers in config explanation output.
- Added deployment profile gates, deployment posture findings, and a configurable
audit write policy (
availability_firstdefault,fail_closed). Adoctorcommand reports gate status. - Added durable break-glass approvals: emergency approvals backed by a durable multi-approver store. The default tier emits the emergency posture block without reason or identity material.
- Fail and redact
doctorreadiness-gate findings; preflight fail-closed admin mutations; authorize admin JSON before parsing; harden static-metadata server concurrency. - Fixed release-pipeline ancestry verification and several build and environment
issues, including non-Unix file ETags, curated manifest preference for the base
DCAT, and preserved
=handling in perf env exports.
- BREAKING: Aggregate and StatDCAT responses adopt SDMX/StatDCAT-aligned
vocabulary throughout. The aggregate payload renames
datatoobservations,schematostructure, andindicatortomeasures. Aggregates can negotiate an SDMX-JSON 2.1 representation (Accept: application/vnd.sdmx.data+json;version=2.1or?f=sdmx-json), and DCAT advertises a separate distribution per visible aggregate representation./metadataremains a deprecated alias for aggregate/structure, andindicatorsremains a deprecated request alias where accepted. - BREAKING:
/metricson the admin listener now requires authentication with theregistry_relay:metrics_readscope. The route was previously served unauthenticated on the admin socket. Existing Prometheus scrapers must present a credential carrying that scope. - BREAKING: Health and readiness response bodies changed shape.
/healthz(and the liveness route) previously returned{"status":"ok"}; it now returns{"status":"ok","checks":{"total":...,"ok":...,"failed":...}}./readypreviously included"counts":{"ready":N}in the 200 body; that field is replaced by the samechecksstructure. - BREAKING: Measure discovery responses spell the unit-multiplier field
unit_multiplier, matching the aggregate list and structure responses. The previousunit_multkey on/v1/datasets/{dataset_id}/measuresand/v1/datasets/{dataset_id}/measures/{measure_id}is removed. - BREAKING: The aggregate
disclosure_controlblock reports suppression counts only undersuppressed_observations. The duplicatesuppressed_rowskey is removed from both the native aggregate JSON responses and the OGC EDR GeoJSON responses. - BREAKING: Aggregate JSON responses now include an
alternatelink pointing at the SDMX representation, alongside the existingselfanddescribedbylinks. - ProblemDetails error bodies now always include a
request_idfield (a server-minted ULID; client-suppliedx-request-idheaders are stripped before processing). The OpenAPIProblemDetailsschema marksrequest_idrequired. - Renamed OIDC config fields to the shared Registry service convention:
auth.oidc.audiencetoauth.oidc.audiences,auth.oidc.algorithmstoauth.oidc.allowed_algorithms, andauth.oidc.token_typestoauth.oidc.allowed_token_types. Old names fail config load with an error naming the replacement. - Added
${VAR},${VAR:-default}, and${VAR:?message}expansion,--env-fileandREGISTRY_RELAY_ENV_FILE, and--bindandREGISTRY_RELAY_BINDsupport. The bind override applies after YAML validation;server.bindremains required in config. - Aggregate queries now support CSV and SDMX JSON 2.1 representations, including
Accept: text/csvandAccept: application/vnd.sdmx.data+json;version=2.1. Truncated aggregate results carry an explicit completeness signal. - DCAT aggregate distributions now advertise each visible aggregate representation
separately, including OGC EDR
/arealinks for configured spatial aggregates when theogcapi-edrfeature is enabled. /.well-known/api-catalogis now served publicly, without authentication, per RFC 9727.- Live config apply now compares config sections semantically rather than byte-for-byte, so equivalent reorderings no longer force a restart.
- The file-watch signer now derives content identity from a SHA-256 hash of the key file, detecting same-mtime key replacements that the previous mtime check missed.
- Added an API-key commitment generator CLI for minting reviewed key commitments without exposing raw keys.
- Added an OpenAPI contract gate: the runtime OpenAPI document is committed as an
artifact, and CI fails on undocumented drift, with
oasdiffbreaking-change detection and aredocly lintgate. - Added a performance gate: CI enforces relay perf thresholds and runs a k6 perf smoke test.
- Added governed runtime configuration apply, an operations posture endpoint, and listener topology capability reporting.
- Image supply-chain hardening: distroless release image, signed and verified release publishing, SHA-pinned workflow actions, and reviewed advisory ratchet gates.
- Tightened admin auth extractors and enforced admin route hygiene.
- Aligned the OpenAPI auth surface: the docs shell declares
security: [], and the API-key header casing is normalized to lowercasex-api-key. - Security headers, including CSP, are emitted from both the demo static metadata server and relay responses, with end-to-end pins.
- Route-metrics classification corrected:
measuresanddimensionsroute patterns classify as dataset routes, and the unmounted verify and aggregate-POST routes are no longer classified or advertised.
Initial V1 release of registry-relay, a controlled, read-only registry relay for
publishing protected, entity-shaped APIs over local CSV, XLSX, and Parquet sources.
- Added config-driven datasets, private storage tables, public domain entities, field projection, relationships, required filters, and scope-separated metadata, row, aggregate, evidence-verification, and admin capabilities.
- Added API-key authentication with SHA-256 fingerprints supplied through environment variables. Raw keys never appear in config.
- Added entity collection, record, relationship, schema, evidence-offering metadata, and configured aggregate endpoints with per-entity authorization and purpose-header enforcement.
- Added catalog, DCAT-AP JSON-LD, embedded SHACL shape metadata, best-effort
OpenAPI 3.1 generation, and the local
/docsScalar API reference shell. - Added startup ingest, refresh loops, manual table reload, readiness reporting, source size guards, and local-file metadata captured from opened file handles.
- Added JSON operational logging and JSONL audit sinks for stdout, file, and syslog, with optional hash chaining and redacted sensitive query values.
- Added container build support, operations documentation, demo configuration/data, Bruno demo requests, and focused integration/security regression tests.
Known limits:
- Registry Relay does not execute claim or evidence verification. Evidence offerings are discovery records for Registry Notary.
- Admin reload reloads runtime resources, not
config.yaml; config and keyring changes require a restart or rolling deploy. - Row-level authorization is not available. Use dataset/entity scopes, required filters, purpose headers, explicit field projections, and audit redaction.
sensitive: truecontrols audit redaction only; it does not hide fields from authorized API responses.- Registry Relay does not issue response credentials or host DID documents. Use Registry Notary for credential issuance and verification.
- The static OpenAPI artifact is an abstract contract. Deployments fetch
/openapi.jsonfor their concrete dataset/entity shape. The route is auth-gated by default unlessserver.openapi_requires_authis disabled for demos or controlled tooling.