Registry stack docs v0 · draft

Registry Platform overview

Registry Platform is the shared Rust workspace for behavior that must stay consistent across registry services. It is not a runtime service and does not expose an HTTP API by itself. Relay, Notary, and future registry services consume its crates for security, operational, and test primitives.

The workspace exists so fixes in authentication, audit chaining, outbound HTTP policy, OIDC verification, crypto, HTTP security, and SD-JWT VC handling land once and are reused everywhere.

Stack commitments: safeguards (shared primitives).

Registry Platform owns reusable crate APIs:

  • registry-platform-authcommon: Bearer-token parsing and API-key fingerprint helpers.
  • registry-platform-audit: tamper-evident audit envelopes, JSONL sinks, chain verification, and redaction helpers.
  • registry-platform-crypto: Ed25519 JWK parsing, signing, verification, DID validation, and JSON canonicalization helpers.
  • registry-platform-httpsec: Axum/Tower security headers, CORS validation, request body limits, and RFC 7807 Problem Details helpers.
  • registry-platform-httputil: outbound HTTP clients, bounded reads, URL construction, and SSRF-resistant fetch validation.
  • registry-platform-oidc: OIDC discovery, JWKS caching, and JWT verification.
  • registry-platform-sdjwt: SD-JWT VC issuance and holder-proof validation helpers.
  • registry-platform-testing: mock identity providers, mock HTTP upstreams, key fixtures, and cross-crate assertions.
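Of the crates listed above, the SSRF-resistant fetch validation in registry-platform-httputil is the one whose failure modes are easiest to get wrong, so here is an added, stand-alone illustration of what such a check has to cover. This is example code written for this page, not the crate's own API: the names (`validate_fetch_target`, `FetchPolicyError`, the port allow-list, the `localhost`/`.internal` deny-list) are assumptions, and it uses only the Rust standard library.

```rust
// Added illustration of an SSRF-resistant outbound fetch check.
// Not the registry-platform-httputil API; all names are hypothetical.
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

#[derive(Debug, PartialEq, Eq)]
pub enum FetchPolicyError {
    UnsupportedScheme,
    CredentialsInUrl,
    MissingHost,
    BadHostname,
    ForbiddenHost,
    ForbiddenPort,
    ForbiddenAddress,
}

/// Split `scheme://host[:port][/...]` without a URL crate; only http/https pass.
pub fn parse_target(url: &str) -> Result<(String, u16), FetchPolicyError> {
    let (scheme, rest) = url.split_once("://").ok_or(FetchPolicyError::UnsupportedScheme)?;
    let default_port = match scheme.to_ascii_lowercase().as_str() {
        "http" => 80,
        "https" => 443,
        _ => return Err(FetchPolicyError::UnsupportedScheme),
    };
    let end = rest.find(|c: char| matches!(c, '/' | '?' | '#')).unwrap_or(rest.len());
    let authority = &rest[..end];
    if authority.contains('@') {
        return Err(FetchPolicyError::CredentialsInUrl); // `user@host` confuses naive host parsing
    }
    let (host, port_str) = if let Some(inner) = authority.strip_prefix('[') {
        // bracketed IPv6 literal, optionally followed by :port
        let (h, tail) = inner.split_once(']').ok_or(FetchPolicyError::MissingHost)?;
        match tail {
            "" => (h, None),
            t => (h, Some(t.strip_prefix(':').ok_or(FetchPolicyError::MissingHost)?)),
        }
    } else {
        match authority.rsplit_once(':') {
            Some((h, p)) => (h, Some(p)),
            None => (authority, None),
        }
    };
    let port = match port_str {
        None => default_port,
        Some(p) => p.parse::<u16>().map_err(|_| FetchPolicyError::ForbiddenPort)?,
    };
    if host.is_empty() {
        return Err(FetchPolicyError::MissingHost);
    }
    Ok((host.to_ascii_lowercase(), port))
}

fn is_forbidden_v4(ip: Ipv4Addr) -> bool {
    let o = ip.octets();
    ip.is_loopback()          // 127/8
        || ip.is_private()    // 10/8, 172.16/12, 192.168/16
        || ip.is_link_local() // 169.254/16, where cloud metadata endpoints live
        || ip.is_unspecified()
        || ip.is_broadcast()
        || ip.is_multicast()
        || (o[0] == 100 && (o[1] & 0xc0) == 64) // 100.64/10 shared address space
}

fn is_forbidden_v6(ip: Ipv6Addr) -> bool {
    let s = ip.segments();
    ip.is_loopback()
        || ip.is_unspecified()
        || ip.is_multicast()
        || (s[0] & 0xfe00) == 0xfc00 // fc00::/7 unique local
        || (s[0] & 0xffc0) == 0xfe80 // fe80::/10 link local
        // ::ffff:a.b.c.d is judged by the IPv4 address it embeds
        || ip.to_ipv4_mapped().map_or(false, is_forbidden_v4)
}

pub fn is_forbidden_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_forbidden_v4(v4),
        IpAddr::V6(v6) => is_forbidden_v6(v6),
    }
}

/// WHATWG "ends in a number": a last label that is all digits or 0x-hex is a legacy
/// IPv4 form (127.1, 2130706433, 0x7f000001). The resolver would turn it into an
/// address the canonical parser never saw, so it is rejected outright.
fn ends_in_a_number(host: &str) -> bool {
    let last = host.trim_end_matches('.').rsplit('.').next().unwrap_or("");
    !last.is_empty()
        && (last.bytes().all(|b| b.is_ascii_digit())
            || (last.starts_with("0x") && last[2..].bytes().all(|b| b.is_ascii_hexdigit())))
}

fn is_valid_hostname(host: &str) -> bool {
    let host = host.trim_end_matches('.');
    !host.is_empty() && host.len() <= 253 && host.split('.').all(|label| {
        !label.is_empty() && label.len() <= 63
            && !label.starts_with('-') && !label.ends_with('-')
            && label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
    })
}

/// Decide whether `url` may be fetched. `allowed_ports` is the caller's allow-list.
pub fn validate_fetch_target(url: &str, allowed_ports: &[u16]) -> Result<(String, u16), FetchPolicyError> {
    let (host, port) = parse_target(url)?;
    if !allowed_ports.contains(&port) {
        return Err(FetchPolicyError::ForbiddenPort);
    }
    if let Ok(ip) = host.parse::<IpAddr>() {
        if is_forbidden_ip(ip) {
            return Err(FetchPolicyError::ForbiddenAddress);
        }
        return Ok((host, port));
    }
    if !is_valid_hostname(&host) || ends_in_a_number(&host) {
        return Err(FetchPolicyError::BadHostname);
    }
    // Hypothetical deny-list of names that resolve to internal infrastructure.
    let bare = host.trim_end_matches('.');
    if bare == "localhost" || bare.ends_with(".localhost") || bare.ends_with(".internal") {
        return Err(FetchPolicyError::ForbiddenHost);
    }
    Ok((host, port))
}

fn main() {
    // Constructed sample inputs, not taken from any real configuration.
    for url in ["https://example.com/api", "http://169.254.169.254/latest/meta-data/", "http://127.1/"] {
        println!("{url} -> {:?}", validate_fetch_target(url, &[80, 443]));
    }
}
```

This check only judges the URL string. A complete fetch path also resolves the host itself, runs `is_forbidden_ip` over every returned address, connects to the address it checked rather than re-resolving (DNS rebinding), and re-validates each redirect target, since a permitted public host can redirect to a forbidden one.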

Registry Platform deliberately does not decide product policy. Consumers still own their application boundaries:

  • Registry Relay owns runtime config, entity routes, caller-scoped metadata publication, Relay-native evidence offering verification, and route-level scope checks.
  • Registry Notary owns claim definitions, evaluation rules, disclosure policy decisions, service routes, and claim-to-credential mapping.
  • Operators own tenant isolation, audit retention, secret provisioning, deployment configuration, and incident response.

Registry Relay depends on Platform crates for auth helpers, audit envelopes, crypto, HTTP security, outbound HTTP utilities, OIDC, and SD-JWT support.

Registry Notary depends on Platform crates for auth helpers, audit envelopes, crypto, HTTP security, outbound HTTP utilities, OIDC, SD-JWT support, and integration-test fixtures.