{"id":51277781,"url":"https://github.com/jeremi/registry-relay","last_synced_at":"2026-06-29T22:31:53.922Z","repository":{"id":358416596,"uuid":"1241323675","full_name":"jeremi/registry-relay","owner":"jeremi","description":"Registry Relay: config-driven, read-only APIs over sensitive registry and tabular files.","archived":false,"fork":false,"pushed_at":"2026-06-18T20:16:35.000Z","size":5245,"stargazers_count":0,"open_issues_count":18,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-18T22:15:59.519Z","etag":null,"topics":["arrow","axum","datafusion","digital-public-infrastructure","govstack","govtech","registry","rust"],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jeremi.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-05-17T08:34:08.000Z","updated_at":"2026-06-18T20:13:19.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/jeremi/registry-relay","commit_stats":null,"previous_names":["jeremi/registry_relay","jeremi/registry-relay"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/jeremi/registry-relay","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jeremi%2Fregistry-relay","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jeremi%2Fregistry-relay/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jeremi%2Fregistry-relay/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jeremi%2Fregistry-relay/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jeremi","download_url":"https://codeload.github.com/jeremi/registry-relay/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jeremi%2Fregistry-relay/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34945707,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-29T02:00:05.398Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arrow","axum","datafusion","digital-public-infrastructure","govstack","govtech","registry","rust"],"created_at":"2026-06-29T22:31:53.821Z","updated_at":"2026-06-29T22:31:53.913Z","avatar_url":"https://github.com/jeremi.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Registry Relay\n\n**Moved:** Active development has moved to the public monorepo:\n[`registrystack/registry-stack`](https://github.com/registrystack/registry-stack).\n\nThis repository is retained for pre-monorepo history and release tags. File new\nissues and pull requests in the monorepo.\n\nCurrent source at monorepo ref `ab5a1d46df8715539f15d398804611e8ca9c52d9`:\n\n- [`crates/registry-relay/`](https://github.com/registrystack/registry-stack/tree/ab5a1d46df8715539f15d398804611e8ca9c52d9/crates/registry-relay)\n- [`products/relay/`](https://github.com/registrystack/registry-stack/tree/ab5a1d46df8715539f15d398804611e8ca9c52d9/products/relay)\n\n**Legacy status:** Pre-monorepo releases were experimental pre-1.0 evaluation\nbuilds. Current API evolution happens in the monorepo.\n\nRelease label: pre-1.0 technical release for evaluation and integration pilots.\n\n[Public test coverage dashboard](https://docs.registrystack.org/reference/test-coverage/) tracks the CI line-coverage signal for this repository.\n\nRegistry Relay is a config-driven Rust service that turns sensitive government tabular files and selected database tables into protected, read-only, domain-oriented APIs.\n\nV1 is built around two layers:\n\n- Storage tables read local CSV, XLSX, Parquet, or PostgreSQL sources into Arrow/DataFusion. Table ids are private implementation detail.\n- Entities expose domain resources such as `household` or `individual`, with field projection, relationships, scopes, configured aggregates, semantic metadata, and audit records.\n\nThis is not an open-data portal and not a spreadsheet wrapper. It publishes restricted consultation APIs for authorized systems. For what ships today and the known limits, see [docs/release-notes.md](docs/release-notes.md) and the [scenario catalog](docs/relay-scenario-catalog.md).\n\n## Background\n\nRegistry Relay is an experiment toward a redesigned [GovStack](https://govstack.global/) Digital Registries Building Block. The current BB spec defines a single uniform CRUD platform; this project explores the BB instead as a protected consultation gateway with optional capability families (evidence-offering discovery, aggregates, standards adapters) over a shared entity model. Provisioning and Write are intentionally out of scope for V1; conformance is by capability, not by a single mandatory interface.\n\nStandards integrations such as DCAT-AP, OGC API Records, OGC API Features, PublicSchema, signed response credentials (W3C VCDM 2.0 VC-JWT), and the optional [Social Protection Digital Convergence Initiative (SP DCI)](https://spdci.org/) sync adapter are layered on top of the core gateway. [STANDARDS_ASSUMPTIONS.md](STANDARDS_ASSUMPTIONS.md) states precisely what Relay publishes versus what downstream tools may infer.\n\n## Get Started\n\nWithout cloning this repository, use the Registry Docs tutorials. They create a Relay project from a sample workbook with `registryctl`, start the protected API, and run smoke checks:\n\n- [See it live](https://docs.registrystack.org/start/see-it-live/): hosted lab, zero install.\n- [Publish a spreadsheet as a secured registry API](https://docs.registrystack.org/tutorials/publish-spreadsheet-secured-registry-api/)\n- [Verify a claim from your registry API](https://docs.registrystack.org/tutorials/verify-claim-registry-api/)\n\nFrom this repository, the demo pack is the fastest local run. It generates scoped demo API keys on first use and starts a server with five synthetic datasets and the standards adapters enabled:\n\n```sh\njust setup\njust demo-run\n```\n\nHealth endpoints are unauthenticated:\n\n```sh\ncurl -i http://127.0.0.1:4242/healthz\n```\n\nProtected endpoints need one of the generated demo keys. List the personas and the operations each key unlocks:\n\n```sh\njust demo-keys-list\n```\n\nSee [demo/README.md](demo/README.md) for the datasets, personas, Bruno collection, and worked scenarios, and [demo/decentralized/README.md](demo/decentralized/README.md) for the multi-service compose demo.\n\n## Documentation\n\n[docs/README.md](docs/README.md) is the documentation map. The main references:\n\n- [API guide](docs/api.md): auth, scopes, filters, pagination, error contract, and standards surfaces. The curated public OpenAPI surface lives in [openapi/registry-relay.openapi.json](openapi/registry-relay.openapi.json) and at the served `/docs` and `/openapi.json`.\n- [Client integration guide](docs/client-integration.md): caller behavior, discovery, retries, and the Registry Notary handoff.\n- [Configuration guide](docs/configuration.md): the full YAML contract. The binary reads `--config \u003cpath\u003e`, then `REGISTRY_RELAY_CONFIG`, then `./config/example.yaml`; [config/example.yaml](config/example.yaml) is the canonical example. API keys are never stored in YAML: configs reference environment-backed SHA-256 fingerprints, and `auth.mode: oidc` validates bearer JWTs against an external IdP.\n- [Portable metadata](docs/metadata.md): `metadata.yaml` manifests, the metadata CLI, static publication, ODRL policy metadata, and DCAT-AP/SHACL validation. Manifests can outlive Relay itself and be published as static files.\n- [Operations runbook](docs/ops.md): deployment, hardening checklist, key rotation, audit handling, reloads, probes, and troubleshooting.\n- [Signed response credentials](docs/provenance.md): opt-in W3C VCDM 2.0 VC-JWT signed response credentials (`Accept: application/vc+jwt`), issuer modes, and verification. The config key is `provenance` for compatibility.\n- [Development guide](docs/development.md): local setup, verification commands, project layout, and the OpenAPI release policy.\n\n## Build\n\nPrerequisites: Rust stable toolchain and `just`.\n\n```sh\njust setup\njust build\n```\n\nThe release binary is written to `target/release/registry-relay`. The full local CI gate is `just ci`.\nBefore opening a PR that changes Rust, Cargo, Docker, workflow, perf, or\ncompanion-repo references, run `just ci-preflight` to check the workflow-pinned\n`registry-platform`, `registry-manifest`, and `crosswalk` commits with locked\nCargo resolution. During coordinated local multi-repo work, run\n`just ci-preflight-worktree` to check the current sibling working trees before\nthose dependency refs are committed and repinned.\n\n## Container Image\n\n```sh\nscripts/build-image.sh registry-relay:local\n```\n\nThe production image is distroless, non-root, and built with no optional Cargo features; standards-enabled images opt in through `REGISTRY_RELAY_FEATURES`. Build steps, sibling-checkout requirements, and promotion gates are in [docs/ops.md](docs/ops.md#build-and-release); image publication, tagging, and signing policy are in [docs/security-assurance.md](docs/security-assurance.md). Release images publish to `ghcr.io/jeremi/registry-relay` from stable `vX.Y.Z` tags and `registry-stack-technical-preview-\u003cdate-or-version\u003e` tags; consume release tags or digests, not `latest`, for rollback guarantees. `Dockerfile.demo` is demo-only and is not release evidence.\n\n## Operating With Registry Notary\n\nRelay is the protected consultation API; [Registry Notary](https://github.com/jeremi/registry-notary) is the claim evaluation and credential issuance service. Relay publishes evidence offerings that point callers to Notary and never executes verification itself; Notary calls Relay as an HTTP source. Credential and port conventions for running both are in [docs/ops.md](docs/ops.md).\n\n## Performance Testing\n\nk6 scenarios, synthetic fixtures, and Criterion microbenchmarks live under [perf/](perf/) and [benches/](benches/); the local workflow is documented in [perf/README.md](perf/README.md).\n\n## Security\n\nSee [SECURITY.md](SECURITY.md) for the disclosure policy and [docs/security-assurance.md](docs/security-assurance.md) for the CI security gates. To contribute, start with [CONTRIBUTING.md](CONTRIBUTING.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjeremi%2Fregistry-relay","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjeremi%2Fregistry-relay","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjeremi%2Fregistry-relay/lists"}