Skip to content

Remove self-attested credential issuance from the 1.0 product surface #384

Description

@jeremi

Decision

Maintainer decision, 2026-07-17: Registry Stack 1.0 credentials must be derived from registry-backed claims evaluated through an exact, compiler-pinned Registry Relay consultation.

Source-free or self-attested declaration credentials will not ship as a stable 1.0 capability. A correctly signed declaration can otherwise be mistaken by an operator or verifier for authoritative registry evidence.

This issue is the removal and enforcement companion to #57. Issue #57 separately owns the complete registry-backed OID4VCI transaction and external interoperability proof.

Required invariant

Every Registry Notary credential issuance path must materialize only a stored evaluation whose claim evidence mode is registry_backed and whose exact Relay consultation provenance is present and valid.

Authentication, holder proof, an issuer signature, or a relationship proof does not substitute for registry-backed claim evidence.

Scope

  • Enforce the invariant in Registry project validation, generated configuration, Notary configuration validation, stored-evaluation metadata, and runtime credential issuance.
  • Require both direct POST /v1/credentials issuance and OID4VCI credential issuance to reject source-free or self_attested evaluations.
  • Require an OID4VCI credential configuration to select a registry-backed claim with an exact compiler-pinned Relay consultation contract.
  • Remove the notary-only-self-attested starter and any credential tour, example, fixture, generated snippet, or support claim that presents source-free declaration credentials as a Registry Stack product journey.
  • Remove or narrow configuration and code paths that exist only to issue self-attested credentials.
  • If non-credential source-free evaluation remains for another reviewed use case, prevent it from declaring a credential profile or appearing as an issuance capability.
  • Add a pre-1.0 migration note for removed configuration and generated-project behavior.
  • Regenerate affected schemas, OpenAPI documents, and generated documentation in the same change.

Acceptance criteria

  • Registry project authoring and compiler output cannot produce a credential profile or OID4VCI issuer for a source-free claim.
  • Hand-authored Notary configuration, delegated context, and stored evaluation cannot produce a direct or OID4VCI credential unless the selected claim is registry-backed and contains valid Relay provenance.
  • Relay denial, unavailability, contract mismatch, purpose mismatch, Notary policy denial, or missing provenance fails closed without a source-free fallback.
  • Capability discovery and documentation do not advertise self-attested or source-free credential issuance.
  • The source-free declaration starter and its credential-facing tests and documentation are removed.
  • Focused negative tests cover both direct and OID4VCI credential issuance attempts from non-registry-backed evaluations.
  • The generated Notary runtime configuration schema exposes and guards the narrowed credential trust surface.

Ownership boundary

Non-goals

  • Restoring direct registry source connectors in Notary.
  • Treating OIDC authentication or wallet proof of possession as evidence of the credential claim.
  • Removing a non-credential source-free evaluation mode without a separate product decision.
  • Closing the broader OID4VCI implementation and interoperability work tracked by Implement and prove registry-backed OID4VCI issuance for 1.0 #57.

Security note

This changes a credential trust boundary and is security-sensitive. Review notes must show that every issuance path enforces the registry-backed provenance invariant and that denial paths cannot fall back to a weaker evidence mode. Suspected vulnerabilities belong in SECURITY.md, not public issue discussion.

Metadata

Metadata

Assignees

No one assigned

    Labels

    1.0-blockerBlocks the 1.0 release intent.agent-queuedQueued for agent work.agent-readyReady for an implementation agent.area:docsDocumentation site ownership.area:notaryRegistry Notary ownership.area:registryctlregistryctl ownership.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions