You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Maintainer decision, 2026-07-17: Registry Stack 1.0 credentials must be derived from registry-backed claims evaluated through an exact, compiler-pinned Registry Relay consultation.
Source-free or self-attested declaration credentials will not ship as a stable 1.0 capability. A correctly signed declaration can otherwise be mistaken by an operator or verifier for authoritative registry evidence.
This issue is the removal and enforcement companion to #57. Issue #57 separately owns the complete registry-backed OID4VCI transaction and external interoperability proof.
Required invariant
Every Registry Notary credential issuance path must materialize only a stored evaluation whose claim evidence mode is registry_backed and whose exact Relay consultation provenance is present and valid.
Authentication, holder proof, an issuer signature, or a relationship proof does not substitute for registry-backed claim evidence.
Scope
Enforce the invariant in Registry project validation, generated configuration, Notary configuration validation, stored-evaluation metadata, and runtime credential issuance.
Require both direct POST /v1/credentials issuance and OID4VCI credential issuance to reject source-free or self_attested evaluations.
Require an OID4VCI credential configuration to select a registry-backed claim with an exact compiler-pinned Relay consultation contract.
Remove the notary-only-self-attested starter and any credential tour, example, fixture, generated snippet, or support claim that presents source-free declaration credentials as a Registry Stack product journey.
Remove or narrow configuration and code paths that exist only to issue self-attested credentials.
If non-credential source-free evaluation remains for another reviewed use case, prevent it from declaring a credential profile or appearing as an issuance capability.
Add a pre-1.0 migration note for removed configuration and generated-project behavior.
Regenerate affected schemas, OpenAPI documents, and generated documentation in the same change.
Acceptance criteria
Registry project authoring and compiler output cannot produce a credential profile or OID4VCI issuer for a source-free claim.
Hand-authored Notary configuration, delegated context, and stored evaluation cannot produce a direct or OID4VCI credential unless the selected claim is registry-backed and contains valid Relay provenance.
Relay denial, unavailability, contract mismatch, purpose mismatch, Notary policy denial, or missing provenance fails closed without a source-free fallback.
Capability discovery and documentation do not advertise self-attested or source-free credential issuance.
The source-free declaration starter and its credential-facing tests and documentation are removed.
Focused negative tests cover both direct and OID4VCI credential issuance attempts from non-registry-backed evaluations.
The generated Notary runtime configuration schema exposes and guards the narrowed credential trust surface.
This changes a credential trust boundary and is security-sensitive. Review notes must show that every issuance path enforces the registry-backed provenance invariant and that denial paths cannot fall back to a weaker evidence mode. Suspected vulnerabilities belong in SECURITY.md, not public issue discussion.
Decision
Maintainer decision, 2026-07-17: Registry Stack 1.0 credentials must be derived from registry-backed claims evaluated through an exact, compiler-pinned Registry Relay consultation.
Source-free or self-attested declaration credentials will not ship as a stable 1.0 capability. A correctly signed declaration can otherwise be mistaken by an operator or verifier for authoritative registry evidence.
This issue is the removal and enforcement companion to #57. Issue #57 separately owns the complete registry-backed OID4VCI transaction and external interoperability proof.
Required invariant
Every Registry Notary credential issuance path must materialize only a stored evaluation whose claim evidence mode is
registry_backedand whose exact Relay consultation provenance is present and valid.Authentication, holder proof, an issuer signature, or a relationship proof does not substitute for registry-backed claim evidence.
Scope
POST /v1/credentialsissuance and OID4VCI credential issuance to reject source-free orself_attestedevaluations.notary-only-self-attestedstarter and any credential tour, example, fixture, generated snippet, or support claim that presents source-free declaration credentials as a Registry Stack product journey.Acceptance criteria
Ownership boundary
Non-goals
Security note
This changes a credential trust boundary and is security-sensitive. Review notes must show that every issuance path enforces the registry-backed provenance invariant and that denial paths cannot fall back to a weaker evidence mode. Suspected vulnerabilities belong in
SECURITY.md, not public issue discussion.