feat(registryctl): add registry-backed Notary tutorial#407
Conversation
|
Review disposition: keep this PR in draft and do not merge the current head. Two blockers remain:
The registry-backed trust review is otherwise clean: I found no source-free or self-attested issuance path. Relay owns registry access, Notary consumes minimized consultation output, and the documented result remains predicate-only. Required before ready-for-review: focused permission fix, current-base rebase, green source tutorial and full remote matrix, then independent exact-head re-review. |
|
Updated repair scope after independent security and DX review: The previously proposed runtime-UID change is necessary but not sufficient. Required focused repair:
Acceptance gates:
Both independent reviews found no source-free/self-attested issuance regression and approved this bounded repair plan. The PR remains draft until the rebase, repair, exact-head checks, and independent re-review are complete. |
Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
cd7b0a8 to
2ce0837
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2ce0837633
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "/v1/datasets/benefits_casework/entities/person_identity/records?id=per-2001", | ||
| 403, | ||
| &[ | ||
| bearer_header(secrets.value("IDENTITY_READER_RAW")), |
There was a problem hiding this comment.
Gate identity smoke checks on generated identity support
For projects initialized before this change, registryctl.yaml still has schema registryctl/v1 but secrets/local.env has no IDENTITY_READER_RAW and relay/config.yaml has no person_identity entity. registryctl smoke now unconditionally sends this identity-reader request, so upgrading the CLI makes otherwise valid older sample projects fail smoke instead of either skipping these probes or requiring a manifest/schema migration.
Useful? React with 👍 / 👎.
| "scope": "registry:consult:registration-verification", | ||
| "iat": now, | ||
| "nbf": now.saturating_sub(5), | ||
| "exp": now.saturating_add(3600), |
There was a problem hiding this comment.
Keep the workload token valid for long-lived local stacks
When the local Notary stack is left running for more than an hour, this static Relay workload JWT expires. registryctl only rewrites secrets/notary-relay.jwt during start/restart preparation, while Notary reloads that token file for each Relay operation and Relay validates exp, so evaluations that need the consultation Relay start failing until the user restarts the stack. For the tutorial stack, mint for the expected local lifetime or add a refresh path that updates the running mount.
Useful? React with 👍 / 👎.
| project.project.products.push("registry-notary".to_string()); | ||
| project.runtime.notary_image = Some(image_lock.notary_image().to_string()); | ||
| project.runtime.notary_base_url = Some(NOTARY_BASE_URL.to_string()); | ||
| project.notary = Some(ProjectNotary { |
There was a problem hiding this comment.
Include Notary in doctor reports after adding it
Once this writes a Notary section into registryctl.yaml, registryctl doctor --format json still only builds product doctor invocations for project.relay in product_doctor_invocations, so an add-on project can report OK while the generated Notary config or mounted Relay token is missing/invalid. Add a registry-notary doctor invocation for project.notary or surface that the Notary add-on is not covered.
Useful? React with 👍 / 👎.
Summary
date_of_birth, remove unused and derived person/application fields, and separate operational records from restricted identity and address projectionsregistryctl add notarywith an editable authored project, generated local consultation path, credentials, fixtures, rollback protection, and lifecycle rebuildsImplementation gaps found and fixed
state/relay-consultation/cacheVerification
2ce08376330e47bfde65a58f27959bc5c1f2969d0aef9cf329e5b31e530ca383da86b66e519b3d87cargo fmt --all -- --checkcargo clippy --locked -p registryctl --all-targets -- -D warningscargo test --locked -p registryctl(239 tests)npm run test:tutorial:registryctl(9/9)npm run check:tutorial:dry-runnpm run check:tutorial:registryctl(full live Relay and registry-backed Notary edit journey)Remaining release gate
Keep this PR in draft until every applicable exact-head GitHub check is green. Matching published 1.0 CLI, images, and image lock still require release-candidate verification before this tutorial is advertised as the runnable release path.