Skip to content

Publish & Sign

Publishing adds a UKS packet to the registry. Every publish passes the same safety gate, and packets can be cryptographically signed to carry a verifiable publisher identity.

Publish

The easiest path is the CLI:

bash
uks config generate-key                 # how to get a registry API key (st_live_*)
uks config set registry.apiKey st_live_xxxx
uks publish my-packet.uks.json

Or POST directly:

POST /api/registry/packets        (requires an API key with write scope)

Signing binds a packet to a publisher identity. The CLI produces a detached Ed25519 signature; the registry verifies it server-side and records a W3C did:key identity on the packet.

bash
uks publish --sign --sign-key ./my-key.pem my-packet.uks.json
  • A valid signature → the packet is recorded as verified, bound to that key.
  • No signature → it still publishes, as an unsigned ("raw") tier packet.
  • An invalid signature, or re-publishing under a different signer → rejected.

The publish gate

Every publish (and every revert) runs the same checks before anything is written:

  • Schema validation — must be a valid UKS v3.0 packet.
  • Secret scanning — embedded credentials are rejected.
  • Clinical policy — genotype-guided dosing (MTHFR/COMT/APOE) asserted as validated is rejected (ACMG); contested without a flag directive warns. See Evidence grading.
  • Prompt-injection scan — flagged content is recorded and vetoed at serve time.
  • Content addressing — a CID, an ETag, and per-source content hashes are stamped, and the action is appended to a tamper-evident audit chain.

Visibility

Packets default to public, but you can publish privately:

bash
# Private packets are invisible to everyone but their owner, across every read path
uks publish --visibility private my-packet.uks.json

Visibility is registry-side metadata and is sticky across re-publishes.

Lifecycle

ActionEndpointWho
Preview (dry-run the gate, no write)POST /api/registry/packets/previewowner
Revert to a prior version (re-gated)POST /api/registry/packets/:id/revert/:versionowner
Unpublish your packetDELETE /api/registry/packets/:idowner
Takedown (abuse control)POST /api/registry/packets/:id/takedownadmin
Restore a taken-down packetPOST /api/registry/packets/:id/restoreadmin

Takedown is a soft delete an administrator can apply to any packet regardless of owner — it's for abuse control, distinct from the owner-only DELETE unpublish above. The packet row is kept (so history and the audit trail survive) but it 410s on every read path, disappears from all listings, and its normalized rows (sources, entities, edges) are removed so it can't surface through cross-packet search either. Body: { "reason": "optional string, ≤500 chars" }.

Restore reverses a takedown: it re-explodes the packet's sources/entities/edges from the stored raw packet (including re-resolving canonical entity links) and clears the takedown flag. A packet that isn't currently taken down just returns { "taken_down": false, "packet_id": "…" } as a no-op.

Both actions are appended to the tamper-evident audit log (takedown / restore).

→ Related: Trust & safety · CLI · Query

Released under the MIT License.