Publish & Sign
Publishing adds a UKS packet to the registry. Every publish passes the same safety gate, and packets can be cryptographically signed to carry a verifiable publisher identity.
Publish
The easiest path is the CLI:
uks config generate-key # how to get a registry API key (st_live_*)
uks config set registry.apiKey st_live_xxxx
uks publish my-packet.uks.jsonOr POST directly:
POST /api/registry/packets (requires an API key with write scope)Sign (recommended)
Signing binds a packet to a publisher identity. The CLI produces a detached Ed25519 signature; the registry verifies it server-side and records a W3C did:key identity on the packet.
uks publish --sign --sign-key ./my-key.pem my-packet.uks.json- A valid signature → the packet is recorded as verified, bound to that key.
- No signature → it still publishes, as an unsigned ("raw") tier packet.
- An invalid signature, or re-publishing under a different signer → rejected.
The publish gate
Every publish (and every revert) runs the same checks before anything is written:
- Schema validation — must be a valid UKS v3.0 packet.
- Secret scanning — embedded credentials are rejected.
- Clinical policy — genotype-guided dosing (MTHFR/COMT/APOE) asserted as
validatedis rejected (ACMG);contestedwithout a flag directive warns. See Evidence grading. - Prompt-injection scan — flagged content is recorded and vetoed at serve time.
- Content addressing — a CID, an ETag, and per-source content hashes are stamped, and the action is appended to a tamper-evident audit chain.
Visibility
Packets default to public, but you can publish privately:
# Private packets are invisible to everyone but their owner, across every read path
uks publish --visibility private my-packet.uks.jsonVisibility is registry-side metadata and is sticky across re-publishes.
Lifecycle
| Action | Endpoint | Who |
|---|---|---|
| Preview (dry-run the gate, no write) | POST /api/registry/packets/preview | owner |
| Revert to a prior version (re-gated) | POST /api/registry/packets/:id/revert/:version | owner |
| Unpublish your packet | DELETE /api/registry/packets/:id | owner |
| Takedown (abuse control) | POST /api/registry/packets/:id/takedown | admin |
| Restore a taken-down packet | POST /api/registry/packets/:id/restore | admin |
Takedown is a soft delete an administrator can apply to any packet regardless of owner — it's for abuse control, distinct from the owner-only DELETE unpublish above. The packet row is kept (so history and the audit trail survive) but it 410s on every read path, disappears from all listings, and its normalized rows (sources, entities, edges) are removed so it can't surface through cross-packet search either. Body: { "reason": "optional string, ≤500 chars" }.
Restore reverses a takedown: it re-explodes the packet's sources/entities/edges from the stored raw packet (including re-resolving canonical entity links) and clears the takedown flag. A packet that isn't currently taken down just returns { "taken_down": false, "packet_id": "…" } as a no-op.
Both actions are appended to the tamper-evident audit log (takedown / restore).
→ Related: Trust & safety · CLI · Query