Publish & Sign

Publishing adds a UKS packet to the registry. Every publish passes the same safety gate, and packets can be cryptographically signed to carry a verifiable publisher identity.

Publish

The easiest path is the CLI:

```bash
uks config generate-key                 # how to get a registry API key (st_live_*)
uks config set registry.apiKey st_live_xxxx
uks publish my-packet.uks.json
```

Or POST directly:

POST /api/registry/packets        (requires an API key with write scope)

Signing binds a packet to a publisher identity. The CLI produces a detached Ed25519 signature; the registry verifies it server-side and records a W3C did:key identity on the packet.

```bash
uks publish --sign --sign-key ./my-key.pem my-packet.uks.json
```

  • A valid signature → the packet is recorded as verified, bound to that key.
  • No signature → it still publishes, as an unsigned ("raw") tier packet.
  • An invalid signature, or re-publishing under a different signer → rejected.
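
The three outcomes above, modelled as an added example (not the registry's or the CLI's own code): it verifies a detached Ed25519 signature, derives the did:key identifier from the public key, and refuses a re-publish by a different signer. Assumptions: the signature covers the exact packet file bytes, and `signingDecision`, `didKeyFromPublicKey` and the result field names are hypothetical.

```javascript
// Added example, not the registry's code. Models the signing outcomes listed above.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

// base58btc (Bitcoin alphabet), the encoding did:key uses after its "z" prefix.
function base58btc(bytes) {
  let n = BigInt('0x' + (Buffer.from(bytes).toString('hex') || '0'));
  let out = '';
  while (n > 0n) { out = B58[Number(n % 58n)] + out; n /= 58n; }
  for (const b of bytes) { if (b !== 0) break; out = '1' + out; }
  return out;
}

// did:key for Ed25519: "did:key:z" + base58btc(multicodec 0xed 0x01 || raw 32-byte key).
function didKeyFromPublicKey(publicKey) {
  const raw = Buffer.from(publicKey.export({ format: 'jwk' }).x, 'base64url');
  return 'did:key:z' + base58btc(Buffer.concat([Buffer.from([0xed, 0x01]), raw]));
}

// Hypothetical decision function. Assumes the detached signature covers the exact
// packet file bytes; priorSigner is the did:key already recorded for this packet, or null.
// priorSigner is not consulted for unsigned publishes, because the page does not say
// how an unsigned re-publish of a signed packet is handled.
function signingDecision(packetBytes, signature, publicKey, priorSigner) {
  if (!signature) return { accepted: true, tier: 'raw', signer: null };
  let valid = false;
  try { valid = verify(null, packetBytes, publicKey, signature); } catch { valid = false; }
  if (!valid) return { accepted: false, reason: 'invalid-signature' };
  const signer = didKeyFromPublicKey(publicKey);
  if (priorSigner && priorSigner !== signer) return { accepted: false, reason: 'different-signer' };
  return { accepted: true, tier: 'verified', signer };
}

// Constructed inputs: throwaway keys and placeholder bytes, not a real UKS packet.
function demo() {
  const packet = Buffer.from('constructed packet bytes');
  const alice = generateKeyPairSync('ed25519');
  const bob = generateKeyPairSync('ed25519');
  const sigA = sign(null, packet, alice.privateKey);
  const first = signingDecision(packet, sigA, alice.publicKey, null);
  return {
    first,
    unsigned: signingDecision(packet, null, null, null),
    tampered: signingDecision(Buffer.concat([packet, Buffer.from('!')]), sigA, alice.publicKey, null),
    otherSigner: signingDecision(packet, sign(null, packet, bob.privateKey), bob.publicKey, first.signer),
  };
}

console.log(demo());
```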

The publish gate

Every publish (and every revert) runs the same checks before anything is written:

  • Schema validation — must be a valid UKS v3.0 packet.
  • Secret scanning — embedded credentials are rejected.
  • Clinical policy — genotype-guided dosing (MTHFR/COMT/APOE) asserted as validated is rejected (ACMG); when contested without a flag directive, it produces a warning. See Evidence grading.
  • Prompt-injection scan — flagged content is recorded and vetoed at serve time.
  • Content addressing — a CID, an ETag, and per-source content hashes are stamped, and the action is appended to a tamper-evident audit chain.

Visibility

Packets default to public, but you can publish privately:

```bash
# Private packets are invisible to everyone but their owner, across every read path
uks publish --visibility private my-packet.uks.json
```

Visibility is registry-side metadata and is sticky across re-publishes.

Lifecycle

| Action | Endpoint |
| --- | --- |
| Preview (dry-run the gate, no write) | POST /api/registry/packets/preview |
| Revert to a prior version (re-gated) | POST /api/registry/packets/:id/revert/:version |
| Unpublish your packet | DELETE /api/registry/packets/:id |

→ Related: Trust & safety · CLI · Query

Released under the MIT License.