registry-cli

module
v0.13.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 13, 2026 License: BSD-2-Clause

README

registry-cli

CI Security Go Report Card License

A CLI tool for building TS11-compliant Catalogue of Attestations sites from credential schemas discovered across GitHub repositories.

Overview

registry-cli discovers credential type metadata (VCTMs) from configured source repositories, validates them against the TS11 schema-meta model, and produces a static site with:

  • Per-credential detail pages with TS11 metadata
  • Rendered rulebooks (from co-located rulebook.md)
  • A JSON API (/api/v1/schemas.json) with per-schema endpoints
  • An OpenAPI specification
  • Optional JWS signing of all API responses

Installation

go install github.com/sirosfoundation/registry-cli/cmd/registry-cli@latest

Usage

Build a site
registry-cli build \
  --sources sources.yaml \
  --output dist \
  --base-url https://registry.siros.org \
  --templates templates-go \
  --static static
Sign API responses (requires PKCS#11 or dev key)
registry-cli sign \
  --input dist/api/v1 \
  --key-mode dev

Sources manifest

The sources.yaml file declares where to find credential repositories:

defaults:
  branch: vctm

sources:
  # Auto-discover by GitHub topic
  - "github:topic/vctm?org=sirosfoundation"

  # Explicit repository
  - "git:https://github.com/org/repo.git"

  # Local directory with explicit organization label
  - url: "file:///path/to/local/credentials"
    organization: "MyOrg"

  # Remote repo with custom org label
  - url: "git:https://github.com/other/repo.git"
    organization: "CustomLabel"

Source entries can be plain strings or structs with url and optional organization fields. Local (file://) sources default to organization "Local" if no label is provided.

Schema-meta: TS11 Governance Metadata

Each credential must have a co-located .schema-meta.yaml file (or .schema-meta.json) providing TS11 Catalogue of Attestations compliance metadata. Only two fields are required; all others are inferred automatically.

Required Fields
Field Values Description
attestation_los iso_18045_high, iso_18045_moderate, iso_18045_enhanced-basic, iso_18045_basic Attestation Level of Surety per ISO 18045. Friendly aliases (high, moderate, enhanced-basic, basic, substantial, low) are normalized automatically.
binding_type key, biometric, claim, none How the credential is bound to the holder. Friendly aliases (cnfkey, holderkey) are normalized.
Optional Fields
Field Type Default Description
version string "0.1.0" Schema version (semver). Can also be derived from git tags.
rulebook_uri string (auto-generated) URL to attestation rulebook. If omitted, registry-cli auto-detects from co-located rulebook.md.
trusted_authorities array (empty) Trust framework references per TS11 §4.3.3. See Trusted Authorities below.
Auto-Generated Fields (do NOT set these)

The following fields are inferred automatically at build time:

Field Source
id UUID v5 deterministically derived from org/slug
supportedFormats Detected from co-located files: .vctm.jsondc+sd-jwt, .mdoc.jsonmso_mdoc, .vc.jsonjwt_vc_json
schemaURIs Generated from supportedFormats and registry base URL
Minimal Example
attestation_los: iso_18045_high
binding_type: key
Full Example
attestation_los: iso_18045_high
binding_type: key
version: "1.0.0"
rulebook_uri: https://example.com/credentials/my-credential/rulebook
trusted_authorities:
  - framework_type: etsi_tl
    value: "https://tl.etsi.org/export/trustlist.xml"
    is_lote: false
  - framework_type: eidas
    value: "https://eidas.ec.europa.eu"
    is_lote: false
    trust_mark_id: "https://eidas.ec.europa.eu/markers/high"
    trust_mark_issuers:
      - "https://issuer.example.com"
Trusted Authorities

Trusted authority entries define governance frameworks and trust marks:

Field Type Required Description
framework_type string Yes Identifier for the trust framework (e.g., etsi_tl, eidas, custom-scheme)
value string Yes Trust list URL or authority endpoint
is_lote boolean No Whether this is a List of Trusted Entities (LOTE)
trust_mark_id string No URI identifying the trust mark
trust_mark_issuers array of strings No URLs of entities authorized to issue this trust mark
File Placement

Place the .schema-meta.yaml file in the same directory and with the same base name as your credential files:

credentials/
├── my-credential.md              (markdown source)
├── my-credential.schema-meta.yaml (TS11 metadata)
├── my-credential.vctm.json       (auto-generated or pre-built)
├── my-credential.mdoc.json       (auto-generated or pre-built)
└── my-credential.vc.json         (auto-generated or pre-built)
Publishing Without Schema-Meta

Credentials discovered without a .schema-meta.yaml file appear in the human-readable site but are excluded from TS11 API responses (/api/v1/schemas.json). This allows incremental migration to TS11 compliance.

Packages

Package Purpose
pkg/discovery Source resolution, GitHub topic search, repo cloning
pkg/schemameta TS11 schema-meta parsing, inference, validation
pkg/render HTML template rendering, markdown conversion
pkg/jwssign JWS signing (dev, SoftHSM, YubiHSM) via PKCS#11
pkg/apihandler TS11 REST API with filtering, pagination, JWS-signed responses
pkg/ts11compliance TS11 specification compliance test suite
pkg/mdcred Markdown-based credential conversion

Output Formats

registry-cli convert transforms Markdown credential definitions into the following formats:

Format Aliases Output file Description
vctm sd-jwt, sdjwt .vctm.json SD-JWT VC Type Metadata
mddl mdoc, mso_mdoc .mdoc.json mDOC MDDL (ISO 18013-5)
w3c jwt_vc_json .vc.json W3C VCDM 2.0 credential schema
jsonschema json-schema, schema .schema.json Standalone JSON Schema (draft-07)

By default all formats are generated. Use --format or formats: front matter to select specific formats.

Serve (development)

registry-cli serve --sources sources.yaml --output dist --port 8080

Docker

# Build and run with docker compose
docker compose up --build

# Or build the image directly
docker build -t registry-cli:latest .
docker run -p 8080:8080 -v ./sources:/data/sources:ro registry-cli:latest

Security

Markdown and Content Sanitization

registry-cli processes potentially untrusted content from external credential repositories (rulebooks, VCTM metadata). All user-generated content is sanitized to prevent XSS attacks:

Rulebook Markdown Sanitization

Attestation rulebooks are converted from Markdown to HTML and sanitized using a strict content security policy:

Allowed elements: paragraphs, headings, bold, italic, links, tables, lists, code blocks, blockquotes

Blocked elements: script tags, objects, embeds, SVGs, style tags, iframe, form

Blocked attributes: event handlers (onclick, onerror, etc.), style attributes, javascript: URIs, data: URIs

Example attack prevention:

<!-- Blocked: scripts are stripped -->
<script>alert('xss')</script>

<!-- Blocked: event handlers are removed -->
<img src=x onerror="alert(1)">

<!-- Blocked: style attributes prevent CSS injection -->
<p style="position:fixed;...">Overlay</p>

<!-- Blocked: javascript: URIs are filtered -->
[Click me](javascript:alert(1))

<!-- Allowed: safe links are preserved -->
[Documentation](https://example.com/docs)
SVG and Image URI Validation

Credential metadata (VCTM) may reference images for logos and backgrounds:

  • Allowed: https:// and http:// URIs pointing to external image files
  • Blocked: data: URIs (inline data), blob: URIs, javascript: protocols, file:// URIs

Invalid image URIs are silently removed from rendered credential pages. The implementation is in pkg/render/vctm.go::SanitizeVCTM().

Testing

Comprehensive security tests verify sanitization effectiveness:

go test ./pkg/render -run "Sanitize" -v

Tests cover:

  • XSS via script tags and event handlers
  • CSS injection via style attributes
  • SVG and object attacks
  • Data URI attacks
  • JavaScript protocol handlers
  • Safe content preservation (links, tables, lists)
Recommendations for Repository Maintainers

When publishing credentials with rulebooks:

  1. Avoid HTML in Markdown: Write rulebooks using standard Markdown syntax
  2. Don't embed SVGs: Reference SVGs via URLs only, never inline
  3. Use safe links: Only use https:// links to trusted documentation
  4. No styling: Don't use HTML style attributes or CSS; format using Markdown
  5. No JavaScript: Avoid any JavaScript references or data URIs

Example safe rulebook structure:

# PID Attestation Rulebook

## Overview
This rulebook governs Personal ID credentials.

- [Framework documentation](https://example.com/pid-framework)
- [Technical specifications](https://example.com/pid-spec)

## Requirements
- Attestation LoS: high
- Binding type: key

## See also
- [PID Rulebook v1.5](https://example.com/pid-rulebook-1.5)

Testing

make test              # Unit tests
make test-softhsm      # Include SoftHSM PKCS#11 integration tests
make coverage           # Coverage report
make lint               # Run linter

License

See LICENSE.

Directories

Path Synopsis
cmd
registry-cli command
pkg
attributes
Package attributes implements the TS11 §2 Catalogue of Attributes.
Package attributes implements the TS11 §2 Catalogue of Attributes.
jwssign
Package jwssign implements JWS compact serialization signing.
Package jwssign implements JWS compact serialization signing.
mdcred
Package mdcred converts markdown credential definitions to VCTM format files.
Package mdcred converts markdown credential definitions to VCTM format files.
mtcvctm/config
Package config provides configuration handling for mtcvctm
Package config provides configuration handling for mtcvctm
mtcvctm/formats
Package formats provides the interface and registry for credential metadata format generators
Package formats provides the interface and registry for credential metadata format generators
mtcvctm/formats/jsonschema
Package jsonschema provides a standalone JSON Schema format generator.
Package jsonschema provides a standalone JSON Schema format generator.
mtcvctm/formats/mddl
Package mddl provides the MDDL format generator for mso_mdoc credentials (ISO 18013-5)
Package mddl provides the MDDL format generator for mso_mdoc credentials (ISO 18013-5)
mtcvctm/formats/schema
Package schema provides shared JSON Schema building utilities used by format generators that produce JSON Schema output.
Package schema provides shared JSON Schema building utilities used by format generators that produce JSON Schema output.
mtcvctm/formats/vctmfmt
Package vctmfmt provides the VCTM format generator for SD-JWT VC credentials
Package vctmfmt provides the VCTM format generator for SD-JWT VC credentials
mtcvctm/formats/w3c
Package w3c provides the W3C VC format generator for W3C VCDM 2.0 credentials
Package w3c provides the W3C VC format generator for W3C VCDM 2.0 credentials
mtcvctm/parser
Package parser provides markdown parsing and VCTM generation
Package parser provides markdown parsing and VCTM generation
mtcvctm/rules
Package rules provides an extensible rules engine for normalizing VCTM data.
Package rules provides an extensible rules engine for normalizing VCTM data.
mtcvctm/vctm
Package vctm provides data structures and utilities for Verifiable Credential Type Metadata as specified in Section 6 of draft-ietf-oauth-sd-jwt-vc-12.
Package vctm provides data structures and utilities for Verifiable Credential Type Metadata as specified in Section 6 of draft-ietf-oauth-sd-jwt-vc-12.
render
Package render handles HTML template rendering and markdown-to-HTML conversion for the registry site.
Package render handles HTML template rendering and markdown-to-HTML conversion for the registry site.
repoplugin
Package repoplugin defines the interface for repository layout plugins.
Package repoplugin defines the interface for repository layout plugins.
repoplugin/defaultlayout
Package defaultlayout implements the repo plugin for the standard SIROS credential repository layout (co-located schema-meta + format files).
Package defaultlayout implements the repo plugin for the standard SIROS credential repository layout (co-located schema-meta + format files).
repoplugin/rulebookcatalog
Package rulebookcatalog implements the repo plugin for EUDI-style attestation rulebook catalog repositories (e.g., webuild-attestation-rulebooks-catalog).
Package rulebookcatalog implements the repo plugin for EUDI-style attestation rulebook catalog repositories (e.g., webuild-attestation-rulebooks-catalog).
schemameta
Package schemameta handles parsing, inference, and validation of TS11 SchemaMeta objects.
Package schemameta handles parsing, inference, and validation of TS11 SchemaMeta objects.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL