Extract registry to standalone repo (SecAI-Hub/ai-model-registry)

Update build-services.sh to clone from the standalone ai-model-registry
repo with graceful fallback, remove registry from Go build matrix and
securectl CI job (both have their own CI now).

The standalone repo includes P0 security hardening per the split-out
preservation plan: fail-closed auth, explicit artifact states (trusted/
revoked), revoke endpoint, and path guard for revoked artifacts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: SecAI-Hub

.github/workflows/ci.yml

@@ -26,7 +26,7 @@ jobs:
       contents: read
     strategy:
       matrix:
-        service: [registry, airlock]
+        service: [airlock]
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
@@ -46,22 +46,6 @@ jobs:
         working-directory: services/${{ matrix.service }}
         run: go vet ./...
 
-  go-securectl:
-    name: Build securectl CLI
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-        with:
-          go-version: "1.23"
-          cache-dependency-path: services/registry/go.sum
-
-      - name: Build securectl
-        working-directory: services/registry
-        run: CGO_ENABLED=0 go build -ldflags="-s -w" -o /dev/null ./cmd/securectl/
-
   python-test:
     name: Python Test & Lint
     runs-on: ubuntu-latest

files/scripts/build-services.sh

@@ -16,19 +16,29 @@ dnf install -y golang python3 python3-pip cmake gcc gcc-c++ 2>/dev/null || true
 mkdir -p "$INSTALL_DIR" "$SRC_DIR"
 
 # --- Go services (built from monorepo) ---
-for svc in registry airlock; do
+for svc in airlock; do
     echo "Building: $svc"
     cp -r /tmp/services/${svc} "${SRC_DIR}/${svc}"
     cd "${SRC_DIR}/${svc}"
     CGO_ENABLED=0 go build -ldflags="-s -w" -o "${INSTALL_DIR}/${svc}" .
     echo "  -> ${INSTALL_DIR}/${svc}"
 done
 
-# Build securectl CLI
-echo "Building: securectl"
-cd "${SRC_DIR}/registry"
-CGO_ENABLED=0 go build -ldflags="-s -w" -o /usr/local/bin/securectl ./cmd/securectl/
-echo "  -> /usr/local/bin/securectl"
+# --- ai-model-registry (standalone: security-first artifact registry) ---
+echo "Building: ai-model-registry"
+if [ -d "/tmp/ai-model-registry" ]; then
+    cp -r /tmp/ai-model-registry "${SRC_DIR}/ai-model-registry"
+else
+    git clone --depth 1 https://github.com/SecAI-Hub/ai-model-registry.git "${SRC_DIR}/ai-model-registry" 2>/dev/null || \
+        echo "WARNING: ai-model-registry clone failed — registry will not be available"
+fi
+if [ -d "${SRC_DIR}/ai-model-registry" ]; then
+    cd "${SRC_DIR}/ai-model-registry"
+    CGO_ENABLED=0 go build -ldflags="-s -w" -o "${INSTALL_DIR}/registry" .
+    CGO_ENABLED=0 go build -ldflags="-s -w" -o /usr/local/bin/securectl ./cmd/securectl/
+    echo "  -> ${INSTALL_DIR}/registry"
+    echo "  -> /usr/local/bin/securectl"
+fi
 
 # --- agent-tool-firewall (standalone: policy gateway for LLM tool calls) ---
 echo "Building: agent-tool-firewall"