Skip to content

Commit c90f686

Browse files
authored
Merge pull request #47 from federated-catalogue-enhancements-2026/feature/CAT-FR-LM-02-align-provenance
Reflect PROV-O alignment, cascade-by-IRI, version-counter semantics
2 parents 4310978 + 0a94422 commit c90f686

2 files changed

Lines changed: 25 additions & 12 deletions

File tree

federated-catalogue/src/docs/architecture/chapters/05_building_block_view.adoc

Lines changed: 14 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1049,6 +1049,10 @@ Key IRI-based operations:
10491049
The `deleteAsset(hash)` and `changeLifeCycleStatus(hash, status)` methods are the deliberate exceptions — both remain hash-based to guarantee unambiguous single-row targeting.
10501050
See ADR 7, Hash-Based Mutation Operations Exception. `deleteAsset` publishes an `AssetDeletedEvent` after the row deletion, triggering cascade cleanup of associated validation results and provenance credentials (see <<_validation_result_storage>>).
10511051

1052+
In addition to the hash-based path, the asset store exposes `deleteByAssetId(id)` — an idempotent cascade keyed by the asset IRI. It removes the live row, its human-readable companion, and (via the same `AssetDeletedEvent`) the validation-result and provenance-credential rows attached to the asset. A second call against the same identifier resolves to a no-op so that demo scripts and integration test fixtures can reset state without environment teardown. Cross-participant access is gated on the live row's issuer when present; an unknown identifier always succeeds with `204` and reveals nothing about the catalogue's contents. The underlying audit log of past content revisions is preserved.
1053+
1054+
The asset version counter is defined as the number of distinct content hashes observed across the entity's audit history. Saves that change non-content fields (linking a human-readable companion, lifecycle-status transitions, last-modified bookkeeping) reuse an existing hash and therefore do not advance the counter. This matches the SRS rule that linking a sub-resource to an asset must not produce a new asset version.
1055+
10521056
The `IriGenerator` assigns IRIs before storage: it extracts IRIs from RDF content (`credentialSubject.id`, `@id`, ontology/shapes/vocabulary IRIs) or generates UUID URNs (RFC 4122) for non-RDF assets and as fallback. The `IriValidator` checks all assigned IRIs against supported formats (DIDs, UUID URNs, generic URNs, HTTP/HTTPS IRIs) — returning `true`/`false`. Callers decide how to handle invalid IRIs (fallback to UUID URN, or reject the request).
10531057

10541058
Asset metadata is persisted in the relational metadata store.
@@ -1575,17 +1579,18 @@ Two content-retrieval endpoints serve the linked counterpart from either directi
15751579
The linked asset IRI is surfaced in each side's metadata response under fields that identify the counterpart asset.
15761580
The OpenAPI specification is authoritative for the exact paths, request bodies, and error contracts.
15771581

1578-
Accepted content types for human-readable representations:
1582+
Accepted content types for human-readable representations are governed by a configurable two-layer scheme:
15791583

1580-
[options="header",cols="1,2"]
1581-
|===
1582-
| MIME type | Format
1583-
| `application/pdf` | PDF
1584-
| `application/vnd.openxmlformats-officedocument.wordprocessingml.document` | DOCX
1585-
| `text/html` | HTML
1586-
| `text/plain` | Plain text
1587-
|===
1584+
* an **allowlist** that admits broad MIME families typically used for human-facing attachments (textual formats, common office and document formats), and
1585+
* a **denylist** that explicitly rejects scripting and active-content subtypes — `image/svg+xml`, JavaScript/ECMAScript/VBScript flavours, and similar — even when they would otherwise match the family allowlist.
15881586

1587+
The same scheme is enforced for both `POST /assets/{mrId}/human-readable` and
1588+
`PUT /assets/{mrId}/human-readable`.
1589+
Validation is strict against the configured `Content-Type`
1590+
header; unsupported or denylisted types are rejected with `400 Bad Request`.
1591+
A missing
1592+
`Content-Type` is treated as `application/octet-stream`, which is not accepted by default.
1593+
The current default allowlist, denylist and the configuration keys that override them are documented in the OpenAPI specification.
15891594
The allowlist is operator-configurable and is enforced for both the create and replace operations on the human-readable link endpoint.
15901595

15911596
* PDF and DOCX cover the main document formats typically exchanged as human-facing attachments.

federated-catalogue/src/docs/architecture/chapters/06_runtime_view.adoc

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -788,11 +788,16 @@ sequenceDiagram
788788

789789
==== Attaching a Provenance Credential
790790

791-
Stores a W3C VC 2.0 JSON-LD or VC-JWT provenance credential against a specific asset version. The optional `?version=X` query parameter targets a historical version (1-based ordinal); omitting it targets the current version. The write does **not** produce a new Envers revision on the asset.
791+
Stores a W3C VC 2.0 JSON-LD or VC-JWT provenance credential against a specific asset version. The optional `?version=X` query parameter targets a historical version (1-based ordinal); omitting it targets the current version. Attaching a provenance credential does **not** advance the asset's version counter — the counter reflects distinct content hashes, not metadata or sub-resource events.
792792

793-
`credentialSubject.id` in the VC must equal `{assetId}:v{N}` — any mismatch returns 400. VC 1.1 payloads and payloads using the CAT-internal namespace are also rejected with 400. A duplicate `credentialId` (VC `id` field) returns 409.
793+
Two W3C-PROV-O credential shapes are accepted:
794794

795-
When a graph store is active, the corresponding PROV-O triple is written under the versioned asset IRI `{assetId}:v{N}` as a side-effect.
795+
* **Entity-centric** — `credentialSubject.id` is the versioned asset IRI itself, and PROV-O predicates describe the asset as the subject (e.g. `prov:wasGeneratedBy`, `prov:wasDerivedFrom`).
796+
* **Activity-centric** — `credentialSubject.id` is the activity's own IRI, and at least one PROV-O predicate (typically `prov:generated` or `prov:used`) points back at the versioned asset so the activity is reachable from it.
797+
798+
Each shape is projected to the graph under the IRI of its own `credentialSubject`.
799+
The list of recognised PROV-O predicates and their accepted forms (compact or expanded) is documented in the OpenAPI specification.
800+
VC 1.1 payloads and payloads using the CAT-internal namespace are rejected with 400; a duplicate `credentialId` (VC `id` field) returns 409.
796801

797802
[mermaid, width=2000]
798803
....
@@ -1154,6 +1159,9 @@ When the graph store is disabled, queries are rejected with a "service unavailab
11541159
Only read queries are allowed.
11551160
Write queries (e.g., `CREATE`/`DELETE` in openCypher, `INSERT`/`DELETE` in SPARQL) are rejected.
11561161

1162+
For SPARQL queries the response format is content-negotiated via the `Accept` header: the catalogue's own paginated envelope (`application/json`) remains the default, and the W3C SPARQL 1.1 Results JSON format (`application/sparql-results+json`) is offered as an alternative for SPARQL-tooling compatibility.
1163+
Backends that cannot produce the standard format respond with HTTP 406 to the alternative request.
1164+
11571165
[mermaid, width=2000]
11581166
....
11591167
sequenceDiagram

0 commit comments

Comments
 (0)