<html><head><meta content="text/html; charset=UTF-8" http-equiv="content-type"><style type="text/css">@import url('https://themes.googleusercontent.com/fonts/css?kit=fpjTOVmNbO4Lz34iLyptLTi9jKYd1gJzj5O2gWsEpXoyck2WCYPEMNySjZN0CHedXUiLXDrKjJ-HZ12gdSWW_7k19HnzO8O6rd5KLwHyN2s');.lst-kix_texyhxtn8mxf-1>li:before{content:"\0025cb "}.lst-kix_texyhxtn8mxf-0>li:before{content:"\0025cf "}.lst-kix_texyhxtn8mxf-2>li:before{content:"\0025a0 "}.lst-kix_texyhxtn8mxf-3>li:before{content:"\0025cf "}ul.lst-kix_texyhxtn8mxf-0{list-style-type:none}.lst-kix_texyhxtn8mxf-5>li:before{content:"\0025a0 "}ul.lst-kix_texyhxtn8mxf-1{list-style-type:none}.lst-kix_texyhxtn8mxf-4>li:before{content:"\0025cb "}.lst-kix_texyhxtn8mxf-6>li:before{content:"\0025cf "}li.li-bullet-0:before{margin-left:-18pt;white-space:nowrap;display:inline-block;min-width:18pt}ul.lst-kix_texyhxtn8mxf-8{list-style-type:none}ul.lst-kix_texyhxtn8mxf-6{list-style-type:none}.lst-kix_texyhxtn8mxf-8>li:before{content:"\0025a0 "}ul.lst-kix_texyhxtn8mxf-7{list-style-type:none}ul.lst-kix_texyhxtn8mxf-4{list-style-type:none}.lst-kix_texyhxtn8mxf-7>li:before{content:"\0025cb "}ul.lst-kix_texyhxtn8mxf-5{list-style-type:none}ul.lst-kix_texyhxtn8mxf-2{list-style-type:none}ul.lst-kix_texyhxtn8mxf-3{list-style-type:none}ol{margin:0;padding:0}table td,table 
th{padding:0}.c12{padding-top:12pt;padding-bottom:2pt;line-height:1.15;page-break-after:avoid;orphans:2;widows:2;text-align:left}.c16{padding-top:18pt;padding-bottom:4pt;line-height:1.15;page-break-after:avoid;orphans:2;widows:2;text-align:left}.c9{color:#666666;font-weight:700;text-decoration:none;vertical-align:baseline;font-size:12pt;font-family:"Calibri";font-style:normal}.c1{color:#000000;font-weight:400;text-decoration:none;vertical-align:baseline;font-size:9pt;font-family:"Consolas";font-style:normal}.c18{color:#000000;font-weight:700;text-decoration:none;vertical-align:baseline;font-size:14pt;font-family:"Calibri";font-style:normal}.c7{color:#000000;font-weight:400;text-decoration:none;vertical-align:baseline;font-size:8pt;font-family:"Consolas";font-style:normal}.c0{padding-top:0pt;padding-bottom:10pt;line-height:1.15;orphans:2;widows:2;text-align:left;height:11pt}.c23{padding-top:24pt;padding-bottom:6pt;line-height:1.15;page-break-after:avoid;orphans:2;widows:2;text-align:left}.c15{color:#000000;font-weight:700;text-decoration:none;vertical-align:baseline;font-size:18pt;font-family:"Cambria";font-style:normal}.c10{padding-top:14pt;padding-bottom:4pt;line-height:1.15;page-break-after:avoid;orphans:2;widows:2;text-align:left}.c4{color:#000000;font-weight:400;text-decoration:none;vertical-align:baseline;font-size:11pt;font-family:"Calibri";font-style:normal}.c27{color:#666666;font-weight:400;text-decoration:none;vertical-align:baseline;font-size:12pt;font-family:"Cambria"}.c13{color:#666666;font-weight:400;text-decoration:none;vertical-align:baseline;font-size:11pt;font-family:"Calibri"}.c2{padding-top:0pt;padding-bottom:10pt;line-height:1.15;orphans:2;widows:2;text-align:left}.c17{color:#000000;font-weight:400;text-decoration:none;vertical-align:baseline;font-size:11pt;font-family:"Calibri"}.c3{padding-top:0pt;padding-bottom:0pt;line-height:1.15;orphans:2;widows:2;text-align:left}.c11{text-decoration-skip-ink:none;-webkit-text-decoration-skip:none;color:#115
5cc;text-decoration:underline}.c26{background-color:#ffffff;max-width:451.4pt;padding:72pt 72pt 72pt 72pt}.c8{font-size:9pt;font-family:"Consolas";font-weight:400}.c25{padding:0;margin:0}.c5{color:inherit;text-decoration:inherit}.c22{font-size:9pt;font-family:"Consolas"}.c24{margin-left:36pt;padding-left:0pt}.c6{font-style:italic}.c21{height:11pt}.c20{font-weight:700}.c19{background-color:#ffff00}.c14{text-indent:36pt}.title{padding-top:24pt;color:#000000;font-weight:700;font-size:18pt;padding-bottom:6pt;font-family:"Cambria";line-height:1.15;page-break-after:avoid;orphans:2;widows:2;text-align:left}.subtitle{padding-top:18pt;color:#666666;font-size:12pt;padding-bottom:4pt;font-family:"Cambria";line-height:1.15;page-break-after:avoid;font-style:italic;orphans:2;widows:2;text-align:left}li{color:#000000;font-size:11pt;font-family:"Calibri"}p{margin:0;color:#000000;font-size:11pt;font-family:"Calibri"}h1{padding-top:24pt;color:#000000;font-weight:700;font-size:18pt;padding-bottom:6pt;font-family:"Calibri";line-height:1.15;page-break-after:avoid;orphans:2;widows:2;text-align:left}h2{padding-top:18pt;color:#000000;font-weight:700;font-size:14pt;padding-bottom:4pt;font-family:"Calibri";line-height:1.15;page-break-after:avoid;orphans:2;widows:2;text-align:left}h3{padding-top:14pt;color:#666666;font-weight:700;font-size:12pt;padding-bottom:4pt;font-family:"Calibri";line-height:1.15;page-break-after:avoid;orphans:2;widows:2;text-align:left}h4{padding-top:12pt;color:#666666;font-size:11pt;padding-bottom:2pt;font-family:"Calibri";line-height:1.15;page-break-after:avoid;font-style:italic;orphans:2;widows:2;text-align:left}h5{padding-top:11pt;color:#666666;font-weight:700;font-size:10pt;padding-bottom:2pt;font-family:"Calibri";line-height:1.15;page-break-after:avoid;orphans:2;widows:2;text-align:left}h6{padding-top:10pt;color:#666666;font-size:10pt;padding-bottom:2pt;font-family:"Calibri";line-height:1.15;page-break-after:avoid;font-style:italic;orphans:2;widows:2;text-align:le
ft}</style></head><body class="c26 doc-content"><p class="c23 title" id="h.e7q5jxhg3ig3"><span>Five Safes</span><span class="c15"> Crate profile</span></p><p class="c16 subtitle" id="h.dqceevkr3ulc"><span class="c6 c27">TRE-FX draft in development </span></p><p class="c2"><span class="c17 c6">(comments and suggestions welcome)</span></p><p class="c2"><span>Permalink: </span><span class="c11 c8"><a class="c5" href="https://www.google.com/url?q=https://w3id.org/ro/five-safes/0.1-DRAFT&sa=D&source=editors&ust=1683740290866174&usg=AOvVaw2nDwxrDOtcr_I-c-fcXyl9">https://w3id.org/ro/five-safes/0.1-DRAFT</a></span><span class="c8"> </span><span class="c8 c19">(TODO)</span></p><p class="c2"><span>This document specifies a draft profile of </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://w3id.org/ro/crate&sa=D&source=editors&ust=1683740290866643&usg=AOvVaw1XIJ9G6BcqYsJJjRU1Qwtu">RO-Crate</a></span><span> for the purpose of </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://trefx.uk/implementation&sa=D&source=editors&ust=1683740290866823&usg=AOvVaw3vO-OklWcgASqJCvZmWSQ0">TRE-FX implementation</a></span><span class="c4"> of workflow execution in a distributed trusted research environment. 
</span></p><p class="c2"><span class="c6">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [</span><span class="c11 c6"><a class="c5" href="https://www.google.com/url?q=https://doi.org/10.17487/RFC2119&sa=D&source=editors&ust=1683740290867172&usg=AOvVaw360V4vxOsT_qNgn0SokaxL">RFC2119</a></span><span class="c6">] [</span><span class="c11 c6"><a class="c5" href="https://www.google.com/url?q=https://doi.org/10.17487/RFC8174&sa=D&source=editors&ust=1683740290867367&usg=AOvVaw1e-wD_2jVvYNrGZhhe_Hdz">RFC8174</a></span><span class="c6 c17">] when, and only when, they appear in all capitals, as shown here.</span></p><h2 class="c16" id="h.akgun1xbdqy2"><span class="c18">Archive serialisation</span></h2><p class="c2"><span>A compliant Five Safes Crate SHOULD be stored and transferred as a </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=http://www.pkware.com/documents/casestudies/APPNOTE.TXT&sa=D&source=editors&ust=1683740290867819&usg=AOvVaw185d-RLHce6KzCumqt9W9p">ZIP archive</a></span><span> containing a single </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://www.researchobject.org/ro-crate/1.1/appendix/implementation-notes.html%23combining-with-other-packaging-schemes&sa=D&source=editors&ust=1683740290868079&usg=AOvVaw30i33mGgQji0DoKf-38D--">BagIt directory</a></span><span> (</span><span class="c6">bag</span><span>) of an arbitrary name,</span><span class="c6"> </span><span>whose payload </span><span class="c6">data/</span><span> contains the RO-Crate Metadata File </span><span class="c6">ro-crate-metadata.json</span><span class="c4"> and any required data files (e.g. inputs). 
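</span></p><p class="c2"><span class="c4">The archive layout required in this section (a ZIP with a single top-level bag directory marked by bagit.txt, a sha-512 payload manifest, and data/ro-crate-metadata.json) can be checked mechanically before a crate is accepted for processing. The Python below is an added example, not part of the profile or of any TRE-FX implementation; the names validate_five_safes_zip and build_sample_bag and the sample bag contents are hypothetical, and it assumes a complete bag with no fetch.txt entries.</span></p><pre>
```python
import hashlib
import io
import re
import zipfile


def _parse_manifest(text):
    """Parse BagIt manifest lines ('checksum  path') into {path: checksum}."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries[path.strip()] = digest.lower()
    return entries


def _verify(zf, bag, manifest_name, problems):
    """Compare the sha-512 digests listed in a manifest with the archived bytes."""
    listed = _parse_manifest(zf.read(bag + manifest_name).decode("utf-8"))
    present = set(zf.namelist())
    for path, expected in listed.items():
        if bag + path not in present:
            problems.append(f"{manifest_name}: listed file missing: {path}")
        elif hashlib.sha512(zf.read(bag + path)).hexdigest() != expected:
            problems.append(f"{manifest_name}: checksum mismatch: {path}")
    return listed


def validate_five_safes_zip(zip_bytes):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        # Extra hardening, not stated in the profile: refuse entry names that
        # could resolve outside the directory the archive is unpacked into.
        for name in names:
            if name.startswith("/") or ".." in name.split("/"):
                return [f"unsafe entry name: {name}"]
        # Zip expectations: a single top-level entry, the bag directory.
        tops = sorted({name.split("/", 1)[0] for name in names})
        if len(tops) != 1:
            return [f"expected a single top-level entry, found {tops}"]
        bag = tops[0] + "/"
        files = {name for name in names if not name.endswith("/")}
        # The bag directory is identified by its bagit.txt marker.
        if bag + "bagit.txt" not in files:
            return ["bagit.txt marker missing from the top-level directory"]
        marker = zf.read(bag + "bagit.txt").decode("utf-8")
        version = re.search(r"^BagIt-Version:\s*(\d+)\.(\d+)", marker, re.M)
        if version is None or int(version.group(1)) == 0:
            problems.append("bagit.txt does not indicate BagIt 1.0 or later")
        if bag + "data/ro-crate-metadata.json" not in files:
            problems.append("data/ro-crate-metadata.json missing")
        # The payload manifest MUST be present and use sha-512.
        if bag + "manifest-sha512.txt" not in files:
            problems.append("manifest-sha512.txt missing")
        else:
            listed = _verify(zf, bag, "manifest-sha512.txt", problems)
            payload = {n[len(bag):] for n in files if n.startswith(bag + "data/")}
            for extra in sorted(payload - set(listed)):
                problems.append(f"payload file not in manifest: {extra}")
        # The tag manifest SHOULD be included; verify it when it is.
        if bag + "tagmanifest-sha512.txt" in files:
            _verify(zf, bag, "tagmanifest-sha512.txt", problems)
    return problems


def _manifest_for(entries):
    """Render {path: bytes} as sha-512 manifest text."""
    return "".join(
        f"{hashlib.sha512(body).hexdigest()}  {path}\n" for path, body in entries.items()
    )


def build_sample_bag(tamper=False):
    """Constructed sample: a minimal bag named query-12389, zipped in memory."""
    payload = {
        "data/ro-crate-metadata.json": b'{"@graph": []}',  # placeholder content
        "data/input1.txt": b"constructed sample input\n",
    }
    tags = {
        "bagit.txt": b"BagIt-Version: 1.0\nTag-File-Character-Encoding: UTF-8\n",
        "bag-info.txt": b"External-Identifier: urn:uuid:9796155a-fe44-4614-89b8-71945f718ffb\n",
        "manifest-sha512.txt": _manifest_for(payload).encode("utf-8"),
    }
    tags["tagmanifest-sha512.txt"] = _manifest_for(tags).encode("utf-8")
    if tamper:
        # Simulate a payload file changed after the manifests were written.
        payload["data/input1.txt"] = b"modified after packaging\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in {**tags, **payload}.items():
            zf.writestr("query-12389/" + path, body)
    return buf.getvalue()


if __name__ == "__main__":
    print(validate_five_safes_zip(build_sample_bag(tamper=True)))
```
</pre><p class="c0"><span class="c4">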
</span></p><p class="c2"><span>The BagIt </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://www.rfc-editor.org/rfc/rfc8493.html%23section-2.1.3&sa=D&source=editors&ust=1683740290868588&usg=AOvVaw1gwLBnLkqNteOwVBSvzD6Q">payload manifest</a></span><span> [</span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://doi.org/10.17487/rfc8493&sa=D&source=editors&ust=1683740290868764&usg=AOvVaw1GQ3FL1gLInkjSJD47r7SP">RFC8493</a></span><span>] MUST be present using sha-512 checksums, and the </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://www.rfc-editor.org/rfc/rfc8493.html%23section-2.2.1&sa=D&source=editors&ust=1683740290868960&usg=AOvVaw1nvHrc1uAp8mgo9zvREmft">tag manifest</a></span><span> SHOULD be included as sha-512 [</span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://doi.org/10.6028/NIST.FIPS.180-4&sa=D&source=editors&ust=1683740290869145&usg=AOvVaw3893vVF7GBjmG9T9dG3Iq4">FIPS 180-4</a></span><span>]. 
Payload and tag manifests using other checksums MAY be included, taking care to exclude </span><span class="c6">tagmanifest-*</span><span class="c4"> from their checksums.</span></p><p class="c2"><span class="c4">Example:</span></p><p class="c3"><span class="c7">query-12389/</span></p><p class="c3"><span class="c7"> | bagit.txt # MUST indicate BagIt 1.0 or later</span></p><p class="c3"><span class="c7"> | bag-info.txt # As per BagIt specification</span></p><p class="c3"><span class="c7"> | manifest-sha512.txt # As per BagIt specification</span></p><p class="c3"><span class="c7"> | tagmanifest-sha512.txt # As per BagIt specification</span></p><p class="c3"><span class="c7"> | fetch.txt # Optional, per BagIt Specification</span></p><p class="c3"><span class="c7"> | data/ # Payload: RO-Crate root directory</span></p><p class="c3"><span class="c7"> | ro-crate-metadata.json # RO-Crate Metadata File MUST be present</span></p><p class="c3"><span class="c7"> | [payload files and directories] # 1 or more SHOULD be present</span></p><p class="c0"><span class="c4"></span></p><h3 class="c10" id="h.a47dfsnz074v"><span class="c9">BagIt expectations</span></h3><p class="c2"><span>The </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://www.researchobject.org/ro-crate/1.1/appendix/implementation-notes.html%23combining-with-other-packaging-schemes&sa=D&source=editors&ust=1683740290870581&usg=AOvVaw0AHA0z_TvtmsHXVx1PgGNc">RO-Crate BagIt expectations</a></span><span> for </span><span class="c6">Adding RO-Crate to Bagit </span><span> MUST be followed. 
The </span><span class="c6">bag-info.txt</span><span> MUST include a generated </span><span class="c6">External-Identifier:</span><span> field which SHOULD be a UUID URN [</span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://doi.org/10.17487/rfc4122&sa=D&source=editors&ust=1683740290870943&usg=AOvVaw0CnANsNBwcyzAek_kMapVj">RFC4122</a></span><span class="c4">], e.g.:</span></p><p class="c2"><span class="c4">External-Identifier: urn:uuid:9796155a-fe44-4614-89b8-71945f718ffb</span></p><p class="c2"><span>It is RECOMMENDED to </span><span class="c6">not</span><span class="c4"> modify this identifier as the Five Safes Crate progresses through the distributed TRE processing.</span></p><h3 class="c10" id="h.i3ip973mivji"><span class="c9">Zip expectations</span></h3><p class="c2"><span>The ZIP archive MUST only contain a single top-level entry for the bag directory, identified by the </span><span class="c6">bagit.txt</span><span> marker. For interoperability in terms of ZIP features, implementations SHOULD follow </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://www.w3.org/publishing/epub32/epub-ocf.html%23sec-zip-container-zipreqs&sa=D&source=editors&ust=1683740290871688&usg=AOvVaw3a411cLvvpmY09-AcvAeZK">guidance for an OCF ZIP Container</a></span><span> (ignoring </span><span class="c6">OCF Abstract Container </span><span class="c4">content).</span></p><h2 class="c16" id="h.u751x9rwgfgv"><span class="c18">Metadata file expectations</span></h2><p class="c3"><span>The RO-Crate Metadata File MUST conform to </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://www.google.com/url?q%3Dhttps://www.researchobject.org/ro-crate/1.2-DRAFT/%26sa%3DD%26source%3Ddocs%26ust%3D1680005136018780%26usg%3DAOvVaw0olz0R6RJatjMIFdYoAWhW&sa=D&source=editors&ust=1683740290872274&usg=AOvVaw3zh6FkRJqlDA7IqSJOueT2">RO-Crate 1.2</a></span><span> (or later minor version). 
The compliant version MUST be declared in the </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://www.researchobject.org/ro-crate/1.2-DRAFT/root-data-entity.html%23ro-crate-metadata-file-descriptor&sa=D&source=editors&ust=1683740290872737&usg=AOvVaw0Pad9irCDrISCs5VfyWsFy">metadata file descriptor</a></span><span>:<br><br></span><span class="c1"> {</span></p><p class="c3"><span class="c1"> "@type": "CreativeWork",</span></p><p class="c3"><span class="c1"> "@id": "ro-crate-metadata.json",</span></p><p class="c3"><span class="c1"> "about": {"@id": "./"},</span></p><p class="c3"><span class="c1"> "conformsTo": {"@id": "https://w3id.org/ro/crate/1.2-DRAFT"}</span></p><p class="c3"><span class="c1"> }</span></p><p class="c3 c21"><span class="c1"></span></p><p class="c2"><span>The </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://www.researchobject.org/ro-crate/1.2-DRAFT/root-data-entity.html%23direct-properties-of-the-root-data-entity&sa=D&source=editors&ust=1683740290873587&usg=AOvVaw1vvlZekFH-mSwltxzf2bgO">root data entity</a></span><span> of a Five Safes Crate MUST have the @id equal to "./" (as it is stored within the BagIt ZIP archive).</span></p><h3 class="c10" id="h.p9qcf7kions2"><span class="c9">Profile</span></h3><p class="c2"><span class="c4">Crates conforming to this profile specification SHOULD indicate this on the Root Data Entity:</span></p><p class="c3"><span class="c1"> {</span></p><p class="c3"><span class="c1"> "@id": "./",</span></p><p class="c3"><span class="c1"> "@type": "Dataset",</span></p><p class="c3"><span class="c1"> "conformsTo": {"@id": "https://w3id.org/ro/five-safes/0.1-DRAFT"},</span></p><p class="c3"><span class="c1"> "hasPart": [</span></p><p class="c3"><span class="c1"> ],<br> "mainEntity": {"@id": "https://workflowhub.eu/workflows/289?version=1"},</span></p><p class="c3"><span class="c1"> "mentions": {"@id": "#query-37252371-c937-43bd-a0a7-3680b48c0538"},</span></p><p 
class="c3"><span class="c1"> "sourceOrganization": <br> {"@id": "#project-be6ffb55-4f5a-4c14-b60e-47e0951090c70"}</span></p><p class="c3"><span class="c1"> },</span></p><p class="c0"><span class="c4"></span></p><h3 class="c10" id="h.vt9rb4cwhsa5"><span class="c9">Referencing a Workflow Crate</span></h3><p class="c2"><span>The metadata file MUST reference a </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://w3id.org/workflowhub/workflow-ro-crate/1.0&sa=D&source=editors&ust=1683740290875011&usg=AOvVaw3wRMiiKpH9kHZD_Z4szjdz">Workflow RO-Crate</a></span><span> </span><span class="c6">Dataset </span><span>as its </span><span class="c6">mainEntity</span><span class="c4">, indicating the workflow to execute. </span></p><p class="c2"><span>The identifier SHOULD be a permalink or versioned URL (e.g. </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://workflowhub.eu/workflows/289?version%3D1&sa=D&source=editors&ust=1683740290875460&usg=AOvVaw0dp2R24H7GZkyxqBECWjgW">https://workflowhub.eu/workflows/289?version=1</a></span><span class="c4">) or MAY be a nested directory within the BagIt payload directory (e.g. "data/workflow289.1/").</span></p><p class="c2"><span class="c20">Note</span><span>: unlike in the </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://www.researchobject.org/workflow-run-crate/profiles/0.1/workflow_run_crate&sa=D&source=editors&ust=1683740290875825&usg=AOvVaw365jiboQSQvQE_O7KcMwEW">Workflow Run profile</a></span><span>, the programming language of the workflow and its other metadata are not expressed in this RO-Crate, but within the referenced Workflow RO-Crate. 
The </span><span class="c6">programmingLanguage</span><span> inside the Workflow RO-Crate SHOULD be either </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://w3id.org/workflowhub/workflow-ro-crate%23cwl&sa=D&source=editors&ust=1683740290876120&usg=AOvVaw3xEGFudNLBGV5q9MmSyYuM">https://w3id.org/workflowhub/workflow-ro-crate#cwl</a></span><span> or </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://w3id.org/workflowhub/workflow-ro-crate%23nextflow&sa=D&source=editors&ust=1683740290876325&usg=AOvVaw3sI0YS6UpuYcTatN9o6-W9">https://w3id.org/workflowhub/workflow-ro-crate#nextflow</a></span><span class="c4">.</span></p><h4 class="c12" id="h.svx3e0hfb6k9"><span class="c13 c6">Finding the RO-Crate archive</span></h4><p class="c2"><span>If the identifier is a URI, a URL to the downloadable Workflow RO-Crate ZIP archive SHOULD be included with distribution; otherwise clients SHOULD </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://signposting.org/adopters/%23workflowhub&sa=D&source=editors&ust=1683740290876767&usg=AOvVaw2Ufezsq0ir8_yZN4_bjG1N">use Signposting</a></span><span> to find the link to the RO-Crate by looking for the link with </span><span class="c8">rel="item" type="application/zip" profile="</span><span class="c8">https://w3id.org/ro/crate</span><span class="c8">"</span><span> - for instance:</span></p><p class="c3"><span class="c1">curl -I "https://workflowhub.eu/workflows/419"</span></p><p class="c3 c21"><span class="c1"></span></p><p class="c3"><span class="c1">HTTP/1.1 200 OK</span></p><p class="c3"><span class="c1">Content-Type: text/html; charset=UTF-8</span></p><p class="c3"><span class="c8"><</span><span class="c20 c22">https://workflowhub.eu/workflows/419/ro_crate?version=1</span><span class="c1">> ;</span></p><p class="c3"><span class="c1"> rel="item" ;</span></p><p class="c3"><span class="c1"> type="application/zip" ;</span></p><p class="c3"><span class="c1"> 
profile="https://w3id.org/ro/crate" </span></p><h4 class="c12" id="h.oevsrkcy98c4"><span class="c6 c13">Example:</span></h4><p class="c3"><span class="c1"> {</span></p><p class="c3"><span class="c8"> "@id": "</span><span class="c8">https://workflowhub.eu/workflows/289?version=1</span><span class="c1">",</span></p><p class="c3"><span class="c1"> "@type": "Dataset",</span></p><p class="c3"><span class="c1"> "name": "CWL Protein MD Setup tutorial with mutations",</span></p><p class="c3"><span class="c1"> "conformsTo": {"@id": "https://w3id.org/workflowhub/workflow-ro-crate/1.0"},</span></p><p class="c3"><span class="c1"> "distribution": {"@id": "https://workflowhub.eu/workflows/289/ro_crate?version=1"}</span></p><p class="c3"><span class="c1"> },</span></p><p class="c3"><span class="c1"> {</span></p><p class="c3"><span class="c1"> "@id": "https://workflowhub.eu/workflows/289/ro_crate?version=1",</span></p><p class="c3"><span class="c1"> "@type": "DataDownload",</span></p><p class="c3"><span class="c1"> "conformsTo": {"@id": "https://w3id.org/ro/crate"},</span></p><p class="c3"><span class="c1"> "encodingFormat": "application/zip"</span></p><p class="c3"><span class="c1"> }</span></p><p class="c0"><span class="c4"></span></p><h3 class="c10" id="h.zcl7pu7kd4k0"><span class="c9">Requested Workflow Run</span></h3><p class="c2"><span>The metadata file MUST include a </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://schema.org/CreateAction&sa=D&source=editors&ust=1683740290879446&usg=AOvVaw0mAe5smMTY-F5OdJQIHK9j">CreateAction</a></span><span>, which MUST be referenced from </span><span class="c6">mentions</span><span class="c4"> of the root entity. 
The identifier SHOULD be based on a UUID (different from the BagIt External-Identifier).</span></p><p class="c2"><span>The CreateAction MUST reference the Workflow Crate using </span><span class="c6">instrument</span><span class="c4">.</span></p><h4 class="c12" id="h.5lws8vt29mzw"><span class="c13 c6">Example:</span></h4><p class="c3"><span class="c1"> {</span></p><p class="c3"><span class="c1"> "@id": "#query-37252371-c937-43bd-a0a7-3680b48c0538",</span></p><p class="c3"><span class="c1"> "@type": "CreateAction",<br> "actionStatus": "https://schema.org/PotentialActionStatus", </span></p><p class="c3"><span class="c1"> "agent": {"@id": "https://orcid.org/0000-0001-9842-9718"},</span></p><p class="c3"><span class="c1"> "instrument": {"@id": "https://workflowhub.eu/workflows/289?version=1"},</span></p><p class="c3"><span class="c1"> "name": "Execute query 12389 on workflow ",</span></p><p class="c3"><span class="c1"> "object": [</span></p><p class="c3"><span class="c1"> {"@id": "input1.txt"}</span></p><p class="c3"><span class="c1"> ]</span></p><p class="c3"><span class="c1"> },</span></p><p class="c0"><span class="c4"></span></p><h4 class="c12" id="h.byrges19zp0h"><span class="c13 c6">Execution state</span></h4><p class="c2"><span>The main purpose of a Five Safes Crate is to trigger and communicate a workflow execution within a distributed TRE. 
</span><span>The state of the Five Safes Crate is indicated by the </span><span class="c6">actionStatus</span><span class="c4"> of this main action:</span></p><ul class="c25 lst-kix_texyhxtn8mxf-0 start"><li class="c2 c24 li-bullet-0"><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://schema.org/PotentialActionStatus&sa=D&source=editors&ust=1683740290881335&usg=AOvVaw0SgvGRHeSjxR6COwzHo2kO">https://schema.org/PotentialActionStatus</a></span><span> – </span><span>The request is queued to be executed</span></li><li class="c2 c24 li-bullet-0"><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://schema.org/ActiveActionStatus&sa=D&source=editors&ust=1683740290881753&usg=AOvVaw1LI86USAPijog0buIvEdzo">https://schema.org/ActiveActionStatus</a></span><span class="c4"> – The request is currently executing</span></li><li class="c2 c24 li-bullet-0"><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://schema.org/CompletedActionStatus&sa=D&source=editors&ust=1683740290882097&usg=AOvVaw2Mgcn1nqPyAEO5oGkbytdo">https://schema.org/CompletedActionStatus</a></span><span> – </span><span>The request has finished successfully</span></li><li class="c2 c24 li-bullet-0"><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://schema.org/FailedActionStatus&sa=D&source=editors&ust=1683740290882473&usg=AOvVaw2Ss8jWnW-q9u5aFwgR83eS">https://schema.org/FailedActionStatus</a></span><span class="c4"> – The request failed, see </span></li></ul><p class="c2"><span>When the execution is in CompletedActionStatus or FailedActionStatus, the crate SHOULD also follow the </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://w3id.org/ro/wfrun/provenance/0.1&sa=D&source=editors&ust=1683740290882802&usg=AOvVaw3xKl_OP-GtZIEzKjednwtg">Provenance Crate</a></span><span> profile, e.g. 
the workflow outputs will be listed as </span><span class="c6">result.</span></p><h3 class="c10" id="h.lum49c9zz5an"><span class="c9">Requesting Agent</span></h3><p class="c2"><span>The individual person who is requesting the run MUST be indicated as an </span><span class="c6">agent</span><span> from the </span><span class="c6">CreateAction</span><span>, which SHOULD have an </span><span class="c6">affiliation</span><span class="c4"> to the organization they are representing for access control purposes.</span></p><p class="c3"><span class="c1"> {</span></p><p class="c3"><span class="c1"> "@id": "https://orcid.org/0000-0001-9842-9718",</span></p><p class="c3"><span class="c1"> "@type": "Person",</span></p><p class="c3"><span class="c1"> "name": "Stian Soiland-Reyes",</span></p><p class="c3"><span class="c1"> "affiliation": { "@id": "https://ror.org/027m9bs27"}</span></p><p class="c3"><span class="c1"> },</span></p><p class="c3"><span class="c1"> {</span></p><p class="c3"><span class="c1"> "@id": "https://ror.org/027m9bs27",</span></p><p class="c3"><span class="c1"> "@type": "Organization",</span></p><p class="c3"><span class="c1"> "name": "The University of Manchester"</span></p><p class="c3"><span class="c1"> },</span></p><p class="c0"><span class="c4"></span></p><p class="c2"><span class="c20">Note</span><span>: The organisation under </span><span class="c6">affiliation</span><span> is typically the employing organization, e.g. a university or hospital. 
Virtual organisations such as research projects can be listed using </span><span class="c6">memberOf</span><span> (see also </span><span class="c6">Responsible Project</span><span class="c4"> below).</span></p><h3 class="c10" id="h.x4bgb1x4iw6e"><span class="c9">Responsible Project</span></h3><p class="c2"><span>The project that the request is sent on behalf of, typically related to permission to use a TRE, MUST be indicated from the root dataset using </span><span class="c6">sourceOrganization</span><span> to a </span><span class="c11 c6"><a class="c5" href="https://www.google.com/url?q=https://schema.org/Project&sa=D&source=editors&ust=1683740290885149&usg=AOvVaw2wUW_X2cHOB4aSbQeE_W1Z">Project</a></span><span class="c4">. </span></p><p class="c2"><span class="c20">Note</span><span>: The </span><span class="c6">responsible project</span><span> is not necessarily a </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://schema.org/ResearchProject&sa=D&source=editors&ust=1683740290885562&usg=AOvVaw3XVSXW8VcTfsmSrtu2UwA-">ResearchProject</a></span><span class="c4"> corresponding to a funded grant, but may be more specific studies within such a project. Various TREs may have different granularity and identifiers for such projects.</span></p><p class="c2"><span>It is RECOMMENDED to include TRE-specific ids under </span><span class="c6">identifier </span><span>(which MAY be an array). If the identifier is not globally unique (e.g. 
a PID), it is RECOMMENDED to use a </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://www.researchobject.org/ro-crate/1.1/appendix/implementation-notes.html%23repository-specific-identifiers&sa=D&source=editors&ust=1683740290885997&usg=AOvVaw2IgvC73M7Jh32pzEM3TBcg">repository-specific identifier</a></span><span class="c4"> with a PropertyValue entity.</span></p><p class="c2"><span>The project MAY indicate the </span><span class="c6">member</span><span> organisations, in which case one of them SHOULD match the </span><span class="c6">affiliation</span><span> of the </span><span class="c6">Requesting Agent</span><span class="c4">.</span></p><p class="c3"><span class="c1">{"@id": "#project-be6ffb55-4f5a-4c14-b60e-47e0951090c70",</span></p><p class="c3"><span class="c1"> "@type": "Project",</span></p><p class="c3"><span class="c1"> "name": "Investigation of cancer",</span></p><p class="c3"><span class="c1"> "identifier": [</span></p><p class="c3 c14"><span class="c8">"</span><span class="c11 c8"><a class="c5" href="https://www.google.com/url?q=https://doi.org/10.3030/101057344&sa=D&source=editors&ust=1683740290887001&usg=AOvVaw2c0S529iISNJVBZEA1s7Yb">https://doi.org/10.3030/101057344</a></span><span>",<br> "</span><span class="c11 c8"><a class="c5" href="https://www.google.com/url?q=https://gtr.ukri.org/projects?ref%3D10038992&sa=D&source=editors&ust=1683740290887263&usg=AOvVaw3NU-RD1-qkXe3l4aqDWcC0">https://gtr.ukri.org/projects?ref=10038992</a></span><span class="c8">"</span></p><p class="c3"><span class="c8"> </span><span class="c1">],<br> "member": [<br> {"@id": "https://ror.org/027m9bs27"},</span></p><p class="c3"><span class="c1"> {"@id": "https://ror.org/01ee9ar58"}</span></p><p class="c3"><span class="c1"> ]</span></p><p class="c3"><span class="c1">}</span></p><h3 class="c10" id="h.s12z41ajfn2b"><span class="c9">Inputs</span></h3><p class="c2"><span>Requested inputs SHOULD be set on the </span><span 
class="c6">CreateAction</span><span> using the </span><span class="c6">object</span><span> property:<br></span><span class="c1">{</span></p><p class="c3"><span class="c1"> "@id": "#query-37252371-c937-43bd-a0a7-3680b48c0538",</span></p><p class="c3"><span class="c1"> "@type": "CreateAction",<br> "object": [</span></p><p class="c3"><span class="c1"> {"@id": "input1.txt"},</span></p><p class="c3"><span class="c1"> {"@id": "#enableFastMode"}</span></p><p class="c3"><span class="c1"> ],<br> "…": {}<br>}</span></p><p class="c3 c21"><span class="c1"></span></p><p class="c2"><span class="c4">Each input MUST have a corresponding data entity:</span></p><p class="c3"><span class="c1">{ "@id": "input1.txt",<br> "@type": "File",<br> "name": "input1"<br>},<br>{</span></p><p class="c3"><span class="c1"> "@id": "#enableFastMode",</span></p><p class="c3"><span class="c1"> "@type": "PropertyValue",</span></p><p class="c3"><span class="c1"> "name": "--fast-mode",</span></p><p class="c3"><span class="c1"> "value": "True"</span></p><p class="c3"><span class="c1">},</span></p><p class="c0"><span class="c4"></span></p><p class="c2"><span class="c19">TODO</span><span class="c4">: How to reference existing secure TRE data? Do we have an identifier scheme?</span></p><p class="c2"><span class="c19">TODO</span><span>: Link up inputs to corresponding FormalParameter to indicate their input port binding. 
How to import these from the Workflow Bundle?</span></p><h3 class="c10" id="h.qhzqt6p4xojs"><span class="c9">Outputs</span></h3><p class="c2"><span>If the workflow has successfully executed, that is, the </span><span class="c6">CreateAction</span><span> has </span><span class="c6">actionStatus</span><span> set to </span><span class="c6">CompletedActionStatus</span><span>, the output data entities SHOULD be referenced from the </span><span class="c6">result </span><span class="c4">array.</span></p><p class="c2"><span>Output entities MUST be described as in the </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://w3id.org/ro/wfrun/workflow/0.1&sa=D&source=editors&ust=1683740290890204&usg=AOvVaw2Bb6SC5hGcc2KGwXeVNxxR">Workflow Run Crate profile</a></span><span>, and their type SHOULD be </span><span class="c6">File</span><span>, </span><span class="c6">Dataset</span><span>, </span><span class="c6">Collection</span><span>, </span><span class="c6">DigitalDocument </span><span>or </span><span class="c6">PropertyValue</span><span class="c4">.</span></p><p class="c2"><span>Implementations MAY include the outputs within the Crate BagIt archive, in which case it is RECOMMENDED to use the folder </span><span class="c6">outputs/</span><span> to avoid conflict with other files in the crate.</span></p><p class="c2"><span class="c1">{</span></p><p class="c3"><span class="c1"> "@id": "#query-37252371-c937-43bd-a0a7-3680b48c0538",</span></p><p class="c3"><span class="c1"> "@type": "CreateAction",<br> "result": [</span></p><p class="c3"><span class="c1"> {"@id": "outputs/qa.csv"},</span></p><p class="c3"><span class="c1"> {"@id": "outputs/diagrams/"}</span></p><p class="c3"><span class="c1"> ],<br> "…": {}<br>},</span></p><p class="c3"><span class="c1">{</span></p><p class="c3 c14"><span class="c1">"@id": "outputs/qa.csv",</span></p><p class="c3 c14"><span class="c1">"@type": "File",</span></p><p class="c3 c14"><span class="c1">"encodingFormat": 
"text/csv",</span></p><p class="c3 c14"><span class="c1">"name": "Tabular listing of quality assessment"</span></p><p class="c3"><span class="c1">},</span></p><p class="c3"><span class="c1">{</span></p><p class="c3 c14"><span class="c1">"@id": "outputs/diagrams/",</span></p><p class="c3 c14"><span class="c1">"@type": "Dataset",</span></p><p class="c3 c14"><span class="c1">"name": "Diagrams of regions of interest"</span></p><p class="c3"><span class="c1">}</span></p><p class="c3 c21"><span class="c1"></span></p><p class="c2"><span class="c20">Tip:</span><span> Implementations may need to inspect the FormalParameter of the Workflow Crate to propagate a human readable </span><span class="c6">name</span><span> and </span><span class="c6">encodingFormat</span><span class="c4"> file format of the inputs and output.</span></p><h4 class="c12" id="h.41jkpsfb8xw9"><span class="c13 c6">Sensitive data</span></h4><p class="c2"><span>Outputs MAY include references to sensitive data that is only accessible from within the TRE or through URIs that require authentication. 
The requirement for permission SHOULD be indicated by typing the data entity as a </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://schema.org/DigitalDocument&sa=D&source=editors&ust=1683740290892811&usg=AOvVaw2aNsd3JY2xmF_0IWr5brGN">DigitalDocument</a></span><span> that uses </span><span class="c6">hasDigitalDocumentPermission</span><span> to reference the </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://schema.org/DigitalDocumentPermission&sa=D&source=editors&ust=1683740290893077&usg=AOvVaw2-THJhkg8NrbGrcvn9RKqH">DigitalDocumentPermission</a></span><span> entity, typically assigning </span><span class="c11 c8"><a class="c5" href="https://www.google.com/url?q=https://schema.org/ReadPermission&sa=D&source=editors&ust=1683740290893282&usg=AOvVaw2cNdpZ7dqMc_hBsjH74MKn">https://schema.org/ReadPermission</a></span><span class="c8"> </span><span>with </span><span class="c6">grantee</span><span> set only to the </span><span class="c6">Responsible Project</span><span>.</span></p><p class="c3"><span class="c1">{</span></p><p class="c3 c14"><span class="c1">"@id": "urn:uuid:07b81e0f-7ac4-5428-9940-878b241e2397",</span></p><p class="c3 c14"><span class="c1">"@type": "DigitalDocument",</span></p><p class="c3 c14"><span class="c1">"encodingFormat": "text/csv",</span></p><p class="c3 c14"><span class="c1">"name": "Patient measurement 07b81e0f-7ac4-5428-9940-878b241e2397",</span></p><p class="c3 c14"><span class="c1">"hasDigitalDocumentPermission": {"@id": "#permissions-07b81e0f"}</span></p><p class="c3"><span class="c1">},</span></p><p class="c3"><span class="c1">{ "@id": "#permissions-07b81e0f",</span></p><p class="c3"><span class="c1"> "@type": "DigitalDocumentPermission",</span></p><p class="c3"><span class="c1"> "permissionType": "https://schema.org/ReadPermission",</span></p><p class="c3"><span class="c1"> "grantee": { "@id": "#project-be6ffb55-4f5a-4c14-b60e-47e0951090c70"}</span></p><p class="c3"><span 
class="c8">}</span></p><h2 class="c16" id="h.nq7kiyxq67m3"><span>Security considerations</span></h2><p class="c2"><span>Allowing execution of any Workflow Crate effectively allows execution of arbitrary code. It is RECOMMENDED that implementers apply strong access control</span><span class="c4">. </span></p><p class="c2"><span>It is currently out of scope for this specification how to verify that a Five Safes Crate was requested by the given person, or how to verify if the person has access to a particular TRE. It is therefore RECOMMENDED that implementers check authentication and authorization of a submitted query and use strong encryption. Implementers SHOULD check that the @id and affiliation of the </span><span class="c6">Requesting Agent</span><span> and </span><span class="c6">Responsible Project</span><span class="c4"> correspond to the authentication, and MAY inject/overwrite this.</span></p><p class="c2"><span>Malicious clients submitting a Five Safes Crate may have included additional entities, properties and @types, which may cause security concerns in an implementation. Implementers SHOULD sanity check inputs, including ensuring that all paths are relative within the bag or absolute URIs. Malicious clients MAY attempt to reference URLs that are only accessible within a TRE. Implementers MUST perform any URL downloads (such as Workflow RO-Crates or required Containers) from within a </span><span class="c6">DMZ</span><span class="c4"> firewalled from the TRE.</span></p><p class="c2"><span class="c4">As an executed Five Safes Crate may be intended for publishing (possibly following an embargo period), it SHOULD NOT include sensitive data or security tokens within the metadata file or the BagIt archive. </span></p><p class="c2"><span>The crate MAY include references (e.g. 
S3 URIs) to sensitive data, in which case the implementation and executed workflow SHOULD protect against divulging sensitive data (directly or indirectly) in the </span><span class="c6">File</span><span> identifiers, e.g. the example below uses </span><span>UUID v5 hashing </span><span>[</span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://doi.org/10.17487/rfc4122&sa=D&source=editors&ust=1683740290895852&usg=AOvVaw2XJrRH1zTMXRIVSd3G1_As">RFC4122</a></span><span>] to hide the sensitive identifier </span><span class="c8">patient-d373740c3fd2 </span><span>(Note: predictable identifiers like </span><span class="c8">patient-456</span><span> would still be vulnerable here due to iteration attacks):<br><br></span><span class="c1">$ uuidgen --sha1 --namespace @url --name file://tre.example.com/project-123/patient-d373740c3fd2.txt</span></p><p class="c2"><span class="c1">07b81e0f-7ac4-5428-9940-878b241e2397</span></p><h2 class="c16" id="h.gt4cqu5xnzyv"><span class="c18">Media type and profiles</span></h2><p class="c2"><span class="c4">When transferring a Five Safes Crate using HTTP, implementations SHOULD use the following HTTP headers for content-type and profile:</span></p><p class="c2"><span class="c8">Content-Type: application/zip<br>Link: <https://w3id.org/ro/crate>; rel="profile"</span><span class="c4"><br></span></p><p class="c2"><span>HTML landing pages that reference a Five Safes Crate SHOULD include </span><span class="c11"><a class="c5" href="https://www.google.com/url?q=https://signposting.org/&sa=D&source=editors&ust=1683740290896882&usg=AOvVaw2ERwUMJ4igFaUDg-pJeSgy">Signposting</a></span><span class="c4"> using HTTP Link headers:</span></p><p class="c2"><span class="c8">Link: <https://example.com/query-12389.zip>; rel="item"; type="application/zip"<br>Link: <https://w3id.org/ro/crate>; rel="profile"; type="application/zip";<br> anchor="https://example.com/query-12389.zip"</span><span class="c4"><br></span></p><p class="c0"><span 
class="c4"></span></p></body></html>
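Added example, not part of the specification or of any implementation of it: one way to carry out the sanity check from the Security considerations section (every @id is a local identifier, a relative path inside the bag, or an absolute URI) together with the UUID v5 derivation shown there. The names check_id, audit_graph, opaque_id and the ALLOWED_SCHEMES policy are assumptions made for this sketch, and the sample entities are constructed.

```python
import uuid
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Assumption: URI schemes this deployment accepts for absolute identifiers.
ALLOWED_SCHEMES = {"https", "urn", "s3"}

def check_id(entity_id):
    """Return None if the @id is acceptable, otherwise the reason it is not."""
    if entity_id.startswith("#"):
        return None  # identifier local to the metadata file
    scheme = urlsplit(entity_id).scheme
    if scheme:
        return None if scheme in ALLOWED_SCHEMES else f"scheme '{scheme}' not allowed"
    path = unquote(entity_id)  # decode %2e%2e before looking for traversal
    if not path or path.startswith("/") or "\\" in path:
        return "not a relative path within the bag"
    if ".." in PurePosixPath(path).parts:
        return "path escapes the bag"
    return None

def audit_graph(graph):
    """Map each rejected @id in a list of entities to the reason."""
    problems = {}
    for entity in graph:
        reason = check_id(entity.get("@id", ""))
        if reason:
            problems[entity.get("@id", "")] = reason
    return problems

def opaque_id(sensitive_url):
    """UUID v5 (SHA-1, URL namespace) URN, as in the uuidgen call above."""
    return f"urn:uuid:{uuid.uuid5(uuid.NAMESPACE_URL, sensitive_url)}"

# Constructed sample: three entities from this page plus three malformed ones.
SAMPLE_GRAPH = [
    {"@id": "input1.txt", "@type": "File"},
    {"@id": "outputs/diagrams/", "@type": "Dataset"},
    {"@id": "urn:uuid:07b81e0f-7ac4-5428-9940-878b241e2397", "@type": "DigitalDocument"},
    {"@id": "../../etc/passwd", "@type": "File"},
    {"@id": "outputs/%2e%2e/%2e%2e/secrets.csv", "@type": "File"},
    {"@id": "file:///srv/tre/project-123/raw.csv", "@type": "File"},
]

if __name__ == "__main__":
    for bad_id, reason in audit_graph(SAMPLE_GRAPH).items():
        print(f"REJECT {bad_id}: {reason}")
    print(opaque_id("file://tre.example.com/project-123/patient-d373740c3fd2.txt"))
```

Because opaque_id is deterministic, the same input always yields the same URN, which is why the note above about predictable identifiers applies: the hash hides the name only when the name itself is hard to guess.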