Introduction
Jenesis Repository is an artifact repository built from discovered plug-ins over a thin core. It hosts and proxies many package formats (Maven, npm, PyPI, Docker/OCI, and more), screens what passes through a supply-chain gate, and persists everything through a single storage abstraction - with no database: the store (a filesystem, S3, or Azure) is the only durable state.
The principles
Five convictions run through the whole system. They are worth knowing up front because every chapter comes back to them:
- Stream, never buffer. An artifact is never fully read into memory on an upload, download, or proxy path - only small metadata is ever parsed whole.
- Persist only through the store. Every durable thing - a blob, an index, a counter, a config document - is an object written through the storage abstraction. There is no second database.
- A thin core with pluggable SPIs. Each capability (a format, a storage backend, a gate policy, an auth
mechanism) is a
ServiceLoader-discovered module. The core knows the seam, not the implementation. - Optional modules degrade gracefully. A capability that is not installed simply isn't there; the surface that needed it reports so, and the rest keeps working.
- Read-first, libraries over hand-rolled. Work is pre-computed on write or in a background sweep so reads are cheap, and a maintained library is preferred to a bespoke algorithm.
How these docs are organised
Because the system is its capabilities, each chapter is written the same way, in this order:
- The capability (its SPI) - what it does, and that it is a discovered, swappable plug-in point: a provider supplies it, so it can be replaced with another implementation or simply be absent.
- The implementations - the ones you can choose from (for example, the storage chapter's filesystem, S3, and Azure backends), and how they differ.
- The settings - the configuration keys that turn it on and tune it.
Read the capability overview first even if you only mean to run a built-in: it is the shortest explanation of
what the feature does and what you are choosing between.
What's in this section
- Introduction - you are here.
- Getting started - run the server, publish and consume an artifact, point it at a store.
- Architecture - the plug-in model,
ServiceLoaderdiscovery, and the publication path. - Storage - the
ArtifactStoreSPI, then the filesystem, S3, and Azure backends. - Formats - the format SPIs, then the built-in ecosystems (Maven, npm, PyPI, OCI, …).
- Proxying & groups - the fetcher SPI, pull-through caching, and group repositories.
- The compliance gate - the publication-interceptor and policy SPIs, then licence, vulnerability, and malware screening.
- Provenance - the signer SPI, then keyless (Sigstore) signing and attestation.
- Search & inventory - the search SPI, then the index and licence inventory.
- Maintenance - the sweep SPI, then cleanup, retention, scanning, and reclamation.
- Multi-tenancy & authentication - the tenants and auth SPIs, then key, OIDC, SAML, and SCIM.
- Publish-through forwarding - the transport SPI and its implementations.
- Migration & import - the import-source SPI, then the Nexus, Artifactory, and Jenesis importers.
- Observability - metrics and tracing.
- The console - the web UI and its contribution seams.
- Configuration reference - every setting in one place.