Regixo docs
Data catalog · engineer

Keep it current

Schemas drift, so your data catalog has to keep up. This page shows how to re-scan on a schedule, read exactly what changed, and never let the map go stale in silence. If you also keep the optional EU compliance record, the same loop flags what needs re-signing and pulls your compliance team's work back home — that part is under its own marked section at the end.

▤ In the dashboard

Two screens keep you oriented. What changed is a dated timeline of what moved; when a signed record has drifted it shows a gold Review & re-sign → banner. Settings → Keep it current lists each source's last-scanned age and hands you a copy-ready GitHub Actions snippet, with a cron fallback below it. A tour: the free portal tour.

The dashboard can help you schedule regixo watch, but it can't run a scan itself — a scan is a command: your coding agent runs it in the project shell, or you do, or CI does.

✦ A connected assistant

A different surface. An assistant registered against the read-only regixo mcp server reads the change log (get_changes) and how stale each source is (get_provenance). To have an agent run the re-scan, ask your coding agent — that is regixo watch, below. See Use an AI agent.

The dashboard gathers all of this on one screen. Settings runs down a section nav — Mode · Connections · DORA scope · Keep it current · About this install — and Keep it current is the one that matters here: every source with the age of its last scan, a copy-ready GitHub Actions recipe pre-filled with the env vars your regixo.yml names, and — folded under it — a cron one-liner for when there is no CI. It is honest about what it is: Regixo can't schedule itself.

what you’ll see — Settings › Keep it current: the last-scan age of every source (3 of 10 here), the CI recipe, and the cron fallback under it
Regixo data catalog · free & local

Settings

Keep it current

Regixo can’t schedule itself — your scheduler runs regixo watch, which re-scans your sources, updates the map, the record and the change log, then exits.

app-dbPostgres · last scanned 28h ago
bigqueryBigQuery · last scanned 28h ago
ecommerce-loyaltyManual import · last scanned 4 days ago
Recommended

Scheduled CI

A scheduled CI job re-scans every weekday morning, whether or not this machine is on. Add this workflow to your repository:

name: regixo watch
on:
  schedule:
    - cron: '0 6 * * 1-5' # weekday mornings — tune to your change rate
jobs:
  watch:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npx regixo watch
        env: # from your regixo.yml — set these as repository secrets
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
          BIGQUERY_URL: ${{ secrets.BIGQUERY_URL }}
          HUBSPOT_TOKEN: ${{ secrets.HUBSPOT_TOKEN }}
          MYSQL_URL: ${{ secrets.MYSQL_URL }}
          SNOWFLAKE_URL: ${{ secrets.SNOWFLAKE_URL }}
          SQLSERVER_URL: ${{ secrets.SQLSERVER_URL }}
          STRIPE_API_KEY: ${{ secrets.STRIPE_API_KEY }}

The full recipe ships in the Regixo repo: examples/github-actions/regixo-watch.yml — it adds the change summary and the re-sign warning.

No CI? Run it from this machine

One line in your crontab (crontab -e):

say

“Schedule Regixo to re-scan my data automatically and tell me when something changes.”

Show the commandHide the commandShow the sentenceHide the sentence
run

Runs only while this machine is awake.

Re-scan on demand — regixo watch

One run re-scans your sources, appends the change log, re-drafts the RoPA (and the DORA register, if it's in scope), and reports which sources are getting stale.

say

“Re-scan my data with Regixo and tell me what changed since last time.”

Show the commandHide the commandShow the sentenceHide the sentence
run
$ regixo watch
then

It re-scans once, then exits. regixo watch is not a daemon — it does not keep running in the background, and nothing schedules it for you. It updates the map, the paperwork and the change log, and stops.

Check it worked: it prints what moved — added, removed, reclassified. If a core field of a signed activity moved, it says so, and that record needs re-signing by a person. To have it run on a schedule you need CI or cron; the recipe is below.

Show what it prints in the terminalHide the terminal outputShow what your agent reportsHide what your agent reports
example output
▸ This checks for changes ONCE and then stops — it does not keep running in the background.
12 change(s): 3 column(s) added, 1 removed; appended to the change log.
review suggested for: Billing & payments (core fields changed; sign in the portal to make it official).
↳ re-draft written · view the changes:  regixo log
Not a daemon regixo watch checks once and exits — it does not run in the background. To keep the map current you run it again, which is what a schedule is for (below). This keeps it safe to call from CI or cron with no lingering process.

Run it on a schedule

Add --ci and the run prints a markdown summary to stdout (pipe it into a CI step summary) and signals a core-field change through its exit code, so a pipeline can block or warn on a merge. There's a ready-made recipe at examples/github-actions/regixo-watch.yml; the load-bearing step is:

.github/workflows/regixo-watch.yml (excerpt)
- name: Re-scan and summarise what changed
  env:
    DATABASE_URL: ${{ secrets.DATABASE_URL }}   # the env var(s) your regixo.yml names
  run: |
    set +e
    npx regixo watch --ci >> "$GITHUB_STEP_SUMMARY"
    code=$?
    set -e
    if [ "$code" -eq 3 ]; then
      echo "::warning::Core RoPA fields changed — review and re-sign if the record is sealed."
    elif [ "$code" -ne 0 ]; then
      exit "$code"
    fi

The exit code is the contract:

ExitMeaningWhen
0Clean — re-scan finished.Both modes.
1A paired cloud sync failed (the local re-scan still completed).Both modes.
3A core RoPA field changed — a signed record would need re-signing.Only under --ci.

Plain regixo watch keeps the historic 0/1 contract, so an existing cron job never breaks. Exit 3 exists only under --ci, where a script is watching for it.

No CI? A crontab entry does the same job — hourly here:

crontab -e (hourly)
0 * * * *  cd /path/to/your/app && regixo watch

To notify another system on every run, POST the change summary to a URL. The egress is announced first and honestly scoped — dataset and column names plus change kinds only, never row values — and a delivery failure is a warning that never fails the local run:

say

“When Regixo re-scans, post what changed to our webhook.”

Show the commandHide the commandShow the sentenceHide the sentence
run
$ regixo watch --webhook https://hooks.example.com/regixo

--json works on every mode for machine-readable output.

Read the change log — regixo log

The change log is append-only — a dated record of what moved in the map, and when. It's part of your evidence trail. Newest first:

say

“Show me what’s changed in my Regixo catalog over time.”

Show the commandHide the commandShow the sentenceHide the sentence
run
$ regixo log
then

The running history of your data — what changed, when, and what kind of change it was.

Check it worked: this is the feed you hand an auditor, so it is worth a look after any big migration. Nothing here is inferred — every row is something a scan actually observed.

Show what it prints in the terminalHide the terminal outputShow what your agent reportsHide what your agent reports
example output
Change log (4 most recent, last watched 2 hours ago):
  2 hours ago       added              column:app-db/public/orders.refund_reason
  2 hours ago       core-field-changed activity:billing  retention: 24 months → 36 months
  yesterday         removed            column:app-db/public/users.legacy_ip
  3 days ago        metadata-refresh   activity:analytics

Narrow the window with --since (an ISO timestamp) and cap the rows with --limit:

say

“Show me the 20 most recent changes Regixo recorded since the 1st of July.”

Show the commandHide the commandShow the sentenceHide the sentence
run
$ regixo log --since 2026-07-01T00:00:00Z --limit 20

The same history renders in the browser at /ui/changes, grouped by date.


Optional · EU compliance — from here on Everything below is only for EU companies that keep a signed GDPR RoPA or DORA record. If you use Regixo purely as a data catalog, you are done above — with the schedule in place, each run refreshes the map.

What counts as a change — and when you re-sign

Not every schema edit invalidates a signature. Regixo splits changes into two kinds:

The seven core fields that trigger a re-sign flag:

Regixo never re-signs for you A moved core field is flagged, never re-signed automatically — re-signing is a human act in the portal (Hard Rule #4). A metadata-only change is not a re-sign at all: the signature stands and the change just lands in the log. The full re-sign flow, and what the compliance team sees, is in Unlock, sign & maintain.

Bring the team's work home — dora pull & seal pull

The handoff is a round trip. Your compliance team fills legal and DORA fields on the forwarded claim link, and signs there. Two commands bring their work back to your machine. In both, the claim token is the capability — the same secret your regixo invite link carried.

Pull the filled-in fields

regixo dora pull fetches the RoPA legal fields and DORA cells your team entered and merges them with eyes — a per-field diff, and it skips a field where your local answer is newer (never a blind overwrite). Preview with --dry-run; take the claim side on a conflict with --force:

say

“Pull the answers our compliance team filled in on the forwarded link back into my local Regixo catalog.”

Show the commandHide the commandShow the sentenceHide the sentence
run
$ regixo dora pull clm_7f3a9c2e4b1d8056
then

The answers your compliance team filled in on the forwarded link, merged into your local draft. A field they confirmed is carried as confirmed — never re-derived, never fabricated.

Check it worked: it reports how many merged and how many were skipped (already merged, or your local copy is newer). If it says anything else — or nothing — check for yourself with regixo dora status.

Show what it prints in the terminalHide the terminal outputShow what your agent reportsHide what your agent reports
example output
 merged 5 fills from claim clm_7f3a9c2e4b1d8056 · 2 skipped (already merged or local is newer).
↳ see them:  regixo dora status   ·   regixo annotate list

A field your team confirmed is carried as confirmed, never fabricated — that was a human approver's decision on the portal, and the pull only transports it (Hard Rule #4).

Pull the signed seal

Once the team has signed and sealed, regixo seal pull checks the claim's status and, when it's sealed, downloads the official artifacts — the PDF, the record JSON, the attestation and the offline verifier — into <data-dir>/remote-seal/, so you hold the evidence locally:

say

“Pull our signed, sealed record from the portal onto this machine.”

Show the commandHide the commandShow the sentenceHide the sentence
run
$ regixo seal pull clm_7f3a9c2e4b1d8056
then

The sealed record comes home: the official PDF, the record, and the attestation, so the proof lives next to the source it describes.

Check it worked: it names who signed it and when. Not signed yet? It says so, and changes nothing — that is not a failure, it means your compliance team hasn't got there.

Show what it prints in the terminalHide the terminal outputShow what your agent reportsHide what your agent reports
example output
 pulled 4/4 sealed artifact(s) → .regixo/remote-seal
  signed & sealed by Anna Kessler (Data Protection Officer, Northwind Data BV) on 2026-07-03 · valid until 2027-07-03
  verify offline:  node .regixo/remote-seal/verify-attestation.mjs

If the record isn't signed yet, the command says so plainly and exits without error — "not yet" is a normal answer. Nothing is ever overwritten blindly.

Next That's the engineer's loop. To see it from the other side — how the compliance team reads, fills and signs the record you forwarded — continue to Understand the record.
REGIXO — documentation · a core-field change is flagged, never re-signed for you · Command reference