You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The OCI 1.1 Referrers API requires registry support. Per ADR adr_oci_referrers_signing_v1.md, OCX is referrers-only: there is no tag-schema fallback and none will be added (cosign >= 3.0 defaults to referrers mode; pre-3.0 compat is explicitly dropped). That makes the user-visible error on an unsupported registry the entire UX for this failure mode — it must be clear, cached, and cheap.
The detection design is already shipped.crates/ocx_lib/src/oci/referrer/capability.rs implements it per ADR Amendment 3:
Lazy probe: GET /v2/{name}/referrers/{digest}, mapping ClientError::ReferrersUnsupported.
Cache: $OCX_HOME/state/referrers/<registry_slug>.json, written via atomic rename, 6h TTL.
Unsupported registry maps to exit code 84.
This issue is the remaining wiring, not the design. (Earlier drafts of this issue described a /v2/_catalog header probe, a capabilities.toml cache, and a 24h TTL — none of that exists or will; this body supersedes it.)
What
Consult the capability cache in SignPipeline and VerifyPipeline before any referrers operation (the no_cache seam already exists in capability.rs).
Finalize the user-facing error text; baseline: registry <host> does not support OCI Referrers API (requires OCI Distribution 1.1+). Supply-chain commands unavailable for this registry. Exit code 84.
Probe-digest caveat: some registries return 400 on a synthetic all-zero digest — probe with the real subject digest of the operation, never a fabricated one.
Acceptance criteria
test/tests/test_referrers_capability.py: ocx package sign / ocx package verify against a stubbed registry returning 404 on the referrers endpoint → error text above, exit 84, no retry storm.
Cached capability is used on subsequent invocations within the 6h TTL (no second probe request observed).
No tag fallback anywhere in the code path; failure is terminal.
Sequencing
After #194 lands its first end-to-end slice — until then ocx package sign/verify exit 78 before reaching this error surface, so the wiring is untestable.
Part of #24.
Why
The OCI 1.1 Referrers API requires registry support. Per ADR
adr_oci_referrers_signing_v1.md, OCX is referrers-only: there is no tag-schema fallback and none will be added (cosign >= 3.0 defaults to referrers mode; pre-3.0 compat is explicitly dropped). That makes the user-visible error on an unsupported registry the entire UX for this failure mode — it must be clear, cached, and cheap.The detection design is already shipped.
crates/ocx_lib/src/oci/referrer/capability.rsimplements it per ADR Amendment 3:GET /v2/{name}/referrers/{digest}, mappingClientError::ReferrersUnsupported.$OCX_HOME/state/referrers/<registry_slug>.json, written via atomic rename, 6h TTL.This issue is the remaining wiring, not the design. (Earlier drafts of this issue described a
/v2/_catalogheader probe, acapabilities.tomlcache, and a 24h TTL — none of that exists or will; this body supersedes it.)What
SignPipelineandVerifyPipelinebefore any referrers operation (theno_cacheseam already exists incapability.rs).registry <host> does not support OCI Referrers API (requires OCI Distribution 1.1+). Supply-chain commands unavailable for this registry.Exit code 84.Acceptance criteria
test/tests/test_referrers_capability.py:ocx package sign/ocx package verifyagainst a stubbed registry returning 404 on the referrers endpoint → error text above, exit 84, no retry storm.registry:2negative fixture from Acceptance harness: referrers-capable registry (registry:3 or zot) #195 (a real registry without the Referrers API) → same clean error.Sequencing
After #194 lands its first end-to-end slice — until then
ocx package sign/verifyexit 78 before reaching this error surface, so the wiring is untestable.References
adr_oci_referrers_signing_v1.md, Amendment 3.crates/ocx_lib/src/oci/referrer/capability.rs(shipped detection + cache).