{
  "slug": "code/registry",
  "title": "Code Registry",
  "description": "Use Cuitty Code Registry for npm, Cargo, OCI, and PyPI packages.",
  "url": "https://cuitty.com/docs/code/registry",
  "markdown_url": "https://cuitty.com/docs/code/registry.md",
  "json_url": "https://cuitty.com/docs/code/registry.json",
  "frontmatter": {
    "title": "Code Registry",
    "description": "Use Cuitty Code Registry for npm, Cargo, OCI, and PyPI packages.",
    "order": 20,
    "section": "Code",
    "updatedAt": "2026-05-24"
  },
  "headings": [
    {
      "depth": 2,
      "slug": "required-services",
      "text": "Required services"
    },
    {
      "depth": 2,
      "slug": "environment-variables",
      "text": "Environment variables"
    },
    {
      "depth": 2,
      "slug": "permissions-model",
      "text": "Permissions model"
    },
    {
      "depth": 2,
      "slug": "npm",
      "text": "npm"
    },
    {
      "depth": 2,
      "slug": "cargo",
      "text": "Cargo"
    },
    {
      "depth": 2,
      "slug": "pypi",
      "text": "PyPI"
    },
    {
      "depth": 2,
      "slug": "docker-and-oci",
      "text": "Docker and OCI"
    },
    {
      "depth": 2,
      "slug": "common-workflows",
      "text": "Common workflows"
    },
    {
      "depth": 2,
      "slug": "failure-modes-and-recovery",
      "text": "Failure modes and recovery"
    },
    {
      "depth": 2,
      "slug": "related-pages",
      "text": "Related pages"
    }
  ],
  "body_markdown": "Cuitty Code Registry stores packages and artifacts owned by Cuitty users and organizations. It uses the same users, organizations, slugs, teams, apps, audit logs, and SpiceDB permissions as repositories.\n\nPackages default to private. Moving a package to organization or public visibility requires an explicit Cuitty visibility change and audit event.\n\n## Required services\n\n- Cuitty Git API for package metadata and protocol endpoints.\n- Database for package records, versions, dist tags, visibility, ownership, and artifact references.\n- SpiceDB for namespace, package, publish, install, and view permissions.\n- Registry artifact storage for tarballs, crates, wheels, and image layers.\n- Airflow for publish validation, scans, provenance, index updates, and replication when enabled.\n- Optional object storage for larger deployments.\n\n## Environment variables\n\n```bash\nPUBLIC_API_URL=http://localhost:4351\nAUTH_ISSUER=http://localhost:7705\nAUTH_CLIENT_ID=cuitty-git\nSPICEDB_ENDPOINT=http://localhost:50051\nSPICEDB_PRESHARED_KEY=dev-secret\nAIRFLOW_URL=http://localhost:8080\nREGISTRY_STORAGE_URL=file:///var/lib/cuitty/registry\n```\n\n## Permissions model\n\nRegistry namespaces and packages have separate relationships. Namespace owners can administer the namespace and publish packages. Package owners and package maintainers can manage package metadata and versions. Public and organization visibility map to explicit SpiceDB relationships, and unauthorized callers may receive `404` for private packages.\n\n## npm\n\nUse the npm endpoint for scoped and unscoped package metadata, publish, and tarball download:\n\n```bash\nnpm config set @acme:registry http://localhost:4351/api/v1/npm/\nnpm login --registry http://localhost:4351/api/v1/npm/\nnpm publish --registry http://localhost:4351/api/v1/npm/\nnpm install @acme/button --registry http://localhost:4351/api/v1/npm/\n```\n\nFor scoped packages, the npm scope must match the Cuitty owner namespace. For example, `@acme/button` must publish under the `acme` owner.\n\n## Cargo\n\nConfigure a sparse registry:\n\n```toml\n[registries.cuitty]\nindex = \"sparse+http://localhost:4351/api/v1/cargo/index/\"\n```\n\nThen publish or install with:\n\n```bash\ncargo publish --registry cuitty\ncargo add package-name --registry cuitty\n```\n\n## PyPI\n\nUpload with Twine and install from the simple index:\n\n```bash\ntwine upload --repository-url http://localhost:4351/api/v1/pypi/ dist/*\npip install --index-url http://localhost:4351/api/v1/pypi/simple/ package-name\n```\n\nPackage names should be normalized consistently between upload metadata, simple index pages, and install URLs.\n\n## Docker and OCI\n\nPush images through the registry host:\n\n```bash\ndocker login localhost:4351\ndocker tag image localhost:4351/acme/image:tag\ndocker push localhost:4351/acme/image:tag\ndocker pull localhost:4351/acme/image:tag\n```\n\nOperators should decide whether tags are mutable, immutable, or protected by policy before opening production pushes.\n\n## Common workflows\n\n1. Create or claim a registry namespace for a user or organization.\n2. Publish a package version through the native package manager.\n3. Store package metadata, files, checksums, and visibility.\n4. Update protocol indexes or tags.\n5. Install through the native package manager using the same registry URL.\n\n## Failure modes and recovery\n\n- `404` for a private package can be intentional when the caller lacks view permission.\n- `403` means the package exists but the caller is authenticated without the required permission.\n- Artifact storage failures can leave metadata and files out of sync; check API logs, package version records, and storage references before allowing new publishes.\n- Scope mismatch errors mean the package name does not match the target Cuitty owner namespace.\n\n## Related pages\n\n- [npm Packages](/docs/code/npm)\n- [Cargo Crates](/docs/code/cargo)\n- [PyPI Packages](/docs/code/pypi)\n- [OCI and Docker Images](/docs/code/oci)\n- [Authorization with SpiceDB](/docs/code/authz-spicedb)\n- [Operator runbook](/docs/code/operator-runbook)",
  "body_html": "<p>Cuitty Code Registry stores packages and artifacts owned by Cuitty users and organizations. It uses the same users, organizations, slugs, teams, apps, audit logs, and SpiceDB permissions as repositories.</p>\n<p>Packages default to private. Moving a package to organization or public visibility requires an explicit Cuitty visibility change and audit event.</p>\n<h2 id=\"required-services\">Required services</h2>\n<ul>\n<li>Cuitty Git API for package metadata and protocol endpoints.</li>\n<li>Database for package records, versions, dist tags, visibility, ownership, and artifact references.</li>\n<li>SpiceDB for namespace, package, publish, install, and view permissions.</li>\n<li>Registry artifact storage for tarballs, crates, wheels, and image layers.</li>\n<li>Airflow for publish validation, scans, provenance, index updates, and replication when enabled.</li>\n<li>Optional object storage for larger deployments.</li>\n</ul>\n<h2 id=\"environment-variables\">Environment variables</h2>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\"><code><span class=\"line\"><span style=\"color:#E1E4E8\">PUBLIC_API_URL</span><span style=\"color:#F97583\">=</span><span style=\"color:#9ECBFF\">http://localhost:4351</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">AUTH_ISSUER</span><span style=\"color:#F97583\">=</span><span style=\"color:#9ECBFF\">http://localhost:7705</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">AUTH_CLIENT_ID</span><span style=\"color:#F97583\">=</span><span style=\"color:#9ECBFF\">cuitty-git</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">SPICEDB_ENDPOINT</span><span style=\"color:#F97583\">=</span><span style=\"color:#9ECBFF\">http://localhost:50051</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">SPICEDB_PRESHARED_KEY</span><span style=\"color:#F97583\">=</span><span style=\"color:#9ECBFF\">dev-secret</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">AIRFLOW_URL</span><span style=\"color:#F97583\">=</span><span style=\"color:#9ECBFF\">http://localhost:8080</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">REGISTRY_STORAGE_URL</span><span style=\"color:#F97583\">=</span><span style=\"color:#9ECBFF\">file:///var/lib/cuitty/registry</span></span></code></pre>\n<h2 id=\"permissions-model\">Permissions model</h2>\n<p>Registry namespaces and packages have separate relationships. Namespace owners can administer the namespace and publish packages. Package owners and package maintainers can manage package metadata and versions. Public and organization visibility map to explicit SpiceDB relationships, and unauthorized callers may receive <code>404</code> for private packages.</p>\n<h2 id=\"npm\">npm</h2>\n<p>Use the npm endpoint for scoped and unscoped package metadata, publish, and tarball download:</p>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\"><code><span class=\"line\"><span style=\"color:#B392F0\">npm</span><span style=\"color:#9ECBFF\"> config</span><span style=\"color:#9ECBFF\"> set</span><span style=\"color:#9ECBFF\"> @acme:registry</span><span style=\"color:#9ECBFF\"> http://localhost:4351/api/v1/npm/</span></span>\n<span class=\"line\"><span style=\"color:#B392F0\">npm</span><span style=\"color:#9ECBFF\"> login</span><span style=\"color:#79B8FF\"> --registry</span><span style=\"color:#9ECBFF\"> http://localhost:4351/api/v1/npm/</span></span>\n<span class=\"line\"><span style=\"color:#B392F0\">npm</span><span style=\"color:#9ECBFF\"> publish</span><span style=\"color:#79B8FF\"> --registry</span><span style=\"color:#9ECBFF\"> http://localhost:4351/api/v1/npm/</span></span>\n<span class=\"line\"><span style=\"color:#B392F0\">npm</span><span style=\"color:#9ECBFF\"> install</span><span style=\"color:#9ECBFF\"> @acme/button</span><span style=\"color:#79B8FF\"> --registry</span><span style=\"color:#9ECBFF\"> http://localhost:4351/api/v1/npm/</span></span></code></pre>\n<p>For scoped packages, the npm scope must match the Cuitty owner namespace. For example, <code>@acme/button</code> must publish under the <code>acme</code> owner.</p>\n<h2 id=\"cargo\">Cargo</h2>\n<p>Configure a sparse registry:</p>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"toml\"><code><span class=\"line\"><span style=\"color:#E1E4E8\">[</span><span style=\"color:#B392F0\">registries</span><span style=\"color:#E1E4E8\">.</span><span style=\"color:#B392F0\">cuitty</span><span style=\"color:#E1E4E8\">]</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">index = </span><span style=\"color:#9ECBFF\">\"sparse+http://localhost:4351/api/v1/cargo/index/\"</span></span></code></pre>\n<p>Then publish or install with:</p>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\"><code><span class=\"line\"><span style=\"color:#B392F0\">cargo</span><span style=\"color:#9ECBFF\"> publish</span><span style=\"color:#79B8FF\"> --registry</span><span style=\"color:#9ECBFF\"> cuitty</span></span>\n<span class=\"line\"><span style=\"color:#B392F0\">cargo</span><span style=\"color:#9ECBFF\"> add</span><span style=\"color:#9ECBFF\"> package-name</span><span style=\"color:#79B8FF\"> --registry</span><span style=\"color:#9ECBFF\"> cuitty</span></span></code></pre>\n<h2 id=\"pypi\">PyPI</h2>\n<p>Upload with Twine and install from the simple index:</p>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\"><code><span class=\"line\"><span style=\"color:#B392F0\">twine</span><span style=\"color:#9ECBFF\"> upload</span><span style=\"color:#79B8FF\"> --repository-url</span><span style=\"color:#9ECBFF\"> http://localhost:4351/api/v1/pypi/</span><span style=\"color:#9ECBFF\"> dist/</span><span style=\"color:#79B8FF\">*</span></span>\n<span class=\"line\"><span style=\"color:#B392F0\">pip</span><span style=\"color:#9ECBFF\"> install</span><span style=\"color:#79B8FF\"> --index-url</span><span style=\"color:#9ECBFF\"> http://localhost:4351/api/v1/pypi/simple/</span><span style=\"color:#9ECBFF\"> package-name</span></span></code></pre>\n<p>Package names should be normalized consistently between upload metadata, simple index pages, and install URLs.</p>\n<h2 id=\"docker-and-oci\">Docker and OCI</h2>\n<p>Push images through the registry host:</p>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\"><code><span class=\"line\"><span style=\"color:#B392F0\">docker</span><span style=\"color:#9ECBFF\"> login</span><span style=\"color:#9ECBFF\"> localhost:4351</span></span>\n<span class=\"line\"><span style=\"color:#B392F0\">docker</span><span style=\"color:#9ECBFF\"> tag</span><span style=\"color:#9ECBFF\"> image</span><span style=\"color:#9ECBFF\"> localhost:4351/acme/image:tag</span></span>\n<span class=\"line\"><span style=\"color:#B392F0\">docker</span><span style=\"color:#9ECBFF\"> push</span><span style=\"color:#9ECBFF\"> localhost:4351/acme/image:tag</span></span>\n<span class=\"line\"><span style=\"color:#B392F0\">docker</span><span style=\"color:#9ECBFF\"> pull</span><span style=\"color:#9ECBFF\"> localhost:4351/acme/image:tag</span></span></code></pre>\n<p>Operators should decide whether tags are mutable, immutable, or protected by policy before opening production pushes.</p>\n<h2 id=\"common-workflows\">Common workflows</h2>\n<ol>\n<li>Create or claim a registry namespace for a user or organization.</li>\n<li>Publish a package version through the native package manager.</li>\n<li>Store package metadata, files, checksums, and visibility.</li>\n<li>Update protocol indexes or tags.</li>\n<li>Install through the native package manager using the same registry URL.</li>\n</ol>\n<h2 id=\"failure-modes-and-recovery\">Failure modes and recovery</h2>\n<ul>\n<li><code>404</code> for a private package can be intentional when the caller lacks view permission.</li>\n<li><code>403</code> means the package exists but the caller is authenticated without the required permission.</li>\n<li>Artifact storage failures can leave metadata and files out of sync; check API logs, package version records, and storage references before allowing new publishes.</li>\n<li>Scope mismatch errors mean the package name does not match the target Cuitty owner namespace.</li>\n</ul>\n<h2 id=\"related-pages\">Related pages</h2>\n<ul>\n<li><a href=\"/docs/code/npm\">npm Packages</a></li>\n<li><a href=\"/docs/code/cargo\">Cargo Crates</a></li>\n<li><a href=\"/docs/code/pypi\">PyPI Packages</a></li>\n<li><a href=\"/docs/code/oci\">OCI and Docker Images</a></li>\n<li><a href=\"/docs/code/authz-spicedb\">Authorization with SpiceDB</a></li>\n<li><a href=\"/docs/code/operator-runbook\">Operator runbook</a></li>\n</ul>",
  "links_out": [
    "/docs/code/npm",
    "/docs/code/cargo",
    "/docs/code/pypi",
    "/docs/code/oci",
    "/docs/code/authz-spicedb",
    "/docs/code/operator-runbook"
  ]
}