autonomy policy fetch

Fetch a policy bundle from an OCI registry and cache it locally

Synopsis

Pulls the signed policy bundle attached to <oci-ref>, verifies the cosign
signature, extracts the bundle into the local cache at
$XDG_CACHE_HOME/autonomyops/policy (or --cache-dir), and prints the inspect
command that operates on the cached artifact.

Stale-tag aware: the cached entry's .digest sidecar is compared against the
resolved digest before deciding whether to pull. A moving tag (same ref,
new digest in the registry) is detected and the cache is auto-refreshed —
no --force needed. Pass --force to bypass the digest check and re-pull
even when the cached and resolved digests match.

Cache layout matches policy.NewCache().Store(...) so subsequent reads via
'autonomy policy cache --list' and 'autonomy policy inspect --dir <path>'
find the entry without further hints.

Usage

autonomy policy fetch <oci-ref> [flags]

Options

      --allow-insecure     Skip TLS and cosign verification (local dev only; do not use against production registries)
      --cache-dir string   Cache directory for the fetched bundle (default: $XDG_CACHE_HOME/autonomyops/policy)
      --force              Re-fetch even when the cached digest matches the resolved digest

See also

• autonomy policy — Manage policy bundles