autonomy registry seed
Replicate + verify a bundle into a destination registry, emitting a seed manifest
Synopsis
Seeds a destination (edge / air-gapped) registry from a source registry.
The flow, in order:
1. skopeo copy --all: replicate the image, preserving the multi-arch manifest list
2. (--copy-policy): replicate the <tag>-lock / <tag>-policy sidecars
3. resolve digests: pin the immutable source + destination digests
4. bundle verify (4-step): fail-closed signature/digest/fingerprint/semver verification of the destination (requires --pub-key, unless --skip-verify is given)
5. emit: seed-manifest.json + a digest-pinned seed.lock, into --out
Requires 'skopeo' on PATH (install: https://github.com/containers/skopeo).
Verification is fail-closed: you must pass --pub-key or explicitly --skip-verify.
Usage
autonomy registry seed --from <src-ref> --to <dst-ref> [flags]
Examples
# Seed from a tag, copying the lock/policy sidecars, verifying the result.
# --copy-policy needs tag-based --from/--to (it derives <tag>-lock/<tag>-policy).
autonomy registry seed \
  --from registry.upstream.example.com/robot-behavior:v1 \
  --to localhost:5000/robot-behavior:v1 \
  --copy-policy --pub-key ./cosign.pub --out ./seed

# Seed from an immutable digest (image only; --copy-policy is not valid with a
# digest source in Phase 1 — referrers-from-digest copy is a later phase).
autonomy registry seed \
  --from registry.upstream.example.com/robot-behavior@sha256:... \
  --to localhost:5000/robot-behavior:v1 \
  --pub-key ./cosign.pub --out ./seed

# Unsigned dev flow against two local insecure registries
autonomy registry seed \
  --from localhost:5001/demo:v1 --to localhost:5000/demo:v1 \
  --allow-insecure-registry --skip-verify
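A pre-flight check for the --copy-policy constraint noted in the examples above, added here as an illustration and not taken from the autonomy project's code: it rejects digest and untagged references and derives the two sidecar references. It assumes the sidecars sit in the same repository under the tags <tag>-lock and <tag>-policy; the function names ref_tag, sidecar_refs and preflight are hypothetical.

```shell
#!/bin/sh
# Added example (not project code). Assumption: sidecars are stored in the
# same repository as the image, tagged <tag>-lock and <tag>-policy.

# ref_tag REF: print the tag of REF; fail for digest or untagged references.
ref_tag() {
    ref=$1
    case $ref in
        *@*) return 1 ;;          # digest reference: no tag to derive from
    esac
    last=${ref##*/}               # final path component, e.g. "demo:v1"
    case $last in
        *:)  return 1 ;;          # trailing colon, empty tag
        *:*) ;;                   # tagged
        *)   return 1 ;;          # untagged; an earlier colon is a registry port
    esac
    printf '%s\n' "${last##*:}"
}

# sidecar_refs REF: print the lock and policy sidecar references, one per line.
sidecar_refs() {
    tag=$(ref_tag "$1") || return 1
    repo=${1%:*}                  # strip only the trailing ":tag", keep host:port
    printf '%s:%s-lock\n%s:%s-policy\n' "$repo" "$tag" "$repo" "$tag"
}

# preflight FROM TO: succeed only when both references are tag-based,
# which is what --copy-policy requires of --from and --to.
preflight() {
    for r in "$1" "$2"; do
        sidecar_refs "$r" >/dev/null || {
            echo "--copy-policy needs a tag-based reference, got: $r" >&2
            return 1
        }
    done
}
```

Running preflight on the --from and --to values before invoking the seed command catches a digest source early, before any copy starts.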
Options
--allow-insecure-registry   permit plain-HTTP registries (e.g. localhost)
--copy-policy               also replicate the <tag>-lock / <tag>-policy sidecars
--from string               source OCI reference (tag or digest); required
--out string                directory for seed-manifest.json + seed.lock (default ".")
--pub-key string            cosign public key (SPKI PEM) for fail-closed destination verification
--skip-verify               bypass destination verification (fail-open; dev only)
--to string                 destination OCI reference (tag); required
See also
autonomy registry - Seed and govern OCI registries for edge / air-gapped deployments