Code

Code Registry

Use Cuitty Code Registry for npm, Cargo, OCI, and PyPI packages.

Cuitty Code Registry stores packages and artifacts owned by Cuitty users and organizations. It uses the same users, organizations, slugs, teams, apps, audit logs, and SpiceDB permissions as repositories.

Packages default to private. Moving a package to organization or public visibility requires an explicit Cuitty visibility change and audit event.

Required services

Environment variables

PUBLIC_API_URL=http://localhost:4351
AUTH_ISSUER=http://localhost:7705
AUTH_CLIENT_ID=cuitty-git
SPICEDB_ENDPOINT=http://localhost:50051
SPICEDB_PRESHARED_KEY=dev-secret
AIRFLOW_URL=http://localhost:8080
REGISTRY_STORAGE_URL=file:///var/lib/cuitty/registry

Permissions model

Registry namespaces and packages have separate relationships. Namespace owners can administer the namespace and publish packages. Package owners and package maintainers can manage package metadata and versions. Public and organization visibility map to explicit SpiceDB relationships, and unauthorized callers may receive 404 for private packages.

npm

Use the npm endpoint for scoped and unscoped package metadata, publish, and tarball download:

npm config set @acme:registry http://localhost:4351/api/v1/npm/
npm login --registry http://localhost:4351/api/v1/npm/
npm publish --registry http://localhost:4351/api/v1/npm/
npm install @acme/button --registry http://localhost:4351/api/v1/npm/

For scoped packages, the npm scope must match the Cuitty owner namespace. For example, @acme/button must publish under the acme owner.

Cargo

Configure a sparse registry:

[registries.cuitty]
index = "sparse+http://localhost:4351/api/v1/cargo/index/"

Then publish or install with:

cargo publish --registry cuitty
cargo add package-name --registry cuitty

PyPI

Upload with Twine and install from the simple index:

twine upload --repository-url http://localhost:4351/api/v1/pypi/ dist/*
pip install --index-url http://localhost:4351/api/v1/pypi/simple/ package-name

Package names should be normalized consistently between upload metadata, simple index pages, and install URLs.

Docker and OCI

Push images through the registry host:

docker login localhost:4351
docker tag image localhost:4351/acme/image:tag
docker push localhost:4351/acme/image:tag
docker pull localhost:4351/acme/image:tag

Operators should decide whether tags are mutable, immutable, or protected by policy before opening production pushes.

Common workflows

  1. Create or claim a registry namespace for a user or organization.
  2. Publish a package version through the native package manager.
  3. Store package metadata, files, checksums, and visibility.
  4. Update protocol indexes or tags.
  5. Install through the native package manager using the same registry URL.

Failure modes and recovery