Access control
A public namespace serves anonymous pulls like any open registry. A private one checks the same security groups as the rest of Bosca. And for machines, a token can be narrowed until it can do exactly one thing.
Namespaces
The namespace is the unit of visibility and the unit of access — everything inside one answers to the same rules.
library for images, com.acme for Maven groups, @scope for npm.Group permissions
No registry user directory, no second set of accounts — grants pair a Bosca security group with an action on a namespace.
Scoped tokens
A registry token carries artifacts scopes — format, namespace and repository, version or tag pattern, and action — so a leaked CI credential is a small problem, not a master key.
artifacts:type:namespace/repository:version:action, with wildcards and globs at every level — every repo in a namespace, or only versions matching v3.*.pull, push, and admin — and push implies pull, so a publisher can read what it wrote.artifacts:pull, artifacts:push, artifacts:admin.docker login or npm login as the credential — the registry challenges and accepts it like any registry auth.# training may publish models artifacts:ml:model/*:*:push # agents may pull any library image artifacts:docker:library/*:*:pull # only 3.x of one package artifacts:npm:@acme/ui:v3.*:pull
Keep exploring
Six registry formats behind one namespace and permission model.
Docker, Helm, Maven, npm, ML models, and raw files — native protocols.
Content-addressed blobs, digest verification, reference-counted cleanup.
Publish events, CI requirement gates, ML model serving, and admin APIs.