[subtask] [Subtask 1/4] Add OCI authentication infrastructure and Docker config support #561

@github-actions

Parent Issue: #559

Objective

Implement Docker config file authentication support for OCI component loading, providing the foundation for private registry access.

Context

Currently, Wassette hardcodes RegistryAuth::Anonymous when pulling components from OCI registries (see crates/wassette/src/loader.rs:206 and crates/wassette/src/oci_multi_layer.rs:110). This prevents loading components from private registries that require authentication.

The oci-client crate (v0.15) already supports various authentication methods including reading Docker config files (~/.docker/config.json), which is the standard way container tools authenticate to registries.

Implementation Details

Files to Modify

  1. crates/wassette/src/loader.rs:

    • Add function fn get_registry_auth(reference: &Reference) -> Result<RegistryAuth>
    • This should read ~/.docker/config.json and extract credentials for the registry
    • Update line 206 to use get_registry_auth(&reference)? instead of RegistryAuth::Anonymous
    • Update line 238-239 (multi-layer path) to pass auth through
  2. crates/wassette/src/oci_multi_layer.rs:

    • Update pull_multi_layer_artifact_with_progress() signature to accept auth: &RegistryAuth parameter
    • Change line 110 from hardcoded Anonymous to use the passed auth parameter
    • Update line 118 to pass auth to pull_manifest()
  3. Add new module crates/wassette/src/oci_auth.rs:

    • Create a new file for OCI authentication logic
    • Implement Docker config parsing using the oci_client::secrets module
    • Handle missing config file gracefully (fall back to Anonymous)
    • Add proper error context for authentication failures

Key Implementation Notes

  • Use oci_client::secrets::RegistryAuth::from_docker_config() or similar
  • Look for Docker config at:
    • $DOCKER_CONFIG/config.json (if env var set)
    • ~/.docker/config.json (standard location)
  • Parse the auths section to find credentials for the registry
  • Handle base64-encoded auth strings in the config file
  • Fall back to Anonymous if no credentials found (backward compatibility)

Acceptance Criteria

  • get_registry_auth() function reads Docker config file successfully
  • Credentials are extracted correctly for matching registries
  • Authentication is passed through both single-layer and multi-layer OCI pulls
  • Missing Docker config file falls back to Anonymous without error
  • Invalid credentials produce clear error messages
  • Tests added for Docker config parsing
  • Existing anonymous pulls continue to work

Testing Strategy

  1. Unit tests in oci_auth.rs:

    • Test Docker config parsing with sample config files
    • Test fallback to Anonymous when config missing
    • Test registry matching logic
  2. Integration tests:

    • Test loading from public registry (anonymous) still works
    • Manual test with a private registry using Docker config

Dependencies

None - this is the foundation subtask.

Implementation Guidance

Reference the oci-client documentation for RegistryAuth usage. The crate already handles Docker config parsing - we just need to integrate it.

Example Docker config structure:

{
  "auths": {
    "ghcr.io": {
      "auth": "base64encodedcredentials"
    }
  }
}

Related to #559

AI generated by Plan for #559
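
An added sketch of the lookup order, base64 handling and Anonymous fallback described in the issue (example code, not Wassette's or oci-client's own). Assumptions: `Auth` is a local stand-in for `oci_client::secrets::RegistryAuth`, the `auths` map holds values already read from the config's `auths` section, the names `docker_config_path`, `b64_decode` and `auth_for` are hypothetical, and the sample credential is constructed.

```rust
use std::collections::HashMap;
use std::path::PathBuf;

// Local stand-in for oci_client::secrets::RegistryAuth (assumption: two variants suffice here).
#[derive(Debug, PartialEq)]
pub enum Auth { Anonymous, Basic(String, String) }

// $DOCKER_CONFIG/config.json wins when set; otherwise ~/.docker/config.json.
pub fn docker_config_path(docker_config: Option<&str>, home: Option<&str>) -> Option<PathBuf> {
    match (docker_config, home) {
        (Some(dir), _) if !dir.is_empty() => Some(PathBuf::from(dir).join("config.json")),
        (_, Some(h)) => Some(PathBuf::from(h).join(".docker").join("config.json")),
        _ => None,
    }
}

// Standard-alphabet base64 decoder (std only); rejects any character outside the alphabet.
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    const T: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in s.trim_end_matches('=').bytes() {
        acc = (acc << 6) | T.iter().position(|&t| t == c)? as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some(out)
}

// `auths` maps registry host -> base64 "auth" value taken from the config file.
pub fn auth_for(auths: &HashMap<String, String>, registry: &str) -> Result<Auth, String> {
    let encoded = match auths.get(registry) {
        Some(e) => e,
        None => return Ok(Auth::Anonymous), // no entry: anonymous pulls keep working
    };
    let bad = || format!("malformed auth entry for registry {}", registry); // never echoes the secret
    let raw = b64_decode(encoded).ok_or_else(&bad)?;
    let text = String::from_utf8(raw).map_err(|_| bad())?;
    let (user, pass) = text.split_once(':').ok_or_else(&bad)?; // first ':' only; passwords may contain ':'
    Ok(Auth::Basic(user.to_string(), pass.to_string()))
}

fn main() {
    // Constructed sample: base64("alice:s3cr:et"), not a real credential.
    let auths = HashMap::from([("ghcr.io".to_string(), "YWxpY2U6czNjcjpldA==".to_string())]);
    println!("{:?} {:?}", auth_for(&auths, "ghcr.io"), auth_for(&auths, "docker.io"));
}
```

A malformed entry returns an error instead of silently downgrading to Anonymous, which keeps the "invalid credentials produce clear error messages" criterion separate from the missing-entry fallback.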

Labels

enhancement (New feature or request), rust (Pull requests that update rust code)