[subtask] [Subtask 2/4] Add CLI flags for explicit OCI authentication credentials #562
Description
Parent Issue: #559
Objective
Add CLI flags to the component load command to support explicit authentication credentials for OCI registries.
Context
Building on Subtask 1 which implemented Docker config authentication, this subtask adds explicit CLI options for users to provide credentials directly via command-line flags or environment variables. This is useful in CI/CD environments or when Docker config is not available.
Implementation Details
Files to Modify
-
src/commands.rs(line 141-149):- Add new optional fields to
ComponentCommands::Load:Load { /// Path to the component ((redacted) or (redacted)) path: String, /// Directory where components are stored #[arg(long)] component_dir: Option(PathBuf), /// Registry username for OCI authentication #[arg(long, env = "OCI_REGISTRY_USER")] registry_user: Option(String), /// Registry password for OCI authentication (use --registry-password-stdin for better security) #[arg(long, env = "OCI_REGISTRY_PASSWORD")] registry_password: Option(String), /// Read registry password from stdin #[arg(long, conflicts_with = "registry_password")] registry_password_stdin: bool, }
- Add new optional fields to
-
src/cli_handlers.rs:- Update component load handler to extract auth flags
- Pass credentials to the lifecycle manager's load function
- Handle
--registry-password-stdinby reading from stdin
-
crates/mcp-server/src/components.rs(line 44-86):- Update
handle_load_component()to accept optional credentials - Pass credentials through to
lifecycle_manager.load_component()
- Update
-
crates/wassette/src/lib.rs(LifecycleManager):- Update
load_component()signature to accept optionalOciCredentialsstruct - Pass credentials to loader functions
- Update
-
crates/wassette/src/oci_auth.rs(from Subtask 1):- Add new function:
fn get_registry_auth_with_credentials(reference: &Reference, user: Option(String), password: Option(String)) -> Result(RegistryAuth) - Priority: explicit credentials > Docker config > Anonymous
- If both explicit creds and Docker config exist, use explicit creds
- Add new function:
Key Implementation Notes
- Use environment variables (
OCI_REGISTRY_USER,OCI_REGISTRY_PASSWORD) for CI/CD friendliness - Implement
--registry-password-stdinfor better security (avoids password in shell history) - Validate that username and password are both provided if one is specified
- Clear error message if credentials are invalid
- Consider adding
--insecure-skip-tls-verifyflag for development (optional)
Acceptance Criteria
-
--registry-userand--registry-passwordflags work for explicit auth -
--registry-password-stdinreads password securely from stdin - Environment variables
OCI_REGISTRY_USERandOCI_REGISTRY_PASSWORDwork - Explicit credentials take priority over Docker config
- Docker config still works as fallback (from Subtask 1)
- Clear error message when only username or password provided (not both)
- Tests added for CLI argument parsing
- Documentation updated in
--helpoutput
Testing Strategy
-
Unit tests:
- Test CLI argument parsing with various flag combinations
- Test precedence: explicit > Docker config > Anonymous
-
Integration tests:
- Test loading with explicit username/password
- Test loading with environment variables
- Test stdin password reading
- Test fallback behavior
-
Manual testing:
- Verify against a real private registry (e.g., private GHCR repo)
- Test error messages with invalid credentials
Dependencies
Depends on Subtask 1 being completed (Docker config support and oci_auth.rs module).
Example Usage
# Using flags
wassette component load (redacted) \
--registry-user myuser \
--registry-password mypass
# Using stdin for password
echo "mypassword" | wassette component load (redacted) \
--registry-user myuser \
--registry-password-stdin
# Using environment variables
export OCI_REGISTRY_USER=myuser
export OCI_REGISTRY_PASSWORD=mypass
wassette component load (redacted)
# Fallback to Docker config (Subtask 1)
wassette component load (redacted)Related to #559