Add Docker config authentication for OCI registry pulls

[Copilot]

Wassette hardcoded RegistryAuth::Anonymous for all OCI registry pulls, preventing access to private registries.

Changes

New oci_auth module (crates/wassette/src/oci_auth.rs)

• get_registry_auth() reads Docker config from standard locations ($DOCKER_CONFIG/config.json, ~/.docker/config.json)
• Uses docker_credential crate for credential extraction
• Falls back to Anonymous when config missing or credentials not found
• Handles base64-encoded auth, registry matching, identity tokens (with fallback)

Updated OCI pull flow

• loader.rs: Calls get_registry_auth() before pulls, passes auth to both single-layer (oci-wasm) and multi-layer paths
• oci_multi_layer.rs: All functions now accept &RegistryAuth parameter

Example usage:

// Before: hardcoded Anonymous
let result = wasm_client.pull(&reference, &RegistryAuth::Anonymous).await;

// After: reads from Docker config
let auth = get_registry_auth(&reference)?;
let result = wasm_client.pull(&reference, &auth).await;

Testing

• 5 new unit tests verify config parsing, credential extraction, fallback behavior
• All 97 existing tests pass (backward compatible)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• registry.mcpsearchtool.com
  • Triggering command: /home/REDACTED/work/wassette/wassette/target/debug/deps/oci_integration_test-644033edc17adf35 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[subtask] [Subtask 1/4] Add OCI authentication infrastructure and Docker config support</issue_title>
<issue_description>Parent Issue: #559

Objective

Implement Docker config file authentication support for OCI component loading, providing the foundation for private registry access.

Context

Currently, Wassette hardcodes RegistryAuth::Anonymous when pulling components from OCI registries (see crates/wassette/src/loader.rs:206 and crates/wassette/src/oci_multi_layer.rs:110). This prevents loading components from private registries that require authentication.

The oci-client crate (v0.15) already supports various authentication methods including reading Docker config files (~/.docker/config.json), which is the standard way container tools authenticate to registries.

Implementation Details

Files to Modify

1. crates/wassette/src/loader.rs:

   • Add function fn get_registry_auth(reference: &Reference) -> Result(RegistryAuth)
   • This should read ~/.docker/config.json and extract credentials for the registry
   • Update line 206 to use get_registry_auth(&reference)? instead of RegistryAuth::Anonymous
   • Update line 238-239 (multi-layer path) to pass auth through

2. crates/wassette/src/oci_multi_layer.rs:

   • Update pull_multi_layer_artifact_with_progress() signature to accept auth: &RegistryAuth parameter
   • Change line 110 from hardcoded Anonymous to use the passed auth parameter
   • Update line 118 to pass auth to pull_manifest()

3. Add new module crates/wassette/src/oci_auth.rs:

   • Create a new file for OCI authentication logic
   • Implement Docker config parsing using the oci_client::secrets module
   • Handle missing config file gracefully (fall back to Anonymous)
   • Add proper error context for authentication failures

Key Implementation Notes

• Use oci_client::secrets::RegistryAuth::from_docker_config() or similar
• Look for Docker config at:
  • $DOCKER_CONFIG/config.json (if env var set)
  • ~/.docker/config.json (standard location)
• Parse the auths section to find credentials for the registry
• Handle base64-encoded auth strings in the config file
• Fall back to Anonymous if no credentials found (backward compatibility)

Acceptance Criteria

• get_registry_auth() function reads Docker config file successfully
• Credentials are extracted correctly for matching registries
• Authentication is passed through both single-layer and multi-layer OCI pulls
• Missing Docker config file falls back to Anonymous without error
• Invalid credentials produce clear error messages
• Tests added for Docker config parsing
• Existing anonymous pulls continue to work

Testing Strategy

1. Unit tests in oci_auth.rs:

   • Test Docker config parsing with sample config files
   • Test fallback to Anonymous when config missing
   • Test registry matching logic

2. Integration tests:

   • Test loading from public registry (anonymous) still works
   • Manual test with a private registry using Docker config

Dependencies

None - this is the foundation subtask.

Implementation Guidance

Reference the oci-client documentation for RegistryAuth usage. The crate already handles Docker config parsing - we just need to integrate it.

Example Docker config structure:

{
  "auths": {
    "ghcr.io": {
      "auth": "base64encodedcredentials"
    }
  }
}

Related to #559

AI generated by Plan for #559</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [subtask] [Subtask 1/4] Add OCI authentication infrastructure and Docker config support #561

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[Copilot]

Pull Request Overview

This PR adds Docker config authentication support for OCI registry pulls, enabling Wassette to access private registries. The implementation reads credentials from standard Docker config locations and falls back gracefully to anonymous access when credentials are not found.

Key Changes:

• New oci_auth module with get_registry_auth() function that reads Docker config files
• Updated OCI pull flow to use authentication for both single-layer and multi-layer artifacts
• Added 5 unit tests for config parsing, credential extraction, and fallback behavior

Reviewed Changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
crates/wassette/src/oci_auth.rs	New authentication module implementing Docker config parsing with docker_credential crate
crates/wassette/src/loader.rs	Updated to call get_registry_auth() before OCI pulls and pass auth to both pull paths
crates/wassette/src/oci_multi_layer.rs	All functions updated to accept auth parameter instead of hardcoded Anonymous
crates/wassette/src/lib.rs	Exposed oci_auth module as public API
crates/wassette/Cargo.toml	Added docker_credential 1.3 dependency
tests/oci_integration_test.rs	Updated test to pass auth parameter to multi-layer pull function
Cargo.lock	Dependency lock file updated with new docker_credential crate

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.