diff --git a/client/realms/docker.go b/client/realms/docker.go new file mode 100644 index 00000000..887e4f24 --- /dev/null +++ b/client/realms/docker.go @@ -0,0 +1,69 @@ +// Package realms exposes the canonical set of Docker realm patterns that +// clients use to scope secret queries. +// +// A realm is a path-pattern contract - not a permission boundary. Clients use +// realms to declare which set of secrets they care about (e.g. Hub auth, +// registry auth, MCP OAuth). Once a realm is established its pattern MUST NOT +// change; clients may pin to a realm and treat it as a stable interface. +// +// The Docker realm hierarchy is: +// +// docker/ – all Docker secrets +// docker/auth/hub/** – Docker Hub authentication (OAuth login) +// docker/auth/hub-staging/** – Docker Hub staging authentication +// docker/auth/registry/docker/** – Docker Registry authentication +// docker/auth/metadata/hub/** – metadata for the default Hub user +// docker/mcp/** – MCP-related secrets +// docker/mcp/oauth/** – MCP OAuth credentials +// docker/mcp/oauth-dcr/** – MCP Dynamic Client Registration configs +// docker/sandbox/** – Sandbox-related secrets +// docker/sandbox/oauth/** – Sandbox third-party OAuth tokens +// +// All variables in this package are re-exported from +// github.com/docker/secrets-engine/x/realms and are provided here as a +// stable, versioned surface for external consumers. +package realms + +import xrealms "github.com/docker/secrets-engine/x/realms" + +// Docker realms all start with `docker/` as the prefix. +// +// Authentication flows done by the Docker CLI, Docker Desktop and Docker related +// products must go through `docker/auth`. +// +// Docker Hub authentication (browser based OAuth login) will be prefixed +// with `docker/auth/hub/`. +// +// Docker Registry authentication will be prefixed with +// `docker/auth/registry/docker/`. +var ( + DockerHubAuthentication = xrealms.DockerHubAuthentication + DockerHubStagingAuthentication = xrealms.DockerHubStagingAuthentication + DockerRegistryAuthentication = xrealms.DockerRegistryAuthentication + DockerRegistryStagingAuthentication = xrealms.DockerRegistryStagingAuthentication +) + +var ( + // DockerHubAuthenticationMetadata is a pointer to the default user signed in to Docker + DockerHubAuthenticationMetadata = xrealms.DockerHubAuthenticationMetadata + // DockerHubStagingAuthenticationMetadata is a pointer to the default staging user signed in to Docker + DockerHubStagingAuthenticationMetadata = xrealms.DockerHubStagingAuthenticationMetadata +) + +var ( + // DockerMCPDefault is the default realm used for MCP related secrets + DockerMCPDefault = xrealms.DockerMCPDefault + // DockerMCPOAuth is the realm used for all MCP OAuth credentials retrieved by Docker. + DockerMCPOAuth = xrealms.DockerMCPOAuth + // DockerMCPOAuthDCR is the realm used to hold Dynamic Client Registered (DCR) + // OAuth configurations for supported MCP servers. + DockerMCPOAuthDCR = xrealms.DockerMCPOAuthDCR +) + +var ( + // DockerSandbox is the default realm used for Sandbox related secrets + DockerSandbox = xrealms.DockerSandbox + // DockerSandboxOAuth is the realm used for all Sandbox OAuth credentials + // such as third-party tokens - this does not store the Docker Auth tokens. + DockerSandboxOAuth = xrealms.DockerSandboxOAuth +)