atcr.io

v0.1.3
Published: May 9, 2026 License: MIT

README

ATCR - ATProto Container Registry

https://atcr.io

An OCI-compliant container registry that uses the AT Protocol for manifest storage and S3 for blob storage.

What is ATCR?

ATCR integrates container registries with the AT Protocol ecosystem. Container image manifests are stored as ATProto records in your Personal Data Server (PDS), while layers are stored in S3-compatible storage.

Image names use your ATProto identity:

atcr.io/alice.bsky.social/myapp:latest
atcr.io/did:plc:xyz123/myapp:latest
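
Because a DID contains colons, a reference parser cannot treat the first colon as the tag separator. The following is an added example, not ATCR's own code: the `Ref` type, `ParseRef`, and `Unpinned` are hypothetical names, and the default tag `latest` follows Docker's convention. It also reports which parts of a reference are mutable, since a handle or a tag can later point elsewhere while a DID and a digest cannot.

```go
package main

import (
	"fmt"
	"strings"
)

// Ref is a parsed ATCR image reference (names are this example's own).
type Ref struct {
	Identity, Repo, Tag, Digest string
	IsDID                       bool
}

// ParseRef splits "atcr.io/<identity>/<repo>[:tag][@digest]". A DID identity
// contains colons, so the tag separator is searched for only after it.
func ParseRef(s string) (Ref, error) {
	if !strings.HasPrefix(s, "atcr.io/") {
		return Ref{}, fmt.Errorf("not an atcr.io reference")
	}
	identity, path, _ := strings.Cut(strings.TrimPrefix(s, "atcr.io/"), "/")
	r := Ref{Identity: identity, IsDID: strings.HasPrefix(identity, "did:")}
	path, r.Digest, _ = strings.Cut(path, "@")
	if i := strings.LastIndex(path, ":"); i > strings.LastIndex(path, "/") {
		path, r.Tag = path[:i], path[i+1:]
	}
	if identity == "" || path == "" {
		return Ref{}, fmt.Errorf("expected atcr.io/<identity>/<repo>")
	}
	if r.Tag == "" && r.Digest == "" {
		r.Tag = "latest" // Docker's default when no tag or digest is given
	}
	r.Repo = path
	return r, nil
}

// Unpinned lists the parts of the reference that can later point elsewhere.
func (r Ref) Unpinned() (out []string) {
	if !r.IsDID {
		out = append(out, "handle") // a handle can be reassigned; a DID is stable
	}
	if r.Digest == "" {
		out = append(out, "tag") // a tag can be moved; a digest is content-addressed
	}
	return out
}

func main() {
	r, err := ParseRef("atcr.io/did:plc:xyz123/myapp:latest") // name from the page
	fmt.Println(r, r.Unpinned(), err)
}
```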

Architecture

Three components:

  1. AppView - Registry API + web UI

    • Serves OCI Distribution API (Docker push/pull)
    • Resolves handles/DIDs to PDS endpoints
    • Routes manifests to user's PDS, blobs to hold services
    • Web interface for browsing/search
  2. Hold Service - Storage service with embedded PDS (optional BYOS)

    • Each hold has a full ATProto PDS for access control (captain + crew records)
    • Identified by did:web (e.g., did:web:hold01.atcr.io)
    • Generates presigned URLs for S3/Storj/Minio/etc.
    • Users can deploy their own storage and control access via crew membership
  3. Credential Helper - Client authentication

    • ATProto OAuth (DPoP handled transparently)
    • Automatic authentication on first push/pull

Storage model:

  • Manifests → ATProto records in user's PDS (small JSON, includes holdDid reference)
  • Blobs → Hold services via XRPC multipart upload (large binaries, stored in S3/etc.)
  • AppView uses service tokens to communicate with holds on behalf of users

Features

  • OCI-compliant - Works with Docker, containerd, podman
  • Decentralized - You own your manifest data via your PDS
  • ATProto OAuth - Secure authentication (DPoP-compliant)
  • BYOS - Deploy your own storage service
  • Web UI - Browse, search, star repositories
  • Multi-backend - S3, Storj, Minio, Azure, GCS, filesystem

Quick Start

Using the Registry

1. Install credential helper:

curl -fsSL https://atcr.io/static/install.sh | bash

2. Configure Docker (add to ~/.docker/config.json):

{
  "credHelpers": {
    "atcr.io": "atcr"
  }
}

3. Push/pull images:

docker tag myapp:latest atcr.io/yourhandle/myapp:latest
docker push atcr.io/yourhandle/myapp:latest  # Authenticates automatically
docker pull atcr.io/yourhandle/myapp:latest

See INSTALLATION.md for detailed installation instructions.
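
After step 2 it is worth confirming that Docker really routes atcr.io to the helper and that no static credential for it remains in `config.json`. The following check is an added example, not part of ATCR: `AuditConfig` is a hypothetical helper, the sample config is constructed, and the `auths` and `credHelpers` keys are Docker's standard config fields.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// dockerConfig keeps the config.json fields that decide where Docker looks
// for a registry's credentials.
type dockerConfig struct {
	Auths map[string]struct {
		Auth string `json:"auth"`
	} `json:"auths"`
	CredHelpers map[string]string `json:"credHelpers"`
}

// AuditConfig (hypothetical helper) reports problems with how one registry
// is wired to its credential helper.
func AuditConfig(raw []byte, registry, helper string) ([]string, error) {
	var c dockerConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("config.json: %w", err)
	}
	var findings []string
	if got, ok := c.CredHelpers[registry]; !ok {
		findings = append(findings, "no credHelpers entry for "+registry)
	} else if got != helper {
		findings = append(findings, "credHelpers points at docker-credential-"+got)
	}
	// A non-empty auths[registry].auth is a base64 user:password kept on disk,
	// typically left over from a docker login made before the helper was set.
	if a, ok := c.Auths[registry]; ok && a.Auth != "" {
		findings = append(findings, "static credential in auths for "+registry)
	}
	return findings, nil
}

func main() {
	// Constructed sample: the page's snippet plus a stale auths entry.
	sample := []byte(`{"auths":{"atcr.io":{"auth":"Y29uc3RydWN0ZWQ6c2FtcGxl"}},
		"credHelpers":{"atcr.io":"atcr"}}`)
	fmt.Println(AuditConfig(sample, "atcr.io", "atcr"))
}
```

An empty `auths` entry for the registry (`"atcr.io": {}`) is normal when a helper is in use and is not reported.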

Running Your Own AppView

# Build
go build -o bin/atcr-appview ./cmd/appview

# Generate a config file with all defaults
./bin/atcr-appview config init config-appview.yaml
# Edit config-appview.yaml — set server.default_hold_did at minimum

# Run
./bin/atcr-appview serve --config config-appview.yaml

Using Docker:

docker build -f Dockerfile.appview -t atcr-appview:latest .
docker run -d -p 5000:5000 \
  -v ./config-appview.yaml:/config.yaml:ro \
  -v atcr-data:/var/lib/atcr \
  atcr-appview:latest serve --config /config.yaml

See deploy/README.md for production deployment.

Running Your Own Hold (BYOS Storage)

See docs/hold.md for deploying your own storage backend.

Development

Building from Source

# Build all binaries
go build -o bin/atcr-appview ./cmd/appview
go build -o bin/atcr-hold ./cmd/hold
go build -o bin/docker-credential-atcr ./cmd/credential-helper

# Run tests
go test ./...
go test -race ./...

Project Structure

cmd/
├── appview/           # Registry server + web UI
├── hold/              # Storage service (BYOS)
├── credential-helper/ # Docker credential helper
├── oauth-helper/      # OAuth debug tool
├── healthcheck/       # HTTP health check (for Docker)
├── db-migrate/        # SQLite → libsql migration
├── usage-report/      # Hold storage usage report
├── record-query/      # Query ATProto relay by collection
└── s3-test/           # S3 connectivity test

pkg/
├── appview/
│   ├── db/            # SQLite database (migrations, queries, stores)
│   ├── handlers/      # HTTP handlers (home, repo, search, auth, settings)
│   ├── holdhealth/    # Hold service health checker
│   ├── jetstream/     # ATProto Jetstream consumer
│   ├── middleware/    # Auth & registry middleware
│   ├── ogcard/        # OpenGraph image generation
│   ├── readme/        # Repository README fetcher
│   ├── routes/        # HTTP route registration
│   ├── storage/       # Storage routing (blob proxy, manifest store)
│   ├── public/        # Static assets (JS, CSS, install scripts)
│   └── templates/     # HTML templates
├── atproto/           # ATProto client, records, manifest/tag stores
├── auth/
│   ├── oauth/         # OAuth client, refresher, storage
│   ├── token/         # JWT issuer, validator, claims
│   └── holdlocal/     # Local hold authorization
├── config/            # Config marshaling (commented YAML)
├── hold/
│   ├── admin/         # Admin web UI
│   ├── billing/       # Stripe billing integration
│   ├── db/            # Vendored carstore (go-libsql)
│   ├── gc/            # Garbage collection
│   ├── oci/           # OCI upload endpoints
│   ├── pds/           # Embedded PDS (DID, captain, crew, stats, scans)
│   └── quota/         # Storage quotas
├── logging/           # Structured logging + remote shipping
└── s3/                # S3 client utilities

License

MIT

Contributing

Contributions welcome! Please open an issue or PR.

Directories

Path Synopsis
cmd
appview command
db-migrate command
db-migrate copies all tables and data from a local SQLite database to a remote libsql database (e.g.
healthcheck command
Minimal HTTP health check binary for scratch Docker images.
hold command
image-advisor command
image-advisor fetches OCI image config, SBOM, and vulnerability data from the ATCR system and outputs a structured markdown report suitable for LLM analysis of container image improvements.
labeler command
oauth-helper command
record-query command
record-query queries the ATProto relay to find all users with records in a given collection, fetches the records from each user's PDS, and optionally filters them.
relay-compare command
relay-compare compares ATProto relays by querying listReposByCollection for all io.atcr.* record types and showing what's missing from each relay.
s3-test command
Command s3-test is a diagnostic tool that tests S3 connectivity using both AWS SDK v1 (used by distribution's storage driver) and AWS SDK v2 (used by ATCR's presigned URL service).
usage-report command
usage-report queries a hold service and generates a storage usage report grouped by user, with unique layers and totals.
pkg
appview
Package appview implements the ATCR AppView component, which serves as the main OCI Distribution API server.
appview/db
Package db provides the database layer for the AppView web UI, including SQLite schema initialization, migrations, and query functions for OAuth sessions, device flows, repository metadata, stars, pull counts, and user profiles.
appview/handlers
Package handlers provides HTTP handlers for the AppView web UI, including home page, repository browsing, search, user authentication, settings, device management, and API endpoints for the web interface.
appview/holdclient
Package holdclient provides client functions for the appview to call hold XRPC endpoints.
appview/holdhealth
Package holdhealth provides health checking for hold service endpoints.
appview/jetstream
Package jetstream provides an ATProto Jetstream consumer for real-time updates.
appview/labeler
Package labeler provides a subscription client for consuming labels from an ATProto labeler service.
appview/licenses
Package licenses provides SPDX license validation and parsing for container image annotations.
appview/middleware
Package middleware provides HTTP middleware for AppView, including authentication (session-based for web UI, token-based for registry), identity resolution (handle/DID to PDS endpoint), and hold discovery for routing blobs to storage endpoints.
appview/ogcard
Package ogcard provides OpenGraph card image generation for ATCR.
appview/readme
Package readme provides fetching and rendering of README files from Git hosting platforms.
appview/routes
Package routes provides route registration for the AppView web UI and API endpoints.
appview/storage
Package storage implements the storage routing layer for AppView.
appview/webhooks
Package webhooks provides webhook dispatch and formatting for push and scan notifications.
atproto
Package atproto provides constants for XRPC endpoint paths used throughout ATCR.
atproto/did
Package did provides shared did:web and did:plc identity management for ATCR services.
auth
Package auth provides service token caching and management for AppView.
auth/holdlocal
Package holdlocal provides a HoldAuthorizer implementation that queries the hold's own embedded PDS directly.
auth/oauth
Package oauth provides OAuth client configuration and helper functions for ATCR.
auth/token
Package token provides JWT claims and token handling for registry authentication.
billing
Package billing provides optional Stripe billing integration for the appview.
config
Package config provides shared configuration types and Viper helpers used by both the AppView and Hold services.
hold
Package hold implements the ATCR hold service, which provides BYOS (Bring Your Own Storage) functionality.
hold/admin
Package admin provides an owner-only web UI for managing the hold service.
hold/db
Package db contains code vendored from github.com/bluesky-social/indigo/carstore/sqlite_store.go. Source: github.com/bluesky-social/indigo@v0.0.0-20260203235305-a86f3ae1f8ec/carstore/. Reason: indigo's carstore hardcodes mattn/go-sqlite3, which conflicts with go-libsql (both bundle SQLite C libraries and cannot coexist in the same binary).
hold/gc
Package gc implements garbage collection for the hold service.
hold/labeler
Package labeler provides a labeler subscription client for the hold service.
hold/oci
Package oci provides OCI registry endpoints for the hold service.
hold/pds
Package pds implements a minimal ATProto PDS for the hold service.
hold/quota
Package quota provides storage quota management for hold services.
labeler
Package labeler implements the ATCR labeler service, an ATProto-compatible content moderation service for issuing takedown labels on container registry content.
logging
Package logging provides centralized structured logging using slog with configurable log levels.
s3
Package s3 provides S3 client initialization and presigned URL generation for hold services.
themes
seamark
Package seamark provides the Seamark visual theme for the ATCR AppView.
