Why
marketplace-02 enables custom registries with a trust level, but any operator can claim any trust level without verification. Without a certificate layer, the CLI cannot distinguish between a NOLD AI-certified third-party registry and an arbitrary self-hosted index. This change adds CA-style registry certificate verification.
What Changes
- NEW:
src/specfact_cli/trust/registry_cert.py — registry certificate fetcher, verifier, and local registry store manager
- MODIFY:
src/specfact_cli/registry/custom_registries.py — extend add_registry() to fetch and verify certificate; add --trust-local flag for air-gapped registries
- MODIFY:
src/specfact_cli/trust/resolver.py — integrate registry tier into effective tier calculation (min(publisher_tier, registry_tier))
- MODIFY:
src/specfact_cli/modules/module_registry/src/ — registry-tier-aware badges in search; effective tier used for install policy
- MODIFY:
docs/guides/custom-registries.md — certificate requirements, --trust-local, tier propagation
Acceptance Criteria
specfact module add-registry https://registry.acme.com/specfact verifies NOLD AI-signed registry certificate- Uncertified registries receive
community tier with a warning
--trust-local adds air-gapped registry with [local] tier (no cert required)- Effective module trust =
min(publisher_tier, registry_tier) in search output and install policy
[local] badges cannot be promoted to [community] or above without central registration- Certificate expiry triggers community-tier downgrade with renewal prompt
OpenSpec Change Proposal: marketplace-05-registry-federation
Why
marketplace-02 enables custom registries with a trust level, but any operator can claim any trust level without verification. Without a certificate layer, the CLI cannot distinguish between a NOLD AI-certified third-party registry and an arbitrary self-hosted index. This change adds CA-style registry certificate verification.
What Changes
src/specfact_cli/trust/registry_cert.py— registry certificate fetcher, verifier, and local registry store managersrc/specfact_cli/registry/custom_registries.py— extendadd_registry()to fetch and verify certificate; add--trust-localflag for air-gapped registriessrc/specfact_cli/trust/resolver.py— integrate registry tier into effective tier calculation (min(publisher_tier, registry_tier))src/specfact_cli/modules/module_registry/src/— registry-tier-aware badges in search; effective tier used for install policydocs/guides/custom-registries.md— certificate requirements, --trust-local, tier propagationAcceptance Criteria
specfact module add-registry https://registry.acme.com/specfactverifies NOLD AI-signed registry certificatecommunitytier with a warning--trust-localadds air-gapped registry with[local]tier (no cert required)min(publisher_tier, registry_tier)in search output and install policy[local]badges cannot be promoted to[community]or above without central registrationOpenSpec Change Proposal: marketplace-05-registry-federation