Skip to content

Instantly share code, notes, and snippets.

@afflom

afflom/iot-prs.md

Created March 4, 2025 17:46
Show Gist options
  • Save afflom/67e663321d91292cfb341f3d85d27c25 to your computer and use it in GitHub Desktop.
Save afflom/67e663321d91292cfb341f3d85d27c25 to your computer and use it in GitHub Desktop.
Download ZIP
Prime Framework OCI Extensions
Raw
iot-prs.md

OCI Package Resolution System for Internet of Things (IoT-PRS)

1. Abstract

This document defines the OCI Package Resolution System for Internet of Things (IoT-PRS), an extension of the OCI artifact model that transforms registries into a stateful message bus for IoT operations and management. By employing a canonical encoding approach to represent artifacts in a consistent, immutable format, IoT-PRS enables reliable content resolution, schema discovery, and decentralized state mutation. This specification outlines how IoT devices download system images, subscribe to state changes, and perform logic operations based on declarative state mutations—all through existing OCI distribution mechanisms.

2. Introduction

The IoT-PRS specification provides detailed guidance for implementors who wish to build an end-to-end, cloud native IoT management solution using OCI registries as stateful message buses. In this model, every artifact—whether it is a system image, device configuration, or sensor data record—is encoded in a canonical format that maps namespaces to device or application state, tags to keys, and the manifest’s single layer to the current value. This approach supports:

  • Stateful Content Resolution: IoT devices use built-in resolver functions to download system images and query for state changes.
  • Declarative Device Management: Users declare desired state changes which are communicated through registries to IoT devices.
  • Decentralized Messaging and Mutation: Registries act as federated, stateful message buses, allowing devices and users to exchange multi-modal information reliably.

3. Terminology

  • Namespace: A dedicated OCI domain representing a publisher’s ledger of IoT artifacts (e.g., system images, state records). Each namespace acts as a logical container for device or application state.
  • Artifact: An IoT package or asset stored in OCI, encoded in a canonical format. Artifacts include system images, configuration files, and state update records.
  • Tag: A label used to denote specific versions or attributes of an artifact. In IoT-PRS, tags serve as keys in a key–value mapping.
  • Manifest Layer: The content layer of an OCI artifact that holds the actual package payload, such as a JSON document with device state or configuration data.
  • Resolver Function: A client-side function that interprets the encoded artifact format, mapping namespaces and tags to retrieve the manifest layer and assemble a complete state record.
  • Schema Discovery: The mechanism by which a client retrieves the authoritative schema for a given namespace, enabling proper interpretation and validation of IoT artifacts.
  • Nameserver: A special namespace that functions as an index and state registry; it maps content names to artifacts and provides the associated schema for that domain.
  • State Mutation: A declared change in the state of a device or application, recorded and propagated through OCI registries.

4. Architectural Overview

IoT-PRS builds on existing OCI registry infrastructure by applying a standardized encoding format that transforms registries into a stateful message bus for IoT operations. The key architectural components are:

  • Artifact Encoding: IoT system images, configuration updates, and state changes are published in a canonical, immutable format as single-layer manifests.
  • Namespace Ledger: Each OCI namespace serves as a ledger for a specific domain (e.g., a fleet of smart lights). Publishers register their namespace with one or more centralized indexes (similar to app stores) for discovery.
  • Key–Value Mapping: Tags are used as keys and the manifest layer as the value, resulting in structured records akin to JSON objects.
  • Resolver Functions: IoT devices and management systems use resolver functions to query registries for state changes, download system images, and validate state updates.
  • Schema Discovery: Nameservers provide authoritative schemas that describe the structure and semantics of the IoT artifacts in a namespace, ensuring that devices can correctly parse and act on the data.

5. Data Model

IoT-PRS defines a meta-component model that standardizes how IoT device state, application assets, and user commands are packaged. The core elements include:

  • Object (Namespace): Represents a domain or ledger for IoT artifacts.
  • Key (Tag): Denotes metadata fields such as firmware version, configuration parameters, or sensor type.
  • Value (Manifest Layer): Contains the actual content—whether it is a system image, a state record, or a configuration update.
  • Schema: An extensible metadata model (e.g., based on Schema.org) that describes the expected structure and semantics of the artifacts, allowing for automated validation and processing.

6. Detailed Encoding Format

IoT-PRS employs a canonical encoding scheme to represent IoT artifacts in a deterministic and verifiable manner. The encoding consists of two main components:

6.1 Header and Metadata

  • Canonical Header:

    • Collect all OCI tags associated with the IoT artifact.
    • Normalize the order and format of these tags to ensure a consistent header.
    • Assemble a JSON object that includes key metadata fields such as deviceID, firmwareVersion, configuration, and contentType.
    • Generate a digital fingerprint of the header to support integrity checks.

  • Key–Value Mapping:

    • In the header, tags act as keys and their associated values (e.g., version numbers, configuration parameters) are organized in a consistent JSON-based structure.

6.2 Payload Encoding

  • Manifest Layer as Payload:
    • The artifact’s payload is contained within a single manifest layer. This layer stores the IoT data (e.g., system image, sensor reading, configuration update) in a structured format, typically JSON.
  • Content Hashing:
    • Process the payload with a content-addressable hash function to ensure any change results in a new artifact.
  • Normalization:
    • Normalize the payload (e.g., standardizing formatting and ordering) so that the same logical content always produces the same hash.

This encoding guarantees that every IoT artifact is immutable and verifiable, simplifying state resolution and integrity checking.

7. Resolver API Specification for IoT

The Resolver API is a client-side interface that adapts the OCI distribution API for IoT operations. It allows devices and management systems to resolve, retrieve, and act on state changes. The API operates locally or remotely and includes the following methods:

7.1 API Endpoints and Methods

  • QueryNamespace(namespace: string) → ArtifactList

    • Description: Retrieves a list of IoT artifacts within the specified OCI namespace.
    • Details: Calls the OCI distribution API to list all artifacts and returns their identifiers along with metadata.

  • LookupTag(namespace: string, tag: string) → ArtifactID

    • Description: Searches within the namespace for an artifact that contains the specified tag (key).
    • Details: Performs a key-based lookup in the canonical header to find the matching artifact.

  • RetrieveManifest(artifactID: string) → Manifest

    • Description: Downloads the manifest for the given artifact ID.
    • Details: Expects the manifest to contain a single layer with the IoT data payload. Validates the payload against the header’s content hash.

  • DownloadSchema(nameserver: string) → SchemaDefinition

    • Description: Retrieves the authoritative schema for the domain managed by the nameserver.
    • Details: Returns a machine-readable schema (e.g., JSON Schema) describing the structure of the IoT records in that namespace.

7.2 Resolver Function Workflow

The resolver function for IoT devices follows these steps:

  1. Namespace Query:

    • The device calls QueryNamespace(namespace) to obtain a list of relevant artifacts (e.g., state updates).

  2. Key-Based Lookup:

    • For a specific state variable (tag), the device invokes LookupTag(namespace, tag) to identify the corresponding artifact.

  3. Manifest Retrieval and Validation:

    • The device uses RetrieveManifest(artifactID) to download the manifest. It then validates the payload by comparing the computed content hash with that in the header.

  4. Schema Discovery and Record Assembly:

    • The device calls DownloadSchema(nameserver) to fetch the authoritative schema. Using this schema, it parses the canonical header and payload to assemble a complete record.

  5. State Mutation and Action:

    • The resolved record is processed locally to update device state or trigger actions (e.g., change brightness on smart lights, update sensor readings).

  6. Local Caching and Optimization:

    • The API supports local caching of frequently accessed artifacts and schemas to improve performance and reduce redundant remote calls.

7.3 Implementation Considerations

  • Client-Side Integration:

    • The Resolver API is entirely implemented on the client side, integrated into IoT device firmware or management applications.

  • OCI Distribution API Compatibility:

    • The Resolver API works as an adapter to the existing OCI distribution API without altering current OCI specifications.

  • Modularity and Extensibility:

    • The API design is modular, allowing future enhancements such as support for multi-layer manifests or advanced query capabilities.

  • Performance:

    • Optimized for asynchronous queries, local caching, and batch processing to handle real-time IoT state updates across federated registries.

8. IoT Operation Workflow

In an IoT-PRS-based system, registries function as a stateful message bus that delivers multi-modal information to devices. The workflow includes:

  1. System Image Deployment:

    • An IoT device downloads its system image (which includes its workload and configuration) from an OCI registry.

  2. State Subscription:

    • The device subscribes to one or more OCI namespaces for state changes. Resolver functions continuously monitor for new artifacts indicating state mutations.

  3. Declarative State Management:

    • Users declare state changes (e.g., adjusting light brightness or color) through an interface. These changes are encoded as artifacts and pushed to the registry.

  4. State Mutation and Resolution:

    • IoT devices retrieve the updated state via the Resolver API, validate the changes using the canonical encoding and schema, and update their local state accordingly.

  5. Local Action Execution:

    • Devices execute logic operations based on state changes, performing sensory measurements or imperative actions such as controlling smart lights or digital assistants.

9. Declarative IoT Management and Mutation

The IoT management solution is fully declarative:

  • User-Driven State Changes:

    • Users indicate desired state changes (e.g., setting a preferred brightness level) via an application interface.

  • Registry as a Message Bus:

    • OCI registries store both static assets (system images) and dynamic state records, serving as a federated message bus.

  • Mutability through Resolution:

    • Devices and users communicate state mutations through standard mutation and resolution operations, ensuring that updates propagate through the system in a controlled, verifiable manner.

10. Example: "brightidea"

The "brightidea" example illustrates a user’s interaction with smart light bulbs and sensors:

  • Scenario Overview:
    A user installs smart light bulbs equipped with IoT-PRS-based state resolution. Initially, the user manually adjusts brightness and color settings via a mobile application.

  • State Encoding:
    Each light bulb publishes its current state (e.g., brightness, color temperature, power status) as an artifact in its dedicated namespace. Tags such as brightness and color act as keys, while the manifest layer contains the actual state values.

  • Schema Discovery:
    The nameserver for the smart lighting domain provides a JSON Schema that defines the structure of these state records.

  • Automated Adaptation:
    Over time, the Resolver API on each bulb retrieves updated state artifacts from the registry. As the device accumulates historical state data, it begins to automatically adjust its behavior to match the user's preferences.

  • Diminishing Manual Intervention:
    Gradually, the manual controls become less necessary. The smart light’s state recognition system learns from the user’s historical interactions, adjusting brightness and color in anticipation of the user’s needs—embodying the "brightidea" where intelligence is built into the system.

  • Declarative Updates:
    Users continue to interact with the system declaratively, declaring new desired states when needed. These updates are encoded and pushed to the registry, with the Resolver API ensuring that the latest state is always resolved on the device.

11. Security and Integrity

The security of the IoT-PRS system is ensured by:

  • Immutable and Verifiable Encoding:
    Every artifact is encoded in a canonical, immutable format. Any change produces a new artifact with a distinct content address.

  • Content Addressability:
    Artifacts are retrieved by their content-based addresses, ensuring integrity and tamper-evidence.

  • Access Control:
    Namespaces and indexes enforce robust access controls to protect sensitive IoT data and maintain ledger integrity.

  • Schema Validation:
    Automated schema discovery and validation ensure that only well-formed, authorized state records are processed.

12. Conformance and Implementation Guidelines

Implementors of IoT-PRS must ensure:

  • Canonical Encoding Compliance:
    All IoT artifacts must be encoded as specified, with namespaces as objects, tags as keys, and the manifest layer as the value.

  • Resolver API Integration:
    Devices and management systems must implement the Resolver API endpoints precisely, ensuring seamless interaction with the OCI distribution API.

  • Schema Publication:
    Publishers must register a machine-readable schema for their namespace using established metadata vocabularies.

  • Interoperability Testing:
    Rigorous testing for compatibility with existing OCI registries and cloud native tooling is required.

  • Security Best Practices:
    Follow recommended guidelines for content signing, integrity verification, and access control.

13. Conclusion

IoT-PRS transforms OCI registries into a stateful message bus for comprehensive IoT management. By encoding IoT artifacts in a canonical, self-describing format and incorporating built-in schema discovery, IoT-PRS provides a robust framework for managing system images, device state, and user-declared mutations. This declarative, federated approach enables smart, adaptive operations—exemplified by the "brightidea" scenario—while maintaining compatibility with existing OCI standards. This specification serves as a comprehensive guide for implementors and maintainers in the cloud native and IoT communities.

For further details and implementation examples, please refer to the accompanying implementation guide and reference repositories provided by the OCI working group.

Raw
oci-prs.md

OCI Package Resolution Specification (OCI-PRS)

1. Abstract

This document defines the OCI Package Resolution System (OCI-PRS), a specification that extends the current OCI artifact model into a full-fledged package management framework. OCI-PRS leverages a first principles encoding approach to represent artifacts in a canonical form, enabling reliable content resolution, schema discovery, and decentralized indexing. By mapping namespaces to objects, tags to keys, and using the manifest’s single layer as the value, OCI-PRS transforms the traditional OCI registry into a federated package store similar to modern app stores.

2. Introduction

The OCI Package Resolution Specification (OCI-PRS) provides detailed guidance for implementors who wish to build cloud native package management systems on top of OCI registries. In this model, each artifact is assigned a unique, immutable representation based on a standardized encoding scheme. This design enables:

  • Consistent Content Resolution: Built-in resolver functions allow clients to query and retrieve artifacts reliably.
  • Schema Discovery: Each namespace serves as a ledger for a specific domain; authoritative schemas (extensible via Schema.org and similar standards) are discoverable for each domain.
  • Decentralized and Federated Indexing: Multiple indexes (or nameservers) may coexist, enabling publishers to manage their own namespaces while supporting cross-domain discovery akin to app store ecosystems.

3. Terminology

  • Namespace: A dedicated OCI domain representing a publisher’s ledger of artifacts. Each namespace encapsulates a unique collection of packages.
  • Artifact: A package or asset stored in OCI, encoded in a canonical format. Artifacts are the “objects” managed within a namespace.
  • Tag: A label used to identify specific versions or attributes of an artifact. In OCI-PRS, tags function as keys in a key–value mapping.
  • Manifest Layer: The content layer of an OCI artifact that holds the actual package payload. When a manifest is limited to one layer, that layer is treated as the value.
  • Resolver Function: A client-side function that interprets the encoded artifact format, maps namespaces and tags to retrieve the manifest layer, and returns the corresponding record.
  • Schema Discovery: The mechanism by which a client retrieves the authoritative schema for a given namespace to enable proper interpretation and validation of artifacts.
  • Nameserver: A special namespace functioning as an index, mapping content names to artifacts and providing the associated schema for that domain.

4. Architectural Overview

OCI-PRS builds on existing OCI registry infrastructure by enforcing a standardized encoding format. The system architecture includes:

  • Artifact Encoding: Artifacts are published using a canonical encoding scheme. Each artifact’s unique representation is established during publishing and stored as a single-layer manifest.
  • Namespace Ledger: Each OCI namespace serves as a ledger that organizes artifacts. Publishers register their namespace with one or more centralized indexes (app store–like portals) for discovery.
  • Key–Value Mapping: Tags act as keys and the manifest layer as the corresponding value, creating a structured storage model akin to JSON records.
  • Resolver Functions: Clients integrate resolver functions that query OCI registries. These functions interpret namespace, tag, and manifest data to retrieve the desired artifact.
  • Schema Discovery: Nameservers provide not only artifact content but also the authoritative schema for the domain they govern, allowing clients to parse and validate artifact contents correctly.

5. Data Model

OCI-PRS defines a meta-component model that standardizes how application structural information, application assets, and user data are packaged. The core elements include:

  • Object (Namespace): A unique OCI namespace that represents a package domain.
  • Key (Tag): Metadata fields (e.g., version, dependency, or type) that act as keys for each record.
  • Value (Manifest Layer): The actual content stored within the artifact. In single-layer manifests, the payload encapsulates the package data.
  • Schema: An extendable metadata model (for instance, based on Schema.org) that describes the structure and semantics of artifacts within a namespace.

6. Detailed Encoding Format

OCI-PRS employs a canonical encoding scheme to represent artifacts in a deterministic and verifiable manner. The encoding process consists of two main parts:

6.1 Header and Metadata

  • Canonical Header: Each artifact includes a header that aggregates all metadata. This header is constructed by:

    • Collecting all OCI tags associated with the artifact.
    • Normalizing the order and format of these tags to ensure that the same artifact always yields an identical header.
    • Embedding key metadata fields such as package name, version, dependencies, and content type.

  • Key–Value Mapping: In this header, tags serve as keys, and their associated values (e.g., version numbers, semantic descriptors) are organized in a consistent JSON-based structure.

6.2 Payload Encoding

  • Manifest Layer as Payload: The artifact’s payload is contained within a single manifest layer. This layer stores the actual content or package payload in a binary or text format, typically JSON.
  • Content Hashing: The payload is processed with a content-addressable hash function, ensuring that any change in the content results in a new, unique representation.
  • Normalization: To achieve a canonical form, the payload is normalized (e.g., whitespace and ordering standardization) so that the same logical content always produces the same hash.

This two-part structure ensures that every artifact is encoded in a manner that is both immutable and verifiable. The uniqueness of the encoding supports integrity checks and simplifies resolver logic.

7. Resolver API Specification

The Resolver API is a client-side interface that functions as an adapter to the existing OCI distribution API. It performs resolution on the canonical encoded format and is used by resolver functions in database engines. The API is designed to work locally or remotely and includes the following methods:

7.1 API Endpoints and Methods

  • QueryNamespace(namespace: string) → ArtifactList

    • Description: Retrieves a list of artifacts within the specified OCI namespace.
    • Details: The method calls the OCI distribution API to list all artifacts in the namespace and returns their identifiers and associated metadata.

  • LookupTag(namespace: string, tag: string) → ArtifactID

    • Description: Searches within the specified namespace for an artifact that contains the given tag.
    • Details: This method performs a key-based lookup where the tag is interpreted as a key from the artifact’s header.

  • RetrieveManifest(artifactID: string) → Manifest

    • Description: Downloads the manifest for the given artifact ID.
    • Details: The manifest is expected to contain a single layer representing the payload. The payload is extracted and verified against the header’s content hash.

  • DownloadSchema(nameserver: string) → SchemaDefinition

    • Description: Retrieves the authoritative schema for the domain managed by a nameserver.
    • Details: The API call returns a machine-readable schema (e.g., JSON Schema) that describes the structure and expected keys of the artifacts in the nameserver’s namespace.

7.2 Resolver Function Workflow

The typical workflow for a resolver function using the Resolver API is as follows:

  1. Namespace Query:
    The client invokes QueryNamespace() with the target namespace to obtain a list of artifacts.

  2. Tag Lookup:
    For each artifact, the client calls LookupTag() to identify the artifact matching a specific key (tag).

  3. Manifest Retrieval and Validation:
    Once an artifact is identified, RetrieveManifest() is used to download the manifest. The payload is then validated by comparing its content hash to the hash specified in the header.

  4. Schema Discovery and Record Assembly:
    The client calls DownloadSchema() from the authoritative nameserver to retrieve the schema. The artifact’s header and payload are parsed according to this schema, and a complete record is assembled in a format suitable for ingestion by database engines.

  5. Local or Remote Execution:
    The Resolver API is implemented entirely on the client side. It integrates with local caching mechanisms and can be deployed as a lightweight service that runs on the client machine, interfacing with remote OCI registries as needed.

8. Schema Discovery

A key component of OCI-PRS is its built-in schema discovery mechanism:

  • Authoritative Schema Publication:
    Publishers must register and publish a machine-readable schema that defines the structure and semantic attributes of artifacts in their namespace.

  • Schema Retrieval API:
    Clients use the DownloadSchema() endpoint to fetch the schema from a nameserver. This schema is used to interpret the canonical encoding of artifacts, ensuring that data is correctly parsed and validated.

  • Extensibility:
    The base schema is designed to be extensible, allowing for additional package types and custom fields. This flexibility supports a wide range of modalities, from static application assets to dynamic user data.

9. Publisher Registration and Indexing

To support decentralized package management:

  • Publisher Registration:
    Publishers register with one or more indexes (akin to app stores) and are assigned an OCI namespace that serves as their ledger.

  • Namespace Ownership:
    Each publisher’s namespace contains their unique set of artifacts, maintained in the canonical encoded format.

  • Federated Indexes:
    Indexes act as centralized discovery portals that point to various publisher namespaces. They expose resolver functions that enable cross-domain search and discovery.

  • Record Correlation:
    The indexes store pointers to namespaces and reference the associated schemas, facilitating seamless resolution across the federated system.

10. Interoperability and Deployment

OCI-PRS is designed with cloud native principles:

  • OCI Compatibility:
    The specification is built on existing OCI image and runtime specifications, ensuring that current OCI registries require no modification. The PRS layer operates as an overlay on top of existing infrastructure.

  • Modular Architecture:
    The system supports multi-modal content, allowing both static application assets and dynamic user data to be managed through a consistent encoding and resolution process.

  • Decentralization:
    Namespaces serve as independent ledgers, and federated indexes enable decentralized management and cross-domain discovery.

11. Security and Integrity

The security and integrity of OCI-PRS are ensured through:

  • Immutable Encoding:
    Each artifact’s canonical encoding guarantees that any modification results in a new, uniquely addressed artifact.

  • Content Addressability:
    Artifacts are stored using content-based addressing, ensuring that the retrieval process is reliable and tamper-evident.

  • Access Controls:
    Namespaces and indexes implement access control mechanisms to protect publisher data and maintain ledger integrity.

  • Schema Validation:
    Schema discovery and validation processes help ensure that artifacts adhere to expected formats, mitigating risks from malformed or malicious content.

12. Conformance and Implementation Guidelines

Implementors of OCI-PRS must ensure:

  • Adherence to Encoding Format:
    Artifacts must be encoded in the canonical form defined herein, mapping namespaces to objects, tags to keys, and the manifest layer to values.

  • Standardized Resolver API:
    Client-side implementations must support all endpoints of the Resolver API and integrate with OCI distribution APIs for namespace queries, tag lookups, manifest retrieval, and schema discovery.

  • Schema Publication:
    Publishers are required to provide a machine-readable schema for their namespace, using established metadata vocabularies (e.g., Schema.org) as a base.

  • Interoperability Testing:
    Implementations must be tested for compatibility with existing OCI registries and cloud native tooling.

  • Security Best Practices:
    Follow recommended guidelines for content signing, integrity verification, and access control.

13. Detailed Encoding Implementation

The encoding scheme in OCI-PRS is designed to produce a unique, verifiable representation of each artifact:

  • Canonical Header Construction:

    • Gather all OCI tags associated with the artifact.
    • Normalize the tags into a consistent order.
    • Assemble these into a JSON object that serves as the header, containing keys (e.g., packageName, version, dependencies, contentType) and corresponding values.
    • Compute a digital fingerprint (hash) of the header for integrity checks.

  • Payload Processing:

    • The content of the artifact is placed into the single-layer manifest.
    • Normalize the payload (e.g., standardize formatting, ordering of keys in JSON) to ensure that identical content always produces the same hash.
    • Compute a content hash that is included in the header. This hash guarantees that any alteration in the payload results in a new, distinct artifact address.

  • Record Assembly:

    • On retrieval, the resolver function reconstructs the record by combining the canonical header and the payload.
    • The integrity of the record is verified by recalculating the header and payload hashes and comparing them with the stored values.

14. Resolver API Detailed Specification

The Resolver API operates as a client-side adapter to the OCI distribution API. It enables database engines and other clients to work with the encoded format:

14.1 Endpoints and Methods

  • QueryNamespace(namespace: string) → ArtifactList
    Retrieves a list of artifact identifiers and associated metadata from the specified OCI namespace.

  • LookupTag(namespace: string, tag: string) → ArtifactID
    Searches the namespace for an artifact with a matching tag, interpreted as a key from the canonical header.

  • RetrieveManifest(artifactID: string) → Manifest
    Downloads the manifest for the specified artifact. The manifest must include a single layer containing the payload. The API verifies that the payload hash matches the hash recorded in the header.

  • DownloadSchema(nameserver: string) → SchemaDefinition
    Retrieves the authoritative schema for the domain managed by the nameserver. The schema is provided in a machine-readable format (e.g., JSON Schema) and is used to parse and validate artifact records.

14.2 Resolver Function Workflow

  1. Namespace Query:
    The client calls QueryNamespace(namespace) to obtain the list of artifacts in a given domain.

  2. Key-Based Artifact Lookup:
    For a specific key (tag), the client invokes LookupTag(namespace, tag) to find the corresponding artifact.

  3. Manifest Retrieval and Integrity Check:
    Using the artifact ID, RetrieveManifest(artifactID) downloads the manifest. The resolver function extracts the payload and validates it against the content hash in the canonical header.

  4. Schema Download and Validation:
    The client calls DownloadSchema(nameserver) to retrieve the schema, which is then used to parse the canonical header and payload. This step ensures that the assembled record meets the expected structure and semantics.

  5. Record Assembly:
    The resolver function compiles the namespace (object), tags (keys), and manifest layer (value) into a complete record, ready for use by local applications or database engines.

  6. Local Caching and Optimization:
    The Resolver API is designed to support local caching of frequently accessed records and schemas, reducing latency and minimizing repetitive queries to remote OCI registries.

14.3 Implementation Considerations

  • Client-Side Operation:
    The entire Resolver API is implemented on the client side, integrated into database engines or other applications that need to perform content resolution.

  • OCI Distribution API Compatibility:
    The Resolver API interfaces directly with the existing OCI distribution API, requiring no changes to current OCI specifications. It acts as an intermediary that translates the canonical encoding format into a format that client applications can use.

  • Extensibility and Modular Design:
    The API is modular, allowing additional methods to be added in future revisions for enhanced functionality (e.g., support for multiple layers or advanced search capabilities).

  • Performance and Scalability:
    Resolver functions are optimized for performance with support for asynchronous queries, local caching, and batch processing to handle large-scale artifact resolution across federated indexes.

15. Interoperability and Deployment

OCI-PRS is designed with cloud native principles:

  • OCI Compatibility:
    OCI-PRS builds directly on existing OCI image and runtime specifications. No modifications to current OCI implementations are required.

  • Modular and Decentralized Architecture:
    The system supports multi-modal content—from static assets to dynamic user data—through consistent encoding and resolution.

  • Federation and Indexing:
    Publishers manage their own namespaces while centralized indexes (nameservers) aggregate and expose schemas for cross-domain discovery.

16. Security and Integrity

Security and integrity are maintained by:

  • Immutable Encoding:
    Every artifact is encoded in a canonical, immutable form. Changes result in a new artifact with a different content address.

  • Content Addressability and Hash Verification:
    Artifacts are content-addressable; resolver functions verify payload integrity by comparing computed hashes with stored values.

  • Access Control Mechanisms:
    Namespaces and indexes enforce access controls to protect publisher data and ensure ledger integrity.

  • Schema Validation:
    Automatic schema discovery and validation help prevent the ingestion of malformed or malicious content.

17. Conformance and Implementation Guidelines

Implementors of OCI-PRS must ensure:

  • Canonical Encoding Compliance:
    All artifacts must be encoded as specified, with namespaces as objects, tags as keys, and the manifest layer as the value.

  • Resolver API Implementation:
    Clients must implement the Resolver API endpoints exactly as defined, ensuring compatibility with OCI distribution APIs.

  • Schema Publication:
    Publishers must provide a machine-readable schema for their namespace using standardized metadata vocabularies.

  • Extensive Interoperability Testing:
    Implementations must be rigorously tested for compatibility with existing OCI registries and cloud native tools.

  • Adherence to Security Best Practices:
    Follow guidelines for content signing, integrity verification, and access control to safeguard the system.

18. Conclusion

OCI-PRS transforms OCI registries into a dynamic, federated package management system that supports multi-modal content resolution. By encoding artifacts in a canonical, self-describing format and incorporating built-in schema discovery, OCI-PRS provides a robust and scalable framework for managing application assets and user data. This specification serves as a comprehensive guide for implementors and maintainers in the cloud native community, offering detailed instructions for encoding, resolution, and interoperability while maintaining compatibility with existing OCI standards.

For further details and implementation examples, please refer to the accompanying implementation guide and reference repositories provided by the OCI working group.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment