Coming soon
Your registry. Your images. Owned.
pks-agent-registry
A single-binary container registry your agents spin up per project — a local, fully-owned replacement for Azure Container Registry that runs anywhere and backs up with `tar`.
Every image your agents build lives somewhere you don't control.
Coding agents build containers all day — for previews, for tests, for ship. But the registry they push to is almost always rented: a cloud account with its own login, its own pricing per gigabyte and per pull, its own outage window. When the agent loop depends on a registry you can't restart, back up, or reason about, you've handed the foundation of your pipeline to someone else. We chose to own that foundation.
Cloud registries bill you per gigabyte stored and per image pulled — costs that scale with exactly the thing agents do most: build and pull.
The "easy" path is the full `distribution/distribution` reference image and a managed control plane — overkill for a per-project registry, and a stack you don't own.
When the registry is a black box, you can't `tar` a backup, can't restart it in seconds, and can't read your own data on disk.
One container, one command, one volume.
Run one container.
`docker run` the single image with one volume for storage and one admin token. That's the whole install — no database, no extra services.
Add an owner.
`agent-registry owner add <you>` — one command creates your namespace and login. Repos and tags appear automatically the first time you push; nothing to pre-create.
Push like you always have.
`docker login`, `docker push`. It speaks the standard OCI v2 protocol, so `docker`, `podman`, `skopeo`, and `crane` all work unmodified.
Back it up with `tar`.
Everything is plain files under one folder — blobs, manifests, tags, owners. Copy the folder, you have a backup. Move the folder, you've migrated.
One binary, one volume
The whole registry is a single Go binary and one folder on disk; no database, no sidecar services to keep alive.
Standard OCI, zero surprises
Speaks the Docker Registry V2 / OCI Distribution Spec, so `docker`, `podman`, `skopeo`, and `crane` push and pull unmodified.
Owner + repo tenancy
Each owner gets a namespace and its own credential; repos and tags materialize on first push with nothing to pre-create.
Plain-file storage
Blobs, manifests, and tags are content-addressed files under `USER_DATA_DIR` — `tar`-friendly backups, no embedded database.
Admin baked into the binary
The same binary is the admin CLI: add owners, list repos, delete tags, and run GC locally via `docker exec` or remotely over the management API.
Auth you can reason about
HTTP Basic per owner for push/pull, a single Bearer token for management — terminate TLS at your own reverse proxy.
Built from the foundation, not the reference image. Instead of running the heavy `distribution/distribution` stack, this is a minimal Go binary written for exactly what a per-project registry needs — every decision deliberately taken.
No dependency we don't own. Storage is plain files we wrote the layout for; auth is Basic and Bearer we implement ourselves. There's no embedded database and no managed control plane to depend on.
Runs everywhere. It's one container that runs the same on a Hetzner host, a Coolify homelab, a CI job, or your laptop — HTTP only, with TLS terminated at the proxy you already run.
Composable by design. It's a runtime layer that holds still while the rest of the suite moves around it: agents push here, delivery pulls from here, and nothing forces you to run more than the registry itself.
Composes with
Stop renting the registry your agents depend on.
pks-agent-registry is one Go binary that speaks the standard OCI protocol. `docker push` works unmodified. Storage is plain files on your disk. No cloud account, no per-pull bill, no database to babysit.