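# ───── Path C: agent-first manifest snippet ─────
# Two RegistryEntries: 'primary' for humans (full RW), 'agent-ro' for agents (RO).
# Agent role's scope file should declare ops = ['pull, 'verify, 'list] and
# namespaces restricted to what agents may read.
#
# NOTE(review): the empty `participant` / `endpoint` strings and the empty path
# segment in "domains//" and "modes//" look like unfilled template slots. Fill
# them before use, and confirm how the registry matches an empty segment so a
# prefix does not end up broader than intended.
registry_provides = m.make_registry_provides {
  participant = "",
  registries = m.make_registries_config {
    # NOTE(review): the default entry is the human, RW-capable one. Confirm
    # agent tooling selects "agent-ro" explicitly and never falls back to it.
    default = "primary",
    registries = [
      # Human entry: a read credential plus a separate RW credential.
      m.make_registry_entry {
        id = "primary",
        endpoint = "",
        role = 'primary,
        tls = true,
        namespaces = {
          own = ["domains//", "modes//"],
          prefixes = ["domains//", "modes//"],
        },
        credential_sops = "registry/developer-ro.sops.yaml",
        # Assumes agent identities are not SOPS recipients of this file —
        # TODO confirm; otherwise the RO/RW split below is only nominal.
        credential_sops_rw = "registry/admin-rw.sops.yaml",
      },
      # Agent entry: owns no namespaces and lists only the "domains//" prefix.
      m.make_registry_entry {
        id = "agent-ro",
        endpoint = "",
        # NOTE(review): the header describes a dedicated agent role, but this
        # entry is tagged 'dev — confirm that is the intended role.
        role = 'dev,
        tls = true,
        namespaces = {
          own = [],
          prefixes = ["domains//"],
        },
        credential_sops = "registry/agent-readonly.sops.yaml",
        # No credential_sops_rw — agents cannot push, full stop.
        # This holds only if the credential above is itself read-only on the
        # registry side; the manifest merely withholds the RW secret. Verify
        # the registry rejects a push made with the agent credential.
      },
    ],
  },
},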