# ───── Path B: multi-tenant manifest snippet ─────
# One RegistryEntry per tenant — credential_sops paths must match the
# recipient_rules patterns declared in project.ncl.

  registry_provides = m.make_registry_provides {
    participant = "<your-slug>",
    registries  = m.make_registries_config {
      default    = "primary",
      registries = [
        m.make_registry_entry {
          id                 = "primary",
          endpoint           = "<your-zot-host>",
          role               = 'primary,
          tls                = true,
          namespaces = {
            own      = ["domains/<your-slug>/", "modes/<your-slug>/"],
            prefixes = ["domains/<your-slug>/", "modes/<your-slug>/"],
          },
          # Default tenant — administrative fallback.
          credential_sops    = "registry/ro.sops.yaml",
          credential_sops_rw = "registry/rw.sops.yaml",
        },
        m.make_registry_entry {
          id                 = "clientA",
          endpoint           = "<your-zot-host>",
          role               = 'dev,
          tls                = true,
          namespaces = {
            own      = ["domains/clientA/", "modes/clientA/"],
            prefixes = ["domains/clientA/"],
          },
          credential_sops    = "registry/clientA-ro.sops.yaml",
          credential_sops_rw = "registry/clientA-rw.sops.yaml",
        },
        m.make_registry_entry {
          id                 = "clientB",
          endpoint           = "<your-zot-host>",
          role               = 'dev,
          tls                = true,
          namespaces = {
            own      = ["domains/clientB/", "modes/clientB/"],
            prefixes = ["domains/clientB/"],
          },
          credential_sops    = "registry/clientB-ro.sops.yaml",
          credential_sops_rw = "registry/clientB-rw.sops.yaml",
        },
      ],
    },
  },