The public registry
The public registry is where a published pack gets a short name, like an org's
@acme/security-review. You can install that name in place of a raw
github:acme/security-review-pack@v1.0.0 URL. This is the same shift
npm's package.json name makes over a bare git URL.
A resolver and index, not a warehouse
The registry doesn't host pack content. Each record is a pointer: a name, a version, and the
github:owner/repo source, plus the commit sha it resolved to at publish
time. The pack content itself always lives at that git source. /packs
browses the index without needing a login.
Namespaces
scope is the GitHub user or org that owns the publish, checked against
the GITHUB_TOKEN used to publish. name is
the pack's own id.
An org registry is a curated private twin
An org's internal registry (see Organizations) works the same way, but privately and with an added approval step: a maintainer's publish lands as pending until an admin approves it.
Example
baselane install @acme/security-review
The registry looks up @acme/security-review and returns its highest
published version, the github:acme/security-review-pack source it
points to, and the exact commit sha recorded at publish time. baselane fetches the pack content
from that GitHub source, not from the registry itself.