The public registry

The public registry is where a published pack gets a short name, like an org's @acme/security-review. You can install that name in place of a raw github:acme/security-review-pack@v1.0.0 URL. This is the same shift npm's package.json name makes over a bare git URL.

A resolver and index, not a warehouse

The registry doesn't host pack content. Each record is a pointer: a name, a version, and the github:owner/repo source, plus the commit sha it resolved to at publish time. The pack content itself always lives at that git source. /packs browses the index without needing a login.

Namespaces

scope is the GitHub user or org that owns the publish, checked against the GITHUB_TOKEN used to publish. name is the pack's own id.

An org registry is a curated private twin

An org's internal registry (see Organizations) works the same way, but privately and with an added approval step: a maintainer's publish lands as pending until an admin approves it.

Example

baselane install @acme/security-review

The registry looks up @acme/security-review and returns its highest published version, the github:acme/security-review-pack source it points to, and the exact commit sha recorded at publish time. baselane fetches the pack content from that GitHub source, not from the registry itself.