Registry Privacy
Syllago includes a privacy gate system to prevent accidental leakage of content from private registries to public destinations. This is a soft gate — it prevents mistakes, not intentional circumvention.
How It Works
Section titled “How It Works”The privacy gate operates in four layers:
1. Detection
Section titled “1. Detection”When you add a registry, syllago determines its visibility:
- API probes: Checks GitHub, GitLab, or Bitbucket APIs for the repository’s privacy status
- Manifest field: An optional
visibilityfield inregistry.yamlprovides explicit control - Default: Unknown visibility defaults to private (safe default)
2. Tainting
Section titled “2. Tainting”Content imported from private registries receives permanent metadata:
source_registry: my-private-registrysource_visibility: privateThese fields persist through the content’s entire lifecycle in your library. They are not removed by editing, re-importing from a different path, or any other library operation.
3. Enforcement (Four Gates)
Section titled “3. Enforcement (Four Gates)”| Gate | Command | Behavior |
|---|---|---|
| G1 | syllago publish | Blocks publishing tainted content to public registries |
| G2 | syllago share | Blocks sharing tainted content to public repos |
| G3 | syllago loadout create | Warns when loadout contains private items |
| G4 | syllago loadout publish | Blocks publishing loadouts with private items to public registries |
The sync-and-export command also warns when installing private-tainted content.
4. Scope
Section titled “4. Scope”Removing Taint
Section titled “Removing Taint”The only way to remove privacy taint is to re-add the content from a public source:
# Remove the tainted versionsyllago remove my-private-skill
# Re-add from a public registry or providersyllago add skills/my-skill --from claude-codeTeam Workflows
Section titled “Team Workflows”Private team registry
Section titled “Private team registry”If your team uses a private registry for internal content:
- Content added from the private registry is automatically tainted
- Team members can freely install tainted content to their providers
- Tainted content cannot be accidentally published to public registries
- To share content publicly, create it fresh or re-add from a public source
Mixed public/private
Section titled “Mixed public/private”If you use both public and private registries:
# Check which registries are privatesyllago registry list
# Inspect an item's taint statussyllago inspect my-skill --json | jq '.source_visibility'See Also
Section titled “See Also”- Registries — managing git-based registries
syllago publish— contributing to registries- Team Setup — configuring syllago for team use