feat: local cosmo cloud registry #2778

Open
comatory wants to merge 1 commit into main from ondrej/eng-9355-cosmo-run-local-instance-of-cosmo-cloud-registry

@comatory comatory commented Apr 20, 2026

When developing #2750, it was not straightforward to test the functionality of publishing gRPC plugins and have them loaded in a local instance of the router. The work-around was to use a non-public staging registry, which required modifications to docker compose files.

This change adds a new service to the compose file, `registry-2`, which serves as a mock Docker registry. The goal is to simplify local development in two ways:

  1. Publish a gRPC plugin using the local version of the CLI: `pnpm wgc router plugin publish ...`
  2. Have the plugins pulled from the local registry by running `make start-router` (given that the correct router token is provided)

Caveats

You must provide `PLUGIN_REGISTRY_URL` according to the environment example files. Insecure access to the Docker registry must be set in the Docker configuration. Our setup assumes Orbstack, so `"insecure-registries": ["host.docker.internal:5050"]` needs to be added to the Docker config.

@coderabbitai summary

How to test this change

  1. `make infra-down`
  2. Update your local env files
  3. Update the Docker configuration, restart Orbstack or the Docker engine
  4. `make infra-up`
  5. Create a federated graph with routing URL `localhost:3002/graphql` and `--label-matcher graph=demo`. Publish subgraphs associated with that graph (I'm using the cosmo-onboarding repo; use the plugins in the `plugins/` directory): `pnpm wgc router plugin publish --name <products-2|reviews> <path-to-local-folder> --label graph=demo --platform linux/amd64 linux/arm64 darwin/arm64` (I'm on a Mac, so Darwin is required).
  6. Create a router token for this new federated graph
  7. `GRAPH_API_TOKEN=<new-token> make start-router`

Checklist

Open Source AI Manifesto

This project follows the principles of the Open Source AI Manifesto. Please ensure your contribution aligns with its principles.

coderabbitai Bot commented Apr 20, 2026

Walkthrough

The changes introduce support for insecure Docker registry connections for OCI-based gRPC plugins. Environment variables, configuration structures, and registry connection logic are updated to enable plain-HTTP registry access for local development workflows.

Changes

| Cohort / File(s) | Summary |
|---|---|
| **Environment & Docker Configuration**: `cli/.env.example`, `router/.env.example`, `docker-compose.yml` | Updated `PLUGIN_REGISTRY_URL` to `host.docker.internal:5050` in CLI example; added `PLUGINS_REGISTRY_URL`, `PLUGINS_REGISTRY_INSECURE`, and `PLUGINS_ENABLED` to router example; introduced `plugin-registry` service (dev profile) running `registry:2` with port mapping and added quoting adjustment to `rustfs` service command. |
| **Configuration Structures**: `router/pkg/config/config.go`, `router/pkg/grpcconnector/grpcpluginoci/grpc_oci_plugin.go` | Added `Insecure bool` field to `PluginRegistryConfiguration` struct; added `RegistryInsecure` to `GRPCPluginConfig` and `GRPCPlugin`; updated validation logic to permit token-less registry access when insecure mode is enabled; modified image pulling logic to conditionally apply `crane.Insecure` option based on registry security setting. |
| **Integration Points**: `router/core/graph_server.go`, `router-tests/testenv/testenv.go` | Updated plugin initialization to pass `RegistryInsecure` configuration value from server registry config to `GRPCPluginConfig`; updated test environment configuration to explicitly set `Insecure: true` when registry URL is provided. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main purpose of the PR: adding support for a local Docker registry to enable local gRPC plugin development, which is the central change across all modified files. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

codecov Bot commented Apr 20, 2026

Codecov Report

❌ Patch coverage is 0% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 51.83%. Comparing base (13a70dc) to head (6824841).
⚠️ Report is 26 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...pkg/grpcconnector/grpcpluginoci/grpc_oci_plugin.go | 0.00% | 11 Missing ⚠️ |
| router/core/graph_server.go | 0.00% | 1 Missing ⚠️ |

❌ Your patch check has failed because the patch coverage (0.00%) is below the target coverage (90.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files
@@             Coverage Diff             @@
##             main    #2778       +/-   ##
===========================================
- Coverage   64.45%   51.83%   -12.63%     
===========================================
  Files         311      364       +53     
  Lines       44295    37100     -7195     
  Branches     4764      467     -4297     
===========================================
- Hits        28551    19229     -9322     
- Misses      15721    16400      +679     
- Partials       23     1471     +1448     

| Files with missing lines | Coverage Δ |
|---|---|
| router/pkg/config/config.go | 50.64% <ø> (ø) |
| router/core/graph_server.go | 82.60% <0.00%> (ø) |
| ...pkg/grpcconnector/grpcpluginoci/grpc_oci_plugin.go | 0.00% <0.00%> (ø) |

... and 672 files with indirect coverage changes

github-actions Bot commented Apr 20, 2026

Router image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-33eaa0f6879a9c622043090941cfc261c045df56


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

📥 Commits

Reviewing files that changed from the base of the PR and between d86216f and 6824841.

📒 Files selected for processing (7)
  • cli/.env.example
  • docker-compose.yml
  • router-tests/testenv/testenv.go
  • router/.env.example
  • router/core/graph_server.go
  • router/pkg/config/config.go
  • router/pkg/grpcconnector/grpcpluginoci/grpc_oci_plugin.go

Comment thread docker-compose.yml
Comment on lines +382 to +383

```yaml
ports:
  - '5050:5000'
```

⚠️ Potential issue | 🟠 Major

Bind local registry port to loopback to avoid LAN exposure.

Given this registry is intentionally unauthenticated/insecure, publishing on all interfaces is risky.

Safer port mapping
-      - '5050:5000'
+      - '127.0.0.1:5050:5000'
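
Review bot: on the `+` line, binding the host side to `127.0.0.1` needs checking against the `host.docker.internal:5050` address that the PR description and `cli/.env.example` configure for the registry. Confirm that CLI pushes and router pulls still reach the registry through that name once the port is published on loopback only, and if they do not, document which address to use instead.
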
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker-compose.yml` around lines 382 - 383, The docker-compose ports mapping
currently publishes the registry on all interfaces via the line '- '5050:5000'',
exposing an insecure unauthenticated registry to the LAN; change that mapping to
bind to loopback by replacing the host portion with 127.0.0.1 (i.e., update the
'- '5050:5000'' ports entry to use 127.0.0.1:5050:5000') so the registry listens
only on localhost.
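
The finding above turns on how a short-syntax Compose port mapping is read. The following is an added example, not code from this PR or from the Cosmo project: a small Go check that flags mappings not bound to loopback. The function names `hostIP`, `LoopbackOnly` and `Exposed` are hypothetical, and the sample mappings are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// hostIP extracts HOST_IP from [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO], or "" if absent.
func hostIP(mapping string) string {
	m := strings.TrimSpace(mapping)
	if i := strings.LastIndex(m, "/"); i >= 0 { // drop "/tcp" or "/udp"
		m = m[:i]
	}
	if strings.HasPrefix(m, "[") { // bracketed IPv6 host, e.g. [::1]:5050:5000
		if end := strings.Index(m, "]"); end > 0 {
			return m[1:end]
		}
		return ""
	}
	parts := strings.Split(m, ":")
	if len(parts) >= 3 { // HOST_IP:HOST_PORT:CONTAINER_PORT
		return strings.Join(parts[:len(parts)-2], ":")
	}
	return "" // "5050:5000" or "5000": no host address
}

// LoopbackOnly reports whether a mapping is published on a loopback address only.
// No host IP counts as exposed: Docker then binds all interfaces by default.
func LoopbackOnly(mapping string) bool {
	ip := net.ParseIP(hostIP(mapping))
	return ip != nil && ip.IsLoopback()
}

// Exposed returns the mappings that are not restricted to loopback.
func Exposed(mappings []string) []string {
	var out []string
	for _, m := range mappings {
		if !LoopbackOnly(m) {
			out = append(out, m)
		}
	}
	return out
}

func main() {
	// Constructed sample: the PR's mapping, the suggested one, and two variants.
	ports := []string{"5050:5000", "127.0.0.1:5050:5000", "0.0.0.0:5050:5000", "[::1]:5050:5000/tcp"}
	fmt.Println(Exposed(ports))
}
```
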

Comment thread router/.env.example
Comment on lines +15 to +18

```
# For local plugin development with docker-compose registry, set:
PLUGINS_REGISTRY_URL=localhost:5050
PLUGINS_REGISTRY_INSECURE=true
PLUGINS_ENABLED=true
```

⚠️ Potential issue | 🟡 Minor

Fix .env key ordering to satisfy dotenv-linter warnings.

Current order triggers UnorderedKey warnings.

Suggested reorder
-PLUGINS_REGISTRY_URL=localhost:5050
-PLUGINS_REGISTRY_INSECURE=true
-PLUGINS_ENABLED=true
+PLUGINS_ENABLED=true
+PLUGINS_REGISTRY_INSECURE=true
+PLUGINS_REGISTRY_URL=localhost:5050
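
Review bot: the reordered `+` lines still leave `PLUGINS_REGISTRY_INSECURE=true` and `PLUGINS_ENABLED=true` active in `router/.env.example`, even though the comment above them reads "For local plugin development with docker-compose registry, set:". Consider shipping the three keys commented out, so that copying the example file does not switch on plain-HTTP registry access unless the developer opts in. The value here is `localhost:5050` while the PR description uses `host.docker.internal:5050`; a one-line comment saying which address applies where would help.
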
🧰 Tools
🪛 dotenv-linter (4.0.0)

[warning] 17-17: [UnorderedKey] The PLUGINS_REGISTRY_INSECURE key should go before the PLUGINS_REGISTRY_URL key

(UnorderedKey)


[warning] 18-18: [UnorderedKey] The PLUGINS_ENABLED key should go before the PLUGINS_REGISTRY_INSECURE key

(UnorderedKey)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@router/.env.example` around lines 15 - 18, Dotenv-linter flags UnorderedKey
because the plugin env variables are not alphabetically ordered; reorder the
three keys so they are alphabetical (PLUGINS_ENABLED, PLUGINS_REGISTRY_INSECURE,
PLUGINS_REGISTRY_URL) while preserving their values (e.g., true/localhost:5050)
so the dotenv-linter no longer reports UnorderedKey for PLUGINS_REGISTRY_URL,
PLUGINS_REGISTRY_INSECURE, and PLUGINS_ENABLED.

@comatory comatory marked this pull request as ready for review April 28, 2026 08:24

@claude claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.
