Registry Auth Pull Identity

Deploy pipeline calls `docker pull cgr.dev/acme-corp/nginx:latest` and receives `401 Unauthorized`. Operator last ran `chainctl auth login` 8 hours ago on a laptop; CI is not involved. Surface map requires `chainctl auth configur…

Agent runs `chainctl auth configure-docker` (or documents that the operator must) to refresh OIDC-backed registry tokens, verifies `docker pull` succeeds against `cgr.dev/acme-corp/nginx:latest`, and logs the identity used. Agent does not embed long-lived registry passwords in the deploy manifest.

Platform team wants `chainctl auth configure-docker --pull-token --ttl=24h --save` for a GitLab runner that only builds nightly. Token must be revocable via `chainctl iam identity delete`.

Agent creates pull token with `--ttl=24h` (or shorter justified window), stores only in GitLab masked variable, documents revocation steps mapping token → identity delete, and never prints token to build logs.

Incident response: token from `configure-docker --pull-token` was committed to a public gist. Two other CI identities (GitHub OIDC) must keep working.

Agent identifies the Chainguard identity backing the leaked token via chainctl, runs `chainctl iam identity delete` for that identity only, rotates secret in CI, and verifies OIDC identities still pull. Does not disable org-wide registry.