- Package layout:
  - cmd/dockercomms: CLI entrypoint
  - pkg/cli: Cobra commands and flag handling
  - pkg/config: Configuration loading
  - pkg/oci: OCI registry client (oras-go/v2 wrapper)
  - pkg/crypto: Sigstore verification (sigstore-go)
  - pkg/transfer: Chunking, compression, reassembly
- Send:
  - Read file, stream into chunks (tar+gzip or tar+zstd)
  - Compute digests, build manifest
  - HEAD each blob; upload missing blobs
  - Push manifest, tag with inbox-...
  - Sign with cosign (os/exec), attach bundle as artifact + tag
- Receive:
  - List tags with prefix inbox-<recipient_tag>-
  - Pull manifest, validate annotations, apply --since filter
  - Fetch bundle (referrers or tag fallback)
  - Verify with sigstore-go; ensure signed digest matches manifest
  - Download layers, reassemble by chunk index
  - Write to temp file, fsync, atomic rename
  - Optionally write receipt artifact
- Verify:
  - Resolve bundle (auto: referrers then tag; or explicit mode)
  - Verify bundle with sigstore-go policy
  - Ensure signed digest equals given digest
- Security properties:
  - Verify-before-materialize: never write payload until verification succeeds
  - Path traversal defense: filename is basename only
  - Constant-time comparisons where applicable
  - Hard limits on chunks and total size
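The receive-side tail (reassemble by chunk index, temp file, fsync, atomic rename) together with the four security properties above, as an added Go example that is not the project's own code: the function names `Materialize` and `SignedDigestMatches`, the `map[int][]byte` chunk representation, and the limit values are assumptions for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"os"
	"path/filepath"
)

// Hard limits on chunk count and reassembled size (assumed values, not the project's).
const MaxChunks, MaxTotalSize = 1024, int64(1 << 30)

// SignedDigestMatches compares the bundle's signed digest with the pulled manifest digest in constant time.
func SignedDigestMatches(signed, manifest string) bool {
	return subtle.ConstantTimeCompare([]byte(signed), []byte(manifest)) == 1
}

// Materialize reassembles chunks (keyed by index) into destDir only after the caller has
// verified the bundle; filename is reduced to its basename so "../../x" stays in destDir.
func Materialize(verified bool, destDir, filename string, chunks map[int][]byte) (string, error) {
	if !verified {
		return "", fmt.Errorf("refusing to write payload: bundle not verified")
	}
	if len(chunks) == 0 || len(chunks) > MaxChunks {
		return "", fmt.Errorf("chunk count %d outside 1..%d", len(chunks), MaxChunks)
	}
	name := filepath.Base(filename)
	if name == "." || name == ".." || name == "/" {
		return "", fmt.Errorf("invalid filename %q", filename)
	}
	tmp, err := os.CreateTemp(destDir, "."+name+".part-*")
	if err != nil {
		return "", err
	}
	defer func() { tmp.Close(); os.Remove(tmp.Name()) }() // Remove is a no-op once renamed
	for i, total := 0, int64(0); i < len(chunks); i++ { // index order, never map order
		data, ok := chunks[i]
		if total += int64(len(data)); !ok || total > MaxTotalSize {
			return "", fmt.Errorf("chunk %d missing, or payload over %d bytes", i, MaxTotalSize)
		}
		if _, err := tmp.Write(data); err != nil {
			return "", err
		}
	}
	if err := tmp.Sync(); err != nil { // fsync: durable before it becomes visible
		return "", err
	}
	final := filepath.Join(destDir, name)
	return final, os.Rename(tmp.Name(), final) // atomic: all-or-nothing from a reader's view
}
```

A failed verification returns before any temp file is created, and any error after that point removes the partial file, so the destination directory never holds an unverified or half-written payload.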