chore: clarify credential resolution

[matthiasbruns]

What this PR does / why we need it

Clarification of questions that came up according to how credentials (direct vs indirect) are being resolved.

Which issue(s) this PR fixes

Contributes: open-component-model/ocm-project#702
Contributes: open-component-model/ocm-project#980

[netlify]

✅ Deploy Preview for ocm-website ready!

Name	Link
🔨 Latest commit	32aa916
🔍 Latest deploy log	https://app.netlify.com/projects/ocm-website/deploys/6a0325501e01c100089bbea3
😎 Deploy Preview	https://deploy-preview-2446--ocm-website.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a subsection to the typed-credentials ADR describing credential resolution across three lookup paths (direct leaf credentials, indirect plugin-backed DAG resolution with ingestion-time cycle rejection, and repository fallback only when the DAG has no match) and appends a 2026-05-05 changelog entry summarizing these mechanics.

Changes

Typed credentials ADR

Layer / File(s)	Summary
Resolution mechanics docs/adr/0021_typed_credentials.md	New subsection describes credential resolution order: direct credentials (leaf-node only), indirect credentials (DAG edges created at ingestion, plugins resolved depth-first at lookup, cycles rejected at ingestion), and repository fallback (concurrent first-success lookup only when DAG has no match; no repository-to-repository recursion; indirect-backed credentials excluded).
Changelog entry docs/adr/0021_typed_credentials.md	Added 2026-05-05 changelog entry summarizing the three-path credential resolution mechanics and traversal/constraint behavior.

Sequence Diagrams

sequenceDiagram
  participant Ingestor
  participant Graph
  participant Plugin
  participant Repository
  Ingestor->>Graph: construct DAG (identities + credential nodes)
  Graph->>Plugin: depth-first resolve plugin-backed identity
  Plugin->>Graph: return child identities until leaf
  Graph->>Graph: detect and reject cycles at ingestion
  Graph->>Repository: if DAG has no match -> run repositories concurrently (first success wins)

Loading

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• open-component-model/open-component-model#2149: Related to typed credentials and resolver behavior; complements documented resolution order and fallback semantics.

Suggested labels

size/m

Suggested reviewers

• fabianburth
• morri-son

Poem

A rabbit hops through credential trees so neat,
Leaves hold direct secrets, plugins chase the beat,
DAGs are built at ingest — no cycles may meet,
Repos wait if the graph yields no treat,
Docs bloom bright — the spec is now complete! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore: clarify credential resolution' is concise and directly describes the main change—adding documentation to clarify credential resolution behavior.
Description check	✅ Passed	The description clearly explains the PR purpose (clarifying credential resolution questions) and references two related issues (ocm-project#702 and ocm-project#980).
Linked Issues check	✅ Passed	The PR contributes to issue #702 (Typed credentials EPIC) by providing documentation that clarifies credential resolution behavior, which supports the broader goal of creating a self-documenting credential system with clear specifications.
Out of Scope Changes check	✅ Passed	The PR contains only documentation changes (ADR update and changelog entry) directly related to clarifying credential resolution, with no unrelated code modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[fabianburth]

Why wasn't the maintainer team requested as reviewers here?

[matthiasbruns]

Why wasn't the maintainer team requested as reviewers here?

I have no idea - now I did a request - doesn't that usually happen by repo rules?

[jakobmoellerdev]

I think github is playing tricks on us again, we didnt change any rules.

[jakobmoellerdev]

@matthiasbruns needs a rebase, but still good