Add OCI store lifecycle and pull performance

Round out the store with garbage collection, caching, and a faster
pull path:

- origin sidecar attached to each unpacked image tree so the GC
  walker can attribute layer blobs back to their owning image
- root-set walker that joins image trees to blob digests
- mark-and-sweep `oci prune` with `--older-than` and `--keep-bytes`
- per-layer raw-tar snapshot cache (APFS clonefile) so re-unpacking
  the same layer reuses the previous extracted tree
- ChainID-keyed stack snapshot cache that materializes a full
  layer-stack tree in one clonefile when the chain has been seen
  before
- `layers/` schema marker v2 + auto-migration from legacy v1
  (legacy v1 entries wiped; blobs and image trees untouched)
- raw-tar layer apply mode used to populate the per-layer cache
- unpack orchestrator rewritten on raw + ChainID stack caches
- `oci rebuild-cache` for back-filling stack snapshots on stores
  that were created before the cache existed
- cross-image dedup metrics in `oci inspect` (layer-reuse %, bytes
  saved)
- `oci status` (text + `--json`) summarizing blobs / layers /
  stacks / pinned images
- `oci pull --refresh` to revalidate the top-level manifest against
  the registry without re-downloading unchanged layers
- parallel blob fetch via curl_multi
- HTTP Range resume for partial blob downloads
- per-blob progress callback + TTY / non-TTY renderers
- podman / skopeo-style `policy.json` schema and loader (default,
  per-transport, per-repository rules)
- `policy.json` plumbed into fetch and the `oci pull` CLI
- `registries.d/*` overlay merged with policy (per-registry
  insecure / ca_bundle / auth_file); CLI flags still win

Author: Max042004

Makefile

@@ -69,20 +69,27 @@ SRCS := \
     oci/ref.c \
     oci/cli.c \
     oci/digest.c \
+    oci/digest-set.c \
     oci/blob-store.c \
     oci/media-type.c \
     oci/manifest.c \
     oci/fetch.c \
     oci/store.c \
     oci/pull.c \
     oci/inspect.c \
+    oci/dedup-metrics.c \
+    oci/status.c \
+    oci/policy.c \
     oci/tar.c \
     oci/decompress.c \
     oci/layer-meta.c \
     oci/layer-apply.c \
+    oci/origin-meta.c \
     oci/volume.c \
+    oci/volume-list.c \
     oci/clone-rootfs.c \
     oci/unpack.c \
+    oci/rebuild-cache.c \
     oci/runspec.c \
     oci/path-resolve.c \
     oci/run.c
@@ -228,28 +235,64 @@ $(BUILD_DIR)/lib/oci-mock.o: CFLAGS += $(OPENSSL_CFLAGS)
 ## test mock terminates TLS using libssl from brew openssl@3 so the ca_file
 ## negative cases exercise a real certificate verification path.
 $(BUILD_DIR)/test-oci-fetch.o: CFLAGS += $(OPENSSL_CFLAGS)
-$(BUILD_DIR)/test-oci-fetch: $(BUILD_DIR)/test-oci-fetch.o $(BUILD_DIR)/lib/oci-mock.o $(BUILD_DIR)/oci/fetch.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/manifest.o $(BUILD_DIR)/oci/media-type.o $(BUILD_DIR)/oci/ref.o $(CJSON_OBJ) | $(BUILD_DIR)
+$(BUILD_DIR)/test-oci-fetch: $(BUILD_DIR)/test-oci-fetch.o $(BUILD_DIR)/lib/oci-mock.o $(BUILD_DIR)/oci/fetch.o $(BUILD_DIR)/oci/policy.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/manifest.o $(BUILD_DIR)/oci/media-type.o $(BUILD_DIR)/oci/ref.o $(CJSON_OBJ) | $(BUILD_DIR)
 	@echo "  LD      $@"
 	$(Q)$(CC) $(CFLAGS) -o $@ $^ -lcurl -lpthread $(OPENSSL_LDFLAGS)
 
 ## Build the OCI local store unit test (native macOS, no HVF). Pure C; links
 ## against the store wrapper plus its blob-store, digest, and cJSON deps.
 ## cJSON is required because store.c now reads / writes index.json.
-$(BUILD_DIR)/test-oci-store: $(BUILD_DIR)/test-oci-store.o $(BUILD_DIR)/oci/store.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/ref.o $(CJSON_OBJ) | $(BUILD_DIR)
+$(BUILD_DIR)/test-oci-store: $(BUILD_DIR)/test-oci-store.o $(BUILD_DIR)/oci/store.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/digest-set.o $(BUILD_DIR)/oci/manifest.o $(BUILD_DIR)/oci/media-type.o $(BUILD_DIR)/oci/origin-meta.o $(BUILD_DIR)/oci/volume-list.o $(BUILD_DIR)/oci/ref.o $(CJSON_OBJ) | $(BUILD_DIR)
 	@echo "  LD      $@"
 	$(Q)$(CC) $(CFLAGS) -o $@ $^
 
 ## Build the OCI pull pipeline unit test (native macOS, no HVF). Shares the
 ## TLS-terminating mock server with test-oci-fetch via tests/lib/oci-mock.
 $(BUILD_DIR)/test-oci-pull.o: CFLAGS += $(OPENSSL_CFLAGS)
-$(BUILD_DIR)/test-oci-pull: $(BUILD_DIR)/test-oci-pull.o $(BUILD_DIR)/lib/oci-mock.o $(BUILD_DIR)/oci/pull.o $(BUILD_DIR)/oci/store.o $(BUILD_DIR)/oci/fetch.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/manifest.o $(BUILD_DIR)/oci/media-type.o $(BUILD_DIR)/oci/ref.o $(CJSON_OBJ) | $(BUILD_DIR)
+$(BUILD_DIR)/test-oci-pull: $(BUILD_DIR)/test-oci-pull.o $(BUILD_DIR)/lib/oci-mock.o $(BUILD_DIR)/oci/pull.o $(BUILD_DIR)/oci/store.o $(BUILD_DIR)/oci/fetch.o $(BUILD_DIR)/oci/policy.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/digest-set.o $(BUILD_DIR)/oci/manifest.o $(BUILD_DIR)/oci/media-type.o $(BUILD_DIR)/oci/origin-meta.o $(BUILD_DIR)/oci/volume-list.o $(BUILD_DIR)/oci/ref.o $(CJSON_OBJ) | $(BUILD_DIR)
 	@echo "  LD      $@"
 	$(Q)$(CC) $(CFLAGS) -o $@ $^ -lcurl -lpthread $(OPENSSL_LDFLAGS)
 
 ## Build the OCI inspect renderer unit test (native macOS, no HVF). Pure
 ## offline: no fetcher, no mock server, no libcurl. Pre-populates the store
 ## via oci_blob_store_put_bytes + oci_store_put_ref.
-$(BUILD_DIR)/test-oci-inspect: $(BUILD_DIR)/test-oci-inspect.o $(BUILD_DIR)/oci/inspect.o $(BUILD_DIR)/oci/store.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/manifest.o $(BUILD_DIR)/oci/media-type.o $(BUILD_DIR)/oci/ref.o $(CJSON_OBJ) | $(BUILD_DIR)
+$(BUILD_DIR)/test-oci-inspect: $(BUILD_DIR)/test-oci-inspect.o $(BUILD_DIR)/oci/inspect.o $(BUILD_DIR)/oci/dedup-metrics.o $(BUILD_DIR)/oci/store.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/digest-set.o $(BUILD_DIR)/oci/manifest.o $(BUILD_DIR)/oci/media-type.o $(BUILD_DIR)/oci/origin-meta.o $(BUILD_DIR)/oci/volume-list.o $(BUILD_DIR)/oci/ref.o $(CJSON_OBJ) | $(BUILD_DIR)
+	@echo "  LD      $@"
+	$(Q)$(CC) $(CFLAGS) -o $@ $^
+
+## Build the OCI cross-image dedup metrics unit test (native macOS, no HVF).
+## Drives oci_dedup_metrics_compute against scratch stores hand-populated
+## via oci_blob_store_put_bytes + oci_store_put_ref. Same dependency set
+## as test-oci-inspect, plus oci/dedup-metrics.o.
+$(BUILD_DIR)/test-oci-dedup-metrics: $(BUILD_DIR)/test-oci-dedup-metrics.o $(BUILD_DIR)/oci/dedup-metrics.o $(BUILD_DIR)/oci/store.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/digest-set.o $(BUILD_DIR)/oci/manifest.o $(BUILD_DIR)/oci/media-type.o $(BUILD_DIR)/oci/origin-meta.o $(BUILD_DIR)/oci/volume-list.o $(BUILD_DIR)/oci/ref.o $(CJSON_OBJ) | $(BUILD_DIR)
+	@echo "  LD      $@"
+	$(Q)$(CC) $(CFLAGS) -o $@ $^
+
+## Build the OCI rebuild-cache unit test (native macOS, no HVF). Drives
+## oci_rebuild_cache against scratch stores hand-populated via oci_origin_write
+## into a fixture <volume>/images/sha256-<hex>/ tree, then asserts that
+## <store>/layers/stacks/sha256/<chain>/ entries are created (commit) or left
+## absent (dry-run). Same dependency set as test-oci-store plus oci/rebuild-
+## cache.o.
+$(BUILD_DIR)/test-oci-rebuild-cache: $(BUILD_DIR)/test-oci-rebuild-cache.o $(BUILD_DIR)/oci/rebuild-cache.o $(BUILD_DIR)/oci/store.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/digest-set.o $(BUILD_DIR)/oci/manifest.o $(BUILD_DIR)/oci/media-type.o $(BUILD_DIR)/oci/origin-meta.o $(BUILD_DIR)/oci/volume-list.o $(BUILD_DIR)/oci/ref.o $(CJSON_OBJ) | $(BUILD_DIR)
+	@echo "  LD      $@"
+	$(Q)$(CC) $(CFLAGS) -o $@ $^
+
+## Build the OCI store-wide status unit test (native macOS, no HVF). Drives
+## oci_status_compute against scratch stores hand-populated via
+## stage_image / oci_origin_write fixture helpers and asserts the aggregated
+## struct fields (pin entries, unpacked entries, reachable + populated
+## ratios, store totals). Same dependency set as test-oci-store plus
+## oci/status.o.
+$(BUILD_DIR)/test-oci-status: $(BUILD_DIR)/test-oci-status.o $(BUILD_DIR)/oci/status.o $(BUILD_DIR)/oci/store.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/digest-set.o $(BUILD_DIR)/oci/manifest.o $(BUILD_DIR)/oci/media-type.o $(BUILD_DIR)/oci/origin-meta.o $(BUILD_DIR)/oci/volume-list.o $(BUILD_DIR)/oci/ref.o $(CJSON_OBJ) | $(BUILD_DIR)
+	@echo "  LD      $@"
+	$(Q)$(CC) $(CFLAGS) -o $@ $^
+
+## Build the OCI policy.json schema and loader unit test (native macOS, no HVF).
+## Pure C; links against the policy translation unit plus cJSON for the JSON
+## parser. Drives oci_policy_load against per-test scratch HOME / XDG / override
+## trees under /tmp.
+$(BUILD_DIR)/test-oci-policy: $(BUILD_DIR)/test-oci-policy.o $(BUILD_DIR)/oci/policy.o $(CJSON_OBJ) | $(BUILD_DIR)
 	@echo "  LD      $@"
 	$(Q)$(CC) $(CFLAGS) -o $@ $^
 
@@ -282,7 +325,7 @@ $(BUILD_DIR)/test-oci-path-resolve: $(BUILD_DIR)/test-oci-path-resolve.o $(BUILD
 ## the test ships an in-file elfuse_launch stub that aborts when called,
 ## and every case installs a launch hook via oci_run_set_launch_for_testing
 ## before invoking oci_run, so the real VM bring-up never runs from a test.
-$(BUILD_DIR)/test-oci-run: $(BUILD_DIR)/test-oci-run.o $(BUILD_DIR)/oci/run.o $(BUILD_DIR)/oci/runspec.o $(BUILD_DIR)/oci/path-resolve.o $(BUILD_DIR)/oci/unpack.o $(BUILD_DIR)/oci/volume.o $(BUILD_DIR)/oci/clone-rootfs.o $(BUILD_DIR)/oci/layer-apply.o $(BUILD_DIR)/oci/layer-meta.o $(BUILD_DIR)/oci/decompress.o $(BUILD_DIR)/oci/tar.o $(BUILD_DIR)/oci/store.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/manifest.o $(BUILD_DIR)/oci/media-type.o $(BUILD_DIR)/oci/ref.o $(BUILD_DIR)/core/sysroot.o $(BUILD_DIR)/debug/log.o $(CJSON_OBJ) $(ZSTD_OBJS) | $(BUILD_DIR)
+$(BUILD_DIR)/test-oci-run: $(BUILD_DIR)/test-oci-run.o $(BUILD_DIR)/oci/run.o $(BUILD_DIR)/oci/runspec.o $(BUILD_DIR)/oci/path-resolve.o $(BUILD_DIR)/oci/unpack.o $(BUILD_DIR)/oci/volume.o $(BUILD_DIR)/oci/volume-list.o $(BUILD_DIR)/oci/clone-rootfs.o $(BUILD_DIR)/oci/layer-apply.o $(BUILD_DIR)/oci/layer-meta.o $(BUILD_DIR)/oci/origin-meta.o $(BUILD_DIR)/oci/decompress.o $(BUILD_DIR)/oci/tar.o $(BUILD_DIR)/oci/store.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/digest-set.o $(BUILD_DIR)/oci/manifest.o $(BUILD_DIR)/oci/media-type.o $(BUILD_DIR)/oci/ref.o $(BUILD_DIR)/core/sysroot.o $(BUILD_DIR)/debug/log.o $(CJSON_OBJ) $(ZSTD_OBJS) | $(BUILD_DIR)
 	@echo "  LD      $@"
 	$(Q)$(CC) $(CFLAGS) -o $@ $^ -lz
 
@@ -291,7 +334,7 @@ $(BUILD_DIR)/test-oci-run: $(BUILD_DIR)/test-oci-run.o $(BUILD_DIR)/oci/run.o $(
 ## plus image-config flags. Used by tests/test-oci-compat.sh and
 ## available standalone for one-off "shape an image from local files"
 ## experiments.
-$(BUILD_DIR)/oci-fixture-builder: $(BUILD_DIR)/lib/oci-fixture-builder.o $(BUILD_DIR)/oci/store.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/ref.o $(CJSON_OBJ) | $(BUILD_DIR)
+$(BUILD_DIR)/oci-fixture-builder: $(BUILD_DIR)/lib/oci-fixture-builder.o $(BUILD_DIR)/oci/store.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/digest-set.o $(BUILD_DIR)/oci/manifest.o $(BUILD_DIR)/oci/media-type.o $(BUILD_DIR)/oci/origin-meta.o $(BUILD_DIR)/oci/volume-list.o $(BUILD_DIR)/oci/ref.o $(CJSON_OBJ) | $(BUILD_DIR)
 	@echo "  LD      $@"
 	$(Q)$(CC) $(CFLAGS) -o $@ $^
 
@@ -307,6 +350,13 @@ $(BUILD_DIR)/test-oci-meta: $(BUILD_DIR)/test-oci-meta.o $(BUILD_DIR)/oci/layer-
 	@echo "  LD      $@"
 	$(Q)$(CC) $(CFLAGS) -o $@ $^
 
+## Build the OCI origin sidecar unit test (native macOS, no HVF). Drives
+## oci_origin_write against a tmpdir and verifies the resulting
+## .elfuse-origin.json by parsing it back through cJSON.
+$(BUILD_DIR)/test-oci-origin: $(BUILD_DIR)/test-oci-origin.o $(BUILD_DIR)/oci/origin-meta.o $(CJSON_OBJ) | $(BUILD_DIR)
+	@echo "  LD      $@"
+	$(Q)$(CC) $(CFLAGS) -o $@ $^
+
 ## Build the OCI layer applier unit test (native macOS, no HVF). Builds
 ## tar payloads in memory, drives them through oci_layer_apply into a
 ## tmp tree, and verifies filesystem state via lstat/readlink.
@@ -331,7 +381,7 @@ $(BUILD_DIR)/test-oci-clone: $(BUILD_DIR)/test-oci-clone.o $(BUILD_DIR)/oci/clon
 ## Build the OCI unpack orchestrator integration smoke (native macOS,
 ## no HVF). Pulls in the full Phase 2 OCI stack so the dependency
 ## edges between modules are exercised at link time.
-$(BUILD_DIR)/test-oci-unpack: $(BUILD_DIR)/test-oci-unpack.o $(BUILD_DIR)/oci/unpack.o $(BUILD_DIR)/oci/volume.o $(BUILD_DIR)/oci/clone-rootfs.o $(BUILD_DIR)/oci/layer-apply.o $(BUILD_DIR)/oci/layer-meta.o $(BUILD_DIR)/oci/decompress.o $(BUILD_DIR)/oci/tar.o $(BUILD_DIR)/oci/store.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/manifest.o $(BUILD_DIR)/oci/media-type.o $(BUILD_DIR)/oci/ref.o $(BUILD_DIR)/core/sysroot.o $(BUILD_DIR)/debug/log.o $(CJSON_OBJ) $(ZSTD_OBJS) | $(BUILD_DIR)
+$(BUILD_DIR)/test-oci-unpack: $(BUILD_DIR)/test-oci-unpack.o $(BUILD_DIR)/oci/unpack.o $(BUILD_DIR)/oci/volume.o $(BUILD_DIR)/oci/volume-list.o $(BUILD_DIR)/oci/clone-rootfs.o $(BUILD_DIR)/oci/layer-apply.o $(BUILD_DIR)/oci/layer-meta.o $(BUILD_DIR)/oci/origin-meta.o $(BUILD_DIR)/oci/decompress.o $(BUILD_DIR)/oci/tar.o $(BUILD_DIR)/oci/store.o $(BUILD_DIR)/oci/blob-store.o $(BUILD_DIR)/oci/digest.o $(BUILD_DIR)/oci/digest-set.o $(BUILD_DIR)/oci/manifest.o $(BUILD_DIR)/oci/media-type.o $(BUILD_DIR)/oci/ref.o $(BUILD_DIR)/core/sysroot.o $(BUILD_DIR)/debug/log.o $(CJSON_OBJ) $(ZSTD_OBJS) | $(BUILD_DIR)
 	@echo "  LD      $@"
 	$(Q)$(CC) $(CFLAGS) -o $@ $^ -lz
 

mk/tests.mk

@@ -8,7 +8,11 @@
         test-full test-multi-vcpu test-rwx \
         test-oci-ref test-oci-digest test-oci-blob-store test-oci-manifest \
         test-oci-fetch test-oci-fetch-online test-oci-store test-oci-pull \
-        test-oci-inspect test-oci-tar test-oci-decompress test-oci-meta \
+        test-oci-inspect test-oci-dedup-metrics test-oci-rebuild-cache \
+        test-oci-status \
+        test-oci-policy \
+        test-oci-tar test-oci-decompress test-oci-meta \
+        test-oci-origin \
         test-oci-layer-apply test-oci-volume test-oci-clone \
         test-oci-unpack test-oci-runspec test-oci-path-resolve \
         test-oci-run test-oci-compat oci-fixture-builder \
@@ -58,12 +62,22 @@ check: $(ELFUSE_BIN) $(TEST_DEPS) check-syscall-coverage
 	@$(MAKE) --no-print-directory test-oci-pull
 	@printf "\n$(BLUE)━━━ OCI inspect renderer unit tests ━━━$(RESET)\n"
 	@$(MAKE) --no-print-directory test-oci-inspect
+	@printf "\n$(BLUE)━━━ OCI cross-image dedup metrics unit tests ━━━$(RESET)\n"
+	@$(MAKE) --no-print-directory test-oci-dedup-metrics
+	@printf "\n$(BLUE)━━━ OCI rebuild-cache unit tests ━━━$(RESET)\n"
+	@$(MAKE) --no-print-directory test-oci-rebuild-cache
+	@printf "\n$(BLUE)━━━ OCI store-wide status unit tests ━━━$(RESET)\n"
+	@$(MAKE) --no-print-directory test-oci-status
+	@printf "\n$(BLUE)━━━ OCI policy.json loader unit tests ━━━$(RESET)\n"
+	@$(MAKE) --no-print-directory test-oci-policy
 	@printf "\n$(BLUE)━━━ OCI tar reader unit tests ━━━$(RESET)\n"
 	@$(MAKE) --no-print-directory test-oci-tar
 	@printf "\n$(BLUE)━━━ OCI decompression dispatch unit tests ━━━$(RESET)\n"
 	@$(MAKE) --no-print-directory test-oci-decompress
 	@printf "\n$(BLUE)━━━ OCI sidecar metadata unit tests ━━━$(RESET)\n"
 	@$(MAKE) --no-print-directory test-oci-meta
+	@printf "\n$(BLUE)━━━ OCI origin sidecar unit tests ━━━$(RESET)\n"
+	@$(MAKE) --no-print-directory test-oci-origin
 	@printf "\n$(BLUE)━━━ OCI layer applier unit tests ━━━$(RESET)\n"
 	@$(MAKE) --no-print-directory test-oci-layer-apply
 	@printf "\n$(BLUE)━━━ OCI volume bootstrap unit tests ━━━$(RESET)\n"
@@ -120,6 +134,32 @@ test-oci-pull: $(BUILD_DIR)/test-oci-pull
 test-oci-inspect: $(BUILD_DIR)/test-oci-inspect
 	@$(BUILD_DIR)/test-oci-inspect
 
+## Run the OCI cross-image dedup metrics unit tests (native, no HVF, no network).
+## Phase 1 Plan 3 C3.4: validates oci_dedup_metrics_compute against pin-only
+## and pin + unpacked-tree scratch stores.
+test-oci-dedup-metrics: $(BUILD_DIR)/test-oci-dedup-metrics
+	@$(BUILD_DIR)/test-oci-dedup-metrics
+
+## Run the OCI rebuild-cache unit tests (native, no HVF, no network).
+## Phase 1 Plan 3 C3.5: validates oci_rebuild_cache against scratch
+## stores hand-populated via oci_origin_write into a fixture
+## <volume>/images/sha256-<hex>/ tree.
+test-oci-rebuild-cache: $(BUILD_DIR)/test-oci-rebuild-cache
+	@$(BUILD_DIR)/test-oci-rebuild-cache
+
+## Run the OCI store-wide status unit tests (native, no HVF, no network).
+## Phase 1 Plan 4 C4.1: validates oci_status_compute against scratch stores
+## hand-populated via stage_image + oci_origin_write fixture helpers.
+test-oci-status: $(BUILD_DIR)/test-oci-status
+	@$(BUILD_DIR)/test-oci-status
+
+## Run the OCI policy.json schema and loader unit tests (native, no HVF,
+## no network). Phase 1 Plan 6 C6.1: validates oci_policy_load against
+## scratch HOME / XDG / override trees, the load-order chain, and the
+## per-host effective view returned by oci_policy_lookup.
+test-oci-policy: $(BUILD_DIR)/test-oci-policy
+	@$(BUILD_DIR)/test-oci-policy
+
 ## Run the OCI tar reader unit tests (native, no HVF, no network)
 test-oci-tar: $(BUILD_DIR)/test-oci-tar
 	@$(BUILD_DIR)/test-oci-tar
@@ -132,6 +172,13 @@ test-oci-decompress: $(BUILD_DIR)/test-oci-decompress
 test-oci-meta: $(BUILD_DIR)/test-oci-meta
 	@$(BUILD_DIR)/test-oci-meta
 
+## Run the OCI origin sidecar unit tests (native, no HVF, no network).
+## Covers oci_origin_write + cJSON parse-back round-trips. Phase 3 sees
+## the file in unpacked image directories; Plan 1's root-set walker
+## consumes it to attribute layer blobs back to live sysroots.
+test-oci-origin: $(BUILD_DIR)/test-oci-origin
+	@$(BUILD_DIR)/test-oci-origin
+
 ## Run the OCI layer applier unit tests (native, no HVF, no network)
 test-oci-layer-apply: $(BUILD_DIR)/test-oci-layer-apply
 	@$(BUILD_DIR)/test-oci-layer-apply