@calimero-network/agent-skills 0.3.0 → 0.4.0
- package/README.md +137 -17
- package/SKILL.md +31 -28
- package/package.json +1 -1
- package/scripts/install.js +3 -3
- package/scripts/test.js +6 -15
- package/skills/calimero-abi-codegen/SKILL.md +121 -22
- package/skills/calimero-abi-codegen/references/abi-format.md +3 -5
- package/skills/calimero-abi-codegen/references/generated-output.md +12 -4
- package/skills/calimero-abi-codegen/rules/schema-version.md +11 -4
- package/skills/calimero-abi-codegen/rules/unique-names.md +2 -6
- package/skills/calimero-client-js/SKILL.md +126 -31
- package/skills/calimero-client-js/references/auth.md +18 -10
- package/skills/calimero-client-js/references/rpc-calls.md +15 -21
- package/skills/calimero-client-js/references/sso.md +9 -9
- package/skills/calimero-client-js/references/websocket-events.md +73 -92
- package/skills/calimero-client-js/rules/camelcase-api.md +10 -7
- package/skills/calimero-client-js/rules/token-refresh.md +11 -11
- package/skills/calimero-client-py/SKILL.md +25 -13
- package/skills/calimero-client-py/references/api.md +41 -43
- package/skills/calimero-client-py/references/auth.md +7 -7
- package/skills/calimero-client-py/rules/async-usage.md +27 -31
- package/skills/calimero-client-py/rules/stable-node-name.md +7 -7
- package/skills/calimero-core/SKILL.md +135 -0
- package/skills/calimero-core/references/architecture.md +101 -0
- package/skills/calimero-core/references/jsonrpc-protocol.md +192 -0
- package/skills/calimero-core/references/namespaces-groups.md +94 -0
- package/skills/calimero-core/references/storage-types.md +118 -0
- package/skills/calimero-core/references/websocket-events.md +142 -0
- package/skills/calimero-core/rules/context-is-not-app.md +35 -0
- package/skills/calimero-core/rules/crdt-types-only.md +55 -0
- package/skills/calimero-desktop/SKILL.md +24 -19
- package/skills/calimero-desktop/references/sso-integration.md +2 -2
- package/skills/calimero-desktop/rules/sso-fallback.md +3 -2
- package/skills/calimero-merobox/SKILL.md +255 -28
- package/skills/calimero-merobox/references/ci-integration.md +3 -2
- package/skills/calimero-merobox/references/workflow-files.md +7 -5
- package/skills/calimero-merobox/rules/docker-required.md +7 -6
- package/skills/calimero-meroctl/SKILL.md +68 -0
- package/skills/calimero-meroctl/references/commands.md +177 -0
- package/skills/calimero-meroctl/references/scripting.md +80 -0
- package/skills/calimero-meroctl/rules/call-view-flag.md +28 -0
- package/skills/calimero-meroctl/rules/register-node-once.md +34 -0
- package/skills/calimero-merod/SKILL.md +49 -0
- package/skills/calimero-merod/references/health-endpoints.md +90 -0
- package/skills/calimero-merod/references/init-flags.md +84 -0
- package/skills/calimero-merod/rules/init-before-run.md +40 -0
- package/skills/calimero-merod/rules/port-assignments.md +33 -0
- package/skills/calimero-node/SKILL.md +50 -39
- package/skills/calimero-node/references/context-lifecycle.md +34 -17
- package/skills/calimero-node/references/meroctl-commands.md +89 -99
- package/skills/calimero-node/rules/app-vs-context.md +4 -4
- package/skills/calimero-registry/SKILL.md +110 -31
- package/skills/calimero-registry/references/bundle-and-push.md +99 -34
- package/skills/calimero-registry/references/manifest-format.md +56 -35
- package/skills/calimero-registry/references/mero-sign.md +10 -9
- package/skills/calimero-registry/rules/key-security.md +3 -2
- package/skills/calimero-registry/rules/sign-before-pack.md +5 -5
- package/skills/calimero-rust-sdk/SKILL.md +154 -44
- package/skills/calimero-rust-sdk/references/blob-api.md +119 -0
- package/skills/calimero-rust-sdk/references/event-handlers.md +122 -0
- package/skills/calimero-rust-sdk/references/events.md +2 -1
- package/skills/calimero-rust-sdk/references/examples.md +81 -29
- package/skills/calimero-rust-sdk/references/migrations.md +123 -0
- package/skills/calimero-rust-sdk/references/nested-crdts.md +113 -0
- package/skills/calimero-rust-sdk/references/private-storage.md +76 -34
- package/skills/calimero-rust-sdk/references/state-collections.md +106 -21
- package/skills/calimero-rust-sdk/references/user-and-frozen-storage.md +169 -0
- package/skills/calimero-rust-sdk/rules/app-macro-placement.md +5 -2
- package/skills/calimero-rust-sdk/rules/no-std-collections.md +5 -2
- package/skills/calimero-rust-sdk/rules/state-derives.md +9 -10
- package/skills/calimero-rust-sdk/rules/wasm-constraints.md +12 -10
- package/skills/calimero-sdk-js/SKILL.md +34 -26
- package/skills/calimero-sdk-js/references/build-pipeline.md +6 -6
- package/skills/calimero-sdk-js/references/collections.md +11 -11
- package/skills/calimero-sdk-js/references/events.md +7 -3
- package/skills/calimero-sdk-js/rules/crdt-only-state.md +18 -18
- package/skills/calimero-sdk-js/rules/no-console-log.md +6 -6
- package/skills/calimero-sdk-js/rules/view-decorator.md +6 -4
|
@@ -1,51 +1,130 @@
|
|
|
1
1
|
# calimero-registry — Agent Instructions
|
|
2
2
|
|
|
3
|
-
You are helping a developer **
|
|
3
|
+
You are helping a developer **build and publish a Calimero app bundle** to the App Registry.
|
|
4
4
|
|
|
5
|
-
## Two tools
|
|
5
|
+
## Two tools
|
|
6
6
|
|
|
7
|
-
| Tool
|
|
8
|
-
|
|
|
9
|
-
| `
|
|
10
|
-
| `
|
|
7
|
+
| Tool | Install | Purpose |
|
|
8
|
+
| ------------------- | ----------------------------------------------- | ----------------------------------------------------------- |
|
|
9
|
+
| `calimero-registry` | `npm install -g @calimero-network/registry-cli` | Bundle creation and registry push |
|
|
10
|
+
| `mero-sign` | `cargo install mero-sign` | Ed25519 key management and manifest signing (for ownership) |
|
|
11
11
|
|
|
12
|
-
##
|
|
12
|
+
## Quick workflow
|
|
13
13
|
|
|
14
|
-
|
|
15
|
-
|
|
14
|
+
```bash
|
|
15
|
+
# 1. Install registry CLI
|
|
16
|
+
npm install -g @calimero-network/registry-cli
|
|
16
17
|
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
3. `mero-sign sign manifest.json --key key.json` ← sign first
|
|
21
|
-
4. `calimero-registry bundle create ...` ← bundle second
|
|
22
|
-
5. `calimero-registry bundle push ...` ← then push
|
|
18
|
+
# 2. Configure registry (one-time)
|
|
19
|
+
calimero-registry config set registry-url https://apps.calimero.network
|
|
20
|
+
calimero-registry config set api-key your-api-key
|
|
23
21
|
|
|
24
|
-
|
|
22
|
+
# 3. Build WASM (your app's build script)
|
|
23
|
+
./build.sh
|
|
25
24
|
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
25
|
+
# 4. Create bundle (WASM + metadata → .mpk)
|
|
26
|
+
calimero-registry bundle create \
|
|
27
|
+
--output myapp-1.0.0.mpk \
|
|
28
|
+
--name "My App" \
|
|
29
|
+
--description "Does something useful" \
|
|
30
|
+
--author "Your Name" \
|
|
31
|
+
--frontend "https://my-app.com" \
|
|
32
|
+
--github "https://github.com/yourorg/myapp" \
|
|
33
|
+
path/to/app.wasm \
|
|
34
|
+
com.yourorg.myapp \
|
|
35
|
+
1.0.0
|
|
36
|
+
|
|
37
|
+
# 5. Push to registry
|
|
38
|
+
calimero-registry bundle push myapp-1.0.0.mpk --remote
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
## Signing for ownership (optional but recommended)
|
|
42
|
+
|
|
43
|
+
The registry tracks package ownership via Ed25519 signatures. If you sign the manifest, your key
|
|
44
|
+
becomes the package owner — only your key (or keys in `manifest.owners`) can push future versions.
|
|
30
45
|
|
|
31
|
-
|
|
46
|
+
```bash
|
|
47
|
+
# Generate signing key (one-time)
|
|
32
48
|
mero-sign generate-key --output my-key.json
|
|
33
49
|
echo "my-key.json" >> .gitignore
|
|
34
50
|
|
|
35
|
-
#
|
|
36
|
-
mero-sign sign
|
|
51
|
+
# After bundle create, sign the manifest inside the bundle:
|
|
52
|
+
mero-sign sign path/to/manifest.json --key my-key.json
|
|
53
|
+
|
|
54
|
+
# Then push
|
|
55
|
+
calimero-registry bundle push myapp-1.0.0.mpk --remote
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
## Bundle create flags
|
|
59
|
+
|
|
60
|
+
| Flag | Required | Description |
|
|
61
|
+
| ----------------------- | -------- | ------------------------------------------------------ |
|
|
62
|
+
| `<wasm-file>` | Yes | Path to WASM binary (positional) |
|
|
63
|
+
| `[package]` | Yes | Reverse-domain package name (e.g. `com.yourorg.myapp`) |
|
|
64
|
+
| `[version]` | Yes | SemVer version (e.g. `1.0.0`) |
|
|
65
|
+
| `-o, --output <path>` | No | Output `.mpk` filename |
|
|
66
|
+
| `-m, --manifest <path>` | No | Read config from a manifest JSON file |
|
|
67
|
+
| `--name <name>` | No | App display name |
|
|
68
|
+
| `--description <text>` | No | Short description |
|
|
69
|
+
| `--author <name>` | No | Author name |
|
|
70
|
+
| `--frontend <url>` | No | Frontend URL (used by Desktop to open the app) |
|
|
71
|
+
| `--github <url>` | No | Source repository URL |
|
|
72
|
+
| `--docs <url>` | No | Documentation URL |
|
|
73
|
+
|
|
74
|
+
## Bundle push flags
|
|
75
|
+
|
|
76
|
+
```bash
|
|
77
|
+
# Push to local registry (default)
|
|
78
|
+
calimero-registry bundle push myapp-1.0.0.mpk --local
|
|
37
79
|
|
|
38
|
-
#
|
|
80
|
+
# Push to remote registry (uses config file)
|
|
81
|
+
calimero-registry bundle push myapp-1.0.0.mpk --remote
|
|
82
|
+
|
|
83
|
+
# Override config with flags
|
|
84
|
+
calimero-registry bundle push myapp-1.0.0.mpk \
|
|
85
|
+
--remote \
|
|
86
|
+
--url https://apps.calimero.network \
|
|
87
|
+
--api-key your-api-key
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
## Configuration
|
|
91
|
+
|
|
92
|
+
```bash
|
|
93
|
+
# Set defaults (stored in ~/.calimero-registry/remote-config.json)
|
|
94
|
+
calimero-registry config set registry-url https://apps.calimero.network
|
|
95
|
+
calimero-registry config set api-key your-api-key
|
|
96
|
+
calimero-registry config list
|
|
97
|
+
|
|
98
|
+
# Or use environment variables
|
|
99
|
+
export CALIMERO_REGISTRY_URL=https://apps.calimero.network
|
|
100
|
+
export CALIMERO_API_KEY=your-api-key
|
|
101
|
+
```
|
|
102
|
+
|
|
103
|
+
## Package naming rules
|
|
104
|
+
|
|
105
|
+
- Must be reverse-domain format: `com.yourorg.appname`
|
|
106
|
+
- Version must be SemVer without `v` prefix: `1.0.0` not `v1.0.0`
|
|
107
|
+
|
|
108
|
+
## Updating an existing app (new version)
|
|
109
|
+
|
|
110
|
+
```bash
|
|
39
111
|
calimero-registry bundle create \
|
|
40
|
-
--output myapp-1.
|
|
41
|
-
|
|
42
|
-
|
|
112
|
+
--output myapp-1.1.0.mpk \
|
|
113
|
+
--name "My App" \
|
|
114
|
+
path/to/app.wasm \
|
|
115
|
+
com.yourorg.myapp \
|
|
116
|
+
1.1.0
|
|
43
117
|
|
|
44
|
-
|
|
45
|
-
calimero-registry bundle push myapp-1.0.0.mpk --key my-key.json
|
|
118
|
+
calimero-registry bundle push myapp-1.1.0.mpk --remote
|
|
46
119
|
```
|
|
47
120
|
|
|
121
|
+
## Related skills
|
|
122
|
+
|
|
123
|
+
- **`calimero-rust-sdk`** — building the WASM app that gets published
|
|
124
|
+
- **`calimero-core`** — application/context model and how the registry integrates with node app
|
|
125
|
+
install
|
|
126
|
+
|
|
48
127
|
## References
|
|
49
128
|
|
|
50
|
-
See `references/` for manifest format, signing details, and push workflow.
|
|
51
|
-
|
|
129
|
+
See `references/` for manifest format, signing details, and push workflow. See `rules/` for hard
|
|
130
|
+
constraints.
|
|
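Review bot: in "Signing for ownership", the added steps sign `path/to/manifest.json` after `bundle create` and then push `myapp-1.0.0.mpk` unchanged, so the text never says how the signed manifest ends up inside the archive that is pushed. `rules/sign-before-pack.md` in this diff states that signing after `bundle create` will not work, and the removed lines here had sign first, bundle second. Pick one order, give the real manifest path relative to `--output`, and state whether `bundle push` repacks the signed manifest.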
@@ -1,16 +1,31 @@
|
|
|
1
1
|
# Bundle Create & Push
|
|
2
2
|
|
|
3
|
-
##
|
|
3
|
+
## Install
|
|
4
4
|
|
|
5
5
|
```bash
|
|
6
|
-
npm install -g calimero-registry
|
|
6
|
+
npm install -g @calimero-network/registry-cli
|
|
7
7
|
# or
|
|
8
|
-
pnpm add -g calimero-registry
|
|
8
|
+
pnpm add -g @calimero-network/registry-cli
|
|
9
|
+
```
|
|
10
|
+
|
|
11
|
+
## One-time configuration
|
|
12
|
+
|
|
13
|
+
```bash
|
|
14
|
+
calimero-registry config set registry-url https://apps.calimero.network
|
|
15
|
+
calimero-registry config set api-key your-api-key
|
|
16
|
+
calimero-registry config list
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
Or use environment variables:
|
|
20
|
+
|
|
21
|
+
```bash
|
|
22
|
+
export CALIMERO_REGISTRY_URL=https://apps.calimero.network
|
|
23
|
+
export CALIMERO_API_KEY=your-api-key
|
|
9
24
|
```
|
|
10
25
|
|
|
11
26
|
## Bundle create
|
|
12
27
|
|
|
13
|
-
|
|
28
|
+
Creates an `.mpk` bundle from a WASM file:
|
|
14
29
|
|
|
15
30
|
```bash
|
|
16
31
|
calimero-registry bundle create \
|
|
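Review bot: under "One-time configuration", `calimero-registry config set api-key your-api-key` puts the key on the command line, where it lands in shell history, and SKILL.md says the value is stored in `~/.calimero-registry/remote-config.json`. Suggest leading with the `CALIMERO_API_KEY` environment variable form for shared or CI machines, and note that the config file holds a credential and should be readable only by its owner.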
@@ -18,52 +33,102 @@ calimero-registry bundle create \
|
|
|
18
33
|
--name "My App" \
|
|
19
34
|
--description "Does something useful" \
|
|
20
35
|
--author "Your Name" \
|
|
21
|
-
--frontend "https://my-app
|
|
22
|
-
--github "https://github.com/yourorg/
|
|
36
|
+
--frontend "https://my-app.com" \
|
|
37
|
+
--github "https://github.com/yourorg/myapp" \
|
|
23
38
|
path/to/app.wasm \
|
|
24
|
-
com.yourorg.myapp
|
|
39
|
+
com.yourorg.myapp \
|
|
40
|
+
1.0.0
|
|
25
41
|
```
|
|
26
42
|
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
|
30
|
-
|
|
|
31
|
-
|
|
|
32
|
-
|
|
|
33
|
-
| `--
|
|
34
|
-
| `--
|
|
43
|
+
Positional arguments: `<wasm-file> [package] [version]`
|
|
44
|
+
|
|
45
|
+
| Flag | Required | Description |
|
|
46
|
+
| ----------------------- | -------- | ------------------------------------------------ |
|
|
47
|
+
| `-o, --output <path>` | No | Output `.mpk` filename |
|
|
48
|
+
| `-m, --manifest <path>` | No | Read metadata from a manifest JSON file |
|
|
49
|
+
| `--name <name>` | No | App display name |
|
|
50
|
+
| `--description <text>` | No | Short description |
|
|
51
|
+
| `--author <name>` | No | Author name |
|
|
52
|
+
| `--frontend <url>` | No | Frontend URL (Desktop uses this to open the app) |
|
|
53
|
+
| `--github <url>` | No | Source repository URL |
|
|
54
|
+
| `--docs <url>` | No | Documentation URL |
|
|
35
55
|
|
|
36
|
-
|
|
56
|
+
After creating, the CLI prints sign instructions:
|
|
57
|
+
|
|
58
|
+
```text
|
|
59
|
+
1. Sign the manifest: mero-sign sign <output>/manifest.json --key key.json
|
|
60
|
+
2. Push the bundle: calimero-registry bundle push <output> --remote
|
|
61
|
+
```
|
|
37
62
|
|
|
38
63
|
## Bundle push
|
|
39
64
|
|
|
40
65
|
```bash
|
|
41
|
-
|
|
66
|
+
# Push to remote registry (uses config file values)
|
|
67
|
+
calimero-registry bundle push myapp-1.0.0.mpk --remote
|
|
68
|
+
|
|
69
|
+
# Push to local registry
|
|
70
|
+
calimero-registry bundle push myapp-1.0.0.mpk --local
|
|
71
|
+
|
|
72
|
+
# Override config
|
|
73
|
+
calimero-registry bundle push myapp-1.0.0.mpk \
|
|
74
|
+
--remote \
|
|
75
|
+
--url https://apps.calimero.network \
|
|
76
|
+
--api-key your-api-key
|
|
42
77
|
```
|
|
43
78
|
|
|
44
|
-
|
|
45
|
-
1. Unpack the `.mpk`
|
|
46
|
-
2. Verify the Ed25519 signature against the manifest
|
|
47
|
-
3. Validate your authenticated email against org membership (if publishing to an org)
|
|
48
|
-
4. Store the bundle and make it discoverable
|
|
79
|
+
## Full publish workflow
|
|
49
80
|
|
|
50
|
-
|
|
81
|
+
```bash
|
|
82
|
+
# 1. Build WASM
|
|
83
|
+
./build.sh
|
|
51
84
|
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
85
|
+
# 2. Create bundle
|
|
86
|
+
calimero-registry bundle create \
|
|
87
|
+
--output myapp-1.0.0.mpk \
|
|
88
|
+
--name "My App" \
|
|
89
|
+
--frontend "https://my-app.com" \
|
|
90
|
+
path/to/app.wasm \
|
|
91
|
+
com.yourorg.myapp \
|
|
92
|
+
1.0.0
|
|
56
93
|
|
|
57
|
-
|
|
94
|
+
# 3. (Optional) Sign manifest for ownership
|
|
95
|
+
mero-sign sign myapp-1.0.0/manifest.json --key my-key.json
|
|
96
|
+
|
|
97
|
+
# 4. Push
|
|
98
|
+
calimero-registry bundle push myapp-1.0.0.mpk --remote
|
|
99
|
+
```
|
|
58
100
|
|
|
59
101
|
## Updating an existing app (new version)
|
|
60
102
|
|
|
61
103
|
```bash
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
104
|
+
calimero-registry bundle create \
|
|
105
|
+
--output myapp-1.1.0.mpk \
|
|
106
|
+
--name "My App" \
|
|
107
|
+
path/to/app.wasm \
|
|
108
|
+
com.yourorg.myapp \
|
|
109
|
+
1.1.0
|
|
110
|
+
|
|
111
|
+
calimero-registry bundle push myapp-1.1.0.mpk --remote
|
|
66
112
|
```
|
|
67
113
|
|
|
68
|
-
|
|
69
|
-
|
|
114
|
+
## CI/CD (GitHub Actions)
|
|
115
|
+
|
|
116
|
+
```yaml
|
|
117
|
+
- name: Install Registry CLI
|
|
118
|
+
run: npm install -g @calimero-network/registry-cli
|
|
119
|
+
|
|
120
|
+
- name: Create Bundle
|
|
121
|
+
run: |
|
|
122
|
+
calimero-registry bundle create \
|
|
123
|
+
--output app-${{ github.event.release.tag_name }}.mpk \
|
|
124
|
+
--name "My Application" \
|
|
125
|
+
./app.wasm \
|
|
126
|
+
com.yourorg.myapp \
|
|
127
|
+
${{ github.event.release.tag_name }}
|
|
128
|
+
|
|
129
|
+
- name: Publish Bundle
|
|
130
|
+
env:
|
|
131
|
+
CALIMERO_API_KEY: ${{ secrets.CALIMERO_API_KEY }}
|
|
132
|
+
run: |
|
|
133
|
+
calimero-registry bundle push app-${{ github.event.release.tag_name }}.mpk --remote
|
|
134
|
+
```
|
|
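Review bot: the "CI/CD (GitHub Actions)" example expands `${{ github.event.release.tag_name }}` directly inside `run:` and passes it as the bundle version. Release tags are commonly written `v1.0.0`, which the naming rules in this package reject, and inline expression expansion puts the tag text into the shell script itself; pass the tag through `env:` and strip a leading `v` before use. The example also has no `mero-sign` step, so say whether CI publishes are expected to be unsigned or how the `CALIMERO_SIGNING_KEY` secret named in `rules/key-security.md` fits in.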
@@ -1,46 +1,47 @@
|
|
|
1
|
-
# Manifest Format
|
|
1
|
+
# Manifest Format (V2)
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
The manifest describes the app bundle. It is generated by `calimero-registry bundle create` and can
|
|
4
|
+
optionally be signed with `mero-sign` before pushing.
|
|
4
5
|
|
|
5
|
-
##
|
|
6
|
+
## Bundle create generates this automatically
|
|
6
7
|
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
"name": "My App",
|
|
10
|
-
"version": "1.0.0",
|
|
11
|
-
"description": "A short description of what this app does.",
|
|
12
|
-
"repository": "https://github.com/yourorg/your-app",
|
|
13
|
-
"authors": ["Your Name <you@example.com>"],
|
|
14
|
-
"license": "MIT"
|
|
15
|
-
}
|
|
16
|
-
```
|
|
8
|
+
When you run `calimero-registry bundle create`, the CLI generates a `manifest.json` inside the
|
|
9
|
+
bundle directory. You can also supply a manifest via `-m, --manifest <path>` to pre-fill fields.
|
|
17
10
|
|
|
18
|
-
##
|
|
11
|
+
## Manifest V2 format
|
|
19
12
|
|
|
20
13
|
```json
|
|
21
14
|
{
|
|
22
|
-
"
|
|
23
|
-
"
|
|
24
|
-
"
|
|
25
|
-
"
|
|
26
|
-
|
|
27
|
-
|
|
15
|
+
"version": "1.0",
|
|
16
|
+
"package": "com.example.myapp",
|
|
17
|
+
"appVersion": "1.0.0",
|
|
18
|
+
"metadata": {
|
|
19
|
+
"name": "My Application",
|
|
20
|
+
"description": "Application description",
|
|
21
|
+
"author": "Your Name"
|
|
22
|
+
},
|
|
23
|
+
"wasm": {
|
|
24
|
+
"path": "app.wasm",
|
|
25
|
+
"hash": "sha256:...",
|
|
26
|
+
"size": 12345
|
|
27
|
+
},
|
|
28
28
|
"links": {
|
|
29
|
-
"frontend": "https://
|
|
30
|
-
"
|
|
29
|
+
"frontend": "https://example.com",
|
|
30
|
+
"github": "https://github.com/example/myapp",
|
|
31
|
+
"docs": "https://example.com/docs"
|
|
31
32
|
},
|
|
32
|
-
"
|
|
33
|
+
"minRuntimeVersion": "0.3.0"
|
|
33
34
|
}
|
|
34
35
|
```
|
|
35
36
|
|
|
36
|
-
## After signing
|
|
37
|
+
## After signing with mero-sign
|
|
37
38
|
|
|
38
39
|
mero-sign injects a `signature` block:
|
|
39
40
|
|
|
40
41
|
```json
|
|
41
42
|
{
|
|
42
|
-
"
|
|
43
|
-
"
|
|
43
|
+
"version": "1.0",
|
|
44
|
+
"package": "com.example.myapp",
|
|
44
45
|
...
|
|
45
46
|
"signature": {
|
|
46
47
|
"alg": "ed25519",
|
|
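Review bot: in the "Manifest V2 format" example, `wasm.hash` is shown as `sha256:...` with no statement of who checks it. Since `mero-sign` signs the manifest and not the WASM file, document whether the registry on push and the node on install recompute the digest of `app.wasm` and reject a mismatch. The heading says V2 while the example carries `"version": "1.0"`; add one line on what `version` denotes next to `appVersion`.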
@@ -51,13 +52,33 @@ mero-sign injects a `signature` block:
|
|
|
51
52
|
}
|
|
52
53
|
```
|
|
53
54
|
|
|
54
|
-
##
|
|
55
|
+
## Package ownership
|
|
56
|
+
|
|
57
|
+
- The first push establishes the package owner via the Ed25519 `signature.pubkey`
|
|
58
|
+
- Only the owner (or keys in `manifest.owners`) can push subsequent versions
|
|
59
|
+
- For team publishing, add teammates' public keys to `manifest.owners`:
|
|
60
|
+
|
|
61
|
+
```json
|
|
62
|
+
{
|
|
63
|
+
"version": "1.0",
|
|
64
|
+
"package": "com.example.myapp",
|
|
65
|
+
"owners": [
|
|
66
|
+
"yuKE404BaldXazEIUC4XrVGFyXxxyoRVjrrGhcKk1P4",
|
|
67
|
+
"anotherTeammatePubKey..."
|
|
68
|
+
],
|
|
69
|
+
...
|
|
70
|
+
}
|
|
71
|
+
```
|
|
72
|
+
|
|
73
|
+
## Package naming
|
|
74
|
+
|
|
75
|
+
| Rule | Example |
|
|
76
|
+
| --------------------------- | ------------------------ |
|
|
77
|
+
| Must be reverse-domain | `com.yourorg.appname` ✅ |
|
|
78
|
+
| Version must be full SemVer | `1.0.0` ✅ |
|
|
79
|
+
| No `v` prefix on version | `v1.0.0` ❌ |
|
|
80
|
+
|
|
81
|
+
## `links.frontend` is used by Desktop
|
|
55
82
|
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
| `name` | Yes | Display name |
|
|
59
|
-
| `version` | Yes | Semver — `MAJOR.MINOR.PATCH` |
|
|
60
|
-
| `description` | Yes | Short description |
|
|
61
|
-
| `repository` | Yes | GitHub or other source URL |
|
|
62
|
-
| `links.frontend` | No | Used by Desktop to open the app UI |
|
|
63
|
-
| `min_runtime_version` | No | Minimum `merod` version required |
|
|
83
|
+
The Desktop app reads `links.frontend` to know which URL to open when a user opens this app. Always
|
|
84
|
+
include it.
|
|
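Review bot: "Package ownership" says the first push establishes the owner from `signature.pubkey`, but SKILL.md now labels signing optional, so the text leaves open who owns a package whose first push was unsigned and whether a later signed push from another key can claim it. State that case explicitly. For `manifest.owners`, say whether the registry authorizes a push against the owners recorded from the previous version or against the list in the incoming manifest. The per-field Required table was also removed here without a V2 replacement.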
@@ -25,16 +25,16 @@ Produces:
|
|
|
25
25
|
```json
|
|
26
26
|
{
|
|
27
27
|
"private_key": "PZbZ5yM9t63qOHMM-CCzExbNv8u79XTxZT9UW8GQJ60",
|
|
28
|
-
"public_key":
|
|
29
|
-
"signer_id":
|
|
28
|
+
"public_key": "yuKE404BaldXazEIUC4XrVGFyXxxyoRVjrrGhcKk1P4",
|
|
29
|
+
"signer_id": "did:key:z6Mkt7Ejb12a1BxvRiUpd5YWkMrk8KVjaShW2vMt6trm7FGH"
|
|
30
30
|
}
|
|
31
31
|
```
|
|
32
32
|
|
|
33
|
-
| Field
|
|
34
|
-
|
|
|
35
|
-
| `private_key` | Base64url Ed25519 secret (32 bytes). Never share or commit.
|
|
36
|
-
| `public_key`
|
|
37
|
-
| `signer_id`
|
|
33
|
+
| Field | Description |
|
|
34
|
+
| ------------- | ------------------------------------------------------------------------- |
|
|
35
|
+
| `private_key` | Base64url Ed25519 secret (32 bytes). Never share or commit. |
|
|
36
|
+
| `public_key` | Base64url public key (32 bytes). Embedded in every signed manifest. |
|
|
37
|
+
| `signer_id` | `did:key` DID representation. Used as identity reference in the registry. |
|
|
38
38
|
|
|
39
39
|
## Sign a manifest
|
|
40
40
|
|
|
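Review bot: the sample output prints a complete `private_key` beside a `public_key`, and the same `public_key` value is reused as the first entry of `owners` in `references/manifest-format.md`. Label the block as an example key that must not be used, and put an obvious placeholder in the `owners` example so nobody copies in a key whose private half is published.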
@@ -45,7 +45,7 @@ mero-sign sign manifest.json --key key.json
|
|
|
45
45
|
|
|
46
46
|
## How signing works
|
|
47
47
|
|
|
48
|
-
```
|
|
48
|
+
```text
|
|
49
49
|
manifest.json (signature field absent or empty)
|
|
50
50
|
│
|
|
51
51
|
▼ Remove signature + all _* prefixed fields
|
|
@@ -63,7 +63,8 @@ mero-sign sign manifest.json --key key.json
|
|
|
63
63
|
|
|
64
64
|
## Team workflow
|
|
65
65
|
|
|
66
|
-
Each developer keeps their own key — the registry validates org membership via authenticated email,
|
|
66
|
+
Each developer keeps their own key — the registry validates org membership via authenticated email,
|
|
67
|
+
not by which key was used.
|
|
67
68
|
|
|
68
69
|
```bash
|
|
69
70
|
# Each developer once:
|
|
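Review bot: the rewrapped sentence under "Team workflow" keeps the claim that the registry validates org membership via authenticated email, not by which key was used, while the new "Package ownership" section in `references/manifest-format.md` says only the owner key or keys in `manifest.owners` can push later versions. Reconcile the two, or state that both checks apply and in what order.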
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# Rule: Never commit key.json
|
|
2
2
|
|
|
3
|
-
The signing key file contains your Ed25519 private key. If committed to version control,
|
|
4
|
-
|
|
3
|
+
The signing key file contains your Ed25519 private key. If committed to version control, anyone with
|
|
4
|
+
repo access can sign bundles as you and publish malicious apps under your identity.
|
|
5
5
|
|
|
6
6
|
## Required steps
|
|
7
7
|
|
|
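Review bot: the rule is titled for `key.json`, but the updated SKILL.md generates `my-key.json` and the rotation example in this file writes `new-key.json`. Word the rule around any file produced by `mero-sign generate-key`, and suggest an ignore pattern that covers all of those names rather than one literal filename.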
@@ -34,6 +34,7 @@ Store `CALIMERO_SIGNING_KEY` as a repository secret (GitHub Secrets, etc.), neve
|
|
|
34
34
|
## If you accidentally committed a key
|
|
35
35
|
|
|
36
36
|
Rotate immediately:
|
|
37
|
+
|
|
37
38
|
```bash
|
|
38
39
|
mero-sign generate-key --output new-key.json
|
|
39
40
|
# Update your public key in the registry
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# Rule: Sign the manifest BEFORE bundling
|
|
2
2
|
|
|
3
|
-
mero-sign operates on a standalone `manifest.json` file — not on a `.mpk` archive.
|
|
4
|
-
|
|
3
|
+
mero-sign operates on a standalone `manifest.json` file — not on a `.mpk` archive. Signing after
|
|
4
|
+
`bundle create` will not work because the manifest is already packed.
|
|
5
5
|
|
|
6
6
|
## WRONG order:
|
|
7
7
|
|
|
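Review bot: the added sentence "Signing after `bundle create` will not work because the manifest is already packed" contradicts the updated SKILL.md and `references/bundle-and-push.md`, which both run `mero-sign sign` after `bundle create`, and the CLI output quoted there tells the user to do the same. Either this rule or those workflows is out of date; align them so the package gives one signing order.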
@@ -20,6 +20,6 @@ calimero-registry bundle push app.mpk --key key.json # ✓ then push
|
|
|
20
20
|
|
|
21
21
|
## Why
|
|
22
22
|
|
|
23
|
-
The registry verifies the signature by re-running the RFC 8785 canonicalization on the
|
|
24
|
-
|
|
25
|
-
|
|
23
|
+
The registry verifies the signature by re-running the RFC 8785 canonicalization on the manifest
|
|
24
|
+
fields inside the bundle. If the manifest was modified after signing — including by the bundle tool
|
|
25
|
+
itself — the signature check fails with `400 invalid_signature`.
|
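Review bot: the context line in this hunk's header still shows `calimero-registry bundle push app.mpk --key key.json`, while SKILL.md in this diff replaces `--key my-key.json` with `--remote`. If `--key` is no longer a push flag, update the example in this rule. The "Why" text says a manifest modified by the bundle tool itself fails with `400 invalid_signature`; add how a user can confirm the signature is still valid locally before pushing.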