@despia/local 1.0.4 → 1.0.6

package/README.md

@@ -1,10 +1,10 @@
 # @despia/local
 
-Universal build plugin to generate `despia/local.json` manifest for [Despia](https://despia.com) web-native apps. This manifest enables Despia Local Server, which runs your web app from a secure local HTTPS server on-device, providing full offline functionality with seamless updates.
+Universal build plugin to generate `despia/local.json` manifest for [Despia](https://despia.com) web-native apps. This manifest enables Despia's local server, which runs your web app from a local HTTP server on-device, providing full offline functionality with seamless updates.
 
-**Note**: Despia Local Server is optional. Normally, the Despia runtime can run your web app directly from a URL. Despia Local Server is for developers who need extra performance and full true native offline support.
+**Note**: Despia's local server is optional. Normally, the Despia runtime can run your web app directly from a URL. Despia's local server is for developers who need extra performance and full true native offline support.
 
-**Store Compliant**: Despia Local Server is fully compliant with Apple App Store and Google Play Store guidelines. It downloads and caches web content (HTML, CSS, JavaScript) for offline display in a WebView—identical to how web browsers work. No native code or executables are downloaded. See [Store Compliance & Security](#store-compliance--security) section for detailed compliance information.
+**Store Compliant**: Despia's local server is fully compliant with Apple App Store and Google Play Store guidelines. It downloads and caches web content (HTML, CSS, JavaScript) for offline display in a WebView—identical to how web browsers work. No native code or executables are downloaded. See [Store Compliance & Security](#store-compliance--security) section for detailed compliance information.
 
 ## Features
 
@@ -15,11 +15,11 @@ Universal build plugin to generate `despia/local.json` manifest for [Despia](htt
 - **Sorted Output** - Alphabetically sorted paths for consistent builds
 - **Standalone Script** - Can be used with any build system via CLI
 
-## About Despia Local Server
+## About Despia's Local Server
 
-**Note**: Despia Local Server is optional. Normally, the Despia runtime can run your web app directly from a URL. Despia Local Server is for developers who need extra performance and full true native offline support.
+**Note**: Despia's local server is optional. Normally, the Despia runtime can run your web app directly from a URL. Despia's local server is for developers who need extra performance and full true native offline support.
 
-Despia Local Server enables your web app to run entirely from a secure local HTTPS server on-device, providing a native app experience with full offline functionality.
+Despia's local server enables your web app to run entirely from a local HTTP server on-device, providing a native app experience with full offline functionality.
 
 ### Architecture
 
@@ -28,13 +28,13 @@ The Despia native container consists of:
 - **Native iOS/Android Container**: The native binary submitted to App Store/Play Store
   - WebView for UI rendering (WKWebView on iOS, WebView on Android)
   - JavaScript bridge for native API access (exposes native capabilities to web content via [`despia-native`](https://www.npmjs.com/package/despia-native))
-  - Local HTTPS server infrastructure (runs on-device only)
+  - Local HTTP server infrastructure (runs on-device only)
   - Storage and update management systems
 
 - **Web Content Layer** (downloaded and cached):
   - HTML, CSS, JavaScript files
   - Images, fonts, and other static assets
-  - Served from `https://localhost` after initial hydration
+  - Served from `http://localhost` after initial hydration
 
 **Key Architecture Principles:**
 - Web content updates (HTML/CSS/JS only)
@@ -50,14 +50,14 @@ The App Store/Play Store binary contains the native iOS/Android container (see [
 - Native code (Swift/Kotlin) for platform integration
 - WebView component for UI rendering
 - JavaScript bridge for native API access (exposes native capabilities to web content via [`despia-native`](https://www.npmjs.com/package/despia-native))
-- Local HTTPS server infrastructure (runs on-device only)
+- Local HTTP server infrastructure (runs on-device only)
 - Storage and update management systems
 - No web app assets (HTML, CSS, JavaScript) are bundled in the binary
 
 This approach keeps initial install sizes minimal and allows for rapid iteration of web UI without requiring app store resubmissions. **Important**: All native code, the JavaScript bridge, and app functionality are fixed at submission time and cannot be changed. Only web content (HTML/CSS/JS) can be updated.
 
 **First Launch Hydration**
-On first app launch, Despia securely downloads your latest web build (HTML, CSS, JavaScript, images, fonts) from your repository and stores it locally on the device. The local HTTPS server then begins serving your web content from `https://localhost`, providing a stable, secure origin for your web application.
+On first app launch, Despia securely downloads your latest web build (HTML, CSS, JavaScript, images, fonts) from your repository and stores it locally on the device. The local HTTP server then begins serving your web content from `http://localhost`, providing a stable origin for your web application.
 
 **Note on Compliance**: This process downloads and caches web content files only. No native code, executables, or binary files are downloaded. The JavaScript executes within the WebView's sandbox, identical to how Safari or Chrome render web pages.
 
@@ -67,7 +67,7 @@ After the initial hydration, your app operates completely offline:
 - No network connectivity required
 - Full SPA routing and navigation
 - Deep linking support
-- Stable HTTPS origin (`https://localhost`) for security
+- Stable HTTP origin (`http://localhost`) for hybrid app flexibility
 
 If the device goes offline permanently, the app continues to function using the last hydrated version, ensuring reliability even without connectivity.
 
@@ -84,7 +84,7 @@ When connectivity is available, Despia checks for updates in the background and
 
 **Compliance Summary for App Reviewers:**
 
-Despia Local Server downloads and caches web content files (HTML, CSS, JavaScript, images) for offline display in a WebView. This is identical to how web browsers (Safari, Chrome) download and render web pages. 
+Despia's local server downloads and caches web content files (HTML, CSS, JavaScript, images) for offline display in a WebView. This is identical to how web browsers (Safari, Chrome) download and render web pages. 
 
 **Key Compliance Points:**
 - No native code is downloaded or executed
@@ -133,7 +133,7 @@ See the [`despia-version-guard` documentation](https://www.npmjs.com/package/des
 
 ---
 
-Despia Local Server is fully compliant with both Apple App Store and Google Play Store guidelines. This section explains the compliance in detail.
+Despia's local server is fully compliant with both Apple App Store and Google Play Store guidelines. This section explains the compliance in detail.
 
 #### Apple App Store Compliance
 
@@ -141,7 +141,7 @@ Despia Local Server is fully compliant with both Apple App Store and Google Play
 > "Apps must not download, install, or execute code which introduces or changes features or functionality of the app, including other apps."
 
 **Compliance Statement:**
-Despia Local Server complies with this guideline because:
+Despia's local server complies with this guideline because:
 
 1. **No Native Code Execution**: The app does not download, install, or execute any native code (Swift, Objective-C, C++, etc.). All native code is fixed at App Store submission time and cannot be modified.
 
@@ -159,7 +159,7 @@ Despia Local Server complies with this guideline because:
 
    **Note**: This follows the same pattern as [Expo](https://expo.dev), which has been generally accepted by app stores. However, Apple's interpretation of "feature changes" under Guideline 3.3.2 is subjective, and your app could still face review challenges. It's recommended to be conservative with updates that significantly change app behavior, even when using existing native APIs.
 
-4. **On-Device Execution**: All web content is served from a local HTTPS server running on-device (`localhost`). No remote code execution occurs.
+4. **On-Device Execution**: All web content is served from a local HTTP server running on-device (`localhost`). No remote code execution occurs.
 
 **This approach is explicitly permitted** under App Store guidelines, as evidenced by:
 - Safari and other browsers downloading and rendering web content
@@ -173,7 +173,7 @@ Despia Local Server complies with this guideline because:
 > "Apps must not download executable code (e.g., dex, JAR, .so files) from a source other than Google Play."
 
 **Compliance Statement:**
-Despia Local Server complies with this policy because:
+Despia's local server complies with this policy because:
 
 1. **No Executable Code Downloads**: The app does not download any executable code (`.dex`, `.jar`, `.so`, `.apk`, or native binaries). Only web content files (HTML, CSS, JavaScript, images, fonts) are downloaded.
 
@@ -236,12 +236,87 @@ This follows the same pattern as established frameworks like [Expo](https://expo
 - Consider submitting major feature additions through the normal App Store review process when possible
 
 **Security Model:**
-- All web content is served from `https://localhost` (on-device only)
+- All web content is served from `http://localhost` (on-device only)
 - WebView sandbox enforces same-origin policy
 - No network access to external servers after initial hydration
 - Content Security Policy (CSP) can be enforced
 - All execution happens within WebView's security boundaries
 
+### HTTP vs HTTPS for Local Apps
+
+Despia's local server uses **HTTP** for serving local content. This design choice provides important flexibility for hybrid apps while maintaining full security through `localhost`'s inherent security guarantees.
+
+#### Security Guarantees of localhost
+
+`http://localhost` is a **secure context** in all modern browsers and provides inherent security guarantees:
+
+1. **Reserved Hostname**: `localhost` is a reserved hostname that maps exclusively to `127.0.0.1` (IPv4) or `::1` (IPv6) on the local machine. It cannot be redirected or spoofed by external attackers.
+
+2. **No Network Exposure**: Traffic to `localhost` never leaves the device. All communication stays within the local machine, eliminating network-based attack vectors.
+
+3. **Secure Context**: `http://localhost` IS a secure context in browsers, meaning all modern Web APIs work perfectly:
+   - Service Workers
+   - Web Crypto API
+   - Geolocation API
+   - MediaDevices API
+   - And all other secure-context APIs
+
+4. **Cannot Be Spoofed**: External attackers cannot redirect `localhost` to their servers. The hostname is hardcoded to point to the local machine, providing the same security guarantees as HTTPS for local-only content.
+
+5. **On-Device Execution**: Combined with WebView sandbox isolation, same-origin policy, and Content Security Policy, `localhost` provides a secure execution environment without requiring encryption overhead.
+
+#### Why HTTP is the Right Choice for Hybrid Apps
+
+1. **Protocol Flexibility**: HTTP allows your app to load resources from both HTTPS (external APIs, CDNs) and HTTP (local server) origins without mixed content warnings. This is crucial for hybrid apps that need to:
+   - Load local assets from `http://localhost`
+   - Make API calls to `https://api.example.com`
+   - Embed external HTTPS resources (images, fonts, etc.)
+   - Work seamlessly across different network configurations
+
+2. **Secure Context Support**: `http://localhost` is treated as a secure context by browsers, meaning all modern Web APIs (Service Workers, Web Crypto API, Geolocation, etc.) work without requiring HTTPS.
+
+3. **Inherent Security**: `localhost` is a reserved hostname that can only point to the local machine (`127.0.0.1`). This means:
+   - Traffic never leaves the device (no network exposure)
+   - Cannot be spoofed or redirected by external attackers
+   - Provides the same security guarantees as HTTPS for local-only content
+
+4. **Simplified Development**: HTTP eliminates certificate management complexity for local development and testing. No need to generate, install, or manage SSL certificates for localhost.
+
+5. **Cross-Origin Resource Sharing (CORS)**: HTTP on localhost provides more predictable CORS behavior when mixing local and remote resources, reducing integration complexity.
+
+6. **Performance**: HTTP has slightly lower overhead than HTTPS, which is beneficial for local file serving where encryption isn't necessary since all content is already on-device and `localhost` provides inherent security.
+
+7. **Compatibility**: HTTP works consistently across all platforms and WebView implementations without requiring certificate pinning or trust store configuration.
+
+#### When HTTPS Might Be Needed
+
+While HTTP with `localhost` provides full security for local-only content, HTTPS might be required in specific scenarios:
+
+1. **Enterprise Compliance**: Some enterprise security policies require all network traffic (including local) to be encrypted, making HTTPS a requirement for certain deployment scenarios.
+
+2. **Certificate Validation**: HTTPS with proper certificate validation provides additional assurance that the local server hasn't been tampered with or replaced by malicious software. This can be important in high-security environments.
+
+3. **Security-in-Depth**: HTTPS enforces encryption even for local traffic, following security-in-depth principles. This protects against potential local network attacks or device-level interception in shared or untrusted environments.
+
+4. **Content Security Policy (CSP)**: HTTPS makes it easier to enforce strict CSP headers without mixed content warnings, though this is less relevant for local-only content.
+
+5. **Browser Security Indicators**: HTTPS provides visual security indicators (lock icon) that can increase user trust, even for local content.
+
+**Note**: For most hybrid app scenarios, HTTP with `localhost` provides the right balance of flexibility and security. The security comes from the reserved hostname and on-device execution, not encryption. However, if your use case requires HTTPS (e.g., enterprise compliance, strict security policies), you can configure your WebView to use HTTPS for the local server.
+
+#### Current Implementation Rationale
+
+Despia's local server uses HTTP because the primary use case is hybrid apps that need maximum flexibility to mix local and remote resources. The security model relies on:
+
+- **Secure Context**: `http://localhost` IS a secure context, enabling all modern Web APIs
+- **Reserved Hostname**: `localhost` is a reserved hostname (`127.0.0.1`) that cannot be spoofed
+- **On-Device Execution**: All traffic stays on-device (no network exposure)
+- **WebView Sandbox Isolation**: WebView enforces security boundaries
+- **Same-Origin Policy**: Browser enforces same-origin policy
+- **Content Security Policy**: CSP can be enforced when configured
+
+Security comes from the reserved hostname and on-device execution, not encryption. For most hybrid app scenarios, HTTP provides the right balance of flexibility and security.
+
 #### Comparison to Similar Technologies
 
 This approach is conceptually and technically identical to:
@@ -286,7 +361,7 @@ This is analogous to:
 
 #### Developer Responsibility
 
-When submitting apps using Despia Local Server:
+When submitting apps using Despia's local server:
 
 1. **App Store Submission**: Clearly state that the app uses a WebView to display web content that may be cached for offline use. This is standard practice and does not require special disclosure.
 
@@ -306,7 +381,7 @@ When submitting apps using Despia Local Server:
 
 ### The `local.json` Manifest
 
-The `despia/local.json` manifest generated by this plugin serves as an asset inventory for Despia Local Server. It contains a complete list of all assets that need to be cached locally, enabling:
+The `despia/local.json` manifest generated by this plugin serves as an asset inventory for Despia's local server. It contains a complete list of all assets that need to be cached locally, enabling:
 
 - **Complete Asset Discovery**: Ensures all files (JS, CSS, images, fonts, HTML) are properly cached
 - **Efficient Updates**: Allows Despia to determine which assets have changed between builds
@@ -568,17 +643,22 @@ All plugins accept the following options:
 
 ## Output Format
 
-The generated `despia/local.json` file contains a sorted JSON array of root-relative paths:
+The generated `despia/local.json` file contains an object with the entry HTML path and a sorted array of asset paths:
 
 ```json
-[
-  "/assets/app.abc123.css",
-  "/assets/app.def456.js",
-  "/assets/logo.xyz789.png",
-  "/index.html"
-]
+{
+  "entry": "/index.html",
+  "assets": [
+    "/assets/app.abc123.css",
+    "/assets/app.def456.js",
+    "/assets/logo.xyz789.png"
+  ]
+}
 ```
 
+- **`entry`**: The entry HTML file path (e.g., `/index.html`). **Required** - Local apps always need an entry point for client-side rendering. When `skipEntryHtml` is enabled, the entry is still required in the manifest but won't be included in the `assets` array.
+- **`assets`**: A sorted array of all asset paths (excluding the entry file).
+
 ## Examples
 
 ### React + Vite
@@ -668,8 +748,8 @@ export default defineConfig({
 2. **Scan Output Directory** - Recursively scans the build output directory for all files
 3. **Collect Asset Paths** - Collects paths from both the build tool's bundle metadata and file system
 4. **Normalize Paths** - Converts all paths to root-relative format (starting with `/`)
-5. **Include Entry HTML** - Ensures the entry HTML file is always included
-6. **Sort & Write** - Sorts paths alphabetically and writes to `despia/local.json`
+5. **Separate Entry from Assets** - Identifies the entry HTML file and separates it from other assets
+6. **Sort & Write** - Sorts asset paths alphabetically and writes object format `{ entry, assets }` to `despia/local.json`
 
 The generated manifest is then used by Despia during app hydration and updates to ensure all assets are properly cached for offline operation.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@despia/local",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "description": "Universal build plugin to generate despia/local.json manifest for offline caching in Despia web-native apps. Supports Vite, Webpack, Rollup, Nuxt, SvelteKit, Astro, Remix, esbuild, Parcel, and more.",
   "type": "module",
   "main": "./src/core.js",

package/src/astro.js

@@ -37,11 +37,12 @@ export default function despiaLocalIntegration(options = {}) {
         }
         
         try {
-          const paths = generateManifest({
+          const manifest = generateManifest({
             outputDir,
             entryHtml
           });
-          console.log(`✓ Generated despia/local.json with ${paths.length} assets`);
+          const entryInfo = manifest.entry ? ` and entry: ${manifest.entry}` : '';
+          console.log(`✓ Generated despia/local.json with ${manifest.assets.length} assets${entryInfo}`);
         } catch (error) {
           console.error('Error generating despia/local.json:', error.message);
         }

package/src/core.js

@@ -51,9 +51,9 @@ export function collectFiles(dir, baseDir = dir) {
  * @param {string} options.outputDir - Output directory path (where to scan for assets)
  * @param {string} options.entryHtml - Entry HTML filename (default: 'index.html')
  * @param {string[]} options.additionalPaths - Additional paths to include
- * @param {boolean} options.skipEntryHtml - Skip adding entry HTML to manifest (for SSR apps)
+ * @param {boolean} options.skipEntryHtml - Skip adding entry HTML to assets array (entry is still required in manifest)
  * @param {string} options.manifestOutputPath - Custom path for manifest file (default: outputDir/despia/local.json)
- * @returns {string[]} Array of all asset paths
+ * @returns {{entry: string, assets: string[]}} Object with entry path and assets array
  */
 export function generateManifest({ outputDir, entryHtml = 'index.html', additionalPaths = [], skipEntryHtml = false, manifestOutputPath = null }) {
   const outputPath = resolve(process.cwd(), outputDir);
@@ -77,16 +77,26 @@ export function generateManifest({ outputDir, entryHtml = 'index.html', addition
     assetPaths.add(normalizedPath);
   });
   
-  // Ensure entry HTML is included (unless skipped for SSR apps)
+  // Determine entry path (always required for local apps)
+  const entryPath = entryHtml.startsWith('/') 
+    ? entryHtml 
+    : '/' + entryHtml;
+  
+  // Add entry HTML to assets if not skipped (for SSR apps, entry is still required but not in assets)
   if (!skipEntryHtml) {
-    const entryPath = entryHtml.startsWith('/') 
-      ? entryHtml 
-      : '/' + entryHtml;
     assetPaths.add(entryPath);
   }
   
-  // Convert to sorted array
-  const sortedPaths = Array.from(assetPaths).sort();
+  // Include all assets (entry is included in assets array)
+  const assets = Array.from(assetPaths)
+    .filter(path => !skipEntryHtml || path !== entryPath)
+    .sort();
+  
+  // Create manifest object (entry is always required for local client-side apps)
+  const manifest = {
+    entry: entryPath,
+    assets: assets
+  };
   
   // Create directory for manifest if it doesn't exist
   const manifestDir = manifestOutputPath 
@@ -96,9 +106,9 @@ export function generateManifest({ outputDir, entryHtml = 'index.html', addition
     mkdirSync(manifestDir, { recursive: true });
   }
   
-  // Write formatted JSON array
-  const jsonContent = JSON.stringify(sortedPaths, null, 2);
+  // Write formatted JSON object
+  const jsonContent = JSON.stringify(manifest, null, 2);
   writeFileSync(manifestPath, jsonContent, 'utf-8');
   
-  return sortedPaths;
+  return manifest;
 }

package/src/esbuild.js

@@ -48,12 +48,13 @@ export function despiaLocalEsbuild(options = {}) {
         }
 
         try {
-          const paths = generateManifest({
+          const manifest = generateManifest({
             outputDir: outDirPath,
             entryHtml,
             additionalPaths
           });
-          console.log(`✓ Generated despia/local.json with ${paths.length} assets`);
+          const entryInfo = manifest.entry ? ` and entry: ${manifest.entry}` : '';
+          console.log(`✓ Generated despia/local.json with ${manifest.assets.length} assets${entryInfo}`);
         } catch (error) {
           console.error('Error generating despia/local.json:', error.message);
         }

package/src/nuxt.js

@@ -45,11 +45,12 @@ export default function DespiaLocalModule(moduleOptions) {
     
     for (const dir of altDirs) {
       try {
-        const paths = generateManifest({
+        const manifest = generateManifest({
           outputDir: dir,
           entryHtml: options.entryHtml
         });
-        console.log(`✓ Generated despia/local.json with ${paths.length} assets`);
+        const entryInfo = manifest.entry ? ` and entry: ${manifest.entry}` : '';
+        console.log(`✓ Generated despia/local.json with ${manifest.assets.length} assets${entryInfo}`);
         generated = true;
         break;
       } catch (e) {

package/src/parcel.js

@@ -35,12 +35,13 @@ export default function(api) {
       }
 
       try {
-        const paths = generateManifest({
+        const manifest = generateManifest({
           outputDir: api.options?.outDir || outDir,
           entryHtml,
           additionalPaths
         });
-        console.log(`✓ Generated despia/local.json with ${paths.length} assets`);
+        const entryInfo = manifest.entry ? ` and entry: ${manifest.entry}` : '';
+        console.log(`✓ Generated despia/local.json with ${manifest.assets.length} assets${entryInfo}`);
       } catch (error) {
         console.error('Error generating despia/local.json:', error.message);
         console.warn('💡 Tip: For Parcel projects, use the standalone CLI: "despia-local dist"');

package/src/remix.js

@@ -27,11 +27,12 @@ export function despiaLocalRemix(options = {}) {
       
       for (const outputDir of outputDirs) {
         try {
-          const paths = generateManifest({
+          const manifest = generateManifest({
             outputDir,
             entryHtml
           });
-          console.log(`✓ Generated despia/local.json with ${paths.length} assets`);
+          const entryInfo = manifest.entry ? ` and entry: ${manifest.entry}` : '';
+          console.log(`✓ Generated despia/local.json with ${manifest.assets.length} assets${entryInfo}`);
           return; // Success, exit
         } catch (error) {
           // Try next directory

package/src/rollup.js

@@ -31,12 +31,13 @@ export function despiaLocal(options = {}) {
       }
       
       try {
-        const paths = generateManifest({ 
+        const manifest = generateManifest({ 
           outputDir, 
           entryHtml,
           additionalPaths 
         });
-        console.log(`✓ Generated despia/local.json with ${paths.length} assets`);
+        const entryInfo = manifest.entry ? ` and entry: ${manifest.entry}` : '';
+        console.log(`✓ Generated despia/local.json with ${manifest.assets.length} assets${entryInfo}`);
       } catch (error) {
         console.error('Error generating despia/local.json:', error.message);
       }

package/src/sveltekit.js

@@ -27,11 +27,12 @@ export function despiaLocalSvelteKit(options = {}) {
       
       for (const outputDir of outputDirs) {
         try {
-          const paths = generateManifest({
+          const manifest = generateManifest({
             outputDir,
             entryHtml
           });
-          console.log(`✓ Generated despia/local.json with ${paths.length} assets`);
+          const entryInfo = manifest.entry ? ` and entry: ${manifest.entry}` : '';
+          console.log(`✓ Generated despia/local.json with ${manifest.assets.length} assets${entryInfo}`);
           return; // Success, exit
         } catch (error) {
           // Try next directory

package/src/vite.js

@@ -33,12 +33,13 @@ export function despiaLocalPlugin(options = {}) {
       }
       
       try {
-        const paths = generateManifest({ 
+        const manifest = generateManifest({ 
           outputDir, 
           entryHtml,
           additionalPaths 
         });
-        console.log(`✓ Generated despia/local.json with ${paths.length} assets`);
+        const entryInfo = manifest.entry ? ` and entry: ${manifest.entry}` : '';
+        console.log(`✓ Generated despia/local.json with ${manifest.assets.length} assets${entryInfo}`);
       } catch (error) {
         console.error('Error generating despia/local.json:', error.message);
       }

package/src/webpack.js

@@ -93,8 +93,26 @@ class DespiaLocalPlugin {
           this.scanPublicDir(this.options.publicDir, this.options.publicDir, assets);
         }
         
-        // 3. Generate sorted array (Despia format - just a JSON array)
-        const manifest = JSON.stringify([...assets].sort(), null, 2);
+        // 3. Generate object format (entry is included in assets array)
+        // Entry is always required for local client-side apps
+        const entryPath = this.options.entryHtml.startsWith('/') 
+          ? this.options.entryHtml 
+          : '/' + this.options.entryHtml;
+        
+        // Ensure entry is in assets if not skipped
+        if (!this.options.skipEntryHtml) {
+          assets.add(entryPath);
+        }
+        
+        const assetList = Array.from(assets)
+          .filter(path => !this.options.skipEntryHtml || path !== entryPath)
+          .sort();
+        
+        const manifestObj = {
+          entry: entryPath,
+          assets: assetList
+        };
+        const manifest = JSON.stringify(manifestObj, null, 2);
         
         // 4. Inject into webpack output at despia/local.json
         const manifestPath = this.options.manifestPath || 'despia/local.json';
@@ -103,7 +121,7 @@ class DespiaLocalPlugin {
           size: () => Buffer.byteLength(manifest, 'utf8')
         };
         
-        console.log(`✓ Injected despia/local.json into build with ${assets.size} assets`);
+        console.log(`✓ Injected despia/local.json into build with ${assetList.length} assets and entry: ${entryPath}`);
       } else {
         // Traditional mode: Write to filesystem (for other bundlers)
         const additionalPaths = new Set();
@@ -134,13 +152,14 @@ class DespiaLocalPlugin {
         
         try {
           const outputPath = compilation.compiler.outputPath || this.options.outDir;
-          const paths = generateManifest({
+          const manifest = generateManifest({
             outputDir: outputPath,
             entryHtml: this.options.entryHtml,
             additionalPaths: Array.from(additionalPaths),
             skipEntryHtml: this.options.skipEntryHtml
           });
-          console.log(`✓ Generated despia/local.json with ${paths.length} assets`);
+          const entryInfo = manifest.entry ? ` and entry: ${manifest.entry}` : '';
+          console.log(`✓ Generated despia/local.json with ${manifest.assets.length} assets${entryInfo}`);
         } catch (error) {
           console.error('Error generating despia/local.json:', error.message);
         }