@verentis/cli 0.2.3 → 0.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -10,6 +10,21 @@ The Verentis CLI is three tools in one:
10
10
  npm install -g @verentis/cli
11
11
  ```
12
12
 
13
+ ## Staying up to date
14
+
15
+ The CLI checks the npm registry for a newer release at most once a day (in the background, so it never
16
+ slows a command down) and prints a one-line notice when one is available. Update in place with:
17
+
18
+ ```bash
19
+ verentis update # install the latest published version
20
+ verentis update --check # just report whether a newer version exists
21
+ verentis update --to 0.3.0 # install a specific version
22
+ ```
23
+
24
+ `update` detects your global package manager (npm/pnpm/yarn/bun). Silence the notice with
25
+ `VERENTIS_NO_UPDATE_CHECK=1` (it is also skipped in CI, on non-interactive output, and with `--json`).
26
+ Point `VERENTIS_UPDATE_REGISTRY` at a mirror if you install from a private registry.
27
+
13
28
  ## Sign in
14
29
 
15
30
  ```bash
@@ -116,10 +131,39 @@ verentis validate engine.yaml # manifest checks before
116
131
 
117
132
  `dev run` writes `.verentis/context.json` (mode 600 — contains a short-lived token; git-ignore `.verentis/`).
118
133
 
134
+ ### Standalone application launch
135
+
136
+ Applications that can open without a selected file opt in through their manifest:
137
+
138
+ ```yaml
139
+ spec:
140
+ entry: https://app.example.com
141
+ launch:
142
+ enabled: true
143
+ entry-point: home
144
+ pinnable: true
145
+ entry-points:
146
+ - id: home
147
+ route: /workspace
148
+ ```
149
+
150
+ `verentis init <name> --kind application` includes a commented launch template.
151
+ `verentis validate` verifies that `launch` is an object, `pinnable` is used only
152
+ with `enabled`, the selected entry-point id exists, and the launch resolves to
153
+ an absolute HTTP(S) iframe URL. Omit `spec.launch` for contextual file handlers
154
+ and headless apps.
155
+
156
+ At runtime this is still an iframe launch: the SDK receives
157
+ `context.surface === 'workspace'`, a resolved entry point, and no file context.
158
+
119
159
  ## Marketplace publishing
120
160
 
121
161
  ```bash
122
162
  verentis publisher create --name acme --display-name "Acme Inc."
163
+ verentis publisher create --name acme --display-name "Acme Inc." --logo ./brand/logo.png
164
+ verentis publisher update --description "Tools for data teams" --website https://acme.example
165
+ verentis publisher logo set ./brand/logo.svg
166
+ verentis publisher logo remove
123
167
  verentis keygen # Ed25519 signing key + register public half
124
168
  verentis init my-app --kind application
125
169
  verentis pack # signed .vpkg (--encrypt seals the payload)
@@ -139,15 +183,53 @@ verentis yank my-app 1.0.3
139
183
 
140
184
  Published versions are `Submitted` for moderation; once approved the marketplace countersigns them and they become installable.
141
185
 
186
+ ### Marketplace presentation
187
+
188
+ Applications, execution engines and bundles can add an optional top-level `marketplace` block:
189
+
190
+ ```yaml
191
+ marketplace:
192
+ logo: ./marketplace/logo.png
193
+ hero:
194
+ source: ./marketplace/hero.webp
195
+ alt: Abstract blue background behind the package title
196
+ images:
197
+ - source: ./marketplace/editor.png
198
+ alt: Editor showing a completed workflow
199
+ caption: Optional visible caption
200
+ readme: ./README.md
201
+ changelog: ./CHANGELOG.md
202
+ assets:
203
+ - "marketplace/docs/**/*.{png,jpg,jpeg,webp,svg}"
204
+ ```
205
+
206
+ Direct references are relative to the manifest directory and may not escape it. Hero and gallery `alt`
207
+ text is required for accessibility. Images must be PNG, JPEG, WebP or passive SVG content. Logos are
208
+ limited to 1 MiB; hero and gallery images are limited to 5 MiB each; galleries have at most 8 images.
209
+ The hero does not count toward that gallery limit, but it does count toward the 25 MiB total for all
210
+ unique presentation images. README and changelog Markdown files are each limited to 1 MiB.
211
+ `verentis validate` checks these paths, formats and limits before publishing.
212
+
142
213
  ## The `.vpkg` format
143
214
 
144
- A gzip tarball: `manifest.yaml` + `files/**` payload + `.verentis/` metadata (package.yaml, sha256 digests, DSSE signatures). Manifest references like `./schemas/x.json` resolve against `files/` — and against the children of the installed manifest node after installation. See the platform docs (`marketplace/packaging`) for the full specification.
215
+ A gzip tarball: `manifest.yaml` + `files/**` payload + optional plaintext `catalog/**` presentation
216
+ content + `.verentis/` metadata (package.yaml, sha256 digests, DSSE signatures). Manifest references
217
+ like `./schemas/x.json` resolve against `files/` — and against the children of the installed manifest
218
+ node after installation. See the platform docs (`marketplace/packaging`) for the full specification.
145
219
 
146
220
  Packing behaviour:
147
221
  - `packaging.files` globs select the payload; without them, applications automatically include every `./…` schema `source` referenced by the manifest.
148
- - Digests cover every payload entry; the registry rejects tampered packages.
222
+ - `pack --env production` merges `environments/production.yaml`; `--overlay <path>` selects an
223
+ explicit overlay, and `--version <version>` overrides the packed manifest version. `validate`
224
+ accepts the same overlay selectors.
225
+ - Marketplace files are selected independently of `packaging.files` and written to deterministic,
226
+ content-addressed `catalog/assets/**` and `catalog/docs/**` entries described by
227
+ `catalog/index.json` (schema version 1).
228
+ - Digests and signatures cover the manifest, every payload entry and every catalog entry; the registry rejects tampered packages.
149
229
  - With a configured signing key the digests document is DSSE-signed (Ed25519). Publishers with registered keys **must** sign uploads.
150
- - `pack --encrypt` seals the payload (AES-256-GCM, X25519 key wrapping per recipient — always including the `platform` escrow recipient so Verentis.Node can serve member reads).
230
+ - `pack --encrypt` seals only `files/**` (AES-256-GCM, X25519 key wrapping per recipient — always
231
+ including the `platform` escrow recipient so Verentis.Node can serve member reads). `catalog/**`
232
+ remains plaintext so the marketplace can render the approved presentation.
151
233
 
152
234
  ## Output & scripting
153
235