@verentis/cli 0.2.4 → 0.2.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +70 -3
- package/dist/index.js +637 -79
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -131,10 +131,39 @@ verentis validate engine.yaml # manifest checks before
|
|
|
131
131
|
|
|
132
132
|
`dev run` writes `.verentis/context.json` (mode 600 — contains a short-lived token; git-ignore `.verentis/`).
|
|
133
133
|
|
|
134
|
+
### Standalone application launch
|
|
135
|
+
|
|
136
|
+
Applications that can open without a selected file opt in through their manifest:
|
|
137
|
+
|
|
138
|
+
```yaml
|
|
139
|
+
spec:
|
|
140
|
+
entry: https://app.example.com
|
|
141
|
+
launch:
|
|
142
|
+
enabled: true
|
|
143
|
+
entry-point: home
|
|
144
|
+
pinnable: true
|
|
145
|
+
entry-points:
|
|
146
|
+
- id: home
|
|
147
|
+
route: /workspace
|
|
148
|
+
```
|
|
149
|
+
|
|
150
|
+
`verentis init <name> --kind application` includes a commented launch template.
|
|
151
|
+
`verentis validate` verifies that `launch` is an object, `pinnable` is used only
|
|
152
|
+
with `enabled`, the selected entry-point id exists, and the launch resolves to
|
|
153
|
+
an absolute HTTP(S) iframe URL. Omit `spec.launch` for contextual file handlers
|
|
154
|
+
and headless apps.
|
|
155
|
+
|
|
156
|
+
At runtime this is still an iframe launch: the SDK receives
|
|
157
|
+
`context.surface === 'workspace'`, a resolved entry point, and no file context.
|
|
158
|
+
|
|
134
159
|
## Marketplace publishing
|
|
135
160
|
|
|
136
161
|
```bash
|
|
137
162
|
verentis publisher create --name acme --display-name "Acme Inc."
|
|
163
|
+
verentis publisher create --name acme --display-name "Acme Inc." --logo ./brand/logo.png
|
|
164
|
+
verentis publisher update --description "Tools for data teams" --website https://acme.example
|
|
165
|
+
verentis publisher logo set ./brand/logo.svg
|
|
166
|
+
verentis publisher logo remove
|
|
138
167
|
verentis keygen # Ed25519 signing key + register public half
|
|
139
168
|
verentis init my-app --kind application
|
|
140
169
|
verentis pack # signed .vpkg (--encrypt seals the payload)
|
|
@@ -154,15 +183,53 @@ verentis yank my-app 1.0.3
|
|
|
154
183
|
|
|
155
184
|
Published versions are `Submitted` for moderation; once approved the marketplace countersigns them and they become installable.
|
|
156
185
|
|
|
186
|
+
### Marketplace presentation
|
|
187
|
+
|
|
188
|
+
Applications, execution engines and bundles can add an optional top-level `marketplace` block:
|
|
189
|
+
|
|
190
|
+
```yaml
|
|
191
|
+
marketplace:
|
|
192
|
+
logo: ./marketplace/logo.png
|
|
193
|
+
hero:
|
|
194
|
+
source: ./marketplace/hero.webp
|
|
195
|
+
alt: Abstract blue background behind the package title
|
|
196
|
+
images:
|
|
197
|
+
- source: ./marketplace/editor.png
|
|
198
|
+
alt: Editor showing a completed workflow
|
|
199
|
+
caption: Optional visible caption
|
|
200
|
+
readme: ./README.md
|
|
201
|
+
changelog: ./CHANGELOG.md
|
|
202
|
+
assets:
|
|
203
|
+
- "marketplace/docs/**/*.{png,jpg,jpeg,webp,svg}"
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
Direct references are relative to the manifest directory and may not escape it. Hero and gallery `alt`
|
|
207
|
+
text is required for accessibility. Images must be PNG, JPEG, WebP or passive SVG content. Logos are
|
|
208
|
+
limited to 1 MiB; hero and gallery images are limited to 5 MiB each; galleries have at most 8 images.
|
|
209
|
+
The hero does not count toward that gallery limit, but it does count toward the 25 MiB total for all
|
|
210
|
+
unique presentation images. README and changelog Markdown files are each limited to 1 MiB.
|
|
211
|
+
`verentis validate` checks these paths, formats and limits before publishing.
|
|
212
|
+
|
|
157
213
|
## The `.vpkg` format
|
|
158
214
|
|
|
159
|
-
A gzip tarball: `manifest.yaml` + `files/**` payload +
|
|
215
|
+
A gzip tarball: `manifest.yaml` + `files/**` payload + optional plaintext `catalog/**` presentation
|
|
216
|
+
content + `.verentis/` metadata (package.yaml, sha256 digests, DSSE signatures). Manifest references
|
|
217
|
+
like `./schemas/x.json` resolve against `files/` — and against the children of the installed manifest
|
|
218
|
+
node after installation. See the platform docs (`marketplace/packaging`) for the full specification.
|
|
160
219
|
|
|
161
220
|
Packing behaviour:
|
|
162
221
|
- `packaging.files` globs select the payload; without them, applications automatically include every `./…` schema `source` referenced by the manifest.
|
|
163
|
-
-
|
|
222
|
+
- `pack --env production` merges `environments/production.yaml`; `--overlay <path>` selects an
|
|
223
|
+
explicit overlay, and `--version <version>` overrides the packed manifest version. `validate`
|
|
224
|
+
accepts the same overlay selectors.
|
|
225
|
+
- Marketplace files are selected independently of `packaging.files` and written to deterministic,
|
|
226
|
+
content-addressed `catalog/assets/**` and `catalog/docs/**` entries described by
|
|
227
|
+
`catalog/index.json` (schema version 1).
|
|
228
|
+
- Digests and signatures cover the manifest, every payload entry and every catalog entry; the registry rejects tampered packages.
|
|
164
229
|
- With a configured signing key the digests document is DSSE-signed (Ed25519). Publishers with registered keys **must** sign uploads.
|
|
165
|
-
- `pack --encrypt` seals
|
|
230
|
+
- `pack --encrypt` seals only `files/**` (AES-256-GCM, X25519 key wrapping per recipient — always
|
|
231
|
+
including the `platform` escrow recipient so Verentis.Node can serve member reads). `catalog/**`
|
|
232
|
+
remains plaintext so the marketplace can render the approved presentation.
|
|
166
233
|
|
|
167
234
|
## Output & scripting
|
|
168
235
|
|