@verentis/cli 0.2.4 → 0.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -131,10 +131,39 @@ verentis validate engine.yaml # manifest checks before
131
131
 
132
132
  `dev run` writes `.verentis/context.json` (mode 600 — contains a short-lived token; git-ignore `.verentis/`).
133
133
 
134
+ ### Standalone application launch
135
+
136
+ Applications that can open without a selected file opt in through their manifest:
137
+
138
+ ```yaml
139
+ spec:
140
+ entry: https://app.example.com
141
+ launch:
142
+ enabled: true
143
+ entry-point: home
144
+ pinnable: true
145
+ entry-points:
146
+ - id: home
147
+ route: /workspace
148
+ ```
149
+
150
+ `verentis init <name> --kind application` includes a commented launch template.
151
+ `verentis validate` verifies that `launch` is an object, `pinnable` is used only
152
+ with `enabled`, the selected entry-point id exists, and the launch resolves to
153
+ an absolute HTTP(S) iframe URL. Omit `spec.launch` for contextual file handlers
154
+ and headless apps.
155
+
156
+ At runtime this is still an iframe launch: the SDK receives
157
+ `context.surface === 'workspace'`, a resolved entry point, and no file context.
158
+
134
159
  ## Marketplace publishing
135
160
 
136
161
  ```bash
137
162
  verentis publisher create --name acme --display-name "Acme Inc."
163
+ verentis publisher create --name acme --display-name "Acme Inc." --logo ./brand/logo.png
164
+ verentis publisher update --description "Tools for data teams" --website https://acme.example
165
+ verentis publisher logo set ./brand/logo.svg
166
+ verentis publisher logo remove
138
167
  verentis keygen # Ed25519 signing key + register public half
139
168
  verentis init my-app --kind application
140
169
  verentis pack # signed .vpkg (--encrypt seals the payload)
@@ -154,15 +183,53 @@ verentis yank my-app 1.0.3
154
183
 
155
184
  Published versions are `Submitted` for moderation; once approved the marketplace countersigns them and they become installable.
156
185
 
186
+ ### Marketplace presentation
187
+
188
+ Applications, execution engines and bundles can add an optional top-level `marketplace` block:
189
+
190
+ ```yaml
191
+ marketplace:
192
+ logo: ./marketplace/logo.png
193
+ hero:
194
+ source: ./marketplace/hero.webp
195
+ alt: Abstract blue background behind the package title
196
+ images:
197
+ - source: ./marketplace/editor.png
198
+ alt: Editor showing a completed workflow
199
+ caption: Optional visible caption
200
+ readme: ./README.md
201
+ changelog: ./CHANGELOG.md
202
+ assets:
203
+ - "marketplace/docs/**/*.{png,jpg,jpeg,webp,svg}"
204
+ ```
205
+
206
+ Direct references are relative to the manifest directory and may not escape it. Hero and gallery `alt`
207
+ text is required for accessibility. Images must be PNG, JPEG, WebP or passive SVG content. Logos are
208
+ limited to 1 MiB; hero and gallery images are limited to 5 MiB each; galleries have at most 8 images.
209
+ The hero does not count toward that gallery limit, but it does count toward the 25 MiB total for all
210
+ unique presentation images. README and changelog Markdown files are each limited to 1 MiB.
211
+ `verentis validate` checks these paths, formats and limits before publishing.
212
+
157
213
  ## The `.vpkg` format
158
214
 
159
- A gzip tarball: `manifest.yaml` + `files/**` payload + `.verentis/` metadata (package.yaml, sha256 digests, DSSE signatures). Manifest references like `./schemas/x.json` resolve against `files/` — and against the children of the installed manifest node after installation. See the platform docs (`marketplace/packaging`) for the full specification.
215
+ A gzip tarball: `manifest.yaml` + `files/**` payload + optional plaintext `catalog/**` presentation
216
+ content + `.verentis/` metadata (package.yaml, sha256 digests, DSSE signatures). Manifest references
217
+ like `./schemas/x.json` resolve against `files/` — and against the children of the installed manifest
218
+ node after installation. See the platform docs (`marketplace/packaging`) for the full specification.
160
219
 
161
220
  Packing behaviour:
162
221
  - `packaging.files` globs select the payload; without them, applications automatically include every `./…` schema `source` referenced by the manifest.
163
- - Digests cover every payload entry; the registry rejects tampered packages.
222
+ - `pack --env production` merges `environments/production.yaml`; `--overlay <path>` selects an
223
+ explicit overlay, and `--version <version>` overrides the packed manifest version. `validate`
224
+ accepts the same overlay selectors.
225
+ - Marketplace files are selected independently of `packaging.files` and written to deterministic,
226
+ content-addressed `catalog/assets/**` and `catalog/docs/**` entries described by
227
+ `catalog/index.json` (schema version 1).
228
+ - Digests and signatures cover the manifest, every payload entry and every catalog entry; the registry rejects tampered packages.
164
229
  - With a configured signing key the digests document is DSSE-signed (Ed25519). Publishers with registered keys **must** sign uploads.
165
- - `pack --encrypt` seals the payload (AES-256-GCM, X25519 key wrapping per recipient — always including the `platform` escrow recipient so Verentis.Node can serve member reads).
230
+ - `pack --encrypt` seals only `files/**` (AES-256-GCM, X25519 key wrapping per recipient — always
231
+ including the `platform` escrow recipient so Verentis.Node can serve member reads). `catalog/**`
232
+ remains plaintext so the marketplace can render the approved presentation.
166
233
 
167
234
  ## Output & scripting
168
235