openlatch-provider

Self-service onboarding CLI + runtime daemon for OpenLatch Editors and Providers.

openlatch-provider is the third project in the OpenLatch family, sibling to openlatch-client (agent-side forwarder) and openlatch-platform (cloud control plane). It is two things in one binary:

Install

# npm (recommended)
npx @openlatch/provider --version

# crates.io
cargo install openlatch-provider

# GitHub Releases (signed binaries + shell installer)
curl -fsSL https://openlatch.ai/install.sh | sh

Cross-platform: macOS (arm64 + x64), Linux (x64 + arm64), Windows (x64).

Quickstart

# 1. Authenticate (browser-based PKCE) — required, init validates slugs against the platform
openlatch-provider login

# 2. Scaffold a new editor + first tool. Each slug you pick is checked
#    against api.openlatch.ai before the manifest is written; collisions
#    re-prompt in TTY or surface as OL-4280..OL-4283 in CI mode.
openlatch-provider init

# 3. Edit openlatch.yaml to declare your tool(s) and provider(s)
$EDITOR openlatch.yaml

# 4. Validate before publishing. `--dry-run` (for both `publish` and
#    `register`) validates the manifest fully offline — no login / editor
#    token and no platform call — so it doubles as a tokenless CI manifest
#    check, e.g. `openlatch-provider register --provider openlatch.yaml \
#    --dry-run --skip-preflight`.
openlatch-provider publish --dry-run

# 5. Publish
openlatch-provider publish

# 6. Run the production daemon — it spawns each tool process listed in the
#    manifest's `process:` blocks, waits for /healthz, restarts on crash,
#    and reaps the child tree on Ctrl+C. For multi-tool deployments
#    (e.g. `openlatch-sectools`), pass `--provider <path>` to the v2
#    `kind: Provider` manifest; tool manifests are auto-discovered from
#    its `tool_paths:` globs.
openlatch-provider listen --port 8443
# or for v2 multi-tool:
# openlatch-provider listen --provider ./openlatch-provider.yaml

# 7. Inspect or control the supervised tools (in another terminal —
#    daemon must have been started with `--admin-port <PORT>`).
openlatch-provider tools status --admin-port 8444
openlatch-provider tools logs <slug> --follow
openlatch-provider tools restart <slug>
openlatch-provider tools probe <slug>

# 8. Watch verified events flow through the daemon. Reads
#    ~/.openlatch/provider/logs/runtime-YYYY-MM-DD.jsonl directly, so it
#    works whether the daemon is up or not.
openlatch-provider events tail --follow

The daemon emits one info! line per processed event to stderr (colored verdict in TTYs, JSON otherwise). Raise verbosity with --verbose / --debug or by exporting RUST_LOG=… (standard tracing-subscriber filter syntax).

Examples

• tools/coinflip-tool/ — a dummy detection tool (FastAPI + openlatch-tool-sdk) that randomly returns allow/deny verdicts. Use it to validate the full agent → client → platform → provider → tool pipeline locally; it is also exercised deterministically by the openlatch-provider-e2e coinflip E2E command.

Status

v0.1.0 — first GA release. Auto-update is enabled by default for npm-installed binaries (kill switch: OPENLATCH_NO_AUTO_UPDATE=1). See CHANGELOG.md for releases and docs/ for the full reference.

Documentation

• Quickstart — install -> register -> publish in <10 min.
• openlatch.yaml reference
• Auth flows
• Runtime mode — listen daemon, /v1/health, deploy patterns.
• Webhook security — HMAC + replay + SSRF defense.
• Tool authoring guides — Python (FastAPI), Node (Express/Hono), Rust (axum).
• Deploy — Docker, systemd, Caddy reverse-proxy.
• CLI reference — every subcommand and flag (auto-generated).
• Error code catalogue — OL-42xx codes with remediation steps.

The Rust binary, openlatch-tool-sdk (PyPI), and @openlatch/tool-sdk (npm) version in lock-step — one conventional-commit PR triggers a single release-please Release PR that bumps all three packages to the same X.Y.Z.

License

Apache-2.0 — see LICENSE.

Security

See SECURITY.md.