# `openlatch.yaml` reference
Every field of the per-editor manifest stored under
`~/.openlatch/provider/<slug>.yaml`. Authoritative shape:
`schemas/manifest-*.schema.json` (these are typify'd at build time and
runtime-validated via `jsonschema` before any platform call).
## Top-level
```yaml
schema_version: 1 # required, currently always 1
editor: # required: editor profile
  ...
tools: [...] # 0+ tools owned by this editor
providers: [...] # 0+ providers
bindings: [...] # 0+ tool->provider bindings
```
The CLI reads/writes this file with comment preservation (via
`serde_yaml` round-trips). Manual edits are safe; the wizard never
clobbers user comments.
## `editor`
```yaml
editor:
  slug: my-editor # url-safe, <=63 chars, lowercase + hyphens
  display_name: "My Editor"
  description: "Optional ~280 char tagline"
  homepage_url: https://example.com
  docs_url: https://docs.example.com
```
`slug` is checked against the platform via the slug pre-flight at
`init` time and again at `register` time.
## `tools[]`
```yaml
tools:
  - slug: pii-fast # unique within this editor
    version: 1.0.0 # SemVer
    license: apache-2.0 # SPDX expression
    description: "PII detector for credit cards + SSN"
    hooks_supported: [pre_tool_use, before_shell_execution]
    agents_supported: [claude-code, cursor]
    capabilities:
      - threat_category: pii_outbound
        execution_mode: sync # sync | async
        declared_latency_p95_ms: 80
        needs_raw_payload: false # bypass redaction; rare
```
`hooks_supported`, `agents_supported`, and `threat_category` are open
enums maintained in `schemas/enums.schema.json` (vendored from
`@openlatch/client-schemas`). Adding a value happens upstream first.
## `providers[]`
```yaml
providers:
  - slug: example-prv-us
    display_name: "Example US"
    region: us-east-1
    total_capacity_qps: 500
    endpoint_url: https://provider-us.example.io/v1/event
```
`endpoint_url` is the public HTTPS URL the platform delivers webhooks
to (probe-validated at `register` time — public IP only, HTTPS only,
TLS 1.2+, no redirects). One ingress per provider; every binding
declared under this provider shares it. The runtime daemon dispatches
to the right tool by `X-OpenLatch-Binding-Id` after the request lands.
`region` is informational on the provider doc; the routing engine reads
the binding's `region` field.
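A local pre-check for `endpoint_url` covering the two probe rules that can be tested without connecting (HTTPS only, public IP only). This is an added example, not OpenLatch code: `check_endpoint_url`, the injectable resolver and the sample DNS table are assumptions, and "public" is taken to mean Python's `ipaddress` `is_global`.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (not real records).
SAMPLE_DNS = {
    "provider-us.example.io": ["8.8.8.8"],
    "mixed.example.io": ["8.8.8.8", "10.0.0.5"],  # one internal answer
}

def sample_resolver(host, port):
    return SAMPLE_DNS[host]

def dns_resolver(host, port):
    """Live lookup: every address the host resolves to (needs network)."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_endpoint_url(url, resolver=dns_resolver):
    """Return a list of problems; an empty list means both checks pass."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return [f"scheme is {parts.scheme!r}, expected https"]
    host = parts.hostname
    if not host:
        return ["URL has no host"]
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        try:
            addrs = resolver(host, parts.port or 443)
        except (OSError, KeyError) as exc:
            return [f"cannot resolve {host}: {exc}"]
    problems = []
    for addr in addrs:  # every answer must be public, not just the first
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:10.0.0.5 style
            ip = ip.ipv4_mapped
        if not ip.is_global:  # private, loopback, link-local, reserved
            problems.append(f"{host} resolves to non-public address {addr}")
    return problems

if __name__ == "__main__":
    for url in ("https://provider-us.example.io/v1/event",
                "http://provider-us.example.io/v1/event",
                "https://mixed.example.io/v1/event",
                "https://127.0.0.1:8000/event"):
        print(url, "->", check_endpoint_url(url, sample_resolver) or "ok")
```

A URL that passes here can still fail the platform probe on TLS version or a redirect, and DNS answers can change between this check and `register`.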
## `bindings[]`
```yaml
bindings:
  - tool: pii-fast
    provider: example-prv-us
    local_endpoint: http://localhost:8000/event # optional override
    declared_latency_p95_ms: 80
    capacity_qps: 500
    priority: 100
    pricing:
      per_1k_calls_usd: 0.5
    compliance:
      certifications: [SOC2]
    data_handling:
      retention_secs: 0
      log_payloads: false
```
`local_endpoint` overrides the address the runtime daemon proxies to
inside the vendor's compute (e.g. a sidecar on `localhost:8000`). The
public ingress URL lives on the provider, not the binding.
## File location + override
By default the active profile points at one manifest:
```toml
# ~/.openlatch/provider/config.toml
[profiles.default]
manifest_slug = "my-editor"
```
The CLI resolves to `~/.openlatch/provider/my-editor.yaml`. Override
per-invocation with `--manifest <path>`.
## Validation
The CLI runs three layers of validation:
1. Build-time: typify generates Rust types from the schemas — wire-shape mismatches don't compile.
2. Local: `jsonschema` validation against `schemas/manifest-*.schema.json` with field-path diagnostics ("did you mean..." for typos).
3. Pre-flight: a whole-manifest `:validate` POST to the platform before any mutation. Catches slug collisions and rate-limit hits.

Manifest validation errors surface with `OL-4210` (schema mismatch),
`OL-4211` (unknown threat_category), `OL-4280..4283` (slug collisions),
or `OL-4284` (composite pre-flight failure).