openlatch-provider 0.2.2

Self-service onboarding CLI + runtime daemon for OpenLatch Editors and Providers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

# Quickstart — openlatch-provider

Get an Editor + Provider + Tool registered, a binding minted, and a
sample event proxied to your tool — start to finish in under 10 minutes.

## Prerequisites

- Node.js 18+ (or Rust 1.88+ if you prefer `cargo install`).
- A web browser (for PKCE login). For headless / CI flows see `auth.md`.

## Install

```bash
npx -y @openlatch/provider --version
# or:
cargo install --locked openlatch-provider
```

## Authenticate

```bash
openlatch-provider login
```

This opens your browser and stores the resulting editor token in your
OS keyring (Keychain on macOS, Credential Manager on Windows, Secret
Service on Linux). On headless Linux without a key store, the token
falls back to an AES-256-GCM-encrypted file at
`~/.openlatch/provider/auth.toml`. See `auth.md` for the full chain.

## Init

```bash
openlatch-provider init
```

The interactive wizard:

1. Asks for an editor slug + display name (validates against the
   platform with a slug pre-flight).
2. Lets you scaffold a tool from a template (`new tool --template
   {python,rust,node}`).
3. Writes `~/.openlatch/provider/<slug>.yaml` and points your active
   profile at it.

## Register

```bash
openlatch-provider register
```

Reads the manifest, validates against `schemas/manifest-*.schema.json`,
runs a whole-manifest pre-flight `:validate` against the platform, then
mutates the platform: editor profile -> tools -> providers -> bindings.
Use `--dry-run` to preview without mutating.

## Publish

```bash
openlatch-provider publish patch       # bump 0.1.0 -> 0.1.1
openlatch-provider publish --version=1.2.3
```

Pre-flight `:validate` runs before any tool upsert; `--skip-preflight`
is the documented escape hatch for the rare case it gates spuriously.

## Run the runtime

```bash
openlatch-provider listen --port 8443
```

The daemon binds, loads the manifest, fetches live bindings + secrets
from the platform, and starts accepting Standard Webhooks v1 traffic on
`/v1/event`. See `runtime-mode.md` for TLS termination, systemd, and
Docker patterns.

## Verify

```bash
openlatch-provider doctor
```

Runs ~10 health checks: auth, manifest validity, endpoint reachability,
TLS minimum version, agent-platform support. Use `--output sarif` for
GitHub Code Scanning ingestion.

## Next

- `tool-authoring/python.md` — write a Python detector tool.
- `webhook-security.md` — HMAC + replay + SSRF defense deep-dive.
- `manifest-reference.md` — every field of `openlatch.yaml`.