Skip to main content
Registry state is staged. Each stage adds evidence without skipping the review gates that make a package installable:
StageMeaning
BlueprintDraft app source.
Showcase previewDiscoverable metadata, preview only.
Review reportValidation evidence and remaining blockers.
Collection entryUser- or space-scoped listing.
Signed packageInstallable only when host policy allows it.
These stages are represented by SDK_DISTRIBUTION_LIFECYCLE_CATALOG. Collection entries can be projected with resolveSdkDistributionLifecycleStage() so SDK docs, CLI review output, Hub previews, and future Eve sandbox decisions use the same vocabulary. For a full registry preflight, run the pack and registry commands after package validation. The first three commands create the local submission and index; the remaining commands prepare future hosted API payloads while keeping the package non-installable.
npx @budscollab/cli app pack budscollab.package.json --owner-id example-dev --owner-name "Example Developer" --visibility unlisted
npx @budscollab/cli app registry budscollab-registry-submission.json --out budscollab-registry-index.json
npx @budscollab/cli app registry-validate budscollab-registry-index.json
npx @budscollab/cli app registry-acceptance budscollab-registry-submission.json --out budscollab-registry-acceptance-request.json
npx @budscollab/cli app registry-acceptance-validate budscollab-registry-acceptance-request.json
npx @budscollab/cli app registry-publisher-verification budscollab-registry-submission.json --out budscollab-registry-publisher-verification.json
npx @budscollab/cli app registry-publisher-verification-validate budscollab-registry-publisher-verification.json
npx @budscollab/cli app registry-review-evidence budscollab-registry-submission.json --out budscollab-registry-review-evidence.json
npx @budscollab/cli app registry-review-evidence-validate budscollab-registry-review-evidence.json
npx @budscollab/cli app registry-signing-request budscollab-registry-acceptance-request.json --out budscollab-registry-signing-request.json
npx @budscollab/cli app registry-signing-request-validate budscollab-registry-signing-request.json
npx @budscollab/cli app registry-install-policy budscollab-registry-signing-request.json --out budscollab-registry-install-policy.json
npx @budscollab/cli app registry-install-policy-validate budscollab-registry-install-policy.json
The commands produce a handoff bundle:
ArtifactWhat it proves locally
budscollab-registry-submission.jsonOwner, visibility, package artifact, review report, blockers, next gate, and unsigned artifact digests.
budscollab-registry-index.jsonDeterministic local index for one or more submissions.
budscollab-registry-acceptance-request.jsonFuture hosted API request shape with required server gates.
budscollab-registry-publisher-verification.jsonDeclared publisher identity, still unverified.
budscollab-registry-review-evidence.jsonPrepared review evidence, still unstored.
budscollab-registry-signing-request.jsonUnsigned package digests for a future host-controlled signer.
budscollab-registry-install-policy.jsonInstall-policy preflight, still not-applied and non-installable.

Hosted API contract

The public SDK slice also includes hosted-registry-api-contract.json. It defines fail-closed /api/sdk/registry endpoints for:
EndpointArtifact
POST /acceptance-requestsbudscollab-registry-acceptance-request.json
POST /indexes/validatebudscollab-registry-index.json
POST /publisher-verificationbudscollab-registry-publisher-verification.json
POST /review-evidencebudscollab-registry-review-evidence.json
POST /signing-requestsbudscollab-registry-signing-request.json
POST /install-policybudscollab-registry-install-policy.json
The web app route stubs parse validated SDK artifacts, recompute SHA-256 package artifact hashes, reject digest mismatches, and return accepted: false, signed: false where applicable, installable: false, and the missing server gates. hosted-registry-readiness-contract.json is the readiness ledger for those server gates:
GateLocal status
Artifact hashEvidenced by artifactDigests and fail-closed route hash recomputation.
Publisher verificationDeclared, still unverified.
Review storagePrepared, still unstored.
Artifact signingPrepared, still unsigned.
Host install policyPlanned, still not applied.
The contract mirrors the fail-closed gateStatuses returned by the route stubs. The executable readiness verifier is scripts/verify-registry-readiness.mjs. Run pnpm verify:registry:local before deployment to check the contract and gate posture, then run pnpm verify:registry:hosted https://app.budscollab.com --artifact-dir ./generated-app after hosted routes exist to POST generated registry artifacts through each fail-closed endpoint. Until publisher identity, review storage, artifact hash, artifact signing, and renderer isolation are complete, external packages should be described as validated artifacts and showcase previews, not installable marketplace apps.