Skip to content

catalogue: io.pilot.duckdb v1.5.4#394

Closed
Alexgodoroja wants to merge 1 commit into
mainfrom
catalogue/io.pilot.duckdb-1.5.4
Closed

catalogue: io.pilot.duckdb v1.5.4#394
Alexgodoroja wants to merge 1 commit into
mainfrom
catalogue/io.pilot.duckdb-1.5.4

Conversation

@Alexgodoroja

Copy link
Copy Markdown
Collaborator

Automated catalogue update for io.pilot.duckdb v1.5.4 (rich submission, bundles already on R2). Primary: https://pub-f09f9a4ea848491198d48e329ba030e3.r2.dev/bundles/io.pilot.duckdb/1.5.4/io.pilot.duckdb-1.5.4-linux-amd64.tar.gz (sha256 faf00a9211ede5cbe50884e522a472aab76ec7812cf8c6c3c39589f4f7f65a4c). Platforms: . Publisher: ed25519:goaIo9+EvuMcRZnkum08HY83QScUWLRtqe0KG/uGljs=. catalogue.json re-signed with CATALOG_SIGN_KEY. CI verifies; human approves per APP-PUBLISHING-SPEC §7.2.

@Alexgodoroja
Alexgodoroja requested a review from TeoSlayer as a code owner July 15, 2026 20:28
Alexgodoroja pushed a commit that referenced this pull request Jul 16, 2026
…bstone (signed once)

Fold the six sibling catalogue PRs into this one so the catalogue is signed and
deployed once instead of seven times:

- Product demos for the 4 apps that still lacked one — cosift, primitive,
  wallet, slipstream — authored against each app's real method set (validated by
  internal/demo). All 23 installable apps now carry a product_demo.
- Consistency fixes: wallet's metadata had NO methods array (now its 16 methods);
  slipstream had NO metadata page at all (created one). Every installable entry
  is now schema_version 1 with methods + a demo whose skill == the app id.
- Demos for agentphone / bowmark / didit / docker / duckdb (PRs #390#394) are
  already present here — byte-identical — with main's richer entry metadata kept
  (the sibling PRs carried unenriched entries that would have regressed it).
- Smol rename collapse (from #360): io.pilot.smolmachines replaced with a
  tombstone (renamed_to io.pilot.smol, hidden), its detail page removed, and the
  "Renaming an app" convention documented in catalogue/README.md.
- Every metadata_sha256 recomputed; catalogue.json re-signed once. Verified: all
  23 metadata_url entries' shas match, the tombstone is well-formed, and the
  signature validates against the catalogue trust anchor.
@Alexgodoroja

Copy link
Copy Markdown
Collaborator Author

Consolidated into #398 (single signed catalogue). Verified: this PR's io.pilot.duckdb product demo is present in #398 byte-for-byte, on top of main's current enriched catalogue entry (proper categories/license/source_url/display_name) — which this PR's older, unenriched entry would have regressed. Closing so the catalogue is signed and deployed once instead of seven times.

Alexgodoroja added a commit that referenced this pull request Jul 16, 2026
* catalogue: backfill product demos into all 19 apps' metadata (signed)

Inject the example-driven `product_demo` (authored in the app-template
submissions, app-template#88) into each app's store-page metadata.json, so that
`pilotctl appstore install` (pilotprotocol#395) prints the usage banner and the
website renders the "Full usage demo". This is the DATA half of the feature —
#395 is the renderer and is inert until this lands.

- 18 apps: product_demo appended to the existing catalogue/apps/<id>/metadata.json
  (byte-preserving append; only the new key is added).
- io.telepat.ideon-free had no rich metadata page (no metadata_url); created one
  from its submission via BuildMetadata, and added metadata_url + metadata_sha256
  to its catalogue entry.
- io.pilot.sixtyfour's demo is injected here at the metadata layer (its
  third-party-owned app-template submission is under the update gate and could
  not carry the demo).
- catalogue.json: every touched app's metadata_sha256 recomputed; catalogue.json
  re-signed (catalogue.json.sig) with the catalogue key. Verified: every
  metadata_url entry's sha matches its file and the signature validates.

Additive + non-breaking: product_demo is an optional metadata field; clients
that don't render it ignore it. Merging deploys instantly (metadata_url is raw
main).

* catalogue: consolidate — demos for all 23 installable apps + smol tombstone (signed once)

Fold the six sibling catalogue PRs into this one so the catalogue is signed and
deployed once instead of seven times:

- Product demos for the 4 apps that still lacked one — cosift, primitive,
  wallet, slipstream — authored against each app's real method set (validated by
  internal/demo). All 23 installable apps now carry a product_demo.
- Consistency fixes: wallet's metadata had NO methods array (now its 16 methods);
  slipstream had NO metadata page at all (created one). Every installable entry
  is now schema_version 1 with methods + a demo whose skill == the app id.
- Demos for agentphone / bowmark / didit / docker / duckdb (PRs #390#394) are
  already present here — byte-identical — with main's richer entry metadata kept
  (the sibling PRs carried unenriched entries that would have regressed it).
- Smol rename collapse (from #360): io.pilot.smolmachines replaced with a
  tombstone (renamed_to io.pilot.smol, hidden), its detail page removed, and the
  "Renaming an app" convention documented in catalogue/README.md.
- Every metadata_sha256 recomputed; catalogue.json re-signed once. Verified: all
  23 metadata_url entries' shas match, the tombstone is well-formed, and the
  signature validates against the catalogue trust anchor.

* catalogue: fold aegis rev2 bundle (argv fix) from #396/#389 into the consolidated catalogue

aegis 0.1.3's live bundle has the cli.args argv bug that killed 6 of 7 methods.
Adopt the rev2 rebuild: bundle_url -> .../0.1.3/rev2/..., new bundle_sha256/size
and per-platform bundles map, metadata size updated, aegis metadata_sha256
recomputed, catalogue re-signed. Verified all 3 rev2 platform bundles resolve
(HTTP 200) and their sha256 match. The aegis product_demo (already present) is
byte-identical to #389/#396. Consolidates the aegis catalogue content of #389
(demo + go-live) and #396 (rev2 fix).

* catalogue: fix ground-truth mistakes in cosift/wallet/slipstream metadata

Reviewed the 4 hand-authored demos against each app's real API. Fixes:
- cosift: params were wrong — search/answer/research take "q" (not "query")
  and contents takes "url"/"urls" (not "id"). Verified against the
  cosift-app adapter (cmd/cosift-app/main.go methodTable) + cosift docs/API.md.
- wallet: it exposes NO wallet.help method — removed the phantom method from the
  metadata list (15 real methods) and from the demo's next. wallet.balance takes
  {"asset":"USDC"}. Method summaries corrected against pkg/walletipc source.
- slipstream: replaced hand-written method summaries with the authoritative ones
  from the live slipstream.help (installed + queried the app); demo args ({})
  confirmed valid (all list params optional).
- primitive: verified clean (all 5 demo methods exist, take no required params).
Recomputed the 3 metadata_sha256 and re-signed the catalogue.

* catalogue: add next_steps dependency graphs to all 19 apps (re-signed)

Folds the dynamic-context dependency graphs into this consolidated catalogue PR
so the whole rollout is one signature, not a second re-sign after a separate
merge. Each app's next_steps is copied verbatim from its app-template
submission (the same object BuildMetadata would emit) into
catalogue/apps/<id>/metadata.json, its metadata_sha256 re-pinned, and
catalogue.json re-signed.

18 apps gain next_steps here; io.telepat.ideon-free already carried a matching
graph. Purely additive to each metadata.json (+next_steps, nothing else
touched); aegis's rev2 argv-fix bundle pin is unchanged.

Verified: every metadata_sha256 pin matches its file bytes, every graph equals
its submission source, and the re-signed catalogue.json.sig verifies against the
embedded catalogue public key (and rejects tampering).

* catalogue: add next_steps graphs to the 5 first-party apps (re-signed)

Completes dynamic-context coverage: cosift, wallet, sixtyfour and slipstream
gain a next_steps graph here (authored from each app's own source + live testing
where free — cosift's flow was exercised end-to-end; sixtyfour used help only,
no metered calls; wallet/slipstream from their repos/metadata). Every step is a
full `pilotctl appstore call ...` command.

io.pilot.smolmachines is intentionally NOT covered: it is a hidden, non-installable
tombstone (renamed_to io.pilot.smol) with no metadata.json, so there is nothing to
attach a graph to and nothing can call it. That leaves 23/24 catalogue entries
with a graph — every real, installable app.

Each metadata.json gains only next_steps; metadata_sha256 re-pinned and
catalogue.json re-signed. Verified: all pins match, signature valid.

* catalogue: fix io.pilot.postgres links (object -> array) so `appstore view` parses

Pre-existing data bug, surfaced while verifying that the added product_demo/next_steps
fields don't break parsers: postgres's `links` was a JSON object
{"documentation":...,"psql_reference":...} but appMetadata.Links is []{label,url}
(the shape every other app uses). `pilotctl appstore view io.pilot.postgres` failed
to unmarshal the detail metadata on BOTH the released client and this one — unrelated
to next_steps. Converted to the array form; re-pinned + re-signed.

Authoritative typed-parse over all 23 metadata files now passes; product_demo and
next_steps parse cleanly everywhere (Go ignores unknown fields — no client strictness).

---------

Co-authored-by: Alexgodoroja <alex@vulturelabs.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant