Publish flow

Publishing adds a versioned row to the public catalog. Browsing and install metadata are anonymous; writes require Auth0.

Steps

1. Add your module under glixo-community-modules/catalog/ with a valid manifest and artifact zip.
2. Validate: POST /v1/extensions/validate (no auth).
3. Sign in on glixo.dev (Auth0 PKCE).
4. Publish from the dashboard or POST /v1/extensions/publish with Authorization: Bearer <token>.
5. Run catalog:pack / deploy pipeline so extend.glixo.io serves the new bundle.

Versioning rules

• Each id@version is immutable on stable/beta channels.
• Use dev or canary channels for iterative testing.
• Bump version and artifact hash for every release.

Source repository (Agxos apps)

Public marketplace listings for Agxos apps require a public git URL in the manifest so anyone can inspect and fork the code.

"sourceRepository": {
  "url": "https://github.com/you/my-agxos-app",
  "directory": "."
}

• Public — clone and browse without login (no private repos, no gist-only drops).
• HTTPS — standard host URLs; SSH-only repos are not accepted for listing.
• Matches the artifact — the tagged commit or default branch should contain the published version and artifact inputs.
• License — include SPDX license in the manifest; source must match what you ship.

Why: marketplace apps are installable binaries. A public repo is the trust and fork surface — users verify what runs, contributors open PRs, and App Creator can fork from your repo instead of an opaque zip.

Enforcement: policy is active for new Agxos listings; API validation will reject publishes without sourceRepository in a follow-up release. Local-only catalog sources and private workspace apps do not need this field.

Community monorepo modules can point at the subdirectory in the shared repo:

"sourceRepository": {
  "url": "https://gitlab.com/tmedanovic/glixo-community-modules",
  "directory": "catalog/agxos/apps/incident-notes"
}

Field reference: Manifests → sourceRepository. Iterating on a fork: Extend an existing app.

Dashboard publish

glixo.dev → Publish walks through sign-in and authenticated upload after validation succeeds in the Validator tab.

API validate example

curl -X POST https://api.glixo.dev/v1/extensions/validate \
  -H "content-type: application/json" \
  --data-binary @glixo.module.json