Manifest & permissions
The extension manifest reference: identity, permissions and trust, and packaging for the marketplace.
Every extension ships a manifest.jsonthat declares its identity, the permissions it needs, when it activates, and what it contributes. The desktop app reads it before any of your code runs — so users see exactly what an extension can do before they install it.
The manifest
Point $schema at the published manifest schema for editor autocomplete and validation. A complete example:
{
"$schema": "https://www.multilo.com/schemas/extension-manifest.schema.json",
"manifestVersion": 1,
"extensionId": "acme.todo",
"publisher": "acme",
"name": "todo",
"displayName": "TODO finder",
"description": "Flags unresolved TODOs.",
"version": "0.1.0",
"runtime": "web_worker",
"permissions": ["workspace.readText", "diagnostics.provide", "commands.register"],
"activationEvents": ["onLanguage:markdown", "onCommand:acme.hello"],
"engines": { "multilo": "^2.0.0" },
"package": { "entryPoint": "dist/extension.js", "packageSizeKb": 0 },
"capabilities": [
{ "kind": "diagnostics", "title": "TODO finder",
"languages": ["markdown"], "filePatterns": ["*.md"], "diagnosticKinds": [] }
],
"contributes": {
"commands": [{ "command": "acme.hello", "title": "Acme: Hello" }]
}
}See building an extension for how activationEvents and contributes map to the code you write.
Permissions & trust
Capabilities are gated by the permissions an extension declares, plus a verified-trust check. Scoped permissions like workspace.readText or diagnostics.providegrant a single capability each, so an extension can extend the app without quietly reaching into your files or your account. Heavier permissions — such as a node runtime, process.spawn, or network.*— require a higher trust tier and are surfaced prominently at install time.
Ask for the least you need
Request only the permissions your capability actually uses. Fewer permissions means a faster review, more installs, and a higher trust tier.Packaging
Build your entry point
Bundle your module to thepackage.entryPointyou declared (e.g.dist/extension.js).Record the package details
Setpackage.packageUrl,packageSha256, andpackageSizeKbso the app can fetch and verify the exact bytes it runs.Submit for review
Publish from the publisher dashboard. Once reviewed and signed, your extension appears in the marketplace.
Build against the SDK
The@multilo/extension-api package gives you the types and helpers for the whole manifest and API, so your editor catches mistakes before you publish.