Skip to content
Multilo Docs
Changelogmultilo.com
Download

Manifest & permissions

The extension manifest reference: identity, permissions and trust, and packaging for the marketplace.

Every extension ships a manifest.jsonthat declares its identity, the permissions it needs, when it activates, and what it contributes. The desktop app reads it before any of your code runs — so users see exactly what an extension can do before they install it.

The manifest

Point $schema at the published manifest schema for editor autocomplete and validation. A complete example:

manifest.json
{
  "$schema": "https://www.multilo.com/schemas/extension-manifest.schema.json",
  "manifestVersion": 1,
  "extensionId": "acme.todo",
  "publisher": "acme",
  "name": "todo",
  "displayName": "TODO finder",
  "description": "Flags unresolved TODOs.",
  "version": "0.1.0",
  "runtime": "web_worker",
  "permissions": ["workspace.readText", "diagnostics.provide", "commands.register"],
  "activationEvents": ["onLanguage:markdown", "onCommand:acme.hello"],
  "engines": { "multilo": "^2.0.0" },
  "package": { "entryPoint": "dist/extension.js", "packageSizeKb": 0 },
  "capabilities": [
    { "kind": "diagnostics", "title": "TODO finder",
      "languages": ["markdown"], "filePatterns": ["*.md"], "diagnosticKinds": [] }
  ],
  "contributes": {
    "commands": [{ "command": "acme.hello", "title": "Acme: Hello" }]
  }
}

See building an extension for how activationEvents and contributes map to the code you write.

Permissions & trust

Capabilities are gated by the permissions an extension declares, plus a verified-trust check. Scoped permissions like workspace.readText or diagnostics.providegrant a single capability each, so an extension can extend the app without quietly reaching into your files or your account. Heavier permissions — such as a node runtime, process.spawn, or network.*— require a higher trust tier and are surfaced prominently at install time.

Ask for the least you need

Request only the permissions your capability actually uses. Fewer permissions means a faster review, more installs, and a higher trust tier.

Packaging

  1. Build your entry point

    Bundle your module to the package.entryPoint you declared (e.g. dist/extension.js).

  2. Record the package details

    Set package.packageUrl, packageSha256, and packageSizeKb so the app can fetch and verify the exact bytes it runs.

  3. Submit for review

    Publish from the publisher dashboard. Once reviewed and signed, your extension appears in the marketplace.

Build against the SDK

The @multilo/extension-api package gives you the types and helpers for the whole manifest and API, so your editor catches mistakes before you publish.