Replaces ForgeBox with a git-based, curated registry in `wheels-dev/wheels-packages`. The registry hosts the package tarballs itself and pins each one by sha256 in the manifest, so a force-push or tag rewrite in the author's repo cannot change what users install; it tracks the full version history; and CLI updates are explicit only, so a malicious upstream version bump is not pulled in until a user asks for it.
Phases (each should probably split into its own PR)
Phase 1 — registry repo bootstrap
- Create `wheels-dev/wheels-packages`
- Seed with first-party manifests: sentry, hotwire, basecoat, legacyadapter, wheels-seo-suite, wheels-i18n
- `schema/manifest.schema.json` with JSON Schema validation
- `CONTRIBUTING.md` + `README.md`
- `.github/workflows/validate.yml` — schema check, name uniqueness, author repo/tag resolves, file-type allowlist, size cap
Phase 2 — tarball mirror CI
- `mirror-tarball.yml` — clone author repo at tag → deterministic tar → upload as GH release asset on `wheels-packages` → compute sha256 → bot-commit URL + hash back into manifest
- Release tag convention: `-`
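The Phase 1 validation checks (name uniqueness, file-type allowlist, size cap, registry-hosted tarball URLs only) and the Phase 2 mirror step (deterministic tar, sha256, hash written back into the manifest), as one added worked example. This is not `wheels-packages`' own workflow code; Python stands in for whatever the CI actually runs. The manifest layout (`name` plus a `versions` map of `tarball`/`sha256`), the extension allowlist, the size cap and the `name-version` tag/asset naming are all assumptions made for the example, not the issue's spec.

```python
"""Added example: registry-side mirror step and manifest checks (not wheels-packages' own code).

Assumed manifest shape: {"name": str, "versions": {ver: {"tarball": url, "sha256": hex}}}.
Release tag and asset name are built as "<name>-<version>" here; that is an assumption,
the issue's exact tag convention is not reproduced.
"""
import gzip
import hashlib
import io
import posixpath
import tarfile

REGISTRY_REPO = "wheels-dev/wheels-packages"                       # from the issue
RELEASE_BASE = f"https://github.com/{REGISTRY_REPO}/releases/download/"
ALLOWED_EXT = {".cfc", ".cfm", ".json", ".md", ".txt"}             # assumed file-type allowlist
SIZE_CAP = 5 * 1024 * 1024                                         # assumed cap on summed file bytes


def build_deterministic_tarball(files):
    """files: {posix path: bytes}. Same input -> byte-identical .tgz, so anyone re-running the
    mirror against the same tag reproduces the pinned sha256."""
    total = 0
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(files):                                  # fixed member order
            ext = posixpath.splitext(path)[1].lower()
            if ext not in ALLOWED_EXT:
                raise ValueError(f"disallowed file type: {path}")
            data = files[path]
            total += len(data)
            if total > SIZE_CAP:
                raise ValueError("package exceeds size cap")
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mode = 0o644
            info.mtime = 0                                          # no build-time timestamps
            info.uid = info.gid = 0
            info.uname = info.gname = ""                            # no CI runner identity leaks in
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:     # mtime=0: no timestamp in gzip header
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def record_release(manifest, version, tarball):
    """What the bot commit writes back: the registry-hosted URL and the hash of the exact bytes uploaded."""
    tag = f"{manifest['name']}-{version}"                          # assumed tag/asset naming
    manifest.setdefault("versions", {})[version] = {
        "tarball": f"{RELEASE_BASE}{tag}/{tag}.tgz",
        "sha256": sha256_hex(tarball),
    }
    return manifest


def validate_manifests(manifests):
    """Registry PR checks: unique names, tarballs only on the registry's own Releases, well-formed pins."""
    errors = []
    seen = set()
    for m in manifests:
        name = m.get("name")
        if not name:
            errors.append("manifest without name")
            continue
        if name in seen:
            errors.append(f"duplicate package name: {name}")
        seen.add(name)
        for ver, entry in m.get("versions", {}).items():
            url = entry.get("tarball", "")
            if not url.startswith(RELEASE_BASE):                    # no author-hosted tarballs
                errors.append(f"{name}@{ver}: author-hosted tarball URL rejected: {url}")
            if len(entry.get("sha256", "")) != 64:
                errors.append(f"{name}@{ver}: missing or malformed sha256")
    return errors


# Constructed sample package contents (not a real Wheels package)
SAMPLE_FILES = {
    "box.json": b'{"name":"sentry"}',
    "Sentry.cfc": b"component {}",
    "README.md": b"# sentry\n",
}
```

Two details matter for the threat model in the summary: the gzip `mtime=0` and the zeroed tar metadata are what make the hash reproducible across runs, and `validate_manifests` rejecting any `tarball` URL outside the registry's Releases is what keeps an author from pointing the manifest back at a repo they can rewrite.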
Phase 3 — CLI commands
- `wheels packages list | search | show | install | install @Version | update | update --all | remove`
- `wheels packages registry refresh | info`
- SemVer matcher shared with PackageLoader (reuses work from #2231)
- Explicit-only update policy — no auto-pull on reload
- `/wheels/packages` in-app (dev/testing only, gated per #2233)
- One source of truth for CLI + web
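The client side of Phase 3 (SemVer matching against the registry's version history, sha256 verification before extraction, and the explicit-only update policy), as an added example. It is not the Wheels CLI's code; Python is used so it runs offline. The registry and install-record shapes, the `^`/`~`/exact constraint grammar, and the in-memory `fetch` callback are assumptions for the example.

```python
"""Added example: resolve, verify and explicit-update logic for a registry client (not the Wheels CLI).

Assumed shapes: registry = {name: {"versions": {ver: {"tarball": url, "sha256": hex}}}},
installed = {name: {"version": ver, "constraint": str}}. fetch(url) -> bytes is supplied by the caller.
"""
import hashlib
import hmac
import re

SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse(version):
    m = SEMVER_RE.match(version)
    if not m:
        raise ValueError(f"not a release version: {version}")
    return tuple(int(x) for x in m.groups())


def satisfies(version, constraint):
    """Constraint grammar (assumed): exact "1.2.3", caret "^1.2.3", tilde "~1.2.3", or "*"."""
    if not constraint:
        raise ValueError("empty constraint")
    v = parse(version)
    if constraint == "*":
        return True
    op, base = (constraint[0], constraint[1:]) if constraint[0] in "^~" else ("", constraint)
    b = parse(base)
    if op == "":
        return v == b
    if v < b:
        return False
    if op == "~":                          # ~1.2.3 -> >=1.2.3 <1.3.0
        return v[:2] == b[:2]
    if b[0] > 0:                           # ^1.2.3 -> >=1.2.3 <2.0.0
        return v[0] == b[0]
    if b[1] > 0:                           # ^0.2.3 -> >=0.2.3 <0.3.0
        return v[:2] == b[:2]
    return v == b                          # ^0.0.3 -> exactly 0.0.3


def resolve(registry, name, constraint):
    """Highest published version of `name` that satisfies `constraint`, or None."""
    versions = registry.get(name, {}).get("versions", {})
    matching = [v for v in versions if satisfies(v, constraint)]
    return max(matching, key=parse) if matching else None


def verify_tarball(data, expected_sha256):
    """Constant-time compare of downloaded bytes against the manifest pin; a swapped asset fails here."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256.lower())


def install(installed, registry, name, constraint, fetch):
    """`wheels packages install <name>[@constraint]`: resolve, download, verify, then record."""
    version = resolve(registry, name, constraint)
    if version is None:
        raise LookupError(f"{name}: no version satisfies {constraint}")
    entry = registry[name]["versions"][version]
    data = fetch(entry["tarball"])
    if not verify_tarball(data, entry["sha256"]):
        raise ValueError(f"{name}@{version}: sha256 mismatch, refusing to extract")
    installed[name] = {"version": version, "constraint": constraint}
    return version


def outdated(installed, registry):
    """Report only: nothing is downloaded or changed. A newer major outside the constraint is never offered."""
    report = {}
    for name, rec in installed.items():
        latest = resolve(registry, name, rec["constraint"])
        if latest and parse(latest) > parse(rec["version"]):
            report[name] = (rec["version"], latest)
    return report


def update(installed, registry, name, fetch):
    """Explicit update of one named package (loop over `installed` for --all); reload never calls this."""
    return install(installed, registry, name, installed[name]["constraint"], fetch)


# Constructed sample registry and offline "downloads" (not real packages or URLs)
ASSETS = {
    "https://example.invalid/sentry-1.0.0.tgz": b"sentry 1.0.0 tarball bytes",
    "https://example.invalid/sentry-1.2.0.tgz": b"sentry 1.2.0 tarball bytes",
    "https://example.invalid/sentry-2.0.0.tgz": b"sentry 2.0.0 tarball bytes",
}


def _pin(url):
    return {"tarball": url, "sha256": hashlib.sha256(ASSETS[url]).hexdigest()}


REGISTRY = {"sentry": {"versions": {
    "1.0.0": _pin("https://example.invalid/sentry-1.0.0.tgz"),
    "1.2.0": _pin("https://example.invalid/sentry-1.2.0.tgz"),
    "2.0.0": _pin("https://example.invalid/sentry-2.0.0.tgz"),
}}}


def fetch_offline(url):
    return ASSETS[url]
```

The split between `outdated` and `update` is the policy from the bullet above: an install under `^1.0.0` learns that 1.2.0 exists but never moves to it, or to 2.0.0, until the user runs the update command by name.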
Acceptance
- A third-party author can open a PR to `wheels-packages`, have it validated and mirrored automatically, and users can `wheels packages install ` without any ForgeBox or CommandBox dependency.
- Registry's `manifest.json` is authoritative; tarballs live on the registry repo's Releases; author's repo remains the development home.
- No author-hosted `tarball:` URLs accepted.
Refs: GA audit P4 · related audit items: P3 (creation guide), P9 (checksums removal)
v4.1 Theme A — P4 (distribution story)
Design spec: `docs/superpowers/specs/2026-04-22-wheels-packages-registry-design.md`