Casset Apps · Distribution
0.1 alpha · repository localBuild locally. Distribution stays curated.
The SDK and starters make the developer contract concrete. They do not open the marketplace. Production Casset Apps remain reviewed first-party capabilities mounted by Casset's own host.
Current truth
Availability at a glance
| Capability | Status | Constraint |
|---|---|---|
| Repository-local SDK | Available | Consumable in this repository and vendored into starter downloads; not published to npm. |
| Local development fixtures | Available | Deterministic host snapshots and lifecycle simulation; no production credentials. |
| Trusted App installation | Internal | Reviewed code-owned Apps can be installed, enabled, disabled, and removed in Studio. |
| Internal Workbench / Simulator | Internal | Authenticated tooling for the reviewed Pretty Shades World and Mood Ring candidates only. |
| Third-party submission | Unavailable | No external account, upload, review queue, credential, signing, or submission API exists. |
| Arbitrary production bundles | Unavailable | Listener runtime dispatch remains exhaustive, first-party, and code owned. |
Artist lifecycle
Installation is server truth, not a manifest claim.
A downloaded starter cannot install itself. Casset resolves an approved code-owned definition, exact artist scope, grants, placement, listener access, and fresh launch eligibility.
Artist owned
Install and enable
Studio writes a bounded artist-scoped installation. Stored data cannot choose executable code, a runtime key, an origin, or a new permission.
Fail closed
Disable or remove
Subsequent route/context creation fails. Core artist data and existing Casset purchases remain untouched.
Separate gate
Listener access
Reviewed Apps may be free or reuse same-artist Casset-purchase access where the host enforces it before App data mounts.
Security
What an App never receives
- No Prisma model, database connection, server secret, session cookie, Studio record, or raw
Artist.themeJson. - No audio element, audio token, storage key, raw audio URL, playback store, clock implementation, analyser, or render scheduler.
- No private Audience identity, Campaign participant, purchase row, payment metadata, or financial record.
- No authority derived from a visible launcher, client permission list, fixture, local proof, or manifest alone.
Two development environments
Local starters and the internal Simulator are not the same thing.
| Environment | What it does | What it cannot do |
|---|---|---|
| Downloaded starter | Runs your UI against deterministic SDK fixtures and a development host. | Cannot access Casset accounts, install an App, or prove production isolation. |
| Internal Profile Simulator | Rehearses two reviewed declarative candidates in an opaque static iframe and binds QA proof to an exact revision. | Cannot load the downloaded starter or arbitrary JavaScript. |
| Trusted listener runtime | Freshly authorizes and mounts reviewed in-repository components inside the Profile World. | Cannot execute an unregistered external bundle. |
Future admission
What must ship before third-party distribution opens
- External developer and team identity, scoped credentials, immutable App/version persistence, and audit history.
- Signed artifacts, isolated cookie-free hosting, response-level CSP, malware/review policy, quotas, performance budgets, suspension, rollback, and incident response.
- A generic fresh Profile Surface launch boundary, a real Track Runtime command bridge, resource brokering, and live revocation.
- Submission/review UI, versioned compatibility enforcement, entitlement-safe updates/removal, and a production threat model for arbitrary code.
FAQ
Common distribution questions
Can I publish to the Casset Store?
No. Build and validate locally, but there is no public submission or publishing flow.
Can I install @casset/apps from npm?
No. The alpha package is repository-local and included inside each downloadable starter as a file dependency.
Can the starter call Casset APIs?
Not as an installed App. It has no production credential. The separate public HTTP/Agent API does not make a caller a native Casset App.
Where do I go next?
Run a starter, change its manifest and interface, then exercise sparse, denied, expired, and responsive states locally.