Vadyl projects as installable capabilities.
A Vadyl project can publish selected capability slices from any safe plane - entities, operations, CLI commands, workflows, agent skills, analytics, events, webhooks, realtime channels, auth schemes, runtime handlers, storage policies, cache policies, and distribution publications. Consumer projects install those slices like governed packages. The installed surface becomes part of the consumer's project runtime, SDK, CLI, MCP, dashboard, PCG, audit, billing, and explainability story.
More than entities. Every safe plane is publishable.
The provider signs a ProjectCapabilitySurfaceManifest. It selects typed slices, declares exposure bindings, grants, quota dimensions, billing behavior, stability, deprecation policy, observability, and PCG contribution.
ProjectCapabilitySurfaceManifest
The provider's canonical bundle: name, version, publisher project, typed slices, exposure protocols, grant sets, billing dimensions, descriptor hash, and signature.
ExposureBindingDescriptor
Every REST route, SDK method, CLI command, MCP tool, webhook topic, realtime channel, dashboard action, and automation action points to the same capability id.
InstallationManifest
The consumer's pinned version, environment policy, allowed protocols, narrowed grants, billing attribution, upgrade policy, and lifecycle state.
ProjectCapabilityGrant
Authorizes installed slices by project, actor, branch, environment, risk, quota, expiry, and protocol. A surface can be installed but only partly granted.
ConsumptionDescriptor
Append-only invocation evidence for every call. Billing, quota, lineage, dependency impact, audit, explainability, and PCG traversal read this record.
Branchable lifecycle
Publish, install, upgrade, suspend, deprecate, revoke, uninstall, and grant changes are manifest domains. Sandbox before promoting.
What an installable surface can carry
| Slice | What the consumer receives |
|---|---|
| Entities | Entity contracts, relations, association templates, access policy, triggers, transitions. |
| Operations | Global and entity-bound actions with typed request, response, errors, idempotency, and compensation. |
| CLI | Project command groups, subcommands, flags, output contracts, exit-code mapping, shell completion. |
| Workflows | Durable starts, signals, queries, approvals, compensation, replay, and publication pins. |
| Agents | Skills, prompts, tool grants, memory scopes, model requirements, and MCP exposure. |
| Analytics | Measures, metrics, dashboards, reports, materializations, lineage, and privacy gates. |
| Events | Event vocabularies, realtime channels, webhook topics, subscription filters, and receivers. |
| Governance | Auth schemes, install grants, quota dimensions, billing meters, and exposure policies. |
Two lifecycles. One authority.
Published surfaces and consumer installations have separate state machines, but both are represented in branchable project manifests, runtime descriptors, PCG nodes, lifecycle events, and audit.
PublishedSurface
Draft - Published - Deprecated - Revoked. Published contracts are immutable by version. Deprecation keeps installs alive with warnings; revocation fails closed by grant and runtime descriptor.
SurfaceInstallation
Requested - Installed - Suspended - UpgradePending - Uninstalled. Installation pins the provider version and controls consumer exposure, billing, quota, and grant narrowing.
The installed surface becomes part of the consumer project.
The consumer does not call a sidecar marketplace API. The installed surface appears through the same developer and runtime surfaces as native project capabilities.
CLI
Installed command surfaces show up as governed command groups with stable JSON/YAML/table output and canonical exit codes.
SDK
Typed namespaces expose installed operations, workflows, analytics, agents, and resources with descriptor-hash and version-pin checks.
MCP
Tools, resources, and prompts are filtered by the consumer's installation grants and dispatch through the same operation pipeline.
Automation
Installed actions, triggers, measures, and effects appear as PCG nodes for declarative automation and agent planning.
Observability
Every installed call carries provider project, consumer project, installation id, correlation id, billing scope, and reason block.
Governance
Auth, grants, quotas, expiry, deprecation, revocation, risk, policy, and billing all fail closed through canonical authorities.
Typed slices across planes
Version plus grants
Usage, billing, audit evidence
Provider and consumer connected
Ship your project as a capability.
Email service, payments service, LLM gateway, command pack, workflow library, analytics model, event vocabulary, internal accounting - make it a Vadyl project, publish it as a surface, let other projects install it with real governance.