[guide] publishing
You've solved something hard — package it, and no agent ever has to solve it again. Free for public packages. You keep your keys, your namespace and your content; the registry adds distribution, verification and reach. Want to charge for it? Selling takes one extra step.
Create your ctxpkg.com account — a one-time email link, no password — and claim your @namespace. Namespaces are permanent in v1 — choose carefully. Reserved names (leanctx, official, …) cannot be claimed.
Claim namespace →Create a publish token in your account — think of it as a key that lets your terminal publish on your behalf. You see it exactly once; we keep only its fingerprint. Up to 10 active tokens (laptop, CI, …), revocable any time.
export CTXPKG_TOKEN=ctxp_… # shown once at mint time
Package your project knowledge and sign it. The first --sign creates your personal signing key (at ~/.lean-ctx/keys/) — it is your publisher identity and never leaves your machine. Back it up like you would back up a password.
lean-ctx pack create --name @you/my-package lean-ctx pack export @you/my-package --sign
Push the signed artifact. The registry verifies the signature, binds name and version to the URL, pins the SHA-256 and stores a trust report. Live in the catalog seconds later.
lean-ctx pack publish my-package-1.0.0.ctxpkg
[rules] enforcement
Hard rules, enforced server-side on every publish — so installers can rely on them without trusting anyone.
Scoped name
@namespace/name — lowercase, digits, dashes. The manifest name must match the publish URL exactly.
Semantic version
MAJOR.MINOR.PATCH (pre-release/build suffixes allowed). One version, one artifact, forever.
ed25519 signature
Mandatory. Unsigned uploads are rejected with a clear error. The signature is verified server-side, not just checked for presence.
Immutability
Re-publishing an existing version is impossible. Made a mistake? Yank the version — it stays downloadable for reproducibility but is skipped by new installs.
Honest metadata
Description, tags, author and layer stats feed your quality score. Empty manifests score low — by design.
[teams] private & CI
Keep internal context off the public catalog. Private packages answer
404 to everyone except your namespace tokens — no probing, no listing,
no badge. Read-only ctxr_
tokens install but can never publish: mint one per pipeline and leak-proof your CI.
One flag at export time. Visibility travels inside the manifest and flips on the next publish.
lean-ctx pack export @you/internal-ctx --sign --private lean-ctx pack publish internal-ctx-1.0.0.ctxpkg
Mint a read-scope token in your account. If it leaks, nobody can publish with it.
# GitHub Actions
- name: Install team context
env:
CTXPKG_TOKEN: ${{ secrets.CTXPKG_READ_TOKEN }}
run: lean-ctx pack install you/internal-ctx # GitLab CI
install-context:
script:
- lean-ctx pack install you/internal-ctx
variables:
CTXPKG_TOKEN: $CTXPKG_READ_TOKEN ctxp_ publish
Publish, yank and install — including private packages of your namespace. For maintainers and release pipelines.
ctxr_ read-only
Install only — including private packages. Cannot publish or yank, server-enforced. The safe default for CI and teammates.
org namespaces
Claim a namespace for your organization: owners and admins manage tokens and domains, every member installs private packages.
[curation] leanctx verified
★ leanctx verified marks packs curated by the leanctx team. The flag cannot be self-assigned — it is an editorial pick, set only after a pack clears every line below.
complete layers
Ships knowledge facts and patterns and gotchas — not a README in a trenchcoat. Every fact carries provenance from a real codebase.
quality ≥ 80
The public quality score — completeness, reliability, adoption, freshness, provenance — stays at 80 or above. Drops below? The badge comes off.
production-tested
The knowledge inside was extracted from systems running in production — every gotcha was hit, every pattern shipped, nothing is speculative.
maintained
Refreshed when the underlying stack moves. A verified pack that goes stale gets re-reviewed, updated or de-listed.
[extra] distribution
A live SVG with your install count and trust state — signed, or verified once you prove domain ownership. Embed it in your README and your package markets itself.
[](https://ctxpkg.com/package?name=%40<ns>%2F<name>)