SpiderPublish Overview
A tenant-isolated runtime and marketplace for dynamic booking apps.
SpiderPublish is not a generic CMS. It is built in three distinct layers to ensure multi-tenant security, fast global edge delivery, and powerful management capabilities.
STORE (PostgreSQL)
FastAPI backend. Every authored thing (page, component, template) lives here in a tenant-isolated row. Nothing is "on disk."
SERVE (Edge)
Cloudflare Workers read templates from KV and fetch content at request time. Blazing fast delivery to users.
MANAGE (MCP / CLI)
Dashboard, Model Context Protocol, and CLI all talk to the exact same STORE API endpoints.
Hard Gates
SpiderPublish employs two strict rules for any mutating operations:
- Tenant-Scope Verifier: Never mutate without ensuring the context is correct via
./scripts/verify-tenant-scope.sh. - Two-Phase Deploy Protocol: All production-altering actions must pass a dry-run/confirm flow. See the CLI documentation for details.
CLI & Setup
Tools and setup required for building SpiderPublish components locally.
Installation
Install the SpiderPublish tools from our private NPM registry.
npm install -g @spideriq/cli --registry=https://npm.spideriq.aiAuthentication
You must authenticate using a Personal Access Token (PAT). Generate this in the Dashboard Settings.
export SPIDERIQ_TOKEN="client_id:api_key:api_secret"
spideriq auth loginTwo-Phase Deploy
For safety, deployment uses a dry-run confirmation token system.
./scripts/dry-run-then-confirm.py \
--url https://spideriq.ai/api/v1/dashboard/projects/$PID/content/deploy \
--method POST \
--description "Deploy marketplace components" \
--body '{}'STORE API
Interact directly with the FastAPI backend.
Authentication Headers
All endpoints require a Bearer token in the Authorization header.
Authorization: Bearer spideriq_pat_...Core Endpoints
GET /content/pages— List pagesPOST /content/components— Create componentPATCH /content/pages/:id— Assign blocks and layoutPOST /content/deploy— Trigger Edge flush
Component Guidelines
Rules for writing components that execute safely inside our Shadow DOM.
Shadow DOM Rules
Components render in an isolated Shadow DOM context. Do not use document.querySelector. Instead, traverse from a known root element:
// Correct approach
var r = this.closest('.wrap').getRootNode();
var el = r.querySelector('.target');Event Listeners
Inline JS can be tricky due to Content Security Policy. The safest hack for running initialization logic is attaching it to a hidden SVG onload event:
<svg width="0" height="0" style="position:absolute;opacity:0" onload="yourJsCodeHere"></svg>Theme Tokens
Never hardcode brand colors (e.g., #1a73e8). Use our injected CSS variables which flow down per-tenant:
var(--spider-primary)var(--spider-text)var(--spider-bg)