whatalo validate
Validate your plugin project config, manifest, dependencies, and security — without making any API calls.
Syntax
whatalo validate [options]Options
| Flag | Type | Description |
|---|---|---|
--build | boolean | Also verify the build command succeeds |
--fix | boolean | Auto-fix fixable issues |
--json | boolean | Output results as JSON (useful for CI) |
--strict | boolean | Treat warnings as errors (exit code 1) |
--portal-url <url> | string | Developer Portal URL |
whatalo validate requires no authentication and makes no API calls. It is safe to run in any environment.
Checks (in order)
1. Config
Verifies whatalo.app.toml is present and passes the Zod schema validation. Checks for required fields: name, slug, plugin_id, build commands, dev port.
2. Manifest
Verifies whatalo.app.ts is present in the project root.
3. Dependencies
Checks package.json for required packages:
@whatalo/plugin-sdkreactvite
4. Security — hardcoded secrets
Scans source files (.ts, .tsx, .js, .jsx) for patterns that look like hardcoded credentials:
| Pattern | Example |
|---|---|
WHATALO_CLIENT_SECRET = "..." | Client secret in source code |
api_key: "..." (20+ chars) | API key in source code |
Bearer ... (20+ chars) | Token in source code |
password: "..." (8+ chars) | Password in source code |
Excluded directories: node_modules, dist, .git, .whatalo.
5. Security — .gitignore
Checks that .gitignore covers:
.env.whatalo/node_modules/
This check is auto-fixable with --fix.
6. TypeScript
Verifies tsconfig.json exists and runs tsc --noEmit to catch type errors.
7. Build (optional)
Only runs when --build is passed. Executes your configured build command and verifies the output directory exists afterward.
8. Port
Checks that the dev port configured in whatalo.app.toml is not already in use.
Exit Codes
| Code | Meaning |
|---|---|
0 | All checks passed |
1 | One or more errors found |
2 | Fatal error (config unreadable, etc.) |
With --strict, warnings are promoted to errors and will produce exit code 1.
Examples
Run a full validation before deploying:
whatalo validate --buildAuto-fix .gitignore issues:
whatalo validate --fixUse in CI with JSON output:
whatalo validate --strict --jsonRelated Commands
whatalo deploy— Deploy after validation passeswhatalo dev— Start development