You can use this article as a checklist before creating, testing or deploying a custo-manifest in production. Use it to keep your manifest maintainable, secure and easier to troubleshoot.
Checklist: Use these rules before deploying a custo-manifest to your users.
Construction
- Start from a template exported by Rainbow Desktop or from an already validated manifest.
- Remove unused extension points before production deployment.
- Keep
versionset to"2"andjsonTypeset to"Rainbow-custo-manifest". - Do not define more than 3 actions for the same extension point.
- Avoid hard-coded paths from a developer machine. Use
${custo.path}and package resources in a ZIP archive.
Security
- Declare all REST and iframe origins in Custo-manifest domains before deployment.
- Prefer HTTPS endpoints with stable DNS names.
- For REST APIs, configure CORS explicitly and test browser preflight requests.
- For local/private network servers, check Rainbow Web behavior with Local Network Access rules.
- Do not embed secrets directly in a manifest distributed to your users. Prefer server-side tokens or short-lived credentials where possible.
Variables
- Use the narrowest variable available for the extension point.
- Test variables with realistic calls, contacts and bubbles; some values are empty when the context is missing.
- Use
regexonly for simple transformations. Complex transformations should happen server-side. - Check phone number formats across Cloud PBX, OmniPCX Enterprise and OXO Connect deployments.
Adaptive Cards
- Keep cards short and focused on the user action.
- Test rendering on Rainbow Web and Desktop.
- Avoid unsupported Adaptive Card 1.6+ elements unless the target Rainbow client version explicitly supports them.
- For
Action.Submit, make the target endpoint idempotent and return clear feedback to the user.
Pre-production validation
- Validate JSON syntax.
- Test local import before central deployment.
- Test the manifest on Web and Desktop when both clients are targeted.
- Check all trusted domains, CORS headers and iframe headers.
- Deploy first to one pilot user or profile before wider rollout.
- Keep a copy of the previous manifest so rollback is immediate.