Attesto

Marketplace

Connector marketplace

Attesto Marketplace at https://marketplace.attesto.eu is the public catalog for validated evidence producers. Public visitors can view connector cards. Tenant acquisition, install, update, revoke and artifact download require an authenticated dashboard tenant session. Publisher signup, publisher profile management and connector submission use a separate marketplace-only developer account. Attesto review and publication are private internal processes and are not exposed to public visitors or to marketplace developers.

Marketplace model

A marketplace item is a validated connector asset. The catalog stores asset metadata, current version, manifest hash, artifact hash, validation result, entitlement state, install state and marketplace evidence events. The marketplace does not execute connector code in the browser and does not expose connector secrets.

Object          Meaning
asset           A connector listing such as GitHub, GitLab or S3/R2 object commitments.
version         A validated connector manifest with manifest and artifact hashes.
entitlement     The tenant's right to download or install a version.
install         A tenant-scoped installation record for the selected version.
evidence event  A canonical marketplace receipt for acquisition, installation, submission or validation.

Browsing the public catalog

The public catalog exposes only validated public assets. It is safe to browse without a tenant session:

GET https://marketplace.attesto.eu/v1/marketplace/categories
GET https://marketplace.attesto.eu/v1/marketplace/items?category=devops
GET https://marketplace.attesto.eu/v1/marketplace/items/attesto-github-repository-reference

Each card shows the evidence score, validation state, supported languages, category, current version and documentation link. Public visitors see a sign-in action instead of acquire/install/download commands.

Evidence Score is not a marketing grade. It is a deterministic output of attesto-marketplace-validation-v1: the same manifest, source reference and validator version produce the same score. The score is the sum of explicit criteria for receipts, offline verification, secret scanning, dependency scanning, witness compatibility, documentation, repository reference, Proofstream capability, source reference and supported Attesto languages. The validation report stores formula, criteria, components, total and max so that operators and publishers can reproduce why a connector received its tier.

Tenant acquisition and install lifecycle

Tenant users with the owner, admin or developer role can acquire and install a free first-party connector. The browser must hold the tenant session cookie and the readable CSRF token. Production cookies are scoped to .attesto.eu, so a session created on dashboard.attesto.eu also works on marketplace.attesto.eu.

POST /v1/marketplace/items/attesto-github-repository-reference/acquire
X-CSRF-Token: <attesto_csrf cookie>

POST /v1/marketplace/items/attesto-github-repository-reference/install
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "configRef": "tenant-managed-github-installation"
}

Installed free assets can be updated to the current validated version or revoked by an owner/admin. Revoke deactivates both the entitlement and the tenant install; artifact download fails until the tenant acquires and installs the asset again.

POST /v1/marketplace/items/attesto-github-repository-reference/install/update
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "configRef": "tenant-managed-github-installation-v2"
}

POST /v1/marketplace/items/attesto-github-repository-reference/revoke
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "reason": "tenant_request"
}

The artifact endpoint returns the connector manifest only once the tenant holds an active entitlement:

GET /v1/marketplace/items/attesto-github-repository-reference/artifact

Connector manifest

A manifest describes the connector without including secrets. It is the object that Python, TypeScript, Go, the CLI, backend validation and the marketplace all validate against the same contract.

{
  "schemaVersion": "attesto.connector.v2",
  "slug": "attesto-github-repository-reference",
  "name": "GitHub Repository Reference",
  "version": "1.0.0",
  "assetType": "connector",
  "category": "devops",
  "summary": "Creates Proofstream references for repository changes.",
  "description": "Records repository change references as verifiable Attesto events.",
  "publisher": {
    "slug": "attesto",
    "name": "Attesto"
  },
  "repository": {
    "url": "https://git.example.com/attesto/connectors/github"
  },
  "documentation": {
    "url": "https://docs.attesto.eu/manuals/connectors.html#github"
  },
  "capabilities": ["proofstream", "offline-verification"],
  "evidence": {
    "receipts": true,
    "offlineVerification": true,
    "witnessCompatible": true
  },
  "security": {
    "secretScan": true,
    "dependencyScan": true
  },
  "supportedLanguages": ["en", "nl", "de", "fr", "es", "pl", "it"],
  "provider": {
    "id": "github",
    "name": "GitHub",
    "websiteUrl": "https://github.com"
  },
  "auth": {
    "mode": "signed-webhook",
    "scopes": ["repo", "push-events"]
  },
  "sync": {
    "modes": ["webhook"],
    "supportsReplay": true,
    "rateLimitPolicy": "provider-default"
  },
  "eventTypes": ["repository.push", "repository.merge_request"],
  "sourceTime": {
    "required": true,
    "timezonePolicy": "source-offset-required"
  },
  "configSchema": { "type": "object", "properties": {} },
  "secretSchema": { "type": "object", "properties": {} },
  "diagnostics": {
    "providerAuthStatus": true,
    "testConnection": true,
    "syncLag": true,
    "replayConflictCheck": true,
    "revocationCheck": true
  },
  "runtime": {
    "officialConnectorKit": true,
    "sdkSurfaces": ["python", "typescript", "go", "cli"],
    "requiredMethods": [
      "metadata",
      "validateConfig",
      "testConnection",
      "sync",
      "handleWebhook",
      "emitProofstreamEvent",
      "diagnostics",
      "revoke"
    ],
    "canary": {
      "status": "green",
      "ref": "release/attesto-2.0-connector-assurance-readiness/result.json"
    }
  },
  "installRequirements": {
    "tenantLoginRequired": true,
    "entitlementRequired": true
  },
  "changelog": [
    {
      "version": "1.0.0",
      "date": "2026-06-09",
      "changes": ["Validated first-party connector release."]
    }
  ]
}

Required fields are checked before an asset is accepted. The backend validator fails hidden assets below Evidence Score 50; Attesto may apply a stricter private release policy to first-party or partner connectors. A score is validation output derived from evidence, not an adoption badge or a marketing judgement.
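As an added illustration (not Attesto's validator) of the deterministic Evidence Score and the required-field check described above: the criterion point values, the required-field list and the sample manifest are assumptions constructed from the manifest shown on this page, so only the structure of the report, not the numbers, reflects the real validator.

```python
# Added illustration: required-field check and deterministic Evidence Score for an
# attesto.connector.v2 manifest. Point values and the required-field list are assumptions.

# Assumed point value per criterion; the page names the criteria but not their weights.
CRITERIA = {
    "receipts": 15, "offline_verification": 15, "secret_scanning": 10,
    "dependency_scanning": 10, "witness_compatibility": 10, "documentation": 10,
    "repository_reference": 10, "proofstream_capability": 10,
    "source_reference": 5, "supported_languages": 5,
}
MAX_SCORE = sum(CRITERIA.values())  # 100
HIDDEN_ASSET_MIN_SCORE = 50  # the backend fails hidden assets below this score
VALIDATOR_VERSION = "attesto-marketplace-validation-v1"
# Assumed required fields (a subset of the manifest keys shown above).
REQUIRED_FIELDS = ("schemaVersion", "slug", "name", "version", "publisher",
                   "repository", "documentation", "evidence", "security")

# Constructed sample manifest, trimmed from the example on this page.
SAMPLE_MANIFEST = {
    "schemaVersion": "attesto.connector.v2", "slug": "attesto-github-repository-reference",
    "name": "GitHub Repository Reference", "version": "1.0.0",
    "publisher": {"slug": "attesto", "name": "Attesto"},
    "repository": {"url": "https://git.example.com/attesto/connectors/github"},
    "documentation": {"url": "https://docs.attesto.eu/manuals/connectors.html#github"},
    "capabilities": ["proofstream", "offline-verification"],
    "evidence": {"receipts": True, "offlineVerification": True, "witnessCompatible": True},
    "security": {"secretScan": True, "dependencyScan": True},
    "supportedLanguages": ["en", "nl", "de", "fr", "es", "pl", "it"],
}

def missing_fields(manifest):
    return [f for f in REQUIRED_FIELDS if f not in manifest]

def evaluate(manifest, source_ref):
    """Report with formula, criteria, components, total, max; same inputs, same output."""
    ev, sec = manifest.get("evidence", {}), manifest.get("security", {})
    met = {
        "receipts": bool(ev.get("receipts")),
        "offline_verification": bool(ev.get("offlineVerification")),
        "secret_scanning": bool(sec.get("secretScan")),
        "dependency_scanning": bool(sec.get("dependencyScan")),
        "witness_compatibility": bool(ev.get("witnessCompatible")),
        "documentation": bool(manifest.get("documentation", {}).get("url")),
        "repository_reference": bool(manifest.get("repository", {}).get("url")),
        "proofstream_capability": "proofstream" in manifest.get("capabilities", []),
        "source_reference": bool(source_ref),
        "supported_languages": bool(manifest.get("supportedLanguages")),
    }
    components = {name: CRITERIA[name] if met[name] else 0 for name in CRITERIA}
    total, missing = sum(components.values()), missing_fields(manifest)
    return {"validator": VALIDATOR_VERSION, "formula": "total = sum(components)",
            "criteria": met, "components": components, "total": total, "max": MAX_SCORE,
            "missingFields": missing, "passes": not missing and total >= HIDDEN_ASSET_MIN_SCORE}
```

Because every component is a function of the manifest and source reference only, re-running evaluate on the same inputs reproduces the same report, which is what lets a publisher check why a tier was assigned.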

Marketplace CLI publishing flow

Publisher automation can use the Attesto CLI with the same manifest contract as the backend and the connector kits. The CLI validates the manifest locally before sending anything to Attesto. Submission uses a marketplace publisher bearer token. The public documentation covers only the publisher path; Attesto review and publication remain private internal processes. Publisher commands never print stored tokens, Stripe identifiers, connector secrets or raw customer payloads.

attesto --json marketplace init \
  --output attesto.connector.json \
  --slug acme-risk-connector \
  --name "ACME Risk Connector" \
  --version 1.0.0 \
  --category ai-governance \
  --summary "Produces Attesto evidence for ACME risk decisions." \
  --description "Produces verifiable Proofstream events for ACME risk decisions." \
  --publisher-slug acme \
  --publisher-name ACME \
  --repository-url https://git.example.com/acme/risk-connector \
  --docs-url https://docs.example.com/acme/risk-connector \
  --provider-url https://example.com/acme \
  --auth-mode oauth2 \
  --auth-scopes risk.read,risk.events \
  --sync-modes polling,webhook \
  --event-types risk.decision.created,risk.decision.updated \
  --canary-ref release/acme-risk-connector/canary-result.json \
  --capabilities proofstream,offline-verification

attesto --json marketplace validate \
  --manifest-file attesto.connector.json

attesto --json --token-env ATTESTO_MARKETPLACE_TOKEN marketplace submit \
  --manifest-file attesto.connector.json \
  --source-ref https://git.example.com/acme/risk-connector/releases/v1.0.0 \
  --visibility public \
  --pricing-model free

After submission, the asset stays private pending Attesto review. Attesto reviews validation evidence, source reference, publisher identity, pricing and release provenance privately. The public documentation intentionally stops at the developer submission boundary.

Publisher validation

Marketplace developer accounts are marketplace-only. They can sign up and log in at marketplace.attesto.eu, manage a publisher profile, choose a developer tier, submit free connector assets to private Attesto review and start the real developer billing flow for paid publishing. They cannot enter dashboard.attesto.eu; regular tenant users still need a regular Attesto tenant account for the dashboard.

POST /v1/marketplace/auth/signup
Content-Type: application/json

{
  "displayName": "ACME Evidence Labs",
  "name": "Publisher Operator",
  "email": "publisher@example.com",
  "password": "<operator-chosen password>"
}

POST /v1/marketplace/auth/login
Content-Type: application/json

{
  "email": "publisher@example.com",
  "password": "<operator-chosen password>"
}

GET /v1/marketplace/auth/me

Creating or updating a publisher profile records marketplace evidence before any asset is submitted. A profile alone never publishes an asset: free submissions are private pending review, and paid submissions require an active paid developer tier plus Stripe Connect readiness. This keeps the public marketplace from becoming an open upload surface.

POST /v1/marketplace/publisher/profile
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "displayName": "Attesto Official Connector Team"
}

GET /v1/marketplace/publisher/profile

PATCH /v1/marketplace/publisher/profile
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "displayName": "Attesto Business Connectors"
}

Developer publisher rights are updated in place. The publisher keeps the same marketplace-only account and publisher profile. Community developers can submit free assets for private review. The Verified Developer, Professional Publisher and Marketplace Partner plans use a 14-day Stripe trial and unlock paid connector submission only after Stripe confirms the subscription. Paid listing publication additionally requires Stripe Connect payout readiness. Checkout and portal URLs are created server-side through the encrypted Stripe integration store.

GET /v1/marketplace/developer-tiers

[
  {
    "tier": "community",
    "label": "Free Developer",
    "monthlyCents": 0,
    "annualCents": 0,
    "currency": "EUR",
    "checkoutRequired": false,
    "submissionEnabledWhenActive": false,
    "description": "Marketplace-only developer identity for profile management, manifest preparation, documentation review, and free connector submission into private Attesto review.",
    "requirements": [
      "marketplace publisher profile",
      "private Attesto review before public listing",
      "paid developer publisher tier before paid connector submission"
    ],
    "trialDays": 0
  },
  {
    "tier": "premium",
    "label": "Verified Developer",
    "monthlyCents": 1900,
    "annualCents": 19000,
    "currency": "EUR",
    "checkoutRequired": true,
    "submissionEnabledWhenActive": true,
    "description": "Paid developer publishing tier with a 14-day Stripe trial.",
    "requirements": [
      "active developer subscription",
      "connector validation passes",
      "private Attesto review before public listing"
    ],
    "trialDays": 14
  }
]

GET /v1/marketplace/publisher/billing-state

{
  "publisher": {
    "tier": "premium",
    "developerSubscriptionState": "active",
    "payoutState": "ready",
    "commercialEnabled": true
  },
  "checkoutAvailable": true,
  "billingPortalAvailable": true,
  "canSubmitAssets": true,
  "developerSignupRequired": false,
  "supportedTiers": [
    {"tier": "premium", "label": "Verified Developer", "monthlyCents": 1900, "annualCents": 19000, "currency": "EUR"},
    {"tier": "professional", "label": "Professional Publisher", "monthlyCents": 4900, "annualCents": 49000, "currency": "EUR"},
    {"tier": "partner", "label": "Marketplace Partner", "monthlyCents": 9900, "annualCents": 99000, "currency": "EUR"}
  ],
  "submissionRequirements": [],
  "commercialRequirements": [
    "active developer subscription",
    "Stripe Connect payout readiness"
  ],
  "gracePeriodDays": 14
}

POST /v1/marketplace/publisher/upgrade
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "tier": "premium",
  "interval": "month",
  "successUrl": "https://marketplace.attesto.eu/?publisher=upgrade-success",
  "cancelUrl": "https://marketplace.attesto.eu/?publisher=upgrade-cancel"
}

POST /v1/marketplace/publisher/billing-portal
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "returnUrl": "https://marketplace.attesto.eu/?publisher=billing-return"
}

Publishers who want to sell paid assets must complete Stripe Connect payout onboarding after the developer account is active. The API uses Attesto's server-side encrypted Stripe configuration and returns only a Stripe-hosted onboarding URL. It does not return Stripe secret keys, connected-account IDs or payout credentials to the frontend.

POST /v1/marketplace/publisher/payout/onboarding
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "returnUrl": "https://marketplace.attesto.eu/?publisher=payout-return",
  "refreshUrl": "https://marketplace.attesto.eu/?publisher=payout-refresh",
  "country": "NL"
}

POST /v1/marketplace/publisher/payout/status

Paid connector acquisition uses Stripe Checkout with Stripe Connect. The backend creates the Checkout Session, applies the Attesto application fee, routes the developer's share to the connected account and waits for the verified Stripe webhook before creating the tenant entitlement and the marketplace ledger entry.

POST /v1/marketplace/items/{slug}/acquire
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "successUrl": "https://marketplace.attesto.eu/?marketplace=checkout-success",
  "cancelUrl": "https://marketplace.attesto.eu/?marketplace=checkout-cancel"
}

Webhook result:
marketplace_purchase_created
marketplace_entitlement_created
marketplace_revenue_split_recorded

Stripe refund and payout notifications are also processed by the verified webhook endpoint. A full refund closes the entitlement, revokes active installs of the connector, blocks artifact download and records refund and entitlement-revocation evidence. Payout events reconcile eligible publisher ledger entries and record payout evidence without exposing Stripe object identifiers or provider payloads to the browser.

Webhook result for full refund:
marketplace_refund_recorded
marketplace_entitlement_revoked

Webhook result for payout:
developer_payout_completed

Webhook result for failed payout/refund:
developer_payout_failed
marketplace_refund_failed

Active developer publishers can then submit business connectors through the marketplace publisher surface. The submit action validates the manifest, records a validation run, creates a private pending-review asset, stores version hashes and records marketplace evidence. Even when visibility is requested as public, the listing stays hidden until private Attesto review and publication policy are complete. Unqualified tenants receive a fail-closed response before manifest validation runs.

POST /v1/marketplace/publisher/assets
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "sourceRef": "https://example.com/repository/connector-release",
  "visibility": "private",
  "pricingModel": "free",
  "manifest": { "...": "attesto.connector.v2 manifest" }
}

Attesto review and publication are private internal processes. They write marketplace evidence, but the internal endpoints and procedures are not part of the public developer documentation. The public catalog returns only approved, non-revoked versions.

The source reference must point to the connector's real release source. Secrets, private keys, API tokens and customer payloads must never be placed in connector manifests.

Marketplace evidence events

Marketplace publisher profile create/update, acquisition, install, install update, entitlement revoke, paid purchase, refund, payout, publisher submission and validation/review actions write canonical marketplace evidence. The receipt hash is derived from the canonical evidence envelope and the payload hash; the receipt record stores tenant, actor, subject, timestamp and a sanitized payload for tenant audit views. This gives operators a deterministic audit trail of who changed publisher identity and who acquired, installed, updated, reviewed, published, refunded, paid out or revoked which connector version.

GET /v1/marketplace/evidence/<receipt-id-or-receipt-hash>
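The receipt derivation described above (payload hash, canonical envelope, receipt hash, sanitized payload) as an added example that is not Attesto's implementation: the canonical JSON rules, the envelope field names, the sensitive-key list and the sample payload are assumptions constructed for illustration.

```python
# Added illustration of deriving a marketplace receipt hash from a canonical evidence
# envelope plus a payload hash, and of the sanitized payload kept for tenant audit views.
# Canonical JSON rules, envelope field names and the sensitive-key list are assumptions.
import hashlib
import json

SENSITIVE_KEYS = {"secret", "token", "apiKey", "password"}  # assumed; never stored

# Constructed sample payload for an install receipt; the token value is a placeholder.
SAMPLE_PAYLOAD = {
    "connector": "attesto-github-repository-reference",
    "version": "1.0.0",
    "configRef": "tenant-managed-github-installation",
    "token": "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-SECRET",
}


def canonical_bytes(obj):
    """Deterministic encoding: sorted keys, no insignificant whitespace, ASCII escapes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sanitize(payload):
    """Recursively drop sensitive keys before the payload is stored for audit views."""
    if isinstance(payload, dict):
        return {k: sanitize(v) for k, v in payload.items() if k not in SENSITIVE_KEYS}
    if isinstance(payload, list):
        return [sanitize(v) for v in payload]
    return payload


def build_receipt(event_type, tenant, actor, subject, timestamp, payload):
    """receiptHash = sha256(canonical envelope); the envelope carries the payload hash."""
    envelope = {"eventType": event_type, "tenant": tenant, "actor": actor,
                "subject": subject, "timestamp": timestamp,
                "payloadHash": sha256_hex(canonical_bytes(payload))}
    return {"envelope": envelope,
            "receiptHash": sha256_hex(canonical_bytes(envelope)),
            "sanitizedPayload": sanitize(payload)}


def verify_receipt(receipt, payload):
    """Recompute both hashes from the full payload; any mismatch fails closed."""
    envelope = receipt["envelope"]
    if envelope.get("payloadHash") != sha256_hex(canonical_bytes(payload)):
        return False
    return receipt.get("receiptHash") == sha256_hex(canonical_bytes(envelope))
```

Key order in the payload does not affect the hash, so two operators serializing the same event independently arrive at the same receipt hash, while the sanitized payload alone can never reproduce it.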

Security boundaries