# Marketplace

## Connector marketplace

Attesto Marketplace at https://marketplace.attesto.eu is the public catalog for validated evidence producers. Public visitors can browse connector cards. Tenant acquisition, install, update, revoke and artifact download require an authenticated dashboard tenant session. Publisher signup, publisher profile management and connector submission use a separate, marketplace-only developer account. Attesto review and publication are private internal processes and are not exposed to public visitors or marketplace developers.
## Marketplace model

A marketplace item is a validated connector asset. The catalog stores asset metadata, current version, manifest hash, artifact hash, validation result, entitlement state, install state and marketplace evidence events. The marketplace does not run connector code in the browser and does not expose connector secrets.

| Object | Meaning |
|---|---|
| asset | A connector listing such as GitHub, GitLab or S3/R2 object commitments. |
| version | A validated connector manifest with manifest and artifact hashes. |
| entitlement | The tenant's right to download or install a version. |
| install | A tenant-scoped installation record for the selected version. |
| evidence event | A canonical marketplace receipt for acquisition, installation, submission or validation. |
## Browse the public catalog

The public catalog exposes only validated public assets. It is safe to browse without a tenant session:

```http
GET https://marketplace.attesto.eu/v1/marketplace/categories
GET https://marketplace.attesto.eu/v1/marketplace/items?category=devops
GET https://marketplace.attesto.eu/v1/marketplace/items/attesto-github-repository-reference
```

Each card shows the evidence score, validation state, supported languages, category, current version and documentation link. Public visitors see a sign-in action instead of the acquire/install/download commands.
Evidence Score is not a marketing rating. It is a deterministic output of attesto-marketplace-validation-v1: the same manifest, source reference and validator version produce the same score. The score is the sum of explicit criteria for receipts, offline verification, secret scanning, dependency scanning, witness compatibility, documentation, repository reference, Proofstream capability, source reference and supported Attesto languages. The validation report stores the formula, criteria, components, total and max so that operators and publishers can reproduce why a connector received its tier.
## Tenant acquisition and install lifecycle

Tenant users with the owner, admin or developer role can acquire and install a free first-party connector. The browser must hold the tenant session cookie and a readable CSRF token. Production cookies are scoped to .attesto.eu, so a session created on dashboard.attesto.eu also works on marketplace.attesto.eu.

```http
POST /v1/marketplace/items/attesto-github-repository-reference/acquire
X-CSRF-Token: <attesto_csrf cookie>
```

```http
POST /v1/marketplace/items/attesto-github-repository-reference/install
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "configRef": "tenant-managed-github-installation"
}
```
Installed free assets can be updated to the current validated version or revoked by an owner/admin. Revoke disables both the entitlement and the tenant install; artifact download fails until the tenant acquires and installs the asset again.

```http
POST /v1/marketplace/items/attesto-github-repository-reference/install/update
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "configRef": "tenant-managed-github-installation-v2"
}
```

```http
POST /v1/marketplace/items/attesto-github-repository-reference/revoke
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "reason": "tenant_request"
}
```
The artifact endpoint returns the connector manifest only once the tenant holds an active entitlement:

```http
GET /v1/marketplace/items/attesto-github-repository-reference/artifact
```
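The lifecycle above (acquire, install, update, revoke, artifact) as an added in-memory model, written for this page and not taken from Attesto's backend. It exists to make the fail-closed rules visible: every mutating call needs the tenant session plus an X-CSRF-Token equal to the cookie, the artifact is served only against an active entitlement, and revoke disables both the entitlement and the install until the tenant acquires and installs again. The roles and state names follow the page; the class, method and evidence-kind names are assumptions.

```python
"""Added example: tenant entitlement/install state machine for one connector listing.
Not Attesto's code; names beyond those on the page are assumptions."""
from dataclasses import dataclass, field

ACQUIRE_ROLES = {"owner", "admin", "developer"}  # page: who may acquire and install
MANAGE_ROLES = {"owner", "admin"}                # page: update to current version / revoke


class MarketplaceError(Exception):
    """A fail-closed refusal; an HTTP layer would map this to a 4xx response."""


@dataclass
class Session:
    tenant: str
    user: str
    role: str
    csrf_cookie: str  # value of the attesto_csrf cookie


@dataclass
class ConnectorListing:
    slug: str
    current_version: str
    manifest: dict
    entitlements: dict = field(default_factory=dict)  # tenant -> "active" | "revoked"
    installs: dict = field(default_factory=dict)      # tenant -> {"version", "configRef", "state"}
    evidence: list = field(default_factory=list)      # marketplace evidence events (constructed shape)

    def _authorize(self, session, csrf_header, roles):
        # Mutating calls need the tenant session and an X-CSRF-Token that matches the cookie.
        if csrf_header is None or csrf_header != session.csrf_cookie:
            raise MarketplaceError("csrf_required")
        if session.role not in roles:
            raise MarketplaceError("forbidden_role")

    def _record(self, kind, session, **extra):
        self.evidence.append({"event": kind, "tenant": session.tenant,
                              "actor": session.user, "subject": self.slug, **extra})

    def acquire(self, session, csrf_header):
        self._authorize(session, csrf_header, ACQUIRE_ROLES)
        self.entitlements[session.tenant] = "active"
        self._record("acquisition", session)

    def install(self, session, csrf_header, config_ref):
        self._authorize(session, csrf_header, ACQUIRE_ROLES)
        if self.entitlements.get(session.tenant) != "active":
            raise MarketplaceError("entitlement_required")
        self.installs[session.tenant] = {"version": self.current_version,
                                         "configRef": config_ref, "state": "active"}
        self._record("installation", session, version=self.current_version)

    def update(self, session, csrf_header, config_ref):
        self._authorize(session, csrf_header, MANAGE_ROLES)
        inst = self.installs.get(session.tenant)
        if self.entitlements.get(session.tenant) != "active" or not inst or inst["state"] != "active":
            raise MarketplaceError("active_install_required")
        inst.update(version=self.current_version, configRef=config_ref)  # move to current validated version
        self._record("install_update", session, version=self.current_version)

    def revoke(self, session, csrf_header, reason):
        self._authorize(session, csrf_header, MANAGE_ROLES)
        # Revoke disables both the entitlement and the tenant install.
        self.entitlements[session.tenant] = "revoked"
        if session.tenant in self.installs:
            self.installs[session.tenant]["state"] = "revoked"
        self._record("entitlement_revoke", session, reason=reason)

    def artifact(self, session):
        # Read-only, but the manifest is only served against an active entitlement.
        if self.entitlements.get(session.tenant) != "active":
            raise MarketplaceError("entitlement_required")
        return self.manifest

    def state(self, tenant):
        """(entitlement state, install state) for a tenant; 'none' when never created."""
        return (self.entitlements.get(tenant, "none"),
                self.installs.get(tenant, {}).get("state", "none"))


def refusal(fn, *args):
    """Return the fail-closed reason for a call, or None when the call succeeds."""
    try:
        fn(*args)
    except MarketplaceError as err:
        return str(err)
    return None
```

The model deliberately keeps `artifact` free of a CSRF check (it is a GET) while still requiring the entitlement, which mirrors the page's split between read-only catalog access and entitlement-gated downloads.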
## Connector manifest

A manifest describes the connector without including secrets. It is the object that Python, TypeScript, Go, the CLI, backend validation and the marketplace all validate against the same contract.

```json
{
  "schemaVersion": "attesto.connector.v2",
  "slug": "attesto-github-repository-reference",
  "name": "GitHub Repository Reference",
  "version": "1.0.0",
  "assetType": "connector",
  "category": "devops",
  "summary": "Creates Proofstream references for repository changes.",
  "description": "Records repository change references as verifiable Attesto events.",
  "publisher": {
    "slug": "attesto",
    "name": "Attesto"
  },
  "repository": {
    "url": "https://git.example.com/attesto/connectors/github"
  },
  "documentation": {
    "url": "https://docs.attesto.eu/manuals/connectors.html#github"
  },
  "capabilities": ["proofstream", "offline-verification"],
  "evidence": {
    "receipts": true,
    "offlineVerification": true,
    "witnessCompatible": true
  },
  "security": {
    "secretScan": true,
    "dependencyScan": true
  },
  "supportedLanguages": ["en", "nl", "de", "fr", "es", "pl", "it"],
  "provider": {
    "id": "github",
    "name": "GitHub",
    "websiteUrl": "https://github.com"
  },
  "auth": {
    "mode": "signed-webhook",
    "scopes": ["repo", "push-events"]
  },
  "sync": {
    "modes": ["webhook"],
    "supportsReplay": true,
    "rateLimitPolicy": "provider-default"
  },
  "eventTypes": ["repository.push", "repository.merge_request"],
  "sourceTime": {
    "required": true,
    "timezonePolicy": "source-offset-required"
  },
  "configSchema": { "type": "object", "properties": {} },
  "secretSchema": { "type": "object", "properties": {} },
  "diagnostics": {
    "providerAuthStatus": true,
    "testConnection": true,
    "syncLag": true,
    "replayConflictCheck": true,
    "revocationCheck": true
  },
  "runtime": {
    "officialConnectorKit": true,
    "sdkSurfaces": ["python", "typescript", "go", "cli"],
    "requiredMethods": [
      "metadata",
      "validateConfig",
      "testConnection",
      "sync",
      "handleWebhook",
      "emitProofstreamEvent",
      "diagnostics",
      "revoke"
    ],
    "canary": {
      "status": "green",
      "ref": "release/attesto-2.0-connector-assurance-readiness/result.json"
    }
  },
  "installRequirements": {
    "tenantLoginRequired": true,
    "entitlementRequired": true
  },
  "changelog": [
    {
      "version": "1.0.0",
      "date": "2026-06-09",
      "changes": ["Validated first-party connector release."]
    }
  ]
}
```
Required fields are checked before an asset can be accepted. The backend validator fails hidden assets below Evidence Score 50; Attesto may still apply a stricter private release policy to first-party or partner connectors. A score is validation output derived from evidence, not an adoption badge or a marketing judgement.
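The Evidence Score paragraph above and this required-fields rule describe a deterministic validator whose report carries formula, criteria, components, total and max. The following is an added illustration of that shape, not Attesto's attesto-marketplace-validation-v1 implementation: the criterion names and the 50-point rule come from the page, while the required-field list, the per-criterion weights, the pass conditions and the canonical-JSON manifest hash are assumptions made for this example. The sample manifest is a subset of the one shown above.

```python
"""Added example: deterministic manifest check with a reproducible Evidence Score report.
Not Attesto's validator; weights, required-field list and hash scheme are assumptions."""
import hashlib
import json

VALIDATOR = "attesto-marketplace-validation-v1"  # name from the page

# Assumed required top-level fields (the page says required fields are checked, not which).
REQUIRED_FIELDS = ("schemaVersion", "slug", "name", "version", "publisher", "repository",
                   "documentation", "capabilities", "evidence", "security", "supportedLanguages")

ATTESTO_LANGUAGES = {"en", "nl", "de", "fr", "es", "pl", "it"}  # languages listed in the page manifest

# Assumed weights; only the criterion names and the "under 50 fails" rule are from the page.
CRITERIA = {
    "receipts": 15,
    "offline_verification": 15,
    "secret_scanning": 10,
    "dependency_scanning": 10,
    "witness_compatibility": 10,
    "documentation": 10,
    "repository_reference": 10,
    "proofstream_capability": 10,
    "source_reference": 5,
    "supported_languages": 5,
}
MAX_SCORE = sum(CRITERIA.values())  # 100 with the assumed weights
HIDDEN_ASSET_MIN_SCORE = 50          # from the page

SAMPLE_MANIFEST = {  # subset of the manifest shown on this page
    "schemaVersion": "attesto.connector.v2",
    "slug": "attesto-github-repository-reference",
    "name": "GitHub Repository Reference",
    "version": "1.0.0",
    "publisher": {"slug": "attesto", "name": "Attesto"},
    "repository": {"url": "https://git.example.com/attesto/connectors/github"},
    "documentation": {"url": "https://docs.attesto.eu/manuals/connectors.html#github"},
    "capabilities": ["proofstream", "offline-verification"],
    "evidence": {"receipts": True, "offlineVerification": True, "witnessCompatible": True},
    "security": {"secretScan": True, "dependencyScan": True},
    "supportedLanguages": ["en", "nl", "de", "fr", "es", "pl", "it"],
}


def canonical_hash(obj) -> str:
    """sha256 over canonical JSON (sorted keys, no whitespace): same manifest, same hash.
    Assumed stand-in for the catalog's manifest hash."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def missing_required_fields(manifest: dict) -> list:
    return [f for f in REQUIRED_FIELDS if f not in manifest]


def criteria_components(manifest: dict, source_ref: str) -> dict:
    """Each criterion earns its full weight or 0; a boolean must be literally true to count."""
    ev = manifest.get("evidence", {})
    sec = manifest.get("security", {})
    langs = set(manifest.get("supportedLanguages", []))
    met = {
        "receipts": ev.get("receipts") is True,
        "offline_verification": ev.get("offlineVerification") is True,
        "secret_scanning": sec.get("secretScan") is True,
        "dependency_scanning": sec.get("dependencyScan") is True,
        "witness_compatibility": ev.get("witnessCompatible") is True,
        "documentation": str(manifest.get("documentation", {}).get("url", "")).startswith("https://"),
        "repository_reference": str(manifest.get("repository", {}).get("url", "")).startswith("https://"),
        "proofstream_capability": "proofstream" in manifest.get("capabilities", []),
        "source_reference": source_ref.startswith("https://"),
        "supported_languages": bool(langs) and langs <= ATTESTO_LANGUAGES,
    }
    return {name: (CRITERIA[name] if ok else 0) for name, ok in met.items()}


def validate_manifest(manifest: dict, source_ref: str) -> dict:
    """Required-field failures short-circuit before any scoring happens."""
    missing = missing_required_fields(manifest)
    if missing:
        return {"validator": VALIDATOR, "accepted": False,
                "reason": "missing_required_fields", "missing": missing}
    components = criteria_components(manifest, source_ref)
    total = sum(components.values())
    return {
        "validator": VALIDATOR,
        "accepted": True,
        "manifestHash": canonical_hash(manifest),
        "formula": "total = sum(components)",
        "criteria": dict(CRITERIA),
        "components": components,
        "total": total,
        "max": MAX_SCORE,
        # The page: the backend validator fails hidden assets that score under 50.
        "meetsMinimumScore": total >= HIDDEN_ASSET_MIN_SCORE,
    }
```

Because the report contains the weights and the per-criterion components next to the total, a publisher who disagrees with a tier can recompute it from the same manifest and source reference, which is the reproducibility property the page attributes to the real validator.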
## Marketplace CLI publishing flow

Publisher automation can use the Attesto CLI against the same manifest contract as the backend and the connector kits. The CLI validates the manifest locally before sending anything to Attesto. Submission uses a marketplace publisher bearer token. The public documentation covers only the publisher path; Attesto review and publication remain private internal processes. The publisher commands never print stored tokens, Stripe identifiers, connector secrets or raw customer payloads.

```bash
attesto --json marketplace init \
  --output attesto.connector.json \
  --slug acme-risk-connector \
  --name "ACME Risk Connector" \
  --version 1.0.0 \
  --category ai-governance \
  --summary "Produces Attesto evidence for ACME risk decisions." \
  --description "Produces verifiable Proofstream events for ACME risk decisions." \
  --publisher-slug acme \
  --publisher-name ACME \
  --repository-url https://git.example.com/acme/risk-connector \
  --docs-url https://docs.example.com/acme/risk-connector \
  --provider-url https://example.com/acme \
  --auth-mode oauth2 \
  --auth-scopes risk.read,risk.events \
  --sync-modes polling,webhook \
  --event-types risk.decision.created,risk.decision.updated \
  --canary-ref release/acme-risk-connector/canary-result.json \
  --capabilities proofstream,offline-verification

attesto --json marketplace validate \
  --manifest-file attesto.connector.json

attesto --json --token-env ATTESTO_MARKETPLACE_TOKEN marketplace submit \
  --manifest-file attesto.connector.json \
  --source-ref https://git.example.com/acme/risk-connector/releases/v1.0.0 \
  --visibility public \
  --pricing-model free
```

After submission the asset stays private, pending Attesto review. Attesto examines validation evidence, source reference, publisher identity, pricing and release provenance in private. The public docs intentionally stop at the developer submission boundary.
## Publisher validation

Marketplace developer accounts are marketplace-only. They can sign up and sign in on marketplace.attesto.eu, manage a publisher profile, choose a developer tier, submit free connector assets for private Attesto review and start the real developer billing flow for paid publishing. They cannot access dashboard.attesto.eu; ordinary tenant users still need a regular Attesto tenant account for the dashboard.

```http
POST /v1/marketplace/auth/signup
Content-Type: application/json

{
  "displayName": "ACME Evidence Labs",
  "name": "Publisher Operator",
  "email": "publisher@example.com",
  "password": "<operator-chosen password>"
}
```

```http
POST /v1/marketplace/auth/login
Content-Type: application/json

{
  "email": "publisher@example.com",
  "password": "<operator-chosen password>"
}
```

```http
GET /v1/marketplace/auth/me
```
Creating or updating a publisher profile records marketplace evidence before any asset submission. A profile alone never publishes an asset: free submissions are private pending review, and paid submissions require an active paid developer tier plus Stripe Connect readiness. This keeps the public marketplace from becoming an open upload surface.

```http
POST /v1/marketplace/publisher/profile
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "displayName": "Attesto Official Connector Team"
}
```

```http
GET /v1/marketplace/publisher/profile
```

```http
PATCH /v1/marketplace/publisher/profile
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "displayName": "Attesto Business Connectors"
}
```
Developer publisher rights are upgraded in place. The publisher keeps the same marketplace-only account and publisher profile. Community developers can submit free assets for private review. The Verified Developer, Professional Publisher and Marketplace Partner plans use a 14-day Stripe trial and unlock paid connector submission only after Stripe confirms the subscription. Paid listing publication also requires Stripe Connect payout readiness. Checkout and portal URLs are created server-side through the encrypted Stripe integration store.
```http
GET /v1/marketplace/developer-tiers
```

```json
[
  {
    "tier": "community",
    "label": "Free Developer",
    "monthlyCents": 0,
    "annualCents": 0,
    "currency": "EUR",
    "checkoutRequired": false,
    "submissionEnabledWhenActive": false,
    "description": "Marketplace-only developer identity for profile management, manifest preparation, documentation review, and free connector submission into private Attesto review.",
    "requirements": [
      "marketplace publisher profile",
      "private Attesto review before public listing",
      "paid developer publisher tier before paid connector submission"
    ],
    "trialDays": 0
  },
  {
    "tier": "premium",
    "label": "Verified Developer",
    "monthlyCents": 1900,
    "annualCents": 19000,
    "currency": "EUR",
    "checkoutRequired": true,
    "submissionEnabledWhenActive": true,
    "description": "Paid developer publishing tier with a 14-day Stripe trial.",
    "requirements": [
      "active developer subscription",
      "connector validation passes",
      "private Attesto review before public listing"
    ],
    "trialDays": 14
  }
]
```
```http
GET /v1/marketplace/publisher/billing-state
```

```json
{
  "publisher": {
    "tier": "premium",
    "developerSubscriptionState": "active",
    "payoutState": "ready",
    "commercialEnabled": true
  },
  "checkoutAvailable": true,
  "billingPortalAvailable": true,
  "canSubmitAssets": true,
  "developerSignupRequired": false,
  "supportedTiers": [
    {"tier": "premium", "label": "Verified Developer", "monthlyCents": 1900, "annualCents": 19000, "currency": "EUR"},
    {"tier": "professional", "label": "Professional Publisher", "monthlyCents": 4900, "annualCents": 49000, "currency": "EUR"},
    {"tier": "partner", "label": "Marketplace Partner", "monthlyCents": 9900, "annualCents": 99000, "currency": "EUR"}
  ],
  "submissionRequirements": [],
  "commercialRequirements": [
    "active developer subscription",
    "Stripe Connect payout readiness"
  ],
  "gracePeriodDays": 14
}
```
```http
POST /v1/marketplace/publisher/upgrade
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "tier": "premium",
  "interval": "month",
  "successUrl": "https://marketplace.attesto.eu/?publisher=upgrade-success",
  "cancelUrl": "https://marketplace.attesto.eu/?publisher=upgrade-cancel"
}
```

```http
POST /v1/marketplace/publisher/billing-portal
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "returnUrl": "https://marketplace.attesto.eu/?publisher=billing-return"
}
```
Publishers who want to sell paid assets must complete Stripe Connect payout onboarding after the developer account is active. The API uses Attesto's server-side encrypted Stripe configuration and returns only a Stripe-hosted onboarding URL. It does not return Stripe secret keys, connected-account IDs or payout credentials to the frontend.
```http
POST /v1/marketplace/publisher/payout/onboarding
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "returnUrl": "https://marketplace.attesto.eu/?publisher=payout-return",
  "refreshUrl": "https://marketplace.attesto.eu/?publisher=payout-refresh",
  "country": "NL"
}
```

```http
POST /v1/marketplace/publisher/payout/status
```
Paid connector acquisition uses Stripe Checkout with Stripe Connect. The backend creates the Checkout Session, applies the Attesto application fee, routes the developer share to the connected account and waits for the verified Stripe webhook before creating the tenant entitlement and the marketplace ledger entry.
```http
POST /v1/marketplace/items/{slug}/acquire
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "successUrl": "https://marketplace.attesto.eu/?marketplace=checkout-success",
  "cancelUrl": "https://marketplace.attesto.eu/?marketplace=checkout-cancel"
}
```

Webhook result:

```text
marketplace_purchase_created
marketplace_entitlement_created
marketplace_revenue_split_recorded
```
Stripe refund and payout notifications are also processed through the verified webhook endpoint. A full refund closes the entitlement, revokes active installs for the connector, blocks artifact download and records refund and entitlement-revocation evidence. Payout events reconcile eligible publisher ledger entries and record payout evidence without exposing Stripe object identifiers or provider payloads to the browser.
Webhook result for a full refund:

```text
marketplace_refund_recorded
marketplace_entitlement_revoked
```

Webhook result for a payout:

```text
developer_payout_completed
```

Webhook result for a failed payout/refund:

```text
developer_payout_failed
marketplace_refund_failed
```
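The two webhook passages above hinge on one rule: nothing changes entitlement or ledger state until the notification is verified. The following added example, which is not Attesto's webhook handler, verifies a Stripe-style signature and then maps event types to the marketplace results listed above. The signature format (a `Stripe-Signature` header of the form `t=<timestamp>,v1=<hex hmac>` over `<timestamp>.<body>` with HMAC-SHA256, with a timestamp tolerance as replay guard) follows Stripe's documented scheme; the endpoint secret, the event payload shape, the choice of which Stripe event types map to which marketplace results, and the in-memory store are assumptions constructed for this example.

```python
"""Added example: verify-then-act webhook processing for marketplace purchases, refunds and payouts.
Not Attesto's handler; secret, payload shape, event-type mapping and store are constructed."""
import hashlib
import hmac
import json

ENDPOINT_SECRET = b"whsec_constructed_example_secret"  # constructed; the real one stays server-side
TOLERANCE_SECONDS = 300  # signatures older than this are treated as replays and rejected


def _signed_payload(body: bytes, ts: int) -> bytes:
    return f"{ts}.".encode() + body


def sign_payload(body: bytes, ts: int, secret: bytes = ENDPOINT_SECRET) -> str:
    """Build a Stripe-Signature style header; only needed here to construct sample events."""
    mac = hmac.new(secret, _signed_payload(body, ts), hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_signature(body: bytes, header: str, now: int, secret: bytes = ENDPOINT_SECRET) -> bool:
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    try:
        ts = int(parts["t"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or replayed
    expected = hmac.new(secret, _signed_payload(body, ts), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, parts.get("v1", ""))


def make_signed_event(kind: str, data: dict, ts: int):
    """Constructed webhook body plus a valid header, i.e. what the provider would deliver."""
    body = json.dumps({"type": kind, "data": data}, sort_keys=True).encode()
    return body, sign_payload(body, ts)


class MarketplaceStore:
    def __init__(self):
        self.entitlements = {}  # (tenant, slug) -> "active" | "revoked"
        self.installs = {}      # (tenant, slug) -> "active" | "revoked"
        self.ledger = []        # purchase entries with the revenue split
        self.evidence = []      # marketplace evidence; never holds raw Stripe objects or ids

    def can_download(self, tenant: str, slug: str) -> bool:
        return self.entitlements.get((tenant, slug)) == "active"


def handle_webhook(store: MarketplaceStore, body: bytes, header: str, now: int) -> list:
    """Return the marketplace results for a verified event; [] and no state change otherwise."""
    if not verify_signature(body, header, now):
        store.evidence.append({"event": "marketplace_webhook_rejected", "reason": "signature_invalid"})
        return []
    event = json.loads(body)
    kind = event["type"]
    data = event["data"]  # assumed shape: tenant, slug and cent amounts, or publisher for payouts
    key = (data.get("tenant"), data.get("slug"))
    results = []
    if kind == "checkout.session.completed":
        fee = data["applicationFeeCents"]
        store.ledger.append({"purchase": key, "amountCents": data["amountCents"],
                             "applicationFeeCents": fee,
                             "developerShareCents": data["amountCents"] - fee})
        store.entitlements[key] = "active"
        results = ["marketplace_purchase_created", "marketplace_entitlement_created",
                   "marketplace_revenue_split_recorded"]
    elif kind == "charge.refunded":
        results = ["marketplace_refund_recorded"]
        if data.get("fullRefund"):
            # Full refund: close the entitlement and revoke active installs, which blocks downloads.
            store.entitlements[key] = "revoked"
            if key in store.installs:
                store.installs[key] = "revoked"
            results.append("marketplace_entitlement_revoked")
    elif kind == "payout.paid":
        results = ["developer_payout_completed"]
    elif kind == "payout.failed":
        results = ["developer_payout_failed"]
    elif kind == "refund.failed":
        results = ["marketplace_refund_failed"]
    # Unknown event types are acknowledged but change nothing.
    subject = data.get("slug") or data.get("publisher")
    store.evidence.extend({"event": r, "tenant": key[0], "subject": subject} for r in results)
    return results
```

Verification runs before the body is even parsed, and a rejected delivery leaves only an evidence entry behind. The evidence records carry tenant and subject, not Stripe identifiers, matching the page's rule that provider payloads never reach the browser.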
Active developer publishers can then submit business connectors through the marketplace publisher surface. The submit action validates the manifest, records a validation run, creates a private pending-review asset, stores version hashes and records marketplace evidence. Even when visibility is requested as public, the listing stays hidden until private Attesto review and publication policy are complete. Unqualified tenants receive a fail-closed response before manifest validation runs.
```http
POST /v1/marketplace/publisher/assets
Content-Type: application/json
X-CSRF-Token: <attesto_csrf cookie>

{
  "sourceRef": "https://example.com/repository/connector-release",
  "visibility": "private",
  "pricingModel": "free",
  "manifest": { "...": "attesto.connector.v2 manifest" }
}
```
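The developer-tier rules described earlier (free submission for every marketplace developer, paid submission only with an active paid tier, paid listing only with payout readiness) and the fail-closed submission order just described fit together into one gate. The following added example, which is not Attesto's publisher surface, derives billing-state flags from the tier table shown on this page and applies them in front of manifest validation so that an unqualified publisher is refused before the manifest is inspected. The tier table values are from the page; the flag names beyond the page's JSON, the publisher record shape and the `validate` callback are assumptions.

```python
"""Added example: billing-state derivation plus a fail-closed submission gate.
Not Attesto's code; record shapes and flag names beyond the page's JSON are assumptions."""

DEVELOPER_TIERS = {  # from the developer-tier table on this page
    "community":    {"label": "Free Developer",         "monthlyCents": 0,    "checkoutRequired": False, "submissionEnabledWhenActive": False, "trialDays": 0},
    "premium":      {"label": "Verified Developer",     "monthlyCents": 1900, "checkoutRequired": True,  "submissionEnabledWhenActive": True,  "trialDays": 14},
    "professional": {"label": "Professional Publisher", "monthlyCents": 4900, "checkoutRequired": True,  "submissionEnabledWhenActive": True,  "trialDays": 14},
    "partner":      {"label": "Marketplace Partner",    "monthlyCents": 9900, "checkoutRequired": True,  "submissionEnabledWhenActive": True,  "trialDays": 14},
}


def billing_state(publisher: dict) -> dict:
    """Flags for one publisher record (assumed shape: tier, developerSubscriptionState, payoutState)."""
    tier = DEVELOPER_TIERS[publisher["tier"]]
    subscription_active = publisher.get("developerSubscriptionState") == "active"
    payout_ready = publisher.get("payoutState") == "ready"
    paid_submission = tier["submissionEnabledWhenActive"] and subscription_active
    submission_requirements = []
    if not tier["submissionEnabledWhenActive"]:
        submission_requirements.append("paid developer publisher tier before paid connector submission")
    elif not subscription_active:
        submission_requirements.append("active developer subscription")
    commercial_requirements = []
    if not paid_submission:
        commercial_requirements.append("active developer subscription")
    if not payout_ready:
        commercial_requirements.append("Stripe Connect payout readiness")
    return {
        "tier": publisher["tier"],
        "canSubmitFreeAssets": True,  # every marketplace developer may submit free assets for private review
        "canSubmitPaidAssets": paid_submission,
        "commercialEnabled": not commercial_requirements,
        "submissionRequirements": submission_requirements,
        "commercialRequirements": commercial_requirements,
    }


def default_manifest_check(manifest: dict) -> dict:
    """Minimal contract check used when no full validator is supplied."""
    ok = manifest.get("schemaVersion") == "attesto.connector.v2" and bool(manifest.get("slug"))
    return {"ok": ok}


def submit_asset(publisher: dict, submission: dict, validate=default_manifest_check) -> dict:
    """Publisher qualification is decided first; `validate` never runs for an unqualified publisher."""
    if not publisher.get("profileDisplayName"):
        return {"accepted": False, "reason": "publisher_profile_required"}
    state = billing_state(publisher)
    paid = submission["pricingModel"] != "free"
    if paid and not state["canSubmitPaidAssets"]:
        return {"accepted": False, "reason": "paid_developer_tier_required",
                "requirements": state["submissionRequirements"]}
    report = validate(submission["manifest"])
    if not report.get("ok"):
        return {"accepted": False, "reason": "manifest_validation_failed", "report": report}
    # Accepted submissions are always private pending review, whatever visibility was requested.
    return {
        "accepted": True,
        "status": "private_pending_review",
        "requestedVisibility": submission["visibility"],
        "publiclyListed": False,
        "commercialRequirements": state["commercialRequirements"] if paid else [],
    }
```

Passing the validator as a parameter is what lets a test prove the ordering: a recording validator can confirm it was never called for the refused community/paid case.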
Attesto review and publication are private internal processes. They write marketplace evidence, but these internal endpoints and procedures are not part of the public developer documentation. The public catalog returns only approved, non-revoked versions.

The source reference must point to the connector's real release source. Secrets, private keys, API tokens and customer payloads must never be placed in connector manifests.
## Marketplace evidence events

Marketplace publisher profile create/update, acquisition, install, install update, entitlement revoke, paid purchase, refund, payout, publisher submission and validation/review actions all write canonical marketplace evidence. The receipt hash is derived from the canonical evidence envelope and the payload hash; the receipt record stores tenant, actor, subject, timestamp and a sanitized payload for the tenant audit views. Operators therefore have a deterministic audit trail of who changed publisher identity and who acquired, installed, updated, reviewed, published, refunded, paid out or revoked which connector version.

```http
GET /v1/marketplace/evidence/<receipt-id-or-receipt-hash>
```
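The receipt construction described above (payload hash, canonical envelope, receipt hash derived from both, sanitized payload) as an added example, not Attesto's receipt code. The recorded fields (tenant, actor, subject, timestamp, sanitized payload) come from the page; the canonical JSON encoding, the envelope schema name, the secret-looking key list used for sanitization and the receipt-id format are assumptions made for this example.

```python
"""Added example: canonical marketplace evidence receipts with a sanitized payload.
Not Attesto's implementation; encoding, envelope field names and key list are assumptions."""
import hashlib
import json

# Keys whose values must never be stored in evidence (assumed list; compared after normalization).
SECRET_KEY_MARKERS = ("secret", "token", "password", "apikey", "privatekey", "credential")


def canonical(obj) -> bytes:
    """Canonical JSON: sorted keys, no whitespace, so equal objects always encode identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _looks_secret(key: str) -> bool:
    norm = key.lower().replace("_", "").replace("-", "")
    return any(marker in norm for marker in SECRET_KEY_MARKERS)


def sanitize(payload):
    """Recursively drop secret-looking keys; the value is discarded, not masked, so it never lands in storage."""
    if isinstance(payload, dict):
        return {k: sanitize(v) for k, v in payload.items() if not _looks_secret(str(k))}
    if isinstance(payload, list):
        return [sanitize(v) for v in payload]
    return payload


def build_receipt(event: str, tenant: str, actor: str, subject: str, timestamp: str, payload: dict) -> dict:
    """Receipt hash = sha256(canonical envelope), where the envelope carries sha256(canonical sanitized payload)."""
    clean = sanitize(payload)
    payload_hash = sha256_hex(canonical(clean))
    envelope = {
        "schema": "attesto.marketplace.evidence.v1",  # assumed schema name
        "event": event,
        "tenant": tenant,
        "actor": actor,
        "subject": subject,
        "timestamp": timestamp,
        "payloadHash": payload_hash,
    }
    return {"receiptHash": sha256_hex(canonical(envelope)), "envelope": envelope, "payload": clean}


def verify_receipt(receipt: dict) -> bool:
    """Recompute both hashes from the stored record; a change to payload or envelope breaks the chain."""
    env = receipt["envelope"]
    if sha256_hex(canonical(receipt["payload"])) != env["payloadHash"]:
        return False
    return sha256_hex(canonical(env)) == receipt["receiptHash"]


class EvidenceStore:
    """Receipts addressable by receipt id or receipt hash, as the GET above accepts either."""

    def __init__(self):
        self._receipts = {}
        self._count = 0

    def record(self, receipt: dict) -> str:
        self._count += 1
        receipt_id = f"rcpt-{self._count:06d}"  # constructed id format
        stored = dict(receipt, receiptId=receipt_id)
        self._receipts[receipt_id] = stored
        self._receipts[receipt["receiptHash"]] = stored
        return receipt_id

    def get(self, key: str):
        return self._receipts.get(key)
```

Because sanitization happens before the payload hash is taken, the stored record and its hash agree with each other, and a verifier never needs the removed secret to check the receipt.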
## Security boundaries

- Public catalog browsing is unauthenticated and read-only.
- Tenant acquire, install, artifact download, install update and tenant revoke actions require dashboard tenant auth and CSRF.
- Marketplace asset submission, publisher profile changes, developer-tier checkout, billing portal access and payout onboarding require marketplace-only developer auth and CSRF.
- Free marketplace developer accounts can submit free assets for private review; paid assets require an active paid developer tier and Stripe Connect readiness.
- Public listing review, publication and marketplace asset withdrawal are private Attesto processes, not public marketplace or developer APIs.
- Connector manifests are metadata only; they must not contain secrets or raw customer payloads.
- The frontend receives only public catalog data and non-secret build metadata.
- Production bundles must not include source maps, source files, test fixtures, credentials or API keys.
- Marketplace evidence supports auditability; on its own it does not certify third-party legal compliance.
