Skip to main content

The Marketplace

The marketplace is a governed catalog of providers organized for discovery, eligibility checking, and resolution. It also carries governance metadata used by control-plane policy gates. It is optional: you can bind providers by specifying them directly in resolveTrustedProviders. The marketplace is the recommended path for governed, reproducible deployments.

Why this exists

Without a governed catalog, provider discovery is manual and opaque. A developer looking for a provider for collections.write has no catalog to browse and no trust signal to consult. There is no standard format for declaring what a provider implements or how trustworthy it is.

The marketplace addresses these gaps. It gives you a structured way to discover providers by capability port, evaluate them by trust tier, and check eligibility before committing to a lockfile.

Discovering providers

import { catalog } from "@gooi/app-marketplace/catalog";

const snapshot = await catalog.getSnapshot();

// Find all providers that implement a specific port
const candidates = snapshot.providers.filter((p) =>
  p.ports.some((port) => port.port === "collections.write")
);

for (const provider of candidates) {
  console.log(provider.id, provider.certificationStatus, provider.trustScore);
}

Each provider in the catalog carries:

FieldMeaning
idPackage identifier (e.g. @gooi-marketplace/supabase)
versionCurrent stable version
portsCapability ports this provider implements
certificationStatusuncertified, community, certified, or first_party
trustScore0-100 composite score based on certification, hash history, and report history
compatibilityRangeWhich Gooi platform versions this provider is compatible with

Checking eligibility

Before adding a provider to your lockfile, check whether it satisfies your specific requirements.

import { explainProviderEligibility } from "@gooi/app-marketplace/eligibility";

const result = await explainProviderEligibility({
  provider: "@my-org/pg-provider@0.3.1",
  requirements,
});

console.log("Eligible:", result.eligible);
console.log("Satisfied ports:", result.satisfiedPorts);
console.log("Unsatisfied ports:", result.unsatisfiedPorts);
console.log("Reasons:", result.reasons);

Eligibility is computed from four factors:

  1. Port coverage: does this provider implement all required ports?
  2. Semantics compatibility: does the provider's declared semantics match the spec's requirement semantics?
  3. Version compatibility: is this provider version compatible with the current platform version?
  4. Trust gate: if you pass a minimum trust level to resolveTrustedProviders, providers below that level are ineligible.

Trust tiers

Trust in the ecosystem is explicit and layered.

LevelHow obtainedWhat it means
uncertifiedDefaultProvider exists in the catalog. Not reviewed. Use at your own risk.
communityPeer review by at least 3 community maintainersPorts are implemented correctly and pass conformance. No security audit.
certifiedGooi team security and conformance auditPorts are correct, secure, and production-appropriate.
first_partyOwned and maintained by the Gooi teamSame guarantee as certified plus a long-term support commitment.

You can enforce a minimum trust level in resolution:

const { plan, lockfile } = await resolveTrustedProviders({
  requirements,
  candidates,
  minTrustLevel: "certified",
});

Providers below certified are excluded from resolution. If no candidate at or above the minimum trust level satisfies a required port, that port appears in lockfile.unresolved.

Revocation

The marketplace maintains a revocation list. When a provider's certification is revoked:

  • It is flagged in catalog snapshots.
  • The resolver emits a warning on the next resolution run.
  • The runtime emits a warning at startup when activating a revoked provider.

Revocation is advisory, not mandatory. The lockfile is not automatically updated. You choose whether to re-resolve after a revocation notice.

What's next