Goal: Generate marketplace.json from OCI-distributed plugins and add signature support. No toolhive-core dependency — fully parallel.
Deliverables:
pluginsvc/marketplace.go — GenerateMarketplace emitting git-source marketplace.json (OCI refs are not valid native sources; emit git sources with sha pinning).
--require-signature → cosign via OCI Referrers API (subject + GET /v2/<name>/referrers/<digest>). New dep: cosign/sigstore. Sequence signing last.
Dependency/gate: no core dependency; can start any time after Phase 2. Parallel with P5a/P5b/P5d.
Testing/exit gate: marketplace-generator unit; signature-required failure paths.
Part of #5525
Refs RFC PR stacklok/toolhive-rfcs#77
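A sketch of the fail-closed referrers check behind `--require-signature`, added here as an illustration and not taken from the toolhive code base. The function name `signatureReferrers`, the cosign `artifactType` string, and the sample response (with shortened fake digests) are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed artifactType for cosign signatures stored as OCI 1.1 referrers.
const sigArtifactType = "application/vnd.dev.cosign.artifact.sig.v1+json"
var ErrNoSignature = errors.New("require-signature: no signature referrer for subject")

type descriptor struct {
	Digest       string `json:"digest"`
	ArtifactType string `json:"artifactType"`
}

// Constructed sample body of GET /v2/<name>/referrers/<digest> (fake, shortened digests).
const sampleReferrers = `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[
 {"digest":"sha256:aaaa","artifactType":"application/spdx+json"},
 {"digest":"sha256:bbbb","artifactType":"application/vnd.dev.cosign.artifact.sig.v1+json"}]}`

// signatureReferrers fails closed: non-200, bad body, wrong media type or no match is an error.
func signatureReferrers(status int, body []byte) ([]descriptor, error) {
	if status != 200 {
		return nil, fmt.Errorf("referrers lookup: HTTP %d", status)
	}
	var idx struct {
		MediaType string       `json:"mediaType"`
		Manifests []descriptor `json:"manifests"`
	}
	if err := json.Unmarshal(body, &idx); err != nil {
		return nil, fmt.Errorf("referrers response: %w", err)
	}
	if idx.MediaType != "application/vnd.oci.image.index.v1+json" {
		return nil, fmt.Errorf("referrers response: unexpected mediaType %q", idx.MediaType)
	}
	var sigs []descriptor
	for _, m := range idx.Manifests {
		if m.ArtifactType == sigArtifactType {
			sigs = append(sigs, m)
		}
	}
	if len(sigs) == 0 {
		return nil, ErrNoSignature
	}
	return sigs, nil
}

func main() { fmt.Println(signatureReferrers(200, []byte(sampleReferrers))) }
```

A matching referrer only locates a candidate signature; the cosign verification step still has to succeed against the subject digest before the plugin is accepted.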