Plugin Marketplace
A central registry for discovering, publishing, and managing Knowledge Tree plugins with enterprise-grade security controls.
Overview
The Plugin Marketplace is a central registry for Knowledge Tree plugins. It enables plugin authors to publish their plugins with versioning, digital signing, and documentation. Operators browse the marketplace from the Knowledge Tree UI or API, install plugins with a single click, and manage updates across their fleet of instances.
Plugin registry
The registry stores plugin metadata, binaries, and signatures. Every plugin has a unique namespace (e.g., knowledge-tree/aws, acme-corp/network-scanner) and follows semantic versioning.
| Feature | Description |
|---|---|
| Namespacing | publisher/plugin-name with verified publisher accounts |
| Versioning | Semantic versioning with release notes and changelogs |
| Dependencies | Plugins can declare dependencies on other plugins or SDK versions |
| Tags | Categorization by provider, resource type, and capability |
| Ratings | User ratings and reviews for quality signals |
Signing and verification
Every plugin published to the marketplace is cryptographically signed. The verification chain works as follows:
- Publisher identity -- publisher's GPG or Sigstore key is registered with the marketplace
- Plugin signing -- plugin binary is signed at publish time with the publisher's private key
- Signature storage -- signature is stored alongside the plugin in the registry
- Installation verification -- Knowledge Tree verifies the signature before loading the plugin
- Tamper detection -- any modification after signing invalidates the plugin
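The verification chain above as an added Go example (not Knowledge Tree's own code): it fails closed on an unregistered publisher or an invalid signature before a plugin would be loaded. Assumptions: Ed25519 stands in for the publisher's GPG or Sigstore key, `Registry`, `NewPublisher`, `Publish` and `VerifyBeforeLoad` are hypothetical names, and the signature is assumed to cover the `namespace/name@version` reference as well as the binary digest, which the page does not specify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Registry maps a namespace to its registered publisher key (hypothetical type).
type Registry map[string]ed25519.PublicKey
var ErrUnknownPublisher = errors.New("publisher not registered")
var ErrBadSignature = errors.New("signature verification failed")

// NewPublisher returns a constructed key pair; Ed25519 stands in for GPG/Sigstore.
func NewPublisher() (pub ed25519.PublicKey, priv ed25519.PrivateKey) {
	pub, priv, _ = ed25519.GenerateKey(nil) // nil selects crypto/rand
	return
}

// message is what gets signed: the plugin reference plus the binary digest (assumed binding).
func message(ref string, binary []byte) []byte {
	digest := sha256.Sum256(binary)
	return append([]byte(ref+"\x00"), digest[:]...)
}

// Publish returns the detached signature that is stored alongside the plugin.
func Publish(priv ed25519.PrivateKey, ref string, binary []byte) []byte {
	return ed25519.Sign(priv, message(ref, binary))
}

// VerifyBeforeLoad returns nil only if the namespace's registered key signed this exact plugin.
func VerifyBeforeLoad(reg Registry, ref string, binary, sig []byte) error {
	namespace, _, _ := strings.Cut(ref, "/")
	pub, ok := reg[namespace]
	if !ok {
		return ErrUnknownPublisher
	}
	if !ed25519.Verify(pub, message(ref, binary), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv := NewPublisher()
	ref, bin := "acme-corp/network-scanner@1.2.0", []byte("constructed plugin bytes")
	fmt.Println("tampered:", VerifyBeforeLoad(Registry{"acme-corp": pub}, ref, append(bin, 0), Publish(priv, ref, bin)))
}
```

Binding the version into the signed message means a valid signature for one release cannot be replayed against a different version string.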
```bash
# Sign and publish a plugin
kt-marketplace publish \
  --plugin ./bin/my-plugin \
  --namespace acme-corp \
  --name network-scanner \
  --version 1.2.0 \
  --key ~/.kt/publisher.gpg
```
Marketplace UI
The marketplace is accessible from the Knowledge Tree administration panel. The UI provides:
- Browse and search -- filter by provider, category, rating, and compatibility
- Plugin details -- description, documentation, version history, and user reviews
- One-click install -- install plugins directly to your Knowledge Tree instance
- Update management -- see available updates and apply them with a single click
- Private registry -- host internal plugins behind authentication
Sandboxing
All marketplace plugins (and any third-party plugins) run in an isolated sandbox to prevent security incidents:
| Sandbox mechanism | Protection |
|---|---|
| gRPC isolation | Plugin runs as a separate process communicating via gRPC |
| Resource limits | CPU, memory, and file descriptor limits per plugin process |
| Network policy | Plugin network access is restricted to declared API endpoints |
| Filesystem isolation | Plugin sees only its own temporary directory |
| Timeout enforcement | Maximum execution time per discovery run |
Analytics
Plugin usage analytics help operators understand which plugins are being used and how they perform:
- Install counts -- how many instances have each plugin installed
- Execution metrics -- average discovery time, success rate, resource yield
- Error tracking -- crash reports and error rates per plugin version
- Usage trends -- adoption over time, popular plugin combinations