Marketplace admission profile
The machine-checkable bar a shared app must clear before anyone else runs it (roadmap
Phase 47, realizing the Phase 37 admission gate): run tesseraql admission --app . (or the
tesseraql:admission Maven goal, bound to verify) and ship only on exit 0.
The profile composes the existing gates and adds the marketplace constraints:
| Code | Constraint |
|---|---|
TQL-ADM-4701 |
Declarative-only. No plugin jars, no runtime service bindings (mode: extended), no unauthenticated write surfaces (mode: advanced) — the framework is the sandbox only when every behavior is interpreted from the documents. |
TQL-ADM-4702 |
Deny-by-default policies defined. A route referencing a policy the config does not define is only a lint warning inside one team (“another environment defines it”); for a shared app the policy must be defined here. |
TQL-ADM-4703 |
Egress bounded. A bare * in http.outbound/connectors.poll allow-lists is not an allow-list. |
TQL-ADM-4704 |
CSP intact on every HTML page (fragments under the documented /fragments/ convention are exempt — the host page’s CSP governs the document). |
TQL-ADM-4705 |
Governance clean. Every review-worthy surface is approved in governance/approvals.yml at its current hash. |
TQL-ADM-4706 |
Lint clean. Every AppLinter error fails admission. |
The gallery starter apps under examples/ are held to this bar in CI — what we ship passes
what we gate others on. Provenance (signing, SBOM, hash pinning) rides the existing
tesseraql:release-evidence pipeline and .tqlapp sha256 pinning; see
docs/promotion.md and docs/deployment.md.