Three Phases — InstallHub Overview

Phase 1 — Export

Status: COMPLETE — Production Ready

Phase 1 delivers the ability to create installable packages from any BizFirstGO tenant. Engineers select the artifacts they want to bundle, and the export pipeline handles everything else: dependency resolution, serialization, manifest generation, and ZIP assembly.

Artifact Selection

The caller specifies which artifact IDs to include in the package — one or many workflows, forms, or apps.

Dependency Resolution

The DependencyResolver traverses the artifact graph recursively. If a workflow references form ID 1001, that form is automatically included. All transitive dependencies are discovered.

Artifact Serialization

Each artifact is serialized to JSON and written to artifacts/{type}/{id}.json within the bundle.

Manifest Generation

A manifest.json is created listing all included artifacts, their versions, and the SHA-256 checksum of the bundle contents.

ZIP Assembly

All artifact files and the manifest are assembled into a ZIP archive. The caller receives the ZIP bytes and can store, transfer, or submit the bundle.

Phase 2 — Import

Status: PENDING — In Design

Phase 2 delivers the ability to install a package into any BizFirstGO tenant. The import pipeline validates the package, scans it for security issues, remaps artifact IDs to avoid collisions, resolves conflicts with existing artifacts, and installs everything in a single transaction.

Upload & Validate

The caller POSTs the ZIP to /api/installhub/packages/import. The engine validates the manifest schema and recomputes the SHA-256 checksum to verify bundle integrity.

Security Scan

Every package is scanned for expression injection, SQL injection patterns, and dependency vulnerabilities before any artifact is written. See Guide 8.

ID Remapping

Artifact IDs from the source tenant are remapped to new IDs in the target tenant, preventing collisions with existing artifacts.

Conflict Resolution

If an artifact with the same name and type already exists, the engine applies the configured conflict strategy: Replace, Merge, or Skip. See Guide 5.

Install & Verify

Artifacts are installed in dependency order within a database transaction. On failure, all changes are rolled back automatically.

Phase 3 — Marketplace (PublicHub)

Status: PENDING — In Design

Phase 3 delivers the public marketplace — a searchable catalog where BizFirstGO teams and community members can publish packages for others to discover and install.

Marketplace Trust Levels

Trust Level	Criteria	Review Process
Official	Published by BizFirstGO or Anthropic	Internal review + automated scan
Certified	Verified publisher + human review passed + test coverage met	Automated scan + human reviewer
Community	Any registered publisher — automated scan pass	Automated security scan only

Community Packages Community-level packages have passed automated security scanning but have not been reviewed by a human. Install them only from publishers you trust, or inspect the package contents using dry-run import before committing.

Phase Dependency

The three phases build on each other progressively:

Phase 1 (Export) is self-contained — it needs no other phase to be useful.
Phase 2 (Import) depends on Phase 1 to produce the packages it installs.
Phase 3 (Marketplace) depends on both Phase 1 (publishers use export) and Phase 2 (consumers use import) to deliver end-to-end discovery and installation.

← Overview Next: Artifact Types →