Package Trust Levels — Marketplace Overview

Phase 3 — PENDING This feature is planned but not yet implemented.

Trust Level Comparison

Criterion	Official	Certified	Community
Publisher	BizFirstGO / Anthropic	Verified organization	Any registered user
Automated security scan	Yes — PASS required	Yes — PASS required	Yes — PASS required
Human security review	Yes — internal team	Yes — BizFirstGO reviewer	No
Identity verification	Always verified	Domain verification required	Email verification only
Test coverage requirement	Yes — internal standards	Yes — minimum 70%	No
README completeness check	Yes	Yes — all sections required	No
Production install recommendation	Yes	Yes	Use with caution

Official packages are authored and maintained by the BizFirstGO engineering team or Anthropic. They represent:

Official packages are guaranteed to work on the current platform version and are updated with every major platform release.

Certified packages go through a multi-step review process:

The publisher verifies their organization by adding a DNS TXT record or uploading a verification file to their domain.

Security scan (PASS required), manifest completeness, README completeness, SemVer compliance.

A BizFirstGO reviewer inspects the package contents for quality, security, and compliance with marketplace guidelines.

The package receives the Certified badge. Future versions require a lighter review (automated checks + spot review for major versions).

Community packages have passed the automated security scan. They have not been human-reviewed. Best practices for Community packages:

Run preview before installing to see exactly what will be installed
Inspect the package README for documentation quality
Check the publisher's other packages and their ratings
Install with conflictStrategy: Skip to avoid overwriting existing artifacts unexpectedly
Test in a non-production tenant before installing in production