
Marketplace

The Defiant Marketplace is where teams publish and install extensions: custom agent skills, vertical pack additions, mandate bundles, and integration adapters. Everything in the marketplace is versioned, signed, and checked for license compliance (MIT/Apache/BSD only — mandate_8 applies to marketplace packages).

What you can install

Mandate bundles

Pre-packaged sets of mandates for specific compliance frameworks: ISO 27001, NIST CSF, PCI DSS Level 1, FedRAMP.

Agent skills

New capabilities for existing agents: deploy to Railway, Fly.io, or AWS; integrate with Linear, Jira, or Notion.

Vertical pack extensions

Additions to existing verticals: Fintech + crypto, Healthcare + clinical trials, B2B SaaS + usage-based billing.

Integration adapters

Ambassador-compatible adapters for services not built into Defiant: Twilio, SendGrid, PlanetScale, Cloudflare R2.

Installing a marketplace package

# Browse available packages
defiant marketplace search --category mandate-bundle
# Install a package
defiant marketplace install @defiant-marketplace/iso-27001
# List installed packages
defiant marketplace list
# Update a package
defiant marketplace update @defiant-marketplace/iso-27001
# Remove a package
defiant marketplace remove @defiant-marketplace/iso-27001

Mandate bundles

| Package | Description | Mandates added |
| --- | --- | --- |
| @defiant-marketplace/iso-27001 | ISO/IEC 27001:2022 information security controls | 18 |
| @defiant-marketplace/nist-csf | NIST Cybersecurity Framework 2.0 | 24 |
| @defiant-marketplace/pci-level1 | PCI DSS Level 1 (> 6M transactions/year) | 31 |
| @defiant-marketplace/fedramp-moderate | FedRAMP Moderate baseline | 47 |
| @defiant-marketplace/soc2-type2 | SOC 2 Type II evidence collection hooks | 12 |

Agent skills

| Package | Description | Agents extended |
| --- | --- | --- |
| @defiant-marketplace/deploy-fly | Deploy to Fly.io | Launcher |
| @defiant-marketplace/deploy-railway | Deploy to Railway | Launcher |
| @defiant-marketplace/deploy-aws | Deploy to AWS (ECS, Lambda) | Launcher |
| @defiant-marketplace/linear-tracker | Update Linear issues on sprint complete | Scribe |
| @defiant-marketplace/jira-tracker | Update Jira tickets on sprint complete | Scribe |
| @defiant-marketplace/notion-docs | Write sprint summaries to Notion | Scribe |
| @defiant-marketplace/slack-notify | Send sprint notifications to Slack | Scribe, Launcher |

Integration adapters

| Package | Description |
| --- | --- |
| @defiant-marketplace/twilio | SMS and voice for Ambassador |
| @defiant-marketplace/cloudflare-r2 | Object storage adapter |
| @defiant-marketplace/planetscale | PlanetScale DB adapter for Ambassador |
| @defiant-marketplace/upstash-redis | Redis adapter (Upstash) |
| @defiant-marketplace/neon | Neon serverless Postgres adapter |

Publishing to the Marketplace

Package structure

my-defiant-package/
  package.json      # name, version, description, license, keywords
  manifest.yaml     # declares what this package provides
  mandates/         # mandate YAML files (if mandate-bundle)
  skills/           # skill definitions (if agent-skill)
  integrations/     # integration YAML (if integration-adapter)
  tests/            # tests for your package
  README.md

Manifest format

manifest.yaml
name: "@myorg/my-mandate-bundle"
version: "1.0.0"
type: mandate-bundle # mandate-bundle | agent-skill | vertical-extension | integration-adapter
description: "ISO 27001:2022 mandate bundle for Defiant projects"
license: MIT
author: "My Organization <dev@myorg.com>"
defiant_version: ">=2.0.0"
# For mandate-bundles:
mandates:
  - mandates/iso27001_a5.yaml
  - mandates/iso27001_a6.yaml
  # ...
# For agent-skills:
skills:
  - agent: launcher
    skill: deploy.railway
    file: skills/deploy-railway.js
# For integration-adapters:
integrations:
  - integrations/railway.yaml

Signing requirements

All marketplace packages must be signed with an Ed25519 key registered with your Defiant account:

# Generate a signing key
defiant marketplace keys generate
# Sign a package
defiant marketplace sign ./my-defiant-package
# Publish
defiant marketplace publish ./my-defiant-package

Review process

The Marketplace team reviews all submissions for:

  1. License compliance — all code must be MIT, Apache-2.0, or BSD
  2. No malicious code — automated scan + human review for first-time publishers
  3. Mandate quality — mandate bundles are reviewed against the relevant compliance framework
  4. Test coverage — packages must include tests

Review typically takes 2-5 business days. Once approved, the package is published and available for install.

Enterprise private registry

Enterprise customers can run a private Marketplace registry for internal packages:

~/.defiant/config.json
{
  "marketplace": {
    "registry": "https://marketplace.internal.yourorg.com",
    "allowPublic": true
  }
}

Setting "allowPublic" to true allows the public marketplace in addition to the private registry.

Internal packages are not reviewed by the Defiant team and are the organization’s responsibility to validate.
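
One way an organization could vet internal packages before install, mirroring the manifest fields, license rule, and Ed25519 signing requirement described above. This is an added example, not Defiant's own code: the function names, the SPDX license identifiers, the path-containment check, and the signature scheme (a detached Ed25519 signature over the raw manifest bytes) are assumptions, and the sample manifests are constructed and serialized as JSON so no YAML parser is needed.

```javascript
const nodeCrypto = require('node:crypto');
const path = require('node:path');

// Values taken from the manifest format and review rules on this page.
const TYPES = new Set(['mandate-bundle', 'agent-skill', 'vertical-extension', 'integration-adapter']);
// Assumption: SPDX identifiers standing in for "MIT, Apache-2.0, or BSD".
const LICENSES = new Set(['MIT', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause']);

// Every file path the manifest references (mandates, integrations, skill files).
function referencedFiles(m) {
  return [...(m.mandates || []), ...(m.integrations || []), ...(m.skills || []).map((s) => s.file)];
}

// Returns a list of problems; an empty list means the manifest passed.
function checkManifest(m) {
  const problems = [];
  if (!TYPES.has(m.type)) problems.push(`unknown type: ${m.type}`);
  if (!LICENSES.has(m.license)) problems.push(`license not allowed: ${m.license}`);
  for (const f of referencedFiles(m)) {
    const norm = path.posix.normalize(String(f).replace(/\\/g, '/'));
    if (path.posix.isAbsolute(norm) || norm === '..' || norm.startsWith('../')) {
      problems.push(`path escapes package: ${f}`);
    }
  }
  return problems;
}

// Assumed scheme: detached Ed25519 signature over the raw manifest bytes,
// checked against a public key the organization has pinned.
function vetPackage(manifestBytes, signature, pinnedKey) {
  // Verify first, so unauthenticated bytes never reach the manifest logic.
  if (!nodeCrypto.verify(null, manifestBytes, pinnedKey, signature)) return ['bad signature'];
  return checkManifest(JSON.parse(manifestBytes.toString('utf8')));
}

// Constructed sample input: throwaway key pair and two hypothetical manifests.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
const signed = (obj) => {
  const bytes = Buffer.from(JSON.stringify(obj));
  return { bytes, sig: nodeCrypto.sign(null, bytes, privateKey) };
};
const good = signed({ name: '@myorg/my-mandate-bundle', version: '1.0.0', type: 'mandate-bundle',
  license: 'MIT', mandates: ['mandates/iso27001_a5.yaml'] });
const bad = signed({ name: '@myorg/my-skill', version: '1.0.0', type: 'agent-skill',
  license: 'GPL-3.0-only', skills: [{ agent: 'launcher', skill: 'deploy.railway', file: '../outside.js' }] });

console.log(vetPackage(good.bytes, good.sig, publicKey));
console.log(vetPackage(bad.bytes, bad.sig, publicKey));
console.log(vetPackage(bad.bytes, good.sig, publicKey)); // signature from a different manifest
```

The pinned key should come from the organization's own key inventory, never from the package being checked.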