feat(marketplace): rebuild as static git-sourced browser in the docs site

.github/dependabot.yml

@@ -13,7 +13,7 @@ updates:
           - "*"
 
   # Root pnpm workspace — covers all workspace packages via shared lockfile
-  # (apps/board, apps/cli, apps/desktop, apps/marketplace, packages/*, evals/fixtures, etc.)
+  # (apps/cli, apps/desktop, packages/*, evals/fixtures, etc.)
   - package-ecosystem: "npm"
     directory: "/"
     schedule:

.github/workflows/build.yml

@@ -30,6 +30,13 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
+      # The website imports a static marketplace JSON generated from git (gitignored
+      # build output). Generate it before the website build runs in the turbo graph.
+      - name: Generate marketplace data
+        run: |
+          pnpm --filter @harness-kit/shared --filter @harness-kit/core build
+          pnpm --filter @harness-kit/marketplace-data generate --strict
+
       - name: Build all packages
         # Desktop (Tauri) is excluded — requires Rust + platform-specific system libs.
         # Desktop is built and tested in the desktop-build-test job in validate.yml.

.github/workflows/deploy-docs.yml

@@ -6,6 +6,9 @@ on:
     paths:
       - 'website/**'
       - 'functions/**'
+      - '.claude-plugin/**'
+      - 'plugins/**'
+      - 'packages/**'
       - '.github/workflows/deploy-docs.yml'
     tags-ignore:
       - '**'
@@ -33,7 +36,19 @@ jobs:
         with:
           node-version: 22
           cache: pnpm
-          cache-dependency-path: website/pnpm-lock.yaml
+          cache-dependency-path: |
+            pnpm-lock.yaml
+            website/pnpm-lock.yaml
+
+      # Generate the static marketplace JSON the website consumes. Runs from the
+      # repo root with a filtered install so we pull only the generator and its
+      # workspace deps (core/shared) — not the heavy monorepo (desktop, native
+      # builds) that the website is deliberately installed in isolation from.
+      - name: Generate marketplace data
+        run: |
+          pnpm install --filter "@harness-kit/marketplace-data..." --frozen-lockfile
+          pnpm --filter @harness-kit/shared --filter @harness-kit/core build
+          pnpm --filter @harness-kit/marketplace-data generate --strict
 
       - name: Install dependencies
         working-directory: website

.github/workflows/validate.yml

@@ -309,6 +309,13 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
+      # The website imports a static marketplace JSON generated from git (gitignored
+      # build output). Generate it before the website build runs in the turbo graph.
+      - name: Generate marketplace data
+        run: |
+          pnpm --filter @harness-kit/shared --filter @harness-kit/core build
+          pnpm --filter @harness-kit/marketplace-data generate --strict
+
       - name: Build and test all packages
         run: pnpm turbo run build test
 
@@ -440,7 +447,19 @@ jobs:
         with:
           node-version: 24
           cache: pnpm
-          cache-dependency-path: website/pnpm-lock.yaml
+          cache-dependency-path: |
+            pnpm-lock.yaml
+            website/pnpm-lock.yaml
+
+      # Generate the static marketplace JSON the website consumes. Runs from the
+      # repo root with a filtered install so we pull only the generator and its
+      # workspace deps (core/shared) — not the heavy monorepo — before the website
+      # is installed in isolation.
+      - name: Generate marketplace data
+        run: |
+          pnpm install --filter "@harness-kit/marketplace-data..." --frozen-lockfile
+          pnpm --filter @harness-kit/shared --filter @harness-kit/core build
+          pnpm --filter @harness-kit/marketplace-data generate --strict
 
       - name: Install dependencies
         working-directory: website

.gitignore

@@ -23,9 +23,6 @@ website/.next/
 website/out/
 website/.source/
 
-# Marketplace
-apps/marketplace/.next/
-apps/marketplace/out/
 *.tsbuildinfo
 
 # Supabase local
@@ -53,6 +50,9 @@ packages/board-server/dist/
 # Agent server
 packages/agent-server/dist/
 
+# Marketplace data generator
+packages/marketplace-data/dist/
+
 # Auto Claude data directory
 .auto-claude/
 

CLAUDE.md

@@ -17,16 +17,16 @@ harness-kit/
 ├── packages/                     ← shared libraries and standalone servers
 │   ├── core/                     ← harness.yaml compile/parse/detect logic
 │   ├── shared/                   ← shared TypeScript types used across apps
+│   ├── marketplace-data/         ← build-time generator: git → static marketplace JSON (runs the security scanner)
 │   ├── board-server/             ← WebSocket + HTTP server for the Kanban board and Roadmap/Competitor Analysis features
 │   ├── agent-server/             ← LangGraph execution engine for per-card agent runs (port 4802)
 │   └── chat-relay/               ← self-hosted WebSocket relay for team chat (port 4801)
 ├── functions/                    ← Cloudflare Pages Functions (server-side endpoints, e.g. /feedback proxy)
-├── website/                      ← documentation site (harnesskit.ai)
+├── website/                      ← documentation site + plugin marketplace (harnesskit.ai)
 ├── homebrew/                     ← Homebrew tap formulae for CLI and desktop app
 ├── apps/                         ← end-user applications
 │   ├── desktop/                  ← Tauri desktop app (React + Rust)
-│   ├── cli/                      ← harness CLI
-│   └── marketplace/              ← Next.js marketplace web app
+│   └── cli/                      ← harness CLI
 ├── profiles/                     ← pre-configured harness.yaml bundles for different roles
 ├── evals/                        ← automated skill evaluation framework (Python + golden responses)
 ├── harness.yaml                  ← dogfooding config (plugins used to develop this repo)

SECURITY.md

@@ -59,15 +59,6 @@ Sensitive configuration values should NEVER be committed to version control. Use
 
 **Required Secrets by Service:**
 
-**Marketplace (`apps/marketplace/`):**
-- `NEXT_PUBLIC_SUPABASE_URL` - Supabase project URL (public, but project-specific)
-- `NEXT_PUBLIC_SUPABASE_ANON_KEY` - Supabase anonymous key (public, rate-limited)
-- `SUPABASE_SERVICE_ROLE_KEY` - Server-side Supabase key (PRIVATE, keep secret)
-- `SUPABASE_URL` - Supabase URL for seed scripts (PRIVATE)
-- `REGISTER_API_KEY` - API key protecting the /api/register endpoint (PRIVATE, keep secret)
-- `GITHUB_TOKEN` - GitHub personal access token for sync operations (PRIVATE, optional)
-- `GITHUB_WEBHOOK_SECRET` - GitHub webhook secret (PRIVATE, keep secret)
-
 **Board Server (`packages/board-server/`):**
 - `BOARD_PORT` - WebSocket server port (default: 4800)
 
@@ -101,14 +92,6 @@ Before deploying harness-kit services to production:
 - [ ] Logging is configured to exclude sensitive data
 - [ ] Security headers are configured (CSP, HSTS, X-Frame-Options, etc.)
 
-### Marketplace App (`apps/marketplace/`)
-
-- Deploy on a platform with built-in DDoS protection (e.g., Vercel, Cloudflare)
-- Configure Content Security Policy (CSP) headers
-- Enable Supabase RLS policies for all tables
-- Use `NEXT_PUBLIC_` prefix only for truly public variables
-- Never expose `SUPABASE_SERVICE_ROLE_KEY` to the client
-
 ### Board Server (`packages/board-server/`)
 
 - Run behind a reverse proxy (nginx, Caddy) with TLS termination