Publishing Content
Share your tools, workflows and configurations with the Ironspire community by publishing to the marketplace. This page covers the package format, content types, the publish wizard and trust levels.
Requirements
Publishing to the marketplace requires an Ironspire Forge subscription. Free-tier users can browse and install marketplace content but cannot publish.
You also need:
- An Ironspire account with a verified email address
- The content you want to publish, tested locally in Ironspire
- A description, icon and at least one tag for discoverability
The .isp package format
All marketplace content is distributed as .isp packages. An .isp file is a compressed archive containing:
- manifest.json: package metadata (name, version, type, description, author, dependencies, permissions)
- content/: the actual files for the package (server definitions, prompt text, workflow JSON, theme CSS, etc.)
- icon.png: a 256x256 package icon displayed in the marketplace
- README.md: documentation shown on the package detail page
The manifest schema is versioned. Ironspire validates the manifest on both publish and install to ensure compatibility.
Content types
The marketplace supports 10 content types, each with its own manifest structure and installation behaviour:
| Content type | Description |
|---|---|
| mcp_server | An MCP tool server definition with transport configuration, environment variables and documentation |
| skill | A Claude plugin that adds capabilities to agents without a separate server process |
| snippet | A behaviour preset (text block) injected into an agent's CLAUDE.md instructions |
| workflow | A multi-step automation sequence that agents execute in order |
| agent_preset | A complete agent configuration: model, tools, MCP servers, instructions and permissions |
| hook | A lifecycle hook that runs before or after specific agent actions (e.g. pre-commit, post-task) |
| theme | A visual theme for the Ironspire interface with custom colours and design tokens |
| prompt_template | A reusable prompt with variable placeholders for common tasks |
| project_template | A starter project configuration including agents, MCP servers and blueprint structure |
| collection | A curated bundle of multiple packages installed together as a set |
Start with a simple content type like a snippet or prompt template to familiarise yourself with the publish flow before tackling more complex types like workflows or agent presets.
The publish wizard
Open the publish wizard from Marketplace > Publish in the sidebar.
Step 1: Select content type
Choose one of the 10 content types listed above. The wizard adapts its fields and validation rules based on your selection.
Step 2: Package details
Fill in the package metadata:
- Name: a unique identifier (lowercase, hyphens allowed, 3-64 characters)
- Display name: the human-readable name shown in the marketplace
- Version: semantic version (e.g.
1.0.0). Each publish must increment the version. - Description: a short summary (under 200 characters) for search results and cards
- Tags: up to 5 tags for discoverability
- Category: the primary category for marketplace browsing
Step 3: Content upload
Upload or select the files that make up your package. The wizard validates the content against the schema for your chosen content type. Errors are shown inline with guidance on how to fix them.
For mcp_server packages, you provide the server command, transport type and any required environment variables. For workflow packages, you upload the workflow definition JSON. Each content type has its own required and optional fields.
Step 4: Security scan
Before publishing, Ironspire runs the built-in SecurityScanner against your package. The scanner checks for:
- Hardcoded secrets, API keys and credentials
- Unsafe shell commands or file operations
- Overly broad permission requests
- Known malicious patterns
- Dependency vulnerabilities (for packages with npm dependencies)
The scan produces a report with findings categorised as errors (must fix) or warnings (recommended to fix). You cannot publish a package with unresolved errors.
Step 5: Review and publish
The wizard shows a final summary of your package: metadata, content files, permission manifest, security scan results and estimated risk score. Review everything and click Publish.
Your package enters the marketplace review queue. Simple content types (snippets, prompt templates, themes) are typically approved within minutes via automated checks. Content types that include executable code (mcp_server, skill, hook, workflow) may take longer if flagged for manual review.
Versioning
Every publish creates an immutable version. You cannot modify a published version; instead, publish a new version with an incremented number. Users who installed a previous version see an update notification.
Version history is visible on your package's detail page. Users can pin a specific version if they prefer stability over the latest release.
Author profiles
Your Ironspire account serves as your author profile in the marketplace. Your profile page shows:
- Published packages with download counts and ratings
- Trust level badge (see below)
- Bio and links (configurable in account settings)
Organisation accounts
Teams can create an organisation account to publish packages under a shared identity. Organisation members can publish and manage packages on behalf of the organisation. Set up an organisation from Settings > Account > Create Organisation.
Trust levels
Every marketplace author has a trust level that appears on their packages:
| Trust level | Badge | Criteria |
|---|---|---|
| Official | Gold shield | Published by Ironspire. First-party content maintained by the Ironspire team. |
| Verified | Blue checkmark | Author has passed a manual audit. Code reviewed, identity confirmed, track record established. |
| Community | Grey circle | Default level for all new publishers. Content passes automated security scans but has not been manually audited. |
Trust levels are displayed prominently on package cards and detail pages so users can make informed decisions before installing.
To apply for Verified status, contact support@ironspire.dev with links to your published packages. The review process typically takes 5-7 business days.
Package visibility
Published packages are public by default. All marketplace users can browse, search and install them.
If you want to share a package privately (for example, within your organisation only), set the visibility to Private during the publish wizard. Private packages are only visible to members of your organisation.
Updating and deprecating
To update a package, open Marketplace > My Packages, select the package and click New Version. The publish wizard opens pre-filled with your existing metadata.
To deprecate a package, click Deprecate on the package detail page. Deprecated packages remain installed for existing users but are hidden from search results and show a deprecation notice.
Analytics and feedback
Once your package is published, the My Packages dashboard shows download counts, active installations, ratings and reviews. Use this data to understand adoption and prioritise improvements.
Users can rate packages on a 5-star scale and leave written reviews. You receive a notification for each new review. Responding to reviews is encouraged; it builds trust and helps users troubleshoot issues.
If a user reports a security concern via the flag icon on your package card, the Ironspire team investigates and may contact you for clarification. Prompt responses help maintain your trust level.
Publishing checklist
Before clicking Publish, verify the following:
- Package name is descriptive and not already taken
- Version number follows semantic versioning and increments from the previous release
- Description accurately reflects what the package does
- Permission manifest requests only the permissions the package genuinely needs
- Security scan passes with no unresolved errors
- README.md includes installation instructions, usage examples and a changelog