feat(scripts): add marketplace manifest validation and standardize source format

[agreaves-ms]

This PR introduced a marketplace manifest validation pipeline and standardized plugin source values in marketplace.json from relative paths (./plugins/<name>) to bare directory names (<name>). The change coordinated across schema definition, manifest generation, a new validation script, and CI integration to enforce the convention at every layer.

Description

Source Format Standardization

All 11 plugin entries in marketplace.json had their source fields updated from path-prefixed form to bare directory names (e.g., ./plugins/ado became ado). The manifest generation function New-MarketplaceManifestContent in PluginHelpers.psm1 was updated in parallel, so regenerated manifests automatically produce the bare-name format.

This aligns the source field with the JSON schema constraint pattern ^[a-z0-9-]+$, which rejects path separators entirely.

Marketplace Validation Script

A new 277-line Validate-Marketplace.ps1 script performs layered validation of the marketplace manifest:

• Structural checks for required fields, types, and metadata completeness
• Semantic checks including name-source consistency and duplicate detection
• Cross-file checks verifying version consistency against package.json
• Filesystem checks confirming each plugin source directory exists under plugins/
  • Source format validation rejects path separators and relative prefixes

The script follows existing repo conventions: copyright header, #Requires -Version 7.0, CIHelpers.psm1 import for CI annotations, the standard @{ Success; ErrorCount } return contract, and a dot-source guard for testability.

CI Integration

• Added a "Validate marketplace manifest" step to plugin-validation.yml, positioned between collection metadata validation and the plugin freshness check
• Added the lint:marketplace npm script and included it in the lint:all chain

JSON Schema

A new marketplace-manifest.schema.json (JSON Schema draft-07) was added as a specification artifact. It constrains plugin names and sources to ^[a-z0-9-]+$, requires semver-formatted versions, and disallows additional properties. The schema is not programmatically consumed by the validation script at runtime.

Related Issue(s)

None

Type of Change

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

• Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
• Skills: Must include both bash and PowerShell scripts. See Skills.
• Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
• See Agents Not Accepted and Model Version Requirements.

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Sample Prompts (for AI Artifact Contributions)

User Request:

Execution Flow:

Output Artifacts:

Success Indicators:

For detailed contribution requirements, see:

• Common Standards: docs/contributing/ai-artifacts-common.md - Shared standards for XML blocks, markdown quality, RFC 2119, validation, and testing
• Agents: docs/contributing/custom-agents.md - Agent configurations with tools and behavior patterns
• Prompts: docs/contributing/prompts.md - Workflow-specific guidance with template variables
• Instructions: docs/contributing/instructions.md - Technology-specific standards with glob patterns
• Skills: docs/contributing/skills.md - Task execution utilities with cross-platform scripts

Testing

Automated Validation

Check	Command	Result
Markdown linting	npm run lint:md	Passed
Spell checking	npm run spell-check	Passed
Frontmatter validation	npm run lint:frontmatter	Passed
Skill structure validation	npm run validate:skills	Passed
Link validation	npm run lint:md-links	Failed (non-blocking, pre-existing)
PowerShell analysis	npm run lint:ps	Passed
Plugin freshness	npm run plugin:generate	Passed
Marketplace validation	npm run lint:marketplace	Passed

Link validation failures are pre-existing: two external links to bestpractices.dev returning HTTP 503 in GOVERNANCE.md and README.md. These are unrelated to this PR.

Security Analysis

• No sensitive data, API keys, or NDA information detected in the diff.
• No new external dependencies introduced.
• The validation script operates read-only on the filesystem and follows least privilege principles.

Diff-Based Assessments

• Confirmed all 11 plugin source values were updated consistently.
• Verified New-MarketplaceManifestContent generation change aligns with the schema constraint.
• Confirmed CI step placement maintains the existing validation-then-generation ordering.

Checklist

Required Checks

• Documentation is updated (if applicable) (N/A — no documentation changes required for this script/CI addition)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)
• Tests added for new functionality (if applicable)

AI Artifact Contributions

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links (pre-existing failures: bestpractices.dev returning 503)
• PowerShell analysis: npm run lint:ps
• Plugin freshness: npm run plugin:generate

PR Generation Validation

• PR description preserves all template sections
• pr-reference-log.md analysis is accurately reflected in the description
• Description uses past tense and follows writing-style conventions
• All significant changes from the diff are included
• Referenced files are accurate and exist in the repository
• Follow-up tasks are actionable and tied to specific code, files, or components

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues (N/A — no new dependencies introduced)
• Security-related scripts follow the principle of least privilege

Additional Notes

• The JSON schema file at scripts/linting/schemas/marketplace-manifest.schema.json serves as a specification artifact and is not consumed at runtime by the validation script. It could be integrated with a JSON Schema validator in a future enhancement.
• Test-PluginSourceFormat contains a cosmetically redundant ^\./ regex check since the preceding [/\\] pattern already catches ./ prefixes. This does not affect correctness.
• The name-source identity check (name must equal source) means the source field is currently redundant, potentially intentional for forward compatibility if the two diverge.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[codecov-commenter]

Codecov Report

❌ Patch coverage is 1.11111% with 89 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.23%. Comparing base (75b7ec1) to head (c06d679).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
scripts/plugins/Validate-Marketplace.ps1	0.00%	89 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #711      +/-   ##
==========================================
- Coverage   85.79%   84.23%   -1.57%     
==========================================
  Files          23       24       +1     
  Lines        4801     4890      +89     
==========================================
  Hits         4119     4119              
- Misses        682      771      +89     

Flag	Coverage Δ
pester	84.23% <1.11%> (-1.57%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
scripts/plugins/Modules/PluginHelpers.psm1	85.75% <100.00%> (ø)
scripts/plugins/Validate-Marketplace.ps1	0.00% <0.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.