Marketplace architecture

Build a control plane for commercial cloud delivery.

CognoSys separates product intent, lifecycle services, provider execution, operational state and security controls so marketplace delivery can evolve without surrendering cloud-native boundaries or human release authority.

A layered marketplace control plane separating intent, lifecycle, provider execution and operational state
Architecture objective

Keep the product stable while providers and workflows change.

A marketplace platform should not become a collection of cloud API scripts. It needs a durable product model, explicit commands, provider adapters, recoverable jobs and an evidence trail that survives release-team changes and provider interface evolution.

INTENT

Product-owned model

Capture the release candidate, deployment outcome, commercial plan, availability and required authority without provider leakage.

CONTROL

Governed commands

Validate requests, evaluate prerequisites and separate preparation from consequential release decisions.

EXECUTION

Provider-native adapters

Translate approved commands into Azure, AWS, Google Cloud or Oracle Cloud operations through explicit contracts.

EVIDENCE

Inspectable outcomes

Connect every transition to actor, candidate, policy, provider response and observed state.

Control-plane layers

Shared foundation. Product services. Provider-specific edges.

Layering limits change propagation. Provider semantics remain at the boundary; lifecycle rules remain with the product; cross-cutting security and observability serve every path.

  1. ExperienceOperator workflows and controlled integrations.
  2. API boundaryAuthentication, tenant context and command validation.
  3. Lifecycle servicesProducts, releases, plans, evidence and approvals.
  4. OrchestrationState machines, jobs, policies and reconciliation.
  5. Provider adaptersNative API contracts and response mapping.
  6. State foundationRecords, artifacts, search and event history.
  7. OperationsSecurity, telemetry, recovery and audit.

Read and write models can evolve independently: operators need a fast portfolio view, while release commands require strict validation and durable processing. Events communicate state changes, but the authoritative record remains queryable without replaying an entire event history.

Execution paths

Design fast decisions and long-running work differently.

Validation may complete in milliseconds; provider scanning or review may take hours or days. The architecture makes both visible without holding fragile sessions open.

REQUEST PATH

Validate before accepting work

Authenticate the caller, establish tenant and environment, validate the command, evaluate policy and return a stable work identifier.

JOB PATH

Checkpoint provider execution

Workers acquire scoped credentials, perform bounded actions, persist correlation state and emit progress without exposing secrets.

RETURN PATH

Reconcile observed state

Polling, callbacks or scheduled reads normalize provider outcomes into state transitions while retaining the native response for diagnosis.

Provider adapter discipline

Use a common contract without forcing common behavior.

Adapters expose capabilities such as validate, submit, read status, update and withdraw only where they are meaningful. Feature discovery prevents the orchestration layer from calling a path the selected provider or offer type cannot support.

AZUREOffer and plan graph

Keep technical configuration, identities, plans, availability and validation responses mapped to native identifiers.

AWSProduct and delivery contracts

Represent delivery method, pricing dimensions, permissions and fulfillment interfaces as adapter capabilities.

GOOGLE CLOUDPackaging and procurement surfaces

Model the applicable deployment and commercial workflow without borrowing another provider’s assumptions.

ORACLE CLOUDOCI deployment boundary

Preserve tenancy, image or stack references, listing workflow and operational ownership in the provider context.

Security architecture

Carry identity and authority through every hop.

A trusted request begins with an authenticated actor and explicit tenant, product, environment and purpose. Background work carries that context by reference, not by copying broad credentials into queues. Authorization is evaluated again before consequential execution because permission or policy may have changed.

  • Tenant-aware authorization at API and worker boundaries
  • Workload identities separated from interactive identities
  • Provider credentials scoped by account, environment and operation
  • Secret material resolved at execution and excluded from logs
  • Artifact provenance and integrity checked before submission
  • Human approval bound to the exact release candidate
Resilience and recovery

Recover from uncertainty, not only explicit errors.

The hardest failure is an interrupted provider write with no trustworthy local result. Recovery requires correlation identifiers, idempotency keys, checkpoints and a provider read before another mutation is attempted.

TRANSIENT

Retry with boundaries

Use exponential backoff, jitter, rate awareness and a finite attempt policy while preserving the original work identity.

TERMINAL

Return actionable context

Capture the provider rule, affected object and remediation owner instead of recycling an impossible command.

PARTIAL

Compensate deliberately

Record completed steps, protect valid state and require authority before reversing a consequential provider action.

DRIFT

Reconcile continuously

Compare desired and observed state, classify divergence and route correction without silently overwriting intentional changes.

Observability and evidence

Answer what changed, why, where and under whose authority.

Technical telemetry explains system behavior; release evidence explains business action. The architecture connects both through shared correlation while keeping sensitive payloads and protected topology out of public or general operational views.

METRICS

Operating health

Track queue age, provider latency, retry volume, failure class, reconciliation drift and release throughput by ecosystem.

TRACES

End-to-end execution

Follow a work identifier across API validation, policy decisions, jobs, provider calls and state persistence.

AUDIT

Decision history

Retain actors, approvals, overrides, candidate identity and provider outcomes under clear access and retention rules.

Shape the architecture

Bring the product boundary and the difficult failure cases.

We can frame a public-safe reference architecture around your deployment model, provider mix, identity boundaries, release authority and operational constraints—then turn it into an incremental engineering plan.

  • Product and lifecycle systems of record
  • Provider APIs and supported operations
  • Identity, tenant and environment boundaries
  • Approval and evidence requirements
  • Expected scale and release cadence
  • Failure, recovery and support objectives