From 3b5669ada4f832e28ec083e500e6ad17f051de97 Mon Sep 17 00:00:00 2001
From: Vasili Pascal <vasili.pascal@gmail.com>
Date: Fri, 26 Jun 2026 16:37:08 +0300
Subject: [PATCH 1/2] vault mTLS: add mTLS client cert support to Vault clients

- Added client_cert/client_key fields to VaultSettings
- Updated both vault clients to pass Identity to reqwest
- docker-compose.dev.yml: added VAULT_CLIENT_CERT/KEY env vars
---
 docker-compose.dev.yml        |  3 +++
 src/configuration.rs          | 16 ++++++++++++++
 src/helpers/vault.rs          | 17 ++++++++++++++-
 src/services/vault_service.rs | 41 +++++++++++++++++++++++++++++++----
 4 files changed, 72 insertions(+), 5 deletions(-)

diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 7eef27e2..703bdb8f 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -42,6 +42,9 @@ services:
       # Vault — must point to the real Vault service in the TryDirect network
       - VAULT_ADDRESS=https://vault.try.direct
       - VAULT_TOKEN=${STACKER_VAULT_TOKEN:-change-me}
+      # mTLS client cert for Vault — inline PEMs
+      - VAULT_CLIENT_CERT=${VAULT_CLIENT_CERT:-}
+      - VAULT_CLIENT_KEY=${VAULT_CLIENT_KEY:-}
     depends_on:
       stackerdb:
         condition: service_healthy
diff --git a/src/configuration.rs b/src/configuration.rs
index 884e4c8f..1544ba93 100644
--- a/src/configuration.rs
+++ b/src/configuration.rs
@@ -474,6 +474,14 @@ pub struct VaultSettings {
     pub api_prefix: String,
     #[serde(default)]
     pub ssh_key_path_prefix: Option<String>,
+    /// Client certificate PEM for mTLS (inline) or file path.
+    /// Read from VAULT_CLIENT_CERT env var.
+    #[serde(default)]
+    pub client_cert: Option<String>,
+    /// Client key PEM for mTLS (inline) or file path.
+    /// Read from VAULT_CLIENT_KEY env var.
+    #[serde(default)]
+    pub client_key: Option<String>,
 }
 
 impl std::fmt::Debug for VaultSettings {
@@ -484,6 +492,8 @@ impl std::fmt::Debug for VaultSettings {
             .field("agent_path_prefix", &self.agent_path_prefix)
             .field("api_prefix", &self.api_prefix)
             .field("ssh_key_path_prefix", &self.ssh_key_path_prefix)
+            .field("client_cert", &self.client_cert.as_ref().map(|_| "[REDACTED]"))
+            .field("client_key", &self.client_key.as_ref().map(|_| "[REDACTED]"))
             .finish()
     }
 }
@@ -496,6 +506,8 @@ impl Default for VaultSettings {
             agent_path_prefix: "agent".to_string(),
             api_prefix: Self::default_api_prefix(),
             ssh_key_path_prefix: Some("users".to_string()),
+            client_cert: None,
+            client_key: None,
         }
     }
 }
@@ -517,6 +529,8 @@ impl VaultSettings {
             self.ssh_key_path_prefix
                 .unwrap_or_else(|| "users".to_string()),
         );
+        let client_cert = std::env::var("VAULT_CLIENT_CERT").ok().or(self.client_cert);
+        let client_key = std::env::var("VAULT_CLIENT_KEY").ok().or(self.client_key);
 
         VaultSettings {
             address,
@@ -524,6 +538,8 @@ impl VaultSettings {
             agent_path_prefix,
             api_prefix,
             ssh_key_path_prefix: Some(ssh_key_path_prefix),
+            client_cert,
+            client_key,
         }
     }
 }
diff --git a/src/helpers/vault.rs b/src/helpers/vault.rs
index 575758a6..57ddadc7 100644
--- a/src/helpers/vault.rs
+++ b/src/helpers/vault.rs
@@ -1,5 +1,6 @@
 use crate::configuration::VaultSettings;
 use reqwest::Client;
+use reqwest::Identity;
 use serde_json::json;
 
 pub struct VaultClient {
@@ -25,8 +26,22 @@ impl std::fmt::Debug for VaultClient {
 
 impl VaultClient {
     pub fn new(settings: &VaultSettings) -> Self {
+        let mut client_builder = Client::builder();
+        if let (Some(cert), Some(key)) = (&settings.client_cert, &settings.client_key) {
+            let identity_pem = format!("{}\n{}", cert, key);
+            match Identity::from_pem(identity_pem.as_bytes()) {
+                Ok(identity) => {
+                    client_builder = client_builder.identity(identity);
+                }
+                Err(e) => {
+                    tracing::warn!("Failed to load mTLS identity for Vault client: {}", e);
+                }
+            }
+        }
+        let client = client_builder.build().unwrap_or_else(|_| Client::new());
+
         Self {
-            client: Client::new(),
+            client,
             address: settings.address.clone(),
             token: settings.token.clone(),
             agent_path_prefix: settings.agent_path_prefix.clone(),
diff --git a/src/services/vault_service.rs b/src/services/vault_service.rs
index be818d49..67209f95 100644
--- a/src/services/vault_service.rs
+++ b/src/services/vault_service.rs
@@ -8,6 +8,7 @@
 
 use anyhow::Result;
 use reqwest::Client;
+use reqwest::Identity;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::time::Duration;
@@ -95,8 +96,22 @@ impl VaultService {
     pub fn from_settings(
         settings: &crate::configuration::VaultSettings,
     ) -> Result<Self, VaultError> {
-        let http_client = Client::builder()
-            .timeout(Duration::from_secs(REQUEST_TIMEOUT_SECS))
+        let mut builder = Client::builder()
+            .timeout(Duration::from_secs(REQUEST_TIMEOUT_SECS));
+
+        if let (Some(cert), Some(key)) = (&settings.client_cert, &settings.client_key) {
+            let identity_pem = format!("{}\n{}", cert, key);
+            match Identity::from_pem(identity_pem.as_bytes()) {
+                Ok(identity) => {
+                    builder = builder.identity(identity);
+                }
+                Err(e) => {
+                    tracing::warn!("Failed to load mTLS identity for Vault service: {}", e);
+                }
+            }
+        }
+
+        let http_client = builder
             .build()
             .map_err(|e| VaultError::Other(format!("Failed to create HTTP client: {}", e)))?;
 
@@ -120,6 +135,8 @@ impl VaultService {
     /// - `VAULT_ADDRESS`: Base URL (e.g., https://vault.try.direct)
     /// - `VAULT_TOKEN`: Authentication token
     /// - `VAULT_CONFIG_PATH_PREFIX`: KV mount/prefix (e.g., secret/debug)
+    /// - `VAULT_CLIENT_CERT`: Client certificate PEM for mTLS
+    /// - `VAULT_CLIENT_KEY`: Client key PEM for mTLS
     pub fn from_env() -> Result<Option<Self>, VaultError> {
         let base_url = std::env::var("VAULT_ADDRESS").ok();
         let token = std::env::var("VAULT_TOKEN").ok();
@@ -129,8 +146,24 @@ impl VaultService {
 
         match (base_url, token, prefix) {
             (Some(base), Some(tok), Some(pref)) => {
-                let http_client = Client::builder()
-                    .timeout(Duration::from_secs(REQUEST_TIMEOUT_SECS))
+                let mut builder = Client::builder()
+                    .timeout(Duration::from_secs(REQUEST_TIMEOUT_SECS));
+
+                let client_cert = std::env::var("VAULT_CLIENT_CERT").ok();
+                let client_key = std::env::var("VAULT_CLIENT_KEY").ok();
+                if let (Some(cert), Some(key)) = (&client_cert, &client_key) {
+                    let identity_pem = format!("{}\n{}", cert, key);
+                    match Identity::from_pem(identity_pem.as_bytes()) {
+                        Ok(identity) => {
+                            builder = builder.identity(identity);
+                        }
+                        Err(e) => {
+                            tracing::warn!("Failed to load mTLS identity for Vault service from env: {}", e);
+                        }
+                    }
+                }
+
+                let http_client = builder
                     .build()
                     .map_err(|e| {
                         VaultError::Other(format!("Failed to create HTTP client: {}", e))

From 92ae1f6f69d86a7e241eb3059edf8c730e61ca63 Mon Sep 17 00:00:00 2001
From: Vasili Pascal <vasili.pascal@gmail.com>
Date: Sat, 27 Jun 2026 13:33:11 +0300
Subject: [PATCH 2/2] mTLS, stacker templates command and aliases to list all
 available templates from catalog

---
 Cargo.toml                              |   2 +-
 docs/MARKETPLACE_PUBLISH.md             | 288 ++++++++++++++++++++++++
 src/bin/stacker.rs                      |  18 ++
 src/connectors/user_service/utils.rs    |  33 ++-
 src/console/commands/cli/marketplace.rs | 128 ++++++++++-
 src/helpers/vault.rs                    |  11 +-
 src/routes/chat/get.rs                  |   2 +-
 src/routes/marketplace/search.rs        |  70 +++++-
 src/services/vault_service.rs           |   6 +-
 9 files changed, 531 insertions(+), 27 deletions(-)
 create mode 100644 docs/MARKETPLACE_PUBLISH.md

diff --git a/Cargo.toml b/Cargo.toml
index 6cc6336e..127ac5df 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -36,7 +36,7 @@ actix = "0.13.5"
 actix-web-actors = "4.3.1"
 chrono = { version = "0.4.39", features = ["serde", "clock"] }
 config = "0.13.4"
-reqwest = { version = "0.11.23", features = ["json", "blocking", "stream"] }
+reqwest = { version = "0.11.23", features = ["json", "blocking", "stream", "native-tls"] }
 serde = { version = "1.0.195", features = ["derive"] }
 tokio = { version = "1.28.1", features = ["full"] }
 tracing = { version = "0.1.40", features = ["log"] }
diff --git a/docs/MARKETPLACE_PUBLISH.md b/docs/MARKETPLACE_PUBLISH.md
new file mode 100644
index 00000000..5fcc6fd3
--- /dev/null
+++ b/docs/MARKETPLACE_PUBLISH.md
@@ -0,0 +1,288 @@
+# Publishing a Stack to the TryDirect Marketplace
+
+This guide walks creators through publishing a stack to the TryDirect marketplace
+so other users can deploy it in one click and you earn on every sale.
+
+---
+
+## Table of Contents
+
+- [Who this is for](#who-this-is-for)
+- [What you get](#what-you-get)
+- [Two ways to publish](#two-ways-to-publish)
+- [Path A: Publish from Stack Builder (UI)](#path-a-publish-from-stack-builder-ui)
+- [Path B: Publish from CLI (stacker.yml)](#path-b-publish-from-cli-stackeryml)
+- [Required metadata](#required-metadata)
+- [Pricing options](#pricing-options)
+- [The review process](#the-review-process)
+- [After approval](#after-approval)
+- [Updating a published template](#updating-a-published-template)
+- [Common rejection reasons](#common-rejection-reasons)
+- [FAQ](#faq)
+
+---
+
+## Who this is for
+
+You should publish to the marketplace if you have a working Docker Compose stack
+or `stacker.yml` that:
+
+- Solves a clear business problem (e.g. "Internal AI Helpdesk", "RAG Knowledge Base")
+- Wires multiple services together so buyers don't have to (database + cache + app + LLM, etc.)
+- Has been tested end-to-end on at least one cloud provider
+
+Single-container stacks are accepted but multi-service bundles consistently
+outperform them in deployments and revenue.
+
+---
+
+## What you get
+
+- **75% revenue share** on every paid deployment, including subscription renewals
+- **Monthly Net-30 payouts** via Stripe Connect or PayPal (minimum $50)
+- Automatic marketplace promotion: SEO landing page at `/applications/<slug>`,
+  inclusion in weekly digests, "Trending" badge if your template gains traction
+- A "Deploy with TryDirect" badge you can embed in your GitHub README
+- Public deploy count and creator profile
+
+Full payout terms: see `config/docs/MARKETPLACE_PAYOUT_TERMS.md`.
+
+---
+
+## Two ways to publish
+
+| Path | Best for | Effort |
+|---|---|---|
+| **Stack Builder (UI)** | Stacks you built visually inside TryDirect | Click "Publish to Marketplace" |
+| **stacker.yml (CLI)** | Stacks defined in your own repo | `stacker publish` |
+
+Both paths produce the same `StackTemplate` record and follow the same review
+process. Pick whichever fits how you author your stack.
+
+---
+
+## Path A: Publish from Stack Builder (UI)
+
+1. Open your stack in **Stack Builder** at `/builder`.
+2. Verify it deploys cleanly to a test server.
+3. Click **Publish to Marketplace** in the project sidebar.
+4. Fill in the publish form:
+   - **Name** — a business-oriented name, not just tech ("Client AI Agent Workspace", not "n8n+Qdrant+Ollama")
+   - **Short description** — one sentence: what problem does it solve?
+   - **Long description** — markdown supported; cover use cases, requirements, customisation
+   - **Category** — AI Agents, Data Pipelines, SaaS Starter, Dev Tools, etc.
+   - **Tags** — `n8n`, `qdrant`, `ollama`, `supabase`, `postgres`, etc.
+   - **License / pricing** — Free, Paid (one-time), or Subscription
+   - **Price** (if paid) — USD
+   - **Support URL** — GitHub repo, docs site, or contact form
+   - **No-secrets confirmation** — required checkbox: confirms you removed all
+     embedded credentials before submitting
+5. Click **Submit to marketplace**. Your dashboard will show status:
+   `In review` → `Approved` or `Rejected (with reason)`.
+
+---
+
+## Path B: Publish from CLI (stacker.yml)
+
+Add a `marketplace` section to your `stacker.yml`, then run `stacker publish`.
+
+### Example `stacker.yml` marketplace block
+
+```yaml
+name: ai-helpdesk-starter
+version: 1.0.0
+
+# ... your existing app, services, deploy, etc. ...
+
+marketplace:
+  publish: true
+  display_name: "Internal AI Helpdesk"
+  short_description: "Self-hosted AI helpdesk with n8n workflows, Qdrant memory, and Ollama LLM."
+  long_description: |
+    Deploy a complete internal AI helpdesk stack: n8n handles ticket routing
+    and workflow automation, Qdrant stores conversation memory and document
+    embeddings, and Ollama serves the local LLM.
+
+    Comes pre-wired with example workflows for common helpdesk patterns.
+    Customise via the n8n web UI after deployment.
+  category: ai-agents
+  tags:
+    - n8n
+    - qdrant
+    - ollama
+    - helpdesk
+    - rag
+  license: paid
+  pricing:
+    plan_type: one_time   # one_time | subscription | free
+    price: 49
+    currency: USD
+  support_url: https://github.com/your-org/ai-helpdesk-starter
+  no_secrets_confirmation: true
+```
+
+### Submit
+
+```bash
+# From your project root
+stacker publish
+
+# Stacker validates stacker.yml, packages the stack definition,
+# and submits it to the TryDirect marketplace for review.
+```
+
+### Check status
+
+```bash
+stacker publish --status
+
+# Shows: in_review | approved | rejected (with reason)
+```
+
+---
+
+## Required metadata
+
+| Field | Required | Notes |
+|---|---|---|
+| Name | Yes | 5-80 chars, business-oriented |
+| Short description | Yes | 20-200 chars, one sentence |
+| Long description | Yes | Markdown, 100-5000 chars |
+| Category | Yes | Must match an existing category code |
+| Tags | Yes | 1-10 tags |
+| License | Yes | `free`, `paid`, `subscription` |
+| Price | If paid/subscription | USD, > 0 |
+| Support URL | Yes | Public URL where buyers can reach you |
+| No-secrets confirmation | Yes | Must be `true` |
+
+---
+
+## Pricing options
+
+### Free
+No revenue, but full marketplace promotion (SEO page, digest inclusion, trending
+badges). Good for building reputation and audience.
+
+### One-time
+Buyer pays once, deploys as many times as they want for their own use.
+You earn 75% of the sale price. Most templates start here.
+
+### Subscription
+Buyer pays monthly or yearly. You earn 75% of every renewal cycle, not just
+the first sale. Best for templates that ship updates regularly.
+
+You can change pricing on future versions but not retroactively. Buyers of
+v1.0.0 keep their original pricing for that version's lifetime.
+
+---
+
+## The review process
+
+| Step | Time | Who |
+|---|---|---|
+| Submission received | Instant | Auto-confirmation email |
+| Initial automated checks | < 1 hour | `stacker.yml` validation, no embedded secrets, no banned services |
+| Manual review | 1-3 business days | TryDirect review team |
+| Decision | — | Approved → live on `/applications`; Rejected → feedback in dashboard |
+
+Reviewers check:
+1. **Deploys cleanly** on a fresh server
+2. **No embedded credentials** in env vars, configs, or volumes
+3. **No insecure defaults** (e.g. `--api.insecure=true`, `0.0.0.0/0` ACLs, hardcoded passwords)
+4. **Metadata accurate** — what the listing claims matches what the stack actually does
+5. **Support URL reachable** — opens to a real GitHub/docs/contact page
+
+---
+
+## After approval
+
+Once approved, several things happen automatically:
+
+- **SEO landing page** generated at `/applications/<your-slug>`
+- **Social post** to TryDirect Twitter/X: "New on TryDirect: <Template> by @<you>"
+- **"You're live!" email** with your sharing kit:
+  - Direct deployment link
+  - Referral link (tracks deployments and credits earnings)
+  - "Deploy with TryDirect" Markdown badge for your README
+  - Auto-generated OG social card
+- **Inclusion in weekly subscriber digest** for the relevant category
+
+Your dashboard at `/dashboard/marketplace/submissions?tab=earnings` shows real-time:
+- Deploy count
+- Gross sales
+- Your share (75%)
+- Pending payout
+- Paid history
+
+---
+
+## Updating a published template
+
+To publish a new version:
+
+**UI:** Open the stack in Stack Builder, make changes, click **Publish new version**.
+
+**CLI:**
+```bash
+# Bump the version in stacker.yml first
+stacker publish
+```
+
+Each version goes through review. While a new version is under review, the
+previous approved version remains live.
+
+Existing buyers automatically get access to all future versions — they don't
+re-purchase.
+
+---
+
+## Common rejection reasons
+
+| Reason | Fix |
+|---|---|
+| Embedded secrets | Replace hardcoded credentials with env vars; use `${VAR}` interpolation |
+| Insecure defaults | Disable insecure flags (e.g. `--api.insecure=true`); restrict bind addresses; require passwords |
+| Stack doesn't deploy | Test on a fresh server before resubmitting; check `stacker deploy --target local` works clean |
+| Vague metadata | Use a specific business-problem name; describe concrete use cases |
+| Broken support URL | Make sure the link resolves and points to a real support channel |
+| Banned service | Some services aren't allowed (e.g. unconsented crypto miners, malware tools); see `config/docs/MARKETPLACE_ACCEPTABLE_USE.md` |
+
+Rejections include specific feedback in your dashboard. You can revise and
+resubmit without limit.
+
+---
+
+## FAQ
+
+**Q: Can I publish a stack that uses paid third-party services (e.g. OpenAI API)?**  
+A: Yes. The buyer brings their own API keys via env vars during deployment.
+Document required keys in your long description.
+
+**Q: Can I publish a stack that depends on my own SaaS backend?**  
+A: Yes, but the buyer must be able to use it without you having access to their
+deployment. Document the SaaS integration clearly.
+
+**Q: What happens if I want to take a template offline?**  
+A: You can deprecate it any time. Existing buyers keep access; new buyers can
+no longer purchase. Earnings from existing subscriptions continue.
+
+**Q: Can I see who deployed my template?**  
+A: You see deploy count and aggregated stats, never individual buyer emails or
+deployment details (GDPR/privacy).
+
+**Q: How is the 25% platform fee broken down?**  
+A: Payment processing (~3%), marketplace hosting and promotion, review
+operations, ongoing platform development.
+
+**Q: Can I run a discount or promo code?**  
+A: Discount codes are on the roadmap for 2026 H2. Until then, you can change
+your template's base price.
+
+---
+
+## Reference
+
+- `stacker.yml` full reference: `docs/STACKER_YML_REFERENCE.md`
+- Vendor profile API: `docs/vendor-profile-endpoints-spec.md`
+- Payout terms: `config/docs/MARKETPLACE_PAYOUT_TERMS.md`
+- Acceptable use policy: `config/docs/MARKETPLACE_ACCEPTABLE_USE.md`
diff --git a/src/bin/stacker.rs b/src/bin/stacker.rs
index e7699ede..dafc8f71 100644
--- a/src/bin/stacker.rs
+++ b/src/bin/stacker.rs
@@ -200,6 +200,19 @@ enum StackerCommands {
         #[arg(long)]
         limit: Option<u32>,
     },
+    /// List all available marketplace application templates
+    #[command(visible_alias = "catalog", visible_alias = "apps")]
+    Templates {
+        /// Filter by category code
+        #[arg(long)]
+        category: Option<String>,
+        /// Filter by tag
+        #[arg(long)]
+        tag: Option<String>,
+        /// Output in JSON format
+        #[arg(long)]
+        json: bool,
+    },
     /// Create a project from a marketplace application template
     Install {
         /// Template slug from `stacker find`
@@ -2642,6 +2655,11 @@ fn get_command(
                 query, json, limit,
             ),
         ),
+        StackerCommands::Templates { category, tag, json } => Box::new(
+            stacker::console::commands::cli::marketplace::MarketplaceTemplatesCommand::new(
+                category, tag, json,
+            ),
+        ),
         StackerCommands::Install {
             template,
             name,
diff --git a/src/connectors/user_service/utils.rs b/src/connectors/user_service/utils.rs
index 44eea791..3243dc2f 100644
--- a/src/connectors/user_service/utils.rs
+++ b/src/connectors/user_service/utils.rs
@@ -1,17 +1,34 @@
+/// Maps a plan name/code returned by the User Service to a canonical tier name.
+/// The User Service may return display names (e.g. "Team", "Pro", "Enterprise")
+/// or plan codes (e.g. "plan-individual-monthly", "plan-pro-monthly").
+fn normalize_plan_to_tier(plan: &str) -> String {
+    match plan.to_lowercase().as_str() {
+        // Canonical names
+        "free" => "free",
+        "basic" => "basic",
+        "professional" | "pro" => "professional",
+        "team" => "professional",
+        "enterprise" => "enterprise",
+        // Plan codes (legacy / from User Service)
+        "plan-individual-monthly" => "professional",
+        "plan-pro-monthly" | "plan-professional-monthly" => "professional",
+        "plan-enterprise-monthly" | "plan-enterprise-yearly" => "enterprise",
+        // Unknown — pass through as-is so the caller can decide
+        other => other,
+    }
+    .to_string()
+}
+
 /// Helper function to determine if a plan tier can access a required plan
 /// Hierarchy (lowest to highest): free < basic < professional < enterprise
 pub(crate) fn is_plan_higher_tier(user_plan: &str, required_plan: &str) -> bool {
     let plan_hierarchy = vec!["free", "basic", "professional", "enterprise"];
 
-    let user_lower = user_plan.to_lowercase();
-    let required_lower = required_plan.to_lowercase();
+    let user_tier = normalize_plan_to_tier(user_plan);
+    let required_tier = normalize_plan_to_tier(required_plan);
 
-    let user_level = plan_hierarchy
-        .iter()
-        .position(|&p| p == user_lower.as_str());
-    let required_level = plan_hierarchy
-        .iter()
-        .position(|&p| p == required_lower.as_str());
+    let user_level = plan_hierarchy.iter().position(|&p| p == user_tier);
+    let required_level = plan_hierarchy.iter().position(|&p| p == required_tier);
 
     match (user_level, required_level) {
         (Some(user_level), Some(required_level)) => user_level >= required_level,
diff --git a/src/console/commands/cli/marketplace.rs b/src/console/commands/cli/marketplace.rs
index 058b00eb..b76e824f 100644
--- a/src/console/commands/cli/marketplace.rs
+++ b/src/console/commands/cli/marketplace.rs
@@ -8,6 +8,74 @@ use dialoguer::Confirm;
 use serde_json::{Map, Value};
 use std::path::{Path, PathBuf};
 
+// ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+// marketplace templates (list all / browse catalog)
+// ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+pub struct MarketplaceTemplatesCommand {
+    category: Option<String>,
+    tag: Option<String>,
+    json: bool,
+}
+
+impl MarketplaceTemplatesCommand {
+    pub fn new(category: Option<String>, tag: Option<String>, json: bool) -> Self {
+        Self { category, tag, json }
+    }
+}
+
+impl CallableTrait for MarketplaceTemplatesCommand {
+    fn call(&self) -> Result<(), Box<dyn std::error::Error>> {
+        let ctx = CliRuntime::new("list marketplace templates")?;
+        let templates = ctx.block_on(async {
+            ctx.client
+                .list_marketplace_templates(self.category.as_deref(), self.tag.as_deref())
+                .await
+        })?;
+
+        if self.json {
+            println!("{}", serde_json::to_string_pretty(&templates)?);
+            return Ok(());
+        }
+
+        if templates.is_empty() {
+            let filter_hint = match (&self.category, &self.tag) {
+                (Some(cat), None) => format!(" for category '{}'", cat),
+                (None, Some(tag)) => format!(" for tag '{}'", tag),
+                (Some(cat), Some(tag)) => format!(" for category '{}' and tag '{}'", cat, tag),
+                (None, None) => String::new(),
+            };
+            println!("No marketplace templates found{}.", filter_hint);
+            println!("Browse the catalog at: https://try.direct/applications");
+            return Ok(());
+        }
+
+        println!(
+            "{:<24} {:<28} {:<14} {}",
+            "ITEM", "NAME", "PLAN", "DESCRIPTION"
+        );
+        println!("{}", "\u{2500}".repeat(92));
+        for template in &templates {
+            println!(
+                "{:<24} {:<28} {:<14} {}",
+                truncate(&template.slug, 22),
+                truncate(&template.name, 26),
+                display_plan(template),
+                truncate(template.description.as_deref().unwrap_or(""), 26),
+            );
+        }
+        eprintln!(
+            "\nInstall one with: stacker install {}",
+            templates
+                .first()
+                .map(|template| template.slug.as_str())
+                .unwrap_or("<item>")
+        );
+
+        Ok(())
+    }
+}
+
 // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 // marketplace find/install
 // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@@ -27,15 +95,22 @@ impl MarketplaceFindCommand {
 impl CallableTrait for MarketplaceFindCommand {
     fn call(&self) -> Result<(), Box<dyn std::error::Error>> {
         let ctx = CliRuntime::new("find marketplace templates")?;
+
+        let is_list_all = self.query.eq_ignore_ascii_case("all") || self.query == "*";
+
         let templates = ctx.block_on(async {
-            ctx.client
-                .search_marketplace_templates(
-                    Some(&self.query),
-                    None,
-                    None,
-                    Some(self.limit.unwrap_or(20)),
-                )
-                .await
+            if is_list_all {
+                ctx.client.list_marketplace_templates(None, None).await
+            } else {
+                ctx.client
+                    .search_marketplace_templates(
+                        Some(&self.query),
+                        None,
+                        None,
+                        Some(self.limit.unwrap_or(20)),
+                    )
+                    .await
+            }
         })?;
 
         if self.json {
@@ -44,7 +119,15 @@ impl CallableTrait for MarketplaceFindCommand {
         }
 
         if templates.is_empty() {
-            println!("No marketplace templates found for '{}'.", self.query);
+            if is_list_all {
+                println!("No marketplace templates found.");
+                println!("Browse the catalog at: https://try.direct/applications");
+            } else {
+                println!(
+                    "No marketplace templates found for '{}'. Try 'stacker find all' to browse everything.",
+                    self.query
+                );
+            }
             return Ok(());
         }
 
@@ -58,7 +141,7 @@ impl CallableTrait for MarketplaceFindCommand {
                 "{:<24} {:<28} {:<14} {}",
                 truncate(&template.slug, 22),
                 truncate(&template.name, 26),
-                template.required_plan_name.as_deref().unwrap_or("pro/team"),
+                display_plan(template),
                 truncate(template.description.as_deref().unwrap_or(""), 26),
             );
         }
@@ -671,6 +754,31 @@ impl CallableTrait for MarketplaceLogsCommand {
 
 // ── helpers ──────────────────────────────────────────
 
+/// Format the plan/price column for display.
+/// Shows `required_plan_name` if set, otherwise formats `price` with currency,
+/// or "free" if neither indicates a paid template.
+fn display_plan(template: &MarketplaceTemplate) -> String {
+    if let Some(plan) = template.required_plan_name.as_deref().filter(|p| !p.is_empty()) {
+        return plan.to_string();
+    }
+    if let Some(price) = template.price {
+        if price > 0.0 {
+            let cycle = template
+                .billing_cycle
+                .as_deref()
+                .unwrap_or("/mo");
+            let cycle = match cycle {
+                "one_time" | "one-time" | "once" | "free" => "",
+                "monthly" | "month" | "/mo" => "/mo",
+                "yearly" | "year" | "/yr" => "/yr",
+                other => other,
+            };
+            return format!("${:.2}{}", price, cycle);
+        }
+    }
+    "free".to_string()
+}
+
 /// Truncate a string to `max_len` characters, adding "..." if truncated.
 fn truncate(s: &str, max_len: usize) -> String {
     if s.chars().count() > max_len {
diff --git a/src/helpers/vault.rs b/src/helpers/vault.rs
index 57ddadc7..3ecfd5b7 100644
--- a/src/helpers/vault.rs
+++ b/src/helpers/vault.rs
@@ -28,8 +28,7 @@ impl VaultClient {
     pub fn new(settings: &VaultSettings) -> Self {
         let mut client_builder = Client::builder();
         if let (Some(cert), Some(key)) = (&settings.client_cert, &settings.client_key) {
-            let identity_pem = format!("{}\n{}", cert, key);
-            match Identity::from_pem(identity_pem.as_bytes()) {
+            match Identity::from_pkcs8_pem(cert.as_bytes(), key.as_bytes()) {
                 Ok(identity) => {
                     client_builder = client_builder.identity(identity);
                 }
@@ -715,6 +714,8 @@ mod tests {
             agent_path_prefix: prefix.clone(),
             api_prefix: "v1".to_string(),
             ssh_key_path_prefix: None,
+            client_cert: None,
+            client_key: None,
         };
         let client = VaultClient::new(&settings);
         let dh = "dep_test_abc";
@@ -766,6 +767,8 @@ mod tests {
             agent_path_prefix: "agent".to_string(),
             api_prefix: "v1".to_string(),
             ssh_key_path_prefix: None,
+            client_cert: None,
+            client_key: None,
         };
         let client = VaultClient::new(&settings);
         let dh = "dep_runtime_test";
@@ -814,6 +817,8 @@ mod tests {
             agent_path_prefix: "agent".to_string(),
             api_prefix: "v1".to_string(),
             ssh_key_path_prefix: None,
+            client_cert: None,
+            client_key: None,
         };
         let client = VaultClient::new(&settings);
 
@@ -848,6 +853,8 @@ mod tests {
             agent_path_prefix: "agent".to_string(),
             api_prefix: "v1".to_string(),
             ssh_key_path_prefix: None,
+            client_cert: None,
+            client_key: None,
         };
         let client = VaultClient::new(&settings);
 
diff --git a/src/routes/chat/get.rs b/src/routes/chat/get.rs
index fed31ef6..25706359 100644
--- a/src/routes/chat/get.rs
+++ b/src/routes/chat/get.rs
@@ -26,6 +26,6 @@ pub async fn item(
         .map_err(|err| JsonResponse::internal_server_error(err.to_string()))
         .and_then(|conv| match conv {
             Some(c) => Ok(JsonResponse::build().set_item(Some(c)).ok("OK")),
-            None => Err(JsonResponse::not_found("No chat history found")),
+            None => Ok(JsonResponse::build().ok("OK")),
         })
 }
diff --git a/src/routes/marketplace/search.rs b/src/routes/marketplace/search.rs
index 30bc29a9..ee41d3dd 100644
--- a/src/routes/marketplace/search.rs
+++ b/src/routes/marketplace/search.rs
@@ -1,6 +1,8 @@
+use std::collections::HashMap;
 use std::sync::Arc;
 
 use actix_web::{get, web, Responder, Result};
+use sqlx::PgPool;
 
 use crate::connectors::user_service::UserServiceConnector;
 use crate::helpers::JsonResponse;
@@ -15,19 +17,83 @@ pub struct ApplicationSearchQuery {
     pub limit: Option<u32>,
 }
 
+#[derive(Debug, sqlx::FromRow)]
+struct TemplatePricing {
+    slug: String,
+    price: Option<f64>,
+    billing_cycle: Option<String>,
+    required_plan_name: Option<String>,
+}
+
+async fn enrich_items_with_pricing(
+    pg_pool: &PgPool,
+    items: &mut [serde_json::Value],
+) {
+    let slugs: Vec<String> = items
+        .iter()
+        .filter_map(|item| {
+            item.get("code")
+                .and_then(|v| v.as_str())
+                .map(|s| s.to_string())
+        })
+        .collect();
+
+    if slugs.is_empty() {
+        return;
+    }
+
+    let pricing = sqlx::query_as::<_, TemplatePricing>(
+        r#"
+        SELECT slug, price, billing_cycle, required_plan_name
+        FROM stack_template
+        WHERE slug = ANY($1) AND status = 'approved'
+        "#,
+    )
+    .bind(&slugs)
+    .fetch_all(pg_pool)
+    .await;
+
+    let pricing_map: HashMap<String, TemplatePricing> = match pricing {
+        Ok(rows) => rows.into_iter().map(|r| (r.slug.clone(), r)).collect(),
+        Err(e) => {
+            tracing::warn!("Failed to fetch template pricing: {}", e);
+            return;
+        }
+    };
+
+    for item in items.iter_mut() {
+        let slug = match item.get("code").and_then(|v| v.as_str()) {
+            Some(s) => s,
+            None => continue,
+        };
+        if let Some(p) = pricing_map.get(slug) {
+            if let Some(price) = p.price {
+                item["price"] = serde_json::json!(price);
+            }
+            if let Some(ref cycle) = p.billing_cycle {
+                item["billing_cycle"] = serde_json::json!(cycle);
+            }
+            if let Some(ref plan) = p.required_plan_name {
+                item["required_plan_name"] = serde_json::json!(plan);
+            }
+        }
+    }
+}
+
 #[tracing::instrument(name = "Search marketplace applications catalog", skip_all)]
 #[get("/applications")]
 pub async fn applications_search_handler(
     query: web::Query<ApplicationSearchQuery>,
     user: web::ReqData<Arc<models::User>>,
     user_service: web::Data<Arc<dyn UserServiceConnector>>,
+    pg_pool: web::Data<PgPool>,
 ) -> Result<impl Responder> {
     let token = user.access_token.as_deref().ok_or_else(|| {
         JsonResponse::<serde_json::Value>::build()
             .forbidden("User token is required to search applications")
     })?;
 
-    let items = user_service
+    let mut items = user_service
         .search_marketplace_templates(
             token,
             query.q.as_deref(),
@@ -43,5 +109,7 @@ pub async fn applications_search_handler(
                 .internal_server_error("Applications catalog search failed")
         })?;
 
+    enrich_items_with_pricing(pg_pool.get_ref(), &mut items).await;
+
     Ok(JsonResponse::build().set_list(items).ok("OK"))
 }
diff --git a/src/services/vault_service.rs b/src/services/vault_service.rs
index 67209f95..d62fb740 100644
--- a/src/services/vault_service.rs
+++ b/src/services/vault_service.rs
@@ -100,8 +100,7 @@ impl VaultService {
             .timeout(Duration::from_secs(REQUEST_TIMEOUT_SECS));
 
         if let (Some(cert), Some(key)) = (&settings.client_cert, &settings.client_key) {
-            let identity_pem = format!("{}\n{}", cert, key);
-            match Identity::from_pem(identity_pem.as_bytes()) {
+            match Identity::from_pkcs8_pem(cert.as_bytes(), key.as_bytes()) {
                 Ok(identity) => {
                     builder = builder.identity(identity);
                 }
@@ -152,8 +151,7 @@ impl VaultService {
                 let client_cert = std::env::var("VAULT_CLIENT_CERT").ok();
                 let client_key = std::env::var("VAULT_CLIENT_KEY").ok();
                 if let (Some(cert), Some(key)) = (&client_cert, &client_key) {
-                    let identity_pem = format!("{}\n{}", cert, key);
-                    match Identity::from_pem(identity_pem.as_bytes()) {
+                    match Identity::from_pkcs8_pem(cert.as_bytes(), key.as_bytes()) {
                         Ok(identity) => {
                             builder = builder.identity(identity);
                         }