Technical guidelines

Every plugin built for the Lerian ecosystem must meet strict technical, security, and regulatory requirements. This guide outlines the expectations for partners developing solutions that will be published on the Lerian Marketplace.

These guidelines reflect Lerian's commitment to quality, interoperability, and compliance, and are continually updated based on feedback, regulations, and technological advancements.


Architecture and infrastructure


Programming language and architecture

You’re free to choose the programming language that best suits your plugin, but keep in mind that Lerian's stack is primarily built in Golang, and your solution must interoperate with it seamlessly.

We recommend:

  • Container-first design using Docker.
  • Domain-Driven Design (DDD) for clean modularity.
  • Isolation of concerns and microservice-friendly practices.

MSP model requirements

All plugins must be designed to run under the Managed Service Provider (MSP) model, with:

  • Infrastructure as Code (IaC) documented, preferably in Terraform.
  • Helm Charts for Kubernetes deployments.
  • Declarative deployment with GitOps.

Important: GitOps is required to ensure traceable and predictable production deployments across environments.


Observability

Plugins must be observable by design, including:

  • Structured logs
  • Domain-specific metrics
  • Distributed tracing

All observability data must integrate with OpenTelemetry (OTel) and support OTLP exports.

Tip: Common destinations include Datadog, Prometheus, and other APM tools.
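The "structured logs" and "distributed tracing" requirements above meet in practice at log/trace correlation: every log line should carry the ID of the trace it was emitted under, otherwise the APM tool cannot join the two signals. The Go program below is an added illustration written for this guide, not code from Lerian or from any plugin. It uses only the standard library (`log/slog`, Go 1.21+): a wrapping handler injects `trace_id` from the request context into every JSON record. The service name, field names and trace-ID generator are assumptions; in a real plugin the trace ID would come from the OpenTelemetry span context rather than from `NewTraceID`, and the OTLP exporter would be configured separately.

```go
package main

import (
	"bytes"
	"context"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"io"
	"log/slog"
	"os"
)

// traceKey is the context key under which the current trace ID travels.
type traceKey struct{}

// NewTraceID returns 16 random bytes as hex, the width of a W3C trace-context
// trace ID, so the same value can later be placed on an OTel span (assumption:
// a real plugin takes the ID from the active span instead).
func NewTraceID() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err) // the OS RNG failing is not recoverable here
	}
	return hex.EncodeToString(b[:])
}

// WithTrace attaches a trace ID to ctx so every log call made with ctx carries it.
func WithTrace(ctx context.Context, traceID string) context.Context {
	return context.WithValue(ctx, traceKey{}, traceID)
}

// traceHandler wraps a slog.Handler and adds trace_id from the context to each
// record; that attribute is what lets an APM tool join log lines to traces.
type traceHandler struct{ slog.Handler }

func (h traceHandler) Handle(ctx context.Context, r slog.Record) error {
	if id, ok := ctx.Value(traceKey{}).(string); ok {
		r.AddAttrs(slog.String("trace_id", id))
	}
	return h.Handler.Handle(ctx, r)
}

func (h traceHandler) WithAttrs(attrs []slog.Attr) slog.Handler {
	return traceHandler{h.Handler.WithAttrs(attrs)}
}

func (h traceHandler) WithGroup(name string) slog.Handler {
	return traceHandler{h.Handler.WithGroup(name)}
}

// NewLogger builds a JSON (structured) logger tagged with the service name.
func NewLogger(w io.Writer, service string) *slog.Logger {
	base := slog.NewJSONHandler(w, &slog.HandlerOptions{Level: slog.LevelInfo})
	return slog.New(traceHandler{base}).With("service", service)
}

// ParseLogLine decodes one emitted JSON line; useful in tests and log pipelines.
func ParseLogLine(line []byte) (map[string]any, error) {
	var m map[string]any
	err := json.Unmarshal(bytes.TrimSpace(line), &m)
	return m, err
}

func main() {
	var buf bytes.Buffer
	logger := NewLogger(&buf, "payments-plugin") // constructed service name
	ctx := WithTrace(context.Background(), NewTraceID())
	logger.InfoContext(ctx, "transaction posted", "transactionId", "tx-123", "amountMinor", 1050)
	os.Stdout.Write(buf.Bytes())
}
```

Because the trace ID is read from the context at log time, handlers only need to pass the request context through; no log call has to remember to add it, which is the property a reviewer should look for when checking observability.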


Auditability and traceability

If your plugin handles transactions, it must integrate with Trillian or an equivalent solution for:

  • Immutable, verifiable audit logs
  • Integrity verification (off-chain capable)

Attention: Plugins impacting financial data without auditability will not pass homologation.
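What makes a Trillian-style log "immutable and verifiable" is that entries are leaves of a Merkle tree: the root hash commits to every entry, and an inclusion proof lets an auditor check a single record against the root without holding the whole log. The Go program below is an added example written for this guide, not Trillian's code or a Lerian component; it reproduces the RFC 6962 hashing that Trillian's log uses (leaf prefix 0x00, node prefix 0x01, split at the largest power of two) in an in-memory log. The entries are constructed, and a real plugin would submit them to Trillian and keep its signed root rather than compute it locally.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Domain-separation prefixes from RFC 6962: a leaf hash and an interior node
// hash can never collide, which is what makes the proofs sound.
const (
	leafPrefix = 0x00
	nodePrefix = 0x01
)

func hashLeaf(entry []byte) [32]byte {
	return sha256.Sum256(append([]byte{leafPrefix}, entry...))
}

func hashNode(left, right [32]byte) [32]byte {
	buf := make([]byte, 0, 1+2*32)
	buf = append(buf, nodePrefix)
	buf = append(buf, left[:]...)
	return sha256.Sum256(append(buf, right[:]...))
}

// largestPow2Below returns the largest power of two strictly less than n (n > 1).
func largestPow2Below(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// RootHash is the Merkle tree hash of the leaf hashes.
func RootHash(leaves [][32]byte) [32]byte {
	switch len(leaves) {
	case 0:
		return sha256.Sum256(nil)
	case 1:
		return leaves[0]
	}
	k := largestPow2Below(len(leaves))
	return hashNode(RootHash(leaves[:k]), RootHash(leaves[k:]))
}

// InclusionProof lists the sibling hashes, leaf level first, needed to rebuild
// the root from the leaf at idx.
func InclusionProof(leaves [][32]byte, idx int) [][32]byte {
	if len(leaves) <= 1 {
		return nil
	}
	k := largestPow2Below(len(leaves))
	if idx < k {
		return append(InclusionProof(leaves[:k], idx), RootHash(leaves[k:]))
	}
	return append(InclusionProof(leaves[k:], idx-k), RootHash(leaves[:k]))
}

// rootFromProof rebuilds the root from a leaf and its proof, mirroring the tree shape.
func rootFromProof(leaf [32]byte, idx, n int, proof [][32]byte) ([32]byte, bool) {
	if n == 1 {
		return leaf, len(proof) == 0
	}
	if len(proof) == 0 {
		return [32]byte{}, false
	}
	sibling, rest := proof[len(proof)-1], proof[:len(proof)-1]
	k := largestPow2Below(n)
	if idx < k {
		left, ok := rootFromProof(leaf, idx, k, rest)
		return hashNode(left, sibling), ok
	}
	right, ok := rootFromProof(leaf, idx-k, n-k, rest)
	return hashNode(sibling, right), ok
}

// VerifyInclusion lets an auditor holding only the (signed) root check that
// entry really is the idx-th record of a log of size n.
func VerifyInclusion(entry []byte, idx, n int, proof [][32]byte, root [32]byte) bool {
	if idx < 0 || idx >= n {
		return false
	}
	got, ok := rootFromProof(hashLeaf(entry), idx, n, proof)
	return ok && got == root
}

// AuditLog is an append-only in-memory stand-in for a Trillian log.
type AuditLog struct{ leaves [][32]byte }

func (l *AuditLog) Append(entry []byte) int {
	l.leaves = append(l.leaves, hashLeaf(entry))
	return len(l.leaves) - 1
}
func (l *AuditLog) Size() int                 { return len(l.leaves) }
func (l *AuditLog) Root() [32]byte            { return RootHash(l.leaves) }
func (l *AuditLog) Proof(idx int) [][32]byte  { return InclusionProof(l.leaves, idx) }

func main() {
	var log AuditLog
	i := log.Append([]byte("tx-1 debit 100 BRL")) // constructed entries
	log.Append([]byte("tx-2 credit 100 BRL"))
	root := log.Root()
	fmt.Printf("entry %d included: %v\n", i, VerifyInclusion([]byte("tx-1 debit 100 BRL"), i, log.Size(), log.Proof(i), root))
}
```

Altering a stored entry, reordering entries, or substituting a root all cause `VerifyInclusion` to fail, which is the "off-chain capable" integrity check the bullet above refers to: the verifier needs the entry, its position, the proof and a trusted root, and nothing else.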


Authentication and authorization

Every plugin must integrate with Lerian's Access Manager, our identity and access control plugin.

Note: This ensures a unified authentication experience for clients. For more information, refer to the Access Manager Guide.


APIs

Plugins exposing APIs must follow:

  • RESTful principles
  • OpenAPI 3.1
  • camelCase JSON attributes
  • GraphQL (optional, but allowed)

Attention: Error responses must comply with Lerian’s standard format, as defined in the Error model guideline.
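The camelCase rule is easy to satisfy in a handler and easy to break later in a nested struct, so it is worth enforcing in a contract test. The Go program below is an added example written for this guide, not Lerian's code: a sample handler whose `json` tags fix the wire names, plus `NonCamelKeys`, which walks any JSON document and reports every object key that is not camelCase. The resource, the handler's route and the `APIError` shape are assumptions; the real error body must follow the Error model guideline referenced above, which this example does not reproduce.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
	"sort"
)

// camelCase as assumed here: a lowercase first letter, then letters and digits, no separators.
var camelCase = regexp.MustCompile(`^[a-z][a-zA-Z0-9]*$`)

// Transaction is a constructed resource; the json tags put camelCase names on
// the wire regardless of the Go field names.
type Transaction struct {
	TransactionID string `json:"transactionId"`
	AccountAlias  string `json:"accountAlias"`
	AmountMinor   int64  `json:"amountMinor"`
	Currency      string `json:"currency"`
}

// APIError is a placeholder body; the real fields come from Lerian's Error model guideline.
type APIError struct {
	Code    string `json:"code"`
	Message string `json:"message"`
}

func writeJSON(w http.ResponseWriter, status int, v any) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(v)
}

// GetTransaction is a sample GET /transactions?id=... handler (constructed).
func GetTransaction(w http.ResponseWriter, r *http.Request) {
	id := r.URL.Query().Get("id")
	if id != "tx-123" { // stand-in for a repository lookup
		writeJSON(w, http.StatusNotFound, APIError{Code: "NOT_FOUND", Message: "transaction not found"})
		return
	}
	writeJSON(w, http.StatusOK, Transaction{
		TransactionID: id, AccountAlias: "@merchant", AmountMinor: 1050, Currency: "BRL",
	})
}

// NonCamelKeys walks any JSON document and returns the path of every object key
// that is not camelCase, sorted, so a contract test can assert the list is empty.
func NonCamelKeys(doc []byte) ([]string, error) {
	var v any
	if err := json.Unmarshal(doc, &v); err != nil {
		return nil, err
	}
	var bad []string
	var walk func(x any, path string)
	walk = func(x any, path string) {
		switch t := x.(type) {
		case map[string]any:
			for k, child := range t {
				p := path + "." + k
				if !camelCase.MatchString(k) {
					bad = append(bad, p)
				}
				walk(child, p)
			}
		case []any:
			for i, child := range t {
				walk(child, fmt.Sprintf("%s[%d]", path, i))
			}
		}
	}
	walk(v, "$")
	sort.Strings(bad)
	return bad, nil
}

func main() {
	http.HandleFunc("/transactions", GetTransaction)
	fmt.Println("listening on :8080")
	_ = http.ListenAndServe(":8080", nil)
}
```

Running `NonCamelKeys` over recorded responses in CI catches the usual regression, a new field serialized with its Go name or with snake_case, before it reaches a client.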


Quality and performance


Testing standards

Your plugin must demonstrate:

  • ≥ 90% unit test coverage
  • Integration and contract tests for external systems
  • A visible test coverage report

Tip: We also recommend automated CI/CD checks, linting, and peer reviews.


Performance testing

Performance testing is mandatory. Your plugin must be:

  • Stateless and horizontally scalable
  • Resource-efficient (CPU, memory, connections)
  • Fault-tolerant and high-availability ready

Attention: A stress test report must be included in the repository.


SDKs

While not required, we strongly recommend building SDKs in popular languages to help clients adopt your plugin faster.


Security and compliance


Security by design

All plugins must comply with:

  • OWASP ASVS Level 3
  • CIS Benchmarks for container, K8s, and OS hardening
  • Integration with secret managers like Vault or AWS Secrets Manager

Pentests and security audits

A pentest is mandatory before publication and must be repeated at least every 6–12 months or after major changes.

Tip: Don’t have a provider? We can recommend one.


Data protection and LGPD

All plugins must comply fully with the LGPD.

  • Personal data must be encrypted at rest and in transit.
  • No exceptions are allowed.
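Encryption at rest for personal data usually means field-level encryption in the application, with the key supplied by the secret manager named under "Security by design" rather than stored in the repository or the database. The Go program below is an added example written for this guide, not Lerian's code: it reads a 256-bit key from an environment variable (assumed to be injected at runtime by Vault, AWS Secrets Manager or similar) and seals a field with AES-256-GCM, binding the column name as associated data so a ciphertext copied into another column fails to decrypt. The variable name, the column name and the sample value are all constructed; transport encryption (TLS) is a separate control and is not covered here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// LoadKey reads a hex-encoded 32-byte key from the named environment variable.
// Assumption: the secret manager injects it at start-up; it is never committed.
func LoadKey(envVar string) ([]byte, error) {
	hexKey := os.Getenv(envVar)
	if hexKey == "" {
		return nil, fmt.Errorf("%s is not set", envVar)
	}
	key, err := hex.DecodeString(hexKey)
	if err != nil || len(key) != 32 {
		return nil, errors.New("key must be 32 bytes, hex encoded")
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one personal-data value. The field name is authenticated
// as associated data, so a ciphertext moved to another column will not open.
// The result is base64(nonce || ciphertext || tag), storable in a text column.
func EncryptField(key []byte, field string, plaintext []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value: never reuse with the same key
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; any change to nonce, ciphertext, tag or
// field name makes Open return an error instead of plaintext.
func DecryptField(key []byte, field, stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(field))
}

func main() {
	key, err := LoadKey("PII_KEY_HEX") // constructed variable name
	if err != nil {
		fmt.Println("cannot start:", err) // fail closed: no key, no PII handling
		return
	}
	stored, _ := EncryptField(key, "customers.email", []byte("user@example.com")) // constructed value
	fmt.Println("stored:", stored)
	back, _ := DecryptField(key, "customers.email", stored)
	fmt.Println("restored:", string(back))
}
```

Failing closed when the key is absent is deliberate: a plugin that silently falls back to storing the plaintext would still be in breach even though it "works".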

Regulatory Compliance

Your plugin must follow all applicable regulations, including:

  • BACEN circulars
  • Other relevant governing bodies

Versioning and releases


Versioning

All plugins must use Semantic Versioning 2.0.0.

Note: Check our simplified Versioning guide.


Release cycle

All plugin releases must align with Lerian's official release calendar.

While your internal development workflow remains independent, this external alignment ensures predictability for shared clients.

Note: Patch versions for hotfixes or critical updates can be released outside the regular cycle.


Technical documentation


Required documentation

Every plugin must have its documentation hosted on the Lerian Docs site.

Note: You can still host your own docs; just make sure the client is redirected to Lerian's official site when they look for technical content.

To ensure consistency and usability, all documentation must:

Important: These standards are mandatory and help ensure that partners deliver high-quality, readable, and accessible documentation for end users.


Approval process


Homologation

Before being published, all plugins must pass a formal review, which includes:

  • Technical checklist
  • Security checklist
  • Quality & performance checks
  • Regulatory compliance review
  • End-to-end tests with Midaz or other Lerian solutions

Severity-based SLAs


If your plugin is distributed under a support agreement where you, as the development partner, are responsible for maintaining it, you must follow Lerian’s severity-based SLA guidelines to ensure timely issue resolution.

These SLAs define the maximum time allowed to deliver a fix, based on the severity of the reported issue:

Severity   Required resolution time
High       Fix within 5 business days
Medium     Fix within 10 business days
Low        Fix within 30 business days

Important: These timelines refer to business days and apply from the moment the issue is confirmed. They are mandatory for all plugins where support is provided by the partner.
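Because the SLA clock counts business days from confirmation, a partner's ticketing integration has to compute the due date by skipping weekends rather than adding calendar days. The Go program below is an added example written for this guide, not Lerian's tooling; it encodes the three rows of the table above and derives the deadline and a breach check from them. It assumes a Monday-to-Friday week and does not model public holidays, and it treats the confirmation timestamp as a calendar date.

```go
package main

import (
	"fmt"
	"time"
)

// Severity levels as named in the SLA table.
type Severity string

const (
	SeverityHigh   Severity = "high"
	SeverityMedium Severity = "medium"
	SeverityLow    Severity = "low"
)

// Required resolution time in business days, taken from the table.
var businessDays = map[Severity]int{
	SeverityHigh:   5,
	SeverityMedium: 10,
	SeverityLow:    30,
}

// dateOnly drops the time of day so the SLA is reasoned about in whole days.
func dateOnly(t time.Time) time.Time {
	return time.Date(t.Year(), t.Month(), t.Day(), 0, 0, 0, 0, time.UTC)
}

// Deadline returns the last calendar day on which a fix is still on time.
// Counting starts the day after confirmation and skips Saturdays and Sundays;
// public holidays are deliberately not modelled (assumption for the example).
func Deadline(confirmed time.Time, sev Severity) (time.Time, error) {
	days, ok := businessDays[sev]
	if !ok {
		return time.Time{}, fmt.Errorf("unknown severity %q", sev)
	}
	d := dateOnly(confirmed)
	for remaining := days; remaining > 0; {
		d = d.AddDate(0, 0, 1)
		if wd := d.Weekday(); wd != time.Saturday && wd != time.Sunday {
			remaining--
		}
	}
	return d, nil
}

// IsBreached reports whether a fix delivered at fixed missed the SLA.
func IsBreached(confirmed, fixed time.Time, sev Severity) (bool, error) {
	due, err := Deadline(confirmed, sev)
	if err != nil {
		return false, err
	}
	return dateOnly(fixed).After(due), nil
}

func main() {
	confirmed := time.Date(2024, time.June, 3, 10, 30, 0, 0, time.UTC) // constructed: a Monday
	for _, sev := range []Severity{SeverityHigh, SeverityMedium, SeverityLow} {
		due, _ := Deadline(confirmed, sev)
		fmt.Printf("%-6s confirmed %s -> fix due by %s\n", sev, confirmed.Format("2006-01-02"), due.Format("2006-01-02"))
	}
}
```

A confirmation that lands on a weekend starts counting on the following Monday, which is what "business days" implies; if the support agreement also excludes local holidays, the weekday check is the one place to extend.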

This ensures a consistent experience for users and reinforces trust in the Lerian ecosystem.