Another vote for Customer Managed Egress being eligible for RoA.
We just had a customer asking about our plans for Forge / RoA as part of a routine security assessment (which in itself was interesting - questions specifically about Forge are, in our experience at least, exceedingly rare, despite what Atlassian would sometimes have us believe).
Our upcoming Forge version runs entirely on the Atlassian Forge platform for both compute & storage. We do, however, allow our customers to specify a URL that our app fetches at runtime from the browser client; and since we cannot know ahead of time the possible URLs to include in our manifest, we currently require external.client.fetch.address = “*”.
We advised the customer that our app would otherwise be eligible for RoA, but for the fact that our browser code can read content from a customer-supplied URL, and Atlassian deems any external fetch request (even a GET request) as “egress”.
They were surprised, to say the least, as in their mind (and ours) an app whose compute & storage is fully within the Atlassian environment and does not send data outside of the Atlassian environment is, at least in spirit, the very definition of “Runs on Atlassian”.
We pointed to the Customer-managed egress and remotes (EAP) and said that our hope is that in future this could be RoA-compliant, and they were again surprised that it wasn’t already. After all, isn’t that the whole point of CME? To give customer admins the ability to decide which external connections are trusted?