docs: plugin distribution design (ADR-0025/0026 + design doc)

[os-zhuang]

What

Design docs for distributing code-bearing marketplace contributions (plugins with npm deps, drivers, connectors, AI extensions, client UI plugins), alongside the existing pure-element / metadata-only JSON package flow. Docs only — no code or schema changes.

• ADR-0025 — Plugin Package Distribution (server/runtime): .osplugin artifact, build→sign→publish, permissioned install, trust/isolation tiers.
• ADR-0026 — Client-Side UI Plugin Distribution: runtime:'ui' variant reusing the ADR-0025 backbone (field renderers / view types / widgets in the browser).
• docs/design/plugin-distribution.md — supply-side companion to the existing marketplace-publishing.md: operationalizes the ADRs into layers, a scenario catalog, and workflows.

Why

Pure-element packages compile to JSON and publish/install trivially because nothing executes. Code contributions carry executable code + deps, so distribution must additionally solve build/bundling, dependency handling, trust/security, and version compatibility. The repo already has the authoring half (packages/plugins/*, microkernel plugin-loader, PluginPermissionEnforcer, QuickJS sandbox, sys_* schema); these docs design the missing distribution layer on top.

ADR-0025 key decisions

• .osplugin artifact + compiled objectstack.plugin.json (adds engines/runtime/permissions/integrity).
• build → sign → publish extending os package publish; registry stores browsable metadata and the binary blob (sys_plugin/sys_plugin_version/sys_plugin_installation).
• Permissioned install: resolve → compat → consent → verified download → materialize → register → load.
• Trust tiers: in-process (T0) / QuickJS sandbox (T1) / out-of-process (T2).
• Bundled-default packaging (no npm at install time); manifest-deps opt-in.

Scenario-review refinements (§3.10)

1. Default-deny trust — T0 reserved for verified publishers; third-party defaults to sandbox/worker, enforced at publish.
2. Externalize @objectstack/* as host-provided peer-dep singletons (bundling forks the engine).
3. Protocol-first compatibility over platform semver.
4. Permissions compose with object/field-level RLS.
5. Secrets via settings/KV store (ADR-0007), never in the artifact.
6. Connectors span declarative (OpenAPI/MCP) + code-plugin sub-paths.
7. Explicit three-layer model: L0 declarative JSON / L1 sandboxed-script JSON / L2 code plugin.

ADR-0026 key decisions

• UI plugin = runtime:'ui' .osplugin (browser ESM bundle registering field/view/widget extensions).
• Two-tier loading: U0 in-app module (verified) / U1 iframe sandbox (third-party default, postMessage RPC + per-plugin CSP).
• Server-authoritative data — UI plugins read/write only via the client SDK under the user's session, so all access stays RLS-gated server-side.

Reconciliation with ADR-0019 (important)

ADR-0019 makes the App the only consumer-facing unit; plugins/drivers/UI/themes are internal contributions a consumer never installs directly. These docs (ADR-0025 §3.11, ADR-0026 §3.7) reconcile explicitly:

• Audience = developers/operators/ISVs. A plugin reaches a tenant bundled inside an App or operator-provisioned — not browsed in the consumer Marketplace.
• Two catalogs, one backbone: consumer App Marketplace (type: app) vs developer/operator contribution catalog — same signed sys_* registry + artifact storage.
• This pipeline builds the L2-sandbox + permission-enforcer "load-bearing wall" that ADR-0019 §Out-of-scope named as the prerequisite for any future self-serve code marketplace; it does not open that gate.

Scope

Design/ADRs + one design doc only. Phasing in each doc's §4. Builds on ADR-0003/0004/0007/0010/0016/0019/0022/0023/0024.

https://claude.ai/code/session_01DRww7tXjCVdqXsHtv5gDq6

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
spec	Ready	Preview, Comment	Jun 1, 2026 1:36am