Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

feat(cli): add plugin system with allowlist policy#40

Open
hopelynd wants to merge 8 commits into
main from
feat/plugin
Open

feat(cli): add plugin system with allowlist policy #40
hopelynd wants to merge 8 commits into
main from
feat/plugin

Conversation

@hopelynd

@hopelynd hopelynd commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Summary

  • Add a plugin system for bailian-cli with bl plugin install, link, list, and remove
  • Dynamically load plugin commands into the CLI registry so new commands are available without restarting
  • Enforce an allowlist security policy: only official plugins under the @ali scope (e.g. @ali/bailian-plugin-agent)
  • Install plugins via an isolated npm sandbox; plugin commands use caching and priority resolution
  • Add e2e tests, core type definitions, and skills/bailian-cli/reference/plugin.md documentation

Key changes

Area Description
packages/cli/src/plugins/ Discovery, scanning, caching, management, npm sandbox, allowlist policy
packages/cli/src/commands/plugin/ install, link, list, and remove subcommands
packages/cli/src/load-commands.ts Lazy-load command catalog and merge built-in and plugin commands
packages/core/src/types/plugin.ts Plugin manifest type definitions
packages/cli/tests/e2e/plugins.e2e.test.ts E2E coverage for install, link, and command discovery

Test plan

  • vp check passes (format, lint, type check)
  • vp test passes (including plugins.e2e.test.ts)
  • bl plugin list lists discovered plugins
  • bl plugin install @ali/bailian-plugin-agent exposes new commands after install
  • bl plugin link <path> works for local development
  • Non-allowlisted plugins are rejected with a clear hint
  • bl config export-schema lazy-loads the catalog without regressions

hopelynd added 8 commits June 2, 2026 11:22 
...mprove security
- Rename all plugin-related commands from 'plugins' to 'plugin' scope
- Implement plugin allowlist policy with required scopes (e.g., @ali)
- Add security checks to prevent unauthorized plugin installation
- Restrict npm child process environment variables to prevent credential leaks
- Enhance plugin validation with scope and allowlist verification
- Add proper error handling for malformed plugin manifests
- Introduce noAuthSetup validation to ensure rules match plugin commands
- Move plugin commands to dedicated subdirectory structure
- Add comprehensive plugin policy enforcement functions
- Update tests and fixtures to use new @ali scoped plugin naming
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@XXPermanentXX XXPermanentXX Awaiting requested review from XXPermanentXX

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

AltStyle によって変換されたページ (->オリジナル) /