feat(core,cli): M5 — plugins (manifest+hash) + Skill tool + CLI integration #6
Merged
…ntegration
What ships
----------
- plugins/manifest.ts (175 lines)
· PluginManifest schema + readManifest()
· SHA-256 source hash (manifest + all SKILL.md files) via computeSourceHash()
· Trust state at ~/.deepcode/plugins-trust.json
· installLocal() — copy + record trust + hash
· discoverPlugins() — scan + verify hashes + return enabled list
· Hash drift detection flags tampered plugins
· disabled list honored
- skills/tool.ts (60 lines)
· makeSkillTool(skills) factory — returns ToolHandler for "Skill"
· Agent invokes by qualifiedName; returns body as tool_result
· Supports plugin-prefixed names (plugin-x:do-thing)
· Helpful error listing known skills when lookup fails
- apps/cli/src/repl.ts (+50 lines)
· Loads memory (DEEPCODE.md hierarchy + AGENTS.md + rules/) via loadMemory()
· Loads skills via loadSkills() with skillOverrides settings respected
· Loads output styles, applies active style to system prompt
· Registers Skill tool when any skills loaded
· Builds composite system prompt: default + memory + skills block + style
· Wires mode + permissions + hooks + approval into runAgent()
· Approval prompts user [y]es/[n]o via readline when verdict is 'ask'
DELIBERATELY DEFERRED to M5.1 (security gate)
---------------------------------------------
Plugin code does NOT yet execute in the host process. discoverPlugins()
finds them and hash-verifies them; their contributed skills/agents/hooks/
MCP servers are NOT registered into live registries until sandbox subprocess
lands (per docs/design/plugin-security.md §3.5).
Running arbitrary plugin code in-process is the primary RCE vector enumerated
in the security doc. M5 ships the trust foundation; M5.1 ships the safe
execution boundary.
Tests
-----
- plugins/manifest.test.ts (12) — manifest validation, hash determinism +
sensitivity, trust round-trip, install,
discover + drift, disabled, untrusted
- skills/tool.test.ts ( 6) — tool shape, lookup, args, plugin names,
missing skill, missing arg
Total: 258 passed / 4 skipped / 0 failed (was 240).
Verified
--------
pnpm typecheck → green
pnpm build → green
pnpm test → 258 passed
pnpm format:check → conformant
CLI bin: --version, --help, doctor all work
Docs
----
- docs/milestones/M5.md — what shipped, what M5.1 needs, why the deferral
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
makeSkillTool) so the agent can invoke skills by qualified name.
runAgent. Full end-to-end gating is live.
Deliberately deferred to M5.1
Plugin code execution is deferred until the sandbox subprocess design (docs/design/plugin-security.md §3.5) lands. M5 ships discovery + trust + hash verification — running plugin code in-process without sandbox would be the RCE vector the security doc explicitly warned about.
Release notes
release-notes:feature
Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com
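An added example, not code from this PR or the project: one way to compute a deterministic SHA-256 source hash over the manifest and all SKILL.md files, then classify a plugin as trusted, drifted or untrusted against a recorded hash. The names hashedFiles, hashPluginSource and verifyPlugin, the manifest.json file name and the in-memory trust map are assumptions; the PR's computeSourceHash() may frame its input differently.

```typescript
import { createHash } from "node:crypto";
import { mkdirSync, mkdtempSync, readdirSync, readFileSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join, relative, sep } from "node:path";

type Verdict = "trusted" | "drift" | "untrusted";
// Files that define plugin behaviour: the root manifest plus every SKILL.md.
// "manifest.json" is an assumed file name; the PR does not state one.
function hashedFiles(root: string, dir: string = root): string[] {
  const out: string[] = [];
  for (const e of readdirSync(dir, { withFileTypes: true })) {
    const p = join(dir, e.name);
    if (e.isDirectory()) out.push(...hashedFiles(root, p));
    else if (e.name === "SKILL.md" || p === join(root, "manifest.json"))
      out.push(relative(root, p).split(sep).join("/")); // OS-independent path
  }
  return out.sort(); // code-unit order, not locale order, so it is deterministic
}

// Length-prefixed (path, content) records: renames and moved bytes change the digest.
function hashPluginSource(root: string): string {
  const h = createHash("sha256");
  for (const rel of hashedFiles(root)) {
    const body = readFileSync(join(root, rel));
    h.update(`${Buffer.byteLength(rel)}:${rel}:${body.length}:`);
    h.update(body);
  }
  return h.digest("hex");
}

// Compare the current source hash with the one recorded at install time.
function verifyPlugin(name: string, root: string, trust: Record<string, string>): Verdict {
  const recorded = trust[name];
  if (recorded === undefined) return "untrusted";
  return recorded === hashPluginSource(root) ? "trusted" : "drift";
}

// Constructed sample plugin, written to a temp dir so the example runs offline.
function demo(): Verdict[] {
  const root = mkdtempSync(join(tmpdir(), "plugin-x-"));
  mkdirSync(join(root, "skills", "do-thing"), { recursive: true });
  writeFileSync(join(root, "manifest.json"), JSON.stringify({ name: "plugin-x" }));
  const skill = join(root, "skills", "do-thing", "SKILL.md");
  writeFileSync(skill, "Summarise the diff.\n");
  const trust = { "plugin-x": hashPluginSource(root) }; // recorded at install
  const before = verifyPlugin("plugin-x", root, trust);
  writeFileSync(skill, "Summarise the diff. (edited after install)\n");
  return [before, verifyPlugin("plugin-x", root, trust), verifyPlugin("other", root, trust)];
}
```

A plugin that verifies as drift or untrusted should stay out of the enabled list until the user re-approves it, which matches the discover + drift behaviour the commit message describes.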