feat(plugins): runtime plugin management — global toggle, per-plugin mode, cross-instance propagation (#4292)

* feat(plugins): runtime plugin management — global toggle, per-plugin mode, cross-instance propagation

Adds runtime plugin management capabilities — global enable/disable,
per-plugin mode changes, and cross-worker/cross-pod state propagation
via Redis. Closes 14 multi-instance gaps identified in the plugin
configuration system.

Key changes:
- PUT /admin/plugins — global enable/disable via Redis
- PUT /admin/plugins/{name} — per-plugin mode change (enforce/permissive/disabled)
- GET /admin/plugins — includes plugins_globally_enabled from runtime state
- TTL-based cache refresh (30s default) for eventual consistency across instances
- Wildcard binding invalidation fix — evicts all team contexts on * binding
- DB error fallback — graceful degradation when Postgres is temporarily unavailable
- MGET batched Redis reads for mode overrides
- Structured audit logging for all plugin state changes
- 43 tests (23 unit + 20 integration)

Co-authored-by: cafalchio <mcafalchio@gmail.com>
Signed-off-by: Pratik Gandhi <gandhipratik203@gmail.com>

* feat(plugins): runtime plugin management — address review findings

Consolidates the review-driven changes on top of the initial runtime plugin
management commit:

- Redis is authoritative for both the global toggle and per-plugin mode
  overrides; single-node deployments fall through to an in-process map with
  explicit ``redis_persisted`` signalling in the admin responses.
- Redis-synced local overrides expire at the cluster's 24h TTL so workers
  don't keep applying overrides the cluster has already released; durable
  entries (Redis unavailable at write time) remain sticky.
- Factory-init failures on nodes with plugins disabled are recorded and
  surface one ERROR the first time a shared-toggle request hits a degraded
  node, instead of being silently swallowed.
- Runtime-state globals live in a leaf ``_state.py`` to break the
  ``framework → manager → framework`` import cycle; writers go through
  ``_state.set_local_mode_override`` and ``prune_expired_local_overrides``
  so snapshot/prune semantics stay consistent.
- Admin toggle handler refreshes ``app.state.plugin_manager`` and the
  ``PluginService`` singleton so freshly disabled nodes can serve the
  runtime-enabled subsystem without a restart; the inverse disable path
  clears them.
- Admin plugin-view GETs run a best-effort self-heal that always mirrors
  ``framework.get_plugin_manager()`` (TTL-cached) into the admin caches,
  so remote disables take effect on this worker's next read and a
  swallowed toggle-sync failure cannot leave views stale.
- ``update_plugin_mode`` validates against the configured plugin set
  instead of the live manager, so operators can pre-stage per-plugin
  overrides on a process that booted with plugins disabled.
- Test suite updated and expanded: deny-path regressions for the admin
  cache sync, remote-disable self-heal, configured-name validation,
  expired-override pruning, and backing-dict identity.

Signed-off-by: Jonathan Springer <jps@s390x.com>

* test(plugins): reset framework Redis provider between tests

Lifespan-exercising tests in ``test_main_extended.py`` monkeypatch
``main.get_redis_client`` to an ``AsyncMock`` before triggering lifespan,
which registers that mock as the plugin framework's shared Redis provider.
``set_shared_redis_provider`` is module-level state that ``monkeypatch``
doesn't roll back, so the mock bled into subsequent tests: the next call
to ``_read_shared_enabled`` treated the mock's return value as a real
Redis reply, decoded to ``False``, and made ``get_plugin_manager`` return
``None`` even after the test had set ``_PLUGINS_ENABLED = True``.

Adds an autouse fixture in ``tests/unit/mcpgateway/conftest.py`` that
clears the shared provider before and after each test. Plugin-suite tests
re-install their dynamic provider after this runs, so behaviour there is
unchanged.

Signed-off-by: Jonathan Springer <jps@s390x.com>

* test(admin): drop caplog dependency from error-swallow regression pins

Two error-swallow regression tests asserted on ``caplog.records`` to prove
the warning path was hit. That capture is brittle under pytest-xdist: if
any earlier test in the same worker triggered the app's lifespan, its
``LoggingService.initialize`` calls ``root_logger.handlers.clear()`` and
wipes caplog's handler, so subsequent ``LOGGER.warning`` calls never reach
the capture fixture.

The tests now verify the observable behaviour — the operation returns
normally instead of raising, and the failing sync step was actually
exercised (via ``assert_called_once_with``/sentinel) rather than skipped.
Equally strong guarantee, no log-capture dependency.

Signed-off-by: Jonathan Springer <jps@s390x.com>

* test(admin): restore warning-path pins via logger-local handler

The prior rewrite dropped caplog entirely, which lost the regression pin on
the WARNING log a future refactor could accidentally remove. Replaces caplog
with a small ``_capture_admin_logger_records`` context manager that attaches
a handler directly to the ``mcpgateway.admin`` logger.

Logger-local capture is immune to the xdist hazard that caused the CI
failure (``LoggingService.initialize`` calls ``root_logger.handlers.clear()``
during lifespan, wiping caplog's root-attached handler) and also bypasses
the root level gate — so the warning assertion remains reliable regardless
of which tests ran earlier in the same worker.

Signed-off-by: Jonathan Springer <jps@s390x.com>

* test(plugins): close coverage gaps on framework, manager, tool-bindings router, and lifespan

Adds targeted regression pins for the remaining uncovered lines:

- ``framework/__init__.py`` (86% → 100%): Redis-transport failure branches in
  ``_read_shared_enabled``, ``enable_plugins_shared``, ``_publish_invalidation``,
  ``publish_plugin_mode_change`` and ``get_plugin_mode_override``; the
  ``list_configured_plugin_names``/``get_plugin_manager_factory`` accessors;
  unknown-frame rejection and swallow-and-log paths in
  ``_handle_invalidation_message``; and the listener's polling-when-no-client
  and subscribe/dispatch/cancel branches.

- ``framework/manager.py`` (95% → 98%): TTL-expired cache eviction,
  ``_apply_redis_mode_overrides`` client-factory failure + model_copy
  ValidationError, and the swallow-and-log semantics of ``invalidate_all`` /
  ``invalidate_team`` plus the ``iter_context_ids`` snapshot.

- ``admin.py``: ``update_plugin_mode`` no longer 500s when
  ``invalidate_all_plugin_managers`` raises — WARNs instead.

- ``tool_plugin_bindings.py`` (66.7% → 100%): wildcard ``tool_name="*"``
  binding routes through ``factory.invalidate_team`` + team-scoped publish,
  and still broadcasts when the local factory is degraded.

- ``main.py`` lifespan: plugin-factory init failure crashes loud when
  ``plugins.enabled=true`` and marks the node degraded when it's false; a
  ``stop_plugin_invalidation_listener`` shutdown failure is swallowed.

Signed-off-by: Jonathan Springer <jps@s390x.com>

* test(admin): intercept LOGGER directly in admin warning-path pins

Earlier iterations tried ``caplog`` (lost when lifespan clears root handlers)
and a logger-local handler (still vulnerable to ``logger.disabled`` flips,
filter additions, or LOG_LEVEL/effective-level gates depending on what other
tests in the same xdist worker did). Both kept failing intermittently in CI.

Replaces ``_capture_admin_logger_records`` with a direct ``patch.object``
on ``admin_module.LOGGER``. The spy records what the production code
actually called; the standard logging chain is no longer in the test path
at all, so worker ordering can't perturb the assertion.

Signed-off-by: Jonathan Springer <jps@s390x.com>

---------

Signed-off-by: Pratik Gandhi <gandhipratik203@gmail.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>
Co-authored-by: cafalchio <mcafalchio@gmail.com>
Co-authored-by: Jonathan Springer <jps@s390x.com>

Author: 3 people

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "(?x)( package-lock\\.json$ |Cargo\\.lock$ |uv\\.lock$ |go\\.sum$ |mcpgateway/sri_hashes\\.json$ )|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-04-19T08:51:02Z",
+  "generated_at": "2026-04-19T16:27:13Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -4170,31 +4170,31 @@
         "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 4184,
+        "line_number": 4187,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "559b05f1b2863e725b76e216ac3dadecbf92e244",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 4785,
+        "line_number": 4788,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "a8af4759392d4f7496d613174f33afe2074a4b8d",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 4787,
+        "line_number": 4790,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "85b60d811d16ff56b3654587d4487f713bfa33b7",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 15113,
+        "line_number": 15116,
         "type": "Secret Keyword",
         "verified_result": null
       }

charts/mcp-stack/profiles/ocp/values-pgo.yaml

@@ -58,7 +58,7 @@ mcpContextForge:
         include_user_info: false
       plugins:
         - name: "PIIFilterPlugin"
-          kind: "plugins.pii_filter.pii_filter.PIIFilterPlugin"
+          kind: "cpex_pii_filter.PIIFilterPlugin"
           description: "Detects and masks Personally Identifiable Information"
           version: "0.1.0"
           author: "Mihai Criveti"
@@ -85,7 +85,7 @@ mcpContextForge:
               - "test@example.com"
               - "555-555-5555"
         - name: "RateLimiterPlugin"
-          kind: "plugins.rate_limiter.rate_limiter.RateLimiterPlugin"
+          kind: "cpex_rate_limiter.RateLimiterPlugin"
           description: "Per-user/tenant/tool rate limits"
           version: "0.1.0"
           author: "Mihai Criveti"
@@ -103,7 +103,7 @@ mcpContextForge:
             by_tenant: "3000/m"
             by_tool: {}
         - name: "RetryWithBackoffPlugin"
-          kind: "plugins.retry_with_backoff.retry_with_backoff.RetryWithBackoffPlugin"
+          kind: "cpex_retry_with_backoff.RetryWithBackoffPlugin"
           description: "Detects transient failures and asks the gateway to re-invoke the tool after a jittered exponential backoff delay"
           version: "0.1.0"
           author: "Mihai Criveti"
@@ -136,7 +136,7 @@ mcpContextForge:
             strategy: "truncate"
             ellipsis: "…"
         - name: "SecretsDetection"
-          kind: "plugins.secrets_detection.secrets_detection.SecretsDetectionPlugin"
+          kind: "cpex_secrets_detection.SecretsDetectionPlugin"
           description: "Detects keys/tokens/secrets in inputs/outputs; optional redaction/blocking"
           version: "0.1.0"
           author: "ContextForge"
@@ -160,7 +160,7 @@ mcpContextForge:
             block_on_detection: true
             min_findings_to_block: 1
         - name: "EncodedExfilDetector"
-          kind: "plugins.encoded_exfil_detection.encoded_exfil_detector.EncodedExfilDetectorPlugin"
+          kind: "cpex_encoded_exfil_detection.EncodedExfilDetectorPlugin"
           description: "Detects suspicious encoded exfiltration patterns in prompt args and tool outputs"
           version: "0.1.0"
           author: "Mihai Criveti"

docs/docs/api/plugin-bindings-api.md

@@ -579,7 +579,7 @@ curl -s -X POST \
 2. `GatewayTenantPluginManagerFactory.get_config_from_db()` fetches all DB bindings for the `(team_id, tool_name)` pair, including any wildcard `*` bindings.
 3. For each binding, the DB `mode` and `config` are merged over the global `config.yaml` values (`_merge_tenant_config`). DB values always win.
 4. A **`TenantPluginManager`** is instantiated with the merged config and cached in memory, keyed by context ID.
-5. On upsert or delete, the cache entry is invalidated immediately so the next call picks up the new config.
+5. On upsert or delete, the handling worker invalidates its local cache entry and broadcasts a `binding_change` frame on the `plugin:invalidation` Redis pub/sub channel, so peer workers evict within milliseconds. If pub/sub delivery fails, the cache TTL (default 30 seconds) bounds the worst-case drift. For wildcard bindings (`tool_name="*"`), every cached context for the team is evicted on the handling worker.
 
 ### Priority execution order
 

mcpgateway/admin.py

@@ -104,7 +104,11 @@
     PaginationMeta,
     PluginDetail,
     PluginListResponse,
+    PluginModeUpdateRequest,
+    PluginModeUpdateResponse,
     PluginStatsResponse,
+    PluginToggleRequest,
+    PluginToggleResponse,
     PromptCreate,
     PromptMetrics,
     PromptRead,
@@ -2028,11 +2032,10 @@ async def get_overview_partial(
         resources_total = db.query(func.count(DbResource.id)).scalar() or 0  # pylint: disable=not-callable
         resources_active = db.query(func.count(DbResource.id)).filter(DbResource.enabled.is_(True)).scalar() or 0  # pylint: disable=not-callable
 
-        # Plugin stats
+        # Plugin stats — self-heal the cache so the overview reflects the live
+        # shared toggle even on a process that booted with plugins disabled.
         overview_plugin_service = get_plugin_service()
-        plugin_manager = getattr(request.app.state, "plugin_manager", None)
-        if plugin_manager:
-            overview_plugin_service.set_plugin_manager(plugin_manager)
+        await _sync_plugin_service_from_runtime(request, overview_plugin_service)
         plugin_stats = await overview_plugin_service.get_plugin_statistics()
 
         # Infrastructure status (database, cache, uptime)
@@ -16535,6 +16538,41 @@ async def get_gateways_section(
 ####################
 
 
+async def _sync_plugin_service_from_runtime(request: Request, plugin_service) -> None:
+    """Self-heal the admin plugin cache from the live framework state.
+
+    The framework's ``get_plugin_manager`` is the single source of truth — it
+    reads the shared toggle (TTL-cached, so this is a cheap call) and returns
+    ``None`` when plugins are globally disabled, even when the disable came
+    from a *remote* node via the Redis toggle.
+
+    Every admin read mirrors that answer back into ``app.state.plugin_manager``
+    and the ``PluginService`` singleton. This closes three gaps:
+
+    1. Processes that booted with plugins disabled never had ``app.state`` set,
+       so admin views returned empty until restart even after the shared
+       toggle was flipped on.
+    2. If ``toggle_plugins_global`` swallowed an admin-cache sync failure, the
+       stale cache would persist forever — now the next GET repairs it.
+    3. A remote disable (``PUT /admin/plugins {"enabled": false}`` on another
+       worker) would leave this worker's ``app.state.plugin_manager``
+       populated from a prior enable, making admin views serve plugin
+       metadata the cluster had already turned off.
+
+    Best-effort: a failure logs a WARNING and leaves ``app.state`` alone. It
+    never raises, so it can't turn a read into a 500.
+    """
+    try:
+        # pylint: disable=import-outside-toplevel
+        from mcpgateway.plugins.framework import get_plugin_manager
+
+        plugin_manager = await get_plugin_manager()
+        request.app.state.plugin_manager = plugin_manager
+        plugin_service.set_plugin_manager(plugin_manager)
+    except Exception as sync_exc:
+        LOGGER.warning("Admin plugin-cache self-heal failed (%s) — view may render stale/empty", sync_exc)
+
+
 @admin_router.get("/plugins/partial")
 @require_permission("admin.plugins", allow_admin_bypass=False)
 async def get_plugins_partial(request: Request, db: Session = Depends(get_db), user=Depends(get_current_user_with_permissions)) -> HTMLResponse:  # pylint: disable=unused-argument
@@ -16558,17 +16596,15 @@ async def get_plugins_partial(request: Request, db: Session = Depends(get_db), u
         # Get plugin service and check if plugins are enabled
         plugin_service = get_plugin_service()
 
-        # Check if plugin manager is available in app state
-        plugin_manager = getattr(request.app.state, "plugin_manager", None)
-        if plugin_manager:
-            plugin_service.set_plugin_manager(plugin_manager)
+        # Self-heal the cache so the partial reflects the live shared toggle.
+        await _sync_plugin_service_from_runtime(request, plugin_service)
 
         # Get plugin data
         plugins = plugin_service.get_all_plugins()
         stats = await plugin_service.get_plugin_statistics()
 
         # Prepare context for template
-        context = {"request": request, "plugins": plugins, "stats": stats, "plugins_enabled": plugin_manager is not None, "root_path": _resolve_root_path(request)}
+        context = {"request": request, "plugins": plugins, "stats": stats, "plugins_enabled": plugin_service.get_plugin_manager() is not None, "root_path": _resolve_root_path(request)}
 
         # Render the partial template
         return request.app.state.templates.TemplateResponse(request, "plugins_partial.html", context)
@@ -16620,10 +16656,8 @@ async def list_plugins(
         # Get plugin service
         plugin_service = get_plugin_service()
 
-        # Check if plugin manager is available
-        plugin_manager = getattr(request.app.state, "plugin_manager", None)
-        if plugin_manager:
-            plugin_service.set_plugin_manager(plugin_manager)
+        # Self-heal the cache from the live framework state.
+        await _sync_plugin_service_from_runtime(request, plugin_service)
 
         # Get filtered plugins
         if any([search, mode, hook, tag]):
@@ -16656,14 +16690,73 @@ async def list_plugins(
             },
         )
 
-        return PluginListResponse(plugins=plugins, total=len(plugins), enabled_count=enabled_count, disabled_count=disabled_count)
+        from mcpgateway.plugins.framework import are_plugins_enabled_shared  # pylint: disable=import-outside-toplevel
+
+        return PluginListResponse(plugins_globally_enabled=await are_plugins_enabled_shared(), plugins=plugins, total=len(plugins), enabled_count=enabled_count, disabled_count=disabled_count)
 
     except Exception as e:
         LOGGER.error(f"Error listing plugins: {e}")
         structured_logger.error("Failed to list plugins in marketplace", user_id=get_user_id(user), user_email=get_user_email(user), error=e, component="plugin_marketplace", category="business_logic")
         raise HTTPException(status_code=500, detail=str(e))
 
 
+@admin_router.put("/plugins", response_model=PluginToggleResponse)
+@require_permission("admin.plugins", allow_admin_bypass=False)
+async def toggle_plugins_global(
+    payload: PluginToggleRequest,
+    request: Request,
+    user=Depends(get_current_user_with_permissions),
+) -> PluginToggleResponse:
+    """Enable or disable the plugin subsystem globally and broadcast the change."""
+    # pylint: disable=import-outside-toplevel
+    from mcpgateway.plugins.framework import are_plugins_enabled_shared, enable_plugins_shared, get_plugin_manager
+
+    redis_persisted = await enable_plugins_shared(payload.enabled)
+
+    # Sync the admin-side cache so ``GET /admin/plugins`` and
+    # ``GET /admin/plugins/{name}`` reflect the toggle on a process that
+    # started with plugins disabled (``app.state.plugin_manager`` stayed unset
+    # and ``PluginService`` was never wired). Without this, enabling plugins
+    # at runtime leaves the admin surfaces reading stale/empty metadata until
+    # the next restart; disabling likewise keeps the old manager visible.
+    #
+    # Treat the sync as best-effort: the shared toggle above already committed,
+    # so an exception here (e.g. factory build failure on a degraded node) must
+    # not turn into a 500 for a toggle that actually took effect. The admin
+    # surfaces will self-correct on the next request that re-reads the manager.
+    try:
+        plugin_service = get_plugin_service()
+        if payload.enabled:
+            plugin_manager = await get_plugin_manager()
+            if plugin_manager is not None:
+                plugin_service.set_plugin_manager(plugin_manager)
+                request.app.state.plugin_manager = plugin_manager
+        else:
+            plugin_service.set_plugin_manager(None)
+            request.app.state.plugin_manager = None
+    except Exception as sync_exc:
+        LOGGER.warning(
+            "Plugin global toggle applied (enabled=%s) but admin-cache sync failed (%s) — admin views will refresh on next request",
+            payload.enabled,
+            sync_exc,
+        )
+
+    LOGGER.info(f"Plugins globally {'enabled' if payload.enabled else 'disabled'} by {get_user_email(user)}")
+    structured_logger = get_structured_logger()
+    structured_logger.info(
+        f"Plugin subsystem globally {'enabled' if payload.enabled else 'disabled'}",
+        user_id=get_user_id(user),
+        user_email=get_user_email(user),
+        component="plugin_runtime",
+        category="security",
+        resource_type="plugin_global_toggle",
+        resource_action="update",
+        custom_fields={"enabled": payload.enabled, "redis_persisted": redis_persisted},
+    )
+
+    return PluginToggleResponse(plugins_enabled=await are_plugins_enabled_shared(), redis_persisted=redis_persisted)
+
+
 @admin_router.get("/plugins/stats", response_model=PluginStatsResponse)
 @require_permission("admin.plugins", allow_admin_bypass=False)
 async def get_plugin_stats(request: Request, db: Session = Depends(get_db), user=Depends(get_current_user_with_permissions)) -> PluginStatsResponse:  # pylint: disable=unused-argument
@@ -16687,10 +16780,8 @@ async def get_plugin_stats(request: Request, db: Session = Depends(get_db), user
         # Get plugin service
         plugin_service = get_plugin_service()
 
-        # Check if plugin manager is available
-        plugin_manager = getattr(request.app.state, "plugin_manager", None)
-        if plugin_manager:
-            plugin_service.set_plugin_manager(plugin_manager)
+        # Self-heal the cache from the live framework state.
+        await _sync_plugin_service_from_runtime(request, plugin_service)
 
         # Get statistics
         stats = await plugin_service.get_plugin_statistics()
@@ -16749,10 +16840,8 @@ async def get_plugin_details(name: str, request: Request, db: Session = Depends(
         # Get plugin service
         plugin_service = get_plugin_service()
 
-        # Check if plugin manager is available
-        plugin_manager = getattr(request.app.state, "plugin_manager", None)
-        if plugin_manager:
-            plugin_service.set_plugin_manager(plugin_manager)
+        # Self-heal the cache from the live framework state.
+        await _sync_plugin_service_from_runtime(request, plugin_service)
 
         # Get plugin details
         plugin = plugin_service.get_plugin_by_name(name)
@@ -16806,6 +16895,69 @@ async def get_plugin_details(name: str, request: Request, db: Session = Depends(
         raise HTTPException(status_code=500, detail=str(e))
 
 
+@admin_router.put("/plugins/{name}", response_model=PluginModeUpdateResponse)
+@require_permission("admin.plugins", allow_admin_bypass=False)
+async def update_plugin_mode(
+    name: str,
+    payload: PluginModeUpdateRequest,
+    _db: Session = Depends(get_db),  # required by rbac decorator's session lookup
+    user=Depends(get_current_user_with_permissions),
+) -> PluginModeUpdateResponse:
+    """Persist a per-plugin mode override in Redis and invalidate cached managers."""
+    # pylint: disable=import-outside-toplevel
+    from mcpgateway.plugins.framework import invalidate_all_plugin_managers, list_configured_plugin_names, publish_plugin_mode_change
+
+    mode = payload.mode
+
+    # Validate against the *configured* plugin set, not the live manager. On a
+    # process that booted with plugins globally disabled, no manager is wired
+    # and ``PluginService.get_all_plugins()`` returns ``[]``; without this the
+    # handler 404s for every valid name and blocks operators from pre-staging
+    # a per-plugin mode before turning the subsystem on.
+    plugin_names = list_configured_plugin_names()
+    if name not in plugin_names:
+        raise HTTPException(status_code=404, detail=f"Plugin '{name}' not found. Available: {', '.join(plugin_names[:10])}")
+
+    # publish_plugin_mode_change always updates the in-process override map
+    # (so single-node-no-Redis deployments still work) and additionally
+    # attempts a Redis SET + publish. The Redis outcome is surfaced back to
+    # the caller as redis_persisted so they know whether the change reached
+    # other workers.
+    redis_persisted = await publish_plugin_mode_change(name, mode)
+    # The override is already stored (in-process map and/or Redis) by the line
+    # above. Treat the cache sweep as best-effort — if it raises, a background
+    # TTL refresh still reaches the new mode, and the operator must not see a
+    # 500 for an override that actually took effect.
+    try:
+        await invalidate_all_plugin_managers()
+    except Exception as invalidate_exc:
+        LOGGER.warning(
+            "Plugin '%s' mode override stored but cache invalidation failed (%s) — fresh managers will rebuild on next TTL expiry",
+            name,
+            invalidate_exc,
+        )
+
+    if redis_persisted:
+        LOGGER.info(f"Plugin '{name}' mode changed to '{mode}' by {get_user_email(user)} (Redis persisted, 24h TTL)")
+    else:
+        LOGGER.warning(f"Plugin '{name}' mode changed to '{mode}' by {get_user_email(user)} (this worker only — Redis unavailable)")
+
+    structured_logger = get_structured_logger()
+    structured_logger.info(
+        f"Plugin '{name}' mode changed to '{mode}'",
+        user_id=get_user_id(user),
+        user_email=get_user_email(user),
+        component="plugin_runtime",
+        category="security",
+        resource_type="plugin_mode",
+        resource_id=name,
+        resource_action="update",
+        custom_fields={"plugin_name": name, "new_mode": mode, "redis_persisted": redis_persisted},
+    )
+
+    return PluginModeUpdateResponse(plugin=name, mode=mode, redis_persisted=redis_persisted)
+
+
 ##################################################
 # MCP Registry Endpoints
 ##################################################