feat: plugin bundling, catalog, installation and versioning (#31)

* chore: provde better examples for PluginPackageInfo constructor

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: add PluginVersionInfo and PluginVersionRegistry models w/unit tests

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint fix

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint fix

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: unit tests and fixtures for plugin isolation via venv.

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: refactored the invoke_hook method in cpex/framework/isolated/client.py to run async

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint fix

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: updated unit test test_worker to get coverage to 97%.

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: The optimization eliminates the overhead of:
Forking a new Python process (~1.2ms per fork_exec)
Initializing the Python interpreter
Loading modules and dependencies
Setting up the subprocess communication pipes

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: fail early plugin_path do not exist, computer .venv path automatically, update cli to support creating an isolated plugin.

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint fix

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: use the system config file (PLUGINS_CONFIG_FILE) for syspath update (Consistent with how the PluginManager works).

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint fix

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: Validate plugin_dirs entries against an allowlist

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: remove hardcoded reference to plugins/config in the cpex/framework/isolated/client.py and update tests. remove methods_to_exclude from validator.

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint fix

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: Add a maximum line length check before parsing.  Add model tests for PluginPackageInfo and PluginVersionRegistry

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: model updates for PluginManifest, InstalledPluginInfo, and InstalledPluginRegistry

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: example values for git monorepo  installation

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: add ConfigSaver class to ConfigLoader

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: plugin installation catalog

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: add support to enable installation of a plugin using the cli from a git monorepo, or pypi.

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: doc string fix

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint fix

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: remove duplicate code

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: test coverage improvements, remove duplicate code

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: replace cargo with search for pyproject.

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint fixes

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: use pygithub apis rather than github rest apis, as they provide automatic backoff when github response with too many requests.

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: add support for uninstall of plugin

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint-fix

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: use the manifest from the local catalog to pull the kind value of the package to be removed and use that to remove all matching kind entries from plugins/config.yaml unless kind is external or isolated_venv in which case check if the plugin name is a substring of the plugin name.

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: when installing a plugin via mono-repo or pipi, the cache_root will not exist under the plugins dir, create the directory if it does not exist on plugin startup for venv plugins.

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: enable package install from both pypi and test-pypi, fix: properly resolve location of requirements.txt while performing pypi installs.

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: stub for local installation

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint fix

Signed-off-by: habeck <habeck@us.ibm.com>

* doc: add README for tools

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: use cached repo object

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: use rich emoji

Signed-off-by: habeck <habeck@us.ibm.com>

* ptf: workaround for version mis-match of cpex dependency in plugin

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: download install targets to a temp folder to avoid installing to incorrect venv.

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: pass the plugin install path to the update method, as isolated_venv plugins are not installed in the current venv.

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: the catalog now returns the install path for isolated_venv plugins

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: unit test updates

Signed-off-by: habeck <habeck@us.ibm.com>

* misc: type fix

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: the plugin self installs into the isolated_venv via requirements.txt

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: increase coverage above 90%

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: update min_max_framework_version

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: isolated venv cookiecutter update for install flow

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: catalog now properly persists all plugin-manifest*.yaml files

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: upgrade pip before installing requirements

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: allow the developer provided version registry values to persist, overriding only if they are not present. Improved install path resolution for isolated_venv plugins

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: only update the catalog when not installing from test-pypi  or pypi.  Correctly determine the install path for the plugin registry for monorepo installs and isolated_venv plugins.

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: refactor to reduce duplicate code, fix uninstall for isolated_venv, add install support for type local,

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: properly format info

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: update README.md

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: Add a, "before you begin" section detailing the required .env variable.

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: P0 fix — tarfile/zip path traversal

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: add remove_venv method to IsolatedVenvPlugin for uninstall cleanup.

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: priority 1 items

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: p2 item 17 search() case-insensitive match broken

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: add tests for _ver method.

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: version registry update cleanup

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint fix

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: add missing doc string, and tests for _ver method.

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint fix

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: review p2 moderate 21 - list function now uses console.print

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: fix failing unit test, address non-atomic registry write.

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint fix

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: claude can't tell the difference between if "rc is False" and "if rc".

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: cpex/framework/models.py — register_plugin (line 2392): replaced the unconditional append with a filter-then-append. Any existing entry with the same
   name is removed before the new one is added, so a reinstall upgrades the entry rather than creating a duplicate. One save() call, same atomicity as
  before.

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: P2 Issue 20 Implementation Complete: Exit Code Handling

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint fix

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: list function shadows built-in

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: logic tweak

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: p2 issue 23

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: P2 issue 19 error handling for corrupted JSON registry

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint fix

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: P2 issue 24 - Registry file path triplicated

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint-fix

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: P2 issue 25

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: update worker to call cpex.framework.utils.import_module rather than importlib.import_module directly.

Signed-off-by: habeck <habeck@us.ibm.com>

* enh: add package integrity verification

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint fix

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: missed commit

Signed-off-by: habeck <habeck@us.ibm.com>

* fix: if the plugins/config.yaml plugins array is empty, initialize it with the appropriate default from catalog settings.

Signed-off-by: habeck <habeck@us.ibm.com>

* chore: lint fix

Signed-off-by: habeck <habeck@us.ibm.com>

* chore:  version to '0.1.0 minimum'

Signed-off-by: habeck <habeck@us.ibm.com>

---------

Signed-off-by: habeck <habeck@us.ibm.com>

Author: tedhabeck

.env.example

@@ -6,9 +6,25 @@
 #   `allow`, `deny`
 # PLUGINS_DEFAULT_HOOK_POLICY=allow
 
+# Path to plugins folder
+# PLUGINS_FOLDER=plugins
 # Path to main plugins configuration file
 # PLUGINS_CONFIG_FILE=plugins/config.yaml
 
+### Plugin installation
+# Comma Separated Values used by install with --type monorepo
+# PLUGINS_REPO_URLS="https://github.com/ibm/cpex-plugins"
+
+# registry path
+# PLUGIN_REGISTRY_FOLDER=data
+
+# Github API
+# PLUGINS_GITHUB_API=api.github.com
+
+# PLUGINS_GITHUB_TOKEN=<github token>
+### end Plugin installation
+
+
 # Logging level for plugin framework components
 # PLUGINS_LOG_LEVEL=INFO
 
@@ -148,3 +164,15 @@
 # PLUGINS_GRPC_SERVER_SSL_ENABLED=
 
 
+
+### Package Integrity Verification
+# Enable SHA256 hash verification for PyPI packages (default: True)
+# When enabled, downloaded packages are verified against hashes from PyPI's JSON API
+# Recommended: Keep enabled for security
+# PLUGINS_VERIFY_PACKAGE_INTEGRITY=True
+
+# Strict integrity mode (default: False)
+# When True: Fail installation if package hashes are unavailable
+# When False: Warn but continue if hashes are unavailable
+# Recommended: False for development, True for production
+# PLUGINS_STRICT_INTEGRITY_MODE=False

.gitignore

@@ -250,4 +250,4 @@ db_path/
 tmp/
 
 .continue
-
+plugin-catalog

cpex/framework/isolated/client.py

@@ -27,6 +27,7 @@
 from cpex.framework.hooks.registry import get_hook_registry
 from cpex.framework.isolated.venv_comm import VenvProcessCommunicator
 from cpex.framework.models import PluginConfig, PluginContext, PluginErrorModel, PluginPayload, PluginResult
+from cpex.framework.utils import find_package_path
 
 logger = logging.getLogger(__name__)
 
@@ -43,10 +44,10 @@ def __init__(self, config: PluginConfig, plugin_dirs) -> None:
         # use the first plugin dir specified in the plugin configuration file.
         path = Path(self.plugin_dirs[0]).resolve()
         class_root = self.config.config.get("class_name").split(".")[0]
-        cache_root = path / class_root
-        self.plugin_path = cache_root
+        cache_root: Path = path / class_root
+        self.plugin_path: Path = cache_root
         if not cache_root.exists():
-            raise RuntimeError(f"plugin path does not exist: {str(cache_root)}")
+            cache_root.mkdir(parents=True, exist_ok=True)
         self.cache_dir: Path = cache_root / ".cpex" / "venv_cache"
         self.cache_dir.mkdir(parents=True, exist_ok=True)
 
@@ -217,21 +218,17 @@ async def initialize(self) -> None:
         else:
             requirements_file = Path(requirements_file_input)
 
-        # If it's a relative path, resolve it relative to plugin_path
-        if not requirements_file.is_absolute():
-            requirements_file = (self.plugin_path / requirements_file).resolve()
-        else:
-            # If absolute, resolve it to normalize
-            requirements_file = requirements_file.resolve()
-
-        # Validate that the resolved path is within plugin_path (security check)
+        # Try to find the package location where plugin-manifest.yaml resides
+        # Fall back to self.plugin_path if package is not installed (e.g., in tests)
         try:
-            requirements_file.relative_to(self.plugin_path.resolve())
-        except ValueError as ve:
-            raise RuntimeError(
-                f"Invalid requirements_file path: {requirements_file_input}. "
-                f"Path must be within plugin directory: {self.plugin_path}"
-            ) from ve
+            package_path = find_package_path(self.config.name)
+            logger.debug("Found installed package %s at %s", self.config.name, package_path)
+        except RuntimeError:
+            # Package not installed (e.g., in test environment), use plugin_path
+            package_path = self.plugin_path
+            logger.debug("Package %s not installed, using plugin_path: %s", self.config.name, package_path)
+
+        requirements_file = package_path / requirements_file_input
 
         # Create venv with caching support
         new_venv = await self.create_venv(venv_path=venv_path, requirements_file=requirements_file, use_cache=True)
@@ -339,3 +336,10 @@ async def invoke_hook(self, hook_type: str, payload: PluginPayload, context: Plu
         except Exception as e:
             logger.exception("Unexpected error invoking hook '%s' for plugin '%s'", hook_type, self.name)
             raise PluginError(error=convert_exception_to_error(e, plugin_name=self.name)) from e
+
+    def remove_venv(self):
+        """
+        Remove the virtual environment associated with the plugin.
+        """
+        shutil.rmtree(self.plugin_path.joinpath(".cpex"))
+        shutil.rmtree(self.plugin_path.joinpath(".venv"))

cpex/framework/isolated/venv_comm.py

@@ -53,6 +53,13 @@ def _get_python_executable(self):
 
         return str(python_exe)
 
+    def upgrade_pip(self) -> None:
+        """Upgrade pip in the target venv."""
+        try:
+            subprocess.check_call([self.python_executable, "-m", "pip", "install", "--upgrade", "pip"])
+        except Exception as e:
+            raise RuntimeError("Failed to upgrade pip") from e
+
     def install_requirements(self, requirements_file: str) -> None:
         """
         Install Python requirements from a file in the target venv.
@@ -62,6 +69,7 @@ def install_requirements(self, requirements_file: str) -> None:
         requirements_path = Path(requirements_file)
         if requirements_path.exists():
             try:
+                self.upgrade_pip()
                 subprocess.check_call([self.python_executable, "-m", "pip", "install", "-r", requirements_file])
             except Exception as e:
                 raise RuntimeError(f"Failed to install requirements from {requirements_file}") from e

cpex/framework/isolated/worker.py

@@ -24,7 +24,7 @@
 from cpex.framework.loader.plugin import ALLOWED_PLUGIN_DIRS
 from cpex.framework.manager import PluginExecutor
 from cpex.framework.models import PluginConfig, PluginContext
-from cpex.framework.utils import parse_class_name
+from cpex.framework.utils import import_module, parse_class_name
 
 logger = logging.getLogger(__name__)
 
@@ -115,7 +115,7 @@ async def process_task(task_data, tp: TaskProcessor):
             hook_type = task_data.get(HOOK_TYPE)
             cls_name: str = task_data.get("class_name")
             mod_name, n_cls_name = parse_class_name(cls_name)
-            module: ModuleType = importlib.import_module(mod_name)
+            module: ModuleType = import_module(mod_name)
             # cool, we found the module, and verified it implemented the hook type.
             class_ = getattr(module, n_cls_name)
             plugin_type = cast(Type[Plugin], class_)
@@ -162,7 +162,7 @@ async def main():
         while True:
             try:
                 # Read one line at a time
-                if tp.plugin_config:
+                if tp.plugin_config and "max_content_size" in tp.plugin_config:
                     line = sys.stdin.readline(limit=int(tp.plugin_config.max_content_size))
                 else:
                     # on the first read, the plugin_config has not yet been initialized so just read.
@@ -198,14 +198,17 @@ async def main():
                 serialized_response = json.dumps(serializable_response)
                 # Send response back to parent (one line per response)
                 if tp.plugin_config:
-                    if len(serialized_response) > tp.plugin_config.max_content_size:
-                        logger.error("Serialized response exceeds max content size")
-                        error_response = {
-                            "status": "error",
-                            "message": "Serialized response exceeds max content size",
-                            "request_id": request_id,
-                        }
-                        serialized_response = json.dumps(error_response)
+                    # workaround until cpex is updated beyond dev11
+                    # cpex is a dependency of the plugin and as such it's PluginConfig does not contain the max_content_size yet.
+                    if "max_content_size" in tp.plugin_config:
+                        if len(serialized_response) > tp.plugin_config.max_content_size:
+                            logger.error("Serialized response exceeds max content size")
+                            error_response = {
+                                "status": "error",
+                                "message": "Serialized response exceeds max content size",
+                                "request_id": request_id,
+                            }
+                            serialized_response = json.dumps(error_response)
                 print(serialized_response, flush=True)
 
             except json.JSONDecodeError as e:

cpex/framework/loader/config.py

@@ -79,3 +79,22 @@ def load_config(config: str, use_jinja: bool = True) -> Config:
         except FileNotFoundError:
             # Graceful fallback for tests and minimal environments without plugin config
             return Config(plugins=[], plugin_dirs=[])
+
+
+class ConfigSaver:
+    """
+    A configuration saver
+    """
+
+    @staticmethod
+    def save_config(config: Config, config_path: str) -> None:
+        """
+        Save the supplied configuration data to the filesystem
+        """
+        try:
+            updated_content = yaml.safe_dump(config.model_dump(mode="json"), default_flow_style=False)
+            with open(os.path.normpath(config_path), "w", encoding="utf-8") as file:
+                file.write(updated_content)
+                file.flush()
+        except OSError as ose:
+            raise RuntimeError(f"Error saving PluginConfig to {config_path}") from ose