ADR-015: Unified Plugin System

Status

Accepted

Date

2026-01-06

Context

Claude Flow v3 has multiple extension mechanisms scattered across different packages:

• Plugin interfaces in @claude-flow/shared
• Worker system in @claude-flow/integration
• Hooks system in @claude-flow/hooks
• Provider definitions spread across multiple modules
• Duplicate security utilities in various places

This fragmentation leads to:

1. Inconsistent APIs across extension points
2. Code duplication (~3,000+ lines of overlapping functionality)
3. Complex dependency chains between packages
4. Difficulty for plugin authors to understand the full API surface
5. Security vulnerabilities from inconsistent validation

Decision

Create a unified @claude-flow/plugins package that consolidates all plugin development capabilities into a single, coherent SDK.

Package Structure

@claude-flow/plugins/
├── src/
│   ├── types/              # Unified type definitions
│   │   └── index.ts        # All plugin-related types
│   ├── core/               # Core plugin infrastructure
│   │   ├── plugin-interface.ts
│   │   └── base-plugin.ts
│   ├── registry/           # Plugin registration & lifecycle
│   │   └── plugin-registry.ts
│   ├── sdk/                # Builder patterns & quick creators
│   │   └── index.ts
│   ├── workers/            # Worker pool & definitions
│   │   └── index.ts
│   ├── hooks/              # Hook registry & executors
│   │   └── index.ts
│   ├── providers/          # LLM provider integration
│   │   └── index.ts
│   ├── integrations/       # External integrations
│   │   ├── agentic-flow.ts # agentic-flow@alpha bridge
│   │   └── index.ts
│   ├── security/           # Security utilities
│   │   └── index.ts
│   └── index.ts            # Main exports
└── __tests__/              # Comprehensive tests

Key Design Decisions

1. Builder Pattern for Plugin Creation

const plugin = new PluginBuilder('my-plugin', '1.0.0')
  .withDescription('My awesome plugin')
  .withMCPTools([...])
  .withHooks([...])
  .withWorkers([...])
  .build();

Rationale: Fluent API reduces boilerplate and guides developers through proper plugin configuration.

2. Unified Type System

All plugin-related types are centralized in types/index.ts:

• Plugin lifecycle states and metadata
• Extension point definitions (AgentType, TaskType, MCPTool, etc.)
• Worker types and configurations
• Hook events and handlers
• Provider definitions

Rationale: Single source of truth prevents type drift and simplifies imports.

3. Security-First Design

Dedicated security module with:

• Input validation (strings, numbers, booleans, arrays, enums)
• Path security (traversal prevention, safe path creation)
• JSON security (prototype pollution prevention, circular reference handling)
• Command security (command validation, shell escaping)
• Error sanitization (credential redaction)
• Rate limiting and resource limiting

Rationale: Centralized security utilities ensure consistent protection across all plugins.

4. Integration Bridges

Separate bridge modules for external systems:

• AgenticFlowBridge: Swarm coordination, agent spawning, task orchestration
• AgentDBBridge: Vector storage, similarity search (150x-12,500x faster)

Rationale: Clean separation allows mocking for testing and future provider swapping.

5. Extension Point Collection

PluginRegistry automatically collects extension points during initialization:

• Agent types
• Task types
• MCP tools
• CLI commands
• Memory backends
• Hooks
• Workers
• LLM providers

Rationale: Plugins register capabilities declaratively; the registry handles aggregation.

Consequences

Positive

1. Single Import: Plugin authors import from @claude-flow/plugins only
2. Type Safety: Unified types with strict TypeScript validation
3. Security: Centralized, audited security utilities
4. Testing: Comprehensive test suite with 100+ test cases
5. Documentation: Single package to document and maintain
6. Performance: Optimized implementations (ring buffers, caching, etc.)

Negative

1. Larger Package: Single package is larger than individual modules
2. Migration Effort: Existing plugins need updating to new APIs
3. Breaking Changes: Some API changes from previous implementation

Neutral

1. Dependency: All plugins depend on this one package
2. Learning Curve: New API patterns to learn (offset by better ergonomics)

Implementation

Phase 1: Core Infrastructure (Completed)

• Types and interfaces
• Plugin interface and base class
• Plugin registry with dependency resolution
• SDK builders (Plugin, Tool, Hook, Worker)

Phase 2: Extension Systems (Completed)

• Worker pool and factory
• Hook registry and executor
• Provider registry and base implementation

Phase 3: Integrations (Completed)

• AgenticFlowBridge for swarm coordination
• AgentDBBridge for vector storage
• Security module with comprehensive utilities

Phase 4: Testing & Documentation (Completed)

• Plugin registry tests (23 tests)
• SDK builder tests (17 tests)
• Security module tests (40 tests)
• Plugin creator tests (30+ tests)
• README.md with comprehensive API documentation
• Example plugin creator demonstrating all features

Phase 5: Example Plugin (Completed)

• Plugin Creator meta-plugin
• Template-based plugin generation
• Code generation for tools, hooks, workers, agents
• Full MCP tool integration for plugin creation

Performance Targets

Security Considerations

Input Validation

• All external inputs validated before use
• Type coercion with explicit validation
• Pattern matching for strings
• Range checking for numbers

Path Security

• Base directory enforcement
• Symlink resolution (TOCTOU prevention)
• Blocked dangerous paths (/etc, /var, etc.)

JSON Security

• Prototype pollution prevention (strips __proto__, constructor, prototype)
• Circular reference detection
• Depth limiting

Command Security

• Allowlist-based command validation
• Shell metacharacter blocking
• Argument escaping

Error Handling

• Credential redaction in error messages
• Stack trace sanitization for production
• Truncation of oversized messages

Migration Guide

From @claude-flow/shared

// Before
import { IPlugin, PluginMetadata } from '@claude-flow/shared';

// After
import { IPlugin, PluginMetadata } from '@claude-flow/plugins';

From @claude-flow/hooks

// Before
import { HookEvent, HookHandler } from '@claude-flow/hooks';

// After
import { HookEvent, HookHandler, HookRegistry } from '@claude-flow/plugins';

From manual plugin creation

// Before
class MyPlugin implements IPlugin {
  metadata = { name: 'my-plugin', version: '1.0.0' };
  state = 'uninitialized';
  async initialize(ctx) { ... }
  async shutdown() { ... }
  registerMCPTools() { return [...]; }
}

// After
const myPlugin = new PluginBuilder('my-plugin', '1.0.0')
  .withMCPTools([...])
  .onInitialize(async (ctx) => { ... })
  .build();

Example: Plugin Creator

The package includes a comprehensive example plugin that demonstrates all SDK capabilities:

import { pluginCreatorPlugin } from '@claude-flow/plugins/examples/plugin-creator';

// Register the meta-plugin
await getDefaultRegistry().register(pluginCreatorPlugin);

// Create plugins using MCP tools:
// - create-plugin: Generate complete plugins from templates
// - list-plugin-templates: Show available templates
// - generate-tool: Create individual MCP tools
// - generate-hook: Create lifecycle hooks
// - generate-worker: Create worker definitions

Available Templates

Test Results

Test Files  4 passed (4)
     Tests  110+ passed
TypeErrors  0 errors
  Duration  ~2s

Related ADRs

• ADR-001: Adopt agentic-flow as core foundation
• ADR-004: Plugin-based architecture (microkernel pattern)
• ADR-005: MCP-first API design
• ADR-006: Unified memory service (AgentDB integration)

References

• Plugin Interface Design
• Base Plugin Implementation
• Security Module
• agentic-flow@alpha Integration
• Plugin Creator Example
• README.md