OC-301e · Module 2
Plugin Governance
Plugin governance determines who can publish, who can install, and what standards plugins must meet. In an enterprise deployment, governance is non-negotiable — an unreviewed plugin running inside your agent system is unreviewed code running inside your infrastructure. The governance framework has three pillars.
Publication standards: every plugin must pass automated security checks, provide documentation, and include a test suite. Manual review is required for plugins that request elevated permissions (network access, file write, inter-plugin communication).

Installation policies: organizational admins can restrict which plugins are installable from the public registry, maintain a curated internal registry of approved plugins, and require approval for any plugin not on the approved list.

Maintenance requirements: plugins in the approved list must be updated within 30 days of a security advisory affecting their dependencies. Plugins that fall behind on maintenance are flagged and eventually removed from the approved list.
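The three pillars above are easier to audit when they are encoded as policy rather than left as a written rule. The following is an added example, not code from the OC-301e course or from any plugin framework: a small policy-as-code evaluator in Python that applies the publication, installation and maintenance rules to a plugin manifest. The manifest fields, the permission names (`network`, `file_write`, `inter_plugin`), the status labels and the sample plugins and advisories are all constructed for illustration; only the 30-day advisory window comes from the module text.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical permission names that trigger manual review (pillar 1).
ELEVATED_PERMISSIONS = frozenset({"network", "file_write", "inter_plugin"})
ADVISORY_GRACE_DAYS = 30  # update deadline after an advisory (pillar 3)


@dataclass(frozen=True)
class PluginManifest:
    """Constructed manifest shape; a real registry would define its own."""
    name: str
    version: str
    permissions: frozenset
    has_docs: bool
    has_tests: bool
    security_checks_passed: bool


@dataclass(frozen=True)
class Advisory:
    plugin: str      # affected plugin name
    published: date  # advisory publication date
    fixed_in: str    # first version that carries the fix


def _vtuple(version: str) -> tuple:
    """Compare dotted versions numerically ('1.10.0' > '1.9.0')."""
    return tuple(int(part) for part in version.split("."))


def publication_status(m: PluginManifest) -> tuple:
    """Pillar 1: ('rejected' | 'manual_review' | 'approved', reasons)."""
    reasons = []
    if not m.security_checks_passed:
        reasons.append("automated security checks failed")
    if not m.has_docs:
        reasons.append("missing documentation")
    if not m.has_tests:
        reasons.append("missing test suite")
    if reasons:  # hard requirements fail before permissions are considered
        return "rejected", reasons
    elevated = sorted(m.permissions & ELEVATED_PERMISSIONS)
    if elevated:
        return "manual_review", [f"elevated permissions requested: {elevated}"]
    return "approved", ["all automated publication checks passed"]


def installation_status(m: PluginManifest, approved: set, blocked: set) -> str:
    """Pillar 2: 'install' | 'denied' | 'approval_required'.

    approved: curated internal registry as (name, version) pairs.
    blocked:  plugin names admins have barred from the public registry.
    """
    if (m.name, m.version) in approved:
        return "install"
    if m.name in blocked:
        return "denied"
    return "approval_required"  # not approved, not blocked: needs sign-off


def maintenance_status(m: PluginManifest, advisories: list, today: date) -> tuple:
    """Pillar 3: ('current' | 'update_pending' | 'flagged', days).

    days = days past the deadline when flagged, days remaining when pending.
    The most overdue open advisory decides the status.
    """
    worst = None
    for a in advisories:
        if a.plugin != m.name or _vtuple(m.version) >= _vtuple(a.fixed_in):
            continue  # different plugin, or already running a fixed version
        deadline = a.published + timedelta(days=ADVISORY_GRACE_DAYS)
        overdue = (today - deadline).days
        if worst is None or overdue > worst:
            worst = overdue
    if worst is None:
        return "current", 0
    if worst > 0:
        return "flagged", worst
    return "update_pending", -worst


# Constructed sample data for a stand-alone run.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_PLUGINS = {
    "csv-export": PluginManifest("csv-export", "1.1.0", frozenset({"file_write"}), True, True, True),
    "summarizer": PluginManifest("summarizer", "2.0.0", frozenset(), True, False, True),
    "calc": PluginManifest("calc", "0.3.1", frozenset({"read_only"}), True, True, True),
}
SAMPLE_APPROVED = {("csv-export", "1.1.0")}
SAMPLE_BLOCKED = {"calc"}
SAMPLE_ADVISORIES = [
    Advisory("csv-export", date(2024, 4, 1), "1.2.0"),   # 61 days old, unpatched
    Advisory("calc", date(2024, 5, 20), "0.4.0"),        # 12 days old, unpatched
]


def evaluate_all() -> dict:
    """Run all three pillars over the sample plugins; keyed by plugin name."""
    return {
        name: {
            "publication": publication_status(m)[0],
            "installation": installation_status(m, SAMPLE_APPROVED, SAMPLE_BLOCKED),
            "maintenance": maintenance_status(m, SAMPLE_ADVISORIES, SAMPLE_TODAY),
        }
        for name, m in SAMPLE_PLUGINS.items()
    }


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(name, result)
```

Running the block reports `csv-export` as installable but flagged 31 days past its advisory deadline, `summarizer` as rejected for lacking a test suite, and `calc` as denied by the admin block list with an update still pending. The maintenance check deliberately picks the most overdue advisory so that one patched advisory cannot mask an older unpatched one.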