Research · 2026-05-12
A signed plugin system for a governed gateway
How MCPG loads third-party code without giving up its security story: a frozen FFI/ABI, Ed25519 + cosign signing with SLSA provenance, revocation lists, and 21 typed extension points.
A gateway that mediates every agent tool call is exactly where you least want to load untrusted code — and exactly where extensibility matters most. RFC 0018 is MCPG's answer, shipped across twelve phases as the v25 plugin system.
The trust chain comes first. Every plugin is Ed25519-signed and cosign-attested with SLSA provenance; the gateway verifies before load, honors revocation lists, and supports air-gapped mirrors for environments where "fetch from the registry" is not a sentence you can say. First-party plugins ship 96 strong across 15 categories, every one through the same pipeline — the lab eats its own supply chain.
The ABI is frozen, the surface is typed. Plugins target a frozen 1.0 FFI/ABI, in native cdylib or WASM Component Model form, and attach to one of 21 extension points — identity providers, policy engines, backends, pipeline steps, redactors, audit sinks. The extension points are the governance model's seams: a plugin extends a stage of the pipeline, never the pipeline's shape.
Hosts stay in charge. Plugins receive a capability-scoped HostHandle
rather than ambient authority: what a plugin can read, call, or emit is an
explicit grant. The Wave L adoption pass moved all eleven first-party
plugin families onto this interface and documented the patterns — and the
workarounds — future plugin authors will hit.
The design doc is a good read for anyone building a plugin system for security-sensitive middleware: most of its decisions generalize, and the mistakes it documents were paid for once so yours don't have to be.
Canonical: mcpg repo · docs/plugin-protocol/rfcs/0018-plugin-system-v25.md