Built-in Plugins
Catalog of first-party plugins shipped with the gateway. All are native Go (runtime: premade) and are inert until included in an active immutable snapshot.
For the overall plugin model (hook stages, snapshot lifecycle, capability broker, failure semantics, customer-authored WASM plugins), see architecture-overview.md and rfcs/rfc-hook-plugin-system.md.
Catalog
Section titled “Catalog”| Plugin ID | Hook stage | Default mode | Required capabilities | Purpose |
|---|---|---|---|---|
builtin.project_membership | project.bootstrap | enforcement host entry; observe/enforce policy config | — | Mandatory typed bootstrap for every project-scoped runtime snapshot. Evaluates ProjectMembershipV1 issuer, required/accepted status, expiration, revocation, and role policy. Only its validated typed success can establish authoritative project context; generic context_writes cannot. |
builtin.authorization | proxy.pre | enforcement | — | Allow/deny rules over the verified-request envelope (method, gateway path, upstream path, agent ID). The primary post-verify authorization seam. |
builtin.verifiable_credential | proxy.pre | enforcement | cid.resolve | Resolves the signed X-Viper-Credential-CID list, selects the non-membership agent VC, runs W3C VC linked-data proof verification (trustbloc/vc-go), checks issuer trust list, subject = request signer DID, and validity window. The deprecated single-CID header remains a migration fallback. |
builtin.opa_rego | proxy.pre | enforcement | — | Evaluates operator-authored Rego policy + static JSON data against a normalized hook input. Snapshot-managed — Rego compiles once at snapshot preparation, not per-request. |
builtin.config_validation | proxy.pre | observability | cid.resolve | Resolves the agent’s config-files collection, runs regex/structural rules against config files and derived.config.permissions, and flags violations. Never denies. Rules can live in snapshot config or a DB store with TTL cache. |
builtin.static_response | proxy.pre | varies | — | Test/bootstrap-only matcher: deny when method + gateway-path prefix + upstream-path prefix + agent ID all match. Used for deterministic hook tests and to seed early policy snapshots. |
builtin.vtscan | request.end | observability | cid.resolve, http.request | Resolves the agent skills collection, hashes each entry, and queries the VirusTotal API for known-malicious indicators. Async, rate-limited, never blocks the response. |
builtin.intent_monitor | request.end | observability | request.body.read, http.request | Extracts user intents and agent actions from the LLM conversation body and evaluates alignment via an external LLM. Async; flags drift, never blocks. |
Stage coverage
Section titled “Stage coverage”| Stage | Plugins |
|---|---|
request.start | (none shipped) |
project.bootstrap | project_membership (mandatory for project snapshots) |
proxy.pre | authorization, verifiable_credential, opa_rego, config_validation, static_response |
proxy.post | (none shipped) |
request.end | vtscan, intent_monitor |
Capability usage
Section titled “Capability usage”Three plugins need privileged host capabilities (granted per snapshot entry, never per request):
| Capability | Used by | What it does |
|---|---|---|
cid.resolve | verifiable_credential, config_validation, vtscan | Read-only lookup of request-referenced CIDs from the embedded CID router / blob store. Non-transitive in V1. |
http.request | vtscan, intent_monitor | Host-dispatched HTTPS to allow-listed destinations, with secret-ref auth injection and per-call timeout / size limits. |
request.body.read | intent_monitor | Opt-in full request-body access with byte cap. |
Source layout
Section titled “Source layout”| Plugin | Definition (config schema, hook, mode) | Runtime handler |
|---|---|---|
builtin.project_membership | shared/servicekit/plugins/builtin_project_membership.go | llm-gateway/service/internal/hooks/project_membership.go (+ shared/servicekit/projectmembership) |
builtin.authorization | shared/servicekit/plugins/builtin_authorization.go | llm-gateway/service/internal/hooks/authorization.go |
builtin.verifiable_credential | shared/servicekit/plugins/builtin_verifiable_credential.go | llm-gateway/service/internal/hooks/verifiable_credential.go (+ shared/servicekit/agentcredential/validate.go) |
builtin.opa_rego | shared/servicekit/plugins/builtin_opa_rego.go | llm-gateway/service/internal/hooks/opa_rego.go |
builtin.config_validation | shared/servicekit/plugins/builtin_config_validation.go | llm-gateway/service/internal/hooks/config_validation.go |
builtin.static_response | (in-tree only) | llm-gateway/service/internal/hooks/builtins.go |
builtin.vtscan | shared/servicekit/plugins/builtin_vtscan.go | llm-gateway/service/internal/hooks/vtscan.go |
builtin.intent_monitor | shared/servicekit/plugins/builtin_intent_monitor.go | llm-gateway/service/internal/hooks/intent_monitor.go |
Project membership configuration
Section titled “Project membership configuration”Project snapshots must contain exactly one enabled builtin.project_membership entry at project.bootstrap, using the premade runtime and an enforcement host entry. The host entry stays fail-closed for missing implementations, invalid typed results, or runtime errors. Its mode config controls membership-policy rollout: observe records a would-deny and establishes no project context; enforce denies. Other fields are membership_required, trusted_issuers, accepted_statuses, enforce_expiration, enforce_revocation, allowed_roles, and required_roles.
The plugin receives no network capability. Blob/evidence resolution happens through the Gateway’s local, signer-bound candidate binder; membership evaluation never calls an external service on the request hot path.
Customer-authored WASM plugins
Section titled “Customer-authored WASM plugins”Not part of this list — the gateway also runs customer-authored modules compiled to wasm32-wasip1, executed in-process via wazero. Those are authored against crates/guardian-plugin-sdk, packaged via crates/guardian-plugin, content-addressed by SHA-256, and signed by trusted platform release keys before the gateway will load them. See plugin-developer-mvp.md for the authoring workflow. Working SDK + capability examples live in the repo under test-plugins/ (rust-allow-all, rust-host-capability-probe, rust-request-start-cid-guard).