Skip to content

Built-in Plugins

Catalog of first-party plugins shipped with the gateway. All are native Go (runtime: premade) and are inert until included in an active immutable snapshot.

For the overall plugin model (hook stages, snapshot lifecycle, capability broker, failure semantics, customer-authored WASM plugins), see architecture-overview.md and rfcs/rfc-hook-plugin-system.md.

Plugin IDHook stageDefault modeRequired capabilitiesPurpose
builtin.project_membershipproject.bootstrapenforcement host entry; observe/enforce policy configMandatory typed bootstrap for every project-scoped runtime snapshot. Evaluates ProjectMembershipV1 issuer, required/accepted status, expiration, revocation, and role policy. Only its validated typed success can establish authoritative project context; generic context_writes cannot.
builtin.authorizationproxy.preenforcementAllow/deny rules over the verified-request envelope (method, gateway path, upstream path, agent ID). The primary post-verify authorization seam.
builtin.verifiable_credentialproxy.preenforcementcid.resolveResolves the signed X-Viper-Credential-CID list, selects the non-membership agent VC, runs W3C VC linked-data proof verification (trustbloc/vc-go), checks issuer trust list, subject = request signer DID, and validity window. The deprecated single-CID header remains a migration fallback.
builtin.opa_regoproxy.preenforcementEvaluates operator-authored Rego policy + static JSON data against a normalized hook input. Snapshot-managed — Rego compiles once at snapshot preparation, not per-request.
builtin.config_validationproxy.preobservabilitycid.resolveResolves the agent’s config-files collection, runs regex/structural rules against config files and derived.config.permissions, and flags violations. Never denies. Rules can live in snapshot config or a DB store with TTL cache.
builtin.static_responseproxy.prevariesTest/bootstrap-only matcher: deny when method + gateway-path prefix + upstream-path prefix + agent ID all match. Used for deterministic hook tests and to seed early policy snapshots.
builtin.vtscanrequest.endobservabilitycid.resolve, http.requestResolves the agent skills collection, hashes each entry, and queries the VirusTotal API for known-malicious indicators. Async, rate-limited, never blocks the response.
builtin.intent_monitorrequest.endobservabilityrequest.body.read, http.requestExtracts user intents and agent actions from the LLM conversation body and evaluates alignment via an external LLM. Async; flags drift, never blocks.
StagePlugins
request.start(none shipped)
project.bootstrapproject_membership (mandatory for project snapshots)
proxy.preauthorization, verifiable_credential, opa_rego, config_validation, static_response
proxy.post(none shipped)
request.endvtscan, intent_monitor

Three plugins need privileged host capabilities (granted per snapshot entry, never per request):

CapabilityUsed byWhat it does
cid.resolveverifiable_credential, config_validation, vtscanRead-only lookup of request-referenced CIDs from the embedded CID router / blob store. Non-transitive in V1.
http.requestvtscan, intent_monitorHost-dispatched HTTPS to allow-listed destinations, with secret-ref auth injection and per-call timeout / size limits.
request.body.readintent_monitorOpt-in full request-body access with byte cap.
PluginDefinition (config schema, hook, mode)Runtime handler
builtin.project_membershipshared/servicekit/plugins/builtin_project_membership.gollm-gateway/service/internal/hooks/project_membership.go (+ shared/servicekit/projectmembership)
builtin.authorizationshared/servicekit/plugins/builtin_authorization.gollm-gateway/service/internal/hooks/authorization.go
builtin.verifiable_credentialshared/servicekit/plugins/builtin_verifiable_credential.gollm-gateway/service/internal/hooks/verifiable_credential.go (+ shared/servicekit/agentcredential/validate.go)
builtin.opa_regoshared/servicekit/plugins/builtin_opa_rego.gollm-gateway/service/internal/hooks/opa_rego.go
builtin.config_validationshared/servicekit/plugins/builtin_config_validation.gollm-gateway/service/internal/hooks/config_validation.go
builtin.static_response(in-tree only)llm-gateway/service/internal/hooks/builtins.go
builtin.vtscanshared/servicekit/plugins/builtin_vtscan.gollm-gateway/service/internal/hooks/vtscan.go
builtin.intent_monitorshared/servicekit/plugins/builtin_intent_monitor.gollm-gateway/service/internal/hooks/intent_monitor.go

Project snapshots must contain exactly one enabled builtin.project_membership entry at project.bootstrap, using the premade runtime and an enforcement host entry. The host entry stays fail-closed for missing implementations, invalid typed results, or runtime errors. Its mode config controls membership-policy rollout: observe records a would-deny and establishes no project context; enforce denies. Other fields are membership_required, trusted_issuers, accepted_statuses, enforce_expiration, enforce_revocation, allowed_roles, and required_roles.

The plugin receives no network capability. Blob/evidence resolution happens through the Gateway’s local, signer-bound candidate binder; membership evaluation never calls an external service on the request hot path.

Not part of this list — the gateway also runs customer-authored modules compiled to wasm32-wasip1, executed in-process via wazero. Those are authored against crates/guardian-plugin-sdk, packaged via crates/guardian-plugin, content-addressed by SHA-256, and signed by trusted platform release keys before the gateway will load them. See plugin-developer-mvp.md for the authoring workflow. Working SDK + capability examples live in the repo under test-plugins/ (rust-allow-all, rust-host-capability-probe, rust-request-start-cid-guard).