Scope
Deferred from workflow#765 (verify-capabilities). The cycle-2 plan-phase adversarial review identified two reasons contract-diff couldn't ship in #765:
PluginManifest.capabilities.iacServices field doesn't exist — plugin.json has no LHS to diff against.BuildContractRegistry returns ALL gRPC services including go-plugin internals (PluginService, GRPCBroker, GRPCStdio, grpc.health.v1.Health). Set-equal diff would always fail with 3-5 spurious "extra-in-binary" entries.
This issue tracks both pieces.
Acceptance criteria
- Add
capabilities.iacServices []string (or equivalent) to plugin.PluginManifest. Update validate-contract static check to enforce presence on IaC plugins.
- Add
BuildContractRegistryForPlugin(grpcSrv, namespace string) *pb.ContractRegistry to SDK. Filters to plugin-owned services only (e.g. workflow.iac.v1.*). Existing BuildContractRegistry retained for full-surface scenarios.
- Extend
wfctl plugin verify-capabilities (workflow#765) to call GetContractRegistry, filter, and set-equal diff against plugin.json.capabilities.iacServices.
- Sweep all 4 IaC plugins (aws, azure, gcp, digitalocean) to populate the new
capabilities.iacServices field in their plugin.json.
Related
- workflow#762 (parent contract)
- workflow#764 (Layer 3b sweep)
- workflow#765 (verify-capabilities — Name + Version diff shipped; contract-diff deferred here)
- Design doc:
docs/plans/2026-05-24-verify-capabilities-design.md §Non-goals
Scope
Deferred from workflow#765 (verify-capabilities). The cycle-2 plan-phase adversarial review identified two reasons contract-diff couldn't ship in #765:
PluginManifest.capabilities.iacServicesfield doesn't exist —plugin.jsonhas no LHS to diff against.BuildContractRegistryreturns ALL gRPC services including go-plugin internals (PluginService,GRPCBroker,GRPCStdio,grpc.health.v1.Health). Set-equal diff would always fail with 3-5 spurious "extra-in-binary" entries.This issue tracks both pieces.
Acceptance criteria
capabilities.iacServices []string(or equivalent) toplugin.PluginManifest. Updatevalidate-contractstatic check to enforce presence on IaC plugins.BuildContractRegistryForPlugin(grpcSrv, namespace string) *pb.ContractRegistryto SDK. Filters to plugin-owned services only (e.g.workflow.iac.v1.*). ExistingBuildContractRegistryretained for full-surface scenarios.wfctl plugin verify-capabilities(workflow#765) to callGetContractRegistry, filter, and set-equal diff againstplugin.json.capabilities.iacServices.capabilities.iacServicesfield in theirplugin.json.Related
docs/plans/2026-05-24-verify-capabilities-design.md§Non-goals