feat(plugins): live ShellExecutor hot-reload, skipped_plugins UX, sha256 integrity check #3166
Merged
This was linked to issues Apr 18, 2026
e29a6f4 to b41d45a
…256 integrity check

Implements three deferred features from PR #3145 (issue #3128).

Replaces the static blocked_commands Vec in ShellExecutor with an ArcSwap<ShellPolicy> handle. When reload_config detects a change in blocked_commands via the plugin overlay, it calls handle.rebuild() to swap in the new policy atomically — no restart required. allowed_commands changes still require a restart and emit a WARN banner.

- Add arc-swap as explicit workspace dependency (was already transitive)
- Add ShellPolicy, ShellPolicyHandle, compute_blocked_commands to zeph-tools
- find_blocked_command return type: Option<&str> -> Option<String>
- Wire ShellPolicyHandle into SharedAgentDeps, LifecycleState, acp/daemon/runner
- Add hot_reload_rebuilds_shell_blocklist e2e test

Surfaces ResolvedOverlay::source_plugins and skipped_plugins in user-facing commands so partial-apply failures are diagnosable without debug logs.

- zeph plugin list --overlay: new --overlay flag with format_overlay_section output
- /plugins overlay slash command
- PluginListOverlay TUI palette entry ("plugin:overlay")

Records a sha256 digest of each .plugin.toml at install time in a registry at <data_root>/.plugin-integrity.toml (outside plugins_dir to prevent TOCTOU). At startup and hot-reload, the digest is verified before the overlay is applied; mismatches are added to skipped_plugins with an "integrity mismatch" reason.

- New IntegrityRegistry in crates/zeph-plugins/src/integrity.rs
- Atomic save via tmp+rename; chmod 0o600 on unix
- default_integrity_registry_path() helper in zeph-config
- Strict from_utf8 throughout manager.rs (replaces from_utf8_lossy)
- Missing entries permitted with debug log (forward-compat with existing installs)
- Regression test: list_installed_ignores_non_directory_entries

Closes #3146, #3147, #3148
…ebuild in zeph-core
b41d45a to 0e72d4e
bug-ops added a commit that referenced this pull request Apr 18, 2026
- specs/027-runtime-layer: ArcSwap hot-reload, skipped_plugins diagnostics, sha256 integrity
- specs/006-tools: ShellPolicyHandle, find_blocked_command return type
- specs/010-security: plugin manifest integrity section
- specs/039-background-task-supervisor: two-phase drain shutdown invariant
- book/guides/custom-skills: overlay flag, integrity check, hot-reload behavior
- book/reference/security: plugin manifest integrity section
- book/reference/cli: zeph plugin subcommand and --overlay flag
bug-ops added a commit that referenced this pull request Apr 18, 2026
* release: prepare v0.19.2
  - Bump version from 0.19.1 to 0.19.2 in all manifests
  - Update CHANGELOG.md with v0.19.2 release section
  - Refresh all crate READMEs and root README (test badge: 8647)
  - Update user documentation in book/ for new features
  - Update specifications in specs/ to reflect implemented changes
  - Accept updated splash snapshot for v0.19.2
* docs: update specs and book for #3166 and #3167
  - specs/027-runtime-layer: ArcSwap hot-reload, skipped_plugins diagnostics, sha256 integrity
  - specs/006-tools: ShellPolicyHandle, find_blocked_command return type
  - specs/010-security: plugin manifest integrity section
  - specs/039-background-task-supervisor: two-phase drain shutdown invariant
  - book/guides/custom-skills: overlay flag, integrity check, hot-reload behavior
  - book/reference/security: plugin manifest integrity section
  - book/reference/cli: zeph plugin subcommand and --overlay flag
Implements three deferred features from PR #3145 (issue #3128).
Summary
- blocked_commands policy rebuilt atomically via ArcSwap<ShellPolicy> on hot-reload, no restart required
- zeph plugin list --overlay / /plugins overlay / TUI palette entry surfaces source_plugins and skipped_plugins with reasons
- .plugin.toml at load time: digest recorded at install, verified on every load/hot-reload, mismatch skips plugin and surfaces reason in skipped_plugins

Changes

feat(plugins): ShellExecutor live-rebuild (#3146)
- ShellPolicy, ShellPolicyHandle (ArcSwap<ShellPolicy>) to zeph-tools
- find_blocked_command return type: Option<&str> → Option<String>
- ShellPolicyHandle into LifecycleState, SharedAgentDeps, acp/daemon/runner
- reload_config calls handle.rebuild() on blocked_commands change; allowed_commands still emits WARN + restart banner
- arc-swap as direct workspace dep (was already transitive)

feat(plugins): skipped_plugins UX (#3147)
- zeph plugin list --overlay flag with formatted output
- /plugins overlay and /plugins list --overlay slash commands
- PluginListOverlay TUI palette entry

feat(security): sha256 integrity check (#3148)
- IntegrityRegistry in crates/zeph-plugins/src/integrity.rs
- <data_root>/.plugin-integrity.toml (outside plugins_dir, avoids TOCTOU)
- from_utf8 throughout manager.rs (replaces from_utf8_lossy)
- debug! (forward-compat with pre-feature installs)
- default_integrity_registry_path() helper in zeph-config

Test plan
- cargo nextest run --config-file .github/nextest.toml --workspace --lib --bins — 8356 passed
- cargo +nightly fmt --check — clean
- cargo clippy --workspace -- -D warnings — clean
- hot_reload_rebuilds_shell_blocklist e2e test covers reload_config → rebuild() path
- list_installed_ignores_non_directory_entries regression: stray files in plugins_dir not surfaced as plugins
- overlay_ignores_integrity_registry_file: .plugin-integrity.toml not surfaced as plugin
- /Users/rabax/Dev/zeph/.local/testing/playbooks/plugins.md scenarios A–E

Closes #3146, #3147, #3148
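
The snapshot-and-swap pattern behind the hot-reloadable blocklist described above, as an added example that is not code from this PR or from zeph. It uses std's `RwLock<Arc<_>>` in place of `ArcSwap` so it builds without external crates; only the names `ShellPolicy`, `ShellPolicyHandle`, `rebuild` and `find_blocked_command` come from the page, while the struct fields, the `load` method and the token-matching rule are assumptions.

```rust
use std::sync::{Arc, RwLock};

/// Immutable blocklist snapshot (fields are an assumption, not zeph's layout).
#[derive(Default)]
pub struct ShellPolicy {
    blocked: Vec<String>, // lowercased, sorted, de-duplicated
}

impl ShellPolicy {
    pub fn new(blocked: &[&str]) -> Self {
        let mut blocked: Vec<String> = blocked.iter().map(|c| c.trim().to_lowercase()).collect();
        blocked.retain(|c| !c.is_empty());
        blocked.sort();
        blocked.dedup();
        Self { blocked }
    }
}

/// Shared handle. std's RwLock<Arc<_>> stands in for ArcSwap here.
#[derive(Clone, Default)]
pub struct ShellPolicyHandle(Arc<RwLock<Arc<ShellPolicy>>>);
impl ShellPolicyHandle {
    /// Take a snapshot; the lock is held only while the Arc is cloned.
    pub fn load(&self) -> Arc<ShellPolicy> {
        self.0.read().expect("policy lock poisoned").clone()
    }
    /// Build the new policy outside the lock, then publish it in one store.
    pub fn rebuild(&self, blocked: &[&str]) {
        let next = Arc::new(ShellPolicy::new(blocked));
        *self.0.write().expect("policy lock poisoned") = next;
    }
}

/// Simplified matcher. Returns an owned String: the snapshot is dropped on return.
pub fn find_blocked_command(handle: &ShellPolicyHandle, command_line: &str) -> Option<String> {
    let policy = handle.load();
    command_line
        .split(|c: char| c.is_whitespace() || matches!(c, ';' | '|' | '&'))
        .map(|t| t.rsplit('/').next().unwrap_or(t).to_lowercase())
        .find(|t| policy.blocked.binary_search(t).is_ok())
}

fn main() {
    let handle = ShellPolicyHandle::default();
    handle.rebuild(&["rm", "curl"]); // constructed initial blocked_commands
    println!("{:?}", find_blocked_command(&handle, "/usr/bin/curl example.invalid"));
    handle.rebuild(&["wget"]); // overlay changed: swap without restart
    println!("{:?}", find_blocked_command(&handle, "curl example.invalid"));
}
```

A caller that took a snapshot with `load()` before a `rebuild()` keeps evaluating against the old policy until it drops that snapshot, so a check never observes a half-updated list.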