Replies: 10 comments 35 replies
-
|
Thanks for the thoughtful framing @vdmkenny - you've made good points on where the value is and where I over-engineered. On the UI: I'd love to keep the discovery UI if the maintainers are open to it. My bias is toward making complex things feel simple, and I've seen too many plugin systems die because editing a JSON file and restarting a server is the onboarding flow. A visual grid with install/enable toggles turns that into one click. I'm happy to split it into a follow-up PR if it makes review easier, but I'd prefer not to lose it entirely. On the iframe sandbox: Hindsight is 20/20, and you're absolutely right here. The sandbox was a premature "what if plugins are evil" hedge. But Odysseus plugins are server-side, pip-installed packages - same trust model as any other Python dependency. We already gate capabilities through the manifest and permission model, so the bespoke sandbox and custom JS↔Python bridge are just dead weight. Dropping them cuts ~2,500 lines and removes a fragile security surface I don't think we need. Revised plan, taking both points on board: Keep: manifest, permissions, discovery UI, simple entry-point loader |
Beta Was this translation helpful? Give feedback.
-
|
I think there are two different problems getting mixed together here, and they need different answers. If the main problem is PR volume and review pressure, I would rather explore the #4415 direction first: parent trackers, child issues, and PRs as candidate implementations. That gives maintainers a way to route broad or overlapping work without turning every useful feature into an extension-platform decision. A PR can be valid, partial, superseded, or not good enough, while the underlying issue still stays owned somewhere. If the goal is broader than review routing, and we want to deliberately slim core over time by pushing feature ownership out to independent maintainers, then I think that needs an explicit direction call from @pewdiepie-archdaemon. That is not just a technical implementation detail. It changes what Odysseus is responsible for owning. My bias is still toward core-owned paths or standalone integrations for important capabilities, mainly for security, maintainability, style preservation, and product cohesion. The macOS comparison that comes to mind is not “everything is extensible”; it is that the owned paths feel coherent and generally work together. Odysseus probably needs some of that discipline too. I am not totally opposed to plugins. I just do not think “large feature” automatically means “should be a plugin.” I would expect core to keep owning some foundational product capabilities. The line is probably not “small in core, large out of core.” It is more like: core owns the product contract and essential service boundaries; extensions add optional or specialized behavior around those boundaries. Right now I think core still needs more scaffolding before a plugin platform is the right pressure valve. The architecture Odysseus canonizes becomes the shape plugins build against, and that directly dictates how useful, stable, and maintainable those plugins can be. If the plugin API is built around unsettled internals, plugins either become fragile wrappers around today’s implementation details, or core gets stuck preserving accidental contracts too early. In particular, the inference path is likely the most important service boundary to canonize first: Odysseus already has multiple engine/provider shapes, and plugins should build on stable internal contracts and core adapters for the essential flows. Looking at #4241 specifically, my concern is not just size. It makes Odysseus own a lot at once:
That is a full extension platform surface. The iframe/backend split also needs a much stronger threat model before I would be comfortable treating it as safe. Browser-side, iframe sandboxing and message bridges need to be designed as hard security boundaries, not just implementation details. Backend-side, a Python subprocess is still host code unless there is real OS/process/container isolation. It may be a cleaner execution model than in-process imports, but it is not a security boundary by itself. The ComfyUI extension-manager path is a useful warning here. Once extensions become common, extensions ask for more permissions, users get trained to grant those permissions because otherwise things do not work, and the host project inherits pressure to support and secure that ecosystem. ComfyUI has had to add explicit controls around things like arbitrary git URL installs and pip installs. I would rather Odysseus not accidentally normalize “random repo code with broad permissions” as something the project implicitly owns. So my current position would be:
A thinner next step might be contributor guidance plus a manifest/capability discussion, without adopting a runtime/discovery UI immediately. That would let maintainers redirect broad work more consistently while leaving the bigger question open: whether Odysseus wants to own a plugin platform, or just define stable external seams around a coherent core. The main thing I would want to avoid is exposing Odysseus as a platform before the core shape is ready, because once people build plugins against it, today’s internal structure starts becoming tomorrow’s compatibility contract. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @Zen0-99, the revised scope sounds right. Here's how I'd suggest we shape it. I'd propose landing the contract first as one small PR, with a reviewable core of roughly:
One thing worth flagging: the frontend would need a genuinely new extension point. Today nav entries and settings tabs are hardcoded in On capabilities, I'd suggest tiering them: ordinary ( It would also be worth being explicit about the trust model in the docs. Since plugins are pip-installed server-side Python (the same trust as any dependency), the manifest is really transparency rather than a sandbox: For the discovery/management UI, my suggestion would be a follow-up PR that ships it as the first bundled plugin (default-enabled, removable). That would dogfood the contract end to end (if our own UI cannot be a plugin, the seam is not expressive enough), and it would naturally be the holder of the It might also help to draw the plugin vs MCP vs skill line so contributors and maintainers can redirect consistently: an MCP server for an external tool-only process (WhatsApp's tools could fit there), a plugin for in-process Python that adds routes/settings/providers/UI (Atlas-shaped), and a skill for prompt/behaviour only. Over the mid to long term, existing features could then migrate out behind the same seam, easiest-first: the provider registries are already plugin-shaped, then app-adjacent features (TTS, media, calendar ICS, eventually email/cookbook), each as a small PR with a compatibility shim so nothing breaks for users. Net, the idea would be: a small contract PR (seam + schema + a tiny example) first, the discovery UI as the first bundled plugin right after, and core getting lighter as features migrate behind the same contract. Curious what you and the maintainers think, especially on the frontend extension point and the privileged-capability tier. |
Beta Was this translation helpful? Give feedback.
-
|
Seems like a lot of work to go to rather than just telling people no, we’re not adding perplexity search. |
Beta Was this translation helpful? Give feedback.
-
|
I have been following this and wanted to add something grounded rather than theoretical, since my OIDC PR (#3508) was one of the examples in the opening post. I actually tried porting OIDC to the contractSpent a day mapping it out. Of the 11 integration points OIDC requires, 5 map cleanly to the contract (routes, settings UI, static files, env reading, state management). The other 6 have no API — and they are the core auth ones: calling I do not think this is a flaw in the contract. It is evidence the contract has the right scope. Auth is the one subsystem where a bug breaks the entire trust boundary — it should stay in-tree with mandatory multi-reviewer scrutiny. A plugin contract that says "yes" to messaging and "no" to auth is correctly bounded. Messaging integrations are the proof caseThe same analysis applied to the WhatsApp PR (#4357) tells a completely different story:
Every seam exists. And the blast radius is self-contained — a bug in Telegram breaks Telegram, not login. Discord, Matrix, Signal follow the same pattern. The contract already covers the entire messaging integration category without a single new API. Provider PRs are the easiest winThe provider long tail (Kagi #3837, Fireworks #3279, Perplexity #3340, Astraflow #3379, Atlas-Cloud #3582) is the most mechanical, repetitive review burden. All five follow the same pattern: add a class, register it. Once @vdmkenny already called it
That is the direction. The question is not whether — it is how thin and how soon. Concrete dogfood candidate: calendar ICS@vdmkenny suggested dogfooding internally first. Calendar ICS (#3759) is the ideal first target: it needs a route (iCal fetch/webhook), settings (calendar URL, refresh interval), a sidebar item, and tools (create event, list events). Every one maps to the contract. It touches 4 different host APIs, the existing code is already in-tree to diff against, and it is small enough to port in a day. If the calendar cannot sit cleanly behind the contract, we learn that before external plugins touch it — if it can, we have proof the contract works. Bottom line: the contract has the right scope. Auth stays in-tree. Messaging and providers move behind it. Let us land the thin version in #4241, wire |
Beta Was this translation helpful? Give feedback.
-
|
@holden093's port attempt is the most useful thing here, and it quietly settles the #4241-vs-contract question. The 6 of 11 points with no API aren't an OIDC quirk, they're the measurement: a plugin contract reaches only as far as the core already exposes a seam, and the valuable features are exactly the ones that need the unexposed core hooks. So the manifest isn't the hard part, and neither is the runtime. The hard part is deciding which core capabilities become stable, supported seams. That argues for sequencing it backwards from the usual: let real port attempts enumerate the missing seams, expose those few as versioned core APIs, then let the contract bind against them. We hit the same thing defining a messaging hub as an interface first and porting components to it. The ones that needed several unexposed internals told us the interface was incomplete, not that the feature was wrong. |
Beta Was this translation helpful? Give feedback.
-
|
I want to be clear that I fully agree with the need for a plugin-based system in Odysseus. I think it is the right long-term direction. The current pattern of large, niche, or optional feature PRs landing directly in core is not sustainable. It increases review pressure, expands the maintenance and security surface, and makes future refactors harder. A plugin system gives those features a proper home without making the core team responsible for maintaining every integration indefinitely. That said, I think the important question is sequencing. I would separate plugin-based direction from public plugin-platform exposure. We can agree that Odysseus needs plugins without immediately exposing a broad third-party API before the core seams are stable. The concrete port attempts are the most useful signal here. OIDC not fitting cleanly is probably evidence that auth should stay core-owned and receive heavier review, not evidence that the plugin direction is wrong. Messaging integrations, providers, calendar-style integrations, and app-adjacent optional features seem like much better proof cases because their blast radius is smaller and they map more naturally to extension seams. So my preferred path would be:
This still moves the plugin system forward, but avoids freezing unsettled internals too early. I would like to see the first milestone framed as something like “stable internal extension seams with dogfood ports,” followed by the public plugin contract once those seams have proved themselves. I also think the review-pressure problem should stay separate. Parent trackers, clearer roadmap buckets, and stronger PR routing help regardless of plugins. But for the long-term health of the project, I do think Odysseus needs a plugin-based architecture so optional integrations can live outside core ownership instead of becoming permanent maintenance drag. |
Beta Was this translation helpful? Give feedback.
-
|
@vdmkenny @RaresKeY @Zen0-99 — I've been dogfooding the plugin contract from #4241 by building a real GitHub integration plugin on top of First, a thank you — this was genuinely the most informative experiment I've run as a sysadmin. Even though the implementation was AI-driven, understanding how a plugin contract maps to real infrastructure (git state machines, fork sync flows, rebase/merge orchestration) taught me a lot about the boundaries Odysseus draws between core and extension. The challenge of making a plugin feel native without touching core gave me a real appreciation for the design work in #4241. The plugin evolved through four phases — started as simple branch listing, ended as a full conflict resolution center with AI integration. Plugin code is ~1,700 lines, fully self-contained in AI-driven development: I'm not a frontend developer. Every line was produced by an agent reading the plugin contract. The surface is small enough that an LLM can build a real, multi-featured plugin end-to-end — that's the strongest signal I can offer that the API is learnable. Core wiring: the plugin itself needed zero core changes. Marginal fixes to the plugin host from #4241 (~50 lines across Documentation gap: since Technical summaryPhase 1 — Backend: server-side Phase 2 — Frontend UX: native dialogs replaced with Promise-based custom modals styled to the dark theme. Phase 3 — Persistence & Sync: Phase 4 — Conflict Resolution Center: three-pane modal with theme-safe colorized diff editor, LLM chat using native agent tool execution (file path only, agent reads/writes via its own tools), "Apply Fix" safety net, auto-continue chain on completion. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @vdmkenny and everyone, Solid proposal, the flood of huge PRs is exactly the kind of coordination pain I was talking about in #5092. I appreciate you laying out the plugin angle and calling out the irony with #4241 being so big itself. I agree we need to handle scope better, but I'm not convinced pushing large features out via plugins is the main answer. In a fast-moving project like this, some overlap and one PR stepping on another feels pretty normal. It's the energy that comes with lots of people building stuff. The real bottleneck I'm seeing is prioritization: we get a bunch of small fixes daily while bigger direction decisions drag, and everything ends up competing. What would help most is clearer ways for the community to rank and choose priorities (a simple feature page or voting system on key items). That would give maintainers better signals and let us focus without trying to do everything at once. Accepting that picking X might mean reworking Y later seems necessary too. On the governance side, as we scale it might be worth thinking about some lightweight bylaws or a more structured way for input (maybe something collaborative that fits the project's vibe). Direct community ranking on features feels like it could cut through a lot of the current friction. Happy to help flesh out a basic voting idea or pull together some priority examples (search quality keeps coming up for me). |
Beta Was this translation helpful? Give feedback.
-
Dogfood evidence: four small in-tree host seams from a maintained Voice Orb forkWe have now published a maintained-fork beta that dogfoods voice, bounded foreground actions, read-only Calendar context, and user-initiated camera/media lifecycle behavior against canonical This is not a request to merge the fork delta or to call the current extension work a stable plugin ABI. The fork's compatibility record deliberately keeps
Public evidence:
The product setup UI, worker adapters, and explicit Tailnet model discovery remain maintained-fork concerns; they are not part of this upstream ask. Would maintainers like these as independent PRs against |
Beta Was this translation helpful? Give feedback.


Uh oh!
There was an error while loading. Please reload this page.
-
Problem
We have a recurring flood of multi-thousand-line feature PRs landing (or trying to land) in core. A non-exhaustive snapshot of what is open right now:
Each is hard to review, grows the security and maintenance surface, and re-litigates "should this be in Odysseus." #4395 (a VS Code extension) was declined on exactly these grounds.
Two things that change the framing
odysseus-plugin.jsonmanifest, iframe/CSP-sandboxed JS, optional Python hooks, and a discovery UI. Its stated motivation matches this one. So this is less a greenfield idea than a decision about feat(plugin-system): thin contract (previously plugin system) - JSON schema, host facade, registry, reference plugin #4241.SKILLS_DIR), theintegrations/directory, and the search/LLM provider registries. Much of the pile fits one of these without new core code.Tension
#4241 is itself a ~4,900-line bespoke in-tree plugin runtime (iframe sandbox plus discovery UI). That is ironic for a "stop big in-tree PRs" goal, and it is a large new security and maintenance surface of its own.
Proposal: agree the direction before adopting a runtime
Goal
New features ship as plugins / MCP servers / out-of-tree, and the core gets lighter over time as existing integrations migrate out.
cc @pewdiepie-archdaemon @lalalune @NicholaiVogel @Michiel-VandeVelde @Bandonker @mikaelaldy @vcscsvcscs @alteixeira20 @nopoz @crazyjackel @RaresKeY @Zen0-99 (author of #4241) because this overlaps the Stabilization v1 milestone (#3163) and maintainer-owned direction.
Beta Was this translation helpful? Give feedback.
All reactions