
stacklok / toolhive / 28384795303

29 Jun 2026 03:50PM UTC coverage: 67.381% (-0.002%) from 67.383%

push

github

web-flow
Add plugin core service, validation, and storage (Phase 2, THV-0077) (#5676)

* Add plugin core service, validation, and storage (Phase 2, THV-0077)

Stand up the plugin distribution layer's foundation: types, manifest
parser, validator, the build/push/validate/content service, and SQLite
storage. Mirrors pkg/skills and pkg/skills/skillsvc file-for-file,
substituting toolhive-core's oci/plugins package for oci/skills.

Phase 2 implements only the build/push/validate/list-builds/delete-build/
get-content surface on pluginsvc.New (returning plugins.PluginService).
Install/uninstall/list/info and the MaterializationAdapter are declared
in the issue but land in Phase 3 (#5527); REST API and CLI are Phase 4
(#5528). App wiring is deferred to Phase 4 — this lands the library and
storage layer plus the migration, which applies to the shared DB on
existing deployments.

Storage introduces a typed EntryType ("skill"/"plugin") replacing the
stringly-typed entry_type literal in skill_store.go, and a new 002
migration adding installed_plugins + plugin_dependencies off the existing
entries table (reusing, not redefining, its UNIQUE(entry_type, name)).

Exit gate tests: parser/validator units (keywords-must-be-array type
mismatch, component-path traversal rejection, bundled-skill validation
reuse), packager determinism via the service, migration up/down, and a
build→push round-trip against a mock OCI registry.

Part of stacklok/toolhive#5525
Refs RFC stacklok/toolhive-rfcs#77

* Address panel review round 2 findings

Narrow PluginService to the 6 Phase-2 methods and drop the unused store
param from pluginsvc.New (now an option, WithStore, for Phase 3). Round-1
declared the full 10-method interface but *service only implemented 6,
making var s plugins.PluginService = pluginsvc.New(...) a compile error.

Backfill test gaps the QA reviewer flagged:
- parser symlink/oversize guards (security-relevant TOCTOU/bomb paths)
- validateLocalPath null-byte rejection
- List ORD... (continued)

779 of 1138 new or added lines in 14 files covered. (68.45%)

14 existing lines in 4 files now uncovered.

70505 of 104637 relevant lines covered (67.38%)

62.64 hits per line

Source File

83.75
/pkg/plugins/parser.go


Source Not Available
