Plugin descriptors
What you'll find here
The craik.plugin_descriptor contract — governed plugin metadata
that declares needs without granting runtime authority.
Declarations, not authorizations.
Descriptors do not authorize execution, file writes, network access,
memory access, or GitHub operations. Runtime authority remains in
craik.capability_grant and must be checked before a runner invokes
plugin behavior.
What it records
Identity
id · name · publisher · plugin_version.
Trust boundary
Where the descriptor is valid: project, repository, organization, user, or external.
Entrypoints
Command · module · workflow · service · docs paths exposed by the plugin.
Capability declarations
Requested capabilities · operations · targets · risk · whether an explicit grant is required.
Docs and security notes
Required for review.
Compatibility metadata
Craik versions · Python versions · platforms · support status.
Optional links
To skill packages and provenance records.
Validation
Craik rejects descriptors that:
Omit required fields
Entrypoints · capabilities · docs · security notes · compatibility metadata.
Use a non-version-like plugin_version
Use non-version-like Craik compatibility entries
Compatibility uses semantic-version-like Craik versions.
Set runtime_authority to true
Declare high or critical risk capabilities
Without requiring explicit grants.
Request grants without boundaries
Grant-required capabilities must name operations and targets.
This keeps plugin discovery and review independent from policy decisions about what the current run is allowed to do.
Supported descriptors must also declare Python versions and platforms. Unsupported descriptors must include notes explaining the boundary so operators know whether the plugin is intentionally unavailable or just underspecified.
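The rejection rules above, written out as a small checker. This is an added example, not Craik's own validator: only plugin_version and runtime_authority are key names taken from this page, and every other key, the version pattern, the support_status values, and the sample descriptors are assumptions made for illustration.

```python
import re

# Assumed key names; only plugin_version and runtime_authority appear on the page.
REQUIRED = ("entrypoints", "capabilities", "docs", "security_notes", "compatibility")
VERSION_RE = re.compile(r"^\d+\.\d+(\.\d+)?([-+][0-9A-Za-z.-]+)?$")  # assumed "version-like" pattern

def validate_descriptor(d):
    """Return rejection reasons; an empty list means accepted. Acceptance grants no authority."""
    errors = [f"missing required field: {k}" for k in REQUIRED if not d.get(k)]
    if not VERSION_RE.match(str(d.get("plugin_version", ""))):
        errors.append("plugin_version is not version-like")
    if d.get("runtime_authority") is True:
        errors.append("runtime_authority must not be true")
    compat = d.get("compatibility") or {}
    for v in compat.get("craik_versions", []):
        if not VERSION_RE.match(str(v)):
            errors.append(f"craik version is not version-like: {v}")
    status = compat.get("support_status")  # assumed values: "supported" / "unsupported"
    if status == "supported":
        errors += [f"supported descriptor must declare {k}"
                   for k in ("python_versions", "platforms") if not compat.get(k)]
    elif status == "unsupported" and not compat.get("notes"):
        errors.append("unsupported descriptor must include notes")
    for cap in d.get("capabilities") or []:
        name = cap.get("capability", "?")
        needs_grant = cap.get("requires_explicit_grant") is True
        if cap.get("risk") in ("high", "critical") and not needs_grant:
            errors.append(f"{name}: high/critical risk requires an explicit grant")
        if needs_grant and not (cap.get("operations") and cap.get("targets")):
            errors.append(f"{name}: grant-required capability must name operations and targets")
    return errors

# Constructed sample descriptors (not real Craik plugins).
GOOD = {
    "id": "example.lint", "name": "Example Lint", "publisher": "example",
    "plugin_version": "1.2.0", "runtime_authority": False,
    "entrypoints": {"command": "example-lint"},
    "capabilities": [{"capability": "fs.read", "operations": ["read"], "targets": ["repo"],
                      "risk": "high", "requires_explicit_grant": True}],
    "docs": "docs/lint.md", "security_notes": "Reads repository files only.",
    "compatibility": {"craik_versions": ["0.4.0"], "python_versions": ["3.11"],
                      "platforms": ["linux"], "support_status": "supported"},
}
BAD = dict(GOOD, plugin_version="latest", runtime_authority=True,
           capabilities=[{"capability": "net.fetch", "risk": "critical",
                          "requires_explicit_grant": False}])

if __name__ == "__main__":
    print(validate_descriptor(GOOD), validate_descriptor(BAD), sep="\n")
```

An empty result only means the descriptor is well-formed for discovery and review; a runner still has to check craik.capability_grant before invoking plugin behavior.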