Extension Model
Extensions are brokered subjects, not ambient plugins.
Runtime taxonomy follows SPEC-012:
core / first-party module / plugin / external adapter / UI shell / distribution
Every extension declares requested permissions in a manifest. Kratos evaluates the request against the core capability broker before any extension can receive authority.
An extension must not:
- read arbitrary files
- open arbitrary sockets
- read raw environment secrets without a brokered grant
- spawn arbitrary processes
- mutate git without approval
- bypass audit
- grant itself authority
Implemented v0 surfaces:
mnemos extensions parse MANIFEST
mnemos extensions admit MANIFEST [--actor ACTOR] [--home PATH]
mnemos extensions list [--home PATH]
mnemos doctor --project PROJECT
Manifest v0 supports JSON and a constrained TOML subset. Admission stores the extension descriptor, bridge adapter rows, sandbox provider rows, UI panel rows, capability decisions, approval requests, and event/audit records in SQLite.
Boundary checks enforced by the parser:
- memory connectors must declare Mnemos as the internal substrate
- workflow packs must compile into FlowIR
- skill packs must route through the Resource Catalog
- MCP/ACP bridges must declare peer protocol and version
- sandbox providers must declare process/filesystem/network constraints
- UI panels must declare sandboxed capability routes and no direct authority API
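The boundary checks listed above, sketched as a fail-closed validator over a JSON manifest. This is an added example, not the project's parser: the page does not show the manifest v0 schema, so the `components` list, the `kind` values, and every field name here are hypothetical.

```python
import json

# Hypothetical field names: the page does not show the manifest v0 schema.
# kind -> list of (field, predicate, message when the check fails)
RULES = {
    "memory_connector": [("substrate", lambda v: v == "mnemos",
                          "must declare Mnemos as the internal substrate")],
    "workflow_pack": [("compiles_to", lambda v: v == "FlowIR",
                       "must compile into FlowIR")],
    "skill_pack": [("route", lambda v: v == "resource_catalog",
                    "must route through the Resource Catalog")],
    "bridge": [("peer_protocol", lambda v: v in ("MCP", "ACP"),
                "must declare peer protocol"),
               ("peer_version", lambda v: isinstance(v, str) and v != "",
                "must declare peer protocol version")],
    "sandbox_provider": [(k, lambda v: isinstance(v, dict), f"must declare {k} constraints")
                         for k in ("process", "filesystem", "network")],
    "ui_panel": [("capability_routes", lambda v: isinstance(v, list) and len(v) > 0,
                  "must declare sandboxed capability routes"),
                 ("direct_authority_api", lambda v: v is False,
                  "must declare no direct authority API")],
}

def check_boundaries(manifest_text):
    """Return boundary violations; an empty list means the manifest passes."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return [f"manifest: invalid JSON ({exc.msg})"]
    components = manifest.get("components") if isinstance(manifest, dict) else None
    if not isinstance(components, list):
        return ["manifest: 'components' must be a list"]
    errors = []
    for i, comp in enumerate(components):
        kind = comp.get("kind") if isinstance(comp, dict) else None
        if not isinstance(kind, str) or kind not in RULES:
            # Fail closed (a choice of this example): unknown kinds are rejected.
            errors.append(f"components[{i}]: unknown kind {kind!r}")
            continue
        for field, ok, msg in RULES[kind]:
            if not ok(comp.get(field)):
                errors.append(f"components[{i}] ({kind}): {msg}")
    return errors

# Constructed sample manifests.
GOOD = '{"components": [{"kind": "bridge", "peer_protocol": "MCP", "peer_version": "1.0"}]}'
BAD = ('{"components": [{"kind": "ui_panel", "capability_routes": ["notes.read"]},'
       ' {"kind": "sandbox_provider", "process": {}, "filesystem": {}}]}')
```

A missing declaration is treated the same as a wrong one: the UI panel in `BAD` fails because it never states `direct_authority_api: false`, and the sandbox provider fails because it omits network constraints.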
Runtime execution of extension-provided tools remains blocked unless a later authority slice connects execution dispatch to approved extension grants.