{"id":46849538,"url":"https://github.com/arediss/simplyterm-plugin-registry","last_synced_at":"2026-03-10T16:27:03.952Z","repository":{"id":338010102,"uuid":"1152903337","full_name":"arediss/simplyterm-plugin-registry","owner":"arediss","description":null,"archived":false,"fork":false,"pushed_at":"2026-02-12T11:39:55.000Z","size":25,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-12T20:06:41.662Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/arediss.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-08T16:04:08.000Z","updated_at":"2026-02-12T11:39:57.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/arediss/simplyterm-plugin-registry","commit_stats":null,"previous_names":["arediss/simplyterm-plugin-registry"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/arediss/simplyterm-plugin-registry","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arediss%2Fsimplyterm-plugin-registry","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arediss%2Fsimplyterm-plugin-registry/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arediss%2Fsimplyterm-plugin-registry/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/arediss%2Fsimplyterm-plugin-registry/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/arediss","download_url":"https://codeload.github.com/arediss/simplyterm-plugin-registry/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arediss%2Fsimplyterm-plugin-registry/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30342168,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-10T15:55:29.454Z","status":"ssl_error","status_checked_at":"2026-03-10T15:54:58.440Z","response_time":106,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-03-10T16:26:58.696Z","updated_at":"2026-03-10T16:27:03.943Z","avatar_url":"https://github.com/arediss.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# SimplyTerm Plugin Registry\n\nOfficial plugin registry for [SimplyTerm](https://github.com/arediss/SimplyTerm). The app fetches `plugins.json` to discover, install, and update plugins from this registry.\n\n---\n\n## Table of contents\n\n- [How it works](#how-it-works)\n- [Publishing a plugin](#publishing-a-plugin)\n  - [1. Create your plugin repository](#1-create-your-plugin-repository)\n  - [2. Create a GitHub Release](#2-create-a-github-release)\n  - [3. 
Submit to the registry](#3-submit-to-the-registry)\n- [Updating your plugin](#updating-your-plugin)\n- [Security model](#security-model)\n  - [How the review process works](#how-the-review-process-works)\n  - [Integrity verification (SHA256 checksum)](#integrity-verification-sha256-checksum)\n  - [Permission tracking](#permission-tracking)\n- [Permissions reference](#permissions-reference)\n- [Available categories](#available-categories)\n- [Registry URL](#registry-url)\n\n---\n\n## How it works\n\n```mermaid\nflowchart LR\n    A[\"repos.json\\n(source of truth)\"] --\u003e B[\"GitHub Action\\n(daily or on push)\"]\n    B --\u003e C[\"Fetch manifest.json\\nfrom each repo\"]\n    C --\u003e D[\"Download plugin.zip\\nfrom latest release\"]\n    D --\u003e E[\"Compute SHA256\\nchecksum\"]\n    E --\u003e F[\"Open Pull Request\\nwith diff \u0026 warnings\"]\n    F --\u003e G[\"Owner reviews\\n\u0026 merges\"]\n    G --\u003e H[\"plugins.json\\n(published)\"]\n```\n\nThe registry is built around three files:\n\n| File | Role | Who edits it |\n|------|------|-------------|\n| `repos.json` | List of approved plugin repositories + their approved permissions | You (via PR) |\n| `plugins.json` | Full plugin index with metadata, download URLs, and checksums | GitHub Action (auto-generated) |\n| `update-registry.yml` | Workflow that fetches, verifies, and proposes updates | Nobody (runs automatically) |\n\nThe key principle: **no plugin code reaches users without a human review.** Every change goes through a Pull Request.\n\n---\n\n## Publishing a plugin\n\n### 1. 
Create your plugin repository\n\nYour repo must contain a `manifest.json` at the root:\n\n```json\n{\n  \"id\": \"com.yourname.your-plugin\",\n  \"name\": \"Your Plugin\",\n  \"version\": \"1.0.0\",\n  \"api_version\": \"1.0.0\",\n  \"description\": \"A short description of what your plugin does\",\n  \"author\": \"Your Name\",\n  \"license\": \"MIT\",\n  \"category\": \"tools\",\n  \"keywords\": [\"keyword1\", \"keyword2\"],\n  \"permissions\": [\"ui_notifications\"],\n  \"main\": \"index.js\"\n}\n```\n\n**Fields:**\n\n| Field | Required | Description |\n|-------|----------|-------------|\n| `id` | Yes | Unique identifier in reverse domain notation (`com.yourname.plugin-name`) |\n| `name` | Yes | Display name shown in the plugin browser |\n| `version` | Yes | Semver version (`major.minor.patch`) |\n| `api_version` | Yes | Minimum SimplyTerm API version required (currently `1.0.0`) |\n| `description` | Yes | Short description of what the plugin does |\n| `author` | Yes | Author name |\n| `license` | No | SPDX license identifier (e.g., `MIT`, `GPL-3.0`) |\n| `category` | No | One of the [available categories](#available-categories) |\n| `keywords` | No | Array of search keywords |\n| `permissions` | Yes | Array of [permissions](#permissions-reference) your plugin needs |\n| `main` | Yes | Entry point file (usually `index.js`) |\n\n### 2. Create a GitHub Release\n\nPackage your plugin files into a zip and attach it to a GitHub Release:\n\n```bash\n# Create the zip (include all plugin files)\nzip plugin.zip manifest.json index.js\n\n# Create a release using the GitHub CLI\ngh release create v1.0.0 plugin.zip --title \"v1.0.0\" --notes \"Initial release\"\n```\n\n\u003e **Important:** Name the zip asset **`plugin.zip`** so the registry can find it automatically. If the asset has a different name, the registry will look for any `.zip` file as a fallback.\n\n### 3. 
Submit to the registry\n\nOpen a Pull Request on this repository adding your plugin to `repos.json`:\n\n```json\n{\n  \"plugins\": [\n    {\n      \"repository\": \"yourname/your-plugin-repo\",\n      \"approved_permissions\": [\"ui_notifications\"]\n    }\n  ]\n}\n```\n\nThe `approved_permissions` array must match the `permissions` in your `manifest.json`. The registry owner will:\n\n1. Review your plugin source code\n2. Verify the permissions are justified\n3. Merge the PR\n\nOnce merged, the GitHub Action picks up your plugin and adds it to `plugins.json` on its next run.\n\n---\n\n## Updating your plugin\n\nTo publish a new version:\n\n1. Update `version` in your `manifest.json`\n2. Create a new `plugin.zip` with the updated files\n3. Create a new GitHub Release with the zip attached\n\n```bash\nzip plugin.zip manifest.json index.js\ngh release create v1.1.0 plugin.zip --title \"v1.1.0\" --notes \"What changed\"\n```\n\n**That's it.** The registry Action will:\n\n- Detect the new version on its next run (daily at 6:00 UTC, or trigger it manually)\n- Download the new `plugin.zip` and compute its SHA256 checksum\n- Open a Pull Request with a summary like:\n\n```markdown\n## Registry Update\n### Changes\n- **Your Plugin**: `1.0.0` → `1.1.0` (repo | release)\n```\n\nThe update will only reach users **after the PR is reviewed and merged**.\n\n\u003e **If you change permissions** (e.g., add `shell_execute`), the PR will include a security warning. You'll need to update `approved_permissions` in `repos.json` as well.\n\n---\n\n## Security model\n\nSimplyTerm takes plugin security seriously. The registry implements multiple layers of protection to ensure that users only install verified, reviewed code.\n\n### How the review process works\n\n```mermaid\nsequenceDiagram\n    participant Dev as Developer\n    participant Reg as Registry\n    participant User as User\n\n    Note over Dev,User: Initial submission\n    Dev-\u003e\u003eReg: 1. 
Submits PR (new plugin)\n    Reg-\u003e\u003eReg: 2. Owner reviews code + permissions\n    Reg-\u003e\u003eReg: 3. Merges PR → plugins.json updated\n\n    Note over Dev,User: Plugin update\n    Dev-\u003e\u003eReg: 4. Publishes new GitHub release\n    Reg-\u003e\u003eReg: 5. Action opens PR with checksum + diff\n    Reg-\u003e\u003eReg: 6. Owner reviews \u0026 merges\n\n    Note over Dev,User: Installation\n    User-\u003e\u003eReg: 7. Installs or updates plugin\n    Reg--\u003e\u003eUser: Sends plugin.zip + checksum\n    User-\u003e\u003eUser: Verifies SHA256\n    alt Checksum matches\n        User-\u003e\u003eUser: Install plugin\n    else Checksum mismatch\n        User-\u003e\u003eUser: Reject install\n    end\n```\n\nNo code reaches users without passing through steps 2-3 (initial) or 5-6 (updates).\n\n### Integrity verification (SHA256 checksum)\n\nEvery plugin zip has a SHA256 checksum that guarantees the file hasn't been tampered with.\n\n**What is a SHA256 checksum?**\n\nIt's a cryptographic fingerprint of a file. Feed any file into the SHA256 algorithm and you get a 64-character hex string that is, for all practical purposes, unique to that file's contents. Change even a single byte in the file and the hash changes completely.\n\n```\nplugin.zip (original)       → sha256 → a1b2c3d4e5f6...\nplugin.zip (1 byte changed) → sha256 → 9f8e7d6c5b4a... 
(completely different)\n```\n\n**How SimplyTerm uses it:**\n\n```mermaid\nflowchart TD\n    A[\"GitHub Action downloads\\nplugin.zip from release\"] --\u003e B[\"Computes SHA256 hash\"]\n    B --\u003e C[\"Stores hash in plugins.json\\nchecksum: 'a1b2c3...'\"]\n    C --\u003e D[\"Owner reviews PR\\nand merges\"]\n    D --\u003e E[\"User installs plugin\"]\n    E --\u003e F[\"Client downloads\\nplugin.zip\"]\n    F --\u003e G[\"Client computes\\nSHA256 hash\"]\n    G --\u003e H{\"Hashes\\nmatch?\"}\n    H -- Yes --\u003e I[\"Plugin installed\"]\n    H -- No --\u003e J[\"Install rejected\\nPossible tampering\"]\n\n    style I fill:#a6e3a1,color:#1e1e2e\n    style J fill:#f38ba8,color:#1e1e2e\n```\n\n**What this protects against:**\n\n- A compromised CDN serving a modified zip\n- A man-in-the-middle attack altering the download\n- A developer replacing a release asset after the registry approved it\n\n\u003e **Note:** The SimplyTerm client **requires** a checksum. If `plugins.json` has `\"checksum\": null`, the install will be rejected.\n\n### Permission tracking\n\nPlugins declare the permissions they need in `manifest.json`. The registry tracks which permissions were approved.\n\n**How it works:**\n\n1. When you submit a plugin, you list its permissions in `repos.json` under `approved_permissions`\n2. The GitHub Action compares the manifest's `permissions` with `approved_permissions` on every run\n3. If they don't match (e.g., a new version added `vault_read`), the PR includes a warning:\n\n```markdown\n### ⚠ Security Warnings\n⚠ **Your Plugin** (yourname/your-repo): permissions changed!\n  - Approved: `ui_notifications`\n  - Current:  `ui_notifications,vault_read`\n```\n\n4. 
The owner must update `approved_permissions` in `repos.json` if the new permissions are justified\n\n**Why this matters:** A plugin that initially only needed `ui_notifications` could silently add `terminal_read` + `network_http` in an update, allowing it to read SSH passwords and send them to a remote server. Permission tracking catches this.\n\n---\n\n## Permissions reference\n\nPlugins must declare every permission they need. Users see these permissions in an approval dialog before enabling the plugin.\n\n### Low risk (read-only, non-sensitive)\n\n| Permission | Description |\n|-----------|-------------|\n| `sessions_read` | Read saved sessions and their configuration |\n| `sessions_metadata_read` | Read plugin-specific session metadata |\n| `folders_read` | Read folder organization structure |\n| `vault_status` | Check if the secure vault is locked or unlocked |\n| `settings_read` | Read application settings and preferences |\n| `recent_read` | Read recently used sessions history |\n| `events_subscribe` | Listen to application events |\n| `fs_read` | Read files from plugin data directory |\n| `bastions_read` | Read bastion/jump host profiles |\n| `known_hosts_read` | Read SSH known hosts entries |\n\n### Medium risk (write access or network)\n\n| Permission | Description |\n|-----------|-------------|\n| `sessions_write` | Create, modify, and delete saved sessions |\n| `sessions_metadata_write` | Write plugin-specific session metadata |\n| `folders_write` | Create, modify, and delete folders |\n| `settings_write` | Modify application settings and preferences |\n| `recent_write` | Modify recently used sessions history |\n| `events_emit` | Send custom events to other plugins |\n| `network_http` | Make HTTP/HTTPS requests to remote servers |\n| `network_websocket` | Establish WebSocket connections |\n| `fs_write` | Write files to plugin data directory |\n| `terminal_read` | Read terminal output |\n| `clipboard_read` | Read content from system clipboard |\n| 
`clipboard_write` | Write content to system clipboard |\n| `bastions_write` | Create, modify, and delete bastion profiles |\n| `known_hosts_write` | Manage SSH known hosts entries |\n| `vault_export_encrypted` | Export the encrypted vault bundle for sync/backup |\n| `vault_import_encrypted` | Import and overwrite the encrypted vault bundle |\n| `ui_notifications` | Display system notifications |\n| `ui_panels` | Register custom panels in the interface |\n| `ui_commands` | Register commands in the command palette |\n| `ui_modals` | Display modal dialogs |\n| `ui_sidebar` | Register sections in the sidebar |\n| `ui_context_menu` | Add items to context menus |\n| `ui_menu` | Add items to application menus |\n| `ui_settings` | Add a settings panel in preferences |\n\n### High risk (sensitive data or system access)\n\nThese permissions trigger a warning in the user's approval dialog.\n\n| Permission | Description |\n|-----------|-------------|\n| `sessions_connect` | Initiate connections to remote hosts |\n| `vault_read` | Read encrypted data from the secure vault |\n| `vault_write` | Store encrypted data in the secure vault |\n| `shell_execute` | Execute shell commands on the local system |\n| `terminal_write` | Write data to terminal sessions |\n\n\u003e **Tip:** Only request the permissions your plugin actually needs. 
Requesting unnecessary high-risk permissions will make users less likely to install your plugin.\n\n---\n\n## Available categories\n\n| Category | Description |\n|----------|-------------|\n| `themes` | Visual themes and color schemes |\n| `productivity` | Workflow and productivity tools |\n| `security` | Security and credential management |\n| `devops` | DevOps and infrastructure tools |\n| `tools` | General-purpose utilities |\n\n---\n\n## Automatic cleanup\n\nThe Action automatically removes plugins from the registry when their repository is:\n\n- **Deleted** (404)\n- **Archived**\n\nThis keeps the registry clean without manual intervention.\n\n---\n\n## Registry URL\n\n```\nhttps://arediss.github.io/simplyterm-plugin-registry/plugins.json\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farediss%2Fsimplyterm-plugin-registry","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Farediss%2Fsimplyterm-plugin-registry","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farediss%2Fsimplyterm-plugin-registry/lists"}