Registry ownership checks
When a plugin repository is added at plugins.jolter.dev, the registry verifies:- the signed-in user owns the selected personal repository, or the selected organization has granted access through the Jolter GitHub App;
- the repository contains a root
plugin.json; plugin.json#$schemaishttps://schemas.jolter.dev/plugin/v1/schema.jsonwhen present;plugin.json#namematches the canonical registry owner scope and slug;plugin.json#repository.urlpoints to the selected GitHub repository.
Release checks
When a release is registered, the registry verifies:- the GitHub token or Jolter bearer token is allowed to publish for the registered repository;
- the GitHub release exists;
- the release tag matches
v<version>; - the release contains
plugin.release.json,plugin.wasm, andchecksums.txt; plugin.release.json#$schemaishttps://schemas.jolter.dev/plugin-release/v1/schema.jsonwhen present;- root and release manifests agree on name and repository;
- the release manifest tag matches the GitHub release tag;
- the release entrypoint file exists as a release asset;
- the WASM asset size and SHA-256 match the release manifest;
- provided tool names are lowercase;
- requested filesystem scopes are supported;
- shell command execution is not requested.
Install checks
During plugin installation, Jolter verifies the selected release manifest and WASM entrypoint before storing the plugin underJOLTER_HOME/plugins.
When a plugin resolves a tool release, Jolter expects:
| Field | Requirement |
|---|---|
version | Semantic version, including prereleases when the provider supports them |
url | HTTPS artifact URL |
sha256 | Lowercase 64-character SHA-256 |
archiveFormat | tar.gz or zip |
stripComponents | Non-negative integer |
commands | Non-empty lowercase command list |
JOLTER_HOME/plugin-tools.
Permissions
Jolter plugin v1 does not allow shell execution from the plugin manifest:Aliases and verification
Custom aliases are admin reviewed. A pending or rejected alias does not resolve. Registry verification is also controlled by registry administrators. It is a trust signal for registry metadata and ownership review, not a guarantee that every tool artifact produced by the plugin is harmless.CI guidance
Use--yes only after plugin requirements are reviewed:
- do not share a writable
JOLTER_HOMEwith trusted jobs; - prefer preinstalled plugins or a read-only cache from a trusted branch;
- review
jolter.json, workflow files, and registry overrides together.
Non-goals
Jolter cannot protect against:- a compromised registry serving valid metadata for a malicious release;
- a malicious plugin returning valid integrity metadata for a malicious tool artifact;
- an attacker with write access to
JOLTER_HOME; - arbitrary code intentionally run by a selected tool;
- secrets exposed by the surrounding shell, proxy, or CI environment.