BMUX Plugin Architecture

Design principles

1. Core is domain-agnostic. packages/server, packages/client, packages/ipc, packages/session, packages/terminal, and packages/event must contain no domain-specific logic — no windows, sessions, contexts, clients, panes, or permissions concepts should appear in type names, fields, operations, or event names. Plugins own all product concepts. Runtime core scope also includes packages/cli/src/runtime/** (Option B boundary). Plugin infrastructure (packages/plugin-sdk, packages/plugin, packages/plugin-schema, packages/plugin-schema-macros) must also stay domain-agnostic — they provide only generic host primitives (storage, log, recording, capability scopes, service dispatch).
2. Plugins are composable and typed. Plugins declare their public API in BPDL (see bpdl-spec.md). Other plugins consume those APIs as typed Rust traits generated at compile time.
3. Easy to write simple plugins, powerful enough for complex ones. A minimal plugin is ~30 lines of Rust. Rich plugins like the windows plugin compose naturally with other plugins through the typed service and event systems. Any domain feature should be built in a plugin unless there is a strong reason for core runtime plumbing.
4. Rust-first, language-agnostic. Rust gets the most ergonomic SDK because in-tree plugins are native Rust. The BPDL schema and the underlying serialized envelope (ServiceRequest / ServiceResponse) are language-agnostic; non-Rust plugins can implement the same wire format and gain full inter-plugin capabilities.

Crate topology

Core (domain-agnostic)

Plugins

1. <name>-plugin-api — the stable typed contract. Generated from a .bpdl file via bmux_plugin_schema_macros::schema!. Contains no runtime logic. It may expose generated service/client/event modules, stable wire/model types, schema tests, and intentional re-exports from neutral primitive crates. Consumers of the plugin depend on this crate alone.
2. <name>-plugin — the implementation. Depends on its -api crate and whatever other APIs it consumes. Registered with the host at runtime.

• plugins/sessions-plugin-api + plugins/sessions-plugin (owns session lifecycle: list, create, kill, select).
• plugins/contexts-plugin-api + plugins/contexts-plugin (owns context state: list, create, select, close, current).
• plugins/clients-plugin-api + plugins/clients-plugin (owns per-client identity, selected session, follow state).
• plugins/windows-plugin-api + plugins/windows-plugin (owns pane / window / tab lifecycle; exposes state queries, commands, events).
• plugins/decoration-plugin-api + plugins/decoration-plugin (owns pane visual styling; depends on windows-plugin-api).
• plugins/pane-runtime-plugin-api + plugins/pane-runtime-plugin (owns pane/session runtime orchestration, attach lifecycle, and attach-view queries — see “Pane-runtime ownership” below).
• plugins/permissions-plugin (owns role/permission policy).
• plugins/cluster-plugin (owns multi-session input broadcasting).

Pane-runtime ownership

• pane-runtime-commands — split-pane, launch-pane, focus-pane, resize-pane, close-pane, restart-pane, zoom-pane, pane-direct-input, new-session-with-runtime, kill-session-runtime, restore-session-runtime. Each handler performs its own permission check through the sessions-plugin’s session-policy-state::check typed service, runs the SessionRuntimeManagerHandle operation, and publishes the corresponding Event::* through the registered WireEventSinkHandle.
• pane-runtime-state — list-panes (session_id is optional; unset resolves via FollowState::selected_session(caller_client_id)) and get-pane.
• attach-runtime-commands — attach-session, attach-context, attach-open, attach-input, attach-output, attach-set-viewport, detach, set-client-attach-policy. The plugin owns attach-token issuance, runtime begin/end attach, FollowState::attached_stream_session, and per-client attach_detach_allowed policy.
• attach-runtime-state — attach-layout-state, attach-snapshot-state, attach-pane-snapshot-state, attach-pane-output-batch, attach-pane-images (serialized as JSON-encoded Vec<AttachPaneImageDelta>).

Host runtime surface for plugins

• ServiceCaller — the generic dispatch primitive. Provides call_service_raw, call_service, and execute_kernel_request. Domain-agnostic: takes interface ids and operation names as opaque strings.
• HostRuntimeApi — generic convenience methods only. Covers core_cli_command_run_path, plugin_command_run, storage_get, storage_set, log_write, recording_write_event. No domain methods (pane_*, session_*, context_*, current_client) exist on this trait.

Host state registry

Persistence

Combined envelope format

StatefulPlugin participants

Orchestrator

• path: Option<PathBuf> — snapshot file location (None = disabled).
• dirty_flag: Arc<SnapshotDirtyFlag> — atomic bit flipped by server on every state change.
• stateful_registry: Arc<RwLock<StatefulPluginRegistry>> — the process-wide registry of participants.

IPC wiring

Offline path (offline_kill_sessions)

Boundary properties

• packages/server carries zero snapshot-schema types. Every persistence interaction is one trait-object dispatch through SnapshotOrchestratorHandle.
• packages/server/src/persistence.rs does not exist; the whole legacy SnapshotV4 + SnapshotManager pipeline was deleted.
• Plugin-api crates own the wire format (envelope + sections) and the offline utility. Plugin impl crates own the orchestrator, the debounce thread, and the atomic file I/O.
• CLI drives both paths: online via the SnapshotOrchestratorHandle IPC dispatch, offline via the offline_snapshot module.

Interaction patterns

1. Query (query): synchronous read-only lookup. E.g. WindowsState::pane_state(id) -> PaneState?.
2. Command (command): write / mutating call. May fail with a typed error. E.g. WindowsCommands::focus_pane(id) -> result<unit, focus-error>.
3. Event (events): pub/sub stream with per-interface ordering. Publishers emit typed events; subscribers receive them via the plugin host’s event bus.
4. Future: resources (long-lived typed handles), richer streams.

Event bus

Context model (canonical)

What a context represents

• pane tree/layout
• focused pane
• attach routing target
• per-context runtime/view state

Identity and sharing

• ContextId is globally unique (UUID).
• Contexts are shareable across plugins.
• Core does not hardcode one plugin as owner of contexts.

Attributes

• core.* reserved for core-defined keys
• <plugin_id>.* for plugin-defined keys

Session relationship

• Contexts are not always scoped to sessions.
• Core should support contexts as first-class resources without mandatory session ownership.
• Session behavior may itself become plugin-owned in the future.

Activation and close semantics

• On close of the active context, select the most-recent-active context (MRU).
• ContextClose supports force.

Plugin API direction

Command outcome contract

Scene and rendering

• rect — outer bounds.
• content_rect — the PTY interior (authoritative; renderer, PTY sizer, image compositor, and mouse hit-tester all read this field).
• interactive_regions — named sub-rectangles owned by a plugin that route mouse events back to the declaring plugin.

Mouse dispatch (architecture)

1. Hit-test identifies the topmost AttachSurface containing the click.
2. If the click is inside content_rect, core encodes the click in the pane’s mouse protocol and forwards the bytes to the PTY.
3. If the click is inside an interactive_region, core emits a SurfaceRegionClicked plugin event targeting the region’s owning_plugin_id. The owning plugin’s subscribers react. (This path is scaffolded — the event stream carries the required data — and will be wired into full region-click dispatch in a follow-up.)

Mouse gestures (config)

• click_left
• hover_focus
• scroll_up
• scroll_down

Permissions and policy

• Enforcement is config/policy-file driven and non-interactive for now.
• No interactive permission prompts at this stage (may be added later).
• Policy actions should be explicit, no aliases.

• context.create
• context.select
• context.close
• context.list

Windows plugin mapping

• new-window creates a context
• switch/next/prev/last-window select contexts
• kill-window closes a context
• ctrl-a c immediately switches attach context to the newly created context

Core defaults when plugins are missing

• Windows plugin missing: baseline single-terminal attach / session / pane flow still works. Core falls back to painting a default 1-cell border in the renderer (packages/attach_pipeline/src/render.rs).
• Permissions plugin missing: permissive single-user behavior.
• Decoration plugin missing: surfaces render with content_rect == rect - 1 on each side and the renderer paints the default ASCII border. A follow-up will let the scene producer emit content_rect == rect (no chrome) when no decoration plugin is present, and have the renderer no-op on border painting.

Writing a plugin

1. Write your BPDL schema (bpdl/my-plugin.bpdl):
   plugin my.example version 1; interface my-state { query hello(name: string) -> string; }
2. Create the API crate (my-plugin-api/src/lib.rs):
   bmux_plugin_schema_macros::schema!("bpdl/my-plugin.bpdl");
3. Create the impl crate (my-plugin/src/lib.rs):
   use my_plugin_api::my_state::MyState; pub struct MyPlugin; impl MyState for MyPlugin { fn hello(&self, name: String) -> Pin<Box<dyn Future<...>>> { Box::pin(async move { format!("hello {name}") }) } }
4. Register with the host (via the existing plugin-sdk registration macros). Consumers import my_plugin_api and use the trait generically.

Guardrails and validation

• runtime_production_code_is_domain_agnostic — CLI runtime files reference only generic service/plugin APIs.
• core_packages_do_not_reference_domain_plugin_markers — core crates (server, client, session/models, event, event/models) don’t reference windows/permissions interface ids or legacy IPC request variants.
• plugin_production_code_uses_generic_host_api_only — bundled plugins reach core via ServiceCaller::execute_kernel_request or plugin-api crates, not raw IPC.
• event_core_crate_has_no_domain_event_types — the packages/event crates carry no SessionEvent/PaneEvent/ClientEvent/InputEvent enums or helper constructors.
• event_models_crate_has_no_domain_dependencies — bmux_event_models never depends on bmux_session_models or bmux_terminal_models.
• client_core_crate_has_no_domain_convenience_methods — the IPC client library exposes no new_session/list_contexts/split_pane/ etc. convenience methods; callers route through BmuxClient::invoke_service_raw with typed plugin-api payloads.
• cli_crate_does_not_reexport_domain_types — packages/cli/src/lib.rs doesn’t re-export SessionId/SessionManager/TerminalInstance/etc.
• bmux_umbrella_has_no_domain_reexports — the top-level bmux crate re-exports only domain-agnostic building blocks.
• session_models_is_minimal — packages/session/models carries only the minimum types the server still needs (SessionId, ClientId, Session, SessionInfo). Dead types (LayoutError, PaneError, ClientError, ClientInfo, SessionError, PaneId) are deleted and can’t be reintroduced.

• Required validation for runtime/code changes follows AGENTS.md.

Routing policy (config)

• exact path claim takes precedence over namespace claim
• conflicting plugin claims fail startup
• unmet required claims fail startup

Compatibility policy

• Pre-baseline plugin command bridge behavior is intentionally unsupported (clean break).
• Current baseline is versioned and explicit:
  • capability: bmux.commands
  • service interface: cli-command/v1
  • operation: run_path
  • bridge protocol marker: BMUXCMD1
  • bridge protocol version: 1
• Future compatibility changes should be additive:
  • add .../v2 interfaces or operations, do not mutate v1 semantics silently
  • negotiate by advertised capabilities/interfaces before selecting newer versions
  • keep compatibility seams in shared constants/helpers rather than ad-hoc call sites

Process runtime protocol v1

• transport marker: BMUXPRC1
• frame layout: <magic><u32_be_payload_len><payload_bytes>
• payload encoding: service codec message (encode_service_message / decode_service_message)
• protocol version field in request/response envelopes: 1

• BMUX_PLUGIN_RUNTIME_PROTOCOL=stdio-v1
• BMUX_PLUGIN_ID=<plugin-id>
• BMUX_PLUGIN_RUNTIME_PERSISTENT_WORKER=1 (only when process_persistent_worker = true)

• entry - process command/path to execute
• entry_args - default process arguments
• process_persistent_worker = true|false - optional worker mode (reuse one process for multiple invocations)

• stdout is reserved for framed protocol responses only.
• non-protocol diagnostics should be written to stderr.
• host enforces a process timeout (default 30000ms).
• timeout may be overridden with BMUX_PROCESS_PLUGIN_TIMEOUT_MS.
• if a process exits without framed stdout, host treats it as unsupported for framed operations.

• examples/process-plugin-node/
• examples/process-plugin-python/

• error: missing BMUXPRC1 frame prefix
  • cause: process emitted non-protocol bytes to stdout
  • fix: write diagnostics to stderr only; keep stdout framed responses only
• error: truncated frame header or truncated payload
  • cause: incomplete write to stdout
  • fix: write a single complete frame and flush stdout before exit
• error: process entry is not executable
  • cause: entry path exists but lacks execute permissions
  • fix: chmod +x <entry> (or use a launch command like python3 with script args)
• error: process plugin timed out
  • cause: process did not return in time
  • fix: optimize startup/handler path or increase BMUX_PROCESS_PLUGIN_TIMEOUT_MS

• keep v1 semantics stable once published
• introduce v2+ as additive protocol envelopes/operations
• gate newer behavior via explicit protocol version/capability checks

Migration direction

• move pane/layout ownership to context runtime structures
• add context IPC/client/plugin host primitives
• keep fallback behavior when plugins are missing
• add persistence migration from legacy single-target state to default context state

Status

• bpdl-spec.md
• plugin-ops.md
• plugin-triage-playbook.md
• plugin-perf-troubleshooting.md