cpex-core 0.2.2

CPEX plugin runtime core — PluginManager, executor, hooks, and config.
Documentation
# CPEX Plugin Demo Configuration
#
# Three plugins, policy groups with tag-based activation,
# and routes that map tools to different plugin combinations.

plugin_settings:
  routing_enabled: true
  plugin_timeout: 30

global:
  policies:
    # "all" is reserved — these plugins fire on every invocation
    all:
      plugins: [identity-resolver]
    # "pii" group — activated when a route has the "pii" tag
    pii:
      plugins: [pii-guard]
    # "external_authz" group — activated when a route has the
    # "needs_remote_authz" tag. Fires the async RemoteAuthz plugin.
    external_authz:
      plugins: [remote-authz]

plugins:
  - name: identity-resolver
    kind: builtin/identity
    hooks: [tool_pre_invoke, tool_post_invoke]
    mode: sequential
    priority: 10
    on_error: fail

  - name: pii-guard
    kind: builtin/pii
    hooks: [tool_pre_invoke]
    mode: sequential
    priority: 20
    on_error: fail
    config:
      clearance_level: confidential

  # Awaiting plugin — its `handle` body uses `.await` for a
  # (simulated) remote authz call on cache miss. Wired in exactly
  # the same way as plugins whose `handle` body has no `.await`;
  # registration is identical either way.
  - name: remote-authz
    kind: builtin/remote_authz
    hooks: [tool_pre_invoke]
    mode: sequential
    priority: 30
    on_error: fail

  - name: audit-logger
    kind: builtin/audit
    hooks: [tool_pre_invoke, tool_post_invoke]
    mode: fire_and_forget
    priority: 100
    on_error: ignore

routes:
  # HR compensation tool — contains PII, gets full security stack
  - tool: get_compensation
    meta:
      tags: [pii, hr]
    plugins:
      - audit-logger

  # Public department listing — standard security only
  - tool: list_departments
    plugins:
      - audit-logger

  # Tool that requires remote authz — triggers the async plugin
  # on top of the standard "all" policy stack. The "external_authz"
  # tag matches the policy group of the same name, which fires
  # remote-authz.
  - tool: query_external_data
    meta:
      tags: [external_authz]
    plugins:
      - audit-logger

  # Wildcard — catch-all for unmatched tools
  - tool: "*"
    plugins:
      - audit-logger