Module plugin 

Plugin extractor interface (RFC-028 §7).

This module defines the security-boundary types for external extractor plugins. In v0.8, plugin loading is not yet implemented (dynamic linking is deferred), but the interface is defined so that:

1. Built-in extractors can be registered with the same manifest.
2. The security contract is formalized before any loading code exists.

Security model (RFC-028 §6)

• A plugin extractor receives only a ValidatedPath — it cannot request arbitrary filesystem access. The PathGuard boundary (RFC-003 §8) applies before any plugin receives a path.
• Plugin failures are isolated: a panic in a plugin extractor must not crash the orbok process (RFC-005 §13).
• User consent is required before a non-built-in plugin is used; the manifest provides the metadata for that consent dialog.
• Plugin logging must follow NFR-014: no document contents logged.

Dynamic loading (future)

When RFC-028 is fully activated, plugin .so/.dll files will be located via the PluginRegistry. Until then, PluginRegistry only holds the built-in extractors.

Structs

PluginExtractor

A plugin extractor: manifest metadata + the extraction implementation.

PluginManifest

Metadata attached to every extractor plugin for display and consent.

PluginRegistry

The plugin registry (RFC-028 §8).