feat: add support for plugins

[JivusAyrus]

Summary by CodeRabbit

• New Features

  • Plugin & gRPC subgraph support: create, publish, generate, delete, and validate workflows; plugin registry support and Docker multi‑platform publishing; UI shows subgraph types and plugin metadata.

• Improvements

  • Enforced per‑plan plugin limits and RBAC; composition and repo handling updated for subgraph types; safer plugin image handling and lifecycle.

• Bug Fixes

  • Routing/validation fixes and improved path sanitization and error messages.

• Chores

  • DB migration for subgraph types, CI/build updates, dependency refresh, and deployment script updates.

• Tests

  • Extensive tests covering plugin flows, publishing, feature subgraphs, and access control.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
• I have read the Contributors Guide.

COMPLETES ENG-7682
COMPLETES ENG-7758

[coderabbitai]

Walkthrough

This change introduces first-class support for plugin and gRPC subgraphs across the entire stack, including schema, database, control plane, CLI, router, and studio. It adds new subgraph types, plugin lifecycle management, registry integration, plugin image handling, protobuf schema storage, new CLI commands, and comprehensive test coverage for plugin workflows and feature subgraphs.

Changes

Cohort / File(s)	Change Summary
Database & Migrations controlplane/migrations/0128_nifty_romulus.sql, controlplane/src/db/schema.ts, controlplane/src/db/models.ts, controlplane/migrations/meta/_journal.json	Adds subgraph_type enum (standard, grpc_plugin, grpc_service), new tables plugin_image_versions and protobuf_schema_versions, and a non-null type column on subgraphs. Updates models and migration journal.
Protobuf & Connect Definitions proto/wg/cosmo/platform/v1/platform.proto, connect/src/wg/cosmo/platform/v1/platform_pb.ts, connect/src/wg/cosmo/platform/v1/platform_connect.ts, connect/src/wg/cosmo/platform/v1/platform-PlatformService_connectquery.ts, proto/wg/cosmo/node/v1/node.proto, connect/src/wg/cosmo/node/v1/node_pb.ts	Adds SubgraphType enum, ProtoInput message, plugin PluginData, ValidateAndFetchPluginData request/response and RPC, and ImageReference message + field in node plugin config.
Control Plane: Types & Utilities controlplane/src/types/index.ts, controlplane/src/core/util.ts, controlplane/src/core/crypto/jwt.ts, controlplane/src/core/composition/composer.ts	Introduces DB/DTO type changes (ProtoSubgraph, DBSubgraphType, organizationId), plugin JWT audience, plugin-version validation, and conversions between enum/string subgraph types; composer extended for plugin/gRPC subgraphs and image references.
Control Plane: Repositories & Schema Handling controlplane/src/core/repositories/SubgraphRepository.ts, controlplane/src/core/repositories/PluginRepository.ts, controlplane/src/core/repositories/FederatedGraphRepository.ts, controlplane/src/core/repositories/FeatureFlagRepository.ts, controlplane/src/core/repositories/OrganizationRepository.ts, controlplane/src/core/repositories/GraphCompositionRepository.ts	Subgraph repo now stores/returns type and optional proto/plugin data, adds plugin image/proto version persistence; new PluginRepository.count to count plugins; federated graph returns include organizationId; organization features include plugins.
Control Plane: API Handlers (bufservices) controlplane/src/core/bufservices/subgraph/createFederatedSubgraph.ts, .../publishFederatedSubgraph.ts, .../getSubgraphById.ts, .../getSubgraphByName.ts, .../getSubgraphs.ts, .../federated-graph/*.ts, .../feature-flag/*.ts, controlplane/src/core/bufservices/plugin/validateAndFetchPluginData.ts, controlplane/src/core/bufservices/PlatformService.ts, controlplane/src/core/bufservices/monograph/createMonograph.ts	Extends handlers to accept/validate type and proto, enforce plugin limits, derive feature-subgraph types from base, add validateAndFetchPluginData RPC implementation, and map DB type to API responses.
Control Plane: Composition & Router Config controlplane/src/core/composition/composer.ts, shared/src/router-config/builder.ts	Composer supports plugin/grpc subgraphs, includes schemaVersionId, parses gRPC mappings, and builds PluginConfiguration with imageReference.
Control Plane: Services, Billing & Build controlplane/src/core/services/ApolloMigrator.ts, controlplane/src/bin/billing.json, controlplane/package.json, controlplane/Dockerfile	Migration ensures subgraph type on import; billing plans gain plugins feature/limits; controlplane now depends on protographic and includes it in image build.
CLI: Plugin Commands & Templates cli/src/commands/router/commands/plugin/*, cli/src/commands/router/commands/plugin/index.ts, cli/src/commands/router/commands/plugin/templates/plugin.ts, cli/.env.example, cli/src/core/config.ts, cli/src/core/types/types.ts, .github/workflows/controlplane-ci.yaml	Adds generate, create, publish, delete, init plugin CLI commands; updates templates (Makefile, Dockerfile), adds PLUGIN_REGISTRY_URL config, fixes protobuf import paths, and includes protographic in CI build filters.
CLI: Subgraph & Feature-subgraph Commands cli/src/commands/feature-subgraph/commands/*.ts, cli/src/commands/subgraph/commands/*.ts	Import/usage of SubgraphType and make routing URL optional where appropriate; publish/create accept explicit type and proto input.
Router: Plugin & gRPC Refactor + OCI Support router/core/graph_server.go, router/pkg/grpcconnector/* (multiple files moved/refactored to grpccommon, grpcremote, grpcplugin, grpcpluginoci), router/pkg/grpcconnector/grpcpluginoci/*, router/pkg/grpcconnector/grpcremote/grpc_remote.go, router/pkg/grpcconnector/provider.go, router/pkg/grpcconnector/connector.go, router/pkg/config/*, router/go.mod, router-tests/go.mod	Large refactor: provider interface simplified (removed Name()), common startup/command preparation refactored into grpccommon, OCI-based plugin provider (grpcpluginoci) added (image pull, unpack, run), remote provider simplified, registry config added, dependency updates with selective pins.
Studio: UI & SDL Viewer studio/src/components/subgraphs-table.tsx, studio/src/pages/.../subgraph/.../index.tsx, studio/src/pages/.../compositions/.../index.tsx, studio/src/components/schema/sdl-viewer.tsx	Adds subgraph type badges and plugin metadata display; adds protobuf syntax highlighting support and download handling in SDL viewer.
Tests & Test Data controlplane/test/* (many), controlplane/test/test-data/plugin/*, router/pkg/grpcconnector/grpcpluginoci/*_test.go, router/pkg/grpcconnector/grpcpluginoci/image_unpack_test.go, router/pkg/grpcconnector/grpccommon/*_test.go	Adds extensive tests for plugin workflows: validate/fetch plugin data, plugin create/publish/delete flows, feature-subgraph interactions, composition with plugin subgraphs, and unit tests for OCI plugin unpack/prep and related helpers. Includes proto, mapping, and lock test files.
Miscellaneous .gitignore, demo/deploy.sh, demo/pkg/subgraphs/projects/Dockerfile, docker-compose.full.yml, composition-go/shim/tsup.config.ts, controlplane/src/core/repositories/analytics/MetricsRepository.ts, controlplane/test/organization-groups.test.ts	Various updates: ignore pattern, demo/docker paths and Dockerfile, compose Dockerfile paths, tsup regex broadened, minor SQL string formatting, and test import path fix.

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~90+ minutes

Complexity: cross-cutting, schema and migration changes, new DB tables and enum, protobuf contract changes, new RPCs, significant router plugin lifecycle refactor (OCI image handling), CLI surface additions, and many new/updated tests. Review should include DB migration safety, protobuf compatibility, security checks for image unpacking and JWTs, RBAC and quota enforcement, and integration flows between router, control plane, and CLI.

Possibly related PRs

• fix: prevent feature subgraphs from using other feature subgraphs as base subgraphs #2122 — Overlaps modifications to create/publish feature-subgraph handlers in controlplane; likely touches same files and validation logic.
• feat: otel support for grpc plugins #2021 — Related to gRPC plugin startup/config refactor (startup_config injection and plugin connector changes), overlaps router/plugin provider refactor.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch suvij/eng-7509-router-plugins-with-cosmo-integration

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-actions]

Router image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-ff4b4e02a5b609c306d286989261ccf13ee20bad

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (3)

proto/wg/cosmo/platform/v1/platform.proto (3)

168-168: Make CreateFederatedSubgraphRequest.type optional for presence detection (duplicate)

Without optional, down-level clients are indistinguishable from those explicitly setting STANDARD (0). This can defeat validation and migration logic.

-  SubgraphType type = 13;
+  optional SubgraphType type = 13;

---

399-401: Make Subgraph.type optional for presence detection (duplicate)

Same rationale as creation: without presence, existing clients get coerced to STANDARD (0) and servers cannot tell unset from explicitly set.

-  SubgraphType type = 18;
+  optional SubgraphType type = 18;

---

1842-1842: Make GraphCompositionSubgraph.subgraphType optional (duplicate)

Maintains presence semantics in composition results and prevents defaulting ambiguity.

-  SubgraphType subgraphType = 7;
+  optional SubgraphType subgraphType = 7;

🧹 Nitpick comments (6)

proto/wg/cosmo/platform/v1/platform.proto (6)

39-45: ProtoInput: keep strings (UTF-8) — add brief field docs for clarity

Aligned with the team decision to keep these as string. Consider documenting expected contents and formats to aid SDK users.

 message ProtoInput {
-  string schema = 1;
-  string mappings = 2;
-  string lock = 3;
-  repeated string platforms = 4;
-  string version = 5;
+  // Text contents of the protobuf schema (UTF-8)
+  string schema = 1;
+  // Text contents of plugin mappings (UTF-8)
+  string mappings = 2;
+  // Text contents of the lock file (UTF-8)
+  string lock = 3;
+  // Supported build targets (e.g., "linux/amd64", "linux/arm64", "wasm")
+  repeated string platforms = 4;
+  // Plugin version (e.g., semver)
+  string version = 5;
 }

---

67-68: PublishFederatedSubgraphRequest: clarify relation between type and proto

Please document the precondition so clients know how to populate these fields. Server-side must enforce it.

   optional bool disable_resolvability_validation = 12;
-  optional SubgraphType type = 13;
-  optional ProtoInput proto = 14;
+  // If type != STANDARD, 'proto' must be provided; for STANDARD subgraphs, 'proto' must be omitted.
+  optional SubgraphType type = 13;
+  optional ProtoInput proto = 14;

---

370-374: SubgraphType: add short comments per value

Names look good. Add one-line docs to reduce ambiguity across SDKs.

 enum SubgraphType {
-  STANDARD = 0;
-  GRPC_PLUGIN = 1;
-  GRPC_SERVICE = 2;
+  // Standard GraphQL subgraph
+  STANDARD = 0;
+  // gRPC plugin running within the router
+  GRPC_PLUGIN = 1;
+  // External gRPC service subgraph
+  GRPC_SERVICE = 2;
 }

---

377-381: Subgraph.PluginData: add field docs

Mirror ProtoInput docs so the meaning of platforms and version remains consistent across request/response types.

 message Subgraph {
   message PluginData{
-    string version = 1;
-    repeated string platforms = 2;
+    // Plugin version (e.g., semver)
+    string version = 1;
+    // Supported target platforms (e.g., "linux/amd64", "linux/arm64", "wasm")
+    repeated string platforms = 2;
   }

---

3223-3225: Annotate RPC as NO_SIDE_EFFECTS

This RPC validates and fetches metadata; marking as no side effects can improve client behavior and proxies.

-  rpc ValidateAndFetchPluginData(ValidateAndFetchPluginDataRequest) returns (ValidateAndFetchPluginDataResponse) {}
+  rpc ValidateAndFetchPluginData(ValidateAndFetchPluginDataRequest) returns (ValidateAndFetchPluginDataResponse) {
+    option idempotency_level = NO_SIDE_EFFECTS;
+  }

---

2846-2850: ValidateAndFetchPluginDataRequest: confirm call timing & strengthen identity

I didn’t find any implementation or call sites for ValidateAndFetchPluginData in the service layer—please verify whether this RPC can be invoked before a subgraph record exists. If it can, adding a unique identifier (for example, a type or dedicated id field) will help avoid misclassification down-the-line.

Please review proto/wg/cosmo/platform/v1/platform.proto:

message ValidateAndFetchPluginDataRequest {
  string name = 1;
  string namespace = 2;
  repeated Label labels = 3;
  // Optional: include when request may occur pre-subgraph creation
  optional SubgraphType type = 4;
}

– If the RPC is always called post-creation, confirm here.
– If pre-creation calls are possible, please add and document the new field.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b0ec824 and e23121b.

⛔ Files ignored due to path filters (3)

• connect-go/gen/proto/wg/cosmo/platform/v1/platform.pb.go is excluded by !**/*.pb.go, !**/gen/**
• router-tests/go.sum is excluded by !**/*.sum
• router/go.sum is excluded by !**/*.sum

📒 Files selected for processing (4)

• connect/src/wg/cosmo/platform/v1/platform_pb.ts (12 hunks)
• proto/wg/cosmo/platform/v1/platform.proto (8 hunks)
• router-tests/go.mod (6 hunks)
• router/go.mod (6 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• router/go.mod
• router-tests/go.mod
• connect/src/wg/cosmo/platform/v1/platform_pb.ts

🧰 Additional context used

🧠 Learnings (3)

📚 Learning: 2025-08-07T12:05:06.744Z

Learnt from: StarpTech
PR: wundergraph/cosmo#2079
File: proto/wg/cosmo/platform/v1/platform.proto:39-45
Timestamp: 2025-08-07T12:05:06.744Z
Learning: In the Cosmo project, the proto fields for schema, mappings, and lock in ProtoInput are intentionally kept as string types rather than bytes because the team works with text data and wants it to be UTF-8 encoded for readability and text processing purposes.

Applied to files:

• proto/wg/cosmo/platform/v1/platform.proto

📚 Learning: 2025-07-21T15:06:36.664Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

Applied to files:

• proto/wg/cosmo/platform/v1/platform.proto

📚 Learning: 2025-07-21T14:46:34.879Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Applied to files:

• proto/wg/cosmo/platform/v1/platform.proto

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)

• GitHub Check: build-router
• GitHub Check: Analyze (go)
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: image_scan (nonroot)
• GitHub Check: integration_test (./events)
• GitHub Check: integration_test (./telemetry)
• GitHub Check: build_push_image
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: image_scan
• GitHub Check: build_push_image (nonroot)
• GitHub Check: build_test
• GitHub Check: build_test
• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: build_push_image
• GitHub Check: build_test
• GitHub Check: build_test

[StarpTech]

LGTM