Skip to content
LVIS AI
EN|KO

Plugins

Permission grant flow

When a plugin is activated for the first time, a single unified dialog shows the user every permission element declared in its manifest (capabilities · tools categories · pluginAccess · hostSecrets · agentApprovalScopes) at once.

Permission grant dialog shown the first time a plugin activates

Items reviewed from the manifest

  • capabilities: 12 items in a closed enum — mail-source, calendar-source, meeting-recorder, knowledge-index, background-watcher, external-auth-consumer, document-indexer, routine-provider, lifecycle-observer, worker-client, ms-graph-consumer, host:overlay.
  • tools[]: the list of tool names. Each tool's toolSchemas.<name>.categoryread | write | shell | network | meta — is grouped by category and shown to the user.
  • pluginAccess: which other plugin's tools/events this plugin will use (e.g. work-assistant calling ms-graph's msgraph_calendar_today).
  • agentApprovalScopes: standard labels for cross-plugin risky actions (e.g. agent_file_share, agent_task_delegate, agent_external_api_call).
  • hostSecrets / llmKeySource: secret access / LLM key vendor declarations.
  • configSchema: user-editable config fields + defaults.

What the user sees

  1. 01

    Deeplink from Marketplace

    The "Install" button on the web page fires lvis://install/<slug> or lvis://install/<type>/<slug>. The host receives and handles the URL (lvis-protocol.ts:72).

  2. 02

    Package + signature verification

    sig

    The host verifies the Ed25519 signature envelope issued by the Marketplace. It passes once at least one signature matches a known public key (marketplace/server/src/lvis_marketplace/signing.py:219).

  3. 03

    Permission dialog — everything at once

    The parsed manifest is grouped by category — capabilities / tools / pluginAccess / secrets — and shown together. The grant is saved once the user confirms.

  4. 04

    First activation

    start()

    Its own namespace ~/.lvis/plugins/<pluginId>/ is created (0o700). The plugin's start() callback is called — hostApi.registerKeywords is registered if present.

Behavior after revoking a permission
Even after installation, a grant can be revoked from Host Settings → Plugins → the plugin → Permission Management. Once revoked, an incoming tool call is rejected immediately with no fallback, and a re-grant card is fired (LVIS's no-fallback rule).