Message envelope
The message is the ProtobufPluginMessage defined by the Protobuf contract:
The target receives a
PluginMessageReply:
The Kernel does not interpret
topic, payload, or message. Define their
format between the participating plugins. You can use JSON, Protobuf, text,
or another encoding, but the sender and target must agree on it.
Send a message
To send a message:- choose the registered name of the target plugin;
- choose a stable topic name;
- encode the request into
payload; and - send the envelope through the generated host binding for your backend.
message value. The
source plugin cannot choose or override its identity; the Kernel replaces the
source field with the authenticated name of the calling plugin.
Receive a message
The target plugin receives the same envelope, including the Kernel-providedsource. It should:
- verify that the source plugin is allowed to request the operation;
- route the message by
topic; - decode and validate
payload; and - return either a result or an error.
Errors and delivery
Messages are delivered only to a currently running target plugin. The send fails when:targetis empty;- the target plugin is not running;
- the target handler returns a transport or execution error; or
- the target reply contains a non-empty
errorfield.
error value is returned to the sender as an error. A message is
not delivered to another plugin when the target is unavailable.
Messages are not queued, retried, broadcast, or persisted. There is no
durable delivery guarantee. If the target stops while a message is in flight,
the call context is canceled with the target plugin’s lifecycle.
Backend behavior
The message semantics are identical for both plugin backends:- a WASM plugin sends through generated host bindings; and
- a gRPC plugin sends through the Kernel’s host callback channel.
Identity and authorization
The Kernel authenticates the source plugin at the host boundary. A plugin cannot impersonate another plugin by writing a differentsource value into a
send request.
There is no Kernel-level access policy for individual topics. Any running
plugin can address another running plugin by name, so the target must enforce
authorization in its own handler when a topic or payload represents a
privileged operation. Treat topic as routing information, not as an access
control mechanism.