Publishing Plugins
Share your plugin with the bext community by publishing it to the plugin registry at plugins.bext.dev. Plugins can be free or paid, and the registry handles discovery, versioning, security audits, and payments.
Prerequisites
Before publishing, ensure your plugin:
1. Has a valid plugin.toml with all required fields filled in.
2. Passes bext plugin test with no failures.
3. Has a README.md in the plugin root directory.
4. Does not include secrets, credentials, or .env files.
Authenticate with the registry:
bext auth login
This opens a browser window for OAuth authentication. Your API token is stored in ~/.config/bext/credentials.toml.
Publishing
cd my-plugin
bext plugin publish
The CLI packages your plugin directory, uploads it to the registry, and runs an automated security audit. The command:
1. Validates plugin.toml structure and required fields.
2. Checks that the name field is available (not already taken by another publisher).
3. Bundles the plugin source, manifest, README, and test files.
4. Uploads the bundle to plugins.bext.dev.
5. Triggers the automated security and quality audit pipeline.
6. Returns the published version URL.
Publishing maintenance-mode@0.1.0...
Validating manifest... OK
Bundling 3 files (4.2 KB)... OK
Uploading to plugins.bext.dev... OK
Security audit... PASSED (score: 92/100)
Published: https://plugins.bext.dev/plugins/maintenance-mode/0.1.0
Versioning
Plugins follow semantic versioning. Bump the version field in plugin.toml before each publish:
[manifest]
name = "maintenance-mode"
version = "0.2.0"
The registry rejects re-publishing an existing version. Use --force only for pre-release versions (0.x.x):
bext plugin publish --force
Users can pin to a specific version or use a range:
# bext.config.toml
[plugins.maintenance-mode]
version = "^0.2.0" # Compatible with 0.2.x
When a new version is published, bext notifies users who have the plugin installed via the CLI:
$ bext dev
Plugin update available: maintenance-mode 0.2.0 -> 0.3.0
Run `bext plugin update maintenance-mode` to upgrade
Security Audit
Every published plugin goes through an automated security audit that checks:
- Static analysis -- scans for known vulnerability patterns (eval usage, prototype pollution, path traversal attempts).
- Permission review -- flags plugins requesting broad permissions (allowed_urls = ["*"]).
- Dependency scan -- for WASM plugins, checks linked libraries against known CVE databases.
- Sandbox compliance -- verifies the plugin runs cleanly within its declared resource limits.
- Source review -- checks for obfuscated code or attempts to bypass sandbox restrictions.
Results are visible on the plugin's registry page and summarized as a score from 0 to 100.
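A local check to run before bext plugin publish, covering prerequisites 1, 3 and 4 and the wildcard allowed_urls case from the permission review. This is an added example, not part of the bext CLI or the registry's audit pipeline. The secret file-name patterns and the script name are assumptions, and the allowed_urls match only handles the single-line form shown above.

```shell
#!/bin/sh
# Added example: local pre-publish check. Not a bext command.
# Prints one line per finding; returns 0 only when nothing was found.
prepublish_check() {
    dir=${1%/}
    findings=0

    # Prerequisites 1 and 3: manifest and README in the plugin root.
    for required in plugin.toml README.md; do
        if [ ! -f "$dir/$required" ]; then
            printf 'MISSING  %s\n' "$required"
            findings=1
        fi
    done

    # Prerequisite 4: file names that usually hold secrets (assumed patterns),
    # plus private key headers pasted into any text file (-I skips binaries).
    by_name=$(find "$dir" -type f \( -name '.env' -o -name '.env.*' \
        -o -name 'credentials.toml' -o -name '*.pem' -o -name '*.key' \))
    by_content=$(grep -rIlE -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$dir" || true)
    hits=$(printf '%s\n%s\n' "$by_name" "$by_content" | sed '/^$/d' | sort -u)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | while IFS= read -r hit; do
            printf 'SECRET?  %s\n' "${hit#"$dir"/}"
        done
        findings=1
    fi

    # Permission review: a wildcard in allowed_urls, written on one line.
    if [ -f "$dir/plugin.toml" ] &&
        grep -Eq '^[[:space:]]*allowed_urls[[:space:]]*=.*"\*"' "$dir/plugin.toml"; then
        printf 'BROAD    allowed_urls contains "*"\n'
        findings=1
    fi

    [ "$findings" -eq 0 ]
}

# Usage: sh prepublish-check.sh ./my-plugin
if [ "$#" -gt 0 ]; then
    prepublish_check "$1"
fi
```

A non-zero exit status means at least one finding, so the function can gate a publish step in a script or CI job.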
Quality Score
The registry assigns a quality score based on:
| Factor | Weight | Description |
|---|---|---|
| Test coverage | 25% | Percentage of exported hooks covered by tests |
| Documentation | 20% | README length, code examples, configuration docs |
| Security audit | 25% | Results of automated security analysis |
| Maintenance | 15% | Publish frequency, issue response time |
| Usage | 15% | Install count, active installations |
Plugins scoring below 50 are flagged with a warning on the registry page.
Pricing: Free and Paid Plugins
Free Plugins
The default. Users install and use your plugin at no cost:
[manifest]
name = "security-headers"
version = "1.0.0"
pricing = "free"
Paid Plugins
Charge a monthly fee per installation. Revenue is split 80/20 (you keep 80%, bext keeps 20%):
[manifest]
name = "advanced-waf-rules"
version = "1.0.0"
pricing = "paid"
[pricing]
monthly_usd = 9.99
trial_days = 14
To receive payments, connect your Stripe account:
bext plugin connect-stripe
This initiates the Stripe Connect onboarding flow. Once connected, payments are deposited to your Stripe account automatically with a 30-day rolling payout schedule.
Users see the price on the registry page and are prompted to subscribe during installation:
$ bext plugin install advanced-waf-rules
This is a paid plugin: $9.99/month (14-day free trial)
Subscribe? [y/N]: y
Subscription created. Plugin installed.
Managing Subscriptions
View your plugin's revenue and subscriber count:
bext plugin revenue advanced-waf-rules
Users can cancel anytime:
bext plugin unsubscribe advanced-waf-rules
The plugin continues to work until the end of the current billing period.
Updating a Published Plugin
# Edit plugin.toml to bump version
# Make your changes
bext plugin test # Verify tests pass
bext plugin publish # Upload new version
Unpublishing
You can unpublish a version within 72 hours of publishing. After that, versions are immutable to protect users who depend on them:
bext plugin unpublish maintenance-mode@0.1.0
To deprecate a plugin (soft removal with a message):
bext plugin deprecate maintenance-mode --message "Use maintenance-mode-v2 instead"
Deprecated plugins still work but show a warning during bext dev and bext build.
Plugin Page
Each published plugin gets a page at plugins.bext.dev/plugins/<name> showing:
- README rendered as HTML
- Version history with changelogs
- Security audit score
- Quality score
- Install count and active installations
- Configuration reference (auto-generated from plugin.toml)
- Pricing details (for paid plugins)