RFC: sessions.patch plugin extension hook \u2014 let plugins handle their own patch payloads

[100yenadmin]

Problem statement

Third-party plugins that need to react to sessions.patch RPCs (UI inline-button events, /command-style mutations from any channel) currently have to patch the gateway's applySessionsPatchToStore handler at src/gateway/sessions-patch.ts:89 to add new branches. This is brittle:

• Every host version bump requires re-baselining the patch
• The patch grows monotonically as the plugin adds features (Smarter-Claw's plan-mode patch is now ~500 lines)
• Multiple plugins patching the same handler will conflict
• Schema changes require a parallel patch to src/gateway/protocol/schema/sessions.ts

Smarter-Claw is the proof case: we maintain installer/patches/core/sessions-patch-handler-plan-mode.diff (500 LOC) and installer/patches/core/sessions-patch-schema-plan-mode.diff (~70 LOC) just to wire the UI's Approve/Reject/Edit/Auto/Answer button payloads through to plugin state. A clean SDK seam would let us delete both patches.

Proposed change

Add an extension field to the sessions.patch payload + a plugin-SDK callback for handling it.

Schema (additive)

// src/gateway/protocol/schema/sessions.ts
export const sessionsPatchPayload = Type.Object({
  key: NonEmptyString,
  // ...existing fields...
  extension: Type.Optional(
    Type.Object(
      {
        plugin: NonEmptyString,                          // "smarter-claw"
        action: NonEmptyString,                          // "approve" / "reject" / "answer"
        payload: Type.Unknown(),                         // plugin-validated
      },
      { additionalProperties: false },
    ),
  ),
});

Plugin SDK seam (additive)

// src/plugin-sdk/sessions-patch.ts (NEW or extend existing)
export type SessionsPatchExtensionHandler = (input: {
  key: string;                                   // sessionKey
  agentId: string;
  entry: SessionEntry;                           // current entry (post any non-extension patch fields)
  payload: unknown;                              // raw plugin payload
}) => Promise<
  | { ok: true; entryPatch?: Partial<SessionEntry> }
  | { ok: false; error: string }
>;

// Plugin manifest declares the extension handler:
export const plugin = definePluginEntry({
  // ...existing...
  sessionsPatchExtensions: {
    "approve": myApproveHandler,
    "reject": myRejectHandler,
    "answer": myAnswerHandler,
  },
});

Handler dispatch (gateway-side, ~20 LOC)

// src/gateway/sessions-patch.ts
if (patch.extension) {
  const plugin = pluginRegistry.get(patch.extension.plugin);
  if (!plugin?.sessionsPatchExtensions?.[patch.extension.action]) {
    return invalid(`unknown extension: ${patch.extension.plugin}.${patch.extension.action}`);
  }
  const result = await plugin.sessionsPatchExtensions[patch.extension.action]({
    key, agentId, entry: next, payload: patch.extension.payload,
  });
  if (!result.ok) return invalid(result.error);
  if (result.entryPatch) Object.assign(next, result.entryPatch);
}

Backward compatibility

• Fully additive — clients without extension field unaffected
• Existing plugins that patch the handler directly continue to work
• New plugins use the SDK seam instead

What this saves Smarter-Claw

• Delete installer/patches/core/sessions-patch-handler-plan-mode.diff (500 LOC)
• Delete installer/patches/core/sessions-patch-schema-plan-mode.diff (~70 LOC)
• Move ~570 LOC from a brittle host patch into typed plugin code
• Eliminate version-bump fragility (no more SHA pinning per host upgrade for these patches)

Generalizes to any plugin that wants to react to UI button events / channel-routed mutations.

Vocabulary alignment

The payload: Type.Unknown() shape lets each plugin own its own payload schema (validated inside the handler). This avoids leaking plugin-specific vocabulary like "approve"/"reject"/"answer" into the gateway protocol — keeps core extension-agnostic per the AGENTS.md architecture rule.

Tests proposed

• Round-trip: client sends extension: { plugin: "test-plugin", action: "noop", payload: {x:1} } → plugin handler receives raw payload → returns ok with entryPatch → next entry contains patch
• Unknown plugin → 400 with clear error
• Unknown action for known plugin → 400
• Plugin handler throws → 500 surfaced cleanly (not silent)
• Plugin returns ok=false → mutation rejected, error surfaced

Cross-link

Smarter-Claw architecture impact: electricsheephq/Smarter-Claw#44, #45, #46. Once this RFC lands + Smarter-Claw migrates, the entire sessions-patch-handler-plan-mode.diff retires.

This is one of several RFCs Smarter-Claw is filing to push the plugin/host seam upstream. Sister RFC: #71260 (mergeSessionEntryWithPolicy "merge-plugin-metadata").

[clawsweeper]

Closing this as duplicate or superseded after Codex automated review.

Close #71426 as superseded by the open canonical RFC #71732. Current main does not implement the proposed sessions.patch plugin extension hook, but #71732 covers the same patch-action need in a broader namespaced plugin session extension API, including plugin-owned state, public projection, patch routing, lifecycle, disabled-plugin semantics, and gateway scope decisions.

Best possible solution:

Close #71426 as superseded and keep #71732 as the maintainer-facing RFC for the full plugin session extension and patch-action API. If accepted, the implementation should add an additive, documented, versioned plugin session extension surface with protocol schema, SDK types, gateway routing, lifecycle behavior, scope enforcement, tests, and docs.

What I checked:

• Superseding RFC: Provided GitHub context shows [RFC] Plugin session extensions and patch actions #71732 is open, authored by the same contributor, and explicitly proposes plugin session extensions plus patch actions. Its body states maintainers should choose between sessions.pluginPatch and a sessions.patch.plugin envelope, which directly subsumes RFC: sessions.patch plugin extension hook \u2014 let plugins handle their own patch payloads #71426's narrower sessions.patch extension envelope.
• Current protocol schema lacks extension envelope: SessionsPatchParamsSchema is a fixed object of core session patch fields with additionalProperties: false; there is no extension, plugin, action, or plugin payload field in current main. (src/gateway/protocol/schema/sessions.ts:131, c74fb781943f)
• Current handler only applies core fields: applySessionsPatchToStore applies known session fields and writes store[storeKey] = next; it has no plugin registry lookup or plugin handler dispatch for patch payloads. (src/gateway/sessions-patch.ts:89, c74fb781943f)
• Existing post-write hook is not the requested mutation seam: The server emits an internal session:patch hook only after a successful patch and with a cloned context; this observes the completed patch but does not let plugins validate or handle their own sessions.patch payloads before persistence. (src/gateway/server-methods/sessions.ts:1313, c74fb781943f)
• Plugin API has no session patch extension registration: The public plugin API exposes generic gateway methods, runtime helpers, and typed hooks, but no registerSessionExtension, sessionsPatchExtensions, or equivalent patch-action registration surface. A repository search for those names found no implementation. (src/plugins/types.ts:2061, c74fb781943f)
• Project direction supports API design, not a ClawHub-only close: VISION.md says optional capability should usually ship as plugins, and if a useful feature cannot be built as a plugin yet, the project welcomes design discussions that extend the plugin API. That makes [RFC] Plugin session extensions and patch actions #71732 the right canonical place for the remaining core/API decision. (VISION.md:38, c74fb781943f)

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against c74fb781943f.