Plugin system implementation

Arti

So while I was looking trough older issues Ive found #337
And looking trough mentions Ive noticed several times that sir Alexander mentioned a plugin system (₁-2 years ago)
Well at this day I still do not see one. So since I kinda have time to waste, Ill try to implement it.

@Alexander01998 so I need approval; asking in advance so it doesnt happen that something is already in development.
Idea:

It will be most likely compiled at runtime with javax.tools.JavaCompiler
I assume you will be concerned about security so I plan to add a trusted and unknown mode
Unknown will have restrictions, while trusted will have all access to file I/O and similar
1. Vague idea is that for each script a hash is computed and then we either retrive or hardcode a list with trusted hashes and check
2. This will mean that this system needs a moderation which will approve (or ban?) hashes
3. This also includes that a website for sharing can be made
4. (sandboxing?)
5. (automatically alarm user if script has dangerous calls like System.exit(0))
Users would share java files, those are compiled when ran
If I manage Ill write api docs, my grammar is very crappy tho, can be solved with some help of a llm I assume.

This is kinda ambitious, so might take quite some time to make.
Also might be that I just give up, as said somewhere Im in process of learning CS.

Ive made a some tests, and a small part is done, its a little bit laggy but works for simple scripts:

A little explanation if there are struggles understanding whats going on:
Ive made RuntimeCompilerService aswell as CompilerTest, the testCompiler() tests a good and a broken code (missing a ')' ).
Ive added the call to Nofall when enabling, just as a workaround for testing now.
The console prints all the expected results, good code is compiled while bad spits out an error.

<sub> worthy of title wurst 8, eh? </sub>

Alexander01998

Arti I would do something much simpler by having the add-ons / plugins just be Fabric mods with a dependency on Wurst and a special entrypoint / API so they can register their custom hacks, commands, etc. in Wurst. (And maybe those would somehow show up differently in the UI, so you can see what comes from a plugin and what doesn't.)

But also, there are a lot of open pull requests right now, including some big ones that will probably require other changes to the codebase. I feel like a plugin system PR right now would be very likely to go stale and/or end up with a lot of conflicts from other PRs that get merged first.

Arti

Alexander01998
Hmm I had this also in mind, but I feel like such implementation would defeat the purpose of this feature in wurst.
Why bother with this and not just create a stand alone mod with keybinds then?
This would be much more appealing to creators as it would attribute only them;
More freedom in terms of possible features;
And this is kinda too "big" for simpler macros or event listeners to enable this or that feature.
This would also make moderation much harder, as decompiling and checking is a pain, especially if symbols are stripped.

I also had in mind other plans for distant future like LUA support, blue prints (unreal engine like) or code blocks, which would make creating e.g. macros for people with lesser programming experience much easier.

And for the amount of PRs, It will probably take quite a while to polish, test, etc, maybe if lucky less PRs will be present at that time, for now I do not see any big coming modifications to already existing files by the api an execution system, I am currently working only in the Wurst7\src\main\java\net\wurstclient\api\scripting, I do not plan quitting development soon, so Ill manage resolving conflicts (will be a challenge to train me, so im not against it).

I plan for an extra menu like the Navigator GUI, with options on the top, like load script, create, verify, allow untrusted, etc.

Well if you still think, my changes should wait even longer, or this implementation is bad, ill accept it, in the end Im the one having fun making it, so Ill end up making it for myself either way

Edit: I am not against adding pre compiled support for big plugins, but those who release them should be trusted, or wurst might be considered vulnerable. If you think you wouldn't have the time to moderate the plugins, you could use LLMs, they will definitely point out suspicious stuff. Jar files will take some more time to analyse as decompilation takes time.

Alexander01998

Arti I feel like such implementation would defeat the purpose of this feature in wurst.

What do you think the purpose of a plugin system is, if not to add custom functionality to Wurst? To do that effectively, plugin authors need to be able to do all the same things that Wurst does. Some heavily restricted scripting language isn't going to cut it.

Arti Why bother with this and not just create a stand alone mod with keybinds then?
This would be much more appealing to creators as it would attribute only them;
More freedom in terms of possible features;

Because you don't want to make a standalone mod, but instead add something to Wurst, have it show up in ClickGUI/Navigator and work like any other Wurst feature. You don't want to create your own systems for settings, keybinds, event listeners, UI, etc. and even if you did, that would be annoying to use alongside Wurst because you would then have all these systems twice.

Arti And this is kinda too "big" for simpler macros or event listeners to enable this or that feature.

That's fine. Plugins and macros are two different things. They shouldn't be handled by the same system anyways.

Arti This would also make moderation much harder, as decompiling and checking is a pain, especially if symbols are stripped.

This is such a weird sentence to unpack. Decompiling other people's closed-source, obfuscated plugins? Why would I do that? If there was some official plugin directory in the far future, it either wouldn't list closed-source plugins at all, or stick a warning on them and not even try to check what they're doing.

Let's not forget that anyone can make a plugin and list it on their own website, just like anyone can make a fork of Wurst. There is nobody moderating either of those things, and people doing that don't need anyone's approval. Any artificial restrictions put on the plugin system are ultimately meaningless.

The only effect would be fewer people making plugins, as the unfamiliar syntax and limited capabilities of a scripting language and the quirks of a sandbox system would unnecessarily make life harder for those who aren't trying to write malware.

Arti I also had in mind other plans for distant future like LUA support, blue prints (unreal engine like) or code blocks, which would make creating e.g. macros for people with lesser programming experience much easier.

That does not belong in a plugin system.

Arti And for the amount of PRs, It will probably take quite a while to polish, test, etc, maybe if lucky less PRs will be present at that time, for now I do not see any big coming modifications to already existing files by the api an execution system, I am currently working only in the Wurst7\src\main\java\net\wurstclient\api\scripting, I do not plan quitting development soon, so Ill manage resolving conflicts (will be a challenge to train me, so im not against it).

Alright, just don't say I didn't warn you.

Arti I plan for an extra menu like the Navigator GUI, with options on the top, like load script, create, verify, allow untrusted, etc.

This, ironically, would defeat the purpose of a plugin system. If plugin features don't show up in the same GUI as vanilla ones, then plugin authors might as well write standalone mods instead.

Arti Well if you still think, my changes should wait even longer, or this implementation is bad, ill accept it, in the end Im the one having fun making it, so Ill end up making it for myself either way

You don't have to wait, but I would not merge it with the restrictions outlined in your first message, or the Lua scripting system in your second message.

Arti Edit: I am not against adding pre compiled support for big plugins, but those who release them should be trusted, or wurst might be considered vulnerable. If you think you wouldn't have the time to moderate the plugins, you could use LLMs, they will definitely point out suspicious stuff. Jar files will take some more time to analyse as decompilation takes time.

This reads like some propaganda from an anti-repair lobbying group. "wurst might be considered vulnerable"?! It's open source! People can just fork it and add whatever viruses they want. Is Minecraft considered vulnerable because mods are executable files? This is Wurst-Imperium, not Nintendo. We are not anti-freedom here.

Aside, the whole plugin system as you've described it so far has a kind of closed, protect-users-from-themselves feel to it. It really clashes with the open source, do-whatever-you-want nature of Wurst.

Arti

Well looks like our views are quite different sadly.
I will not argue much more as I assume you, with greater experience than me, know whats better for wurst,
Looks like my experience with plugin systems was quite different.
I thought of making a more or less universal system that combines ideas like
ComputerCraft , Garrys mod has lua. Or a mod for the game Satisfactory: FicsIt‑VisualScript. These are all features I liked,
And for the macros system it would be quite similar for me, e.g. user creates a hook to chat and if message "game end" is found it autosends "gg".

Alexander01998 It's open source! People can just fork it and add whatever viruses they want.

As for this, usually the mod is blamed for not preventing or moderated plugins, Minecraft (or the distribution platforms like curseforge) had own callouts for not preventing malicious mods from distributing, executing, etc.

Usually, from my observations, programs/mods who officially support plugins have a dedicated page, which is officially associated with the mod, and it would be not the best idea to distribute closed source plugins there.

Well theoretically youre right, this wouldnt fit wurst, better for a separate mod.
Just proposed as wurst is usually the first client people use, and having a way to implement own features without even needing to know much lower level languages would, keep most users using Wurst.