xcore — L'orchestrateur invisible de vos plugins

Launching May 20, 2026

The invisible

orchestrator

for your plugins.

xcore is a Python framework that handles isolation, permission control and complete orchestration of your plugins — with absolute precision. Invisible by design. Essential by nature.

↳ Une notification · Aucun spam

What xcore is

Three metaphors. One infrastructure.

Understanding xcore means understanding what happens beneath the surface — in the systems that never show themselves, but upon which everything else depends.

The air traffic controller

It orchestrates dozens of plugins simultaneously from a single central control point. Nobody sees it. Everyone trusts it. One mistake = catastrophe. Absolute precision, total control, calm under pressure.

The submarine command room

Dense, precise environment — every instrument has a role. Nothing is decorative. Signals carry exact functional meaning. You operate in the dark, seeing what others cannot.

The kernel — the center of everything

Everything passes through it. Plugins radiate from a single central point. It doesn't impose — it holds. Remove the kernel, and everything collapses. Every plugin loses its context, its rights, its services.

For framework developers

Your app becomes extensible in just a few lines.

xcore handles loading, isolation, dependency resolution, permission management, and observability for your plugins. You code your business logic — xcore does the rest.

01Hot-reload without server restart

02Native subprocess sandbox (memory + CPU limits)

03Typed shared services: DB, cache, scheduler

04Built-in observability: Prometheus, OpenTelemetry

05Async pub/sub EventBus with wildcard support

06Granular RBAC permission engine per resource

main.py

from contextlib import asynccontextmanager
from xcore import Xcore

xcore = Xcore(config_path="int.yaml")

@asynccontextmanager
async def lifespan(app: FastAPI):
    await xcore.boot(app)
    yield
    await xcore.shutdown()

›5-phase boot · Isolated plugins · Zero config

For plugin developers

Build. Submit. Publish. Earn.

The xcorehub.dev marketplace hosts community plugins. Every submission goes through an automated security pipeline before becoming available. Your plugin is cryptographically signed and recorded in a public transparency log.

Build

Develop your plugin with the xcore API. Trusted (in-process) or sandboxed (isolated subprocess). Declare your permissions, resources, and dependencies.

Submit

Submit your archive on xcorehub.dev. The pipeline starts automatically. Track progress gate by gate in real time.

Validate

Automated security pipeline: static analysis, supply chain, secret detection, sandboxed execution, behavioral analysis. Every anomaly is scored.

Publish

If the pipeline passes, your plugin is signed (Ed25519), the Merkle root is recorded in the Rekor transparency log (Sigstore). It's then available on the marketplace.

Progressive trust levels

Every plugin starts in Sandboxed mode. After validation and usage, it can progress to Verified then Trusted — with increasing rights and performance.

SANDBOXED → VERIFIED → TRUSTED

SandboxedIsolated subprocess · Limited rights

VerifiedFull pipeline · Rekor signature

TrustedIn-process · Full service access

Security

Every plugin is isolated, controlled, certified.

xcore doesn't trust by default. Every plugin operates within a defined perimeter, with explicit permissions, under constant monitoring.

3layers

3-layer Sandbox

Static AST analysis to block dangerous imports. Isolated subprocess via JSON-RPC 2.0. RLIMIT constraints on memory (256 MB) and CPU (30s).

100kevents

RBAC Permission Engine

Every plugin declares its permissions in the manifest (resource:action). First-match-wins. Complete audit trail of 100k entries. No privilege escalation possible.

SLSALevel 3

Signatures & Transparency

SHA-256 Merkle root of every plugin. Ed25519 signature. Registration in the Rekor transparency log (Sigstore) — publicly verifiable. SLSA Level 3.