
@mushi-mushi/plugin-sdk
TypeScript SDK for building third-party Mushi Mushi plugins (webhook handlers + signature verification + typed events).
# @mushi-mushi/plugin-sdk

Build third-party plugins for Mushi Mushi. Plugins are stand-alone HTTPS services that receive signed event webhooks from the Mushi platform and may optionally call back into the REST API to comment on, re-classify, or transition reports.
A webhook server is a stronger isolation boundary than running plugin code inside the Mushi platform itself.
The trade-off is latency: the Mushi pipeline doesn't block on plugin acknowledgement (deliveries are async), so plugins that need synchronous mutation should call the REST API back from the handler.
```sh
npm i @mushi-mushi/plugin-sdk
```
```ts
import express from 'express'
import { createPluginHandler, expressMiddleware, createMushiClient } from '@mushi-mushi/plugin-sdk'

const mushi = createMushiClient({
  apiKey: process.env.MUSHI_API_KEY!,
  projectId: process.env.MUSHI_PROJECT_ID!,
})

const handler = createPluginHandler({
  secret: process.env.MUSHI_PLUGIN_SECRET!,
  on: {
    'report.created': async (e) => {
      console.log('New report', e.data)
    },
    'report.classified': async (e) => {
      const { classification } = e.data as { classification: { severity: string } }
      if (classification.severity === 'critical') {
        await mushi.comment((e.data as any).report.id, 'Auto-paged on-call.', { visibleToReporter: false })
      }
    },
  },
})

const app = express()
app.post('/mushi/webhook', expressMiddleware(handler))
app.listen(3000)
```
```ts
import { Hono } from 'hono'
import { createPluginHandler, honoHandler } from '@mushi-mushi/plugin-sdk/hono'

const handler = createPluginHandler({
  secret: process.env.MUSHI_PLUGIN_SECRET!,
  on: { '*': async (e) => console.log(e.event, e.deliveryId) },
})

const app = new Hono()
app.post('/mushi/webhook', honoHandler(handler))
export default app
```
| Header | Value |
|---|---|
| X-Mushi-Event | Event name (e.g. `report.created`) |
| X-Mushi-Signature | `t=<unix-ms>,v1=<hex>` (Stripe-style) |
| X-Mushi-Project | Project UUID |
| X-Mushi-Plugin | Plugin slug (matches the marketplace listing) |
| X-Mushi-Delivery | Per-delivery UUID; safe as an idempotency key |
The `v1` signature is `HMAC_SHA256(secret, "${t}.${rawBody}")` in lowercase hex. Tolerance is 5 minutes by default and the comparison is performed in constant time.
The SDK ships two zero-dependency helpers used by every reference plugin:
`withRetry(fn, opts)`

Exponential back-off + bounded-additive jitter for outbound HTTP calls. Retries 429 (honouring Retry-After), 503, 504, other 5xx, and network errors; fails fast on other 4xx. Throw the raw Response object so the wrapper can read status + headers:
```ts
import { withRetry } from '@mushi-mushi/plugin-sdk'

const json = await withRetry(async () => {
  const res = await fetch(url, { method: 'POST', body })
  if (!res.ok) throw res // expose status + Retry-After
  return res.json()
}, { maxAttempts: 4, idempotencyKey: deliveryId })
```
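The retry policy described above, written out so the classification and back-off are testable offline. This is an added example, not the SDK's `withRetry`: `classifyFailure`, `backoffMs` and `withRetryLite` are names chosen here, and the injectable `rng`/`sleep` exist only to make the decisions deterministic.

```javascript
// Added example (not the SDK's withRetry): the retry rules the README states,
// with exponential back-off plus bounded-additive jitter.
const ALWAYS_RETRY = new Set([429, 503, 504]);

// Exponential floor capped at capMs, plus 0..jitterMs of additive jitter
// (the floor is never undercut, so retries still spread out under load).
function backoffMs(attempt, { baseMs = 200, capMs = 5000, jitterMs = 100, rng = Math.random } = {}) {
  const floor = Math.min(capMs, baseMs * 2 ** (attempt - 1));
  return floor + Math.floor(rng() * jitterMs);
}

// Decide whether a thrown value warrants a retry and how long to wait.
// A thrown Response-like object carries `status` and `headers.get`; anything
// without a numeric status is treated as a network error (fetch throws TypeError).
function classifyFailure(err, attempt, opts = {}) {
  if (err && typeof err.status === 'number') {
    const { status } = err;
    if (!ALWAYS_RETRY.has(status) && status < 500) {
      return { retry: false, reason: `fail-fast on ${status}` }; // other 4xx
    }
    const retryAfter = err.headers && typeof err.headers.get === 'function'
      ? err.headers.get('retry-after') : null;
    if (status === 429 && retryAfter && /^\d+$/.test(retryAfter)) {
      return { retry: true, delayMs: Number(retryAfter) * 1000, reason: 'honouring Retry-After' };
    }
    return { retry: true, delayMs: backoffMs(attempt, opts), reason: `retryable ${status}` };
  }
  return { retry: true, delayMs: backoffMs(attempt, opts), reason: 'network error' };
}

// Minimal wrapper: fn(attempt) is called up to maxAttempts times; the last error is rethrown.
async function withRetryLite(fn, { maxAttempts = 4, sleep = (ms) => new Promise((r) => setTimeout(r, ms)), ...opts } = {}) {
  let lastErr;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      return await fn(attempt);
    } catch (err) {
      lastErr = err;
      const decision = classifyFailure(err, attempt, opts);
      if (!decision.retry || attempt === maxAttempts) throw err;
      await sleep(decision.delayMs);
    }
  }
  throw lastErr;
}
```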
`assertFields(payload, required)` / `safeParseInbound(payload, required)`

Two type-narrowing guards for inbound webhook payloads. `assertFields` throws `TypeError`; `safeParseInbound` returns `{ ok, data | error }` for use at I/O boundaries.
Once your plugin is ready, submit it to the Mushi marketplace by opening a PR
that adds your plugin.json manifest under apps/admin/src/marketplace/.
A reviewer will validate the manifest, the public callback URL, and the
requested API permissions before listing it.
The Mushi monorepo ships open-source reference plugins built on this SDK; copy and adapt them as a starting point:

Project management / on-call

- `@mushi-mushi/plugin-pagerduty`: paged on critical events; auto-resolves on `fix.applied`.
- `@mushi-mushi/plugin-jira`: bidirectional Jira issue sync (HMAC-verified inbound webhook).
- `@mushi-mushi/plugin-linear`: bidirectional Linear sync.
- `@mushi-mushi/plugin-github-issues`: open + close GitHub Issues with the `mushi-bug` label.

Chat / notifications

- `@mushi-mushi/plugin-slack-app`: Block-Kit messages + Slack interaction handler.
- `@mushi-mushi/plugin-discord`: embed posts to a Discord webhook.
- `@mushi-mushi/plugin-msteams`: Adaptive Card 1.4 notifications.

Error monitoring (mirrored writes)

- `@mushi-mushi/plugin-sentry`: mirror reports into Sentry; resolve on fix.
- `@mushi-mushi/plugin-bugsnag`: Bugsnag Data API v2 mirror.
- `@mushi-mushi/plugin-rollbar`: Rollbar item mirror + auto-resolve.
- `@mushi-mushi/plugin-crashlytics`: close Crashlytics issues on fix.

Workflow

- `@mushi-mushi/plugin-zapier`: fan-out to any Zapier workflow via incoming webhook.

MIT