Publishing & distribution
How to publish a Nextly plugin, how plugins are discovered, and the trust model behind v1.
Nextly plugins are plain npm packages, registered in code (D0). There is no marketplace, no UI-install, and no runtime sandbox in v1 — distribution and trust ride entirely on npm.
Publish
- Build with tsup to ESM dist/ (first-party plugins are ESM-only — see the note below).
- Set package metadata:
  - "type": "module" and an exports map (include ./admin if you ship admin components, like the scaffold does).
  - "files": ["dist"] so the embedded dev/ playground never publishes.
- Add the nextly-plugin keyword (this is how plugins are discovered, D42).
- List nextly (and @nextlyhq/admin/react if you have admin UI) as peerDependencies, and declare a nextly core-compatibility range in your definePlugin (e.g. "^1 || ^2", boot-checked, D6).
- npm publish.

// package.json (essentials)
{
  "type": "module",
  "keywords": ["nextly-plugin"],
  "files": ["dist"],
  "exports": {
    ".": { "types": "./dist/index.d.ts", "import": "./dist/index.mjs" },
    "./admin": { "types": "./dist/admin.d.ts", "import": "./dist/admin.mjs" }
  },
  "peerDependencies": { "nextly": "^1" }
}

ESM-only: first-party plugins ship ESM only. CommonJS tooling importing them gets ERR_PACKAGE_PATH_NOT_EXPORTED. Either keep your consuming tooling ESM, or ship a dual (ESM+CJS) build if you must support CJS consumers.
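
A pre-publish check for the metadata steps above, as an added example that is not part of Nextly or its SDK. lintPluginManifest is a hypothetical helper, it assumes a subpath-keyed exports map like the one on this page, and the second manifest is constructed for the demonstration.

```javascript
// Added example; lintPluginManifest is a hypothetical helper, not a Nextly API.
// It checks a parsed package.json against the publish checklist on this page.
function lintPluginManifest(pkg) {
  const findings = [];
  if (pkg.type !== "module") findings.push('"type" is not "module"');

  const exportsMap =
    pkg.exports && typeof pkg.exports === "object" ? pkg.exports : {};
  if (!("." in exportsMap)) findings.push('"exports" has no "." entry');
  for (const [subpath, target] of Object.entries(exportsMap)) {
    // Each entry needs an ESM "import" target inside dist/, the published dir.
    const entry = target && typeof target === "object" ? target.import : target;
    if (typeof entry !== "string" || !entry.startsWith("./dist/")) {
      findings.push(`exports["${subpath}"] does not import from ./dist/`);
    }
  }

  // "files" is the allow-list for the tarball; anything but dist widens it.
  const files = Array.isArray(pkg.files) ? pkg.files : [];
  const extra = files.filter(
    (f) => f.replace(/^\.\//, "").replace(/\/+$/, "") !== "dist"
  );
  if (files.length === 0) findings.push('"files" is missing or empty');
  else if (extra.length) findings.push(`"files" ships more than dist: ${extra.join(", ")}`);

  if (!(Array.isArray(pkg.keywords) && pkg.keywords.includes("nextly-plugin"))) {
    findings.push('missing "nextly-plugin" keyword');
  }
  if (!(pkg.peerDependencies && pkg.peerDependencies.nextly)) {
    findings.push('"nextly" is not a peerDependency');
  }
  return findings;
}

// The essentials manifest from this page.
const pageManifest = {
  type: "module", keywords: ["nextly-plugin"], files: ["dist"],
  exports: {
    ".": { types: "./dist/index.d.ts", import: "./dist/index.mjs" },
    "./admin": { types: "./dist/admin.d.ts", import: "./dist/admin.mjs" },
  },
  peerDependencies: { nextly: "^1" },
};
// Constructed counter-example: CJS-only entry, dev/ shipped, no keyword, no peer dep.
const badManifest = {
  exports: { ".": { require: "./dist/index.cjs" } },
  files: ["dist", "dev"],
  dependencies: { nextly: "^1" },
};
console.log(lintPluginManifest(pageManifest), lintPluginManifest(badManifest));
```
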
Configuration & secrets
Plugin options are passed where the plugin is registered (defineConfig({ plugins: [myPlugin({ ... })] })). For sensitive values, read from the environment and wrap them with secret() (D37) so they auto-redact in logs, JSON, and inspection — the real value is only available via .reveal():

import { secret } from "@nextlyhq/plugin-sdk";
myPlugin({ apiKey: secret(process.env.ACME_API_KEY) });

secret() is currently @experimental. Never hard-code secrets in config or commit them.
Discovery (D42)
In v1, plugins are found through:
- npm — search the nextly-plugin keyword.
- The Nextly docs — first-party and notable community plugins are listed on the plugins index. To get a community plugin listed, see Contributing a plugin.
- GitHub — the nextly-plugin topic.
There is intentionally no in-app gallery or one-click install yet.
Trust model (D34)
v1 is full-trust: a plugin runs with the same access as your application code. There is no sandbox and no verification gate — installing a plugin is exactly as much a trust decision as adding any npm dependency. Vet plugins the way you vet dependencies: read the source, check the maintainer, pin versions.
Sandboxing, verification, and a curated marketplace are deferred to a post-v1 milestone — they're designed-for, not shipped. Until then, trust is npm trust, stated honestly.
See also: API stability · Contributing a plugin.