Open
Labels: enhancement (New feature or request)
Description
Problem
Currently paid features (licensing.py, runtime rules, REST API) are gitignored stubs inside the free repo's directory structure. This causes two issues:
- Contributor UX — anyone who installs or tests paid features sees a dirty git status with files they can't commit. Creates confusion and friction for contributors.
- No clean separation — the free package has empty slots for paid code rather than being fully self-contained.
Proposed Solution
Move paid code into a completely separate package (medusa-pro) that installs alongside the free package as a plugin.
Plugin detection pattern
    # medusa/__init__.py
    try:
        import medusa_pro
        medusa_pro.register()  # injects licensing, runtime rules, API
    except ImportError:
        pass  # free tier, fully functional

Install experience
    # Free (open source, this repo)
    pip install medusa
    uv add medusa

    # Paid (private repo/index)
    pip install medusa-pro --index-url https://pkg.pantheonsecurity.dev
    uv add medusa-pro --index https://pkg.pantheonsecurity.dev

Benefits
- Free repo is 100% clean — no gitignored paid stubs
- Contributors never see dirty working tree
- Clear open core boundary
- License key can double as private index auth token
- medusa-pro can be versioned and released independently
Work Required
- Remove licensing.py, api/, runtime rule stubs from free repo gitignore (they move to private repo entirely)
- Add plugin discovery hook in medusa/__init__.py
- Create medusa-pro private repo with plugin registration
- Set up private package index (Cloudflare Worker or GitHub Packages)
- Update CONTRIBUTING.md with architecture explanation
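A variant of the plugin detection pattern above, as an added example that is not part of the original issue or the project's code. It goes one step beyond the proposed try/except by separating "medusa_pro is not installed" (free tier) from "medusa_pro is installed but fails to import or register", so a broken paid install is reported instead of silently running without its runtime rules. The names `load_pro_plugin`, `demo` and the `demo_*` modules are assumptions made for illustration.

```python
import importlib
import importlib.util
import logging
import pathlib
import sys
import tempfile

log = logging.getLogger("medusa.plugins")  # logger name is an assumption


def load_pro_plugin(module_name="medusa_pro"):
    """Return "free" or "pro"; raise if the plugin is installed but unusable."""
    # None means no such top-level package is installed: the free tier.
    if importlib.util.find_spec(module_name) is None:
        return "free"
    try:
        plugin = importlib.import_module(module_name)
    except ImportError as exc:
        # The package exists but one of its own imports failed. Falling back
        # to the free tier here would hide a broken paid install.
        raise RuntimeError(f"{module_name} is installed but failed to import: {exc}") from exc
    register = getattr(plugin, "register", None)
    if not callable(register):
        raise RuntimeError(f"{module_name} has no callable register()")
    register()
    # Recording where the module was loaded from makes a stray local file
    # that shadows the installed package visible in the logs.
    log.info("loaded %s from %s", module_name, getattr(plugin, "__file__", "?"))
    return "pro"


def demo():
    """Exercise the hook with constructed stand-in modules (not the real medusa_pro)."""
    d = pathlib.Path(tempfile.mkdtemp())
    (d / "demo_pro_ok.py").write_text(
        "calls = []\ndef register():\n    calls.append('registered')\n")
    (d / "demo_pro_broken.py").write_text("import demo_missing_dependency\n")
    sys.path.insert(0, str(d))
    importlib.invalidate_caches()  # make the freshly written files importable
    results = {"absent": load_pro_plugin("demo_pro_not_installed"),
               "ok": load_pro_plugin("demo_pro_ok")}
    try:
        load_pro_plugin("demo_pro_broken")
    except RuntimeError as exc:
        results["broken"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```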