Orbis: Building a Plugin-Driven Desktop Platform with Rust and React

Published: 23 hours ago (December 27, 2025 at 10:40 PM EST)

5 min read

Source: Dev.to

Source: Dev.to

The Pain of Existing Plugin Systems

If you’ve ever developed plugins for tools like VS Code, IntelliJ, or Figma, you know the pain:

Unfamiliar environment – every platform has its own APIs, quirks, and limitations.
UI is hard – you either get limited UI primitives or have to learn yet another framework.
Security is an afterthought – most plugin systems trust plugin code implicitly.
State management becomes spaghetti – coordinating between plugin state and host‑application state is a nightmare.

I wanted to solve all of these problems without sacrificing performance, so the answer is Rust.

A Radical Idea: Plugins Ship JSON Schemas, Not React Code

{
  "type": "Container",
  "children": [
    {
      "type": "Heading",
      "level": 1,
      "text": "Hello, {{state.username}}!"
    },
    {
      "type": "Button",
      "label": "Count: {{state.clicks}}",
      "events": {
        "onClick": [
          {
            "type": "updateState",
            "path": "clicks",
            "value": "{{state.clicks + 1}}"
          }
        ]
      }
    }
  ]
}

That’s it. No JSX, no bundlers, no framework lock‑in. The Orbis core interprets this schema and renders production‑ready React components using shadcn/ui.

Controlled Action System

Because plugins can’t ship arbitrary JavaScript, they can’t run arbitrary JavaScript. Every interaction goes through a controlled action system:

Want to make an API call? Use the call_api action.
Want to navigate? Use the navigate action.

The core validates every action before execution.

Consistent, Native‑Feeling UI

All plugins render through the same component library, eliminating jarring UI mismatches (e.g., one plugin using Material Design while another uses Bootstrap).

You don’t need to be a frontend developer to create a plugin.
If you can write JSON (or eventually our custom DSL), you can build a UI.

Layered Architecture

┌─────────────────────────────────────────────────┐
│                 User Interface                  │
│              (Plugin Pages & UI)                │
├─────────────────────────────────────────────────┤
│              Frontend Layer                     │
│   Schema Renderer │ Zustand State │ Actions     │
├─────────────────────────────────────────────────┤
│               Backend Layer                     │
│   Tauri Commands │ Plugin Runtime │ Auth        │
├─────────────────────────────────────────────────┤
│              Plugin System                      │
│   WASM Sandbox │ Manifests │ UI Schemas        │
├─────────────────────────────────────────────────┤
│              Storage Layer                      │
│   SQLite │ PostgreSQL                           │
└─────────────────────────────────────────────────┘

Frontend

Built with React.
Uses Zustand for state management.
Isolated state per plugin page – no global state pollution.

// Simplified: each page gets its own isolated state store
const pageStore = createPageStateStore({
  username: "Guest",
  clicks: 0
});

Backend

Pure Rust, using Tauri for the desktop wrapper and Axum for the HTTP server.
Benefits:
- Native performance – no Electron bloat.
- Memory safety – Rust’s guarantees extend to plugins.
- Cross‑platform – Windows, macOS, Linux from a single codebase.

WASM Sandboxing

Plugins are compiled to WASM and run in wasmtime sandboxes, which provide:

No filesystem access without permission.
No network requests without permission.
No crashes that affect the host application.
Isolated memory spaces.

Built‑In UI Components

Out of the box, Orbis provides:

Layout Components
Form Components
Display Components
Interactive Components

Each maps to a well‑tested shadcn/ui implementation, giving you accessibility, keyboard navigation, and modern UI patterns for free.

Actions – How Plugins Interact with the World

{
  "type": "call_api",
  "api": "users.list",
  "method": "GET",
  "onSuccess": [
    {
      "type": "update_state",
      "path": "users",
      "value": "{{$response.body.data}}"
    }
  ]
}

Available Actions

Action	Description
`update_state`	Modify page state
`call_api`	Make HTTP requests
`navigate`	Change routes
`show_toast`	Display toast notifications
`show_dialog` / `close_dialog`	Handle modals
`validate_form` / `reset_form`	Manage form states
`conditional`	If/else logic
…	More coming soon

Storage Options

Single‑user desktop apps – embedded SQLite (zero external dependencies).
Multi‑user apps – connect to a central Orbis server with PostgreSQL backend, full authentication, session management, etc.

Security – Baked In, Not Added On

Secure authentication – JWT tokens with Argon2 password hashing.
Session management – Secure handling with refresh tokens.
WASM sandboxing – Isolated plugin execution.
TLS support – Optional HTTPS with rustls (no OpenSSL or other system dependencies).

Roadmap

Milestone	Description
Plugin Marketplace	Discover and install plugins with one click
Inter‑Plugin Communication	Secure message passing between plugins
Custom DSL	Cleaner syntax than JSON for page definitions
Full GUI Override	Allow plugins to completely replace the default UI
Auto‑Updates	Leverage Tauri’s built‑in updater for seamless updates
…	More features in the pipeline

Updates

Check out the full roadmap for upcoming features

Clone the Repository

git clone https://github.com/cyberpath-HQ/orbis
cd orbis

Install Frontend Dependencies

cd orbis && bun install

Run in Development Mode

bun run tauri dev

Your First Plugin Can Be As Simple As

{
  "name": "hello-world",
  "version": "0.1.0",
  "pages": [
    {
      "id": "main",
      "title": "Hello World",
      "route": "/hello",
      "state": {
        "message": { "type": "string", "default": "Hello, Orbis!" }
      },
      "layout": {
        "type": "Container",
        "children": [
          {
            "type": "Heading",
            "text": "{{state.message}}"
          }
        ]
      }
    }
  ]
}

Why Rust?

The choice of Rust wasn’t arbitrary. Beyond the performance benefits, Rust’s ownership model ensures:

No data races in our plugin runtime
Predictable memory usage
Fearless concurrency for plugin execution
Compile‑time guarantees that would be runtime errors elsewhere

Plus, the Rust ecosystem for WASM is mature:

Wasmtime – battle‑tested sandbox
Tauri – lean desktop wrapper
Axum – fast async HTTP server

What Orbis Offers

Orbis represents a new approach to extensible desktop applications. By separating the what (JSON schemas) from the how (React rendering), we’ve created a platform where:

Plugin developers focus on functionality, not framework quirks
Users get consistent, secure, beautiful applications
The core team can evolve the rendering layer without breaking plugins

If you’re building a desktop application that needs to be extended—whether it’s an internal tool, a developer utility, or a full product—give Orbis a try.

Resources

Website: orbis.cyberpath-hq.com
GitHub: github.com/cyberpath-HQ/orbis
Documentation: orbis.cyberpath-hq.com/docs
Issues & Discussions: GitHub Issues

If you found this interesting, follow for more deep dives into Rust, security, and developer tooling. And if you build something with Orbis, I’d love to see it!