Currently, permissions are tied to a plugin (i.e. a plugin reports its required permissions) and not tied to an enabled plugin (i.e. account enables plugins with some permissions). I think that this distinction is important to make as a plugin may partially work with reduced permissions, so "required permissions" should just be the minimum permissions required for the plugin to work, and not all the permissions that a plugin can make use of.
As an example use case:
Let's say that you want a ERC-4337 plugin. User 1 wants to allow the EntryPoint to execute transactions on behalf of the account, but does not want to allow the EntryPoint to modify account settings (so no CALL_TO_SELF or EXECUTE_DELEGATECALL permissions). User 2 wants to use the same plugin, but is OK with giving the Entrypoint full control over the account, so it would enable all permissions.
In that use-case, you would have to deploy at least 2 different plugins with different permission bits set in order to support both users. One solution would be to potentially not include the requiredPermissions as part of the plugin itself but rather have the permissions set when the plugin is enabled. The details of which permissions are required and which are optional can also be included in metadata and doesn't need to be completely "machine readable".
Not necessarily suggesting that something should change, just documenting a potentially not covered use-case that may be worth considering.
Currently, permissions are tied to a plugin (i.e. a plugin reports its required permissions) and not tied to an enabled plugin (i.e. account enables plugins with some permissions). I think that this distinction is important to make as a plugin may partially work with reduced permissions, so "required permissions" should just be the minimum permissions required for the plugin to work, and not all the permissions that a plugin can make use of.
As an example use case:
In that use-case, you would have to deploy at least 2 different plugins with different permission bits set in order to support both users. One solution would be to potentially not include the
requiredPermissionsas part of the plugin itself but rather have the permissions set when the plugin is enabled. The details of which permissions are required and which are optional can also be included in metadata and doesn't need to be completely "machine readable".Not necessarily suggesting that something should change, just documenting a potentially not covered use-case that may be worth considering.