@checkstack/script-packages-backend 0.2.0 → 0.3.0

package/src/audit-scanner.ts

@@ -0,0 +1,156 @@
+import { spawn } from "bun";
+import { mkdir, writeFile, rm } from "node:fs/promises";
+import path from "node:path";
+import type {
+  AuditAdvisory,
+  PackageSpec,
+} from "@checkstack/script-packages-common";
+import { buildDependencies, buildStorePackageJson } from "./lockfile";
+import { renderNpmrc, type NpmrcInput } from "./npmrc";
+import { parseBunAudit } from "./audit-parse";
+
+/**
+ * Minimal subset of Bun's `spawn` the scanner relies on. Injectable so tests
+ * can assert on the spawn options (e.g. `BUN_INSTALL_CACHE_DIR`) without
+ * launching a real process.
+ */
+export interface SpawnHandle {
+  // The scanner always spawns with `stdout`/`stderr: "pipe"`, so both are
+  // readable streams (never fds).
+  stdout: ReadableStream<Uint8Array>;
+  stderr: ReadableStream<Uint8Array>;
+  exited: Promise<number>;
+}
+export interface SpawnOptions {
+  cmd: string[];
+  cwd: string;
+  env: Record<string, string | undefined>;
+  stdout: "pipe";
+  stderr: "pipe";
+}
+export type SpawnFn = (options: SpawnOptions) => SpawnHandle;
+
+/**
+ * Runs `bun audit --json` against the resolved script-packages tree, reusing
+ * the EXACT scratch / `.npmrc` / registry-config setup the installer's
+ * {@link createCentralResolver} uses (same `package.json`, same token-bearing
+ * `.npmrc`, same throwaway-scratch cleanup) so audit and install never drift
+ * on registry/auth config. The audit reports purely from the lockfile against
+ * the advisory DB - no install scripts run.
+ *
+ * The token-bearing scratch dir is removed on EVERY exit path (success OR
+ * throw) so the plaintext registry token never lingers on disk.
+ */
+
+export interface AuditScannerOptions {
+  /** Scratch dir for the audit (created + removed per scan). */
+  scratchDir: string;
+  /**
+   * Dedicated Bun cache dir to install into - MUST be the same
+   * `BUN_INSTALL_CACHE_DIR` the installer's resolver uses (`paths.cache`), so
+   * the audit reuses already-fetched packages instead of re-downloading into
+   * Bun's default global cache and drifting from the install path.
+   */
+  cacheDir: string;
+  /** Registry config (token already resolved from the secret store). */
+  registry: NpmrcInput;
+  /** Injectable spawn (defaults to Bun's `spawn`); for tests. */
+  spawnFn?: SpawnFn;
+}
+
+export interface AuditScanResult {
+  advisories: AuditAdvisory[];
+}
+
+function bunfigDisableAutoInstall(): string {
+  return '[install]\nauto = "disable"\n';
+}
+
+export interface AuditScanner {
+  scan(input: {
+    packages: PackageSpec[];
+    ignoreScripts: boolean;
+  }): Promise<AuditScanResult>;
+}
+
+export function createAuditScanner(options: AuditScannerOptions): AuditScanner {
+  return {
+    async scan({ packages, ignoreScripts }) {
+      const { scratchDir, cacheDir, registry } = options;
+      const spawnFn: SpawnFn = options.spawnFn ?? ((o) => spawn(o));
+
+      // No enabled packages → nothing to audit.
+      if (Object.keys(buildDependencies(packages)).length === 0) {
+        return { advisories: [] };
+      }
+
+      await rm(scratchDir, { recursive: true, force: true });
+      await mkdir(scratchDir, { recursive: true });
+      await mkdir(cacheDir, { recursive: true });
+
+      await writeFile(
+        path.join(scratchDir, "package.json"),
+        buildStorePackageJson(packages),
+      );
+      await writeFile(path.join(scratchDir, ".npmrc"), renderNpmrc(registry));
+      await writeFile(
+        path.join(scratchDir, "bunfig.toml"),
+        bunfigDisableAutoInstall(),
+      );
+
+      try {
+        // Install (writes bun.lock from the fully-pinned set) so audit has a
+        // lockfile to report against. `--ignore-scripts` keeps the
+        // supply-chain guardrail: audit reads the lockfile + advisory DB, it
+        // does not execute package code.
+        const installArgs = ["install"];
+        if (ignoreScripts) installArgs.push("--ignore-scripts");
+        const install = spawnFn({
+          cmd: [process.execPath, ...installArgs],
+          cwd: scratchDir,
+          env: { ...process.env, BUN_INSTALL_CACHE_DIR: cacheDir },
+          stdout: "pipe",
+          stderr: "pipe",
+        });
+        const [installStderr, installExit] = await Promise.all([
+          new Response(install.stderr).text(),
+          install.exited,
+        ]);
+        if (installExit !== 0) {
+          throw new Error(
+            `bun install (for audit) failed (exit ${installExit}): ${installStderr.slice(0, 800)}`,
+          );
+        }
+
+        // `bun audit --json` exit code is unreliable (non-zero even on a
+        // clean tree in some Bun versions), so we IGNORE it and parse stdout.
+        const audit = spawnFn({
+          cmd: [process.execPath, "audit", "--json"],
+          cwd: scratchDir,
+          env: { ...process.env, BUN_INSTALL_CACHE_DIR: cacheDir },
+          stdout: "pipe",
+          stderr: "pipe",
+        });
+        const [stdout, stderr] = await Promise.all([
+          new Response(audit.stdout).text(),
+          new Response(audit.stderr).text(),
+          audit.exited,
+        ]);
+
+        try {
+          return parseBunAudit(stdout);
+        } catch (parseError) {
+          // Surface Bun's own stderr (never the .npmrc / token) to aid
+          // diagnosis when the output wasn't parseable JSON.
+          throw new Error(
+            `Could not parse bun audit output: ${(parseError as Error).message}${
+              stderr ? ` (stderr: ${stderr.slice(0, 400)})` : ""
+            }`,
+          );
+        }
+      } finally {
+        await rm(scratchDir, { recursive: true, force: true }).catch(() => {});
+      }
+    },
+  };
+}

package/src/hooks.ts

@@ -1,7 +1,9 @@
 import { createHook } from "@checkstack/backend-api";
 import {
   SCRIPT_PACKAGES_CHANGED_HOOK_ID,
+  SCRIPT_SANDBOX_POLICY_CHANGED_HOOK_ID,
   type ScriptPackagesChangedPayload,
+  type SandboxPolicyChangedPayload,
 } from "@checkstack/script-packages-common";
 
 /**
@@ -18,3 +20,15 @@ import {
 export const scriptPackagesChangedHook = createHook<ScriptPackagesChangedPayload>(
   SCRIPT_PACKAGES_CHANGED_HOOK_ID,
 );
+
+/**
+ * Backend hook fired after a successful global sandbox-policy write.
+ *
+ * Core instances subscribe in `broadcast` mode (every pod receives it) and each
+ * pushes the new policy to its OWN connected satellites (push-on-change relay).
+ * Best-effort liveness; the durable policy row is the source of truth and a
+ * satellite re-pulls the relayed policy on (re)connect.
+ */
+export const sandboxPolicyChangedHook = createHook<SandboxPolicyChangedPayload>(
+  SCRIPT_SANDBOX_POLICY_CHANGED_HOOK_ID,
+);

package/src/index.ts

@@ -8,10 +8,16 @@ import {
 } from "./registry-token";
 import {
   pluginMetadata,
+  scriptPackagesAccess,
   scriptPackagesAccessRules,
   scriptPackagesContract,
+  SCRIPT_PACKAGES_AUDIT_COMPLETED_SIGNAL,
+  type AuditRunSummary,
   type BlobGcSummary,
 } from "@checkstack/script-packages-common";
+import type { SandboxPolicy } from "@checkstack/common";
+import { AuthApi } from "@checkstack/auth-common";
+import { NotificationApi } from "@checkstack/notification-common";
 import type { PluginMetadata } from "@checkstack/common";
 import { extractErrorMessage } from "@checkstack/common";
 import { blobStoreExtensionPoint, type BlobStore } from "./blob-store";
@@ -28,8 +34,11 @@ import {
   createBlobIndexStore,
   createBlobGcStateStore,
   createLockfileHistoryStore,
+  createAuditStore,
 } from "./stores";
 import { createBlobGcTrigger } from "./blob-gc-runner";
+import { createAuditRunner } from "./audit-runner";
+import { createAuditScanner } from "./audit-scanner";
 import {
   createInstallStateStore,
   createInstallerLock,
@@ -43,10 +52,23 @@ import { createCentralResolver } from "./resolver";
 import { resolveRegistryRequestConfig } from "./registry-request-config";
 import { createReconcileFsDeps } from "./reconcile-fs";
 import { reconcileToHash } from "./reconciler";
-import { scriptPackagesChangedHook } from "./hooks";
+import { scriptPackagesChangedHook, sandboxPolicyChangedHook } from "./hooks";
+import {
+  createSandboxPolicyService,
+  registerScriptPackagesSandboxProvider,
+} from "./sandbox-policy";
+import { logSandboxStartupReadiness } from "./sandbox-startup-log";
 import { createScriptPackagesRouter } from "./router";
 import { createTypeClosureHttpHandler } from "./type-acquisition-route";
-import { TYPE_ACQUISITION_PATH_PREFIX } from "@checkstack/script-packages-common";
+import { createSdkTypesHttpHandler } from "./sdk-types-route";
+import {
+  TYPE_ACQUISITION_PATH_PREFIX,
+  SDK_TYPES_PATH_PREFIX,
+} from "@checkstack/script-packages-common";
+import {
+  SDK_EDITOR_BUNDLE_DTS,
+  SDK_RELEASE_VERSION,
+} from "@checkstack/sdk/editor-bundle";
 import * as schema from "./schema";
 
 interface EnvStash {
@@ -57,6 +79,14 @@ interface EnvStash {
    * Undefined until `afterPluginsReady` runs.
    */
   emitChanged?: (lockfileHash: string) => Promise<void>;
+  /**
+   * Set in `afterPluginsReady` (where `emitHook` exists) and called by the
+   * `setSandboxPolicy` handler (wired in `init`) after a successful policy
+   * write, so core instances broadcast the new policy to their satellites.
+   * Undefined until `afterPluginsReady` runs (a write before then still
+   * persists durably; satellites pick it up on next connect).
+   */
+  emitSandboxPolicyChanged?: (policy: SandboxPolicy) => Promise<void>;
   /** Registry token store (internal secrets), set in `init`. */
   registryToken?: RegistryTokenStore;
   /**
@@ -64,6 +94,12 @@ interface EnvStash {
    * Reused by the scheduled recurring job registered in `afterPluginsReady`.
    */
   triggerBlobGc?: () => Promise<BlobGcSummary>;
+  /**
+   * Vulnerability-audit trigger built in `init` (wires the scanner, stores,
+   * installer lock, and notification path). Reused by the scheduled recurring
+   * job registered in `afterPluginsReady`.
+   */
+  triggerAudit?: () => Promise<AuditRunSummary>;
 }
 
 export default createBackendPlugin({
@@ -86,17 +122,23 @@ export default createBackendPlugin({
       deps: {
         logger: coreServices.logger,
         rpc: coreServices.rpc,
+        rpcClient: coreServices.rpcClient,
+        signalService: coreServices.signalService,
         auth: coreServices.auth,
         advisoryLock: coreServices.advisoryLock,
         queueManager: coreServices.queueManager,
+        config: coreServices.config,
         internalSecrets: internalSecretsRef,
       },
       init: async ({
         logger,
         database,
         rpc,
+        rpcClient,
+        signalService,
         auth,
         advisoryLock,
+        config,
         internalSecrets,
       }) => {
         logger.debug("📦 Initializing Script Packages Backend...");
@@ -148,6 +190,89 @@ export default createBackendPlugin({
         });
         (env as unknown as EnvStash).triggerBlobGc = triggerBlobGc;
 
+        // Vulnerability-audit trigger: shared by the admin `auditNow` RPC and
+        // the scheduled recurring job. Holds the installer lock for the pass
+        // (mutually exclusive with installs / migrations / GC). Reuses the
+        // installer's registry/`.npmrc` resolution so audit + install never
+        // drift, and records advisories to the plugin's own Postgres tables
+        // (cluster-wide source of truth; the on-disk tree is pod-local).
+        const auditStore = createAuditStore(database);
+        const authClient = rpcClient.forPlugin(AuthApi);
+        const notificationClient = rpcClient.forPlugin(NotificationApi);
+        const triggerAudit = createAuditRunner({
+          installerLock,
+          auditStore,
+          loadCurrent: async () => {
+            const state = await installState.load();
+            const reg = await registry.get();
+            const list = await packages.list();
+            return {
+              lockfileHash: state.lockfileHash,
+              packages: list.map((p) => ({
+                name: p.name,
+                version: p.version,
+                enabled: p.enabled,
+              })),
+              ignoreScripts: reg.ignoreScripts,
+            };
+          },
+          scan: async ({ packages: pkgs, ignoreScripts }) => {
+            const reqConfig = await resolveRegistryRequestConfig({
+              registry,
+              registryToken,
+              logger,
+            });
+            const paths = storePaths(storeRoot);
+            const scanner = createAuditScanner({
+              scratchDir: path.join(paths.root, ".audit-scratch"),
+              // Same shared cache the installer's resolver uses, so the audit
+              // reuses already-fetched packages instead of re-downloading.
+              cacheDir: paths.cache,
+              registry: {
+                registryUrl: reqConfig.registryUrl,
+                scopedRegistries: reqConfig.scopedRegistries,
+                authToken: reqConfig.authToken,
+              },
+            });
+            return scanner.scan({
+              packages: pkgs.map((p) => ({
+                name: p.name,
+                version: p.version,
+                enabled: p.enabled,
+              })),
+              ignoreScripts,
+            });
+          },
+          getUserIds: async () => {
+            const users = await authClient.getUsers();
+            return users.map((u) => u.id);
+          },
+          filterManagers: (userIds) =>
+            authClient.filterUsersByAccessRule({
+              userIds,
+              accessRule: scriptPackagesAccess.manage.id,
+            }),
+          notifyUser: async ({ userId, title, body, importance, action }) => {
+            // sendTransactional's importance vocabulary is info|warning|critical.
+            const notification: {
+              title: string;
+              body: string;
+              importance: "info" | "warning" | "critical";
+              action?: { label: string; url: string };
+            } = { title, body, importance };
+            if (action) notification.action = action;
+            await notificationClient.sendTransactional({ userId, notification });
+          },
+          emitCompleted: async ({ lockfileHash, total }) => {
+            await signalService.broadcast(
+              SCRIPT_PACKAGES_AUDIT_COMPLETED_SIGNAL,
+              { lockfileHash, total },
+            );
+          },
+          logger,
+        });
+        (env as unknown as EnvStash).triggerAudit = triggerAudit;
+
         // Build the install orchestration. The resolver + active blob store
         // are resolved lazily at install time so config/registry changes
         // and store-plugin registration order don't matter.
@@ -254,6 +379,31 @@ export default createBackendPlugin({
           return { started: true };
         };
 
+        // GLOBAL sandbox policy: the single owning row lives in THIS plugin's
+        // ConfigService (shared Postgres, NOT pod-local). script-packages is
+        // the single source of truth — it registers the one process-wide policy
+        // provider that every script runner on this pod resolves through, so
+        // both script plugins read the identical value (no more last-writer-wins
+        // across two plugin-scoped rows). The runners FAIL CLOSED if this read
+        // throws, so a transient DB error never widens the sandbox.
+        const sandboxPolicy = createSandboxPolicyService({
+          configService: config,
+        });
+        registerScriptPackagesSandboxProvider({ service: sandboxPolicy });
+
+        // One-time, per-pod startup observability for the script sandbox: the
+        // host readiness banner AND the capability/effective-enforcement line
+        // for the configured global default. Both surfaces are emitted here, in
+        // process, by the single policy owner — the policy is read through the
+        // in-process `sandboxPolicy.read()` closure with NO RPC. This replaces
+        // the old per-script-plugin `getSandboxPolicy` RPC log, which 404'd when
+        // a script plugin's init ran before this plugin had mounted its router.
+        // Best-effort: never throws, never relaxes enforcement.
+        await logSandboxStartupReadiness({
+          logger,
+          readPolicy: () => sandboxPolicy.read(),
+        });
+
         const router = createScriptPackagesRouter({
           db: database,
           blobStores,
@@ -261,7 +411,18 @@ export default createBackendPlugin({
           triggerInstall,
           triggerMigration,
           triggerBlobGc,
+          triggerAudit,
           registryToken,
+          sandboxPolicy,
+          // Push-on-change: broadcast the new policy to all connected
+          // satellites via the cluster-wide hook (each pod fans it out to its
+          // own satellites). No-op until `afterPluginsReady` wires `emitHook`;
+          // the durable row + connect-time relay are the backstop.
+          onSandboxPolicyChanged: async (policy) => {
+            await (env as unknown as EnvStash).emitSandboxPolicyChanged?.(
+              policy,
+            );
+          },
         });
         rpc.registerRouter(router, scriptPackagesContract);
 
@@ -282,6 +443,21 @@ export default createBackendPlugin({
           TYPE_ACQUISITION_PATH_PREFIX,
         );
 
+        // Raw, HTTP-cacheable route serving the running release's generated
+        // @checkstack/sdk editor bundle for the in-app script editor. Keyed by
+        // the running release version so a deployment upgrade refreshes the
+        // editor's SDK types (never stale); mismatched version -> 409.
+        // Mounted at `/api/script-packages/sdk-types/:releaseVersion`.
+        rpc.registerHttpHandler(
+          createSdkTypesHttpHandler({
+            auth,
+            getReleaseVersion: () => SDK_RELEASE_VERSION,
+            getSdkBundle: () => SDK_EDITOR_BUNDLE_DTS,
+            logger,
+          }),
+          SDK_TYPES_PATH_PREFIX,
+        );
+
         logger.debug("✅ Script Packages Backend initialized.");
       },
 
@@ -379,6 +555,13 @@ export default createBackendPlugin({
           await emitHook(scriptPackagesChangedHook, { lockfileHash });
         };
 
+        // Let the `setSandboxPolicy` handler (in init's router) broadcast the
+        // new global policy cluster-wide; each core pod's broadcast subscriber
+        // (in satellite-backend) pushes it to its own connected satellites.
+        stash.emitSandboxPolicyChanged = async (policy) => {
+          await emitHook(sandboxPolicyChangedHook, { policy });
+        };
+
         // Reconcile this instance to a desired hash using the shared blob
         // store (delta pull from whichever backend holds each blob).
         const reconcileLocal = async (input: {
@@ -483,6 +666,49 @@ export default createBackendPlugin({
           }
         }
 
+        // Scheduled recurring vulnerability audit: run `bun audit` against the
+        // installed tree, persist advisories (cluster-wide source of truth),
+        // and notify `script-packages.manage` holders about newly-appeared /
+        // escalated advisories. The trigger (built in `init`) holds the
+        // installer advisory lock for the pass, so exactly one pod audits at a
+        // time and it is mutually exclusive with installs / migrations / GC.
+        // Runs daily (an admin-configurable interval is a follow-up).
+        const triggerAudit = stash.triggerAudit;
+        if (triggerAudit) {
+          try {
+            const auditQueue = queueManager.getQueue<Record<string, never>>(
+              "script-packages-audit",
+            );
+            await auditQueue.consume(
+              async () => {
+                const summary = await triggerAudit();
+                if (summary.ran) {
+                  logger.debug(
+                    `Scheduled audit: ${summary.total} advisor(ies), ${summary.notified} notified.`,
+                  );
+                } else {
+                  logger.debug(
+                    `Scheduled audit skipped: ${summary.reason ?? "unknown"}.`,
+                  );
+                }
+              },
+              { consumerGroup: "script-packages-audit-worker", maxRetries: 0 },
+            );
+            await auditQueue.scheduleRecurring(
+              {},
+              {
+                jobId: "script-packages-audit-daily",
+                intervalSeconds: 24 * 60 * 60,
+              },
+            );
+            logger.debug("🛡️ Script-packages vulnerability audit scheduled (daily).");
+          } catch (error) {
+            logger.error(
+              `Failed to schedule vulnerability audit: ${extractErrorMessage(error)}`,
+            );
+          }
+        }
+
         logger.debug("✅ Script Packages Backend afterPluginsReady complete.");
       },
     });
@@ -548,7 +774,16 @@ export {
   type ReconcileDeps,
   type ReconcileResult,
 } from "./reconciler";
-export { scriptPackagesChangedHook } from "./hooks";
+export { scriptPackagesChangedHook, sandboxPolicyChangedHook } from "./hooks";
+export {
+  createSandboxPolicyService,
+  registerScriptPackagesSandboxProvider,
+  type SandboxPolicyService,
+} from "./sandbox-policy";
+export {
+  logSandboxStartupReadiness,
+  type SandboxStartupLogger,
+} from "./sandbox-startup-log";
 export {
   createCentralResolver,
   type CentralResolverOptions,
@@ -561,6 +796,10 @@ export {
   extractReferences,
 } from "./package-types";
 export { createTypeClosureHttpHandler } from "./type-acquisition-route";
+export {
+  createSdkTypesHttpHandler,
+  SDK_BUNDLE_VIRTUAL_PATH,
+} from "./sdk-types-route";
 export {
   resolveResolutionRoot,
   resolveResolutionRootForHost,
@@ -590,5 +829,27 @@ export { sweepTreeGc, type TreeGcResult } from "./tree-gc";
 export {
   createLockfileHistoryStore,
   createBlobGcStateStore,
+  createAuditStore,
+  type AuditStore,
 } from "./stores";
+export {
+  parseBunAudit,
+  countBySeverity,
+  meetsThreshold,
+  type ParseAuditResult,
+} from "./audit-parse";
+export {
+  computeAuditDelta,
+  advisoryKey,
+  type AuditDeltaInput,
+  type AuditDeltaResult,
+} from "./audit-delta";
+export {
+  createAuditScanner,
+  type AuditScanner,
+  type AuditScannerOptions,
+  type AuditScanResult,
+  type SpawnFn,
+} from "./audit-scanner";
+export { createAuditRunner, type AuditRunnerDeps } from "./audit-runner";
 export * as schema from "./schema";

package/src/router.ts

@@ -10,9 +10,12 @@ import {
 import type { RegistryTokenStore } from "./registry-token";
 import {
   scriptPackagesContract,
+  type AuditRunSummary,
   type BlobGcSummary,
 } from "@checkstack/script-packages-common";
 import type { BlobStoreRegistry } from "./blob-store-registry";
+import type { SandboxPolicyService } from "./sandbox-policy";
+import type { SandboxPolicy } from "@checkstack/common";
 import {
   createPackageStore,
   createRegistryConfigStore,
@@ -20,6 +23,7 @@ import {
   createStorageConfigStore,
   createSatelliteStateStore,
   createBlobGcStateStore,
+  createAuditStore,
 } from "./stores";
 import { createInstallStateStore } from "./install-state-store";
 import { resolveRegistryRequestConfig } from "./registry-request-config";
@@ -50,11 +54,28 @@ export interface ScriptPackagesRouterDeps {
    * (wires the blob stores + retention/grace). Returns a summary.
    */
   triggerBlobGc(): Promise<BlobGcSummary>;
+  /**
+   * Run a vulnerability-audit pass on demand (elected via the installer
+   * advisory lock; refuses while an install / migration / GC is in flight).
+   * Provided by the plugin (wires the scanner + notification path).
+   */
+  triggerAudit(): Promise<AuditRunSummary>;
   /**
    * Registry auth-token store, backed by the secrets platform's internal
    * secrets. Provided by the plugin (which injects `internalSecretsRef`).
    */
   registryToken: RegistryTokenStore;
+  /**
+   * The GLOBAL script-sandbox policy service (single owning row). Powers the
+   * admin `getSandboxPolicy` / `setSandboxPolicy` endpoints.
+   */
+  sandboxPolicy: SandboxPolicyService;
+  /**
+   * Called after a successful `setSandboxPolicy` with the resolved policy, so
+   * the plugin can broadcast it to all connected satellites (push-on-change).
+   * Provided by the plugin (wires the broadcast hook).
+   */
+  onSandboxPolicyChanged(policy: SandboxPolicy): Promise<void>;
 }
 
 export function createScriptPackagesRouter({
@@ -64,7 +85,10 @@ export function createScriptPackagesRouter({
   triggerInstall,
   triggerMigration,
   triggerBlobGc,
+  triggerAudit,
   registryToken,
+  sandboxPolicy,
+  onSandboxPolicyChanged,
 }: ScriptPackagesRouterDeps) {
   const packages = createPackageStore(db);
   const registry = createRegistryConfigStore(db);
@@ -73,6 +97,7 @@ export function createScriptPackagesRouter({
   const satellites = createSatelliteStateStore(db);
   const installState = createInstallStateStore(db);
   const blobGcState = createBlobGcStateStore(db);
+  const auditStore = createAuditStore(db);
 
   const os = implement(scriptPackagesContract)
     .$context<RpcContext>()
@@ -221,6 +246,17 @@ export function createScriptPackagesRouter({
 
     getBlobGcState: os.getBlobGcState.handler(async () => blobGcState.get()),
 
+    // ─── Vulnerability audit ──────────────────────────────────────────────
+    getAuditState: os.getAuditState.handler(async () => {
+      const state = await auditStore.getState();
+      const advisories = state.lockfileHash
+        ? await auditStore.advisoriesForHash(state.lockfileHash)
+        : [];
+      return { state, advisories };
+    }),
+
+    auditNow: os.auditNow.handler(async () => triggerAudit()),
+
     // ─── Per-host status ──────────────────────────────────────────────────
     listSatelliteSyncState: os.listSatelliteSyncState.handler(async () => ({
       items: await satellites.list(),
@@ -233,6 +269,19 @@ export function createScriptPackagesRouter({
       },
     ),
 
+    // ─── Global sandbox policy (admin-only) ───────────────────────────────
+    getSandboxPolicy: os.getSandboxPolicy.handler(async () =>
+      sandboxPolicy.read(),
+    ),
+
+    setSandboxPolicy: os.setSandboxPolicy.handler(async ({ input }) => {
+      const resolved = await sandboxPolicy.write(input);
+      // Push-on-change: relay the new policy to all connected satellites. The
+      // broadcast is best-effort liveness; satellites re-pull on (re)connect.
+      await onSandboxPolicyChanged(resolved);
+      return resolved;
+    }),
+
     // ─── Authoring / runtime ──────────────────────────────────────────────
     getInstallState: os.getInstallState.handler(async () => installState.load()),