@objectstack/core 1.0.2 → 1.0.5

package/dist/index.cjs

@@ -0,0 +1,4294 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ApiRegistry: () => ApiRegistry,
+  DependencyResolver: () => DependencyResolver,
+  HotReloadManager: () => HotReloadManager,
+  LiteKernel: () => LiteKernel,
+  ObjectKernel: () => ObjectKernel,
+  ObjectKernelBase: () => ObjectKernelBase,
+  ObjectLogger: () => ObjectLogger,
+  PluginConfigValidator: () => PluginConfigValidator,
+  PluginHealthMonitor: () => PluginHealthMonitor,
+  PluginLoader: () => PluginLoader,
+  PluginPermissionEnforcer: () => PluginPermissionEnforcer,
+  PluginPermissionManager: () => PluginPermissionManager,
+  PluginSandboxRuntime: () => PluginSandboxRuntime,
+  PluginSecurityScanner: () => PluginSecurityScanner,
+  PluginSignatureVerifier: () => PluginSignatureVerifier,
+  QA: () => qa_exports,
+  SecurePluginContext: () => SecurePluginContext,
+  SemanticVersionManager: () => SemanticVersionManager,
+  ServiceLifecycle: () => ServiceLifecycle,
+  createApiRegistryPlugin: () => createApiRegistryPlugin,
+  createLogger: () => createLogger,
+  createPluginConfigValidator: () => createPluginConfigValidator,
+  createPluginPermissionEnforcer: () => createPluginPermissionEnforcer,
+  getEnv: () => getEnv,
+  getMemoryUsage: () => getMemoryUsage,
+  isNode: () => isNode,
+  safeExit: () => safeExit
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/kernel-base.ts
+var ObjectKernelBase = class {
+  constructor(logger) {
+    this.plugins = /* @__PURE__ */ new Map();
+    this.services = /* @__PURE__ */ new Map();
+    this.hooks = /* @__PURE__ */ new Map();
+    this.state = "idle";
+    this.logger = logger;
+  }
+  /**
+   * Validate kernel state
+   * @param requiredState - Required state for the operation
+   * @throws Error if current state doesn't match
+   */
+  validateState(requiredState) {
+    if (this.state !== requiredState) {
+      throw new Error(
+        `[Kernel] Invalid state: expected '${requiredState}', got '${this.state}'`
+      );
+    }
+  }
+  /**
+   * Validate kernel is in idle state (for plugin registration)
+   */
+  validateIdle() {
+    if (this.state !== "idle") {
+      throw new Error("[Kernel] Cannot register plugins after bootstrap has started");
+    }
+  }
+  /**
+   * Create the plugin context
+   * Subclasses can override to customize context creation
+   */
+  createContext() {
+    return {
+      registerService: (name, service) => {
+        if (this.services instanceof Map) {
+          if (this.services.has(name)) {
+            throw new Error(`[Kernel] Service '${name}' already registered`);
+          }
+          this.services.set(name, service);
+        } else {
+          this.services.register(name, service);
+        }
+        this.logger.info(`Service '${name}' registered`, { service: name });
+      },
+      getService: (name) => {
+        if (this.services instanceof Map) {
+          const service = this.services.get(name);
+          if (!service) {
+            throw new Error(`[Kernel] Service '${name}' not found`);
+          }
+          return service;
+        } else {
+          return this.services.get(name);
+        }
+      },
+      hook: (name, handler) => {
+        if (!this.hooks.has(name)) {
+          this.hooks.set(name, []);
+        }
+        this.hooks.get(name).push(handler);
+      },
+      trigger: async (name, ...args) => {
+        const handlers = this.hooks.get(name) || [];
+        for (const handler of handlers) {
+          await handler(...args);
+        }
+      },
+      getServices: () => {
+        if (this.services instanceof Map) {
+          return new Map(this.services);
+        } else {
+          return /* @__PURE__ */ new Map();
+        }
+      },
+      logger: this.logger,
+      getKernel: () => this
+    };
+  }
+  /**
+   * Resolve plugin dependencies using topological sort
+   * @returns Ordered list of plugins (dependencies first)
+   */
+  resolveDependencies() {
+    const resolved = [];
+    const visited = /* @__PURE__ */ new Set();
+    const visiting = /* @__PURE__ */ new Set();
+    const visit = (pluginName) => {
+      if (visited.has(pluginName)) return;
+      if (visiting.has(pluginName)) {
+        throw new Error(`[Kernel] Circular dependency detected: ${pluginName}`);
+      }
+      const plugin = this.plugins.get(pluginName);
+      if (!plugin) {
+        throw new Error(`[Kernel] Plugin '${pluginName}' not found`);
+      }
+      visiting.add(pluginName);
+      const deps = plugin.dependencies || [];
+      for (const dep of deps) {
+        if (!this.plugins.has(dep)) {
+          throw new Error(
+            `[Kernel] Dependency '${dep}' not found for plugin '${pluginName}'`
+          );
+        }
+        visit(dep);
+      }
+      visiting.delete(pluginName);
+      visited.add(pluginName);
+      resolved.push(plugin);
+    };
+    for (const pluginName of this.plugins.keys()) {
+      visit(pluginName);
+    }
+    return resolved;
+  }
+  /**
+   * Run plugin init phase
+   * @param plugin - Plugin to initialize
+   */
+  async runPluginInit(plugin) {
+    const pluginName = plugin.name;
+    this.logger.info(`Initializing plugin: ${pluginName}`);
+    try {
+      await plugin.init(this.context);
+      this.logger.info(`Plugin initialized: ${pluginName}`);
+    } catch (error) {
+      this.logger.error(`Plugin init failed: ${pluginName}`, error);
+      throw error;
+    }
+  }
+  /**
+   * Run plugin start phase
+   * @param plugin - Plugin to start
+   */
+  async runPluginStart(plugin) {
+    if (!plugin.start) return;
+    const pluginName = plugin.name;
+    this.logger.info(`Starting plugin: ${pluginName}`);
+    try {
+      await plugin.start(this.context);
+      this.logger.info(`Plugin started: ${pluginName}`);
+    } catch (error) {
+      this.logger.error(`Plugin start failed: ${pluginName}`, error);
+      throw error;
+    }
+  }
+  /**
+   * Run plugin destroy phase
+   * @param plugin - Plugin to destroy
+   */
+  async runPluginDestroy(plugin) {
+    if (!plugin.destroy) return;
+    const pluginName = plugin.name;
+    this.logger.info(`Destroying plugin: ${pluginName}`);
+    try {
+      await plugin.destroy();
+      this.logger.info(`Plugin destroyed: ${pluginName}`);
+    } catch (error) {
+      this.logger.error(`Plugin destroy failed: ${pluginName}`, error);
+      throw error;
+    }
+  }
+  /**
+   * Trigger a hook with all registered handlers
+   * @param name - Hook name
+   * @param args - Arguments to pass to handlers
+   */
+  async triggerHook(name, ...args) {
+    const handlers = this.hooks.get(name) || [];
+    this.logger.debug(`Triggering hook: ${name}`, {
+      hook: name,
+      handlerCount: handlers.length
+    });
+    for (const handler of handlers) {
+      try {
+        await handler(...args);
+      } catch (error) {
+        this.logger.error(`Hook handler failed: ${name}`, error);
+      }
+    }
+  }
+  /**
+   * Get current kernel state
+   */
+  getState() {
+    return this.state;
+  }
+  /**
+   * Get all registered plugins
+   */
+  getPlugins() {
+    return new Map(this.plugins);
+  }
+};
+
+// src/utils/env.ts
+var isNode = typeof process !== "undefined" && process.versions != null && process.versions.node != null;
+function getEnv(key, defaultValue) {
+  if (typeof process !== "undefined" && process.env) {
+    return process.env[key] || defaultValue;
+  }
+  try {
+    if (typeof globalThis !== "undefined" && globalThis.process?.env) {
+      return globalThis.process.env[key] || defaultValue;
+    }
+  } catch (e) {
+  }
+  return defaultValue;
+}
+function safeExit(code = 0) {
+  if (isNode) {
+    process.exit(code);
+  }
+}
+function getMemoryUsage() {
+  if (isNode) {
+    return process.memoryUsage();
+  }
+  return { heapUsed: 0, heapTotal: 0 };
+}
+
+// src/logger.ts
+var import_meta = {};
+var ObjectLogger = class _ObjectLogger {
+  // CommonJS require function for Node.js
+  constructor(config = {}) {
+    this.isNode = isNode;
+    this.config = {
+      name: config.name,
+      level: config.level ?? "info",
+      format: config.format ?? (this.isNode ? "json" : "pretty"),
+      redact: config.redact ?? ["password", "token", "secret", "key"],
+      sourceLocation: config.sourceLocation ?? false,
+      file: config.file,
+      rotation: config.rotation ?? {
+        maxSize: "10m",
+        maxFiles: 5
+      }
+    };
+    if (this.isNode) {
+      this.initPinoLogger();
+    }
+  }
+  /**
+   * Initialize Pino logger for Node.js
+   */
+  initPinoLogger() {
+    if (!this.isNode) return;
+    try {
+      const { createRequire } = eval('require("module")');
+      this.require = createRequire(import_meta.url);
+      const pino = this.require("pino");
+      const pinoOptions = {
+        level: this.config.level,
+        redact: {
+          paths: this.config.redact,
+          censor: "***REDACTED***"
+        }
+      };
+      if (this.config.name) {
+        pinoOptions.name = this.config.name;
+      }
+      const targets = [];
+      if (this.config.format === "pretty") {
+        let hasPretty = false;
+        try {
+          this.require.resolve("pino-pretty");
+          hasPretty = true;
+        } catch (e) {
+        }
+        if (hasPretty) {
+          targets.push({
+            target: "pino-pretty",
+            options: {
+              colorize: true,
+              translateTime: "SYS:standard",
+              ignore: "pid,hostname"
+            },
+            level: this.config.level
+          });
+        } else {
+          console.warn("[Logger] pino-pretty not found. Install it for pretty logging: pnpm add -D pino-pretty");
+          targets.push({
+            target: "pino/file",
+            options: { destination: 1 },
+            level: this.config.level
+          });
+        }
+      } else if (this.config.format === "json") {
+        targets.push({
+          target: "pino/file",
+          options: { destination: 1 },
+          // stdout
+          level: this.config.level
+        });
+      } else {
+        targets.push({
+          target: "pino/file",
+          options: { destination: 1 },
+          level: this.config.level
+        });
+      }
+      if (this.config.file) {
+        targets.push({
+          target: "pino/file",
+          options: {
+            destination: this.config.file,
+            mkdir: true
+          },
+          level: this.config.level
+        });
+      }
+      if (targets.length > 0) {
+        pinoOptions.transport = targets.length === 1 ? targets[0] : { targets };
+      }
+      this.pinoInstance = pino(pinoOptions);
+      this.pinoLogger = this.pinoInstance;
+    } catch (error) {
+      console.warn("[Logger] Pino not available, falling back to console:", error);
+      this.pinoLogger = null;
+    }
+  }
+  /**
+   * Redact sensitive keys from context object (for browser)
+   */
+  redactSensitive(obj) {
+    if (!obj || typeof obj !== "object") return obj;
+    const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+    for (const key in redacted) {
+      const lowerKey = key.toLowerCase();
+      const shouldRedact = this.config.redact.some(
+        (pattern) => lowerKey.includes(pattern.toLowerCase())
+      );
+      if (shouldRedact) {
+        redacted[key] = "***REDACTED***";
+      } else if (typeof redacted[key] === "object" && redacted[key] !== null) {
+        redacted[key] = this.redactSensitive(redacted[key]);
+      }
+    }
+    return redacted;
+  }
+  /**
+   * Format log entry for browser
+   */
+  formatBrowserLog(level, message, context) {
+    if (this.config.format === "json") {
+      return JSON.stringify({
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        level,
+        message,
+        ...context
+      });
+    }
+    if (this.config.format === "text") {
+      const parts = [(/* @__PURE__ */ new Date()).toISOString(), level.toUpperCase(), message];
+      if (context && Object.keys(context).length > 0) {
+        parts.push(JSON.stringify(context));
+      }
+      return parts.join(" | ");
+    }
+    const levelColors = {
+      debug: "\x1B[36m",
+      // Cyan
+      info: "\x1B[32m",
+      // Green
+      warn: "\x1B[33m",
+      // Yellow
+      error: "\x1B[31m",
+      // Red
+      fatal: "\x1B[35m",
+      // Magenta
+      silent: ""
+    };
+    const reset = "\x1B[0m";
+    const color = levelColors[level] || "";
+    let output = `${color}[${level.toUpperCase()}]${reset} ${message}`;
+    if (context && Object.keys(context).length > 0) {
+      output += ` ${JSON.stringify(context, null, 2)}`;
+    }
+    return output;
+  }
+  /**
+   * Log using browser console
+   */
+  logBrowser(level, message, context, error) {
+    const redactedContext = context ? this.redactSensitive(context) : void 0;
+    const mergedContext = error ? { ...redactedContext, error: { message: error.message, stack: error.stack } } : redactedContext;
+    const formatted = this.formatBrowserLog(level, message, mergedContext);
+    const consoleMethod = level === "debug" ? "debug" : level === "info" ? "log" : level === "warn" ? "warn" : level === "error" || level === "fatal" ? "error" : "log";
+    console[consoleMethod](formatted);
+  }
+  /**
+   * Public logging methods
+   */
+  debug(message, meta) {
+    if (this.isNode && this.pinoLogger) {
+      this.pinoLogger.debug(meta || {}, message);
+    } else {
+      this.logBrowser("debug", message, meta);
+    }
+  }
+  info(message, meta) {
+    if (this.isNode && this.pinoLogger) {
+      this.pinoLogger.info(meta || {}, message);
+    } else {
+      this.logBrowser("info", message, meta);
+    }
+  }
+  warn(message, meta) {
+    if (this.isNode && this.pinoLogger) {
+      this.pinoLogger.warn(meta || {}, message);
+    } else {
+      this.logBrowser("warn", message, meta);
+    }
+  }
+  error(message, errorOrMeta, meta) {
+    let error;
+    let context = {};
+    if (errorOrMeta instanceof Error) {
+      error = errorOrMeta;
+      context = meta || {};
+    } else {
+      context = errorOrMeta || {};
+    }
+    if (this.isNode && this.pinoLogger) {
+      const errorContext = error ? { err: error, ...context } : context;
+      this.pinoLogger.error(errorContext, message);
+    } else {
+      this.logBrowser("error", message, context, error);
+    }
+  }
+  fatal(message, errorOrMeta, meta) {
+    let error;
+    let context = {};
+    if (errorOrMeta instanceof Error) {
+      error = errorOrMeta;
+      context = meta || {};
+    } else {
+      context = errorOrMeta || {};
+    }
+    if (this.isNode && this.pinoLogger) {
+      const errorContext = error ? { err: error, ...context } : context;
+      this.pinoLogger.fatal(errorContext, message);
+    } else {
+      this.logBrowser("fatal", message, context, error);
+    }
+  }
+  /**
+   * Create a child logger with additional context
+   * Note: Child loggers share the parent's Pino instance
+   */
+  child(context) {
+    const childLogger = new _ObjectLogger(this.config);
+    if (this.isNode && this.pinoInstance) {
+      childLogger.pinoLogger = this.pinoInstance.child(context);
+      childLogger.pinoInstance = this.pinoInstance;
+    }
+    return childLogger;
+  }
+  /**
+   * Set trace context for distributed tracing
+   */
+  withTrace(traceId, spanId) {
+    return this.child({ traceId, spanId });
+  }
+  /**
+   * Cleanup resources
+   */
+  async destroy() {
+    if (this.pinoLogger && this.pinoLogger.flush) {
+      await new Promise((resolve) => {
+        this.pinoLogger.flush(() => resolve());
+      });
+    }
+  }
+  /**
+   * Compatibility method for console.log usage
+   */
+  log(message, ...args) {
+    this.info(message, args.length > 0 ? { args } : void 0);
+  }
+};
+function createLogger(config) {
+  return new ObjectLogger(config);
+}
+
+// src/kernel.ts
+var import_system = require("@objectstack/spec/system");
+
+// src/security/plugin-config-validator.ts
+var import_zod = require("zod");
+var PluginConfigValidator = class {
+  constructor(logger) {
+    this.logger = logger;
+  }
+  /**
+   * Validate plugin configuration against its Zod schema
+   * 
+   * @param plugin - Plugin metadata with configSchema
+   * @param config - User-provided configuration
+   * @returns Validated and typed configuration
+   * @throws Error with detailed validation errors
+   */
+  validatePluginConfig(plugin, config) {
+    if (!plugin.configSchema) {
+      this.logger.debug(`Plugin ${plugin.name} has no config schema - skipping validation`);
+      return config;
+    }
+    try {
+      const validatedConfig = plugin.configSchema.parse(config);
+      this.logger.debug(`\u2705 Plugin config validated: ${plugin.name}`, {
+        plugin: plugin.name,
+        configKeys: Object.keys(config || {}).length
+      });
+      return validatedConfig;
+    } catch (error) {
+      if (error instanceof import_zod.z.ZodError) {
+        const formattedErrors = this.formatZodErrors(error);
+        const errorMessage = [
+          `Plugin ${plugin.name} configuration validation failed:`,
+          ...formattedErrors.map((e) => `  - ${e.path}: ${e.message}`)
+        ].join("\n");
+        this.logger.error(errorMessage, void 0, {
+          plugin: plugin.name,
+          errors: formattedErrors
+        });
+        throw new Error(errorMessage);
+      }
+      throw error;
+    }
+  }
+  /**
+   * Validate partial configuration (for incremental updates)
+   * 
+   * @param plugin - Plugin metadata
+   * @param partialConfig - Partial configuration to validate
+   * @returns Validated partial configuration
+   */
+  validatePartialConfig(plugin, partialConfig) {
+    if (!plugin.configSchema) {
+      return partialConfig;
+    }
+    try {
+      const partialSchema = plugin.configSchema.partial();
+      const validatedConfig = partialSchema.parse(partialConfig);
+      this.logger.debug(`\u2705 Partial config validated: ${plugin.name}`);
+      return validatedConfig;
+    } catch (error) {
+      if (error instanceof import_zod.z.ZodError) {
+        const formattedErrors = this.formatZodErrors(error);
+        const errorMessage = [
+          `Plugin ${plugin.name} partial configuration validation failed:`,
+          ...formattedErrors.map((e) => `  - ${e.path}: ${e.message}`)
+        ].join("\n");
+        throw new Error(errorMessage);
+      }
+      throw error;
+    }
+  }
+  /**
+   * Get default configuration from schema
+   * 
+   * @param plugin - Plugin metadata
+   * @returns Default configuration object
+   */
+  getDefaultConfig(plugin) {
+    if (!plugin.configSchema) {
+      return void 0;
+    }
+    try {
+      const defaults = plugin.configSchema.parse({});
+      this.logger.debug(`Default config extracted: ${plugin.name}`);
+      return defaults;
+    } catch (error) {
+      this.logger.debug(`No default config available: ${plugin.name}`);
+      return void 0;
+    }
+  }
+  /**
+   * Check if configuration is valid without throwing
+   * 
+   * @param plugin - Plugin metadata
+   * @param config - Configuration to check
+   * @returns True if valid, false otherwise
+   */
+  isConfigValid(plugin, config) {
+    if (!plugin.configSchema) {
+      return true;
+    }
+    const result = plugin.configSchema.safeParse(config);
+    return result.success;
+  }
+  /**
+   * Get configuration errors without throwing
+   * 
+   * @param plugin - Plugin metadata
+   * @param config - Configuration to check
+   * @returns Array of validation errors, or empty array if valid
+   */
+  getConfigErrors(plugin, config) {
+    if (!plugin.configSchema) {
+      return [];
+    }
+    const result = plugin.configSchema.safeParse(config);
+    if (result.success) {
+      return [];
+    }
+    return this.formatZodErrors(result.error);
+  }
+  // Private methods
+  formatZodErrors(error) {
+    return error.issues.map((e) => ({
+      path: e.path.join(".") || "root",
+      message: e.message
+    }));
+  }
+};
+function createPluginConfigValidator(logger) {
+  return new PluginConfigValidator(logger);
+}
+
+// src/plugin-loader.ts
+var ServiceLifecycle = /* @__PURE__ */ ((ServiceLifecycle2) => {
+  ServiceLifecycle2["SINGLETON"] = "singleton";
+  ServiceLifecycle2["TRANSIENT"] = "transient";
+  ServiceLifecycle2["SCOPED"] = "scoped";
+  return ServiceLifecycle2;
+})(ServiceLifecycle || {});
+var PluginLoader = class {
+  constructor(logger) {
+    this.loadedPlugins = /* @__PURE__ */ new Map();
+    this.serviceFactories = /* @__PURE__ */ new Map();
+    this.serviceInstances = /* @__PURE__ */ new Map();
+    this.scopedServices = /* @__PURE__ */ new Map();
+    this.creating = /* @__PURE__ */ new Set();
+    this.logger = logger;
+    this.configValidator = new PluginConfigValidator(logger);
+  }
+  /**
+   * Set the plugin context for service factories
+   */
+  setContext(context) {
+    this.context = context;
+  }
+  /**
+   * Get a synchronous service instance if it exists (Sync Helper)
+   */
+  getServiceInstance(name) {
+    return this.serviceInstances.get(name);
+  }
+  /**
+   * Load a plugin asynchronously with validation
+   */
+  async loadPlugin(plugin) {
+    const startTime = Date.now();
+    try {
+      this.logger.info(`Loading plugin: ${plugin.name}`);
+      const metadata = this.toPluginMetadata(plugin);
+      this.validatePluginStructure(metadata);
+      const versionCheck = this.checkVersionCompatibility(metadata);
+      if (!versionCheck.compatible) {
+        throw new Error(`Version incompatible: ${versionCheck.message}`);
+      }
+      if (metadata.configSchema) {
+        this.validatePluginConfig(metadata);
+      }
+      if (metadata.signature) {
+        await this.verifyPluginSignature(metadata);
+      }
+      this.loadedPlugins.set(metadata.name, metadata);
+      const loadTime = Date.now() - startTime;
+      this.logger.info(`Plugin loaded: ${plugin.name} (${loadTime}ms)`);
+      return {
+        success: true,
+        plugin: metadata,
+        loadTime
+      };
+    } catch (error) {
+      this.logger.error(`Failed to load plugin: ${plugin.name}`, error);
+      return {
+        success: false,
+        error,
+        loadTime: Date.now() - startTime
+      };
+    }
+  }
+  /**
+   * Register a service with factory function
+   */
+  registerServiceFactory(registration) {
+    if (this.serviceFactories.has(registration.name)) {
+      throw new Error(`Service factory '${registration.name}' already registered`);
+    }
+    this.serviceFactories.set(registration.name, registration);
+    this.logger.debug(`Service factory registered: ${registration.name} (${registration.lifecycle})`);
+  }
+  /**
+   * Get or create a service instance based on lifecycle type
+   */
+  async getService(name, scopeId) {
+    const registration = this.serviceFactories.get(name);
+    if (!registration) {
+      const instance = this.serviceInstances.get(name);
+      if (!instance) {
+        throw new Error(`Service '${name}' not found`);
+      }
+      return instance;
+    }
+    switch (registration.lifecycle) {
+      case "singleton" /* SINGLETON */:
+        return await this.getSingletonService(registration);
+      case "transient" /* TRANSIENT */:
+        return await this.createTransientService(registration);
+      case "scoped" /* SCOPED */:
+        if (!scopeId) {
+          throw new Error(`Scope ID required for scoped service '${name}'`);
+        }
+        return await this.getScopedService(registration, scopeId);
+      default:
+        throw new Error(`Unknown service lifecycle: ${registration.lifecycle}`);
+    }
+  }
+  /**
+   * Register a static service instance (legacy support)
+   */
+  registerService(name, service) {
+    if (this.serviceInstances.has(name)) {
+      throw new Error(`Service '${name}' already registered`);
+    }
+    this.serviceInstances.set(name, service);
+  }
+  /**
+   * Check if a service is registered (either as instance or factory)
+   */
+  hasService(name) {
+    return this.serviceInstances.has(name) || this.serviceFactories.has(name);
+  }
+  /**
+   * Detect circular dependencies in service factories
+   * Note: This only detects cycles in service dependencies, not plugin dependencies.
+   * Plugin dependency cycles are detected in the kernel's resolveDependencies method.
+   */
+  detectCircularDependencies() {
+    const cycles = [];
+    const visited = /* @__PURE__ */ new Set();
+    const visiting = /* @__PURE__ */ new Set();
+    const visit = (serviceName, path = []) => {
+      if (visiting.has(serviceName)) {
+        const cycle = [...path, serviceName].join(" -> ");
+        cycles.push(cycle);
+        return;
+      }
+      if (visited.has(serviceName)) {
+        return;
+      }
+      visiting.add(serviceName);
+      const registration = this.serviceFactories.get(serviceName);
+      if (registration?.dependencies) {
+        for (const dep of registration.dependencies) {
+          visit(dep, [...path, serviceName]);
+        }
+      }
+      visiting.delete(serviceName);
+      visited.add(serviceName);
+    };
+    for (const serviceName of this.serviceFactories.keys()) {
+      visit(serviceName);
+    }
+    return cycles;
+  }
+  /**
+   * Check plugin health
+   */
+  async checkPluginHealth(pluginName) {
+    const plugin = this.loadedPlugins.get(pluginName);
+    if (!plugin) {
+      return {
+        healthy: false,
+        message: "Plugin not found",
+        lastCheck: /* @__PURE__ */ new Date()
+      };
+    }
+    if (!plugin.healthCheck) {
+      return {
+        healthy: true,
+        message: "No health check defined",
+        lastCheck: /* @__PURE__ */ new Date()
+      };
+    }
+    try {
+      const status = await plugin.healthCheck();
+      return {
+        ...status,
+        lastCheck: /* @__PURE__ */ new Date()
+      };
+    } catch (error) {
+      return {
+        healthy: false,
+        message: `Health check failed: ${error.message}`,
+        lastCheck: /* @__PURE__ */ new Date()
+      };
+    }
+  }
+  /**
+   * Clear scoped services for a scope
+   */
+  clearScope(scopeId) {
+    this.scopedServices.delete(scopeId);
+    this.logger.debug(`Cleared scope: ${scopeId}`);
+  }
+  /**
+   * Get all loaded plugins
+   */
+  getLoadedPlugins() {
+    return new Map(this.loadedPlugins);
+  }
+  // Private helper methods
+  toPluginMetadata(plugin) {
+    return {
+      ...plugin,
+      version: plugin.version || "0.0.0"
+    };
+  }
+  validatePluginStructure(plugin) {
+    if (!plugin.name) {
+      throw new Error("Plugin name is required");
+    }
+    if (!plugin.init) {
+      throw new Error("Plugin init function is required");
+    }
+    if (!this.isValidSemanticVersion(plugin.version)) {
+      throw new Error(`Invalid semantic version: ${plugin.version}`);
+    }
+  }
+  checkVersionCompatibility(plugin) {
+    const version = plugin.version;
+    if (!this.isValidSemanticVersion(version)) {
+      return {
+        compatible: false,
+        pluginVersion: version,
+        message: "Invalid semantic version format"
+      };
+    }
+    return {
+      compatible: true,
+      pluginVersion: version
+    };
+  }
+  isValidSemanticVersion(version) {
+    const semverRegex = /^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/;
+    return semverRegex.test(version);
+  }
+  validatePluginConfig(plugin, config) {
+    if (!plugin.configSchema) {
+      return;
+    }
+    if (config === void 0) {
+      this.logger.debug(`Plugin ${plugin.name} has configuration schema (config validation postponed)`);
+      return;
+    }
+    this.configValidator.validatePluginConfig(plugin, config);
+  }
+  async verifyPluginSignature(plugin) {
+    if (!plugin.signature) {
+      return;
+    }
+    this.logger.debug(`Plugin ${plugin.name} has signature (use PluginSignatureVerifier for verification)`);
+  }
+  async getSingletonService(registration) {
+    let instance = this.serviceInstances.get(registration.name);
+    if (!instance) {
+      instance = await this.createServiceInstance(registration);
+      this.serviceInstances.set(registration.name, instance);
+      this.logger.debug(`Singleton service created: ${registration.name}`);
+    }
+    return instance;
+  }
+  async createTransientService(registration) {
+    const instance = await this.createServiceInstance(registration);
+    this.logger.debug(`Transient service created: ${registration.name}`);
+    return instance;
+  }
+  async getScopedService(registration, scopeId) {
+    if (!this.scopedServices.has(scopeId)) {
+      this.scopedServices.set(scopeId, /* @__PURE__ */ new Map());
+    }
+    const scope = this.scopedServices.get(scopeId);
+    let instance = scope.get(registration.name);
+    if (!instance) {
+      instance = await this.createServiceInstance(registration);
+      scope.set(registration.name, instance);
+      this.logger.debug(`Scoped service created: ${registration.name} (scope: ${scopeId})`);
+    }
+    return instance;
+  }
+  async createServiceInstance(registration) {
+    if (!this.context) {
+      throw new Error(`[PluginLoader] Context not set - cannot create service '${registration.name}'`);
+    }
+    if (this.creating.has(registration.name)) {
+      throw new Error(`Circular dependency detected: ${Array.from(this.creating).join(" -> ")} -> ${registration.name}`);
+    }
+    this.creating.add(registration.name);
+    try {
+      return await registration.factory(this.context);
+    } finally {
+      this.creating.delete(registration.name);
+    }
+  }
+};
+
+// src/kernel.ts
+var ObjectKernel = class {
+  constructor(config = {}) {
+    this.plugins = /* @__PURE__ */ new Map();
+    this.services = /* @__PURE__ */ new Map();
+    this.hooks = /* @__PURE__ */ new Map();
+    this.state = "idle";
+    this.startedPlugins = /* @__PURE__ */ new Set();
+    this.pluginStartTimes = /* @__PURE__ */ new Map();
+    this.shutdownHandlers = [];
+    this.config = {
+      defaultStartupTimeout: 3e4,
+      // 30 seconds
+      gracefulShutdown: true,
+      shutdownTimeout: 6e4,
+      // 60 seconds
+      rollbackOnFailure: true,
+      ...config
+    };
+    this.logger = createLogger(config.logger);
+    this.pluginLoader = new PluginLoader(this.logger);
+    this.context = {
+      registerService: (name, service) => {
+        this.registerService(name, service);
+      },
+      getService: (name) => {
+        const service = this.services.get(name);
+        if (service) {
+          return service;
+        }
+        const loaderService = this.pluginLoader.getServiceInstance(name);
+        if (loaderService) {
+          this.services.set(name, loaderService);
+          return loaderService;
+        }
+        try {
+          const service2 = this.pluginLoader.getService(name);
+          if (service2 instanceof Promise) {
+            throw new Error(`Service '${name}' is async - use await`);
+          }
+          return service2;
+        } catch (error) {
+          if (error.message?.includes("is async")) {
+            throw error;
+          }
+          const isNotFoundError = error.message === `Service '${name}' not found`;
+          if (!isNotFoundError) {
+            throw error;
+          }
+          throw new Error(`[Kernel] Service '${name}' not found`);
+        }
+      },
+      hook: (name, handler) => {
+        if (!this.hooks.has(name)) {
+          this.hooks.set(name, []);
+        }
+        this.hooks.get(name).push(handler);
+      },
+      trigger: async (name, ...args) => {
+        const handlers = this.hooks.get(name) || [];
+        for (const handler of handlers) {
+          await handler(...args);
+        }
+      },
+      getServices: () => {
+        return new Map(this.services);
+      },
+      logger: this.logger,
+      getKernel: () => this
+      // Type compatibility
+    };
+    this.pluginLoader.setContext(this.context);
+    if (this.config.gracefulShutdown) {
+      this.registerShutdownSignals();
+    }
+  }
+  /**
+   * Register a plugin with enhanced validation
+   */
+  async use(plugin) {
+    if (this.state !== "idle") {
+      throw new Error("[Kernel] Cannot register plugins after bootstrap has started");
+    }
+    const result = await this.pluginLoader.loadPlugin(plugin);
+    if (!result.success || !result.plugin) {
+      throw new Error(`Failed to load plugin: ${plugin.name} - ${result.error?.message}`);
+    }
+    const pluginMeta = result.plugin;
+    this.plugins.set(pluginMeta.name, pluginMeta);
+    this.logger.info(`Plugin registered: ${pluginMeta.name}@${pluginMeta.version}`, {
+      plugin: pluginMeta.name,
+      version: pluginMeta.version
+    });
+    return this;
+  }
+  /**
+   * Register a service instance directly
+   */
+  registerService(name, service) {
+    if (this.services.has(name)) {
+      throw new Error(`[Kernel] Service '${name}' already registered`);
+    }
+    this.services.set(name, service);
+    this.pluginLoader.registerService(name, service);
+    this.logger.info(`Service '${name}' registered`, { service: name });
+    return this;
+  }
+  /**
+   * Register a service factory with lifecycle management
+   */
+  registerServiceFactory(name, factory, lifecycle = "singleton" /* SINGLETON */, dependencies) {
+    this.pluginLoader.registerServiceFactory({
+      name,
+      factory,
+      lifecycle,
+      dependencies
+    });
+    return this;
+  }
+  /**
+   * Validate Critical System Requirements
+   */
+  validateSystemRequirements() {
+    if (this.config.skipSystemValidation) {
+      this.logger.debug("System requirement validation skipped");
+      return;
+    }
+    this.logger.debug("Validating system service requirements...");
+    const missingServices = [];
+    const missingCoreServices = [];
+    for (const [serviceName, criticality] of Object.entries(import_system.ServiceRequirementDef)) {
+      const hasService = this.services.has(serviceName) || this.pluginLoader.hasService(serviceName);
+      if (!hasService) {
+        if (criticality === "required") {
+          this.logger.error(`CRITICAL: Required service missing: ${serviceName}`);
+          missingServices.push(serviceName);
+        } else if (criticality === "core") {
+          this.logger.warn(`CORE: Core service missing, functionality may be degraded: ${serviceName}`);
+          missingCoreServices.push(serviceName);
+        } else {
+          this.logger.info(`Info: Optional service not present: ${serviceName}`);
+        }
+      }
+    }
+    if (missingServices.length > 0) {
+      const errorMsg = `System failed to start. Missing critical services: ${missingServices.join(", ")}`;
+      this.logger.error(errorMsg);
+      throw new Error(errorMsg);
+    }
+    if (missingCoreServices.length > 0) {
+      this.logger.warn(`System started with degraded capabilities. Missing core services: ${missingCoreServices.join(", ")}`);
+    }
+    this.logger.info("System requirement check passed");
+  }
+  /**
+   * Bootstrap the kernel with enhanced features
+   */
+  async bootstrap() {
+    if (this.state !== "idle") {
+      throw new Error("[Kernel] Kernel already bootstrapped");
+    }
+    this.state = "initializing";
+    this.logger.info("Bootstrap started");
+    try {
+      const cycles = this.pluginLoader.detectCircularDependencies();
+      if (cycles.length > 0) {
+        this.logger.warn("Circular service dependencies detected:", { cycles });
+      }
+      const orderedPlugins = this.resolveDependencies();
+      this.logger.info("Phase 1: Init plugins");
+      for (const plugin of orderedPlugins) {
+        await this.initPluginWithTimeout(plugin);
+      }
+      this.logger.info("Phase 2: Start plugins");
+      this.state = "running";
+      for (const plugin of orderedPlugins) {
+        const result = await this.startPluginWithTimeout(plugin);
+        if (!result.success) {
+          this.logger.error(`Plugin startup failed: ${plugin.name}`, result.error);
+          if (this.config.rollbackOnFailure) {
+            this.logger.warn("Rolling back started plugins...");
+            await this.rollbackStartedPlugins();
+            throw new Error(`Plugin ${plugin.name} failed to start - rollback complete`);
+          }
+        }
+      }
+      this.validateSystemRequirements();
+      this.logger.debug("Triggering kernel:ready hook");
+      await this.context.trigger("kernel:ready");
+      this.logger.info("\u2705 Bootstrap complete");
+    } catch (error) {
+      this.state = "stopped";
+      throw error;
+    }
+  }
+  /**
+   * Graceful shutdown with timeout
+   */
+  async shutdown() {
+    if (this.state === "stopped" || this.state === "stopping") {
+      this.logger.warn("Kernel already stopped or stopping");
+      return;
+    }
+    if (this.state !== "running") {
+      throw new Error("[Kernel] Kernel not running");
+    }
+    this.state = "stopping";
+    this.logger.info("Graceful shutdown started");
+    try {
+      const shutdownPromise = this.performShutdown();
+      const timeoutPromise = new Promise((_, reject) => {
+        setTimeout(() => {
+          reject(new Error("Shutdown timeout exceeded"));
+        }, this.config.shutdownTimeout);
+      });
+      await Promise.race([shutdownPromise, timeoutPromise]);
+      this.state = "stopped";
+      this.logger.info("\u2705 Graceful shutdown complete");
+    } catch (error) {
+      this.logger.error("Shutdown error - forcing stop", error);
+      this.state = "stopped";
+      throw error;
+    } finally {
+      await this.logger.destroy();
+    }
+  }
+  /**
+   * Check health of a specific plugin
+   */
+  async checkPluginHealth(pluginName) {
+    return await this.pluginLoader.checkPluginHealth(pluginName);
+  }
+  /**
+   * Check health of all plugins
+   */
+  async checkAllPluginsHealth() {
+    const results = /* @__PURE__ */ new Map();
+    for (const pluginName of this.plugins.keys()) {
+      const health = await this.checkPluginHealth(pluginName);
+      results.set(pluginName, health);
+    }
+    return results;
+  }
+  /**
+   * Get plugin startup metrics
+   */
+  getPluginMetrics() {
+    return new Map(this.pluginStartTimes);
+  }
+  /**
+   * Get a service (sync helper)
+   */
+  getService(name) {
+    return this.context.getService(name);
+  }
+  /**
+   * Get a service asynchronously (supports factories)
+   */
+  async getServiceAsync(name, scopeId) {
+    return await this.pluginLoader.getService(name, scopeId);
+  }
+  /**
+   * Check if kernel is running
+   */
+  isRunning() {
+    return this.state === "running";
+  }
+  /**
+   * Get kernel state
+   */
+  getState() {
+    return this.state;
+  }
+  // Private methods
+  async initPluginWithTimeout(plugin) {
+    const timeout = plugin.startupTimeout || this.config.defaultStartupTimeout;
+    this.logger.debug(`Init: ${plugin.name}`, { plugin: plugin.name });
+    const initPromise = plugin.init(this.context);
+    const timeoutPromise = new Promise((_, reject) => {
+      setTimeout(() => {
+        reject(new Error(`Plugin ${plugin.name} init timeout after ${timeout}ms`));
+      }, timeout);
+    });
+    await Promise.race([initPromise, timeoutPromise]);
+  }
+  async startPluginWithTimeout(plugin) {
+    if (!plugin.start) {
+      return { success: true, pluginName: plugin.name };
+    }
+    const timeout = plugin.startupTimeout || this.config.defaultStartupTimeout;
+    const startTime = Date.now();
+    this.logger.debug(`Start: ${plugin.name}`, { plugin: plugin.name });
+    try {
+      const startPromise = plugin.start(this.context);
+      const timeoutPromise = new Promise((_, reject) => {
+        setTimeout(() => {
+          reject(new Error(`Plugin ${plugin.name} start timeout after ${timeout}ms`));
+        }, timeout);
+      });
+      await Promise.race([startPromise, timeoutPromise]);
+      const duration = Date.now() - startTime;
+      this.startedPlugins.add(plugin.name);
+      this.pluginStartTimes.set(plugin.name, duration);
+      this.logger.debug(`Plugin started: ${plugin.name} (${duration}ms)`);
+      return {
+        success: true,
+        pluginName: plugin.name,
+        startTime: duration
+      };
+    } catch (error) {
+      const duration = Date.now() - startTime;
+      const isTimeout = error.message.includes("timeout");
+      return {
+        success: false,
+        pluginName: plugin.name,
+        error,
+        startTime: duration,
+        timedOut: isTimeout
+      };
+    }
+  }
+  async rollbackStartedPlugins() {
+    const pluginsToRollback = Array.from(this.startedPlugins).reverse();
+    for (const pluginName of pluginsToRollback) {
+      const plugin = this.plugins.get(pluginName);
+      if (plugin?.destroy) {
+        try {
+          this.logger.debug(`Rollback: ${pluginName}`);
+          await plugin.destroy();
+        } catch (error) {
+          this.logger.error(`Rollback failed for ${pluginName}`, error);
+        }
+      }
+    }
+    this.startedPlugins.clear();
+  }
+  async performShutdown() {
+    await this.context.trigger("kernel:shutdown");
+    const orderedPlugins = Array.from(this.plugins.values()).reverse();
+    for (const plugin of orderedPlugins) {
+      if (plugin.destroy) {
+        this.logger.debug(`Destroy: ${plugin.name}`, { plugin: plugin.name });
+        try {
+          await plugin.destroy();
+        } catch (error) {
+          this.logger.error(`Error destroying plugin ${plugin.name}`, error);
+        }
+      }
+    }
+    for (const handler of this.shutdownHandlers) {
+      try {
+        await handler();
+      } catch (error) {
+        this.logger.error("Shutdown handler error", error);
+      }
+    }
+  }
+  resolveDependencies() {
+    const resolved = [];
+    const visited = /* @__PURE__ */ new Set();
+    const visiting = /* @__PURE__ */ new Set();
+    const visit = (pluginName) => {
+      if (visited.has(pluginName)) return;
+      if (visiting.has(pluginName)) {
+        throw new Error(`[Kernel] Circular dependency detected: ${pluginName}`);
+      }
+      const plugin = this.plugins.get(pluginName);
+      if (!plugin) {
+        throw new Error(`[Kernel] Plugin '${pluginName}' not found`);
+      }
+      visiting.add(pluginName);
+      const deps = plugin.dependencies || [];
+      for (const dep of deps) {
+        if (!this.plugins.has(dep)) {
+          throw new Error(`[Kernel] Dependency '${dep}' not found for plugin '${pluginName}'`);
+        }
+        visit(dep);
+      }
+      visiting.delete(pluginName);
+      visited.add(pluginName);
+      resolved.push(plugin);
+    };
+    for (const pluginName of this.plugins.keys()) {
+      visit(pluginName);
+    }
+    return resolved;
+  }
+  registerShutdownSignals() {
+    const signals = ["SIGINT", "SIGTERM", "SIGQUIT"];
+    let shutdownInProgress = false;
+    const handleShutdown = async (signal) => {
+      if (shutdownInProgress) {
+        this.logger.warn(`Shutdown already in progress, ignoring ${signal}`);
+        return;
+      }
+      shutdownInProgress = true;
+      this.logger.info(`Received ${signal} - initiating graceful shutdown`);
+      try {
+        await this.shutdown();
+        safeExit(0);
+      } catch (error) {
+        this.logger.error("Shutdown failed", error);
+        safeExit(1);
+      }
+    };
+    if (isNode) {
+      for (const signal of signals) {
+        process.on(signal, () => handleShutdown(signal));
+      }
+    }
+  }
+  /**
+   * Register a custom shutdown handler
+   */
+  onShutdown(handler) {
+    this.shutdownHandlers.push(handler);
+  }
+};
+
+// src/lite-kernel.ts
+var LiteKernel = class extends ObjectKernelBase {
+  constructor(config) {
+    const logger = createLogger(config?.logger);
+    super(logger);
+    this.context = this.createContext();
+  }
+  /**
+   * Register a plugin
+   * @param plugin - Plugin instance
+   */
+  use(plugin) {
+    this.validateIdle();
+    const pluginName = plugin.name;
+    if (this.plugins.has(pluginName)) {
+      throw new Error(`[Kernel] Plugin '${pluginName}' already registered`);
+    }
+    this.plugins.set(pluginName, plugin);
+    return this;
+  }
+  /**
+   * Bootstrap the kernel
+   * 1. Resolve dependencies (topological sort)
+   * 2. Init phase - plugins register services
+   * 3. Start phase - plugins execute business logic
+   * 4. Trigger 'kernel:ready' hook
+   */
+  async bootstrap() {
+    this.validateState("idle");
+    this.state = "initializing";
+    this.logger.info("Bootstrap started");
+    const orderedPlugins = this.resolveDependencies();
+    this.logger.info("Phase 1: Init plugins");
+    for (const plugin of orderedPlugins) {
+      await this.runPluginInit(plugin);
+    }
+    this.logger.info("Phase 2: Start plugins");
+    this.state = "running";
+    for (const plugin of orderedPlugins) {
+      await this.runPluginStart(plugin);
+    }
+    await this.triggerHook("kernel:ready");
+    this.logger.info("\u2705 Bootstrap complete", {
+      pluginCount: this.plugins.size
+    });
+  }
+  /**
+   * Shutdown the kernel
+   * Calls destroy on all plugins in reverse order
+   */
+  async shutdown() {
+    await this.destroy();
+  }
+  /**
+   * Graceful shutdown - destroy all plugins in reverse order
+   */
+  async destroy() {
+    if (this.state === "stopped") {
+      this.logger.warn("Kernel already stopped");
+      return;
+    }
+    this.state = "stopping";
+    this.logger.info("Shutdown started");
+    await this.triggerHook("kernel:shutdown");
+    const orderedPlugins = this.resolveDependencies();
+    for (const plugin of orderedPlugins.reverse()) {
+      await this.runPluginDestroy(plugin);
+    }
+    this.state = "stopped";
+    this.logger.info("\u2705 Shutdown complete");
+    if (this.logger && typeof this.logger.destroy === "function") {
+      await this.logger.destroy();
+    }
+  }
+  /**
+   * Get a service from the registry
+   * Convenience method for external access
+   */
+  getService(name) {
+    return this.context.getService(name);
+  }
+  /**
+   * Check if kernel is running
+   */
+  isRunning() {
+    return this.state === "running";
+  }
+};
+
+// src/api-registry.ts
+var import_api = require("@objectstack/spec/api");
+var ApiRegistry = class {
+  constructor(logger, conflictResolution = "error", version = "1.0.0") {
+    this.apis = /* @__PURE__ */ new Map();
+    this.endpoints = /* @__PURE__ */ new Map();
+    this.routes = /* @__PURE__ */ new Map();
+    // Performance optimization: Auxiliary indices for O(1) lookups
+    this.apisByType = /* @__PURE__ */ new Map();
+    this.apisByTag = /* @__PURE__ */ new Map();
+    this.apisByStatus = /* @__PURE__ */ new Map();
+    this.logger = logger;
+    this.conflictResolution = conflictResolution;
+    this.version = version;
+    this.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+  }
+  /**
+   * Register an API with its endpoints
+   * 
+   * @param api - API registry entry
+   * @throws Error if API already registered or route conflicts detected
+   */
+  registerApi(api) {
+    if (this.apis.has(api.id)) {
+      throw new Error(`[ApiRegistry] API '${api.id}' already registered`);
+    }
+    const fullApi = import_api.ApiRegistryEntrySchema.parse(api);
+    for (const endpoint of fullApi.endpoints) {
+      this.validateEndpoint(endpoint, fullApi.id);
+    }
+    this.apis.set(fullApi.id, fullApi);
+    for (const endpoint of fullApi.endpoints) {
+      this.registerEndpoint(fullApi.id, endpoint);
+    }
+    this.updateIndices(fullApi);
+    this.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+    this.logger.info(`API registered: ${fullApi.id}`, {
+      api: fullApi.id,
+      type: fullApi.type,
+      endpointCount: fullApi.endpoints.length
+    });
+  }
+  /**
+   * Unregister an API and all its endpoints
+   * 
+   * @param apiId - API identifier
+   */
+  unregisterApi(apiId) {
+    const api = this.apis.get(apiId);
+    if (!api) {
+      throw new Error(`[ApiRegistry] API '${apiId}' not found`);
+    }
+    for (const endpoint of api.endpoints) {
+      this.unregisterEndpoint(apiId, endpoint.id);
+    }
+    this.removeFromIndices(api);
+    this.apis.delete(apiId);
+    this.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+    this.logger.info(`API unregistered: ${apiId}`);
+  }
+  /**
+   * Register a single endpoint
+   * 
+   * @param apiId - API identifier
+   * @param endpoint - Endpoint registration
+   * @throws Error if route conflict detected
+   */
+  registerEndpoint(apiId, endpoint) {
+    const endpointKey = `${apiId}:${endpoint.id}`;
+    if (this.endpoints.has(endpointKey)) {
+      throw new Error(`[ApiRegistry] Endpoint '${endpoint.id}' already registered for API '${apiId}'`);
+    }
+    this.endpoints.set(endpointKey, { api: apiId, endpoint });
+    if (endpoint.path) {
+      this.registerRoute(apiId, endpoint);
+    }
+  }
+  /**
+   * Unregister a single endpoint
+   * 
+   * @param apiId - API identifier
+   * @param endpointId - Endpoint identifier
+   */
+  unregisterEndpoint(apiId, endpointId) {
+    const endpointKey = `${apiId}:${endpointId}`;
+    const entry = this.endpoints.get(endpointKey);
+    if (!entry) {
+      return;
+    }
+    if (entry.endpoint.path) {
+      const routeKey = this.getRouteKey(entry.endpoint);
+      this.routes.delete(routeKey);
+    }
+    this.endpoints.delete(endpointKey);
+  }
+  /**
+   * Register a route with conflict detection
+   * 
+   * @param apiId - API identifier
+   * @param endpoint - Endpoint registration
+   * @throws Error if route conflict detected (based on strategy)
+   */
+  registerRoute(apiId, endpoint) {
+    const routeKey = this.getRouteKey(endpoint);
+    const priority = endpoint.priority ?? 100;
+    const existingRoute = this.routes.get(routeKey);
+    if (existingRoute) {
+      this.handleRouteConflict(routeKey, apiId, endpoint, existingRoute, priority);
+      return;
+    }
+    this.routes.set(routeKey, {
+      api: apiId,
+      endpointId: endpoint.id,
+      priority
+    });
+  }
+  /**
+   * Handle route conflict based on resolution strategy
+   * 
+   * @param routeKey - Route key
+   * @param apiId - New API identifier
+   * @param endpoint - New endpoint
+   * @param existingRoute - Existing route registration
+   * @param newPriority - New endpoint priority
+   * @throws Error if strategy is 'error'
+   */
+  handleRouteConflict(routeKey, apiId, endpoint, existingRoute, newPriority) {
+    const strategy = this.conflictResolution;
+    switch (strategy) {
+      case "error":
+        throw new Error(
+          `[ApiRegistry] Route conflict detected: '${routeKey}' is already registered by API '${existingRoute.api}' endpoint '${existingRoute.endpointId}'`
+        );
+      case "priority":
+        if (newPriority > existingRoute.priority) {
+          this.logger.warn(
+            `Route conflict: replacing '${routeKey}' (priority ${existingRoute.priority} -> ${newPriority})`,
+            {
+              oldApi: existingRoute.api,
+              oldEndpoint: existingRoute.endpointId,
+              newApi: apiId,
+              newEndpoint: endpoint.id
+            }
+          );
+          this.routes.set(routeKey, {
+            api: apiId,
+            endpointId: endpoint.id,
+            priority: newPriority
+          });
+        } else {
+          this.logger.warn(
+            `Route conflict: keeping existing '${routeKey}' (priority ${existingRoute.priority} >= ${newPriority})`,
+            {
+              existingApi: existingRoute.api,
+              existingEndpoint: existingRoute.endpointId,
+              newApi: apiId,
+              newEndpoint: endpoint.id
+            }
+          );
+        }
+        break;
+      case "first-wins":
+        this.logger.warn(
+          `Route conflict: keeping first registered '${routeKey}'`,
+          {
+            existingApi: existingRoute.api,
+            newApi: apiId
+          }
+        );
+        break;
+      case "last-wins":
+        this.logger.warn(
+          `Route conflict: replacing with last registered '${routeKey}'`,
+          {
+            oldApi: existingRoute.api,
+            newApi: apiId
+          }
+        );
+        this.routes.set(routeKey, {
+          api: apiId,
+          endpointId: endpoint.id,
+          priority: newPriority
+        });
+        break;
+      default:
+        throw new Error(`[ApiRegistry] Unknown conflict resolution strategy: ${strategy}`);
+    }
+  }
+  /**
+   * Generate a unique route key for conflict detection
+   * 
+   * NOTE: This implementation uses exact string matching for route conflict detection.
+   * It works well for static paths but has limitations with parameterized routes.
+   * For example, `/api/users/:id` and `/api/users/:userId` will NOT be detected as conflicts
+   * even though they are semantically identical parameterized patterns. Similarly,
+   * `/api/:resource/list` and `/api/:entity/list` would also not be detected as conflicting.
+   * 
+   * For more advanced conflict detection (e.g., path-to-regexp pattern matching),
+   * consider integrating with your routing library's conflict detection mechanism.
+   * 
+   * @param endpoint - Endpoint registration
+   * @returns Route key (e.g., "GET:/api/v1/customers/:id")
+   */
+  getRouteKey(endpoint) {
+    const method = endpoint.method || "ANY";
+    return `${method}:${endpoint.path}`;
+  }
+  /**
+   * Validate endpoint registration
+   * 
+   * @param endpoint - Endpoint to validate
+   * @param apiId - API identifier (for error messages)
+   * @throws Error if endpoint is invalid
+   */
+  validateEndpoint(endpoint, apiId) {
+    if (!endpoint.id) {
+      throw new Error(`[ApiRegistry] Endpoint in API '${apiId}' missing 'id' field`);
+    }
+    if (!endpoint.path) {
+      throw new Error(`[ApiRegistry] Endpoint '${endpoint.id}' in API '${apiId}' missing 'path' field`);
+    }
+  }
+  /**
+   * Get an API by ID
+   * 
+   * @param apiId - API identifier
+   * @returns API registry entry or undefined
+   */
+  getApi(apiId) {
+    return this.apis.get(apiId);
+  }
+  /**
+   * Get all registered APIs
+   * 
+   * @returns Array of all APIs
+   */
+  getAllApis() {
+    return Array.from(this.apis.values());
+  }
+  /**
+   * Find APIs matching query criteria
+   * 
+   * Performance optimized with auxiliary indices for O(1) lookups on type, tags, and status.
+   * 
+   * @param query - Discovery query parameters
+   * @returns Matching APIs
+   */
+  findApis(query) {
+    let resultIds;
+    if (query.type) {
+      const typeIds = this.apisByType.get(query.type);
+      if (!typeIds || typeIds.size === 0) {
+        return { apis: [], total: 0, filters: query };
+      }
+      resultIds = new Set(typeIds);
+    }
+    if (query.status) {
+      const statusIds = this.apisByStatus.get(query.status);
+      if (!statusIds || statusIds.size === 0) {
+        return { apis: [], total: 0, filters: query };
+      }
+      if (resultIds) {
+        resultIds = new Set([...resultIds].filter((id) => statusIds.has(id)));
+      } else {
+        resultIds = new Set(statusIds);
+      }
+      if (resultIds.size === 0) {
+        return { apis: [], total: 0, filters: query };
+      }
+    }
+    if (query.tags && query.tags.length > 0) {
+      const tagMatches = /* @__PURE__ */ new Set();
+      for (const tag of query.tags) {
+        const tagIds = this.apisByTag.get(tag);
+        if (tagIds) {
+          tagIds.forEach((id) => tagMatches.add(id));
+        }
+      }
+      if (tagMatches.size === 0) {
+        return { apis: [], total: 0, filters: query };
+      }
+      if (resultIds) {
+        resultIds = new Set([...resultIds].filter((id) => tagMatches.has(id)));
+      } else {
+        resultIds = tagMatches;
+      }
+      if (resultIds.size === 0) {
+        return { apis: [], total: 0, filters: query };
+      }
+    }
+    let results;
+    if (resultIds) {
+      results = Array.from(resultIds).map((id) => this.apis.get(id)).filter((api) => api !== void 0);
+    } else {
+      results = Array.from(this.apis.values());
+    }
+    if (query.pluginSource) {
+      results = results.filter(
+        (api) => api.metadata?.pluginSource === query.pluginSource
+      );
+    }
+    if (query.version) {
+      results = results.filter((api) => api.version === query.version);
+    }
+    if (query.search) {
+      const searchLower = query.search.toLowerCase();
+      results = results.filter(
+        (api) => api.name.toLowerCase().includes(searchLower) || api.description && api.description.toLowerCase().includes(searchLower)
+      );
+    }
+    return {
+      apis: results,
+      total: results.length,
+      filters: query
+    };
+  }
+  /**
+   * Get endpoint by API ID and endpoint ID
+   * 
+   * @param apiId - API identifier
+   * @param endpointId - Endpoint identifier
+   * @returns Endpoint registration or undefined
+   */
+  getEndpoint(apiId, endpointId) {
+    const key = `${apiId}:${endpointId}`;
+    return this.endpoints.get(key)?.endpoint;
+  }
+  /**
+   * Find endpoint by route (method + path)
+   * 
+   * @param method - HTTP method
+   * @param path - URL path
+   * @returns Endpoint registration or undefined
+   */
+  findEndpointByRoute(method, path) {
+    const routeKey = `${method}:${path}`;
+    const route = this.routes.get(routeKey);
+    if (!route) {
+      return void 0;
+    }
+    const api = this.apis.get(route.api);
+    const endpoint = this.getEndpoint(route.api, route.endpointId);
+    if (!api || !endpoint) {
+      return void 0;
+    }
+    return { api, endpoint };
+  }
+  /**
+   * Get complete registry snapshot
+   * 
+   * @returns Current registry state
+   */
+  getRegistry() {
+    const apis = Array.from(this.apis.values());
+    const byType = {};
+    for (const api of apis) {
+      if (!byType[api.type]) {
+        byType[api.type] = [];
+      }
+      byType[api.type].push(api);
+    }
+    const byStatus = {};
+    for (const api of apis) {
+      const status = api.metadata?.status || "active";
+      if (!byStatus[status]) {
+        byStatus[status] = [];
+      }
+      byStatus[status].push(api);
+    }
+    const totalEndpoints = apis.reduce(
+      (sum, api) => sum + api.endpoints.length,
+      0
+    );
+    return {
+      version: this.version,
+      conflictResolution: this.conflictResolution,
+      apis,
+      totalApis: apis.length,
+      totalEndpoints,
+      byType,
+      byStatus,
+      updatedAt: this.updatedAt
+    };
+  }
+  /**
+   * Clear all registered APIs
+   * 
+   * **⚠️ SAFETY WARNING:**
+   * This method clears all registered APIs and should be used with caution.
+   * 
+   * **Usage Restrictions:**
+   * - In production environments (NODE_ENV=production), a `force: true` parameter is required
+   * - Primarily intended for testing and development hot-reload scenarios
+   * 
+   * @param options - Clear options
+   * @param options.force - Force clear in production environment (default: false)
+   * @throws Error if called in production without force flag
+   * 
+   * @example Safe usage in tests
+   * ```typescript
+   * beforeEach(() => {
+   *   registry.clear(); // OK in test environment
+   * });
+   * ```
+   * 
+   * @example Usage in production (requires explicit force)
+   * ```typescript
+   * // In production, explicit force is required
+   * registry.clear({ force: true });
+   * ```
+   */
+  clear(options = {}) {
+    const isProduction = this.isProductionEnvironment();
+    if (isProduction && !options.force) {
+      throw new Error(
+        "[ApiRegistry] Cannot clear registry in production environment without force flag. Use clear({ force: true }) if you really want to clear the registry."
+      );
+    }
+    this.apis.clear();
+    this.endpoints.clear();
+    this.routes.clear();
+    this.apisByType.clear();
+    this.apisByTag.clear();
+    this.apisByStatus.clear();
+    this.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+    if (isProduction) {
+      this.logger.warn("API registry forcefully cleared in production", { force: options.force });
+    } else {
+      this.logger.info("API registry cleared");
+    }
+  }
+  /**
+   * Get registry statistics
+   * 
+   * @returns Registry statistics
+   */
+  getStats() {
+    const apis = Array.from(this.apis.values());
+    const apisByType = {};
+    for (const api of apis) {
+      apisByType[api.type] = (apisByType[api.type] || 0) + 1;
+    }
+    const endpointsByApi = {};
+    for (const api of apis) {
+      endpointsByApi[api.id] = api.endpoints.length;
+    }
+    return {
+      totalApis: this.apis.size,
+      totalEndpoints: this.endpoints.size,
+      totalRoutes: this.routes.size,
+      apisByType,
+      endpointsByApi
+    };
+  }
+  /**
+   * Update auxiliary indices when an API is registered
+   * 
+   * @param api - API entry to index
+   * @private
+   * @internal
+   */
+  updateIndices(api) {
+    this.ensureIndexSet(this.apisByType, api.type).add(api.id);
+    const status = api.metadata?.status || "active";
+    this.ensureIndexSet(this.apisByStatus, status).add(api.id);
+    const tags = api.metadata?.tags || [];
+    for (const tag of tags) {
+      this.ensureIndexSet(this.apisByTag, tag).add(api.id);
+    }
+  }
+  /**
+   * Remove API from auxiliary indices when unregistered
+   * 
+   * @param api - API entry to remove from indices
+   * @private
+   * @internal
+   */
+  removeFromIndices(api) {
+    this.removeFromIndexSet(this.apisByType, api.type, api.id);
+    const status = api.metadata?.status || "active";
+    this.removeFromIndexSet(this.apisByStatus, status, api.id);
+    const tags = api.metadata?.tags || [];
+    for (const tag of tags) {
+      this.removeFromIndexSet(this.apisByTag, tag, api.id);
+    }
+  }
+  /**
+   * Helper to ensure an index set exists and return it
+   * 
+   * @param map - Index map
+   * @param key - Index key
+   * @returns The Set for this key (created if needed)
+   * @private
+   * @internal
+   */
+  ensureIndexSet(map, key) {
+    let set = map.get(key);
+    if (!set) {
+      set = /* @__PURE__ */ new Set();
+      map.set(key, set);
+    }
+    return set;
+  }
+  /**
+   * Helper to remove an ID from an index set and clean up empty sets
+   * 
+   * @param map - Index map
+   * @param key - Index key
+   * @param id - API ID to remove
+   * @private
+   * @internal
+   */
+  removeFromIndexSet(map, key, id) {
+    const set = map.get(key);
+    if (set) {
+      set.delete(id);
+      if (set.size === 0) {
+        map.delete(key);
+      }
+    }
+  }
+  /**
+   * Check if running in production environment
+   * 
+   * @returns true if NODE_ENV is 'production'
+   * @private
+   * @internal
+   */
+  isProductionEnvironment() {
+    return getEnv("NODE_ENV") === "production";
+  }
+};
+
+// src/api-registry-plugin.ts
+function createApiRegistryPlugin(config = {}) {
+  const {
+    conflictResolution = "error",
+    version = "1.0.0"
+  } = config;
+  return {
+    name: "com.objectstack.core.api-registry",
+    version: "1.0.0",
+    init: async (ctx) => {
+      const registry = new ApiRegistry(
+        ctx.logger,
+        conflictResolution,
+        version
+      );
+      ctx.registerService("api-registry", registry);
+      ctx.logger.info("API Registry plugin initialized", {
+        conflictResolution,
+        version
+      });
+    }
+  };
+}
+
+// src/qa/index.ts
+var qa_exports = {};
+__export(qa_exports, {
+  HttpTestAdapter: () => HttpTestAdapter,
+  TestRunner: () => TestRunner
+});
+
+// src/qa/runner.ts
+var TestRunner = class {
+  constructor(adapter) {
+    this.adapter = adapter;
+  }
+  async runSuite(suite) {
+    const results = [];
+    for (const scenario of suite.scenarios) {
+      results.push(await this.runScenario(scenario));
+    }
+    return results;
+  }
+  async runScenario(scenario) {
+    const startTime = Date.now();
+    const context = {};
+    if (scenario.setup) {
+      for (const step of scenario.setup) {
+        try {
+          await this.runStep(step, context);
+        } catch (e) {
+          return {
+            scenarioId: scenario.id,
+            passed: false,
+            steps: [],
+            error: `Setup failed: ${e instanceof Error ? e.message : String(e)}`,
+            duration: Date.now() - startTime
+          };
+        }
+      }
+    }
+    const stepResults = [];
+    let scenarioPassed = true;
+    let scenarioError = void 0;
+    for (const step of scenario.steps) {
+      const stepStartTime = Date.now();
+      try {
+        const output = await this.runStep(step, context);
+        stepResults.push({
+          stepName: step.name,
+          passed: true,
+          output,
+          duration: Date.now() - stepStartTime
+        });
+      } catch (e) {
+        scenarioPassed = false;
+        scenarioError = e;
+        stepResults.push({
+          stepName: step.name,
+          passed: false,
+          error: e,
+          duration: Date.now() - stepStartTime
+        });
+        break;
+      }
+    }
+    if (scenario.teardown) {
+      for (const step of scenario.teardown) {
+        try {
+          await this.runStep(step, context);
+        } catch (e) {
+          if (scenarioPassed) {
+            scenarioPassed = false;
+            scenarioError = `Teardown failed: ${e instanceof Error ? e.message : String(e)}`;
+          }
+        }
+      }
+    }
+    return {
+      scenarioId: scenario.id,
+      passed: scenarioPassed,
+      steps: stepResults,
+      error: scenarioError,
+      duration: Date.now() - startTime
+    };
+  }
+  async runStep(step, context) {
+    const resolvedAction = this.resolveVariables(step.action, context);
+    const result = await this.adapter.execute(resolvedAction, context);
+    if (step.capture) {
+      for (const [varName, path] of Object.entries(step.capture)) {
+        context[varName] = this.getValueByPath(result, path);
+      }
+    }
+    if (step.assertions) {
+      for (const assertion of step.assertions) {
+        this.assert(result, assertion, context);
+      }
+    }
+    return result;
+  }
+  resolveVariables(action, _context) {
+    return action;
+  }
+  getValueByPath(obj, path) {
+    if (!path) return obj;
+    const parts = path.split(".");
+    let current = obj;
+    for (const part of parts) {
+      if (current === null || current === void 0) return void 0;
+      current = current[part];
+    }
+    return current;
+  }
+  assert(result, assertion, _context) {
+    const actual = this.getValueByPath(result, assertion.field);
+    const expected = assertion.expectedValue;
+    switch (assertion.operator) {
+      case "equals":
+        if (actual !== expected) throw new Error(`Assertion failed: ${assertion.field} expected ${expected}, got ${actual}`);
+        break;
+      case "not_equals":
+        if (actual === expected) throw new Error(`Assertion failed: ${assertion.field} expected not ${expected}, got ${actual}`);
+        break;
+      case "contains":
+        if (Array.isArray(actual)) {
+          if (!actual.includes(expected)) throw new Error(`Assertion failed: ${assertion.field} array does not contain ${expected}`);
+        } else if (typeof actual === "string") {
+          if (!actual.includes(String(expected))) throw new Error(`Assertion failed: ${assertion.field} string does not contain ${expected}`);
+        }
+        break;
+      case "not_null":
+        if (actual === null || actual === void 0) throw new Error(`Assertion failed: ${assertion.field} is null`);
+        break;
+      case "is_null":
+        if (actual !== null && actual !== void 0) throw new Error(`Assertion failed: ${assertion.field} is not null`);
+        break;
+      // ... Add other operators
+      default:
+        throw new Error(`Unknown assertion operator: ${assertion.operator}`);
+    }
+  }
+};
+
+// src/qa/http-adapter.ts
+var HttpTestAdapter = class {
+  constructor(baseUrl, authToken) {
+    this.baseUrl = baseUrl;
+    this.authToken = authToken;
+  }
+  async execute(action, _context) {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (this.authToken) {
+      headers["Authorization"] = `Bearer ${this.authToken}`;
+    }
+    if (action.user) {
+      headers["X-Run-As"] = action.user;
+    }
+    switch (action.type) {
+      case "create_record":
+        return this.createRecord(action.target, action.payload || {}, headers);
+      case "update_record":
+        return this.updateRecord(action.target, action.payload || {}, headers);
+      case "delete_record":
+        return this.deleteRecord(action.target, action.payload || {}, headers);
+      case "read_record":
+        return this.readRecord(action.target, action.payload || {}, headers);
+      case "query_records":
+        return this.queryRecords(action.target, action.payload || {}, headers);
+      case "api_call":
+        return this.rawApiCall(action.target, action.payload || {}, headers);
+      case "wait":
+        const ms = Number(action.payload?.duration || 1e3);
+        return new Promise((resolve) => setTimeout(() => resolve({ waited: ms }), ms));
+      default:
+        throw new Error(`Unsupported action type in HttpAdapter: ${action.type}`);
+    }
+  }
+  async createRecord(objectName, data, headers) {
+    const response = await fetch(`${this.baseUrl}/api/data/${objectName}`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(data)
+    });
+    return this.handleResponse(response);
+  }
+  async updateRecord(objectName, data, headers) {
+    const id = data._id || data.id;
+    if (!id) throw new Error("Update record requires _id or id in payload");
+    const response = await fetch(`${this.baseUrl}/api/data/${objectName}/${id}`, {
+      method: "PUT",
+      headers,
+      body: JSON.stringify(data)
+    });
+    return this.handleResponse(response);
+  }
+  async deleteRecord(objectName, data, headers) {
+    const id = data._id || data.id;
+    if (!id) throw new Error("Delete record requires _id or id in payload");
+    const response = await fetch(`${this.baseUrl}/api/data/${objectName}/${id}`, {
+      method: "DELETE",
+      headers
+    });
+    return this.handleResponse(response);
+  }
+  async readRecord(objectName, data, headers) {
+    const id = data._id || data.id;
+    if (!id) throw new Error("Read record requires _id or id in payload");
+    const response = await fetch(`${this.baseUrl}/api/data/${objectName}/${id}`, {
+      method: "GET",
+      headers
+    });
+    return this.handleResponse(response);
+  }
+  async queryRecords(objectName, data, headers) {
+    const response = await fetch(`${this.baseUrl}/api/data/${objectName}/query`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(data)
+    });
+    return this.handleResponse(response);
+  }
+  async rawApiCall(endpoint, data, headers) {
+    const method = data.method || "GET";
+    const body = data.body ? JSON.stringify(data.body) : void 0;
+    const url = endpoint.startsWith("http") ? endpoint : `${this.baseUrl}${endpoint}`;
+    const response = await fetch(url, {
+      method,
+      headers,
+      body
+    });
+    return this.handleResponse(response);
+  }
+  async handleResponse(response) {
+    if (!response.ok) {
+      const text = await response.text();
+      throw new Error(`HTTP Error ${response.status}: ${text}`);
+    }
+    const contentType = response.headers.get("content-type");
+    if (contentType && contentType.includes("application/json")) {
+      return response.json();
+    }
+    return response.text();
+  }
+};
+
+// src/security/plugin-signature-verifier.ts
+var cryptoModule = null;
+if (typeof globalThis.window === "undefined") {
+  try {
+    cryptoModule = eval('require("crypto")');
+  } catch {
+  }
+}
+var PluginSignatureVerifier = class {
+  constructor(config, logger) {
+    this.config = config;
+    this.logger = logger;
+    this.validateConfig();
+  }
+  /**
+   * Verify plugin signature
+   * 
+   * @param plugin - Plugin metadata with signature
+   * @returns Verification result
+   * @throws Error if verification fails in strict mode
+   */
+  async verifyPluginSignature(plugin) {
+    if (!plugin.signature) {
+      return this.handleUnsignedPlugin(plugin);
+    }
+    try {
+      const publisherId = this.extractPublisherId(plugin.name);
+      const publicKey = this.config.trustedPublicKeys.get(publisherId);
+      if (!publicKey) {
+        const error = `No trusted public key for publisher: ${publisherId}`;
+        this.logger.warn(error, { plugin: plugin.name, publisherId });
+        if (this.config.strictMode && !this.config.allowSelfSigned) {
+          throw new Error(error);
+        }
+        return {
+          verified: false,
+          error,
+          publisherId
+        };
+      }
+      const pluginHash = this.computePluginHash(plugin);
+      const isValid = await this.verifyCryptoSignature(
+        pluginHash,
+        plugin.signature,
+        publicKey
+      );
+      if (!isValid) {
+        const error = `Signature verification failed for plugin: ${plugin.name}`;
+        this.logger.error(error, void 0, { plugin: plugin.name, publisherId });
+        throw new Error(error);
+      }
+      this.logger.info(`\u2705 Plugin signature verified: ${plugin.name}`, {
+        plugin: plugin.name,
+        publisherId,
+        algorithm: this.config.algorithm
+      });
+      return {
+        verified: true,
+        publisherId,
+        algorithm: this.config.algorithm
+      };
+    } catch (error) {
+      this.logger.error(`Signature verification error: ${plugin.name}`, error);
+      if (this.config.strictMode) {
+        throw error;
+      }
+      return {
+        verified: false,
+        error: error.message
+      };
+    }
+  }
+  /**
+   * Register a trusted public key for a publisher
+   */
+  registerPublicKey(publisherId, publicKey) {
+    this.config.trustedPublicKeys.set(publisherId, publicKey);
+    this.logger.info(`Trusted public key registered for: ${publisherId}`);
+  }
+  /**
+   * Remove a trusted public key
+   */
+  revokePublicKey(publisherId) {
+    this.config.trustedPublicKeys.delete(publisherId);
+    this.logger.warn(`Public key revoked for: ${publisherId}`);
+  }
+  /**
+   * Get list of trusted publishers
+   */
+  getTrustedPublishers() {
+    return Array.from(this.config.trustedPublicKeys.keys());
+  }
+  // Private methods
+  handleUnsignedPlugin(plugin) {
+    if (this.config.strictMode) {
+      const error = `Plugin missing signature (strict mode): ${plugin.name}`;
+      this.logger.error(error, void 0, { plugin: plugin.name });
+      throw new Error(error);
+    }
+    this.logger.warn(`\u26A0\uFE0F  Plugin not signed: ${plugin.name}`, {
+      plugin: plugin.name,
+      recommendation: "Consider signing plugins for production environments"
+    });
+    return {
+      verified: false,
+      error: "Plugin not signed"
+    };
+  }
+  extractPublisherId(pluginName) {
+    const parts = pluginName.split(".");
+    if (parts.length < 2) {
+      throw new Error(`Invalid plugin name format: ${pluginName} (expected reverse domain notation)`);
+    }
+    return `${parts[0]}.${parts[1]}`;
+  }
+  computePluginHash(plugin) {
+    if (typeof globalThis.window !== "undefined") {
+      return this.computePluginHashBrowser(plugin);
+    }
+    return this.computePluginHashNode(plugin);
+  }
+  computePluginHashNode(plugin) {
+    if (!cryptoModule) {
+      this.logger.warn("crypto module not available, using fallback hash");
+      return this.computePluginHashFallback(plugin);
+    }
+    const pluginCode = this.serializePluginCode(plugin);
+    return cryptoModule.createHash("sha256").update(pluginCode).digest("hex");
+  }
+  computePluginHashBrowser(plugin) {
+    this.logger.debug("Using browser hash (SubtleCrypto integration pending)");
+    return this.computePluginHashFallback(plugin);
+  }
+  computePluginHashFallback(plugin) {
+    const pluginCode = this.serializePluginCode(plugin);
+    let hash = 0;
+    for (let i = 0; i < pluginCode.length; i++) {
+      const char = pluginCode.charCodeAt(i);
+      hash = (hash << 5) - hash + char;
+      hash = hash & hash;
+    }
+    return hash.toString(16);
+  }
+  serializePluginCode(plugin) {
+    const parts = [
+      plugin.name,
+      plugin.version,
+      plugin.init.toString()
+    ];
+    if (plugin.start) {
+      parts.push(plugin.start.toString());
+    }
+    if (plugin.destroy) {
+      parts.push(plugin.destroy.toString());
+    }
+    return parts.join("|");
+  }
+  async verifyCryptoSignature(data, signature, publicKey) {
+    if (typeof globalThis.window !== "undefined") {
+      return this.verifyCryptoSignatureBrowser(data, signature, publicKey);
+    }
+    return this.verifyCryptoSignatureNode(data, signature, publicKey);
+  }
+  verifyCryptoSignatureNode(data, signature, publicKey) {
+    if (!cryptoModule) {
+      this.logger.error("Crypto module not available for signature verification");
+      return false;
+    }
+    try {
+      if (this.config.algorithm === "ES256") {
+        const verify = cryptoModule.createVerify("sha256");
+        verify.update(data);
+        return verify.verify(
+          {
+            key: publicKey,
+            format: "pem",
+            type: "spki"
+          },
+          signature,
+          "base64"
+        );
+      } else {
+        const verify = cryptoModule.createVerify("RSA-SHA256");
+        verify.update(data);
+        return verify.verify(publicKey, signature, "base64");
+      }
+    } catch (error) {
+      this.logger.error("Signature verification failed", error);
+      return false;
+    }
+  }
+  async verifyCryptoSignatureBrowser(_data, _signature, _publicKey) {
+    this.logger.warn("Browser signature verification not yet implemented");
+    return false;
+  }
+  validateConfig() {
+    if (!this.config.trustedPublicKeys || this.config.trustedPublicKeys.size === 0) {
+      this.logger.warn("No trusted public keys configured - all signatures will fail");
+    }
+    if (!this.config.algorithm) {
+      throw new Error("Signature algorithm must be specified");
+    }
+    if (!["RS256", "ES256"].includes(this.config.algorithm)) {
+      throw new Error(`Unsupported algorithm: ${this.config.algorithm}`);
+    }
+  }
+};
+
+// src/security/plugin-permission-enforcer.ts
+var PluginPermissionEnforcer = class {
+  constructor(logger) {
+    this.permissionRegistry = /* @__PURE__ */ new Map();
+    this.capabilityRegistry = /* @__PURE__ */ new Map();
+    this.logger = logger;
+  }
+  /**
+   * Register plugin capabilities and build permission set
+   * 
+   * @param pluginName - Plugin identifier
+   * @param capabilities - Array of capability declarations
+   */
+  registerPluginPermissions(pluginName, capabilities) {
+    this.capabilityRegistry.set(pluginName, capabilities);
+    const permissions = {
+      canAccessService: (service) => this.checkServiceAccess(capabilities, service),
+      canTriggerHook: (hook) => this.checkHookAccess(capabilities, hook),
+      canReadFile: (path) => this.checkFileRead(capabilities, path),
+      canWriteFile: (path) => this.checkFileWrite(capabilities, path),
+      canNetworkRequest: (url) => this.checkNetworkAccess(capabilities, url)
+    };
+    this.permissionRegistry.set(pluginName, permissions);
+    this.logger.info(`Permissions registered for plugin: ${pluginName}`, {
+      plugin: pluginName,
+      capabilityCount: capabilities.length
+    });
+  }
+  /**
+   * Enforce service access permission
+   * 
+   * @param pluginName - Plugin requesting access
+   * @param serviceName - Service to access
+   * @throws Error if permission denied
+   */
+  enforceServiceAccess(pluginName, serviceName) {
+    const result = this.checkPermission(pluginName, (perms) => perms.canAccessService(serviceName));
+    if (!result.allowed) {
+      const error = `Permission denied: Plugin ${pluginName} cannot access service ${serviceName}`;
+      this.logger.warn(error, {
+        plugin: pluginName,
+        service: serviceName,
+        reason: result.reason
+      });
+      throw new Error(error);
+    }
+    this.logger.debug(`Service access granted: ${pluginName} -> ${serviceName}`);
+  }
+  /**
+   * Enforce hook trigger permission
+   * 
+   * @param pluginName - Plugin requesting access
+   * @param hookName - Hook to trigger
+   * @throws Error if permission denied
+   */
+  enforceHookTrigger(pluginName, hookName) {
+    const result = this.checkPermission(pluginName, (perms) => perms.canTriggerHook(hookName));
+    if (!result.allowed) {
+      const error = `Permission denied: Plugin ${pluginName} cannot trigger hook ${hookName}`;
+      this.logger.warn(error, {
+        plugin: pluginName,
+        hook: hookName,
+        reason: result.reason
+      });
+      throw new Error(error);
+    }
+    this.logger.debug(`Hook trigger granted: ${pluginName} -> ${hookName}`);
+  }
+  /**
+   * Enforce file read permission
+   * 
+   * @param pluginName - Plugin requesting access
+   * @param path - File path to read
+   * @throws Error if permission denied
+   */
+  enforceFileRead(pluginName, path) {
+    const result = this.checkPermission(pluginName, (perms) => perms.canReadFile(path));
+    if (!result.allowed) {
+      const error = `Permission denied: Plugin ${pluginName} cannot read file ${path}`;
+      this.logger.warn(error, {
+        plugin: pluginName,
+        path,
+        reason: result.reason
+      });
+      throw new Error(error);
+    }
+    this.logger.debug(`File read granted: ${pluginName} -> ${path}`);
+  }
+  /**
+   * Enforce file write permission
+   * 
+   * @param pluginName - Plugin requesting access
+   * @param path - File path to write
+   * @throws Error if permission denied
+   */
+  enforceFileWrite(pluginName, path) {
+    const result = this.checkPermission(pluginName, (perms) => perms.canWriteFile(path));
+    if (!result.allowed) {
+      const error = `Permission denied: Plugin ${pluginName} cannot write file ${path}`;
+      this.logger.warn(error, {
+        plugin: pluginName,
+        path,
+        reason: result.reason
+      });
+      throw new Error(error);
+    }
+    this.logger.debug(`File write granted: ${pluginName} -> ${path}`);
+  }
+  /**
+   * Enforce network request permission
+   * 
+   * @param pluginName - Plugin requesting access
+   * @param url - URL to access
+   * @throws Error if permission denied
+   */
+  enforceNetworkRequest(pluginName, url) {
+    const result = this.checkPermission(pluginName, (perms) => perms.canNetworkRequest(url));
+    if (!result.allowed) {
+      const error = `Permission denied: Plugin ${pluginName} cannot access URL ${url}`;
+      this.logger.warn(error, {
+        plugin: pluginName,
+        url,
+        reason: result.reason
+      });
+      throw new Error(error);
+    }
+    this.logger.debug(`Network request granted: ${pluginName} -> ${url}`);
+  }
+  /**
+   * Get plugin capabilities
+   * 
+   * @param pluginName - Plugin identifier
+   * @returns Array of capabilities or undefined
+   */
+  getPluginCapabilities(pluginName) {
+    return this.capabilityRegistry.get(pluginName);
+  }
+  /**
+   * Get plugin permissions
+   * 
+   * @param pluginName - Plugin identifier
+   * @returns Permissions object or undefined
+   */
+  getPluginPermissions(pluginName) {
+    return this.permissionRegistry.get(pluginName);
+  }
+  /**
+   * Revoke all permissions for a plugin
+   * 
+   * @param pluginName - Plugin identifier
+   */
+  revokePermissions(pluginName) {
+    this.permissionRegistry.delete(pluginName);
+    this.capabilityRegistry.delete(pluginName);
+    this.logger.warn(`Permissions revoked for plugin: ${pluginName}`);
+  }
+  // Private methods
+  checkPermission(pluginName, check) {
+    const permissions = this.permissionRegistry.get(pluginName);
+    if (!permissions) {
+      return {
+        allowed: false,
+        reason: "Plugin permissions not registered"
+      };
+    }
+    const allowed = check(permissions);
+    return {
+      allowed,
+      reason: allowed ? void 0 : "No matching capability found"
+    };
+  }
+  checkServiceAccess(capabilities, serviceName) {
+    return capabilities.some((cap) => {
+      const protocolId = cap.protocol.id;
+      if (protocolId.includes("protocol.service.all")) {
+        return true;
+      }
+      if (protocolId.includes(`protocol.service.${serviceName}`)) {
+        return true;
+      }
+      const serviceCategory = serviceName.split(".")[0];
+      if (protocolId.includes(`protocol.service.${serviceCategory}`)) {
+        return true;
+      }
+      return false;
+    });
+  }
+  checkHookAccess(capabilities, hookName) {
+    return capabilities.some((cap) => {
+      const protocolId = cap.protocol.id;
+      if (protocolId.includes("protocol.hook.all")) {
+        return true;
+      }
+      if (protocolId.includes(`protocol.hook.${hookName}`)) {
+        return true;
+      }
+      const hookCategory = hookName.split(":")[0];
+      if (protocolId.includes(`protocol.hook.${hookCategory}`)) {
+        return true;
+      }
+      return false;
+    });
+  }
+  checkFileRead(capabilities, _path) {
+    return capabilities.some((cap) => {
+      const protocolId = cap.protocol.id;
+      if (protocolId.includes("protocol.filesystem.read")) {
+        return true;
+      }
+      return false;
+    });
+  }
+  checkFileWrite(capabilities, _path) {
+    return capabilities.some((cap) => {
+      const protocolId = cap.protocol.id;
+      if (protocolId.includes("protocol.filesystem.write")) {
+        return true;
+      }
+      return false;
+    });
+  }
+  checkNetworkAccess(capabilities, _url) {
+    return capabilities.some((cap) => {
+      const protocolId = cap.protocol.id;
+      if (protocolId.includes("protocol.network")) {
+        return true;
+      }
+      return false;
+    });
+  }
+};
+var SecurePluginContext = class {
+  constructor(pluginName, permissionEnforcer, baseContext) {
+    this.pluginName = pluginName;
+    this.permissionEnforcer = permissionEnforcer;
+    this.baseContext = baseContext;
+  }
+  registerService(name, service) {
+    this.baseContext.registerService(name, service);
+  }
+  getService(name) {
+    this.permissionEnforcer.enforceServiceAccess(this.pluginName, name);
+    return this.baseContext.getService(name);
+  }
+  getServices() {
+    return this.baseContext.getServices();
+  }
+  hook(name, handler) {
+    this.baseContext.hook(name, handler);
+  }
+  async trigger(name, ...args) {
+    this.permissionEnforcer.enforceHookTrigger(this.pluginName, name);
+    await this.baseContext.trigger(name, ...args);
+  }
+  get logger() {
+    return this.baseContext.logger;
+  }
+  getKernel() {
+    return this.baseContext.getKernel();
+  }
+};
+function createPluginPermissionEnforcer(logger) {
+  return new PluginPermissionEnforcer(logger);
+}
+
+// src/security/permission-manager.ts
+var PluginPermissionManager = class {
+  constructor(logger) {
+    // Plugin permission definitions
+    this.permissionSets = /* @__PURE__ */ new Map();
+    // Granted permissions (pluginId -> Set of permission IDs)
+    this.grants = /* @__PURE__ */ new Map();
+    // Permission grant details
+    this.grantDetails = /* @__PURE__ */ new Map();
+    this.logger = logger.child({ component: "PermissionManager" });
+  }
+  /**
+   * Register permission requirements for a plugin
+   */
+  registerPermissions(pluginId, permissionSet) {
+    this.permissionSets.set(pluginId, permissionSet);
+    this.logger.info("Permissions registered for plugin", {
+      pluginId,
+      permissionCount: permissionSet.permissions.length
+    });
+  }
+  /**
+   * Grant a permission to a plugin
+   */
+  grantPermission(pluginId, permissionId, grantedBy, expiresAt) {
+    const permissionSet = this.permissionSets.get(pluginId);
+    if (!permissionSet) {
+      throw new Error(`No permissions registered for plugin: ${pluginId}`);
+    }
+    const permission = permissionSet.permissions.find((p) => p.id === permissionId);
+    if (!permission) {
+      throw new Error(`Permission ${permissionId} not declared by plugin ${pluginId}`);
+    }
+    if (!this.grants.has(pluginId)) {
+      this.grants.set(pluginId, /* @__PURE__ */ new Set());
+    }
+    this.grants.get(pluginId).add(permissionId);
+    const grantKey = `${pluginId}:${permissionId}`;
+    this.grantDetails.set(grantKey, {
+      permissionId,
+      pluginId,
+      grantedAt: /* @__PURE__ */ new Date(),
+      grantedBy,
+      expiresAt
+    });
+    this.logger.info("Permission granted", {
+      pluginId,
+      permissionId,
+      grantedBy
+    });
+  }
+  /**
+   * Revoke a permission from a plugin
+   */
+  revokePermission(pluginId, permissionId) {
+    const grants = this.grants.get(pluginId);
+    if (grants) {
+      grants.delete(permissionId);
+      const grantKey = `${pluginId}:${permissionId}`;
+      this.grantDetails.delete(grantKey);
+      this.logger.info("Permission revoked", { pluginId, permissionId });
+    }
+  }
+  /**
+   * Grant all permissions for a plugin
+   */
+  grantAllPermissions(pluginId, grantedBy) {
+    const permissionSet = this.permissionSets.get(pluginId);
+    if (!permissionSet) {
+      throw new Error(`No permissions registered for plugin: ${pluginId}`);
+    }
+    for (const permission of permissionSet.permissions) {
+      this.grantPermission(pluginId, permission.id, grantedBy);
+    }
+    this.logger.info("All permissions granted", { pluginId, grantedBy });
+  }
+  /**
+   * Check if a plugin has a specific permission
+   */
+  hasPermission(pluginId, permissionId) {
+    const grants = this.grants.get(pluginId);
+    if (!grants) {
+      return false;
+    }
+    if (!grants.has(permissionId)) {
+      return false;
+    }
+    const grantKey = `${pluginId}:${permissionId}`;
+    const grantDetails = this.grantDetails.get(grantKey);
+    if (grantDetails?.expiresAt && grantDetails.expiresAt < /* @__PURE__ */ new Date()) {
+      this.revokePermission(pluginId, permissionId);
+      return false;
+    }
+    return true;
+  }
+  /**
+   * Check if plugin can perform an action on a resource
+   */
+  checkAccess(pluginId, resource, action, resourceId) {
+    const permissionSet = this.permissionSets.get(pluginId);
+    if (!permissionSet) {
+      return {
+        allowed: false,
+        reason: "No permissions registered for plugin"
+      };
+    }
+    const matchingPermissions = permissionSet.permissions.filter((p) => {
+      if (p.resource !== resource) {
+        return false;
+      }
+      if (!p.actions.includes(action)) {
+        return false;
+      }
+      if (resourceId && p.filter?.resourceIds) {
+        if (!p.filter.resourceIds.includes(resourceId)) {
+          return false;
+        }
+      }
+      return true;
+    });
+    if (matchingPermissions.length === 0) {
+      return {
+        allowed: false,
+        reason: `No permission found for ${action} on ${resource}`
+      };
+    }
+    const grantedPermissions = matchingPermissions.filter(
+      (p) => this.hasPermission(pluginId, p.id)
+    );
+    if (grantedPermissions.length === 0) {
+      return {
+        allowed: false,
+        reason: "Required permissions not granted",
+        requiredPermission: matchingPermissions[0].id
+      };
+    }
+    return {
+      allowed: true,
+      grantedPermissions: grantedPermissions.map((p) => p.id)
+    };
+  }
+  /**
+   * Get all permissions for a plugin
+   */
+  getPluginPermissions(pluginId) {
+    const permissionSet = this.permissionSets.get(pluginId);
+    return permissionSet?.permissions || [];
+  }
+  /**
+   * Get granted permissions for a plugin
+   */
+  getGrantedPermissions(pluginId) {
+    const grants = this.grants.get(pluginId);
+    return grants ? Array.from(grants) : [];
+  }
+  /**
+   * Get required but not granted permissions
+   */
+  getMissingPermissions(pluginId) {
+    const permissionSet = this.permissionSets.get(pluginId);
+    if (!permissionSet) {
+      return [];
+    }
+    const granted = this.grants.get(pluginId) || /* @__PURE__ */ new Set();
+    return permissionSet.permissions.filter(
+      (p) => p.required && !granted.has(p.id)
+    );
+  }
+  /**
+   * Check if all required permissions are granted
+   */
+  hasAllRequiredPermissions(pluginId) {
+    return this.getMissingPermissions(pluginId).length === 0;
+  }
+  /**
+   * Get permission grant details
+   */
+  getGrantDetails(pluginId, permissionId) {
+    const grantKey = `${pluginId}:${permissionId}`;
+    return this.grantDetails.get(grantKey);
+  }
+  /**
+   * Validate permission against scope constraints
+   */
+  validatePermissionScope(permission, context) {
+    switch (permission.scope) {
+      case "global":
+        return true;
+      case "tenant":
+        return !!context.tenantId;
+      case "user":
+        return !!context.userId;
+      case "resource":
+        return !!context.resourceId;
+      case "plugin":
+        return true;
+      default:
+        return false;
+    }
+  }
+  /**
+   * Clear all permissions for a plugin
+   */
+  clearPluginPermissions(pluginId) {
+    this.permissionSets.delete(pluginId);
+    const grants = this.grants.get(pluginId);
+    if (grants) {
+      for (const permissionId of grants) {
+        const grantKey = `${pluginId}:${permissionId}`;
+        this.grantDetails.delete(grantKey);
+      }
+      this.grants.delete(pluginId);
+    }
+    this.logger.info("All permissions cleared", { pluginId });
+  }
+  /**
+   * Shutdown permission manager
+   */
+  shutdown() {
+    this.permissionSets.clear();
+    this.grants.clear();
+    this.grantDetails.clear();
+    this.logger.info("Permission manager shutdown complete");
+  }
+};
+
+// src/security/sandbox-runtime.ts
+var PluginSandboxRuntime = class {
+  constructor(logger) {
+    // Active sandboxes (pluginId -> context)
+    this.sandboxes = /* @__PURE__ */ new Map();
+    // Resource monitoring intervals
+    this.monitoringIntervals = /* @__PURE__ */ new Map();
+    this.logger = logger.child({ component: "SandboxRuntime" });
+  }
+  /**
+   * Create a sandbox for a plugin
+   */
+  createSandbox(pluginId, config) {
+    if (this.sandboxes.has(pluginId)) {
+      throw new Error(`Sandbox already exists for plugin: ${pluginId}`);
+    }
+    const context = {
+      pluginId,
+      config,
+      startTime: /* @__PURE__ */ new Date(),
+      resourceUsage: {
+        memory: { current: 0, peak: 0, limit: config.memory?.maxHeap },
+        cpu: { current: 0, average: 0, limit: config.cpu?.maxCpuPercent },
+        connections: { current: 0, limit: config.network?.maxConnections }
+      }
+    };
+    this.sandboxes.set(pluginId, context);
+    this.startResourceMonitoring(pluginId);
+    this.logger.info("Sandbox created", {
+      pluginId,
+      level: config.level,
+      memoryLimit: config.memory?.maxHeap,
+      cpuLimit: config.cpu?.maxCpuPercent
+    });
+    return context;
+  }
+  /**
+   * Destroy a sandbox
+   */
+  destroySandbox(pluginId) {
+    const context = this.sandboxes.get(pluginId);
+    if (!context) {
+      return;
+    }
+    this.stopResourceMonitoring(pluginId);
+    this.sandboxes.delete(pluginId);
+    this.logger.info("Sandbox destroyed", { pluginId });
+  }
+  /**
+   * Check if resource access is allowed
+   */
+  checkResourceAccess(pluginId, resourceType, resourcePath) {
+    const context = this.sandboxes.get(pluginId);
+    if (!context) {
+      return { allowed: false, reason: "Sandbox not found" };
+    }
+    const { config } = context;
+    switch (resourceType) {
+      case "file":
+        return this.checkFileAccess(config, resourcePath);
+      case "network":
+        return this.checkNetworkAccess(config, resourcePath);
+      case "process":
+        return this.checkProcessAccess(config);
+      case "env":
+        return this.checkEnvAccess(config, resourcePath);
+      default:
+        return { allowed: false, reason: "Unknown resource type" };
+    }
+  }
+  /**
+   * Check file system access
+   * WARNING: Uses simple prefix matching. For production, use proper path
+   * resolution with path.resolve() and path.normalize() to prevent traversal.
+   */
+  checkFileAccess(config, path) {
+    if (config.level === "none") {
+      return { allowed: true };
+    }
+    if (!config.filesystem) {
+      return { allowed: false, reason: "File system access not configured" };
+    }
+    if (!path) {
+      return { allowed: config.filesystem.mode !== "none" };
+    }
+    const allowedPaths = config.filesystem.allowedPaths || [];
+    const isAllowed = allowedPaths.some((allowed) => {
+      return path.startsWith(allowed);
+    });
+    if (allowedPaths.length > 0 && !isAllowed) {
+      return {
+        allowed: false,
+        reason: `Path not in allowed list: ${path}`
+      };
+    }
+    const deniedPaths = config.filesystem.deniedPaths || [];
+    const isDenied = deniedPaths.some((denied) => {
+      return path.startsWith(denied);
+    });
+    if (isDenied) {
+      return {
+        allowed: false,
+        reason: `Path is explicitly denied: ${path}`
+      };
+    }
+    return { allowed: true };
+  }
+  /**
+   * Check network access
+   * WARNING: Uses simple string matching. For production, use proper URL
+   * parsing with new URL() and check hostname property.
+   */
+  checkNetworkAccess(config, url) {
+    if (config.level === "none") {
+      return { allowed: true };
+    }
+    if (!config.network) {
+      return { allowed: false, reason: "Network access not configured" };
+    }
+    if (config.network.mode === "none") {
+      return { allowed: false, reason: "Network access disabled" };
+    }
+    if (!url) {
+      return { allowed: config.network.mode !== "none" };
+    }
+    const allowedHosts = config.network.allowedHosts || [];
+    if (allowedHosts.length > 0) {
+      const isAllowed = allowedHosts.some((host) => {
+        return url.includes(host);
+      });
+      if (!isAllowed) {
+        return {
+          allowed: false,
+          reason: `Host not in allowed list: ${url}`
+        };
+      }
+    }
+    const deniedHosts = config.network.deniedHosts || [];
+    const isDenied = deniedHosts.some((host) => {
+      return url.includes(host);
+    });
+    if (isDenied) {
+      return {
+        allowed: false,
+        reason: `Host is blocked: ${url}`
+      };
+    }
+    return { allowed: true };
+  }
+  /**
+   * Check process spawning access
+   */
+  checkProcessAccess(config) {
+    if (config.level === "none") {
+      return { allowed: true };
+    }
+    if (!config.process) {
+      return { allowed: false, reason: "Process access not configured" };
+    }
+    if (!config.process.allowSpawn) {
+      return { allowed: false, reason: "Process spawning not allowed" };
+    }
+    return { allowed: true };
+  }
+  /**
+   * Check environment variable access
+   */
+  checkEnvAccess(config, varName) {
+    if (config.level === "none") {
+      return { allowed: true };
+    }
+    if (!config.process) {
+      return { allowed: false, reason: "Environment access not configured" };
+    }
+    if (!varName) {
+      return { allowed: true };
+    }
+    return { allowed: true };
+  }
+  /**
+   * Check resource limits
+   */
+  checkResourceLimits(pluginId) {
+    const context = this.sandboxes.get(pluginId);
+    if (!context) {
+      return { withinLimits: true, violations: [] };
+    }
+    const violations = [];
+    const { resourceUsage, config } = context;
+    if (config.memory?.maxHeap && resourceUsage.memory.current > config.memory.maxHeap) {
+      violations.push(`Memory limit exceeded: ${resourceUsage.memory.current} > ${config.memory.maxHeap}`);
+    }
+    if (config.runtime?.resourceLimits?.maxCpu && resourceUsage.cpu.current > config.runtime.resourceLimits.maxCpu) {
+      violations.push(`CPU limit exceeded: ${resourceUsage.cpu.current}% > ${config.runtime.resourceLimits.maxCpu}%`);
+    }
+    if (config.network?.maxConnections && resourceUsage.connections.current > config.network.maxConnections) {
+      violations.push(`Connection limit exceeded: ${resourceUsage.connections.current} > ${config.network.maxConnections}`);
+    }
+    return {
+      withinLimits: violations.length === 0,
+      violations
+    };
+  }
+  /**
+   * Get resource usage for a plugin
+   */
+  getResourceUsage(pluginId) {
+    const context = this.sandboxes.get(pluginId);
+    return context?.resourceUsage;
+  }
+  /**
+   * Start monitoring resource usage
+   */
+  startResourceMonitoring(pluginId) {
+    const interval = setInterval(() => {
+      this.updateResourceUsage(pluginId);
+    }, 5e3);
+    this.monitoringIntervals.set(pluginId, interval);
+  }
+  /**
+   * Stop monitoring resource usage
+   */
+  stopResourceMonitoring(pluginId) {
+    const interval = this.monitoringIntervals.get(pluginId);
+    if (interval) {
+      clearInterval(interval);
+      this.monitoringIntervals.delete(pluginId);
+    }
+  }
+  /**
+   * Update resource usage statistics
+   * 
+   * NOTE: Currently uses global process.memoryUsage() which tracks the entire
+   * Node.js process, not individual plugins. For production, implement proper
+   * per-plugin tracking using V8 heap snapshots or allocation tracking at
+   * plugin boundaries.
+   */
+  updateResourceUsage(pluginId) {
+    const context = this.sandboxes.get(pluginId);
+    if (!context) {
+      return;
+    }
+    const memoryUsage = getMemoryUsage();
+    context.resourceUsage.memory.current = memoryUsage.heapUsed;
+    context.resourceUsage.memory.peak = Math.max(
+      context.resourceUsage.memory.peak,
+      memoryUsage.heapUsed
+    );
+    context.resourceUsage.cpu.current = 0;
+    const { withinLimits, violations } = this.checkResourceLimits(pluginId);
+    if (!withinLimits) {
+      this.logger.warn("Resource limit violations detected", {
+        pluginId,
+        violations
+      });
+    }
+  }
+  /**
+   * Get all active sandboxes
+   */
+  getAllSandboxes() {
+    return new Map(this.sandboxes);
+  }
+  /**
+   * Shutdown sandbox runtime
+   */
+  shutdown() {
+    for (const pluginId of this.monitoringIntervals.keys()) {
+      this.stopResourceMonitoring(pluginId);
+    }
+    this.sandboxes.clear();
+    this.logger.info("Sandbox runtime shutdown complete");
+  }
+};
+
+// src/security/security-scanner.ts
+var PluginSecurityScanner = class {
+  constructor(logger, config) {
+    // Known vulnerabilities database (CVE cache)
+    this.vulnerabilityDb = /* @__PURE__ */ new Map();
+    // Scan results cache
+    this.scanResults = /* @__PURE__ */ new Map();
+    this.passThreshold = 70;
+    this.logger = logger.child({ component: "SecurityScanner" });
+    if (config?.passThreshold !== void 0) {
+      this.passThreshold = config.passThreshold;
+    }
+  }
+  /**
+   * Perform a comprehensive security scan on a plugin
+   */
+  async scan(target) {
+    this.logger.info("Starting security scan", {
+      pluginId: target.pluginId,
+      version: target.version
+    });
+    const issues = [];
+    try {
+      const codeIssues = await this.scanCode(target);
+      issues.push(...codeIssues);
+      const depIssues = await this.scanDependencies(target);
+      issues.push(...depIssues);
+      const malwareIssues = await this.scanMalware(target);
+      issues.push(...malwareIssues);
+      const licenseIssues = await this.scanLicenses(target);
+      issues.push(...licenseIssues);
+      const configIssues = await this.scanConfiguration(target);
+      issues.push(...configIssues);
+      const score = this.calculateSecurityScore(issues);
+      const result = {
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        scanner: { name: "ObjectStack Security Scanner", version: "1.0.0" },
+        status: score >= this.passThreshold ? "passed" : "failed",
+        vulnerabilities: issues.map((issue) => ({
+          id: issue.id,
+          severity: issue.severity,
+          category: issue.category,
+          title: issue.title,
+          description: issue.description,
+          location: issue.location ? `${issue.location.file}:${issue.location.line}` : void 0,
+          remediation: issue.remediation,
+          affectedVersions: [],
+          exploitAvailable: false,
+          patchAvailable: false
+        })),
+        summary: {
+          totalVulnerabilities: issues.length,
+          criticalCount: issues.filter((i) => i.severity === "critical").length,
+          highCount: issues.filter((i) => i.severity === "high").length,
+          mediumCount: issues.filter((i) => i.severity === "medium").length,
+          lowCount: issues.filter((i) => i.severity === "low").length,
+          infoCount: issues.filter((i) => i.severity === "info").length
+        }
+      };
+      this.scanResults.set(`${target.pluginId}:${target.version}`, result);
+      this.logger.info("Security scan complete", {
+        pluginId: target.pluginId,
+        score,
+        status: result.status,
+        summary: result.summary
+      });
+      return result;
+    } catch (error) {
+      this.logger.error("Security scan failed", {
+        pluginId: target.pluginId,
+        error
+      });
+      throw error;
+    }
+  }
+  /**
+   * Scan code for vulnerabilities
+   */
+  async scanCode(target) {
+    const issues = [];
+    this.logger.debug("Code scan complete", {
+      pluginId: target.pluginId,
+      issuesFound: issues.length
+    });
+    return issues;
+  }
+  /**
+   * Scan dependencies for known vulnerabilities
+   */
+  async scanDependencies(target) {
+    const issues = [];
+    if (!target.dependencies) {
+      return issues;
+    }
+    for (const [depName, version] of Object.entries(target.dependencies)) {
+      const vulnKey = `${depName}@${version}`;
+      const vulnerability = this.vulnerabilityDb.get(vulnKey);
+      if (vulnerability) {
+        issues.push({
+          id: `vuln-${vulnerability.cve || depName}`,
+          severity: vulnerability.severity,
+          category: "vulnerability",
+          title: `Vulnerable dependency: ${depName}`,
+          description: `${depName}@${version} has known security vulnerabilities`,
+          remediation: vulnerability.fixedIn ? `Upgrade to ${vulnerability.fixedIn.join(" or ")}` : "No fix available",
+          cve: vulnerability.cve
+        });
+      }
+    }
+    this.logger.debug("Dependency scan complete", {
+      pluginId: target.pluginId,
+      dependencies: Object.keys(target.dependencies).length,
+      vulnerabilities: issues.length
+    });
+    return issues;
+  }
+  /**
+   * Scan for malware patterns
+   */
+  async scanMalware(target) {
+    const issues = [];
+    this.logger.debug("Malware scan complete", {
+      pluginId: target.pluginId,
+      issuesFound: issues.length
+    });
+    return issues;
+  }
+  /**
+   * Check license compliance
+   */
+  async scanLicenses(target) {
+    const issues = [];
+    if (!target.dependencies) {
+      return issues;
+    }
+    this.logger.debug("License scan complete", {
+      pluginId: target.pluginId,
+      issuesFound: issues.length
+    });
+    return issues;
+  }
+  /**
+   * Check configuration security
+   */
+  async scanConfiguration(target) {
+    const issues = [];
+    this.logger.debug("Configuration scan complete", {
+      pluginId: target.pluginId,
+      issuesFound: issues.length
+    });
+    return issues;
+  }
+  /**
+   * Calculate security score based on issues
+   */
+  calculateSecurityScore(issues) {
+    let score = 100;
+    for (const issue of issues) {
+      switch (issue.severity) {
+        case "critical":
+          score -= 20;
+          break;
+        case "high":
+          score -= 10;
+          break;
+        case "medium":
+          score -= 5;
+          break;
+        case "low":
+          score -= 2;
+          break;
+        case "info":
+          score -= 0;
+          break;
+      }
+    }
+    return Math.max(0, score);
+  }
+  /**
+   * Add a vulnerability to the database
+   */
+  addVulnerability(packageName, version, vulnerability) {
+    const key = `${packageName}@${version}`;
+    this.vulnerabilityDb.set(key, vulnerability);
+    this.logger.debug("Vulnerability added to database", {
+      package: packageName,
+      version,
+      cve: vulnerability.cve
+    });
+  }
+  /**
+   * Get scan result from cache
+   */
+  getScanResult(pluginId, version) {
+    return this.scanResults.get(`${pluginId}:${version}`);
+  }
+  /**
+   * Clear scan results cache
+   */
+  clearCache() {
+    this.scanResults.clear();
+    this.logger.debug("Scan results cache cleared");
+  }
+  /**
+   * Update vulnerability database from external source
+   */
+  async updateVulnerabilityDatabase() {
+    this.logger.info("Updating vulnerability database");
+    this.logger.info("Vulnerability database updated", {
+      entries: this.vulnerabilityDb.size
+    });
+  }
+  /**
+   * Shutdown security scanner
+   */
+  shutdown() {
+    this.vulnerabilityDb.clear();
+    this.scanResults.clear();
+    this.logger.info("Security scanner shutdown complete");
+  }
+};
+
+// src/health-monitor.ts
+var PluginHealthMonitor = class {
+  constructor(logger) {
+    this.healthChecks = /* @__PURE__ */ new Map();
+    this.healthStatus = /* @__PURE__ */ new Map();
+    this.healthReports = /* @__PURE__ */ new Map();
+    this.checkIntervals = /* @__PURE__ */ new Map();
+    this.failureCounters = /* @__PURE__ */ new Map();
+    this.successCounters = /* @__PURE__ */ new Map();
+    this.restartAttempts = /* @__PURE__ */ new Map();
+    this.logger = logger.child({ component: "HealthMonitor" });
+  }
+  /**
+   * Register a plugin for health monitoring
+   */
+  registerPlugin(pluginName, config) {
+    this.healthChecks.set(pluginName, config);
+    this.healthStatus.set(pluginName, "unknown");
+    this.failureCounters.set(pluginName, 0);
+    this.successCounters.set(pluginName, 0);
+    this.restartAttempts.set(pluginName, 0);
+    this.logger.info("Plugin registered for health monitoring", {
+      plugin: pluginName,
+      interval: config.interval
+    });
+  }
+  /**
+   * Start monitoring a plugin
+   */
+  startMonitoring(pluginName, plugin) {
+    const config = this.healthChecks.get(pluginName);
+    if (!config) {
+      this.logger.warn("Cannot start monitoring - plugin not registered", { plugin: pluginName });
+      return;
+    }
+    this.stopMonitoring(pluginName);
+    const interval = setInterval(() => {
+      this.performHealthCheck(pluginName, plugin, config).catch((error) => {
+        this.logger.error("Health check failed with error", {
+          plugin: pluginName,
+          error
+        });
+      });
+    }, config.interval);
+    this.checkIntervals.set(pluginName, interval);
+    this.logger.info("Health monitoring started", { plugin: pluginName });
+    this.performHealthCheck(pluginName, plugin, config).catch((error) => {
+      this.logger.error("Initial health check failed", {
+        plugin: pluginName,
+        error
+      });
+    });
+  }
+  /**
+   * Stop monitoring a plugin
+   */
+  stopMonitoring(pluginName) {
+    const interval = this.checkIntervals.get(pluginName);
+    if (interval) {
+      clearInterval(interval);
+      this.checkIntervals.delete(pluginName);
+      this.logger.info("Health monitoring stopped", { plugin: pluginName });
+    }
+  }
+  /**
+   * Perform a health check on a plugin
+   */
+  async performHealthCheck(pluginName, plugin, config) {
+    const startTime = Date.now();
+    let status = "healthy";
+    let message;
+    const checks = [];
+    try {
+      if (config.checkMethod && typeof plugin[config.checkMethod] === "function") {
+        const checkResult = await Promise.race([
+          plugin[config.checkMethod](),
+          this.timeout(config.timeout, `Health check timeout after ${config.timeout}ms`)
+        ]);
+        if (checkResult === false || checkResult && checkResult.status === "unhealthy") {
+          status = "unhealthy";
+          message = checkResult?.message || "Custom health check failed";
+          checks.push({ name: config.checkMethod, status: "failed", message });
+        } else {
+          checks.push({ name: config.checkMethod, status: "passed" });
+        }
+      } else {
+        checks.push({ name: "plugin-loaded", status: "passed" });
+      }
+      if (status === "healthy") {
+        this.successCounters.set(pluginName, (this.successCounters.get(pluginName) || 0) + 1);
+        this.failureCounters.set(pluginName, 0);
+        const currentStatus = this.healthStatus.get(pluginName);
+        if (currentStatus === "unhealthy" || currentStatus === "degraded") {
+          const successCount = this.successCounters.get(pluginName) || 0;
+          if (successCount >= config.successThreshold) {
+            this.healthStatus.set(pluginName, "healthy");
+            this.logger.info("Plugin recovered to healthy state", { plugin: pluginName });
+          } else {
+            this.healthStatus.set(pluginName, "recovering");
+          }
+        } else {
+          this.healthStatus.set(pluginName, "healthy");
+        }
+      } else {
+        this.failureCounters.set(pluginName, (this.failureCounters.get(pluginName) || 0) + 1);
+        this.successCounters.set(pluginName, 0);
+        const failureCount = this.failureCounters.get(pluginName) || 0;
+        if (failureCount >= config.failureThreshold) {
+          this.healthStatus.set(pluginName, "unhealthy");
+          this.logger.warn("Plugin marked as unhealthy", {
+            plugin: pluginName,
+            failures: failureCount
+          });
+          if (config.autoRestart) {
+            await this.attemptRestart(pluginName, plugin, config);
+          }
+        } else {
+          this.healthStatus.set(pluginName, "degraded");
+        }
+      }
+    } catch (error) {
+      status = "failed";
+      message = error instanceof Error ? error.message : "Unknown error";
+      this.failureCounters.set(pluginName, (this.failureCounters.get(pluginName) || 0) + 1);
+      this.healthStatus.set(pluginName, "failed");
+      checks.push({
+        name: "health-check",
+        status: "failed",
+        message
+      });
+      this.logger.error("Health check exception", {
+        plugin: pluginName,
+        error
+      });
+    }
+    const report = {
+      status: this.healthStatus.get(pluginName) || "unknown",
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      message,
+      metrics: {
+        uptime: Date.now() - startTime
+      },
+      checks: checks.length > 0 ? checks : void 0
+    };
+    this.healthReports.set(pluginName, report);
+  }
+  /**
+   * Attempt to restart a plugin
+   */
+  async attemptRestart(pluginName, plugin, config) {
+    const attempts = this.restartAttempts.get(pluginName) || 0;
+    if (attempts >= config.maxRestartAttempts) {
+      this.logger.error("Max restart attempts reached, giving up", {
+        plugin: pluginName,
+        attempts
+      });
+      this.healthStatus.set(pluginName, "failed");
+      return;
+    }
+    this.restartAttempts.set(pluginName, attempts + 1);
+    const delay = this.calculateBackoff(attempts, config.restartBackoff);
+    this.logger.info("Scheduling plugin restart", {
+      plugin: pluginName,
+      attempt: attempts + 1,
+      delay
+    });
+    await new Promise((resolve) => setTimeout(resolve, delay));
+    try {
+      if (plugin.destroy) {
+        await plugin.destroy();
+      }
+      this.logger.info("Plugin restarted", { plugin: pluginName });
+      this.failureCounters.set(pluginName, 0);
+      this.successCounters.set(pluginName, 0);
+      this.healthStatus.set(pluginName, "recovering");
+    } catch (error) {
+      this.logger.error("Plugin restart failed", {
+        plugin: pluginName,
+        error
+      });
+      this.healthStatus.set(pluginName, "failed");
+    }
+  }
+  /**
+   * Calculate backoff delay for restarts
+   */
+  calculateBackoff(attempt, strategy) {
+    const baseDelay = 1e3;
+    switch (strategy) {
+      case "fixed":
+        return baseDelay;
+      case "linear":
+        return baseDelay * (attempt + 1);
+      case "exponential":
+        return baseDelay * Math.pow(2, attempt);
+      default:
+        return baseDelay;
+    }
+  }
+  /**
+   * Get current health status of a plugin
+   */
+  getHealthStatus(pluginName) {
+    return this.healthStatus.get(pluginName);
+  }
+  /**
+   * Get latest health report for a plugin
+   */
+  getHealthReport(pluginName) {
+    return this.healthReports.get(pluginName);
+  }
+  /**
+   * Get all health statuses
+   */
+  getAllHealthStatuses() {
+    return new Map(this.healthStatus);
+  }
+  /**
+   * Shutdown health monitor
+   */
+  shutdown() {
+    for (const pluginName of this.checkIntervals.keys()) {
+      this.stopMonitoring(pluginName);
+    }
+    this.healthChecks.clear();
+    this.healthStatus.clear();
+    this.healthReports.clear();
+    this.failureCounters.clear();
+    this.successCounters.clear();
+    this.restartAttempts.clear();
+    this.logger.info("Health monitor shutdown complete");
+  }
+  /**
+   * Timeout helper
+   */
+  timeout(ms, message) {
+    return new Promise((_, reject) => {
+      setTimeout(() => reject(new Error(message)), ms);
+    });
+  }
+};
+
+// src/hot-reload.ts
+var generateUUID = () => {
+  if (typeof crypto !== "undefined" && crypto.randomUUID) {
+    return crypto.randomUUID();
+  }
+  return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, function(c) {
+    const r = Math.random() * 16 | 0;
+    const v = c === "x" ? r : r & 3 | 8;
+    return v.toString(16);
+  });
+};
+var PluginStateManager = class {
+  constructor(logger) {
+    this.stateSnapshots = /* @__PURE__ */ new Map();
+    this.memoryStore = /* @__PURE__ */ new Map();
+    this.logger = logger.child({ component: "StateManager" });
+  }
+  /**
+   * Save plugin state before reload
+   */
+  async saveState(pluginId, version, state, config) {
+    const snapshot = {
+      pluginId,
+      version,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      state,
+      metadata: {
+        checksum: this.calculateChecksum(state),
+        compressed: false
+      }
+    };
+    const snapshotId = generateUUID();
+    switch (config.stateStrategy) {
+      case "memory":
+        this.memoryStore.set(snapshotId, snapshot);
+        this.logger.debug("State saved to memory", { pluginId, snapshotId });
+        break;
+      case "disk":
+        this.memoryStore.set(snapshotId, snapshot);
+        this.logger.debug("State saved to disk (memory fallback)", { pluginId, snapshotId });
+        break;
+      case "distributed":
+        this.memoryStore.set(snapshotId, snapshot);
+        this.logger.debug("State saved to distributed store (memory fallback)", {
+          pluginId,
+          snapshotId
+        });
+        break;
+      case "none":
+        this.logger.debug("State persistence disabled", { pluginId });
+        break;
+    }
+    this.stateSnapshots.set(pluginId, snapshot);
+    return snapshotId;
+  }
+  /**
+   * Restore plugin state after reload
+   */
+  async restoreState(pluginId, snapshotId) {
+    let snapshot;
+    if (snapshotId) {
+      snapshot = this.memoryStore.get(snapshotId);
+    } else {
+      snapshot = this.stateSnapshots.get(pluginId);
+    }
+    if (!snapshot) {
+      this.logger.warn("No state snapshot found", { pluginId, snapshotId });
+      return void 0;
+    }
+    if (snapshot.metadata?.checksum) {
+      const currentChecksum = this.calculateChecksum(snapshot.state);
+      if (currentChecksum !== snapshot.metadata.checksum) {
+        this.logger.error("State checksum mismatch - data may be corrupted", {
+          pluginId,
+          expected: snapshot.metadata.checksum,
+          actual: currentChecksum
+        });
+        return void 0;
+      }
+    }
+    this.logger.debug("State restored", { pluginId, version: snapshot.version });
+    return snapshot.state;
+  }
+  /**
+   * Clear state for a plugin
+   */
+  clearState(pluginId) {
+    this.stateSnapshots.delete(pluginId);
+    this.logger.debug("State cleared", { pluginId });
+  }
+  /**
+   * Calculate simple checksum for state verification
+   * WARNING: This is a simple hash for demo purposes.
+   * In production, use a cryptographic hash like SHA-256.
+   */
+  calculateChecksum(state) {
+    const stateStr = JSON.stringify(state);
+    let hash = 0;
+    for (let i = 0; i < stateStr.length; i++) {
+      const char = stateStr.charCodeAt(i);
+      hash = (hash << 5) - hash + char;
+      hash = hash & hash;
+    }
+    return hash.toString(16);
+  }
+  /**
+   * Shutdown state manager
+   */
+  shutdown() {
+    this.stateSnapshots.clear();
+    this.memoryStore.clear();
+    this.logger.info("State manager shutdown complete");
+  }
+};
+var HotReloadManager = class {
+  constructor(logger) {
+    this.reloadConfigs = /* @__PURE__ */ new Map();
+    this.watchHandles = /* @__PURE__ */ new Map();
+    this.reloadTimers = /* @__PURE__ */ new Map();
+    this.logger = logger.child({ component: "HotReload" });
+    this.stateManager = new PluginStateManager(logger);
+  }
+  /**
+   * Register a plugin for hot reload
+   */
+  registerPlugin(pluginName, config) {
+    if (!config.enabled) {
+      this.logger.debug("Hot reload disabled for plugin", { plugin: pluginName });
+      return;
+    }
+    this.reloadConfigs.set(pluginName, config);
+    this.logger.info("Plugin registered for hot reload", {
+      plugin: pluginName,
+      watchPatterns: config.watchPatterns,
+      stateStrategy: config.stateStrategy
+    });
+  }
+  /**
+   * Start watching for changes (requires file system integration)
+   */
+  startWatching(pluginName) {
+    const config = this.reloadConfigs.get(pluginName);
+    if (!config || !config.enabled) {
+      return;
+    }
+    this.logger.info("File watching started", {
+      plugin: pluginName,
+      patterns: config.watchPatterns
+    });
+  }
+  /**
+   * Stop watching for changes
+   */
+  stopWatching(pluginName) {
+    const handle = this.watchHandles.get(pluginName);
+    if (handle) {
+      this.watchHandles.delete(pluginName);
+      this.logger.info("File watching stopped", { plugin: pluginName });
+    }
+    const timer = this.reloadTimers.get(pluginName);
+    if (timer) {
+      clearTimeout(timer);
+      this.reloadTimers.delete(pluginName);
+    }
+  }
+  /**
+   * Trigger hot reload for a plugin
+   */
+  async reloadPlugin(pluginName, plugin, version, getPluginState, restorePluginState) {
+    const config = this.reloadConfigs.get(pluginName);
+    if (!config) {
+      this.logger.warn("Cannot reload - plugin not registered", { plugin: pluginName });
+      return false;
+    }
+    this.logger.info("Starting hot reload", { plugin: pluginName });
+    try {
+      if (config.beforeReload) {
+        this.logger.debug("Executing before reload hooks", {
+          plugin: pluginName,
+          hooks: config.beforeReload
+        });
+      }
+      let snapshotId;
+      if (config.preserveState && config.stateStrategy !== "none") {
+        const state = getPluginState();
+        snapshotId = await this.stateManager.saveState(
+          pluginName,
+          version,
+          state,
+          config
+        );
+        this.logger.debug("Plugin state saved", { plugin: pluginName, snapshotId });
+      }
+      if (plugin.destroy) {
+        this.logger.debug("Destroying plugin", { plugin: pluginName });
+        const shutdownPromise = plugin.destroy();
+        const timeoutPromise = new Promise((_, reject) => {
+          setTimeout(() => reject(new Error("Shutdown timeout")), config.shutdownTimeout);
+        });
+        await Promise.race([shutdownPromise, timeoutPromise]);
+        this.logger.debug("Plugin destroyed successfully", { plugin: pluginName });
+      }
+      this.logger.debug("Plugin module would be reloaded here", { plugin: pluginName });
+      if (snapshotId && config.preserveState) {
+        const restoredState = await this.stateManager.restoreState(pluginName, snapshotId);
+        if (restoredState) {
+          restorePluginState(restoredState);
+          this.logger.debug("Plugin state restored", { plugin: pluginName });
+        }
+      }
+      if (config.afterReload) {
+        this.logger.debug("Executing after reload hooks", {
+          plugin: pluginName,
+          hooks: config.afterReload
+        });
+      }
+      this.logger.info("Hot reload completed successfully", { plugin: pluginName });
+      return true;
+    } catch (error) {
+      this.logger.error("Hot reload failed", {
+        plugin: pluginName,
+        error
+      });
+      return false;
+    }
+  }
+  /**
+   * Schedule a reload with debouncing
+   */
+  scheduleReload(pluginName, reloadFn) {
+    const config = this.reloadConfigs.get(pluginName);
+    if (!config) {
+      return;
+    }
+    const existingTimer = this.reloadTimers.get(pluginName);
+    if (existingTimer) {
+      clearTimeout(existingTimer);
+    }
+    const timer = setTimeout(() => {
+      this.logger.debug("Debounce period elapsed, executing reload", {
+        plugin: pluginName
+      });
+      reloadFn().catch((error) => {
+        this.logger.error("Scheduled reload failed", {
+          plugin: pluginName,
+          error
+        });
+      });
+      this.reloadTimers.delete(pluginName);
+    }, config.debounceDelay);
+    this.reloadTimers.set(pluginName, timer);
+    this.logger.debug("Reload scheduled with debounce", {
+      plugin: pluginName,
+      delay: config.debounceDelay
+    });
+  }
+  /**
+   * Get state manager for direct access
+   */
+  getStateManager() {
+    return this.stateManager;
+  }
+  /**
+   * Shutdown hot reload manager
+   */
+  shutdown() {
+    for (const pluginName of this.watchHandles.keys()) {
+      this.stopWatching(pluginName);
+    }
+    for (const timer of this.reloadTimers.values()) {
+      clearTimeout(timer);
+    }
+    this.reloadConfigs.clear();
+    this.watchHandles.clear();
+    this.reloadTimers.clear();
+    this.stateManager.shutdown();
+    this.logger.info("Hot reload manager shutdown complete");
+  }
+};
+
+// src/dependency-resolver.ts
+var SemanticVersionManager = class {
+  /**
+   * Parse a version string into semantic version components
+   */
+  static parse(versionStr) {
+    const cleanVersion = versionStr.replace(/^v/, "");
+    const match = cleanVersion.match(
+      /^(\d+)\.(\d+)\.(\d+)(?:-([a-zA-Z0-9.-]+))?(?:\+([a-zA-Z0-9.-]+))?$/
+    );
+    if (!match) {
+      throw new Error(`Invalid semantic version: ${versionStr}`);
+    }
+    return {
+      major: parseInt(match[1], 10),
+      minor: parseInt(match[2], 10),
+      patch: parseInt(match[3], 10),
+      preRelease: match[4],
+      build: match[5]
+    };
+  }
+  /**
+   * Convert semantic version back to string
+   */
+  static toString(version) {
+    let str = `${version.major}.${version.minor}.${version.patch}`;
+    if (version.preRelease) {
+      str += `-${version.preRelease}`;
+    }
+    if (version.build) {
+      str += `+${version.build}`;
+    }
+    return str;
+  }
+  /**
+   * Compare two semantic versions
+   * Returns: -1 if a < b, 0 if a === b, 1 if a > b
+   */
+  static compare(a, b) {
+    if (a.major !== b.major) return a.major - b.major;
+    if (a.minor !== b.minor) return a.minor - b.minor;
+    if (a.patch !== b.patch) return a.patch - b.patch;
+    if (a.preRelease && !b.preRelease) return -1;
+    if (!a.preRelease && b.preRelease) return 1;
+    if (a.preRelease && b.preRelease) {
+      return a.preRelease.localeCompare(b.preRelease);
+    }
+    return 0;
+  }
+  /**
+   * Check if version satisfies constraint
+   */
+  static satisfies(version, constraint) {
+    const constraintStr = constraint;
+    if (constraintStr === "*" || constraintStr === "latest") {
+      return true;
+    }
+    if (/^[\d.]+$/.test(constraintStr)) {
+      const exact = this.parse(constraintStr);
+      return this.compare(version, exact) === 0;
+    }
+    if (constraintStr.startsWith("^")) {
+      const base = this.parse(constraintStr.slice(1));
+      return version.major === base.major && this.compare(version, base) >= 0;
+    }
+    if (constraintStr.startsWith("~")) {
+      const base = this.parse(constraintStr.slice(1));
+      return version.major === base.major && version.minor === base.minor && this.compare(version, base) >= 0;
+    }
+    if (constraintStr.startsWith(">=")) {
+      const base = this.parse(constraintStr.slice(2));
+      return this.compare(version, base) >= 0;
+    }
+    if (constraintStr.startsWith(">")) {
+      const base = this.parse(constraintStr.slice(1));
+      return this.compare(version, base) > 0;
+    }
+    if (constraintStr.startsWith("<=")) {
+      const base = this.parse(constraintStr.slice(2));
+      return this.compare(version, base) <= 0;
+    }
+    if (constraintStr.startsWith("<")) {
+      const base = this.parse(constraintStr.slice(1));
+      return this.compare(version, base) < 0;
+    }
+    const rangeMatch = constraintStr.match(/^([\d.]+)\s*-\s*([\d.]+)$/);
+    if (rangeMatch) {
+      const min = this.parse(rangeMatch[1]);
+      const max = this.parse(rangeMatch[2]);
+      return this.compare(version, min) >= 0 && this.compare(version, max) <= 0;
+    }
+    return false;
+  }
+  /**
+   * Determine compatibility level between two versions
+   */
+  static getCompatibilityLevel(from, to) {
+    const cmp = this.compare(from, to);
+    if (cmp === 0) {
+      return "fully-compatible";
+    }
+    if (from.major !== to.major) {
+      return "breaking-changes";
+    }
+    if (from.minor < to.minor) {
+      return "backward-compatible";
+    }
+    if (from.patch < to.patch) {
+      return "fully-compatible";
+    }
+    return "incompatible";
+  }
+};
+var DependencyResolver = class {
+  constructor(logger) {
+    this.logger = logger.child({ component: "DependencyResolver" });
+  }
+  /**
+   * Resolve dependencies using topological sort
+   */
+  resolve(plugins) {
+    const graph = /* @__PURE__ */ new Map();
+    const inDegree = /* @__PURE__ */ new Map();
+    for (const [pluginName, pluginInfo] of plugins) {
+      if (!graph.has(pluginName)) {
+        graph.set(pluginName, []);
+        inDegree.set(pluginName, 0);
+      }
+      const deps = pluginInfo.dependencies || [];
+      for (const dep of deps) {
+        if (!plugins.has(dep)) {
+          throw new Error(`Missing dependency: ${pluginName} requires ${dep}`);
+        }
+        if (!graph.has(dep)) {
+          graph.set(dep, []);
+          inDegree.set(dep, 0);
+        }
+        graph.get(dep).push(pluginName);
+        inDegree.set(pluginName, (inDegree.get(pluginName) || 0) + 1);
+      }
+    }
+    const queue = [];
+    const result = [];
+    for (const [node, degree] of inDegree) {
+      if (degree === 0) {
+        queue.push(node);
+      }
+    }
+    while (queue.length > 0) {
+      const node = queue.shift();
+      result.push(node);
+      const dependents = graph.get(node) || [];
+      for (const dependent of dependents) {
+        const newDegree = (inDegree.get(dependent) || 0) - 1;
+        inDegree.set(dependent, newDegree);
+        if (newDegree === 0) {
+          queue.push(dependent);
+        }
+      }
+    }
+    if (result.length !== plugins.size) {
+      const remaining = Array.from(plugins.keys()).filter((p) => !result.includes(p));
+      this.logger.error("Circular dependency detected", { remaining });
+      throw new Error(`Circular dependency detected among: ${remaining.join(", ")}`);
+    }
+    this.logger.debug("Dependencies resolved", { order: result });
+    return result;
+  }
+  /**
+   * Detect dependency conflicts
+   */
+  detectConflicts(plugins) {
+    const conflicts = [];
+    const versionRequirements = /* @__PURE__ */ new Map();
+    for (const [pluginName, pluginInfo] of plugins) {
+      if (!pluginInfo.dependencies) continue;
+      for (const [depName, constraint] of Object.entries(pluginInfo.dependencies)) {
+        if (!versionRequirements.has(depName)) {
+          versionRequirements.set(depName, /* @__PURE__ */ new Map());
+        }
+        versionRequirements.get(depName).set(pluginName, constraint);
+      }
+    }
+    for (const [depName, requirements] of versionRequirements) {
+      const depInfo = plugins.get(depName);
+      if (!depInfo) continue;
+      const depVersion = SemanticVersionManager.parse(depInfo.version);
+      const unsatisfied = [];
+      for (const [requiringPlugin, constraint] of requirements) {
+        if (!SemanticVersionManager.satisfies(depVersion, constraint)) {
+          unsatisfied.push({
+            pluginId: requiringPlugin,
+            version: constraint
+          });
+        }
+      }
+      if (unsatisfied.length > 0) {
+        conflicts.push({
+          type: "version-mismatch",
+          severity: "error",
+          description: `Version mismatch for ${depName}: detected ${unsatisfied.length} unsatisfied requirements`,
+          plugins: [
+            { pluginId: depName, version: depInfo.version },
+            ...unsatisfied
+          ],
+          resolutions: [{
+            strategy: "upgrade",
+            description: `Upgrade ${depName} to satisfy all constraints`,
+            targetPlugins: [depName],
+            automatic: false
+          }]
+        });
+      }
+    }
+    try {
+      this.resolve(new Map(
+        Array.from(plugins.entries()).map(([name, info]) => [
+          name,
+          { version: info.version, dependencies: info.dependencies ? Object.keys(info.dependencies) : [] }
+        ])
+      ));
+    } catch (error) {
+      if (error instanceof Error && error.message.includes("Circular dependency")) {
+        conflicts.push({
+          type: "circular-dependency",
+          severity: "critical",
+          description: error.message,
+          plugins: [],
+          // Would need to extract from error
+          resolutions: [{
+            strategy: "manual",
+            description: "Remove circular dependency by restructuring plugins",
+            automatic: false
+          }]
+        });
+      }
+    }
+    return conflicts;
+  }
+  /**
+   * Find best version that satisfies all constraints
+   */
+  findBestVersion(availableVersions, constraints) {
+    const versions = availableVersions.map((v) => ({ str: v, parsed: SemanticVersionManager.parse(v) })).sort((a, b) => -SemanticVersionManager.compare(a.parsed, b.parsed));
+    for (const version of versions) {
+      const satisfiesAll = constraints.every(
+        (constraint) => SemanticVersionManager.satisfies(version.parsed, constraint)
+      );
+      if (satisfiesAll) {
+        return version.str;
+      }
+    }
+    return void 0;
+  }
+  /**
+   * Check if dependencies form a valid DAG (no cycles)
+   */
+  isAcyclic(dependencies) {
+    try {
+      const plugins = new Map(
+        Array.from(dependencies.entries()).map(([name, deps]) => [
+          name,
+          { dependencies: deps }
+        ])
+      );
+      this.resolve(plugins);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ApiRegistry,
+  DependencyResolver,
+  HotReloadManager,
+  LiteKernel,
+  ObjectKernel,
+  ObjectKernelBase,
+  ObjectLogger,
+  PluginConfigValidator,
+  PluginHealthMonitor,
+  PluginLoader,
+  PluginPermissionEnforcer,
+  PluginPermissionManager,
+  PluginSandboxRuntime,
+  PluginSecurityScanner,
+  PluginSignatureVerifier,
+  QA,
+  SecurePluginContext,
+  SemanticVersionManager,
+  ServiceLifecycle,
+  createApiRegistryPlugin,
+  createLogger,
+  createPluginConfigValidator,
+  createPluginPermissionEnforcer,
+  getEnv,
+  getMemoryUsage,
+  isNode,
+  safeExit
+});
+//# sourceMappingURL=index.cjs.map