@objectstack/core 1.0.2 → 1.0.5

package/dist/index.d.ts

@@ -1,22 +1,1777 @@
+import { LoggerConfig } from '@objectstack/spec/system';
+import { Logger, IServiceRegistry } from '@objectstack/spec/contracts';
+export { DriverInterface, IDataEngine, IHttpRequest, IHttpResponse, IHttpServer, Logger, Middleware, RouteHandler } from '@objectstack/spec/contracts';
+import { z } from 'zod';
+import { ConflictResolutionStrategy, ApiRegistryEntryInput, ApiRegistryEntry, ApiDiscoveryQuery, ApiDiscoveryResponse, ApiEndpointRegistration, ApiRegistry as ApiRegistry$1 } from '@objectstack/spec/api';
+import { QA } from '@objectstack/spec';
+import { PluginCapability, PermissionSet, ResourceType, PermissionAction, Permission, SandboxConfig, SecurityScanResult, SecurityVulnerability, PluginHealthCheck, PluginHealthStatus as PluginHealthStatus$1, PluginHealthReport, HotReloadConfig, SemanticVersion, VersionConstraint, CompatibilityLevel, DependencyConflict } from '@objectstack/spec/kernel';
+
 /**
- * @objectstack/core
- *
- * Core runtime for ObjectStack microkernel architecture.
- * Provides plugin system, dependency injection, and lifecycle management.
- */
-export * from './kernel-base.js';
-export * from './kernel.js';
-export * from './lite-kernel.js';
-export * from './types.js';
-export * from './logger.js';
-export * from './plugin-loader.js';
-export * from './api-registry.js';
-export * from './api-registry-plugin.js';
-export * as QA from './qa/index.js';
-export * from './security/index.js';
-export * from './utils/env.js';
-export * from './health-monitor.js';
-export * from './hot-reload.js';
-export * from './dependency-resolver.js';
-export type { Logger, IHttpServer, IHttpRequest, IHttpResponse, RouteHandler, Middleware, IDataEngine, DriverInterface } from '@objectstack/spec/contracts';
-//# sourceMappingURL=index.d.ts.map
+ * Service Lifecycle Types
+ * Defines how services are instantiated and managed
+ */
+declare enum ServiceLifecycle {
+    /** Single instance shared across all requests */
+    SINGLETON = "singleton",
+    /** New instance created for each request */
+    TRANSIENT = "transient",
+    /** New instance per scope (e.g., per HTTP request) */
+    SCOPED = "scoped"
+}
+/**
+ * Service Factory
+ * Function that creates a service instance
+ */
+type ServiceFactory<T = any> = (ctx: PluginContext) => T | Promise<T>;
+/**
+ * Service Registration Options
+ */
+interface ServiceRegistration {
+    name: string;
+    factory: ServiceFactory;
+    lifecycle: ServiceLifecycle;
+    dependencies?: string[];
+}
+/**
+ * Plugin Configuration Validator Interface
+ * Uses Zod for runtime validation of plugin configurations
+ * @deprecated Use the PluginConfigValidator class from security module instead
+ */
+interface IPluginConfigValidator {
+    schema: z.ZodSchema;
+    validate(config: any): any;
+}
+/**
+ * Plugin Metadata with Enhanced Features
+ */
+interface PluginMetadata extends Plugin {
+    /** Semantic version (e.g., "1.0.0") */
+    version: string;
+    /** Configuration schema for validation */
+    configSchema?: z.ZodSchema;
+    /** Plugin signature for security verification */
+    signature?: string;
+    /** Plugin health check function */
+    healthCheck?(): Promise<PluginHealthStatus>;
+    /** Startup timeout in milliseconds (default: 30000) */
+    startupTimeout?: number;
+    /** Whether plugin supports hot reload */
+    hotReloadable?: boolean;
+}
+/**
+ * Plugin Health Status
+ */
+interface PluginHealthStatus {
+    healthy: boolean;
+    message?: string;
+    details?: Record<string, any>;
+    lastCheck?: Date;
+}
+/**
+ * Plugin Load Result
+ */
+interface PluginLoadResult {
+    success: boolean;
+    plugin?: PluginMetadata;
+    error?: Error;
+    loadTime?: number;
+}
+/**
+ * Plugin Startup Result
+ */
+interface PluginStartupResult {
+    success: boolean;
+    pluginName: string;
+    startTime?: number;
+    error?: Error;
+    timedOut?: boolean;
+}
+/**
+ * Version Compatibility Result
+ */
+interface VersionCompatibility {
+    compatible: boolean;
+    pluginVersion: string;
+    requiredVersion?: string;
+    message?: string;
+}
+/**
+ * Enhanced Plugin Loader
+ * Provides advanced plugin loading capabilities with validation, security, and lifecycle management
+ */
+declare class PluginLoader {
+    private logger;
+    private context?;
+    private configValidator;
+    private loadedPlugins;
+    private serviceFactories;
+    private serviceInstances;
+    private scopedServices;
+    private creating;
+    constructor(logger: Logger);
+    /**
+     * Set the plugin context for service factories
+     */
+    setContext(context: PluginContext): void;
+    /**
+     * Get a synchronous service instance if it exists (Sync Helper)
+     */
+    getServiceInstance<T>(name: string): T | undefined;
+    /**
+     * Load a plugin asynchronously with validation
+     */
+    loadPlugin(plugin: Plugin): Promise<PluginLoadResult>;
+    /**
+     * Register a service with factory function
+     */
+    registerServiceFactory(registration: ServiceRegistration): void;
+    /**
+     * Get or create a service instance based on lifecycle type
+     */
+    getService<T>(name: string, scopeId?: string): Promise<T>;
+    /**
+     * Register a static service instance (legacy support)
+     */
+    registerService(name: string, service: any): void;
+    /**
+     * Check if a service is registered (either as instance or factory)
+     */
+    hasService(name: string): boolean;
+    /**
+     * Detect circular dependencies in service factories
+     * Note: This only detects cycles in service dependencies, not plugin dependencies.
+     * Plugin dependency cycles are detected in the kernel's resolveDependencies method.
+     */
+    detectCircularDependencies(): string[];
+    /**
+     * Check plugin health
+     */
+    checkPluginHealth(pluginName: string): Promise<PluginHealthStatus>;
+    /**
+     * Clear scoped services for a scope
+     */
+    clearScope(scopeId: string): void;
+    /**
+     * Get all loaded plugins
+     */
+    getLoadedPlugins(): Map<string, PluginMetadata>;
+    private toPluginMetadata;
+    private validatePluginStructure;
+    private checkVersionCompatibility;
+    private isValidSemanticVersion;
+    private validatePluginConfig;
+    private verifyPluginSignature;
+    private getSingletonService;
+    private createTransientService;
+    private getScopedService;
+    private createServiceInstance;
+}
+
+/**
+ * Enhanced Kernel Configuration
+ */
+interface ObjectKernelConfig {
+    logger?: Partial<LoggerConfig>;
+    /** Default plugin startup timeout in milliseconds */
+    defaultStartupTimeout?: number;
+    /** Whether to enable graceful shutdown */
+    gracefulShutdown?: boolean;
+    /** Graceful shutdown timeout in milliseconds */
+    shutdownTimeout?: number;
+    /** Whether to rollback on startup failure */
+    rollbackOnFailure?: boolean;
+    /** Whether to skip strict system requirement validation (Critical for testing) */
+    skipSystemValidation?: boolean;
+}
+/**
+ * Enhanced ObjectKernel with Advanced Plugin Management
+ *
+ * Extends the basic ObjectKernel with:
+ * - Async plugin loading with validation
+ * - Version compatibility checking
+ * - Plugin signature verification
+ * - Configuration validation (Zod)
+ * - Factory-based dependency injection
+ * - Service lifecycle management (singleton/transient/scoped)
+ * - Circular dependency detection
+ * - Lazy loading services
+ * - Graceful shutdown
+ * - Plugin startup timeout control
+ * - Startup failure rollback
+ * - Plugin health checks
+ */
+declare class ObjectKernel {
+    private plugins;
+    private services;
+    private hooks;
+    private state;
+    private logger;
+    private context;
+    private pluginLoader;
+    private config;
+    private startedPlugins;
+    private pluginStartTimes;
+    private shutdownHandlers;
+    constructor(config?: ObjectKernelConfig);
+    /**
+     * Register a plugin with enhanced validation
+     */
+    use(plugin: Plugin): Promise<this>;
+    /**
+     * Register a service instance directly
+     */
+    registerService<T>(name: string, service: T): this;
+    /**
+     * Register a service factory with lifecycle management
+     */
+    registerServiceFactory<T>(name: string, factory: ServiceFactory<T>, lifecycle?: ServiceLifecycle, dependencies?: string[]): this;
+    /**
+     * Validate Critical System Requirements
+     */
+    private validateSystemRequirements;
+    /**
+     * Bootstrap the kernel with enhanced features
+     */
+    bootstrap(): Promise<void>;
+    /**
+     * Graceful shutdown with timeout
+     */
+    shutdown(): Promise<void>;
+    /**
+     * Check health of a specific plugin
+     */
+    checkPluginHealth(pluginName: string): Promise<any>;
+    /**
+     * Check health of all plugins
+     */
+    checkAllPluginsHealth(): Promise<Map<string, any>>;
+    /**
+     * Get plugin startup metrics
+     */
+    getPluginMetrics(): Map<string, number>;
+    /**
+     * Get a service (sync helper)
+     */
+    getService<T>(name: string): T;
+    /**
+     * Get a service asynchronously (supports factories)
+     */
+    getServiceAsync<T>(name: string, scopeId?: string): Promise<T>;
+    /**
+     * Check if kernel is running
+     */
+    isRunning(): boolean;
+    /**
+     * Get kernel state
+     */
+    getState(): string;
+    private initPluginWithTimeout;
+    private startPluginWithTimeout;
+    private rollbackStartedPlugins;
+    private performShutdown;
+    private resolveDependencies;
+    private registerShutdownSignals;
+    /**
+     * Register a custom shutdown handler
+     */
+    onShutdown(handler: () => Promise<void>): void;
+}
+
+/**
+ * PluginContext - Runtime context available to plugins
+ *
+ * Provides access to:
+ * - Service registry (registerService/getService)
+ * - Event/Hook system (hook/trigger)
+ * - Logger
+ * - Kernel instance (for advanced use cases)
+ */
+interface PluginContext {
+    /**
+     * Register a service that can be consumed by other plugins
+     * @param name - Service name (e.g., 'db', 'http-server', 'objectql')
+     * @param service - Service instance
+     */
+    registerService(name: string, service: any): void;
+    /**
+     * Get a service registered by another plugin
+     * @param name - Service name
+     * @returns Service instance
+     * @throws Error if service not found
+     */
+    getService<T>(name: string): T;
+    /**
+     * Get all registered services
+     */
+    getServices(): Map<string, any>;
+    /**
+     * Register a hook handler
+     * @param name - Hook name (e.g., 'kernel:ready', 'data:beforeInsert')
+     * @param handler - Hook handler function
+     */
+    hook(name: string, handler: (...args: any[]) => void | Promise<void>): void;
+    /**
+     * Trigger a hook
+     * @param name - Hook name
+     * @param args - Arguments to pass to hook handlers
+     */
+    trigger(name: string, ...args: any[]): Promise<void>;
+    /**
+     * Logger instance
+     */
+    logger: Logger;
+    /**
+     * Get the kernel instance (for advanced use cases)
+     * @returns Kernel instance
+     */
+    getKernel(): ObjectKernel;
+}
+/**
+ * Plugin Interface
+ *
+ * All ObjectStack plugins must implement this interface.
+ */
+interface Plugin {
+    /**
+     * Unique plugin name (e.g., 'com.objectstack.engine.objectql')
+     */
+    name: string;
+    /**
+     * Plugin version
+     */
+    version?: string;
+    /**
+     * List of other plugin names that this plugin depends on.
+     * The kernel ensures these plugins are initialized before this one.
+     */
+    dependencies?: string[];
+    /**
+     * Init Phase: Register services
+     * Called when kernel is initializing.
+     * Use this to register services that other plugins might need.
+     */
+    init(ctx: PluginContext): Promise<void> | void;
+    /**
+     * Start Phase: Execute business logic
+     * Called after all plugins have been initialized.
+     * Use this to start servers, connect to DBs, or execute main logic.
+     */
+    start?(ctx: PluginContext): Promise<void> | void;
+    /**
+     * Destroy Phase: Cleanup
+     * Called when kernel is shutting down.
+     */
+    destroy?(): Promise<void> | void;
+}
+
+/**
+ * Kernel state machine
+ */
+type KernelState = 'idle' | 'initializing' | 'running' | 'stopping' | 'stopped';
+/**
+ * ObjectKernelBase - Abstract Base Class for Microkernel
+ *
+ * Provides common functionality for ObjectKernel and LiteKernel:
+ * - Plugin management (Map storage)
+ * - Dependency resolution (topological sort)
+ * - Hook/Event system
+ * - Context creation
+ * - State validation
+ *
+ * This eliminates code duplication between the implementations.
+ */
+declare abstract class ObjectKernelBase {
+    protected plugins: Map<string, Plugin>;
+    protected services: IServiceRegistry | Map<string, any>;
+    protected hooks: Map<string, Array<(...args: any[]) => void | Promise<void>>>;
+    protected state: KernelState;
+    protected logger: Logger;
+    protected context: PluginContext;
+    constructor(logger: Logger);
+    /**
+     * Validate kernel state
+     * @param requiredState - Required state for the operation
+     * @throws Error if current state doesn't match
+     */
+    protected validateState(requiredState: KernelState): void;
+    /**
+     * Validate kernel is in idle state (for plugin registration)
+     */
+    protected validateIdle(): void;
+    /**
+     * Create the plugin context
+     * Subclasses can override to customize context creation
+     */
+    protected createContext(): PluginContext;
+    /**
+     * Resolve plugin dependencies using topological sort
+     * @returns Ordered list of plugins (dependencies first)
+     */
+    protected resolveDependencies(): Plugin[];
+    /**
+     * Run plugin init phase
+     * @param plugin - Plugin to initialize
+     */
+    protected runPluginInit(plugin: Plugin): Promise<void>;
+    /**
+     * Run plugin start phase
+     * @param plugin - Plugin to start
+     */
+    protected runPluginStart(plugin: Plugin): Promise<void>;
+    /**
+     * Run plugin destroy phase
+     * @param plugin - Plugin to destroy
+     */
+    protected runPluginDestroy(plugin: Plugin): Promise<void>;
+    /**
+     * Trigger a hook with all registered handlers
+     * @param name - Hook name
+     * @param args - Arguments to pass to handlers
+     */
+    protected triggerHook(name: string, ...args: any[]): Promise<void>;
+    /**
+     * Get current kernel state
+     */
+    getState(): KernelState;
+    /**
+     * Get all registered plugins
+     */
+    getPlugins(): Map<string, Plugin>;
+    /**
+     * Abstract methods to be implemented by subclasses
+     */
+    abstract use(plugin: Plugin): this | Promise<this>;
+    abstract bootstrap(): Promise<void>;
+    abstract destroy(): Promise<void>;
+}
+
+/**
+ * ObjectKernel - MiniKernel Architecture
+ *
+ * A highly modular, plugin-based microkernel that:
+ * - Manages plugin lifecycle (init, start, destroy)
+ * - Provides dependency injection via service registry
+ * - Implements event/hook system for inter-plugin communication
+ * - Handles dependency resolution (topological sort)
+ * - Provides configurable logging for server and browser
+ *
+ * Core philosophy:
+ * - Business logic is completely separated into plugins
+ * - Kernel only manages lifecycle, DI, and hooks
+ * - Plugins are loaded as equal building blocks
+ */
+declare class LiteKernel extends ObjectKernelBase {
+    constructor(config?: {
+        logger?: Partial<LoggerConfig>;
+    });
+    /**
+     * Register a plugin
+     * @param plugin - Plugin instance
+     */
+    use(plugin: Plugin): this;
+    /**
+     * Bootstrap the kernel
+     * 1. Resolve dependencies (topological sort)
+     * 2. Init phase - plugins register services
+     * 3. Start phase - plugins execute business logic
+     * 4. Trigger 'kernel:ready' hook
+     */
+    bootstrap(): Promise<void>;
+    /**
+     * Shutdown the kernel
+     * Calls destroy on all plugins in reverse order
+     */
+    shutdown(): Promise<void>;
+    /**
+     * Graceful shutdown - destroy all plugins in reverse order
+     */
+    destroy(): Promise<void>;
+    /**
+     * Get a service from the registry
+     * Convenience method for external access
+     */
+    getService<T>(name: string): T;
+    /**
+     * Check if kernel is running
+     */
+    isRunning(): boolean;
+}
+
+/**
+ * Universal Logger Implementation
+ *
+ * A configurable logger that works in both browser and Node.js environments.
+ * - Node.js: Uses Pino for high-performance structured logging
+ * - Browser: Simple console-based implementation
+ *
+ * Features:
+ * - Structured logging with multiple formats (json, text, pretty)
+ * - Log level filtering
+ * - Sensitive data redaction
+ * - File logging with rotation (Node.js only via Pino)
+ * - Browser console integration
+ * - Distributed tracing support (traceId, spanId)
+ */
+declare class ObjectLogger implements Logger {
+    private config;
+    private isNode;
+    private pinoLogger?;
+    private pinoInstance?;
+    private require?;
+    constructor(config?: Partial<LoggerConfig>);
+    /**
+     * Initialize Pino logger for Node.js
+     */
+    private initPinoLogger;
+    /**
+     * Redact sensitive keys from context object (for browser)
+     */
+    private redactSensitive;
+    /**
+     * Format log entry for browser
+     */
+    private formatBrowserLog;
+    /**
+     * Log using browser console
+     */
+    private logBrowser;
+    /**
+     * Public logging methods
+     */
+    debug(message: string, meta?: Record<string, any>): void;
+    info(message: string, meta?: Record<string, any>): void;
+    warn(message: string, meta?: Record<string, any>): void;
+    error(message: string, errorOrMeta?: Error | Record<string, any>, meta?: Record<string, any>): void;
+    fatal(message: string, errorOrMeta?: Error | Record<string, any>, meta?: Record<string, any>): void;
+    /**
+     * Create a child logger with additional context
+     * Note: Child loggers share the parent's Pino instance
+     */
+    child(context: Record<string, any>): ObjectLogger;
+    /**
+     * Set trace context for distributed tracing
+     */
+    withTrace(traceId: string, spanId?: string): ObjectLogger;
+    /**
+     * Cleanup resources
+     */
+    destroy(): Promise<void>;
+    /**
+     * Compatibility method for console.log usage
+     */
+    log(message: string, ...args: any[]): void;
+}
+/**
+ * Create a logger instance
+ */
+declare function createLogger(config?: Partial<LoggerConfig>): ObjectLogger;
+
+/**
+ * API Registry Service
+ *
+ * Central registry for managing API endpoints across different protocols.
+ * Provides endpoint registration, discovery, and conflict resolution.
+ *
+ * **Features:**
+ * - Multi-protocol support (REST, GraphQL, OData, WebSocket, etc.)
+ * - Route conflict detection with configurable resolution strategies
+ * - RBAC permission integration
+ * - Dynamic schema linking with ObjectQL references
+ * - Plugin API registration
+ *
+ * **Architecture Alignment:**
+ * - Kubernetes: Service Discovery & API Server
+ * - AWS API Gateway: Unified API Management
+ * - Kong Gateway: Plugin-based API Management
+ *
+ * @example
+ * ```typescript
+ * const registry = new ApiRegistry(logger, 'priority');
+ *
+ * // Register an API
+ * registry.registerApi({
+ *   id: 'customer_api',
+ *   name: 'Customer API',
+ *   type: 'rest',
+ *   version: 'v1',
+ *   basePath: '/api/v1/customers',
+ *   endpoints: [...]
+ * });
+ *
+ * // Discover APIs
+ * const apis = registry.findApis({ type: 'rest', status: 'active' });
+ *
+ * // Get registry snapshot
+ * const snapshot = registry.getRegistry();
+ * ```
+ */
+declare class ApiRegistry {
+    private apis;
+    private endpoints;
+    private routes;
+    private apisByType;
+    private apisByTag;
+    private apisByStatus;
+    private conflictResolution;
+    private logger;
+    private version;
+    private updatedAt;
+    constructor(logger: Logger, conflictResolution?: ConflictResolutionStrategy, version?: string);
+    /**
+     * Register an API with its endpoints
+     *
+     * @param api - API registry entry
+     * @throws Error if API already registered or route conflicts detected
+     */
+    registerApi(api: ApiRegistryEntryInput): void;
+    /**
+     * Unregister an API and all its endpoints
+     *
+     * @param apiId - API identifier
+     */
+    unregisterApi(apiId: string): void;
+    /**
+     * Register a single endpoint
+     *
+     * @param apiId - API identifier
+     * @param endpoint - Endpoint registration
+     * @throws Error if route conflict detected
+     */
+    private registerEndpoint;
+    /**
+     * Unregister a single endpoint
+     *
+     * @param apiId - API identifier
+     * @param endpointId - Endpoint identifier
+     */
+    private unregisterEndpoint;
+    /**
+     * Register a route with conflict detection
+     *
+     * @param apiId - API identifier
+     * @param endpoint - Endpoint registration
+     * @throws Error if route conflict detected (based on strategy)
+     */
+    private registerRoute;
+    /**
+     * Handle route conflict based on resolution strategy
+     *
+     * @param routeKey - Route key
+     * @param apiId - New API identifier
+     * @param endpoint - New endpoint
+     * @param existingRoute - Existing route registration
+     * @param newPriority - New endpoint priority
+     * @throws Error if strategy is 'error'
+     */
+    private handleRouteConflict;
+    /**
+     * Generate a unique route key for conflict detection
+     *
+     * NOTE: This implementation uses exact string matching for route conflict detection.
+     * It works well for static paths but has limitations with parameterized routes.
+     * For example, `/api/users/:id` and `/api/users/:userId` will NOT be detected as conflicts
+     * even though they are semantically identical parameterized patterns. Similarly,
+     * `/api/:resource/list` and `/api/:entity/list` would also not be detected as conflicting.
+     *
+     * For more advanced conflict detection (e.g., path-to-regexp pattern matching),
+     * consider integrating with your routing library's conflict detection mechanism.
+     *
+     * @param endpoint - Endpoint registration
+     * @returns Route key (e.g., "GET:/api/v1/customers/:id")
+     */
+    private getRouteKey;
+    /**
+     * Validate endpoint registration
+     *
+     * @param endpoint - Endpoint to validate
+     * @param apiId - API identifier (for error messages)
+     * @throws Error if endpoint is invalid
+     */
+    private validateEndpoint;
+    /**
+     * Get an API by ID
+     *
+     * @param apiId - API identifier
+     * @returns API registry entry or undefined
+     */
+    getApi(apiId: string): ApiRegistryEntry | undefined;
+    /**
+     * Get all registered APIs
+     *
+     * @returns Array of all APIs
+     */
+    getAllApis(): ApiRegistryEntry[];
+    /**
+     * Find APIs matching query criteria
+     *
+     * Performance optimized with auxiliary indices for O(1) lookups on type, tags, and status.
+     *
+     * @param query - Discovery query parameters
+     * @returns Matching APIs
+     */
+    findApis(query: ApiDiscoveryQuery): ApiDiscoveryResponse;
+    /**
+     * Get endpoint by API ID and endpoint ID
+     *
+     * @param apiId - API identifier
+     * @param endpointId - Endpoint identifier
+     * @returns Endpoint registration or undefined
+     */
+    getEndpoint(apiId: string, endpointId: string): ApiEndpointRegistration | undefined;
+    /**
+     * Find endpoint by route (method + path)
+     *
+     * @param method - HTTP method
+     * @param path - URL path
+     * @returns Endpoint registration or undefined
+     */
+    findEndpointByRoute(method: string, path: string): {
+        api: ApiRegistryEntry;
+        endpoint: ApiEndpointRegistration;
+    } | undefined;
+    /**
+     * Get complete registry snapshot
+     *
+     * @returns Current registry state
+     */
+    getRegistry(): ApiRegistry$1;
+    /**
+     * Clear all registered APIs
+     *
+     * **⚠️ SAFETY WARNING:**
+     * This method clears all registered APIs and should be used with caution.
+     *
+     * **Usage Restrictions:**
+     * - In production environments (NODE_ENV=production), a `force: true` parameter is required
+     * - Primarily intended for testing and development hot-reload scenarios
+     *
+     * @param options - Clear options
+     * @param options.force - Force clear in production environment (default: false)
+     * @throws Error if called in production without force flag
+     *
+     * @example Safe usage in tests
+     * ```typescript
+     * beforeEach(() => {
+     *   registry.clear(); // OK in test environment
+     * });
+     * ```
+     *
+     * @example Usage in production (requires explicit force)
+     * ```typescript
+     * // In production, explicit force is required
+     * registry.clear({ force: true });
+     * ```
+     */
+    clear(options?: {
+        force?: boolean;
+    }): void;
+    /**
+     * Get registry statistics
+     *
+     * @returns Registry statistics
+     */
+    getStats(): {
+        totalApis: number;
+        totalEndpoints: number;
+        totalRoutes: number;
+        apisByType: Record<string, number>;
+        endpointsByApi: Record<string, number>;
+    };
+    /**
+     * Update auxiliary indices when an API is registered
+     *
+     * @param api - API entry to index
+     * @private
+     * @internal
+     */
+    private updateIndices;
+    /**
+     * Remove API from auxiliary indices when unregistered
+     *
+     * @param api - API entry to remove from indices
+     * @private
+     * @internal
+     */
+    private removeFromIndices;
+    /**
+     * Helper to ensure an index set exists and return it
+     *
+     * @param map - Index map
+     * @param key - Index key
+     * @returns The Set for this key (created if needed)
+     * @private
+     * @internal
+     */
+    private ensureIndexSet;
+    /**
+     * Helper to remove an ID from an index set and clean up empty sets
+     *
+     * @param map - Index map
+     * @param key - Index key
+     * @param id - API ID to remove
+     * @private
+     * @internal
+     */
+    private removeFromIndexSet;
+    /**
+     * Check if running in production environment
+     *
+     * @returns true if NODE_ENV is 'production'
+     * @private
+     * @internal
+     */
+    private isProductionEnvironment;
+}
+
+/**
+ * API Registry Plugin Configuration
+ */
+interface ApiRegistryPluginConfig {
+    /**
+     * Conflict resolution strategy for route conflicts
+     * @default 'error'
+     */
+    conflictResolution?: ConflictResolutionStrategy;
+    /**
+     * Registry version
+     * @default '1.0.0'
+     */
+    version?: string;
+}
+/**
+ * API Registry Plugin
+ *
+ * Registers the API Registry service in the kernel, making it available
+ * to all plugins for endpoint registration and discovery.
+ *
+ * **Usage:**
+ * ```typescript
+ * const kernel = new ObjectKernel();
+ *
+ * // Register API Registry Plugin
+ * kernel.use(createApiRegistryPlugin({ conflictResolution: 'priority' }));
+ *
+ * // In other plugins, access the API Registry
+ * const plugin: Plugin = {
+ *   name: 'my-plugin',
+ *   init: async (ctx) => {
+ *     const registry = ctx.getService<ApiRegistry>('api-registry');
+ *
+ *     // Register plugin APIs
+ *     registry.registerApi({
+ *       id: 'my_plugin_api',
+ *       name: 'My Plugin API',
+ *       type: 'rest',
+ *       version: 'v1',
+ *       basePath: '/api/v1/my-plugin',
+ *       endpoints: [...]
+ *     });
+ *   }
+ * };
+ * ```
+ *
+ * @param config - Plugin configuration
+ * @returns Plugin instance
+ */
+declare function createApiRegistryPlugin(config?: ApiRegistryPluginConfig): Plugin;
+
+/**
+ * Interface for executing test actions against a target system.
+ * The target could be a local Kernel instance or a remote API.
+ */
+interface TestExecutionAdapter {
+    /**
+     * Execute a single test action.
+     * @param action The action to perform (create_record, api_call, etc.)
+     * @returns The result of the action (e.g. created record, API response)
+     */
+    execute(action: QA.TestAction, context: Record<string, unknown>): Promise<unknown>;
+}
+
+interface TestResult {
+    scenarioId: string;
+    passed: boolean;
+    steps: StepResult[];
+    error?: unknown;
+    duration: number;
+}
+interface StepResult {
+    stepName: string;
+    passed: boolean;
+    error?: unknown;
+    output?: unknown;
+    duration: number;
+}
+declare class TestRunner {
+    private adapter;
+    constructor(adapter: TestExecutionAdapter);
+    runSuite(suite: QA.TestSuite): Promise<TestResult[]>;
+    runScenario(scenario: QA.TestScenario): Promise<TestResult>;
+    private runStep;
+    private resolveVariables;
+    private getValueByPath;
+    private assert;
+}
+
+declare class HttpTestAdapter implements TestExecutionAdapter {
+    private baseUrl;
+    private authToken?;
+    constructor(baseUrl: string, authToken?: string | undefined);
+    execute(action: QA.TestAction, _context: Record<string, unknown>): Promise<unknown>;
+    private createRecord;
+    private updateRecord;
+    private deleteRecord;
+    private readRecord;
+    private queryRecords;
+    private rawApiCall;
+    private handleResponse;
+}
+
+type index_HttpTestAdapter = HttpTestAdapter;
+declare const index_HttpTestAdapter: typeof HttpTestAdapter;
+type index_StepResult = StepResult;
+type index_TestExecutionAdapter = TestExecutionAdapter;
+type index_TestResult = TestResult;
+type index_TestRunner = TestRunner;
+declare const index_TestRunner: typeof TestRunner;
+declare namespace index {
+  export { index_HttpTestAdapter as HttpTestAdapter, type index_StepResult as StepResult, type index_TestExecutionAdapter as TestExecutionAdapter, type index_TestResult as TestResult, index_TestRunner as TestRunner };
+}
+
+/**
+ * Plugin Signature Configuration
+ * Controls how plugin signatures are verified
+ */
+interface PluginSignatureConfig {
+    /**
+     * Map of publisher IDs to their trusted public keys
+     * Format: { 'com.objectstack': '-----BEGIN PUBLIC KEY-----...' }
+     */
+    trustedPublicKeys: Map<string, string>;
+    /**
+     * Signature algorithm to use
+     * - RS256: RSA with SHA-256
+     * - ES256: ECDSA with SHA-256
+     */
+    algorithm: 'RS256' | 'ES256';
+    /**
+     * Strict mode: reject plugins without signatures
+     * - true: All plugins must be signed
+     * - false: Unsigned plugins are allowed with warning
+     */
+    strictMode: boolean;
+    /**
+     * Allow self-signed plugins in development
+     */
+    allowSelfSigned?: boolean;
+}
+/**
+ * Plugin Signature Verification Result
+ */
+interface SignatureVerificationResult {
+    verified: boolean;
+    error?: string;
+    publisherId?: string;
+    algorithm?: string;
+    signedAt?: Date;
+}
+/**
+ * Plugin Signature Verifier
+ *
+ * Implements cryptographic verification of plugin signatures to ensure:
+ * 1. Plugin integrity - code hasn't been tampered with
+ * 2. Publisher authenticity - plugin comes from trusted source
+ * 3. Non-repudiation - publisher cannot deny signing
+ *
+ * Architecture:
+ * - Uses Node.js crypto module for signature verification
+ * - Supports RSA (RS256) and ECDSA (ES256) algorithms
+ * - Verifies against trusted public key registry
+ * - Computes hash of plugin code for integrity check
+ *
+ * Security Model:
+ * - Public keys are pre-registered and trusted
+ * - Plugin signature is verified before loading
+ * - Strict mode rejects unsigned plugins
+ * - Development mode allows self-signed plugins
+ */
+declare class PluginSignatureVerifier {
+    private config;
+    private logger;
+    constructor(config: PluginSignatureConfig, logger: Logger);
+    /**
+     * Verify plugin signature
+     *
+     * @param plugin - Plugin metadata with signature
+     * @returns Verification result
+     * @throws Error if verification fails in strict mode
+     */
+    verifyPluginSignature(plugin: PluginMetadata): Promise<SignatureVerificationResult>;
+    /**
+     * Register a trusted public key for a publisher
+     */
+    registerPublicKey(publisherId: string, publicKey: string): void;
+    /**
+     * Remove a trusted public key
+     */
+    revokePublicKey(publisherId: string): void;
+    /**
+     * Get list of trusted publishers
+     */
+    getTrustedPublishers(): string[];
+    private handleUnsignedPlugin;
+    private extractPublisherId;
+    private computePluginHash;
+    private computePluginHashNode;
+    private computePluginHashBrowser;
+    private computePluginHashFallback;
+    private serializePluginCode;
+    private verifyCryptoSignature;
+    private verifyCryptoSignatureNode;
+    private verifyCryptoSignatureBrowser;
+    private validateConfig;
+}
+
+/**
+ * Plugin Configuration Validator
+ *
+ * Validates plugin configurations against Zod schemas to ensure:
+ * 1. Type safety - all config values have correct types
+ * 2. Business rules - values meet constraints (min/max, regex, etc.)
+ * 3. Required fields - all mandatory configuration is provided
+ * 4. Default values - missing optional fields get defaults
+ *
+ * Architecture:
+ * - Uses Zod for runtime validation
+ * - Provides detailed error messages with field paths
+ * - Supports nested configuration objects
+ * - Allows partial validation for incremental updates
+ *
+ * Usage:
+ * ```typescript
+ * const validator = new PluginConfigValidator(logger);
+ * const validConfig = validator.validatePluginConfig(plugin, userConfig);
+ * ```
+ */
+declare class PluginConfigValidator {
+    private logger;
+    constructor(logger: Logger);
+    /**
+     * Validate plugin configuration against its Zod schema
+     *
+     * @param plugin - Plugin metadata with configSchema
+     * @param config - User-provided configuration
+     * @returns Validated and typed configuration
+     * @throws Error with detailed validation errors
+     */
+    validatePluginConfig<T = any>(plugin: PluginMetadata, config: any): T;
+    /**
+     * Validate partial configuration (for incremental updates)
+     *
+     * @param plugin - Plugin metadata
+     * @param partialConfig - Partial configuration to validate
+     * @returns Validated partial configuration
+     */
+    validatePartialConfig<T = any>(plugin: PluginMetadata, partialConfig: any): Partial<T>;
+    /**
+     * Get default configuration from schema
+     *
+     * @param plugin - Plugin metadata
+     * @returns Default configuration object
+     */
+    getDefaultConfig<T = any>(plugin: PluginMetadata): T | undefined;
+    /**
+     * Check if configuration is valid without throwing
+     *
+     * @param plugin - Plugin metadata
+     * @param config - Configuration to check
+     * @returns True if valid, false otherwise
+     */
+    isConfigValid(plugin: PluginMetadata, config: any): boolean;
+    /**
+     * Get configuration errors without throwing
+     *
+     * @param plugin - Plugin metadata
+     * @param config - Configuration to check
+     * @returns Array of validation errors, or empty array if valid
+     */
+    getConfigErrors(plugin: PluginMetadata, config: any): Array<{
+        path: string;
+        message: string;
+    }>;
+    private formatZodErrors;
+}
+/**
+ * Create a plugin config validator
+ *
+ * @param logger - Logger instance
+ * @returns Plugin config validator
+ */
+declare function createPluginConfigValidator(logger: Logger): PluginConfigValidator;
+
+/**
+ * Plugin Permissions
+ * Defines what actions a plugin is allowed to perform
+ */
+interface PluginPermissions {
+    canAccessService(serviceName: string): boolean;
+    canTriggerHook(hookName: string): boolean;
+    canReadFile(path: string): boolean;
+    canWriteFile(path: string): boolean;
+    canNetworkRequest(url: string): boolean;
+}
+/**
+ * Permission Check Result
+ */
+interface PermissionCheckResult$1 {
+    allowed: boolean;
+    reason?: string;
+    capability?: string;
+}
+/**
+ * Plugin Permission Enforcer
+ *
+ * Implements capability-based security model to enforce:
+ * 1. Service access control - which services a plugin can use
+ * 2. Hook restrictions - which hooks a plugin can trigger
+ * 3. File system permissions - what files a plugin can read/write
+ * 4. Network permissions - what URLs a plugin can access
+ *
+ * Architecture:
+ * - Uses capability declarations from plugin manifest
+ * - Checks permissions before allowing operations
+ * - Logs all permission denials for security audit
+ * - Supports allowlist and denylist patterns
+ *
+ * Security Model:
+ * - Principle of least privilege - plugins get minimal permissions
+ * - Explicit declaration - all capabilities must be declared
+ * - Runtime enforcement - checks happen at operation time
+ * - Audit trail - all denials are logged
+ *
+ * Usage:
+ * ```typescript
+ * const enforcer = new PluginPermissionEnforcer(logger);
+ * enforcer.registerPluginPermissions(pluginName, capabilities);
+ * enforcer.enforceServiceAccess(pluginName, 'database');
+ * ```
+ */
+declare class PluginPermissionEnforcer {
+    private logger;
+    private permissionRegistry;
+    private capabilityRegistry;
+    constructor(logger: Logger);
+    /**
+     * Register plugin capabilities and build permission set
+     *
+     * @param pluginName - Plugin identifier
+     * @param capabilities - Array of capability declarations
+     */
+    registerPluginPermissions(pluginName: string, capabilities: PluginCapability[]): void;
+    /**
+     * Enforce service access permission
+     *
+     * @param pluginName - Plugin requesting access
+     * @param serviceName - Service to access
+     * @throws Error if permission denied
+     */
+    enforceServiceAccess(pluginName: string, serviceName: string): void;
+    /**
+     * Enforce hook trigger permission
+     *
+     * @param pluginName - Plugin requesting access
+     * @param hookName - Hook to trigger
+     * @throws Error if permission denied
+     */
+    enforceHookTrigger(pluginName: string, hookName: string): void;
+    /**
+     * Enforce file read permission
+     *
+     * @param pluginName - Plugin requesting access
+     * @param path - File path to read
+     * @throws Error if permission denied
+     */
+    enforceFileRead(pluginName: string, path: string): void;
+    /**
+     * Enforce file write permission
+     *
+     * @param pluginName - Plugin requesting access
+     * @param path - File path to write
+     * @throws Error if permission denied
+     */
+    enforceFileWrite(pluginName: string, path: string): void;
+    /**
+     * Enforce network request permission
+     *
+     * @param pluginName - Plugin requesting access
+     * @param url - URL to access
+     * @throws Error if permission denied
+     */
+    enforceNetworkRequest(pluginName: string, url: string): void;
+    /**
+     * Get plugin capabilities
+     *
+     * @param pluginName - Plugin identifier
+     * @returns Array of capabilities or undefined
+     */
+    getPluginCapabilities(pluginName: string): PluginCapability[] | undefined;
+    /**
+     * Get plugin permissions
+     *
+     * @param pluginName - Plugin identifier
+     * @returns Permissions object or undefined
+     */
+    getPluginPermissions(pluginName: string): PluginPermissions | undefined;
+    /**
+     * Revoke all permissions for a plugin
+     *
+     * @param pluginName - Plugin identifier
+     */
+    revokePermissions(pluginName: string): void;
+    private checkPermission;
+    private checkServiceAccess;
+    private checkHookAccess;
+    private checkFileRead;
+    private checkFileWrite;
+    private checkNetworkAccess;
+}
+/**
+ * Secure Plugin Context
+ * Wraps PluginContext with permission checks
+ */
+declare class SecurePluginContext implements PluginContext {
+    private pluginName;
+    private permissionEnforcer;
+    private baseContext;
+    constructor(pluginName: string, permissionEnforcer: PluginPermissionEnforcer, baseContext: PluginContext);
+    registerService(name: string, service: any): void;
+    getService<T>(name: string): T;
+    getServices(): Map<string, any>;
+    hook(name: string, handler: (...args: any[]) => void | Promise<void>): void;
+    trigger(name: string, ...args: any[]): Promise<void>;
+    get logger(): Logger;
+    getKernel(): ObjectKernel;
+}
+/**
+ * Create a plugin permission enforcer
+ *
+ * @param logger - Logger instance
+ * @returns Plugin permission enforcer
+ */
+declare function createPluginPermissionEnforcer(logger: Logger): PluginPermissionEnforcer;
+
+/**
+ * Permission Grant
+ * Represents a granted permission at runtime
+ */
+interface PermissionGrant {
+    permissionId: string;
+    pluginId: string;
+    grantedAt: Date;
+    grantedBy?: string;
+    expiresAt?: Date;
+    conditions?: Record<string, any>;
+}
+/**
+ * Permission Check Result
+ */
+interface PermissionCheckResult {
+    allowed: boolean;
+    reason?: string;
+    requiredPermission?: string;
+    grantedPermissions?: string[];
+}
+/**
+ * Plugin Permission Manager
+ *
+ * Manages fine-grained permissions for plugin security and access control
+ */
+declare class PluginPermissionManager {
+    private logger;
+    private permissionSets;
+    private grants;
+    private grantDetails;
+    constructor(logger: ObjectLogger);
+    /**
+     * Register permission requirements for a plugin
+     */
+    registerPermissions(pluginId: string, permissionSet: PermissionSet): void;
+    /**
+     * Grant a permission to a plugin
+     */
+    grantPermission(pluginId: string, permissionId: string, grantedBy?: string, expiresAt?: Date): void;
+    /**
+     * Revoke a permission from a plugin
+     */
+    revokePermission(pluginId: string, permissionId: string): void;
+    /**
+     * Grant all permissions for a plugin
+     */
+    grantAllPermissions(pluginId: string, grantedBy?: string): void;
+    /**
+     * Check if a plugin has a specific permission
+     */
+    hasPermission(pluginId: string, permissionId: string): boolean;
+    /**
+     * Check if plugin can perform an action on a resource
+     */
+    checkAccess(pluginId: string, resource: ResourceType, action: PermissionAction, resourceId?: string): PermissionCheckResult;
+    /**
+     * Get all permissions for a plugin
+     */
+    getPluginPermissions(pluginId: string): Permission[];
+    /**
+     * Get granted permissions for a plugin
+     */
+    getGrantedPermissions(pluginId: string): string[];
+    /**
+     * Get required but not granted permissions
+     */
+    getMissingPermissions(pluginId: string): Permission[];
+    /**
+     * Check if all required permissions are granted
+     */
+    hasAllRequiredPermissions(pluginId: string): boolean;
+    /**
+     * Get permission grant details
+     */
+    getGrantDetails(pluginId: string, permissionId: string): PermissionGrant | undefined;
+    /**
+     * Validate permission against scope constraints
+     */
+    validatePermissionScope(permission: Permission, context: {
+        tenantId?: string;
+        userId?: string;
+        resourceId?: string;
+    }): boolean;
+    /**
+     * Clear all permissions for a plugin
+     */
+    clearPluginPermissions(pluginId: string): void;
+    /**
+     * Shutdown permission manager
+     */
+    shutdown(): void;
+}
+
+/**
+ * Resource Usage Statistics
+ */
+interface ResourceUsage {
+    memory: {
+        current: number;
+        peak: number;
+        limit?: number;
+    };
+    cpu: {
+        current: number;
+        average: number;
+        limit?: number;
+    };
+    connections: {
+        current: number;
+        limit?: number;
+    };
+}
+/**
+ * Sandbox Execution Context
+ * Represents an isolated execution environment for a plugin
+ */
+interface SandboxContext {
+    pluginId: string;
+    config: SandboxConfig;
+    startTime: Date;
+    resourceUsage: ResourceUsage;
+}
+/**
+ * Plugin Sandbox Runtime
+ *
+ * Provides isolated execution environments for plugins with resource limits
+ * and access controls
+ */
+declare class PluginSandboxRuntime {
+    private logger;
+    private sandboxes;
+    private monitoringIntervals;
+    constructor(logger: ObjectLogger);
+    /**
+     * Create a sandbox for a plugin
+     */
+    createSandbox(pluginId: string, config: SandboxConfig): SandboxContext;
+    /**
+     * Destroy a sandbox
+     */
+    destroySandbox(pluginId: string): void;
+    /**
+     * Check if resource access is allowed
+     */
+    checkResourceAccess(pluginId: string, resourceType: 'file' | 'network' | 'process' | 'env', resourcePath?: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /**
+     * Check file system access
+     * WARNING: Uses simple prefix matching. For production, use proper path
+     * resolution with path.resolve() and path.normalize() to prevent traversal.
+     */
+    private checkFileAccess;
+    /**
+     * Check network access
+     * WARNING: Uses simple string matching. For production, use proper URL
+     * parsing with new URL() and check hostname property.
+     */
+    private checkNetworkAccess;
+    /**
+     * Check process spawning access
+     */
+    private checkProcessAccess;
+    /**
+     * Check environment variable access
+     */
+    private checkEnvAccess;
+    /**
+     * Check resource limits
+     */
+    checkResourceLimits(pluginId: string): {
+        withinLimits: boolean;
+        violations: string[];
+    };
+    /**
+     * Get resource usage for a plugin
+     */
+    getResourceUsage(pluginId: string): ResourceUsage | undefined;
+    /**
+     * Start monitoring resource usage
+     */
+    private startResourceMonitoring;
+    /**
+     * Stop monitoring resource usage
+     */
+    private stopResourceMonitoring;
+    /**
+     * Update resource usage statistics
+     *
+     * NOTE: Currently uses global process.memoryUsage() which tracks the entire
+     * Node.js process, not individual plugins. For production, implement proper
+     * per-plugin tracking using V8 heap snapshots or allocation tracking at
+     * plugin boundaries.
+     */
+    private updateResourceUsage;
+    /**
+     * Get all active sandboxes
+     */
+    getAllSandboxes(): Map<string, SandboxContext>;
+    /**
+     * Shutdown sandbox runtime
+     */
+    shutdown(): void;
+}
+
+/**
+ * Scan Target
+ */
+interface ScanTarget {
+    pluginId: string;
+    version: string;
+    files?: string[];
+    dependencies?: Record<string, string>;
+}
+/**
+ * Security Issue
+ */
+interface SecurityIssue {
+    id: string;
+    severity: 'critical' | 'high' | 'medium' | 'low' | 'info';
+    category: 'vulnerability' | 'malware' | 'license' | 'code-quality' | 'configuration';
+    title: string;
+    description: string;
+    location?: {
+        file?: string;
+        line?: number;
+        column?: number;
+    };
+    remediation?: string;
+    cve?: string;
+    cvss?: number;
+}
+/**
+ * Plugin Security Scanner
+ *
+ * Scans plugins for security vulnerabilities, malware, and license issues
+ */
+declare class PluginSecurityScanner {
+    private logger;
+    private vulnerabilityDb;
+    private scanResults;
+    private passThreshold;
+    constructor(logger: ObjectLogger, config?: {
+        passThreshold?: number;
+    });
+    /**
+     * Perform a comprehensive security scan on a plugin
+     */
+    scan(target: ScanTarget): Promise<SecurityScanResult>;
+    /**
+     * Scan code for vulnerabilities
+     */
+    private scanCode;
+    /**
+     * Scan dependencies for known vulnerabilities
+     */
+    private scanDependencies;
+    /**
+     * Scan for malware patterns
+     */
+    private scanMalware;
+    /**
+     * Check license compliance
+     */
+    private scanLicenses;
+    /**
+     * Check configuration security
+     */
+    private scanConfiguration;
+    /**
+     * Calculate security score based on issues
+     */
+    private calculateSecurityScore;
+    /**
+     * Add a vulnerability to the database
+     */
+    addVulnerability(packageName: string, version: string, vulnerability: SecurityVulnerability): void;
+    /**
+     * Get scan result from cache
+     */
+    getScanResult(pluginId: string, version: string): SecurityScanResult | undefined;
+    /**
+     * Clear scan results cache
+     */
+    clearCache(): void;
+    /**
+     * Update vulnerability database from external source
+     */
+    updateVulnerabilityDatabase(): Promise<void>;
+    /**
+     * Shutdown security scanner
+     */
+    shutdown(): void;
+}
+
+/**
+ * Environment utilities for universal (Node/Browser) compatibility.
+ */
+declare const isNode: boolean;
+/**
+ * Safely access environment variables
+ */
+declare function getEnv(key: string, defaultValue?: string): string | undefined;
+/**
+ * Safely exit the process if in Node.js
+ */
+declare function safeExit(code?: number): void;
+/**
+ * Safely get memory usage
+ */
+declare function getMemoryUsage(): {
+    heapUsed: number;
+    heapTotal: number;
+};
+
+/**
+ * Plugin Health Monitor
+ *
+ * Monitors plugin health status and performs automatic recovery actions.
+ * Implements the advanced lifecycle health monitoring protocol.
+ */
+declare class PluginHealthMonitor {
+    private logger;
+    private healthChecks;
+    private healthStatus;
+    private healthReports;
+    private checkIntervals;
+    private failureCounters;
+    private successCounters;
+    private restartAttempts;
+    constructor(logger: ObjectLogger);
+    /**
+     * Register a plugin for health monitoring
+     */
+    registerPlugin(pluginName: string, config: PluginHealthCheck): void;
+    /**
+     * Start monitoring a plugin
+     */
+    startMonitoring(pluginName: string, plugin: Plugin): void;
+    /**
+     * Stop monitoring a plugin
+     */
+    stopMonitoring(pluginName: string): void;
+    /**
+     * Perform a health check on a plugin
+     */
+    private performHealthCheck;
+    /**
+     * Attempt to restart a plugin
+     */
+    private attemptRestart;
+    /**
+     * Calculate backoff delay for restarts
+     */
+    private calculateBackoff;
+    /**
+     * Get current health status of a plugin
+     */
+    getHealthStatus(pluginName: string): PluginHealthStatus$1 | undefined;
+    /**
+     * Get latest health report for a plugin
+     */
+    getHealthReport(pluginName: string): PluginHealthReport | undefined;
+    /**
+     * Get all health statuses
+     */
+    getAllHealthStatuses(): Map<string, PluginHealthStatus$1>;
+    /**
+     * Shutdown health monitor
+     */
+    shutdown(): void;
+    /**
+     * Timeout helper
+     */
+    private timeout;
+}
+
+/**
+ * Plugin State Manager
+ *
+ * Handles state persistence and restoration during hot reloads
+ */
+declare class PluginStateManager {
+    private logger;
+    private stateSnapshots;
+    private memoryStore;
+    constructor(logger: ObjectLogger);
+    /**
+     * Save plugin state before reload
+     */
+    saveState(pluginId: string, version: string, state: Record<string, any>, config: HotReloadConfig): Promise<string>;
+    /**
+     * Restore plugin state after reload
+     */
+    restoreState(pluginId: string, snapshotId?: string): Promise<Record<string, any> | undefined>;
+    /**
+     * Clear state for a plugin
+     */
+    clearState(pluginId: string): void;
+    /**
+     * Calculate simple checksum for state verification
+     * WARNING: This is a simple hash for demo purposes.
+     * In production, use a cryptographic hash like SHA-256.
+     */
+    private calculateChecksum;
+    /**
+     * Shutdown state manager
+     */
+    shutdown(): void;
+}
+/**
+ * Hot Reload Manager
+ *
+ * Manages hot reloading of plugins with state preservation
+ */
+declare class HotReloadManager {
+    private logger;
+    private stateManager;
+    private reloadConfigs;
+    private watchHandles;
+    private reloadTimers;
+    constructor(logger: ObjectLogger);
+    /**
+     * Register a plugin for hot reload
+     */
+    registerPlugin(pluginName: string, config: HotReloadConfig): void;
+    /**
+     * Start watching for changes (requires file system integration)
+     */
+    startWatching(pluginName: string): void;
+    /**
+     * Stop watching for changes
+     */
+    stopWatching(pluginName: string): void;
+    /**
+     * Trigger hot reload for a plugin
+     */
+    reloadPlugin(pluginName: string, plugin: Plugin, version: string, getPluginState: () => Record<string, any>, restorePluginState: (state: Record<string, any>) => void): Promise<boolean>;
+    /**
+     * Schedule a reload with debouncing
+     */
+    scheduleReload(pluginName: string, reloadFn: () => Promise<void>): void;
+    /**
+     * Get state manager for direct access
+     */
+    getStateManager(): PluginStateManager;
+    /**
+     * Shutdown hot reload manager
+     */
+    shutdown(): void;
+}
+
+/**
+ * Semantic Version Parser and Comparator
+ *
+ * Implements semantic versioning comparison and constraint matching
+ */
+declare class SemanticVersionManager {
+    /**
+     * Parse a version string into semantic version components
+     */
+    static parse(versionStr: string): SemanticVersion;
+    /**
+     * Convert semantic version back to string
+     */
+    static toString(version: SemanticVersion): string;
+    /**
+     * Compare two semantic versions
+     * Returns: -1 if a < b, 0 if a === b, 1 if a > b
+     */
+    static compare(a: SemanticVersion, b: SemanticVersion): number;
+    /**
+     * Check if version satisfies constraint
+     */
+    static satisfies(version: SemanticVersion, constraint: VersionConstraint): boolean;
+    /**
+     * Determine compatibility level between two versions
+     */
+    static getCompatibilityLevel(from: SemanticVersion, to: SemanticVersion): CompatibilityLevel;
+}
+/**
+ * Plugin Dependency Resolver
+ *
+ * Resolves plugin dependencies using topological sorting and conflict detection
+ */
+declare class DependencyResolver {
+    private logger;
+    constructor(logger: ObjectLogger);
+    /**
+     * Resolve dependencies using topological sort
+     */
+    resolve(plugins: Map<string, {
+        version?: string;
+        dependencies?: string[];
+    }>): string[];
+    /**
+     * Detect dependency conflicts
+     */
+    detectConflicts(plugins: Map<string, {
+        version: string;
+        dependencies?: Record<string, VersionConstraint>;
+    }>): DependencyConflict[];
+    /**
+     * Find best version that satisfies all constraints
+     */
+    findBestVersion(availableVersions: string[], constraints: VersionConstraint[]): string | undefined;
+    /**
+     * Check if dependencies form a valid DAG (no cycles)
+     */
+    isAcyclic(dependencies: Map<string, string[]>): boolean;
+}
+
+export { ApiRegistry, type ApiRegistryPluginConfig, DependencyResolver, HotReloadManager, type IPluginConfigValidator, type KernelState, LiteKernel, ObjectKernel, ObjectKernelBase, type ObjectKernelConfig, ObjectLogger, type PermissionCheckResult$1 as PermissionCheckResult, type PermissionGrant, type Plugin, PluginConfigValidator, type PluginContext, PluginHealthMonitor, type PluginHealthStatus, type PluginLoadResult, PluginLoader, type PluginMetadata, type PermissionCheckResult as PluginPermissionCheckResult, PluginPermissionEnforcer, PluginPermissionManager, type PluginPermissions, PluginSandboxRuntime, PluginSecurityScanner, type PluginSignatureConfig, PluginSignatureVerifier, type PluginStartupResult, index as QA, type ResourceUsage, type SandboxContext, type ScanTarget, SecurePluginContext, type SecurityIssue, SemanticVersionManager, type ServiceFactory, ServiceLifecycle, type ServiceRegistration, type SignatureVerificationResult, type VersionCompatibility, createApiRegistryPlugin, createLogger, createPluginConfigValidator, createPluginPermissionEnforcer, getEnv, getMemoryUsage, isNode, safeExit };