@objectstack/core 1.0.4 → 1.0.5

package/dist/security/plugin-signature-verifier.js

@@ -1,250 +0,0 @@
-// Conditionally import crypto for Node.js environments
-let cryptoModule = null;
-if (typeof globalThis.window === 'undefined') {
-    try {
-        // Dynamic import for Node.js crypto module (using eval to avoid bundling issues)
-        // @ts-ignore - dynamic require for Node.js
-        cryptoModule = eval('require("crypto")');
-    }
-    catch {
-        // Crypto module not available (e.g., browser environment)
-    }
-}
-/**
- * Plugin Signature Verifier
- *
- * Implements cryptographic verification of plugin signatures to ensure:
- * 1. Plugin integrity - code hasn't been tampered with
- * 2. Publisher authenticity - plugin comes from trusted source
- * 3. Non-repudiation - publisher cannot deny signing
- *
- * Architecture:
- * - Uses Node.js crypto module for signature verification
- * - Supports RSA (RS256) and ECDSA (ES256) algorithms
- * - Verifies against trusted public key registry
- * - Computes hash of plugin code for integrity check
- *
- * Security Model:
- * - Public keys are pre-registered and trusted
- * - Plugin signature is verified before loading
- * - Strict mode rejects unsigned plugins
- * - Development mode allows self-signed plugins
- */
-export class PluginSignatureVerifier {
-    constructor(config, logger) {
-        this.config = config;
-        this.logger = logger;
-        this.validateConfig();
-    }
-    /**
-     * Verify plugin signature
-     *
-     * @param plugin - Plugin metadata with signature
-     * @returns Verification result
-     * @throws Error if verification fails in strict mode
-     */
-    async verifyPluginSignature(plugin) {
-        // Handle unsigned plugins
-        if (!plugin.signature) {
-            return this.handleUnsignedPlugin(plugin);
-        }
-        try {
-            // 1. Extract publisher ID from plugin name (reverse domain notation)
-            const publisherId = this.extractPublisherId(plugin.name);
-            // 2. Get trusted public key for publisher
-            const publicKey = this.config.trustedPublicKeys.get(publisherId);
-            if (!publicKey) {
-                const error = `No trusted public key for publisher: ${publisherId}`;
-                this.logger.warn(error, { plugin: plugin.name, publisherId });
-                if (this.config.strictMode && !this.config.allowSelfSigned) {
-                    throw new Error(error);
-                }
-                return {
-                    verified: false,
-                    error,
-                    publisherId,
-                };
-            }
-            // 3. Compute plugin code hash
-            const pluginHash = this.computePluginHash(plugin);
-            // 4. Verify signature using crypto module
-            const isValid = await this.verifyCryptoSignature(pluginHash, plugin.signature, publicKey);
-            if (!isValid) {
-                const error = `Signature verification failed for plugin: ${plugin.name}`;
-                this.logger.error(error, undefined, { plugin: plugin.name, publisherId });
-                throw new Error(error);
-            }
-            this.logger.info(`✅ Plugin signature verified: ${plugin.name}`, {
-                plugin: plugin.name,
-                publisherId,
-                algorithm: this.config.algorithm,
-            });
-            return {
-                verified: true,
-                publisherId,
-                algorithm: this.config.algorithm,
-            };
-        }
-        catch (error) {
-            this.logger.error(`Signature verification error: ${plugin.name}`, error);
-            if (this.config.strictMode) {
-                throw error;
-            }
-            return {
-                verified: false,
-                error: error.message,
-            };
-        }
-    }
-    /**
-     * Register a trusted public key for a publisher
-     */
-    registerPublicKey(publisherId, publicKey) {
-        this.config.trustedPublicKeys.set(publisherId, publicKey);
-        this.logger.info(`Trusted public key registered for: ${publisherId}`);
-    }
-    /**
-     * Remove a trusted public key
-     */
-    revokePublicKey(publisherId) {
-        this.config.trustedPublicKeys.delete(publisherId);
-        this.logger.warn(`Public key revoked for: ${publisherId}`);
-    }
-    /**
-     * Get list of trusted publishers
-     */
-    getTrustedPublishers() {
-        return Array.from(this.config.trustedPublicKeys.keys());
-    }
-    // Private methods
-    handleUnsignedPlugin(plugin) {
-        if (this.config.strictMode) {
-            const error = `Plugin missing signature (strict mode): ${plugin.name}`;
-            this.logger.error(error, undefined, { plugin: plugin.name });
-            throw new Error(error);
-        }
-        this.logger.warn(`⚠️  Plugin not signed: ${plugin.name}`, {
-            plugin: plugin.name,
-            recommendation: 'Consider signing plugins for production environments',
-        });
-        return {
-            verified: false,
-            error: 'Plugin not signed',
-        };
-    }
-    extractPublisherId(pluginName) {
-        // Extract publisher from reverse domain notation
-        // Example: "com.objectstack.engine.objectql" -> "com.objectstack"
-        const parts = pluginName.split('.');
-        if (parts.length < 2) {
-            throw new Error(`Invalid plugin name format: ${pluginName} (expected reverse domain notation)`);
-        }
-        // Return first two parts (domain reversed)
-        return `${parts[0]}.${parts[1]}`;
-    }
-    computePluginHash(plugin) {
-        // In browser environment, use SubtleCrypto
-        if (typeof globalThis.window !== 'undefined') {
-            return this.computePluginHashBrowser(plugin);
-        }
-        // In Node.js environment, use crypto module
-        return this.computePluginHashNode(plugin);
-    }
-    computePluginHashNode(plugin) {
-        // Use pre-loaded crypto module
-        if (!cryptoModule) {
-            this.logger.warn('crypto module not available, using fallback hash');
-            return this.computePluginHashFallback(plugin);
-        }
-        // Compute hash of plugin code
-        const pluginCode = this.serializePluginCode(plugin);
-        return cryptoModule.createHash('sha256').update(pluginCode).digest('hex');
-    }
-    computePluginHashBrowser(plugin) {
-        // Browser environment - use simple hash for now
-        // In production, should use SubtleCrypto for proper cryptographic hash
-        this.logger.debug('Using browser hash (SubtleCrypto integration pending)');
-        return this.computePluginHashFallback(plugin);
-    }
-    computePluginHashFallback(plugin) {
-        // Simple hash fallback (not cryptographically secure)
-        const pluginCode = this.serializePluginCode(plugin);
-        let hash = 0;
-        for (let i = 0; i < pluginCode.length; i++) {
-            const char = pluginCode.charCodeAt(i);
-            hash = ((hash << 5) - hash) + char;
-            hash = hash & hash; // Convert to 32-bit integer
-        }
-        return hash.toString(16);
-    }
-    serializePluginCode(plugin) {
-        // Serialize plugin code for hashing
-        // Include init, start, destroy functions
-        const parts = [
-            plugin.name,
-            plugin.version,
-            plugin.init.toString(),
-        ];
-        if (plugin.start) {
-            parts.push(plugin.start.toString());
-        }
-        if (plugin.destroy) {
-            parts.push(plugin.destroy.toString());
-        }
-        return parts.join('|');
-    }
-    async verifyCryptoSignature(data, signature, publicKey) {
-        // In browser environment, use SubtleCrypto
-        if (typeof globalThis.window !== 'undefined') {
-            return this.verifyCryptoSignatureBrowser(data, signature, publicKey);
-        }
-        // In Node.js environment, use crypto module
-        return this.verifyCryptoSignatureNode(data, signature, publicKey);
-    }
-    verifyCryptoSignatureNode(data, signature, publicKey) {
-        if (!cryptoModule) {
-            this.logger.error('Crypto module not available for signature verification');
-            return false;
-        }
-        try {
-            // Create verify object based on algorithm
-            if (this.config.algorithm === 'ES256') {
-                // ECDSA verification - requires lowercase 'sha256'
-                const verify = cryptoModule.createVerify('sha256');
-                verify.update(data);
-                return verify.verify({
-                    key: publicKey,
-                    format: 'pem',
-                    type: 'spki',
-                }, signature, 'base64');
-            }
-            else {
-                // RSA verification (RS256)
-                const verify = cryptoModule.createVerify('RSA-SHA256');
-                verify.update(data);
-                return verify.verify(publicKey, signature, 'base64');
-            }
-        }
-        catch (error) {
-            this.logger.error('Signature verification failed', error);
-            return false;
-        }
-    }
-    async verifyCryptoSignatureBrowser(_data, _signature, _publicKey) {
-        // Browser implementation using SubtleCrypto
-        // TODO: Implement SubtleCrypto-based verification
-        this.logger.warn('Browser signature verification not yet implemented');
-        return false;
-    }
-    validateConfig() {
-        if (!this.config.trustedPublicKeys || this.config.trustedPublicKeys.size === 0) {
-            this.logger.warn('No trusted public keys configured - all signatures will fail');
-        }
-        if (!this.config.algorithm) {
-            throw new Error('Signature algorithm must be specified');
-        }
-        if (!['RS256', 'ES256'].includes(this.config.algorithm)) {
-            throw new Error(`Unsupported algorithm: ${this.config.algorithm}`);
-        }
-    }
-}

package/dist/security/sandbox-runtime.d.ts

@@ -1,115 +0,0 @@
-import type { SandboxConfig } from '@objectstack/spec/kernel';
-import type { ObjectLogger } from '../logger.js';
-/**
- * Resource Usage Statistics
- */
-export interface ResourceUsage {
-    memory: {
-        current: number;
-        peak: number;
-        limit?: number;
-    };
-    cpu: {
-        current: number;
-        average: number;
-        limit?: number;
-    };
-    connections: {
-        current: number;
-        limit?: number;
-    };
-}
-/**
- * Sandbox Execution Context
- * Represents an isolated execution environment for a plugin
- */
-export interface SandboxContext {
-    pluginId: string;
-    config: SandboxConfig;
-    startTime: Date;
-    resourceUsage: ResourceUsage;
-}
-/**
- * Plugin Sandbox Runtime
- *
- * Provides isolated execution environments for plugins with resource limits
- * and access controls
- */
-export declare class PluginSandboxRuntime {
-    private logger;
-    private sandboxes;
-    private monitoringIntervals;
-    constructor(logger: ObjectLogger);
-    /**
-     * Create a sandbox for a plugin
-     */
-    createSandbox(pluginId: string, config: SandboxConfig): SandboxContext;
-    /**
-     * Destroy a sandbox
-     */
-    destroySandbox(pluginId: string): void;
-    /**
-     * Check if resource access is allowed
-     */
-    checkResourceAccess(pluginId: string, resourceType: 'file' | 'network' | 'process' | 'env', resourcePath?: string): {
-        allowed: boolean;
-        reason?: string;
-    };
-    /**
-     * Check file system access
-     * WARNING: Uses simple prefix matching. For production, use proper path
-     * resolution with path.resolve() and path.normalize() to prevent traversal.
-     */
-    private checkFileAccess;
-    /**
-     * Check network access
-     * WARNING: Uses simple string matching. For production, use proper URL
-     * parsing with new URL() and check hostname property.
-     */
-    private checkNetworkAccess;
-    /**
-     * Check process spawning access
-     */
-    private checkProcessAccess;
-    /**
-     * Check environment variable access
-     */
-    private checkEnvAccess;
-    /**
-     * Check resource limits
-     */
-    checkResourceLimits(pluginId: string): {
-        withinLimits: boolean;
-        violations: string[];
-    };
-    /**
-     * Get resource usage for a plugin
-     */
-    getResourceUsage(pluginId: string): ResourceUsage | undefined;
-    /**
-     * Start monitoring resource usage
-     */
-    private startResourceMonitoring;
-    /**
-     * Stop monitoring resource usage
-     */
-    private stopResourceMonitoring;
-    /**
-     * Update resource usage statistics
-     *
-     * NOTE: Currently uses global process.memoryUsage() which tracks the entire
-     * Node.js process, not individual plugins. For production, implement proper
-     * per-plugin tracking using V8 heap snapshots or allocation tracking at
-     * plugin boundaries.
-     */
-    private updateResourceUsage;
-    /**
-     * Get all active sandboxes
-     */
-    getAllSandboxes(): Map<string, SandboxContext>;
-    /**
-     * Shutdown sandbox runtime
-     */
-    shutdown(): void;
-}
-//# sourceMappingURL=sandbox-runtime.d.ts.map

package/dist/security/sandbox-runtime.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"sandbox-runtime.d.ts","sourceRoot":"","sources":["../../src/security/sandbox-runtime.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,aAAa,EACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAGjD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE;QACN,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,GAAG,EAAE;QACH,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,WAAW,EAAE;QACX,OAAO,EAAE,MAAM,CAAC;QAChB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,aAAa,CAAC;IACtB,SAAS,EAAE,IAAI,CAAC;IAChB,aAAa,EAAE,aAAa,CAAC;CAC9B;AAED;;;;;GAKG;AACH,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,MAAM,CAAe;IAG7B,OAAO,CAAC,SAAS,CAAqC;IAGtD,OAAO,CAAC,mBAAmB,CAAqC;gBAEpD,MAAM,EAAE,YAAY;IAIhC;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,cAAc;IA+BtE;;OAEG;IACH,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IActC;;OAEG;IACH,mBAAmB,CACjB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS,GAAG,KAAK,EACpD,YAAY,CAAC,EAAE,MAAM,GACpB;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IA0BxC;;;;OAIG;IACH,OAAO,CAAC,eAAe;IAiDvB;;;;OAIG;IACH,OAAO,CAAC,kBAAkB;IAwD1B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAkB1B;;OAEG;IACH,OAAO,CAAC,cAAc;IAsBtB;;OAEG;IACH,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG;QACrC,YAAY,EAAE,OAAO,CAAC;QACtB,UAAU,EAAE,MAAM,EAAE,CAAA;KACrB;IAiCD;;OAEG;IACH,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAK7D;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAS/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAQ9B;;;;;;;OAOG;IACH,OAAO,CAAC,mBAAmB;IAiC3B;;OAEG;IACH,eAAe,IAAI,GAAG,CAAC,MAAM,EAAE,cAAc,CAAC;IAI9C;;OAEG;IACH,QAAQ,IAAI,IAAI;CAUjB"}

package/dist/security/sandbox-runtime.js

@@ -1,311 +0,0 @@
-import { getMemoryUsage } from '../utils/env.js';
-/**
- * Plugin Sandbox Runtime
- *
- * Provides isolated execution environments for plugins with resource limits
- * and access controls
- */
-export class PluginSandboxRuntime {
-    constructor(logger) {
-        // Active sandboxes (pluginId -> context)
-        this.sandboxes = new Map();
-        // Resource monitoring intervals
-        this.monitoringIntervals = new Map();
-        this.logger = logger.child({ component: 'SandboxRuntime' });
-    }
-    /**
-     * Create a sandbox for a plugin
-     */
-    createSandbox(pluginId, config) {
-        if (this.sandboxes.has(pluginId)) {
-            throw new Error(`Sandbox already exists for plugin: ${pluginId}`);
-        }
-        const context = {
-            pluginId,
-            config,
-            startTime: new Date(),
-            resourceUsage: {
-                memory: { current: 0, peak: 0, limit: config.memory?.maxHeap },
-                cpu: { current: 0, average: 0, limit: config.cpu?.maxCpuPercent },
-                connections: { current: 0, limit: config.network?.maxConnections },
-            },
-        };
-        this.sandboxes.set(pluginId, context);
-        // Start resource monitoring
-        this.startResourceMonitoring(pluginId);
-        this.logger.info('Sandbox created', {
-            pluginId,
-            level: config.level,
-            memoryLimit: config.memory?.maxHeap,
-            cpuLimit: config.cpu?.maxCpuPercent
-        });
-        return context;
-    }
-    /**
-     * Destroy a sandbox
-     */
-    destroySandbox(pluginId) {
-        const context = this.sandboxes.get(pluginId);
-        if (!context) {
-            return;
-        }
-        // Stop monitoring
-        this.stopResourceMonitoring(pluginId);
-        this.sandboxes.delete(pluginId);
-        this.logger.info('Sandbox destroyed', { pluginId });
-    }
-    /**
-     * Check if resource access is allowed
-     */
-    checkResourceAccess(pluginId, resourceType, resourcePath) {
-        const context = this.sandboxes.get(pluginId);
-        if (!context) {
-            return { allowed: false, reason: 'Sandbox not found' };
-        }
-        const { config } = context;
-        switch (resourceType) {
-            case 'file':
-                return this.checkFileAccess(config, resourcePath);
-            case 'network':
-                return this.checkNetworkAccess(config, resourcePath);
-            case 'process':
-                return this.checkProcessAccess(config);
-            case 'env':
-                return this.checkEnvAccess(config, resourcePath);
-            default:
-                return { allowed: false, reason: 'Unknown resource type' };
-        }
-    }
-    /**
-     * Check file system access
-     * WARNING: Uses simple prefix matching. For production, use proper path
-     * resolution with path.resolve() and path.normalize() to prevent traversal.
-     */
-    checkFileAccess(config, path) {
-        if (config.level === 'none') {
-            return { allowed: true };
-        }
-        if (!config.filesystem) {
-            return { allowed: false, reason: 'File system access not configured' };
-        }
-        // If no path specified, check general access
-        if (!path) {
-            return { allowed: config.filesystem.mode !== 'none' };
-        }
-        // TODO: Use path.resolve() and path.normalize() for production
-        // Check allowed paths
-        const allowedPaths = config.filesystem.allowedPaths || [];
-        const isAllowed = allowedPaths.some(allowed => {
-            // Simple prefix matching - vulnerable to traversal attacks
-            // TODO: Use proper path resolution
-            return path.startsWith(allowed);
-        });
-        if (allowedPaths.length > 0 && !isAllowed) {
-            return {
-                allowed: false,
-                reason: `Path not in allowed list: ${path}`
-            };
-        }
-        // Check denied paths
-        const deniedPaths = config.filesystem.deniedPaths || [];
-        const isDenied = deniedPaths.some(denied => {
-            return path.startsWith(denied);
-        });
-        if (isDenied) {
-            return {
-                allowed: false,
-                reason: `Path is explicitly denied: ${path}`
-            };
-        }
-        return { allowed: true };
-    }
-    /**
-     * Check network access
-     * WARNING: Uses simple string matching. For production, use proper URL
-     * parsing with new URL() and check hostname property.
-     */
-    checkNetworkAccess(config, url) {
-        if (config.level === 'none') {
-            return { allowed: true };
-        }
-        if (!config.network) {
-            return { allowed: false, reason: 'Network access not configured' };
-        }
-        // Check if network access is enabled
-        if (config.network.mode === 'none') {
-            return { allowed: false, reason: 'Network access disabled' };
-        }
-        // If no URL specified, check general access
-        if (!url) {
-            return { allowed: config.network.mode !== 'none' };
-        }
-        // TODO: Use new URL() and check hostname property for production
-        // Check allowed hosts
-        const allowedHosts = config.network.allowedHosts || [];
-        if (allowedHosts.length > 0) {
-            const isAllowed = allowedHosts.some(host => {
-                // Simple string matching - vulnerable to bypass
-                // TODO: Use proper URL parsing
-                return url.includes(host);
-            });
-            if (!isAllowed) {
-                return {
-                    allowed: false,
-                    reason: `Host not in allowed list: ${url}`
-                };
-            }
-        }
-        // Check denied hosts
-        const deniedHosts = config.network.deniedHosts || [];
-        const isDenied = deniedHosts.some(host => {
-            return url.includes(host);
-        });
-        if (isDenied) {
-            return {
-                allowed: false,
-                reason: `Host is blocked: ${url}`
-            };
-        }
-        return { allowed: true };
-    }
-    /**
-     * Check process spawning access
-     */
-    checkProcessAccess(config) {
-        if (config.level === 'none') {
-            return { allowed: true };
-        }
-        if (!config.process) {
-            return { allowed: false, reason: 'Process access not configured' };
-        }
-        if (!config.process.allowSpawn) {
-            return { allowed: false, reason: 'Process spawning not allowed' };
-        }
-        return { allowed: true };
-    }
-    /**
-     * Check environment variable access
-     */
-    checkEnvAccess(config, varName) {
-        if (config.level === 'none') {
-            return { allowed: true };
-        }
-        if (!config.process) {
-            return { allowed: false, reason: 'Environment access not configured' };
-        }
-        // If no variable specified, check general access
-        if (!varName) {
-            return { allowed: true };
-        }
-        // For now, allow all env access if process is configured
-        // In a real implementation, would check specific allowed vars
-        return { allowed: true };
-    }
-    /**
-     * Check resource limits
-     */
-    checkResourceLimits(pluginId) {
-        const context = this.sandboxes.get(pluginId);
-        if (!context) {
-            return { withinLimits: true, violations: [] };
-        }
-        const violations = [];
-        const { resourceUsage, config } = context;
-        // Check memory limit
-        if (config.memory?.maxHeap &&
-            resourceUsage.memory.current > config.memory.maxHeap) {
-            violations.push(`Memory limit exceeded: ${resourceUsage.memory.current} > ${config.memory.maxHeap}`);
-        }
-        // Check CPU limit (would need runtime config)
-        if (config.runtime?.resourceLimits?.maxCpu &&
-            resourceUsage.cpu.current > config.runtime.resourceLimits.maxCpu) {
-            violations.push(`CPU limit exceeded: ${resourceUsage.cpu.current}% > ${config.runtime.resourceLimits.maxCpu}%`);
-        }
-        // Check connection limit
-        if (config.network?.maxConnections &&
-            resourceUsage.connections.current > config.network.maxConnections) {
-            violations.push(`Connection limit exceeded: ${resourceUsage.connections.current} > ${config.network.maxConnections}`);
-        }
-        return {
-            withinLimits: violations.length === 0,
-            violations,
-        };
-    }
-    /**
-     * Get resource usage for a plugin
-     */
-    getResourceUsage(pluginId) {
-        const context = this.sandboxes.get(pluginId);
-        return context?.resourceUsage;
-    }
-    /**
-     * Start monitoring resource usage
-     */
-    startResourceMonitoring(pluginId) {
-        // Monitor every 5 seconds
-        const interval = setInterval(() => {
-            this.updateResourceUsage(pluginId);
-        }, 5000);
-        this.monitoringIntervals.set(pluginId, interval);
-    }
-    /**
-     * Stop monitoring resource usage
-     */
-    stopResourceMonitoring(pluginId) {
-        const interval = this.monitoringIntervals.get(pluginId);
-        if (interval) {
-            clearInterval(interval);
-            this.monitoringIntervals.delete(pluginId);
-        }
-    }
-    /**
-     * Update resource usage statistics
-     *
-     * NOTE: Currently uses global process.memoryUsage() which tracks the entire
-     * Node.js process, not individual plugins. For production, implement proper
-     * per-plugin tracking using V8 heap snapshots or allocation tracking at
-     * plugin boundaries.
-     */
-    updateResourceUsage(pluginId) {
-        const context = this.sandboxes.get(pluginId);
-        if (!context) {
-            return;
-        }
-        // In a real implementation, this would collect actual metrics
-        // For now, this is a placeholder structure
-        // Update memory usage (global process memory - not per-plugin)
-        // TODO: Implement per-plugin memory tracking
-        const memoryUsage = getMemoryUsage();
-        context.resourceUsage.memory.current = memoryUsage.heapUsed;
-        context.resourceUsage.memory.peak = Math.max(context.resourceUsage.memory.peak, memoryUsage.heapUsed);
-        // Update CPU usage (would use process.cpuUsage() or similar)
-        // This is a placeholder - real implementation would track per-plugin CPU
-        // TODO: Implement per-plugin CPU tracking
-        context.resourceUsage.cpu.current = 0;
-        // Check for violations
-        const { withinLimits, violations } = this.checkResourceLimits(pluginId);
-        if (!withinLimits) {
-            this.logger.warn('Resource limit violations detected', {
-                pluginId,
-                violations
-            });
-        }
-    }
-    /**
-     * Get all active sandboxes
-     */
-    getAllSandboxes() {
-        return new Map(this.sandboxes);
-    }
-    /**
-     * Shutdown sandbox runtime
-     */
-    shutdown() {
-        // Stop all monitoring
-        for (const pluginId of this.monitoringIntervals.keys()) {
-            this.stopResourceMonitoring(pluginId);
-        }
-        this.sandboxes.clear();
-        this.logger.info('Sandbox runtime shutdown complete');
-    }
-}