@objectstack/core 2.0.1 → 2.0.2

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @objectstack/core@2.0.1 build /home/runner/work/spec/spec/packages/core
+> @objectstack/core@2.0.2 build /home/runner/work/spec/spec/packages/core
 > tsup --config ../../tsup.config.ts
 
 CLI Building entry: src/index.ts
@@ -10,13 +10,13 @@
 CLI Cleaning output folder
 ESM Build start
 CJS Build start
-ESM dist/index.js     128.03 KB
-ESM dist/index.js.map 270.63 KB
-ESM ⚡️ Build success in 100ms
-CJS dist/index.cjs     130.65 KB
-CJS dist/index.cjs.map 271.95 KB
-CJS ⚡️ Build success in 105ms
+ESM dist/index.js     131.69 KB
+ESM dist/index.js.map 276.68 KB
+ESM ⚡️ Build success in 92ms
+CJS dist/index.cjs     134.46 KB
+CJS dist/index.cjs.map 278.04 KB
+CJS ⚡️ Build success in 97ms
 DTS Build start
-DTS ⚡️ Build success in 3881ms
-DTS dist/index.d.ts  52.46 KB
-DTS dist/index.d.cts 52.46 KB
+DTS ⚡️ Build success in 3262ms
+DTS dist/index.d.ts  52.28 KB
+DTS dist/index.d.cts 52.28 KB

package/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @objectstack/core
 
+## 2.0.2
+
+### Patch Changes
+
+- Updated dependencies [1db8559]
+  - @objectstack/spec@2.0.2
+
 ## 2.0.1
 
 ### Patch Changes

package/dist/index.cjs

@@ -2138,8 +2138,18 @@ var TestRunner = class {
     }
     return result;
   }
-  resolveVariables(action, _context) {
-    return action;
+  resolveVariables(action, context) {
+    const actionStr = JSON.stringify(action);
+    const resolved = actionStr.replace(/\{\{([^}]+)\}\}/g, (_match, varPath) => {
+      const value = this.getValueByPath(context, varPath.trim());
+      if (value === void 0) return _match;
+      return typeof value === "string" ? value : JSON.stringify(value);
+    });
+    try {
+      return JSON.parse(resolved);
+    } catch {
+      return action;
+    }
   }
   getValueByPath(obj, path) {
     if (!path) return obj;
@@ -2476,9 +2486,38 @@ var PluginSignatureVerifier = class {
       return false;
     }
   }
-  async verifyCryptoSignatureBrowser(_data, _signature, _publicKey) {
-    this.logger.warn("Browser signature verification not yet implemented");
-    return false;
+  async verifyCryptoSignatureBrowser(data, signature, publicKey) {
+    try {
+      const subtle = globalThis.crypto?.subtle;
+      if (!subtle) {
+        this.logger.error("SubtleCrypto not available in this environment");
+        return false;
+      }
+      const pemBody = publicKey.replace(/-----BEGIN PUBLIC KEY-----/, "").replace(/-----END PUBLIC KEY-----/, "").replace(/\s/g, "");
+      const keyBytes = Uint8Array.from(atob(pemBody), (c) => c.charCodeAt(0));
+      let importAlgorithm;
+      let verifyAlgorithm;
+      if (this.config.algorithm === "ES256") {
+        importAlgorithm = { name: "ECDSA", namedCurve: "P-256" };
+        verifyAlgorithm = { name: "ECDSA", hash: "SHA-256" };
+      } else {
+        importAlgorithm = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" };
+        verifyAlgorithm = { name: "RSASSA-PKCS1-v1_5" };
+      }
+      const cryptoKey = await subtle.importKey(
+        "spki",
+        keyBytes,
+        importAlgorithm,
+        false,
+        ["verify"]
+      );
+      const signatureBytes = Uint8Array.from(atob(signature), (c) => c.charCodeAt(0));
+      const dataBytes = new TextEncoder().encode(data);
+      return await subtle.verify(verifyAlgorithm, cryptoKey, signatureBytes, dataBytes);
+    } catch (error) {
+      this.logger.error("Browser signature verification failed", error);
+      return false;
+    }
   }
   validateConfig() {
     if (!this.config.trustedPublicKeys || this.config.trustedPublicKeys.size === 0) {
@@ -2696,29 +2735,48 @@ var PluginPermissionEnforcer = class {
       return false;
     });
   }
-  checkFileRead(capabilities, _path) {
+  matchGlob(pattern, str) {
+    const regexStr = pattern.split("**").map((segment) => {
+      const escaped = segment.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
+      return escaped.replace(/\*/g, "[^/]*");
+    }).join(".*");
+    return new RegExp(`^${regexStr}$`).test(str);
+  }
+  checkFileRead(capabilities, path) {
     return capabilities.some((cap) => {
       const protocolId = cap.protocol.id;
       if (protocolId.includes("protocol.filesystem.read")) {
-        return true;
+        const paths = cap.metadata?.paths;
+        if (!Array.isArray(paths) || paths.length === 0) {
+          return true;
+        }
+        return paths.some((p) => typeof p === "string" && this.matchGlob(p, path));
       }
       return false;
     });
   }
-  checkFileWrite(capabilities, _path) {
+  checkFileWrite(capabilities, path) {
     return capabilities.some((cap) => {
       const protocolId = cap.protocol.id;
       if (protocolId.includes("protocol.filesystem.write")) {
-        return true;
+        const paths = cap.metadata?.paths;
+        if (!Array.isArray(paths) || paths.length === 0) {
+          return true;
+        }
+        return paths.some((p) => typeof p === "string" && this.matchGlob(p, path));
       }
       return false;
     });
   }
-  checkNetworkAccess(capabilities, _url) {
+  checkNetworkAccess(capabilities, url) {
     return capabilities.some((cap) => {
       const protocolId = cap.protocol.id;
       if (protocolId.includes("protocol.network")) {
-        return true;
+        const hosts = cap.metadata?.hosts;
+        if (!Array.isArray(hosts) || hosts.length === 0) {
+          return true;
+        }
+        return hosts.some((h) => typeof h === "string" && this.matchGlob(h, url));
       }
       return false;
     });
@@ -2985,12 +3043,16 @@ var PluginPermissionManager = class {
 };
 
 // src/security/sandbox-runtime.ts
-var PluginSandboxRuntime = class {
+var import_node_path = __toESM(require("path"), 1);
+var _PluginSandboxRuntime = class _PluginSandboxRuntime {
   constructor(logger) {
     // Active sandboxes (pluginId -> context)
     this.sandboxes = /* @__PURE__ */ new Map();
     // Resource monitoring intervals
     this.monitoringIntervals = /* @__PURE__ */ new Map();
+    // Per-plugin resource baselines for delta tracking
+    this.memoryBaselines = /* @__PURE__ */ new Map();
+    this.cpuBaselines = /* @__PURE__ */ new Map();
     this.logger = logger.child({ component: "SandboxRuntime" });
   }
   /**
@@ -3011,6 +3073,9 @@ var PluginSandboxRuntime = class {
       }
     };
     this.sandboxes.set(pluginId, context);
+    const baselineMemory = getMemoryUsage();
+    this.memoryBaselines.set(pluginId, baselineMemory.heapUsed);
+    this.cpuBaselines.set(pluginId, process.cpuUsage());
     this.startResourceMonitoring(pluginId);
     this.logger.info("Sandbox created", {
       pluginId,
@@ -3029,6 +3094,8 @@ var PluginSandboxRuntime = class {
       return;
     }
     this.stopResourceMonitoring(pluginId);
+    this.memoryBaselines.delete(pluginId);
+    this.cpuBaselines.delete(pluginId);
     this.sandboxes.delete(pluginId);
     this.logger.info("Sandbox destroyed", { pluginId });
   }
@@ -3056,45 +3123,46 @@ var PluginSandboxRuntime = class {
   }
   /**
    * Check file system access
-   * WARNING: Uses simple prefix matching. For production, use proper path
-   * resolution with path.resolve() and path.normalize() to prevent traversal.
+   * Uses path.resolve() and path.normalize() to prevent directory traversal.
    */
-  checkFileAccess(config, path) {
+  checkFileAccess(config, filePath) {
     if (config.level === "none") {
       return { allowed: true };
     }
     if (!config.filesystem) {
       return { allowed: false, reason: "File system access not configured" };
     }
-    if (!path) {
+    if (!filePath) {
       return { allowed: config.filesystem.mode !== "none" };
     }
     const allowedPaths = config.filesystem.allowedPaths || [];
+    const resolvedPath = import_node_path.default.normalize(import_node_path.default.resolve(filePath));
     const isAllowed = allowedPaths.some((allowed) => {
-      return path.startsWith(allowed);
+      const resolvedAllowed = import_node_path.default.normalize(import_node_path.default.resolve(allowed));
+      return resolvedPath.startsWith(resolvedAllowed);
     });
     if (allowedPaths.length > 0 && !isAllowed) {
       return {
         allowed: false,
-        reason: `Path not in allowed list: ${path}`
+        reason: `Path not in allowed list: ${filePath}`
       };
     }
     const deniedPaths = config.filesystem.deniedPaths || [];
     const isDenied = deniedPaths.some((denied) => {
-      return path.startsWith(denied);
+      const resolvedDenied = import_node_path.default.normalize(import_node_path.default.resolve(denied));
+      return resolvedPath.startsWith(resolvedDenied);
     });
     if (isDenied) {
       return {
         allowed: false,
-        reason: `Path is explicitly denied: ${path}`
+        reason: `Path is explicitly denied: ${filePath}`
       };
     }
     return { allowed: true };
   }
   /**
    * Check network access
-   * WARNING: Uses simple string matching. For production, use proper URL
-   * parsing with new URL() and check hostname property.
+   * Uses URL parsing to properly validate hostnames.
    */
   checkNetworkAccess(config, url) {
     if (config.level === "none") {
@@ -3109,10 +3177,16 @@ var PluginSandboxRuntime = class {
     if (!url) {
       return { allowed: config.network.mode !== "none" };
     }
+    let parsedHostname;
+    try {
+      parsedHostname = new URL(url).hostname;
+    } catch {
+      return { allowed: false, reason: `Invalid URL: ${url}` };
+    }
     const allowedHosts = config.network.allowedHosts || [];
     if (allowedHosts.length > 0) {
       const isAllowed = allowedHosts.some((host) => {
-        return url.includes(host);
+        return parsedHostname === host;
       });
       if (!isAllowed) {
         return {
@@ -3123,7 +3197,7 @@ var PluginSandboxRuntime = class {
     }
     const deniedHosts = config.network.deniedHosts || [];
     const isDenied = deniedHosts.some((host) => {
-      return url.includes(host);
+      return parsedHostname === host;
     });
     if (isDenied) {
       return {
@@ -3200,7 +3274,7 @@ var PluginSandboxRuntime = class {
   startResourceMonitoring(pluginId) {
     const interval = setInterval(() => {
       this.updateResourceUsage(pluginId);
-    }, 5e3);
+    }, _PluginSandboxRuntime.MONITORING_INTERVAL_MS);
     this.monitoringIntervals.set(pluginId, interval);
   }
   /**
@@ -3216,10 +3290,9 @@ var PluginSandboxRuntime = class {
   /**
    * Update resource usage statistics
    * 
-   * NOTE: Currently uses global process.memoryUsage() which tracks the entire
-   * Node.js process, not individual plugins. For production, implement proper
-   * per-plugin tracking using V8 heap snapshots or allocation tracking at
-   * plugin boundaries.
+   * Tracks per-plugin memory and CPU usage using delta from baseline
+   * captured at sandbox creation time. This is an approximation since
+   * true per-plugin isolation isn't possible in a single Node.js process.
    */
   updateResourceUsage(pluginId) {
     const context = this.sandboxes.get(pluginId);
@@ -3227,12 +3300,21 @@ var PluginSandboxRuntime = class {
       return;
     }
     const memoryUsage = getMemoryUsage();
-    context.resourceUsage.memory.current = memoryUsage.heapUsed;
+    const memoryBaseline = this.memoryBaselines.get(pluginId) ?? 0;
+    const memoryDelta = Math.max(0, memoryUsage.heapUsed - memoryBaseline);
+    context.resourceUsage.memory.current = memoryDelta;
     context.resourceUsage.memory.peak = Math.max(
       context.resourceUsage.memory.peak,
-      memoryUsage.heapUsed
+      memoryDelta
     );
-    context.resourceUsage.cpu.current = 0;
+    const cpuBaseline = this.cpuBaselines.get(pluginId) ?? { user: 0, system: 0 };
+    const cpuCurrent = process.cpuUsage();
+    const cpuDeltaUser = cpuCurrent.user - cpuBaseline.user;
+    const cpuDeltaSystem = cpuCurrent.system - cpuBaseline.system;
+    const totalCpuMicros = cpuDeltaUser + cpuDeltaSystem;
+    const intervalMicros = _PluginSandboxRuntime.MONITORING_INTERVAL_MS * 1e3;
+    context.resourceUsage.cpu.current = totalCpuMicros / intervalMicros * 100;
+    this.cpuBaselines.set(pluginId, cpuCurrent);
     const { withinLimits, violations } = this.checkResourceLimits(pluginId);
     if (!withinLimits) {
       this.logger.warn("Resource limit violations detected", {
@@ -3255,9 +3337,13 @@ var PluginSandboxRuntime = class {
       this.stopResourceMonitoring(pluginId);
     }
     this.sandboxes.clear();
+    this.memoryBaselines.clear();
+    this.cpuBaselines.clear();
     this.logger.info("Sandbox runtime shutdown complete");
   }
 };
+_PluginSandboxRuntime.MONITORING_INTERVAL_MS = 5e3;
+var PluginSandboxRuntime = _PluginSandboxRuntime;
 
 // src/security/security-scanner.ts
 var PluginSecurityScanner = class {
@@ -3724,6 +3810,7 @@ var PluginHealthMonitor = class {
 };
 
 // src/hot-reload.ts
+var import_node_crypto = require("crypto");
 var generateUUID = () => {
   if (typeof crypto !== "undefined" && crypto.randomUUID) {
     return crypto.randomUUID();
@@ -3814,19 +3901,11 @@ var PluginStateManager = class {
     this.logger.debug("State cleared", { pluginId });
   }
   /**
-   * Calculate simple checksum for state verification
-   * WARNING: This is a simple hash for demo purposes.
-   * In production, use a cryptographic hash like SHA-256.
+   * Calculate checksum for state verification using SHA-256.
    */
   calculateChecksum(state) {
     const stateStr = JSON.stringify(state);
-    let hash = 0;
-    for (let i = 0; i < stateStr.length; i++) {
-      const char = stateStr.charCodeAt(i);
-      hash = (hash << 5) - hash + char;
-      hash = hash & hash;
-    }
-    return hash.toString(16);
+    return (0, import_node_crypto.createHash)("sha256").update(stateStr).digest("hex");
   }
   /**
    * Shutdown state manager