@objectstack/core 2.0.1 → 2.0.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@objectstack/core",
-  "version": "2.0.1",
+  "version": "2.0.2",
   "license": "Apache-2.0",
   "description": "Microkernel Core for ObjectStack",
   "type": "module",
@@ -16,13 +16,13 @@
   "devDependencies": {
     "typescript": "^5.0.0",
     "vitest": "^4.0.18",
-    "@types/node": "^25.1.0"
+    "@types/node": "^25.2.2"
   },
   "dependencies": {
     "pino": "^10.3.0",
     "pino-pretty": "^13.1.3",
-    "zod": "^3.24.1",
-    "@objectstack/spec": "2.0.1"
+    "zod": "^4.3.6",
+    "@objectstack/spec": "2.0.2"
   },
   "peerDependencies": {
     "pino": "^8.0.0"

package/src/hot-reload.ts

@@ -1,5 +1,7 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
+import { createHash } from 'node:crypto';
+
 import type { 
   HotReloadConfig, 
   PluginStateSnapshot 
@@ -136,21 +138,11 @@ class PluginStateManager {
   }
 
   /**
-   * Calculate simple checksum for state verification
-   * WARNING: This is a simple hash for demo purposes.
-   * In production, use a cryptographic hash like SHA-256.
+   * Calculate checksum for state verification using SHA-256.
    */
   private calculateChecksum(state: Record<string, any>): string {
-    // Simple checksum using JSON serialization
-    // TODO: Replace with crypto.createHash('sha256') for production
     const stateStr = JSON.stringify(state);
-    let hash = 0;
-    for (let i = 0; i < stateStr.length; i++) {
-      const char = stateStr.charCodeAt(i);
-      hash = ((hash << 5) - hash) + char;
-      hash = hash & hash; // Convert to 32-bit integer
-    }
-    return hash.toString(16);
+    return createHash('sha256').update(stateStr).digest('hex');
   }
 
   /**

package/src/qa/runner.ts

@@ -131,10 +131,18 @@ export class TestRunner {
     return result;
   }
 
-  private resolveVariables(action: QA.TestAction, _context: Record<string, unknown>): QA.TestAction {
-    // TODO: Implement JSON path variable substitution stringify/parse
-    // For now returning as is
-    return action; 
+  private resolveVariables(action: QA.TestAction, context: Record<string, unknown>): QA.TestAction {
+    const actionStr = JSON.stringify(action);
+    const resolved = actionStr.replace(/\{\{([^}]+)\}\}/g, (_match, varPath: string) => {
+      const value = this.getValueByPath(context, varPath.trim());
+      if (value === undefined) return _match; // Keep unresolved
+      return typeof value === 'string' ? value : JSON.stringify(value);
+    });
+    try {
+      return JSON.parse(resolved) as QA.TestAction;
+    } catch {
+      return action; // Fallback to original if parse fails
+    }
   }
 
   private getValueByPath(obj: unknown, path: string): unknown {

package/src/security/plugin-permission-enforcer.ts

@@ -306,45 +306,65 @@ export class PluginPermissionEnforcer {
     });
   }
   
-  private checkFileRead(capabilities: PluginCapability[], _path: string): boolean {
+  private matchGlob(pattern: string, str: string): boolean {
+    const regexStr = pattern
+      .split('**')
+      .map(segment => {
+        const escaped = segment.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
+        return escaped.replace(/\*/g, '[^/]*');
+      })
+      .join('.*');
+    return new RegExp(`^${regexStr}$`).test(str);
+  }
+  
+  private checkFileRead(capabilities: PluginCapability[], path: string): boolean {
     // Check if plugin has capability to read this file
     return capabilities.some(cap => {
       const protocolId = cap.protocol.id;
       
       // Check for file read capability
       if (protocolId.includes('protocol.filesystem.read')) {
-        // TODO: Add path pattern matching
-        return true;
+        const paths = cap.metadata?.paths;
+        if (!Array.isArray(paths) || paths.length === 0) {
+          return true;
+        }
+        return paths.some(p => typeof p === 'string' && this.matchGlob(p, path));
       }
       
       return false;
     });
   }
   
-  private checkFileWrite(capabilities: PluginCapability[], _path: string): boolean {
+  private checkFileWrite(capabilities: PluginCapability[], path: string): boolean {
     // Check if plugin has capability to write this file
     return capabilities.some(cap => {
       const protocolId = cap.protocol.id;
       
       // Check for file write capability
       if (protocolId.includes('protocol.filesystem.write')) {
-        // TODO: Add path pattern matching
-        return true;
+        const paths = cap.metadata?.paths;
+        if (!Array.isArray(paths) || paths.length === 0) {
+          return true;
+        }
+        return paths.some(p => typeof p === 'string' && this.matchGlob(p, path));
       }
       
       return false;
     });
   }
   
-  private checkNetworkAccess(capabilities: PluginCapability[], _url: string): boolean {
+  private checkNetworkAccess(capabilities: PluginCapability[], url: string): boolean {
     // Check if plugin has capability to access this URL
     return capabilities.some(cap => {
       const protocolId = cap.protocol.id;
       
       // Check for network capability
       if (protocolId.includes('protocol.network')) {
-        // TODO: Add URL pattern matching
-        return true;
+        const hosts = cap.metadata?.hosts;
+        if (!Array.isArray(hosts) || hosts.length === 0) {
+          return true;
+        }
+        return hosts.some(h => typeof h === 'string' && this.matchGlob(h, url));
       }
       
       return false;

package/src/security/plugin-signature-verifier.ts

@@ -336,14 +336,55 @@ export class PluginSignatureVerifier {
   }
   
   private async verifyCryptoSignatureBrowser(
-    _data: string,
-    _signature: string,
-    _publicKey: string
+    data: string,
+    signature: string,
+    publicKey: string
   ): Promise<boolean> {
-    // Browser implementation using SubtleCrypto
-    // TODO: Implement SubtleCrypto-based verification
-    this.logger.warn('Browser signature verification not yet implemented');
-    return false;
+    try {
+      const subtle = globalThis.crypto?.subtle;
+      if (!subtle) {
+        this.logger.error('SubtleCrypto not available in this environment');
+        return false;
+      }
+
+      // Decode PEM public key to raw DER bytes
+      const pemBody = publicKey
+        .replace(/-----BEGIN PUBLIC KEY-----/, '')
+        .replace(/-----END PUBLIC KEY-----/, '')
+        .replace(/\s/g, '');
+      const keyBytes = Uint8Array.from(atob(pemBody), c => c.charCodeAt(0));
+
+      // Configure algorithms based on RS256 or ES256
+      let importAlgorithm: { name: string; hash?: string; namedCurve?: string };
+      let verifyAlgorithm: { name: string; hash?: string };
+
+      if (this.config.algorithm === 'ES256') {
+        importAlgorithm = { name: 'ECDSA', namedCurve: 'P-256' };
+        verifyAlgorithm = { name: 'ECDSA', hash: 'SHA-256' };
+      } else {
+        importAlgorithm = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };
+        verifyAlgorithm = { name: 'RSASSA-PKCS1-v1_5' };
+      }
+
+      const cryptoKey = await subtle.importKey(
+        'spki',
+        keyBytes,
+        importAlgorithm,
+        false,
+        ['verify']
+      );
+
+      // Decode base64 signature to ArrayBuffer
+      const signatureBytes = Uint8Array.from(atob(signature), c => c.charCodeAt(0));
+
+      // Encode data to ArrayBuffer
+      const dataBytes = new TextEncoder().encode(data);
+
+      return await subtle.verify(verifyAlgorithm, cryptoKey, signatureBytes, dataBytes);
+    } catch (error) {
+      this.logger.error('Browser signature verification failed', error as Error);
+      return false;
+    }
   }
   
   private validateConfig(): void {

package/src/security/sandbox-runtime.ts

@@ -1,5 +1,7 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
+import nodePath from 'node:path';
+
 import type { 
   SandboxConfig
 } from '@objectstack/spec/kernel';
@@ -44,6 +46,8 @@ export interface SandboxContext {
  * and access controls
  */
 export class PluginSandboxRuntime {
+  private static readonly MONITORING_INTERVAL_MS = 5000;
+
   private logger: ObjectLogger;
   
   // Active sandboxes (pluginId -> context)
@@ -52,6 +56,10 @@ export class PluginSandboxRuntime {
   // Resource monitoring intervals
   private monitoringIntervals = new Map<string, NodeJS.Timeout>();
 
+  // Per-plugin resource baselines for delta tracking
+  private memoryBaselines = new Map<string, number>();
+  private cpuBaselines = new Map<string, { user: number; system: number }>();
+
   constructor(logger: ObjectLogger) {
     this.logger = logger.child({ component: 'SandboxRuntime' });
   }
@@ -77,6 +85,11 @@ export class PluginSandboxRuntime {
 
     this.sandboxes.set(pluginId, context);
 
+    // Capture resource baselines for per-plugin delta tracking
+    const baselineMemory = getMemoryUsage();
+    this.memoryBaselines.set(pluginId, baselineMemory.heapUsed);
+    this.cpuBaselines.set(pluginId, process.cpuUsage());
+
     // Start resource monitoring
     this.startResourceMonitoring(pluginId);
 
@@ -102,6 +115,8 @@ export class PluginSandboxRuntime {
     // Stop monitoring
     this.stopResourceMonitoring(pluginId);
 
+    this.memoryBaselines.delete(pluginId);
+    this.cpuBaselines.delete(pluginId);
     this.sandboxes.delete(pluginId);
 
     this.logger.info('Sandbox destroyed', { pluginId });
@@ -142,12 +157,11 @@ export class PluginSandboxRuntime {
 
   /**
    * Check file system access
-   * WARNING: Uses simple prefix matching. For production, use proper path
-   * resolution with path.resolve() and path.normalize() to prevent traversal.
+   * Uses path.resolve() and path.normalize() to prevent directory traversal.
    */
   private checkFileAccess(
     config: SandboxConfig,
-    path?: string
+    filePath?: string
   ): { allowed: boolean; reason?: string } {
     if (config.level === 'none') {
       return { allowed: true };
@@ -158,36 +172,36 @@ export class PluginSandboxRuntime {
     }
 
     // If no path specified, check general access
-    if (!path) {
+    if (!filePath) {
       return { allowed: config.filesystem.mode !== 'none' };
     }
 
-    // TODO: Use path.resolve() and path.normalize() for production
-    // Check allowed paths
+    // Check allowed paths using proper path resolution to prevent directory traversal
     const allowedPaths = config.filesystem.allowedPaths || [];
+    const resolvedPath = nodePath.normalize(nodePath.resolve(filePath));
     const isAllowed = allowedPaths.some(allowed => {
-      // Simple prefix matching - vulnerable to traversal attacks
-      // TODO: Use proper path resolution
-      return path.startsWith(allowed);
+      const resolvedAllowed = nodePath.normalize(nodePath.resolve(allowed));
+      return resolvedPath.startsWith(resolvedAllowed);
     });
 
     if (allowedPaths.length > 0 && !isAllowed) {
       return { 
         allowed: false, 
-        reason: `Path not in allowed list: ${path}` 
+        reason: `Path not in allowed list: ${filePath}` 
       };
     }
 
-    // Check denied paths
+    // Check denied paths using proper path resolution
     const deniedPaths = config.filesystem.deniedPaths || [];
     const isDenied = deniedPaths.some(denied => {
-      return path.startsWith(denied);
+      const resolvedDenied = nodePath.normalize(nodePath.resolve(denied));
+      return resolvedPath.startsWith(resolvedDenied);
     });
 
     if (isDenied) {
       return { 
         allowed: false, 
-        reason: `Path is explicitly denied: ${path}` 
+        reason: `Path is explicitly denied: ${filePath}` 
       };
     }
 
@@ -196,8 +210,7 @@ export class PluginSandboxRuntime {
 
   /**
    * Check network access
-   * WARNING: Uses simple string matching. For production, use proper URL
-   * parsing with new URL() and check hostname property.
+   * Uses URL parsing to properly validate hostnames.
    */
   private checkNetworkAccess(
     config: SandboxConfig,
@@ -221,14 +234,19 @@ export class PluginSandboxRuntime {
       return { allowed: (config.network.mode as string) !== 'none' };
     }
 
-    // TODO: Use new URL() and check hostname property for production
+    // Parse URL and check hostname against allowed/denied hosts
+    let parsedHostname: string;
+    try {
+      parsedHostname = new URL(url).hostname;
+    } catch {
+      return { allowed: false, reason: `Invalid URL: ${url}` };
+    }
+
     // Check allowed hosts
     const allowedHosts = config.network.allowedHosts || [];
     if (allowedHosts.length > 0) {
       const isAllowed = allowedHosts.some(host => {
-        // Simple string matching - vulnerable to bypass
-        // TODO: Use proper URL parsing
-        return url.includes(host);
+        return parsedHostname === host;
       });
 
       if (!isAllowed) {
@@ -242,7 +260,7 @@ export class PluginSandboxRuntime {
     // Check denied hosts
     const deniedHosts = config.network.deniedHosts || [];
     const isDenied = deniedHosts.some(host => {
-      return url.includes(host);
+      return parsedHostname === host;
     });
 
     if (isDenied) {
@@ -352,10 +370,10 @@ export class PluginSandboxRuntime {
    * Start monitoring resource usage
    */
   private startResourceMonitoring(pluginId: string): void {
-    // Monitor every 5 seconds
+    // Monitor at the configured interval
     const interval = setInterval(() => {
       this.updateResourceUsage(pluginId);
-    }, 5000);
+    }, PluginSandboxRuntime.MONITORING_INTERVAL_MS);
 
     this.monitoringIntervals.set(pluginId, interval);
   }
@@ -374,10 +392,9 @@ export class PluginSandboxRuntime {
   /**
    * Update resource usage statistics
    * 
-   * NOTE: Currently uses global process.memoryUsage() which tracks the entire
-   * Node.js process, not individual plugins. For production, implement proper
-   * per-plugin tracking using V8 heap snapshots or allocation tracking at
-   * plugin boundaries.
+   * Tracks per-plugin memory and CPU usage using delta from baseline
+   * captured at sandbox creation time. This is an approximation since
+   * true per-plugin isolation isn't possible in a single Node.js process.
    */
   private updateResourceUsage(pluginId: string): void {
     const context = this.sandboxes.get(pluginId);
@@ -388,19 +405,27 @@ export class PluginSandboxRuntime {
     // In a real implementation, this would collect actual metrics
     // For now, this is a placeholder structure
     
-    // Update memory usage (global process memory - not per-plugin)
-    // TODO: Implement per-plugin memory tracking
+    // Update memory usage using delta from baseline for per-plugin approximation
     const memoryUsage = getMemoryUsage();
-    context.resourceUsage.memory.current = memoryUsage.heapUsed;
+    const memoryBaseline = this.memoryBaselines.get(pluginId) ?? 0;
+    const memoryDelta = Math.max(0, memoryUsage.heapUsed - memoryBaseline);
+    context.resourceUsage.memory.current = memoryDelta;
     context.resourceUsage.memory.peak = Math.max(
       context.resourceUsage.memory.peak,
-      memoryUsage.heapUsed
+      memoryDelta
     );
 
-    // Update CPU usage (would use process.cpuUsage() or similar)
-    // This is a placeholder - real implementation would track per-plugin CPU
-    // TODO: Implement per-plugin CPU tracking
-    context.resourceUsage.cpu.current = 0;
+    // Update CPU usage using delta from baseline for per-plugin approximation
+    const cpuBaseline = this.cpuBaselines.get(pluginId) ?? { user: 0, system: 0 };
+    const cpuCurrent = process.cpuUsage();
+    const cpuDeltaUser = cpuCurrent.user - cpuBaseline.user;
+    const cpuDeltaSystem = cpuCurrent.system - cpuBaseline.system;
+    // Convert microseconds to a percentage approximation over the monitoring interval
+    const totalCpuMicros = cpuDeltaUser + cpuDeltaSystem;
+    const intervalMicros = PluginSandboxRuntime.MONITORING_INTERVAL_MS * 1000;
+    context.resourceUsage.cpu.current = (totalCpuMicros / intervalMicros) * 100;
+    // Update baseline for next interval
+    this.cpuBaselines.set(pluginId, cpuCurrent);
 
     // Check for violations
     const { withinLimits, violations } = this.checkResourceLimits(pluginId);
@@ -429,6 +454,8 @@ export class PluginSandboxRuntime {
     }
 
     this.sandboxes.clear();
+    this.memoryBaselines.clear();
+    this.cpuBaselines.clear();
     
     this.logger.info('Sandbox runtime shutdown complete');
   }