@objectstack/core 7.4.1 → 7.6.0

package/dist/index.d.cts

@@ -6,7 +6,8 @@ import { ObjectLogger } from './logger.cjs';
 export { createLogger } from './logger.cjs';
 import { ConflictResolutionStrategy, ApiRegistryEntryInput, ApiRegistryEntry, ApiDiscoveryQuery, ApiDiscoveryResponse, ApiEndpointRegistration, ApiRegistry as ApiRegistry$1 } from '@objectstack/spec/api';
 import * as QA from '@objectstack/spec/qa';
-import { PluginCapability, PluginPermissionSet, ResourceType, PermissionAction, PluginPermission, SandboxConfig, KernelSecurityScanResult, KernelSecurityVulnerability, PluginHealthCheck, PluginHealthStatus as PluginHealthStatus$1, PluginHealthReport, HotReloadConfig, VersionConstraint, DependencyConflict, SemanticVersion, CompatibilityLevel } from '@objectstack/spec/kernel';
+import { KeyObject } from 'node:crypto';
+import { PluginCapability, PluginPermissions as PluginPermissions$1, PluginPermissionSet, ResourceType, PermissionAction, PluginPermission, SandboxConfig, KernelSecurityScanResult, KernelSecurityVulnerability, PluginHealthCheck, PluginHealthStatus as PluginHealthStatus$1, PluginHealthReport, HotReloadConfig, VersionConstraint, DependencyConflict, SemanticVersion, CompatibilityLevel } from '@objectstack/spec/kernel';
 
 /**
  * Service Lifecycle Types
@@ -1000,6 +1001,120 @@ declare class PluginSignatureVerifier {
     private validateConfig;
 }
 
+/**
+ * Plugin artifact signing & verification (ADR-0025 §3.4–§3.7, framework F3).
+ *
+ * This is the CANONICAL Ed25519 detached-signature contract shared by the
+ * whole plugin distribution pipeline. It is intentionally byte-for-byte
+ * compatible with the cloud control plane's `package-signing.ts` so the
+ * two never drift:
+ *
+ *   - signature string format: `ed25519:<keyId>:<base64url(signature)>`
+ *   - publisher signature: Ed25519 over the raw `.osplugin` artifact bytes,
+ *     produced by `os plugin sign`, verified by cloud at publish time and by
+ *     the runtime when it materializes the artifact.
+ *   - platform counter-signature: Ed25519 over {@link counterSignPayload}
+ *     (the version identity), produced by cloud at approval, verified by the
+ *     runtime at load time as the marketplace's "reviewed + approved" attest.
+ *
+ * Algorithm: Ed25519 via node:crypto (`sign(null, …)` / `verify(null, …)`):
+ * short, deterministic, no padding ambiguity. The `keyId` is an opaque
+ * rotation handle used to resolve the verifying public key.
+ *
+ * The two trust chains the runtime checks before loading a third-party
+ * plugin are combined in {@link verifyPluginArtifact}.
+ */
+
+declare const SIGNATURE_ALG = "ed25519";
+type KeyInput = string | KeyObject;
+/** Generate an Ed25519 keypair as PEM strings (publisher bootstrap / tests). */
+declare function generateEd25519KeyPair(): {
+    publicKeyPem: string;
+    privateKeyPem: string;
+};
+/**
+ * Sign `payload` with an Ed25519 private key, returning the formatted
+ * signature string `ed25519:<keyId>:<base64url(sig)>`.
+ */
+declare function signPayload(payload: string | Uint8Array, privateKey: KeyInput, keyId?: string): string;
+interface ParsedSignature {
+    alg: 'ed25519';
+    keyId: string;
+    signature: Uint8Array;
+}
+/** Parse an `ed25519:<keyId>:<base64url>` signature string. Returns null if malformed. */
+declare function parseSignature(s: string | undefined | null): ParsedSignature | null;
+/** Verify a formatted signature string over `payload` with the given public key. */
+declare function verifyPayload(payload: string | Uint8Array, signature: string, publicKey: KeyInput): boolean;
+/**
+ * Canonical payload the platform counter-signs at approval. Binds the
+ * attestation to the version identity + artifact location + the publisher
+ * signature (which itself binds the artifact bytes). MUST match the cloud
+ * control plane's `counterSignPayload` exactly.
+ */
+declare function counterSignPayload(version: {
+    package_id: string;
+    version: string;
+    blob_key?: string | null;
+    signature?: string | null;
+}): string;
+interface PublisherVerifyResult {
+    /** Whether loading may proceed on signature grounds. */
+    ok: boolean;
+    /** True when a signature was present AND cryptographically verified. */
+    verified: boolean;
+    reason?: string;
+}
+/**
+ * Verify a publisher signature over the raw artifact bytes. `getPublicKey`
+ * resolves the verifying key from the signature's embedded keyId.
+ *
+ * Mirrors cloud's publish-time policy:
+ *   - no signature → ok, verified=false (caller decides via trust tier).
+ *   - malformed / fails verification → NOT ok.
+ *   - unknown keyId → NOT ok (never silently trust).
+ */
+declare function verifyPublisherSignature(args: {
+    artifact: Uint8Array;
+    signature?: string | null;
+}, getPublicKey?: (keyId: string) => Promise<KeyInput | null> | KeyInput | null): Promise<PublisherVerifyResult>;
+/** Verify a platform counter-signature against the version identity + platform public key. */
+declare function verifyPlatformSignature(version: {
+    package_id: string;
+    version: string;
+    blob_key?: string | null;
+    signature?: string | null;
+    platform_signature?: string | null;
+}, platformPublicKey: KeyInput): boolean;
+interface PluginArtifactVerifyResult {
+    /** Overall verdict: both required chains satisfied under the given policy. */
+    ok: boolean;
+    publisherVerified: boolean;
+    platformVerified: boolean;
+    reason?: string;
+}
+/**
+ * Verify both trust chains for a downloaded plugin artifact at load time
+ * (ADR-0025 §3.7). The platform counter-signature is the authoritative
+ * marketplace attestation; the publisher signature additionally binds the
+ * exact bytes. `requirePlatform` (default true) rejects artifacts that lack
+ * a valid platform counter-sign — set false for first-party / local builds.
+ */
+declare function verifyPluginArtifact(input: {
+    artifact: Uint8Array;
+    version: {
+        package_id: string;
+        version: string;
+        blob_key?: string | null;
+        signature?: string | null;
+        platform_signature?: string | null;
+    };
+}, keys: {
+    platformPublicKey?: KeyInput;
+    getPublisherPublicKey?: (keyId: string) => Promise<KeyInput | null> | KeyInput | null;
+    requirePlatform?: boolean;
+}): Promise<PluginArtifactVerifyResult>;
+
 /**
  * Plugin Configuration Validator
  *
@@ -1136,6 +1251,19 @@ declare class PluginPermissionEnforcer {
      * @param capabilities - Array of capability declarations
      */
     registerPluginPermissions(pluginName: string, capabilities: PluginCapability[]): void;
+    /**
+     * Register the install-time GRANTED permission set for a plugin
+     * (ADR-0025 F4). This is the structured `{ services, hooks, network, fs }`
+     * grant that the cloud control plane persists to
+     * `sys_package_installation.granted_permissions` after the user consents
+     * at install (ADR §3.5 step 2). The runtime calls this when materializing
+     * a third-party plugin so {@link SecurePluginContext} enforces exactly the
+     * consented surface — independent of whatever the manifest *requested*.
+     *
+     * Prefer this over {@link registerPluginPermissions} for distributed
+     * plugins: it enforces what was granted, not what was declared.
+     */
+    registerGrantedPermissions(pluginName: string, granted: PluginPermissions$1 | null | undefined): void;
     /**
      * Enforce service access permission
      *
@@ -1231,6 +1359,17 @@ declare class SecurePluginContext implements PluginContext {
  * @returns Plugin permission enforcer
  */
 declare function createPluginPermissionEnforcer(logger: Logger): PluginPermissionEnforcer;
+/**
+ * Build the runtime {@link PluginPermissions} bag from a structured
+ * install-time grant set (ADR-0025 §3.2 `{ services, hooks, network, fs }`).
+ *
+ * Matching: an entry allows when it equals the requested value, is a glob
+ * that matches it, or is the wildcard `*`. Network grants match against the
+ * request URL's host (or the raw URL). `fs` governs both read and write —
+ * the structured grant set does not split the two. A null/empty grant set
+ * denies everything (principle of least privilege).
+ */
+declare function buildPermissionsFromGrants(granted: PluginPermissions$1 | null | undefined): PluginPermissions;
 
 /**
  * Permission Grant
@@ -1941,4 +2080,4 @@ declare class NamespaceResolver {
     private suggestAlternative;
 }
 
-export { ApiRegistry, type ApiRegistryPluginConfig, CORE_FALLBACK_FACTORIES, DependencyResolver, HotReloadManager, type KernelState, LiteKernel, type NamespaceCheckResult, type NamespaceConflict, type NamespaceEntry, NamespaceResolver, ObjectKernel, ObjectKernelBase, type ObjectKernelConfig, ObjectLogger, type PermissionCheckResult$1 as PermissionCheckResult, type PermissionGrant, type Plugin, PluginConfigValidator, type PluginContext, PluginHealthMonitor, type PluginHealthStatus, type PluginLoadResult, PluginLoader, type PluginMetadata, type PermissionCheckResult as PluginPermissionCheckResult, PluginPermissionEnforcer, PluginPermissionManager, type PluginPermissions, PluginSandboxRuntime, PluginSecurityScanner, type PluginSignatureConfig, PluginSignatureVerifier, type PluginStartupResult, index as QA, type ResourceUsage, type SandboxContext, type ScanTarget, SecurePluginContext, type SecurityIssue, SemanticVersionManager, type ServiceFactory, ServiceLifecycle, type ServiceRegistration, type SignatureVerificationResult, type VersionCompatibility, createApiRegistryPlugin, createMemoryCache, createMemoryI18n, createMemoryJob, createMemoryMetadata, createMemoryQueue, createPluginConfigValidator, createPluginPermissionEnforcer, getEnv, getMemoryUsage, isNode, resolveLocale, safeExit };
+export { ApiRegistry, type ApiRegistryPluginConfig, CORE_FALLBACK_FACTORIES, DependencyResolver, HotReloadManager, type KernelState, type KeyInput, LiteKernel, type NamespaceCheckResult, type NamespaceConflict, type NamespaceEntry, NamespaceResolver, ObjectKernel, ObjectKernelBase, type ObjectKernelConfig, ObjectLogger, type ParsedSignature, type PermissionCheckResult$1 as PermissionCheckResult, type PermissionGrant, type Plugin, type PluginArtifactVerifyResult, PluginConfigValidator, type PluginContext, PluginHealthMonitor, type PluginHealthStatus, type PluginLoadResult, PluginLoader, type PluginMetadata, type PermissionCheckResult as PluginPermissionCheckResult, PluginPermissionEnforcer, PluginPermissionManager, type PluginPermissions, PluginSandboxRuntime, PluginSecurityScanner, type PluginSignatureConfig, PluginSignatureVerifier, type PluginStartupResult, type PublisherVerifyResult, index as QA, type ResourceUsage, SIGNATURE_ALG, type SandboxContext, type ScanTarget, SecurePluginContext, type SecurityIssue, SemanticVersionManager, type ServiceFactory, ServiceLifecycle, type ServiceRegistration, type SignatureVerificationResult, type VersionCompatibility, buildPermissionsFromGrants, counterSignPayload, createApiRegistryPlugin, createMemoryCache, createMemoryI18n, createMemoryJob, createMemoryMetadata, createMemoryQueue, createPluginConfigValidator, createPluginPermissionEnforcer, generateEd25519KeyPair, getEnv, getMemoryUsage, isNode, parseSignature, resolveLocale, safeExit, signPayload, verifyPayload, verifyPlatformSignature, verifyPluginArtifact, verifyPublisherSignature };

package/dist/index.d.ts

@@ -6,7 +6,8 @@ import { ObjectLogger } from './logger.js';
 export { createLogger } from './logger.js';
 import { ConflictResolutionStrategy, ApiRegistryEntryInput, ApiRegistryEntry, ApiDiscoveryQuery, ApiDiscoveryResponse, ApiEndpointRegistration, ApiRegistry as ApiRegistry$1 } from '@objectstack/spec/api';
 import * as QA from '@objectstack/spec/qa';
-import { PluginCapability, PluginPermissionSet, ResourceType, PermissionAction, PluginPermission, SandboxConfig, KernelSecurityScanResult, KernelSecurityVulnerability, PluginHealthCheck, PluginHealthStatus as PluginHealthStatus$1, PluginHealthReport, HotReloadConfig, VersionConstraint, DependencyConflict, SemanticVersion, CompatibilityLevel } from '@objectstack/spec/kernel';
+import { KeyObject } from 'node:crypto';
+import { PluginCapability, PluginPermissions as PluginPermissions$1, PluginPermissionSet, ResourceType, PermissionAction, PluginPermission, SandboxConfig, KernelSecurityScanResult, KernelSecurityVulnerability, PluginHealthCheck, PluginHealthStatus as PluginHealthStatus$1, PluginHealthReport, HotReloadConfig, VersionConstraint, DependencyConflict, SemanticVersion, CompatibilityLevel } from '@objectstack/spec/kernel';
 
 /**
  * Service Lifecycle Types
@@ -1000,6 +1001,120 @@ declare class PluginSignatureVerifier {
     private validateConfig;
 }
 
+/**
+ * Plugin artifact signing & verification (ADR-0025 §3.4–§3.7, framework F3).
+ *
+ * This is the CANONICAL Ed25519 detached-signature contract shared by the
+ * whole plugin distribution pipeline. It is intentionally byte-for-byte
+ * compatible with the cloud control plane's `package-signing.ts` so the
+ * two never drift:
+ *
+ *   - signature string format: `ed25519:<keyId>:<base64url(signature)>`
+ *   - publisher signature: Ed25519 over the raw `.osplugin` artifact bytes,
+ *     produced by `os plugin sign`, verified by cloud at publish time and by
+ *     the runtime when it materializes the artifact.
+ *   - platform counter-signature: Ed25519 over {@link counterSignPayload}
+ *     (the version identity), produced by cloud at approval, verified by the
+ *     runtime at load time as the marketplace's "reviewed + approved" attest.
+ *
+ * Algorithm: Ed25519 via node:crypto (`sign(null, …)` / `verify(null, …)`):
+ * short, deterministic, no padding ambiguity. The `keyId` is an opaque
+ * rotation handle used to resolve the verifying public key.
+ *
+ * The two trust chains the runtime checks before loading a third-party
+ * plugin are combined in {@link verifyPluginArtifact}.
+ */
+
+declare const SIGNATURE_ALG = "ed25519";
+type KeyInput = string | KeyObject;
+/** Generate an Ed25519 keypair as PEM strings (publisher bootstrap / tests). */
+declare function generateEd25519KeyPair(): {
+    publicKeyPem: string;
+    privateKeyPem: string;
+};
+/**
+ * Sign `payload` with an Ed25519 private key, returning the formatted
+ * signature string `ed25519:<keyId>:<base64url(sig)>`.
+ */
+declare function signPayload(payload: string | Uint8Array, privateKey: KeyInput, keyId?: string): string;
+interface ParsedSignature {
+    alg: 'ed25519';
+    keyId: string;
+    signature: Uint8Array;
+}
+/** Parse an `ed25519:<keyId>:<base64url>` signature string. Returns null if malformed. */
+declare function parseSignature(s: string | undefined | null): ParsedSignature | null;
+/** Verify a formatted signature string over `payload` with the given public key. */
+declare function verifyPayload(payload: string | Uint8Array, signature: string, publicKey: KeyInput): boolean;
+/**
+ * Canonical payload the platform counter-signs at approval. Binds the
+ * attestation to the version identity + artifact location + the publisher
+ * signature (which itself binds the artifact bytes). MUST match the cloud
+ * control plane's `counterSignPayload` exactly.
+ */
+declare function counterSignPayload(version: {
+    package_id: string;
+    version: string;
+    blob_key?: string | null;
+    signature?: string | null;
+}): string;
+interface PublisherVerifyResult {
+    /** Whether loading may proceed on signature grounds. */
+    ok: boolean;
+    /** True when a signature was present AND cryptographically verified. */
+    verified: boolean;
+    reason?: string;
+}
+/**
+ * Verify a publisher signature over the raw artifact bytes. `getPublicKey`
+ * resolves the verifying key from the signature's embedded keyId.
+ *
+ * Mirrors cloud's publish-time policy:
+ *   - no signature → ok, verified=false (caller decides via trust tier).
+ *   - malformed / fails verification → NOT ok.
+ *   - unknown keyId → NOT ok (never silently trust).
+ */
+declare function verifyPublisherSignature(args: {
+    artifact: Uint8Array;
+    signature?: string | null;
+}, getPublicKey?: (keyId: string) => Promise<KeyInput | null> | KeyInput | null): Promise<PublisherVerifyResult>;
+/** Verify a platform counter-signature against the version identity + platform public key. */
+declare function verifyPlatformSignature(version: {
+    package_id: string;
+    version: string;
+    blob_key?: string | null;
+    signature?: string | null;
+    platform_signature?: string | null;
+}, platformPublicKey: KeyInput): boolean;
+interface PluginArtifactVerifyResult {
+    /** Overall verdict: both required chains satisfied under the given policy. */
+    ok: boolean;
+    publisherVerified: boolean;
+    platformVerified: boolean;
+    reason?: string;
+}
+/**
+ * Verify both trust chains for a downloaded plugin artifact at load time
+ * (ADR-0025 §3.7). The platform counter-signature is the authoritative
+ * marketplace attestation; the publisher signature additionally binds the
+ * exact bytes. `requirePlatform` (default true) rejects artifacts that lack
+ * a valid platform counter-sign — set false for first-party / local builds.
+ */
+declare function verifyPluginArtifact(input: {
+    artifact: Uint8Array;
+    version: {
+        package_id: string;
+        version: string;
+        blob_key?: string | null;
+        signature?: string | null;
+        platform_signature?: string | null;
+    };
+}, keys: {
+    platformPublicKey?: KeyInput;
+    getPublisherPublicKey?: (keyId: string) => Promise<KeyInput | null> | KeyInput | null;
+    requirePlatform?: boolean;
+}): Promise<PluginArtifactVerifyResult>;
+
 /**
  * Plugin Configuration Validator
  *
@@ -1136,6 +1251,19 @@ declare class PluginPermissionEnforcer {
      * @param capabilities - Array of capability declarations
      */
     registerPluginPermissions(pluginName: string, capabilities: PluginCapability[]): void;
+    /**
+     * Register the install-time GRANTED permission set for a plugin
+     * (ADR-0025 F4). This is the structured `{ services, hooks, network, fs }`
+     * grant that the cloud control plane persists to
+     * `sys_package_installation.granted_permissions` after the user consents
+     * at install (ADR §3.5 step 2). The runtime calls this when materializing
+     * a third-party plugin so {@link SecurePluginContext} enforces exactly the
+     * consented surface — independent of whatever the manifest *requested*.
+     *
+     * Prefer this over {@link registerPluginPermissions} for distributed
+     * plugins: it enforces what was granted, not what was declared.
+     */
+    registerGrantedPermissions(pluginName: string, granted: PluginPermissions$1 | null | undefined): void;
     /**
      * Enforce service access permission
      *
@@ -1231,6 +1359,17 @@ declare class SecurePluginContext implements PluginContext {
  * @returns Plugin permission enforcer
  */
 declare function createPluginPermissionEnforcer(logger: Logger): PluginPermissionEnforcer;
+/**
+ * Build the runtime {@link PluginPermissions} bag from a structured
+ * install-time grant set (ADR-0025 §3.2 `{ services, hooks, network, fs }`).
+ *
+ * Matching: an entry allows when it equals the requested value, is a glob
+ * that matches it, or is the wildcard `*`. Network grants match against the
+ * request URL's host (or the raw URL). `fs` governs both read and write —
+ * the structured grant set does not split the two. A null/empty grant set
+ * denies everything (principle of least privilege).
+ */
+declare function buildPermissionsFromGrants(granted: PluginPermissions$1 | null | undefined): PluginPermissions;
 
 /**
  * Permission Grant
@@ -1941,4 +2080,4 @@ declare class NamespaceResolver {
     private suggestAlternative;
 }
 
-export { ApiRegistry, type ApiRegistryPluginConfig, CORE_FALLBACK_FACTORIES, DependencyResolver, HotReloadManager, type KernelState, LiteKernel, type NamespaceCheckResult, type NamespaceConflict, type NamespaceEntry, NamespaceResolver, ObjectKernel, ObjectKernelBase, type ObjectKernelConfig, ObjectLogger, type PermissionCheckResult$1 as PermissionCheckResult, type PermissionGrant, type Plugin, PluginConfigValidator, type PluginContext, PluginHealthMonitor, type PluginHealthStatus, type PluginLoadResult, PluginLoader, type PluginMetadata, type PermissionCheckResult as PluginPermissionCheckResult, PluginPermissionEnforcer, PluginPermissionManager, type PluginPermissions, PluginSandboxRuntime, PluginSecurityScanner, type PluginSignatureConfig, PluginSignatureVerifier, type PluginStartupResult, index as QA, type ResourceUsage, type SandboxContext, type ScanTarget, SecurePluginContext, type SecurityIssue, SemanticVersionManager, type ServiceFactory, ServiceLifecycle, type ServiceRegistration, type SignatureVerificationResult, type VersionCompatibility, createApiRegistryPlugin, createMemoryCache, createMemoryI18n, createMemoryJob, createMemoryMetadata, createMemoryQueue, createPluginConfigValidator, createPluginPermissionEnforcer, getEnv, getMemoryUsage, isNode, resolveLocale, safeExit };
+export { ApiRegistry, type ApiRegistryPluginConfig, CORE_FALLBACK_FACTORIES, DependencyResolver, HotReloadManager, type KernelState, type KeyInput, LiteKernel, type NamespaceCheckResult, type NamespaceConflict, type NamespaceEntry, NamespaceResolver, ObjectKernel, ObjectKernelBase, type ObjectKernelConfig, ObjectLogger, type ParsedSignature, type PermissionCheckResult$1 as PermissionCheckResult, type PermissionGrant, type Plugin, type PluginArtifactVerifyResult, PluginConfigValidator, type PluginContext, PluginHealthMonitor, type PluginHealthStatus, type PluginLoadResult, PluginLoader, type PluginMetadata, type PermissionCheckResult as PluginPermissionCheckResult, PluginPermissionEnforcer, PluginPermissionManager, type PluginPermissions, PluginSandboxRuntime, PluginSecurityScanner, type PluginSignatureConfig, PluginSignatureVerifier, type PluginStartupResult, type PublisherVerifyResult, index as QA, type ResourceUsage, SIGNATURE_ALG, type SandboxContext, type ScanTarget, SecurePluginContext, type SecurityIssue, SemanticVersionManager, type ServiceFactory, ServiceLifecycle, type ServiceRegistration, type SignatureVerificationResult, type VersionCompatibility, buildPermissionsFromGrants, counterSignPayload, createApiRegistryPlugin, createMemoryCache, createMemoryI18n, createMemoryJob, createMemoryMetadata, createMemoryQueue, createPluginConfigValidator, createPluginPermissionEnforcer, generateEd25519KeyPair, getEnv, getMemoryUsage, isNode, parseSignature, resolveLocale, safeExit, signPayload, verifyPayload, verifyPlatformSignature, verifyPluginArtifact, verifyPublisherSignature };

package/dist/index.js

@@ -508,6 +508,108 @@ function createPluginConfigValidator(logger) {
   return new PluginConfigValidator(logger);
 }
 
+// src/security/plugin-artifact-signature.ts
+import {
+  sign as cryptoSign,
+  verify as cryptoVerify,
+  createPublicKey,
+  createPrivateKey,
+  generateKeyPairSync
+} from "crypto";
+var SIGNATURE_ALG = "ed25519";
+var SIG_PREFIX = "ed25519:";
+function toPrivateKey(key) {
+  return typeof key === "string" ? createPrivateKey(key) : key;
+}
+function toPublicKey(key) {
+  return typeof key === "string" ? createPublicKey(key) : key;
+}
+function toBytes(payload) {
+  return typeof payload === "string" ? new TextEncoder().encode(payload) : payload;
+}
+function generateEd25519KeyPair() {
+  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
+  return {
+    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }).toString(),
+    privateKeyPem: privateKey.export({ type: "pkcs8", format: "pem" }).toString()
+  };
+}
+function signPayload(payload, privateKey, keyId = "default") {
+  if (keyId.includes(":")) throw new Error('keyId must not contain ":"');
+  const sig = cryptoSign(null, toBytes(payload), toPrivateKey(privateKey));
+  return `${SIG_PREFIX}${keyId}:${sig.toString("base64url")}`;
+}
+function parseSignature(s) {
+  if (typeof s !== "string" || !s.startsWith(SIG_PREFIX)) return null;
+  const rest = s.slice(SIG_PREFIX.length);
+  const idx = rest.indexOf(":");
+  if (idx <= 0) return null;
+  const keyId = rest.slice(0, idx);
+  const b64 = rest.slice(idx + 1);
+  if (!keyId || !b64) return null;
+  try {
+    return { alg: "ed25519", keyId, signature: new Uint8Array(Buffer.from(b64, "base64url")) };
+  } catch {
+    return null;
+  }
+}
+function verifyPayload(payload, signature, publicKey) {
+  const parsed = parseSignature(signature);
+  if (!parsed) return false;
+  try {
+    return cryptoVerify(null, toBytes(payload), toPublicKey(publicKey), parsed.signature);
+  } catch {
+    return false;
+  }
+}
+function counterSignPayload(version) {
+  return [
+    version.package_id,
+    version.version,
+    version.blob_key ?? "",
+    version.signature ?? ""
+  ].join("\n");
+}
+async function verifyPublisherSignature(args, getPublicKey) {
+  const sig = args.signature;
+  if (!sig) return { ok: true, verified: false, reason: "no signature supplied" };
+  const parsed = parseSignature(sig);
+  if (!parsed) return { ok: false, verified: false, reason: "signature is malformed" };
+  if (!getPublicKey) {
+    return { ok: true, verified: false, reason: "no publisher key registry configured" };
+  }
+  const pub = await getPublicKey(parsed.keyId);
+  if (!pub) return { ok: false, verified: false, reason: `unknown publisher key '${parsed.keyId}'` };
+  return verifyPayload(args.artifact, sig, pub) ? { ok: true, verified: true } : { ok: false, verified: false, reason: "publisher signature does not match artifact" };
+}
+function verifyPlatformSignature(version, platformPublicKey) {
+  if (!version.platform_signature) return false;
+  return verifyPayload(counterSignPayload(version), version.platform_signature, platformPublicKey);
+}
+async function verifyPluginArtifact(input, keys) {
+  const requirePlatform = keys.requirePlatform ?? true;
+  const publisher = await verifyPublisherSignature(
+    { artifact: input.artifact, signature: input.version.signature },
+    keys.getPublisherPublicKey
+  );
+  if (!publisher.ok) {
+    return { ok: false, publisherVerified: false, platformVerified: false, reason: publisher.reason };
+  }
+  let platformVerified = false;
+  if (keys.platformPublicKey) {
+    platformVerified = verifyPlatformSignature(input.version, keys.platformPublicKey);
+  }
+  if (requirePlatform && !platformVerified) {
+    return {
+      ok: false,
+      publisherVerified: publisher.verified,
+      platformVerified,
+      reason: keys.platformPublicKey ? "platform counter-signature missing or invalid" : "no platform public key configured"
+    };
+  }
+  return { ok: true, publisherVerified: publisher.verified, platformVerified };
+}
+
 // src/plugin-loader.ts
 var ServiceLifecycle = /* @__PURE__ */ ((ServiceLifecycle2) => {
   ServiceLifecycle2["SINGLETON"] = "singleton";
@@ -765,7 +867,15 @@ var PluginLoader = class {
     if (!plugin.signature) {
       return;
     }
-    this.logger.debug(`Plugin ${plugin.name} has signature (use PluginSignatureVerifier for verification)`);
+    const parsed = parseSignature(plugin.signature);
+    if (!parsed) {
+      throw new Error(
+        `Plugin ${plugin.name} carries a malformed signature (expected ed25519:<keyId>:<base64url>)`
+      );
+    }
+    this.logger.debug(
+      `Plugin ${plugin.name} signature well-formed (alg=${parsed.alg}, keyId=${parsed.keyId}); artifact verification occurs at materialize time`
+    );
   }
   async getSingletonService(registration) {
     let instance = this.serviceInstances.get(registration.name);
@@ -2709,9 +2819,31 @@ var PluginPermissionEnforcer = class {
       capabilityCount: capabilities.length
     });
   }
+  /**
+   * Register the install-time GRANTED permission set for a plugin
+   * (ADR-0025 F4). This is the structured `{ services, hooks, network, fs }`
+   * grant that the cloud control plane persists to
+   * `sys_package_installation.granted_permissions` after the user consents
+   * at install (ADR §3.5 step 2). The runtime calls this when materializing
+   * a third-party plugin so {@link SecurePluginContext} enforces exactly the
+   * consented surface — independent of whatever the manifest *requested*.
+   *
+   * Prefer this over {@link registerPluginPermissions} for distributed
+   * plugins: it enforces what was granted, not what was declared.
+   */
+  registerGrantedPermissions(pluginName, granted) {
+    this.permissionRegistry.set(pluginName, buildPermissionsFromGrants(granted));
+    this.logger.info(`Granted permissions registered for plugin: ${pluginName}`, {
+      plugin: pluginName,
+      services: granted?.services?.length ?? 0,
+      hooks: granted?.hooks?.length ?? 0,
+      network: granted?.network?.length ?? 0,
+      fs: granted?.fs?.length ?? 0
+    });
+  }
   /**
    * Enforce service access permission
-   * 
+   *
    * @param pluginName - Plugin requesting access
    * @param serviceName - Service to access
    * @throws Error if permission denied
@@ -2974,6 +3106,32 @@ var SecurePluginContext = class {
 function createPluginPermissionEnforcer(logger) {
   return new PluginPermissionEnforcer(logger);
 }
+function grantGlobMatch(pattern, value) {
+  if (pattern === "*" || pattern === "**") return true;
+  const regexStr = pattern.split("**").map((segment) => segment.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, "[^/]*")).join(".*");
+  return new RegExp(`^${regexStr}$`).test(value);
+}
+function hostOf(url) {
+  try {
+    return new URL(url).host;
+  } catch {
+    return url;
+  }
+}
+var inList = (list, value) => Array.isArray(list) && list.some((p) => p === value || grantGlobMatch(p, value));
+function buildPermissionsFromGrants(granted) {
+  const services = granted?.services;
+  const hooks = granted?.hooks;
+  const network = granted?.network;
+  const fs = granted?.fs;
+  return {
+    canAccessService: (name) => inList(services, name),
+    canTriggerHook: (name) => inList(hooks, name),
+    canReadFile: (path) => inList(fs, path),
+    canWriteFile: (path) => inList(fs, path),
+    canNetworkRequest: (url) => inList(network, hostOf(url)) || inList(network, url)
+  };
+}
 
 // src/security/permission-manager.ts
 var PluginPermissionManager = class {
@@ -4658,9 +4816,12 @@ export {
   PluginSecurityScanner,
   PluginSignatureVerifier,
   qa_exports as QA,
+  SIGNATURE_ALG,
   SecurePluginContext,
   SemanticVersionManager,
   ServiceLifecycle,
+  buildPermissionsFromGrants,
+  counterSignPayload,
   createApiRegistryPlugin,
   createLogger,
   createMemoryCache,
@@ -4670,10 +4831,17 @@ export {
   createMemoryQueue,
   createPluginConfigValidator,
   createPluginPermissionEnforcer,
+  generateEd25519KeyPair,
   getEnv,
   getMemoryUsage,
   isNode,
+  parseSignature,
   resolveLocale,
-  safeExit
+  safeExit,
+  signPayload,
+  verifyPayload,
+  verifyPlatformSignature,
+  verifyPluginArtifact,
+  verifyPublisherSignature
 };
 //# sourceMappingURL=index.js.map