npm - @objectstack/core - Versions diffs - 7.5.0 → 7.6.0 - Mend

@objectstack/core 7.5.0 → 7.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -48,9 +48,12 @@ __export(index_exports, {
   PluginSecurityScanner: () => PluginSecurityScanner,
   PluginSignatureVerifier: () => PluginSignatureVerifier,
   QA: () => qa_exports,
+  SIGNATURE_ALG: () => SIGNATURE_ALG,
   SecurePluginContext: () => SecurePluginContext,
   SemanticVersionManager: () => SemanticVersionManager,
   ServiceLifecycle: () => ServiceLifecycle,
+  buildPermissionsFromGrants: () => buildPermissionsFromGrants,
+  counterSignPayload: () => counterSignPayload,
   createApiRegistryPlugin: () => createApiRegistryPlugin,
   createLogger: () => createLogger,
   createMemoryCache: () => createMemoryCache,
@@ -60,11 +63,18 @@ __export(index_exports, {
   createMemoryQueue: () => createMemoryQueue,
   createPluginConfigValidator: () => createPluginConfigValidator,
   createPluginPermissionEnforcer: () => createPluginPermissionEnforcer,
+  generateEd25519KeyPair: () => generateEd25519KeyPair,
   getEnv: () => getEnv,
   getMemoryUsage: () => getMemoryUsage,
   isNode: () => isNode,
+  parseSignature: () => parseSignature,
   resolveLocale: () => resolveLocale,
-  safeExit: () => safeExit
+  safeExit: () => safeExit,
+  signPayload: () => signPayload,
+  verifyPayload: () => verifyPayload,
+  verifyPlatformSignature: () => verifyPlatformSignature,
+  verifyPluginArtifact: () => verifyPluginArtifact,
+  verifyPublisherSignature: () => verifyPublisherSignature
 });
 module.exports = __toCommonJS(index_exports);
@@ -566,6 +576,102 @@ function createPluginConfigValidator(logger) {
   return new PluginConfigValidator(logger);
 }
+// src/security/plugin-artifact-signature.ts
+var import_node_crypto = require("crypto");
+var SIGNATURE_ALG = "ed25519";
+var SIG_PREFIX = "ed25519:";
+function toPrivateKey(key) {
+  return typeof key === "string" ? (0, import_node_crypto.createPrivateKey)(key) : key;
+}
+function toPublicKey(key) {
+  return typeof key === "string" ? (0, import_node_crypto.createPublicKey)(key) : key;
+}
+function toBytes(payload) {
+  return typeof payload === "string" ? new TextEncoder().encode(payload) : payload;
+}
+function generateEd25519KeyPair() {
+  const { publicKey, privateKey } = (0, import_node_crypto.generateKeyPairSync)("ed25519");
+  return {
+    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }).toString(),
+    privateKeyPem: privateKey.export({ type: "pkcs8", format: "pem" }).toString()
+  };
+}
+function signPayload(payload, privateKey, keyId = "default") {
+  if (keyId.includes(":")) throw new Error('keyId must not contain ":"');
+  const sig = (0, import_node_crypto.sign)(null, toBytes(payload), toPrivateKey(privateKey));
+  return `${SIG_PREFIX}${keyId}:${sig.toString("base64url")}`;
+}
+function parseSignature(s) {
+  if (typeof s !== "string" || !s.startsWith(SIG_PREFIX)) return null;
+  const rest = s.slice(SIG_PREFIX.length);
+  const idx = rest.indexOf(":");
+  if (idx <= 0) return null;
+  const keyId = rest.slice(0, idx);
+  const b64 = rest.slice(idx + 1);
+  if (!keyId || !b64) return null;
+  try {
+    return { alg: "ed25519", keyId, signature: new Uint8Array(Buffer.from(b64, "base64url")) };
+  } catch {
+    return null;
+  }
+}
+function verifyPayload(payload, signature, publicKey) {
+  const parsed = parseSignature(signature);
+  if (!parsed) return false;
+  try {
+    return (0, import_node_crypto.verify)(null, toBytes(payload), toPublicKey(publicKey), parsed.signature);
+  } catch {
+    return false;
+  }
+}
+function counterSignPayload(version) {
+  return [
+    version.package_id,
+    version.version,
+    version.blob_key ?? "",
+    version.signature ?? ""
+  ].join("\n");
+}
+async function verifyPublisherSignature(args, getPublicKey) {
+  const sig = args.signature;
+  if (!sig) return { ok: true, verified: false, reason: "no signature supplied" };
+  const parsed = parseSignature(sig);
+  if (!parsed) return { ok: false, verified: false, reason: "signature is malformed" };
+  if (!getPublicKey) {
+    return { ok: true, verified: false, reason: "no publisher key registry configured" };
+  }
+  const pub = await getPublicKey(parsed.keyId);
+  if (!pub) return { ok: false, verified: false, reason: `unknown publisher key '${parsed.keyId}'` };
+  return verifyPayload(args.artifact, sig, pub) ? { ok: true, verified: true } : { ok: false, verified: false, reason: "publisher signature does not match artifact" };
+}
+function verifyPlatformSignature(version, platformPublicKey) {
+  if (!version.platform_signature) return false;
+  return verifyPayload(counterSignPayload(version), version.platform_signature, platformPublicKey);
+}
+async function verifyPluginArtifact(input, keys) {
+  const requirePlatform = keys.requirePlatform ?? true;
+  const publisher = await verifyPublisherSignature(
+    { artifact: input.artifact, signature: input.version.signature },
+    keys.getPublisherPublicKey
+  );
+  if (!publisher.ok) {
+    return { ok: false, publisherVerified: false, platformVerified: false, reason: publisher.reason };
+  }
+  let platformVerified = false;
+  if (keys.platformPublicKey) {
+    platformVerified = verifyPlatformSignature(input.version, keys.platformPublicKey);
+  }
+  if (requirePlatform && !platformVerified) {
+    return {
+      ok: false,
+      publisherVerified: publisher.verified,
+      platformVerified,
+      reason: keys.platformPublicKey ? "platform counter-signature missing or invalid" : "no platform public key configured"
+    };
+  }
+  return { ok: true, publisherVerified: publisher.verified, platformVerified };
+}
 // src/plugin-loader.ts
 var ServiceLifecycle = /* @__PURE__ */ ((ServiceLifecycle2) => {
   ServiceLifecycle2["SINGLETON"] = "singleton";
@@ -823,7 +929,15 @@ var PluginLoader = class {
     if (!plugin.signature) {
       return;
     }
-    this.logger.debug(`Plugin ${plugin.name} has signature (use PluginSignatureVerifier for verification)`);
+    const parsed = parseSignature(plugin.signature);
+    if (!parsed) {
+      throw new Error(
+        `Plugin ${plugin.name} carries a malformed signature (expected ed25519:<keyId>:<base64url>)`
+      );
+    }
+    this.logger.debug(
+      `Plugin ${plugin.name} signature well-formed (alg=${parsed.alg}, keyId=${parsed.keyId}); artifact verification occurs at materialize time`
+    );
   }
   async getSingletonService(registration) {
     let instance = this.serviceInstances.get(registration.name);
@@ -2767,9 +2881,31 @@ var PluginPermissionEnforcer = class {
       capabilityCount: capabilities.length
     });
   }
+  /**
+   * Register the install-time GRANTED permission set for a plugin
+   * (ADR-0025 F4). This is the structured `{ services, hooks, network, fs }`
+   * grant that the cloud control plane persists to
+   * `sys_package_installation.granted_permissions` after the user consents
+   * at install (ADR §3.5 step 2). The runtime calls this when materializing
+   * a third-party plugin so {@link SecurePluginContext} enforces exactly the
+   * consented surface — independent of whatever the manifest *requested*.
+   *
+   * Prefer this over {@link registerPluginPermissions} for distributed
+   * plugins: it enforces what was granted, not what was declared.
+   */
+  registerGrantedPermissions(pluginName, granted) {
+    this.permissionRegistry.set(pluginName, buildPermissionsFromGrants(granted));
+    this.logger.info(`Granted permissions registered for plugin: ${pluginName}`, {
+      plugin: pluginName,
+      services: granted?.services?.length ?? 0,
+      hooks: granted?.hooks?.length ?? 0,
+      network: granted?.network?.length ?? 0,
+      fs: granted?.fs?.length ?? 0
+    });
+  }
   /**
    * Enforce service access permission
-   *
+   *
    * @param pluginName - Plugin requesting access
    * @param serviceName - Service to access
    * @throws Error if permission denied
@@ -3032,6 +3168,32 @@ var SecurePluginContext = class {
 function createPluginPermissionEnforcer(logger) {
   return new PluginPermissionEnforcer(logger);
 }
+function grantGlobMatch(pattern, value) {
+  if (pattern === "*" || pattern === "**") return true;
+  const regexStr = pattern.split("**").map((segment) => segment.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, "[^/]*")).join(".*");
+  return new RegExp(`^${regexStr}$`).test(value);
+}
+function hostOf(url) {
+  try {
+    return new URL(url).host;
+  } catch {
+    return url;
+  }
+}
+var inList = (list, value) => Array.isArray(list) && list.some((p) => p === value || grantGlobMatch(p, value));
+function buildPermissionsFromGrants(granted) {
+  const services = granted?.services;
+  const hooks = granted?.hooks;
+  const network = granted?.network;
+  const fs = granted?.fs;
+  return {
+    canAccessService: (name) => inList(services, name),
+    canTriggerHook: (name) => inList(hooks, name),
+    canReadFile: (path) => inList(fs, path),
+    canWriteFile: (path) => inList(fs, path),
+    canNetworkRequest: (url) => inList(network, hostOf(url)) || inList(network, url)
+  };
+}
 // src/security/permission-manager.ts
 var PluginPermissionManager = class {
@@ -4027,7 +4189,7 @@ var PluginHealthMonitor = class {
 };
 // src/hot-reload.ts
-var import_node_crypto = require("crypto");
+var import_node_crypto2 = require("crypto");
 var generateUUID = () => {
   if (typeof crypto !== "undefined" && crypto.randomUUID) {
     return crypto.randomUUID();
@@ -4122,7 +4284,7 @@ var PluginStateManager = class {
    */
   calculateChecksum(state) {
     const stateStr = JSON.stringify(state);
-    return (0, import_node_crypto.createHash)("sha256").update(stateStr).digest("hex");
+    return (0, import_node_crypto2.createHash)("sha256").update(stateStr).digest("hex");
   }
   /**
    * Shutdown state manager
@@ -4717,9 +4879,12 @@ var NamespaceResolver = class {
   PluginSecurityScanner,
   PluginSignatureVerifier,
   QA,
+  SIGNATURE_ALG,
   SecurePluginContext,
   SemanticVersionManager,
   ServiceLifecycle,
+  buildPermissionsFromGrants,
+  counterSignPayload,
   createApiRegistryPlugin,
   createLogger,
   createMemoryCache,
@@ -4729,10 +4894,17 @@ var NamespaceResolver = class {
   createMemoryQueue,
   createPluginConfigValidator,
   createPluginPermissionEnforcer,
+  generateEd25519KeyPair,
   getEnv,
   getMemoryUsage,
   isNode,
+  parseSignature,
   resolveLocale,
-  safeExit
+  safeExit,
+  signPayload,
+  verifyPayload,
+  verifyPlatformSignature,
+  verifyPluginArtifact,
+  verifyPublisherSignature
 });
 //# sourceMappingURL=index.cjs.map