@objectstack/spec 0.9.1 → 0.9.2
- package/README.md +14 -0
- package/dist/ai/cost.zod.d.ts +1 -1
- package/dist/ai/devops-agent.zod.d.ts +6 -6
- package/dist/ai/index.d.ts +4 -0
- package/dist/ai/index.d.ts.map +1 -1
- package/dist/ai/index.js +4 -0
- package/dist/ai/plugin-development.zod.d.ts +415 -0
- package/dist/ai/plugin-development.zod.d.ts.map +1 -0
- package/dist/ai/plugin-development.zod.js +576 -0
- package/dist/ai/runtime-ops.zod.d.ts +480 -0
- package/dist/ai/runtime-ops.zod.d.ts.map +1 -0
- package/dist/ai/runtime-ops.zod.js +578 -0
- package/dist/api/discovery.zod.d.ts +1 -1
- package/dist/api/endpoint.zod.d.ts +2 -2
- package/dist/api/hub.zod.d.ts +74 -74
- package/dist/api/realtime.zod.d.ts +2 -2
- package/dist/api/websocket.zod.d.ts +6 -6
- package/dist/automation/trigger-registry.zod.d.ts +6 -6
- package/dist/contracts/service-registry.d.ts +1 -1
- package/dist/hub/hub-federation.zod.d.ts +4 -4
- package/dist/hub/index.d.ts +1 -0
- package/dist/hub/index.d.ts.map +1 -1
- package/dist/hub/index.js +1 -0
- package/dist/hub/license.zod.d.ts +1 -1
- package/dist/hub/marketplace-enhanced.zod.d.ts +1028 -0
- package/dist/hub/marketplace-enhanced.zod.d.ts.map +1 -0
- package/dist/hub/marketplace-enhanced.zod.js +728 -0
- package/dist/hub/plugin-registry.zod.d.ts +3 -3
- package/dist/hub/plugin-security.zod.d.ts +4 -4
- package/dist/hub/space.zod.d.ts +2 -2
- package/dist/integration/connector/database.zod.d.ts +1 -1
- package/dist/integration/connector/file-storage.zod.d.ts +1 -1
- package/dist/integration/connector/github.zod.d.ts +1 -1
- package/dist/integration/connector/message-queue.zod.d.ts +1 -1
- package/dist/integration/connector/saas.zod.d.ts +3 -3
- package/dist/integration/connector/vercel.zod.d.ts +4 -4
- package/dist/integration/connector.zod.d.ts +2 -2
- package/dist/stack.zod.d.ts +5 -5
- package/dist/system/index.d.ts +3 -0
- package/dist/system/index.d.ts.map +1 -1
- package/dist/system/index.js +3 -0
- package/dist/system/logging.zod.d.ts +5 -0
- package/dist/system/logging.zod.d.ts.map +1 -1
- package/dist/system/logging.zod.js +2 -1
- package/dist/system/notification.zod.d.ts +1 -1
- package/dist/system/plugin-lifecycle-advanced.zod.d.ts +357 -0
- package/dist/system/plugin-lifecycle-advanced.zod.d.ts.map +1 -0
- package/dist/system/plugin-lifecycle-advanced.zod.js +411 -0
- package/dist/system/plugin-security-advanced.zod.d.ts +904 -0
- package/dist/system/plugin-security-advanced.zod.d.ts.map +1 -0
- package/dist/system/plugin-security-advanced.zod.js +606 -0
- package/dist/system/plugin-versioning.zod.d.ts +438 -0
- package/dist/system/plugin-versioning.zod.d.ts.map +1 -0
- package/dist/system/plugin-versioning.zod.js +397 -0
- package/json-schema/ai/AICodeReviewResult.json +7 -0
- package/json-schema/ai/AIOpsAgentConfig.json +7 -0
- package/json-schema/ai/AnomalyDetectionConfig.json +7 -0
- package/json-schema/ai/AutoScalingPolicy.json +7 -0
- package/json-schema/ai/CodeGenerationRequest.json +7 -0
- package/json-schema/ai/GeneratedCode.json +7 -0
- package/json-schema/ai/PerformanceOptimization.json +7 -0
- package/json-schema/ai/PluginCompositionRequest.json +7 -0
- package/json-schema/ai/PluginCompositionResult.json +7 -0
- package/json-schema/ai/PluginRecommendation.json +7 -0
- package/json-schema/ai/PluginRecommendationRequest.json +7 -0
- package/json-schema/ai/PluginScaffoldingTemplate.json +7 -0
- package/json-schema/ai/RootCauseAnalysisRequest.json +7 -0
- package/json-schema/ai/RootCauseAnalysisResult.json +7 -0
- package/json-schema/ai/SelfHealingAction.json +7 -0
- package/json-schema/ai/SelfHealingConfig.json +7 -0
- package/json-schema/hub/MarketplaceQualityMetrics.json +7 -0
- package/json-schema/hub/PluginCategory.json +7 -0
- package/json-schema/hub/PluginCertification.json +7 -0
- package/json-schema/hub/PluginInstallationRequest.json +7 -0
- package/json-schema/hub/PluginInstallationStatus.json +7 -0
- package/json-schema/hub/PluginLicense.json +7 -0
- package/json-schema/hub/PluginMarketplaceListing.json +7 -0
- package/json-schema/hub/PluginRating.json +7 -0
- package/json-schema/hub/PluginRevenueSharing.json +7 -0
- package/json-schema/hub/PluginSearchQuery.json +7 -0
- package/json-schema/hub/PluginTag.json +7 -0
- package/json-schema/hub/RegistryConfig.json +7 -0
- package/json-schema/hub/RegistrySyncPolicy.json +7 -0
- package/json-schema/hub/RegistryUpstream.json +7 -0
- package/json-schema/system/AdvancedPluginLifecycleConfig.json +7 -0
- package/json-schema/system/BreakingChange.json +7 -0
- package/json-schema/system/CompatibilityLevel.json +7 -0
- package/json-schema/system/CompatibilityMatrixEntry.json +7 -0
- package/json-schema/system/DependencyConflict.json +7 -0
- package/json-schema/system/DependencyResolutionResult.json +7 -0
- package/json-schema/system/DeprecationNotice.json +7 -0
- package/json-schema/system/DistributedStateConfig.json +7 -0
- package/json-schema/system/GracefulDegradation.json +7 -0
- package/json-schema/system/HotReloadConfig.json +7 -0
- package/json-schema/system/MultiVersionSupport.json +7 -0
- package/json-schema/system/Permission.json +7 -0
- package/json-schema/system/PermissionAction.json +7 -0
- package/json-schema/system/PermissionScope.json +7 -0
- package/json-schema/system/PermissionSet.json +7 -0
- package/json-schema/system/PluginCompatibilityMatrix.json +7 -0
- package/json-schema/system/PluginHealthCheck.json +7 -0
- package/json-schema/system/PluginHealthReport.json +7 -0
- package/json-schema/system/PluginHealthStatus.json +7 -0
- package/json-schema/system/PluginSecurityManifest.json +7 -0
- package/json-schema/system/PluginStateSnapshot.json +7 -0
- package/json-schema/system/PluginTrustLevel.json +7 -0
- package/json-schema/system/PluginUpdateStrategy.json +7 -0
- package/json-schema/system/PluginVersionMetadata.json +7 -0
- package/json-schema/system/ResourceType.json +7 -0
- package/json-schema/system/RuntimeConfig.json +7 -0
- package/json-schema/system/SandboxConfig.json +7 -0
- package/json-schema/system/SecurityPolicy.json +7 -0
- package/json-schema/system/SecurityScanResult.json +7 -0
- package/json-schema/system/SecurityVulnerability.json +7 -0
- package/json-schema/system/SemanticVersion.json +7 -0
- package/json-schema/system/VersionConstraint.json +7 -0
- package/package.json +1 -1
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"plugin-security-advanced.zod.d.ts","sourceRoot":"","sources":["../../src/system/plugin-security-advanced.zod.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;;;;;;;;;GAYG;AAEH;;;GAGG;AACH,eAAO,MAAM,qBAAqB;;;;;;EAMY,CAAC;AAE/C;;;GAGG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;EAYU,CAAC;AAE9C;;;GAGG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;EAiBe,CAAC;AAE/C;;;GAGG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAuD3B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAwB9B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAsH9B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA6E9B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;iBAqFtC,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAoEnC,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAyD/B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,sBAAsB;;;;;;EAMK,CAAC;AAEzC;;;GAGG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA2EvC,CAAC;AAGH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AACpE,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AACtE,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAC9D,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC1D,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAChE,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAChE,MAA
M,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAChE,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAChF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAC1E,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAClE,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AACtE,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC"}
|
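--- a/package/dist/system/plugin-security-advanced.zod.js
+++ b/package/dist/system/plugin-security-advanced.zod.js
@@ -0,0 +1,606 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PluginSecurityManifestSchema = exports.PluginTrustLevelSchema = exports.SecurityPolicySchema = exports.SecurityScanResultSchema = exports.SecurityVulnerabilitySchema = exports.SandboxConfigSchema = exports.RuntimeConfigSchema = exports.PermissionSetSchema = exports.PermissionSchema = exports.ResourceTypeSchema = exports.PermissionActionSchema = exports.PermissionScopeSchema = void 0;
+const zod_1 = require("zod");
+/**
+* # Plugin Security and Sandboxing Protocol
+*
+* Defines comprehensive security mechanisms for plugin isolation, permission
+* management, and threat protection in the ObjectStack ecosystem.
+*
+* Features:
+* - Fine-grained permission system
+* - Resource access control
+* - Sandboxing and isolation
+* - Security scanning and verification
+* - Runtime security monitoring
+*/
+/**
+* Permission Scope
+* Defines the scope of a permission
+*/
+exports.PermissionScopeSchema = zod_1.z.enum([
+'global', // Applies to entire system
+'tenant', // Applies to specific tenant
+'user', // Applies to specific user
+'resource', // Applies to specific resource
+'plugin', // Applies within plugin boundaries
+]).describe('Scope of permission application');
+/**
+* Permission Action
+* Standard CRUD + extended actions
+*/
+exports.PermissionActionSchema = zod_1.z.enum([
+'create', // Create new resources
+'read', // Read existing resources
+'update', // Update existing resources
+'delete', // Delete resources
+'execute', // Execute operations/functions
+'manage', // Full management rights
+'configure', // Configuration changes
+'share', // Share with others
+'export', // Export data
+'import', // Import data
+'admin', // Administrative access
+]).describe('Type of action being permitted');
+/**
+* Resource Type
+* Types of resources that can be accessed
+*/
+exports.ResourceTypeSchema = zod_1.z.enum([
+'data.object', // ObjectQL objects
+'data.record', // Individual records
+'data.field', // Specific fields
+'ui.view', // UI views
+'ui.dashboard', // Dashboards
+'ui.report', // Reports
+'system.config', // System configuration
+'system.plugin', // Other plugins
+'system.api', // API endpoints
+'system.service', // System services
+'storage.file', // File storage
+'storage.database', // Database access
+'network.http', // HTTP requests
+'network.websocket', // WebSocket connections
+'process.spawn', // Process spawning
+'process.env', // Environment variables
+]).describe('Type of resource being accessed');
+/**
+* Permission Definition
+* Defines a single permission requirement
+*/
+exports.PermissionSchema = zod_1.z.object({
+/**
+* Permission identifier
+*/
+id: zod_1.z.string().describe('Unique permission identifier'),
+/**
+* Resource type
+*/
+resource: exports.ResourceTypeSchema,
+/**
+* Allowed actions
+*/
+actions: zod_1.z.array(exports.PermissionActionSchema),
+/**
+* Permission scope
+*/
+scope: exports.PermissionScopeSchema.default('plugin'),
+/**
+* Resource filter
+*/
+filter: zod_1.z.object({
+/**
+* Specific resource IDs
+*/
+resourceIds: zod_1.z.array(zod_1.z.string()).optional(),
+/**
+* Filter condition
+*/
+condition: zod_1.z.string().optional().describe('Filter expression (e.g., owner = currentUser)'),
+/**
+* Field-level access
+*/
+fields: zod_1.z.array(zod_1.z.string()).optional().describe('Allowed fields for data resources'),
+}).optional(),
+/**
+* Human-readable description
+*/
+description: zod_1.z.string(),
+/**
+* Whether this permission is required or optional
+*/
+required: zod_1.z.boolean().default(true),
+/**
+* Justification for permission
+*/
+justification: zod_1.z.string().optional().describe('Why this permission is needed'),
+});
+/**
+* Permission Set
+* Collection of permissions for a plugin
+*/
+exports.PermissionSetSchema = zod_1.z.object({
+/**
+* All permissions required by plugin
+*/
+permissions: zod_1.z.array(exports.PermissionSchema),
+/**
+* Permission groups for easier management
+*/
+groups: zod_1.z.array(zod_1.z.object({
+name: zod_1.z.string().describe('Group name'),
+description: zod_1.z.string(),
+permissions: zod_1.z.array(zod_1.z.string()).describe('Permission IDs in this group'),
+})).optional(),
+/**
+* Default grant strategy
+*/
+defaultGrant: zod_1.z.enum([
+'prompt', // Always prompt user
+'allow', // Allow by default
+'deny', // Deny by default
+'inherit', // Inherit from parent
+]).default('prompt'),
+});
+/**
+* Runtime Configuration
+* Defines the execution environment for plugin isolation
+*/
+exports.RuntimeConfigSchema = zod_1.z.object({
+/**
+* Runtime engine type
+*/
+engine: zod_1.z.enum([
+'v8-isolate', // V8 isolate-based isolation (lightweight, fast)
+'wasm', // WebAssembly-based isolation (secure, portable)
+'container', // Container-based isolation (Docker, podman)
+'process', // Process-based isolation (traditional)
+]).default('v8-isolate')
+.describe('Execution environment engine'),
+/**
+* Engine-specific configuration
+*/
+engineConfig: zod_1.z.object({
+/**
+* WASM-specific settings (when engine is "wasm")
+*/
+wasm: zod_1.z.object({
+/**
+* Maximum memory pages (64KB per page)
+*/
+maxMemoryPages: zod_1.z.number().int().min(1).max(65536).optional()
+.describe('Maximum WASM memory pages (64KB each)'),
+/**
+* Instruction execution limit
+*/
+instructionLimit: zod_1.z.number().int().min(1).optional()
+.describe('Maximum instructions before timeout'),
+/**
+* Enable SIMD instructions
+*/
+enableSimd: zod_1.z.boolean().default(false)
+.describe('Enable WebAssembly SIMD support'),
+/**
+* Enable threads
+*/
+enableThreads: zod_1.z.boolean().default(false)
+.describe('Enable WebAssembly threads'),
+/**
+* Enable bulk memory operations
+*/
+enableBulkMemory: zod_1.z.boolean().default(true)
+.describe('Enable bulk memory operations'),
+}).optional(),
+/**
+* Container-specific settings (when engine is "container")
+*/
+container: zod_1.z.object({
+/**
+* Container image
+*/
+image: zod_1.z.string().optional()
+.describe('Container image to use'),
+/**
+* Container runtime
+*/
+runtime: zod_1.z.enum(['docker', 'podman', 'containerd']).default('docker'),
+/**
+* Resource limits
+*/
+resources: zod_1.z.object({
+cpuLimit: zod_1.z.string().optional().describe('CPU limit (e.g., "0.5", "2")'),
+memoryLimit: zod_1.z.string().optional().describe('Memory limit (e.g., "512m", "1g")'),
+}).optional(),
+/**
+* Network mode
+*/
+networkMode: zod_1.z.enum(['none', 'bridge', 'host']).default('bridge'),
+}).optional(),
+/**
+* V8 Isolate-specific settings (when engine is "v8-isolate")
+*/
+v8Isolate: zod_1.z.object({
+/**
+* Heap size limit in MB
+*/
+heapSizeMb: zod_1.z.number().int().min(1).optional(),
+/**
+* Enable snapshot
+*/
+enableSnapshot: zod_1.z.boolean().default(true),
+}).optional(),
+}).optional(),
+/**
+* General resource limits (applies to all engines)
+*/
+resourceLimits: zod_1.z.object({
+/**
+* Maximum memory in bytes
+*/
+maxMemory: zod_1.z.number().int().optional()
+.describe('Maximum memory allocation'),
+/**
+* Maximum CPU percentage
+*/
+maxCpu: zod_1.z.number().min(0).max(100).optional()
+.describe('Maximum CPU usage percentage'),
+/**
+* Execution timeout in milliseconds
+*/
+timeout: zod_1.z.number().int().min(0).optional()
+.describe('Maximum execution time'),
+}).optional(),
+});
+/**
+* Sandbox Configuration
+* Defines how plugin is isolated
+*/
+exports.SandboxConfigSchema = zod_1.z.object({
+/**
+* Enable sandboxing
+*/
+enabled: zod_1.z.boolean().default(true),
+/**
+* Sandboxing level
+*/
+level: zod_1.z.enum([
+'none', // No sandboxing
+'minimal', // Basic isolation
+'standard', // Standard sandboxing
+'strict', // Strict isolation
+'paranoid', // Maximum isolation
+]).default('standard'),
+/**
+* Runtime environment configuration
+*/
+runtime: exports.RuntimeConfigSchema.optional()
+.describe('Execution environment and isolation settings'),
+/**
+* File system access
+*/
+filesystem: zod_1.z.object({
+mode: zod_1.z.enum(['none', 'readonly', 'restricted', 'full']).default('restricted'),
+allowedPaths: zod_1.z.array(zod_1.z.string()).optional().describe('Whitelisted paths'),
+deniedPaths: zod_1.z.array(zod_1.z.string()).optional().describe('Blacklisted paths'),
+maxFileSize: zod_1.z.number().int().optional().describe('Maximum file size in bytes'),
+}).optional(),
+/**
+* Network access
+*/
+network: zod_1.z.object({
+mode: zod_1.z.enum(['none', 'local', 'restricted', 'full']).default('restricted'),
+allowedHosts: zod_1.z.array(zod_1.z.string()).optional().describe('Whitelisted hosts'),
+deniedHosts: zod_1.z.array(zod_1.z.string()).optional().describe('Blacklisted hosts'),
+allowedPorts: zod_1.z.array(zod_1.z.number()).optional().describe('Allowed port numbers'),
+maxConnections: zod_1.z.number().int().optional(),
+}).optional(),
+/**
+* Process execution
+*/
+process: zod_1.z.object({
+allowSpawn: zod_1.z.boolean().default(false).describe('Allow spawning child processes'),
+allowedCommands: zod_1.z.array(zod_1.z.string()).optional().describe('Whitelisted commands'),
+timeout: zod_1.z.number().int().optional().describe('Process timeout in ms'),
+}).optional(),
+/**
+* Memory limits
+*/
+memory: zod_1.z.object({
+maxHeap: zod_1.z.number().int().optional().describe('Maximum heap size in bytes'),
+maxStack: zod_1.z.number().int().optional().describe('Maximum stack size in bytes'),
+}).optional(),
+/**
+* CPU limits
+*/
+cpu: zod_1.z.object({
+maxCpuPercent: zod_1.z.number().min(0).max(100).optional(),
+maxThreads: zod_1.z.number().int().optional(),
+}).optional(),
+/**
+* Environment variables
+*/
+environment: zod_1.z.object({
+mode: zod_1.z.enum(['none', 'readonly', 'restricted', 'full']).default('readonly'),
+allowedVars: zod_1.z.array(zod_1.z.string()).optional(),
+deniedVars: zod_1.z.array(zod_1.z.string()).optional(),
+}).optional(),
+});
+/**
+* Security Vulnerability
+* Represents a known security vulnerability
+*/
+exports.SecurityVulnerabilitySchema = zod_1.z.object({
+/**
+* CVE identifier
+*/
+cve: zod_1.z.string().optional(),
+/**
+* Vulnerability identifier
+*/
+id: zod_1.z.string(),
+/**
+* Severity level
+*/
+severity: zod_1.z.enum(['critical', 'high', 'medium', 'low', 'info']),
+/**
+* Category (e.g., SAST, DAST, Dependency)
+*/
+category: zod_1.z.string().optional(),
+/**
+* Title
+*/
+title: zod_1.z.string(),
+/**
+* Location of the vulnerability
+*/
+location: zod_1.z.string().optional(),
+/**
+* Remediation steps
+*/
+remediation: zod_1.z.string().optional(),
+/**
+* Description
+*/
+description: zod_1.z.string(),
+/**
+* Affected versions
+*/
+affectedVersions: zod_1.z.array(zod_1.z.string()),
+/**
+* Fixed in versions
+*/
+fixedIn: zod_1.z.array(zod_1.z.string()).optional(),
+/**
+* CVSS score
+*/
+cvssScore: zod_1.z.number().min(0).max(10).optional(),
+/**
+* Exploit availability
+*/
+exploitAvailable: zod_1.z.boolean().default(false),
+/**
+* Patch available
+*/
+patchAvailable: zod_1.z.boolean().default(false),
+/**
+* Workaround
+*/
+workaround: zod_1.z.string().optional(),
+/**
+* References
+*/
+references: zod_1.z.array(zod_1.z.string()).optional(),
+/**
+* Discovered date
+*/
+discoveredDate: zod_1.z.string().datetime().optional(),
+/**
+* Published date
+*/
+publishedDate: zod_1.z.string().datetime().optional(),
+});
+/**
+* Security Scan Result
+* Result of security scanning
+*/
+exports.SecurityScanResultSchema = zod_1.z.object({
+/**
+* Scan timestamp
+*/
+timestamp: zod_1.z.string().datetime(),
+/**
+* Scanner information
+*/
+scanner: zod_1.z.object({
+name: zod_1.z.string(),
+version: zod_1.z.string(),
+}),
+/**
+* Overall status
+*/
+status: zod_1.z.enum(['passed', 'failed', 'warning']),
+/**
+* Vulnerabilities found
+*/
+vulnerabilities: zod_1.z.array(exports.SecurityVulnerabilitySchema).optional(),
+/**
+* Code quality issues
+*/
+codeIssues: zod_1.z.array(zod_1.z.object({
+severity: zod_1.z.enum(['error', 'warning', 'info']),
+type: zod_1.z.string().describe('Issue type (e.g., sql-injection, xss)'),
+file: zod_1.z.string(),
+line: zod_1.z.number().int().optional(),
+message: zod_1.z.string(),
+suggestion: zod_1.z.string().optional(),
+})).optional(),
+/**
+* Dependency vulnerabilities
+*/
+dependencyVulnerabilities: zod_1.z.array(zod_1.z.object({
+package: zod_1.z.string(),
+version: zod_1.z.string(),
+vulnerability: exports.SecurityVulnerabilitySchema,
+})).optional(),
+/**
+* License compliance
+*/
+licenseCompliance: zod_1.z.object({
+status: zod_1.z.enum(['compliant', 'non-compliant', 'unknown']),
+issues: zod_1.z.array(zod_1.z.object({
+package: zod_1.z.string(),
+license: zod_1.z.string(),
+reason: zod_1.z.string(),
+})).optional(),
+}).optional(),
+/**
+* Summary statistics
+*/
+summary: zod_1.z.object({
+totalVulnerabilities: zod_1.z.number().int(),
+criticalCount: zod_1.z.number().int(),
+highCount: zod_1.z.number().int(),
+mediumCount: zod_1.z.number().int(),
+lowCount: zod_1.z.number().int(),
+infoCount: zod_1.z.number().int(),
+}),
+});
+/**
+* Security Policy
+* Defines security policies for plugin
+*/
+exports.SecurityPolicySchema = zod_1.z.object({
+/**
+* Content Security Policy
+*/
+csp: zod_1.z.object({
+directives: zod_1.z.record(zod_1.z.string(), zod_1.z.array(zod_1.z.string())).optional(),
+reportOnly: zod_1.z.boolean().default(false),
+}).optional(),
+/**
+* CORS policy
+*/
+cors: zod_1.z.object({
+allowedOrigins: zod_1.z.array(zod_1.z.string()),
+allowedMethods: zod_1.z.array(zod_1.z.string()),
+allowedHeaders: zod_1.z.array(zod_1.z.string()),
+allowCredentials: zod_1.z.boolean().default(false),
+maxAge: zod_1.z.number().int().optional(),
+}).optional(),
+/**
+* Rate limiting
+*/
+rateLimit: zod_1.z.object({
+enabled: zod_1.z.boolean().default(true),
+maxRequests: zod_1.z.number().int(),
+windowMs: zod_1.z.number().int().describe('Time window in milliseconds'),
+strategy: zod_1.z.enum(['fixed', 'sliding', 'token-bucket']).default('sliding'),
+}).optional(),
+/**
+* Authentication requirements
+*/
+authentication: zod_1.z.object({
+required: zod_1.z.boolean().default(true),
+methods: zod_1.z.array(zod_1.z.enum(['jwt', 'oauth2', 'api-key', 'session', 'certificate'])),
+tokenExpiration: zod_1.z.number().int().optional().describe('Token expiration in seconds'),
+}).optional(),
+/**
+* Encryption requirements
+*/
+encryption: zod_1.z.object({
+dataAtRest: zod_1.z.boolean().default(false).describe('Encrypt data at rest'),
+dataInTransit: zod_1.z.boolean().default(true).describe('Enforce HTTPS/TLS'),
+algorithm: zod_1.z.string().optional().describe('Encryption algorithm'),
+minKeyLength: zod_1.z.number().int().optional().describe('Minimum key length in bits'),
+}).optional(),
+/**
+* Audit logging
+*/
+auditLog: zod_1.z.object({
+enabled: zod_1.z.boolean().default(true),
+events: zod_1.z.array(zod_1.z.string()).optional().describe('Events to log'),
+retention: zod_1.z.number().int().optional().describe('Log retention in days'),
+}).optional(),
+});
+/**
+* Plugin Trust Level
+* Indicates trust level of plugin
+*/
+exports.PluginTrustLevelSchema = zod_1.z.enum([
+'verified', // Official/verified plugin
+'trusted', // Trusted third-party
+'community', // Community plugin
+'untrusted', // Unverified plugin
+'blocked', // Blocked/malicious
+]).describe('Trust level of the plugin');
+/**
+* Plugin Security Manifest
+* Complete security information for plugin
+*/
+exports.PluginSecurityManifestSchema = zod_1.z.object({
+/**
+* Plugin identifier
+*/
+pluginId: zod_1.z.string(),
+/**
+* Trust level
+*/
+trustLevel: exports.PluginTrustLevelSchema,
+/**
+* Required permissions
+*/
+permissions: exports.PermissionSetSchema,
+/**
+* Sandbox configuration
+*/
+sandbox: exports.SandboxConfigSchema,
+/**
+* Security policy
+*/
+policy: exports.SecurityPolicySchema.optional(),
+/**
+* Security scan results
+*/
+scanResults: zod_1.z.array(exports.SecurityScanResultSchema).optional(),
+/**
+* Known vulnerabilities
+*/
+vulnerabilities: zod_1.z.array(exports.SecurityVulnerabilitySchema).optional(),
+/**
+* Code signing
+*/
+codeSigning: zod_1.z.object({
+signed: zod_1.z.boolean(),
+signature: zod_1.z.string().optional(),
+certificate: zod_1.z.string().optional(),
+algorithm: zod_1.z.string().optional(),
+timestamp: zod_1.z.string().datetime().optional(),
+}).optional(),
+/**
+* Security certifications
+*/
+certifications: zod_1.z.array(zod_1.z.object({
+name: zod_1.z.string().describe('Certification name (e.g., SOC 2, ISO 27001)'),
+issuer: zod_1.z.string(),
+issuedDate: zod_1.z.string().datetime(),
+expiryDate: zod_1.z.string().datetime().optional(),
+certificateUrl: zod_1.z.string().url().optional(),
+})).optional(),
+/**
+* Security contact
+*/
+securityContact: zod_1.z.object({
+email: zod_1.z.string().email().optional(),
+url: zod_1.z.string().url().optional(),
+pgpKey: zod_1.z.string().optional(),
+}).optional(),
+/**
+* Vulnerability disclosure policy
+*/
+vulnerabilityDisclosure: zod_1.z.object({
+policyUrl: zod_1.z.string().url().optional(),
+responseTime: zod_1.z.number().int().optional().describe('Expected response time in hours'),
+bugBounty: zod_1.z.boolean().default(false),
+}).optional(),
+});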
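Review bot: Several limit fields in `SandboxConfigSchema` are checked only as `number().int()` with no range, so negative values for `maxFileSize`, `maxConnections`, `process.timeout`, `maxHeap`, `maxStack` and `maxThreads` pass validation, and `network.allowedPorts` accepts any number, including fractions and values outside 1–65535. `RuntimeConfigSchema.resourceLimits.maxMemory` has the same gap, while `maxMemoryPages`, `heapSizeMb` and `maxCpu` in the same file are bounded. How an enforcer treats a negative limit is not visible here, but a schema that guards isolation settings should reject such input instead of passing it on; the fence below shows bounded forms of the sandbox fields. Two cross-field gaps also deserve a `superRefine`: `enabled: true` validates together with `level: 'none'`, and `codeSigning.signed: true` validates with no `signature`, `certificate` or `algorithm`. This file is compiled output, so the change belongs in `src/system/plugin-security-advanced.zod.ts`, the source named in the accompanying source map.

```javascript
// … unchanged: enabled, level, runtime; filesystem mode and path lists …
maxFileSize: zod_1.z.number().int().min(0).optional().describe('Maximum file size in bytes'),
// … unchanged: network mode and host lists …
allowedPorts: zod_1.z.array(zod_1.z.number().int().min(1).max(65535)).optional().describe('Allowed port numbers'),
maxConnections: zod_1.z.number().int().min(0).optional(),
// … unchanged: process.allowSpawn, process.allowedCommands …
timeout: zod_1.z.number().int().min(0).optional().describe('Process timeout in ms'),
// … memory …
maxHeap: zod_1.z.number().int().min(0).optional().describe('Maximum heap size in bytes'),
maxStack: zod_1.z.number().int().min(0).optional().describe('Maximum stack size in bytes'),
// … unchanged: cpu.maxCpuPercent …
maxThreads: zod_1.z.number().int().min(0).optional(),
// … unchanged: environment …
```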