@thotischner/observability-mcp 1.3.4 → 1.4.1

package/dist/connectors/loader.js

@@ -0,0 +1,222 @@
+import { readdirSync, readFileSync, existsSync, statSync } from "node:fs";
+import { join, resolve } from "node:path";
+import { pathToFileURL } from "node:url";
+import { manifestSchema } from "../sdk/manifest-schema.js";
+import { PrometheusConnector } from "./prometheus.js";
+import { LokiConnector } from "./loki.js";
+import { sanitizeForLog } from "../util/sanitize.js";
+import { instrumentConnector } from "../metrics/instrument-connector.js";
+import { loadTrustRoot, verifyIntegrity, verifyManifestSignature, PluginVerificationError, } from "./verify.js";
+/**
+ * Resolves which connector implementations the server should know about,
+ * applying three sources in order (later overrides earlier):
+ *   1. builtin shim — Prometheus/Loki bundled with the server
+ *   2. filesystem  — every subdir of PLUGINS_DIR with a valid package.json
+ *   3. config-pinned — `plugins:` block in sources.yaml (not yet wired)
+ *
+ * The legacy `connectorFactories` map in registry.ts can be replaced
+ * with this loader's output without changing observable behaviour.
+ */
+export class PluginLoader {
+    connectors = new Map();
+    pluginsDir;
+    disabled;
+    // Fail-closed verification for filesystem plugins. Builtins are part
+    // of the trusted image and are never gated. Default off so existing
+    // deployments are unchanged; recommended on in prod/airgapped (the
+    // Helm chart sets it).
+    verify;
+    trustRootPath;
+    trustRoot;
+    constructor(opts = {}) {
+        this.pluginsDir = opts.pluginsDir
+            ?? process.env.PLUGINS_DIR
+            ?? "/app/plugins";
+        // Per-plugin disable via env: PLUGINS_DISABLED="prometheus,loki"
+        const envDisabled = (process.env.PLUGINS_DISABLED ?? "")
+            .split(",")
+            .map((s) => s.trim())
+            .filter(Boolean);
+        this.disabled = new Set([...(opts.disabled ?? []), ...envDisabled]);
+        this.verify = opts.verify ?? /^(1|true|yes)$/i.test(process.env.VERIFY_PLUGINS ?? "");
+        this.trustRootPath = opts.trustRoot ?? process.env.PLUGIN_TRUST_ROOT;
+    }
+    async load() {
+        this.loadBuiltins();
+        if (this.verify) {
+            if (!this.trustRootPath) {
+                console.warn("VERIFY_PLUGINS is on but PLUGIN_TRUST_ROOT is unset — refusing to load any filesystem plugins (fail-closed). Builtins remain available.");
+                return;
+            }
+            try {
+                this.trustRoot = loadTrustRoot(this.trustRootPath);
+                console.log("Plugin verification enabled; trust root loaded from %s", sanitizeForLog(this.trustRootPath));
+            }
+            catch (err) {
+                console.warn("VERIFY_PLUGINS is on but trust root failed to load (%s) — refusing to load any filesystem plugins (fail-closed). Builtins remain available.", sanitizeForLog(String(err)));
+                return;
+            }
+        }
+        await this.loadFilesystem();
+    }
+    list() {
+        return Array.from(this.connectors.values());
+    }
+    get(name) {
+        return this.connectors.get(name);
+    }
+    has(name) {
+        return this.connectors.has(name);
+    }
+    supportedTypes() {
+        return Array.from(this.connectors.keys());
+    }
+    /** Create a fresh instance of a connector. Returns undefined for unknown types. */
+    create(name) {
+        const entry = this.connectors.get(name);
+        if (!entry)
+            return undefined;
+        const c = entry.factory();
+        if (c instanceof Promise) {
+            // For now connectors are sync-constructed; if a plugin returns a
+            // Promise we await it lazily in the consumer. Document if/when
+            // this becomes a real pattern.
+            throw new Error(`Connector ${name} returned a Promise; async factories not yet wired`);
+        }
+        return instrumentConnector(c);
+    }
+    loadBuiltins() {
+        this.register({
+            name: "prometheus",
+            source: "builtin",
+            factory: () => new PrometheusConnector(),
+        });
+        this.register({
+            name: "loki",
+            source: "builtin",
+            factory: () => new LokiConnector(),
+        });
+    }
+    async loadFilesystem() {
+        const dir = this.pluginsDir;
+        if (!existsSync(dir))
+            return;
+        let entries;
+        try {
+            entries = readdirSync(dir);
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            const pluginRoot = join(dir, entry);
+            try {
+                if (!statSync(pluginRoot).isDirectory())
+                    continue;
+                await this.loadFilesystemPlugin(pluginRoot);
+            }
+            catch (err) {
+                console.warn("Failed to load plugin %s: %s", sanitizeForLog(entry), sanitizeForLog(String(err)));
+            }
+        }
+    }
+    async loadFilesystemPlugin(pluginRoot) {
+        const pkgPath = join(pluginRoot, "package.json");
+        if (!existsSync(pkgPath))
+            return;
+        const pkg = JSON.parse(readFileSync(pkgPath, "utf8"));
+        const marker = pkg.observabilityMcp;
+        if (!marker || marker.kind !== "connector" || !marker.name)
+            return;
+        let manifest;
+        let manifestPath;
+        let manifestBytes;
+        if (marker.manifest) {
+            manifestPath = resolve(pluginRoot, marker.manifest);
+            if (existsSync(manifestPath)) {
+                manifestBytes = readFileSync(manifestPath);
+                const raw = JSON.parse(manifestBytes.toString("utf8"));
+                const parsed = manifestSchema.safeParse(raw);
+                if (!parsed.success) {
+                    const issues = parsed.error.issues
+                        .map((i) => `${i.path.join(".")}: ${i.message}`)
+                        .join("; ");
+                    console.warn("Plugin %s has invalid manifest.json — %s; skipping", sanitizeForLog(marker.name), sanitizeForLog(issues));
+                    return;
+                }
+                manifest = parsed.data;
+                if (manifest.name !== marker.name) {
+                    console.warn("Plugin %s package.json marker name does not match manifest.json (%s); skipping", sanitizeForLog(marker.name), sanitizeForLog(manifest.name));
+                    return;
+                }
+            }
+        }
+        const entryFile = pkg.main || "index.js";
+        const entryPath = resolve(pluginRoot, entryFile);
+        if (!existsSync(entryPath)) {
+            console.warn("Plugin %s missing entry file %s", sanitizeForLog(marker.name), sanitizeForLog(entryFile));
+            return;
+        }
+        // Fail-closed verification gate. A plugin only loads under
+        // VERIFY_PLUGINS if it ships a manifest whose `integrity` matches
+        // the entry file AND a detached `<manifest>.sig` that verifies
+        // against the trust root. Everything is local — airgapped-safe.
+        if (this.verify) {
+            if (!manifest || !manifestPath || !manifestBytes) {
+                console.warn("VERIFY_PLUGINS: plugin %s has no manifest.json — skipping (fail-closed)", sanitizeForLog(marker.name));
+                return;
+            }
+            const sigPath = manifestPath + ".sig";
+            if (!existsSync(sigPath)) {
+                console.warn("VERIFY_PLUGINS: plugin %s missing manifest signature %s — skipping (fail-closed)", sanitizeForLog(marker.name), sanitizeForLog(marker.manifest + ".sig"));
+                return;
+            }
+            try {
+                verifyManifestSignature(manifestBytes, readFileSync(sigPath), this.trustRoot);
+                verifyIntegrity(entryPath, manifest.integrity);
+            }
+            catch (err) {
+                const detail = err instanceof PluginVerificationError ? err.message : String(err);
+                console.warn("VERIFY_PLUGINS: plugin %s failed verification (%s) — skipping (fail-closed)", sanitizeForLog(marker.name), sanitizeForLog(detail));
+                return;
+            }
+            console.log("VERIFY_PLUGINS: plugin %s signature + integrity OK", sanitizeForLog(marker.name));
+        }
+        const mod = await import(pathToFileURL(entryPath).href);
+        const factory = mod.default ?? mod.createConnector;
+        if (typeof factory !== "function") {
+            console.warn("Plugin %s has no default export factory", sanitizeForLog(marker.name));
+            return;
+        }
+        this.register({
+            name: marker.name,
+            source: "filesystem",
+            manifest,
+            factory,
+        });
+        console.log('Connector plugin "%s" loaded from %s', sanitizeForLog(marker.name), sanitizeForLog(pluginRoot));
+    }
+    register(entry) {
+        if (this.disabled.has(entry.name)) {
+            console.log("Connector %s disabled via PLUGINS_DISABLED; skipping", sanitizeForLog(entry.name));
+            return;
+        }
+        // Later sources override earlier ones; current call order is
+        // builtin → filesystem → config-pinned, matching the design doc.
+        this.connectors.set(entry.name, entry);
+    }
+}
+/**
+ * Singleton loader populated at server startup. The registry consults
+ * this for connector creation. Tests may swap in their own instance
+ * with `setPluginLoader`.
+ */
+let activeLoader = null;
+export function getPluginLoader() {
+    if (!activeLoader)
+        activeLoader = new PluginLoader();
+    return activeLoader;
+}
+export function setPluginLoader(loader) {
+    activeLoader = loader;
+}

package/dist/connectors/loki.js

@@ -54,13 +54,19 @@ export class LokiConnector {
     }
     async disconnect() { }
     async listServices() {
-        // Probe each candidate label and merge values. Loki streams may identify
-        // services via service_name, service, job, app, or container depending on
-        // the shipper configuration. Walking all candidates ensures historical
-        // streams remain reachable when label conventions change over time.
+        // Candidate labels are ordered by preference (service_name, service,
+        // job, app, container). The FIRST label that yields any values wins —
+        // we do not union across labels. Unioning duplicated every service:
+        // one real container is simultaneously `service="api-gateway"` and
+        // `container="myproj-api-gateway-1"`, and a co-located shipper can add
+        // unrelated `container` values (e.g. other compose/k8s containers on
+        // the same Docker host). The ordered fallback still keeps streams
+        // reachable on backends that only carry a low-priority label.
         const seen = new Map();
         for (const label of this.serviceLabels) {
             const values = await this.getLabelValues(label);
+            if (values.length === 0)
+                continue;
             for (const raw of values) {
                 // Docker's loki.source.docker writes container names with a leading '/'
                 // (Docker API Names[0] convention). Strip it for display so the name
@@ -75,6 +81,7 @@ export class LokiConnector {
                     });
                 }
             }
+            break; // first non-empty label is authoritative
         }
         return Array.from(seen.values());
     }
@@ -200,8 +207,9 @@ export class LokiConnector {
         return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
     }
     escapeLogQLRegex(value) {
-        // Escape backticks which would break the LogQL regex delimiter
-        return value.replace(/`/g, "\\`");
+        // Escape backslash first (so we don't double-escape sequences we add),
+        // then the backtick that delimits LogQL regex literals.
+        return value.replace(/\\/g, "\\\\").replace(/`/g, "\\`");
     }
     buildAuthHeaders() {
         if (!this.auth || this.auth.type === "none")

package/dist/connectors/loki.test.js

@@ -108,4 +108,31 @@ describe("LokiConnector", () => {
             assert.equal(proto.escapeLogQLRegex("error`test`"), "error\\`test\\`");
         });
     });
+    describe("listServices", () => {
+        function withLabelValues(map) {
+            const c = new LokiConnector();
+            c.serviceLabels = ["service_name", "service", "job", "app", "container"];
+            c.getLabelValues = async (label) => map[label] ?? [];
+            return c;
+        }
+        it("first non-empty label wins — does NOT union container aliases", async () => {
+            const c = withLabelValues({
+                service: ["api-gateway", "payment-service"],
+                // co-located shipper noise that must NOT leak in:
+                container: ["myproj-api-gateway-1", "k8s_POD_api-gateway_demo_x"],
+            });
+            const names = (await c.listServices()).map((s) => s.name).sort();
+            assert.deepEqual(names, ["api-gateway", "payment-service"]);
+        });
+        it("falls back to a lower-priority label only when higher ones are empty", async () => {
+            const c = withLabelValues({ container: ["/svc-a", "/svc-b"] });
+            const svcs = await c.listServices();
+            assert.deepEqual(svcs.map((s) => s.name).sort(), ["svc-a", "svc-b"]);
+            assert.equal(svcs[0].labels.discoveredVia, "container");
+        });
+        it("returns empty when no candidate label has values", async () => {
+            const c = withLabelValues({});
+            assert.deepEqual(await c.listServices(), []);
+        });
+    });
 });

package/dist/connectors/registry.d.ts

@@ -1,9 +1,12 @@
 import type { ObservabilityConnector } from "./interface.js";
 import type { Config, ConnectorHealth, SignalType, SourceConfig } from "../types.js";
+import { type PluginLoader } from "./loader.js";
 export declare function getSupportedTypes(): string[];
 export declare class ConnectorRegistry {
     private connectors;
     private sourceConfigs;
+    private loader;
+    constructor(loader?: PluginLoader);
     initialize(config: Config): Promise<void>;
     private connectSource;
     addSource(source: SourceConfig): Promise<void>;

package/dist/connectors/registry.js

@@ -1,15 +1,15 @@
-import { PrometheusConnector } from "./prometheus.js";
-import { LokiConnector } from "./loki.js";
-const connectorFactories = {
-    prometheus: () => new PrometheusConnector(),
-    loki: () => new LokiConnector(),
-};
+import { getPluginLoader } from "./loader.js";
+import { sanitizeForLog } from "../util/sanitize.js";
 export function getSupportedTypes() {
-    return Object.keys(connectorFactories);
+    return getPluginLoader().supportedTypes();
 }
 export class ConnectorRegistry {
     connectors = new Map();
     sourceConfigs = new Map();
+    loader;
+    constructor(loader = getPluginLoader()) {
+        this.loader = loader;
+    }
     async initialize(config) {
         for (const source of config.sources) {
             this.sourceConfigs.set(source.name, source);
@@ -19,19 +19,20 @@ export class ConnectorRegistry {
         }
     }
     async connectSource(source) {
-        const factory = connectorFactories[source.type];
-        if (!factory) {
-            console.warn(`Unknown connector type: ${source.type}, skipping ${source.name}`);
+        const connector = this.loader.create(source.type);
+        const safeName = sanitizeForLog(source.name);
+        const safeType = sanitizeForLog(source.type);
+        if (!connector) {
+            console.warn("Unknown connector type: %s, skipping %s", safeType, safeName);
             return;
         }
-        const connector = factory();
         try {
             await connector.connect(source);
             this.connectors.set(source.name, connector);
-            console.log(`Connector "${source.name}" (${source.type}) connected`);
+            console.log('Connector "%s" (%s) connected', safeName, safeType);
         }
         catch (err) {
-            console.error(`Failed to connect "${source.name}":`, err);
+            console.error('Failed to connect "%s":', safeName, err);
         }
     }
     async addSource(source) {
@@ -53,11 +54,10 @@ export class ConnectorRegistry {
         await this.addSource(source);
     }
     async testConnection(source) {
-        const factory = connectorFactories[source.type];
-        if (!factory) {
+        const connector = this.loader.create(source.type);
+        if (!connector) {
             return { status: "down", latencyMs: 0, message: `Unknown type: ${source.type}` };
         }
-        const connector = factory();
         try {
             await connector.connect(source);
             const health = await connector.healthCheck();

package/dist/connectors/tls.test.js

@@ -1,11 +1,11 @@
 import { describe, it, before, after } from "node:test";
 import assert from "node:assert/strict";
 import { Agent } from "node:https";
-import { writeFileSync, mkdirSync, rmSync } from "node:fs";
+import { writeFileSync, mkdtempSync, rmSync } from "node:fs";
 import { join } from "node:path";
 import { tmpdir } from "node:os";
 import { buildTlsAgent } from "./tls.js";
-const TMP_DIR = join(tmpdir(), "tls-test-" + Date.now());
+let TMP_DIR;
 function makeConfig(overrides = {}) {
     return { name: "test", type: "prometheus", url: "https://localhost:9090", enabled: true, ...overrides };
 }
@@ -38,7 +38,7 @@ describe("buildTlsAgent", () => {
     });
     describe("with certificate files", () => {
         before(() => {
-            mkdirSync(TMP_DIR, { recursive: true });
+            TMP_DIR = mkdtempSync(join(tmpdir(), "tls-test-"));
             writeFileSync(join(TMP_DIR, "ca.pem"), "-----BEGIN CERTIFICATE-----\nfake-ca\n-----END CERTIFICATE-----\n");
             writeFileSync(join(TMP_DIR, "client.pem"), "-----BEGIN CERTIFICATE-----\nfake-client\n-----END CERTIFICATE-----\n");
             writeFileSync(join(TMP_DIR, "client-key.pem"), "-----BEGIN PRIVATE KEY-----\nfake-key\n-----END PRIVATE KEY-----\n");

package/dist/connectors/verify.d.ts

@@ -0,0 +1,19 @@
+import { type KeyObject } from "node:crypto";
+export declare class PluginVerificationError extends Error {
+}
+/** Parse a PEM public key into a KeyObject. Throws PluginVerificationError. */
+export declare function loadTrustRoot(pemPath: string): KeyObject;
+/** "sha256-<base64>" digest of a buffer, matching the manifest `integrity` form. */
+export declare function sha256Integrity(data: Buffer): string;
+/**
+ * Constant-time-ish compare of the entry file against the manifest's
+ * declared integrity digest. Throws on mismatch.
+ */
+export declare function verifyIntegrity(entryPath: string, integrity: string | undefined): void;
+/**
+ * Verify a detached signature over the raw manifest bytes against the
+ * trust root. Signature is read as base64 (whitespace tolerated, e.g. a
+ * `manifest.json.sig` produced by `openssl dgst -sign ... | base64`).
+ * Throws PluginVerificationError if the signature does not verify.
+ */
+export declare function verifyManifestSignature(manifestBytes: Buffer, signatureBytes: Buffer, trustRoot: KeyObject): void;

package/dist/connectors/verify.js

@@ -0,0 +1,87 @@
+import { createHash, createPublicKey, verify as cryptoVerify } from "node:crypto";
+import { readFileSync } from "node:fs";
+// Airgapped-friendly plugin verification.
+//
+// No network, no external binary (no cosign): a plugin is trusted when
+//   1. its entry file hashes to the manifest's `integrity` digest, and
+//   2. the manifest bytes carry a detached signature that verifies
+//      against a locally-configured trust-root public key.
+//
+// Ed25519 and RSA/EC (PKCS#8 / SPKI PEM) trust roots are supported.
+export class PluginVerificationError extends Error {
+}
+/** Parse a PEM public key into a KeyObject. Throws PluginVerificationError. */
+export function loadTrustRoot(pemPath) {
+    let pem;
+    try {
+        pem = readFileSync(pemPath, "utf8");
+    }
+    catch (err) {
+        throw new PluginVerificationError(`trust root unreadable at ${pemPath}: ${String(err)}`);
+    }
+    try {
+        return createPublicKey(pem);
+    }
+    catch (err) {
+        throw new PluginVerificationError(`trust root is not a valid PEM public key: ${String(err)}`);
+    }
+}
+/** "sha256-<base64>" digest of a buffer, matching the manifest `integrity` form. */
+export function sha256Integrity(data) {
+    return "sha256-" + createHash("sha256").update(data).digest("base64");
+}
+/**
+ * Constant-time-ish compare of the entry file against the manifest's
+ * declared integrity digest. Throws on mismatch.
+ */
+export function verifyIntegrity(entryPath, integrity) {
+    if (!integrity) {
+        throw new PluginVerificationError("manifest has no integrity digest");
+    }
+    let bytes;
+    try {
+        bytes = readFileSync(entryPath);
+    }
+    catch (err) {
+        throw new PluginVerificationError(`entry file unreadable: ${String(err)}`);
+    }
+    const actual = sha256Integrity(bytes);
+    if (actual.length !== integrity.length || actual !== integrity) {
+        throw new PluginVerificationError(`entry file integrity mismatch (manifest=${integrity} actual=${actual})`);
+    }
+}
+/**
+ * Verify a detached signature over the raw manifest bytes against the
+ * trust root. Signature is read as base64 (whitespace tolerated, e.g. a
+ * `manifest.json.sig` produced by `openssl dgst -sign ... | base64`).
+ * Throws PluginVerificationError if the signature does not verify.
+ */
+export function verifyManifestSignature(manifestBytes, signatureBytes, trustRoot) {
+    const sig = decodeSignature(signatureBytes);
+    // Ed25519/Ed448 take algorithm=null; RSA/EC sign over a SHA-256 digest.
+    const keyType = trustRoot.asymmetricKeyType;
+    const algorithm = keyType === "ed25519" || keyType === "ed448" ? null : "sha256";
+    let ok = false;
+    try {
+        ok = cryptoVerify(algorithm, manifestBytes, trustRoot, sig);
+    }
+    catch (err) {
+        throw new PluginVerificationError(`signature verification errored: ${String(err)}`);
+    }
+    if (!ok) {
+        throw new PluginVerificationError("manifest signature does not match trust root");
+    }
+}
+// Accept either raw DER bytes or a base64/armored .sig file.
+function decodeSignature(raw) {
+    const text = raw.toString("utf8").trim();
+    if (/^[A-Za-z0-9+/\s=]+$/.test(text) && text.length > 0) {
+        const compact = text.replace(/\s+/g, "");
+        const b = Buffer.from(compact, "base64");
+        // Round-trip check: if it re-encodes cleanly it was really base64.
+        if (b.length > 0 && b.toString("base64").replace(/=+$/, "") === compact.replace(/=+$/, "")) {
+            return b;
+        }
+    }
+    return raw;
+}

package/dist/connectors/verify.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/connectors/verify.test.js

@@ -0,0 +1,63 @@
+import { test } from "node:test";
+import assert from "node:assert/strict";
+import { generateKeyPairSync, sign as cryptoSign, createPublicKey } from "node:crypto";
+import { mkdtempSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { sha256Integrity, verifyIntegrity, verifyManifestSignature, loadTrustRoot, PluginVerificationError, } from "./verify.js";
+function tmp() {
+    return mkdtempSync(join(tmpdir(), "verify-"));
+}
+test("sha256Integrity produces sha256-<base64> and round-trips", () => {
+    const digest = sha256Integrity(Buffer.from("hello"));
+    assert.match(digest, /^sha256-[A-Za-z0-9+/]+=*$/);
+    assert.equal(sha256Integrity(Buffer.from("hello")), digest);
+    assert.notEqual(sha256Integrity(Buffer.from("hellp")), digest);
+});
+test("verifyIntegrity passes on match, throws on mismatch and missing", () => {
+    const dir = tmp();
+    const entry = join(dir, "index.js");
+    writeFileSync(entry, "export default () => ({});\n");
+    const good = sha256Integrity(Buffer.from("export default () => ({});\n"));
+    assert.doesNotThrow(() => verifyIntegrity(entry, good));
+    assert.throws(() => verifyIntegrity(entry, "sha256-AAAA"), PluginVerificationError);
+    assert.throws(() => verifyIntegrity(entry, undefined), PluginVerificationError);
+    assert.throws(() => verifyIntegrity(join(dir, "nope.js"), good), PluginVerificationError);
+});
+test("Ed25519: valid signature verifies, tampered manifest is rejected", () => {
+    const { publicKey, privateKey } = generateKeyPairSync("ed25519");
+    const manifest = Buffer.from('{"name":"prometheus","schemaVersion":1}');
+    const sig = cryptoSign(null, manifest, privateKey);
+    assert.doesNotThrow(() => verifyManifestSignature(manifest, sig, publicKey));
+    // base64-armored signature (the form `openssl ... | base64` emits)
+    const armored = Buffer.from(sig.toString("base64"));
+    assert.doesNotThrow(() => verifyManifestSignature(manifest, armored, publicKey));
+    // tampered bytes
+    assert.throws(() => verifyManifestSignature(Buffer.from('{"name":"evil"}'), sig, publicKey), PluginVerificationError);
+});
+test("RSA trust root path (algorithm=sha256) verifies", () => {
+    const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
+    const manifest = Buffer.from('{"name":"loki"}');
+    const sig = cryptoSign("sha256", manifest, privateKey);
+    assert.doesNotThrow(() => verifyManifestSignature(manifest, sig, publicKey));
+});
+test("signature from a different key is rejected", () => {
+    const a = generateKeyPairSync("ed25519");
+    const b = generateKeyPairSync("ed25519");
+    const manifest = Buffer.from("payload");
+    const sig = cryptoSign(null, manifest, a.privateKey);
+    assert.throws(() => verifyManifestSignature(manifest, sig, b.publicKey), PluginVerificationError);
+});
+test("loadTrustRoot parses PEM and rejects garbage", () => {
+    const dir = tmp();
+    const { publicKey } = generateKeyPairSync("ed25519");
+    const pem = publicKey.export({ type: "spki", format: "pem" });
+    const p = join(dir, "trust.pem");
+    writeFileSync(p, pem);
+    const loaded = loadTrustRoot(p);
+    assert.equal(loaded.export({ type: "spki", format: "pem" }), createPublicKey(pem).export({ type: "spki", format: "pem" }));
+    const bad = join(dir, "bad.pem");
+    writeFileSync(bad, "not a key");
+    assert.throws(() => loadTrustRoot(bad), PluginVerificationError);
+    assert.throws(() => loadTrustRoot(join(dir, "missing.pem")), PluginVerificationError);
+});