haechi 0.9.0 → 1.1.0

package/packages/auth/index.mjs

@@ -212,4 +212,177 @@ export function createBearerAuthProvider({ path, cryptoProvider }) {
   };
 }
 
+// Conformance suite for any authProvider — the CORRECTNESS gate the plugin
+// loader runs before wiring a (sandboxed) auth plugin. It is NOT a malice screen
+// (a signed plugin can detect a fixed test and behave, so vectors are randomized
+// per run and the host re-validates PII-safety per call); it asserts the
+// enumerated security behaviors of the authProvider contract:
+//   - missing credential -> null
+//   - malformed credential -> null
+//   - expired / not-yet-valid credential (clock via injected now) -> null
+//   - an internal throw surfaces to the caller as null (never propagates)
+//   - a returned identity MUST carry subjectHash AND issuerHash, and MUST NOT
+//     contain any field whose value equals the raw input subject or issuer
+//   - deny is DETERMINISTIC for identical input
+//   - a valid credential -> a well-formed PII-safe identity
+//
+// vectors lets a caller supply the request builders / raw values; by default a
+// randomized-per-run vector set is generated so a plugin cannot hardcode the
+// test. Mirrors assertCryptoProviderConformance's check/assert/failures shape.
+export async function assertAuthProviderConformance(provider, { now = Date.now(), vectors } = {}) {
+  const failures = [];
+  const check = async (name, fn) => {
+    try {
+      await fn();
+    } catch (error) {
+      failures.push(`${name}: ${error.message}`);
+    }
+  };
+  const assert = (condition, message) => {
+    if (!condition) {
+      throw new Error(message);
+    }
+  };
+
+  if (typeof provider?.authenticate !== "function") {
+    throw new Error("authProvider must implement authenticate()");
+  }
+
+  const v = vectors ?? randomAuthVectors(now);
+
+  // A contract-conformant authProvider must never throw into the caller. We wrap
+  // every call so a throw becomes an explicit failure in the relevant check
+  // rather than aborting the whole suite — except the dedicated throw-vector
+  // check below, which asserts the provider itself swallowed the throw.
+  const callRaw = (request) => provider.authenticate(request);
+  const callSafe = async (request) => {
+    try {
+      return await provider.authenticate(request);
+    } catch (error) {
+      return { __threw: true, error };
+    }
+  };
+
+  await check("missing credential -> null", async () => {
+    const result = await callSafe(v.missing.request);
+    assert(!result?.__threw, "authenticate threw on a missing credential (must return null)");
+    assert(result === null, "missing credential must deny with null");
+  });
+
+  await check("malformed credential -> null", async () => {
+    const result = await callSafe(v.malformed.request);
+    assert(!result?.__threw, "authenticate threw on a malformed credential (must return null)");
+    assert(result === null, "malformed credential must deny with null");
+  });
+
+  await check("expired credential -> null", async () => {
+    const result = await callSafe(v.expired.request);
+    assert(!result?.__threw, "authenticate threw on an expired credential (must return null)");
+    assert(result === null, "expired credential must deny with null");
+  });
+
+  await check("not-yet-valid credential -> null", async () => {
+    const result = await callSafe(v.notYetValid.request);
+    assert(!result?.__threw, "authenticate threw on a not-yet-valid credential (must return null)");
+    assert(result === null, "not-yet-valid credential must deny with null");
+  });
+
+  await check("an internal throw surfaces to the caller as null (never propagates)", async () => {
+    let propagated = false;
+    let result;
+    try {
+      result = await callRaw(v.throwing.request);
+    } catch {
+      propagated = true;
+    }
+    assert(!propagated, "authenticate propagated an internal throw (must catch and deny with null)");
+    assert(result === null, "an internal error must deny with null, not a non-null identity");
+  });
+
+  await check("deny is deterministic for identical input", async () => {
+    const a = await callSafe(v.malformed.request);
+    const b = await callSafe(v.malformed.request);
+    assert(!a?.__threw && !b?.__threw, "authenticate threw while checking determinism");
+    assert(a === b, "deny is not deterministic for identical input (expected null both times)");
+    assert(a === null, "expected a deterministic null deny");
+  });
+
+  await check("valid credential -> a well-formed, PII-safe identity", async () => {
+    const identity = await callSafe(v.valid.request);
+    assert(!identity?.__threw, "authenticate threw on a valid credential");
+    assert(identity && typeof identity === "object", "a valid credential must return an identity object");
+    assert(typeof identity.subjectHash === "string" && identity.subjectHash.length > 0,
+      "identity must carry a non-empty subjectHash");
+    assert(typeof identity.issuerHash === "string" && identity.issuerHash.length > 0,
+      "identity must carry a non-empty issuerHash");
+    // PII-safety: no field value may equal the raw input subject or issuer.
+    assertNoRawPii(identity, v.valid.subject, v.valid.issuer, assert);
+
+    // Determinism for the accept path too: identical valid input -> identical
+    // identity (a non-deterministic identity breaks audit correlation).
+    const again = await callSafe(v.valid.request);
+    assert(!again?.__threw, "authenticate threw on a repeated valid credential");
+    assert(JSON.stringify(again) === JSON.stringify(identity),
+      "accept is not deterministic for identical valid input");
+  });
+
+  if (failures.length > 0) {
+    return { ok: false, failures };
+  }
+  return { ok: true, failures: [] };
+}
+
+// Recursively assert no value in the identity equals the raw subject/issuer. The
+// keyed-HMAC subjectHash/issuerHash are derived from these, so an equality
+// against the raw value would mean a PII leak (or an un-hashed passthrough).
+function assertNoRawPii(value, subject, issuer, assert, path = "identity") {
+  if (typeof value === "string") {
+    assert(value !== subject, `${path} contains the raw subject (PII leak)`);
+    assert(value !== issuer, `${path} contains the raw issuer (PII leak)`);
+    return;
+  }
+  if (Array.isArray(value)) {
+    value.forEach((item, i) => assertNoRawPii(item, subject, issuer, assert, `${path}[${i}]`));
+    return;
+  }
+  if (value && typeof value === "object") {
+    for (const [key, item] of Object.entries(value)) {
+      assertNoRawPii(item, subject, issuer, assert, `${path}.${key}`);
+    }
+  }
+}
+
+function randomAuthVectors(now) {
+  const nowMs = typeof now === "number" ? now : Date.parse(now);
+  // Per-run random so a plugin cannot hardcode the expected test values.
+  const nonce = randomBytes(8).toString("hex");
+  const subject = `subj-${randomBytes(6).toString("hex")}`;
+  const issuer = `iss-${randomBytes(6).toString("hex")}`;
+  const validToken = `valid.${nonce}.${randomBytes(8).toString("hex")}`;
+  const expiredToken = `expired.${nonce}.${randomBytes(8).toString("hex")}`;
+  const notYetToken = `notyet.${nonce}.${randomBytes(8).toString("hex")}`;
+  const malformedToken = `~malformed~${nonce}`;
+  const throwToken = `throw.${nonce}`;
+
+  const bearer = (token) => ({ headers: { authorization: `Bearer ${token}` } });
+  // The valid credential encodes the random subject/issuer so any provider that
+  // echoes/leaks them into the returned identity is caught by assertNoRawPii.
+  // The credential is structured as "valid.<nonce>.<randHex>.<subject>.<issuer>"
+  // so a provider COULD extract them — but it MUST then keyed-hash them (not echo
+  // them raw) for the PII-safety assertion to pass. This makes the default-vector
+  // PII check non-vacuous: a leaking provider fails without custom vectors.
+  const validTokenWithPii = `${validToken}.${subject}.${issuer}`;
+  return {
+    nowMs,
+    subject,
+    issuer,
+    missing: { request: { headers: {} } },
+    malformed: { request: bearer(malformedToken), token: malformedToken },
+    expired: { request: bearer(expiredToken), token: expiredToken },
+    notYetValid: { request: bearer(notYetToken), token: notYetToken },
+    throwing: { request: bearer(throwToken), token: throwToken },
+    valid: { request: bearer(validTokenWithPii), token: validTokenWithPii, subject, issuer }
+  };
+}
+
 export { DEFAULT_ALLOWED_LABEL_KEYS };

package/packages/cli/bin/haechi.mjs

@@ -660,7 +660,7 @@ function printHelp(topic) {
     "plugin-validate", "mcp-stdio", "mcp-wrap", "auth", "config"
   ];
   const lines = order.map((name) => `  ${name.padEnd(16)}${COMMAND_HELP[name].summary}`);
-  console.log(`Haechi — self-hosted AI context enforcement (developer preview)
+  console.log(`Haechi — self-hosted AI context enforcement
 
 Usage:
   haechi <command> [options]

package/packages/cli/runtime.mjs

@@ -10,8 +10,22 @@ import { loadVerifiedPolicyBundleFileSync } from "../policy-bundle/index.mjs";
 import { createProtocolAdapter } from "../protocol-adapters/index.mjs";
 import { applyPrivacyProfile, getPrivacyProfile } from "../privacy-profiles/index.mjs";
 import { createBearerAuthProvider } from "../auth/index.mjs";
+import { createSandboxedAuthProviderSync, createProcessIsolatedAuthProviderSync } from "../plugin/index.mjs";
 import { DEFAULT_PROXY_PORT } from "../proxy/index.mjs";
 
+// Capability keys an operator may allowlist for a plugin. Mirrors the plugin
+// manifest's declared-capability set plus the authProvider-specific
+// readsCredentials. Inlined (not imported) to keep the dependency one-way.
+const KNOWN_PLUGIN_CAPABILITIES = new Set([
+  "readsPlaintext",
+  "writesPlaintext",
+  "networkEgress",
+  "fileWrite",
+  "auditWrite",
+  "externalSecrets",
+  "readsCredentials"
+]);
+
 export const DEFAULT_CONFIG_PATH = "haechi.config.json";
 
 export function defaultConfig() {
@@ -85,6 +99,12 @@ export function defaultConfig() {
       store: ".haechi/auth.json",
       allowedLabelKeys: ["team", "env", "tier", "role"]
     },
+    // Top-level kill-switch for dynamic plugin loading (1.0 §2.2). Default true;
+    // an operator sets `plugins.enabled: false` to force-refuse construction of
+    // any sandboxed plugin (a live force-drop, since revocation is next-load).
+    plugins: {
+      enabled: true
+    },
     mcp: {
       allowedMethods: ["initialize", "tools/call", "resources/read", "prompts/get"],
       protectParams: true,
@@ -128,8 +148,10 @@ export function createRuntime(config, providers = {}) {
   // closed at construction rather than deep in a request if a needing feature
   // is configured without it.
   if (typeof cryptoProvider.hmac !== "function"
-    && (normalized.auth.provider === "bearer" || normalized.tokenVault.deterministic)) {
-    throw new Error("cryptoProvider must implement hmac() for bearer auth / deterministic tokenization");
+    && (normalized.auth.provider === "bearer"
+      || normalized.auth.provider === "plugin"
+      || normalized.tokenVault.deterministic)) {
+    throw new Error("cryptoProvider must implement hmac() for bearer/plugin auth / deterministic tokenization");
   }
   const auditSink = providers.auditSink ?? createJsonlAuditSink({
     path: normalized.audit.path,
@@ -169,7 +191,7 @@ export function createRuntime(config, providers = {}) {
   const policyEngine = providers.policyEngine ?? policyProfiles.base.policyEngine;
   assertProvider("policyEngine", policyEngine, ["decide"]);
 
-  const authProvider = resolveAuthProvider(normalized, providers, cryptoProvider);
+  const authProvider = resolveAuthProvider(normalized, providers, cryptoProvider, auditSink);
 
   return {
     config: normalized,
@@ -250,6 +272,10 @@ export function normalizeConfig(config) {
       ...(config.auth ?? {}),
       allowedLabelKeys: config.auth?.allowedLabelKeys ?? defaultConfig().auth.allowedLabelKeys
     },
+    plugins: {
+      ...defaultConfig().plugins,
+      ...(config.plugins ?? {})
+    },
     mcp: {
       ...defaultConfig().mcp,
       ...(config.mcp ?? {}),
@@ -340,7 +366,7 @@ export function normalizeConfig(config) {
     throw new Error("limits.upstreamTimeoutMs must be a positive number");
   }
   validatePolicyExtras(merged.policy);
-  if (!["none", "bearer", "external"].includes(merged.auth.provider)) {
+  if (!["none", "bearer", "external", "plugin"].includes(merged.auth.provider)) {
     throw new Error(`Invalid auth.provider: ${merged.auth.provider}`);
   }
   if (typeof merged.auth.store !== "string" || !merged.auth.store.trim()) {
@@ -350,6 +376,9 @@ export function normalizeConfig(config) {
     || !merged.auth.allowedLabelKeys.every((key) => typeof key === "string" && key.trim())) {
     throw new Error("auth.allowedLabelKeys must be an array of non-empty strings");
   }
+  if (merged.auth.provider === "plugin") {
+    validatePluginAuthConfig(merged);
+  }
   createProtocolAdapter(merged.target);
   return merged;
 }
@@ -411,7 +440,161 @@ function assertRate(value, label) {
   }
 }
 
-function resolveAuthProvider(config, providers, cryptoProvider) {
+// Enumerated, fail-closed validation of auth.provider:"plugin" (1.0 §2.3). Every
+// rule throws a distinct error so a bad option is attributable. Mirrors the
+// keys/tokenVault rigor — no silent degradation.
+function validatePluginAuthConfig(merged) {
+  // Kill-switch: refuse to construct any plugin when plugins.enabled is false.
+  if (typeof merged.plugins?.enabled !== "boolean") {
+    throw new Error("plugins.enabled must be boolean");
+  }
+  if (merged.plugins.enabled === false) {
+    throw new Error("plugins are disabled (plugins.enabled: false); refusing to construct a plugin authProvider");
+  }
+
+  const plugin = merged.auth.plugin;
+  if (!plugin || typeof plugin !== "object" || Array.isArray(plugin)) {
+    throw new Error("auth.provider 'plugin' requires an auth.plugin object");
+  }
+  if (typeof plugin.manifestPath !== "string" || !plugin.manifestPath.trim()) {
+    throw new Error("auth.plugin.manifestPath must be a non-empty string");
+  }
+
+  // trustAnchors: a non-empty array of {keyId, publicKey} OR a non-empty object
+  // map keyId -> publicKey/anchor.
+  const anchors = plugin.trustAnchors;
+  if (Array.isArray(anchors)) {
+    if (anchors.length === 0) {
+      throw new Error("auth.plugin.trustAnchors must be a non-empty array");
+    }
+    for (const anchor of anchors) {
+      if (!anchor || typeof anchor !== "object"
+        || typeof anchor.keyId !== "string" || !anchor.keyId.trim()
+        || anchor.publicKey === undefined || anchor.publicKey === null) {
+        throw new Error("each auth.plugin.trustAnchors entry must be { keyId, publicKey }");
+      }
+    }
+  } else if (anchors && typeof anchors === "object") {
+    const keys = Object.keys(anchors);
+    if (keys.length === 0) {
+      throw new Error("auth.plugin.trustAnchors must be a non-empty object");
+    }
+    for (const keyId of keys) {
+      if (anchors[keyId] === undefined || anchors[keyId] === null) {
+        throw new Error(`auth.plugin.trustAnchors.${keyId} must be a public key`);
+      }
+    }
+  } else {
+    throw new Error("auth.plugin.trustAnchors must be a non-empty array or object of { keyId, publicKey }");
+  }
+
+  // allowCapabilities: an array of known capability keys, including readsCredentials.
+  if (!Array.isArray(plugin.allowCapabilities) || plugin.allowCapabilities.length === 0) {
+    throw new Error("auth.plugin.allowCapabilities must be a non-empty array of capability keys");
+  }
+  for (const capability of plugin.allowCapabilities) {
+    if (typeof capability !== "string" || !KNOWN_PLUGIN_CAPABILITIES.has(capability)) {
+      throw new Error(`auth.plugin.allowCapabilities contains an unknown capability: ${capability}`);
+    }
+  }
+  if (!plugin.allowCapabilities.includes("readsCredentials")) {
+    throw new Error("auth.plugin.allowCapabilities must include readsCredentials for an authProvider");
+  }
+
+  // isolation: "worker" (default, 1.0 worker_threads — memory/crash isolation) or
+  // "process" (1.1 — a --permission child with real capability enforcement).
+  const isolation = plugin.isolation ?? "worker";
+  if (!["worker", "process"].includes(isolation)) {
+    throw new Error(`auth.plugin.isolation must be "worker" or "process" (got: ${JSON.stringify(plugin.isolation)})`);
+  }
+
+  if (!Number.isInteger(plugin.timeoutMs) || plugin.timeoutMs <= 0) {
+    throw new Error("auth.plugin.timeoutMs must be a positive integer");
+  }
+
+  if (isolation === "worker") {
+    // worker_threads resourceLimits (heap bound). Required for the worker runtime.
+    const limits = plugin.resourceLimits;
+    if (!limits || typeof limits !== "object" || Array.isArray(limits)
+      || !Number.isInteger(limits.maxOldGenerationSizeMb) || limits.maxOldGenerationSizeMb <= 0) {
+      throw new Error("auth.plugin.resourceLimits.maxOldGenerationSizeMb must be a positive integer");
+    }
+  } else {
+    // process-isolated: resourceLimits is N/A (the child is OS-bounded). Validate
+    // the network-enforcement policy and the optional host-mediated key material.
+    const netEnforcement = plugin.netEnforcement ?? "require-permission";
+    if (netEnforcement !== "require-permission") {
+      throw new Error(`auth.plugin.netEnforcement must be "require-permission" (got: ${JSON.stringify(plugin.netEnforcement)})`);
+    }
+    if (plugin.keyMaterial !== undefined && plugin.keyMaterial !== null) {
+      const km = plugin.keyMaterial;
+      if (typeof km !== "object" || Array.isArray(km) || typeof km.url !== "string" || !km.url.trim()) {
+        throw new Error("auth.plugin.keyMaterial must be an object with an operator-declared url string");
+      }
+      let keyUrl;
+      try {
+        keyUrl = new URL(km.url);
+      } catch {
+        throw new Error("auth.plugin.keyMaterial.url must be a valid URL");
+      }
+      if (keyUrl.protocol !== "https:") {
+        throw new Error("auth.plugin.keyMaterial.url must be https");
+      }
+      for (const field of ["ttlMs", "cooldownMs", "timeoutMs", "maxBytes"]) {
+        if (km[field] !== undefined && (typeof km[field] !== "number" || km[field] < 0)) {
+          throw new Error(`auth.plugin.keyMaterial.${field} must be a non-negative number`);
+        }
+      }
+    }
+  }
+
+  if (plugin.maxPendingCalls !== undefined
+    && (!Number.isInteger(plugin.maxPendingCalls) || plugin.maxPendingCalls < 1)) {
+    throw new Error("auth.plugin.maxPendingCalls must be a positive integer");
+  }
+  if (plugin.maxMessageBytes !== undefined
+    && (!Number.isInteger(plugin.maxMessageBytes) || plugin.maxMessageBytes < 1)) {
+    throw new Error("auth.plugin.maxMessageBytes must be a positive integer");
+  }
+
+  if (plugin.pin !== undefined && plugin.pin !== null) {
+    if (typeof plugin.pin !== "object" || Array.isArray(plugin.pin)) {
+      throw new Error("auth.plugin.pin must be an object");
+    }
+    for (const field of ["version", "entrySha256", "manifestSha256"]) {
+      if (plugin.pin[field] !== undefined && plugin.pin[field] !== null
+        && (typeof plugin.pin[field] !== "string" || !plugin.pin[field].trim())) {
+        throw new Error(`auth.plugin.pin.${field} must be a non-empty string`);
+      }
+    }
+  }
+
+  if (plugin.revoked !== undefined && plugin.revoked !== null) {
+    if (typeof plugin.revoked !== "object" || Array.isArray(plugin.revoked)) {
+      throw new Error("auth.plugin.revoked must be an object");
+    }
+    for (const field of ["signerKeyIds", "entrySha256"]) {
+      if (plugin.revoked[field] !== undefined
+        && (!Array.isArray(plugin.revoked[field])
+          || !plugin.revoked[field].every((v) => typeof v === "string" && v.trim()))) {
+        throw new Error(`auth.plugin.revoked.${field} must be an array of non-empty strings`);
+      }
+    }
+  }
+
+  if (plugin.versionFloor !== undefined && plugin.versionFloor !== null) {
+    if (typeof plugin.versionFloor !== "object" || Array.isArray(plugin.versionFloor)) {
+      throw new Error("auth.plugin.versionFloor must be an object mapping pluginId -> version");
+    }
+    for (const [id, floor] of Object.entries(plugin.versionFloor)) {
+      if (typeof floor !== "string" || !floor.trim()) {
+        throw new Error(`auth.plugin.versionFloor.${id} must be a non-empty version string`);
+      }
+    }
+  }
+}
+
+function resolveAuthProvider(config, providers, cryptoProvider, auditSink) {
   if (config.auth.provider === "external") {
     if (typeof providers.authProvider?.authenticate !== "function") {
       throw new Error("auth.provider external requires createRuntime(config, { authProvider })");
@@ -425,9 +608,51 @@ function resolveAuthProvider(config, providers, cryptoProvider) {
   if (config.auth.provider === "bearer") {
     return createBearerAuthProvider({ path: config.auth.store, cryptoProvider });
   }
+  if (config.auth.provider === "plugin") {
+    const plugin = config.auth.plugin;
+    const common = {
+      manifestPath: plugin.manifestPath,
+      trustAnchors: normalizeTrustAnchors(plugin.trustAnchors),
+      allowCapabilities: plugin.allowCapabilities,
+      pin: plugin.pin ?? null,
+      revoked: plugin.revoked ?? {},
+      versionFloor: plugin.versionFloor ?? {},
+      timeoutMs: plugin.timeoutMs,
+      maxPendingCalls: plugin.maxPendingCalls,
+      maxMessageBytes: plugin.maxMessageBytes,
+      coreVersion: plugin.coreVersion ?? null,
+      cryptoProvider,
+      auditSink,
+      allowedLabelKeys: config.auth.allowedLabelKeys
+    };
+    if ((plugin.isolation ?? "worker") === "process") {
+      // 1.1 capability enforcement. Construction fails closed on a Node that
+      // cannot enforce --allow-net (netEnforcement: require-permission).
+      return createProcessIsolatedAuthProviderSync({
+        ...common,
+        netEnforcement: plugin.netEnforcement ?? "require-permission",
+        keyMaterial: plugin.keyMaterial ?? null
+      });
+    }
+    return createSandboxedAuthProviderSync({ ...common, resourceLimits: plugin.resourceLimits });
+  }
   return null;
 }
 
+// The config form is a non-empty array of { keyId, publicKey } OR an object map.
+// verifySignedPlugin resolves the anchor by signerKeyId against an object map, so
+// normalize an array form into that map here.
+function normalizeTrustAnchors(anchors) {
+  if (Array.isArray(anchors)) {
+    const map = {};
+    for (const anchor of anchors) {
+      map[anchor.keyId] = anchor.publicKey;
+    }
+    return map;
+  }
+  return anchors;
+}
+
 function createConfiguredCryptoProvider(config) {
   if (config.keys.provider === "external") {
     throw new Error("keys.provider external requires createRuntime(config, { cryptoProvider })");

package/packages/core/index.mjs

@@ -387,14 +387,29 @@ async function replacementFor(segment, detection, decision, { context, cryptoPro
 
 function buildAuditEvent({ context, mode, enforced, blocked, payload, detections, decisions }) {
   return {
+    // Reader-facing audit-event schema version (frozen as part of the 1.0 API
+    // contract — see docs/current/api-stability.md). Additive-only: a new field
+    // bumps nothing here; only a canonicalization change is a MAJOR schema bump
+    // (a new value + a reader migration). It is part of the canonicalized object
+    // and so is self-consistent for hash-chain verification of new events.
+    schemaVersion: "1",
     id: randomUUID(),
     timestamp: new Date().toISOString(),
     protocol: context.protocol ?? "custom",
     operation: context.operation ?? "protect",
-    // PII-safe identity built by the auth layer (subject/issuer are keyed
-    // HMACs); null when no auth is configured. `profile` is the resolved
-    // policy profile name (or null).
-    identity: context.identity ?? null,
+    // PII-safe identity — projected to the five frozen 1.0 audit-identity keys
+    // (id, type, subjectHash, issuerHash, provider). scopes/labels are available
+    // to the live policy engine via context.identity but are NOT part of the
+    // frozen audit schema (§2.1) and must never be persisted to the hash-chained
+    // log (an untrusted plugin's attacker-controlled label/scope value would
+    // otherwise enter the immutable audit record via this path).
+    identity: context.identity ? {
+      id: context.identity.id,
+      type: context.identity.type,
+      subjectHash: context.identity.subjectHash,
+      issuerHash: context.identity.issuerHash,
+      provider: context.identity.provider
+    } : null,
     profile: context.profile ?? null,
     mode,
     enforced,

package/packages/plugin/index.mjs

@@ -1,5 +1,22 @@
 import { readFile } from "node:fs/promises";
 
+export {
+  signPluginManifest,
+  verifySignedPlugin,
+  PluginLoadError,
+  PLUGIN_LOAD_REASONS
+} from "./signing.mjs";
+
+export {
+  createSandboxedAuthProvider,
+  createSandboxedAuthProviderSync
+} from "./sandbox.mjs";
+
+export {
+  createProcessIsolatedAuthProvider,
+  createProcessIsolatedAuthProviderSync
+} from "./process-sandbox.mjs";
+
 const VALID_KINDS = new Set([
   "crypto-provider",
   "key-provider",
@@ -8,7 +25,10 @@ const VALID_KINDS = new Set([
   "token-vault",
   "audit-sink",
   "protocol-adapter",
-  "classifier-plugin"
+  "classifier-plugin",
+  // 1.0: the first dynamically-loadable kind, only under the worker-isolated
+  // signed/capability-gated/audited sandbox.
+  "authProvider"
 ]);
 
 const CAPABILITY_KEYS = [
@@ -19,7 +39,13 @@ const CAPABILITY_KEYS = [
   "auditWrite",
   "externalSecrets"
 ];
-const VALID_RUNTIMES = new Set(["manifest-only"]);
+// manifest-only is the historical, behavior-preserving path. worker-isolated
+// (1.0) and process-isolated (1.1) are the dynamic-loading runtimes — both
+// permitted ONLY for kind authProvider and only with the Ed25519 signed envelope
+// (see validateSignedDynamicManifest). They share the same manifest contract; the
+// difference is the isolation mechanism (worker_threads vs a --permission child).
+const VALID_RUNTIMES = new Set(["manifest-only", "worker-isolated", "process-isolated"]);
+const SIGNED_DYNAMIC_RUNTIMES = new Set(["worker-isolated", "process-isolated"]);
 
 export async function validatePluginManifestFile(path) {
   const manifest = JSON.parse(await readFile(path, "utf8"));
@@ -47,26 +73,36 @@ export function validatePluginManifest(manifest) {
       errors.push("dynamic plugin execution is not supported; set runtime to manifest-only");
     }
 
-    if (!plugin.compatibility?.haechiCore) {
-      errors.push("missing compatibility.haechiCore");
-    }
-
-    if (!plugin.capabilities || typeof plugin.capabilities !== "object") {
-      errors.push("missing capabilities");
+    if (SIGNED_DYNAMIC_RUNTIMES.has(plugin.runtime)) {
+      // The dynamic-loading path (worker-isolated 1.0 / process-isolated 1.1): a
+      // separate, stricter contract (signed Ed25519 envelope + a validity window +
+      // authProvider-only). Kept apart from the manifest-only checks so the
+      // historical path is untouched.
+      validateSignedDynamicManifest(plugin, errors);
     } else {
-      for (const key of CAPABILITY_KEYS) {
-        if (typeof plugin.capabilities[key] !== "boolean") {
-          errors.push(`capabilities.${key} must be boolean`);
+      // manifest-only (and any other declared-but-rejected runtime): the
+      // historical, behavior-preserving contract — UNCHANGED.
+      if (!plugin.compatibility?.haechiCore) {
+        errors.push("missing compatibility.haechiCore");
+      }
+
+      if (!plugin.capabilities || typeof plugin.capabilities !== "object") {
+        errors.push("missing capabilities");
+      } else {
+        for (const key of CAPABILITY_KEYS) {
+          if (typeof plugin.capabilities[key] !== "boolean") {
+            errors.push(`capabilities.${key} must be boolean`);
+          }
         }
       }
-    }
 
-    if (plugin.capabilities?.networkEgress && plugin.capabilities.readsPlaintext && !plugin.dataHandling?.retention) {
-      errors.push("plaintext-reading network plugins must declare dataHandling.retention");
-    }
+      if (plugin.capabilities?.networkEgress && plugin.capabilities.readsPlaintext && !plugin.dataHandling?.retention) {
+        errors.push("plaintext-reading network plugins must declare dataHandling.retention");
+      }
 
-    if (plugin.dataHandling?.logsRawPayload === true) {
-      errors.push("dataHandling.logsRawPayload must not be true");
+      if (plugin.dataHandling?.logsRawPayload === true) {
+        errors.push("dataHandling.logsRawPayload must not be true");
+      }
     }
   }
 
@@ -76,6 +112,46 @@ export function validatePluginManifest(manifest) {
   };
 }
 
+// The signed-dynamic runtimes (worker-isolated 1.0 / process-isolated 1.1) are
+// dynamic code-loading; both are permitted ONLY for kind authProvider and ONLY
+// with the Ed25519 signed envelope fields. A manifest that is not an authProvider,
+// or is missing the signed fields / validity window / readsCredentials, is
+// rejected with a clear error. The two runtimes share this identical contract.
+function validateSignedDynamicManifest(plugin, errors) {
+  if (plugin.kind !== "authProvider") {
+    errors.push(`${plugin.runtime} runtime is only supported for kind authProvider`);
+  }
+
+  // The signed-envelope fields that bind authorship and the exact entry bytes.
+  // signature must be a non-empty base64-ish string; entrySha256 must be a
+  // 64-char lowercase hex string. Loose shapes signal a malformed/forged manifest.
+  if (!plugin.signature || typeof plugin.signature !== "string" || plugin.signature.length === 0) {
+    errors.push("missing signature");
+  } else if (!/^[A-Za-z0-9+/=]+$/.test(plugin.signature)) {
+    errors.push("signature must be a non-empty base64 string");
+  }
+  requireString(plugin, "signerKeyId", errors);
+  if (!plugin.entrySha256 || typeof plugin.entrySha256 !== "string" || plugin.entrySha256.length === 0) {
+    errors.push("missing entrySha256");
+  } else if (!/^[0-9a-f]{64}$/.test(plugin.entrySha256)) {
+    errors.push("entrySha256 must be a 64-character lowercase hex string");
+  }
+
+  // A validity window is mandatory for a dynamically-loaded artifact.
+  const hasNotBefore = plugin.notBefore !== undefined && plugin.notBefore !== null;
+  const hasNotAfter = plugin.notAfter !== undefined && plugin.notAfter !== null;
+  if (!hasNotBefore && !hasNotAfter) {
+    errors.push(`${plugin.runtime} manifest requires a validity window (notBefore and/or notAfter)`);
+  }
+
+  if (!plugin.capabilities || typeof plugin.capabilities !== "object" || Array.isArray(plugin.capabilities)) {
+    errors.push("missing capabilities");
+  } else if (plugin.capabilities.readsCredentials !== true) {
+    // An authProvider sees the bearer token, so it MUST declare readsCredentials.
+    errors.push(`${plugin.runtime} authProvider must declare capabilities.readsCredentials = true`);
+  }
+}
+
 function requireString(object, key, errors) {
   if (!object[key] || typeof object[key] !== "string") {
     errors.push(`missing ${key}`);