lumiverse-spindle-types 0.4.76 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/src/capabilities.ts +41 -0
- package/src/index.ts +4 -0
- package/src/manifest.ts +9 -0
package/package.json
CHANGED
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Declared backend capabilities that opt an extension out of specific
|
|
3
|
+
* Spindle heuristic-scanner blocks. Unlike permissions (runtime gates),
|
|
4
|
+
* capabilities are install-time declarations that survive scanner checks.
|
|
5
|
+
*
|
|
6
|
+
* Only patterns with a meaningful false-positive rate get a capability —
|
|
7
|
+
* truly dangerous modules (fs, child_process, raw sockets, sqlite, workers)
|
|
8
|
+
* remain hard-blocked with no opt-in.
|
|
9
|
+
*/
|
|
10
|
+
export type SpindleCapability =
|
|
11
|
+
/**
|
|
12
|
+
* Bypass the `dynamic code execution` heuristic: `eval(...)`,
|
|
13
|
+
* `Function(...)` / `new Function(...)`. Required for extensions that:
|
|
14
|
+
* - embed Zod / Handlebars / similar libs that probe `new Function("")`
|
|
15
|
+
* to feature-detect Cloudflare-Workers-style environments;
|
|
16
|
+
* - ship a regex literal whose source contains `Function\s*\(` (e.g.
|
|
17
|
+
* a security check that itself bans the Function constructor);
|
|
18
|
+
* - intentionally execute user-supplied code in a sandboxed runtime
|
|
19
|
+
* (lumiscript's AsyncFunction sandbox is the canonical example).
|
|
20
|
+
*
|
|
21
|
+
* Extensions declaring this still cannot reach fs / child_process / net /
|
|
22
|
+
* etc. — those remain blocked by independent heuristics.
|
|
23
|
+
*/
|
|
24
|
+
| "dynamic_code_execution"
|
|
25
|
+
/**
|
|
26
|
+
* Bypass the `base64 decoding` heuristic: `Buffer.from(s, "base64")`.
|
|
27
|
+
* The pattern is commonly used to smuggle code past static scanners
|
|
28
|
+
* (decode + eval the payload), but it has plenty of legitimate uses
|
|
29
|
+
* (image bytes, binary asset I/O). Pair with `dynamic_code_execution`
|
|
30
|
+
* only when the extension actually needs both.
|
|
31
|
+
*/
|
|
32
|
+
| "base64_decode";
|
|
33
|
+
|
|
34
|
+
export const ALL_CAPABILITIES: readonly SpindleCapability[] = [
|
|
35
|
+
"dynamic_code_execution",
|
|
36
|
+
"base64_decode",
|
|
37
|
+
] as const;
|
|
38
|
+
|
|
39
|
+
export function isValidCapability(c: string): c is SpindleCapability {
|
|
40
|
+
return (ALL_CAPABILITIES as readonly string[]).includes(c);
|
|
41
|
+
}
|
package/src/index.ts
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
export type {
|
|
2
2
|
SpindleManifest,
|
|
3
3
|
SpindlePermission,
|
|
4
|
+
SpindleCapability,
|
|
4
5
|
} from "./manifest";
|
|
5
6
|
export {
|
|
6
7
|
IDENTIFIER_PATTERN,
|
|
@@ -10,6 +11,9 @@ export {
|
|
|
10
11
|
export type { SpindlePermission as SpindlePermissionType } from "./permissions";
|
|
11
12
|
export { ALL_PERMISSIONS, isValidPermission } from "./permissions";
|
|
12
13
|
|
|
14
|
+
export type { SpindleCapability as SpindleCapabilityType } from "./capabilities";
|
|
15
|
+
export { ALL_CAPABILITIES, isValidCapability } from "./capabilities";
|
|
16
|
+
|
|
13
17
|
export { SpindleEvent, CoreEventType } from "./events";
|
|
14
18
|
|
|
15
19
|
export type {
|
package/src/manifest.ts
CHANGED
|
@@ -15,6 +15,14 @@ export interface SpindleManifest {
|
|
|
15
15
|
description?: string;
|
|
16
16
|
/** Requested permissions (gated capabilities) */
|
|
17
17
|
permissions: SpindlePermission[];
|
|
18
|
+
/**
|
|
19
|
+
* Declared backend capabilities that opt this extension out of specific
|
|
20
|
+
* Spindle heuristic-scanner blocks. See `SpindleCapability` for the
|
|
21
|
+
* available values. Distinct from `permissions`: permissions gate runtime
|
|
22
|
+
* API surfaces; capabilities suppress install-time scanner false positives
|
|
23
|
+
* for patterns the extension legitimately needs.
|
|
24
|
+
*/
|
|
25
|
+
requested_capabilities?: SpindleCapability[];
|
|
18
26
|
/** Backend entry point (default: "dist/backend.js") */
|
|
19
27
|
entry_backend?: string;
|
|
20
28
|
/** Frontend entry point (default: "dist/frontend.js") */
|
|
@@ -44,6 +52,7 @@ export interface SpindleStorageSeedFile {
|
|
|
44
52
|
}
|
|
45
53
|
|
|
46
54
|
export type SpindlePermission = import("./permissions").SpindlePermission;
|
|
55
|
+
export type SpindleCapability = import("./capabilities").SpindleCapability;
|
|
47
56
|
|
|
48
57
|
/** Regex for validating extension identifiers */
|
|
49
58
|
export const IDENTIFIER_PATTERN = /^[a-z][a-z0-9_]*$/;
|