pal-explorer-cli 0.4.0

package/lib/core/extensions.js

@@ -0,0 +1,1082 @@
+import { EventEmitter } from 'events';
+import crypto from 'crypto';
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import sodium from 'sodium-native';
+import config from '../utils/config.js';
+import { analyzeFile, analyzeExtension, BLOCKED_MODULES as ANALYZER_BLOCKED } from './extensionAnalyzer.js';
+import { SandboxedExtension } from './extensionSandbox.js';
+import appLogger from '../utils/logger.js';
+import { getActivePlan } from './billing.js';
+
+const EXTENSIONS_DIR = path.join(
+  process.env.PAL_DATA_DIR || path.join(process.env.HOME || process.env.USERPROFILE, '.palexplorer'),
+  'extensions'
+);
+
+const BUNDLED_DIR = path.join(EXTENSIONS_DIR, '@palexplorer');
+
+const CORE_EXTENSIONS = new Set([
+  'analytics',
+  'discovery',
+  'explorer-integration',
+  'vfs',
+]);
+
+// Ed25519 public key for verifying extension signatures (Palexplorer team key)
+const TEAM_PUBLIC_KEY = 'ba71d876238e24b1b230c567a6b7339abdf55030e98580a5a883b97ee0a3f084';
+const TRUSTED_SIGNING_KEY = process.env.PAL_EXT_SIGNING_KEY || TEAM_PUBLIC_KEY;
+
+const BLOCKED_MODULES = ANALYZER_BLOCKED;
+
+const VALID_PERMISSIONS = new Set([
+  'fs:read', 'fs:write', 'fs:delete',
+  'net:http', 'net:ws', 'net:listen',
+  'config:read', 'config:write',
+  'identity:read', 'identity:write',
+  'shares:read', 'shares:write',
+  'transfers:read',
+  'peers:read',
+  'messages:send', 'messages:read',
+  'schedule:write',
+  'clipboard', 'notifications',
+  'audit:read', 'audit:write',
+]);
+
+const HIGH_RISK_PERMISSIONS = new Set([
+  'fs:write', 'fs:delete', 'net:http', 'net:ws', 'messages:send', 'shares:write',
+]);
+
+// Whether to require signatures on community extensions (default: true in production)
+const REQUIRE_SIGNATURE = config.get('extensionRequireSignature') ?? (process.env.NODE_ENV === 'production');
+
+const TIER_RANK = { free: 0, pro: 1, enterprise: 2 };
+
+function checkExtensionTier(manifest) {
+  const tier = manifest.tier || (manifest.pro ? 'pro' : 'free');
+  if (tier === 'free') return { allowed: true, tier, planTier: 'free' };
+
+  let plan;
+  try { plan = getActivePlan(); } catch { plan = { key: 'free' }; }
+
+  const planTier = plan.key === 'free' ? 'free'
+    : plan.key.startsWith('enterprise') ? 'enterprise' : 'pro';
+
+  if (TIER_RANK[planTier] >= TIER_RANK[tier]) {
+    return { allowed: true, tier, planTier };
+  }
+
+  return { allowed: false, tier, planTier };
+}
+
+const OFFLINE_GRACE_DAYS = 7;
+
+async function verifyExtensionLicense(manifest, extPath) {
+  const tier = manifest.tier || (manifest.pro ? 'pro' : 'free');
+  if (tier === 'free' || manifest.bundled) return true;
+
+  const machineId = crypto.createHash('sha256')
+    .update(os.hostname() + os.userInfo().username)
+    .digest('hex');
+
+  const name = manifest.name;
+  const cached = config.get(`ext_license.${name}`);
+  if (cached && cached.token && cached.expiresAt) {
+    if (Date.now() < cached.expiresAt) return true;
+  }
+
+  const discoveryServer = config.get('discoveryServer') || process.env.PAL_DISCOVERY_SERVER;
+  if (!discoveryServer) {
+    console.warn(`[extensions] No discovery server configured for license verification of ${name}`);
+    return _checkOfflineGrace(name);
+  }
+
+  const apiKey = config.get('apiKey');
+
+  try {
+    const res = await fetch(`${discoveryServer}/api/v1/extensions/verify`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        ...(apiKey ? { Authorization: `Bearer ${apiKey}` } : {}),
+      },
+      body: JSON.stringify({ extensionId: name, machineId }),
+      signal: AbortSignal.timeout(10000),
+    });
+
+    if (res.ok) {
+      const data = await res.json();
+      config.set(`ext_license.${name}`, {
+        token: data.token || true,
+        expiresAt: data.expiresAt || (Date.now() + 24 * 60 * 60 * 1000),
+      });
+      config.set(`ext_license_last.${name}`, Date.now());
+      return true;
+    }
+
+    if (res.status === 403) {
+      console.warn(`[extensions] License denied for ${name} (403)`);
+      return _checkOfflineGrace(name);
+    }
+
+    console.warn(`[extensions] License server returned ${res.status} for ${name}`);
+    return _checkOfflineGrace(name);
+  } catch (err) {
+    console.warn(`[extensions] License verification network error for ${name}: ${err.message}`);
+    return _checkOfflineGrace(name);
+  }
+}
+
+function _checkOfflineGrace(name) {
+  const lastVerified = config.get(`ext_license_last.${name}`);
+  if (lastVerified && (Date.now() - lastVerified) < OFFLINE_GRACE_DAYS * 24 * 60 * 60 * 1000) {
+    console.warn(`[extensions] ${name} running in offline grace period`);
+    return true;
+  }
+  console.error(`[extensions] ${name} license expired. Purchase or renew at https://palexplorer.com/pro`);
+  return false;
+}
+
+class ExtensionHooks extends EventEmitter {
+  constructor() {
+    super();
+    this.setMaxListeners(100);
+    this._sandboxedExtensions = [];
+  }
+
+  addSandboxed(sandbox) {
+    this._sandboxedExtensions.push(sandbox);
+  }
+
+  removeSandboxed(sandbox) {
+    this._sandboxedExtensions = this._sandboxedExtensions.filter(s => s !== sandbox);
+  }
+
+  async emit(event, payload) {
+    // First run in-process listeners (bundled extensions)
+    const listeners = this.listeners(event);
+    for (const fn of listeners) {
+      try {
+        const result = await fn(payload);
+        if (result && result.block) {
+          return { blocked: true, reason: result.reason || 'Blocked by extension' };
+        }
+      } catch (err) {
+        console.error(`[extensions] Hook error on ${event}:`, err.message);
+      }
+    }
+
+    // Then run sandboxed extension hooks
+    for (const sandbox of this._sandboxedExtensions) {
+      try {
+        const result = await sandbox.callHook(event, payload);
+        if (result && result.blocked) {
+          return { blocked: true, reason: result.reason || 'Blocked by sandboxed extension' };
+        }
+      } catch (err) {
+        console.error(`[extensions] Sandbox hook error on ${event}:`, err.message);
+      }
+    }
+
+    return { blocked: false };
+  }
+}
+
+const hooks = new ExtensionHooks();
+const loadedExtensions = new Map();
+
+function validateManifest(manifest) {
+  if (!manifest.name || typeof manifest.name !== 'string') return 'Missing or invalid name';
+  if (manifest.name.length > 50) return 'Name exceeds 50 characters';
+  if (!manifest.version) return 'Missing version';
+  if (!/^\d+\.\d+\.\d+/.test(manifest.version)) return 'Version must be valid semver (e.g. 1.0.0)';
+  if (!manifest.main) return 'Missing main entry point';
+  if (typeof manifest.main !== 'string' || !manifest.main.endsWith('.js')) return 'Main entry point must be a .js file';
+  if (/\.\.[\\/]|^[/\\~]/.test(manifest.main)) return 'Main entry point contains path traversal';
+  if (manifest.description && manifest.description.length > 500) return 'Description exceeds 500 characters';
+  if (manifest.permissions) {
+    if (manifest.permissions.length > 10) return 'Too many permissions (max 10)';
+    for (const p of manifest.permissions) {
+      if (!p.startsWith('exec:') && !VALID_PERMISSIONS.has(p)) {
+        return `Invalid permission: ${p}`;
+      }
+    }
+  }
+  if (manifest.hooks && manifest.hooks.length > 20) return 'Too many hooks (max 20)';
+  return null;
+}
+
+function verifySignature(extPath, manifest) {
+  const sigPath = path.join(extPath, 'extension.sig');
+  if (!fs.existsSync(sigPath)) return { signed: false, verified: false };
+
+  try {
+    const sig = fs.readFileSync(sigPath);
+    if (sig.length !== sodium.crypto_sign_BYTES) {
+      return { signed: true, verified: false, reason: 'Invalid signature length' };
+    }
+
+    const manifestData = fs.readFileSync(path.join(extPath, 'extension.json'));
+    const mainData = fs.readFileSync(path.join(extPath, manifest.main || 'index.js'));
+    const content = Buffer.concat([manifestData, mainData]);
+
+    if (TRUSTED_SIGNING_KEY) {
+      const pubKey = Buffer.from(TRUSTED_SIGNING_KEY, 'hex');
+      if (pubKey.length === sodium.crypto_sign_PUBLICKEYBYTES) {
+        if (sodium.crypto_sign_verify_detached(sig, content, pubKey)) {
+          return { signed: true, verified: true, signer: 'palexplorer' };
+        }
+      }
+    }
+
+    if (manifest.signerPublicKey) {
+      const pubKey = Buffer.from(manifest.signerPublicKey, 'hex');
+      if (pubKey.length === sodium.crypto_sign_PUBLICKEYBYTES) {
+        if (sodium.crypto_sign_verify_detached(sig, content, pubKey)) {
+          return { signed: true, verified: true, signer: manifest.signerPublicKey };
+        }
+      }
+    }
+
+    return { signed: true, verified: false, reason: 'No matching public key' };
+  } catch (err) {
+    return { signed: true, verified: false, reason: err.message };
+  }
+}
+
+function computeIntegrityHash(extPath, manifest) {
+  const hash = crypto.createHash('sha256');
+  const mainPath = path.join(extPath, manifest.main || 'index.js');
+  if (fs.existsSync(mainPath)) hash.update(fs.readFileSync(mainPath));
+  const manifestPath = path.join(extPath, 'extension.json');
+  if (fs.existsSync(manifestPath)) hash.update(fs.readFileSync(manifestPath));
+  return hash.digest('hex');
+}
+
+function getSecurityRisk(manifest) {
+  const perms = manifest.permissions || [];
+  const highRisk = perms.filter(p => HIGH_RISK_PERMISSIONS.has(p) || p.startsWith('exec:'));
+  if (highRisk.length >= 3) return 'high';
+  if (highRisk.length >= 1) return 'medium';
+  return 'low';
+}
+
+// Legacy regex-based scanning — kept for backward compat, but AST analyzer is primary
+function hasBlockedImports(filePath) {
+  const result = analyzeFile(filePath);
+  if (result.blocked.length > 0) return result.blocked[0].module;
+  return null;
+}
+
+function scanDangerousPatterns(filePath) {
+  const result = analyzeFile(filePath);
+  return result.dangerous.map(f => f.message);
+}
+
+// Full AST analysis — returns rich structured data
+function analyzeExtensionSecurity(extPath, manifest) {
+  return analyzeExtension(extPath, manifest);
+}
+
+function getApprovedPermissions(extName) {
+  return config.get(`ext_approved_perms.${extName}`) || null;
+}
+
+function setApprovedPermissions(extName, permissions) {
+  config.set(`ext_approved_perms.${extName}`, permissions);
+}
+
+function hasPendingPermissions(extName, manifest) {
+  const approved = getApprovedPermissions(extName);
+  if (!approved) return (manifest.permissions?.length || 0) > 0;
+  const requested = manifest.permissions || [];
+  return requested.some(p => !approved.includes(p));
+}
+
+function getPendingPermissions(extName, manifest) {
+  const approved = getApprovedPermissions(extName) || [];
+  return (manifest.permissions || []).filter(p => !approved.includes(p));
+}
+
+function getSharePaths() {
+  const shares = config.get('shares') || [];
+  return shares.map(s => s.path).filter(Boolean);
+}
+
+function buildContext(manifest) {
+  const perms = new Set(manifest.permissions || []);
+  const defaults = manifest.config || {};
+
+  function liveConfig() {
+    const extConfig = config.get(`ext.${manifest.name}`) || {};
+    for (const [key, def] of Object.entries(defaults)) {
+      if (extConfig[key] === undefined && def.default !== undefined) {
+        extConfig[key] = def.default;
+      }
+    }
+    return extConfig;
+  }
+
+  const sharePaths = getSharePaths();
+
+  function enforcePathScope(filePath) {
+    const resolved = path.resolve(filePath);
+    let real;
+    try { real = fs.realpathSync(resolved); } catch { real = resolved; }
+    const inScope = sharePaths.some(p => {
+      const rp = path.resolve(p);
+      return real === rp || real.startsWith(rp + path.sep);
+    });
+    if (!inScope) {
+      throw new Error(`Path access denied: ${filePath} is outside share paths`);
+    }
+    return real;
+  }
+
+  const ctx = {
+    hooks,
+    config: {
+      get(key) {
+        if (!perms.has('config:read')) throw new Error('Permission denied: config:read');
+        return liveConfig()[key];
+      },
+      set(key, value) {
+        if (!perms.has('config:write')) throw new Error('Permission denied: config:write');
+        const current = liveConfig();
+        current[key] = value;
+        config.set(`ext.${manifest.name}`, current);
+      },
+      getAll() {
+        if (!perms.has('config:read')) throw new Error('Permission denied: config:read');
+        return { ...liveConfig() };
+      },
+    },
+    logger: {
+      info: (...args) => { if (appLogger.shouldLog('info')) console.log(`[ext:${manifest.name}]`, ...args); },
+      warn: (...args) => console.warn(`[ext:${manifest.name}]`, ...args),
+      error: (...args) => console.error(`[ext:${manifest.name}]`, ...args),
+    },
+    app: {
+      version: getAppVersion(),
+      dataDir: EXTENSIONS_DIR,
+      appRoot: path.resolve(new URL(import.meta.url).pathname.replace(/^\/([A-Z]:)/, '$1'), '../../..'),
+      platform: process.platform,
+      mode: globalThis.__palMode || 'cli',
+    },
+    store: createStore(manifest.name),
+  };
+
+  if (perms.has('identity:read')) {
+    ctx.identity = {
+      get() {
+        const id = config.get('identity');
+        return id ? { handle: id.handle, publicKey: id.publicKey } : null;
+      },
+    };
+  }
+
+  if (perms.has('shares:read')) {
+    ctx.shares = {
+      list() { return (config.get('shares') || []).map(s => ({ id: s.id, path: s.path, type: s.type, visibility: s.visibility })); },
+      get(id) {
+        const s = (config.get('shares') || []).find(s => s.magnet === id || s.path === id);
+        return s ? { id: s.id, path: s.path, type: s.type, visibility: s.visibility } : null;
+      },
+    };
+  }
+
+  if (perms.has('transfers:read')) {
+    ctx.transfers = {
+      async history() {
+        const { default: Conf } = await import('conf');
+        const store = new Conf({ projectName: 'palexplorer-cli', configName: 'transfers' });
+        return store.get('history') || [];
+      },
+      async stats() {
+        const { getTransferStats } = await import('./transfers.js');
+        return getTransferStats();
+      },
+    };
+  }
+
+  if (perms.has('peers:read')) {
+    ctx.peers = {
+      list() {
+        const friends = config.get('friends') || [];
+        return friends.map(f => ({ handle: f.handle, publicKey: f.publicKey }));
+      },
+    };
+  }
+
+  if (perms.has('net:http')) {
+    const httpCallLog = [];
+    ctx.http = async (url, opts = {}) => {
+      httpCallLog.push({ url, method: opts.method || 'GET', ts: Date.now() });
+      // Rate limit: max 100 calls per minute
+      const oneMinAgo = Date.now() - 60000;
+      const recentCalls = httpCallLog.filter(c => c.ts > oneMinAgo);
+      if (recentCalls.length > 100) {
+        throw new Error('HTTP rate limit exceeded (100 requests/minute)');
+      }
+      ctx.logger.info(`HTTP ${opts.method || 'GET'} ${url}`);
+      return fetch(url, { ...opts, signal: opts.signal || AbortSignal.timeout(30000) });
+    };
+  }
+
+  if (perms.has('fs:read')) {
+    ctx.fs = {
+      ...ctx.fs,
+      read(filePath, encoding = 'utf8') {
+        const real = enforcePathScope(filePath);
+        return fs.readFileSync(real, encoding);
+      },
+      readdir(dirPath) {
+        const real = enforcePathScope(dirPath);
+        return fs.readdirSync(real);
+      },
+      stat(filePath) {
+        const real = enforcePathScope(filePath);
+        const st = fs.statSync(real);
+        return { size: st.size, isFile: st.isFile(), isDirectory: st.isDirectory(), mtime: st.mtime };
+      },
+    };
+  }
+
+  if (perms.has('fs:write')) {
+    ctx.fs = {
+      ...ctx.fs,
+      write(filePath, data) {
+        const real = enforcePathScope(filePath);
+        fs.writeFileSync(real, data);
+      },
+      mkdir(dirPath) {
+        const real = enforcePathScope(dirPath);
+        fs.mkdirSync(real, { recursive: true });
+      },
+    };
+  }
+
+  if (perms.has('fs:delete')) {
+    ctx.fs = {
+      ...ctx.fs,
+      delete(filePath) {
+        const real = enforcePathScope(filePath);
+        fs.unlinkSync(real);
+      },
+    };
+  }
+
+  if (perms.has('notifications')) {
+    ctx.notify = {
+      show(title, body) {
+        if (typeof Notification !== 'undefined') {
+          new Notification(title, { body });
+        }
+      },
+    };
+  }
+
+  return ctx;
+}
+
+function createStore(extName) {
+  const storeKey = `ext_store.${extName}`;
+  return {
+    get(key) {
+      const data = config.get(storeKey) || {};
+      return key ? data[key] : data;
+    },
+    set(key, value) {
+      const data = config.get(storeKey) || {};
+      data[key] = value;
+      config.set(storeKey, data);
+    },
+    delete(key) {
+      const data = config.get(storeKey) || {};
+      delete data[key];
+      config.set(storeKey, data);
+    },
+  };
+}
+
+function getAppVersion() {
+  try {
+    const dir = path.dirname(new URL(import.meta.url).pathname.replace(/^\/([A-Z]:)/, '$1'));
+    const pkg = JSON.parse(fs.readFileSync(path.resolve(dir, '../../package.json'), 'utf8'));
+    return pkg.version;
+  } catch {
+    return '0.0.0';
+  }
+}
+
+function getInstalledExtensions() {
+  const extensions = [];
+  const disabled = config.get('disabledExtensions') || [];
+
+  if (!fs.existsSync(EXTENSIONS_DIR)) return extensions;
+
+  for (const entry of fs.readdirSync(EXTENSIONS_DIR)) {
+    const extPath = path.join(EXTENSIONS_DIR, entry);
+    if (entry === '@palexplorer') {
+      if (!fs.statSync(extPath).isDirectory()) continue;
+      for (const bundled of fs.readdirSync(extPath)) {
+        const bundledPath = path.join(extPath, bundled);
+        const manifest = readManifest(bundledPath);
+        if (manifest) {
+          const fullName = `@palexplorer/${bundled}`;
+          const isCore = CORE_EXTENSIONS.has(bundled);
+          const explicitEnabled = (config.get('enabledExtensions') || []).includes(fullName);
+          const explicitDisabled = disabled.includes(fullName);
+          const manifestDefault = manifest.config?.enabled?.default === true;
+          extensions.push({
+            ...manifest,
+            path: bundledPath,
+            bundled: true,
+            enabled: isCore
+              ? !explicitDisabled
+              : explicitDisabled ? false : (explicitEnabled || manifestDefault),
+          });
+        }
+      }
+    } else if (!entry.startsWith('.')) {
+      const manifest = readManifest(extPath);
+      if (manifest) {
+        extensions.push({
+          ...manifest,
+          path: extPath,
+          bundled: false,
+          enabled: !disabled.includes(entry),
+        });
+      }
+    }
+  }
+
+  return extensions;
+}
+
+function readManifest(extPath) {
+  const manifestPath = path.join(extPath, 'extension.json');
+  if (!fs.existsSync(manifestPath)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function buildSandboxContext(manifest) {
+  const extConfig = config.get(`ext.${manifest.name}`) || {};
+  const defaults = manifest.config || {};
+  for (const [key, def] of Object.entries(defaults)) {
+    if (extConfig[key] === undefined && def.default !== undefined) {
+      extConfig[key] = def.default;
+    }
+  }
+
+  const sharePaths = getSharePaths();
+
+  return {
+    configSnapshot: { ...extConfig },
+    appInfo: { version: getAppVersion(), platform: process.platform, mode: globalThis.__palMode || 'cli' },
+    configGet(key) { return extConfig[key]; },
+    configSet(key, value) {
+      extConfig[key] = value;
+      config.set(`ext.${manifest.name}`, extConfig);
+    },
+    storeGet(key) {
+      const data = config.get(`ext_store.${manifest.name}`) || {};
+      return key ? data[key] : data;
+    },
+    storeSet(key, value) {
+      const data = config.get(`ext_store.${manifest.name}`) || {};
+      data[key] = value;
+      config.set(`ext_store.${manifest.name}`, data);
+    },
+    storeDelete(key) {
+      const data = config.get(`ext_store.${manifest.name}`) || {};
+      delete data[key];
+      config.set(`ext_store.${manifest.name}`, data);
+    },
+    getIdentity() {
+      const id = config.get('identity');
+      return id ? { handle: id.handle, publicKey: id.publicKey } : null;
+    },
+    listShares() {
+      return (config.get('shares') || []).map(s => ({ id: s.id, path: s.path, type: s.type, visibility: s.visibility }));
+    },
+    listPeers() {
+      return (config.get('friends') || []).map(f => ({ handle: f.handle, publicKey: f.publicKey }));
+    },
+    logHttpCall(url, method) {
+      console.log(`[ext:${manifest.name}] HTTP ${method} ${url}`);
+    },
+    notify(title, body) {
+      if (typeof Notification !== 'undefined') {
+        new Notification(title, { body });
+      }
+    },
+  };
+}
+
+async function loadExtension(extPath, manifest) {
+  const fullName = manifest.bundled ? `@palexplorer/${manifest.name}` : manifest.name;
+  if (loadedExtensions.has(fullName)) return;
+
+  const error = validateManifest(manifest);
+  if (error) {
+    console.error(`[extensions] Invalid manifest for ${fullName}: ${error}`);
+    return;
+  }
+
+  // Tier enforcement — paid extensions require matching subscription
+  if (!manifest.bundled) {
+    const tierCheck = checkExtensionTier(manifest);
+    if (!tierCheck.allowed) {
+      console.warn(`[extensions] ${fullName} requires ${tierCheck.tier} plan (current: ${tierCheck.planTier}). Upgrade at https://palexplorer.com/pro`);
+      return;
+    }
+
+    if (tierCheck.tier !== 'free') {
+      const licensed = await verifyExtensionLicense(manifest, extPath);
+      if (!licensed) {
+        console.warn(`[extensions] ${fullName} license verification failed. Purchase at https://palexplorer.com/pro`);
+        return;
+      }
+    }
+  }
+
+  const mainPath = path.join(extPath, manifest.main || 'index.js');
+  if (!fs.existsSync(mainPath)) {
+    console.error(`[extensions] Entry point not found: ${mainPath}`);
+    return;
+  }
+
+  // Integrity check
+  const storedHash = config.get(`ext_integrity.${manifest.name}`);
+  const currentHash = computeIntegrityHash(extPath, manifest);
+  if (storedHash && storedHash !== currentHash) {
+    console.error(`[extensions] SECURITY: ${fullName} files modified since install. Refusing to load.`);
+    console.error(`[extensions] Run 'pe ext remove ${manifest.name} && pe ext install ...' to reinstall.`);
+    return;
+  }
+
+  if (!manifest.bundled) {
+    // AST analysis — catches obfuscated dynamic imports, eval tricks, etc.
+    const analysis = analyzeExtension(extPath, manifest);
+    if (analysis.blocked.length > 0) {
+      const mods = [...new Set(analysis.blocked.map(b => b.module))].join(', ');
+      console.error(`[extensions] SECURITY: ${fullName} imports blocked modules: ${mods}. Refusing to load.`);
+      disableExtension(fullName);
+      return;
+    }
+
+    if (analysis.hasCritical) {
+      console.error(`[extensions] SECURITY: ${fullName} has critical security findings. Refusing to load.`);
+      for (const f of analysis.findings.filter(f => f.severity === 'critical')) {
+        console.error(`  Line ${f.line || '?'}: ${f.message}`);
+      }
+      disableExtension(fullName);
+      return;
+    }
+
+    if (analysis.hasHigh) {
+      console.warn(`[extensions] WARNING: ${fullName} has high-severity findings:`);
+      for (const f of analysis.findings.filter(f => f.severity === 'high')) {
+        console.warn(`  Line ${f.line || '?'}: ${f.message}`);
+      }
+    }
+
+    // Permission approval check
+    if (hasPendingPermissions(manifest.name, manifest)) {
+      const pending = getPendingPermissions(manifest.name, manifest);
+      console.error(`[extensions] SECURITY: ${fullName} has unapproved permissions: ${pending.join(', ')}. Refusing to load.`);
+      return;
+    }
+
+    // Signature enforcement
+    const sig = verifySignature(extPath, manifest);
+    if (REQUIRE_SIGNATURE && !sig.verified) {
+      console.error(`[extensions] SECURITY: ${fullName} is unsigned or has invalid signature. Refusing to load.`);
+      console.error(`[extensions] Set 'extensionRequireSignature' to false in config to allow unsigned extensions (not recommended).`);
+      return;
+    }
+    if (!sig.verified) {
+      console.warn(`[extensions] WARNING: ${fullName} is not signed. Loading in sandbox with restrictions.`);
+    }
+
+    // Community extensions run in Worker thread sandbox
+    try {
+      const sandboxCtx = buildSandboxContext(manifest);
+      const sandbox = new SandboxedExtension(extPath, manifest, sandboxCtx);
+      await sandbox.start();
+      hooks.addSandboxed(sandbox);
+      loadedExtensions.set(fullName, { manifest, sandbox, path: extPath, hash: currentHash, sandboxed: true });
+      console.log(`[extensions] Loaded ${fullName} (sandboxed worker)`);
+    } catch (err) {
+      console.error(`[extensions] Failed to load ${fullName} in sandbox:`, err.message);
+      const failKey = `ext_failures.${manifest.name}`;
+      const failures = (config.get(failKey) || 0) + 1;
+      config.set(failKey, failures);
+      if (failures >= 3) {
+        console.error(`[extensions] ${fullName} failed ${failures} times. Auto-disabling.`);
+        disableExtension(fullName);
+      }
+    }
+    return;
+  }
+
+  // Bundled extensions run in-process (trusted)
+  try {
+    const mod = await import(`file://${mainPath.replace(/\\/g, '/')}`);
+    const ctx = buildContext(manifest);
+
+    if (typeof mod.activate === 'function') {
+      await Promise.race([
+        mod.activate(ctx),
+        new Promise((_, reject) => setTimeout(() => reject(new Error('Activation timeout')), 10000)),
+      ]);
+    }
+
+    loadedExtensions.set(fullName, { manifest, module: mod, ctx, path: extPath, hash: currentHash, sandboxed: false });
+  } catch (err) {
+    console.error(`[extensions] Failed to load ${fullName}:`, err.message);
+    const failKey = `ext_failures.${manifest.name}`;
+    const failures = (config.get(failKey) || 0) + 1;
+    config.set(failKey, failures);
+    if (failures >= 3) {
+      console.error(`[extensions] ${fullName} failed ${failures} times. Auto-disabling.`);
+      disableExtension(fullName);
+    }
+  }
+}
+
+async function unloadExtension(name) {
+  const ext = loadedExtensions.get(name);
+  if (!ext) return;
+
+  if (ext.sandboxed && ext.sandbox) {
+    hooks.removeSandboxed(ext.sandbox);
+    await ext.sandbox.stop();
+  } else if (ext.module && typeof ext.module.deactivate === 'function') {
+    try {
+      await ext.module.deactivate();
+    } catch (err) {
+      console.error(`[extensions] Error deactivating ${name}:`, err.message);
+    }
+  }
+
+  loadedExtensions.delete(name);
+}
+
+async function loadAllExtensions() {
+  try { deployBundledExtensions(); } catch {}
+  const extensions = getInstalledExtensions();
+  for (const ext of extensions) {
+    if (!ext.enabled) continue;
+    await loadExtension(ext.path, ext);
+  }
+}
+
+async function installExtension(source, { skipPrompt = false } = {}) {
+  fs.mkdirSync(EXTENSIONS_DIR, { recursive: true });
+
+  let sourcePath = source;
+
+  if (source.startsWith('http') || source.startsWith('git@')) {
+    if (source.startsWith('http:')) {
+      throw new Error('Insecure HTTP git URLs are not allowed. Use HTTPS.');
+    }
+    const { spawnSync } = await import('child_process');
+    const tmpDir = path.join(EXTENSIONS_DIR, `.tmp-${Date.now()}`);
+    try {
+      const result = spawnSync('git', ['clone', '--depth', '1', source, tmpDir], { stdio: 'pipe', timeout: 30000 });
+      if (result.status !== 0) throw new Error(result.stderr?.toString() || 'Git clone failed');
+    } catch (err) {
+      fs.rmSync(tmpDir, { recursive: true, force: true });
+      throw new Error(`Git clone failed: ${err.message}`);
+    }
+    sourcePath = tmpDir;
+  }
+
+  const manifest = readManifest(sourcePath);
+  if (!manifest) {
+    if (sourcePath !== source) fs.rmSync(sourcePath, { recursive: true, force: true });
+    throw new Error('No valid extension.json found at source');
+  }
+
+  const error = validateManifest(manifest);
+  if (error) {
+    if (sourcePath !== source) fs.rmSync(sourcePath, { recursive: true, force: true });
+    throw new Error(`Invalid extension: ${error}`);
+  }
+
+  if (!/^[a-z0-9]([a-z0-9._-]*[a-z0-9])?$/.test(manifest.name)) {
+    if (sourcePath !== source) fs.rmSync(sourcePath, { recursive: true, force: true });
+    throw new Error(`Invalid extension name "${manifest.name}". Must be lowercase alphanumeric with dots, dashes, or underscores.`);
+  }
+
+  if (manifest.name.startsWith('@palexplorer') || manifest.name.startsWith('palexplorer-')) {
+    if (sourcePath !== source) fs.rmSync(sourcePath, { recursive: true, force: true });
+    throw new Error('Cannot install extensions using reserved @palexplorer namespace.');
+  }
+
+  // Tier enforcement — paid extensions require matching subscription
+  const tierCheck = checkExtensionTier(manifest);
+  if (!tierCheck.allowed) {
+    if (sourcePath !== source) fs.rmSync(sourcePath, { recursive: true, force: true });
+    throw new Error(`Extension '${manifest.name}' requires a ${tierCheck.tier} subscription (current: ${tierCheck.planTier}). Upgrade at https://palexplorer.com/pro`);
+  }
+
+  // AST analysis (replaces old regex scanning)
+  const analysis = analyzeExtension(sourcePath, manifest);
+  if (analysis.blocked.length > 0) {
+    const mods = [...new Set(analysis.blocked.map(b => b.module))].join(', ');
+    if (sourcePath !== source) fs.rmSync(sourcePath, { recursive: true, force: true });
+    throw new Error(`SECURITY: Extension imports blocked modules: ${mods}. Install rejected.`);
+  }
+
+  if (analysis.hasCritical) {
+    if (sourcePath !== source) fs.rmSync(sourcePath, { recursive: true, force: true });
+    const details = analysis.findings.filter(f => f.severity === 'critical').map(f => f.message).join('; ');
+    throw new Error(`SECURITY: Extension has critical findings: ${details}. Install rejected.`);
+  }
+
+  const sig = verifySignature(sourcePath, manifest);
+  const risk = getSecurityRisk(manifest);
+
+  if (REQUIRE_SIGNATURE && !sig.verified) {
+    if (sourcePath !== source) fs.rmSync(sourcePath, { recursive: true, force: true });
+    throw new Error('SECURITY: Extension is unsigned. Set extensionRequireSignature=false to allow (not recommended).');
+  }
+
+  const destPath = path.join(EXTENSIONS_DIR, manifest.name);
+  if (fs.existsSync(destPath)) {
+    if (sourcePath !== source) fs.rmSync(sourcePath, { recursive: true, force: true });
+    throw new Error(`Extension "${manifest.name}" is already installed`);
+  }
+
+  fs.cpSync(sourcePath, destPath, { recursive: true });
+
+  const hash = computeIntegrityHash(destPath, manifest);
+  config.set(`ext_integrity.${manifest.name}`, hash);
+  config.delete(`ext_failures.${manifest.name}`);
+
+  if (manifest.permissions?.length > 0) {
+    setApprovedPermissions(manifest.name, manifest.permissions);
+  }
+
+  if (sourcePath !== source && sourcePath.includes('.tmp-')) {
+    fs.rmSync(sourcePath, { recursive: true, force: true });
+  }
+
+  return {
+    ...manifest,
+    signature: sig,
+    risk,
+    analysis: {
+      dangerous: analysis.dangerous.map(f => f.message),
+      summary: analysis.summary,
+    },
+  };
+}
+
+function removeExtension(name) {
+  const extPath = path.join(EXTENSIONS_DIR, name);
+  if (!fs.existsSync(extPath)) throw new Error(`Extension "${name}" not found`);
+
+  const manifest = readManifest(extPath);
+  if (!manifest) throw new Error(`Invalid extension at ${extPath}`);
+
+  unloadExtension(name);
+
+  fs.rmSync(extPath, { recursive: true, force: true });
+
+  config.delete(`ext.${name}`);
+  config.delete(`ext_store.${name}`);
+  config.delete(`ext_approved_perms.${name}`);
+  config.delete(`ext_integrity.${name}`);
+  config.delete(`ext_failures.${name}`);
+}
+
+function enableExtension(name) {
+  const full = name.includes('/') ? name : `@palexplorer/${name}`;
+  const short = name.replace('@palexplorer/', '');
+
+  const disabled = config.get('disabledExtensions') || [];
+  // Remove both forms from disabled list
+  const newDisabled = disabled.filter(d => d !== name && d !== full && d !== short);
+  if (newDisabled.length !== disabled.length) config.set('disabledExtensions', newDisabled);
+
+  if (!CORE_EXTENSIONS.has(short)) {
+    const enabled = config.get('enabledExtensions') || [];
+    if (!enabled.includes(full)) {
+      enabled.push(full);
+      config.set('enabledExtensions', enabled);
+    }
+  }
+}
+
+function disableExtension(name) {
+  const full = name.includes('/') ? name : `@palexplorer/${name}`;
+  const short = name.replace('@palexplorer/', '');
+
+  const disabled = config.get('disabledExtensions') || [];
+  if (!disabled.includes(full)) {
+    disabled.push(full);
+    config.set('disabledExtensions', disabled);
+  }
+
+  if (!CORE_EXTENSIONS.has(short)) {
+    const enabled = config.get('enabledExtensions') || [];
+    const newEnabled = enabled.filter(e => e !== name && e !== full && e !== short);
+    if (newEnabled.length !== enabled.length) config.set('enabledExtensions', newEnabled);
+  }
+  unloadExtension(name);
+}
+
+function getExtensionConfig(name) {
+  return config.get(`ext.${name}`) || {};
+}
+
+function setExtensionConfig(name, key, value) {
+  const extConfig = config.get(`ext.${name}`) || {};
+  extConfig[key] = value;
+  config.set(`ext.${name}`, extConfig);
+  hooks.emit('on:config:change', { key: `ext.${name}`, value: extConfig }).catch(() => {});
+}
+
+function ensureBundledDir() {
+  fs.mkdirSync(BUNDLED_DIR, { recursive: true });
+}
+
+function deployBundledExtensions() {
+  const appDir = path.dirname(new URL(import.meta.url).pathname.replace(/^\/([A-Z]:)/, '$1'));
+  const srcBundled = path.resolve(appDir, '../../extensions/@palexplorer');
+  if (!fs.existsSync(srcBundled)) return;
+
+  ensureBundledDir();
+
+  const srcNames = new Set();
+  for (const name of fs.readdirSync(srcBundled)) {
+    const srcPath = path.join(srcBundled, name);
+    if (!fs.statSync(srcPath).isDirectory()) continue;
+    const manifest = readManifest(srcPath);
+    if (!manifest) continue;
+    srcNames.add(name);
+
+    const destPath = path.join(BUNDLED_DIR, name);
+    const destManifest = readManifest(destPath);
+
+    // Deploy if not present or if source version is newer
+    if (!destManifest || semverGt(manifest.version, destManifest.version)) {
+      fs.cpSync(srcPath, destPath, { recursive: true });
+    }
+  }
+
+  // Remove bundled extensions that are no longer in source
+  if (fs.existsSync(BUNDLED_DIR)) {
+    for (const name of fs.readdirSync(BUNDLED_DIR)) {
+      if (name.startsWith('.')) continue;
+      if (!srcNames.has(name)) {
+        const destPath = path.join(BUNDLED_DIR, name);
+        if (fs.statSync(destPath).isDirectory()) {
+          fs.rmSync(destPath, { recursive: true, force: true });
+        }
+      }
+    }
+  }
+}
+
+function semverGt(a, b) {
+  const pa = (a || '0.0.0').split('.').map(Number);
+  const pb = (b || '0.0.0').split('.').map(Number);
+  for (let i = 0; i < 3; i++) {
+    if ((pa[i] || 0) > (pb[i] || 0)) return true;
+    if ((pa[i] || 0) < (pb[i] || 0)) return false;
+  }
+  return false;
+}
+
+function getExtension(name) {
+  return loadedExtensions.get(name);
+}
+
+function getContributedPages() {
+  const extensions = getInstalledExtensions();
+  const pages = [];
+  for (const ext of extensions) {
+    if (!ext.enabled) continue;
+    if (!ext.contributes?.pages) continue;
+    for (const page of ext.contributes.pages) {
+      pages.push({
+        id: page.id,
+        label: page.label,
+        icon: page.icon,
+        section: page.section,
+        minLevel: page.minLevel || null,
+        extension: ext.name,
+      });
+    }
+  }
+  return pages;
+}
+
+function ensureDefaultExtensions() {
+  if (!fs.existsSync(BUNDLED_DIR)) return;
+  const enabled = config.get('enabledExtensions') || [];
+  const disabled = config.get('disabledExtensions') || [];
+  let changed = false;
+  for (const bundled of fs.readdirSync(BUNDLED_DIR)) {
+    const manifest = readManifest(path.join(BUNDLED_DIR, bundled));
+    if (!manifest) continue;
+    const full = `@palexplorer/${bundled}`;
+    if (manifest.config?.enabled?.default === true && !CORE_EXTENSIONS.has(bundled)) {
+      if (!enabled.includes(full) && !disabled.includes(full)) {
+        enabled.push(full);
+        changed = true;
+      }
+    }
+  }
+  if (changed) config.set('enabledExtensions', enabled);
+}
+
+export {
+  hooks,
+  loadedExtensions,
+  getExtension,
+  getContributedPages,
+  getInstalledExtensions,
+  loadAllExtensions,
+  loadExtension,
+  unloadExtension,
+  installExtension,
+  removeExtension,
+  enableExtension,
+  disableExtension,
+  getExtensionConfig,
+  setExtensionConfig,
+  validateManifest,
+  readManifest,
+  ensureBundledDir,
+  deployBundledExtensions,
+  verifySignature,
+  computeIntegrityHash,
+  getSecurityRisk,
+  hasBlockedImports,
+  scanDangerousPatterns,
+  analyzeExtensionSecurity,
+  getApprovedPermissions,
+  setApprovedPermissions,
+  hasPendingPermissions,
+  getPendingPermissions,
+  EXTENSIONS_DIR,
+  BUNDLED_DIR,
+  VALID_PERMISSIONS,
+  HIGH_RISK_PERMISSIONS,
+  BLOCKED_MODULES,
+  REQUIRE_SIGNATURE,
+  checkExtensionTier,
+  verifyExtensionLicense,
+  ensureDefaultExtensions,
+};