wu-framework 1.0.5 → 1.0.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wu-framework",
-  "version": "1.0.5",
+  "version": "1.0.6",
   "description": "🚀 Universal Microfrontends Framework - Framework agnostic, zero config, Shadow DOM isolation",
   "main": "src/index.js",
   "type": "module",

package/src/core/wu-cache.js

@@ -1,16 +1,10 @@
 /**
- * 💾 WU-CACHE: INTERNAL FRAMEWORK CACHING
+ * 💾 WU-CACHE: SECURE INTERNAL CACHING
  *
- * Sistema de caché INTERNO para recursos del framework:
- * - Manifests de microfrontends
- * - Módulos cargados
- * - Configuraciones de apps
- *
- * Features:
- * - Cache persistente (localStorage/sessionStorage)
- * - Cache en memoria (Map)
- * - TTL (Time To Live) configurable
- * - LRU (Least Recently Used) eviction
+ * Sistema de caché INTERNO con rate limiting
+ * - Rate limiting para prevenir abuso
+ * - Cache persistente y en memoria
+ * - TTL y LRU eviction
  *
  * ⚠️ USO INTERNO: No exponer en API pública
  */
@@ -22,15 +16,26 @@ export class WuCache {
       maxItems: options.maxItems || 100,
       defaultTTL: options.defaultTTL || 3600000, // 1 hour
       persistent: options.persistent !== false,
-      storage: options.storage || 'memory', // 'memory' | 'localStorage' | 'sessionStorage'
+      storage: options.storage || 'memory',
       compression: options.compression || false
     };
 
+    // 🔐 Rate limiting configuration
+    this.rateLimiting = {
+      enabled: options.rateLimiting !== false,
+      maxOpsPerSecond: options.maxOpsPerSecond || 100,
+      windowMs: 1000, // 1 second window
+      cooldownMs: options.cooldownMs || 5000, // 5 second cooldown after limit
+      operations: [],
+      inCooldown: false,
+      cooldownUntil: 0
+    };
+
     // Memory cache
     this.memoryCache = new Map();
 
     // LRU tracking
-    this.accessOrder = new Map(); // key -> timestamp
+    this.accessOrder = new Map();
 
     // Statistics
     this.stats = {
@@ -38,10 +43,67 @@ export class WuCache {
       misses: 0,
       sets: 0,
       evictions: 0,
-      size: 0
+      size: 0,
+      rateLimited: 0 // 🔐 Contador de operaciones rechazadas
     };
+  }
+
+  /**
+   * 🔐 CHECK RATE LIMIT: Verificar si la operación está permitida
+   * @returns {boolean} true si la operación está permitida
+   */
+  _checkRateLimit() {
+    if (!this.rateLimiting.enabled) return true;
+
+    const now = Date.now();
+
+    // Verificar si estamos en cooldown
+    if (this.rateLimiting.inCooldown) {
+      if (now < this.rateLimiting.cooldownUntil) {
+        this.stats.rateLimited++;
+        return false;
+      }
+      // Cooldown terminado
+      this.rateLimiting.inCooldown = false;
+      this.rateLimiting.operations = [];
+    }
+
+    // Limpiar operaciones antiguas (fuera de la ventana)
+    const windowStart = now - this.rateLimiting.windowMs;
+    this.rateLimiting.operations = this.rateLimiting.operations.filter(
+      ts => ts > windowStart
+    );
+
+    // Verificar límite
+    if (this.rateLimiting.operations.length >= this.rateLimiting.maxOpsPerSecond) {
+      // Activar cooldown
+      this.rateLimiting.inCooldown = true;
+      this.rateLimiting.cooldownUntil = now + this.rateLimiting.cooldownMs;
+      this.stats.rateLimited++;
+      console.warn(`[WuCache] 🚫 Rate limit exceeded. Cooldown for ${this.rateLimiting.cooldownMs}ms`);
+      return false;
+    }
 
-    console.log('[WuCache] 💾 Advanced cache system initialized');
+    // Registrar operación
+    this.rateLimiting.operations.push(now);
+    return true;
+  }
+
+  /**
+   * 🔐 GET RATE LIMIT STATUS
+   */
+  getRateLimitStatus() {
+    const now = Date.now();
+    return {
+      enabled: this.rateLimiting.enabled,
+      inCooldown: this.rateLimiting.inCooldown,
+      cooldownRemaining: this.rateLimiting.inCooldown
+        ? Math.max(0, this.rateLimiting.cooldownUntil - now)
+        : 0,
+      currentOps: this.rateLimiting.operations.length,
+      maxOps: this.rateLimiting.maxOpsPerSecond,
+      rateLimited: this.stats.rateLimited
+    };
   }
 
   /**
@@ -50,6 +112,11 @@ export class WuCache {
    * @returns {*} Valor cacheado o null
    */
   get(key) {
+    // 🔐 Check rate limit
+    if (!this._checkRateLimit()) {
+      return null; // Silently fail on rate limit
+    }
+
     // 1. Buscar en memoria
     if (this.memoryCache.has(key)) {
       const entry = this.memoryCache.get(key);
@@ -92,6 +159,11 @@ export class WuCache {
    * @returns {boolean}
    */
   set(key, value, ttl) {
+    // 🔐 Check rate limit
+    if (!this._checkRateLimit()) {
+      return false; // Reject on rate limit
+    }
+
     try {
       const entry = {
         key,

package/src/core/wu-event-bus.js

@@ -1,46 +1,156 @@
 /**
- * 📡 WU-EVENT-BUS: ADVANCED PUB/SUB SYSTEM
+ * 📡 WU-EVENT-BUS: SECURE PUB/SUB SYSTEM
  *
  * Sistema de eventos para comunicación entre microfrontends
- * - Pub/Sub pattern
+ * - Pub/Sub pattern con validación de origen
  * - Event namespaces
  * - Wildcards
  * - Event replay
- * - Performance optimizado
+ * - Verificación de apps autorizadas
  */
 
 export class WuEventBus {
   constructor() {
-    this.listeners = new Map(); // eventName -> Set<callback>
-    this.history = []; // Event history para replay
+    this.listeners = new Map();
+    this.history = [];
+
+    // 🔐 SEGURIDAD: Registro de apps autorizadas con tokens
+    this.authorizedApps = new Map(); // appName -> { token, permissions }
+    this.trustedEvents = new Set(['wu:*', 'system:*']); // Eventos del sistema
+
     this.config = {
       maxHistory: 100,
       enableReplay: true,
       enableWildcards: true,
-      logEvents: false
+      logEvents: false,
+      // 🔐 Opciones de seguridad
+      strictMode: false, // Si true, rechaza eventos de apps no autorizadas
+      validateOrigin: true // Valida que appName sea una app registrada
     };
 
     this.stats = {
       emitted: 0,
-      subscriptions: 0
+      subscriptions: 0,
+      rejected: 0 // Eventos rechazados por seguridad
     };
+  }
 
-    console.log('[WuEventBus] 📡 Advanced event bus initialized');
+  /**
+   * 🔐 REGISTER APP: Registrar app autorizada para emitir eventos
+   * @param {string} appName - Nombre de la app
+   * @param {Object} options - { permissions: ['event:*'], token }
+   * @returns {string} Token de autorización
+   */
+  registerApp(appName, options = {}) {
+    const token = options.token || this._generateToken();
+
+    this.authorizedApps.set(appName, {
+      token,
+      permissions: options.permissions || ['*'], // Por defecto puede emitir todo
+      registeredAt: Date.now()
+    });
+
+    return token;
   }
 
   /**
-   * 📢 EMIT: Emitir evento
+   * 🔓 UNREGISTER APP: Desregistrar app
+   * @param {string} appName
+   */
+  unregisterApp(appName) {
+    this.authorizedApps.delete(appName);
+  }
+
+  /**
+   * 🔐 VALIDATE ORIGIN: Verificar que el emisor está autorizado
+   * @param {string} eventName
+   * @param {string} appName
+   * @param {string} token
+   * @returns {boolean}
+   */
+  _validateOrigin(eventName, appName, token) {
+    // Eventos del sistema siempre permitidos
+    if (this._isSystemEvent(eventName)) {
+      return true;
+    }
+
+    // Si no está en modo estricto, permitir todo
+    if (!this.config.strictMode) {
+      return true;
+    }
+
+    // Verificar que la app esté registrada
+    const appInfo = this.authorizedApps.get(appName);
+    if (!appInfo) {
+      return false;
+    }
+
+    // Verificar token si se proporciona
+    if (token && appInfo.token !== token) {
+      return false;
+    }
+
+    // Verificar permisos
+    return this._hasPermission(appInfo.permissions, eventName);
+  }
+
+  /**
+   * 🔐 HAS PERMISSION: Verificar si la app tiene permiso para el evento
+   */
+  _hasPermission(permissions, eventName) {
+    if (permissions.includes('*')) return true;
+
+    return permissions.some(pattern => {
+      if (pattern === eventName) return true;
+      if (pattern.includes('*')) {
+        return this.matchesWildcard(eventName, pattern);
+      }
+      return false;
+    });
+  }
+
+  /**
+   * 🔐 IS SYSTEM EVENT: Verificar si es un evento del sistema
+   */
+  _isSystemEvent(eventName) {
+    return eventName.startsWith('wu:') ||
+           eventName.startsWith('system:') ||
+           eventName.startsWith('app:');
+  }
+
+  /**
+   * 🔐 GENERATE TOKEN: Generar token único
+   */
+  _generateToken() {
+    return `wu_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+  }
+
+  /**
+   * 📢 EMIT: Emitir evento con validación de origen
    * @param {string} eventName - Nombre del evento
    * @param {*} data - Datos del evento
-   * @param {Object} options - Opciones { appName, timestamp, meta }
+   * @param {Object} options - { appName, timestamp, meta, token }
    */
   emit(eventName, data, options = {}) {
+    const appName = options.appName || 'unknown';
+
+    // 🔐 Validar origen si está habilitado
+    if (this.config.validateOrigin && this.config.strictMode) {
+      if (!this._validateOrigin(eventName, appName, options.token)) {
+        this.stats.rejected++;
+        console.warn(`[WuEventBus] 🚫 Event rejected: ${eventName} from ${appName} (unauthorized)`);
+        return false;
+      }
+    }
+
     const event = {
       name: eventName,
       data,
       timestamp: options.timestamp || Date.now(),
-      appName: options.appName || 'unknown',
-      meta: options.meta || {}
+      appName,
+      meta: options.meta || {},
+      // 🔐 Marcar si el origen fue verificado
+      verified: this.authorizedApps.has(appName)
     };
 
     // Agregar a historial
@@ -71,13 +181,11 @@ export class WuEventBus {
     }
 
     this.stats.emitted++;
+    return true;
   }
 
   /**
    * 👂 ON: Suscribirse a evento
-   * @param {string} eventName - Nombre del evento (puede usar wildcards: 'app.*', '*.update')
-   * @param {Function} callback - Callback a ejecutar
-   * @returns {Function} Función para desuscribirse
    */
   on(eventName, callback) {
     if (!this.listeners.has(eventName)) {
@@ -87,48 +195,36 @@ export class WuEventBus {
     this.listeners.get(eventName).add(callback);
     this.stats.subscriptions++;
 
-    // Retornar función de desuscripción
     return () => this.off(eventName, callback);
   }
 
   /**
    * 🔇 OFF: Desuscribirse de evento
-   * @param {string} eventName - Nombre del evento
-   * @param {Function} callback - Callback a remover
    */
   off(eventName, callback) {
     const listeners = this.listeners.get(eventName);
     if (listeners) {
       listeners.delete(callback);
-
-      // Limpiar si no quedan listeners
       if (listeners.size === 0) {
         this.listeners.delete(eventName);
       }
-
       this.stats.subscriptions--;
     }
   }
 
   /**
    * 🎯 ONCE: Suscribirse una sola vez
-   * @param {string} eventName - Nombre del evento
-   * @param {Function} callback - Callback a ejecutar
-   * @returns {Function} Función para desuscribirse
    */
   once(eventName, callback) {
     const wrappedCallback = (event) => {
       callback(event);
       this.off(eventName, wrappedCallback);
     };
-
     return this.on(eventName, wrappedCallback);
   }
 
   /**
-   * 🌟 WILDCARD LISTENERS: Notificar listeners con wildcards
-   * @param {string} eventName - Nombre del evento emitido
-   * @param {Object} event - Objeto del evento
+   * 🌟 WILDCARD LISTENERS
    */
   notifyWildcardListeners(eventName, event) {
     for (const [pattern, listeners] of this.listeners) {
@@ -145,41 +241,29 @@ export class WuEventBus {
   }
 
   /**
-   * 🎯 MATCHES WILDCARD: Verificar si evento coincide con patrón wildcard
-   * @param {string} eventName - Nombre del evento
-   * @param {string} pattern - Patrón con wildcards
-   * @returns {boolean}
+   * 🎯 MATCHES WILDCARD
    */
   matchesWildcard(eventName, pattern) {
-    // Si no hay wildcard, ya se procesó en listeners exactos
     if (!pattern.includes('*')) return false;
-
-    // Convertir pattern a regex
     const regexPattern = pattern
       .replace(/\./g, '\\.')
       .replace(/\*/g, '.*');
-
     const regex = new RegExp(`^${regexPattern}$`);
     return regex.test(eventName);
   }
 
   /**
-   * 📝 ADD TO HISTORY: Agregar evento al historial
-   * @param {Object} event - Evento
+   * 📝 ADD TO HISTORY
    */
   addToHistory(event) {
     this.history.push(event);
-
-    // Mantener tamaño máximo
     if (this.history.length > this.config.maxHistory) {
       this.history.shift();
     }
   }
 
   /**
-   * 🔄 REPLAY: Reproducir eventos del historial
-   * @param {string} eventNameOrPattern - Nombre o patrón de eventos a reproducir
-   * @param {Function} callback - Callback para cada evento
+   * 🔄 REPLAY
    */
   replay(eventNameOrPattern, callback) {
     const events = this.history.filter(event => {
@@ -189,8 +273,6 @@ export class WuEventBus {
       return event.name === eventNameOrPattern;
     });
 
-    console.log(`[WuEventBus] 🔄 Replaying ${events.length} events for ${eventNameOrPattern}`);
-
     events.forEach(event => {
       try {
         callback(event);
@@ -201,13 +283,11 @@ export class WuEventBus {
   }
 
   /**
-   * 🧹 CLEAR HISTORY: Limpiar historial de eventos
-   * @param {string} eventNameOrPattern - Patrón de eventos a limpiar (opcional)
+   * 🧹 CLEAR HISTORY
    */
   clearHistory(eventNameOrPattern) {
     if (!eventNameOrPattern) {
       this.history = [];
-      console.log('[WuEventBus] 🧹 Event history cleared');
       return;
     }
 
@@ -220,14 +300,14 @@ export class WuEventBus {
   }
 
   /**
-   * 📊 GET STATS: Obtener estadísticas
-   * @returns {Object}
+   * 📊 GET STATS
    */
   getStats() {
     return {
       ...this.stats,
       activeListeners: this.listeners.size,
       historySize: this.history.length,
+      authorizedApps: this.authorizedApps.size,
       listenersByEvent: Array.from(this.listeners.entries()).map(([event, listeners]) => ({
         event,
         listeners: listeners.size
@@ -236,22 +316,31 @@ export class WuEventBus {
   }
 
   /**
-   * ⚙️ CONFIGURE: Configurar event bus
-   * @param {Object} config - Nueva configuración
+   * ⚙️ CONFIGURE
    */
   configure(config) {
-    this.config = {
-      ...this.config,
-      ...config
-    };
+    this.config = { ...this.config, ...config };
+  }
+
+  /**
+   * 🔐 ENABLE STRICT MODE: Activar modo estricto de seguridad
+   */
+  enableStrictMode() {
+    this.config.strictMode = true;
+  }
+
+  /**
+   * 🔓 DISABLE STRICT MODE
+   */
+  disableStrictMode() {
+    this.config.strictMode = false;
   }
 
   /**
-   * 🗑️ REMOVE ALL: Remover todos los listeners
+   * 🗑️ REMOVE ALL
    */
   removeAll() {
     this.listeners.clear();
     this.stats.subscriptions = 0;
-    console.log('[WuEventBus] 🗑️ All listeners removed');
   }
 }

package/src/core/wu-manifest.js

@@ -1,6 +1,6 @@
 /**
- * 📋 WU-MANIFEST: SISTEMA DE MANIFIESTOS SIMPLIFICADO
- * Maneja wu.json sin complicaciones innecesarias
+ * 📋 WU-MANIFEST: SECURE MANIFEST SYSTEM
+ * Validación estricta de wu.json para seguridad
  */
 
 export class WuManifest {
@@ -8,10 +8,33 @@ export class WuManifest {
     this.cache = new Map();
     this.schemas = new Map();
 
-    // Definir schema básico
-    this.defineSchema();
+    // 🔐 Configuración de seguridad
+    this.security = {
+      maxManifestSize: 100 * 1024, // 100KB máximo
+      maxNameLength: 50,
+      maxEntryLength: 200,
+      maxExports: 100,
+      maxImports: 50,
+      maxRoutes: 100,
+      // Patrones peligrosos en paths
+      dangerousPatterns: [
+        /\.\./,           // Path traversal
+        /^\/etc\//,       // System paths
+        /^\/proc\//,
+        /^file:\/\//,     // File protocol
+        /javascript:/i,   // JS injection
+        /data:/i,         // Data URLs
+        /<script/i,       // Script tags
+        /on\w+\s*=/i      // Event handlers
+      ],
+      // Dominios bloqueados
+      blockedDomains: [
+        'evil.com',
+        'malware.com'
+      ]
+    };
 
-    console.log('[WuManifest] 📋 Manifest system initialized');
+    this.defineSchema();
   }
 
   /**
@@ -67,7 +90,19 @@ export class WuManifest {
       }
 
       const manifestText = await response.text();
-      const manifest = JSON.parse(manifestText);
+
+      // 🔐 Validar tamaño del manifest
+      if (manifestText.length > this.security.maxManifestSize) {
+        throw new Error(`Manifest too large (${manifestText.length} bytes, max ${this.security.maxManifestSize})`);
+      }
+
+      // 🔐 Intentar parsear JSON de forma segura
+      let manifest;
+      try {
+        manifest = JSON.parse(manifestText);
+      } catch (parseError) {
+        throw new Error(`Invalid JSON in manifest: ${parseError.message}`);
+      }
 
       // Validar manifest
       const validatedManifest = this.validate(manifest);
@@ -133,13 +168,64 @@ export class WuManifest {
   }
 
   /**
-   * Validar manifest contra schema
+   * 🔐 SANITIZE STRING: Limpiar string de caracteres peligrosos
+   */
+  _sanitizeString(str) {
+    if (typeof str !== 'string') return '';
+    return str
+      .replace(/[<>'"]/g, '') // Remove HTML chars
+      .replace(/[\x00-\x1F\x7F]/g, '') // Remove control chars
+      .trim();
+  }
+
+  /**
+   * 🔐 CHECK DANGEROUS PATTERNS: Verificar patrones peligrosos
+   */
+  _hasDangerousPatterns(str) {
+    if (typeof str !== 'string') return false;
+    return this.security.dangerousPatterns.some(pattern => pattern.test(str));
+  }
+
+  /**
+   * 🔐 VALIDATE URL: Verificar que URL es segura
+   */
+  _isUrlSafe(url) {
+    if (typeof url !== 'string') return false;
+
+    // Verificar patrones peligrosos
+    if (this._hasDangerousPatterns(url)) {
+      return false;
+    }
+
+    // Verificar dominios bloqueados
+    try {
+      const urlObj = new URL(url, 'http://localhost');
+      if (this.security.blockedDomains.some(d => urlObj.hostname.includes(d))) {
+        return false;
+      }
+    } catch {
+      // Si no es URL válida, verificar como path
+      if (this._hasDangerousPatterns(url)) {
+        return false;
+      }
+    }
+
+    return true;
+  }
+
+  /**
+   * Validar manifest contra schema con validación de seguridad
    * @param {Object} manifest - Manifest a validar
    * @returns {Object} Manifest validado
    */
   validate(manifest) {
     const schema = this.schemas.get('wu.json');
 
+    // 🔐 Verificar que manifest es un objeto
+    if (!manifest || typeof manifest !== 'object' || Array.isArray(manifest)) {
+      throw new Error('Manifest must be a valid object');
+    }
+
     // Verificar campos requeridos
     for (const field of schema.required) {
       if (!manifest[field]) {
@@ -147,23 +233,68 @@ export class WuManifest {
       }
     }
 
+    // 🔐 Validar nombre
+    if (typeof manifest.name !== 'string') {
+      throw new Error('name must be a string');
+    }
+    if (manifest.name.length > this.security.maxNameLength) {
+      throw new Error(`name too long (max ${this.security.maxNameLength} chars)`);
+    }
+    if (this._hasDangerousPatterns(manifest.name)) {
+      throw new Error('name contains dangerous patterns');
+    }
+
+    // 🔐 Validar entry
+    if (typeof manifest.entry !== 'string') {
+      throw new Error('entry must be a string');
+    }
+    if (manifest.entry.length > this.security.maxEntryLength) {
+      throw new Error(`entry too long (max ${this.security.maxEntryLength} chars)`);
+    }
+    if (!this._isUrlSafe(manifest.entry)) {
+      throw new Error('entry contains dangerous patterns');
+    }
+
     // Verificar tipos en sección wu
     if (manifest.wu) {
       const wu = manifest.wu;
-      const wuSchema = schema.wu;
 
       if (wu.exports && typeof wu.exports !== 'object') {
         throw new Error('wu.exports must be an object');
       }
 
+      // 🔐 Validar límites de exports
+      if (wu.exports && Object.keys(wu.exports).length > this.security.maxExports) {
+        throw new Error(`Too many exports (max ${this.security.maxExports})`);
+      }
+
+      // 🔐 Validar cada export path
+      if (wu.exports) {
+        for (const [key, path] of Object.entries(wu.exports)) {
+          if (!this._isUrlSafe(path)) {
+            throw new Error(`Dangerous export path: ${key}`);
+          }
+        }
+      }
+
       if (wu.imports && !Array.isArray(wu.imports)) {
         throw new Error('wu.imports must be an array');
       }
 
+      // 🔐 Validar límites de imports
+      if (wu.imports && wu.imports.length > this.security.maxImports) {
+        throw new Error(`Too many imports (max ${this.security.maxImports})`);
+      }
+
       if (wu.routes && !Array.isArray(wu.routes)) {
         throw new Error('wu.routes must be an array');
       }
 
+      // 🔐 Validar límites de routes
+      if (wu.routes && wu.routes.length > this.security.maxRoutes) {
+        throw new Error(`Too many routes (max ${this.security.maxRoutes})`);
+      }
+
       if (wu.permissions && !Array.isArray(wu.permissions)) {
         throw new Error('wu.permissions must be an array');
       }

package/src/core/wu-plugin.js

@@ -1,53 +1,168 @@
 /**
- * 🔌 WU-PLUGIN: EXTENSIBLE PLUGIN SYSTEM
+ * 🔌 WU-PLUGIN: SECURE PLUGIN SYSTEM
  *
- * Sistema de plugins para extender wu-framework sin modificar el core
+ * Sistema de plugins con sandboxing de seguridad
  * - Plugin lifecycle (install, beforeMount, afterMount, etc.)
- * - Dependency injection
- * - Plugin communication
+ * - Sandboxed API (plugins no tienen acceso completo al core)
+ * - Permission system
+ * - Timeout protection
  */
 
 export class WuPluginSystem {
   constructor(core) {
-    this.core = core;
-    this.plugins = new Map(); // name -> plugin instance
-    this.hooks = new Map(); // hook name -> [callbacks]
+    this._core = core; // Privado - no expuesto a plugins
+    this.plugins = new Map();
+    this.hooks = new Map();
 
     // Hooks disponibles
     this.availableHooks = [
-      'beforeInit',
-      'afterInit',
-      'beforeMount',
-      'afterMount',
-      'beforeUnmount',
-      'afterUnmount',
-      'onError',
-      'onDestroy'
+      'beforeInit', 'afterInit',
+      'beforeMount', 'afterMount',
+      'beforeUnmount', 'afterUnmount',
+      'onError', 'onDestroy'
     ];
 
-    // Inicializar hooks
+    // 🔐 Permisos disponibles
+    this.availablePermissions = [
+      'mount',      // Puede montar/desmontar apps
+      'events',     // Puede emitir/escuchar eventos
+      'store',      // Puede leer/escribir store
+      'apps',       // Puede ver lista de apps
+      'config',     // Puede modificar configuración
+      'unsafe'      // Acceso completo (peligroso)
+    ];
+
+    // 🔐 Timeout para hooks (evita que plugins bloqueen)
+    this.hookTimeout = 5000; // 5 segundos
+
     this.availableHooks.forEach(hook => {
       this.hooks.set(hook, []);
     });
+  }
+
+  /**
+   * 🔐 CREATE SANDBOXED API: Crea API limitada para el plugin
+   * @param {Array} permissions - Permisos del plugin
+   * @returns {Object} API sandboxeada
+   */
+  _createSandboxedApi(permissions) {
+    const api = {
+      // Info básica siempre disponible
+      version: this._core.version,
+      info: this._core.info,
+
+      // 📊 Métodos de solo lectura
+      getAppInfo: (appName) => {
+        const mounted = this._core.mounted.get(appName);
+        if (!mounted) return null;
+        return {
+          name: appName,
+          state: mounted.state,
+          timestamp: mounted.timestamp
+        };
+      },
+
+      getMountedApps: () => {
+        return Array.from(this._core.mounted.keys());
+      },
+
+      getStats: () => this._core.getStats()
+    };
+
+    // 🔐 Agregar métodos según permisos
+    if (permissions.includes('events') || permissions.includes('unsafe')) {
+      api.emit = (event, data) => this._core.eventBus.emit(event, data, { appName: 'plugin' });
+      api.on = (event, cb) => this._core.eventBus.on(event, cb);
+      api.off = (event, cb) => this._core.eventBus.off(event, cb);
+    }
+
+    if (permissions.includes('store') || permissions.includes('unsafe')) {
+      api.getState = (path) => this._core.store.get(path);
+      api.setState = (path, value) => this._core.store.set(path, value);
+    }
+
+    if (permissions.includes('mount') || permissions.includes('unsafe')) {
+      api.mount = (appName, container) => this._core.mount(appName, container);
+      api.unmount = (appName) => this._core.unmount(appName);
+    }
+
+    if (permissions.includes('config') || permissions.includes('unsafe')) {
+      api.configure = (config) => {
+        // Solo permitir configuración segura
+        const safeKeys = ['debug', 'logLevel'];
+        const safeConfig = {};
+        for (const key of safeKeys) {
+          if (key in config) safeConfig[key] = config[key];
+        }
+        Object.assign(this._core, safeConfig);
+      };
+    }
+
+    // 🚨 Acceso completo solo con permiso 'unsafe'
+    if (permissions.includes('unsafe')) {
+      api._unsafeCore = this._core;
+      console.warn('[WuPlugin] ⚠️ Plugin has unsafe access to core!');
+    }
+
+    // Congelar API para evitar modificaciones
+    return Object.freeze(api);
+  }
+
+  /**
+   * 🔐 VALIDATE PLUGIN: Validar estructura del plugin
+   * @param {Object} plugin
+   * @returns {boolean}
+   */
+  _validatePlugin(plugin) {
+    if (!plugin || typeof plugin !== 'object') {
+      throw new Error('[WuPlugin] Invalid plugin: must be an object');
+    }
+
+    if (!plugin.name || typeof plugin.name !== 'string') {
+      throw new Error('[WuPlugin] Invalid plugin: must have a name (string)');
+    }
+
+    if (plugin.name.length > 50) {
+      throw new Error('[WuPlugin] Invalid plugin: name too long (max 50 chars)');
+    }
+
+    // Validar que los hooks sean funciones
+    for (const hookName of this.availableHooks) {
+      if (plugin[hookName] && typeof plugin[hookName] !== 'function') {
+        throw new Error(`[WuPlugin] Invalid plugin: ${hookName} must be a function`);
+      }
+    }
+
+    // Validar permisos
+    if (plugin.permissions) {
+      if (!Array.isArray(plugin.permissions)) {
+        throw new Error('[WuPlugin] Invalid plugin: permissions must be an array');
+      }
+
+      for (const perm of plugin.permissions) {
+        if (!this.availablePermissions.includes(perm)) {
+          throw new Error(`[WuPlugin] Invalid permission: ${perm}`);
+        }
+      }
+    }
 
-    console.log('[WuPlugin] 🔌 Plugin system initialized');
+    return true;
   }
 
   /**
-   * 📦 USE: Instalar plugin
+   * 📦 USE: Instalar plugin con sandboxing
    * @param {Object|Function} plugin - Plugin o factory function
    * @param {Object} options - Opciones del plugin
    */
   use(plugin, options = {}) {
     // Si es una función, ejecutarla para obtener el plugin
+    // Nota: factory functions NO reciben acceso al core
     if (typeof plugin === 'function') {
-      plugin = plugin(this.core, options);
+      plugin = plugin(options);
     }
 
     // Validar plugin
-    if (!plugin.name) {
-      throw new Error('[WuPlugin] Plugin must have a name property');
-    }
+    this._validatePlugin(plugin);
 
     // Verificar si ya está instalado
     if (this.plugins.has(plugin.name)) {
@@ -55,15 +170,28 @@ export class WuPluginSystem {
       return;
     }
 
-    // Ejecutar install del plugin
+    // Determinar permisos (por defecto: solo eventos)
+    const permissions = plugin.permissions || ['events'];
+
+    // 🔐 Crear API sandboxeada
+    const sandboxedApi = this._createSandboxedApi(permissions);
+
+    // Ejecutar install del plugin con API sandboxeada
     if (plugin.install) {
-      plugin.install(this.core, options);
+      try {
+        plugin.install(sandboxedApi, options);
+      } catch (error) {
+        console.error(`[WuPlugin] Error installing "${plugin.name}":`, error);
+        throw error;
+      }
     }
 
-    // Registrar hooks del plugin
+    // Registrar hooks del plugin con protección
     this.availableHooks.forEach(hookName => {
       if (typeof plugin[hookName] === 'function') {
-        this.registerHook(hookName, plugin[hookName].bind(plugin));
+        // Wrap el hook con timeout y try-catch
+        const wrappedHook = this._wrapHook(plugin[hookName].bind(plugin), plugin.name, hookName);
+        this.registerHook(hookName, wrappedHook);
       }
     });
 
@@ -71,31 +199,52 @@ export class WuPluginSystem {
     this.plugins.set(plugin.name, {
       plugin,
       options,
+      permissions,
+      sandboxedApi,
       installedAt: Date.now()
     });
 
-    console.log(`[WuPlugin] ✅ Plugin "${plugin.name}" installed`);
+    console.log(`[WuPlugin] ✅ Plugin "${plugin.name}" installed (permissions: ${permissions.join(', ')})`);
+  }
+
+  /**
+   * 🔐 WRAP HOOK: Envolver hook con timeout y error handling
+   */
+  _wrapHook(hookFn, pluginName, hookName) {
+    return async (context) => {
+      const timeoutPromise = new Promise((_, reject) => {
+        setTimeout(() => {
+          reject(new Error(`Plugin "${pluginName}" hook "${hookName}" timed out after ${this.hookTimeout}ms`));
+        }, this.hookTimeout);
+      });
+
+      try {
+        // Race entre el hook y el timeout
+        return await Promise.race([
+          hookFn(context),
+          timeoutPromise
+        ]);
+      } catch (error) {
+        console.error(`[WuPlugin] Error in ${pluginName}.${hookName}:`, error);
+        // No propagar error para no romper otros plugins
+        return undefined;
+      }
+    };
   }
 
   /**
-   * 🪝 REGISTER HOOK: Registrar callback en un hook
-   * @param {string} hookName - Nombre del hook
-   * @param {Function} callback - Función callback
+   * 🪝 REGISTER HOOK
    */
   registerHook(hookName, callback) {
     if (!this.hooks.has(hookName)) {
       console.warn(`[WuPlugin] Unknown hook: ${hookName}`);
       return;
     }
-
     this.hooks.get(hookName).push(callback);
   }
 
   /**
-   * 🎯 CALL HOOK: Ejecutar todos los callbacks de un hook
-   * @param {string} hookName - Nombre del hook
-   * @param {*} context - Contexto a pasar a los callbacks
-   * @returns {Promise<boolean>} false si algún callback cancela la operación
+   * 🎯 CALL HOOK
    */
   async callHook(hookName, context) {
     const callbacks = this.hooks.get(hookName) || [];
@@ -103,17 +252,11 @@ export class WuPluginSystem {
     for (const callback of callbacks) {
       try {
         const result = await callback(context);
-
-        // Si retorna false, cancelar operación
         if (result === false) {
-          console.log(`[WuPlugin] Hook ${hookName} cancelled by plugin`);
           return false;
         }
       } catch (error) {
         console.error(`[WuPlugin] Error in hook ${hookName}:`, error);
-
-        // Llamar hook de error
-        await this.callHook('onError', { hookName, error, context });
       }
     }
 
@@ -121,61 +264,46 @@ export class WuPluginSystem {
   }
 
   /**
-   * 🗑️ UNINSTALL: Desinstalar plugin
-   * @param {string} pluginName - Nombre del plugin
+   * 🗑️ UNINSTALL
    */
   uninstall(pluginName) {
     const pluginData = this.plugins.get(pluginName);
-
     if (!pluginData) {
       console.warn(`[WuPlugin] Plugin "${pluginName}" not found`);
       return;
     }
 
-    const { plugin } = pluginData;
+    const { plugin, sandboxedApi } = pluginData;
 
-    // Ejecutar uninstall si existe
     if (plugin.uninstall) {
-      plugin.uninstall(this.core);
-    }
-
-    // Remover hooks del plugin
-    this.availableHooks.forEach(hookName => {
-      if (typeof plugin[hookName] === 'function') {
-        const callbacks = this.hooks.get(hookName);
-        const index = callbacks.indexOf(plugin[hookName]);
-        if (index > -1) {
-          callbacks.splice(index, 1);
-        }
+      try {
+        plugin.uninstall(sandboxedApi);
+      } catch (error) {
+        console.error(`[WuPlugin] Error uninstalling "${pluginName}":`, error);
       }
-    });
+    }
 
-    // Remover plugin
     this.plugins.delete(pluginName);
-
     console.log(`[WuPlugin] ✅ Plugin "${pluginName}" uninstalled`);
   }
 
   /**
-   * 📋 GET PLUGIN: Obtener plugin instalado
-   * @param {string} pluginName - Nombre del plugin
-   * @returns {Object}
+   * 📋 GET PLUGIN
    */
   getPlugin(pluginName) {
     return this.plugins.get(pluginName)?.plugin;
   }
 
   /**
-   * 📊 GET STATS: Estadísticas de plugins
-   * @returns {Object}
+   * 📊 GET STATS
    */
   getStats() {
     return {
       totalPlugins: this.plugins.size,
       plugins: Array.from(this.plugins.entries()).map(([name, data]) => ({
         name,
-        installedAt: data.installedAt,
-        hasUninstall: typeof data.plugin.uninstall === 'function'
+        permissions: data.permissions,
+        installedAt: data.installedAt
       })),
       hooks: Array.from(this.hooks.entries()).map(([name, callbacks]) => ({
         name,
@@ -185,23 +313,25 @@ export class WuPluginSystem {
   }
 
   /**
-   * 🧹 CLEANUP: Limpiar todos los plugins
+   * 🧹 CLEANUP
    */
   cleanup() {
     for (const [name] of this.plugins) {
       this.uninstall(name);
     }
-
-    console.log('[WuPlugin] 🧹 All plugins cleaned up');
   }
 }
 
 /**
- * 📦 PLUGIN HELPER: Helper para crear plugins fácilmente
+ * 📦 PLUGIN HELPER: Helper para crear plugins
+ * @param {Object} config - Configuración del plugin
+ * @param {string} config.name - Nombre del plugin
+ * @param {Array} config.permissions - Permisos requeridos
  */
 export const createPlugin = (config) => {
   return {
     name: config.name,
+    permissions: config.permissions || ['events'],
     install: config.install,
     uninstall: config.uninstall,
     beforeMount: config.beforeMount,

package/src/index.js

@@ -103,7 +103,7 @@ if (typeof window !== 'undefined') {
 
   // Configurar propiedades si no existen
   if (!wu.version) {
-    wu.version = '1.0.5';
+    wu.version = '1.0.6';
     console.log('🚀 Wu Framework loaded - Universal Microfrontends ready');
     wu.info = {
       name: 'Wu Framework',