
Plugin Security Advanced

Plugin Security Advanced protocol schemas

Plugin Security and Sandboxing Protocol

Defines comprehensive security mechanisms for plugin isolation, permission management, and threat protection in the ObjectStack ecosystem.

Features:

  • Fine-grained permission system
  • Resource access control
  • Sandboxing and isolation
  • Security scanning and verification
  • Runtime security monitoring

Source: packages/spec/src/kernel/plugin-security-advanced.zod.ts

TypeScript Usage

import { KernelSecurityPolicy, KernelSecurityScanResult, KernelSecurityVulnerability, Permission, PermissionAction, PermissionScope, PluginSecurityManifest, PluginTrustLevel, ResourceType, RuntimeConfig, SandboxConfig } from '@objectstack/spec/kernel';
// The same names are also exported as the inferred TypeScript types, so this single import
// serves both runtime validation and type annotations; repeating them in a separate
// `import type { ... }` would declare each identifier twice.

// Validate data (throws a ZodError when the input does not match the schema)
const result = KernelSecurityPolicy.parse(data);

KernelSecurityPolicy

Properties

Property         Type     Required   Description
csp              Object   optional
cors             Object   optional
rateLimit        Object   optional
authentication   Object   optional
encryption       Object   optional
auditLog         Object   optional

KernelSecurityScanResult

Properties

Property                    Type                                    Required   Description
timestamp                   string                                  required
scanner                     Object                                  required
status                      Enum<'passed' | 'failed' | 'warning'>   required
vulnerabilities             Object[]                                optional
codeIssues                  Object[]                                optional
dependencyVulnerabilities   Object[]                                optional
licenseCompliance           Object                                  optional
summary                     Object                                  required

KernelSecurityVulnerability

Properties

Property           Type                                                   Required   Description
cve                string                                                 optional
id                 string                                                 required
severity           Enum<'critical' | 'high' | 'medium' | 'low' | 'info'>   required
category           string                                                 optional
title              string                                                 required
location           string                                                 optional
remediation        string                                                 optional
description        string                                                 required
affectedVersions   string[]                                               required
fixedIn            string[]                                               optional
cvssScore          number                                                 optional
exploitAvailable   boolean                                                required
patchAvailable     boolean                                                required
workaround         string                                                 optional
references         string[]                                               optional
discoveredDate     string                                                 optional
publishedDate      string                                                 optional

Permission

Properties

Property        Type                                                       Required   Description
id              string                                                     required   Unique permission identifier
resource        Enum<'data.object' | 'data.record' | 'data.field' |
                  'ui.view' | 'ui.dashboard' | 'ui.report' |
                  'system.config' | 'system.plugin' | 'system.api' |
                  'system.service' | 'storage.file' | 'storage.database' |
                  'network.http' | 'network.websocket' |
                  'process.spawn' | 'process.env'>                         required   Type of resource being accessed
actions         Enum<'create' | 'read' | 'update' | 'delete' |
                  'execute' | 'manage' | 'configure' | 'share' |
                  'export' | 'import' | 'admin'>[]                         required
scope           Enum<'global' | 'tenant' | 'user' | 'resource' | 'plugin'>   required   Scope of permission application
filter          Object                                                     optional
description     string                                                     required
required        boolean                                                    required
justification   string                                                     optional   Why this permission is needed

PermissionAction

Type of action being permitted

Allowed Values

  • create
  • read
  • update
  • delete
  • execute
  • manage
  • configure
  • share
  • export
  • import
  • admin

PermissionScope

Scope of permission application

Allowed Values

  • global
  • tenant
  • user
  • resource
  • plugin

PluginSecurityManifest

Properties

Property                  Type                                                                  Required   Description
pluginId                  string                                                                required
trustLevel                Enum<'verified' | 'trusted' | 'community' | 'untrusted' | 'blocked'>   required   Trust level of the plugin
permissions               Object                                                                required
sandbox                   Object                                                                required
policy                    Object                                                                optional
scanResults               Object[]                                                              optional
vulnerabilities           Object[]                                                              optional
codeSigning               Object                                                                optional
certifications            Object[]                                                              optional
securityContact           Object                                                                optional
vulnerabilityDisclosure   Object                                                                optional

PluginTrustLevel

Trust level of the plugin

Allowed Values

  • verified
  • trusted
  • community
  • untrusted
  • blocked

ResourceType

Type of resource being accessed

Allowed Values

  • data.object
  • data.record
  • data.field
  • ui.view
  • ui.dashboard
  • ui.report
  • system.config
  • system.plugin
  • system.api
  • system.service
  • storage.file
  • storage.database
  • network.http
  • network.websocket
  • process.spawn
  • process.env

RuntimeConfig

Properties

Property         Type                                                  Required   Description
engine           Enum<'v8-isolate' | 'wasm' | 'container' | 'process'>   required   Execution environment engine
engineConfig     Object                                                optional
resourceLimits   Object                                                optional

SandboxConfig

Properties

Property      Type                                                          Required   Description
enabled       boolean                                                       required
level         Enum<'none' | 'minimal' | 'standard' | 'strict' | 'paranoid'>   required
runtime       Object                                                        optional   Execution environment and isolation settings
filesystem    Object                                                        optional
network       Object                                                        optional
process       Object                                                        optional
memory        Object                                                        optional
cpu           Object                                                        optional
environment   Object                                                        optional
