orion-ecs / keen-eye / 20667926793

65%

Build Type

push

github

Committed by tyevco

Commit Message

feat(editor): Add plugin security and sandboxing system

Implement comprehensive plugin security infrastructure with:

Phase 1 - Code Analysis & Signing:
- AssemblyAnalyzer: Static IL analysis using System.Reflection.Metadata
- Detects reflection, unsafe code, P/Invoke, file/network access patterns
- PluginSignatureVerifier: Validates assembly signatures
- TrustedPublisherStore: Manages trusted signing keys
- PluginSecurityManager: Coordinates security checks before plugin load
- SecurityConfiguration: Configurable analysis modes (WarnOnly/Block)

Phase 2 - Permission System:
- PluginPermission: 64-bit flags enum with 24 permissions + composites
- PermissionManager: Grants/revokes/validates per-plugin permissions
- SecurePluginContext: Permission-aware IEditorContext wrapper
- Capability-to-permission mapping (Menu→MenuAccess, Panel→PanelAccess)
- Async permission request flow with user consent handler
- Persistent storage at ~/.keeneyes/plugin-permissions.json

Integration:
- PluginLoader runs security checks before assembly loading
- EditorPluginManager uses SecurePluginContext when enabled
- PluginManifest supports security and permissions sections

Closes #677

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Coverage Stats

5309 of 6365 branches covered (83.41%)

Branch coverage included in aggregate %.

774 of 1050 new or added lines in 16 files covered. (73.71%)

4 existing lines in 3 files now uncovered.

34088 of 42355 relevant lines covered (80.48%)

1.15 hits per line