Plugin Repository Policy

This document defines publish requirements for the website-hosted plugin repo.

Required release artifacts

Every published release must include:

  • immutable ZIP package at /repo/packages/<pluginId>/<version>.zip
  • immutable scan report at /repo/reports/<pluginId>/<version>.json
  • manifest entry in /repo/plugins.json with:
    - sha256 of the ZIP package
    - entry signature
    - status (active or revoked)

Required metadata

  • pluginId (lowercase slug)
  • version (semver)
  • tier
  • minPBVersion
  • changelog

Required package files

  • manifest.json at package root
    - id must match pluginId
    - version must match release version

  • lockfile required (package-lock.json, pnpm-lock.yaml, or yarn.lock)
  • package.json with scripts.build and scripts.test

Security scan gates (fail closed)

Publish is blocked unless all checks pass:

1. ZIP safety check (rejects path-traversal / zip-slip entry names and blocked file extensions)

2. ClamAV malware scan

3. Policy scan (forbidden APIs / high-risk patterns)

4. Dependency/build/test checks in an isolated temp workspace:
   - npm ci (installs exactly what the lockfile pins; fails if package.json and the lockfile disagree)
   - npm audit --audit-level=high (fails on high or critical advisories)
   - npm run build
   - npm test

Any scanner error blocks publication: a scanner that crashes, times out, or cannot complete counts as a failed gate, not a skipped one.

Immutability and yanking

  • (pluginId, version) is immutable and cannot be overwritten.
  • Releases cannot be deleted from package/report storage.
  • Yanking is supported by changing manifest entry status to revoked.

Signing model

  • The repository signs with ed25519 keys generated server-side.
  • The private key never leaves server storage.
  • /repo/plugins.json includes signed metadata and a manifest signature over the whole entry list.
  • Each release entry carries its own signature (the entry signature listed under required release artifacts).