Owlibou/gnoma
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(plugin): trust-on-first-use manifest pinning

Browse Source 
Plugins are now verified against ~/.config/gnoma/plugins.pins.toml at
load time. Each plugin's plugin.json bytes are hashed (SHA-256) and:

- recorded automatically on first load (TOFU) with a prominent warning
- compared on subsequent loads
- refused with a clear error if the hash drifted, without overwriting
  the pin so the user can review and re-enrol deliberately

Pin-store I/O failures degrade to load-without-pinning rather than
locking the user out of previously-trusted plugins.

Closes audit finding C2. See ADR-003 for the decision rationale and
docs/plugins-trust.md for the end-user trust model.
This commit is contained in:
vikingowl
2026-05-19 16:44:09 +02:00
parent c44db99b41
commit dc438ea181
9 changed files with 546 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/essentials/INDEX.md
+6
View File
@@ -33,3 +33,9 @@ essentials:
| 10 | Milestones | complete | [milestones.md](milestones.md) | 2026-04-03 |
| 11 | Decision Log | complete | [decisions/001-initial-decisions.md](decisions/001-initial-decisions.md) | 2026-04-03 |
| 12 | Risk / Unknowns | complete | [risks.md](risks.md) | 2026-04-03 |
## Architecture Decision Records
- [ADR-001 — Initial Decisions](decisions/001-initial-decisions.md)
- [ADR-002 — SLM Routing](decisions/002-slm-routing.md)
- [ADR-003 — Plugin Trust via TOFU Manifest Pinning](decisions/003-plugin-trust.md)