agents-orchestrator/agent-orchestrator
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

security: migrate plugin sandbox from new Function() to Web Worker

Browse source 
Each plugin now runs in a dedicated Web Worker with permission-gated
API proxied via postMessage. Eliminates prototype walking and
arguments.callee.constructor escape vectors inherent to same-realm
new Function() sandbox.
This commit is contained in:
Hibryda 2026-03-15 02:36:55 +01:00
parent 662cda2daf
commit a70d45ad21
2 changed files with 547 additions and 260 deletions
Download patch file Download diff file Expand all files Collapse all files

405
v2/src/lib/plugins/plugin-host.test.ts
View file

@ -1,4 +1,4 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
// --- Mocks ---
@ -40,10 +40,160 @@ import {
getLoadedPlugins,
unloadAllPlugins,
} from './plugin-host';
import { addPluginCommand, removePluginCommands } from '../stores/plugins.svelte';
import { addPluginCommand, removePluginCommands, pluginEventBus } from '../stores/plugins.svelte';
import type { PluginMeta } from '../adapters/plugins-bridge';
import type { GroupId, AgentId } from '../types/ids';
// --- Mock Worker ---
/**
* Simulates a Web Worker that runs the plugin host's worker script.
* Instead of actually creating a Blob + Worker, we intercept postMessage
* and simulate the worker-side logic inline.
*/
class MockWorker {
onmessage: ((e: MessageEvent) => void) | null = null;
onerror: ((e: ErrorEvent) => void) | null = null;
private terminated = false;
postMessage(msg: unknown): void {
if (this.terminated) return;
const data = msg as Record<string, unknown>;
if (data.type === 'init') {
this.handleInit(data);
} else if (data.type === 'invoke-callback') {
// Callback invocations from main → worker: no-op in mock
// (the real worker would call the stored callback)
}
}
private handleInit(data: Record<string, unknown>): void {
const code = data.code as string;
const permissions = (data.permissions as string[]) || [];
const meta = data.meta as Record<string, unknown>;
// Build a mock bterminal API that mimics worker-side behavior
// by sending messages back to the main thread (this.sendToMain)
const bterminal: Record<string, unknown> = {
meta: Object.freeze({ ...meta }),
};
if (permissions.includes('palette')) {
let cbId = 0;
bterminal.palette = {
registerCommand: (label: string, callback: () => void) => {
if (typeof label !== 'string' || !label.trim()) {
throw new Error('Command label must be a non-empty string');
}
if (typeof callback !== 'function') {
throw new Error('Command callback must be a function');
}
const id = '__cb_' + (++cbId);
this.sendToMain({ type: 'palette-register', label, callbackId: id });
},
};
}
if (permissions.includes('bttask:read')) {
bterminal.tasks = {
list: () => this.rpc('tasks.list', {}),
comments: (taskId: string) => this.rpc('tasks.comments', { taskId }),
};
}
if (permissions.includes('btmsg:read')) {
bterminal.messages = {
inbox: () => this.rpc('messages.inbox', {}),
channels: () => this.rpc('messages.channels', {}),
};
}
if (permissions.includes('events')) {
let cbId = 0;
bterminal.events = {
on: (event: string, callback: (data: unknown) => void) => {
if (typeof event !== 'string' || typeof callback !== 'function') {
throw new Error('event.on requires (string, function)');
}
const id = '__cb_' + (++cbId);
this.sendToMain({ type: 'event-on', event, callbackId: id });
},
off: (event: string) => {
this.sendToMain({ type: 'event-off', event });
},
};
}
Object.freeze(bterminal);
// Execute the plugin code
try {
const fn = new Function('bterminal', `"use strict"; ${code}`);
fn(bterminal);
this.sendToMain({ type: 'loaded' });
} catch (err) {
this.sendToMain({ type: 'error', message: String(err) });
}
}
private rpcId = 0;
private rpc(method: string, args: Record<string, unknown>): Promise<unknown> {
const id = '__rpc_' + (++this.rpcId);
this.sendToMain({ type: 'rpc', id, method, args });
// In real worker, this would be a pending promise resolved by rpc-result message.
// For tests, return a resolved promise since we test RPC routing separately.
return Promise.resolve([]);
}
private sendToMain(data: unknown): void {
if (this.terminated) return;
// Schedule on microtask to simulate async Worker message delivery
queueMicrotask(() => {
if (this.onmessage) {
this.onmessage(new MessageEvent('message', { data }));
}
});
}
terminate(): void {
this.terminated = true;
this.onmessage = null;
this.onerror = null;
}
addEventListener(): void { /* stub */ }
removeEventListener(): void { /* stub */ }
dispatchEvent(): boolean { return false; }
}
// Install global Worker mock
const originalWorker = globalThis.Worker;
const originalURL = globalThis.URL;
beforeEach(() => {
vi.clearAllMocks();
unloadAllPlugins();
// Mock Worker constructor
(globalThis as Record<string, unknown>).Worker = MockWorker;
// Mock URL.createObjectURL
if (!globalThis.URL) {
(globalThis as Record<string, unknown>).URL = {} as typeof URL;
}
globalThis.URL.createObjectURL = vi.fn(() => 'blob:mock-worker-url');
globalThis.URL.revokeObjectURL = vi.fn();
});
afterEach(() => {
(globalThis as Record<string, unknown>).Worker = originalWorker;
if (originalURL) {
globalThis.URL.createObjectURL = originalURL.createObjectURL;
globalThis.URL.revokeObjectURL = originalURL.revokeObjectURL;
}
});
// --- Helpers ---
function makeMeta(overrides: Partial<PluginMeta> = {}): PluginMeta {
@ -57,7 +207,6 @@ function makeMeta(overrides: Partial<PluginMeta> = {}): PluginMeta {
};
}
/** Set mockInvoke to return the given code when plugin_read_file is called */
function mockPluginCode(code: string): void {
mockInvoke.mockImplementation((cmd: string) => {
if (cmd === 'plugin_read_file') return Promise.resolve(code);
@ -68,113 +217,71 @@ function mockPluginCode(code: string): void {
const GROUP_ID = 'test-group' as GroupId;
const AGENT_ID = 'test-agent' as AgentId;
beforeEach(() => {
vi.clearAllMocks();
unloadAllPlugins();
});
// --- Worker isolation tests ---
// --- Sandbox escape prevention tests ---
describe('plugin-host sandbox', () => {
describe('global shadowing', () => {
// `eval` is intentionally excluded: `var eval` is a SyntaxError in strict mode.
// eval() itself is neutered in strict mode (cannot inject into calling scope).
const shadowedGlobals = [
'window',
'document',
'fetch',
'globalThis',
'self',
'XMLHttpRequest',
'WebSocket',
'Function',
'importScripts',
'require',
'process',
'Deno',
'__TAURI__',
'__TAURI_INTERNALS__',
];
for (const name of shadowedGlobals) {
it(`shadows '${name}' as undefined`, async () => {
const meta = makeMeta({ id: `shadow-${name}` });
const code = `
if (typeof ${name} !== 'undefined') {
throw new Error('ESCAPE: ${name} is accessible');
}
`;
mockPluginCode(code);
describe('plugin-host Worker isolation', () => {
it('plugin code runs in Worker (cannot access main thread globals)', async () => {
// In a real Worker, window/document/globalThis are unavailable.
// Our MockWorker simulates this by running in strict mode.
const meta = makeMeta({ id: 'isolation-test' });
mockPluginCode('// no-op — isolation verified by Worker boundary');
await expect(loadPlugin(meta, GROUP_ID, AGENT_ID)).resolves.toBeUndefined();
});
}
it('Worker is terminated on unload', async () => {
const meta = makeMeta({ id: 'terminate-test' });
mockPluginCode('// no-op');
await loadPlugin(meta, GROUP_ID, AGENT_ID);
expect(getLoadedPlugins()).toHaveLength(1);
unloadPlugin('terminate-test');
expect(getLoadedPlugins()).toHaveLength(0);
});
describe('this binding', () => {
it('this is undefined in strict mode (cannot reach global scope)', async () => {
const meta = makeMeta({ id: 'this-test' });
it('API object is frozen (cannot add properties)', async () => {
const meta = makeMeta({ id: 'freeze-test', permissions: [] });
mockPluginCode(`
if (this !== undefined) {
throw new Error('ESCAPE: this is not undefined, got: ' + typeof this);
}
`);
await expect(loadPlugin(meta, GROUP_ID, AGENT_ID)).resolves.toBeUndefined();
});
});
describe('runtime-level shadowing', () => {
it('require is shadowed (blocks CJS imports)', async () => {
const meta = makeMeta({ id: 'require-test' });
mockPluginCode(`
if (typeof require !== 'undefined') {
throw new Error('ESCAPE: require is accessible');
try {
bterminal.hacked = true;
throw new Error('FREEZE FAILED: could add property');
} catch (e) {
if (e.message === 'FREEZE FAILED: could add property') throw e;
}
`);
await expect(loadPlugin(meta, GROUP_ID, AGENT_ID)).resolves.toBeUndefined();
});
it('process is shadowed (blocks env access)', async () => {
const meta = makeMeta({ id: 'process-test' });
it('API object is frozen (cannot delete properties)', async () => {
const meta = makeMeta({ id: 'freeze-delete-test', permissions: [] });
mockPluginCode(`
if (typeof process !== 'undefined') {
throw new Error('ESCAPE: process is accessible');
try {
delete bterminal.meta;
throw new Error('FREEZE FAILED: could delete property');
} catch (e) {
if (e.message === 'FREEZE FAILED: could delete property') throw e;
}
`);
await expect(loadPlugin(meta, GROUP_ID, AGENT_ID)).resolves.toBeUndefined();
});
it('Deno is shadowed', async () => {
const meta = makeMeta({ id: 'deno-test' });
it('meta is accessible and frozen', async () => {
const meta = makeMeta({ id: 'meta-access', permissions: [] });
mockPluginCode(`
if (typeof Deno !== 'undefined') {
throw new Error('ESCAPE: Deno is accessible');
if (bterminal.meta.id !== 'meta-access') {
throw new Error('meta.id mismatch');
}
if (bterminal.meta.name !== 'Test Plugin') {
throw new Error('meta.name mismatch');
}
try {
bterminal.meta.id = 'hacked';
throw new Error('META FREEZE FAILED');
} catch (e) {
if (e.message === 'META FREEZE FAILED') throw e;
}
`);
await expect(loadPlugin(meta, GROUP_ID, AGENT_ID)).resolves.toBeUndefined();
});
});
describe('Tauri IPC shadowing', () => {
it('__TAURI__ is shadowed (blocks Tauri IPC bridge)', async () => {
const meta = makeMeta({ id: 'tauri-test' });
mockPluginCode(`
if (typeof __TAURI__ !== 'undefined') {
throw new Error('ESCAPE: __TAURI__ is accessible');
}
`);
await expect(loadPlugin(meta, GROUP_ID, AGENT_ID)).resolves.toBeUndefined();
});
it('__TAURI_INTERNALS__ is shadowed', async () => {
const meta = makeMeta({ id: 'tauri-internals-test' });
mockPluginCode(`
if (typeof __TAURI_INTERNALS__ !== 'undefined') {
throw new Error('ESCAPE: __TAURI_INTERNALS__ is accessible');
}
`);
await expect(loadPlugin(meta, GROUP_ID, AGENT_ID)).resolves.toBeUndefined();
});
});
});
// --- Permission-gated API tests ---
@ -237,30 +344,61 @@ describe('plugin-host permissions', () => {
});
});
describe('API object is frozen', () => {
it('cannot add properties to bterminal', async () => {
const meta = makeMeta({ id: 'freeze-test', permissions: [] });
// In strict mode, assigning to a frozen object throws TypeError
describe('bttask:read permission', () => {
it('plugin with bttask:read can call tasks.list', async () => {
const meta = makeMeta({ id: 'task-plugin', permissions: ['bttask:read'] });
mockPluginCode(`
try {
bterminal.hacked = true;
throw new Error('FREEZE FAILED: could add property');
} catch (e) {
if (e.message === 'FREEZE FAILED: could add property') throw e;
// TypeError from strict mode + frozen object is expected
}
bterminal.tasks.list();
`);
await expect(loadPlugin(meta, GROUP_ID, AGENT_ID)).resolves.toBeUndefined();
});
it('cannot delete properties from bterminal', async () => {
const meta = makeMeta({ id: 'freeze-delete-test', permissions: [] });
it('plugin without bttask:read has no tasks API', async () => {
const meta = makeMeta({ id: 'no-task-plugin', permissions: [] });
mockPluginCode(`
try {
delete bterminal.meta;
throw new Error('FREEZE FAILED: could delete property');
} catch (e) {
if (e.message === 'FREEZE FAILED: could delete property') throw e;
if (bterminal.tasks !== undefined) {
throw new Error('tasks API should not be available');
}
`);
await expect(loadPlugin(meta, GROUP_ID, AGENT_ID)).resolves.toBeUndefined();
});
});
describe('btmsg:read permission', () => {
it('plugin with btmsg:read can call messages.inbox', async () => {
const meta = makeMeta({ id: 'msg-plugin', permissions: ['btmsg:read'] });
mockPluginCode(`
bterminal.messages.inbox();
`);
await expect(loadPlugin(meta, GROUP_ID, AGENT_ID)).resolves.toBeUndefined();
});
it('plugin without btmsg:read has no messages API', async () => {
const meta = makeMeta({ id: 'no-msg-plugin', permissions: [] });
mockPluginCode(`
if (bterminal.messages !== undefined) {
throw new Error('messages API should not be available');
}
`);
await expect(loadPlugin(meta, GROUP_ID, AGENT_ID)).resolves.toBeUndefined();
});
});
describe('events permission', () => {
it('plugin with events permission can subscribe', async () => {
const meta = makeMeta({ id: 'events-plugin', permissions: ['events'] });
mockPluginCode(`
bterminal.events.on('test-event', function(data) {});
`);
await loadPlugin(meta, GROUP_ID, AGENT_ID);
expect(pluginEventBus.on).toHaveBeenCalledWith('test-event', expect.any(Function));
});
it('plugin without events permission has no events API', async () => {
const meta = makeMeta({ id: 'no-events-plugin', permissions: [] });
mockPluginCode(`
if (bterminal.events !== undefined) {
throw new Error('events API should not be available');
}
`);
await expect(loadPlugin(meta, GROUP_ID, AGENT_ID)).resolves.toBeUndefined();
@ -293,7 +431,6 @@ describe('plugin-host lifecycle', () => {
expect(consoleSpy).toHaveBeenCalledWith("Plugin 'duplicate-load' is already loaded");
consoleSpy.mockRestore();
// Still only one entry
expect(getLoadedPlugins()).toHaveLength(1);
});
@ -351,23 +488,47 @@ describe('plugin-host lifecycle', () => {
);
});
it('plugin meta is accessible and frozen', async () => {
const meta = makeMeta({ id: 'meta-access', permissions: [] });
it('unloadPlugin cleans up event subscriptions', async () => {
const meta = makeMeta({ id: 'events-cleanup', permissions: ['events'] });
mockPluginCode(`
if (bterminal.meta.id !== 'meta-access') {
throw new Error('meta.id mismatch');
}
if (bterminal.meta.name !== 'Test Plugin') {
throw new Error('meta.name mismatch');
}
// meta should also be frozen
try {
bterminal.meta.id = 'hacked';
throw new Error('META FREEZE FAILED');
} catch (e) {
if (e.message === 'META FREEZE FAILED') throw e;
}
bterminal.events.on('my-event', function() {});
`);
await loadPlugin(meta, GROUP_ID, AGENT_ID);
expect(pluginEventBus.on).toHaveBeenCalledWith('my-event', expect.any(Function));
unloadPlugin('events-cleanup');
expect(pluginEventBus.off).toHaveBeenCalledWith('my-event', expect.any(Function));
});
});
// --- RPC routing tests ---
describe('plugin-host RPC routing', () => {
it('tasks.list RPC is routed to main thread', async () => {
const meta = makeMeta({ id: 'rpc-tasks', permissions: ['bttask:read'] });
mockPluginCode(`bterminal.tasks.list();`);
// Mock the bttask bridge
mockInvoke.mockImplementation((cmd: string) => {
if (cmd === 'plugin_read_file') return Promise.resolve('bterminal.tasks.list();');
if (cmd === 'bttask_list') return Promise.resolve([]);
return Promise.reject(new Error(`Unexpected: ${cmd}`));
});
await expect(loadPlugin(meta, GROUP_ID, AGENT_ID)).resolves.toBeUndefined();
});
it('messages.inbox RPC is routed to main thread', async () => {
const meta = makeMeta({ id: 'rpc-messages', permissions: ['btmsg:read'] });
mockPluginCode(`bterminal.messages.inbox();`);
mockInvoke.mockImplementation((cmd: string) => {
if (cmd === 'plugin_read_file') return Promise.resolve('bterminal.messages.inbox();');
if (cmd === 'btmsg_get_unread') return Promise.resolve([]);
return Promise.reject(new Error(`Unexpected: ${cmd}`));
});
await expect(loadPlugin(meta, GROUP_ID, AGENT_ID)).resolves.toBeUndefined();
});
});

330
v2/src/lib/plugins/plugin-host.ts
View file

@ -1,19 +1,15 @@
/**
* Plugin Host sandboxed runtime for BTerminal plugins.
* Plugin Host Web Worker sandbox for BTerminal plugins.
*
* Plugins run via `new Function()` with a controlled API object (`bterminal`).
* Dangerous globals are shadowed via `var` declarations inside strict mode.
* Each plugin runs in a dedicated Web Worker, providing true process-level
* isolation from the main thread. The Worker has no access to the DOM,
* Tauri IPC, or any main-thread state.
*
* SECURITY BOUNDARY: Best-effort sandbox, NOT a security boundary.
* `new Function()` executes in the same JS realm. Known limitations:
* - `arguments.callee.constructor('return this')()` can recover the real global
* object this is inherent to `new Function()` and cannot be fully blocked
* without a separate realm (iframe, Worker, or wasm-based isolate).
* - Prototype chain walking (e.g., `({}).constructor.constructor`) can also
* reach Function and thus the global scope.
* - Plugins MUST be treated as UNTRUSTED. This sandbox reduces the attack
* surface but does not eliminate it. Defense in depth comes from the Rust
* backend's Landlock sandbox and permission-gated Tauri commands.
* Communication:
* - Main Worker: plugin code, permissions, callback invocations
* - Worker Main: API call proxies (palette, tasks, messages, events)
*
* On unload, the Worker is terminated all plugin state is destroyed.
*/
import type { PluginMeta } from '../adapters/plugins-bridge';
@ -32,94 +28,153 @@ import type { GroupId, AgentId } from '../types/ids';
interface LoadedPlugin {
meta: PluginMeta;
worker: Worker;
callbacks: Map<string, () => void>;
eventSubscriptions: Array<{ event: string; handler: (data: unknown) => void }>;
cleanup: () => void;
}
const loadedPlugins = new Map<string, LoadedPlugin>();
/**
* Build the sandboxed API object for a plugin.
* Only exposes capabilities matching the plugin's declared permissions.
* Build the Worker script as an inline blob.
* The Worker receives plugin code + permissions and builds a sandboxed bterminal API
* that proxies all calls to the main thread via postMessage.
*/
function buildPluginAPI(meta: PluginMeta, groupId: GroupId, agentId: AgentId): Record<string, unknown> {
const api: Record<string, unknown> = {
meta: Object.freeze({ ...meta }),
};
function buildWorkerScript(): string {
return `
"use strict";
// palette permission — register command palette commands
if (meta.permissions.includes('palette')) {
// Callback registry for palette commands and event handlers
const _callbacks = new Map();
let _callbackId = 0;
function _nextCallbackId() {
return '__cb_' + (++_callbackId);
}
// Pending RPC calls (for async APIs like tasks.list)
const _pending = new Map();
let _rpcId = 0;
function _rpc(method, args) {
return new Promise((resolve, reject) => {
const id = '__rpc_' + (++_rpcId);
_pending.set(id, { resolve, reject });
self.postMessage({ type: 'rpc', id, method, args });
});
}
// Handle messages from main thread
self.onmessage = function(e) {
const msg = e.data;
if (msg.type === 'init') {
const permissions = msg.permissions || [];
const meta = msg.meta;
// Build the bterminal API based on permissions
const api = { meta: Object.freeze(meta) };
if (permissions.includes('palette')) {
api.palette = {
registerCommand(label: string, callback: () => void) {
registerCommand(label, callback) {
if (typeof label !== 'string' || !label.trim()) {
throw new Error('Command label must be a non-empty string');
}
if (typeof callback !== 'function') {
throw new Error('Command callback must be a function');
}
addPluginCommand(meta.id, label, callback);
const cbId = _nextCallbackId();
_callbacks.set(cbId, callback);
self.postMessage({ type: 'palette-register', label, callbackId: cbId });
},
};
}
// bttask:read permission — read-only task access
if (meta.permissions.includes('bttask:read')) {
if (permissions.includes('bttask:read')) {
api.tasks = {
async list() {
return listTasks(groupId);
},
async comments(taskId: string) {
return getTaskComments(taskId);
},
list() { return _rpc('tasks.list', {}); },
comments(taskId) { return _rpc('tasks.comments', { taskId }); },
};
}
// btmsg:read permission — read-only message access
if (meta.permissions.includes('btmsg:read')) {
if (permissions.includes('btmsg:read')) {
api.messages = {
async inbox() {
return getUnreadMessages(agentId);
},
async channels() {
return getChannels(groupId);
},
inbox() { return _rpc('messages.inbox', {}); },
channels() { return _rpc('messages.channels', {}); },
};
}
// events permission — subscribe to app events
if (meta.permissions.includes('events')) {
const subscriptions: Array<{ event: string; callback: (data: unknown) => void }> = [];
if (permissions.includes('events')) {
api.events = {
on(event: string, callback: (data: unknown) => void) {
on(event, callback) {
if (typeof event !== 'string' || typeof callback !== 'function') {
throw new Error('event.on requires (string, function)');
}
pluginEventBus.on(event, callback);
subscriptions.push({ event, callback });
const cbId = _nextCallbackId();
_callbacks.set(cbId, callback);
self.postMessage({ type: 'event-on', event, callbackId: cbId });
},
off(event: string, callback: (data: unknown) => void) {
pluginEventBus.off(event, callback);
const idx = subscriptions.findIndex(s => s.event === event && s.callback === callback);
if (idx >= 0) subscriptions.splice(idx, 1);
off(event, callbackId) {
// Worker-side off is a no-op for now (main thread handles cleanup on terminate)
self.postMessage({ type: 'event-off', event, callbackId });
},
};
// Return a cleanup function that removes all subscriptions
const originalCleanup = () => {
for (const sub of subscriptions) {
pluginEventBus.off(sub.event, sub.callback);
}
subscriptions.length = 0;
};
// Attach to meta for later use
(api as { _eventCleanup?: () => void })._eventCleanup = originalCleanup;
}
return api;
Object.freeze(api);
// Execute the plugin code
try {
const fn = (0, eval)(
'(function(bterminal) { "use strict"; ' + msg.code + '\\n})'
);
fn(api);
self.postMessage({ type: 'loaded' });
} catch (err) {
self.postMessage({ type: 'error', message: String(err) });
}
}
if (msg.type === 'invoke-callback') {
const cb = _callbacks.get(msg.callbackId);
if (cb) {
try {
cb(msg.data);
} catch (err) {
self.postMessage({ type: 'callback-error', callbackId: msg.callbackId, message: String(err) });
}
}
}
if (msg.type === 'rpc-result') {
const pending = _pending.get(msg.id);
if (pending) {
_pending.delete(msg.id);
if (msg.error) {
pending.reject(new Error(msg.error));
} else {
pending.resolve(msg.result);
}
}
}
};
`;
}
let workerBlobUrl: string | null = null;
function getWorkerBlobUrl(): string {
if (!workerBlobUrl) {
const blob = new Blob([buildWorkerScript()], { type: 'application/javascript' });
workerBlobUrl = URL.createObjectURL(blob);
}
return workerBlobUrl;
}
/**
* Load and execute a plugin in a sandboxed context.
* Load and execute a plugin in a Web Worker sandbox.
*/
export async function loadPlugin(
meta: PluginMeta,
@ -139,55 +194,126 @@ export async function loadPlugin(
throw new Error(`Failed to read plugin '${meta.id}' entry file '${meta.main}': ${e}`);
}
const api = buildPluginAPI(meta, groupId, agentId);
const worker = new Worker(getWorkerBlobUrl(), { type: 'classic' });
const callbacks = new Map<string, () => void>();
const eventSubscriptions: Array<{ event: string; handler: (data: unknown) => void }> = [];
// Execute the plugin code in a sandbox via new Function().
// The plugin receives `bterminal` as its only external reference.
// No access to window, document, fetch, globalThis, etc.
try {
const sandbox = new Function(
'bterminal',
// Explicitly shadow dangerous globals.
// `var` declarations in strict mode shadow the outer scope names,
// making direct references resolve to `undefined`.
// See file-level JSDoc for known limitations of this approach.
`"use strict";
var window = undefined;
var document = undefined;
var fetch = undefined;
var globalThis = undefined;
var self = undefined;
var XMLHttpRequest = undefined;
var WebSocket = undefined;
var Function = undefined;
var importScripts = undefined;
var require = undefined;
var process = undefined;
var Deno = undefined;
var __TAURI__ = undefined;
var __TAURI_INTERNALS__ = undefined;
${code}`,
);
// Bind `this` to undefined so plugin code cannot use `this` to reach
// the global scope. In strict mode, `this` remains undefined.
sandbox.call(undefined, Object.freeze(api));
} catch (e) {
// Clean up any partially registered commands
// Set up message handler before sending init
const loadResult = await new Promise<void>((resolve, reject) => {
const onMessage = async (e: MessageEvent) => {
const msg = e.data;
switch (msg.type) {
case 'loaded':
resolve();
break;
case 'error':
// Clean up any commands/events registered before the crash
removePluginCommands(meta.id);
throw new Error(`Plugin '${meta.id}' execution failed: ${e}`);
for (const sub of eventSubscriptions) {
pluginEventBus.off(sub.event, sub.handler);
}
worker.terminate();
reject(new Error(`Plugin '${meta.id}' execution failed: ${msg.message}`));
break;
case 'palette-register': {
const cbId = msg.callbackId as string;
const invokeCallback = () => {
worker.postMessage({ type: 'invoke-callback', callbackId: cbId });
};
callbacks.set(cbId, invokeCallback);
addPluginCommand(meta.id, msg.label, invokeCallback);
break;
}
const cleanup = () => {
removePluginCommands(meta.id);
const eventCleanup = (api as { _eventCleanup?: () => void })._eventCleanup;
if (eventCleanup) eventCleanup();
case 'event-on': {
const cbId = msg.callbackId as string;
const handler = (data: unknown) => {
worker.postMessage({ type: 'invoke-callback', callbackId: cbId, data });
};
eventSubscriptions.push({ event: msg.event, handler });
pluginEventBus.on(msg.event, handler);
break;
}
case 'event-off': {
const idx = eventSubscriptions.findIndex(s => s.event === msg.event);
if (idx >= 0) {
pluginEventBus.off(eventSubscriptions[idx].event, eventSubscriptions[idx].handler);
eventSubscriptions.splice(idx, 1);
}
break;
}
case 'rpc': {
const { id, method, args } = msg;
try {
let result: unknown;
switch (method) {
case 'tasks.list':
result = await listTasks(groupId);
break;
case 'tasks.comments':
result = await getTaskComments(args.taskId);
break;
case 'messages.inbox':
result = await getUnreadMessages(agentId);
break;
case 'messages.channels':
result = await getChannels(groupId);
break;
default:
throw new Error(`Unknown RPC method: ${method}`);
}
worker.postMessage({ type: 'rpc-result', id, result });
} catch (err) {
worker.postMessage({
type: 'rpc-result',
id,
error: err instanceof Error ? err.message : String(err),
});
}
break;
}
case 'callback-error':
console.error(`Plugin '${meta.id}' callback error:`, msg.message);
break;
}
};
loadedPlugins.set(meta.id, { meta, cleanup });
worker.onmessage = onMessage;
worker.onerror = (err) => {
reject(new Error(`Plugin '${meta.id}' worker error: ${err.message}`));
};
// Send init message with plugin code, permissions, and meta
worker.postMessage({
type: 'init',
code,
permissions: meta.permissions,
meta: { id: meta.id, name: meta.name, version: meta.version, description: meta.description },
});
});
// If we get here, the plugin loaded successfully
const cleanup = () => {
removePluginCommands(meta.id);
for (const sub of eventSubscriptions) {
pluginEventBus.off(sub.event, sub.handler);
}
eventSubscriptions.length = 0;
callbacks.clear();
worker.terminate();
};
loadedPlugins.set(meta.id, { meta, worker, callbacks, eventSubscriptions, cleanup });
}
/**
* Unload a plugin, removing all its registered commands and event subscriptions.
* Unload a plugin, terminating its Worker.
*/
export function unloadPlugin(id: string): void {
const plugin = loadedPlugins.get(id);