
Enhanced Module Manifest Security and Integrity Validation #208

@djm81

Description


Enhanced Module Manifest Security and Integrity Validation

Why

arch-05-bridge-registry enables modular interoperability, but marketplace readiness still lacks trust guarantees for published modules. To prevent tampering and unsafe dependency drift, module manifests must carry integrity metadata and installation must verify checksums/signatures before enabling modules.

What Changes

  • MODIFY: Extend module manifest metadata (ModulePackageMetadata) with publisher identity, integrity fields, and versioned dependency entries.
  • NEW: Add src/specfact_cli/registry/crypto_validator.py for checksum and optional signature verification.
  • MODIFY: Extend module installation and registration flows to enforce integrity checks and reject invalid artifacts.
  • NEW: Add signing automation script (scripts/sign-module.sh) and CI signing workflow for official module packages.
  • NEW: Add unsigned-module safety controls requiring explicit allow-unsigned opt-in.
  • NEW: Add documentation for module trust model and signature verification (docs/reference/module-security.md).
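The install-time checks the list above describes (checksum verification, optional signature verification, an explicit allow-unsigned opt-in, and exactly versioned dependency entries) are modelled in the following added example. It is illustrative code written for this page, not code from specfact-cli or from the proposed crypto_validator.py; the manifest field names, the `validate_module` function and the HMAC-based stand-in verifier are this example's own assumptions. A real installer would plug an asymmetric verifier (for instance Ed25519 via the `cryptography` package) into the `verifier` slot; the stand-in exists only so the policy logic runs offline.

```python
"""Hypothetical trust validator for module manifests (example code, not specfact-cli's).

Models the install-time policy the proposal describes: checksum, optional
signature, explicit unsigned opt-in and pinned dependency entries, stdlib only.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# A deployment would plug in an asymmetric verifier here (e.g. Ed25519 from the
# cryptography package). The callable receives artifact bytes, the detached
# signature and the publisher identity, and returns True only for a valid signature.
SignatureVerifier = Callable[[bytes, bytes, str], bool]

_EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


@dataclass
class ModulePackageMetadata:
    """Assumed manifest shape; field names are this example's, not the project's."""
    name: str
    version: str
    publisher: str                     # identity the signature is checked against
    sha256: str                        # hex SHA-256 of the packaged artifact
    signature: Optional[bytes] = None  # detached signature over the artifact; None = unsigned
    dependencies: dict[str, str] = field(default_factory=dict)  # dep name -> pinned version


class IntegrityError(Exception):
    """Raised when an artifact must be rejected instead of enabled."""


def verify_checksum(artifact: bytes, manifest: ModulePackageMetadata) -> None:
    actual = hashlib.sha256(artifact).hexdigest()
    # Constant-time compare so the mismatch position does not leak via timing.
    if not hmac.compare_digest(actual, manifest.sha256.lower()):
        raise IntegrityError(f"{manifest.name}: checksum mismatch (expected {manifest.sha256}, got {actual})")


def verify_dependencies(manifest: ModulePackageMetadata) -> None:
    # Every dependency must be pinned exactly so later resolution cannot drift.
    for dep, version in manifest.dependencies.items():
        if not _EXACT_VERSION.match(version):
            raise IntegrityError(f"{manifest.name}: dependency {dep} is not pinned exactly ({version!r})")


def validate_module(artifact: bytes, manifest: ModulePackageMetadata,
                    verifier: SignatureVerifier, allow_unsigned: bool = False) -> str:
    """Return 'signed' or 'unsigned' if the module may be enabled; raise IntegrityError otherwise."""
    verify_checksum(artifact, manifest)
    verify_dependencies(manifest)
    if manifest.signature is None:
        # Accepting an unsigned module is an explicit policy decision, never a silent default.
        if not allow_unsigned:
            raise IntegrityError(f"{manifest.name}: unsigned module; pass allow_unsigned=True to accept")
        return "unsigned"
    # A present-but-invalid signature is tampering, so allow_unsigned never rescues it.
    if not verifier(artifact, manifest.signature, manifest.publisher):
        raise IntegrityError(f"{manifest.name}: signature does not verify for publisher {manifest.publisher}")
    return "signed"


def validation_outcome(artifact: bytes, manifest: ModulePackageMetadata,
                       verifier: SignatureVerifier, allow_unsigned: bool = False) -> str:
    """Same decision as validate_module, but returns 'rejected' instead of raising."""
    try:
        return validate_module(artifact, manifest, verifier, allow_unsigned)
    except IntegrityError:
        return "rejected"


# ---- demo with constructed data (stand-in verifier, not a real signature scheme) ----
# An HMAC keyed per publisher: signer and verifier share the key, so this is NOT a
# digital signature. It only lets the policy logic above run without third-party libs.
_PUBLISHER_KEYS = {"acme-modules": b"constructed-demo-key"}


def hmac_stand_in_verifier(artifact: bytes, signature: bytes, publisher: str) -> bool:
    key = _PUBLISHER_KEYS.get(publisher)
    if key is None:
        return False
    return hmac.compare_digest(hmac.new(key, artifact, hashlib.sha256).digest(), signature)


DEMO_ARTIFACT = b"constructed module package bytes"
DEMO_SIGNATURE = hmac.new(_PUBLISHER_KEYS["acme-modules"], DEMO_ARTIFACT, hashlib.sha256).digest()


def demo_manifest(signature: Optional[bytes] = DEMO_SIGNATURE,
                  deps: Optional[dict[str, str]] = None) -> ModulePackageMetadata:
    return ModulePackageMetadata(name="demo-module", version="1.0.0", publisher="acme-modules",
                                 sha256=hashlib.sha256(DEMO_ARTIFACT).hexdigest(),
                                 signature=signature, dependencies=deps or {"core": "2.3.1"})


if __name__ == "__main__":
    print(validate_module(DEMO_ARTIFACT, demo_manifest(), hmac_stand_in_verifier))
    print(validation_outcome(DEMO_ARTIFACT + b"x", demo_manifest(), hmac_stand_in_verifier))
```

The ordering is deliberate: the checksum is checked before the signature so a corrupted download fails fast with a precise reason, and an invalid signature is rejected regardless of the allow-unsigned flag, so the opt-in can only ever admit modules that never claimed a signature, not ones whose signature was tampered with.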

Capabilities

New Capabilities

  • module-security: Cryptographic integrity and trust validation for module package installation and registration.

Modified Capabilities

  • module-packages: Manifest schema expanded with publisher/integrity metadata and versioned dependency contracts.
  • module-lifecycle-management: Registration and installation behavior strengthened with integrity validation and unsigned-module controls.

Impact

  • Affected specs: New spec for module-security; delta specs for module-packages and module-lifecycle-management.
  • Affected code:
    • src/specfact_cli/models/module_package.py (publisher/integrity/versioned deps)
    • src/specfact_cli/registry/crypto_validator.py (new)
    • src/specfact_cli/registry/module_installer.py (integrity checks)
    • src/specfact_cli/registry/module_packages.py (registration-time trust enforcement)
    • scripts/sign-module.sh (new)
    • .github/workflows/sign-modules.yml (new)
  • Affected documentation:
    • docs/reference/module-security.md (new)
    • docs/reference/architecture.md (security/trust model updates)
    • docs/_layouts/default.html (navigation update)
  • Integration points: module manifest parsing, module install/registration paths, CI packaging/signing pipeline.
  • Backward compatibility: Backward compatible by default; unsigned modules remain possible only with explicit opt-in policy.
  • Rollback plan: Disable signature enforcement and fall back to checksum-only or legacy manifest fields while preserving compatibility parsing.

OpenSpec Change Proposal: arch-06-enhanced-manifest-security
