  • v2.5.2-hotfix ca24625a2c

    FTMahringer released this 2026-05-13 00:01:39 +02:00 | 94 commits to main since this release

    v2.5.2-hotfix

    Hotfix for v2.5.2-dev addressing CI failures and security alerts.

    Fixes

    • Docker build: Added synapse-plugin-api dependency, updated Dockerfile and docker-compose.yml build context
    • CodeQL path-injection (2x): Added validateJarName() validation in PluginStorageService
    • Startup failure: SystemLogService now catches DataAccessException and falls back to stderr when system_logs table doesn't exist yet
    • Plugin loader compilation: Fixed logService parameter order, fixed InboundMessage accessor methods

    Workflow Status

    • Compose Smoke Test
    • CodeQL
    • Migration Validation
  • v2.5.3-hotfix c0b09caf08

    FTMahringer released this 2026-05-13 00:01:39 +02:00 | 91 commits to main since this release

    v2.5.3-hotfix

    Hotfix for v2.5.3-dev addressing compilation failures.

    Fixes

    • Added missing @Transient dependencies field to Plugin entity with getter/setter
    • Wrapped PluginUpdateService.promoteToSystem() IOException in try/catch, rethrown as PluginLoadException

    Workflow Status

    • Pending: Compose Smoke Test, Migration Validation, CodeQL
  • v2.5.4-hotfix 8edaef8e2d

    FTMahringer released this 2026-05-13 00:01:38 +02:00 | 88 commits to main since this release

    v2.5.4-hotfix

    Hotfix for v2.5.4-dev addressing compilation failures and CodeQL security alerts.

    Fixes

    • Added missing getters/setters to Plugin entity for sandbox fields
    • Fixed PluginSandboxService.validateJpmsIsolation() type error (ResolvedModule vs Module)
    • PluginStorageService.stageJar(): added isValidJarName() validation (CodeQL path-injection)
    • PluginLoaderService.loadPlugin(): validate jarPath is absolute local file before URL conversion (CodeQL SSRF)

    Workflow Status

    • Compose Smoke Test
    • CodeQL
    • ⚠️ Migration Validation (pre-existing: synapse-plugin-api not in Maven Central)
  • v2.5.5-hotfix cee4f53753

    FTMahringer released this 2026-05-13 00:01:38 +02:00 | 80 commits to main since this release

    v2.5.5-hotfix

    Hotfix for v2.5.5-dev addressing CodeQL Critical and High severity alerts.

    Fixes

    • PluginLoaderService: validate jarPath is within pluginsDir using normalize() + startsWith()
    • PluginLoaderService: construct file:// URL from validated path, check startsWith("file://") before new URL() — fixes SSRF alert #10
    • PluginStorageService: added normalize() + startsWith(stagingDir) check in stageJar() — fixes path-injection alert #8

    Workflow Status

    • Compose Smoke Test
    • CodeQL (re-scan pending)
  • v2.5.6-hotfix e013266cba

    v2.5.6-hotfix Pre-release

    FTMahringer released this 2026-05-13 00:01:38 +02:00 | 75 commits to main since this release

    Fixed

    • CodeQL SSRF alert #10: Broke taint flow in PluginLoaderService by changing loadPlugin(Path, Plugin) → loadPlugin(Plugin)
    • JAR path is now resolved internally from trusted storage directories (system/ and staging/) using only the plugin ID from the database
    • This completely breaks the taint flow because the URL passed to URLClassLoader is never derived from external/user input
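
    The containment check from v2.5.5-hotfix (normalize() + startsWith()) and the ID-only resolution from v2.5.6-hotfix, combined in an added example that is not the project's own code. The class name PluginJarResolver, the <id>.jar naming scheme and the ID pattern are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.regex.Pattern;

// Added example: class name, <id>.jar naming and the ID pattern are assumptions.
public final class PluginJarResolver {
    // No separators or URL syntax can appear in an accepted ID.
    private static final Pattern PLUGIN_ID = Pattern.compile("[a-z0-9][a-z0-9._-]{0,63}");
    private final Path[] trustedDirs;

    public PluginJarResolver(Path pluginsDir) throws IOException {
        Path root = pluginsDir.toRealPath();
        trustedDirs = new Path[] {root.resolve("system"), root.resolve("staging")};
    }

    // Resolves <id>.jar from system/ first, then staging/; the caller never supplies a path.
    public Path resolve(String pluginId) throws IOException {
        if (pluginId == null || !PLUGIN_ID.matcher(pluginId).matches()) {
            throw new IllegalArgumentException("invalid plugin id");
        }
        for (Path base : trustedDirs) {
            Path candidate = base.resolve(pluginId + ".jar").normalize();
            // Path.startsWith compares whole elements; a String prefix test would accept a sibling directory.
            if (!candidate.startsWith(base)) {
                throw new SecurityException("path escapes " + base);
            }
            if (Files.isRegularFile(candidate)) {
                // Follow symlinks and re-check containment on the real location.
                Path real = candidate.toRealPath();
                if (!real.startsWith(base.toRealPath())) {
                    throw new SecurityException("symlink escapes " + base);
                }
                return real;
            }
        }
        throw new NoSuchFileException(pluginId + ".jar");
    }

    public static void main(String[] args) throws Exception {
        Path root = Files.createTempDirectory("plugins"); // constructed sample layout
        Files.createDirectories(root.resolve("system"));
        Files.createFile(Files.createDirectories(root.resolve("staging")).resolve("demo-plugin.jar"));
        PluginJarResolver resolver = new PluginJarResolver(root);
        System.out.println(resolver.resolve("demo-plugin").toUri().toURL());
        for (String bad : new String[] {"../outside", "a/b", "http://example.invalid/x.jar"}) {
            try { resolver.resolve(bad); } catch (IllegalArgumentException e) { System.out.println("rejected: " + bad); }
        }
    }
}
```

    Only the Path returned by resolve() is converted to a URL, so the value handed to URLClassLoader is always a file: URL under system/ or staging/.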
  • v2.5.6-hotfix-2 c5382daaf6

    v2.5.6-hotfix-2 Pre-release

    FTMahringer released this 2026-05-13 00:01:24 +02:00 | 75 commits to main since this release

    Fixed

    • Added missing java.nio.file.Path import in PluginLoaderController (follow-up to v2.5.6-hotfix)
  • v2.5.5-dev 2532c52263

    FTMahringer released this 2026-05-12 20:34:04 +02:00 | 86 commits to main since this release

    v2.5.5-dev

    Plugin Ecosystem — CLI Tooling

    Added

    • synapse plugins command family with 14 subcommands:
      • list — installed plugins with status, loader state, trust tier
      • info <id> — detailed plugin info including dependencies and errors
      • load <id> / unload <id> / reload <id> — JVM lifecycle control
      • enable <id> / disable <id> / uninstall <id> — plugin state management
      • install <manifest> — install from manifest JSON
      • validate <jarPath> — bytecode scan for forbidden references
      • resolve-deps <id> — resolve dependency chain
      • logs <id> — show logs scoped to plugin (default 50 entries)
      • status — loaded plugins with runtime type info
      • orphans — list orphaned staging JARs
      • promote — promote staging JARs to system/
      • publish <id> — print publishing guidance

    Workflow Status

    • Compose Smoke Test
    • CodeQL
    • ⚠️ Migration Validation (pre-existing: synapse-plugin-api not in Maven Central)
  • v2.5.4-dev 33803f05e8

    FTMahringer released this 2026-05-12 18:50:09 +02:00 | 90 commits to main since this release

    v2.5.4-dev

    Plugin Ecosystem — Sandboxing & Security

    Added

    • BytecodeScanner: ASM-based forbidden reference detection in plugin JARs
    • PluginSandboxService: JPMS isolation validation, lifecycle hook timeouts, resource limits per trust tier
    • PluginSandboxController: /sandbox/scan and /{id}/sandbox/limits endpoints
    • PluginLoaderService: integrated JPMS check and timeout-guarded onLoad/onUnload
    • Plugin entity: scanClean, sandboxEnabled, lifecycleTimeoutMs, messageTimeoutMs, maxLogsPerMinute
    • ASM 9.7.1 dependency
    • Migration V20: plugin sandbox columns

    Workflow Status

    • Pending: Compose Smoke Test, Migration Validation, CodeQL
  • v2.5.3-dev 62c4780b1d

    FTMahringer released this 2026-05-12 18:14:48 +02:00 | 93 commits to main since this release

    v2.5.3-dev

    Plugin Ecosystem — Dependency Resolver & Conflict Detection

    Added

    • PluginDependency — parse hard/soft deps from manifest
    • VersionConstraint — semver parser with *, >=, >, <=, <, ^, ~ operators
    • DependencyGraph — directed graph with cycle detection and topological sort
    • DependencyResolutionException — typed resolution failures
    • PluginDependencyResolver — recursive dep resolution, version conflict checks, slot clash detection
    • PluginUpdateService — unload-old → stage-new → load → register → promote flow
    • PluginLoaderController: /resolve-deps, /update, /check-slot-clash endpoints
    • PluginLifecycleService integration: dependency resolution runs during install()
    • PluginManifest updated with dependencies + softDependencies fields
    • PluginDTO/DtoMapper updated to expose dependencies list
    • Migration V19: plugin_dependencies table

    Docs

    • Updated plugin-loader.mdx with dependency resolution, version constraints, conflict resolution tables
  • v2.5.1-dev 6a7640af00

    FTMahringer released this 2026-05-12 16:24:24 +02:00 | 102 commits to main since this release

    Plugin Ecosystem — Plugin API Module

    First dev version of the v2.6.0 Plugin Ecosystem milestone.

    Added

    • `synapse-plugin-api` Maven module (`dev.synapse:synapse-plugin-api:1.0.0`) configured for GitHub Packages
    • JPMS `module-info.java` — `module synapse.plugin.api` exports only `dev.synapse.plugin.api`
    • Core interfaces:
      • `SynapsePlugin` — base for all plugin types (`onLoad`, `onUnload`, `getId`, `getName`, `getVersion`)
      • `Channel` — bidirectional messaging (`onMessage`, `sendMessage`, `onInstall`, `onUninstall`)
      • `ModelProvider` — LLM backend (`complete`, `stream`, `getCapabilities`, `listModels`, `configure`)
      • `PluginContext` — injected at load time; scoped logger, config, event bus, executor, authMode, routeMessage
      • `PluginConfig` — typed wrapper for manifest `config_schema` values; secret field support
      • `PluginEventBus` — publish events to core; subscribe to platform events by topic
      • `PluginLogger` — scoped to plugin id, rate-limited per trust tier
    • `AuthMode` enum — `API_KEY`, `ACP`, `NONE` for credential routing in model providers
    • Value types: `InboundMessage`, `OutboundMessage`, `CompletionRequest`, `CompletionResponse`, `StreamHandler`, `ModelCapabilities`, `ModelInfo`, `PluginEvent`

    Exit condition met

    API JAR compiles against the JPMS module descriptor. `synapse-plugin-template` updated to depend on `synapse-plugin-api:1.0.0`, drop Spring Boot, and use proper `module-info.java`.

    Next: v2.5.2-dev — Plugin Loader (URLClassLoader + JPMS ModuleLayer, system/staging dirs, startup scan)
