v2.5.2-hotfix — Plugin Loader Fixes Pre-release
Released 2026-05-13 00:01:39 +02:00 | 94 commits to main since this release
v2.5.2-hotfix
Hotfix for v2.5.2-dev addressing CI failures and security alerts.
Fixes
- Docker build: Added synapse-plugin-api dependency, updated Dockerfile and docker-compose.yml build context
- CodeQL path-injection (2x): Added validateJarName() validation in PluginStorageService
- Startup failure: SystemLogService now catches DataAccessException and falls back to stderr when system_logs table doesn't exist yet
- Plugin loader compilation: Fixed logService parameter order, fixed InboundMessage accessor methods
Workflow Status
- ✅ Compose Smoke Test
- ✅ CodeQL
- ✅ Migration Validation
v2.5.3-hotfix — Plugin Entity Fix Pre-release
Released 2026-05-13 00:01:39 +02:00 | 91 commits to main since this release
v2.5.3-hotfix
Hotfix for v2.5.3-dev addressing compilation failures.
Fixes
- Added missing @Transient dependencies field to Plugin entity with getter/setter
- Wrapped PluginUpdateService.promoteToSystem() IOException in try/catch, rethrown as PluginLoadException
Workflow Status
- Pending: Compose Smoke Test, Migration Validation, CodeQL
v2.5.4-hotfix — Plugin Entity & JPMS Fix Pre-release
Released 2026-05-13 00:01:38 +02:00 | 88 commits to main since this release
v2.5.4-hotfix
Hotfix for v2.5.4-dev addressing compilation failures and CodeQL security alerts.
Fixes
- Added missing getters/setters to Plugin entity for sandbox fields
- Fixed PluginSandboxService.validateJpmsIsolation() type error (ResolvedModule vs Module)
- PluginStorageService.stageJar(): added isValidJarName() validation (CodeQL path-injection)
- PluginLoaderService.loadPlugin(): validate jarPath is absolute local file before URL conversion (CodeQL SSRF)
Workflow Status
- ✅ Compose Smoke Test
- ✅ CodeQL
- ⚠️ Migration Validation (pre-existing: synapse-plugin-api not in Maven Central)
v2.5.5-hotfix — CodeQL Path Validation Fix Pre-release
Released 2026-05-13 00:01:38 +02:00 | 80 commits to main since this release
v2.5.5-hotfix
Hotfix for v2.5.5-dev addressing CodeQL Critical and High severity alerts.
Fixes
- PluginLoaderService: validate jarPath is within pluginsDir using normalize() + startsWith()
- PluginLoaderService: construct file:// URL from validated path, check startsWith("file://") before new URL() — fixes SSRF alert #10
- PluginStorageService: added normalize() + startsWith(stagingDir) check in stageJar() — fixes path-injection alert #8
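The normalize() + startsWith() containment check named in these fixes, written out as an added example (not the project's code; JarPathGuard, its methods, the name pattern and the /opt/synapse/plugins directory are hypothetical). It also shows why the comparison has to be Path.startsWith rather than a string prefix test.

```java
import java.nio.file.Path;
import java.util.regex.Pattern;

// Added illustration; class, method and directory names are hypothetical,
// not taken from the Synapse code base.
public class JarPathGuard {
    // Assumed naming policy: a single file name, no separators, ending in .jar
    private static final Pattern JAR_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,127}\\.jar");

    /** Resolves jarName under baseDir and rejects anything that escapes it. */
    static Path resolveInside(Path baseDir, String jarName) {
        if (jarName == null || !JAR_NAME.matcher(jarName).matches()) {
            throw new IllegalArgumentException("invalid JAR name");
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(jarName).normalize();
        // Path.startsWith compares whole path elements, so a sibling such as
        // .../plugins-old is not treated as being inside .../plugins.
        if (!candidate.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return candidate;
    }

    /** Containment check for a caller-supplied path (no name policy applied). */
    static boolean isInside(Path baseDir, Path supplied) {
        Path base = baseDir.toAbsolutePath().normalize();
        return base.resolve(supplied).normalize().startsWith(base);
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
    }

    public static void main(String[] args) {
        Path plugins = Path.of("/opt/synapse/plugins"); // constructed sample directory
        check(resolveInside(plugins, "chat-bridge-1.0.0.jar").endsWith("chat-bridge-1.0.0.jar"), "valid name");
        check(isInside(plugins, Path.of("staging/a.jar")), "nested path is inside");
        check(!isInside(plugins, Path.of("staging/../../etc/x.jar")), "traversal is outside");
        check(!isInside(plugins, Path.of("../plugins-old/a.jar")), "sibling directory is outside");
        check(!isInside(plugins, Path.of("/opt/synapse/plugins-old/a.jar")), "absolute sibling is outside");
        // The same test done on strings wrongly accepts the sibling directory.
        check("/opt/synapse/plugins-old/a.jar".startsWith("/opt/synapse/plugins"), "string prefix pitfall");
        System.out.println("all checks passed");
    }
}
```

normalize() is purely lexical and does not follow symbolic links; where links inside the directory are a concern, compare toRealPath() results instead.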
Workflow Status
- ✅ Compose Smoke Test
- ✅ CodeQL (re-scan pending)
v2.5.6-hotfix Pre-release
Released 2026-05-13 00:01:38 +02:00 | 75 commits to main since this release
Fixed
- CodeQL SSRF alert #10: Broke taint flow in PluginLoaderService by changing loadPlugin(Path, Plugin) → loadPlugin(Plugin)
- JAR path is now resolved internally from trusted storage directories (system/ and staging/) using only the plugin ID from the database
- This completely breaks the taint flow because the URL passed to URLClassLoader is never derived from external/user input
v2.5.6-hotfix-2 Pre-release
Released 2026-05-13 00:01:24 +02:00 | 75 commits to main since this release
Fixed
- Added missing java.nio.file.Path import in PluginLoaderController (follow-up to v2.5.6-hotfix)
v2.5.5-dev — CLI Plugin Tooling Pre-release
Released 2026-05-12 20:34:04 +02:00 | 86 commits to main since this release
v2.5.5-dev
Plugin Ecosystem — CLI Tooling
Added
- synapse plugins command family with 14 subcommands:
  - list — installed plugins with status, loader state, trust tier
  - info <id> — detailed plugin info including dependencies and errors
  - load <id> / unload <id> / reload <id> — JVM lifecycle control
  - enable <id> / disable <id> / uninstall <id> — plugin state management
  - install <manifest> — install from manifest JSON
  - validate <jarPath> — bytecode scan for forbidden references
  - resolve-deps <id> — resolve dependency chain
  - logs <id> — show logs scoped to plugin (default 50 entries)
  - status — loaded plugins with runtime type info
  - orphans — list orphaned staging JARs
  - promote — promote staging JARs to system/
  - publish <id> — print publishing guidance
Workflow Status
- ✅ Compose Smoke Test
- ✅ CodeQL
- ⚠️ Migration Validation (pre-existing: synapse-plugin-api not in Maven Central)
v2.5.4-dev — Plugin Sandboxing & Security Pre-release
Released 2026-05-12 18:50:09 +02:00 | 90 commits to main since this release
v2.5.4-dev
Plugin Ecosystem — Sandboxing & Security
Added
- BytecodeScanner: ASM-based forbidden reference detection in plugin JARs
- PluginSandboxService: JPMS isolation validation, lifecycle hook timeouts, resource limits per trust tier
- PluginSandboxController: /sandbox/scan and /{id}/sandbox/limits endpoints
- PluginLoaderService: integrated JPMS check and timeout-guarded onLoad/onUnload
- Plugin entity: scanClean, sandboxEnabled, lifecycleTimeoutMs, messageTimeoutMs, maxLogsPerMinute
- ASM 9.7.1 dependency
- Migration V20: plugin sandbox columns
Workflow Status
- Pending: Compose Smoke Test, Migration Validation, CodeQL
Released 2026-05-12 18:14:48 +02:00 | 93 commits to main since this release
v2.5.3-dev
Plugin Ecosystem — Dependency Resolver & Conflict Detection
Added
- PluginDependency — parse hard/soft deps from manifest
- VersionConstraint — semver parser with *, >=, >, <=, <, ^, ~ operators
- DependencyGraph — directed graph with cycle detection and topological sort
- DependencyResolutionException — typed resolution failures
- PluginDependencyResolver — recursive dep resolution, version conflict checks, slot clash detection
- PluginUpdateService — unload-old → stage-new → load → register → promote flow
- PluginLoaderController: /resolve-deps, /update, /check-slot-clash endpoints
- PluginLifecycleService integration: dependency resolution runs during install()
- PluginManifest updated with dependencies + softDependencies fields
- PluginDTO/DtoMapper updated to expose dependencies list
- Migration V19: plugin_dependencies table
Docs
- Updated plugin-loader.mdx with dependency resolution, version constraints, conflict resolution tables
v2.5.1-dev: Plugin API Module Pre-release
Released 2026-05-12 16:24:24 +02:00 | 102 commits to main since this release
Plugin Ecosystem — Plugin API Module
First dev version of v2.6.0 Plugin Ecosystem milestone.
Added
- `synapse-plugin-api` Maven module (`dev.synapse:synapse-plugin-api:1.0.0`) configured for GitHub Packages
- JPMS `module-info.java` — `module synapse.plugin.api` exports only `dev.synapse.plugin.api`
- Core interfaces:
- `SynapsePlugin` — base for all plugin types (`onLoad`, `onUnload`, `getId`, `getName`, `getVersion`)
- `Channel` — bidirectional messaging (`onMessage`, `sendMessage`, `onInstall`, `onUninstall`)
- `ModelProvider` — LLM backend (`complete`, `stream`, `getCapabilities`, `listModels`, `configure`)
- `PluginContext` — injected at load time; scoped logger, config, event bus, executor, authMode, routeMessage
- `PluginConfig` — typed wrapper for manifest `config_schema` values; secret field support
- `PluginEventBus` — publish events to core; subscribe to platform events by topic
- `PluginLogger` — scoped to plugin id, rate-limited per trust tier
- `AuthMode` enum — `API_KEY`, `ACP`, `NONE` for credential routing in model providers
- Value types: `InboundMessage`, `OutboundMessage`, `CompletionRequest`, `CompletionResponse`, `StreamHandler`, `ModelCapabilities`, `ModelInfo`, `PluginEvent`
Exit condition met
API JAR compiles against the JPMS module descriptor. `synapse-plugin-template` updated to depend on `synapse-plugin-api:1.0.0`, drop Spring Boot, and use proper `module-info.java`.
Next: v2.5.2-dev — Plugin Loader (URLClassLoader + JPMS ModuleLayer, system/staging dirs, startup scan)