Module registry

Plugin registry catalog — types + signature verification (Phase C of the plugin platform).

The store browses a catalog: a list of available plugins (distinct from crate::modules, which tracks what is loaded/installed). A catalog comes from two kinds of source:

  • the bundled first-party catalog, compiled into the binary (include_str!) and therefore trusted by construction — it lists only OPEN modules so the open repo names no proprietary product;
  • optional remote registries (admin-configured URLs) whose documents are verified against a pinned Ed25519 public key, so a “verified publisher” badge is a real asymmetric guarantee. The proprietary shelf is served this way at runtime, never baked into open source.

This module is pure (types + crypto, no IO); the fetch/cache/merge lives in crate::services::registry. Verification is detached Ed25519 over the exact catalog bytes (mirroring the webhook signer), so there is no JSON-canonicalization footgun.

Structs

CatalogDoc
The signed catalog document (heldar-catalog/v1).
CatalogEntry
One advertised plugin. Serialized back to the dashboard (flattened) inside a RegistryEntryView.
Keyset
The set of keys a verification runs against: the pinned TRUSTED_KEYS plus operator extras.
RegistryEntryView
One catalog entry with its computed shelf/state/verification, ready for the dashboard.
RegistrySourceView
A catalog source’s status (for the “registry signature” indicator + diagnostics).
RegistryView
The full GET /api/v1/registry response.
SignatureDoc
The detached-signature sidecar artifact for a remote catalog (<catalog-url>.sig).
TrustedKey
A pinned trust anchor. Only the PUBLIC key is embedded — the matching private key is held solely in the publisher’s release infrastructure and never enters either repo.
Verification
Outcome of verifying a catalog document.

Enums

EntryState
The per-entry live state, cross-referenced against loaded/installed modules.
InstallSpec
How an entry is installed. builtin modules are compiled into the binary (not runtime-installable; the store shows status + CTA); sidecar entries pre-fill the Phase B register form.
Shelf
Which store shelf an entry belongs on.

Constants

TRUSTED_KEYS
Compile-time pinned keys. Operators add their own via HELDAR_REGISTRY_TRUSTED_KEYS.

Functions

bundled_catalog
The first-party catalog compiled into the binary. Trusted by construction (it IS the binary), so its entries are always verified. Lists only OPEN modules — the proprietary shelf is remote-only.
verify_detached
Verify a detached Ed25519 signature over the exact catalog bytes. Fail-closed: any problem returns verified=false with a reason; the caller drops an unverified remote source’s entries.
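
The verification model in the module description and in verify_detached, as an added example that is not code from this crate: it checks a detached Ed25519 signature over the exact fetched bytes, fails closed, and shows that re-serializing the same JSON breaks the signature. It uses Node.js's built-in crypto module rather than the crate's Rust; the key pair, key id, function names and catalog field names are constructed assumptions, and only the heldar-catalog/v1 label comes from the page.

```javascript
const crypto = require("node:crypto");

// Constructed key pair standing in for the publisher's release key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
// Hypothetical keyset: only public keys are pinned, each with an id.
const KEYSET = [{ id: "example-key-1", key: publicKey }];

// Fail-closed: every problem returns verified=false with a reason.
function verifyDetached(catalogBytes, signatureB64, keyset) {
  try {
    const sig = Buffer.from(String(signatureB64), "base64");
    if (sig.length !== 64) {
      return { verified: false, reason: "signature is not 64 bytes" };
    }
    for (const { id, key } of keyset) {
      // null digest: Ed25519 signs the message bytes directly.
      if (crypto.verify(null, catalogBytes, key, sig)) {
        return { verified: true, keyId: id };
      }
    }
    return { verified: false, reason: "no trusted key matches" };
  } catch (err) {
    return { verified: false, reason: "verification error: " + err.message };
  }
}

// Verify the raw bytes first; parse only on success, else drop the entries.
function loadRemoteCatalog(catalogBytes, signatureB64, keyset) {
  const verification = verifyDetached(catalogBytes, signatureB64, keyset);
  const entries = verification.verified
    ? JSON.parse(catalogBytes.toString("utf8")).entries
    : [];
  return { verification, entries };
}

// Constructed catalog exactly as fetched (field names are assumptions).
const fetched = Buffer.from(
  '{ "schema": "heldar-catalog/v1",\n  "entries": [ { "id": "example-plugin" } ] }\n'
);
const signature = crypto.sign(null, fetched, privateKey).toString("base64");
// Same JSON value after a parse/serialize round trip, but different bytes.
const reserialized = Buffer.from(JSON.stringify(JSON.parse(fetched.toString("utf8"))));

console.log(loadRemoteCatalog(fetched, signature, KEYSET).verification);
console.log(loadRemoteCatalog(reserialized, signature, KEYSET).verification);
```

The second call fails verification even though both buffers parse to the same JSON value, which is why the signature has to be checked against the bytes as received, before any parsing.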