feat(store): add policy controls for v2.6.3-dev

Add store policy enforcement across backend, CLI role checks, and dashboard controls for the v2.6.3-dev cycle.

Author: FTMahringer

.github/release-notes/v2.6.3-dev.md

@@ -0,0 +1,23 @@
+# v2.6.3-dev
+
+Store Policy & Admin Controls for the v2.7.0 plugin ecosystem milestone.
+
+## Added
+
+- Store policy storage and enforcement for plugin IDs, authors, tags, and trust badges.
+- Store policy API endpoints under `/api/store/policy`.
+- Dashboard settings controls for editing store policy.
+- CLI role checks for mutating plugin commands based on the cached login role.
+
+## Validation
+
+```bash
+cd packages/core
+mvn -q -Dtest=PluginSafetyServiceTest,StorePolicyServiceTest,PluginRegistryServiceTest test
+
+cd ../cli
+go test ./cmd -run 'TestRequirePluginOperator|TestSetTokenPersistsRole'
+
+cd ../dashboard/frontend
+npm run build
+```

.gitignore

@@ -27,3 +27,5 @@ Thumbs.db
 /.installer-tmp
 /go-tui-incubator
 /packages/cli/cmd/*.go.*
+/packages/dashboard/frontend/dist/
+/packages/dashboard/frontend/node_modules/

CHANGELOG.md

@@ -9,6 +9,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [v2.6.3-dev] - 2026-05-18
+
+**Store Policy & Admin Controls**
+
+### Added
+- Store policy storage with allow/block lists for plugin IDs, authors, tags, and trust badges.
+- Store policy APIs under `/api/store/policy` and a dashboard settings panel for editing them.
+- Store policy filtering in store listings and install-time enforcement for community and untrusted entries.
+- Role-gated CLI checks for mutating plugin commands, backed by the cached login role.
+
+### Changed
+- Core, dashboard, and plugin registry version defaults now advance to `2.6.3-dev`.
+- Community store entries are hidden when store policy disables them.
+- Plugin install and bundle install flows now respect store policy before proceeding.
+
+### Fixed
+- Linux-first backend, CLI, and dashboard validation paths remain green on Ubuntu 24.04 WSL2.
+
 ## [v2.6.2-dev] - 2026-05-18
 
 **Custom Registry Sources**

packages/cli/cmd/auth.go

@@ -53,7 +53,7 @@ var loginCmd = &cobra.Command{
 			return fmt.Errorf("login failed: %w", err)
 		}
 
-		if err := config.SetToken(profile, resp.Token); err != nil {
+		if err := config.SetToken(profile, resp.Token, resp.Role); err != nil {
 			return fmt.Errorf("failed to save token: %w", err)
 		}
 
@@ -85,6 +85,9 @@ var sessionCmd = &cobra.Command{
 		tuioutput.Header("Session")
 		tuioutput.KV("Profile", profile)
 		tuioutput.KV("Host", p.Host)
+		if p.Role != "" {
+			tuioutput.KV("Role", p.Role)
+		}
 		if p.Token != "" {
 			tuioutput.KV("Token", p.Token[:min(12, len(p.Token))]+"...")
 		} else {

packages/cli/cmd/plugins.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/spf13/cobra"
 	"github.com/synapse-dev/synapse-cli/internal/commandfeatures"
+	"github.com/synapse-dev/synapse-cli/internal/config"
 	tuioutput "github.com/synapse-dev/synapse-cli/internal/output"
 )
 
@@ -105,6 +106,9 @@ var pluginsLoadCmd = &cobra.Command{
 	Args:  cobra.ExactArgs(1),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		client := clientFromCmd(cmd)
+		if err := requirePluginOperator(cmd, "load plugin"); err != nil {
+			return err
+		}
 		var resp map[string]any
 		if err := client.Post("/api/plugins/"+args[0]+"/load", nil, &resp); err != nil {
 			return err
@@ -120,6 +124,9 @@ var pluginsUnloadCmd = &cobra.Command{
 	Args:  cobra.ExactArgs(1),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		client := clientFromCmd(cmd)
+		if err := requirePluginOperator(cmd, "unload plugin"); err != nil {
+			return err
+		}
 		if err := client.Post("/api/plugins/"+args[0]+"/unload", nil, nil); err != nil {
 			return err
 		}
@@ -134,6 +141,9 @@ var pluginsReloadCmd = &cobra.Command{
 	Args:  cobra.ExactArgs(1),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		client := clientFromCmd(cmd)
+		if err := requirePluginOperator(cmd, "reload plugin"); err != nil {
+			return err
+		}
 		var resp map[string]any
 		if err := client.Post("/api/plugins/"+args[0]+"/reload", nil, &resp); err != nil {
 			return err
@@ -149,6 +159,9 @@ var pluginsEnableCmd = &cobra.Command{
 	Args:  cobra.ExactArgs(1),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		client := clientFromCmd(cmd)
+		if err := requirePluginOperator(cmd, "enable plugin"); err != nil {
+			return err
+		}
 		var resp map[string]any
 		if err := client.Post("/api/plugins/"+args[0]+"/enable", nil, &resp); err != nil {
 			return err
@@ -164,6 +177,9 @@ var pluginsDisableCmd = &cobra.Command{
 	Args:  cobra.ExactArgs(1),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		client := clientFromCmd(cmd)
+		if err := requirePluginOperator(cmd, "disable plugin"); err != nil {
+			return err
+		}
 		var resp map[string]any
 		if err := client.Post("/api/plugins/"+args[0]+"/disable", nil, &resp); err != nil {
 			return err
@@ -179,6 +195,9 @@ var pluginsUninstallCmd = &cobra.Command{
 	Args:  cobra.ExactArgs(1),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		client := clientFromCmd(cmd)
+		if err := requirePluginOperator(cmd, "uninstall plugin"); err != nil {
+			return err
+		}
 		if err := client.Delete("/api/plugins/" + args[0]); err != nil {
 			return err
 		}
@@ -193,6 +212,9 @@ var pluginsInstallCmd = &cobra.Command{
 	Args:  cobra.ExactArgs(1),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		client := clientFromCmd(cmd)
+		if err := requirePluginOperator(cmd, "install plugin"); err != nil {
+			return err
+		}
 
 		var manifest map[string]any
 		if err := client.Post("/api/plugins/install", args[0], &manifest); err != nil {
@@ -405,6 +427,9 @@ var pluginsPromoteCmd = &cobra.Command{
 	Short: "Promote all staging JARs to system/",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		client := clientFromCmd(cmd)
+		if err := requirePluginOperator(cmd, "promote plugin staging JARs"); err != nil {
+			return err
+		}
 		if err := client.Post("/api/plugins/loader/promote", nil, nil); err != nil {
 			return err
 		}
@@ -418,6 +443,9 @@ var pluginsPublishCmd = &cobra.Command{
 	Short: "Print submission guidance for publishing a plugin",
 	Args:  cobra.ExactArgs(1),
 	RunE: func(cmd *cobra.Command, args []string) error {
+		if err := requirePluginOperator(cmd, "publish plugin"); err != nil {
+			return err
+		}
 		tuioutput.Header("Plugin Publishing Guide")
 		tuioutput.Separator()
 		tuioutput.Row("Official plugins:", "Submit PR to github.com/FTMahringer/synapse-plugins")
@@ -459,3 +487,15 @@ func init() {
 	commandfeatures.BindSubcommandListing(pluginsCmd)
 	rootCmd.AddCommand(pluginsCmd)
 }
+
+func requirePluginOperator(cmd *cobra.Command, action string) error {
+	profile, _ := cmd.Flags().GetString("profile")
+	role := strings.ToUpper(strings.TrimSpace(config.GetProfile(profile).Role))
+	if role == "ADMIN" || role == "OWNER" {
+		return nil
+	}
+	if role == "" {
+		role = "unset"
+	}
+	return fmt.Errorf("%s requires ADMIN or OWNER role (current role: %s)", action, role)
+}

packages/cli/cmd/plugins_policy_test.go

@@ -0,0 +1,54 @@
+package cmd
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/synapse-dev/synapse-cli/internal/config"
+)
+
+func TestRequirePluginOperatorRejectsViewer(t *testing.T) {
+	viper.Set("profiles.default.host", "http://localhost:8080")
+	viper.Set("profiles.default.role", "VIEWER")
+
+	cmd := &cobra.Command{}
+	cmd.Flags().StringP("profile", "p", "default", "")
+
+	if err := requirePluginOperator(cmd, "install plugin"); err == nil {
+		t.Fatal("expected role restriction error")
+	}
+}
+
+func TestRequirePluginOperatorAllowsAdmin(t *testing.T) {
+	viper.Set("profiles.default.host", "http://localhost:8080")
+	viper.Set("profiles.default.role", "ADMIN")
+
+	cmd := &cobra.Command{}
+	cmd.Flags().StringP("profile", "p", "default", "")
+
+	if err := requirePluginOperator(cmd, "install plugin"); err != nil {
+		t.Fatalf("expected admin access, got %v", err)
+	}
+}
+
+func TestSetTokenPersistsRole(t *testing.T) {
+	home := t.TempDir()
+	t.Setenv("HOME", home)
+	viper.Reset()
+
+	if err := config.SetToken("default", "token-value", "OWNER"); err != nil {
+		t.Fatalf("set token: %v", err)
+	}
+
+	data, err := os.ReadFile(filepath.Join(home, ".synapse", "config.yaml"))
+	if err != nil {
+		t.Fatalf("read config: %v", err)
+	}
+	if !strings.Contains(string(data), "role: OWNER") {
+		t.Fatalf("expected role to be persisted, got %s", string(data))
+	}
+}

packages/cli/internal/config/config.go

@@ -11,6 +11,7 @@ import (
 type Profile struct {
 	Host  string `mapstructure:"host"`
 	Token string `mapstructure:"token"`
+	Role  string `mapstructure:"role"`
 }
 
 // Init loads config from ~/.synapse/config.yaml
@@ -46,7 +47,7 @@ func GetProfile(name string) Profile {
 	return p
 }
 
-func SetToken(profile, token string) error {
+func SetToken(profile, token, role string) error {
 	home, err := os.UserHomeDir()
 	if err != nil {
 		return err
@@ -58,11 +59,13 @@ func SetToken(profile, token string) error {
 	}
 
 	viper.Set("profiles."+profile+".token", token)
+	viper.Set("profiles."+profile+".role", role)
 	return viper.WriteConfigAs(filepath.Join(dir, "config.yaml"))
 }
 
 func ClearToken(profile string) error {
 	viper.Set("profiles."+profile+".token", "")
+	viper.Set("profiles."+profile+".role", "")
 	home, _ := os.UserHomeDir()
 	return viper.WriteConfigAs(filepath.Join(home, ".synapse", "config.yaml"))
 }

packages/core/pom.xml

@@ -15,7 +15,7 @@
 
     <groupId>dev.synapse</groupId>
     <artifactId>synapse-core</artifactId>
-    <version>2.6.2-dev</version>
+    <version>2.6.3-dev</version>
     <name>synapse-core</name>
     <description>SYNAPSE Spring Boot backend</description>
 

packages/core/src/main/java/dev/synapse/plugins/BundleInstallService.java

@@ -25,17 +25,20 @@ public class BundleInstallService {
     private final StoreEntryRepository storeEntryRepository;
     private final PluginLifecycleService lifecycleService;
     private final PluginRepository pluginRepository;
+    private final StorePolicyService storePolicyService;
     private final SystemLogService logService;
 
     public BundleInstallService(
         StoreEntryRepository storeEntryRepository,
         PluginLifecycleService lifecycleService,
         PluginRepository pluginRepository,
+        StorePolicyService storePolicyService,
         SystemLogService logService
     ) {
         this.storeEntryRepository = storeEntryRepository;
         this.lifecycleService = lifecycleService;
         this.pluginRepository = pluginRepository;
+        this.storePolicyService = storePolicyService;
         this.logService = logService;
     }
 
@@ -76,13 +79,15 @@ public BundleInstallResult installBundle(String bundleId) {
 
         StoreEntry bundle = storeEntryRepository.findById(bundleId)
             .orElseThrow(() -> new ResourceNotFoundException("Bundle", bundleId));
+        storePolicyService.assertInstallAllowed(bundle);
 
         List<String> installed = new ArrayList<>();
         List<String> skipped = new ArrayList<>();
 
         for (String pluginId : extractPluginIds(bundle)) {
             StoreEntry entry = storeEntryRepository.findById(pluginId).orElse(null);
             if (entry == null) continue;
+            storePolicyService.assertInstallAllowed(entry);
 
             if (pluginRepository.existsById(pluginId)) {
                 skipped.add(pluginId);

packages/core/src/main/java/dev/synapse/plugins/PluginRegistryService.java

@@ -48,7 +48,7 @@ public PluginRegistryService(
         RegistrySourceRepository registrySourceRepository,
         RegistryProperties registryProperties,
         RestClient restClient,
-        @Value("${synapse.version:${spring.application.version:v2.6.2-dev}}") String synapseVersion
+        @Value("${synapse.version:${spring.application.version:v2.6.3-dev}}") String synapseVersion
     ) {
         this.storeRegistryService = storeRegistryService;
         this.registrySourceRepository = registrySourceRepository;
@@ -95,20 +95,42 @@ public RegistryMetadata findEntries(
     }
 
     public List<StoreEntry> findStoreEntries(String type, int page, int size) {
-        return findEntries(null, null, type, false)
+        return findStoreEntries(type, page, size, null);
+    }
+
+    public List<StoreEntry> findStoreEntries(
+        String type,
+        int page,
+        int size,
+        StorePolicyService policyService
+    ) {
+        List<StoreEntry> entries = findEntries(null, null, type, false)
             .entries()
             .stream()
             .filter(this::isStoreVisible)
+            .toList();
+        if (policyService != null) {
+            entries = policyService.filterEntries(entries);
+        }
+        return entries
+            .stream()
             .skip((long) Math.max(page, 0) * Math.max(size, 1))
             .limit(Math.max(size, 1))
             .toList();
     }
 
     public StoreEntry findStoreEntry(String id) {
+        return findStoreEntry(id, null);
+    }
+
+    public StoreEntry findStoreEntry(String id, StorePolicyService policyService) {
         StoreEntry entry = storeRegistryService.findById(id);
         if (entry == null || !isStoreVisible(entry)) {
             return null;
         }
+        if (policyService != null) {
+            return policyService.requireVisible(entry);
+        }
         return entry;
     }