Skip to content
Indigo HQ Docs

Package Spec v2

Package Spec v2 was designed security-first, with a formal threat model covering supply chain attacks, entitlement bypass, and privilege escalation.

Package Manifest

Every package includes a package.yaml:

name: adobe-campaign-ops
version: 1.2.0
description: Adobe Campaign operations workers and commands
publisher: clerk_user_abc123  # Clerk user ID
publishedAt: 2026-03-25T10:00:00Z


contents:
  workers:
    - workers/campaign-ops/worker.yaml
    - workers/analytics/worker.yaml
  commands:
    - commands/adobe-deploy.md
    - commands/adobe-audience-sync.md
  knowledge:
    - knowledge/adobe/
  policies:
    - policies/adobe-compliance.md


integrity:
  sha256: "a1b2c3d4..."
  signature: "RSA_SIGNATURE_BASE64..."


# Replaces v1 license_key field
# Authorization is now identity-based via Clerk entitlements

Content Allow-List

Only these file types are permitted in packages:

ExtensionPurpose
.yaml / .ymlWorker definitions, config
.mdCommands, knowledge, policies
.shHooks (requires explicit user approval)

Binaries are rejected. This prevents executable payloads from being distributed through the package system.

Integrity Verification

Every package tarball is verified at two levels:

  1. SHA256 hash — The X-Package-SHA256 response header must match the computed hash of the downloaded tarball.
  2. RSA signature — The X-Package-Signature header is verified against Indigo’s public key. This proves the tarball was published by an authorized source and hasn’t been tampered with.
Download tarball
    
    ├── Compute SHA256 → match X-Package-SHA256 header?
    │     └── No → Reject (tampered in transit)
    
    └── Verify RSA signature with public key?
          └── No → Reject (not published by trusted source)

Threat Model

The v2 spec includes a formal threat model covering:

ThreatMitigation
Supply chain attack (malicious package)RSA signing, content allow-list, no binaries
Entitlement bypassServer-side Clerk JWT validation per download
Privilege escalation via hooksHook content shown to user, requires explicit consent
Path traversalpath.resolve() validation (fixes v1 path.basename() vulnerability)
MCP server injectionContent allow-list blocks executable code