Theme signing pipeline (cosign)

[tayebmokni]

Summary

Set up the theme signing pipeline per doc 13 §7.3. Themes ship as npm tarball (or zipped equivalent) plus theme.json manifest plus signature.sig (cosign bundle). Trusted theme-publisher identities live in theme.signing.trusted_keys. Unsigned themes are blocked by default; admin can override with an operator-level flag (--allow-unsigned), which triggers a prominent banner and an audit event on activation. The signature covers the package tarball checksum so file-level tamper is detected. Themes have stronger requirements than plugins because they run unsandboxed in the Next.js process (per §14.2).

Design reference

• docs/13-security-baseline.md §7.3 (themes signing), §14.2 (themes not sandboxed), §7.9 (tradeoffs)

Acceptance criteria

• Theme package format documented: tarball + theme.json + signature.sig cosign bundle
• Publish tooling step that signs the tarball checksum with cosign
• Theme installer runs cosign verify against theme.signing.trusted_keys
• Unsigned themes refused unless operator-level --allow-unsigned is passed at install time
• Prominent admin banner for any unsigned theme activated
• Audit log event on every unsigned theme activation
• Tarball tamper detection covered by integration test
• Signature verification failure produces a clear admin-facing error

Dependencies

#105

Complexity

L

[tayebmokni]

Closing — shipped in the final-wave PR (#487-#492). Auto-close only fires for first ref.