[Security] Implement assembly validation and signing for plugin loading

[csharpfritz]

Summary

Plugin DLLs are loaded from the plugins directory with zero integrity verification. Any .dll file matching the manifest key gets loaded into a CollectibleAssemblyLoadContext with full access to app services, database, filesystem, and network.

Affected Files

File	Detail
src/SharpSite.Web/PluginManager.cs:99-109	Plugin DLL loading with no validation
src/SharpSite.Plugins/PluginAssemblyLoadContext.cs	No restrictions on loaded assemblies

Risk

A malicious plugin gets full application-level trust. No code signing, hash verification, or publisher validation exists.

Recommended Fix (Phased)

Phase 1 Assembly Name Validation (Quick win): Validate assembly name matches manifest ID + SHA-256 hash verification.

Phase 2 Plugin Sandboxing: Permission manifest restricting plugin capabilities.

Phase 3 Code Signing (Long-term): Publisher certificate chain verification.

Estimated Effort

Phase 1: 4-6 hours | Phase 2: 2-3 days | Phase 3: 1 week

[csharpfritz]

Triage: Security (Enhancement)

Routed to @river. Plugin DLLs loaded with zero integrity verification. Malicious plugin has unrestricted app access.

Priority: 2 (critical security)
Phased approach:

• Phase 1 (4-6 hrs): Assembly name validation + SHA-256 hash verification
• Phase 2 (2-3 days): Permission manifest sandboxing
• Phase 3 (1 week): Code signing certificate chain

Start with Phase 1.

[csharpfritz]

Phase 1 fixed in commit 352ff8d. Created PluginAssemblyValidator with assembly name matching + SHA-256 hash verification at install and startup. Part of PR #352. Phase 2-3 remain for future work.