MSS-SK-2026-0002
Plugin auth bypass via appCopy routing methods
Summary
src/interfaces/plugins.ts:571 creates a shallow copy of the Express app via _.assign({}, app, {...}) and passes it to plugins. Express routing methods (app.get/post/...) called on that copy register routes on the root Express instance, bypassing the /plugins/{id}/ admin auth middleware. This is the architectural root cause: 12+ confirmed plugin findings are downstream symptoms.
Impact
Any installed plugin can mount unauthenticated HTTP endpoints. This is privilege-broadening: an admin install becomes a LAN-reachable endpoint.
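The mechanism from the summary, beside one way to close it, as an added example (not Signal K or Express code): a minimal stand-in app whose route table stays shared by reference after a shallow copy, and a scoped facade that forces plugin routes under the guarded prefix. The names makeRootApp, dispatch, shallowCopyForPlugin and scopedPluginApp are hypothetical, and Object.assign stands in for _.assign.

```javascript
// Minimal stand-in for an Express-style app (constructed model, not Express or Signal K code).
function makeRootApp() {
  const app = {
    _router: [], // route table: an object reference, so a shallow copy shares it
    use(prefix, mw) { this._router.push({ kind: 'mw', prefix, fn: mw }); },
    get(path, handler) { this._router.push({ kind: 'route', path, fn: handler }); },
  };
  // Admin auth guards only the plugin prefix, as the advisory describes.
  app.use('/plugins/', (req) => req.isAdmin === true);
  return app;
}

// Walk the table in order; a failing middleware on a matching prefix yields 401.
function dispatch(app, req) {
  for (const entry of app._router) {
    if (entry.kind === 'mw' && req.path.startsWith(entry.prefix) && !entry.fn(req)) return 401;
    if (entry.kind === 'route' && entry.path === req.path) return entry.fn(req);
  }
  return 404;
}

// Pattern from the advisory: shallow copy with overrides, handed to the plugin.
function shallowCopyForPlugin(app, id) {
  return Object.assign({}, app, { pluginId: id });
}

// Hardened alternative (assumption): expose only a routing method that forces the guarded prefix.
function scopedPluginApp(app, id) {
  return Object.freeze({
    pluginId: id,
    get: (path, handler) => app.get(`/plugins/${id}/${path.replace(/^\/+/, '')}`, handler),
  });
}

// Register the same plugin route through both handles and compare what an anonymous request sees.
function demo() {
  const anon = (path) => ({ path, isAdmin: false });
  const weak = makeRootApp();
  shallowCopyForPlugin(weak, 'demo').get('/status', () => 200);
  const hard = makeRootApp();
  scopedPluginApp(hard, 'demo').get('/status', () => 200);
  return {
    weakAnon: dispatch(weak, anon('/status')),                 // route landed on the root table
    hardAnonRoot: dispatch(hard, anon('/status')),             // nothing registered at root
    hardAnonScoped: dispatch(hard, anon('/plugins/demo/status')),
    hardAdmin: dispatch(hard, { path: '/plugins/demo/status', isAdmin: true }),
  };
}
```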
Evidence — code citations
Proof of concept
research/audits/signalk/exploits/0002-appCopy-bypass.js/
- 0002-appCopy-bypass.js — single-file