@ebowwa/sandbox 0.1.1

package/dist/core/permissions.d.ts

@@ -0,0 +1,103 @@
+/**
+ * Permissions Primitive
+ *
+ * Composable permission enforcement for sandbox execution.
+ * Each permission can be independently granted or denied.
+ */
+import type { Permissions, PermissionLevel, FileSystemPermission, NetworkPermission, EnvironmentPermission, ProcessPermission } from "./types.js";
+/**
+ * Permission Checker
+ *
+ * Validates permissions against allowed operations.
+ */
+export declare class PermissionChecker {
+    private permissions;
+    constructor(permissions: Permissions);
+    /**
+     * Check if filesystem read is allowed
+     */
+    canReadFile(path?: string): boolean;
+    /**
+     * Check if filesystem write is allowed
+     */
+    canWriteFile(path?: string): boolean;
+    /**
+     * Check if filesystem delete is allowed
+     */
+    canDeleteFile(path?: string): boolean;
+    /**
+     * Check if network outbound is allowed
+     */
+    canConnect(host?: string): boolean;
+    /**
+     * Check if network inbound is allowed
+     */
+    canListen(port?: number): boolean;
+    /**
+     * Check if environment read is allowed
+     */
+    canReadEnv(key?: string): boolean;
+    /**
+     * Check if environment write is allowed
+     */
+    canWriteEnv(key?: string): boolean;
+    /**
+     * Check if process spawn is allowed
+     */
+    canSpawnProcess(command?: string): boolean;
+    /**
+     * Get memory limit
+     */
+    getMemoryLimit(): number | undefined;
+    /**
+     * Get CPU limits
+     */
+    getCpuLimits(): {
+        maxPercent?: number;
+        maxTimeMs?: number;
+    };
+    /**
+     * Check if path is allowed
+     */
+    private isPathAllowed;
+    /**
+     * Check if host is allowed
+     */
+    private isHostAllowed;
+}
+/**
+ * Permission Builder
+ *
+ * Fluent API for building permission sets.
+ */
+export declare class PermissionBuilder {
+    private permissions;
+    filesystem(options: Partial<FileSystemPermission>): this;
+    network(options: Partial<NetworkPermission>): this;
+    environment(options: Partial<EnvironmentPermission>): this;
+    process(options: Partial<ProcessPermission>): this;
+    memory(maxBytes: number): this;
+    cpu(options: {
+        maxPercent?: number;
+        maxTimeMs?: number;
+    }): this;
+    build(): Permissions;
+}
+/**
+ * Create permission set from level
+ */
+export declare function createPermissions(level: PermissionLevel): Permissions;
+/**
+ * Merge permissions (intersection - most restrictive)
+ */
+export declare function mergePermissions(...perms: Permissions[]): Permissions;
+/**
+ * Check if permission level implies another
+ */
+export declare function impliesPermission(level: PermissionLevel, required: PermissionLevel): boolean;
+/**
+ * Upgrade permissions to higher level
+ */
+export declare function upgradePermissions(current: Permissions, newLevel: PermissionLevel): Permissions;
+export { permissionsFromLevel } from "./types.js";
+//# sourceMappingURL=permissions.d.ts.map

package/dist/core/permissions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../../src/core/permissions.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,eAAe,EACf,oBAAoB,EACpB,iBAAiB,EACjB,qBAAqB,EACrB,iBAAiB,EAClB,MAAM,YAAY,CAAC;AAEpB;;;;GAIG;AACH,qBAAa,iBAAiB;IAChB,OAAO,CAAC,WAAW;gBAAX,WAAW,EAAE,WAAW;IAE5C;;OAEG;IACH,WAAW,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO;IAUnC;;OAEG;IACH,YAAY,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO;IAUpC;;OAEG;IACH,aAAa,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO;IAUrC;;OAEG;IACH,UAAU,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO;IAUlC;;OAEG;IACH,SAAS,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO;IAQjC;;OAEG;IACH,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO;IAUjC;;OAEG;IACH,WAAW,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO;IAUlC;;OAEG;IACH,eAAe,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO;IAY1C;;OAEG;IACH,cAAc,IAAI,MAAM,GAAG,SAAS;IAIpC;;OAEG;IACH,YAAY,IAAI;QAAE,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE;IAQ3D;;OAEG;IACH,OAAO,CAAC,aAAa;IAuBrB;;OAEG;IACH,OAAO,CAAC,aAAa;CAsBtB;AAED;;;;GAIG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,WAAW,CAAmB;IAEtC,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,oBAAoB,CAAC,GAAG,IAAI;IAQxD,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,IAAI;IAQlD,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,qBAAqB,CAAC,GAAG,IAAI;IAQ1D,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,IAAI;IAQlD,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAK9B,GAAG,CAAC,OAAO,EAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;IAK/D,KAAK,IAAI,WAAW;CAGrB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,eAAe,GAAG,WAAW,CAsCrE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,KAAK,EAAE,WAAW,EAAE,GAAG,WAAW,CAwDrE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,eAAe,EACtB,QAAQ,EAAE,eAAe,GACxB,OAAO,CAUT;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,WAAW,EACpB,QAAQ,EAAE,eAAe,GACxB,WAAW,CAGb;AAuBD,OAAO,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC"}

package/dist/core/permissions.js

@@ -0,0 +1,341 @@
+/**
+ * Permissions Primitive
+ *
+ * Composable permission enforcement for sandbox execution.
+ * Each permission can be independently granted or denied.
+ */
+/**
+ * Permission Checker
+ *
+ * Validates permissions against allowed operations.
+ */
+export class PermissionChecker {
+    permissions;
+    constructor(permissions) {
+        this.permissions = permissions;
+    }
+    /**
+     * Check if filesystem read is allowed
+     */
+    canReadFile(path) {
+        const fs = this.permissions.fs;
+        if (!fs?.read)
+            return false;
+        if (path) {
+            return this.isPathAllowed(path, fs);
+        }
+        return true;
+    }
+    /**
+     * Check if filesystem write is allowed
+     */
+    canWriteFile(path) {
+        const fs = this.permissions.fs;
+        if (!fs?.write)
+            return false;
+        if (path) {
+            return this.isPathAllowed(path, fs);
+        }
+        return true;
+    }
+    /**
+     * Check if filesystem delete is allowed
+     */
+    canDeleteFile(path) {
+        const fs = this.permissions.fs;
+        if (!fs?.delete)
+            return false;
+        if (path) {
+            return this.isPathAllowed(path, fs);
+        }
+        return true;
+    }
+    /**
+     * Check if network outbound is allowed
+     */
+    canConnect(host) {
+        const net = this.permissions.network;
+        if (!net?.outbound)
+            return false;
+        if (host) {
+            return this.isHostAllowed(host, net);
+        }
+        return true;
+    }
+    /**
+     * Check if network inbound is allowed
+     */
+    canListen(port) {
+        const net = this.permissions.network;
+        if (!net?.inbound)
+            return false;
+        // Could add port-based restrictions here
+        return true;
+    }
+    /**
+     * Check if environment read is allowed
+     */
+    canReadEnv(key) {
+        const env = this.permissions.env;
+        if (!env?.read)
+            return false;
+        if (key && env.allowedKeys) {
+            return env.allowedKeys.includes(key);
+        }
+        return true;
+    }
+    /**
+     * Check if environment write is allowed
+     */
+    canWriteEnv(key) {
+        const env = this.permissions.env;
+        if (!env?.write)
+            return false;
+        if (key && env.allowedKeys) {
+            return env.allowedKeys.includes(key);
+        }
+        return true;
+    }
+    /**
+     * Check if process spawn is allowed
+     */
+    canSpawnProcess(command) {
+        const proc = this.permissions.process;
+        if (!proc?.spawn)
+            return false;
+        if (command && proc.allowedCommands) {
+            return proc.allowedCommands.some(cmd => command.startsWith(cmd) || command === cmd);
+        }
+        return true;
+    }
+    /**
+     * Get memory limit
+     */
+    getMemoryLimit() {
+        return this.permissions.memory?.maxBytes;
+    }
+    /**
+     * Get CPU limits
+     */
+    getCpuLimits() {
+        const cpu = this.permissions.cpu;
+        return {
+            maxPercent: cpu?.maxPercent,
+            maxTimeMs: cpu?.maxTimeMs,
+        };
+    }
+    /**
+     * Check if path is allowed
+     */
+    isPathAllowed(path, fs) {
+        // Check denied paths first
+        if (fs.deniedPaths) {
+            for (const denied of fs.deniedPaths) {
+                if (path.startsWith(denied)) {
+                    return false;
+                }
+            }
+        }
+        // Check allowed paths
+        if (fs.allowedPaths) {
+            for (const allowed of fs.allowedPaths) {
+                if (path.startsWith(allowed)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+        return true;
+    }
+    /**
+     * Check if host is allowed
+     */
+    isHostAllowed(host, net) {
+        // Check denied hosts first
+        if (net.deniedHosts) {
+            for (const denied of net.deniedHosts) {
+                if (host === denied || host.endsWith(`.${denied}`)) {
+                    return false;
+                }
+            }
+        }
+        // Check allowed hosts
+        if (net.allowedHosts) {
+            for (const allowed of net.allowedHosts) {
+                if (host === allowed || host.endsWith(`.${allowed}`)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+        return true;
+    }
+}
+/**
+ * Permission Builder
+ *
+ * Fluent API for building permission sets.
+ */
+export class PermissionBuilder {
+    permissions = {};
+    filesystem(options) {
+        this.permissions.fs = {
+            ...this.permissions.fs,
+            ...options,
+        };
+        return this;
+    }
+    network(options) {
+        this.permissions.network = {
+            ...this.permissions.network,
+            ...options,
+        };
+        return this;
+    }
+    environment(options) {
+        this.permissions.env = {
+            ...this.permissions.env,
+            ...options,
+        };
+        return this;
+    }
+    process(options) {
+        this.permissions.process = {
+            ...this.permissions.process,
+            ...options,
+        };
+        return this;
+    }
+    memory(maxBytes) {
+        this.permissions.memory = { maxBytes };
+        return this;
+    }
+    cpu(options) {
+        this.permissions.cpu = options;
+        return this;
+    }
+    build() {
+        return this.permissions;
+    }
+}
+/**
+ * Create permission set from level
+ */
+export function createPermissions(level) {
+    switch (level) {
+        case "isolated":
+            return {};
+        case "readonly":
+            return {
+                fs: { read: true },
+            };
+        case "network":
+            return {
+                fs: { read: true },
+                network: { outbound: true },
+            };
+        case "filesystem":
+            return {
+                fs: { read: true, write: true, delete: true },
+                network: { outbound: true, inbound: true },
+            };
+        case "admin":
+            return {
+                fs: { read: true, write: true, delete: true },
+                network: { outbound: true, inbound: true },
+                env: { read: true, write: true },
+                process: { spawn: true },
+            };
+        case "sudo":
+            return {
+                fs: { read: true, write: true, delete: true },
+                network: { outbound: true, inbound: true },
+                env: { read: true, write: true },
+                process: { spawn: true },
+            };
+    }
+}
+/**
+ * Merge permissions (intersection - most restrictive)
+ */
+export function mergePermissions(...perms) {
+    const result = {};
+    // Filesystem
+    const fsPerms = perms.filter(p => p.fs);
+    if (fsPerms.length === perms.length) {
+        result.fs = {
+            read: fsPerms.every(p => p.fs?.read),
+            write: fsPerms.every(p => p.fs?.write),
+            delete: fsPerms.every(p => p.fs?.delete),
+            allowedPaths: intersectArrays(...fsPerms.map(p => p.fs?.allowedPaths).filter(Boolean)),
+            deniedPaths: unionArrays(...fsPerms.map(p => p.fs?.deniedPaths).filter(Boolean)),
+        };
+    }
+    // Network
+    const netPerms = perms.filter(p => p.network);
+    if (netPerms.length === perms.length) {
+        result.network = {
+            outbound: netPerms.every(p => p.network?.outbound),
+            inbound: netPerms.every(p => p.network?.inbound),
+            allowedHosts: intersectArrays(...netPerms.map(p => p.network?.allowedHosts).filter(Boolean)),
+            deniedHosts: unionArrays(...netPerms.map(p => p.network?.deniedHosts).filter(Boolean)),
+        };
+    }
+    // Memory (take minimum)
+    const memoryLimits = perms
+        .map(p => p.memory?.maxBytes)
+        .filter(Boolean);
+    if (memoryLimits.length > 0) {
+        result.memory = { maxBytes: Math.min(...memoryLimits) };
+    }
+    // CPU (take minimums)
+    const cpuPerms = perms.filter(p => p.cpu);
+    if (cpuPerms.length > 0) {
+        result.cpu = {
+            maxPercent: Math.min(...cpuPerms.map(p => p.cpu?.maxPercent ?? 100)),
+            maxTimeMs: Math.min(...cpuPerms.map(p => p.cpu?.maxTimeMs ?? Infinity)),
+        };
+    }
+    return result;
+}
+/**
+ * Check if permission level implies another
+ */
+export function impliesPermission(level, required) {
+    const levels = [
+        "isolated",
+        "readonly",
+        "network",
+        "filesystem",
+        "admin",
+        "sudo",
+    ];
+    return levels.indexOf(level) >= levels.indexOf(required);
+}
+/**
+ * Upgrade permissions to higher level
+ */
+export function upgradePermissions(current, newLevel) {
+    const newPerms = createPermissions(newLevel);
+    return mergePermissions(current, newPerms);
+}
+// Helper functions
+function intersectArrays(...arrays) {
+    if (arrays.length === 0)
+        return [];
+    if (arrays.length === 1)
+        return arrays[0];
+    return arrays[0].filter(item => arrays.every(arr => arr.includes(item)));
+}
+function unionArrays(...arrays) {
+    const set = new Set();
+    for (const arr of arrays) {
+        for (const item of arr) {
+            set.add(item);
+        }
+    }
+    return Array.from(set);
+}
+// Re-export from types
+export { permissionsFromLevel } from "./types.js";
+//# sourceMappingURL=permissions.js.map

package/dist/core/permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.js","sourceRoot":"","sources":["../../src/core/permissions.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH;;;;GAIG;AACH,MAAM,OAAO,iBAAiB;IACR;IAApB,YAAoB,WAAwB;QAAxB,gBAAW,GAAX,WAAW,CAAa;IAAG,CAAC;IAEhD;;OAEG;IACH,WAAW,CAAC,IAAa;QACvB,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,IAAI,CAAC,EAAE,EAAE,IAAI;YAAE,OAAO,KAAK,CAAC;QAE5B,IAAI,IAAI,EAAE,CAAC;YACT,OAAO,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACtC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,IAAa;QACxB,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,IAAI,CAAC,EAAE,EAAE,KAAK;YAAE,OAAO,KAAK,CAAC;QAE7B,IAAI,IAAI,EAAE,CAAC;YACT,OAAO,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACtC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,IAAa;QACzB,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,IAAI,CAAC,EAAE,EAAE,MAAM;YAAE,OAAO,KAAK,CAAC;QAE9B,IAAI,IAAI,EAAE,CAAC;YACT,OAAO,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACtC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,IAAa;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC;QACrC,IAAI,CAAC,GAAG,EAAE,QAAQ;YAAE,OAAO,KAAK,CAAC;QAEjC,IAAI,IAAI,EAAE,CAAC;YACT,OAAO,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,IAAa;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC;QACrC,IAAI,CAAC,GAAG,EAAE,OAAO;YAAE,OAAO,KAAK,CAAC;QAEhC,yCAAyC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,GAAY;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;QACjC,IAAI,CAAC,GAAG,EAAE,IAAI;YAAE,OAAO,KAAK,CAAC;QAE7B,IAAI,GAAG,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;YAC3B,OAAO,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,GAAY;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;QACjC,IAAI,CAAC,GAAG,EAAE,KAAK;YAAE,OAAO,KAAK,CAAC;QAE9B,IAAI,GAAG,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;YAC3B,OAAO,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,OAAgB;QAC9B,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC;QACtC,IAAI,CAAC,IAAI,EAAE,KAAK;YAAE,OAAO,KAAK,CAAC;QAE/B,IAAI,OAAO,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACpC,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CACrC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,KAAK,GAAG,CAC3C,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,YAAY;QACV,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;QACjC,OAAO;YACL,UAAU,EAAE,GAAG,EAAE,UAAU;YAC3B,SAAS,EAAE,GAAG,EAAE,SAAS;SAC1B,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,IAAY,EAAE,EAAwB;QAC1D,2BAA2B;QAC3B,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;YACnB,KAAK,MAAM,MAAM,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;gBACpC,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC5B,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;QACH,CAAC;QAED,sBAAsB;QACtB,IAAI,EAAE,CAAC,YAAY,EAAE,CAAC;YACpB,KAAK,MAAM,OAAO,IAAI,EAAE,CAAC,YAAY,EAAE,CAAC;gBACtC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC7B,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,IAAY,EAAE,GAAsB;QACxD,2BAA2B;QAC3B,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;YACpB,KAAK,MAAM,MAAM,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrC,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,MAAM,EAAE,CAAC,EAAE,CAAC;oBACnD,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;QACH,CAAC;QAED,sBAAsB;QACtB,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;YACrB,KAAK,MAAM,OAAO,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;gBACvC,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,OAAO,EAAE,CAAC,EAAE,CAAC;oBACrD,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,OAAO,iBAAiB;IACpB,WAAW,GAAgB,EAAE,CAAC;IAEtC,UAAU,CAAC,OAAsC;QAC/C,IAAI,CAAC,WAAW,CAAC,EAAE,GAAG;YACpB,GAAG,IAAI,CAAC,WAAW,CAAC,EAAE;YACtB,GAAG,OAAO;SACX,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,CAAC,OAAmC;QACzC,IAAI,CAAC,WAAW,CAAC,OAAO,GAAG;YACzB,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO;YAC3B,GAAG,OAAO;SACX,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,WAAW,CAAC,OAAuC;QACjD,IAAI,CAAC,WAAW,CAAC,GAAG,GAAG;YACrB,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG;YACvB,GAAG,OAAO;SACX,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,CAAC,OAAmC;QACzC,IAAI,CAAC,WAAW,CAAC,OAAO,GAAG;YACzB,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO;YAC3B,GAAG,OAAO;SACX,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,QAAgB;QACrB,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,EAAE,QAAQ,EAAE,CAAC;QACvC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,OAAoD;QACtD,IAAI,CAAC,WAAW,CAAC,GAAG,GAAG,OAAO,CAAC;QAC/B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK;QACH,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAsB;IACtD,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,UAAU;YACb,OAAO,EAAE,CAAC;QAEZ,KAAK,UAAU;YACb,OAAO;gBACL,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;aACnB,CAAC;QAEJ,KAAK,SAAS;YACZ,OAAO;gBACL,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;gBAClB,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE;aAC5B,CAAC;QAEJ,KAAK,YAAY;YACf,OAAO;gBACL,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;gBAC7C,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;aAC3C,CAAC;QAEJ,KAAK,OAAO;YACV,OAAO;gBACL,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;gBAC7C,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;gBAC1C,GAAG,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;gBAChC,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;aACzB,CAAC;QAEJ,KAAK,MAAM;YACT,OAAO;gBACL,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;gBAC7C,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;gBAC1C,GAAG,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;gBAChC,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;aACzB,CAAC;IACN,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAG,KAAoB;IACtD,MAAM,MAAM,GAAgB,EAAE,CAAC;IAE/B,aAAa;IACb,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACxC,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;QACpC,MAAM,CAAC,EAAE,GAAG;YACV,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,CAAC;YACpC,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,KAAK,CAAC;YACtC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,MAAM,CAAC;YACxC,YAAY,EAAE,eAAe,CAC3B,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,YAAY,CAAC,CAAC,MAAM,CAAC,OAAO,CAAe,CACtE;YACD,WAAW,EAAE,WAAW,CACtB,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC,MAAM,CAAC,OAAO,CAAe,CACrE;SACF,CAAC;IACJ,CAAC;IAED,UAAU;IACV,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAC9C,IAAI,QAAQ,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;QACrC,MAAM,CAAC,OAAO,GAAG;YACf,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC;YAClD,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC;YAChD,YAAY,EAAE,eAAe,CAC3B,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,MAAM,CAAC,OAAO,CAAe,CAC5E;YACD,WAAW,EAAE,WAAW,CACtB,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,MAAM,CAAC,OAAO,CAAe,CAC3E;SACF,CAAC;IACJ,CAAC;IAED,wBAAwB;IACxB,MAAM,YAAY,GAAG,KAAK;SACvB,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC;SAC5B,MAAM,CAAC,OAAO,CAAa,CAAC;IAC/B,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,CAAC,MAAM,GAAG,EAAE,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,EAAE,CAAC;IAC1D,CAAC;IAED,sBAAsB;IACtB,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC1C,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,GAAG;YACX,UAAU,EAAE,IAAI,CAAC,GAAG,CAClB,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE,UAAU,IAAI,GAAG,CAAC,CAC/C;YACD,SAAS,EAAE,IAAI,CAAC,GAAG,CACjB,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE,SAAS,IAAI,QAAQ,CAAC,CACnD;SACF,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,KAAsB,EACtB,QAAyB;IAEzB,MAAM,MAAM,GAAsB;QAChC,UAAU;QACV,UAAU;QACV,SAAS;QACT,YAAY;QACZ,OAAO;QACP,MAAM;KACP,CAAC;IACF,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAoB,EACpB,QAAyB;IAEzB,MAAM,QAAQ,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAC7C,OAAO,gBAAgB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;AAC7C,CAAC;AAED,mBAAmB;AACnB,SAAS,eAAe,CAAI,GAAG,MAAa;IAC1C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACnC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;IAE1C,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAC7B,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CACxC,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAI,GAAG,MAAa;IACtC,MAAM,GAAG,GAAG,IAAI,GAAG,EAAK,CAAC;IACzB,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;YACvB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAChB,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED,uBAAuB;AACvB,OAAO,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC"}

package/dist/core/runtime.d.ts

@@ -0,0 +1,127 @@
+/**
+ * Runtime Primitive
+ *
+ * Executes compiled code (WASM) with resource limits and permissions.
+ * Composable: different runtimes for different isolation levels.
+ */
+import type { ExecutionResult, Permissions, Limits } from "./types.js";
+import type { CompileResult } from "./compiler.js";
+/** Runtime options */
+export interface RuntimeOptions {
+    permissions: Permissions;
+    limits: Limits;
+    /** Environment variables */
+    env?: Record<string, string>;
+    /** Working directory */
+    cwd?: string;
+    /** Abort signal */
+    signal?: AbortSignal;
+}
+/** Execution request */
+export interface ExecutionRequest {
+    /** Compiled WASM */
+    wasm: CompileResult;
+    /** Entrypoint function */
+    entrypoint?: string;
+    /** Arguments to pass */
+    args?: unknown[];
+    /** Input data */
+    input?: unknown;
+    /** Previous state */
+    state?: Map<string, unknown>;
+}
+/** Base runtime interface */
+export interface IRuntime {
+    /** Runtime name */
+    readonly name: string;
+    /** Runtime capabilities */
+    readonly capabilities: RuntimeCapabilities;
+    /** Initialize runtime */
+    init(): Promise<void>;
+    /** Check if runtime is available */
+    isAvailable(): Promise<boolean>;
+    /** Execute compiled code */
+    execute(request: ExecutionRequest, options: RuntimeOptions): Promise<ExecutionResult>;
+    /** Terminate runtime and cleanup resources */
+    terminate(): Promise<void>;
+    /** Check if currently executing */
+    isExecuting(): boolean;
+}
+/** Runtime capabilities */
+export interface RuntimeCapabilities {
+    /** Isolation level */
+    isolation: "none" | "process" | "vm" | "wasm" | "container";
+    /** Supports state persistence */
+    stateful: boolean;
+    /** Supports async execution */
+    async: boolean;
+    /** Can access filesystem */
+    filesystem: boolean;
+    /** Can access network */
+    network: boolean;
+    /** Max memory (bytes) */
+    maxMemory: number;
+    /** Supports WASI */
+    wasi: boolean;
+}
+/**
+ * WASM-in-WASM Runtime
+ *
+ * Uses @ebowwa/wasm2wasm for maximum isolation.
+ * Runs WASM bytecode inside a WASM interpreter.
+ */
+export declare class Wasm2WasmRuntime implements IRuntime {
+    readonly name = "wasm2wasm";
+    readonly capabilities: RuntimeCapabilities;
+    private executing;
+    init(): Promise<void>;
+    isAvailable(): Promise<boolean>;
+    execute(request: ExecutionRequest, options: RuntimeOptions): Promise<ExecutionResult>;
+    terminate(): Promise<void>;
+    isExecuting(): boolean;
+    private createErrorResult;
+    private parseMemory;
+    private parseTimeout;
+    private combineSignals;
+}
+/**
+ * Native WASM Runtime
+ *
+ * Uses browser/Node WebAssembly API directly.
+ * Less isolated but faster.
+ */
+export declare class NativeWasmRuntime implements IRuntime {
+    readonly name = "native-wasm";
+    readonly capabilities: RuntimeCapabilities;
+    private executing;
+    init(): Promise<void>;
+    isAvailable(): Promise<boolean>;
+    execute(request: ExecutionRequest, options: RuntimeOptions): Promise<ExecutionResult>;
+    terminate(): Promise<void>;
+    isExecuting(): boolean;
+    private buildImports;
+    private createErrorResult;
+    private parseTimeout;
+}
+/**
+ * Runtime Registry
+ *
+ * Manages available runtimes and selects appropriate one.
+ */
+export declare class RuntimeRegistry {
+    private runtimes;
+    register(runtime: IRuntime): void;
+    get(name: string): IRuntime | undefined;
+    has(name: string): boolean;
+    getAvailable(): Promise<string[]>;
+    /**
+     * Select best runtime for given requirements
+     */
+    selectBest(requirements: {
+        isolation?: RuntimeCapabilities["isolation"];
+        filesystem?: boolean;
+        network?: boolean;
+    }): IRuntime | undefined;
+}
+export declare const defaultRuntimeRegistry: RuntimeRegistry;
+//# sourceMappingURL=runtime.d.ts.map

package/dist/core/runtime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime.d.ts","sourceRoot":"","sources":["../../src/core/runtime.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,eAAe,EAEf,WAAW,EACX,MAAM,EAEP,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAEnD,sBAAsB;AACtB,MAAM,WAAW,cAAc;IAC7B,WAAW,EAAE,WAAW,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,4BAA4B;IAC5B,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,wBAAwB;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,mBAAmB;IACnB,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED,wBAAwB;AACxB,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB;IACpB,IAAI,EAAE,aAAa,CAAC;IACpB,0BAA0B;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,wBAAwB;IACxB,IAAI,CAAC,EAAE,OAAO,EAAE,CAAC;IACjB,iBAAiB;IACjB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,qBAAqB;IACrB,KAAK,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC9B;AAED,6BAA6B;AAC7B,MAAM,WAAW,QAAQ;IACvB,mBAAmB;IACnB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,2BAA2B;IAC3B,QAAQ,CAAC,YAAY,EAAE,mBAAmB,CAAC;IAE3C,yBAAyB;IACzB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEtB,oCAAoC;IACpC,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAEhC,4BAA4B;IAC5B,OAAO,CAAC,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IAEtF,8CAA8C;IAC9C,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAE3B,mCAAmC;IACnC,WAAW,IAAI,OAAO,CAAC;CACxB;AAED,2BAA2B;AAC3B,MAAM,WAAW,mBAAmB;IAClC,sBAAsB;IACtB,SAAS,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,MAAM,GAAG,WAAW,CAAC;IAC5D,iCAAiC;IACjC,QAAQ,EAAE,OAAO,CAAC;IAClB,+BAA+B;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,4BAA4B;IAC5B,UAAU,EAAE,OAAO,CAAC;IACpB,yBAAyB;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,oBAAoB;IACpB,IAAI,EAAE,OAAO,CAAC;CACf;AAED;;;;;GAKG;AACH,qBAAa,gBAAiB,YAAW,QAAQ;IAC/C,QAAQ,CAAC,IAAI,eAAe;IAC5B,QAAQ,CAAC,YAAY,EAAE,mBAAmB,CAQxC;IAEF,OAAO,CAAC,SAAS,CAAS;IAEpB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAIrB,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAU/B,OAAO,CACX,OAAO,EAAE,gBAAgB,EACzB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,eAAe,CAAC;IA+ErB,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAIhC,WAAW,IAAI,OAAO;IAItB,OAAO,CAAC,iBAAiB;IAgBzB,OAAO,CAAC,WAAW;IAYnB,OAAO,CAAC,YAAY;IAYpB,OAAO,CAAC,cAAc;CAcvB;AAED;;;;;GAKG;AACH,qBAAa,iBAAkB,YAAW,QAAQ;IAChD,QAAQ,CAAC,IAAI,iBAAiB;IAC9B,QAAQ,CAAC,YAAY,EAAE,mBAAmB,CAQxC;IAEF,OAAO,CAAC,SAAS,CAAS;IAEpB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAIrB,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAI/B,OAAO,CACX,OAAO,EAAE,gBAAgB,EACzB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,eAAe,CAAC;IA0ErB,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAIhC,WAAW,IAAI,OAAO;IAItB,OAAO,CAAC,YAAY;IAgCpB,OAAO,CAAC,iBAAiB;IAkBzB,OAAO,CAAC,YAAY;CAWrB;AAED;;;;GAIG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAA+B;IAE/C,QAAQ,CAAC,OAAO,EAAE,QAAQ,GAAG,IAAI;IAIjC,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,QAAQ,GAAG,SAAS;IAIvC,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIpB,YAAY,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAUvC;;OAEG;IACH,UAAU,CAAC,YAAY,EAAE;QACvB,SAAS,CAAC,EAAE,mBAAmB,CAAC,WAAW,CAAC,CAAC;QAC7C,UAAU,CAAC,EAAE,OAAO,CAAC;QACrB,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,GAAG,QAAQ,GAAG,SAAS;CAgBzB;AAGD,eAAO,MAAM,sBAAsB,iBAAwB,CAAC"}