@eidos.space/just-bash 3.0.2

package/dist/bin/chunks/worker.js

@@ -0,0 +1,3150 @@
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
+// src/commands/python3/worker.ts
+import { createRequire } from "node:module";
+import { dirname } from "node:path";
+import { parentPort, workerData } from "node:worker_threads";
+
+// src/fs/sanitize-error.ts
+function sanitizeWithUnixPrefixes(message, includeHostRuntimePrefixes, includeFileUrls) {
+  if (!message) return message;
+  let sanitized = message.replace(/\n\s+at\s.*/g, "");
+  if (includeFileUrls) {
+    sanitized = sanitized.replace(/\bfile:\/\/\/?[^\s'",)}\]:]+/g, "<path>");
+  }
+  sanitized = sanitized.replace(
+    includeHostRuntimePrefixes ? /(?:\/(?:Users|home|private|var|opt|Library|System|usr|etc|tmp|nix|snap|workspace|root|srv|mnt|app))\b[^\s'",)}\]:]*/g : /(?:\/(?:Users|home|private|var|opt|Library|System|usr|etc|tmp|nix|snap))\b[^\s'",)}\]:]*/g,
+    "<path>"
+  );
+  sanitized = sanitized.replace(/node:internal\/[^\s'",)}\]:]+/g, "<internal>");
+  sanitized = sanitized.replace(/[A-Z]:\\[^\s'",)}\]:]+/g, "<path>");
+  if (includeFileUrls) {
+    sanitized = sanitized.replace(/\\\\[^\s\\]+\\[^\s'",)}\]:]+/g, "<path>");
+  }
+  return sanitized;
+}
+function sanitizeErrorMessage(message) {
+  return sanitizeWithUnixPrefixes(message, false, false);
+}
+function sanitizeHostErrorMessage(message) {
+  return sanitizeWithUnixPrefixes(message, true, true);
+}
+
+// src/security/blocked-globals.ts
+function getBlockedGlobals() {
+  const globals = [
+    // Direct code execution vectors
+    {
+      prop: "Function",
+      target: globalThis,
+      violationType: "function_constructor",
+      strategy: "throw",
+      reason: "Function constructor allows arbitrary code execution"
+    },
+    {
+      prop: "eval",
+      target: globalThis,
+      violationType: "eval",
+      strategy: "throw",
+      reason: "eval() allows arbitrary code execution"
+    },
+    // Timer functions with string argument allow code execution
+    {
+      prop: "setTimeout",
+      target: globalThis,
+      violationType: "setTimeout",
+      strategy: "throw",
+      reason: "setTimeout with string argument allows code execution"
+    },
+    {
+      prop: "setInterval",
+      target: globalThis,
+      violationType: "setInterval",
+      strategy: "throw",
+      reason: "setInterval with string argument allows code execution"
+    },
+    {
+      prop: "setImmediate",
+      target: globalThis,
+      violationType: "setImmediate",
+      strategy: "throw",
+      reason: "setImmediate could be used to escape sandbox context"
+    },
+    // Note: We intentionally do NOT block `process` entirely because:
+    // 1. Node.js internals (Promise resolution, etc.) use process.nextTick
+    // 2. Blocking process entirely breaks normal async operation
+    // 3. The primary code execution vectors (Function, eval) are already blocked
+    // However, we DO block specific dangerous process properties.
+    {
+      prop: "env",
+      target: process,
+      violationType: "process_env",
+      strategy: "throw",
+      reason: "process.env could leak sensitive environment variables",
+      // Node.js internals and bundled dependencies read these env vars
+      // during module loading, file watching, and I/O within the
+      // AsyncLocalStorage context. None are user secrets.
+      allowedKeys: /* @__PURE__ */ new Set([
+        // Node.js core
+        "NODE_V8_COVERAGE",
+        "NODE_DEBUG",
+        "NODE_DEBUG_NATIVE",
+        "NODE_COMPILE_CACHE",
+        "WATCH_REPORT_DEPENDENCIES",
+        // Dependencies
+        "FORCE_COLOR",
+        // chalk/supports-color
+        "DEBUG",
+        // debug package
+        "UNDICI_NO_FG",
+        // undici (Node.js fetch)
+        "JEST_WORKER_ID",
+        // jest/vitest worker detection
+        "__MINIMATCH_TESTING_PLATFORM__",
+        // minimatch
+        "LOG_TOKENS",
+        // query engine debug logging
+        "LOG_STREAM"
+        // query engine debug logging
+      ])
+    },
+    {
+      prop: "binding",
+      target: process,
+      violationType: "process_binding",
+      strategy: "throw",
+      reason: "process.binding provides access to native Node.js modules"
+    },
+    {
+      prop: "_linkedBinding",
+      target: process,
+      violationType: "process_binding",
+      strategy: "throw",
+      reason: "process._linkedBinding provides access to native Node.js modules"
+    },
+    {
+      prop: "dlopen",
+      target: process,
+      violationType: "process_dlopen",
+      strategy: "throw",
+      reason: "process.dlopen allows loading native addons"
+    },
+    {
+      prop: "getBuiltinModule",
+      target: process,
+      violationType: "process_get_builtin_module",
+      strategy: "throw",
+      reason: "process.getBuiltinModule allows loading native Node.js modules (fs, child_process, vm)"
+    },
+    // Note: process.mainModule is handled specially in defense-in-depth-box.ts
+    // and worker-defense-in-depth.ts because it may be undefined in ESM contexts
+    // but we still want to block both reading and setting it.
+    // Process control vectors
+    {
+      prop: "exit",
+      target: process,
+      violationType: "process_exit",
+      strategy: "throw",
+      reason: "process.exit could terminate the interpreter"
+    },
+    {
+      prop: "abort",
+      target: process,
+      violationType: "process_exit",
+      strategy: "throw",
+      reason: "process.abort could crash the interpreter"
+    },
+    {
+      prop: "kill",
+      target: process,
+      violationType: "process_kill",
+      strategy: "throw",
+      reason: "process.kill could signal other processes"
+    },
+    // Privilege escalation vectors
+    {
+      prop: "setuid",
+      target: process,
+      violationType: "process_setuid",
+      strategy: "throw",
+      reason: "process.setuid could escalate privileges"
+    },
+    {
+      prop: "setgid",
+      target: process,
+      violationType: "process_setuid",
+      strategy: "throw",
+      reason: "process.setgid could escalate privileges"
+    },
+    {
+      prop: "seteuid",
+      target: process,
+      violationType: "process_setuid",
+      strategy: "throw",
+      reason: "process.seteuid could escalate effective user privileges"
+    },
+    {
+      prop: "setegid",
+      target: process,
+      violationType: "process_setuid",
+      strategy: "throw",
+      reason: "process.setegid could escalate effective group privileges"
+    },
+    {
+      prop: "initgroups",
+      target: process,
+      violationType: "process_setuid",
+      strategy: "throw",
+      reason: "process.initgroups could modify supplementary group IDs"
+    },
+    {
+      prop: "setgroups",
+      target: process,
+      violationType: "process_setuid",
+      strategy: "throw",
+      reason: "process.setgroups could modify supplementary group IDs"
+    },
+    // File permission manipulation
+    {
+      prop: "umask",
+      target: process,
+      violationType: "process_umask",
+      strategy: "throw",
+      reason: "process.umask could modify file creation permissions"
+    },
+    // Information disclosure vectors
+    // Note: process.argv is an array (object) so gets an object proxy
+    {
+      prop: "argv",
+      target: process,
+      violationType: "process_argv",
+      strategy: "throw",
+      reason: "process.argv may contain secrets in CLI arguments"
+    },
+    // Note: process.execPath is a string primitive, handled specially
+    // in defense-in-depth-box.ts and worker-defense-in-depth.ts
+    // Note: process.connected is a boolean primitive, handled specially
+    // in defense-in-depth-box.ts and worker-defense-in-depth.ts
+    // Working directory access/manipulation
+    {
+      prop: "cwd",
+      target: process,
+      violationType: "process_chdir",
+      strategy: "throw",
+      reason: "process.cwd could disclose real host working directory path"
+    },
+    {
+      prop: "chdir",
+      target: process,
+      violationType: "process_chdir",
+      strategy: "throw",
+      reason: "process.chdir could confuse the interpreter's CWD tracking"
+    },
+    // Diagnostic report (leaks full environment, host paths, system info)
+    {
+      prop: "report",
+      target: process,
+      violationType: "process_report",
+      strategy: "throw",
+      reason: "process.report could disclose full environment, host paths, and system info"
+    },
+    // Environment file loading (Node 21.7+)
+    {
+      prop: "loadEnvFile",
+      target: process,
+      violationType: "process_env",
+      strategy: "throw",
+      reason: "process.loadEnvFile could load env files bypassing env proxy"
+    },
+    // Exception handler manipulation
+    {
+      prop: "setUncaughtExceptionCaptureCallback",
+      target: process,
+      violationType: "process_exception_handler",
+      strategy: "throw",
+      reason: "setUncaughtExceptionCaptureCallback could intercept security errors"
+    },
+    // IPC communication vectors (may be undefined in non-IPC contexts)
+    {
+      prop: "send",
+      target: process,
+      violationType: "process_send",
+      strategy: "throw",
+      reason: "process.send could communicate with parent process in IPC contexts"
+    },
+    {
+      prop: "channel",
+      target: process,
+      violationType: "process_channel",
+      strategy: "throw",
+      reason: "process.channel could access IPC channel to parent process"
+    },
+    // Timing side-channel vectors
+    {
+      prop: "cpuUsage",
+      target: process,
+      violationType: "process_timing",
+      strategy: "throw",
+      reason: "process.cpuUsage could enable timing side-channel attacks"
+    },
+    {
+      prop: "memoryUsage",
+      target: process,
+      violationType: "process_timing",
+      strategy: "throw",
+      reason: "process.memoryUsage could enable timing side-channel attacks"
+    },
+    {
+      prop: "hrtime",
+      target: process,
+      violationType: "process_timing",
+      strategy: "throw",
+      reason: "process.hrtime could enable timing side-channel attacks"
+    },
+    // We also don't block `require` because:
+    // 1. It may not exist in all environments (ESM)
+    // 2. import() is the modern escape vector and can't be blocked this way
+    // Reference leak vectors
+    {
+      prop: "WeakRef",
+      target: globalThis,
+      violationType: "weak_ref",
+      strategy: "throw",
+      reason: "WeakRef could be used to leak references outside sandbox"
+    },
+    {
+      prop: "FinalizationRegistry",
+      target: globalThis,
+      violationType: "finalization_registry",
+      strategy: "throw",
+      reason: "FinalizationRegistry could be used to leak references outside sandbox"
+    },
+    // Introspection/interception vectors (freeze instead of throw)
+    // SECURITY RATIONALE: Reflect is frozen (not blocked) because:
+    // 1. Defense infrastructure uses Reflect.apply/get/set/construct internally
+    // 2. Frozen Reflect cannot be mutated but remains fully functional
+    // 3. Reflect.construct(Function, ['code']) IS safe because globalThis.Function
+    //    is replaced with a blocking proxy — Reflect.construct receives the proxy
+    // 4. Security depends on NEVER leaking original Function/eval references.
+    //    If an unpatched Function ref leaked, Reflect.construct would bypass defense.
+    {
+      prop: "Reflect",
+      target: globalThis,
+      violationType: "reflect",
+      strategy: "freeze",
+      reason: "Reflect provides introspection capabilities"
+    },
+    {
+      prop: "Proxy",
+      target: globalThis,
+      violationType: "proxy",
+      strategy: "throw",
+      reason: "Proxy allows intercepting and modifying object behavior"
+    },
+    // WebAssembly allows arbitrary code execution
+    {
+      prop: "WebAssembly",
+      target: globalThis,
+      violationType: "webassembly",
+      strategy: "throw",
+      reason: "WebAssembly allows executing arbitrary compiled code"
+    },
+    // SharedArrayBuffer and Atomics can enable side-channel attacks
+    {
+      prop: "SharedArrayBuffer",
+      target: globalThis,
+      violationType: "shared_array_buffer",
+      strategy: "throw",
+      reason: "SharedArrayBuffer could enable side-channel communication or timing attacks"
+    },
+    {
+      prop: "Atomics",
+      target: globalThis,
+      violationType: "atomics",
+      strategy: "throw",
+      reason: "Atomics could enable side-channel communication or timing attacks"
+    },
+    // Note: Error.prepareStackTrace is handled specially in defense-in-depth-box.ts
+    // because we only want to block SETTING it, not reading (V8 reads it internally)
+    // Timing side-channel: performance.now() provides sub-millisecond resolution
+    // Note: Date.now() is intentionally NOT blocked — it's used for $SECONDS,
+    // date command, and has only ~1ms resolution (vs process.hrtime at ns).
+    {
+      prop: "performance",
+      target: globalThis,
+      violationType: "performance_timing",
+      strategy: "throw",
+      reason: "performance.now() provides sub-millisecond timing for side-channel attacks"
+    },
+    // Block direct access to process.stdout and process.stderr to prevent
+    // writing to the host's actual stdout/stderr, bypassing the interpreter's
+    // output accumulation.
+    {
+      prop: "stdout",
+      target: process,
+      violationType: "process_stdout",
+      strategy: "throw",
+      reason: "process.stdout could bypass interpreter output to write to host stdout"
+    },
+    {
+      prop: "stderr",
+      target: process,
+      violationType: "process_stderr",
+      strategy: "throw",
+      reason: "process.stderr could bypass interpreter output to write to host stderr"
+    },
+    // Prototype pollution vectors
+    {
+      prop: "__defineGetter__",
+      target: Object.prototype,
+      violationType: "prototype_mutation",
+      strategy: "throw",
+      reason: "__defineGetter__ allows prototype pollution via getter injection"
+    },
+    {
+      prop: "__defineSetter__",
+      target: Object.prototype,
+      violationType: "prototype_mutation",
+      strategy: "throw",
+      reason: "__defineSetter__ allows prototype pollution via setter injection"
+    },
+    {
+      prop: "__lookupGetter__",
+      target: Object.prototype,
+      violationType: "prototype_mutation",
+      strategy: "throw",
+      reason: "__lookupGetter__ enables introspection for prototype pollution attacks"
+    },
+    {
+      prop: "__lookupSetter__",
+      target: Object.prototype,
+      violationType: "prototype_mutation",
+      strategy: "throw",
+      reason: "__lookupSetter__ enables introspection for prototype pollution attacks"
+    },
+    // Freeze JSON and Math to prevent mutation of built-in utility objects
+    {
+      prop: "JSON",
+      target: globalThis,
+      violationType: "json_mutation",
+      strategy: "freeze",
+      reason: "Freeze JSON to prevent mutation of parsing/serialization"
+    },
+    {
+      prop: "Math",
+      target: globalThis,
+      violationType: "math_mutation",
+      strategy: "freeze",
+      reason: "Freeze Math to prevent mutation of math utilities"
+    }
+  ];
+  try {
+    const AsyncFunction = Object.getPrototypeOf(async () => {
+    }).constructor;
+    if (AsyncFunction && AsyncFunction !== Function) {
+      globals.push({
+        prop: "constructor",
+        target: Object.getPrototypeOf(async () => {
+        }),
+        violationType: "async_function_constructor",
+        strategy: "throw",
+        reason: "AsyncFunction constructor allows arbitrary async code execution"
+      });
+    }
+  } catch {
+  }
+  try {
+    const GeneratorFunction = Object.getPrototypeOf(
+      function* () {
+      }
+    ).constructor;
+    if (GeneratorFunction && GeneratorFunction !== Function) {
+      globals.push({
+        prop: "constructor",
+        target: Object.getPrototypeOf(function* () {
+        }),
+        violationType: "generator_function_constructor",
+        strategy: "throw",
+        reason: "GeneratorFunction constructor allows arbitrary generator code execution"
+      });
+    }
+  } catch {
+  }
+  try {
+    const AsyncGeneratorFunction = Object.getPrototypeOf(
+      async function* () {
+      }
+    ).constructor;
+    if (AsyncGeneratorFunction && AsyncGeneratorFunction !== Function && AsyncGeneratorFunction !== Object.getPrototypeOf(async () => {
+    }).constructor) {
+      globals.push({
+        prop: "constructor",
+        target: Object.getPrototypeOf(async function* () {
+        }),
+        violationType: "async_generator_function_constructor",
+        strategy: "throw",
+        reason: "AsyncGeneratorFunction constructor allows arbitrary async generator code execution"
+      });
+    }
+  } catch {
+  }
+  return globals.filter((g) => {
+    try {
+      return g.target[g.prop] !== void 0;
+    } catch {
+      return false;
+    }
+  });
+}
+
+// src/security/defense-in-depth-box.ts
+var IS_BROWSER = typeof __BROWSER__ !== "undefined" && __BROWSER__;
+var AsyncLocalStorageClass = null;
+if (!IS_BROWSER) {
+  try {
+    const { AsyncLocalStorage } = __require("node:async_hooks");
+    AsyncLocalStorageClass = AsyncLocalStorage;
+  } catch {
+  }
+}
+var executionContext = !IS_BROWSER && AsyncLocalStorageClass ? new AsyncLocalStorageClass() : null;
+
+// src/security/worker-defense-in-depth.ts
+var DEFENSE_IN_DEPTH_NOTICE = "\n\nThis is a defense-in-depth measure and indicates a bug in just-bash. Please report this at security@vercel.com";
+var WorkerSecurityViolationError = class extends Error {
+  constructor(message, violation) {
+    super(message + DEFENSE_IN_DEPTH_NOTICE);
+    this.violation = violation;
+    this.name = "WorkerSecurityViolationError";
+  }
+  violation;
+};
+var MAX_STORED_VIOLATIONS = 1e3;
+function generateExecutionId() {
+  if (typeof crypto !== "undefined" && crypto.randomUUID) {
+    return crypto.randomUUID();
+  }
+  return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, (c) => {
+    const r = Math.random() * 16 | 0;
+    const v = c === "x" ? r : r & 3 | 8;
+    return v.toString(16);
+  });
+}
+var WorkerDefenseInDepth = class {
+  config;
+  isActivated = false;
+  originalDescriptors = [];
+  violations = [];
+  executionId;
+  /**
+   * Original Proxy constructor, captured before patching.
+   * This is captured at instance creation time to ensure we get the unpatched version.
+   */
+  originalProxy;
+  /**
+   * Recursion guard to prevent infinite loops when proxy traps trigger
+   * code that accesses the same proxied object (e.g., process.env).
+   */
+  inTrap = false;
+  /**
+   * Create and activate the worker defense layer.
+   *
+   * @param config - Configuration for the defense layer
+   */
+  constructor(config) {
+    this.originalProxy = Proxy;
+    this.config = config;
+    this.executionId = generateExecutionId();
+    if (config.enabled !== false) {
+      this.activate();
+    }
+  }
+  /**
+   * Get statistics about the defense layer.
+   */
+  getStats() {
+    return {
+      violationsBlocked: this.violations.length,
+      violations: [...this.violations],
+      isActive: this.isActivated
+    };
+  }
+  /**
+   * Clear stored violations. Useful for testing.
+   */
+  clearViolations() {
+    this.violations = [];
+  }
+  /**
+   * Get the execution ID for this worker.
+   */
+  getExecutionId() {
+    return this.executionId;
+  }
+  /**
+   * Deactivate the defense layer and restore original globals.
+   * Typically only needed for testing.
+   */
+  deactivate() {
+    if (!this.isActivated) {
+      return;
+    }
+    this.restorePatches();
+    this.isActivated = false;
+  }
+  /**
+   * Activate the defense layer by applying patches.
+   */
+  activate() {
+    if (this.isActivated) {
+      return;
+    }
+    this.applyPatches();
+    this.isActivated = true;
+  }
+  /**
+   * Get a human-readable path for a target object and property.
+   */
+  getPathForTarget(target, prop) {
+    if (target === globalThis) {
+      return `globalThis.${prop}`;
+    }
+    if (typeof process !== "undefined" && target === process) {
+      return `process.${prop}`;
+    }
+    if (target === Error) {
+      return `Error.${prop}`;
+    }
+    if (target === Function.prototype) {
+      return `Function.prototype.${prop}`;
+    }
+    if (target === Object.prototype) {
+      return `Object.prototype.${prop}`;
+    }
+    return `<object>.${prop}`;
+  }
+  /**
+   * Record a violation and invoke the callback.
+   * In worker context, blocking always happens (no audit mode context check).
+   */
+  recordViolation(type, path, message) {
+    const violation = {
+      timestamp: Date.now(),
+      type,
+      message,
+      path,
+      stack: new Error().stack,
+      executionId: this.executionId
+    };
+    if (this.violations.length < MAX_STORED_VIOLATIONS) {
+      this.violations.push(violation);
+    }
+    if (this.config.onViolation) {
+      try {
+        this.config.onViolation(violation);
+      } catch (e) {
+        console.debug(
+          "[WorkerDefenseInDepth] onViolation callback threw:",
+          e instanceof Error ? e.message : e
+        );
+      }
+    }
+    return violation;
+  }
+  /**
+   * Create a blocking proxy for a function.
+   * In worker context, always blocks (no context check needed).
+   */
+  createBlockingProxy(original, path, violationType) {
+    const self = this;
+    const auditMode = this.config.auditMode;
+    return new this.originalProxy(original, {
+      apply(target, thisArg, args) {
+        const message = `${path} is blocked in worker context`;
+        const violation = self.recordViolation(violationType, path, message);
+        if (!auditMode) {
+          throw new WorkerSecurityViolationError(message, violation);
+        }
+        return Reflect.apply(target, thisArg, args);
+      },
+      construct(target, args, newTarget) {
+        const message = `${path} constructor is blocked in worker context`;
+        const violation = self.recordViolation(violationType, path, message);
+        if (!auditMode) {
+          throw new WorkerSecurityViolationError(message, violation);
+        }
+        return Reflect.construct(target, args, newTarget);
+      }
+    });
+  }
+  /**
+   * Create a blocking proxy for an object (blocks all property access).
+   */
+  createBlockingObjectProxy(original, path, violationType, allowedKeys) {
+    const self = this;
+    const auditMode = this.config.auditMode;
+    return new this.originalProxy(original, {
+      get(target, prop, receiver) {
+        if (self.inTrap) {
+          return Reflect.get(target, prop, receiver);
+        }
+        if (allowedKeys && typeof prop === "string" && allowedKeys.has(prop)) {
+          return Reflect.get(target, prop, receiver);
+        }
+        self.inTrap = true;
+        try {
+          const fullPath = `${path}.${String(prop)}`;
+          const message = `${fullPath} is blocked in worker context`;
+          const violation = self.recordViolation(
+            violationType,
+            fullPath,
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return Reflect.get(target, prop, receiver);
+        } finally {
+          self.inTrap = false;
+        }
+      },
+      set(target, prop, value, receiver) {
+        if (self.inTrap) {
+          return Reflect.set(target, prop, value, receiver);
+        }
+        self.inTrap = true;
+        try {
+          const fullPath = `${path}.${String(prop)}`;
+          const message = `${fullPath} modification is blocked in worker context`;
+          const violation = self.recordViolation(
+            violationType,
+            fullPath,
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return Reflect.set(target, prop, value, receiver);
+        } finally {
+          self.inTrap = false;
+        }
+      },
+      ownKeys(target) {
+        if (self.inTrap) {
+          return Reflect.ownKeys(target);
+        }
+        self.inTrap = true;
+        try {
+          const message = `${path} enumeration is blocked in worker context`;
+          const violation = self.recordViolation(violationType, path, message);
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return Reflect.ownKeys(target);
+        } finally {
+          self.inTrap = false;
+        }
+      },
+      getOwnPropertyDescriptor(target, prop) {
+        if (self.inTrap) {
+          return Reflect.getOwnPropertyDescriptor(target, prop);
+        }
+        self.inTrap = true;
+        try {
+          const fullPath = `${path}.${String(prop)}`;
+          const message = `${fullPath} descriptor access is blocked in worker context`;
+          const violation = self.recordViolation(
+            violationType,
+            fullPath,
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return Reflect.getOwnPropertyDescriptor(target, prop);
+        } finally {
+          self.inTrap = false;
+        }
+      },
+      has(target, prop) {
+        if (self.inTrap) {
+          return Reflect.has(target, prop);
+        }
+        self.inTrap = true;
+        try {
+          const fullPath = `${path}.${String(prop)}`;
+          const message = `${fullPath} existence check is blocked in worker context`;
+          const violation = self.recordViolation(
+            violationType,
+            fullPath,
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return Reflect.has(target, prop);
+        } finally {
+          self.inTrap = false;
+        }
+      },
+      deleteProperty(target, prop) {
+        if (self.inTrap) {
+          return Reflect.deleteProperty(target, prop);
+        }
+        self.inTrap = true;
+        try {
+          const fullPath = `${path}.${String(prop)}`;
+          const message = `${fullPath} deletion is blocked in worker context`;
+          const violation = self.recordViolation(
+            violationType,
+            fullPath,
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return Reflect.deleteProperty(target, prop);
+        } finally {
+          self.inTrap = false;
+        }
+      },
+      setPrototypeOf(target, proto) {
+        if (self.inTrap) {
+          return Reflect.setPrototypeOf(target, proto);
+        }
+        self.inTrap = true;
+        try {
+          const message = `${path} setPrototypeOf is blocked in worker context`;
+          const violation = self.recordViolation(violationType, path, message);
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return Reflect.setPrototypeOf(target, proto);
+        } finally {
+          self.inTrap = false;
+        }
+      },
+      defineProperty(target, prop, descriptor) {
+        if (self.inTrap) {
+          return Reflect.defineProperty(target, prop, descriptor);
+        }
+        self.inTrap = true;
+        try {
+          const fullPath = `${path}.${String(prop)}`;
+          const message = `${fullPath} defineProperty is blocked in worker context`;
+          const violation = self.recordViolation(
+            violationType,
+            fullPath,
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return Reflect.defineProperty(target, prop, descriptor);
+        } finally {
+          self.inTrap = false;
+        }
+      }
+    });
+  }
+  /**
+   * Apply security patches to dangerous globals.
+   */
+  applyPatches() {
+    const blockedGlobals = getBlockedGlobals();
+    const excludeTypes = new Set(this.config.excludeViolationTypes ?? []);
+    for (const blocked of blockedGlobals) {
+      if (excludeTypes.has(blocked.violationType)) {
+        continue;
+      }
+      this.applyPatch(blocked);
+    }
+    if (!excludeTypes.has("function_constructor")) {
+      this.protectConstructorChain(excludeTypes);
+    }
+    if (!excludeTypes.has("error_prepare_stack_trace")) {
+      this.protectErrorPrepareStackTrace();
+    }
+    if (!excludeTypes.has("module_load")) {
+      this.protectModuleLoad();
+    }
+    if (!excludeTypes.has("module_resolve_filename")) {
+      this.protectModuleResolveFilename();
+    }
+    if (!excludeTypes.has("process_main_module")) {
+      this.protectProcessMainModule();
+    }
+    if (!excludeTypes.has("process_exec_path")) {
+      this.protectProcessExecPath();
+    }
+    if (!excludeTypes.has("process_connected")) {
+      this.protectProcessConnected();
+    }
+    this.lockWellKnownSymbols();
+    if (!excludeTypes.has("proxy")) {
+      this.protectProxyRevocable();
+    }
+  }
+  /**
+   * Lock well-known Symbol properties on built-in constructors/prototypes.
+   */
+  lockWellKnownSymbols() {
+    const lock = (obj, sym) => {
+      try {
+        const desc = Object.getOwnPropertyDescriptor(obj, sym);
+        if (desc?.configurable) {
+          if ("value" in desc) {
+            Object.defineProperty(obj, sym, {
+              ...desc,
+              configurable: false,
+              writable: false
+            });
+            return;
+          }
+          Object.defineProperty(obj, sym, { ...desc, configurable: false });
+        }
+      } catch {
+      }
+    };
+    for (const ctor of [Array, Map, Set, RegExp, Promise]) {
+      lock(ctor, Symbol.species);
+    }
+    for (const proto of [
+      Array.prototype,
+      String.prototype,
+      Map.prototype,
+      Set.prototype
+    ]) {
+      lock(proto, Symbol.iterator);
+    }
+    lock(Symbol.prototype, Symbol.toPrimitive);
+    lock(Date.prototype, Symbol.toPrimitive);
+    for (const sym of [
+      Symbol.match,
+      Symbol.matchAll,
+      Symbol.replace,
+      Symbol.search,
+      Symbol.split
+    ]) {
+      lock(RegExp.prototype, sym);
+    }
+    lock(Function.prototype, Symbol.hasInstance);
+    lock(Array.prototype, Symbol.unscopables);
+    for (const proto of [
+      Map.prototype,
+      Set.prototype,
+      Promise.prototype,
+      ArrayBuffer.prototype
+    ]) {
+      lock(proto, Symbol.toStringTag);
+    }
+    try {
+      const stackDesc = Object.getOwnPropertyDescriptor(
+        Error,
+        "stackTraceLimit"
+      );
+      this.originalDescriptors.push({
+        target: Error,
+        prop: "stackTraceLimit",
+        descriptor: stackDesc
+      });
+      Object.defineProperty(Error, "stackTraceLimit", {
+        value: Error.stackTraceLimit,
+        writable: false,
+        configurable: true
+      });
+    } catch {
+    }
+  }
+  /**
+   * Block Proxy.revocable to prevent bypassing Proxy constructor blocking.
+   *
+   * Proxy.revocable internally uses the real Proxy constructor, so it bypasses
+   * our blocking proxy on globalThis.Proxy. We replace it with a wrapper that
+   * always blocks in worker context.
+   */
+  protectProxyRevocable() {
+    const self = this;
+    const auditMode = this.config.auditMode;
+    try {
+      const originalRevocable = this.originalProxy.revocable;
+      if (typeof originalRevocable !== "function") return;
+      const descriptor = Object.getOwnPropertyDescriptor(
+        this.originalProxy,
+        "revocable"
+      );
+      this.originalDescriptors.push({
+        target: this.originalProxy,
+        prop: "revocable",
+        descriptor
+      });
+      Object.defineProperty(this.originalProxy, "revocable", {
+        value: function revocable(_target, _handler) {
+          const message = "Proxy.revocable is blocked in worker context";
+          const violation = self.recordViolation(
+            "proxy",
+            "Proxy.revocable",
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return originalRevocable(_target, _handler);
+        },
+        writable: false,
+        configurable: true
+        // Must be configurable for restoration
+      });
+    } catch {
+    }
+  }
+  /**
+   * Protect against .constructor.constructor escape vector.
+   * @param excludeTypes - Set of violation types to skip
+   */
+  protectConstructorChain(excludeTypes) {
+    let AsyncFunction = null;
+    let GeneratorFunction = null;
+    let AsyncGeneratorFunction = null;
+    try {
+      AsyncFunction = Object.getPrototypeOf(async () => {
+      }).constructor;
+    } catch {
+    }
+    try {
+      GeneratorFunction = Object.getPrototypeOf(function* () {
+      }).constructor;
+    } catch {
+    }
+    try {
+      AsyncGeneratorFunction = Object.getPrototypeOf(
+        async function* () {
+        }
+      ).constructor;
+    } catch {
+    }
+    this.patchPrototypeConstructor(
+      Function.prototype,
+      "Function.prototype.constructor",
+      "function_constructor"
+    );
+    if (!excludeTypes.has("async_function_constructor") && AsyncFunction && AsyncFunction !== Function) {
+      this.patchPrototypeConstructor(
+        AsyncFunction.prototype,
+        "AsyncFunction.prototype.constructor",
+        "async_function_constructor"
+      );
+    }
+    if (!excludeTypes.has("generator_function_constructor") && GeneratorFunction && GeneratorFunction !== Function) {
+      this.patchPrototypeConstructor(
+        GeneratorFunction.prototype,
+        "GeneratorFunction.prototype.constructor",
+        "generator_function_constructor"
+      );
+    }
+    if (!excludeTypes.has("async_generator_function_constructor") && AsyncGeneratorFunction && AsyncGeneratorFunction !== Function && AsyncGeneratorFunction !== AsyncFunction) {
+      this.patchPrototypeConstructor(
+        AsyncGeneratorFunction.prototype,
+        "AsyncGeneratorFunction.prototype.constructor",
+        "async_generator_function_constructor"
+      );
+    }
+  }
+  /**
+   * Protect Error.prepareStackTrace from being set.
+   */
+  protectErrorPrepareStackTrace() {
+    const self = this;
+    const auditMode = this.config.auditMode;
+    try {
+      const originalDescriptor = Object.getOwnPropertyDescriptor(
+        Error,
+        "prepareStackTrace"
+      );
+      this.originalDescriptors.push({
+        target: Error,
+        prop: "prepareStackTrace",
+        descriptor: originalDescriptor
+      });
+      let currentValue = originalDescriptor?.value;
+      Object.defineProperty(Error, "prepareStackTrace", {
+        get() {
+          return currentValue;
+        },
+        set(value) {
+          const message = "Error.prepareStackTrace modification is blocked in worker context";
+          const violation = self.recordViolation(
+            "error_prepare_stack_trace",
+            "Error.prepareStackTrace",
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          currentValue = value;
+        },
+        configurable: true
+      });
+    } catch {
+    }
+  }
+  /**
+   * Patch a prototype's constructor property.
+   *
+   * Returns a proxy that allows reading properties (like .name) but blocks
+   * calling the constructor as a function (which would allow code execution).
+   */
+  patchPrototypeConstructor(prototype, path, violationType) {
+    const self = this;
+    const auditMode = this.config.auditMode;
+    try {
+      const originalDescriptor = Object.getOwnPropertyDescriptor(
+        prototype,
+        "constructor"
+      );
+      this.originalDescriptors.push({
+        target: prototype,
+        prop: "constructor",
+        descriptor: originalDescriptor
+      });
+      const originalValue = originalDescriptor?.value;
+      const constructorProxy = originalValue && typeof originalValue === "function" ? new this.originalProxy(originalValue, {
+        apply(_target, _thisArg, _args) {
+          const message = `${path} invocation is blocked in worker context`;
+          const violation = self.recordViolation(
+            violationType,
+            path,
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return void 0;
+        },
+        construct(_target, _args, _newTarget) {
+          const message = `${path} construction is blocked in worker context`;
+          const violation = self.recordViolation(
+            violationType,
+            path,
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return {};
+        },
+        // Allow all property access (like .name, .prototype, etc.)
+        get(target, prop, receiver) {
+          return Reflect.get(target, prop, receiver);
+        },
+        getPrototypeOf(target) {
+          return Reflect.getPrototypeOf(target);
+        },
+        has(target, prop) {
+          return Reflect.has(target, prop);
+        },
+        ownKeys(target) {
+          return Reflect.ownKeys(target);
+        },
+        getOwnPropertyDescriptor(target, prop) {
+          return Reflect.getOwnPropertyDescriptor(target, prop);
+        }
+      }) : originalValue;
+      Object.defineProperty(prototype, "constructor", {
+        get() {
+          return constructorProxy;
+        },
+        set(value) {
+          const message = `${path} modification is blocked in worker context`;
+          const violation = self.recordViolation(violationType, path, message);
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          Object.defineProperty(this, "constructor", {
+            value,
+            writable: true,
+            configurable: true
+          });
+        },
+        configurable: true
+      });
+    } catch {
+    }
+  }
+  /**
+   * Protect process.mainModule from being accessed or set.
+   *
+   * The attack vector is:
+   * ```
+   * process.mainModule.require('child_process').execSync('whoami')
+   * process.mainModule.constructor._load('vm')
+   * ```
+   *
+   * process.mainModule may be undefined in ESM contexts but could exist in
+   * CommonJS workers. We block both reading and setting.
+   */
+  protectProcessMainModule() {
+    if (typeof process === "undefined") return;
+    const self = this;
+    const auditMode = this.config.auditMode;
+    try {
+      const originalDescriptor = Object.getOwnPropertyDescriptor(
+        process,
+        "mainModule"
+      );
+      this.originalDescriptors.push({
+        target: process,
+        prop: "mainModule",
+        descriptor: originalDescriptor
+      });
+      const currentValue = originalDescriptor?.value;
+      if (currentValue !== void 0) {
+        Object.defineProperty(process, "mainModule", {
+          get() {
+            const message = "process.mainModule access is blocked in worker context";
+            const violation = self.recordViolation(
+              "process_main_module",
+              "process.mainModule",
+              message
+            );
+            if (!auditMode) {
+              throw new WorkerSecurityViolationError(message, violation);
+            }
+            return currentValue;
+          },
+          set(value) {
+            const message = "process.mainModule modification is blocked in worker context";
+            const violation = self.recordViolation(
+              "process_main_module",
+              "process.mainModule",
+              message
+            );
+            if (!auditMode) {
+              throw new WorkerSecurityViolationError(message, violation);
+            }
+            Object.defineProperty(process, "mainModule", {
+              value,
+              writable: true,
+              configurable: true
+            });
+          },
+          configurable: true
+        });
+      }
+    } catch {
+    }
+  }
+  /**
+   * Protect process.execPath from being read or set in worker context.
+   *
+   * process.execPath is a string primitive (not an object), so it cannot be
+   * proxied via the normal blocked globals mechanism. We use Object.defineProperty
+   * with getter/setter (same pattern as protectProcessMainModule).
+   */
+  protectProcessExecPath() {
+    if (typeof process === "undefined") return;
+    const self = this;
+    const auditMode = this.config.auditMode;
+    try {
+      const originalDescriptor = Object.getOwnPropertyDescriptor(
+        process,
+        "execPath"
+      );
+      this.originalDescriptors.push({
+        target: process,
+        prop: "execPath",
+        descriptor: originalDescriptor
+      });
+      const currentValue = originalDescriptor?.value ?? process.execPath;
+      Object.defineProperty(process, "execPath", {
+        get() {
+          const message = "process.execPath access is blocked in worker context";
+          const violation = self.recordViolation(
+            "process_exec_path",
+            "process.execPath",
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return currentValue;
+        },
+        set(value) {
+          const message = "process.execPath modification is blocked in worker context";
+          const violation = self.recordViolation(
+            "process_exec_path",
+            "process.execPath",
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          Object.defineProperty(process, "execPath", {
+            value,
+            writable: true,
+            configurable: true
+          });
+        },
+        configurable: true
+      });
+    } catch {
+    }
+  }
+  /**
+   * Protect process.connected from being read or set in worker context.
+   *
+   * process.connected is a boolean primitive (not an object), so it cannot be
+   * proxied via the normal blocked globals mechanism. We use Object.defineProperty
+   * with getter/setter (same pattern as protectProcessExecPath).
+   *
+   * Only protects if process.connected exists (IPC contexts).
+   */
+  protectProcessConnected() {
+    if (typeof process === "undefined") return;
+    if (process.connected === void 0) return;
+    const self = this;
+    const auditMode = this.config.auditMode;
+    try {
+      const originalDescriptor = Object.getOwnPropertyDescriptor(
+        process,
+        "connected"
+      );
+      this.originalDescriptors.push({
+        target: process,
+        prop: "connected",
+        descriptor: originalDescriptor
+      });
+      const currentValue = originalDescriptor?.value ?? process.connected;
+      Object.defineProperty(process, "connected", {
+        get() {
+          const message = "process.connected access is blocked in worker context";
+          const violation = self.recordViolation(
+            "process_connected",
+            "process.connected",
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return currentValue;
+        },
+        set(value) {
+          const message = "process.connected modification is blocked in worker context";
+          const violation = self.recordViolation(
+            "process_connected",
+            "process.connected",
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          Object.defineProperty(process, "connected", {
+            value,
+            writable: true,
+            configurable: true
+          });
+        },
+        configurable: true
+      });
+    } catch {
+    }
+  }
+  /**
+   * Protect Module._load from being called.
+   *
+   * The attack vector is:
+   * ```
+   * module.constructor._load('child_process')
+   * require.main.constructor._load('vm')
+   * ```
+   *
+   * We access the Module class and replace _load with a blocking proxy.
+   */
+  protectModuleLoad() {
+    const self = this;
+    const auditMode = this.config.auditMode;
+    try {
+      let ModuleClass = null;
+      if (typeof process !== "undefined") {
+        const mainModule = process.mainModule;
+        if (mainModule && typeof mainModule === "object") {
+          ModuleClass = mainModule.constructor;
+        }
+      }
+      if (!ModuleClass && typeof __require !== "undefined" && typeof __require.main !== "undefined") {
+        ModuleClass = __require.main.constructor;
+      }
+      if (!ModuleClass || typeof ModuleClass._load !== "function") {
+        return;
+      }
+      const original = ModuleClass._load;
+      const descriptor = Object.getOwnPropertyDescriptor(ModuleClass, "_load");
+      this.originalDescriptors.push({
+        target: ModuleClass,
+        prop: "_load",
+        descriptor
+      });
+      const path = "Module._load";
+      const proxy = new this.originalProxy(original, {
+        apply(_target, _thisArg, _args) {
+          const message = `${path} is blocked in worker context`;
+          const violation = self.recordViolation("module_load", path, message);
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return Reflect.apply(_target, _thisArg, _args);
+        }
+      });
+      Object.defineProperty(ModuleClass, "_load", {
+        value: proxy,
+        writable: true,
+        configurable: true
+      });
+    } catch {
+    }
+  }
+  /**
+   * Protect Module._resolveFilename from being called in worker context.
+   *
+   * Module._resolveFilename is called for both require() and import() resolution.
+   * Blocking it catches file-based import() specifiers.
+   *
+   * data: and blob: URLs are handled by ESM loader hooks registered
+   * in the main thread (DefenseInDepthBox.protectDynamicImport).
+   */
+  protectModuleResolveFilename() {
+    const self = this;
+    const auditMode = this.config.auditMode;
+    try {
+      let ModuleClass = null;
+      if (typeof process !== "undefined") {
+        const mainModule = process.mainModule;
+        if (mainModule && typeof mainModule === "object") {
+          ModuleClass = mainModule.constructor;
+        }
+      }
+      if (!ModuleClass && typeof __require !== "undefined" && typeof __require.main !== "undefined") {
+        ModuleClass = __require.main.constructor;
+      }
+      if (!ModuleClass || typeof ModuleClass._resolveFilename !== "function") {
+        return;
+      }
+      const original = ModuleClass._resolveFilename;
+      const descriptor = Object.getOwnPropertyDescriptor(
+        ModuleClass,
+        "_resolveFilename"
+      );
+      this.originalDescriptors.push({
+        target: ModuleClass,
+        prop: "_resolveFilename",
+        descriptor
+      });
+      const path = "Module._resolveFilename";
+      const proxy = new this.originalProxy(original, {
+        apply(_target, _thisArg, _args) {
+          const message = `${path} is blocked in worker context`;
+          const violation = self.recordViolation(
+            "module_resolve_filename",
+            path,
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return Reflect.apply(_target, _thisArg, _args);
+        }
+      });
+      Object.defineProperty(ModuleClass, "_resolveFilename", {
+        value: proxy,
+        writable: true,
+        configurable: true
+      });
+    } catch {
+    }
+  }
+  /**
+   * Apply a single patch to a blocked global.
+   */
+  applyPatch(blocked) {
+    const { target, prop, violationType, strategy } = blocked;
+    try {
+      const original = target[prop];
+      if (original === void 0) {
+        return;
+      }
+      const descriptor = Object.getOwnPropertyDescriptor(target, prop);
+      this.originalDescriptors.push({ target, prop, descriptor });
+      if (strategy === "freeze") {
+        if (typeof original === "object" && original !== null) {
+          Object.freeze(original);
+        }
+      } else {
+        const path = this.getPathForTarget(target, prop);
+        const proxy = typeof original === "function" ? this.createBlockingProxy(
+          original,
+          path,
+          violationType
+        ) : this.createBlockingObjectProxy(
+          original,
+          path,
+          violationType,
+          blocked.allowedKeys
+        );
+        Object.defineProperty(target, prop, {
+          value: proxy,
+          writable: true,
+          configurable: true
+        });
+      }
+    } catch {
+    }
+  }
+  /**
+   * Restore all original values.
+   */
+  restorePatches() {
+    for (let i = this.originalDescriptors.length - 1; i >= 0; i--) {
+      const { target, prop, descriptor } = this.originalDescriptors[i];
+      try {
+        if (descriptor) {
+          Object.defineProperty(target, prop, descriptor);
+        } else {
+          delete target[prop];
+        }
+      } catch {
+      }
+    }
+    this.originalDescriptors = [];
+  }
+};
+
+// src/security/wasm-callback.ts
+function sanitizeUnknownError(error) {
+  const message = error instanceof Error ? error.message : String(error);
+  return sanitizeErrorMessage(message);
+}
+function wrapWasmCallback(component, phase, callback) {
+  return (...args) => {
+    try {
+      return callback(...args);
+    } catch (error) {
+      const message = sanitizeUnknownError(error);
+      throw new Error(`${component} ${phase} callback failed: ${message}`);
+    }
+  };
+}
+
+// src/security/trusted-globals.ts
+var _SharedArrayBuffer = globalThis.SharedArrayBuffer;
+var _Atomics = globalThis.Atomics;
+var _performanceNow = performance.now.bind(performance);
+var _Headers = globalThis.Headers;
+
+// src/commands/worker-bridge/protocol.ts
+var OpCode = {
+  NOOP: 0,
+  READ_FILE: 1,
+  WRITE_FILE: 2,
+  STAT: 3,
+  READDIR: 4,
+  MKDIR: 5,
+  RM: 6,
+  EXISTS: 7,
+  APPEND_FILE: 8,
+  SYMLINK: 9,
+  READLINK: 10,
+  LSTAT: 11,
+  CHMOD: 12,
+  REALPATH: 13,
+  RENAME: 14,
+  COPY_FILE: 15,
+  // Special operations for I/O
+  WRITE_STDOUT: 100,
+  WRITE_STDERR: 101,
+  EXIT: 102,
+  // HTTP operations
+  HTTP_REQUEST: 200,
+  // Sub-shell execution
+  EXEC_COMMAND: 300,
+  // Tool invocation (executor mode)
+  INVOKE_TOOL: 400
+};
+var Status = {
+  PENDING: 0,
+  READY: 1,
+  SUCCESS: 2,
+  ERROR: 3
+};
+var ErrorCode = {
+  NONE: 0,
+  NOT_FOUND: 1,
+  IS_DIRECTORY: 2,
+  NOT_DIRECTORY: 3,
+  EXISTS: 4,
+  PERMISSION_DENIED: 5,
+  INVALID_PATH: 6,
+  IO_ERROR: 7,
+  TIMEOUT: 8,
+  NETWORK_ERROR: 9,
+  NETWORK_NOT_CONFIGURED: 10
+};
+var Offset = {
+  OP_CODE: 0,
+  STATUS: 4,
+  PATH_LENGTH: 8,
+  DATA_LENGTH: 12,
+  RESULT_LENGTH: 16,
+  ERROR_CODE: 20,
+  FLAGS: 24,
+  MODE: 28,
+  PATH_BUFFER: 32,
+  DATA_BUFFER: 4128
+  // 32 + 4096
+};
+var Size = {
+  CONTROL_REGION: 32,
+  PATH_BUFFER: 4096,
+  // 8MB limit for FS read/write, HTTP responses, and tool invocation results.
+  // Sized to handle typical OpenAPI/GraphQL responses (paginated lists, batch queries).
+  // Still well under the 64MB QuickJS memory limit per execution.
+  DATA_BUFFER: 8388608,
+  TOTAL: 8392736
+  // 32 + 4096 + 8MB
+};
+var Flags = {
+  NONE: 0,
+  RECURSIVE: 1,
+  FORCE: 2,
+  MKDIR_RECURSIVE: 1
+};
+var StatLayout = {
+  IS_FILE: 0,
+  IS_DIRECTORY: 1,
+  IS_SYMLINK: 2,
+  MODE: 4,
+  SIZE: 8,
+  MTIME: 16,
+  TOTAL: 24
+};
+var ProtocolBuffer = class {
+  int32View;
+  uint8View;
+  dataView;
+  constructor(buffer) {
+    this.int32View = new Int32Array(buffer);
+    this.uint8View = new Uint8Array(buffer);
+    this.dataView = new DataView(buffer);
+  }
+  getOpCode() {
+    return _Atomics.load(this.int32View, Offset.OP_CODE / 4);
+  }
+  setOpCode(code) {
+    _Atomics.store(this.int32View, Offset.OP_CODE / 4, code);
+  }
+  getStatus() {
+    return _Atomics.load(this.int32View, Offset.STATUS / 4);
+  }
+  setStatus(status) {
+    _Atomics.store(this.int32View, Offset.STATUS / 4, status);
+  }
+  getPathLength() {
+    return _Atomics.load(this.int32View, Offset.PATH_LENGTH / 4);
+  }
+  setPathLength(length) {
+    _Atomics.store(this.int32View, Offset.PATH_LENGTH / 4, length);
+  }
+  getDataLength() {
+    return _Atomics.load(this.int32View, Offset.DATA_LENGTH / 4);
+  }
+  setDataLength(length) {
+    _Atomics.store(this.int32View, Offset.DATA_LENGTH / 4, length);
+  }
+  getResultLength() {
+    return _Atomics.load(this.int32View, Offset.RESULT_LENGTH / 4);
+  }
+  setResultLength(length) {
+    _Atomics.store(this.int32View, Offset.RESULT_LENGTH / 4, length);
+  }
+  getErrorCode() {
+    return _Atomics.load(
+      this.int32View,
+      Offset.ERROR_CODE / 4
+    );
+  }
+  setErrorCode(code) {
+    _Atomics.store(this.int32View, Offset.ERROR_CODE / 4, code);
+  }
+  getFlags() {
+    return _Atomics.load(this.int32View, Offset.FLAGS / 4);
+  }
+  setFlags(flags) {
+    _Atomics.store(this.int32View, Offset.FLAGS / 4, flags);
+  }
+  getMode() {
+    return _Atomics.load(this.int32View, Offset.MODE / 4);
+  }
+  setMode(mode) {
+    _Atomics.store(this.int32View, Offset.MODE / 4, mode);
+  }
+  getPath() {
+    const length = this.getPathLength();
+    const bytes = this.uint8View.slice(
+      Offset.PATH_BUFFER,
+      Offset.PATH_BUFFER + length
+    );
+    return new TextDecoder().decode(bytes);
+  }
+  setPath(path) {
+    const encoded = new TextEncoder().encode(path);
+    if (encoded.length > Size.PATH_BUFFER) {
+      throw new Error(`Path too long: ${encoded.length} > ${Size.PATH_BUFFER}`);
+    }
+    this.uint8View.set(encoded, Offset.PATH_BUFFER);
+    this.setPathLength(encoded.length);
+  }
+  getData() {
+    const length = this.getDataLength();
+    return this.uint8View.slice(
+      Offset.DATA_BUFFER,
+      Offset.DATA_BUFFER + length
+    );
+  }
+  setData(data) {
+    if (data.length > Size.DATA_BUFFER) {
+      throw new Error(`Data too large: ${data.length} > ${Size.DATA_BUFFER}`);
+    }
+    this.uint8View.set(data, Offset.DATA_BUFFER);
+    this.setDataLength(data.length);
+  }
+  getDataAsString() {
+    const data = this.getData();
+    return new TextDecoder().decode(data);
+  }
+  setDataFromString(str) {
+    const encoded = new TextEncoder().encode(str);
+    this.setData(encoded);
+  }
+  getResult() {
+    const length = this.getResultLength();
+    return this.uint8View.slice(
+      Offset.DATA_BUFFER,
+      Offset.DATA_BUFFER + length
+    );
+  }
+  setResult(data) {
+    if (data.length > Size.DATA_BUFFER) {
+      throw new Error(`Result too large: ${data.length} > ${Size.DATA_BUFFER}`);
+    }
+    this.uint8View.set(data, Offset.DATA_BUFFER);
+    this.setResultLength(data.length);
+  }
+  getResultAsString() {
+    const result = this.getResult();
+    return new TextDecoder().decode(result);
+  }
+  setResultFromString(str) {
+    const encoded = new TextEncoder().encode(str);
+    this.setResult(encoded);
+  }
+  encodeStat(stat) {
+    this.uint8View[Offset.DATA_BUFFER + StatLayout.IS_FILE] = stat.isFile ? 1 : 0;
+    this.uint8View[Offset.DATA_BUFFER + StatLayout.IS_DIRECTORY] = stat.isDirectory ? 1 : 0;
+    this.uint8View[Offset.DATA_BUFFER + StatLayout.IS_SYMLINK] = stat.isSymbolicLink ? 1 : 0;
+    this.dataView.setInt32(
+      Offset.DATA_BUFFER + StatLayout.MODE,
+      stat.mode,
+      true
+    );
+    const size = Math.min(stat.size, Number.MAX_SAFE_INTEGER);
+    this.dataView.setFloat64(Offset.DATA_BUFFER + StatLayout.SIZE, size, true);
+    this.dataView.setFloat64(
+      Offset.DATA_BUFFER + StatLayout.MTIME,
+      stat.mtime.getTime(),
+      true
+    );
+    this.setResultLength(StatLayout.TOTAL);
+  }
+  decodeStat() {
+    return {
+      isFile: this.uint8View[Offset.DATA_BUFFER + StatLayout.IS_FILE] === 1,
+      isDirectory: this.uint8View[Offset.DATA_BUFFER + StatLayout.IS_DIRECTORY] === 1,
+      isSymbolicLink: this.uint8View[Offset.DATA_BUFFER + StatLayout.IS_SYMLINK] === 1,
+      mode: this.dataView.getInt32(Offset.DATA_BUFFER + StatLayout.MODE, true),
+      size: this.dataView.getFloat64(
+        Offset.DATA_BUFFER + StatLayout.SIZE,
+        true
+      ),
+      mtime: new Date(
+        this.dataView.getFloat64(Offset.DATA_BUFFER + StatLayout.MTIME, true)
+      )
+    };
+  }
+  waitForReady(timeout) {
+    return _Atomics.wait(
+      this.int32View,
+      Offset.STATUS / 4,
+      Status.PENDING,
+      timeout
+    );
+  }
+  waitForReadyAsync(timeout) {
+    return _Atomics.waitAsync(
+      this.int32View,
+      Offset.STATUS / 4,
+      Status.PENDING,
+      timeout
+    );
+  }
+  /**
+   * Wait for status to become READY.
+   * Returns immediately if status is already READY, or waits until it changes.
+   */
+  async waitUntilReady(timeout) {
+    const startTime = Date.now();
+    while (true) {
+      const status = this.getStatus();
+      if (status === Status.READY) {
+        return true;
+      }
+      const elapsed = Date.now() - startTime;
+      if (elapsed >= timeout) {
+        return false;
+      }
+      const remainingMs = timeout - elapsed;
+      const result = _Atomics.waitAsync(
+        this.int32View,
+        Offset.STATUS / 4,
+        status,
+        remainingMs
+      );
+      if (result.async) {
+        const waitResult = await result.value;
+        if (waitResult === "timed-out") {
+          return false;
+        }
+      }
+    }
+  }
+  waitForResult(timeout) {
+    return _Atomics.wait(
+      this.int32View,
+      Offset.STATUS / 4,
+      Status.READY,
+      timeout
+    );
+  }
+  notify() {
+    return _Atomics.notify(this.int32View, Offset.STATUS / 4);
+  }
+  reset() {
+    this.setOpCode(OpCode.NOOP);
+    this.setStatus(Status.PENDING);
+    this.setPathLength(0);
+    this.setDataLength(0);
+    this.setResultLength(0);
+    this.setErrorCode(ErrorCode.NONE);
+    this.setFlags(Flags.NONE);
+    this.setMode(0);
+  }
+};
+
+// src/commands/worker-bridge/sync-backend.ts
+var SyncBackend = class {
+  protocol;
+  operationTimeoutMs;
+  constructor(sharedBuffer, operationTimeoutMs = 3e4) {
+    this.protocol = new ProtocolBuffer(sharedBuffer);
+    this.operationTimeoutMs = operationTimeoutMs;
+  }
+  execSync(opCode, path, data, flags = 0, mode = 0) {
+    this.protocol.reset();
+    this.protocol.setOpCode(opCode);
+    this.protocol.setPath(path);
+    this.protocol.setFlags(flags);
+    this.protocol.setMode(mode);
+    if (data) {
+      this.protocol.setData(data);
+    }
+    this.protocol.setStatus(Status.READY);
+    this.protocol.notify();
+    const waitResult = this.protocol.waitForResult(this.operationTimeoutMs);
+    if (waitResult === "timed-out") {
+      return { success: false, error: "Operation timed out" };
+    }
+    const status = this.protocol.getStatus();
+    if (status === Status.SUCCESS) {
+      return { success: true, result: this.protocol.getResult() };
+    }
+    return {
+      success: false,
+      error: this.protocol.getResultAsString() || `Error code: ${this.protocol.getErrorCode()}`
+    };
+  }
+  readFile(path) {
+    const result = this.execSync(OpCode.READ_FILE, path);
+    if (!result.success) {
+      throw new Error(result.error || "Failed to read file");
+    }
+    return result.result ?? new Uint8Array(0);
+  }
+  writeFile(path, data) {
+    const result = this.execSync(OpCode.WRITE_FILE, path, data);
+    if (!result.success) {
+      throw new Error(result.error || "Failed to write file");
+    }
+  }
+  stat(path) {
+    const result = this.execSync(OpCode.STAT, path);
+    if (!result.success) {
+      throw new Error(result.error || "Failed to stat");
+    }
+    return this.protocol.decodeStat();
+  }
+  lstat(path) {
+    const result = this.execSync(OpCode.LSTAT, path);
+    if (!result.success) {
+      throw new Error(result.error || "Failed to lstat");
+    }
+    return this.protocol.decodeStat();
+  }
+  readdir(path) {
+    const result = this.execSync(OpCode.READDIR, path);
+    if (!result.success) {
+      throw new Error(result.error || "Failed to readdir");
+    }
+    return JSON.parse(this.protocol.getResultAsString());
+  }
+  mkdir(path, recursive = false) {
+    const flags = recursive ? Flags.MKDIR_RECURSIVE : 0;
+    const result = this.execSync(OpCode.MKDIR, path, void 0, flags);
+    if (!result.success) {
+      throw new Error(result.error || "Failed to mkdir");
+    }
+  }
+  rm(path, recursive = false, force = false) {
+    let flags = 0;
+    if (recursive) flags |= Flags.RECURSIVE;
+    if (force) flags |= Flags.FORCE;
+    const result = this.execSync(OpCode.RM, path, void 0, flags);
+    if (!result.success) {
+      throw new Error(result.error || "Failed to rm");
+    }
+  }
+  exists(path) {
+    const result = this.execSync(OpCode.EXISTS, path);
+    if (!result.success) {
+      return false;
+    }
+    return result.result?.[0] === 1;
+  }
+  appendFile(path, data) {
+    const result = this.execSync(OpCode.APPEND_FILE, path, data);
+    if (!result.success) {
+      throw new Error(result.error || "Failed to append file");
+    }
+  }
+  symlink(target, linkPath) {
+    const targetData = new TextEncoder().encode(target);
+    const result = this.execSync(OpCode.SYMLINK, linkPath, targetData);
+    if (!result.success) {
+      throw new Error(result.error || "Failed to symlink");
+    }
+  }
+  readlink(path) {
+    const result = this.execSync(OpCode.READLINK, path);
+    if (!result.success) {
+      throw new Error(result.error || "Failed to readlink");
+    }
+    return this.protocol.getResultAsString();
+  }
+  chmod(path, mode) {
+    const result = this.execSync(OpCode.CHMOD, path, void 0, 0, mode);
+    if (!result.success) {
+      throw new Error(result.error || "Failed to chmod");
+    }
+  }
+  realpath(path) {
+    const result = this.execSync(OpCode.REALPATH, path);
+    if (!result.success) {
+      throw new Error(result.error || "Failed to realpath");
+    }
+    return this.protocol.getResultAsString();
+  }
+  rename(oldPath, newPath) {
+    const newPathData = new TextEncoder().encode(newPath);
+    const result = this.execSync(OpCode.RENAME, oldPath, newPathData);
+    if (!result.success) {
+      throw new Error(result.error || "Failed to rename");
+    }
+  }
+  copyFile(src, dest) {
+    const destData = new TextEncoder().encode(dest);
+    const result = this.execSync(OpCode.COPY_FILE, src, destData);
+    if (!result.success) {
+      throw new Error(result.error || "Failed to copyFile");
+    }
+  }
+  writeStdout(data) {
+    const encoded = new TextEncoder().encode(data);
+    const result = this.execSync(OpCode.WRITE_STDOUT, "", encoded);
+    if (!result.success) {
+      throw new Error(result.error || "Failed to write stdout");
+    }
+  }
+  writeStderr(data) {
+    const encoded = new TextEncoder().encode(data);
+    const result = this.execSync(OpCode.WRITE_STDERR, "", encoded);
+    if (!result.success) {
+      throw new Error(result.error || "Failed to write stderr");
+    }
+  }
+  exit(code) {
+    this.execSync(OpCode.EXIT, "", void 0, code);
+  }
+  /**
+   * Make an HTTP request through the main thread's secureFetch.
+   * Returns the response as a parsed object.
+   */
+  httpRequest(url, options) {
+    const requestData = options ? new TextEncoder().encode(JSON.stringify(options)) : void 0;
+    const result = this.execSync(OpCode.HTTP_REQUEST, url, requestData);
+    if (!result.success) {
+      throw new Error(result.error || "HTTP request failed");
+    }
+    const responseJson = new TextDecoder().decode(result.result);
+    const parsed = JSON.parse(responseJson);
+    const bodyBase64 = parsed.bodyBase64 ?? "";
+    const body = atob(bodyBase64);
+    return {
+      status: parsed.status,
+      statusText: parsed.statusText,
+      headers: parsed.headers,
+      url: parsed.url,
+      body,
+      bodyBase64
+    };
+  }
+  /**
+   * Execute a shell command through the main thread's exec function.
+   * Returns the result as { stdout, stderr, exitCode }.
+   */
+  execCommand(command, stdin) {
+    const requestData = stdin ? new TextEncoder().encode(JSON.stringify({ stdin })) : void 0;
+    const result = this.execSync(OpCode.EXEC_COMMAND, command, requestData);
+    if (!result.success) {
+      throw new Error(result.error || "Command execution failed");
+    }
+    const responseJson = new TextDecoder().decode(result.result);
+    return JSON.parse(responseJson);
+  }
+  /**
+   * Execute a shell command with structured args (shell-escaped on the main thread).
+   * Prevents command injection from unsanitized args.
+   */
+  execCommandArgs(command, args) {
+    const requestData = new TextEncoder().encode(JSON.stringify({ args }));
+    const result = this.execSync(OpCode.EXEC_COMMAND, command, requestData);
+    if (!result.success) {
+      throw new Error(result.error || "Command execution failed");
+    }
+    const responseJson = new TextDecoder().decode(result.result);
+    return JSON.parse(responseJson);
+  }
+  /**
+   * Invoke a tool through the main thread's invokeTool hook.
+   * Returns the JSON-serialized result.
+   */
+  invokeTool(path, argsJson) {
+    const requestData = argsJson ? new TextEncoder().encode(argsJson) : void 0;
+    const result = this.execSync(OpCode.INVOKE_TOOL, path, requestData);
+    if (!result.success) {
+      throw new Error(result.error || "Tool invocation failed");
+    }
+    return new TextDecoder().decode(result.result);
+  }
+};
+
+// src/commands/python3/worker.ts
+import { readFileSync } from "node:fs";
+var require2 = createRequire(import.meta.url);
+var CPYTHON_ENTRY_BASENAME = "/vendor/cpython-emscripten/python.cjs";
+var CPYTHON_STDLIB_BASENAME = "/vendor/cpython-emscripten/python313.zip";
+var moduleLoadGuardInstalled = false;
+function normalizePath(path) {
+  return path.replace(/\\/g, "/");
+}
+function isApprovedCpythonEntryPath(path) {
+  return normalizePath(path).endsWith(CPYTHON_ENTRY_BASENAME);
+}
+function isApprovedStdlibZipPath(path) {
+  return normalizePath(path).endsWith(CPYTHON_STDLIB_BASENAME);
+}
+function assertApprovedPath(path, kind) {
+  const ok = kind === "cpython-entry" ? isApprovedCpythonEntryPath(path) : isApprovedStdlibZipPath(path);
+  if (!ok) {
+    throw new Error(
+      `[Defense-in-depth] rejected ${kind} path outside approved vendor bundle: ${path}`
+    );
+  }
+}
+try {
+  const NodeModule = require2("node:module");
+  if (typeof NodeModule._load === "function") {
+    const originalLoad = NodeModule._load;
+    const blockedModules = /* @__PURE__ */ new Set([
+      "child_process",
+      "node:child_process",
+      "cluster",
+      "node:cluster",
+      "dgram",
+      "node:dgram",
+      "dns",
+      "node:dns",
+      "net",
+      "node:net",
+      "tls",
+      "node:tls",
+      "vm",
+      "node:vm",
+      "v8",
+      "node:v8",
+      "inspector",
+      "node:inspector",
+      "inspector/promises",
+      "node:inspector/promises",
+      "trace_events",
+      "node:trace_events",
+      "perf_hooks",
+      "node:perf_hooks",
+      "worker_threads",
+      "node:worker_threads"
+    ]);
+    NodeModule._load = function(request, ...rest) {
+      if (blockedModules.has(request)) {
+        throw new Error(
+          `[Defense-in-depth] require('${request}') is blocked in worker context`
+        );
+      }
+      return originalLoad.apply(this, [request, ...rest]);
+    };
+    moduleLoadGuardInstalled = true;
+  }
+} catch {
+}
+var cpythonEntryPath;
+try {
+  cpythonEntryPath = require2.resolve(
+    "../../../vendor/cpython-emscripten/python.cjs"
+  );
+} catch (_e) {
+  cpythonEntryPath = dirname(import.meta.url).replace("file://", "") + "/../../../vendor/cpython-emscripten/python.cjs";
+}
+assertApprovedPath(cpythonEntryPath, "cpython-entry");
+var cpythonDir = dirname(cpythonEntryPath);
+var stdlibZipPath = `${cpythonDir}/python313.zip`;
+assertApprovedPath(stdlibZipPath, "cpython-stdlib");
+function createHOSTFS(backend, FS, PATH) {
+  const ERRNO_CODES = Object.assign(
+    /* @__PURE__ */ Object.create(null),
+    {
+      EPERM: 63,
+      ENOENT: 44,
+      EIO: 29,
+      EBADF: 8,
+      EAGAIN: 6,
+      EACCES: 2,
+      EBUSY: 10,
+      EEXIST: 20,
+      ENOTDIR: 54,
+      EISDIR: 31,
+      EINVAL: 28,
+      EMFILE: 33,
+      ENOSPC: 51,
+      ESPIPE: 70,
+      EROFS: 69,
+      ENOTEMPTY: 55,
+      ENOSYS: 52,
+      ENOTSUP: 138,
+      ENODATA: 42
+    }
+  );
+  function realPath(node) {
+    const parts = [];
+    while (node.parent !== node) {
+      parts.push(node.name);
+      node = node.parent;
+    }
+    parts.push(node.mount.opts.root);
+    parts.reverse();
+    return PATH.join(...parts);
+  }
+  function tryFSOperation(f) {
+    try {
+      return f();
+    } catch (e) {
+      const msg = e?.message?.toLowerCase() || (typeof e === "string" ? e.toLowerCase() : "");
+      let code = ERRNO_CODES.EIO;
+      if (msg.includes("no such file") || msg.includes("not found")) {
+        code = ERRNO_CODES.ENOENT;
+      } else if (msg.includes("is a directory")) {
+        code = ERRNO_CODES.EISDIR;
+      } else if (msg.includes("not a directory")) {
+        code = ERRNO_CODES.ENOTDIR;
+      } else if (msg.includes("already exists")) {
+        code = ERRNO_CODES.EEXIST;
+      } else if (msg.includes("permission")) {
+        code = ERRNO_CODES.EACCES;
+      } else if (msg.includes("not empty")) {
+        code = ERRNO_CODES.ENOTEMPTY;
+      }
+      throw new FS.ErrnoError(code);
+    }
+  }
+  function getMode(path) {
+    return tryFSOperation(() => {
+      const stat = backend.stat(path);
+      let mode = stat.mode & 511;
+      if (stat.isDirectory) {
+        mode |= 16384;
+      } else if (stat.isSymbolicLink) {
+        mode |= 40960;
+      } else {
+        mode |= 32768;
+      }
+      return mode;
+    });
+  }
+  const HOSTFS = {
+    mount(_mount) {
+      return HOSTFS.createNode(null, "/", 16877, 0);
+    },
+    createNode(parent, name, mode, dev) {
+      if (!FS.isDir(mode) && !FS.isFile(mode) && !FS.isLink(mode)) {
+        throw new FS.ErrnoError(ERRNO_CODES.EINVAL);
+      }
+      const node = FS.createNode(parent, name, mode, dev);
+      node.node_ops = HOSTFS.node_ops;
+      node.stream_ops = HOSTFS.stream_ops;
+      return node;
+    },
+    node_ops: {
+      getattr(node) {
+        const path = realPath(node);
+        return tryFSOperation(() => {
+          const stat = backend.stat(path);
+          let mode = stat.mode & 511;
+          if (stat.isDirectory) {
+            mode |= 16384;
+          } else if (stat.isSymbolicLink) {
+            mode |= 40960;
+          } else {
+            mode |= 32768;
+          }
+          return {
+            dev: 1,
+            ino: node.id,
+            mode,
+            nlink: 1,
+            uid: 0,
+            gid: 0,
+            rdev: 0,
+            size: stat.size,
+            atime: stat.mtime,
+            mtime: stat.mtime,
+            ctime: stat.mtime,
+            blksize: 4096,
+            blocks: Math.ceil(stat.size / 512)
+          };
+        });
+      },
+      setattr(node, attr) {
+        const path = realPath(node);
+        const mode = attr.mode;
+        if (mode !== void 0) {
+          tryFSOperation(() => backend.chmod(path, mode));
+          node.mode = mode;
+        }
+        if (attr.size !== void 0) {
+          tryFSOperation(() => {
+            const content = backend.readFile(path);
+            const newContent = content.slice(0, attr.size);
+            backend.writeFile(path, newContent);
+          });
+        }
+      },
+      lookup(parent, name) {
+        const path = PATH.join2(realPath(parent), name);
+        const mode = getMode(path);
+        return HOSTFS.createNode(parent, name, mode);
+      },
+      mknod(parent, name, mode, _dev) {
+        const node = HOSTFS.createNode(parent, name, mode, _dev);
+        const path = realPath(node);
+        tryFSOperation(() => {
+          if (FS.isDir(node.mode)) {
+            backend.mkdir(path, false);
+          } else {
+            backend.writeFile(path, new Uint8Array(0));
+          }
+        });
+        return node;
+      },
+      rename(oldNode, newDir, newName) {
+        const oldPath = realPath(oldNode);
+        const newPath = PATH.join2(realPath(newDir), newName);
+        tryFSOperation(() => {
+          const content = backend.readFile(oldPath);
+          backend.writeFile(newPath, content);
+          backend.rm(oldPath, false, false);
+        });
+        oldNode.name = newName;
+      },
+      unlink(parent, name) {
+        const path = PATH.join2(realPath(parent), name);
+        tryFSOperation(() => backend.rm(path, false, false));
+      },
+      rmdir(parent, name) {
+        const path = PATH.join2(realPath(parent), name);
+        tryFSOperation(() => backend.rm(path, false, false));
+      },
+      readdir(node) {
+        const path = realPath(node);
+        return tryFSOperation(() => backend.readdir(path));
+      },
+      symlink(parent, newName, oldPath) {
+        const newPath = PATH.join2(realPath(parent), newName);
+        tryFSOperation(() => backend.symlink(oldPath, newPath));
+      },
+      readlink(node) {
+        const path = realPath(node);
+        return tryFSOperation(() => backend.readlink(path));
+      }
+    },
+    stream_ops: {
+      open(stream) {
+        const path = realPath(stream.node);
+        const flags = stream.flags;
+        const O_WRONLY = 1;
+        const O_RDWR = 2;
+        const O_CREAT = 64;
+        const O_TRUNC = 512;
+        const O_APPEND = 1024;
+        const accessMode = flags & 3;
+        const isWrite = accessMode === O_WRONLY || accessMode === O_RDWR;
+        const isCreate = (flags & O_CREAT) !== 0;
+        const isTruncate = (flags & O_TRUNC) !== 0;
+        const isAppend = (flags & O_APPEND) !== 0;
+        if (FS.isDir(stream.node.mode)) {
+          return;
+        }
+        let content;
+        try {
+          if (isTruncate && isWrite) {
+            content = new Uint8Array(0);
+          } else {
+            content = backend.readFile(path);
+          }
+        } catch (_e) {
+          if (isCreate && isWrite) {
+            content = new Uint8Array(0);
+          } else {
+            throw new FS.ErrnoError(ERRNO_CODES.ENOENT);
+          }
+        }
+        stream.hostContent = content;
+        stream.hostModified = isTruncate && isWrite;
+        stream.hostPath = path;
+        if (isAppend) {
+          stream.position = content.length;
+        }
+      },
+      close(stream) {
+        const hostPath = stream.hostPath;
+        const hostContent = stream.hostContent;
+        if (stream.hostModified && hostContent && hostPath) {
+          tryFSOperation(() => backend.writeFile(hostPath, hostContent));
+        }
+        delete stream.hostContent;
+        delete stream.hostModified;
+        delete stream.hostPath;
+      },
+      read(stream, buffer, offset, length, position) {
+        const content = stream.hostContent;
+        if (!content) return 0;
+        const size = content.length;
+        if (position >= size) return 0;
+        const bytesToRead = Math.min(length, size - position);
+        buffer.set(content.subarray(position, position + bytesToRead), offset);
+        return bytesToRead;
+      },
+      write(stream, buffer, offset, length, position) {
+        let content = stream.hostContent || new Uint8Array(0);
+        const newSize = Math.max(content.length, position + length);
+        if (newSize > content.length) {
+          const newContent = new Uint8Array(newSize);
+          newContent.set(content);
+          content = newContent;
+          stream.hostContent = content;
+        }
+        content.set(buffer.subarray(offset, offset + length), position);
+        stream.hostModified = true;
+        return length;
+      },
+      llseek(stream, offset, whence) {
+        const SEEK_CUR = 1;
+        const SEEK_END = 2;
+        let position = offset;
+        if (whence === SEEK_CUR) {
+          position += stream.position;
+        } else if (whence === SEEK_END) {
+          if (FS.isFile(stream.node.mode)) {
+            const content = stream.hostContent;
+            position += content ? content.length : 0;
+          }
+        }
+        if (position < 0) {
+          throw new FS.ErrnoError(ERRNO_CODES.EINVAL);
+        }
+        return position;
+      }
+    }
+  };
+  return HOSTFS;
+}
+function generateSetupCode(input) {
+  const envSetup = Object.entries(input.env).map(([key, value]) => {
+    return `os.environ[${JSON.stringify(key)}] = ${JSON.stringify(value)}`;
+  }).join("\n");
+  const argv0 = input.scriptPath || "python3";
+  const argvList = [argv0, ...input.args].map((arg) => JSON.stringify(arg)).join(", ");
+  return `
+import os
+import sys
+import json
+
+${envSetup}
+
+sys.argv = [${argvList}]
+
+# Path redirection: redirect /absolute paths to /host mount
+def _should_redirect(path):
+    return (isinstance(path, str) and
+            path.startswith('/') and
+            not path.startswith('/lib') and
+            not path.startswith('/proc') and
+            not path.startswith('/host') and
+            not path.startswith('/_jb_http'))
+
+# builtins.open
+import builtins
+_orig_open = builtins.open
+def _redir_open(path, mode='r', *args, **kwargs):
+    if _should_redirect(path):
+        path = '/host' + path
+    return _orig_open(path, mode, *args, **kwargs)
+builtins.open = _redir_open
+
+# os file operations
+_orig_listdir = os.listdir
+def _redir_listdir(path='.'):
+    if _should_redirect(path):
+        path = '/host' + path
+    return _orig_listdir(path)
+os.listdir = _redir_listdir
+
+_orig_exists = os.path.exists
+def _redir_exists(path):
+    if _should_redirect(path):
+        path = '/host' + path
+    return _orig_exists(path)
+os.path.exists = _redir_exists
+
+_orig_isfile = os.path.isfile
+def _redir_isfile(path):
+    if _should_redirect(path):
+        path = '/host' + path
+    return _orig_isfile(path)
+os.path.isfile = _redir_isfile
+
+_orig_isdir = os.path.isdir
+def _redir_isdir(path):
+    if _should_redirect(path):
+        path = '/host' + path
+    return _orig_isdir(path)
+os.path.isdir = _redir_isdir
+
+_orig_stat = os.stat
+def _redir_stat(path, *args, **kwargs):
+    if _should_redirect(path):
+        path = '/host' + path
+    return _orig_stat(path, *args, **kwargs)
+os.stat = _redir_stat
+
+_orig_mkdir = os.mkdir
+def _redir_mkdir(path, *args, **kwargs):
+    if _should_redirect(path):
+        path = '/host' + path
+    return _orig_mkdir(path, *args, **kwargs)
+os.mkdir = _redir_mkdir
+
+_orig_makedirs = os.makedirs
+def _redir_makedirs(path, *args, **kwargs):
+    if _should_redirect(path):
+        path = '/host' + path
+    return _orig_makedirs(path, *args, **kwargs)
+os.makedirs = _redir_makedirs
+
+_orig_remove = os.remove
+def _redir_remove(path, *args, **kwargs):
+    if _should_redirect(path):
+        path = '/host' + path
+    return _orig_remove(path, *args, **kwargs)
+os.remove = _redir_remove
+
+_orig_rmdir = os.rmdir
+def _redir_rmdir(path, *args, **kwargs):
+    if _should_redirect(path):
+        path = '/host' + path
+    return _orig_rmdir(path, *args, **kwargs)
+os.rmdir = _redir_rmdir
+
+_orig_getcwd = os.getcwd
+def _redir_getcwd():
+    cwd = _orig_getcwd()
+    if cwd.startswith('/host'):
+        return cwd[5:]
+    return cwd
+os.getcwd = _redir_getcwd
+
+_orig_chdir = os.chdir
+def _redir_chdir(path):
+    if _should_redirect(path):
+        path = '/host' + path
+    return _orig_chdir(path)
+os.chdir = _redir_chdir
+
+# glob
+import glob as _glob_module
+_orig_glob = _glob_module.glob
+def _redir_glob(pathname, *args, **kwargs):
+    if _should_redirect(pathname):
+        pathname = '/host' + pathname
+    return _orig_glob(pathname, *args, **kwargs)
+_glob_module.glob = _redir_glob
+
+_orig_iglob = _glob_module.iglob
+def _redir_iglob(pathname, *args, **kwargs):
+    if _should_redirect(pathname):
+        pathname = '/host' + pathname
+    return _orig_iglob(pathname, *args, **kwargs)
+_glob_module.iglob = _redir_iglob
+
+# os.walk
+_orig_walk = os.walk
+def _redir_walk(top, *args, **kwargs):
+    redirected = False
+    if _should_redirect(top):
+        top = '/host' + top
+        redirected = True
+    for dirpath, dirnames, filenames in _orig_walk(top, *args, **kwargs):
+        if redirected and dirpath.startswith('/host'):
+            dirpath = dirpath[5:] if len(dirpath) > 5 else '/'
+        yield dirpath, dirnames, filenames
+os.walk = _redir_walk
+
+# os.scandir
+_orig_scandir = os.scandir
+def _redir_scandir(path='.'):
+    if _should_redirect(path):
+        path = '/host' + path
+    return _orig_scandir(path)
+os.scandir = _redir_scandir
+
+# io.open
+import io as _io_module
+_io_module.open = builtins.open
+
+# shutil
+import shutil as _shutil_module
+
+_orig_shutil_copy = _shutil_module.copy
+def _redir_shutil_copy(src, dst, *args, **kwargs):
+    if _should_redirect(src): src = '/host' + src
+    if _should_redirect(dst): dst = '/host' + dst
+    return _orig_shutil_copy(src, dst, *args, **kwargs)
+_shutil_module.copy = _redir_shutil_copy
+
+_orig_shutil_copy2 = _shutil_module.copy2
+def _redir_shutil_copy2(src, dst, *args, **kwargs):
+    if _should_redirect(src): src = '/host' + src
+    if _should_redirect(dst): dst = '/host' + dst
+    return _orig_shutil_copy2(src, dst, *args, **kwargs)
+_shutil_module.copy2 = _redir_shutil_copy2
+
+_orig_shutil_copyfile = _shutil_module.copyfile
+def _redir_shutil_copyfile(src, dst, *args, **kwargs):
+    if _should_redirect(src): src = '/host' + src
+    if _should_redirect(dst): dst = '/host' + dst
+    return _orig_shutil_copyfile(src, dst, *args, **kwargs)
+_shutil_module.copyfile = _redir_shutil_copyfile
+
+_orig_shutil_copytree = _shutil_module.copytree
+def _redir_shutil_copytree(src, dst, *args, **kwargs):
+    if _should_redirect(src): src = '/host' + src
+    if _should_redirect(dst): dst = '/host' + dst
+    return _orig_shutil_copytree(src, dst, *args, **kwargs)
+_shutil_module.copytree = _redir_shutil_copytree
+
+_orig_shutil_move = _shutil_module.move
+def _redir_shutil_move(src, dst, *args, **kwargs):
+    if _should_redirect(src): src = '/host' + src
+    if _should_redirect(dst): dst = '/host' + dst
+    return _orig_shutil_move(src, dst, *args, **kwargs)
+_shutil_module.move = _redir_shutil_move
+
+_orig_shutil_rmtree = _shutil_module.rmtree
+def _redir_shutil_rmtree(path, *args, **kwargs):
+    if _should_redirect(path): path = '/host' + path
+    return _orig_shutil_rmtree(path, *args, **kwargs)
+_shutil_module.rmtree = _redir_shutil_rmtree
+
+# pathlib.Path
+from pathlib import Path
+
+def _redirect_path(p):
+    s = str(p)
+    if _should_redirect(s):
+        return Path('/host' + s)
+    return p
+
+Path._orig_stat = Path.stat
+def _path_stat(self, *args, **kwargs):
+    return _redirect_path(self)._orig_stat(*args, **kwargs)
+Path.stat = _path_stat
+
+Path._orig_exists = Path.exists
+def _path_exists(self):
+    return _redirect_path(self)._orig_exists()
+Path.exists = _path_exists
+
+Path._orig_is_file = Path.is_file
+def _path_is_file(self):
+    return _redirect_path(self)._orig_is_file()
+Path.is_file = _path_is_file
+
+Path._orig_is_dir = Path.is_dir
+def _path_is_dir(self):
+    return _redirect_path(self)._orig_is_dir()
+Path.is_dir = _path_is_dir
+
+Path._orig_open = Path.open
+def _path_open(self, *args, **kwargs):
+    return _redirect_path(self)._orig_open(*args, **kwargs)
+Path.open = _path_open
+
+Path._orig_read_text = Path.read_text
+def _path_read_text(self, *args, **kwargs):
+    return _redirect_path(self)._orig_read_text(*args, **kwargs)
+Path.read_text = _path_read_text
+
+Path._orig_read_bytes = Path.read_bytes
+def _path_read_bytes(self):
+    return _redirect_path(self)._orig_read_bytes()
+Path.read_bytes = _path_read_bytes
+
+Path._orig_write_text = Path.write_text
+def _path_write_text(self, *args, **kwargs):
+    return _redirect_path(self)._orig_write_text(*args, **kwargs)
+Path.write_text = _path_write_text
+
+Path._orig_write_bytes = Path.write_bytes
+def _path_write_bytes(self, data):
+    return _redirect_path(self)._orig_write_bytes(data)
+Path.write_bytes = _path_write_bytes
+
+Path._orig_mkdir = Path.mkdir
+def _path_mkdir(self, *args, **kwargs):
+    return _redirect_path(self)._orig_mkdir(*args, **kwargs)
+Path.mkdir = _path_mkdir
+
+Path._orig_rmdir = Path.rmdir
+def _path_rmdir(self):
+    return _redirect_path(self)._orig_rmdir()
+Path.rmdir = _path_rmdir
+
+Path._orig_unlink = Path.unlink
+def _path_unlink(self, *args, **kwargs):
+    return _redirect_path(self)._orig_unlink(*args, **kwargs)
+Path.unlink = _path_unlink
+
+Path._orig_iterdir = Path.iterdir
+def _path_iterdir(self):
+    redirected = _redirect_path(self)
+    for p in redirected._orig_iterdir():
+        s = str(p)
+        if s.startswith('/host'):
+            yield Path(s[5:])
+        else:
+            yield p
+Path.iterdir = _path_iterdir
+
+Path._orig_glob = Path.glob
+def _path_glob(self, pattern):
+    redirected = _redirect_path(self)
+    for p in redirected._orig_glob(pattern):
+        s = str(p)
+        if s.startswith('/host'):
+            yield Path(s[5:])
+        else:
+            yield p
+Path.glob = _path_glob
+
+Path._orig_rglob = Path.rglob
+def _path_rglob(self, pattern):
+    redirected = _redirect_path(self)
+    for p in redirected._orig_rglob(pattern):
+        s = str(p)
+        if s.startswith('/host'):
+            yield Path(s[5:])
+        else:
+            yield p
+Path.rglob = _path_rglob
+
+# Set cwd to host mount
+os.chdir('/host' + ${JSON.stringify(input.cwd)})
+`;
+}
+function createHTTPFS(backend, FS) {
+  let lastResponse = null;
+  const encoder = new TextEncoder();
+  const decoder = new TextDecoder();
+  const HTTPFS = {
+    mount(_mount) {
+      return HTTPFS.createNode(null, "/", 16877, 0);
+    },
+    createNode(parent, name, mode, dev) {
+      const node = FS.createNode(parent, name, mode, dev);
+      node.node_ops = HTTPFS.node_ops;
+      node.stream_ops = HTTPFS.stream_ops;
+      return node;
+    },
+    node_ops: {
+      getattr(node) {
+        const isDir = node.name === "/" || node.parent === node;
+        return {
+          dev: 1,
+          ino: node.id,
+          mode: isDir ? 16877 : 33206,
+          nlink: 1,
+          uid: 0,
+          gid: 0,
+          rdev: 0,
+          size: lastResponse ? lastResponse.length : 0,
+          atime: /* @__PURE__ */ new Date(),
+          mtime: /* @__PURE__ */ new Date(),
+          ctime: /* @__PURE__ */ new Date(),
+          blksize: 4096,
+          blocks: 0
+        };
+      },
+      setattr(_node, _attr) {
+      },
+      lookup(parent, name) {
+        return HTTPFS.createNode(parent, name, 33206);
+      },
+      mknod(parent, name, mode, _dev) {
+        return HTTPFS.createNode(parent, name, mode);
+      },
+      rename() {
+      },
+      unlink() {
+      },
+      rmdir() {
+      },
+      readdir(_node) {
+        return ["request"];
+      },
+      symlink() {
+      },
+      readlink(_node) {
+        return "";
+      }
+    },
+    stream_ops: {
+      open(stream) {
+        delete stream.hostContent;
+        stream.hostModified = false;
+        const accessMode = stream.flags & 3;
+        const isRead = accessMode === 0;
+        if (isRead && lastResponse) {
+          stream.hostContent = lastResponse;
+        }
+      },
+      close(stream) {
+        if (stream.hostModified && stream.hostContent) {
+          const reqJson = decoder.decode(stream.hostContent);
+          try {
+            const req = JSON.parse(reqJson);
+            const result = backend.httpRequest(req.url, {
+              method: req.method || "GET",
+              headers: req.headers || void 0,
+              body: req.body || void 0
+            });
+            lastResponse = encoder.encode(JSON.stringify(result));
+          } catch (e) {
+            const message = sanitizeHostErrorMessage(e.message);
+            lastResponse = encoder.encode(JSON.stringify({ error: message }));
+          }
+        }
+        delete stream.hostContent;
+        delete stream.hostModified;
+      },
+      read(stream, buffer, offset, length, position) {
+        const content = stream.hostContent;
+        if (!content) return 0;
+        const size = content.length;
+        if (position >= size) return 0;
+        const bytesToRead = Math.min(length, size - position);
+        buffer.set(content.subarray(position, position + bytesToRead), offset);
+        return bytesToRead;
+      },
+      write(stream, buffer, offset, length, position) {
+        let content = stream.hostContent || new Uint8Array(0);
+        const newSize = Math.max(content.length, position + length);
+        if (newSize > content.length) {
+          const newContent = new Uint8Array(newSize);
+          newContent.set(content);
+          content = newContent;
+          stream.hostContent = content;
+        }
+        content.set(buffer.subarray(offset, offset + length), position);
+        stream.hostModified = true;
+        return length;
+      },
+      llseek(stream, offset, whence) {
+        let position = offset;
+        if (whence === 1)
+          position += stream.position;
+        else if (whence === 2) {
+          const content = stream.hostContent;
+          position += content ? content.length : 0;
+        }
+        if (position < 0) throw new FS.ErrnoError(28);
+        return position;
+      }
+    }
+  };
+  return HTTPFS;
+}
+function generateHttpBridgeCode() {
+  return `
+# HTTP bridge: jb_http module
+# Write request JSON to /_jb_http/request (custom FS triggers HTTP via SharedArrayBuffer)
+# Then read response JSON from same path.
+
+import base64 as _base64
+
+class _JbHttpResponse:
+    """HTTP response object similar to requests.Response"""
+    def __init__(self, data):
+        self.status_code = data.get('status', 0)
+        self.reason = data.get('statusText', '')
+        # @banned-pattern-ignore: Python code, not JavaScript
+        self.headers = data.get('headers', {})
+        self.url = data.get('url', '')
+        self._error = data.get('error')
+        b64 = data.get('bodyBase64')
+        if b64 is not None:
+            self.content = _base64.b64decode(b64)
+            self.text = self.content.decode('utf-8', errors='replace')
+        else:
+            self.content = b''
+            self.text = data.get('body', '')
+
+    @property
+    def ok(self):
+        return 200 <= self.status_code < 300
+
+    def json(self):
+        return json.loads(self.text)
+
+    def raise_for_status(self):
+        if self._error:
+            raise Exception(self._error)
+        if not self.ok:
+            raise Exception(f"HTTP {self.status_code}: {self.reason}")
+
+class _JbHttp:
+    """HTTP client that bridges to just-bash's secureFetch via custom FS"""
+    def _do_request(self, method, url, headers=None, body=None):
+        import json as _json
+        req = _json.dumps({'url': url, 'method': method, 'headers': headers, 'body': body})
+        # Write request to HTTPFS \u2014 close triggers the HTTP call synchronously
+        with _orig_open('/_jb_http/request', 'w') as f:
+            f.write(req)
+        # Read response (cached by HTTPFS from the HTTP call above)
+        with _orig_open('/_jb_http/request', 'r') as f:
+            return _json.loads(f.read())
+
+    def request(self, method, url, headers=None, data=None, json_data=None):
+        if json_data is not None:
+            data = json.dumps(json_data)
+            headers = headers or {}
+            headers['Content-Type'] = 'application/json'
+        result = self._do_request(method, url, headers, data)
+        if 'error' in result and result.get('status') is None:
+            raise Exception(result['error'])
+        return _JbHttpResponse(result)
+
+    def get(self, url, headers=None, **kwargs):
+        return self.request('GET', url, headers=headers, **kwargs)
+
+    def post(self, url, headers=None, data=None, json=None, **kwargs):
+        return self.request('POST', url, headers=headers, data=data, json_data=json, **kwargs)
+
+    def put(self, url, headers=None, data=None, json=None, **kwargs):
+        return self.request('PUT', url, headers=headers, data=data, json_data=json, **kwargs)
+
+    def delete(self, url, headers=None, **kwargs):
+        return self.request('DELETE', url, headers=headers, **kwargs)
+
+    def head(self, url, headers=None, **kwargs):
+        return self.request('HEAD', url, headers=headers, **kwargs)
+
+    def patch(self, url, headers=None, data=None, json=None, **kwargs):
+        return self.request('PATCH', url, headers=headers, data=data, json_data=json, **kwargs)
+
+import types
+jb_http = types.ModuleType('jb_http')
+jb_http._client = _JbHttp()
+jb_http.get = jb_http._client.get
+jb_http.post = jb_http._client.post
+jb_http.put = jb_http._client.put
+jb_http.delete = jb_http._client.delete
+jb_http.head = jb_http._client.head
+jb_http.patch = jb_http._client.patch
+jb_http.request = jb_http._client.request
+jb_http.Response = _JbHttpResponse
+sys.modules['jb_http'] = jb_http
+`;
+}
+var cachedStdlibZip = new Uint8Array(readFileSync(stdlibZipPath));
+function wrapWorkerMessage(protocolToken, message) {
+  const wrapped = /* @__PURE__ */ Object.create(null);
+  if (!message || typeof message !== "object") {
+    wrapped.success = false;
+    wrapped.error = "Worker attempted to post non-object message";
+    wrapped.protocolToken = protocolToken;
+    return wrapped;
+  }
+  for (const [key, value] of Object.entries(message))
+    wrapped[key] = value;
+  wrapped.protocolToken = protocolToken;
+  return wrapped;
+}
+function postWorkerMessage(protocolToken, message) {
+  try {
+    parentPort?.postMessage(wrapWorkerMessage(protocolToken, message));
+  } catch (error) {
+    console.debug(
+      "[python3-worker] failed to post worker message:",
+      sanitizeUnknownError(error)
+    );
+  }
+}
+async function runPython(input) {
+  if (!moduleLoadGuardInstalled) {
+    return {
+      success: false,
+      error: "Defense-in-depth module-loader guard failed to initialize; refusing to execute Python worker"
+    };
+  }
+  const backend = new SyncBackend(input.sharedBuffer, input.timeoutMs);
+  assertApprovedPath(cpythonEntryPath, "cpython-entry");
+  const createPythonModule = require2(cpythonEntryPath);
+  let moduleReady = false;
+  const pendingStdout = [];
+  const pendingStderr = [];
+  let Module;
+  try {
+    const onPreRun = wrapWasmCallback(
+      "python3-worker",
+      "preRun",
+      (mod) => {
+        mod.FS.mkdirTree("/lib");
+        mod.FS.writeFile("/lib/python313.zip", cachedStdlibZip);
+        mod.ENV.PYTHONHOME = "/";
+        mod.ENV.PYTHONPATH = "/lib/python313.zip";
+      }
+    );
+    const onPrint = wrapWasmCallback(
+      "python3-worker",
+      "print",
+      (text) => {
+        if (moduleReady) {
+          backend.writeStdout(`${text}
+`);
+        } else {
+          pendingStdout.push(`${text}
+`);
+        }
+      }
+    );
+    const onPrintErr = wrapWasmCallback(
+      "python3-worker",
+      "printErr",
+      (text) => {
+        if (typeof text === "string" && (text.includes("Could not find platform") || text.includes("LLVM Profile Error"))) {
+          return;
+        }
+        if (moduleReady) {
+          backend.writeStderr(`${text}
+`);
+        } else {
+          pendingStderr.push(`${text}
+`);
+        }
+      }
+    );
+    Module = await createPythonModule({
+      noInitialRun: true,
+      preRun: [onPreRun],
+      print: onPrint,
+      printErr: onPrintErr
+    });
+  } catch (e) {
+    const message = sanitizeHostErrorMessage(e.message);
+    return {
+      success: false,
+      error: `Failed to load CPython: ${message}`
+    };
+  }
+  activateDefense(input.protocolToken);
+  moduleReady = true;
+  for (const text of pendingStdout) backend.writeStdout(text);
+  for (const text of pendingStderr) backend.writeStderr(text);
+  const HOSTFS = createHOSTFS(backend, Module.FS, Module.PATH);
+  try {
+    Module.FS.mkdir("/host");
+    Module.FS.mount(HOSTFS, { root: "/" }, "/host");
+  } catch (e) {
+    const message = sanitizeHostErrorMessage(e.message);
+    return {
+      success: false,
+      error: `Failed to mount HOSTFS: ${message}`
+    };
+  }
+  const HTTPFS = createHTTPFS(backend, Module.FS);
+  try {
+    Module.FS.mkdir("/_jb_http");
+    Module.FS.mount(HTTPFS, { root: "/" }, "/_jb_http");
+  } catch (e) {
+    const message = sanitizeHostErrorMessage(e.message);
+    return {
+      success: false,
+      error: `Failed to mount HTTPFS: ${message}`
+    };
+  }
+  const setupCode = generateSetupCode(input);
+  const httpBridgeCode = generateHttpBridgeCode();
+  const wrappedCode = `
+import sys
+_jb_exit_code = 0
+try:
+${setupCode.split("\n").map((line) => `    ${line}`).join("\n")}
+${httpBridgeCode.split("\n").map((line) => `    ${line}`).join("\n")}
+${input.pythonCode.split("\n").map((line) => `    ${line}`).join("\n")}
+except SystemExit as e:
+    _jb_exit_code = e.code if isinstance(e.code, int) else (1 if e.code else 0)
+except Exception as e:
+    import traceback
+    traceback.print_exc()
+    _jb_exit_code = 1
+sys.exit(_jb_exit_code)
+`;
+  try {
+    Module.FS.mkdir("/tmp");
+  } catch (_e) {
+  }
+  const encoder = new TextEncoder();
+  const scriptPath = "/tmp/_jb_script.py";
+  const scriptData = encoder.encode(wrappedCode);
+  Module.FS.writeFile(scriptPath, scriptData);
+  try {
+    const ret = Module.callMain([scriptPath]);
+    const exitCode = (typeof ret === "number" ? ret : 0) || process.exitCode || 0;
+    backend.exit(exitCode);
+    return { success: true };
+  } catch (e) {
+    const error = e;
+    const exitCode = error.status ?? process.exitCode ?? 1;
+    backend.exit(exitCode);
+    return { success: true };
+  }
+}
+var defense = null;
+function activateDefense(protocolToken) {
+  if (defense) return;
+  const _DateNow = Date.now;
+  const degraded = { now: () => _DateNow(), timeOrigin: _DateNow() };
+  Object.defineProperty(globalThis, "performance", {
+    value: degraded,
+    writable: true,
+    configurable: true
+  });
+  const onViolation = wrapWasmCallback(
+    "python3-worker",
+    "onViolation",
+    (v) => {
+      postWorkerMessage(protocolToken, {
+        type: "security-violation",
+        violation: v
+      });
+    }
+  );
+  defense = new WorkerDefenseInDepth({
+    excludeViolationTypes: [
+      // SharedArrayBuffer/Atomics: Used by sync-fs-backend.ts for synchronous
+      // filesystem communication between the WASM thread and the main thread.
+      "shared_array_buffer",
+      "atomics",
+      // performance: Excluded because we replaced it above with a ms-precision
+      // stub. Defense doesn't need to block it — it's already degraded.
+      "performance_timing"
+    ],
+    onViolation
+  });
+}
+process.on("uncaughtException", (e) => {
+  if (!activeProtocolToken) {
+    return;
+  }
+  const message = sanitizeHostErrorMessage(e.message);
+  postWorkerMessage(activeProtocolToken, {
+    success: false,
+    error: `Worker uncaught exception: ${message}`
+  });
+});
+var activeProtocolToken = null;
+if (parentPort) {
+  if (workerData) {
+    const input = workerData;
+    activeProtocolToken = input.protocolToken;
+    runPython(input).then((result) => {
+      result.defenseStats = defense?.getStats();
+      postWorkerMessage(input.protocolToken, result);
+    }).catch((e) => {
+      const message = sanitizeUnknownError(e);
+      postWorkerMessage(input.protocolToken, {
+        success: false,
+        error: message,
+        defenseStats: defense?.getStats()
+      });
+    });
+  }
+}