npm - @nekzus/liop - Versions diffs - 2.1.0-beta.3 → 2.1.0-beta.5 - Mend

@nekzus/liop 2.1.0-beta.3 → 2.1.0-beta.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (92) hide show

package/README.md +12 -0
package/dist/bin/agent.js +301 -4
package/dist/bin/agent.js.map +1 -1
package/dist/bridge.d.ts +2 -2
package/dist/bridge.js +3 -1
package/dist/chunk-2JLG4DET.js +3354 -0
package/dist/chunk-2JLG4DET.js.map +1 -0
package/dist/chunk-32ADSAJS.js +104 -0
package/dist/chunk-32ADSAJS.js.map +1 -0
package/dist/chunk-72MNYFR6.js +64 -0
package/dist/chunk-72MNYFR6.js.map +1 -0
package/dist/chunk-CT6NHSYP.js +30 -0
package/dist/chunk-CT6NHSYP.js.map +1 -0
package/dist/chunk-E5QBDD5E.js +469 -0
package/dist/chunk-E5QBDD5E.js.map +1 -0
package/dist/chunk-HB5DXX3Q.js +1976 -0
package/dist/chunk-HB5DXX3Q.js.map +1 -0
package/dist/chunk-IJHTRIZC.js +56 -0
package/dist/chunk-IJHTRIZC.js.map +1 -0
package/dist/chunk-J3WPBMJ5.js +332 -0
package/dist/chunk-J3WPBMJ5.js.map +1 -0
package/dist/chunk-NJRSFFD7.js +815 -0
package/dist/chunk-NJRSFFD7.js.map +1 -0
package/dist/chunk-OUUTDSOW.js +24 -0
package/dist/chunk-OUUTDSOW.js.map +1 -0
package/dist/chunk-PHTWUTY7.js +300 -0
package/dist/chunk-PHTWUTY7.js.map +1 -0
package/dist/chunk-QLCOEP5J.js +68 -0
package/dist/chunk-QLCOEP5J.js.map +1 -0
package/dist/chunk-RDWCGZ2A.js +87 -0
package/dist/chunk-RDWCGZ2A.js.map +1 -0
package/dist/chunk-RWRRBYG4.js +1 -0
package/dist/chunk-UVO7DII3.js +463 -0
package/dist/chunk-UVO7DII3.js.map +1 -0
package/dist/client.d.ts +2 -2
package/dist/client.js +8 -1
package/dist/gateway.d.ts +2 -2
package/dist/gateway.js +9 -1
package/dist/{index-DO97j6hP.d.ts → index-BlGc0iym.d.ts} +10 -1
package/dist/{index-Brfvxmdt.d.ts → index-qM8ZH8sC.d.ts} +1 -1
package/dist/index.d.ts +5 -5
package/dist/index.js +58 -4
package/dist/index.js.map +1 -1
package/dist/kyber-3ULIJSE3.js +3 -0
package/dist/{kyber-NONMBQNH.js.map → kyber-3ULIJSE3.js.map} +1 -1
package/dist/mesh.js +4 -1
package/dist/server.d.ts +2 -2
package/dist/server.js +6 -1
package/dist/{types-DzEXgi4s.d.ts → types-sKeUxuky.d.ts} +4 -46
package/dist/types.d.ts +1 -1
package/dist/types.js +2 -1
package/dist/verifier-3FAKCFNN.js +5 -0
package/dist/{verifier-XU2DB56Z.js.map → verifier-3FAKCFNN.js.map} +1 -1
package/dist/workers/logic-execution.js +255 -1
package/dist/workers/logic-execution.js.map +1 -1
package/dist/workers/zk-verifier.js +173 -1
package/dist/workers/zk-verifier.js.map +1 -1
package/package.json +74 -45
package/dist/chunk-2MGFSIXN.js +0 -2
package/dist/chunk-2MGFSIXN.js.map +0 -1
package/dist/chunk-4C666HHU.js +0 -2
package/dist/chunk-4C666HHU.js.map +0 -1
package/dist/chunk-ANFXJGMP.js +0 -2
package/dist/chunk-ANFXJGMP.js.map +0 -1
package/dist/chunk-DBXGYHKY.js +0 -2
package/dist/chunk-DBXGYHKY.js.map +0 -1
package/dist/chunk-DQ6UW6L7.js +0 -2
package/dist/chunk-DQ6UW6L7.js.map +0 -1
package/dist/chunk-GI2LSJYZ.js +0 -13
package/dist/chunk-GI2LSJYZ.js.map +0 -1
package/dist/chunk-GJUZGKZW.js +0 -3
package/dist/chunk-GJUZGKZW.js.map +0 -1
package/dist/chunk-I46YEWND.js +0 -33
package/dist/chunk-I46YEWND.js.map +0 -1
package/dist/chunk-PWCXZWSE.js +0 -2
package/dist/chunk-PWCXZWSE.js.map +0 -1
package/dist/chunk-RYYRR4N5.js +0 -31
package/dist/chunk-RYYRR4N5.js.map +0 -1
package/dist/chunk-S6RJHZV2.js +0 -2
package/dist/chunk-S6RJHZV2.js.map +0 -1
package/dist/chunk-SB5XJXKV.js +0 -2
package/dist/chunk-SB5XJXKV.js.map +0 -1
package/dist/chunk-T3L6OCM3.js +0 -3
package/dist/chunk-T3L6OCM3.js.map +0 -1
package/dist/chunk-TYVG6TXQ.js +0 -2
package/dist/chunk-TYVG6TXQ.js.map +0 -1
package/dist/chunk-UCCGDGHE.js +0 -54
package/dist/chunk-UCCGDGHE.js.map +0 -1
package/dist/chunk-V5MKJT6S.js +0 -2
package/dist/chunk-V5MKJT6S.js.map +0 -1
package/dist/kyber-NONMBQNH.js +0 -2
package/dist/verifier-XU2DB56Z.js +0 -2

package/dist/chunk-J3WPBMJ5.js ADDED Viewed

@@ -0,0 +1,332 @@
+import crypto from 'crypto';
+import * as fs from 'fs/promises';
+import * as os from 'os';
+import * as path from 'path';
+import vm from 'vm';
+import { WASI } from 'wasi';
+// src/sandbox/guardian.ts
+var GuardianError = class extends Error {
+  constructor(message) {
+    super(`AST Sec-Policy Violation: ${message}`);
+    this.name = "GuardianError";
+  }
+};
+var ASTGuardian = {
+  /**
+   * Analyzes the WebAssembly Module interface proactively.
+   *
+   * @param module - The compiled WebAssembly.Module to inspect
+   * @throws {GuardianError} If illegal imports or capabilities are detected
+   */
+  analyze(module) {
+    const imports = WebAssembly.Module.imports(module);
+    let _importCount = 0;
+    const ALLOWED_WASI_FUNCTIONS = /* @__PURE__ */ new Set([
+      "fd_write",
+      "fd_read",
+      "fd_close",
+      "fd_seek",
+      "environ_get",
+      "environ_sizes_get",
+      "args_get",
+      "args_sizes_get",
+      "clock_time_get",
+      "random_get",
+      "proc_exit",
+      "fd_prestat_get",
+      "fd_prestat_dir_name",
+      "fd_fdstat_get"
+    ]);
+    for (const imp of imports) {
+      if (imp.module === "wasi_snapshot_preview1") {
+        if (!ALLOWED_WASI_FUNCTIONS.has(imp.name)) {
+          throw new GuardianError(
+            `Banned WASI Import Detected: ${imp.module}/${imp.name}`
+          );
+        }
+      } else {
+        throw new GuardianError(
+          `Banned Host Import Module Detected: ${imp.module}`
+        );
+      }
+      _importCount++;
+      if (_importCount > 128) {
+        throw new GuardianError(
+          "Import limit exceeded. Possible resource exhaustion attack."
+        );
+      }
+    }
+  }
+};
+var originalEmit = process.emit;
+process.emit = (name, data, ...args) => {
+  if (name === "warning" && typeof data === "object" && data.name === "ExperimentalWarning" && String(data.message).includes("WASI") || String(data.message).includes("importing WASI")) {
+    return false;
+  }
+  return originalEmit.call(process, name, data, ...args);
+};
+function getDefaultEnvironment() {
+  const isWindows = process.platform === "win32";
+  const safeKeys = isWindows ? [
+    "APPDATA",
+    "HOMEDRIVE",
+    "HOMEPATH",
+    "LOCALAPPDATA",
+    "PATH",
+    "PROCESSOR_ARCHITECTURE",
+    "SYSTEMDRIVE",
+    "SYSTEMROOT",
+    "TEMP",
+    "USERNAME",
+    "USERPROFILE",
+    "PROGRAMFILES"
+  ] : ["HOME", "LOGNAME", "PATH", "SHELL", "TERM", "USER"];
+  const env = {
+    NODE_ENV: "production",
+    LIOP_NODE: "true"
+  };
+  for (const key of safeKeys) {
+    const val = process.env[key];
+    if (val !== void 0 && !val.startsWith("()")) {
+      env[key] = val;
+    }
+  }
+  return env;
+}
+var WasiSandbox = class {
+  wasi;
+  sandboxId;
+  workingDir;
+  config;
+  stdoutHandle = null;
+  stderrHandle = null;
+  constructor(config = {}) {
+    this.sandboxId = crypto.randomUUID();
+    this.workingDir = path.join(
+      os.tmpdir(),
+      "liop-mesh",
+      "sandboxes",
+      this.sandboxId
+    );
+    this.config = config;
+  }
+  /**
+   * Initializes the physical sandbox environment with strict directory lockdown.
+   */
+  async init() {
+    try {
+      await fs.mkdir(this.workingDir, { recursive: true });
+      this.stdoutHandle = await fs.open(
+        path.join(this.workingDir, "stdout.log"),
+        "w+"
+      );
+      this.stderrHandle = await fs.open(
+        path.join(this.workingDir, "stderr.log"),
+        "w+"
+      );
+      this.wasi = new WASI({
+        version: "preview1",
+        args: ["liop_runtime"],
+        env: this.config.allowEnv ? { ...getDefaultEnvironment(), RUNTIME_ID: this.sandboxId } : {
+          NODE_ENV: "production",
+          LIOP_NODE: "true",
+          RUNTIME_ID: this.sandboxId
+        },
+        preopens: {
+          "/sandbox": this.workingDir,
+          ...this.config.allowedDirectories
+        },
+        stdout: this.stdoutHandle.fd,
+        stderr: this.stderrHandle.fd
+      });
+    } catch (error) {
+      throw new Error(
+        `Sandbox Initialization Failed: ${error instanceof Error ? error.message : "FS Error"}`
+      );
+    }
+  }
+  /**
+   * Executes logic (WASM or JS-Wrapped) with hard resource limits.
+   */
+  async execute(compiledLogic, records = [], inputs = {}) {
+    const startTime = performance.now();
+    if (compiledLogic instanceof Buffer) {
+      try {
+        const module = await WebAssembly.compile(new Uint8Array(compiledLogic));
+        ASTGuardian.analyze(module);
+        const instance = await WebAssembly.instantiate(
+          module,
+          this.wasi.getImportObject()
+        );
+        this.wasi.start(instance);
+        const stdoutPath = path.join(this.workingDir, "stdout.log");
+        const stderrPath = path.join(this.workingDir, "stderr.log");
+        const stdout = await fs.readFile(stdoutPath, "utf-8");
+        const stderr = await fs.readFile(stderrPath, "utf-8");
+        const duration = performance.now() - startTime;
+        return {
+          output: stdout || (stderr ? `Error: ${stderr}` : "WASM_EXECUTION_SUCCESS"),
+          fuelConsumed: Math.floor(duration * 1e3)
+        };
+      } catch (error) {
+        throw new Error(
+          `WASM Runtime Error: ${error instanceof Error ? error.message : String(error)}`
+        );
+      }
+    } else {
+      const sandboxEnv = /* @__PURE__ */ Object.create(null);
+      const env = { records, ...inputs };
+      sandboxEnv.require = void 0;
+      sandboxEnv.process = void 0;
+      sandboxEnv.global = void 0;
+      sandboxEnv.globalThis = void 0;
+      sandboxEnv.Buffer = void 0;
+      sandboxEnv.setTimeout = void 0;
+      sandboxEnv.setInterval = void 0;
+      sandboxEnv.setImmediate = void 0;
+      sandboxEnv.queueMicrotask = void 0;
+      sandboxEnv.eval = void 0;
+      sandboxEnv.Function = void 0;
+      sandboxEnv.SharedArrayBuffer = void 0;
+      sandboxEnv.Date = void 0;
+      sandboxEnv.ArrayBuffer = void 0;
+      sandboxEnv.Uint8Array = void 0;
+      sandboxEnv.Int8Array = void 0;
+      sandboxEnv.Uint16Array = void 0;
+      sandboxEnv.Int16Array = void 0;
+      sandboxEnv.Uint32Array = void 0;
+      sandboxEnv.Int32Array = void 0;
+      sandboxEnv.Float32Array = void 0;
+      sandboxEnv.Float64Array = void 0;
+      sandboxEnv.BigInt64Array = void 0;
+      sandboxEnv.BigUint64Array = void 0;
+      sandboxEnv.DataView = void 0;
+      const toNullPrototype = (obj) => {
+        if (!obj || typeof obj !== "object") {
+          return obj;
+        }
+        if (Array.isArray(obj)) {
+          return obj.map(toNullPrototype);
+        }
+        const clone = /* @__PURE__ */ Object.create(null);
+        for (const [key, val] of Object.entries(obj)) {
+          clone[key] = toNullPrototype(val);
+        }
+        return clone;
+      };
+      sandboxEnv.records = toNullPrototype(JSON.parse(JSON.stringify(records)));
+      sandboxEnv.env = toNullPrototype(JSON.parse(JSON.stringify(env)));
+      for (const [key, value] of Object.entries(inputs)) {
+        sandboxEnv[key] = toNullPrototype(JSON.parse(JSON.stringify(value)));
+      }
+      const deepFreeze = (obj) => {
+        if (obj && typeof obj === "object" && !Object.isFrozen(obj)) {
+          Object.freeze(obj);
+          for (const key of Object.keys(obj)) {
+            deepFreeze(obj[key]);
+          }
+        }
+        return obj;
+      };
+      deepFreeze(sandboxEnv.records);
+      deepFreeze(sandboxEnv.env);
+      for (const key of Object.keys(sandboxEnv)) {
+        Object.defineProperty(sandboxEnv, key, {
+          writable: false,
+          configurable: false
+        });
+      }
+      let processedLogic = String(compiledLogic);
+      if (/^\s*return\s/m.test(processedLogic) || !processedLogic.includes("function liop_main")) {
+        if (!processedLogic.includes("function liop_main")) {
+          processedLogic = `function liop_main(env) {
+${processedLogic}
+}`;
+        }
+      }
+      const scriptCode = `
+				(function() {
+					"use strict";
+					try {
+						// Pre-execution prototype freezing (PCI-DSS Compliance)
+						Object.freeze(Object.prototype);
+						Object.freeze(Array.prototype);
+						Object.freeze(String.prototype);
+						Object.freeze(Number.prototype);
+						Object.freeze(Boolean.prototype);
+						Object.freeze(RegExp.prototype);
+						Object.freeze(Map.prototype);
+						Object.freeze(Set.prototype);
+						Object.freeze(Promise.prototype);
+						Object.freeze(Error.prototype);
+						Object.freeze(Object.getPrototypeOf(function(){}));
+						${processedLogic}
+						if (typeof liop_main === 'function') {
+							return liop_main(env);
+						}
+						return "ERR_NO_ENTRY_POINT";
+					} catch(e) {
+						return "LogicError: " + e.message;
+					}
+				})();
+			`;
+      try {
+        const script = new vm.Script(scriptCode, {
+          filename: `liop-sandbox-${this.sandboxId.slice(0, 8)}.js`
+        });
+        if (!process.env.VITEST && typeof Object.prototype === "object" && !Object.isFrozen(Object.prototype)) {
+          Object.freeze(Object.prototype);
+          Object.freeze(Array.prototype);
+          Object.freeze(String.prototype);
+          Object.freeze(Number.prototype);
+          Object.freeze(Boolean.prototype);
+          Object.freeze(RegExp.prototype);
+          Object.freeze(Map.prototype);
+          Object.freeze(Set.prototype);
+          Object.freeze(Promise.prototype);
+          Object.freeze(Error.prototype);
+        }
+        const context = vm.createContext(sandboxEnv, {
+          name: "LIOP Isolate",
+          origin: "liop://sandbox",
+          microtaskMode: "afterEvaluate"
+        });
+        const output = script.runInContext(context, {
+          timeout: 5e3,
+          breakOnSigint: true,
+          displayErrors: true
+        });
+        const duration = performance.now() - startTime;
+        const rawFuel = Math.floor(duration * 1500 + 100);
+        const fuelUsed = Math.ceil(rawFuel / 100) * 100;
+        if (fuelUsed > 1e6) {
+          throw new Error(
+            "LIOP_RESOURCE_EXHAUSTED: Execution fuel limit exceeded."
+          );
+        }
+        return { output, fuelConsumed: fuelUsed };
+      } catch (error) {
+        throw new Error(
+          `V8 Isolate Fault: ${error instanceof Error ? error.message : "Execution Timeout"}`
+        );
+      }
+    }
+  }
+  /**
+   * Physically cleans up the sandbox and releases resources.
+   */
+  async teardown() {
+    try {
+      if (this.stdoutHandle) await this.stdoutHandle.close();
+      if (this.stderrHandle) await this.stderrHandle.close();
+      await fs.rm(this.workingDir, { recursive: true, force: true });
+    } catch (_e) {
+    }
+  }
+};
+export { ASTGuardian, WasiSandbox, getDefaultEnvironment };
+//# sourceMappingURL=chunk-J3WPBMJ5.js.map
+//# sourceMappingURL=chunk-J3WPBMJ5.js.map

package/dist/chunk-J3WPBMJ5.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/sandbox/guardian.ts","../src/sandbox/wasi.ts"],"names":[],"mappings":";;;;;;;;AAAO,IAAM,aAAA,GAAN,cAA4B,KAAA,CAAM;AAAA,EACxC,YAAY,OAAA,EAAiB;AAC5B,IAAA,KAAA,CAAM,CAAA,0BAAA,EAA6B,OAAO,CAAA,CAAE,CAAA;AAC5C,IAAA,IAAA,CAAK,IAAA,GAAO,eAAA;AAAA,EACb;AACD,CAAA;AAQO,IAAM,WAAA,GAAc;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAO1B,QAAQ,MAAA,EAAkC;AACzC,IAAA,MAAM,OAAA,GAAU,WAAA,CAAY,MAAA,CAAO,OAAA,CAAQ,MAAM,CAAA;AACjD,IAAA,IAAI,YAAA,GAAe,CAAA;AAEnB,IAAA,MAAM,sBAAA,uBAA6B,GAAA,CAAI;AAAA,MACtC,UAAA;AAAA,MACA,SAAA;AAAA,MACA,UAAA;AAAA,MACA,SAAA;AAAA,MACA,aAAA;AAAA,MACA,mBAAA;AAAA,MACA,UAAA;AAAA,MACA,gBAAA;AAAA,MACA,gBAAA;AAAA,MACA,YAAA;AAAA,MACA,WAAA;AAAA,MACA,gBAAA;AAAA,MACA,qBAAA;AAAA,MACA;AAAA,KACA,CAAA;AAED,IAAA,KAAA,MAAW,OAAO,OAAA,EAAS;AAE1B,MAAA,IAAI,GAAA,CAAI,WAAW,wBAAA,EAA0B;AAC5C,QAAA,IAAI,CAAC,sBAAA,CAAuB,GAAA,CAAI,GAAA,CAAI,IAAI,CAAA,EAAG;AAC1C,UAAA,MAAM,IAAI,aAAA;AAAA,YACT,CAAA,6BAAA,EAAgC,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,IAAI,CAAA;AAAA,WACvD;AAAA,QACD;AAAA,MACD,CAAA,MAAO;AACN,QAAA,MAAM,IAAI,aAAA;AAAA,UACT,CAAA,oCAAA,EAAuC,IAAI,MAAM,CAAA;AAAA,SAClD;AAAA,MACD;AACA,MAAA,YAAA,EAAA;AAEA,MAAA,IAAI,eAAe,GAAA,EAAK;AACvB,QAAA,MAAM,IAAI,aAAA;AAAA,UACT;AAAA,SACD;AAAA,MACD;AAAA,IACD;AAAA,EAKD;AACD;AC1DA,IAAM,eAAe,OAAA,CAAQ,IAAA;AAE7B,OAAA,CAAQ,IAAA,GAAO,CAAC,IAAA,EAAM,IAAA,EAAA,GAAS,IAAA,KAAS;AACvC,EAAA,IACE,IAAA,KAAS,aACT,OAAO,IAAA,KAAS,YACf,IAAA,CAAiC,IAAA,KAAS,yBAC3C,MAAA,CAAQ,IAAA,CAAiC,OAAO,CAAA,CAAE,QAAA,CAAS,MAAM,CAAA,IAClE,MAAA,CAAQ,KAAiC,OAAO,CAAA,CAAE,QAAA,CAAS,gBAAgB,CAAA,EAC1E;AACD,IAAA,OAAO,KAAA;AAAA,EACR;AACA,EAAA,OAAO,aAAa,IAAA,CAAK,OAAA,EAAS,IAAA,EAAM,IAAA,EAAM,GAAG,IAAI,CAAA;AACtD,CAAA;AAMO,SAAS,qBAAA,GAAgD;AAC/D,EAAA,MAAM,SAAA,GAAY,QAAQ,QAAA,KAAa,OAAA;AACvC,EAAA,MAAM,WAAW,SAAA,GACd;AAAA,IACA,SAAA;AAAA,IACA,WAAA;AAAA,IACA,UAAA;AAAA,IACA,cAAA;AAAA,IACA,MAAA;AAAA,IACA,wBAAA;AAAA,IACA,aAAA;AAAA,IACA,YAAA;AAAA,IACA,MAAA;AAAA,IACA,UAAA;AAAA,IACA,aAAA;AAAA,IACA;AAAA,MAEA,CAAC,MAAA,EAAQ,WAAW,MAAA,EAAQ,OAAA,EAAS,QAAQ,MAAM,CAAA;AAEtD,EAAA,MAAM,GAAA,GAA8B;AAAA,IACnC,QAAA,EAAU,YAAA;AAAA,IACV,SAAA,EAAW;AAAA,GACZ;AAEA,EAAA,KAAA,MAAW,OAAO,QAAA,EAAU;AAC3B,IAAA,MAAM,GAAA,GAAM,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA;AAC3B,IAAA,IAAI,QAAQ,MAAA,IAAa,CAAC,GAAA,CAAI,UAAA,CAAW,IAAI,CAAA,EAAG;AAC/C,MAAA,GAAA,CAAI,GAAG,CAAA,GAAI,GAAA;AAAA,IACZ;AAAA,EACD;AAEA,EAAA,OAAO,GAAA;AACR;AAeO,IAAM,cAAN,MAAkB;AAAA,EAChB,IAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA;AAAA,EACA,MAAA;AAAA,EACA,YAAA,GAAqC,IAAA;AAAA,EACrC,YAAA,GAAqC,IAAA;AAAA,EAE7C,WAAA,CAAY,MAAA,GAAwB,EAAC,EAAG;AACvC,IAAA,IAAA,CAAK,SAAA,GAAY,OAAO,UAAA,EAAW;AAEnC,IAAA,IAAA,CAAK,UAAA,GAAkB,IAAA,CAAA,IAAA;AAAA,MACnB,EAAA,CAAA,MAAA,EAAO;AAAA,MACV,WAAA;AAAA,MACA,WAAA;AAAA,MACA,IAAA,CAAK;AAAA,KACN;AACA,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EACf;AAAA;AAAA;AAAA;AAAA,EAKA,MAAa,IAAA,GAAsB;AAClC,IAAA,IAAI;AACH,MAAA,MAAS,SAAM,IAAA,CAAK,UAAA,EAAY,EAAE,SAAA,EAAW,MAAM,CAAA;AAGnD,MAAA,IAAA,CAAK,eAAe,MAAS,EAAA,CAAA,IAAA;AAAA,QACvB,IAAA,CAAA,IAAA,CAAK,IAAA,CAAK,UAAA,EAAY,YAAY,CAAA;AAAA,QACvC;AAAA,OACD;AACA,MAAA,IAAA,CAAK,eAAe,MAAS,EAAA,CAAA,IAAA;AAAA,QACvB,IAAA,CAAA,IAAA,CAAK,IAAA,CAAK,UAAA,EAAY,YAAY,CAAA;AAAA,QACvC;AAAA,OACD;AAEA,MAAA,IAAA,CAAK,IAAA,GAAO,IAAI,IAAA,CAAK;AAAA,QACpB,OAAA,EAAS,UAAA;AAAA,QACT,IAAA,EAAM,CAAC,cAAc,CAAA;AAAA,QACrB,GAAA,EAAK,IAAA,CAAK,MAAA,CAAO,QAAA,GACd,EAAE,GAAG,qBAAA,EAAsB,EAAG,UAAA,EAAY,IAAA,CAAK,SAAA,EAAU,GACzD;AAAA,UACA,QAAA,EAAU,YAAA;AAAA,UACV,SAAA,EAAW,MAAA;AAAA,UACX,YAAY,IAAA,CAAK;AAAA,SAClB;AAAA,QACF,QAAA,EAAU;AAAA,UACT,YAAY,IAAA,CAAK,UAAA;AAAA,UACjB,GAAG,KAAK,MAAA,CAAO;AAAA,SAChB;AAAA,QACA,MAAA,EAAQ,KAAK,YAAA,CAAa,EAAA;AAAA,QAC1B,MAAA,EAAQ,KAAK,YAAA,CAAa;AAAA,OAC1B,CAAA;AAAA,IACF,SAAS,KAAA,EAAO;AACf,MAAA,MAAM,IAAI,KAAA;AAAA,QACT,CAAA,+BAAA,EAAkC,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,UAAU,UAAU,CAAA;AAAA,OACtF;AAAA,IACD;AAAA,EACD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAa,QACZ,aAAA,EACA,OAAA,GAAqC,EAAC,EACtC,MAAA,GAAkC,EAAC,EACkB;AACrD,IAAA,MAAM,SAAA,GAAY,YAAY,GAAA,EAAI;AAElC,IAAA,IAAI,yBAAyB,MAAA,EAAQ;AAEpC,MAAA,IAAI;AACH,QAAA,MAAM,SAAS,MAAM,WAAA,CAAY,QAAQ,IAAI,UAAA,CAAW,aAAa,CAAC,CAAA;AAGtE,QAAA,WAAA,CAAY,QAAQ,MAAM,CAAA;AAE1B,QAAA,MAAM,QAAA,GAAW,MAAM,WAAA,CAAY,WAAA;AAAA,UAClC,MAAA;AAAA,UACA,IAAA,CAAK,KAAK,eAAA;AAAgB,SAC3B;AAGA,QAAA,IAAA,CAAK,IAAA,CAAK,MAAM,QAAQ,CAAA;AAGxB,QAAA,MAAM,UAAA,GAAkB,IAAA,CAAA,IAAA,CAAK,IAAA,CAAK,UAAA,EAAY,YAAY,CAAA;AAC1D,QAAA,MAAM,UAAA,GAAkB,IAAA,CAAA,IAAA,CAAK,IAAA,CAAK,UAAA,EAAY,YAAY,CAAA;AAC1D,QAAA,MAAM,MAAA,GAAS,MAAS,EAAA,CAAA,QAAA,CAAS,UAAA,EAAY,OAAO,CAAA;AACpD,QAAA,MAAM,MAAA,GAAS,MAAS,EAAA,CAAA,QAAA,CAAS,UAAA,EAAY,OAAO,CAAA;AAEpD,QAAA,MAAM,QAAA,GAAW,WAAA,CAAY,GAAA,EAAI,GAAI,SAAA;AACrC,QAAA,OAAO;AAAA,UACN,MAAA,EACC,MAAA,KAAW,MAAA,GAAS,CAAA,OAAA,EAAU,MAAM,CAAA,CAAA,GAAK,wBAAA,CAAA;AAAA,UAC1C,YAAA,EAAc,IAAA,CAAK,KAAA,CAAM,QAAA,GAAW,GAAI;AAAA,SACzC;AAAA,MACD,SAAS,KAAA,EAAgB;AACxB,QAAA,MAAM,IAAI,KAAA;AAAA,UACT,uBAAuB,KAAA,YAAiB,KAAA,GAAQ,MAAM,OAAA,GAAU,MAAA,CAAO,KAAK,CAAC,CAAA;AAAA,SAC9E;AAAA,MACD;AAAA,IACD,CAAA,MAAO;AAKN,MAAA,MAAM,UAAA,mBAAkB,MAAA,CAAO,MAAA,CAAO,IAAI,CAAA;AAC1C,MAAA,MAAM,GAAA,GAAM,EAAE,OAAA,EAAS,GAAG,MAAA,EAAO;AAGjC,MAAA,UAAA,CAAW,OAAA,GAAU,MAAA;AACrB,MAAA,UAAA,CAAW,OAAA,GAAU,MAAA;AACrB,MAAA,UAAA,CAAW,MAAA,GAAS,MAAA;AACpB,MAAA,UAAA,CAAW,UAAA,GAAa,MAAA;AACxB,MAAA,UAAA,CAAW,MAAA,GAAS,MAAA;AACpB,MAAA,UAAA,CAAW,UAAA,GAAa,MAAA;AACxB,MAAA,UAAA,CAAW,WAAA,GAAc,MAAA;AACzB,MAAA,UAAA,CAAW,YAAA,GAAe,MAAA;AAC1B,MAAA,UAAA,CAAW,cAAA,GAAiB,MAAA;AAC5B,MAAA,UAAA,CAAW,IAAA,GAAO,MAAA;AAClB,MAAA,UAAA,CAAW,QAAA,GAAW,MAAA;AACtB,MAAA,UAAA,CAAW,iBAAA,GAAoB,MAAA;AAC/B,MAAA,UAAA,CAAW,IAAA,GAAO,MAAA;AAMlB,MAAA,UAAA,CAAW,WAAA,GAAc,MAAA;AACzB,MAAA,UAAA,CAAW,UAAA,GAAa,MAAA;AACxB,MAAA,UAAA,CAAW,SAAA,GAAY,MAAA;AACvB,MAAA,UAAA,CAAW,WAAA,GAAc,MAAA;AACzB,MAAA,UAAA,CAAW,UAAA,GAAa,MAAA;AACxB,MAAA,UAAA,CAAW,WAAA,GAAc,MAAA;AACzB,MAAA,UAAA,CAAW,UAAA,GAAa,MAAA;AACxB,MAAA,UAAA,CAAW,YAAA,GAAe,MAAA;AAC1B,MAAA,UAAA,CAAW,YAAA,GAAe,MAAA;AAC1B,MAAA,UAAA,CAAW,aAAA,GAAgB,MAAA;AAC3B,MAAA,UAAA,CAAW,cAAA,GAAiB,MAAA;AAC5B,MAAA,UAAA,CAAW,QAAA,GAAW,MAAA;AAItB,MAAA,MAAM,eAAA,GAAkB,CAAC,GAAA,KAAkB;AAC1C,QAAA,IAAI,CAAC,GAAA,IAAO,OAAO,GAAA,KAAQ,QAAA,EAAU;AACpC,UAAA,OAAO,GAAA;AAAA,QACR;AACA,QAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACvB,UAAA,OAAO,GAAA,CAAI,IAAI,eAAe,CAAA;AAAA,QAC/B;AACA,QAAA,MAAM,KAAA,mBAAQ,MAAA,CAAO,MAAA,CAAO,IAAI,CAAA;AAChC,QAAA,KAAA,MAAW,CAAC,GAAA,EAAK,GAAG,KAAK,MAAA,CAAO,OAAA,CAAQ,GAAG,CAAA,EAAG;AAC7C,UAAA,KAAA,CAAM,GAAG,CAAA,GAAI,eAAA,CAAgB,GAAG,CAAA;AAAA,QACjC;AACA,QAAA,OAAO,KAAA;AAAA,MACR,CAAA;AAGA,MAAA,UAAA,CAAW,OAAA,GAAU,gBAAgB,IAAA,CAAK,KAAA,CAAM,KAAK,SAAA,CAAU,OAAO,CAAC,CAAC,CAAA;AACxE,MAAA,UAAA,CAAW,GAAA,GAAM,gBAAgB,IAAA,CAAK,KAAA,CAAM,KAAK,SAAA,CAAU,GAAG,CAAC,CAAC,CAAA;AAEhE,MAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,MAAM,CAAA,EAAG;AAClD,QAAA,UAAA,CAAW,GAAG,IAAI,eAAA,CAAgB,IAAA,CAAK,MAAM,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAC,CAAA;AAAA,MACpE;AAIA,MAAA,MAAM,UAAA,GAAa,CAAC,GAAA,KAAa;AAChC,QAAA,IAAI,GAAA,IAAO,OAAO,GAAA,KAAQ,QAAA,IAAY,CAAC,MAAA,CAAO,QAAA,CAAS,GAAG,CAAA,EAAG;AAC5D,UAAA,MAAA,CAAO,OAAO,GAAG,CAAA;AACjB,UAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,GAAG,CAAA,EAAG;AACnC,YAAA,UAAA,CAAW,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,UACpB;AAAA,QACD;AACA,QAAA,OAAO,GAAA;AAAA,MACR,CAAA;AAEA,MAAA,UAAA,CAAW,WAAW,OAAO,CAAA;AAC7B,MAAA,UAAA,CAAW,WAAW,GAAG,CAAA;AAGzB,MAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,UAAU,CAAA,EAAG;AAC1C,QAAA,MAAA,CAAO,cAAA,CAAe,YAAY,GAAA,EAAK;AAAA,UACtC,QAAA,EAAU,KAAA;AAAA,UACV,YAAA,EAAc;AAAA,SACd,CAAA;AAAA,MACF;AAIA,MAAA,IAAI,cAAA,GAAiB,OAAO,aAAa,CAAA;AACzC,MAAA,IACC,eAAA,CAAgB,KAAK,cAAc,CAAA,IACnC,CAAC,cAAA,CAAe,QAAA,CAAS,oBAAoB,CAAA,EAC5C;AACD,QAAA,IAAI,CAAC,cAAA,CAAe,QAAA,CAAS,oBAAoB,CAAA,EAAG;AACnD,UAAA,cAAA,GAAiB,CAAA;AAAA,EAA8B,cAAc;AAAA,CAAA,CAAA;AAAA,QAC9D;AAAA,MACD;AAEA,MAAA,MAAM,UAAA,GAAa;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA,MAAA,EAiBd,cAAc;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAAA,CAAA;AAWnB,MAAA,IAAI;AACH,QAAA,MAAM,MAAA,GAAS,IAAI,EAAA,CAAG,MAAA,CAAO,UAAA,EAAY;AAAA,UACxC,UAAU,CAAA,aAAA,EAAgB,IAAA,CAAK,UAAU,KAAA,CAAM,CAAA,EAAG,CAAC,CAAC,CAAA,GAAA;AAAA,SACpD,CAAA;AAGD,QAAA,IACC,CAAC,OAAA,CAAQ,GAAA,CAAI,MAAA,IACb,OAAO,MAAA,CAAO,SAAA,KAAc,QAAA,IAC5B,CAAC,MAAA,CAAO,QAAA,CAAS,MAAA,CAAO,SAAS,CAAA,EAChC;AACD,UAAA,MAAA,CAAO,MAAA,CAAO,OAAO,SAAS,CAAA;AAC9B,UAAA,MAAA,CAAO,MAAA,CAAO,MAAM,SAAS,CAAA;AAC7B,UAAA,MAAA,CAAO,MAAA,CAAO,OAAO,SAAS,CAAA;AAC9B,UAAA,MAAA,CAAO,MAAA,CAAO,OAAO,SAAS,CAAA;AAC9B,UAAA,MAAA,CAAO,MAAA,CAAO,QAAQ,SAAS,CAAA;AAC/B,UAAA,MAAA,CAAO,MAAA,CAAO,OAAO,SAAS,CAAA;AAC9B,UAAA,MAAA,CAAO,MAAA,CAAO,IAAI,SAAS,CAAA;AAC3B,UAAA,MAAA,CAAO,MAAA,CAAO,IAAI,SAAS,CAAA;AAC3B,UAAA,MAAA,CAAO,MAAA,CAAO,QAAQ,SAAS,CAAA;AAC/B,UAAA,MAAA,CAAO,MAAA,CAAO,MAAM,SAAS,CAAA;AAAA,QAC9B;AAKA,QAAA,MAAM,OAAA,GAAU,EAAA,CAAG,aAAA,CAAc,UAAA,EAAY;AAAA,UAC5C,IAAA,EAAM,cAAA;AAAA,UACN,MAAA,EAAQ,gBAAA;AAAA,UACR,aAAA,EAAe;AAAA,SACf,CAAA;AAGD,QAAA,MAAM,MAAA,GAAS,MAAA,CAAO,YAAA,CAAa,OAAA,EAAS;AAAA,UAC3C,OAAA,EAAS,GAAA;AAAA,UACT,aAAA,EAAe,IAAA;AAAA,UACf,aAAA,EAAe;AAAA,SACf,CAAA;AAED,QAAA,MAAM,QAAA,GAAW,WAAA,CAAY,GAAA,EAAI,GAAI,SAAA;AAErC,QAAA,MAAM,OAAA,GAAU,IAAA,CAAK,KAAA,CAAM,QAAA,GAAW,OAAO,GAAG,CAAA;AAChD,QAAA,MAAM,QAAA,GAAW,IAAA,CAAK,IAAA,CAAK,OAAA,GAAU,GAAG,CAAA,GAAI,GAAA;AAE5C,QAAA,IAAI,WAAW,GAAA,EAAS;AACvB,UAAA,MAAM,IAAI,KAAA;AAAA,YACT;AAAA,WACD;AAAA,QACD;AAEA,QAAA,OAAO,EAAE,MAAA,EAAQ,YAAA,EAAc,QAAA,EAAS;AAAA,MACzC,SAAS,KAAA,EAAO;AACf,QAAA,MAAM,IAAI,KAAA;AAAA,UACT,CAAA,kBAAA,EAAqB,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,UAAU,mBAAmB,CAAA;AAAA,SAClF;AAAA,MACD;AAAA,IACD;AAAA,EACD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAa,QAAA,GAA0B;AACtC,IAAA,IAAI;AACH,MAAA,IAAI,IAAA,CAAK,YAAA,EAAc,MAAM,IAAA,CAAK,aAAa,KAAA,EAAM;AACrD,MAAA,IAAI,IAAA,CAAK,YAAA,EAAc,MAAM,IAAA,CAAK,aAAa,KAAA,EAAM;AACrD,MAAA,MAAS,EAAA,CAAA,EAAA,CAAG,KAAK,UAAA,EAAY,EAAE,WAAW,IAAA,EAAM,KAAA,EAAO,MAAM,CAAA;AAAA,IAC9D,SAAS,EAAA,EAAI;AAAA,IAEb;AAAA,EACD;AACD","file":"chunk-J3WPBMJ5.js","sourcesContent":["export class GuardianError extends Error {\n\tconstructor(message: string) {\n\t\tsuper(`AST Sec-Policy Violation: ${message}`);\n\t\tthis.name = \"GuardianError\";\n\t}\n}\n\n/**\n * The Guardian-TS Module\n * Scans the Abstract Syntax Tree (AST) imports of incoming WASM\n * before it reaches the V8 Wasmtime engine to prevent sandbox-escape\n * zero-days, resource exhaustion bombs, and evasive execution.\n */\nexport const ASTGuardian = {\n\t/**\n\t * Analyzes the WebAssembly Module interface proactively.\n\t *\n\t * @param module - The compiled WebAssembly.Module to inspect\n\t * @throws {GuardianError} If illegal imports or capabilities are detected\n\t */\n\tanalyze(module: WebAssembly.Module): void {\n\t\tconst imports = WebAssembly.Module.imports(module);\n\t\tlet _importCount = 0;\n\n\t\tconst ALLOWED_WASI_FUNCTIONS = new Set([\n\t\t\t\"fd_write\",\n\t\t\t\"fd_read\",\n\t\t\t\"fd_close\",\n\t\t\t\"fd_seek\",\n\t\t\t\"environ_get\",\n\t\t\t\"environ_sizes_get\",\n\t\t\t\"args_get\",\n\t\t\t\"args_sizes_get\",\n\t\t\t\"clock_time_get\",\n\t\t\t\"random_get\",\n\t\t\t\"proc_exit\",\n\t\t\t\"fd_prestat_get\",\n\t\t\t\"fd_prestat_dir_name\",\n\t\t\t\"fd_fdstat_get\",\n\t\t]);\n\n\t\tfor (const imp of imports) {\n\t\t\t// Strict Sandbox Validation: Only allow WASI preview 1 specific whitelisted functions.\n\t\t\tif (imp.module === \"wasi_snapshot_preview1\") {\n\t\t\t\tif (!ALLOWED_WASI_FUNCTIONS.has(imp.name)) {\n\t\t\t\t\tthrow new GuardianError(\n\t\t\t\t\t\t`Banned WASI Import Detected: ${imp.module}/${imp.name}`,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tthrow new GuardianError(\n\t\t\t\t\t`Banned Host Import Module Detected: ${imp.module}`,\n\t\t\t\t);\n\t\t\t}\n\t\t\t_importCount++;\n\n\t\t\tif (_importCount > 128) {\n\t\t\t\tthrow new GuardianError(\n\t\t\t\t\t\"Import limit exceeded. Possible resource exhaustion attack.\",\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\t// In Node.js / V8, the maximum module size and function limits\n\t\t// are natively enforced by the engine during compilation.\n\t\t// A successfully compiled WebAssembly.Module already passed structural checks.\n\t},\n};\n","import crypto from \"node:crypto\";\nimport * as fs from \"node:fs/promises\";\nimport * as os from \"node:os\";\nimport * as path from \"node:path\";\nimport vm from \"node:vm\";\nimport { WASI } from \"node:wasi\";\nimport { ASTGuardian } from \"./guardian.js\";\n\n// Silence Node.js ExperimentalWarning for WASI (Industrial console parity)\nconst originalEmit = process.emit;\n// @ts-expect-error\nprocess.emit = (name, data, ...args) => {\n\tif (\n\t\t(name === \"warning\" &&\n\t\t\ttypeof data === \"object\" &&\n\t\t\t(data as Record<string, unknown>).name === \"ExperimentalWarning\" &&\n\t\t\tString((data as Record<string, unknown>).message).includes(\"WASI\")) ||\n\t\tString((data as Record<string, unknown>).message).includes(\"importing WASI\")\n\t) {\n\t\treturn false;\n\t}\n\treturn originalEmit.call(process, name, data, ...args);\n};\n\n/**\n * Returns a filtered environment object containing only safe system variables,\n * preventing exposure of sensitive credentials and shell function injection.\n */\nexport function getDefaultEnvironment(): Record<string, string> {\n\tconst isWindows = process.platform === \"win32\";\n\tconst safeKeys = isWindows\n\t\t? [\n\t\t\t\t\"APPDATA\",\n\t\t\t\t\"HOMEDRIVE\",\n\t\t\t\t\"HOMEPATH\",\n\t\t\t\t\"LOCALAPPDATA\",\n\t\t\t\t\"PATH\",\n\t\t\t\t\"PROCESSOR_ARCHITECTURE\",\n\t\t\t\t\"SYSTEMDRIVE\",\n\t\t\t\t\"SYSTEMROOT\",\n\t\t\t\t\"TEMP\",\n\t\t\t\t\"USERNAME\",\n\t\t\t\t\"USERPROFILE\",\n\t\t\t\t\"PROGRAMFILES\",\n\t\t\t]\n\t\t: [\"HOME\", \"LOGNAME\", \"PATH\", \"SHELL\", \"TERM\", \"USER\"];\n\n\tconst env: Record<string, string> = {\n\t\tNODE_ENV: \"production\",\n\t\tLIOP_NODE: \"true\",\n\t};\n\n\tfor (const key of safeKeys) {\n\t\tconst val = process.env[key];\n\t\tif (val !== undefined && !val.startsWith(\"()\")) {\n\t\t\tenv[key] = val;\n\t\t}\n\t}\n\n\treturn env;\n}\n\nexport interface SandboxConfig {\n\tallowEnv?: boolean;\n\tallowedDirectories?: Record<string, string>; // guestPath -> hostPath\n\tmemoryLimitMb?: number;\n}\n\n/**\n * LIOP WasiSandbox (Industrial Grade)\n *\n * Provides a production-grade isolated environment for executing untrusted logic.\n * Primarily uses WebAssembly (WASI) for byte-code isolation, with a hardened\n * V8 Isolate fallback for dynamic JS-to-WASM logic injection.\n */\nexport class WasiSandbox {\n\tprivate wasi!: WASI;\n\tprivate sandboxId: string;\n\tprivate workingDir: string;\n\tprivate config: SandboxConfig;\n\tprivate stdoutHandle: fs.FileHandle | null = null;\n\tprivate stderrHandle: fs.FileHandle | null = null;\n\n\tconstructor(config: SandboxConfig = {}) {\n\t\tthis.sandboxId = crypto.randomUUID();\n\t\t// Use a dedicated LIOP directory in the OS temp folder\n\t\tthis.workingDir = path.join(\n\t\t\tos.tmpdir(),\n\t\t\t\"liop-mesh\",\n\t\t\t\"sandboxes\",\n\t\t\tthis.sandboxId,\n\t\t);\n\t\tthis.config = config;\n\t}\n\n\t/**\n\t * Initializes the physical sandbox environment with strict directory lockdown.\n\t */\n\tpublic async init(): Promise<void> {\n\t\ttry {\n\t\t\tawait fs.mkdir(this.workingDir, { recursive: true });\n\n\t\t\t// Initialize WASI with explicit limits\n\t\t\tthis.stdoutHandle = await fs.open(\n\t\t\t\tpath.join(this.workingDir, \"stdout.log\"),\n\t\t\t\t\"w+\",\n\t\t\t);\n\t\t\tthis.stderrHandle = await fs.open(\n\t\t\t\tpath.join(this.workingDir, \"stderr.log\"),\n\t\t\t\t\"w+\",\n\t\t\t);\n\n\t\t\tthis.wasi = new WASI({\n\t\t\t\tversion: \"preview1\",\n\t\t\t\targs: [\"liop_runtime\"],\n\t\t\t\tenv: this.config.allowEnv\n\t\t\t\t\t? { ...getDefaultEnvironment(), RUNTIME_ID: this.sandboxId }\n\t\t\t\t\t: {\n\t\t\t\t\t\t\tNODE_ENV: \"production\",\n\t\t\t\t\t\t\tLIOP_NODE: \"true\",\n\t\t\t\t\t\t\tRUNTIME_ID: this.sandboxId,\n\t\t\t\t\t\t},\n\t\t\t\tpreopens: {\n\t\t\t\t\t\"/sandbox\": this.workingDir,\n\t\t\t\t\t...this.config.allowedDirectories,\n\t\t\t\t},\n\t\t\t\tstdout: this.stdoutHandle.fd,\n\t\t\t\tstderr: this.stderrHandle.fd,\n\t\t\t});\n\t\t} catch (error) {\n\t\t\tthrow new Error(\n\t\t\t\t`Sandbox Initialization Failed: ${error instanceof Error ? error.message : \"FS Error\"}`,\n\t\t\t);\n\t\t}\n\t}\n\n\t/**\n\t * Executes logic (WASM or JS-Wrapped) with hard resource limits.\n\t */\n\tpublic async execute(\n\t\tcompiledLogic: Buffer | string,\n\t\trecords: Record<string, unknown>[] = [],\n\t\tinputs: Record<string, unknown> = {},\n\t): Promise<{ output: unknown; fuelConsumed: number }> {\n\t\tconst startTime = performance.now();\n\n\t\tif (compiledLogic instanceof Buffer) {\n\t\t\t// Path A: Native WebAssembly Isolation\n\t\t\ttry {\n\t\t\t\tconst module = await WebAssembly.compile(new Uint8Array(compiledLogic));\n\n\t\t\t\t// Tier-0 Guardian: Static analysis to prevent sandbox escapes\n\t\t\t\tASTGuardian.analyze(module);\n\n\t\t\t\tconst instance = await WebAssembly.instantiate(\n\t\t\t\t\tmodule,\n\t\t\t\t\tthis.wasi.getImportObject() as WebAssembly.Imports,\n\t\t\t\t);\n\n\t\t\t\t// Standard entry point\n\t\t\t\tthis.wasi.start(instance);\n\n\t\t\t\t// Capture output from the sandbox\n\t\t\t\tconst stdoutPath = path.join(this.workingDir, \"stdout.log\");\n\t\t\t\tconst stderrPath = path.join(this.workingDir, \"stderr.log\");\n\t\t\t\tconst stdout = await fs.readFile(stdoutPath, \"utf-8\");\n\t\t\t\tconst stderr = await fs.readFile(stderrPath, \"utf-8\");\n\n\t\t\t\tconst duration = performance.now() - startTime;\n\t\t\t\treturn {\n\t\t\t\t\toutput:\n\t\t\t\t\t\tstdout || (stderr ? `Error: ${stderr}` : \"WASM_EXECUTION_SUCCESS\"),\n\t\t\t\t\tfuelConsumed: Math.floor(duration * 1000),\n\t\t\t\t};\n\t\t\t} catch (error: unknown) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`WASM Runtime Error: ${error instanceof Error ? error.message : String(error)}`,\n\t\t\t\t);\n\t\t\t}\n\t\t} else {\n\t\t\t// Path B: Hardened V8 Isolate Fallback\n\t\t\t// Uses node:vm with zero-prototype objects to prevent prototype pollution escapes.\n\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Required for Sandbox global poisoning\n\t\t\tconst sandboxEnv: any = Object.create(null); // Isolated global object\n\t\t\tconst env = { records, ...inputs };\n\n\t\t\t// Explicitly poison Node.js escape vectors in the context\n\t\t\tsandboxEnv.require = undefined;\n\t\t\tsandboxEnv.process = undefined;\n\t\t\tsandboxEnv.global = undefined;\n\t\t\tsandboxEnv.globalThis = undefined;\n\t\t\tsandboxEnv.Buffer = undefined;\n\t\t\tsandboxEnv.setTimeout = undefined;\n\t\t\tsandboxEnv.setInterval = undefined;\n\t\t\tsandboxEnv.setImmediate = undefined;\n\t\t\tsandboxEnv.queueMicrotask = undefined;\n\t\t\tsandboxEnv.eval = undefined;\n\t\t\tsandboxEnv.Function = undefined;\n\t\t\tsandboxEnv.SharedArrayBuffer = undefined;\n\t\t\tsandboxEnv.Date = undefined;\n\n\t\t\t// [DoS Defense] Block off-heap memory allocation vectors.\n\t\t\t// Logic-on-Origin operates on JSON data (env.records) — binary buffers\n\t\t\t// serve no legitimate purpose and enable memory exhaustion DoS.\n\t\t\t// (Uint8Array(2GB) bypassed Piscina's maxOldGenerationSizeMb limit)\n\t\t\tsandboxEnv.ArrayBuffer = undefined;\n\t\t\tsandboxEnv.Uint8Array = undefined;\n\t\t\tsandboxEnv.Int8Array = undefined;\n\t\t\tsandboxEnv.Uint16Array = undefined;\n\t\t\tsandboxEnv.Int16Array = undefined;\n\t\t\tsandboxEnv.Uint32Array = undefined;\n\t\t\tsandboxEnv.Int32Array = undefined;\n\t\t\tsandboxEnv.Float32Array = undefined;\n\t\t\tsandboxEnv.Float64Array = undefined;\n\t\t\tsandboxEnv.BigInt64Array = undefined;\n\t\t\tsandboxEnv.BigUint64Array = undefined;\n\t\t\tsandboxEnv.DataView = undefined;\n\n\t\t\t// Recurse and strip prototype chain from host-passed objects to prevent escaping via constructor\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Required for recursive null prototype mapping\n\t\t\tconst toNullPrototype = (obj: any): any => {\n\t\t\t\tif (!obj || typeof obj !== \"object\") {\n\t\t\t\t\treturn obj;\n\t\t\t\t}\n\t\t\t\tif (Array.isArray(obj)) {\n\t\t\t\t\treturn obj.map(toNullPrototype);\n\t\t\t\t}\n\t\t\t\tconst clone = Object.create(null);\n\t\t\t\tfor (const [key, val] of Object.entries(obj)) {\n\t\t\t\t\tclone[key] = toNullPrototype(val);\n\t\t\t\t}\n\t\t\t\treturn clone;\n\t\t\t};\n\n\t\t\t// Inject strictly monitored globals\n\t\t\tsandboxEnv.records = toNullPrototype(JSON.parse(JSON.stringify(records))); // Deep copy safety + null prototype\n\t\t\tsandboxEnv.env = toNullPrototype(JSON.parse(JSON.stringify(env)));\n\n\t\t\tfor (const [key, value] of Object.entries(inputs)) {\n\t\t\t\tsandboxEnv[key] = toNullPrototype(JSON.parse(JSON.stringify(value)));\n\t\t\t}\n\n\t\t\t// Freeze the sandbox context to prevent mutation (SEC-GAP-1)\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Required for recursive deep freeze of unknown data\n\t\t\tconst deepFreeze = (obj: any) => {\n\t\t\t\tif (obj && typeof obj === \"object\" && !Object.isFrozen(obj)) {\n\t\t\t\t\tObject.freeze(obj);\n\t\t\t\t\tfor (const key of Object.keys(obj)) {\n\t\t\t\t\t\tdeepFreeze(obj[key]);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\treturn obj;\n\t\t\t};\n\n\t\t\tdeepFreeze(sandboxEnv.records);\n\t\t\tdeepFreeze(sandboxEnv.env);\n\n\t\t\t// Prevent property addition/modification on global scope\n\t\t\tfor (const key of Object.keys(sandboxEnv)) {\n\t\t\t\tObject.defineProperty(sandboxEnv, key, {\n\t\t\t\t\twritable: false,\n\t\t\t\t\tconfigurable: false,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\t// LIOP Execution Wrapper\n\t\t\t// Host-side logic transformation to avoid 'new Function' in sandbox\n\t\t\tlet processedLogic = String(compiledLogic);\n\t\t\tif (\n\t\t\t\t/^\\s*return\\s/m.test(processedLogic) ||\n\t\t\t\t!processedLogic.includes(\"function liop_main\")\n\t\t\t) {\n\t\t\t\tif (!processedLogic.includes(\"function liop_main\")) {\n\t\t\t\t\tprocessedLogic = `function liop_main(env) {\\n${processedLogic}\\n}`;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tconst scriptCode = `\n\t\t\t\t(function() {\n\t\t\t\t\t\"use strict\";\n\t\t\t\t\ttry {\n\t\t\t\t\t\t// Pre-execution prototype freezing (PCI-DSS Compliance)\n\t\t\t\t\t\tObject.freeze(Object.prototype);\n\t\t\t\t\t\tObject.freeze(Array.prototype);\n\t\t\t\t\t\tObject.freeze(String.prototype);\n\t\t\t\t\t\tObject.freeze(Number.prototype);\n\t\t\t\t\t\tObject.freeze(Boolean.prototype);\n\t\t\t\t\t\tObject.freeze(RegExp.prototype);\n\t\t\t\t\t\tObject.freeze(Map.prototype);\n\t\t\t\t\t\tObject.freeze(Set.prototype);\n\t\t\t\t\t\tObject.freeze(Promise.prototype);\n\t\t\t\t\t\tObject.freeze(Error.prototype);\n\t\t\t\t\t\tObject.freeze(Object.getPrototypeOf(function(){}));\n\n\t\t\t\t\t\t${processedLogic}\n\t\t\t\t\t\tif (typeof liop_main === 'function') {\n\t\t\t\t\t\t\treturn liop_main(env);\n\t\t\t\t\t\t}\n\t\t\t\t\t\treturn \"ERR_NO_ENTRY_POINT\";\n\t\t\t\t\t} catch(e) {\n\t\t\t\t\t\treturn \"LogicError: \" + e.message;\n\t\t\t\t\t}\n\t\t\t\t})();\n\t\t\t`;\n\n\t\t\ttry {\n\t\t\t\tconst script = new vm.Script(scriptCode, {\n\t\t\t\t\tfilename: `liop-sandbox-${this.sandboxId.slice(0, 8)}.js`,\n\t\t\t\t});\n\n\t\t\t\t// Freeze Host prototypes in production (non-test environments) to completely block Prototype Pollution\n\t\t\t\tif (\n\t\t\t\t\t!process.env.VITEST &&\n\t\t\t\t\ttypeof Object.prototype === \"object\" &&\n\t\t\t\t\t!Object.isFrozen(Object.prototype)\n\t\t\t\t) {\n\t\t\t\t\tObject.freeze(Object.prototype);\n\t\t\t\t\tObject.freeze(Array.prototype);\n\t\t\t\t\tObject.freeze(String.prototype);\n\t\t\t\t\tObject.freeze(Number.prototype);\n\t\t\t\t\tObject.freeze(Boolean.prototype);\n\t\t\t\t\tObject.freeze(RegExp.prototype);\n\t\t\t\t\tObject.freeze(Map.prototype);\n\t\t\t\t\tObject.freeze(Set.prototype);\n\t\t\t\t\tObject.freeze(Promise.prototype);\n\t\t\t\t\tObject.freeze(Error.prototype);\n\t\t\t\t}\n\n\t\t\t\t// microtaskMode: Ensures Promises created inside the sandbox are\n\t\t\t\t// resolved within the timeout/breakOnSigint scope (Node.js ≥14.6).\n\t\t\t\t// Without this, async microtasks could escape the 5s CPU limit.\n\t\t\t\tconst context = vm.createContext(sandboxEnv, {\n\t\t\t\t\tname: \"LIOP Isolate\",\n\t\t\t\t\torigin: \"liop://sandbox\",\n\t\t\t\t\tmicrotaskMode: \"afterEvaluate\",\n\t\t\t\t});\n\n\t\t\t\t// Execution with hard CPU and Memory limits (Fuel)\n\t\t\t\tconst output = script.runInContext(context, {\n\t\t\t\t\ttimeout: 5000,\n\t\t\t\t\tbreakOnSigint: true,\n\t\t\t\t\tdisplayErrors: true,\n\t\t\t\t});\n\n\t\t\t\tconst duration = performance.now() - startTime;\n\t\t\t\t// SEC: Normalize fuel to buckets of 100 to prevent timing side-channel inference\n\t\t\t\tconst rawFuel = Math.floor(duration * 1500 + 100);\n\t\t\t\tconst fuelUsed = Math.ceil(rawFuel / 100) * 100;\n\n\t\t\t\tif (fuelUsed > 1000000) {\n\t\t\t\t\tthrow new Error(\n\t\t\t\t\t\t\"LIOP_RESOURCE_EXHAUSTED: Execution fuel limit exceeded.\",\n\t\t\t\t\t);\n\t\t\t\t}\n\n\t\t\t\treturn { output, fuelConsumed: fuelUsed };\n\t\t\t} catch (error) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`V8 Isolate Fault: ${error instanceof Error ? error.message : \"Execution Timeout\"}`,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\t}\n\n\t/**\n\t * Physically cleans up the sandbox and releases resources.\n\t */\n\tpublic async teardown(): Promise<void> {\n\t\ttry {\n\t\t\tif (this.stdoutHandle) await this.stdoutHandle.close();\n\t\t\tif (this.stderrHandle) await this.stderrHandle.close();\n\t\t\tawait fs.rm(this.workingDir, { recursive: true, force: true });\n\t\t} catch (_e) {\n\t\t\t// Silent fail on teardown to prevent process crashes\n\t\t}\n\t}\n}\n"]}