@robinbraemer/codemode 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 CNAP - Cloud Native Application Platform
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,278 @@
+# codemode
+
+Two MCP tools that replace hundreds. Give an AI agent your OpenAPI spec and a request handler — it discovers and calls your entire API by writing JavaScript in a sandboxed runtime.
+
+Instead of defining individual MCP tools for every API endpoint (`list-pods`, `create-product`, `get-logs`, ...), CodeMode exposes just **two tools**:
+
+- **`search`** — the agent writes JS to filter your OpenAPI spec and discover endpoints
+- **`execute`** — the agent writes JS to call your API via an injected client
+
+This is the same pattern [Cloudflare uses](https://blog.cloudflare.com/code-mode-mcp/) to expose 2,500+ API endpoints through just two MCP tools, reducing context window usage by 99.9%.
+
+## Install
+
+```bash
+pnpm add codemode
+
+# Install a sandbox runtime (pick one):
+pnpm add isolated-vm       # V8 isolates — fastest, recommended
+pnpm add quickjs-emscripten # WASM — portable fallback
+```
+
+## Quick Start
+
+```typescript
+import { CodeMode } from 'codemode';
+import { Hono } from 'hono';
+
+const app = new Hono();
+app.get('/v1/clusters', (c) => c.json([{ id: '1', name: 'prod' }]));
+app.post('/v1/clusters', async (c) => {
+  const body = await c.req.json();
+  return c.json({ id: '2', ...body }, 201);
+});
+
+const codemode = new CodeMode({
+  spec: myOpenAPISpec,              // OpenAPI 3.x spec, or async getter
+  request: app.request.bind(app),   // in-process, no network hop
+});
+
+// The agent searches the spec to discover endpoints...
+const search = await codemode.callTool('search', {
+  code: `async () => {
+    return Object.entries(spec.paths)
+      .filter(([p]) => p.includes('/clusters'))
+      .flatMap(([path, methods]) =>
+        Object.entries(methods)
+          .filter(([m]) => ['get','post','put','delete'].includes(m))
+          .map(([method, op]) => ({ method: method.toUpperCase(), path, summary: op.summary }))
+      );
+  }`
+});
+
+// ...then executes API calls
+const result = await codemode.callTool('execute', {
+  code: `async () => {
+    const res = await api.request({ method: "GET", path: "/v1/clusters" });
+    return res.body;
+  }`
+});
+```
+
+## MCP Server Integration
+
+```typescript
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { CodeMode } from 'codemode';
+import { registerTools } from 'codemode/mcp';
+
+const codemode = new CodeMode({
+  spec: () => fetchOpenAPISpec(),
+  request: app.request.bind(app),
+});
+
+const server = new McpServer({ name: 'my-api', version: '1.0.0' });
+registerTools(codemode, server);
+
+const transport = new StdioServerTransport();
+await server.connect(transport);
+```
+
+## How It Works
+
+```
+AI Agent
+  │ writes JavaScript code
+  ▼
+CodeMode MCP Server
+  │
+  ├─ search(code) → runs JS with OpenAPI spec as a global
+  │   → agent discovers endpoints, schemas, parameters
+  │
+  └─ execute(code) → runs JS with injected request client
+      → api.request() calls your handler in-process
+      → no network hop, auth handled automatically
+```
+
+All code runs in an isolated sandbox (V8 isolate or QuickJS WASM). The sandbox has zero I/O by default — no `require`, no `process`, no `fetch`, no filesystem. The only way to interact with the outside world is through the injected globals (`spec` for search, `{namespace}.request()` for execute).
+
+Each tool call gets a fresh sandbox with no state carried over between calls.
+
+## API
+
+### `new CodeMode(options)`
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `spec` | `OpenAPISpec \| () => OpenAPISpec \| Promise<OpenAPISpec>` | required | OpenAPI 3.x spec or async getter |
+| `request` | `(input, init?) => Response` | required | Fetch-compatible handler (`app.request.bind(app)` for Hono) |
+| `namespace` | `string` | `"api"` | Client name in sandbox (`api.request(...)`) |
+| `baseUrl` | `string` | `"http://localhost"` | Base URL for relative paths |
+| `sandbox` | `{ memoryMB?, timeoutMs? }` | `{ 64, 30000 }` | Sandbox resource limits |
+| `executor` | `Executor` | auto-detect | Custom sandbox executor |
+
+### Methods
+
+#### `codemode.tools(): ToolDefinition[]`
+
+Returns MCP-compatible tool definitions for `search` and `execute`.
+
+#### `codemode.callTool(name, { code }): Promise<ToolCallResult>`
+
+Route a tool call. Returns `{ content: [{ type: "text", text }], isError? }`.
+
+#### `codemode.search(code): Promise<ToolCallResult>`
+
+Run search code directly (shorthand for `callTool('search', { code })`).
+
+#### `codemode.execute(code): Promise<ToolCallResult>`
+
+Run execute code directly (shorthand for `callTool('execute', { code })`).
+
+#### `codemode.setToolNames(search, execute): this`
+
+Override default tool names. Useful when running multiple CodeMode instances.
+
+#### `codemode.dispose(): void`
+
+Clean up sandbox resources.
+
+## Sandbox API
+
+### Inside `search`
+
+The `spec` global is the full OpenAPI 3.x document:
+
+```javascript
+// Find endpoints by keyword
+async () => {
+  return Object.entries(spec.paths)
+    .filter(([p]) => p.includes('/clusters'))
+    .flatMap(([path, methods]) =>
+      Object.entries(methods)
+        .filter(([m]) => ['get','post','put','delete','patch'].includes(m))
+        .map(([method, op]) => ({
+          method: method.toUpperCase(), path, summary: op.summary
+        }))
+    );
+}
+
+// Get a specific schema
+async () => spec.components?.schemas?.Product
+
+// Spec metadata
+async () => ({
+  title: spec.info.title,
+  version: spec.info.version,
+  endpoints: Object.keys(spec.paths).length,
+})
+```
+
+### Inside `execute`
+
+The `{namespace}.request()` function makes API calls through the host handler:
+
+```javascript
+// GET with query params
+async () => {
+  const res = await api.request({
+    method: "GET",
+    path: "/v1/clusters",
+    query: { limit: 10 },
+  });
+  return res.body;
+}
+
+// POST with body
+async () => {
+  return api.request({
+    method: "POST",
+    path: "/v1/products",
+    body: { name: "Redis", chart: "bitnami/redis" },
+  });
+}
+
+// Chain calls
+async () => {
+  const list = await api.request({ method: "GET", path: "/v1/clusters" });
+  const details = await Promise.all(
+    list.body.map(c =>
+      api.request({ method: "GET", path: `/v1/clusters/${c.id}` })
+    )
+  );
+  return details.map(d => d.body);
+}
+```
+
+**Request options:**
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `method` | `string` | HTTP method (`"GET"`, `"POST"`, etc.) |
+| `path` | `string` | API path (`"/v1/clusters"`) |
+| `query` | `Record<string, string \| number \| boolean>` | Query parameters (optional) |
+| `body` | `unknown` | Request body, auto-serialized as JSON (optional) |
+| `headers` | `Record<string, string>` | Additional headers (optional) |
+
+**Response:** `{ status: number, headers: Record<string, string>, body: unknown }`
+
+## Executors
+
+CodeMode auto-detects your installed sandbox runtime. You can also pass one explicitly:
+
+```typescript
+import { CodeMode, IsolatedVMExecutor } from 'codemode';
+
+const codemode = new CodeMode({
+  spec,
+  request: handler,
+  executor: new IsolatedVMExecutor({ memoryMB: 128, timeoutMs: 60_000 }),
+});
+```
+
+| Executor | Package | Performance | Portability |
+|----------|---------|-------------|-------------|
+| `IsolatedVMExecutor` | `isolated-vm` | Native V8 speed | Node.js |
+| `QuickJSExecutor` | `quickjs-emscripten` | ~3-5x slower (still fast) | Node.js, Bun, browsers |
+
+Both are optional peer dependencies. Install at least one.
+
+### Custom Executor
+
+Implement the `Executor` interface to use your own sandbox:
+
+```typescript
+import { CodeMode, type Executor, type ExecuteResult } from 'codemode';
+
+class MyExecutor implements Executor {
+  async execute(code: string, globals: Record<string, unknown>): Promise<ExecuteResult> {
+    // `code` is an async arrow function as a string: "async () => { ... }"
+    // `globals` contains named values to inject:
+    //   - plain data (objects, arrays, primitives) → read-only values
+    //   - functions → callable host functions
+    //   - objects with function values → namespace with callable methods
+    return { result: ..., logs: [] };
+  }
+
+  dispose() { /* clean up */ }
+}
+
+const codemode = new CodeMode({
+  spec,
+  request: handler,
+  executor: new MyExecutor(),
+});
+```
+
+## Token Efficiency
+
+| Approach | Context Tokens |
+|----------|---------------|
+| Individual MCP tools (15-50+ tools) | ~15,000-50,000+ |
+| Full OpenAPI spec in context | ~1,000,000+ |
+| **CodeMode (2 tools)** | **~1,000** |
+
+## License
+
+MIT

package/dist/chunk-NSUQUO7S.js

@@ -0,0 +1,115 @@
+// src/executor/isolated-vm.ts
+var IsolatedVMExecutor = class {
+  memoryMB;
+  timeoutMs;
+  constructor(options = {}) {
+    this.memoryMB = options.memoryMB ?? 64;
+    this.timeoutMs = options.timeoutMs ?? 3e4;
+  }
+  async execute(code, globals) {
+    const ivm = (await import("isolated-vm")).default ?? await import("isolated-vm");
+    const isolate = new ivm.Isolate({ memoryLimit: this.memoryMB });
+    const logs = [];
+    try {
+      const context = await isolate.createContext();
+      const jail = context.global;
+      await jail.set("global", jail.derefInto());
+      jail.setSync(
+        "__log",
+        new ivm.Callback((...args) => {
+          logs.push(
+            args.map((a) => typeof a === "string" ? a : stringify(a)).join(" ")
+          );
+        })
+      );
+      await context.eval(`
+        globalThis.console = {
+          log: (...args) => __log(...args),
+          warn: (...args) => __log(...args),
+          error: (...args) => __log(...args),
+        };
+      `);
+      let refCounter = 0;
+      for (const [name, value] of Object.entries(globals)) {
+        if (typeof value === "function") {
+          const refName = `__ref${refCounter++}`;
+          await jail.set(refName, new ivm.Reference(value));
+          await context.eval(`
+            globalThis[${JSON.stringify(name)}] = function(...args) {
+              return ${refName}.apply(undefined, args, {
+                arguments: { copy: true },
+                result: { promise: true, copy: true },
+              });
+            };
+          `);
+        } else if (isNamespaceWithMethods(value)) {
+          const ns = value;
+          let nsSetup = `globalThis[${JSON.stringify(name)}] = {};
+`;
+          for (const [key, val] of Object.entries(ns)) {
+            if (typeof val === "function") {
+              const refName = `__ref${refCounter++}`;
+              await jail.set(refName, new ivm.Reference(val));
+              nsSetup += `
+                globalThis[${JSON.stringify(name)}][${JSON.stringify(key)}] = function(...args) {
+                  return ${refName}.apply(undefined, args, {
+                    arguments: { copy: true },
+                    result: { promise: true, copy: true },
+                  });
+                };
+              `;
+            }
+          }
+          const dataProps = Object.entries(ns).filter(([, v]) => typeof v !== "function");
+          if (dataProps.length > 0) {
+            const dataObj = Object.fromEntries(dataProps);
+            nsSetup += `Object.assign(globalThis[${JSON.stringify(name)}], ${JSON.stringify(dataObj)});
+`;
+          }
+          await context.eval(nsSetup);
+        } else {
+          await context.eval(
+            `globalThis[${JSON.stringify(name)}] = ${JSON.stringify(value)};`
+          );
+        }
+      }
+      const wrappedCode = `(${code})()`;
+      const script = await isolate.compileScript(wrappedCode);
+      const result = await script.run(context, {
+        timeout: this.timeoutMs,
+        promise: true,
+        copy: true
+      });
+      context.release();
+      return { result, logs };
+    } catch (err) {
+      return {
+        result: void 0,
+        error: err instanceof Error ? err.message : String(err),
+        logs
+      };
+    } finally {
+      if (!isolate.isDisposed) {
+        isolate.dispose();
+      }
+    }
+  }
+};
+function isNamespaceWithMethods(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value) && Object.values(value).some(
+    (v) => typeof v === "function"
+  );
+}
+function stringify(value) {
+  if (typeof value === "string") return value;
+  try {
+    return JSON.stringify(value);
+  } catch {
+    return String(value);
+  }
+}
+
+export {
+  IsolatedVMExecutor
+};
+//# sourceMappingURL=chunk-NSUQUO7S.js.map

package/dist/chunk-NSUQUO7S.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/executor/isolated-vm.ts"],"sourcesContent":["import type { Executor, ExecuteResult, SandboxOptions } from \"../types.js\";\n\n/**\n * Executor implementation using isolated-vm (V8 isolates).\n * Requires `isolated-vm` v6+ as a peer dependency.\n *\n * Each execute() call creates a fresh V8 isolate with its own heap — no state\n * leaks between calls. The sandbox has zero I/O capabilities by default (no\n * fetch, no fs, no require). The only way out is through injected host functions.\n */\nexport class IsolatedVMExecutor implements Executor {\n  private memoryMB: number;\n  private timeoutMs: number;\n\n  constructor(options: SandboxOptions = {}) {\n    this.memoryMB = options.memoryMB ?? 64;\n    this.timeoutMs = options.timeoutMs ?? 30_000;\n  }\n\n  async execute(\n    code: string,\n    globals: Record<string, unknown>,\n  ): Promise<ExecuteResult> {\n    // @ts-ignore — optional peer dependency\n    const ivm = (await import(\"isolated-vm\")).default ?? (await import(\"isolated-vm\"));\n    const isolate = new ivm.Isolate({ memoryLimit: this.memoryMB });\n    const logs: string[] = [];\n\n    try {\n      const context = await isolate.createContext();\n      const jail = context.global;\n      await jail.set(\"global\", jail.derefInto());\n\n      // Inject console (captures logs via Callback)\n      jail.setSync(\n        \"__log\",\n        new ivm.Callback((...args: unknown[]) => {\n          logs.push(\n            args\n              .map((a) => (typeof a === \"string\" ? a : stringify(a)))\n              .join(\" \"),\n          );\n        }),\n      );\n      await context.eval(`\n        globalThis.console = {\n          log: (...args) => __log(...args),\n          warn: (...args) => __log(...args),\n          error: (...args) => __log(...args),\n        };\n      `);\n\n      // Inject globals\n      let refCounter = 0;\n      for (const [name, value] of Object.entries(globals)) {\n        if (typeof value === \"function\") {\n          // Async host function: set Reference, wrap with .apply() in isolate\n          const refName = `__ref${refCounter++}`;\n          await jail.set(refName, new ivm.Reference(value));\n          await context.eval(`\n            globalThis[${JSON.stringify(name)}] = function(...args) {\n              return ${refName}.apply(undefined, args, {\n                arguments: { copy: true },\n                result: { promise: true, copy: true },\n              });\n            };\n          `);\n        } else if (isNamespaceWithMethods(value)) {\n          // Namespace object with methods (e.g. { request: fn })\n          const ns = value as Record<string, unknown>;\n          let nsSetup = `globalThis[${JSON.stringify(name)}] = {};\\n`;\n\n          for (const [key, val] of Object.entries(ns)) {\n            if (typeof val === \"function\") {\n              const refName = `__ref${refCounter++}`;\n              await jail.set(refName, new ivm.Reference(val));\n              nsSetup += `\n                globalThis[${JSON.stringify(name)}][${JSON.stringify(key)}] = function(...args) {\n                  return ${refName}.apply(undefined, args, {\n                    arguments: { copy: true },\n                    result: { promise: true, copy: true },\n                  });\n                };\n              `;\n            }\n          }\n\n          // Inject non-function properties as JSON\n          const dataProps = Object.entries(ns).filter(([, v]) => typeof v !== \"function\");\n          if (dataProps.length > 0) {\n            const dataObj = Object.fromEntries(dataProps);\n            nsSetup += `Object.assign(globalThis[${JSON.stringify(name)}], ${JSON.stringify(dataObj)});\\n`;\n          }\n\n          await context.eval(nsSetup);\n        } else {\n          // Plain data: inject as JSON\n          await context.eval(\n            `globalThis[${JSON.stringify(name)}] = ${JSON.stringify(value)};`,\n          );\n        }\n      }\n\n      // Execute the code\n      const wrappedCode = `(${code})()`;\n      const script = await isolate.compileScript(wrappedCode);\n      const result = await script.run(context, {\n        timeout: this.timeoutMs,\n        promise: true,\n        copy: true,\n      });\n\n      context.release();\n      return { result, logs };\n    } catch (err) {\n      return {\n        result: undefined,\n        error: err instanceof Error ? err.message : String(err),\n        logs,\n      };\n    } finally {\n      if (!isolate.isDisposed) {\n        isolate.dispose();\n      }\n    }\n  }\n}\n\nfunction isNamespaceWithMethods(value: unknown): boolean {\n  return (\n    typeof value === \"object\" &&\n    value !== null &&\n    !Array.isArray(value) &&\n    Object.values(value as Record<string, unknown>).some(\n      (v) => typeof v === \"function\",\n    )\n  );\n}\n\nfunction stringify(value: unknown): string {\n  if (typeof value === \"string\") return value;\n  try {\n    return JSON.stringify(value);\n  } catch {\n    return String(value);\n  }\n}\n"],"mappings":";AAUO,IAAM,qBAAN,MAA6C;AAAA,EAC1C;AAAA,EACA;AAAA,EAER,YAAY,UAA0B,CAAC,GAAG;AACxC,SAAK,WAAW,QAAQ,YAAY;AACpC,SAAK,YAAY,QAAQ,aAAa;AAAA,EACxC;AAAA,EAEA,MAAM,QACJ,MACA,SACwB;AAExB,UAAM,OAAO,MAAM,OAAO,aAAa,GAAG,WAAY,MAAM,OAAO,aAAa;AAChF,UAAM,UAAU,IAAI,IAAI,QAAQ,EAAE,aAAa,KAAK,SAAS,CAAC;AAC9D,UAAM,OAAiB,CAAC;AAExB,QAAI;AACF,YAAM,UAAU,MAAM,QAAQ,cAAc;AAC5C,YAAM,OAAO,QAAQ;AACrB,YAAM,KAAK,IAAI,UAAU,KAAK,UAAU,CAAC;AAGzC,WAAK;AAAA,QACH;AAAA,QACA,IAAI,IAAI,SAAS,IAAI,SAAoB;AACvC,eAAK;AAAA,YACH,KACG,IAAI,CAAC,MAAO,OAAO,MAAM,WAAW,IAAI,UAAU,CAAC,CAAE,EACrD,KAAK,GAAG;AAAA,UACb;AAAA,QACF,CAAC;AAAA,MACH;AACA,YAAM,QAAQ,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAMlB;AAGD,UAAI,aAAa;AACjB,iBAAW,CAAC,MAAM,KAAK,KAAK,OAAO,QAAQ,OAAO,GAAG;AACnD,YAAI,OAAO,UAAU,YAAY;AAE/B,gBAAM,UAAU,QAAQ,YAAY;AACpC,gBAAM,KAAK,IAAI,SAAS,IAAI,IAAI,UAAU,KAAK,CAAC;AAChD,gBAAM,QAAQ,KAAK;AAAA,yBACJ,KAAK,UAAU,IAAI,CAAC;AAAA,uBACtB,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA,WAKnB;AAAA,QACH,WAAW,uBAAuB,KAAK,GAAG;AAExC,gBAAM,KAAK;AACX,cAAI,UAAU,cAAc,KAAK,UAAU,IAAI,CAAC;AAAA;AAEhD,qBAAW,CAAC,KAAK,GAAG,KAAK,OAAO,QAAQ,EAAE,GAAG;AAC3C,gBAAI,OAAO,QAAQ,YAAY;AAC7B,oBAAM,UAAU,QAAQ,YAAY;AACpC,oBAAM,KAAK,IAAI,SAAS,IAAI,IAAI,UAAU,GAAG,CAAC;AAC9C,yBAAW;AAAA,6BACI,KAAK,UAAU,IAAI,CAAC,KAAK,KAAK,UAAU,GAAG,CAAC;AAAA,2BAC9C,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,YAMtB;AAAA,UACF;AAGA,gBAAM,YAAY,OAAO,QAAQ,EAAE,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC,MAAM,OAAO,MAAM,UAAU;AAC9E,cAAI,UAAU,SAAS,GAAG;AACxB,kBAAM,UAAU,OAAO,YAAY,SAAS;AAC5C,uBAAW,4BAA4B,KAAK,UAAU,IAAI,CAAC,MAAM,KAAK,UAAU,OAAO,CAAC;AAAA;AAAA,UAC1F;AAEA,gBAAM,QAAQ,KAAK,OAAO;AAAA,QAC5B,OAAO;AAEL,gBAAM,QAAQ;AAAA,YACZ,cAAc,KAAK,UAAU,IAAI,CAAC,OAAO,KAAK,UAAU,KAAK,CAAC;AAAA,UAChE;AAAA,QACF;AAAA,MACF;AAGA,YAAM,cAAc,IAAI,IAAI;AAC5B,YAAM,SAAS,MAAM,QAAQ,cAAc,WAAW;AACtD,YAAM,SAAS,MAAM,OAAO,IAAI,SAAS;AAAA,QACvC,SAAS,KAAK;AAAA,QACd,SAAS;AAAA,QACT,MAAM;AAAA,MACR,CAAC;AAED,cAAQ,QAAQ;AAChB,aAAO,EAAE,QAAQ,KAAK;AAAA,IACxB,SAAS,KAAK;AACZ,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,QACtD;AAAA,MACF;AAAA,IACF,UAAE;AACA,UAAI,CAAC,QAAQ,YAAY;AACvB,gBAAQ,QAAQ;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,uBAAuB,OAAyB;AACvD,SACE,OAAO,UAAU,YACjB,UAAU,QACV,CAAC,MAAM,QAAQ,KAAK,KACpB,OAAO,OAAO,KAAgC,EAAE;AAAA,IAC9C,CAAC,MAAM,OAAO,MAAM;AAAA,EACtB;AAEJ;AAEA,SAAS,UAAU,OAAwB;AACzC,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI;AACF,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B,QAAQ;AACN,WAAO,OAAO,KAAK;AAAA,EACrB;AACF;","names":[]}

package/dist/chunk-PZ5AY32C.js

@@ -0,0 +1,10 @@
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+export {
+  __export
+};
+//# sourceMappingURL=chunk-PZ5AY32C.js.map

package/dist/chunk-PZ5AY32C.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/chunk-ZWSO33DZ.js

@@ -0,0 +1,148 @@
+// src/executor/quickjs.ts
+var QuickJSExecutor = class {
+  memoryBytes;
+  timeoutMs;
+  constructor(options = {}) {
+    this.memoryBytes = (options.memoryMB ?? 64) * 1024 * 1024;
+    this.timeoutMs = options.timeoutMs ?? 3e4;
+  }
+  async execute(code, globals) {
+    const qjs = await import("quickjs-emscripten");
+    const logs = [];
+    const vm = await qjs.newAsyncContext();
+    const runtime = vm.runtime;
+    runtime.setMemoryLimit(this.memoryBytes);
+    runtime.setMaxStackSize(1024 * 320);
+    const deadline = Date.now() + this.timeoutMs;
+    runtime.setInterruptHandler(() => Date.now() > deadline);
+    try {
+      injectConsole(vm, logs);
+      for (const [name, value] of Object.entries(globals)) {
+        if (typeof value === "function") {
+          injectAsyncFunction(vm, name, value);
+        } else if (typeof value === "object" && value !== null && !Array.isArray(value) && Object.values(value).some((v) => typeof v === "function")) {
+          injectNamespace(vm, name, value);
+        } else {
+          const jsonStr = JSON.stringify(value);
+          const handle = vm.evalCode(`(${jsonStr})`);
+          if (handle.error) {
+            handle.error.dispose();
+          } else {
+            vm.setProp(vm.global, name, handle.value);
+            handle.value.dispose();
+          }
+        }
+      }
+      const wrappedCode = `(${code})()`;
+      const resultHandle = await vm.evalCodeAsync(wrappedCode);
+      if (resultHandle.error) {
+        let error = vm.dump(resultHandle.error);
+        try {
+          resultHandle.error.dispose();
+        } catch {
+        }
+        if (typeof error === "object" && error?.type === "rejected") {
+          error = error.reason;
+        }
+        return {
+          result: void 0,
+          error: typeof error === "object" && error?.message ? error.message : String(error),
+          logs
+        };
+      }
+      let result = vm.dump(resultHandle.value);
+      try {
+        resultHandle.value.dispose();
+      } catch {
+      }
+      result = unwrapPromiseResult(result);
+      return { result, logs };
+    } catch (err) {
+      return {
+        result: void 0,
+        error: err instanceof Error ? err.message : String(err),
+        logs
+      };
+    } finally {
+      try {
+        vm.dispose();
+      } catch {
+      }
+      try {
+        runtime.dispose();
+      } catch {
+      }
+    }
+  }
+};
+function injectConsole(vm, logs) {
+  const consoleObj = vm.newObject();
+  const logFn = vm.newFunction("log", (...args) => {
+    const values = args.map((h) => vm.dump(h));
+    logs.push(values.map((v) => typeof v === "string" ? v : JSON.stringify(v)).join(" "));
+  });
+  vm.setProp(consoleObj, "log", logFn);
+  vm.setProp(consoleObj, "warn", logFn);
+  vm.setProp(consoleObj, "error", logFn);
+  vm.setProp(vm.global, "console", consoleObj);
+  logFn.dispose();
+  consoleObj.dispose();
+}
+function injectAsyncFunction(vm, name, fn) {
+  const handle = vm.newAsyncifiedFunction(name, async (...argHandles) => {
+    const args = argHandles.map((h) => vm.dump(h));
+    const result = await fn(...args);
+    return marshalToVM(vm, result);
+  });
+  vm.setProp(vm.global, name, handle);
+  handle.dispose();
+}
+function injectNamespace(vm, name, ns) {
+  const nsObj = vm.newObject();
+  for (const [key, value] of Object.entries(ns)) {
+    if (typeof value === "function") {
+      const handle = vm.newAsyncifiedFunction(key, async (...argHandles) => {
+        const args = argHandles.map((h) => vm.dump(h));
+        const result = await value(...args);
+        return marshalToVM(vm, result);
+      });
+      vm.setProp(nsObj, key, handle);
+      handle.dispose();
+    } else {
+      const jsonStr = JSON.stringify(value);
+      const handle = vm.evalCode(`(${jsonStr})`);
+      if (!handle.error) {
+        vm.setProp(nsObj, key, handle.value);
+        handle.value.dispose();
+      } else {
+        handle.error.dispose();
+      }
+    }
+  }
+  vm.setProp(vm.global, name, nsObj);
+  nsObj.dispose();
+}
+function unwrapPromiseResult(result) {
+  if (typeof result === "object" && result !== null && "type" in result && result.type === "fulfilled" && "value" in result) {
+    return result.value;
+  }
+  return result;
+}
+function marshalToVM(vm, value) {
+  if (value === void 0 || value === null) return vm.undefined;
+  if (typeof value === "string") return vm.newString(value);
+  if (typeof value === "number") return vm.newNumber(value);
+  if (typeof value === "boolean") return value ? vm.true : vm.false;
+  const jsonStr = JSON.stringify(value);
+  const result = vm.evalCode(`(${jsonStr})`);
+  if (result.error) {
+    result.error.dispose();
+    return vm.undefined;
+  }
+  return result.value;
+}
+
+export {
+  QuickJSExecutor
+};
+//# sourceMappingURL=chunk-ZWSO33DZ.js.map

package/dist/chunk-ZWSO33DZ.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/executor/quickjs.ts"],"sourcesContent":["import type { Executor, ExecuteResult, SandboxOptions } from \"../types.js\";\n\n/**\n * Executor implementation using quickjs-emscripten (QuickJS compiled to WASM).\n * Requires `quickjs-emscripten` as a peer dependency.\n *\n * Advantages over isolated-vm:\n * - Pure WASM, no native dependencies (works everywhere including Bun)\n * - WASM-level sandbox isolation\n *\n * Tradeoffs:\n * - ~3-5x slower than V8 for compute (negligible for API orchestration)\n * - Only one async suspension at a time per module\n */\nexport class QuickJSExecutor implements Executor {\n  private memoryBytes: number;\n  private timeoutMs: number;\n\n  constructor(options: SandboxOptions = {}) {\n    this.memoryBytes = (options.memoryMB ?? 64) * 1024 * 1024;\n    this.timeoutMs = options.timeoutMs ?? 30_000;\n  }\n\n  async execute(\n    code: string,\n    globals: Record<string, unknown>,\n  ): Promise<ExecuteResult> {\n    const qjs = await import(\"quickjs-emscripten\");\n    const logs: string[] = [];\n\n    // Use the convenience function that manages module/runtime lifecycle\n    const vm = await qjs.newAsyncContext();\n    const runtime = vm.runtime;\n\n    runtime.setMemoryLimit(this.memoryBytes);\n    runtime.setMaxStackSize(1024 * 320); // 320KB stack\n\n    // Interrupt after timeout\n    const deadline = Date.now() + this.timeoutMs;\n    runtime.setInterruptHandler(() => Date.now() > deadline);\n\n    try {\n      // Inject console\n      injectConsole(vm, logs);\n\n      // Inject globals\n      for (const [name, value] of Object.entries(globals)) {\n        if (typeof value === \"function\") {\n          injectAsyncFunction(vm, name, value as (...args: unknown[]) => unknown);\n        } else if (\n          typeof value === \"object\" &&\n          value !== null &&\n          !Array.isArray(value) &&\n          Object.values(value as Record<string, unknown>).some((v) => typeof v === \"function\")\n        ) {\n          injectNamespace(vm, name, value as Record<string, unknown>);\n        } else {\n          // Inject as JSON data\n          const jsonStr = JSON.stringify(value);\n          const handle = vm.evalCode(`(${jsonStr})`);\n          if (handle.error) {\n            handle.error.dispose();\n          } else {\n            vm.setProp(vm.global, name, handle.value);\n            handle.value.dispose();\n          }\n        }\n      }\n\n      // Execute the code\n      const wrappedCode = `(${code})()`;\n      const resultHandle = await vm.evalCodeAsync(wrappedCode);\n\n      if (resultHandle.error) {\n        let error = vm.dump(resultHandle.error);\n        try { resultHandle.error.dispose(); } catch { /* already disposed */ }\n        // Unwrap rejected promise wrapper\n        if (typeof error === \"object\" && error?.type === \"rejected\") {\n          error = error.reason;\n        }\n        return {\n          result: undefined,\n          error: typeof error === \"object\" && error?.message ? error.message : String(error),\n          logs,\n        };\n      }\n\n      let result = vm.dump(resultHandle.value);\n      // The value handle from async evaluation may already be managed/disposed\n      // by the runtime, so we guard the dispose call\n      try { resultHandle.value.dispose(); } catch { /* already disposed */ }\n\n      // evalCodeAsync wraps async results as { type: 'fulfilled', value } or { type: 'rejected', reason }\n      result = unwrapPromiseResult(result);\n\n      return { result, logs };\n    } catch (err) {\n      return {\n        result: undefined,\n        error: err instanceof Error ? err.message : String(err),\n        logs,\n      };\n    } finally {\n      // Dispose context first, then runtime\n      // Use try/catch because quickjs-emscripten can throw during\n      // cleanup when host references are freed\n      try { vm.dispose(); } catch { /* ignore cleanup errors */ }\n      try { runtime.dispose(); } catch { /* ignore cleanup errors */ }\n    }\n  }\n}\n\nfunction injectConsole(vm: any, logs: string[]): void {\n  const consoleObj = vm.newObject();\n\n  const logFn = vm.newFunction(\"log\", (...args: any[]) => {\n    const values = args.map((h: any) => vm.dump(h));\n    logs.push(values.map((v: unknown) => (typeof v === \"string\" ? v : JSON.stringify(v))).join(\" \"));\n  });\n\n  vm.setProp(consoleObj, \"log\", logFn);\n  vm.setProp(consoleObj, \"warn\", logFn);\n  vm.setProp(consoleObj, \"error\", logFn);\n  vm.setProp(vm.global, \"console\", consoleObj);\n\n  logFn.dispose();\n  consoleObj.dispose();\n}\n\nfunction injectAsyncFunction(\n  vm: any,\n  name: string,\n  fn: (...args: unknown[]) => unknown,\n): void {\n  const handle = vm.newAsyncifiedFunction(name, async (...argHandles: any[]) => {\n    const args = argHandles.map((h: any) => vm.dump(h));\n    const result = await fn(...args);\n    return marshalToVM(vm, result);\n  });\n  vm.setProp(vm.global, name, handle);\n  handle.dispose();\n}\n\nfunction injectNamespace(\n  vm: any,\n  name: string,\n  ns: Record<string, unknown>,\n): void {\n  const nsObj = vm.newObject();\n\n  for (const [key, value] of Object.entries(ns)) {\n    if (typeof value === \"function\") {\n      const handle = vm.newAsyncifiedFunction(key, async (...argHandles: any[]) => {\n        const args = argHandles.map((h: any) => vm.dump(h));\n        const result = await value(...args);\n        return marshalToVM(vm, result);\n      });\n      vm.setProp(nsObj, key, handle);\n      handle.dispose();\n    } else {\n      const jsonStr = JSON.stringify(value);\n      const handle = vm.evalCode(`(${jsonStr})`);\n      if (!handle.error) {\n        vm.setProp(nsObj, key, handle.value);\n        handle.value.dispose();\n      } else {\n        handle.error.dispose();\n      }\n    }\n  }\n\n  vm.setProp(vm.global, name, nsObj);\n  nsObj.dispose();\n}\n\n/**\n * When evalCodeAsync runs an async arrow function, the dump of the result\n * is `{ type: 'fulfilled', value: X }` instead of just `X`.\n * This unwraps it.\n */\nfunction unwrapPromiseResult(result: unknown): unknown {\n  if (\n    typeof result === \"object\" &&\n    result !== null &&\n    \"type\" in result &&\n    (result as any).type === \"fulfilled\" &&\n    \"value\" in result\n  ) {\n    return (result as any).value;\n  }\n  return result;\n}\n\nfunction marshalToVM(vm: any, value: unknown): any {\n  if (value === undefined || value === null) return vm.undefined;\n  if (typeof value === \"string\") return vm.newString(value);\n  if (typeof value === \"number\") return vm.newNumber(value);\n  if (typeof value === \"boolean\") return value ? vm.true : vm.false;\n\n  // For objects/arrays, serialize to JSON and parse inside VM\n  const jsonStr = JSON.stringify(value);\n  const result = vm.evalCode(`(${jsonStr})`);\n  if (result.error) {\n    result.error.dispose();\n    return vm.undefined;\n  }\n  return result.value;\n}\n"],"mappings":";AAcO,IAAM,kBAAN,MAA0C;AAAA,EACvC;AAAA,EACA;AAAA,EAER,YAAY,UAA0B,CAAC,GAAG;AACxC,SAAK,eAAe,QAAQ,YAAY,MAAM,OAAO;AACrD,SAAK,YAAY,QAAQ,aAAa;AAAA,EACxC;AAAA,EAEA,MAAM,QACJ,MACA,SACwB;AACxB,UAAM,MAAM,MAAM,OAAO,oBAAoB;AAC7C,UAAM,OAAiB,CAAC;AAGxB,UAAM,KAAK,MAAM,IAAI,gBAAgB;AACrC,UAAM,UAAU,GAAG;AAEnB,YAAQ,eAAe,KAAK,WAAW;AACvC,YAAQ,gBAAgB,OAAO,GAAG;AAGlC,UAAM,WAAW,KAAK,IAAI,IAAI,KAAK;AACnC,YAAQ,oBAAoB,MAAM,KAAK,IAAI,IAAI,QAAQ;AAEvD,QAAI;AAEF,oBAAc,IAAI,IAAI;AAGtB,iBAAW,CAAC,MAAM,KAAK,KAAK,OAAO,QAAQ,OAAO,GAAG;AACnD,YAAI,OAAO,UAAU,YAAY;AAC/B,8BAAoB,IAAI,MAAM,KAAwC;AAAA,QACxE,WACE,OAAO,UAAU,YACjB,UAAU,QACV,CAAC,MAAM,QAAQ,KAAK,KACpB,OAAO,OAAO,KAAgC,EAAE,KAAK,CAAC,MAAM,OAAO,MAAM,UAAU,GACnF;AACA,0BAAgB,IAAI,MAAM,KAAgC;AAAA,QAC5D,OAAO;AAEL,gBAAM,UAAU,KAAK,UAAU,KAAK;AACpC,gBAAM,SAAS,GAAG,SAAS,IAAI,OAAO,GAAG;AACzC,cAAI,OAAO,OAAO;AAChB,mBAAO,MAAM,QAAQ;AAAA,UACvB,OAAO;AACL,eAAG,QAAQ,GAAG,QAAQ,MAAM,OAAO,KAAK;AACxC,mBAAO,MAAM,QAAQ;AAAA,UACvB;AAAA,QACF;AAAA,MACF;AAGA,YAAM,cAAc,IAAI,IAAI;AAC5B,YAAM,eAAe,MAAM,GAAG,cAAc,WAAW;AAEvD,UAAI,aAAa,OAAO;AACtB,YAAI,QAAQ,GAAG,KAAK,aAAa,KAAK;AACtC,YAAI;AAAE,uBAAa,MAAM,QAAQ;AAAA,QAAG,QAAQ;AAAA,QAAyB;AAErE,YAAI,OAAO,UAAU,YAAY,OAAO,SAAS,YAAY;AAC3D,kBAAQ,MAAM;AAAA,QAChB;AACA,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,OAAO,OAAO,UAAU,YAAY,OAAO,UAAU,MAAM,UAAU,OAAO,KAAK;AAAA,UACjF;AAAA,QACF;AAAA,MACF;AAEA,UAAI,SAAS,GAAG,KAAK,aAAa,KAAK;AAGvC,UAAI;AAAE,qBAAa,MAAM,QAAQ;AAAA,MAAG,QAAQ;AAAA,MAAyB;AAGrE,eAAS,oBAAoB,MAAM;AAEnC,aAAO,EAAE,QAAQ,KAAK;AAAA,IACxB,SAAS,KAAK;AACZ,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,QACtD;AAAA,MACF;AAAA,IACF,UAAE;AAIA,UAAI;AAAE,WAAG,QAAQ;AAAA,MAAG,QAAQ;AAAA,MAA8B;AAC1D,UAAI;AAAE,gBAAQ,QAAQ;AAAA,MAAG,QAAQ;AAAA,MAA8B;AAAA,IACjE;AAAA,EACF;AACF;AAEA,SAAS,cAAc,IAAS,MAAsB;AACpD,QAAM,aAAa,GAAG,UAAU;AAEhC,QAAM,QAAQ,GAAG,YAAY,OAAO,IAAI,SAAgB;AACtD,UAAM,SAAS,KAAK,IAAI,CAAC,MAAW,GAAG,KAAK,CAAC,CAAC;AAC9C,SAAK,KAAK,OAAO,IAAI,CAAC,MAAgB,OAAO,MAAM,WAAW,IAAI,KAAK,UAAU,CAAC,CAAE,EAAE,KAAK,GAAG,CAAC;AAAA,EACjG,CAAC;AAED,KAAG,QAAQ,YAAY,OAAO,KAAK;AACnC,KAAG,QAAQ,YAAY,QAAQ,KAAK;AACpC,KAAG,QAAQ,YAAY,SAAS,KAAK;AACrC,KAAG,QAAQ,GAAG,QAAQ,WAAW,UAAU;AAE3C,QAAM,QAAQ;AACd,aAAW,QAAQ;AACrB;AAEA,SAAS,oBACP,IACA,MACA,IACM;AACN,QAAM,SAAS,GAAG,sBAAsB,MAAM,UAAU,eAAsB;AAC5E,UAAM,OAAO,WAAW,IAAI,CAAC,MAAW,GAAG,KAAK,CAAC,CAAC;AAClD,UAAM,SAAS,MAAM,GAAG,GAAG,IAAI;AAC/B,WAAO,YAAY,IAAI,MAAM;AAAA,EAC/B,CAAC;AACD,KAAG,QAAQ,GAAG,QAAQ,MAAM,MAAM;AAClC,SAAO,QAAQ;AACjB;AAEA,SAAS,gBACP,IACA,MACA,IACM;AACN,QAAM,QAAQ,GAAG,UAAU;AAE3B,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,EAAE,GAAG;AAC7C,QAAI,OAAO,UAAU,YAAY;AAC/B,YAAM,SAAS,GAAG,sBAAsB,KAAK,UAAU,eAAsB;AAC3E,cAAM,OAAO,WAAW,IAAI,CAAC,MAAW,GAAG,KAAK,CAAC,CAAC;AAClD,cAAM,SAAS,MAAM,MAAM,GAAG,IAAI;AAClC,eAAO,YAAY,IAAI,MAAM;AAAA,MAC/B,CAAC;AACD,SAAG,QAAQ,OAAO,KAAK,MAAM;AAC7B,aAAO,QAAQ;AAAA,IACjB,OAAO;AACL,YAAM,UAAU,KAAK,UAAU,KAAK;AACpC,YAAM,SAAS,GAAG,SAAS,IAAI,OAAO,GAAG;AACzC,UAAI,CAAC,OAAO,OAAO;AACjB,WAAG,QAAQ,OAAO,KAAK,OAAO,KAAK;AACnC,eAAO,MAAM,QAAQ;AAAA,MACvB,OAAO;AACL,eAAO,MAAM,QAAQ;AAAA,MACvB;AAAA,IACF;AAAA,EACF;AAEA,KAAG,QAAQ,GAAG,QAAQ,MAAM,KAAK;AACjC,QAAM,QAAQ;AAChB;AAOA,SAAS,oBAAoB,QAA0B;AACrD,MACE,OAAO,WAAW,YAClB,WAAW,QACX,UAAU,UACT,OAAe,SAAS,eACzB,WAAW,QACX;AACA,WAAQ,OAAe;AAAA,EACzB;AACA,SAAO;AACT;AAEA,SAAS,YAAY,IAAS,OAAqB;AACjD,MAAI,UAAU,UAAa,UAAU,KAAM,QAAO,GAAG;AACrD,MAAI,OAAO,UAAU,SAAU,QAAO,GAAG,UAAU,KAAK;AACxD,MAAI,OAAO,UAAU,SAAU,QAAO,GAAG,UAAU,KAAK;AACxD,MAAI,OAAO,UAAU,UAAW,QAAO,QAAQ,GAAG,OAAO,GAAG;AAG5D,QAAM,UAAU,KAAK,UAAU,KAAK;AACpC,QAAM,SAAS,GAAG,SAAS,IAAI,OAAO,GAAG;AACzC,MAAI,OAAO,OAAO;AAChB,WAAO,MAAM,QAAQ;AACrB,WAAO,GAAG;AAAA,EACZ;AACA,SAAO,OAAO;AAChB;","names":[]}