@ruifung/codemode-bridge 1.0.6 → 1.0.8

package/dist/cli/commands.d.ts

@@ -6,7 +6,7 @@
 /**
  * Run the bridge server
  */
-export declare function runServer(configPath?: string, servers?: string[], debug?: boolean): Promise<void>;
+export declare function runServer(configPath?: string, servers?: string[], debug?: boolean, executor?: string): Promise<void>;
 /**
  * List all configured servers
  */

package/dist/cli/commands.js

@@ -4,23 +4,25 @@
  * Implements subcommands for managing and running the bridge
  */
 import chalk from "chalk";
-import * as fs from "fs";
-import * as path from "path";
+import * as fs from "node:fs";
+import * as path from "node:path";
 import { loadConfig, saveConfig, addServer, removeServer, updateServer, getServer, listServers, validateServer, getConfigFilePath, } from "./config-manager.js";
 import { startCodeModeBridgeServer } from "../mcp/server.js";
 import { getServerConfig } from "../mcp/config.js";
 import { initializeLogger, logInfo, logError, flushStderrBuffer } from "../utils/logger.js";
+import { getRuntimeName } from "../utils/env.js";
 import { tokenPersistence } from "../mcp/token-persistence.js";
 import { MCPClient } from "../mcp/mcp-client.js";
 /**
  * Run the bridge server
  */
-export async function runServer(configPath, servers, debug) {
+export async function runServer(configPath, servers, debug, executor) {
     try {
         // Initialize logger with debug mode if requested
         initializeLogger(debug);
         console.error(chalk.cyan("\n🚀 Code Mode Bridge"));
         console.error(chalk.cyan("====================\n"));
+        logInfo(`Runtime: ${getRuntimeName()}`, { component: 'CLI' });
         // Load the bridge configuration
         const bridgeConfig = loadConfig(configPath);
         logInfo(`Loaded config from: ${getConfigFilePath(configPath)}`, { component: 'CLI' });
@@ -53,7 +55,7 @@ export async function runServer(configPath, servers, debug) {
         }
         logInfo(`Starting bridge with ${serverConfigs.length} server(s)`, { component: 'CLI' });
         // Start the MCP bridge server
-        await startCodeModeBridgeServer(serverConfigs);
+        await startCodeModeBridgeServer(serverConfigs, executor);
         // Flush buffered stderr output from stdio tools now that Bridge is fully running
         flushStderrBuffer();
         logInfo("Bridge is running!", { component: 'CLI' });

package/dist/cli/config-manager.js

@@ -4,8 +4,8 @@
  * Manages the bridge configuration stored in .config/codemode-bridge/mcp.json
  * Provides utilities to load, save, and manipulate the configuration
  */
-import * as fs from "fs";
-import * as path from "path";
+import * as fs from "node:fs";
+import * as path from "node:path";
 /**
  * Get the default config directory for the current platform
  */

package/dist/cli/index.js

@@ -19,7 +19,7 @@
 import { Command } from "commander";
 import { runServer, listServersCommand, showServerCommand, addServerCommand, removeServerCommand, editServerCommand, configInfoCommand, authLoginCommand, authLogoutCommand, authListCommand, } from "./commands.js";
 import { getConfigFilePath } from "./config-manager.js";
-import * as fs from "fs";
+import * as fs from "node:fs";
 const pkg = JSON.parse(fs.readFileSync(new URL("../../package.json", import.meta.url), "utf-8"));
 const defaultConfigPath = getConfigFilePath();
 const program = new Command();
@@ -34,9 +34,10 @@ program
     .option("-c, --config <path>", `Path to mcp.json configuration file (default: ${defaultConfigPath})`)
     .option("-s, --servers <names>", "Comma-separated list of servers to connect to")
     .option("-d, --debug", "Enable debug logging")
+    .option("-e, --executor <type>", "Executor type (isolated-vm, container, deno, vm2)")
     .action(async (options) => {
     const servers = options.servers ? options.servers.split(",").map((s) => s.trim()) : undefined;
-    await runServer(options.config, servers, options.debug);
+    await runServer(options.config, servers, options.debug, options.executor);
 });
 // Config command group
 const config = program.command("config").description("Manage bridge configuration").enablePositionalOptions();

package/dist/executor/container-executor.d.ts

@@ -18,8 +18,12 @@ import type { Executor, ExecuteResult } from '@cloudflare/codemode';
 export interface ContainerExecutorOptions {
     /** Execution timeout per call in ms (default 30000) */
     timeout?: number;
-    /** Container image (default 'node:22-slim') */
+    /** Container image (default 'node:24-slim') */
     image?: string;
+    /** Container user (default based on image) */
+    user?: string;
+    /** Container command to run the runner (default based on image) */
+    command?: string[];
     /** Container runtime command — 'docker' | 'podman' | auto-detect */
     runtime?: string;
     /** Memory limit (default '256m') */
@@ -30,6 +34,8 @@ export interface ContainerExecutorOptions {
 export declare class ContainerExecutor implements Executor {
     private runtime;
     private image;
+    private containerUser;
+    private containerCommand;
     private timeout;
     private memoryLimit;
     private cpuLimit;

package/dist/executor/container-executor.js

@@ -20,6 +20,7 @@ import { createInterface } from 'node:readline';
 import { fileURLToPath } from 'node:url';
 import { dirname, join } from 'node:path';
 import { wrapCode } from './wrap-code.js';
+import { isBun, isDeno } from '../utils/env.js';
 // ── Runtime detection ───────────────────────────────────────────────
 function detectRuntime(requested) {
     if (requested)
@@ -67,10 +68,37 @@ export class ContainerExecutor {
         this.pendingExecution = null;
         this.initPromise = null;
         this.timeout = options.timeout ?? 30000;
-        this.image = options.image ?? 'node:24-slim';
         this.memoryLimit = options.memoryLimit ?? '256m';
         this.cpuLimit = options.cpuLimit ?? 1.0;
         this.runtime = detectRuntime(options.runtime);
+        // Platform-specific defaults
+        if (options.image) {
+            this.image = options.image;
+            this.containerUser = options.user ?? '1000';
+            this.containerCommand = options.command ?? ['node'];
+        }
+        else if (isBun()) {
+            this.image = 'oven/bun:debian';
+            this.containerUser = options.user ?? '1000'; // bun user is 1000
+            this.containerCommand = ['bun', 'run'];
+        }
+        else if (isDeno()) {
+            this.image = 'denoland/deno:debian';
+            this.containerUser = options.user ?? '1000'; // deno:debian has no 'deno' user by default
+            this.containerCommand = ['deno', 'run', '-A'];
+        }
+        else {
+            this.image = 'node:24-slim';
+            this.containerUser = options.user ?? '1000'; // node user is 1000
+            this.containerCommand = ['node'];
+        }
+        // Start initialization immediately to create the container before the first execution.
+        if (process.env.DEBUG || process.env.NODE_ENV === 'test') {
+            console.log(`[ContainerExecutor] Using image: ${this.image}, user: ${this.containerUser}, command: ${this.containerCommand.join(' ')}`);
+        }
+        this.init().catch(err => {
+            process.stderr.write(`[container-executor] Immediate initialization failed: ${err.message}\n`);
+        });
     }
     /**
      * Start the container and wait for the runner to signal readiness.
@@ -140,7 +168,7 @@ export class ContainerExecutor {
             '--read-only', // immutable rootfs
             '--tmpfs', '/tmp:rw,noexec,nosuid,size=64m', // writable /tmp
             '--cap-drop=ALL', // drop all capabilities
-            '--user', 'node', // run as non-root user
+            '--user', this.containerUser,
             '--memory', this.memoryLimit,
             `--cpus=${this.cpuLimit}`,
             '--pids-limit=64', // limit process spawning
@@ -148,7 +176,7 @@ export class ContainerExecutor {
             '-v', `${scripts.worker}:/app/container-worker.mjs:ro`, // mount worker script
             '-w', '/app',
             this.image,
-            'node', '/app/container-runner.mjs',
+            ...this.containerCommand, '/app/container-runner.mjs',
         ];
         this.process = spawn(this.runtime, args, {
             stdio: ['pipe', 'pipe', 'pipe'],

package/dist/executor/deno-executor.d.ts

@@ -0,0 +1,26 @@
+import type { Executor, ExecuteResult } from '@cloudflare/codemode';
+export interface DenoExecutorOptions {
+    /** Execution timeout per call in ms (default 30000) */
+    timeout?: number;
+    /** Deno executable path — 'deno' | auto-detect */
+    denoPath?: string;
+}
+export declare class DenoExecutor implements Executor {
+    private denoPath;
+    private timeout;
+    private process;
+    private readline;
+    private ready;
+    private readyResolve;
+    private pendingExecution;
+    private initPromise;
+    constructor(options?: DenoExecutorOptions);
+    private init;
+    private _init;
+    private handleMessage;
+    private handleToolCall;
+    private send;
+    execute(code: string, fns: Record<string, (...args: unknown[]) => Promise<unknown>>): Promise<ExecuteResult>;
+    dispose(): void;
+}
+export declare function createDenoExecutor(options?: DenoExecutorOptions): DenoExecutor;

package/dist/executor/deno-executor.js

@@ -0,0 +1,251 @@
+import { spawn, execSync } from 'node:child_process';
+import { createInterface } from 'node:readline';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
+import { wrapCode } from './wrap-code.js';
+// ── Runtime detection ───────────────────────────────────────────────
+function detectDeno(requested) {
+    if (requested)
+        return requested;
+    // If we are already running on Deno, use the current executable path
+    if (typeof globalThis.Deno?.execPath === 'function') {
+        return globalThis.Deno.execPath();
+    }
+    // Try 'deno' command in PATH
+    try {
+        execSync('deno --version', { stdio: 'ignore' });
+        return 'deno';
+    }
+    catch {
+        // not available
+    }
+    throw new Error('Deno executable not found. Install Deno or set DENO_PATH environment variable.');
+}
+// ── Resolve runner script path ──────────────────────────────────────
+function getScriptPaths() {
+    let dir;
+    try {
+        dir = dirname(fileURLToPath(import.meta.url));
+    }
+    catch {
+        dir = __dirname;
+    }
+    return {
+        runner: join(dir, 'container-runner.mjs'),
+        worker: join(dir, 'container-worker.mjs'),
+    };
+}
+// ── DenoExecutor ────────────────────────────────────────────────────
+export class DenoExecutor {
+    constructor(options = {}) {
+        this.process = null;
+        this.readline = null;
+        this.ready = false;
+        this.readyResolve = null;
+        this.pendingExecution = null;
+        this.initPromise = null;
+        this.timeout = options.timeout ?? 30000;
+        this.denoPath = detectDeno(options.denoPath);
+        this.init().catch(err => {
+            process.stderr.write(`[deno-executor] Immediate initialization failed: ${err.message}\n`);
+        });
+    }
+    async init() {
+        if (this.ready)
+            return;
+        if (this.initPromise)
+            return this.initPromise;
+        this.initPromise = this._init();
+        return this.initPromise;
+    }
+    async _init() {
+        const scripts = getScriptPaths();
+        // Start a long-lived Deno process with restricted permissions
+        const args = [
+            'run',
+            '--no-prompt',
+            '--no-config',
+            '--no-npm',
+            '--no-remote',
+            '--allow-read=' + scripts.runner + ',' + scripts.worker,
+            '--deny-net',
+            '--deny-write',
+            '--deny-run',
+            '--deny-env',
+            '--deny-sys',
+            '--deny-ffi',
+        ];
+        args.push(scripts.runner);
+        this.process = spawn(this.denoPath, args, {
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        this.process.stderr?.on('data', (data) => {
+            process.stderr.write(`[deno] ${data.toString()}`);
+        });
+        this.process.on('exit', (code) => {
+            this.ready = false;
+            if (this.pendingExecution) {
+                clearTimeout(this.pendingExecution.timeoutHandle);
+                this.pendingExecution.reject(new Error(`Deno process exited unexpectedly with code ${code}`));
+                this.pendingExecution = null;
+            }
+        });
+        this.readline = createInterface({
+            input: this.process.stdout,
+            terminal: false,
+        });
+        this.readline.on('line', (line) => this.handleMessage(line));
+        await new Promise((resolve, reject) => {
+            const timeout = setTimeout(() => {
+                reject(new Error('Deno process failed to become ready within 10s'));
+            }, 10000);
+            this.readyResolve = () => {
+                clearTimeout(timeout);
+                this.ready = true;
+                this.readyResolve = null;
+                resolve();
+            };
+            this.process.on('error', (err) => {
+                clearTimeout(timeout);
+                this.readyResolve = null;
+                reject(new Error(`Failed to start Deno: ${err.message}`));
+            });
+        });
+    }
+    handleMessage(line) {
+        if (!line.trim())
+            return;
+        let msg;
+        try {
+            msg = JSON.parse(line);
+        }
+        catch {
+            process.stderr.write(`[deno-executor] bad JSON from deno: ${line}\n`);
+            return;
+        }
+        switch (msg.type) {
+            case 'tool-call':
+                this.handleToolCall(msg);
+                break;
+            case 'result':
+                if (this.pendingExecution && this.pendingExecution.id === msg.id) {
+                    clearTimeout(this.pendingExecution.timeoutHandle);
+                    this.pendingExecution.resolve({
+                        result: msg.result,
+                        logs: msg.logs,
+                    });
+                    this.pendingExecution = null;
+                }
+                break;
+            case 'error':
+                if (this.pendingExecution && this.pendingExecution.id === msg.id) {
+                    clearTimeout(this.pendingExecution.timeoutHandle);
+                    this.pendingExecution.resolve({
+                        result: undefined,
+                        error: msg.error,
+                        logs: msg.logs,
+                    });
+                    this.pendingExecution = null;
+                }
+                break;
+            case 'ready':
+                if (this.readyResolve) {
+                    this.readyResolve();
+                }
+                break;
+        }
+    }
+    async handleToolCall(msg) {
+        if (!this.pendingExecution) {
+            this.send({ type: 'tool-error', id: msg.id, error: 'No active execution context' });
+            return;
+        }
+        const fns = this.pendingExecution.fns;
+        const fn = fns[msg.name];
+        if (!fn) {
+            this.send({
+                type: 'tool-error',
+                id: msg.id,
+                error: `Tool '${msg.name}' not found. Available tools: ${Object.keys(fns).join(', ')}`,
+            });
+            return;
+        }
+        try {
+            const args = msg.args;
+            const result = await fn(...(Array.isArray(args) ? args : [args]));
+            this.send({ type: 'tool-result', id: msg.id, result });
+        }
+        catch (err) {
+            this.send({
+                type: 'tool-error',
+                id: msg.id,
+                error: err instanceof Error ? err.message : String(err),
+            });
+        }
+    }
+    send(msg) {
+        if (!this.process?.stdin?.writable) {
+            throw new Error('Deno stdin is not writable');
+        }
+        this.process.stdin.write(JSON.stringify(msg) + '\n');
+    }
+    async execute(code, fns) {
+        await this.init();
+        if (this.pendingExecution) {
+            return {
+                result: undefined,
+                error: 'Another execution is already in progress',
+            };
+        }
+        const id = `exec-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+        const wrappedCode = wrapCode(code);
+        return new Promise((resolve, reject) => {
+            const timeoutHandle = setTimeout(() => {
+                if (this.pendingExecution?.id === id) {
+                    this.pendingExecution = null;
+                    resolve({
+                        result: undefined,
+                        error: `Code execution timeout after ${this.timeout}ms`,
+                    });
+                }
+            }, this.timeout);
+            this.pendingExecution = { id, resolve, reject, fns, timeoutHandle };
+            this.send({ type: 'execute', id, code: wrappedCode });
+        });
+    }
+    dispose() {
+        if (this.pendingExecution) {
+            clearTimeout(this.pendingExecution.timeoutHandle);
+            this.pendingExecution.reject(new Error('Executor disposed'));
+            this.pendingExecution = null;
+        }
+        if (this.process?.stdin?.writable) {
+            try {
+                this.send({ type: 'shutdown' });
+            }
+            catch {
+                // ignore
+            }
+        }
+        if (this.readline) {
+            this.readline.close();
+            this.readline = null;
+        }
+        if (this.process) {
+            this.process.kill('SIGTERM');
+            const proc = this.process;
+            setTimeout(() => {
+                try {
+                    proc.kill('SIGKILL');
+                }
+                catch { /* already dead */ }
+            }, 2000);
+            this.process = null;
+        }
+        this.ready = false;
+        this.initPromise = null;
+    }
+}
+export function createDenoExecutor(options) {
+    return new DenoExecutor(options);
+}

package/dist/executor/executor-test-suite.js

@@ -1,4 +1,5 @@
 import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
+import { getRuntimeName } from '../utils/env.js';
 export function createExecutorTestSuite(name, createExecutor, options) {
     const skipSet = new Set(options?.skipTests ?? []);
     /** Use it.skip for tests in the skip list, it otherwise */
@@ -11,6 +12,7 @@ export function createExecutorTestSuite(name, createExecutor, options) {
         }
     };
     describe(`Executor: ${name}`, () => {
+        console.log(`[Test] Runtime: ${getRuntimeName()}`);
         let executor;
         beforeAll(async () => {
             executor = createExecutor();
@@ -335,7 +337,7 @@ export function createExecutorTestSuite(name, createExecutor, options) {
         });
         describe('Isolation & Safety', () => {
             testOrSkip('should not allow access to require', async () => {
-                const result = await executor.execute('return require("fs");', {});
+                const result = await executor.execute('return require("node:fs");', {});
                 expect(result.error).toBeDefined();
             });
             testOrSkip('should not allow process access', async () => {
@@ -361,7 +363,7 @@ export function createExecutorTestSuite(name, createExecutor, options) {
             return 'network allowed via fetch';
           }
           if (typeof require === 'function') {
-            const http = require('http');
+            const http = require('node:http');
             await new Promise((resolve, reject) => {
               http.get('http://example.com', resolve).on('error', reject);
             });
@@ -389,7 +391,7 @@ export function createExecutorTestSuite(name, createExecutor, options) {
           if (typeof require === 'function') {
             // Try net.Socket (TCP)
             try {
-              const net = require('net');
+              const net = require('node:net');
               await new Promise((resolve, reject) => {
                 const sock = new net.Socket();
                 sock.setTimeout(2000);
@@ -402,7 +404,7 @@ export function createExecutorTestSuite(name, createExecutor, options) {
 
             // Try dgram (UDP)
             try {
-              const dgram = require('dgram');
+              const dgram = require('node:dgram');
               const sock = dgram.createSocket('udp4');
               await new Promise((resolve, reject) => {
                 sock.on('error', reject);
@@ -416,7 +418,7 @@ export function createExecutorTestSuite(name, createExecutor, options) {
 
             // Try tls.connect
             try {
-              const tls = require('tls');
+              const tls = require('node:tls');
               await new Promise((resolve, reject) => {
                 const sock = tls.connect(443, '1.1.1.1', {}, resolve);
                 sock.on('error', reject);
@@ -426,7 +428,7 @@ export function createExecutorTestSuite(name, createExecutor, options) {
 
             // Try dns.resolve
             try {
-              const dns = require('dns');
+              const dns = require('node:dns');
               await new Promise((resolve, reject) => {
                 dns.resolve('example.com', (err, addresses) => {
                   err ? reject(err) : resolve(addresses);
@@ -529,7 +531,7 @@ export function createExecutorTestSuite(name, createExecutor, options) {
             testOrSkip('should block dynamic import', async () => {
                 const result = await executor.execute(`
           try {
-            const m = await import('fs');
+            const m = await import('node:fs');
             return 'import allowed';
           } catch (e) {
             return 'blocked';

package/dist/mcp/config.js

@@ -2,8 +2,8 @@
  * Config Loader - Load MCP server configurations from files
  * Supports VS Code's mcp.json format and other config files
  */
-import * as fs from "fs";
-import * as path from "path";
+import * as fs from "node:fs";
+import * as path from "node:path";
 /**
  * Load MCP server configurations from VS Code's mcp.json file
  * Default location: ~/.config/Code/User/mcp.json (Linux/Mac) or

package/dist/mcp/e2e-bridge-test-suite.js

@@ -26,6 +26,7 @@ import { createCodeTool } from '@cloudflare/codemode/ai';
 import { z } from 'zod';
 import { adaptAISDKToolToMCP } from './mcp-adapter.js';
 import { jsonSchemaToZod } from './server.js';
+import { getRuntimeName } from '../utils/env.js';
 // ── Helpers ─────────────────────────────────────────────────────────────────
 /**
  * Create a mock upstream MCP server with test tools and connect an MCP client
@@ -141,6 +142,7 @@ export function createE2EBridgeTestSuite(executorName, createExecutor, options)
         }
     };
     describe(`E2E Bridge Pipeline [${executorName}]`, () => {
+        console.log(`[Test] Runtime: ${getRuntimeName()}`);
         let upstreamState;
         let bridgeState;
         let client;
@@ -378,10 +380,10 @@ export function createE2EBridgeTestSuite(executorName, createExecutor, options)
             testOrSkip('should not allow require access', async () => {
                 const response = await client.callTool({
                     name: 'eval',
-                    arguments: { code: 'async () => { return require("fs"); }' },
+                    arguments: { code: 'async () => { return require("node:fs"); }' },
                 });
                 const text = response.content?.[0]?.text || '';
-                expect(text.toLowerCase()).toMatch(/error|not defined|not allowed/);
+                expect(text.toLowerCase()).toMatch(/error|not defined|not allowed|requires .* access|could not be cloned/);
             });
             testOrSkip('should not allow process access', async () => {
                 const response = await client.callTool({
@@ -389,7 +391,7 @@ export function createE2EBridgeTestSuite(executorName, createExecutor, options)
                     arguments: { code: 'async () => { return process.env; }' },
                 });
                 const text = response.content?.[0]?.text || '';
-                expect(text.toLowerCase()).toMatch(/error|not defined|not allowed/);
+                expect(text.toLowerCase()).toMatch(/error|not defined|not allowed|requires .* access|could not be cloned/);
             });
             testOrSkip('should isolate state between executions', async () => {
                 await callCodemode(client, 'async () => { globalThis.__test = 123; return "set"; }');

package/dist/mcp/executor.d.ts

@@ -3,7 +3,7 @@
  * Selects the best available executor (isolated-vm → container → vm2)
  */
 import type { Executor } from "@cloudflare/codemode";
-export type ExecutorType = 'isolated-vm' | 'container' | 'vm2';
+export type ExecutorType = 'isolated-vm' | 'container' | 'deno' | 'vm2';
 /**
  * Metadata about the executor that was created.
  */
@@ -19,13 +19,14 @@ export interface ExecutorInfo {
  * Factory function to create an Executor instance.
  *
  * Selection logic:
+ *   - If explicitType is provided, that executor is used (throws if unavailable).
  *   - If EXECUTOR_TYPE is set, that executor is used (throws if unavailable).
  *   - Otherwise, executors are tried in preference order (isolated-vm →
  *     container → vm2) and the first available one is selected.
  *
  * Returns both the executor and metadata about the selection.
  */
-export declare function createExecutor(timeout?: number): Promise<{
+export declare function createExecutor(timeout?: number, explicitType?: ExecutorType): Promise<{
     executor: Executor;
     info: ExecutorInfo;
 }>;

package/dist/mcp/executor.js

@@ -3,44 +3,90 @@
  * Selects the best available executor (isolated-vm → container → vm2)
  */
 import { execFileSync } from "node:child_process";
-import { logInfo } from "../utils/logger.js";
+import { logInfo, logDebug } from "../utils/logger.js";
+import { isNode, isDeno, isBun, getNodeMajorVersion } from "../utils/env.js";
 // ── Availability checks (cached) ────────────────────────────────────
 let _isolatedVmAvailable = null;
+async function isDenoAvailable() {
+    // Only allow Deno executor if running on Deno
+    return isDeno();
+}
 async function isIsolatedVmAvailable() {
     if (_isolatedVmAvailable !== null)
         return _isolatedVmAvailable;
+    // isolated-vm is a native module specifically built for Node.js.
+    // While Bun and Deno provide compatibility layers, they often fail or
+    // exhibit unstable behavior with native Node modules like isolated-vm.
+    // Additionally, isolated-vm only supports LTS (even-numbered) Node.js versions.
+    const majorVersion = getNodeMajorVersion();
+    const isEvenVersion = majorVersion > 0 && majorVersion % 2 === 0;
+    if (!isNode() || !isEvenVersion) {
+        logDebug('isolated-vm is only supported on LTS (even-numbered) versions of native Node.js (not Bun, Deno, or odd-numbered Node versions)', { component: 'Executor' });
+        _isolatedVmAvailable = false;
+        return false;
+    }
+    logDebug('Checking isolated-vm availability...', { component: 'Executor' });
     try {
-        // @ts-ignore - isolated-vm is an optional dependency
-        await import('isolated-vm');
+        // We run the check in a separate process because isolated-vm can cause 
+        // segmentation faults if native dependencies or environment are incompatible.
+        // Running it here ensures a crash doesn't take down the main bridge process.
+        const checkScript = `
+      import ivm from 'isolated-vm';
+      const isolate = new ivm.Isolate({ memoryLimit: 8 });
+      isolate.dispose();
+      process.exit(0);
+    `;
+        const { execSync } = await import('node:child_process');
+        execSync(`node -e "${checkScript.replace(/"/g, '\\"').replace(/\n/g, '')}"`, { stdio: 'ignore', timeout: 5000 });
+        logDebug('isolated-vm is available and functional (verified via subprocess)', { component: 'Executor' });
         _isolatedVmAvailable = true;
     }
-    catch {
+    catch (err) {
+        logDebug(`isolated-vm check failed or crashed: ${err instanceof Error ? err.message : String(err)}`, { component: 'Executor' });
         _isolatedVmAvailable = false;
     }
     return _isolatedVmAvailable;
 }
 let _containerRuntimeAvailable = null;
-function isContainerRuntimeAvailable() {
+async function isContainerRuntimeAvailable() {
     if (_containerRuntimeAvailable !== null)
         return _containerRuntimeAvailable;
+    logDebug('Checking container runtime availability...', { component: 'Executor' });
+    // Check for docker or podman
     for (const cmd of ['docker', 'podman']) {
         try {
-            execFileSync(cmd, ['--version'], { stdio: 'ignore', timeout: 5000 });
+            logDebug(`Testing container runtime: ${cmd}`, { component: 'Executor' });
+            // Use 'ps' instead of '--version' because 'ps' requires the 
+            // runtime daemon/service to be actually running and responsive.
+            // execFileSync is okay here as it's a one-time check during startup/first-use.
+            execFileSync(cmd, ['ps'], { stdio: 'ignore', timeout: 3000 });
+            logDebug(`Container runtime "${cmd}" is available and responsive`, { component: 'Executor' });
             _containerRuntimeAvailable = true;
             return true;
         }
-        catch {
-            // not available
+        catch (err) {
+            logDebug(`Container runtime "${cmd}" check failed: ${err instanceof Error ? err.message : String(err)}`, { component: 'Executor' });
+            // not available or not running
         }
     }
+    logDebug('No responsive container runtime found', { component: 'Executor' });
     _containerRuntimeAvailable = false;
     return false;
 }
 // ── Executor registry (sorted by preference, lowest first) ─────────
 const executorRegistry = [
     {
-        type: 'isolated-vm',
+        type: 'deno',
         preference: 0,
+        isAvailable: isDenoAvailable,
+        async create(timeout) {
+            const { createDenoExecutor } = await import('../executor/deno-executor.js');
+            return createDenoExecutor({ timeout });
+        },
+    },
+    {
+        type: 'isolated-vm',
+        preference: 1,
         isAvailable: isIsolatedVmAvailable,
         async create(timeout) {
             const { createIsolatedVmExecutor } = await import('../executor/isolated-vm-executor.js');
@@ -49,8 +95,8 @@ const executorRegistry = [
     },
     {
         type: 'container',
-        preference: 1,
-        isAvailable: async () => isContainerRuntimeAvailable(),
+        preference: 2,
+        isAvailable: isContainerRuntimeAvailable,
         async create(timeout) {
             const { createContainerExecutor } = await import('../executor/container-executor.js');
             return createContainerExecutor({ timeout });
@@ -58,8 +104,12 @@ const executorRegistry = [
     },
     {
         type: 'vm2',
-        preference: 2,
+        preference: 3,
         isAvailable: async () => {
+            // vm2 is fundamentally broken on Bun (prototype freezing issues)
+            // and Node.js built-in 'node:vm' is not safe for untrusted code.
+            if (isBun())
+                return false;
             try {
                 await import('vm2');
                 return true;
@@ -79,26 +129,27 @@ const executorRegistry = [
  * Factory function to create an Executor instance.
  *
  * Selection logic:
+ *   - If explicitType is provided, that executor is used (throws if unavailable).
  *   - If EXECUTOR_TYPE is set, that executor is used (throws if unavailable).
  *   - Otherwise, executors are tried in preference order (isolated-vm →
  *     container → vm2) and the first available one is selected.
  *
  * Returns both the executor and metadata about the selection.
  */
-export async function createExecutor(timeout = 30000) {
-    const requested = process.env.EXECUTOR_TYPE?.toLowerCase();
+export async function createExecutor(timeout = 30000, explicitType) {
+    const requested = (explicitType || process.env.EXECUTOR_TYPE?.toLowerCase());
     // Explicit selection — must succeed or throw
     if (requested) {
         const entry = executorRegistry.find(e => e.type === requested);
         if (!entry) {
             const known = executorRegistry.map(e => e.type).join(', ');
-            throw new Error(`Unknown EXECUTOR_TYPE="${requested}". Valid types: ${known}`);
+            throw new Error(`Unknown executor type "${requested}". Valid types: ${known}`);
         }
         const available = await entry.isAvailable();
         if (!available) {
-            throw new Error(`EXECUTOR_TYPE=${requested} but it is not available in this environment.`);
+            throw new Error(`Executor type ${requested} requested but it is not available in this environment.`);
         }
-        logInfo(`Using ${entry.type} executor (EXECUTOR_TYPE=${requested})`, { component: 'Executor' });
+        logInfo(`Using ${entry.type} executor (${explicitType ? 'explicit option' : `EXECUTOR_TYPE=${requested}`})`, { component: 'Executor' });
         return {
             executor: await entry.create(timeout),
             info: { type: entry.type, reason: 'explicit', timeout },

package/dist/mcp/oauth-handler.js

@@ -6,8 +6,8 @@
  * to our loopback server with the authorization code, which we capture and use
  * to complete the authorization flow.
  */
-import { createServer } from 'http';
-import { URL } from 'url';
+import { createServer } from 'node:http';
+import { URL } from 'node:url';
 /**
  * Loopback HTTP server that listens for OAuth2 redirect callbacks
  */

package/dist/mcp/server.d.ts

@@ -15,11 +15,12 @@
  * 6. Exposes the "codemode" tool via MCP protocol downstream
  */
 import { z } from "zod";
+import { type ExecutorType } from "./executor.js";
 import { type MCPServerConfig } from "./mcp-client.js";
-export type { MCPServerConfig };
+export type { MCPServerConfig, ExecutorType };
 /**
  * Convert JSON Schema to Zod schema
  * MCP tools use JSON Schema, but createCodeTool expects Zod schemas
  */
 export declare function jsonSchemaToZod(schema: any): z.ZodType<any>;
-export declare function startCodeModeBridgeServer(serverConfigs: MCPServerConfig[]): Promise<void>;
+export declare function startCodeModeBridgeServer(serverConfigs: MCPServerConfig[], executorType?: ExecutorType): Promise<void>;

package/dist/mcp/server.js

@@ -219,7 +219,7 @@ function convertMCPToolToDescriptor(toolDef, client, toolName, serverName) {
         },
     };
 }
-export async function startCodeModeBridgeServer(serverConfigs) {
+export async function startCodeModeBridgeServer(serverConfigs, executorType) {
     // Enable buffering of stderr output from stdio tools during startup
     enableStderrBuffering();
     const mcp = new McpServer({
@@ -276,7 +276,7 @@ export async function startCodeModeBridgeServer(serverConfigs) {
         }
     }
     // Create the executor using the codemode SDK pattern
-    const { executor, info: executorInfo } = await createExecutor(30000); // 30 second timeout
+    const { executor, info: executorInfo } = await createExecutor(30000, executorType); // 30 second timeout
     // Create the codemode tool using the codemode SDK
     // Pass ToolDescriptor format (with Zod schemas and execute functions)
     logInfo(`Creating codemode tool with ${totalToolCount} tools from ${serverConfigs.length} server(s)`, { component: 'Bridge' });

package/dist/mcp/token-persistence.js

@@ -4,9 +4,9 @@
  * Persists OAuth tokens and client information to disk for reuse across sessions.
  * Stored in ~/.config/codemode-bridge/mcp-tokens.json
  */
-import { existsSync, mkdirSync, writeFileSync, readFileSync } from 'fs';
-import { join } from 'path';
-import { homedir } from 'os';
+import { existsSync, mkdirSync, writeFileSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
 /**
  * Manages OAuth token storage for MCP server connections
  */

package/dist/utils/env.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Environment detection utilities
+ */
+/**
+ * Returns true if the current runtime is Node.js
+ */
+export declare function isNode(): boolean;
+/**
+ * Returns the Node.js major version, or 0 if not running on Node.js
+ */
+export declare function getNodeMajorVersion(): number;
+/**
+ * Returns true if the current runtime is Bun
+ */
+export declare function isBun(): boolean;
+/**
+ * Returns true if the current runtime is Deno
+ */
+export declare function isDeno(): boolean;
+/**
+ * Returns the name of the current runtime (Node.js, Bun, or Deno)
+ */
+export declare function getRuntimeName(): string;

package/dist/utils/env.js

@@ -0,0 +1,47 @@
+/**
+ * Environment detection utilities
+ */
+/**
+ * Returns true if the current runtime is Node.js
+ */
+export function isNode() {
+    return (typeof process !== 'undefined' &&
+        !!process.versions?.node &&
+        !isBun() &&
+        !isDeno());
+}
+/**
+ * Returns the Node.js major version, or 0 if not running on Node.js
+ */
+export function getNodeMajorVersion() {
+    if (typeof process === 'undefined' || !process.versions?.node) {
+        return 0;
+    }
+    return parseInt(process.versions.node.split('.')[0], 10);
+}
+/**
+ * Returns true if the current runtime is Bun
+ */
+export function isBun() {
+    return (typeof process !== 'undefined' &&
+        !!process.versions?.bun);
+}
+/**
+ * Returns true if the current runtime is Deno
+ */
+export function isDeno() {
+    return ((typeof globalThis !== 'undefined' && !!globalThis.Deno) ||
+        (typeof process !== 'undefined' && !!process.versions?.deno));
+}
+/**
+ * Returns the name of the current runtime (Node.js, Bun, or Deno)
+ */
+export function getRuntimeName() {
+    if (isBun())
+        return "Bun";
+    if (isDeno())
+        return "Deno";
+    if (isNode())
+        return "Node.js";
+    return "Unknown";
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ruifung/codemode-bridge",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "description": "MCP bridge that connects to upstream MCP servers and exposes tools via a single codemode tool for orchestration",
   "main": "dist/index.js",
   "bin": {
@@ -15,7 +15,7 @@
     "prepare": "npm run build",
     "dev": "tsx src/cli/index.ts",
     "test": "vitest",
-    "test:e2e": "vitest run src/mcp/e2e-bridge-runner.test.ts"
+    "test:e2e": "vitest run src/mcp/e2e-bridge-runner.test.ts --reporter=verbose"
   },
   "keywords": [
     "mcp",