@secure-exec/browser 0.0.0-agentos-dylib-base.edaa4a4

package/dist/permission-validation.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Validate permission callback source strings before revival via new Function().
+ *
+ * Permission callbacks are serialized with fn.toString() on the host and revived
+ * in the Web Worker. Because revival uses new Function(), the source must be
+ * validated to prevent code injection.
+ */
+/**
+ * Validate that a permission callback source string is safe to revive.
+ *
+ * Returns true if the source appears to be a safe function expression.
+ * Returns false if the source contains blocked patterns that could indicate
+ * code injection.
+ */
+export declare function validatePermissionSource(source: string): boolean;

package/dist/permission-validation.js

@@ -0,0 +1,62 @@
+/**
+ * Validate permission callback source strings before revival via new Function().
+ *
+ * Permission callbacks are serialized with fn.toString() on the host and revived
+ * in the Web Worker. Because revival uses new Function(), the source must be
+ * validated to prevent code injection.
+ */
+/**
+ * Dangerous patterns that should never appear in a permission callback.
+ * These could be used to escape the sandbox or access host resources.
+ */
+const BLOCKED_PATTERNS = [
+    // Code execution / eval
+    /\beval\s*\(/,
+    /\bFunction\s*\(/,
+    /\bnew\s+Function\b/,
+    // Module loading
+    /\bimport\s*\(/,
+    /\bimportScripts\s*\(/,
+    /\brequire\s*\(/,
+    // Global object access
+    /\bglobalThis\b/,
+    /\bself\b/,
+    /\bwindow\b/,
+    // Process/system access
+    /\bprocess\s*\.\s*(?:exit|kill|binding|_linkedBinding|env)\b/,
+    // Network / IO escape
+    /\bXMLHttpRequest\b/,
+    /\bWebSocket\b/,
+    /\bfetch\s*\(/,
+    // Prototype pollution / constructor abuse
+    /\bconstructor\s*\[/,
+    /\b__proto__\b/,
+    /Object\s*\.\s*(?:defineProperty|setPrototypeOf|assign)\b/,
+    // Dynamic property access on dangerous objects
+    /\bpostMessage\b/,
+];
+/**
+ * Validate that a permission callback source string is safe to revive.
+ *
+ * Returns true if the source appears to be a safe function expression.
+ * Returns false if the source contains blocked patterns that could indicate
+ * code injection.
+ */
+export function validatePermissionSource(source) {
+    if (!source || typeof source !== "string")
+        return false;
+    const trimmed = source.trim();
+    // Must look like a function expression (arrow function or function keyword)
+    const startsLikeFunction = trimmed.startsWith("function") ||
+        trimmed.startsWith("(") ||
+        // Single-param arrow functions: x => ...
+        /^[a-zA-Z_$][a-zA-Z0-9_$]*\s*=>/.test(trimmed);
+    if (!startsLikeFunction)
+        return false;
+    // Check for blocked patterns
+    for (const pattern of BLOCKED_PATTERNS) {
+        if (pattern.test(source))
+            return false;
+    }
+    return true;
+}

package/dist/root-filesystem-from-vfs.d.ts

@@ -0,0 +1,13 @@
+import type { RootFilesystemConfig } from "@secure-exec/core/vm-config";
+import type { VirtualFileSystem } from "./runtime.js";
+type RootFilesystemEntry = RootFilesystemConfig["bootstrapEntries"][number];
+export interface RootFilesystemSnapshotOptions {
+    root?: string;
+    mode?: RootFilesystemConfig["mode"];
+    disableDefaultBaseLayer?: boolean;
+}
+/** Walk `vfs` and produce kernel bootstrap entries for its contents. */
+export declare function collectRootFilesystemEntries(vfs: VirtualFileSystem, root?: string): Promise<RootFilesystemEntry[]>;
+/** A full `RootFilesystemConfig` seeded from `vfs`. */
+export declare function rootFilesystemConfigFromVfs(vfs: VirtualFileSystem, options?: RootFilesystemSnapshotOptions): Promise<RootFilesystemConfig>;
+export {};

package/dist/root-filesystem-from-vfs.js

@@ -0,0 +1,95 @@
+// Migration shim: snapshot a legacy caller-provided VirtualFileSystem into a
+// kernel `RootFilesystemConfig` (bootstrap entries) so the converged driver can
+// seed a kernel-owned VM from filesystem content that was previously handed in
+// as a live TS VFS object. This bridges the legacy `options.system.filesystem`
+// model to the converged kernel-owns-fs model without rewriting every caller at
+// once; new callers should provide a `CreateVmConfig.rootFilesystem` directly.
+import { encodeBase64 } from "./converged-base64.js";
+// Kernel-owned pseudo-filesystems must not be materialized as bootstrap entries.
+const SKIP_ROOTS = ["/dev", "/proc", "/sys"];
+/** Walk `vfs` and produce kernel bootstrap entries for its contents. */
+export async function collectRootFilesystemEntries(vfs, root = "/") {
+    const entries = [];
+    await walk(vfs, normalizeDir(root), entries);
+    return entries;
+}
+/** A full `RootFilesystemConfig` seeded from `vfs`. */
+export async function rootFilesystemConfigFromVfs(vfs, options = {}) {
+    return {
+        mode: options.mode ?? "ephemeral",
+        disableDefaultBaseLayer: options.disableDefaultBaseLayer ?? false,
+        lowers: [],
+        bootstrapEntries: await collectRootFilesystemEntries(vfs, options.root ?? "/"),
+    };
+}
+async function walk(vfs, dir, entries) {
+    let children;
+    try {
+        children = await vfs.readDirWithTypes(dir);
+    }
+    catch {
+        return;
+    }
+    for (const child of children) {
+        if (child.name === "." || child.name === "..") {
+            continue;
+        }
+        const path = joinPath(dir, child.name);
+        if (SKIP_ROOTS.includes(path)) {
+            continue;
+        }
+        if (child.isSymbolicLink) {
+            const target = await vfs.readlink(path).catch(() => null);
+            if (target !== null) {
+                entries.push({ path, kind: "symlink", target, executable: false });
+            }
+            continue;
+        }
+        if (child.isDirectory) {
+            entries.push({ path, kind: "directory", executable: true });
+            await walk(vfs, path, entries);
+            continue;
+        }
+        entries.push(await fileEntry(vfs, path));
+    }
+}
+async function fileEntry(vfs, path) {
+    const bytes = await vfs.readFile(path);
+    const executable = await isExecutable(vfs, path);
+    const text = tryDecodeUtf8(bytes);
+    if (text !== null) {
+        return { path, kind: "file", content: text, encoding: "utf8", executable };
+    }
+    return {
+        path,
+        kind: "file",
+        content: encodeBase64(bytes),
+        encoding: "base64",
+        executable,
+    };
+}
+async function isExecutable(vfs, path) {
+    try {
+        return ((await vfs.stat(path)).mode & 0o111) !== 0;
+    }
+    catch {
+        return false;
+    }
+}
+function tryDecodeUtf8(bytes) {
+    try {
+        return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
+    }
+    catch {
+        return null;
+    }
+}
+function normalizeDir(dir) {
+    if (dir.length > 1 && dir.endsWith("/")) {
+        return dir.slice(0, -1);
+    }
+    return dir;
+}
+function joinPath(parent, child) {
+    return parent === "/" ? `/${child}` : `${parent}/${child}`;
+}

package/dist/runtime-driver.d.ts

@@ -0,0 +1,66 @@
+import type { ProtocolFramePayloadCodec } from "@secure-exec/core/protocol-frames";
+import type { CreateVmConfig } from "@secure-exec/core/vm-config";
+import type { ConvergedServicer } from "./converged-driver-setup.js";
+import type { ExecOptions, ExecResult, NetworkAdapter, NodeRuntimeDriver, NodeRuntimeDriverFactory, RunResult, RuntimeDriverOptions } from "./runtime.js";
+export interface BrowserRuntimeDriverFactoryOptions {
+    workerUrl?: URL | string;
+    convergedSidecar?: ConvergedSidecarFactoryOptions;
+}
+export interface ConvergedSidecarHandle {
+    pushFrame(frame: Uint8Array): Uint8Array;
+    setNextExecutionId?(executionId: string): void;
+}
+export interface ConvergedSidecarFactoryOptions {
+    loadSidecar(): Promise<ConvergedSidecarHandle>;
+    config: CreateVmConfig;
+    codec?: ProtocolFramePayloadCodec;
+    onFsReadDenied?: () => void;
+}
+export declare class BrowserRuntimeDriver implements NodeRuntimeDriver {
+    private readonly worker;
+    private readonly pending;
+    private readonly controlToken;
+    private readonly defaultOnStdio?;
+    private readonly defaultTimingMitigation;
+    private readonly networkAdapter;
+    private readonly commandExecutor;
+    private readonly syncBridge;
+    private readonly childProcessSessions;
+    private readonly signalStates;
+    private readonly ready;
+    private readonly encoder;
+    private nextId;
+    private nextExecutionId;
+    private nextChildProcessSessionId;
+    private disposed;
+    private readonly networkPermission?;
+    private convergedServicer?;
+    private readonly convergedReady?;
+    constructor(options: RuntimeDriverOptions, factoryOptions?: BrowserRuntimeDriverFactoryOptions);
+    private setupConvergedSidecar;
+    get network(): Pick<NetworkAdapter, "fetch" | "dnsLookup" | "httpRequest">;
+    private handleWorkerError;
+    private handleWorkerMessage;
+    private handleSyncRequest;
+    private rejectAllPending;
+    private clearWorkerHandlers;
+    private allocateExecutionId;
+    private allocateChildProcessSessionId;
+    private hasPendingExecutionRequest;
+    private cleanupExecutionState;
+    private resetSyncBridgeState;
+    private cleanup;
+    private callWorker;
+    run<T = unknown>(code: string, filePath?: string): Promise<RunResult<T>>;
+    exec(code: string, options?: ExecOptions): Promise<ExecResult>;
+    dispatchExtensionRequest(namespace: string, payload: Uint8Array): Promise<Uint8Array>;
+    dispose(): void;
+    /**
+     * Snapshot the converged VM root filesystem (writable changes) so callers can
+     * persist them to host storage across runtimes. Returns null in legacy mode.
+     */
+    snapshotConvergedRootFilesystem(): Promise<ReturnType<ConvergedServicer["snapshotRootFilesystem"]> | null>;
+    terminate(): Promise<void>;
+    signalPendingExecution(signal?: number): boolean;
+}
+export declare function createBrowserRuntimeDriverFactory(factoryOptions?: BrowserRuntimeDriverFactoryOptions): NodeRuntimeDriverFactory;