@secure-exec/browser 0.1.1-rc.2 → 0.2.0-rc.1

package/dist/driver.d.ts

@@ -1,5 +1,6 @@
 import { createCommandExecutorStub, createFsStub, createNetworkStub } from "@secure-exec/core";
-import type { NetworkAdapter, Permissions, SystemDriver, VirtualFileSystem } from "@secure-exec/core";
+import type { Permissions, VirtualFileSystem } from "@secure-exec/core";
+import type { NetworkAdapter, SystemDriver } from "@secure-exec/core";
 export interface BrowserRuntimeSystemOptions {
     filesystem: "opfs" | "memory";
     networkEnabled: boolean;
@@ -23,16 +24,23 @@ export declare class OpfsFileSystem implements VirtualFileSystem {
     }>>;
     writeFile(path: string, content: string | Uint8Array): Promise<void>;
     createDir(path: string): Promise<void>;
-    mkdir(path: string): Promise<void>;
+    mkdir(path: string, _options?: {
+        recursive?: boolean;
+    }): Promise<void>;
     exists(path: string): Promise<boolean>;
     stat(path: string): Promise<{
         mode: number;
         size: number;
         isDirectory: boolean;
+        isSymbolicLink: boolean;
         atimeMs: number;
         mtimeMs: number;
         ctimeMs: number;
         birthtimeMs: number;
+        ino: number;
+        nlink: number;
+        uid: number;
+        gid: number;
     }>;
     removeFile(path: string): Promise<void>;
     removeDir(path: string): Promise<void>;
@@ -43,17 +51,23 @@ export declare class OpfsFileSystem implements VirtualFileSystem {
         mode: number;
         size: number;
         isDirectory: boolean;
-        isSymbolicLink?: boolean;
+        isSymbolicLink: boolean;
         atimeMs: number;
         mtimeMs: number;
         ctimeMs: number;
         birthtimeMs: number;
+        ino: number;
+        nlink: number;
+        uid: number;
+        gid: number;
     }>;
     link(_oldPath: string, _newPath: string): Promise<void>;
     chmod(_path: string, _mode: number): Promise<void>;
     chown(_path: string, _uid: number, _gid: number): Promise<void>;
     utimes(_path: string, _atime: number, _mtime: number): Promise<void>;
     truncate(path: string, length: number): Promise<void>;
+    realpath(path: string): Promise<string>;
+    pread(path: string, offset: number, length: number): Promise<Uint8Array>;
 }
 export interface BrowserDriverOptions {
     filesystem?: "opfs" | "memory";

package/dist/driver.js

@@ -103,7 +103,7 @@ export class OpfsFileSystem {
         await this.getDirHandle(parent, false);
         await this.getDirHandle(normalized, true);
     }
-    async mkdir(path) {
+    async mkdir(path, _options) {
         const parts = splitPath(path);
         let current = "";
         for (const part of parts) {
@@ -134,10 +134,15 @@ export class OpfsFileSystem {
                 mode: S_IFREG | 0o644,
                 size: file.size,
                 isDirectory: false,
+                isSymbolicLink: false,
                 atimeMs: file.lastModified,
                 mtimeMs: file.lastModified,
                 ctimeMs: file.lastModified,
                 birthtimeMs: file.lastModified,
+                ino: 0,
+                nlink: 1,
+                uid: 0,
+                gid: 0,
             };
         }
         catch {
@@ -149,10 +154,15 @@ export class OpfsFileSystem {
                     mode: S_IFDIR | 0o755,
                     size: 4096,
                     isDirectory: true,
+                    isSymbolicLink: false,
                     atimeMs: now,
                     mtimeMs: now,
                     ctimeMs: now,
                     birthtimeMs: now,
+                    ino: 0,
+                    nlink: 2,
+                    uid: 0,
+                    gid: 0,
                 };
             }
             catch {
@@ -207,6 +217,16 @@ export class OpfsFileSystem {
         await writable.truncate(length);
         await writable.close();
     }
+    async realpath(path) {
+        const normalized = normalizePath(path);
+        if (await this.exists(normalized))
+            return normalized;
+        throw new Error(`ENOENT: no such file or directory, realpath '${normalized}'`);
+    }
+    async pread(path, offset, length) {
+        const data = await this.readFile(path);
+        return data.slice(offset, offset + length);
+    }
 }
 /** Create an OPFS-backed filesystem, falling back to in-memory if OPFS is unavailable. */
 export async function createOpfsFileSystem() {

package/dist/index.d.ts

@@ -3,3 +3,6 @@ export type { BrowserDriverOptions, BrowserRuntimeSystemOptions, } from "./drive
 export { createBrowserRuntimeDriverFactory, } from "./runtime-driver.js";
 export type { BrowserRuntimeDriverFactoryOptions, } from "./runtime-driver.js";
 export { createInMemoryFileSystem } from "@secure-exec/core";
+export { InMemoryFileSystem } from "./os-filesystem.js";
+export { BrowserWorkerAdapter } from "./worker-adapter.js";
+export type { WorkerHandle } from "./worker-adapter.js";

package/dist/index.js

@@ -1,3 +1,5 @@
 export { createBrowserDriver, createBrowserNetworkAdapter, createOpfsFileSystem, } from "./driver.js";
 export { createBrowserRuntimeDriverFactory, } from "./runtime-driver.js";
 export { createInMemoryFileSystem } from "@secure-exec/core";
+export { InMemoryFileSystem } from "./os-filesystem.js";
+export { BrowserWorkerAdapter } from "./worker-adapter.js";

package/dist/os-filesystem.d.ts

@@ -0,0 +1,47 @@
+/**
+ * In-memory filesystem for browser environments.
+ *
+ * Expanded from the original secure-exec InMemoryFileSystem with POSIX
+ * extensions (symlinks, hard links, chmod, chown, utimes, truncate)
+ * needed by the kernel VFS interface.
+ */
+import type { VirtualFileSystem, VirtualStat, VirtualDirEntry } from "@secure-exec/core";
+export declare class InMemoryFileSystem implements VirtualFileSystem {
+    private entries;
+    constructor();
+    readFile(path: string): Promise<Uint8Array>;
+    readTextFile(path: string): Promise<string>;
+    readDir(path: string): Promise<string[]>;
+    readDirWithTypes(path: string): Promise<VirtualDirEntry[]>;
+    writeFile(path: string, content: string | Uint8Array): Promise<void>;
+    createDir(path: string): Promise<void>;
+    mkdir(path: string, options?: {
+        recursive?: boolean;
+    }): Promise<void>;
+    exists(path: string): Promise<boolean>;
+    stat(path: string): Promise<VirtualStat>;
+    removeFile(path: string): Promise<void>;
+    removeDir(path: string): Promise<void>;
+    realpath(path: string): Promise<string>;
+    rename(oldPath: string, newPath: string): Promise<void>;
+    symlink(target: string, linkPath: string): Promise<void>;
+    readlink(path: string): Promise<string>;
+    lstat(path: string): Promise<VirtualStat>;
+    link(oldPath: string, newPath: string): Promise<void>;
+    chmod(path: string, mode: number): Promise<void>;
+    chown(path: string, uid: number, gid: number): Promise<void>;
+    utimes(path: string, atime: number, mtime: number): Promise<void>;
+    truncate(path: string, length: number): Promise<void>;
+    pread(path: string, offset: number, length: number): Promise<Uint8Array>;
+    /**
+     * Resolve symlinks to get the final path. Returns the normalized path
+     * after following all symlinks.
+     */
+    private resolvePath;
+    /** Resolve a path and return the entry (following symlinks). */
+    private resolveEntry;
+    private newDir;
+    private toStat;
+    private enoent;
+}
+export declare function createInMemoryFileSystem(): InMemoryFileSystem;

package/dist/os-filesystem.js

@@ -0,0 +1,384 @@
+/**
+ * In-memory filesystem for browser environments.
+ *
+ * Expanded from the original secure-exec InMemoryFileSystem with POSIX
+ * extensions (symlinks, hard links, chmod, chown, utimes, truncate)
+ * needed by the kernel VFS interface.
+ */
+const S_IFREG = 0o100000;
+const S_IFDIR = 0o040000;
+const S_IFLNK = 0o120000;
+const MAX_SYMLINK_DEPTH = 40;
+function normalizePath(path) {
+    if (!path)
+        return "/";
+    let normalized = path.startsWith("/") ? path : `/${path}`;
+    normalized = normalized.replace(/\/+/g, "/");
+    if (normalized.length > 1 && normalized.endsWith("/")) {
+        normalized = normalized.slice(0, -1);
+    }
+    // Resolve . and ..
+    const parts = normalized.split("/");
+    const resolved = [];
+    for (const part of parts) {
+        if (part === "." || part === "")
+            continue;
+        if (part === "..") {
+            resolved.pop();
+        }
+        else {
+            resolved.push(part);
+        }
+    }
+    return "/" + resolved.join("/") || "/";
+}
+function dirname(path) {
+    const parts = normalizePath(path).split("/").filter(Boolean);
+    if (parts.length <= 1)
+        return "/";
+    return "/" + parts.slice(0, -1).join("/");
+}
+let nextIno = 1;
+export class InMemoryFileSystem {
+    entries = new Map();
+    constructor() {
+        // Root directory
+        this.entries.set("/", this.newDir());
+    }
+    // --- Core operations ---
+    async readFile(path) {
+        const entry = this.resolveEntry(path);
+        if (!entry || entry.type !== "file") {
+            throw this.enoent("open", path);
+        }
+        entry.atimeMs = Date.now();
+        return entry.data;
+    }
+    async readTextFile(path) {
+        const data = await this.readFile(path);
+        return new TextDecoder().decode(data);
+    }
+    async readDir(path) {
+        return (await this.readDirWithTypes(path)).map((e) => e.name);
+    }
+    async readDirWithTypes(path) {
+        const resolved = this.resolvePath(path);
+        const dir = this.entries.get(resolved);
+        if (!dir || dir.type !== "dir") {
+            throw this.enoent("scandir", path);
+        }
+        const prefix = resolved === "/" ? "/" : resolved + "/";
+        const names = new Map();
+        for (const [entryPath, entry] of this.entries) {
+            if (entryPath.startsWith(prefix)) {
+                const rest = entryPath.slice(prefix.length);
+                if (rest && !rest.includes("/")) {
+                    names.set(rest, {
+                        name: rest,
+                        isDirectory: entry.type === "dir",
+                        isSymbolicLink: entry.type === "symlink",
+                    });
+                }
+            }
+        }
+        return Array.from(names.values());
+    }
+    async writeFile(path, content) {
+        const normalized = normalizePath(path);
+        // Ensure parent exists
+        await this.mkdir(dirname(normalized), { recursive: true });
+        const data = typeof content === "string"
+            ? new TextEncoder().encode(content)
+            : content;
+        const existing = this.entries.get(normalized);
+        if (existing && existing.type === "file") {
+            existing.data = data;
+            existing.mtimeMs = Date.now();
+            existing.ctimeMs = Date.now();
+            return;
+        }
+        const now = Date.now();
+        this.entries.set(normalized, {
+            type: "file",
+            data,
+            mode: S_IFREG | 0o644,
+            uid: 1000,
+            gid: 1000,
+            nlink: 1,
+            ino: nextIno++,
+            atimeMs: now,
+            mtimeMs: now,
+            ctimeMs: now,
+            birthtimeMs: now,
+        });
+    }
+    async createDir(path) {
+        const normalized = normalizePath(path);
+        const parent = dirname(normalized);
+        if (!this.entries.has(parent)) {
+            throw this.enoent("mkdir", path);
+        }
+        if (!this.entries.has(normalized)) {
+            this.entries.set(normalized, this.newDir());
+        }
+    }
+    async mkdir(path, options) {
+        const normalized = normalizePath(path);
+        if (options?.recursive !== false) {
+            // Recursive: create all missing parents
+            const parts = normalized.split("/").filter(Boolean);
+            let current = "";
+            for (const part of parts) {
+                current += "/" + part;
+                if (!this.entries.has(current)) {
+                    this.entries.set(current, this.newDir());
+                }
+            }
+        }
+        else {
+            await this.createDir(path);
+        }
+    }
+    async exists(path) {
+        try {
+            const resolved = this.resolvePath(path);
+            return this.entries.has(resolved);
+        }
+        catch {
+            return false;
+        }
+    }
+    async stat(path) {
+        const entry = this.resolveEntry(path);
+        if (!entry)
+            throw this.enoent("stat", path);
+        return this.toStat(entry);
+    }
+    async removeFile(path) {
+        const resolved = this.resolvePath(path);
+        const entry = this.entries.get(resolved);
+        if (!entry || entry.type === "dir") {
+            throw this.enoent("unlink", path);
+        }
+        this.entries.delete(resolved);
+    }
+    async removeDir(path) {
+        const resolved = this.resolvePath(path);
+        if (resolved === "/") {
+            throw new Error("EPERM: operation not permitted, rmdir '/'");
+        }
+        const entry = this.entries.get(resolved);
+        if (!entry || entry.type !== "dir") {
+            throw this.enoent("rmdir", path);
+        }
+        // Check if empty
+        const prefix = resolved + "/";
+        for (const key of this.entries.keys()) {
+            if (key.startsWith(prefix)) {
+                throw new Error(`ENOTEMPTY: directory not empty, rmdir '${path}'`);
+            }
+        }
+        this.entries.delete(resolved);
+    }
+    async realpath(path) {
+        return this.resolvePath(path);
+    }
+    async rename(oldPath, newPath) {
+        const oldResolved = this.resolvePath(oldPath);
+        const newNorm = normalizePath(newPath);
+        const entry = this.entries.get(oldResolved);
+        if (!entry)
+            throw this.enoent("rename", oldPath);
+        // Ensure parent of target exists
+        if (!this.entries.has(dirname(newNorm))) {
+            throw this.enoent("rename", newPath);
+        }
+        if (entry.type !== "dir") {
+            this.entries.set(newNorm, entry);
+            this.entries.delete(oldResolved);
+            return;
+        }
+        // Move directory and all children
+        const prefix = oldResolved + "/";
+        const toMove = [];
+        for (const [key, val] of this.entries) {
+            if (key === oldResolved || key.startsWith(prefix)) {
+                toMove.push([key, val]);
+            }
+        }
+        for (const [key] of toMove) {
+            this.entries.delete(key);
+        }
+        for (const [key, val] of toMove) {
+            const newKey = key === oldResolved
+                ? newNorm
+                : newNorm + key.slice(oldResolved.length);
+            this.entries.set(newKey, val);
+        }
+    }
+    // --- Symlinks ---
+    async symlink(target, linkPath) {
+        const normalized = normalizePath(linkPath);
+        if (this.entries.has(normalized)) {
+            throw new Error(`EEXIST: file already exists, symlink '${linkPath}'`);
+        }
+        const now = Date.now();
+        this.entries.set(normalized, {
+            type: "symlink",
+            target,
+            mode: S_IFLNK | 0o777,
+            uid: 1000,
+            gid: 1000,
+            nlink: 1,
+            ino: nextIno++,
+            atimeMs: now,
+            mtimeMs: now,
+            ctimeMs: now,
+            birthtimeMs: now,
+        });
+    }
+    async readlink(path) {
+        const normalized = normalizePath(path);
+        const entry = this.entries.get(normalized);
+        if (!entry || entry.type !== "symlink") {
+            throw this.enoent("readlink", path);
+        }
+        return entry.target;
+    }
+    async lstat(path) {
+        const normalized = normalizePath(path);
+        const entry = this.entries.get(normalized);
+        if (!entry)
+            throw this.enoent("lstat", path);
+        return this.toStat(entry);
+    }
+    // --- Links ---
+    async link(oldPath, newPath) {
+        const entry = this.resolveEntry(oldPath);
+        if (!entry || entry.type !== "file") {
+            throw this.enoent("link", oldPath);
+        }
+        const newNorm = normalizePath(newPath);
+        if (this.entries.has(newNorm)) {
+            throw new Error(`EEXIST: file already exists, link '${newPath}'`);
+        }
+        entry.nlink++;
+        this.entries.set(newNorm, entry);
+    }
+    // --- Permissions & Metadata ---
+    async chmod(path, mode) {
+        const entry = this.resolveEntry(path);
+        if (!entry)
+            throw this.enoent("chmod", path);
+        // Preserve file type bits, update permission bits
+        entry.mode = (entry.mode & 0o170000) | (mode & 0o7777);
+        entry.ctimeMs = Date.now();
+    }
+    async chown(path, uid, gid) {
+        const entry = this.resolveEntry(path);
+        if (!entry)
+            throw this.enoent("chown", path);
+        entry.uid = uid;
+        entry.gid = gid;
+        entry.ctimeMs = Date.now();
+    }
+    async utimes(path, atime, mtime) {
+        const entry = this.resolveEntry(path);
+        if (!entry)
+            throw this.enoent("utimes", path);
+        entry.atimeMs = atime;
+        entry.mtimeMs = mtime;
+        entry.ctimeMs = Date.now();
+    }
+    async truncate(path, length) {
+        const entry = this.resolveEntry(path);
+        if (!entry || entry.type !== "file") {
+            throw this.enoent("truncate", path);
+        }
+        if (length < entry.data.length) {
+            entry.data = entry.data.slice(0, length);
+        }
+        else if (length > entry.data.length) {
+            const newData = new Uint8Array(length);
+            newData.set(entry.data);
+            entry.data = newData;
+        }
+        entry.mtimeMs = Date.now();
+        entry.ctimeMs = Date.now();
+    }
+    async pread(path, offset, length) {
+        const entry = this.resolveEntry(path);
+        if (!entry || entry.type !== "file") {
+            throw this.enoent("open", path);
+        }
+        entry.atimeMs = Date.now();
+        if (offset >= entry.data.length)
+            return new Uint8Array(0);
+        return entry.data.slice(offset, Math.min(offset + length, entry.data.length));
+    }
+    // --- Helpers ---
+    /**
+     * Resolve symlinks to get the final path. Returns the normalized path
+     * after following all symlinks.
+     */
+    resolvePath(path, depth = 0) {
+        if (depth > MAX_SYMLINK_DEPTH) {
+            throw new Error(`ELOOP: too many levels of symbolic links, '${path}'`);
+        }
+        const normalized = normalizePath(path);
+        const entry = this.entries.get(normalized);
+        if (!entry)
+            return normalized;
+        if (entry.type === "symlink") {
+            const target = entry.target.startsWith("/")
+                ? entry.target
+                : dirname(normalized) + "/" + entry.target;
+            return this.resolvePath(target, depth + 1);
+        }
+        return normalized;
+    }
+    /** Resolve a path and return the entry (following symlinks). */
+    resolveEntry(path) {
+        const resolved = this.resolvePath(path);
+        return this.entries.get(resolved);
+    }
+    newDir() {
+        const now = Date.now();
+        return {
+            type: "dir",
+            mode: S_IFDIR | 0o755,
+            uid: 1000,
+            gid: 1000,
+            nlink: 2,
+            ino: nextIno++,
+            atimeMs: now,
+            mtimeMs: now,
+            ctimeMs: now,
+            birthtimeMs: now,
+        };
+    }
+    toStat(entry) {
+        return {
+            mode: entry.mode,
+            size: entry.type === "file" ? entry.data.length : 4096,
+            isDirectory: entry.type === "dir",
+            isSymbolicLink: entry.type === "symlink",
+            atimeMs: entry.atimeMs,
+            mtimeMs: entry.mtimeMs,
+            ctimeMs: entry.ctimeMs,
+            birthtimeMs: entry.birthtimeMs,
+            ino: entry.ino,
+            nlink: entry.nlink,
+            uid: entry.uid,
+            gid: entry.gid,
+        };
+    }
+    enoent(op, path) {
+        const err = new Error(`ENOENT: no such file or directory, ${op} '${path}'`);
+        err.code = "ENOENT";
+        return err;
+    }
+}
+export function createInMemoryFileSystem() {
+    return new InMemoryFileSystem();
+}

package/dist/worker-adapter.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Browser worker adapter.
+ *
+ * Wraps the Web Worker API for spawning Workers.
+ * Requires COOP/COEP headers for SharedArrayBuffer support.
+ */
+export interface WorkerHandle {
+    postMessage(data: unknown, transferList?: Transferable[]): void;
+    onMessage(handler: (data: unknown) => void): void;
+    onError(handler: (err: Error) => void): void;
+    onExit(handler: (code: number) => void): void;
+    terminate(): void;
+}
+export declare class BrowserWorkerAdapter {
+    /**
+     * Spawn a Web Worker for the given script URL.
+     */
+    static create(scriptUrl: string | URL, options?: {
+        workerData?: unknown;
+    }): WorkerHandle;
+}

package/dist/worker-adapter.js

@@ -0,0 +1,40 @@
+/**
+ * Browser worker adapter.
+ *
+ * Wraps the Web Worker API for spawning Workers.
+ * Requires COOP/COEP headers for SharedArrayBuffer support.
+ */
+export class BrowserWorkerAdapter {
+    /**
+     * Spawn a Web Worker for the given script URL.
+     */
+    static create(scriptUrl, options) {
+        const worker = new Worker(scriptUrl, { type: "module" });
+        // Send workerData as the initial message (Web Workers don't have
+        // a constructor option for this like Node's worker_threads)
+        if (options?.workerData !== undefined) {
+            worker.postMessage({
+                type: "init",
+                workerData: options.workerData,
+            });
+        }
+        return {
+            postMessage(data, transferList) {
+                worker.postMessage(data, transferList ?? []);
+            },
+            onMessage(handler) {
+                worker.addEventListener("message", (e) => handler(e.data));
+            },
+            onError(handler) {
+                worker.addEventListener("error", (e) => handler(new Error(e.message)));
+            },
+            onExit(_handler) {
+                // Web Workers don't have an exit event — the terminate()
+                // caller is responsible for cleanup
+            },
+            terminate() {
+                worker.terminate();
+            },
+        };
+    }
+}

package/dist/worker.js

@@ -75,7 +75,7 @@ function revivePermissions(serialized) {
 }
 /**
  * Wrap a sync function in the bridge calling convention (`applySync`) so
- * bridge code can call it the same way it calls isolated-vm References.
+ * bridge code can call it the same way it calls bridge References.
  */
 function makeApplySync(fn) {
     const applySync = (_ctx, args) => fn(...args);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@secure-exec/browser",
-  "version": "0.1.1-rc.2",
+  "version": "0.2.0-rc.1",
   "type": "module",
   "license": "Apache-2.0",
   "main": "./dist/index.js",
@@ -39,11 +39,21 @@
       "types": "./dist/permission-validation.d.ts",
       "import": "./dist/permission-validation.js",
       "default": "./dist/permission-validation.js"
+    },
+    "./internal/os-filesystem": {
+      "types": "./dist/os-filesystem.d.ts",
+      "import": "./dist/os-filesystem.js",
+      "default": "./dist/os-filesystem.js"
+    },
+    "./internal/worker-adapter": {
+      "types": "./dist/worker-adapter.d.ts",
+      "import": "./dist/worker-adapter.js",
+      "default": "./dist/worker-adapter.js"
     }
   },
   "dependencies": {
     "sucrase": "^3.35.0",
-    "@secure-exec/core": "0.1.1-rc.2"
+    "@secure-exec/core": "0.2.0-rc.1"
   },
   "devDependencies": {
     "@types/node": "^22.10.2",