@secure-exec/browser 0.2.0-rc.1 → 0.3.0-rc.1

package/README.md

@@ -1,7 +1,6 @@
-# Secure Exec
+# Secure Exec Browser
 
-Secure Node.js execution without a sandbox. V8 isolate-based code execution with full Node.js and npm compatibility.
+Browser driver primitives for secure-exec.
 
-- [Website](https://secureexec.dev)
-- [Documentation](https://secureexec.dev/docs)
-- [GitHub](https://github.com/rivet-dev/secure-exec)
+- Package: `@secure-exec/browser`
+- Exports: `createBrowserDriver`, `createBrowserRuntimeDriverFactory`, `createOpfsFileSystem`, `BrowserWorkerAdapter`

package/dist/driver.d.ts

@@ -1,6 +1,5 @@
-import { createCommandExecutorStub, createFsStub, createNetworkStub } from "@secure-exec/core";
-import type { Permissions, VirtualFileSystem } from "@secure-exec/core";
-import type { NetworkAdapter, SystemDriver } from "@secure-exec/core";
+import type { NetworkAdapter, Permissions, SystemDriver, VirtualFileSystem } from "./runtime.js";
+import { createCommandExecutorStub, createFsStub, createNetworkStub } from "./runtime.js";
 export interface BrowserRuntimeSystemOptions {
     filesystem: "opfs" | "memory";
     networkEnabled: boolean;
@@ -31,6 +30,9 @@ export declare class OpfsFileSystem implements VirtualFileSystem {
     stat(path: string): Promise<{
         mode: number;
         size: number;
+        blocks: number;
+        dev: number;
+        rdev: number;
         isDirectory: boolean;
         isSymbolicLink: boolean;
         atimeMs: number;
@@ -50,6 +52,9 @@ export declare class OpfsFileSystem implements VirtualFileSystem {
     lstat(path: string): Promise<{
         mode: number;
         size: number;
+        blocks: number;
+        dev: number;
+        rdev: number;
         isDirectory: boolean;
         isSymbolicLink: boolean;
         atimeMs: number;
@@ -68,6 +73,7 @@ export declare class OpfsFileSystem implements VirtualFileSystem {
     truncate(path: string, length: number): Promise<void>;
     realpath(path: string): Promise<string>;
     pread(path: string, offset: number, length: number): Promise<Uint8Array>;
+    pwrite(path: string, offset: number, data: Uint8Array): Promise<void>;
 }
 export interface BrowserDriverOptions {
     filesystem?: "opfs" | "memory";
@@ -82,4 +88,4 @@ export declare function createBrowserNetworkAdapter(): NetworkAdapter;
 export declare function getBrowserSystemDriverOptions(systemDriver: SystemDriver): BrowserRuntimeSystemOptions;
 /** Assemble a browser-side SystemDriver with permission-wrapped adapters. */
 export declare function createBrowserDriver(options?: BrowserDriverOptions): Promise<SystemDriver>;
-export { createCommandExecutorStub, createFsStub, createNetworkStub, };
+export { createCommandExecutorStub, createFsStub, createNetworkStub };

package/dist/driver.js

@@ -1,4 +1,4 @@
-import { createCommandExecutorStub, createFsStub, createNetworkStub, wrapFileSystem, wrapNetworkAdapter, createInMemoryFileSystem, createEnosysError, } from "@secure-exec/core";
+import { createCommandExecutorStub, createEnosysError, createFsStub, createInMemoryFileSystem, createNetworkStub, wrapFileSystem, wrapNetworkAdapter, } from "./runtime.js";
 const S_IFREG = 0o100000;
 const S_IFDIR = 0o040000;
 const BROWSER_SYSTEM_DRIVER_OPTIONS = Symbol.for("secure-exec.browserSystemDriverOptions");
@@ -133,6 +133,9 @@ export class OpfsFileSystem {
             return {
                 mode: S_IFREG | 0o644,
                 size: file.size,
+                blocks: file.size === 0 ? 0 : Math.ceil(file.size / 512),
+                dev: 1,
+                rdev: 0,
                 isDirectory: false,
                 isSymbolicLink: false,
                 atimeMs: file.lastModified,
@@ -153,6 +156,9 @@ export class OpfsFileSystem {
                 return {
                     mode: S_IFDIR | 0o755,
                     size: 4096,
+                    blocks: 8,
+                    dev: 1,
+                    rdev: 0,
                     isDirectory: true,
                     isSymbolicLink: false,
                     atimeMs: now,
@@ -227,10 +233,19 @@ export class OpfsFileSystem {
         const data = await this.readFile(path);
         return data.slice(offset, offset + length);
     }
+    async pwrite(path, offset, data) {
+        const content = await this.readFile(path);
+        const endPos = offset + data.length;
+        const newContent = new Uint8Array(Math.max(content.length, endPos));
+        newContent.set(content);
+        newContent.set(data, offset);
+        await this.writeFile(path, newContent);
+    }
 }
 /** Create an OPFS-backed filesystem, falling back to in-memory if OPFS is unavailable. */
 export async function createOpfsFileSystem() {
-    if (!("storage" in navigator) || typeof navigator.storage.getDirectory !== "function") {
+    if (!("storage" in navigator) ||
+        typeof navigator.storage.getDirectory !== "function") {
         return createInMemoryFileSystem();
     }
     return new OpfsFileSystem();
@@ -332,4 +347,4 @@ export async function createBrowserDriver(options = {}) {
     };
     return systemDriver;
 }
-export { createCommandExecutorStub, createFsStub, createNetworkStub, };
+export { createCommandExecutorStub, createFsStub, createNetworkStub };

package/dist/index.d.ts

@@ -1,8 +1,9 @@
-export { createBrowserDriver, createBrowserNetworkAdapter, createOpfsFileSystem, } from "./driver.js";
 export type { BrowserDriverOptions, BrowserRuntimeSystemOptions, } from "./driver.js";
-export { createBrowserRuntimeDriverFactory, } from "./runtime-driver.js";
-export type { BrowserRuntimeDriverFactoryOptions, } from "./runtime-driver.js";
-export { createInMemoryFileSystem } from "@secure-exec/core";
+export { createBrowserDriver, createBrowserNetworkAdapter, createOpfsFileSystem, } from "./driver.js";
 export { InMemoryFileSystem } from "./os-filesystem.js";
-export { BrowserWorkerAdapter } from "./worker-adapter.js";
+export type { ExecOptions, ExecResult, NodeRuntimeDriver, StdioChannel, StdioEvent, TimingMitigation, } from "./runtime.js";
+export { allowAll, allowAllChildProcess, allowAllEnv, allowAllFs, allowAllNetwork, createInMemoryFileSystem, } from "./runtime.js";
+export type { BrowserRuntimeDriverFactoryOptions } from "./runtime-driver.js";
+export { createBrowserRuntimeDriverFactory } from "./runtime-driver.js";
 export type { WorkerHandle } from "./worker-adapter.js";
+export { BrowserWorkerAdapter } from "./worker-adapter.js";

package/dist/index.js

@@ -1,5 +1,5 @@
 export { createBrowserDriver, createBrowserNetworkAdapter, createOpfsFileSystem, } from "./driver.js";
-export { createBrowserRuntimeDriverFactory, } from "./runtime-driver.js";
-export { createInMemoryFileSystem } from "@secure-exec/core";
 export { InMemoryFileSystem } from "./os-filesystem.js";
+export { allowAll, allowAllChildProcess, allowAllEnv, allowAllFs, allowAllNetwork, createInMemoryFileSystem, } from "./runtime.js";
+export { createBrowserRuntimeDriverFactory } from "./runtime-driver.js";
 export { BrowserWorkerAdapter } from "./worker-adapter.js";

package/dist/os-filesystem.d.ts

@@ -1,11 +1,10 @@
 /**
  * In-memory filesystem for browser environments.
  *
- * Expanded from the original secure-exec InMemoryFileSystem with POSIX
- * extensions (symlinks, hard links, chmod, chown, utimes, truncate)
- * needed by the kernel VFS interface.
+ * In-memory filesystem with POSIX extensions (symlinks, hard links, chmod,
+ * chown, utimes, truncate) needed by the kernel VFS interface.
  */
-import type { VirtualFileSystem, VirtualStat, VirtualDirEntry } from "@secure-exec/core";
+import type { VirtualDirEntry, VirtualFileSystem, VirtualStat } from "./runtime.js";
 export declare class InMemoryFileSystem implements VirtualFileSystem {
     private entries;
     constructor();
@@ -33,6 +32,7 @@ export declare class InMemoryFileSystem implements VirtualFileSystem {
     utimes(path: string, atime: number, mtime: number): Promise<void>;
     truncate(path: string, length: number): Promise<void>;
     pread(path: string, offset: number, length: number): Promise<Uint8Array>;
+    pwrite(path: string, offset: number, data: Uint8Array): Promise<void>;
     /**
      * Resolve symlinks to get the final path. Returns the normalized path
      * after following all symlinks.

package/dist/os-filesystem.js

@@ -1,9 +1,8 @@
 /**
  * In-memory filesystem for browser environments.
  *
- * Expanded from the original secure-exec InMemoryFileSystem with POSIX
- * extensions (symlinks, hard links, chmod, chown, utimes, truncate)
- * needed by the kernel VFS interface.
+ * In-memory filesystem with POSIX extensions (symlinks, hard links, chmod,
+ * chown, utimes, truncate) needed by the kernel VFS interface.
  */
 const S_IFREG = 0o100000;
 const S_IFDIR = 0o040000;
@@ -30,13 +29,13 @@ function normalizePath(path) {
             resolved.push(part);
         }
     }
-    return "/" + resolved.join("/") || "/";
+    return `/${resolved.join("/")}` || "/";
 }
 function dirname(path) {
     const parts = normalizePath(path).split("/").filter(Boolean);
     if (parts.length <= 1)
         return "/";
-    return "/" + parts.slice(0, -1).join("/");
+    return `/${parts.slice(0, -1).join("/")}`;
 }
 let nextIno = 1;
 export class InMemoryFileSystem {
@@ -67,7 +66,7 @@ export class InMemoryFileSystem {
         if (!dir || dir.type !== "dir") {
             throw this.enoent("scandir", path);
         }
-        const prefix = resolved === "/" ? "/" : resolved + "/";
+        const prefix = resolved === "/" ? "/" : `${resolved}/`;
         const names = new Map();
         for (const [entryPath, entry] of this.entries) {
             if (entryPath.startsWith(prefix)) {
@@ -87,9 +86,7 @@ export class InMemoryFileSystem {
         const normalized = normalizePath(path);
         // Ensure parent exists
         await this.mkdir(dirname(normalized), { recursive: true });
-        const data = typeof content === "string"
-            ? new TextEncoder().encode(content)
-            : content;
+        const data = typeof content === "string" ? new TextEncoder().encode(content) : content;
         const existing = this.entries.get(normalized);
         if (existing && existing.type === "file") {
             existing.data = data;
@@ -129,7 +126,7 @@ export class InMemoryFileSystem {
             const parts = normalized.split("/").filter(Boolean);
             let current = "";
             for (const part of parts) {
-                current += "/" + part;
+                current += `/${part}`;
                 if (!this.entries.has(current)) {
                     this.entries.set(current, this.newDir());
                 }
@@ -172,7 +169,7 @@ export class InMemoryFileSystem {
             throw this.enoent("rmdir", path);
         }
         // Check if empty
-        const prefix = resolved + "/";
+        const prefix = `${resolved}/`;
         for (const key of this.entries.keys()) {
             if (key.startsWith(prefix)) {
                 throw new Error(`ENOTEMPTY: directory not empty, rmdir '${path}'`);
@@ -199,7 +196,7 @@ export class InMemoryFileSystem {
             return;
         }
         // Move directory and all children
-        const prefix = oldResolved + "/";
+        const prefix = `${oldResolved}/`;
         const toMove = [];
         for (const [key, val] of this.entries) {
             if (key === oldResolved || key.startsWith(prefix)) {
@@ -210,9 +207,7 @@ export class InMemoryFileSystem {
             this.entries.delete(key);
         }
         for (const [key, val] of toMove) {
-            const newKey = key === oldResolved
-                ? newNorm
-                : newNorm + key.slice(oldResolved.length);
+            const newKey = key === oldResolved ? newNorm : newNorm + key.slice(oldResolved.length);
             this.entries.set(newKey, val);
         }
     }
@@ -270,8 +265,13 @@ export class InMemoryFileSystem {
         const entry = this.resolveEntry(path);
         if (!entry)
             throw this.enoent("chmod", path);
-        // Preserve file type bits, update permission bits
-        entry.mode = (entry.mode & 0o170000) | (mode & 0o7777);
+        const callerTypeBits = mode & 0o170000;
+        if (callerTypeBits !== 0) {
+            entry.mode = mode;
+        }
+        else {
+            entry.mode = (entry.mode & 0o170000) | (mode & 0o7777);
+        }
         entry.ctimeMs = Date.now();
     }
     async chown(path, uid, gid) {
@@ -316,6 +316,20 @@ export class InMemoryFileSystem {
             return new Uint8Array(0);
         return entry.data.slice(offset, Math.min(offset + length, entry.data.length));
     }
+    async pwrite(path, offset, data) {
+        const entry = this.resolveEntry(path);
+        if (!entry || entry.type !== "file") {
+            throw this.enoent("open", path);
+        }
+        const endPos = offset + data.length;
+        const newContent = new Uint8Array(Math.max(entry.data.length, endPos));
+        newContent.set(entry.data);
+        newContent.set(data, offset);
+        entry.data = newContent;
+        const now = Date.now();
+        entry.mtimeMs = now;
+        entry.ctimeMs = now;
+    }
     // --- Helpers ---
     /**
      * Resolve symlinks to get the final path. Returns the normalized path
@@ -332,7 +346,7 @@ export class InMemoryFileSystem {
         if (entry.type === "symlink") {
             const target = entry.target.startsWith("/")
                 ? entry.target
-                : dirname(normalized) + "/" + entry.target;
+                : `${dirname(normalized)}/${entry.target}`;
             return this.resolvePath(target, depth + 1);
         }
         return normalized;
@@ -358,9 +372,13 @@ export class InMemoryFileSystem {
         };
     }
     toStat(entry) {
+        const size = entry.type === "file" ? entry.data.length : 4096;
         return {
             mode: entry.mode,
-            size: entry.type === "file" ? entry.data.length : 4096,
+            size,
+            blocks: size === 0 ? 0 : Math.ceil(size / 512),
+            dev: 1,
+            rdev: 0,
             isDirectory: entry.type === "dir",
             isSymbolicLink: entry.type === "symlink",
             atimeMs: entry.atimeMs,

package/dist/runtime-driver.d.ts

@@ -1,25 +1,33 @@
-import type { NetworkAdapter, NodeRuntimeDriver, NodeRuntimeDriverFactory, RuntimeDriverOptions } from "@secure-exec/core";
-import type { ExecOptions, ExecResult, RunResult } from "@secure-exec/core";
+import type { ExecOptions, ExecResult, NetworkAdapter, NodeRuntimeDriver, NodeRuntimeDriverFactory, RunResult, RuntimeDriverOptions } from "./runtime.js";
 export interface BrowserRuntimeDriverFactoryOptions {
     workerUrl?: URL | string;
 }
 export declare class BrowserRuntimeDriver implements NodeRuntimeDriver {
-    private readonly options;
     private readonly worker;
     private readonly pending;
+    private readonly controlToken;
     private readonly defaultOnStdio?;
+    private readonly defaultTimingMitigation;
     private readonly networkAdapter;
+    private readonly syncBridge;
+    private readonly syncFilesystem;
     private readonly ready;
+    private readonly encoder;
     private nextId;
     private disposed;
     constructor(options: RuntimeDriverOptions, factoryOptions?: BrowserRuntimeDriverFactoryOptions);
     get network(): Pick<NetworkAdapter, "fetch" | "dnsLookup" | "httpRequest">;
     private handleWorkerError;
     private handleWorkerMessage;
+    private handleSyncRequest;
     private rejectAllPending;
+    private clearWorkerHandlers;
+    private resetSyncBridgeState;
+    private cleanup;
     private callWorker;
     run<T = unknown>(code: string, filePath?: string): Promise<RunResult<T>>;
     exec(code: string, options?: ExecOptions): Promise<ExecResult>;
+    dispatchExtensionRequest(namespace: string, payload: Uint8Array): Promise<Uint8Array>;
     dispose(): void;
     terminate(): Promise<void>;
 }