@secure-exec/core 0.0.0-main.bccb3a2

package/dist/state.d.ts

@@ -0,0 +1,40 @@
+import * as protocol from "./generated-protocol.js";
+export interface LiveGuestFilesystemStat {
+    mode: number;
+    size: number;
+    blocks: number;
+    dev: number;
+    rdev: number;
+    is_directory: boolean;
+    is_symbolic_link: boolean;
+    atime_ms: number;
+    mtime_ms: number;
+    ctime_ms: number;
+    birthtime_ms: number;
+    ino: number;
+    nlink: number;
+    uid: number;
+    gid: number;
+}
+export interface LiveSocketStateEntry {
+    process_id: string;
+    host?: string;
+    port?: number;
+    path?: string;
+}
+export interface LiveProcessSnapshotEntry {
+    process_id: string;
+    pid: number;
+    ppid: number;
+    pgid: number;
+    sid: number;
+    driver: string;
+    command: string;
+    args?: string[];
+    cwd: string;
+    status: "running" | "exited" | "stopped";
+    exit_code?: number;
+}
+export declare function fromGeneratedGuestFilesystemStat(stat: protocol.GuestFilesystemStat): LiveGuestFilesystemStat;
+export declare function fromGeneratedSocketStateEntry(entry: protocol.SocketStateEntry): LiveSocketStateEntry;
+export declare function fromGeneratedProcessSnapshotEntry(entry: protocol.ProcessSnapshotEntry): LiveProcessSnapshotEntry;

package/dist/state.js

@@ -0,0 +1,44 @@
+import { bigIntToSafeNumber } from "./numbers.js";
+import { fromGeneratedProcessSnapshotStatus } from "./protocol-maps.js";
+export function fromGeneratedGuestFilesystemStat(stat) {
+    return {
+        mode: stat.mode,
+        size: bigIntToSafeNumber(stat.size, "guest filesystem stat size"),
+        blocks: bigIntToSafeNumber(stat.blocks, "guest filesystem stat blocks"),
+        dev: bigIntToSafeNumber(stat.dev, "guest filesystem stat dev"),
+        rdev: bigIntToSafeNumber(stat.rdev, "guest filesystem stat rdev"),
+        is_directory: stat.isDirectory,
+        is_symbolic_link: stat.isSymbolicLink,
+        atime_ms: bigIntToSafeNumber(stat.atimeMs, "guest filesystem stat atime"),
+        mtime_ms: bigIntToSafeNumber(stat.mtimeMs, "guest filesystem stat mtime"),
+        ctime_ms: bigIntToSafeNumber(stat.ctimeMs, "guest filesystem stat ctime"),
+        birthtime_ms: bigIntToSafeNumber(stat.birthtimeMs, "guest filesystem stat birthtime"),
+        ino: bigIntToSafeNumber(stat.ino, "guest filesystem stat ino"),
+        nlink: bigIntToSafeNumber(stat.nlink, "guest filesystem stat nlink"),
+        uid: stat.uid,
+        gid: stat.gid,
+    };
+}
+export function fromGeneratedSocketStateEntry(entry) {
+    return {
+        process_id: entry.processId,
+        ...(entry.host !== null ? { host: entry.host } : {}),
+        ...(entry.port !== null ? { port: entry.port } : {}),
+        ...(entry.path !== null ? { path: entry.path } : {}),
+    };
+}
+export function fromGeneratedProcessSnapshotEntry(entry) {
+    return {
+        process_id: entry.processId,
+        pid: entry.pid,
+        ppid: entry.ppid,
+        pgid: entry.pgid,
+        sid: entry.sid,
+        driver: entry.driver,
+        command: entry.command,
+        args: [...entry.args],
+        cwd: entry.cwd,
+        status: fromGeneratedProcessSnapshotStatus(entry.status),
+        ...(entry.exitCode !== null ? { exit_code: entry.exitCode } : {}),
+    };
+}

package/dist/test-runtime.d.ts

@@ -0,0 +1,534 @@
+import { Sidecar } from "./kernel-proxy.js";
+export declare const AF_INET = 2;
+export declare const AF_UNIX = 1;
+export declare const SOCK_STREAM = 1;
+export declare const SOCK_DGRAM = 2;
+export declare const SIGTERM = 15;
+export type KernelBootTimingPhase = "filesystem_snapshot" | "sidecar_spawn" | "session_open" | "vm_create" | "vm_ready" | "vm_configure";
+export interface KernelBootTiming {
+    phase: KernelBootTimingPhase;
+    durationMs: number;
+}
+export type StdioChannel = "stdout" | "stderr";
+export type TimingMitigation = "off" | "freeze";
+export type PermissionMode = "allow" | "deny";
+export type PermissionDecision = PermissionMode;
+export interface VirtualDirEntry {
+    name: string;
+    isDirectory: boolean;
+    isSymbolicLink?: boolean;
+}
+export interface VirtualStat {
+    mode: number;
+    size: number;
+    blocks: number;
+    dev: number;
+    rdev: number;
+    isDirectory: boolean;
+    isSymbolicLink: boolean;
+    atimeMs: number;
+    mtimeMs: number;
+    ctimeMs: number;
+    birthtimeMs: number;
+    ino: number;
+    nlink: number;
+    uid: number;
+    gid: number;
+}
+export interface VirtualFileSystem {
+    readFile(path: string): Promise<Uint8Array>;
+    readTextFile(path: string): Promise<string>;
+    readDir(path: string): Promise<string[]>;
+    readDirWithTypes(path: string): Promise<VirtualDirEntry[]>;
+    writeFile(path: string, content: string | Uint8Array): Promise<void>;
+    createDir(path: string): Promise<void>;
+    mkdir(path: string, options?: {
+        recursive?: boolean;
+    }): Promise<void>;
+    exists(path: string): Promise<boolean>;
+    stat(path: string): Promise<VirtualStat>;
+    removeFile(path: string): Promise<void>;
+    removeDir(path: string): Promise<void>;
+    rename(oldPath: string, newPath: string): Promise<void>;
+    realpath(path: string): Promise<string>;
+    symlink(target: string, linkPath: string): Promise<void>;
+    readlink(path: string): Promise<string>;
+    lstat(path: string): Promise<VirtualStat>;
+    link(oldPath: string, newPath: string): Promise<void>;
+    chmod(path: string, mode: number): Promise<void>;
+    chown(path: string, uid: number, gid: number): Promise<void>;
+    utimes(path: string, atime: number, mtime: number): Promise<void>;
+    truncate(path: string, length: number): Promise<void>;
+    pread(path: string, offset: number, length: number): Promise<Uint8Array>;
+    pwrite(path: string, offset: number, data: Uint8Array): Promise<void>;
+}
+export interface NetworkAccessRequest {
+    url?: string;
+    host?: string;
+    port?: number;
+    protocol?: string;
+}
+export interface FsPermissionRule {
+    mode: PermissionMode;
+    operations?: string[];
+    paths?: string[];
+}
+export interface PatternPermissionRule {
+    mode: PermissionMode;
+    operations?: string[];
+    patterns?: string[];
+}
+export interface RulePermissions<TRule> {
+    default?: PermissionMode;
+    rules: TRule[];
+}
+export type FsPermissions = PermissionMode | RulePermissions<FsPermissionRule>;
+export type NetworkPermissions = PermissionMode | RulePermissions<PatternPermissionRule>;
+export type ChildProcessPermissions = PermissionMode | RulePermissions<PatternPermissionRule>;
+export type ProcessPermissions = PermissionMode | RulePermissions<PatternPermissionRule>;
+export type EnvPermissions = PermissionMode | RulePermissions<PatternPermissionRule>;
+export type ToolPermissions = PermissionMode | RulePermissions<PatternPermissionRule>;
+export interface ProcessInfo {
+    pid: number;
+    ppid: number;
+    pgid: number;
+    sid: number;
+    driver: string;
+    command: string;
+    args: string[];
+    cwd: string;
+    status: "running" | "exited";
+    exitCode: number | null;
+    startTime: number;
+    exitTime: number | null;
+}
+export interface ManagedProcess {
+    pid: number;
+    writeStdin(data: Uint8Array | string): void;
+    closeStdin(): void;
+    kill(signal?: number): void;
+    wait(): Promise<number>;
+    readonly exitCode: number | null;
+}
+export interface ShellHandle {
+    pid: number;
+    write(data: Uint8Array | string): void;
+    onData: ((data: Uint8Array) => void) | null;
+    resize(cols: number, rows: number): void;
+    kill(signal?: number): void;
+    wait(): Promise<number>;
+}
+export interface OpenShellOptions {
+    command?: string;
+    args?: string[];
+    env?: Record<string, string>;
+    cwd?: string;
+    cols?: number;
+    rows?: number;
+    onStderr?: (data: Uint8Array) => void;
+}
+export interface ConnectTerminalOptions extends OpenShellOptions {
+    onData?: (data: Uint8Array) => void;
+}
+export interface ExecOptions {
+    env?: Record<string, string>;
+    cwd?: string;
+    stdin?: string | Uint8Array;
+    timeout?: number;
+    onStdout?: (data: Uint8Array) => void;
+    onStderr?: (data: Uint8Array) => void;
+    captureStdio?: boolean;
+    filePath?: string;
+    cpuTimeLimitMs?: number;
+    timingMitigation?: TimingMitigation;
+}
+export interface ExecResult {
+    exitCode: number;
+    stdout: string;
+    stderr: string;
+}
+export interface RunResult<T = unknown> {
+    value?: T;
+    code: number;
+    errorMessage?: string;
+}
+export interface KernelSpawnOptions extends ExecOptions {
+    stdio?: "pipe" | "inherit";
+    stdinFd?: number;
+    stdoutFd?: number;
+    stderrFd?: number;
+    streamStdin?: boolean;
+}
+export type KernelExecOptions = ExecOptions;
+export type KernelExecResult = ExecResult;
+export type StatInfo = VirtualStat;
+export type DirEntry = VirtualDirEntry;
+export type StdioEvent = {
+    channel: StdioChannel;
+    message: string;
+};
+export type StdioHook = (event: StdioEvent) => void;
+export interface Permissions {
+    fs?: FsPermissions;
+    network?: NetworkPermissions;
+    childProcess?: ChildProcessPermissions;
+    process?: ProcessPermissions;
+    env?: EnvPermissions;
+    tool?: ToolPermissions;
+}
+/** A worked example shown alongside a registered host tool. */
+export interface HostToolExample {
+    /** What this example demonstrates. */
+    description: string;
+    /** Example input matching the tool's input schema. */
+    input: unknown;
+}
+/**
+ * A host-side tool that guest code can invoke as a shell command. The guest
+ * runs the tool by name and the invocation round-trips back to the host JS
+ * `handler`, whose return value is passed back to the guest. Tools never run
+ * inside the guest: they execute on the host, so they are the bridge for giving
+ * sandboxed guest code controlled, named capabilities (the kind AI agents call
+ * as tools).
+ */
+export interface HostToolDefinition {
+    /** Human-readable description of what the tool does. */
+    description: string;
+    /** JSON Schema describing the tool's input. */
+    inputSchema: object;
+    /** Abort the invocation after this many milliseconds. */
+    timeoutMs?: number;
+    /** Worked examples shown alongside the tool. */
+    examples?: HostToolExample[];
+    /**
+     * Extra command names the guest can use to invoke this tool, in addition to
+     * the key it is registered under.
+     */
+    commandAliases?: string[];
+    /**
+     * Host handler invoked when guest code runs the tool. Receives the parsed
+     * input and returns a JSON-serializable result delivered back to the guest.
+     */
+    handler: (input: unknown) => unknown | Promise<unknown>;
+}
+export interface ResourceBudgets {
+    maxOutputBytes?: number;
+    maxBridgeCalls?: number;
+    maxTimers?: number;
+    maxChildProcesses?: number;
+    maxHandles?: number;
+}
+export interface ProcessConfig {
+    cwd?: string;
+    env?: Record<string, string>;
+    argv?: string[];
+    stdinIsTTY?: boolean;
+    stdoutIsTTY?: boolean;
+    stderrIsTTY?: boolean;
+}
+export interface OSConfig {
+    homedir?: string;
+    tmpdir?: string;
+}
+export interface CommandExecutor {
+    spawn(command: string, args: string[], options?: KernelSpawnOptions): ManagedProcess;
+}
+export interface NetworkAdapter {
+    fetch(url: string, options?: {
+        method?: string;
+        headers?: Record<string, string>;
+        body?: unknown;
+    }): Promise<{
+        ok: boolean;
+        status: number;
+        statusText: string;
+        headers: Record<string, string>;
+        body: string;
+        url: string;
+        redirected: boolean;
+    }>;
+    dnsLookup(hostname: string): Promise<{
+        address?: string;
+        family?: number;
+        error?: string;
+        code?: string;
+    }>;
+    httpRequest(url: string, options?: {
+        method?: string;
+        headers?: Record<string, string>;
+        body?: unknown;
+    }): Promise<{
+        status: number;
+        statusText: string;
+        headers: Record<string, string>;
+        body: string;
+        url: string;
+    }>;
+}
+export interface SystemDriver {
+    filesystem?: VirtualFileSystem;
+    network?: NetworkAdapter;
+    commandExecutor?: CommandExecutor;
+    permissions?: Permissions;
+    runtime: {
+        process: ProcessConfig;
+        os: OSConfig;
+    };
+}
+export interface RuntimeDriverOptions {
+    system: SystemDriver;
+    runtime: {
+        process: ProcessConfig;
+        os: OSConfig;
+    };
+    memoryLimit?: number;
+    cpuTimeLimitMs?: number;
+    timingMitigation?: TimingMitigation;
+    onStdio?: StdioHook;
+    payloadLimits?: {
+        base64TransferBytes?: number;
+        jsonPayloadBytes?: number;
+    };
+    resourceBudgets?: ResourceBudgets;
+}
+export interface NodeRuntimeDriver {
+    exec(code: string, options?: ExecOptions): Promise<ExecResult>;
+    run<T = unknown>(code: string, filePath?: string): Promise<RunResult<T>>;
+    dispose(): void;
+    terminate?(): Promise<void>;
+    readonly network?: Pick<NetworkAdapter, "fetch" | "dnsLookup" | "httpRequest">;
+}
+export interface NodeRuntimeDriverFactory {
+    createRuntimeDriver(options: RuntimeDriverOptions): NodeRuntimeDriver;
+}
+export interface KernelInterface {
+    vfs: VirtualFileSystem;
+}
+export interface Kernel extends KernelInterface {
+    mount(driver: KernelRuntimeDriver): Promise<void>;
+    dispose(): Promise<void>;
+    exec(command: string, options?: KernelExecOptions): Promise<KernelExecResult>;
+    spawn(command: string, args: string[], options?: KernelSpawnOptions): ManagedProcess;
+    openShell(options?: OpenShellOptions): ShellHandle;
+    connectTerminal(options?: ConnectTerminalOptions): Promise<number>;
+    mountFs(path: string, fs: VirtualFileSystem, options?: {
+        readOnly?: boolean;
+    }): void;
+    unmountFs(path: string): void;
+    readFile(path: string): Promise<Uint8Array>;
+    writeFile(path: string, content: string | Uint8Array): Promise<void>;
+    mkdir(path: string): Promise<void>;
+    readdir(path: string): Promise<string[]>;
+    stat(path: string): Promise<VirtualStat>;
+    exists(path: string): Promise<boolean>;
+    removeFile(path: string): Promise<void>;
+    removeDir(path: string): Promise<void>;
+    rename(oldPath: string, newPath: string): Promise<void>;
+    vmFetch(request: {
+        port: number;
+        method: string;
+        path: string;
+        headersJson: string;
+        body?: string;
+    }): Promise<string>;
+    registerHostTools(tools: Record<string, HostToolDefinition>): Promise<void>;
+    readonly commands: ReadonlyMap<string, string>;
+    readonly processes: ReadonlyMap<number, ProcessInfo>;
+    readonly env: Record<string, string>;
+    readonly cwd: string;
+    readonly socketTable: {
+        hasHostNetworkAdapter(): boolean;
+        findListener(_request: unknown): unknown | null;
+        findBoundUdp(_request: unknown): unknown | null;
+    };
+    readonly processTable: {
+        getSignalState(_pid: number): {
+            handlers: Map<number, unknown>;
+        };
+    };
+    readonly timerTable: Record<string, never>;
+    readonly zombieTimerCount: number;
+}
+export interface BindingTree {
+    [key: string]: BindingFunction | BindingTree;
+}
+export type BindingFunction = (...args: unknown[]) => unknown;
+export interface ModuleAccessOptions {
+    cwd?: string;
+}
+export interface NodeDriverOptions {
+    filesystem?: VirtualFileSystem;
+    networkAdapter?: NetworkAdapter;
+    commandExecutor?: CommandExecutor;
+    permissions?: Permissions;
+    processConfig?: ProcessConfig;
+    osConfig?: OSConfig;
+    moduleAccess?: ModuleAccessOptions;
+}
+export interface DefaultNetworkAdapterOptions {
+    loopbackExemptPorts?: number[];
+}
+export interface NodeRuntimeOptions {
+    systemDriver?: SystemDriver;
+    runtimeDriverFactory?: NodeRuntimeDriverFactory;
+    permissions?: Partial<Permissions>;
+    memoryLimit?: number;
+    moduleAccessPaths?: string[];
+    bindings?: BindingTree;
+    loopbackExemptPorts?: number[];
+    moduleAccessCwd?: string;
+    packageRoots?: Array<{
+        hostPath: string;
+        vmPath: string;
+    }>;
+}
+export type NodeRuntimeDriverFactoryOptions = Record<string, never>;
+export type NodeExecutionDriverOptions = RuntimeDriverOptions;
+export interface KernelRuntimeDriver {
+    readonly kind: "node" | "wasmvm";
+    readonly name: string;
+    readonly commands: string[];
+    readonly commandDirs?: string[];
+    init?(kernel: KernelInterface): Promise<void> | void;
+    tryResolve?(command: string): boolean;
+    getGuestCommandPaths?(startIndex: number): ReadonlyMap<string, string>;
+    recordModuleExecution?(command: string): void;
+}
+export type DriverProcess = ManagedProcess;
+export type ProcessContext = Record<string, never>;
+export declare class KernelError extends Error {
+    readonly code: string;
+    constructor(code: string, message: string);
+}
+export declare class InMemoryFileSystem implements VirtualFileSystem {
+    private readonly entries;
+    constructor();
+    readFile(targetPath: string): Promise<Uint8Array>;
+    readTextFile(targetPath: string): Promise<string>;
+    readDir(targetPath: string): Promise<string[]>;
+    readDirWithTypes(targetPath: string): Promise<VirtualDirEntry[]>;
+    writeFile(targetPath: string, content: string | Uint8Array): Promise<void>;
+    createDir(targetPath: string): Promise<void>;
+    mkdir(targetPath: string, options?: {
+        recursive?: boolean;
+    }): Promise<void>;
+    exists(targetPath: string): Promise<boolean>;
+    stat(targetPath: string): Promise<VirtualStat>;
+    removeFile(targetPath: string): Promise<void>;
+    removeDir(targetPath: string): Promise<void>;
+    rename(oldPath: string, newPath: string): Promise<void>;
+    realpath(targetPath: string): Promise<string>;
+    symlink(target: string, linkPath: string): Promise<void>;
+    readlink(targetPath: string): Promise<string>;
+    lstat(targetPath: string): Promise<VirtualStat>;
+    link(oldPath: string, newPath: string): Promise<void>;
+    chmod(targetPath: string, mode: number): Promise<void>;
+    chown(targetPath: string, uid: number, gid: number): Promise<void>;
+    utimes(targetPath: string, atime: number, mtime: number): Promise<void>;
+    truncate(targetPath: string, length: number): Promise<void>;
+    pread(targetPath: string, offset: number, length: number): Promise<Uint8Array>;
+    pwrite(targetPath: string, offset: number, data: Uint8Array): Promise<void>;
+    private resolvePath;
+    private resolveEntry;
+    private newDirectory;
+    private toStat;
+}
+export declare function createInMemoryFileSystem(): InMemoryFileSystem;
+export declare class NodeFileSystem implements VirtualFileSystem {
+    readonly rootPath: string;
+    constructor(options: {
+        root: string;
+    });
+    private normalizeTarget;
+    private toStat;
+    readFile(targetPath: string): Promise<Uint8Array>;
+    readTextFile(targetPath: string): Promise<string>;
+    readDir(targetPath: string): Promise<string[]>;
+    readDirWithTypes(targetPath: string): Promise<VirtualDirEntry[]>;
+    writeFile(targetPath: string, content: string | Uint8Array): Promise<void>;
+    createDir(targetPath: string): Promise<void>;
+    mkdir(targetPath: string, options?: {
+        recursive?: boolean;
+    }): Promise<void>;
+    exists(targetPath: string): Promise<boolean>;
+    stat(targetPath: string): Promise<VirtualStat>;
+    removeFile(targetPath: string): Promise<void>;
+    removeDir(targetPath: string): Promise<void>;
+    rename(oldPath: string, newPath: string): Promise<void>;
+    realpath(targetPath: string): Promise<string>;
+    symlink(target: string, linkPath: string): Promise<void>;
+    readlink(targetPath: string): Promise<string>;
+    lstat(targetPath: string): Promise<VirtualStat>;
+    link(oldPath: string, newPath: string): Promise<void>;
+    chmod(targetPath: string, mode: number): Promise<void>;
+    chown(targetPath: string, uid: number, gid: number): Promise<void>;
+    utimes(targetPath: string, atime: number, mtime: number): Promise<void>;
+    truncate(targetPath: string, length: number): Promise<void>;
+    pread(targetPath: string, offset: number, length: number): Promise<Uint8Array>;
+    pwrite(targetPath: string, offset: number, data: Uint8Array): Promise<void>;
+}
+export declare const allowAllFs: FsPermissions;
+export declare const allowAllNetwork: NetworkPermissions;
+export declare const allowAllChildProcess: ChildProcessPermissions;
+export declare const allowAllProcess: ProcessPermissions;
+export declare const allowAllEnv: EnvPermissions;
+export declare const allowAll: Permissions;
+export declare function filterEnv(env: Record<string, string> | undefined, permissions?: Permissions): Record<string, string>;
+export declare function createProcessScopedFileSystem(filesystem: VirtualFileSystem): VirtualFileSystem;
+export declare function exists(filesystem: VirtualFileSystem, targetPath: string): Promise<boolean>;
+export declare function stat(filesystem: VirtualFileSystem, targetPath: string): Promise<VirtualStat>;
+export declare function rename(filesystem: VirtualFileSystem, oldPath: string, newPath: string): Promise<void>;
+export declare function readDirWithTypes(filesystem: VirtualFileSystem, targetPath: string): Promise<VirtualDirEntry[]>;
+export declare function mkdir(filesystem: VirtualFileSystem, targetPath: string, options?: {
+    recursive?: boolean;
+}): Promise<void>;
+export declare function createNodeHostCommandExecutor(): CommandExecutor;
+export declare function createKernelCommandExecutor(kernel: Kernel): CommandExecutor;
+export declare function createKernelVfsAdapter(kernelVfs: VirtualFileSystem): VirtualFileSystem;
+export declare function createHostFallbackVfs(base: VirtualFileSystem): VirtualFileSystem;
+export declare function isPrivateIp(host: string): boolean;
+export declare function createNodeHostNetworkAdapter(): NetworkAdapter;
+export declare function createDefaultNetworkAdapter(): NetworkAdapter;
+export declare function createNodeDriver(options?: NodeDriverOptions): SystemDriver;
+export declare class NodeExecutionDriver implements NodeRuntimeDriver {
+    private readonly options;
+    readonly network?: Pick<NetworkAdapter, "fetch" | "dnsLookup" | "httpRequest">;
+    constructor(options: RuntimeDriverOptions);
+    exec(): Promise<ExecResult>;
+    run<T = unknown>(): Promise<RunResult<T>>;
+    dispose(): void;
+    terminate(): Promise<void>;
+}
+export declare class NodeRuntime extends NodeExecutionDriver {
+}
+export declare function createNodeRuntimeDriverFactory(): NodeRuntimeDriverFactory;
+export declare class ModuleAccessFileSystem extends NodeFileSystem {
+}
+export declare const WASMVM_COMMANDS: readonly string[];
+export type PermissionTier = "full" | "read-write" | "read-only" | "isolated";
+export declare const DEFAULT_FIRST_PARTY_TIERS: Readonly<Record<string, PermissionTier>>;
+export interface WasmVmRuntimeOptions {
+    wasmBinaryPath?: string;
+    commandDirs?: string[];
+    permissions?: Record<string, PermissionTier>;
+}
+export declare function createWasmVmRuntime(options?: WasmVmRuntimeOptions): KernelRuntimeDriver;
+export declare function createNodeRuntime(): KernelRuntimeDriver;
+export declare function createKernel(options: {
+    filesystem: VirtualFileSystem;
+    permissions?: Permissions;
+    env?: Record<string, string>;
+    cwd?: string;
+    sidecar?: Sidecar;
+    onBootTiming?: (timing: KernelBootTiming) => void;
+    maxProcesses?: number;
+    hostNetworkAdapter?: unknown;
+    loopbackExemptPorts?: number[];
+    logger?: unknown;
+    mounts?: Array<{
+        path: string;
+        fs: VirtualFileSystem;
+        readOnly?: boolean;
+    }>;
+    syncFilesystemOnDispose?: boolean;
+}): Kernel;