@secure-exec/core 0.1.0-rc.1

package/dist/shared/console-formatter.js

@@ -0,0 +1,157 @@
+export const DEFAULT_CONSOLE_SERIALIZATION_BUDGET = {
+    maxDepth: 6,
+    maxKeys: 50,
+    maxArrayLength: 50,
+    maxOutputLength: 4096,
+};
+function normalizeBudget(budget) {
+    const defaults = {
+        maxDepth: 6,
+        maxKeys: 50,
+        maxArrayLength: 50,
+        maxOutputLength: 4096,
+    };
+    const clamp = (value, fallback) => {
+        if (!Number.isFinite(value))
+            return fallback;
+        const normalized = Math.floor(value);
+        return normalized > 0 ? normalized : fallback;
+    };
+    return {
+        maxDepth: clamp(budget.maxDepth, defaults.maxDepth),
+        maxKeys: clamp(budget.maxKeys, defaults.maxKeys),
+        maxArrayLength: clamp(budget.maxArrayLength, defaults.maxArrayLength),
+        maxOutputLength: clamp(budget.maxOutputLength, defaults.maxOutputLength),
+    };
+}
+function safeStringifyConsoleValueWithBudget(value, budget) {
+    const suffix = "...[Truncated]";
+    const clampOutput = (text) => {
+        if (text.length <= budget.maxOutputLength) {
+            return text;
+        }
+        if (budget.maxOutputLength <= suffix.length) {
+            return suffix.slice(0, budget.maxOutputLength);
+        }
+        return (text.slice(0, budget.maxOutputLength - suffix.length) + suffix);
+    };
+    if (value === null)
+        return "null";
+    if (value === undefined)
+        return "undefined";
+    const valueType = typeof value;
+    if (valueType !== "object") {
+        if (valueType === "bigint") {
+            return `${String(value)}n`;
+        }
+        return clampOutput(String(value));
+    }
+    const rootObject = value;
+    const skipFastPath = (Array.isArray(rootObject) &&
+        rootObject.length > budget.maxArrayLength) ||
+        (!Array.isArray(rootObject) &&
+            Object.keys(rootObject).length > budget.maxKeys);
+    if (!skipFastPath) {
+        try {
+            const quickSerialized = JSON.stringify(value);
+            if (quickSerialized !== undefined) {
+                return clampOutput(quickSerialized);
+            }
+        }
+        catch {
+            // Fall back to circular-safe and budget-aware serialization.
+        }
+    }
+    const seen = new WeakSet();
+    const depthByObject = new WeakMap();
+    const replacer = function (key, current) {
+        if (typeof current === "bigint") {
+            return `${String(current)}n`;
+        }
+        if (typeof current !== "object" || current === null) {
+            return current;
+        }
+        const currentObject = current;
+        if (seen.has(currentObject)) {
+            return "[Circular]";
+        }
+        seen.add(currentObject);
+        let depth = 0;
+        if (key !== "") {
+            const parent = this;
+            if (typeof parent === "object" && parent !== null) {
+                depth = (depthByObject.get(parent) ?? 0) + 1;
+            }
+        }
+        depthByObject.set(currentObject, depth);
+        if (depth > budget.maxDepth) {
+            return "[MaxDepth]";
+        }
+        if (Array.isArray(currentObject)) {
+            if (currentObject.length <= budget.maxArrayLength) {
+                return currentObject;
+            }
+            const trimmed = currentObject.slice(0, budget.maxArrayLength);
+            trimmed.push("[Truncated]");
+            return trimmed;
+        }
+        const keys = Object.keys(currentObject);
+        if (keys.length <= budget.maxKeys) {
+            return currentObject;
+        }
+        const trimmed = {};
+        for (let i = 0; i < budget.maxKeys; i += 1) {
+            const keyName = keys[i];
+            trimmed[keyName] = currentObject[keyName];
+        }
+        trimmed["[Truncated]"] = `${keys.length - budget.maxKeys} key(s)`;
+        return trimmed;
+    };
+    try {
+        const serialized = JSON.stringify(value, replacer);
+        if (serialized === undefined) {
+            return clampOutput(String(value));
+        }
+        return clampOutput(serialized);
+    }
+    catch {
+        return clampOutput(String(value));
+    }
+}
+/** Serialize a single value with circular reference detection and budget limits. */
+export function safeStringifyConsoleValue(value, rawBudget) {
+    return safeStringifyConsoleValueWithBudget(value, normalizeBudget(rawBudget));
+}
+/** Format an array of console arguments into a single space-separated string. */
+export function formatConsoleArgs(args, rawBudget) {
+    const budget = normalizeBudget(rawBudget);
+    const formatted = [];
+    for (let i = 0; i < args.length; i += 1) {
+        formatted.push(safeStringifyConsoleValueWithBudget(args[i], budget));
+    }
+    return formatted.join(" ");
+}
+/**
+ * Generate isolate-side JavaScript that installs a `globalThis.console` shim.
+ * The shim serializes arguments using the budget and forwards them to host
+ * bridge references (`_log` / `_error`) via `applySync`.
+ */
+export function getConsoleSetupCode(budget = DEFAULT_CONSOLE_SERIALIZATION_BUDGET) {
+    const normalizedBudget = normalizeBudget(budget);
+    return `
+	      // tsx/esbuild may emit __name(...) wrappers inside function source strings.
+	      const __name = (value) => value;
+	      const __consoleBudget = ${JSON.stringify(normalizedBudget)};
+	      const normalizeBudget = ${normalizeBudget.toString()};
+	      const safeStringifyConsoleValueWithBudget = ${safeStringifyConsoleValueWithBudget.toString()};
+      const safeStringifyConsoleValue = ${safeStringifyConsoleValue.toString()};
+      const formatConsoleArgs = ${formatConsoleArgs.toString()};
+
+      globalThis.console = {
+        log: (...args) => _log.applySync(undefined, [formatConsoleArgs(args, __consoleBudget)]),
+        error: (...args) => _error.applySync(undefined, [formatConsoleArgs(args, __consoleBudget)]),
+        warn: (...args) => _error.applySync(undefined, [formatConsoleArgs(args, __consoleBudget)]),
+        info: (...args) => _log.applySync(undefined, [formatConsoleArgs(args, __consoleBudget)]),
+      };
+    `;
+}

package/dist/shared/constants.d.ts

@@ -0,0 +1,3 @@
+/** Matches GNU `timeout` convention where 124 indicates execution timed out. */
+export declare const TIMEOUT_EXIT_CODE = 124;
+export declare const TIMEOUT_ERROR_MESSAGE = "CPU time limit exceeded";

package/dist/shared/constants.js

@@ -0,0 +1,3 @@
+/** Matches GNU `timeout` convention where 124 indicates execution timed out. */
+export const TIMEOUT_EXIT_CODE = 124;
+export const TIMEOUT_ERROR_MESSAGE = "CPU time limit exceeded";

package/dist/shared/errors.d.ts

@@ -0,0 +1,16 @@
+/** Node-compatible system error shape with code, errno, path, and syscall. */
+export interface SystemError extends Error {
+    code?: string;
+    errno?: number | string;
+    path?: string;
+    syscall?: string;
+}
+/** Build a system error with the given POSIX error code (ENOENT, EACCES, etc.). */
+export declare function createSystemError(code: string, message: string, details?: {
+    path?: string;
+    syscall?: string;
+}): SystemError;
+/** Create a permission-denied error matching Node's EACCES format. */
+export declare function createEaccesError(op: string, path?: string, reason?: string): SystemError;
+/** Create a "function not implemented" error for unsupported operations. */
+export declare function createEnosysError(op: string, path?: string): SystemError;

package/dist/shared/errors.js

@@ -0,0 +1,21 @@
+/** Build a system error with the given POSIX error code (ENOENT, EACCES, etc.). */
+export function createSystemError(code, message, details) {
+    const err = new Error(message);
+    err.code = code;
+    if (details?.path)
+        err.path = details.path;
+    if (details?.syscall)
+        err.syscall = details.syscall;
+    return err;
+}
+/** Create a permission-denied error matching Node's EACCES format. */
+export function createEaccesError(op, path, reason) {
+    const suffix = path ? ` '${path}'` : "";
+    const reasonSuffix = reason ? `: ${reason}` : "";
+    return createSystemError("EACCES", `EACCES: permission denied, ${op}${suffix}${reasonSuffix}`, { path, syscall: op });
+}
+/** Create a "function not implemented" error for unsupported operations. */
+export function createEnosysError(op, path) {
+    const suffix = path ? ` '${path}'` : "";
+    return createSystemError("ENOSYS", `ENOSYS: function not implemented, ${op}${suffix}`, { path, syscall: op });
+}

package/dist/shared/esm-utils.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Detect if code uses ESM syntax.
+ */
+export declare function isESM(code: string, filePath?: string): boolean;
+/**
+ * Transform dynamic import() calls to __dynamicImport() calls.
+ */
+export declare function transformDynamicImport(code: string): string;
+/**
+ * Extract static import specifiers from transformed code.
+ */
+export declare function extractDynamicImportSpecifiers(code: string): string[];
+/**
+ * Convert CJS module to ESM-compatible wrapper.
+ */
+/**
+ * Wrap CommonJS code in an ESM-compatible module that exports `module.exports`
+ * as the default export plus any statically-detectable named exports.
+ */
+export declare function wrapCJSForESM(code: string): string;
+export declare function wrapCJSForESMWithModulePath(code: string, modulePath: string): string;
+/**
+ * Scan CJS code for `module.exports.X =`, `exports.X =`, and
+ * `Object.defineProperty(exports, 'X', ...)` patterns to discover named exports
+ * that can be re-exported from the ESM wrapper.
+ */
+declare function extractCjsNamedExports(code: string): string[];
+export { extractCjsNamedExports };

package/dist/shared/esm-utils.js

@@ -0,0 +1,97 @@
+/**
+ * Detect if code uses ESM syntax.
+ */
+export function isESM(code, filePath) {
+    if (filePath?.endsWith(".mjs"))
+        return true;
+    if (filePath?.endsWith(".cjs"))
+        return false;
+    const hasImport = /^\s*import\s*(?:[\w{},*\s]+\s*from\s*)?['"][^'"]+['"]/m.test(code) ||
+        /^\s*import\s*\{[^}]*\}\s*from\s*['"][^'"]+['"]/m.test(code);
+    const hasExport = /^\s*export\s+(?:default|const|let|var|function|class|{)/m.test(code) ||
+        /^\s*export\s*\{/m.test(code);
+    return hasImport || hasExport;
+}
+/**
+ * Transform dynamic import() calls to __dynamicImport() calls.
+ */
+export function transformDynamicImport(code) {
+    return code.replace(/(?<![a-zA-Z_$])import\s*\(/g, "__dynamicImport(");
+}
+/**
+ * Extract static import specifiers from transformed code.
+ */
+export function extractDynamicImportSpecifiers(code) {
+    const regex = /__dynamicImport\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+    const specifiers = new Set();
+    for (const match of code.matchAll(regex)) {
+        specifiers.add(match[1]);
+    }
+    return Array.from(specifiers);
+}
+/**
+ * Convert CJS module to ESM-compatible wrapper.
+ */
+/**
+ * Wrap CommonJS code in an ESM-compatible module that exports `module.exports`
+ * as the default export plus any statically-detectable named exports.
+ */
+export function wrapCJSForESM(code) {
+    const modulePath = "/<cjs-module>.cjs";
+    return wrapCJSForESMWithModulePath(code, modulePath);
+}
+function getModuleDir(path) {
+    const normalized = path.replace(/\\/g, "/");
+    const lastSlash = normalized.lastIndexOf("/");
+    if (lastSlash <= 0) {
+        return "/";
+    }
+    return normalized.slice(0, lastSlash);
+}
+export function wrapCJSForESMWithModulePath(code, modulePath) {
+    const moduleDir = getModuleDir(modulePath);
+    const namedExports = extractCjsNamedExports(code)
+        .filter((name) => name !== "default" && name !== "__esModule")
+        .map((name) => {
+        const localName = `__cjs_named_${name}`;
+        return `const ${localName} = __cjs?.${name};\nexport { ${localName} as ${name} };`;
+    })
+        .join("\n");
+    return `
+	    const __filename = ${JSON.stringify(modulePath)};
+	    const __dirname = ${JSON.stringify(moduleDir)};
+	    const require = (name) => globalThis._requireFrom(name, __dirname);
+	    const module = { exports: {} };
+	    const exports = module.exports;
+	    ${code}
+	    const __cjs = module.exports;
+	    export default __cjs;
+	    export const __cjsModule = true;
+	    ${namedExports}
+	  `;
+}
+/**
+ * Scan CJS code for `module.exports.X =`, `exports.X =`, and
+ * `Object.defineProperty(exports, 'X', ...)` patterns to discover named exports
+ * that can be re-exported from the ESM wrapper.
+ */
+function extractCjsNamedExports(code) {
+    const names = new Set();
+    const add = (name) => {
+        if (!/^[A-Za-z_$][\w$]*$/.test(name)) {
+            return;
+        }
+        names.add(name);
+    };
+    for (const match of code.matchAll(/\bmodule\.exports\.([A-Za-z_$][\w$]*)\s*=/g)) {
+        add(match[1]);
+    }
+    for (const match of code.matchAll(/\bexports\.([A-Za-z_$][\w$]*)\s*=/g)) {
+        add(match[1]);
+    }
+    for (const match of code.matchAll(/\bObject\.defineProperty\(\s*(?:module\.)?exports\s*,\s*["']([^"']+)["']/g)) {
+        add(match[1]);
+    }
+    return Array.from(names).sort();
+}
+export { extractCjsNamedExports };

package/dist/shared/global-exposure.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Classification for globals the runtime installs on the isolate's `globalThis`.
+ *
+ * - `hardened`: non-writable, non-configurable. Prevents sandbox code from
+ *   replacing bridge callbacks or lifecycle hooks.
+ * - `mutable-runtime-state`: writable per-execution state (module cache,
+ *   stdin data, CJS module/exports wrappers) that must be reset between runs.
+ */
+export type CustomGlobalClassification = "hardened" | "mutable-runtime-state";
+export interface CustomGlobalInventoryEntry {
+    name: string;
+    classification: CustomGlobalClassification;
+    rationale: string;
+}
+export declare const NODE_CUSTOM_GLOBAL_INVENTORY: readonly CustomGlobalInventoryEntry[];
+export declare const HARDENED_NODE_CUSTOM_GLOBALS: string[];
+export declare const MUTABLE_NODE_CUSTOM_GLOBALS: string[];
+interface ExposeGlobalOptions {
+    mutable?: boolean;
+    enumerable?: boolean;
+}
+/**
+ * Define a property on `target` using `Object.defineProperty`.
+ * By default the property is non-writable/non-configurable (hardened).
+ */
+export declare function exposeGlobalBinding(target: Record<string, unknown>, name: string, value: unknown, options?: ExposeGlobalOptions): void;
+/** Install a hardened (non-writable) global on `globalThis`. */
+export declare function exposeCustomGlobal(name: string, value: unknown): void;
+/** Install a writable global on `globalThis` for per-execution state. */
+export declare function exposeMutableRuntimeStateGlobal(name: string, value: unknown): void;
+/**
+ * Inline JavaScript source that provides `exposeCustomGlobal` and
+ * `exposeMutableRuntimeStateGlobal` inside the isolate's V8 context.
+ * Evaluated by the host after context creation so that bridge/runtime
+ * scripts can harden their own globals.
+ */
+export declare const ISOLATE_GLOBAL_EXPOSURE_HELPER_SOURCE = "(() => {\n  const exposeGlobalBinding = (name, value, mutable = false) => {\n    Object.defineProperty(globalThis, name, {\n      value,\n      writable: mutable,\n      configurable: mutable,\n      enumerable: true,\n    });\n  };\n  const exposeCustomGlobal = (name, value) => exposeGlobalBinding(name, value, false);\n  const exposeMutableRuntimeStateGlobal = (name, value) =>\n    exposeGlobalBinding(name, value, true);\n  return {\n    exposeCustomGlobal,\n    exposeMutableRuntimeStateGlobal,\n  };\n})()";
+export {};