@secure-exec/core 0.1.0-rc.1

package/dist/bridge/os.d.ts

@@ -0,0 +1,13 @@
+import type * as nodeOs from "os";
+export interface OSConfig {
+    platform?: string;
+    arch?: string;
+    type?: string;
+    release?: string;
+    version?: string;
+    homedir?: string;
+    tmpdir?: string;
+    hostname?: string;
+}
+declare const os: typeof nodeOs;
+export default os;

package/dist/bridge/os.js

@@ -0,0 +1,256 @@
+// OS module polyfill for isolated-vm
+// Provides Node.js os module emulation for sandbox compatibility
+import { exposeCustomGlobal } from "../shared/global-exposure.js";
+// Get config with defaults
+const config = {
+    platform: (typeof _osConfig !== "undefined" && _osConfig.platform) || "linux",
+    arch: (typeof _osConfig !== "undefined" && _osConfig.arch) || "x64",
+    type: (typeof _osConfig !== "undefined" && _osConfig.type) || "Linux",
+    release: (typeof _osConfig !== "undefined" && _osConfig.release) || "5.15.0",
+    version: (typeof _osConfig !== "undefined" && _osConfig.version) || "#1 SMP",
+    homedir: (typeof _osConfig !== "undefined" && _osConfig.homedir) || "/root",
+    tmpdir: (typeof _osConfig !== "undefined" && _osConfig.tmpdir) || "/tmp",
+    hostname: (typeof _osConfig !== "undefined" && _osConfig.hostname) || "sandbox",
+};
+// Signal constants (subset — sandbox only emulates Linux signals)
+const signals = {
+    SIGHUP: 1,
+    SIGINT: 2,
+    SIGQUIT: 3,
+    SIGILL: 4,
+    SIGTRAP: 5,
+    SIGABRT: 6,
+    SIGIOT: 6,
+    SIGBUS: 7,
+    SIGFPE: 8,
+    SIGKILL: 9,
+    SIGUSR1: 10,
+    SIGSEGV: 11,
+    SIGUSR2: 12,
+    SIGPIPE: 13,
+    SIGALRM: 14,
+    SIGTERM: 15,
+    SIGSTKFLT: 16,
+    SIGCHLD: 17,
+    SIGCONT: 18,
+    SIGSTOP: 19,
+    SIGTSTP: 20,
+    SIGTTIN: 21,
+    SIGTTOU: 22,
+    SIGURG: 23,
+    SIGXCPU: 24,
+    SIGXFSZ: 25,
+    SIGVTALRM: 26,
+    SIGPROF: 27,
+    SIGWINCH: 28,
+    SIGIO: 29,
+    SIGPOLL: 29,
+    SIGPWR: 30,
+    SIGSYS: 31,
+};
+// Errno constants
+const errno = {
+    E2BIG: 7,
+    EACCES: 13,
+    EADDRINUSE: 98,
+    EADDRNOTAVAIL: 99,
+    EAFNOSUPPORT: 97,
+    EAGAIN: 11,
+    EALREADY: 114,
+    EBADF: 9,
+    EBADMSG: 74,
+    EBUSY: 16,
+    ECANCELED: 125,
+    ECHILD: 10,
+    ECONNABORTED: 103,
+    ECONNREFUSED: 111,
+    ECONNRESET: 104,
+    EDEADLK: 35,
+    EDESTADDRREQ: 89,
+    EDOM: 33,
+    EDQUOT: 122,
+    EEXIST: 17,
+    EFAULT: 14,
+    EFBIG: 27,
+    EHOSTUNREACH: 113,
+    EIDRM: 43,
+    EILSEQ: 84,
+    EINPROGRESS: 115,
+    EINTR: 4,
+    EINVAL: 22,
+    EIO: 5,
+    EISCONN: 106,
+    EISDIR: 21,
+    ELOOP: 40,
+    EMFILE: 24,
+    EMLINK: 31,
+    EMSGSIZE: 90,
+    EMULTIHOP: 72,
+    ENAMETOOLONG: 36,
+    ENETDOWN: 100,
+    ENETRESET: 102,
+    ENETUNREACH: 101,
+    ENFILE: 23,
+    ENOBUFS: 105,
+    ENODATA: 61,
+    ENODEV: 19,
+    ENOENT: 2,
+    ENOEXEC: 8,
+    ENOLCK: 37,
+    ENOLINK: 67,
+    ENOMEM: 12,
+    ENOMSG: 42,
+    ENOPROTOOPT: 92,
+    ENOSPC: 28,
+    ENOSR: 63,
+    ENOSTR: 60,
+    ENOSYS: 38,
+    ENOTCONN: 107,
+    ENOTDIR: 20,
+    ENOTEMPTY: 39,
+    ENOTSOCK: 88,
+    ENOTSUP: 95,
+    ENOTTY: 25,
+    ENXIO: 6,
+    EOPNOTSUPP: 95,
+    EOVERFLOW: 75,
+    EPERM: 1,
+    EPIPE: 32,
+    EPROTO: 71,
+    EPROTONOSUPPORT: 93,
+    EPROTOTYPE: 91,
+    ERANGE: 34,
+    EROFS: 30,
+    ESPIPE: 29,
+    ESRCH: 3,
+    ESTALE: 116,
+    ETIME: 62,
+    ETIMEDOUT: 110,
+    ETXTBSY: 26,
+    EWOULDBLOCK: 11,
+    EXDEV: 18,
+};
+// Priority constants
+const priority = {
+    PRIORITY_LOW: 19,
+    PRIORITY_BELOW_NORMAL: 10,
+    PRIORITY_NORMAL: 0,
+    PRIORITY_ABOVE_NORMAL: -7,
+    PRIORITY_HIGH: -14,
+    PRIORITY_HIGHEST: -20,
+};
+// OS module implementation (polyfill — partial coverage of Node.js os types)
+const os = {
+    // Platform information
+    platform() {
+        return config.platform;
+    },
+    arch() {
+        return config.arch;
+    },
+    type() {
+        return config.type;
+    },
+    release() {
+        return config.release;
+    },
+    version() {
+        return config.version;
+    },
+    // Directory information
+    homedir() {
+        return config.homedir;
+    },
+    tmpdir() {
+        return config.tmpdir;
+    },
+    // System information
+    hostname() {
+        return config.hostname;
+    },
+    // User information
+    userInfo(_options) {
+        return {
+            username: "root",
+            uid: 0,
+            gid: 0,
+            shell: "/bin/bash",
+            homedir: config.homedir,
+        };
+    },
+    // CPU information
+    cpus() {
+        return [
+            {
+                model: "Virtual CPU",
+                speed: 2000,
+                times: {
+                    user: 100000,
+                    nice: 0,
+                    sys: 50000,
+                    idle: 800000,
+                    irq: 0,
+                },
+            },
+        ];
+    },
+    // Memory information
+    totalmem() {
+        return 1073741824; // 1GB
+    },
+    freemem() {
+        return 536870912; // 512MB
+    },
+    // System load
+    loadavg() {
+        return [0.1, 0.1, 0.1];
+    },
+    // System uptime
+    uptime() {
+        return 3600; // 1 hour
+    },
+    // Network interfaces (empty - not supported in sandbox)
+    networkInterfaces() {
+        return {};
+    },
+    // System endianness
+    endianness() {
+        return "LE";
+    },
+    // Line endings
+    EOL: "\n",
+    // Dev null path
+    devNull: "/dev/null",
+    // Machine type
+    machine() {
+        return config.arch;
+    },
+    // Constants (partial — Linux subset, no Windows WSA* or RTLD_DEEPBIND)
+    constants: {
+        signals: signals,
+        errno: errno,
+        priority,
+        dlopen: {
+            RTLD_LAZY: 1,
+            RTLD_NOW: 2,
+            RTLD_GLOBAL: 256,
+            RTLD_LOCAL: 0,
+        },
+        UV_UDP_REUSEADDR: 4,
+    },
+    // Priority getters/setters (stubs)
+    getPriority(_pid) {
+        return 0;
+    },
+    setPriority(pid, priority) {
+        void pid;
+        void priority;
+    },
+    // Parallelism hint
+    availableParallelism() {
+        return 1;
+    },
+};
+// Expose to global for require() to use.
+exposeCustomGlobal("_osModule", os);
+export default os;

package/dist/bridge/polyfills.d.ts

@@ -0,0 +1,2 @@
+import { TextEncoder, TextDecoder } from "text-encoding-utf-8";
+export { TextEncoder, TextDecoder };

package/dist/bridge/polyfills.js

@@ -0,0 +1,11 @@
+// Early polyfills - this file must be imported FIRST before any other modules
+// that might use TextEncoder/TextDecoder (like whatwg-url)
+import { TextEncoder, TextDecoder } from "text-encoding-utf-8";
+// Install on globalThis so other modules can use them
+if (typeof globalThis.TextEncoder === "undefined") {
+    globalThis.TextEncoder = TextEncoder;
+}
+if (typeof globalThis.TextDecoder === "undefined") {
+    globalThis.TextDecoder = TextDecoder;
+}
+export { TextEncoder, TextDecoder };

package/dist/bridge/process.d.ts

@@ -0,0 +1,86 @@
+import type * as nodeProcess from "process";
+import { TextEncoder, TextDecoder } from "./polyfills.js";
+/**
+ * Process configuration injected by the host before the bridge bundle loads.
+ * Values default to sensible Linux/x64 stubs when unset.
+ */
+export interface ProcessConfig {
+    platform?: string;
+    arch?: string;
+    version?: string;
+    cwd?: string;
+    env?: Record<string, string>;
+    argv?: string[];
+    execPath?: string;
+    pid?: number;
+    ppid?: number;
+    uid?: number;
+    gid?: number;
+    stdin?: string;
+    timingMitigation?: "off" | "freeze";
+    frozenTimeMs?: number;
+}
+/**
+ * Thrown by `process.exit()` to unwind the sandbox call stack. The host
+ * catches this to extract the exit code without killing the isolate.
+ */
+export declare class ProcessExitError extends Error {
+    code: number;
+    constructor(code: number);
+}
+declare const _default: typeof nodeProcess;
+export default _default;
+/**
+ * Timer handle that mimics Node.js Timeout (ref/unref/Symbol.toPrimitive).
+ * Timers with delay > 0 use the host's `_scheduleTimer` bridge to sleep
+ * without blocking the isolate's event loop.
+ */
+declare class TimerHandle {
+    _id: number;
+    _destroyed: boolean;
+    constructor(id: number);
+    ref(): this;
+    unref(): this;
+    hasRef(): boolean;
+    refresh(): this;
+    [Symbol.toPrimitive](): number;
+}
+export declare function setTimeout(callback: (...args: unknown[]) => void, delay?: number, ...args: unknown[]): TimerHandle;
+export declare function clearTimeout(timer: TimerHandle | number | undefined): void;
+export declare function setInterval(callback: (...args: unknown[]) => void, delay?: number, ...args: unknown[]): TimerHandle;
+export declare function clearInterval(timer: TimerHandle | number | undefined): void;
+export declare function setImmediate(callback: (...args: unknown[]) => void, ...args: unknown[]): TimerHandle;
+export declare function clearImmediate(id: TimerHandle | number | undefined): void;
+export declare const URL: {
+    new (url: string | URL, base?: string | URL): URL;
+    prototype: URL;
+    canParse(url: string | URL, base?: string | URL): boolean;
+    createObjectURL(obj: Blob | MediaSource): string;
+    parse(url: string | URL, base?: string | URL): URL | null;
+    revokeObjectURL(url: string): void;
+};
+export declare const URLSearchParams: {
+    new (init?: string[][] | Record<string, string> | string | URLSearchParams): URLSearchParams;
+    prototype: URLSearchParams;
+};
+export { TextEncoder, TextDecoder };
+export declare const Buffer: BufferConstructor;
+/**
+ * Crypto polyfill that delegates to the host for entropy. `getRandomValues`
+ * calls the host's `_cryptoRandomFill` bridge to get cryptographically secure
+ * random bytes. Subtle crypto operations are unsupported.
+ */
+export declare const cryptoPolyfill: {
+    getRandomValues<T extends ArrayBufferView>(array: T): T;
+    randomUUID(): string;
+    subtle: {
+        digest(): Promise<ArrayBuffer>;
+        encrypt(): Promise<ArrayBuffer>;
+        decrypt(): Promise<ArrayBuffer>;
+    };
+};
+/**
+ * Install all process/timer/URL/Buffer/crypto polyfills onto `globalThis`.
+ * Called once during bridge initialization before user code runs.
+ */
+export declare function setupGlobals(): void;