@secure-exec/core 0.1.0-rc.4 → 0.1.1-rc.1

package/dist/isolate-runtime/bridge-initial-globals.js

@@ -21,12 +21,17 @@
     return createRuntimeGlobalExposer(true);
   }
 
+  // isolate-runtime/src/common/global-access.ts
+  function setGlobalValue(name, value) {
+    Reflect.set(globalThis, name, value);
+  }
+
   // isolate-runtime/src/inject/bridge-initial-globals.ts
   var __runtimeExposeMutableGlobal = getRuntimeExposeMutableGlobal();
   var __bridgeSetupConfig = globalThis.__runtimeBridgeSetupConfig ?? {};
   var __initialCwd = typeof __bridgeSetupConfig.initialCwd === "string" ? __bridgeSetupConfig.initialCwd : "/";
-  var __jsonPayloadLimitBytes = typeof __bridgeSetupConfig.jsonPayloadLimitBytes === "number" && Number.isFinite(__bridgeSetupConfig.jsonPayloadLimitBytes) ? Math.max(0, Math.floor(__bridgeSetupConfig.jsonPayloadLimitBytes)) : 4 * 1024 * 1024;
-  var __payloadLimitErrorCode = typeof __bridgeSetupConfig.payloadLimitErrorCode === "string" && __bridgeSetupConfig.payloadLimitErrorCode.length > 0 ? __bridgeSetupConfig.payloadLimitErrorCode : "ERR_SANDBOX_PAYLOAD_TOO_LARGE";
+  globalThis.__runtimeJsonPayloadLimitBytes = typeof __bridgeSetupConfig.jsonPayloadLimitBytes === "number" && Number.isFinite(__bridgeSetupConfig.jsonPayloadLimitBytes) ? Math.max(0, Math.floor(__bridgeSetupConfig.jsonPayloadLimitBytes)) : 4 * 1024 * 1024;
+  globalThis.__runtimePayloadLimitErrorCode = typeof __bridgeSetupConfig.payloadLimitErrorCode === "string" && __bridgeSetupConfig.payloadLimitErrorCode.length > 0 ? __bridgeSetupConfig.payloadLimitErrorCode : "ERR_SANDBOX_PAYLOAD_TOO_LARGE";
   function __scEncode(value, seen) {
     if (value === null) return null;
     if (value === void 0) return { t: "undef" };
@@ -224,9 +229,11 @@
         );
       },
       deserialize: function(buffer) {
-        if (buffer.length > __jsonPayloadLimitBytes) {
+        const limit = globalThis.__runtimeJsonPayloadLimitBytes ?? 4 * 1024 * 1024;
+        const errorCode = globalThis.__runtimePayloadLimitErrorCode ?? "ERR_SANDBOX_PAYLOAD_TOO_LARGE";
+        if (buffer.length > limit) {
           throw new Error(
-            __payloadLimitErrorCode + ": v8.deserialize exceeds " + String(__jsonPayloadLimitBytes) + " bytes"
+            errorCode + ": v8.deserialize exceeds " + String(limit) + " bytes"
           );
         }
         const text = buffer.toString();
@@ -243,4 +250,136 @@
   }
   __runtimeExposeMutableGlobal("_pendingModules", {});
   __runtimeExposeMutableGlobal("_currentModule", { dirname: __initialCwd });
+  globalThis.__runtimeApplyConfig = function(config) {
+    if (typeof config.payloadLimitBytes === "number" && Number.isFinite(config.payloadLimitBytes)) {
+      globalThis.__runtimeJsonPayloadLimitBytes = Math.max(
+        0,
+        Math.floor(config.payloadLimitBytes)
+      );
+    }
+    if (typeof config.payloadLimitErrorCode === "string" && config.payloadLimitErrorCode.length > 0) {
+      globalThis.__runtimePayloadLimitErrorCode = config.payloadLimitErrorCode;
+    }
+    if (config.timingMitigation === "freeze") {
+      const frozenTimeMs = typeof config.frozenTimeMs === "number" && Number.isFinite(config.frozenTimeMs) ? config.frozenTimeMs : Date.now();
+      const frozenDateNow = () => frozenTimeMs;
+      try {
+        Object.defineProperty(Date, "now", {
+          value: frozenDateNow,
+          configurable: false,
+          writable: false
+        });
+      } catch {
+        Date.now = frozenDateNow;
+      }
+      const OrigDate = Date;
+      const FrozenDate = function Date2(...args) {
+        if (new.target) {
+          if (args.length === 0) {
+            return new OrigDate(frozenTimeMs);
+          }
+          return new OrigDate(...args);
+        }
+        return OrigDate();
+      };
+      Object.defineProperty(FrozenDate, "prototype", {
+        value: OrigDate.prototype,
+        writable: false,
+        configurable: false
+      });
+      FrozenDate.now = frozenDateNow;
+      FrozenDate.parse = OrigDate.parse;
+      FrozenDate.UTC = OrigDate.UTC;
+      Object.defineProperty(FrozenDate, "now", {
+        value: frozenDateNow,
+        configurable: false,
+        writable: false
+      });
+      try {
+        Object.defineProperty(globalThis, "Date", {
+          value: FrozenDate,
+          configurable: false,
+          writable: false
+        });
+      } catch {
+        globalThis.Date = FrozenDate;
+      }
+      const frozenPerformanceNow = () => 0;
+      const origPerf = globalThis.performance;
+      const frozenPerf = /* @__PURE__ */ Object.create(null);
+      if (typeof origPerf !== "undefined" && origPerf !== null) {
+        const src = origPerf;
+        for (const key of Object.getOwnPropertyNames(
+          Object.getPrototypeOf(origPerf) ?? origPerf
+        )) {
+          if (key !== "now") {
+            try {
+              const val = src[key];
+              if (typeof val === "function") {
+                frozenPerf[key] = val.bind(origPerf);
+              } else {
+                frozenPerf[key] = val;
+              }
+            } catch {
+            }
+          }
+        }
+      }
+      Object.defineProperty(frozenPerf, "now", {
+        value: frozenPerformanceNow,
+        configurable: false,
+        writable: false
+      });
+      Object.freeze(frozenPerf);
+      try {
+        Object.defineProperty(globalThis, "performance", {
+          value: frozenPerf,
+          configurable: false,
+          writable: false
+        });
+      } catch {
+        globalThis.performance = frozenPerf;
+      }
+      const OrigSAB = globalThis.SharedArrayBuffer;
+      if (typeof OrigSAB === "function") {
+        try {
+          const proto = OrigSAB.prototype;
+          if (proto) {
+            for (const key of [
+              "byteLength",
+              "slice",
+              "grow",
+              "maxByteLength",
+              "growable"
+            ]) {
+              try {
+                Object.defineProperty(proto, key, {
+                  get() {
+                    throw new TypeError(
+                      "SharedArrayBuffer is not available in sandbox"
+                    );
+                  },
+                  configurable: false
+                });
+              } catch {
+              }
+            }
+          }
+        } catch {
+        }
+      }
+      try {
+        Object.defineProperty(globalThis, "SharedArrayBuffer", {
+          value: void 0,
+          configurable: false,
+          writable: false,
+          enumerable: false
+        });
+      } catch {
+        Reflect.deleteProperty(globalThis, "SharedArrayBuffer");
+        setGlobalValue("SharedArrayBuffer", void 0);
+      }
+    }
+    delete globalThis.__runtimeApplyConfig;
+  };
 })();

package/dist/isolate-runtime/require-setup.js

@@ -276,7 +276,7 @@
   };
   __requireExposeCustomGlobal("require", __require);
   function _resolveFrom(moduleName2, fromDir2) {
-    const resolved2 = _resolveModule.applySyncPromise(void 0, [moduleName2, fromDir2]);
+    const resolved2 = _resolveModule(moduleName2, fromDir2);
     if (resolved2 === null) {
       const err = new Error("Cannot find module '" + moduleName2 + "'");
       err.code = "MODULE_NOT_FOUND";
@@ -549,7 +549,7 @@
     if (_unsupportedCoreModules.has(name)) {
       throw new Error(name + " is not supported in sandbox");
     }
-    const polyfillCode = _loadPolyfill.applySyncPromise(void 0, [name]);
+    const polyfillCode = _loadPolyfill(name);
     if (polyfillCode !== null) {
       if (__internalModuleCache[name]) return __internalModuleCache[name];
       const moduleObj = { exports: {} };
@@ -576,7 +576,7 @@
       _debugRequire("pending-hit", name, cacheKey);
       return _pendingModules[cacheKey].exports;
     }
-    const source = _loadFile.applySyncPromise(void 0, [resolved]);
+    const source = _loadFile(resolved);
     if (source === null) {
       const err = new Error("Cannot find module '" + resolved + "'");
       err.code = "MODULE_NOT_FOUND";

package/dist/isolate-runtime/setup-dynamic-import.js

@@ -34,11 +34,7 @@
     const request = String(specifier);
     const referrer = typeof fromPath === "string" && fromPath.length > 0 ? fromPath : __fallbackReferrer;
     const allowRequireFallback = request.endsWith(".cjs") || request.endsWith(".json");
-    const namespace = await globalThis._dynamicImport.apply(
-      void 0,
-      [request, referrer],
-      { result: { promise: true } }
-    );
+    const namespace = await globalThis._dynamicImport(request, referrer);
     if (namespace !== null) {
       return namespace;
     }

package/dist/isolate-runtime/setup-fs-facade.js

@@ -23,26 +23,65 @@
 
   // isolate-runtime/src/inject/setup-fs-facade.ts
   var __runtimeExposeCustomGlobal = getRuntimeExposeCustomGlobal();
-  var __fsFacade = {
-    readFile: globalThis._fsReadFile,
-    writeFile: globalThis._fsWriteFile,
-    readFileBinary: globalThis._fsReadFileBinary,
-    writeFileBinary: globalThis._fsWriteFileBinary,
-    readDir: globalThis._fsReadDir,
-    mkdir: globalThis._fsMkdir,
-    rmdir: globalThis._fsRmdir,
-    exists: globalThis._fsExists,
-    stat: globalThis._fsStat,
-    unlink: globalThis._fsUnlink,
-    rename: globalThis._fsRename,
-    chmod: globalThis._fsChmod,
-    chown: globalThis._fsChown,
-    link: globalThis._fsLink,
-    symlink: globalThis._fsSymlink,
-    readlink: globalThis._fsReadlink,
-    lstat: globalThis._fsLstat,
-    truncate: globalThis._fsTruncate,
-    utimes: globalThis._fsUtimes
-  };
+  var __fsFacade = {};
+  Object.defineProperties(__fsFacade, {
+    readFile: { get() {
+      return globalThis._fsReadFile;
+    }, enumerable: true },
+    writeFile: { get() {
+      return globalThis._fsWriteFile;
+    }, enumerable: true },
+    readFileBinary: { get() {
+      return globalThis._fsReadFileBinary;
+    }, enumerable: true },
+    writeFileBinary: { get() {
+      return globalThis._fsWriteFileBinary;
+    }, enumerable: true },
+    readDir: { get() {
+      return globalThis._fsReadDir;
+    }, enumerable: true },
+    mkdir: { get() {
+      return globalThis._fsMkdir;
+    }, enumerable: true },
+    rmdir: { get() {
+      return globalThis._fsRmdir;
+    }, enumerable: true },
+    exists: { get() {
+      return globalThis._fsExists;
+    }, enumerable: true },
+    stat: { get() {
+      return globalThis._fsStat;
+    }, enumerable: true },
+    unlink: { get() {
+      return globalThis._fsUnlink;
+    }, enumerable: true },
+    rename: { get() {
+      return globalThis._fsRename;
+    }, enumerable: true },
+    chmod: { get() {
+      return globalThis._fsChmod;
+    }, enumerable: true },
+    chown: { get() {
+      return globalThis._fsChown;
+    }, enumerable: true },
+    link: { get() {
+      return globalThis._fsLink;
+    }, enumerable: true },
+    symlink: { get() {
+      return globalThis._fsSymlink;
+    }, enumerable: true },
+    readlink: { get() {
+      return globalThis._fsReadlink;
+    }, enumerable: true },
+    lstat: { get() {
+      return globalThis._fsLstat;
+    }, enumerable: true },
+    truncate: { get() {
+      return globalThis._fsTruncate;
+    }, enumerable: true },
+    utimes: { get() {
+      return globalThis._fsUtimes;
+    }, enumerable: true }
+  });
   __runtimeExposeCustomGlobal("_fs", __fsFacade);
 })();

package/dist/module-resolver.js

@@ -9,12 +9,58 @@
  *
  * Everything else falls through to node-stdlib-browser polyfills or node_modules.
  */
-import stdLibBrowser from "node-stdlib-browser";
+/**
+ * Static set of Node.js stdlib module names that have browser polyfills
+ * available via node-stdlib-browser. Hardcoded to avoid importing
+ * node-stdlib-browser at runtime (its ESM entry crashes on missing
+ * mock/empty.js in published builds).
+ */
+const STDLIB_BROWSER_MODULES = new Set([
+    "assert",
+    "buffer",
+    "child_process",
+    "cluster",
+    "console",
+    "constants",
+    "crypto",
+    "dgram",
+    "dns",
+    "domain",
+    "events",
+    "fs",
+    "http",
+    "https",
+    "http2",
+    "module",
+    "net",
+    "os",
+    "path",
+    "punycode",
+    "process",
+    "querystring",
+    "readline",
+    "repl",
+    "stream",
+    "_stream_duplex",
+    "_stream_passthrough",
+    "_stream_readable",
+    "_stream_transform",
+    "_stream_writable",
+    "string_decoder",
+    "sys",
+    "timers/promises",
+    "timers",
+    "tls",
+    "tty",
+    "url",
+    "util",
+    "vm",
+    "zlib",
+]);
 /** Check if a module has a polyfill available via node-stdlib-browser. */
 function hasPolyfill(moduleName) {
     const name = moduleName.replace(/^node:/, "");
-    const polyfill = stdLibBrowser[name];
-    return polyfill !== undefined && polyfill !== null;
+    return STDLIB_BROWSER_MODULES.has(name);
 }
 /** Modules with full bridge implementations injected into the isolate. */
 const BRIDGE_MODULES = [

package/dist/shared/api-types.d.ts

@@ -23,6 +23,12 @@ export interface ProcessConfig {
     timingMitigation?: TimingMitigation;
     /** Internal frozen clock source used when timing mitigation is enabled */
     frozenTimeMs?: number;
+    /** Whether stdin is a TTY (PTY slave attached) */
+    stdinIsTTY?: boolean;
+    /** Whether stdout is a TTY (PTY slave attached) */
+    stdoutIsTTY?: boolean;
+    /** Whether stderr is a TTY (PTY slave attached) */
+    stderrIsTTY?: boolean;
 }
 export interface OSConfig {
     platform?: string;

package/dist/shared/bridge-contract.d.ts

@@ -3,10 +3,11 @@
  * host (Node.js) and the isolate (sandbox V8 context).
  *
  * Two categories:
- * - Host bridge globals: set by the host before bridge code runs (fs refs, timers, etc.)
+ * - Host bridge globals: set by the host before bridge code runs (fs fns, timers, etc.)
  * - Runtime bridge globals: installed by the bridge bundle itself (active handles, modules, etc.)
  *
- * The typed `Ref` aliases describe the isolated-vm calling convention for each global.
+ * Each type alias is a plain function signature. The Rust V8 runtime registers
+ * these as real JS functions on the global; bridge code calls them directly.
  */
 export type ValueOf<T> = T[keyof T];
 /** Globals injected by the host before the bridge bundle executes. */
@@ -47,6 +48,7 @@ export declare const HOST_BRIDGE_GLOBAL_KEYS: {
     readonly networkHttpRequestRaw: "_networkHttpRequestRaw";
     readonly networkHttpServerListenRaw: "_networkHttpServerListenRaw";
     readonly networkHttpServerCloseRaw: "_networkHttpServerCloseRaw";
+    readonly ptySetRawMode: "_ptySetRawMode";
     readonly processConfig: "_processConfig";
     readonly osConfig: "_osConfig";
     readonly log: "_log";
@@ -112,6 +114,7 @@ export declare const HOST_BRIDGE_GLOBAL_KEY_LIST: ValueOf<{
     readonly networkHttpRequestRaw: "_networkHttpRequestRaw";
     readonly networkHttpServerListenRaw: "_networkHttpServerListenRaw";
     readonly networkHttpServerCloseRaw: "_networkHttpServerCloseRaw";
+    readonly ptySetRawMode: "_ptySetRawMode";
     readonly processConfig: "_processConfig";
     readonly osConfig: "_osConfig";
     readonly log: "_log";
@@ -173,6 +176,7 @@ export declare const BRIDGE_GLOBAL_KEY_LIST: readonly (ValueOf<{
     readonly networkHttpRequestRaw: "_networkHttpRequestRaw";
     readonly networkHttpServerListenRaw: "_networkHttpServerListenRaw";
     readonly networkHttpServerCloseRaw: "_networkHttpServerCloseRaw";
+    readonly ptySetRawMode: "_ptySetRawMode";
     readonly processConfig: "_processConfig";
     readonly osConfig: "_osConfig";
     readonly log: "_log";
@@ -196,65 +200,52 @@ export declare const BRIDGE_GLOBAL_KEY_LIST: readonly (ValueOf<{
     readonly moduleCache: "_moduleCache";
     readonly processExitError: "ProcessExitError";
 }>)[];
-/** An isolated-vm Reference that resolves async via `{ result: { promise: true } }`. */
-export interface BridgeApplyRef<TArgs extends unknown[], TResult> {
-    apply(ctx: undefined, args: TArgs, options: {
-        result: {
-            promise: true;
-        };
-    }): Promise<TResult>;
-}
-/** An isolated-vm Reference called synchronously (blocks the isolate). */
-export interface BridgeApplySyncRef<TArgs extends unknown[], TResult> {
-    applySync(ctx: undefined, args: TArgs): TResult;
-}
-/**
- * An isolated-vm Reference that blocks the isolate while the host resolves
- * a Promise. Used for sync-looking APIs (require, readFileSync) that need
- * async host operations.
- */
-export interface BridgeApplySyncPromiseRef<TArgs extends unknown[], TResult> {
-    applySyncPromise(ctx: undefined, args: TArgs): TResult;
-}
-export type DynamicImportBridgeRef = BridgeApplyRef<[
-    string,
-    string
-], Record<string, unknown> | null>;
-export type LoadPolyfillBridgeRef = BridgeApplyRef<[string], string | null>;
-export type ResolveModuleBridgeRef = BridgeApplySyncPromiseRef<[
-    string,
-    string
-], string | null>;
-export type LoadFileBridgeRef = BridgeApplySyncPromiseRef<[string], string | null>;
+export type DynamicImportBridgeRef = (specifier: string, fromPath: string) => Promise<Record<string, unknown> | null>;
+export type LoadPolyfillBridgeRef = (moduleName: string) => string | null;
+export type ResolveModuleBridgeRef = (request: string, fromDir: string) => string | null;
+export type LoadFileBridgeRef = (path: string) => string | null;
 export type RequireFromBridgeFn = (request: string, dirname: string) => unknown;
 export type ModuleCacheBridgeRecord = Record<string, unknown>;
-export type ProcessLogBridgeRef = BridgeApplySyncRef<[string], void>;
-export type ProcessErrorBridgeRef = BridgeApplySyncRef<[string], void>;
-export type ScheduleTimerBridgeRef = BridgeApplyRef<[number], void>;
-export type CryptoRandomFillBridgeRef = BridgeApplySyncRef<[number], string>;
-export type CryptoRandomUuidBridgeRef = BridgeApplySyncRef<[], string>;
-export type FsReadFileBridgeRef = BridgeApplySyncPromiseRef<[string], string>;
-export type FsWriteFileBridgeRef = BridgeApplySyncPromiseRef<[string, string], void>;
-export type FsReadFileBinaryBridgeRef = BridgeApplySyncPromiseRef<[string], string>;
-export type FsWriteFileBinaryBridgeRef = BridgeApplySyncPromiseRef<[
-    string,
-    string
-], void>;
-export type FsReadDirBridgeRef = BridgeApplySyncPromiseRef<[string], string>;
-export type FsMkdirBridgeRef = BridgeApplySyncPromiseRef<[string, boolean], void>;
-export type FsRmdirBridgeRef = BridgeApplySyncPromiseRef<[string], void>;
-export type FsExistsBridgeRef = BridgeApplySyncPromiseRef<[string], boolean>;
-export type FsStatBridgeRef = BridgeApplySyncPromiseRef<[string], string>;
-export type FsUnlinkBridgeRef = BridgeApplySyncPromiseRef<[string], void>;
-export type FsRenameBridgeRef = BridgeApplySyncPromiseRef<[string, string], void>;
-export type FsChmodBridgeRef = BridgeApplySyncPromiseRef<[string, number], void>;
-export type FsChownBridgeRef = BridgeApplySyncPromiseRef<[string, number, number], void>;
-export type FsLinkBridgeRef = BridgeApplySyncPromiseRef<[string, string], void>;
-export type FsSymlinkBridgeRef = BridgeApplySyncPromiseRef<[string, string], void>;
-export type FsReadlinkBridgeRef = BridgeApplySyncPromiseRef<[string], string>;
-export type FsLstatBridgeRef = BridgeApplySyncPromiseRef<[string], string>;
-export type FsTruncateBridgeRef = BridgeApplySyncPromiseRef<[string, number], void>;
-export type FsUtimesBridgeRef = BridgeApplySyncPromiseRef<[string, number, number], void>;
+export type ProcessLogBridgeRef = (msg: string) => void;
+export type ProcessErrorBridgeRef = (msg: string) => void;
+export type ScheduleTimerBridgeRef = (delayMs: number) => Promise<void>;
+export type CryptoRandomFillBridgeRef = (byteLength: number) => Uint8Array;
+export type CryptoRandomUuidBridgeRef = () => string;
+export type FsReadFileBridgeRef = (path: string) => string;
+export type FsWriteFileBridgeRef = (path: string, content: string) => void;
+export type FsReadFileBinaryBridgeRef = (path: string) => Uint8Array;
+export type FsWriteFileBinaryBridgeRef = (path: string, content: Uint8Array) => void;
+export type FsReadDirEntry = {
+    name: string;
+    isDirectory: boolean;
+};
+export type FsReadDirBridgeRef = (path: string) => FsReadDirEntry[];
+export type FsMkdirBridgeRef = (path: string, recursive: boolean) => void;
+export type FsRmdirBridgeRef = (path: string) => void;
+export type FsExistsBridgeRef = (path: string) => boolean;
+export type FsStatResult = {
+    mode: number;
+    size: number;
+    isDirectory: boolean;
+    atimeMs: number;
+    mtimeMs: number;
+    ctimeMs: number;
+    birthtimeMs: number;
+};
+export type FsStatBridgeRef = (path: string) => FsStatResult;
+export type FsUnlinkBridgeRef = (path: string) => void;
+export type FsRenameBridgeRef = (oldPath: string, newPath: string) => void;
+export type FsChmodBridgeRef = (path: string, mode: number) => void;
+export type FsChownBridgeRef = (path: string, uid: number, gid: number) => void;
+export type FsLinkBridgeRef = (existingPath: string, newPath: string) => void;
+export type FsSymlinkBridgeRef = (target: string, path: string) => void;
+export type FsReadlinkBridgeRef = (path: string) => string;
+export type FsLstatResult = FsStatResult & {
+    isSymbolicLink: boolean;
+};
+export type FsLstatBridgeRef = (path: string) => FsLstatResult;
+export type FsTruncateBridgeRef = (path: string, length: number) => void;
+export type FsUtimesBridgeRef = (path: string, atime: number, mtime: number) => void;
 /** Combined filesystem bridge facade installed as `globalThis._fs` in the isolate. */
 export interface FsFacadeBridge {
     readFile: FsReadFileBridgeRef;
@@ -277,26 +268,52 @@ export interface FsFacadeBridge {
     truncate: FsTruncateBridgeRef;
     utimes: FsUtimesBridgeRef;
 }
-export type ChildProcessSpawnStartBridgeRef = BridgeApplySyncRef<[
-    string,
-    string,
-    string
-], number>;
-export type ChildProcessStdinWriteBridgeRef = BridgeApplySyncRef<[
-    number,
-    Uint8Array
-], void>;
-export type ChildProcessStdinCloseBridgeRef = BridgeApplySyncRef<[number], void>;
-export type ChildProcessKillBridgeRef = BridgeApplySyncRef<[number, number], void>;
-export type ChildProcessSpawnSyncBridgeRef = BridgeApplySyncPromiseRef<[
-    string,
-    string,
-    string
-], string>;
-export type NetworkFetchRawBridgeRef = BridgeApplyRef<[string, string], string>;
-export type NetworkDnsLookupRawBridgeRef = BridgeApplyRef<[string], string>;
-export type NetworkHttpRequestRawBridgeRef = BridgeApplyRef<[string, string], string>;
-export type NetworkHttpServerListenRawBridgeRef = BridgeApplyRef<[string], string>;
-export type NetworkHttpServerCloseRawBridgeRef = BridgeApplyRef<[number], void>;
+export type ChildProcessSpawnStartBridgeRef = (command: string, argsJson: string, optionsJson: string) => number;
+export type ChildProcessStdinWriteBridgeRef = (sessionId: number, data: Uint8Array) => void;
+export type ChildProcessStdinCloseBridgeRef = (sessionId: number) => void;
+export type ChildProcessKillBridgeRef = (sessionId: number, signal: number) => void;
+export type SpawnSyncBridgeResult = {
+    stdout: string;
+    stderr: string;
+    code: number;
+    maxBufferExceeded?: boolean;
+};
+export type ChildProcessSpawnSyncBridgeRef = (command: string, argsJson: string, optionsJson: string) => SpawnSyncBridgeResult;
+export type NetworkFetchResult = {
+    ok: boolean;
+    status: number;
+    statusText: string;
+    headers?: Record<string, string>;
+    url?: string;
+    redirected?: boolean;
+    body?: string;
+};
+export type NetworkFetchRawBridgeRef = (url: string, optionsJson: string) => Promise<NetworkFetchResult>;
+export type NetworkDnsLookupResult = {
+    error?: string;
+    code?: string;
+    address?: string;
+    family?: number;
+};
+export type NetworkDnsLookupRawBridgeRef = (hostname: string) => Promise<NetworkDnsLookupResult>;
+export type NetworkHttpRequestResult = {
+    headers?: Record<string, string>;
+    url?: string;
+    status?: number;
+    statusText?: string;
+    body?: string;
+    trailers?: Record<string, string>;
+};
+export type NetworkHttpRequestRawBridgeRef = (url: string, optionsJson: string) => Promise<NetworkHttpRequestResult>;
+export type NetworkHttpServerListenResult = {
+    address: {
+        address: string;
+        family: string;
+        port: number;
+    } | null;
+};
+export type NetworkHttpServerListenRawBridgeRef = (optionsJson: string) => Promise<NetworkHttpServerListenResult>;
+export type NetworkHttpServerCloseRawBridgeRef = (serverId: number) => Promise<void>;
+export type PtySetRawModeBridgeRef = (mode: boolean) => void;
 export type RegisterHandleBridgeFn = (id: string, description: string) => void;
 export type UnregisterHandleBridgeFn = (id: string) => void;

package/dist/shared/bridge-contract.js

@@ -3,10 +3,11 @@
  * host (Node.js) and the isolate (sandbox V8 context).
  *
  * Two categories:
- * - Host bridge globals: set by the host before bridge code runs (fs refs, timers, etc.)
+ * - Host bridge globals: set by the host before bridge code runs (fs fns, timers, etc.)
  * - Runtime bridge globals: installed by the bridge bundle itself (active handles, modules, etc.)
  *
- * The typed `Ref` aliases describe the isolated-vm calling convention for each global.
+ * Each type alias is a plain function signature. The Rust V8 runtime registers
+ * these as real JS functions on the global; bridge code calls them directly.
  */
 function valuesOf(object) {
     return Object.values(object);
@@ -49,6 +50,7 @@ export const HOST_BRIDGE_GLOBAL_KEYS = {
     networkHttpRequestRaw: "_networkHttpRequestRaw",
     networkHttpServerListenRaw: "_networkHttpServerListenRaw",
     networkHttpServerCloseRaw: "_networkHttpServerCloseRaw",
+    ptySetRawMode: "_ptySetRawMode",
     processConfig: "_processConfig",
     osConfig: "_osConfig",
     log: "_log",

package/dist/shared/console-formatter.js

@@ -148,10 +148,10 @@ export function getConsoleSetupCode(budget = DEFAULT_CONSOLE_SERIALIZATION_BUDGE
       const formatConsoleArgs = ${formatConsoleArgs.toString()};
 
       globalThis.console = {
-        log: (...args) => _log.applySync(undefined, [formatConsoleArgs(args, __consoleBudget)]),
-        error: (...args) => _error.applySync(undefined, [formatConsoleArgs(args, __consoleBudget)]),
-        warn: (...args) => _error.applySync(undefined, [formatConsoleArgs(args, __consoleBudget)]),
-        info: (...args) => _log.applySync(undefined, [formatConsoleArgs(args, __consoleBudget)]),
+        log: (...args) => _log(formatConsoleArgs(args, __consoleBudget)),
+        error: (...args) => _error(formatConsoleArgs(args, __consoleBudget)),
+        warn: (...args) => _error(formatConsoleArgs(args, __consoleBudget)),
+        info: (...args) => _log(formatConsoleArgs(args, __consoleBudget)),
       };
     `;
 }

package/dist/shared/global-exposure.js

@@ -275,6 +275,11 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
         classification: "hardened",
         rationale: "Host network bridge reference.",
     },
+    {
+        name: "_ptySetRawMode",
+        classification: "hardened",
+        rationale: "Host PTY bridge reference for stdin.setRawMode().",
+    },
     {
         name: "require",
         classification: "hardened",

package/dist/types.d.ts

@@ -162,6 +162,7 @@ export interface NetworkAdapter {
         method?: string;
         headers?: Record<string, string>;
         body?: string | null;
+        rejectUnauthorized?: boolean;
     }): Promise<{
         status: number;
         statusText: string;