@secure-exec/core 0.1.1-rc.2 → 0.2.0-rc.1

package/dist/shared/bridge-contract.js

@@ -1,13 +1,16 @@
 /**
+ * @deprecated Canonical source moved to @secure-exec/nodejs (US-002).
+ * This copy is retained for backward compatibility during phased migration.
+ * Will be removed in US-005 when kernel merges into core.
+ *
  * Bridge contract: typed declarations for the globals shared between the
  * host (Node.js) and the isolate (sandbox V8 context).
  *
  * Two categories:
- * - Host bridge globals: set by the host before bridge code runs (fs fns, timers, etc.)
+ * - Host bridge globals: set by the host before bridge code runs (fs refs, timers, etc.)
  * - Runtime bridge globals: installed by the bridge bundle itself (active handles, modules, etc.)
  *
- * Each type alias is a plain function signature. The Rust V8 runtime registers
- * these as real JS functions on the global; bridge code calls them directly.
+ * The typed `Ref` aliases describe the bridge calling convention for each global.
  */
 function valuesOf(object) {
     return Object.values(object);
@@ -21,6 +24,27 @@ export const HOST_BRIDGE_GLOBAL_KEYS = {
     scheduleTimer: "_scheduleTimer",
     cryptoRandomFill: "_cryptoRandomFill",
     cryptoRandomUuid: "_cryptoRandomUUID",
+    cryptoHashDigest: "_cryptoHashDigest",
+    cryptoHmacDigest: "_cryptoHmacDigest",
+    cryptoPbkdf2: "_cryptoPbkdf2",
+    cryptoScrypt: "_cryptoScrypt",
+    cryptoCipheriv: "_cryptoCipheriv",
+    cryptoDecipheriv: "_cryptoDecipheriv",
+    cryptoCipherivCreate: "_cryptoCipherivCreate",
+    cryptoCipherivUpdate: "_cryptoCipherivUpdate",
+    cryptoCipherivFinal: "_cryptoCipherivFinal",
+    cryptoSign: "_cryptoSign",
+    cryptoVerify: "_cryptoVerify",
+    cryptoAsymmetricOp: "_cryptoAsymmetricOp",
+    cryptoCreateKeyObject: "_cryptoCreateKeyObject",
+    cryptoGenerateKeyPairSync: "_cryptoGenerateKeyPairSync",
+    cryptoGenerateKeySync: "_cryptoGenerateKeySync",
+    cryptoGeneratePrimeSync: "_cryptoGeneratePrimeSync",
+    cryptoDiffieHellman: "_cryptoDiffieHellman",
+    cryptoDiffieHellmanGroup: "_cryptoDiffieHellmanGroup",
+    cryptoDiffieHellmanSessionCreate: "_cryptoDiffieHellmanSessionCreate",
+    cryptoDiffieHellmanSessionCall: "_cryptoDiffieHellmanSessionCall",
+    cryptoSubtle: "_cryptoSubtle",
     fsReadFile: "_fsReadFile",
     fsWriteFile: "_fsWriteFile",
     fsReadFileBinary: "_fsReadFileBinary",
@@ -50,6 +74,57 @@ export const HOST_BRIDGE_GLOBAL_KEYS = {
     networkHttpRequestRaw: "_networkHttpRequestRaw",
     networkHttpServerListenRaw: "_networkHttpServerListenRaw",
     networkHttpServerCloseRaw: "_networkHttpServerCloseRaw",
+    networkHttpServerRespondRaw: "_networkHttpServerRespondRaw",
+    networkHttpServerWaitRaw: "_networkHttpServerWaitRaw",
+    networkHttp2ServerListenRaw: "_networkHttp2ServerListenRaw",
+    networkHttp2ServerCloseRaw: "_networkHttp2ServerCloseRaw",
+    networkHttp2ServerWaitRaw: "_networkHttp2ServerWaitRaw",
+    networkHttp2SessionConnectRaw: "_networkHttp2SessionConnectRaw",
+    networkHttp2SessionRequestRaw: "_networkHttp2SessionRequestRaw",
+    networkHttp2SessionSettingsRaw: "_networkHttp2SessionSettingsRaw",
+    networkHttp2SessionSetLocalWindowSizeRaw: "_networkHttp2SessionSetLocalWindowSizeRaw",
+    networkHttp2SessionGoawayRaw: "_networkHttp2SessionGoawayRaw",
+    networkHttp2SessionCloseRaw: "_networkHttp2SessionCloseRaw",
+    networkHttp2SessionDestroyRaw: "_networkHttp2SessionDestroyRaw",
+    networkHttp2SessionWaitRaw: "_networkHttp2SessionWaitRaw",
+    networkHttp2ServerPollRaw: "_networkHttp2ServerPollRaw",
+    networkHttp2SessionPollRaw: "_networkHttp2SessionPollRaw",
+    networkHttp2StreamRespondRaw: "_networkHttp2StreamRespondRaw",
+    networkHttp2StreamPushStreamRaw: "_networkHttp2StreamPushStreamRaw",
+    networkHttp2StreamWriteRaw: "_networkHttp2StreamWriteRaw",
+    networkHttp2StreamEndRaw: "_networkHttp2StreamEndRaw",
+    networkHttp2StreamPauseRaw: "_networkHttp2StreamPauseRaw",
+    networkHttp2StreamResumeRaw: "_networkHttp2StreamResumeRaw",
+    networkHttp2StreamRespondWithFileRaw: "_networkHttp2StreamRespondWithFileRaw",
+    networkHttp2ServerRespondRaw: "_networkHttp2ServerRespondRaw",
+    upgradeSocketWriteRaw: "_upgradeSocketWriteRaw",
+    upgradeSocketEndRaw: "_upgradeSocketEndRaw",
+    upgradeSocketDestroyRaw: "_upgradeSocketDestroyRaw",
+    netSocketConnectRaw: "_netSocketConnectRaw",
+    netSocketWaitConnectRaw: "_netSocketWaitConnectRaw",
+    netSocketReadRaw: "_netSocketReadRaw",
+    netSocketSetNoDelayRaw: "_netSocketSetNoDelayRaw",
+    netSocketSetKeepAliveRaw: "_netSocketSetKeepAliveRaw",
+    netSocketWriteRaw: "_netSocketWriteRaw",
+    netSocketEndRaw: "_netSocketEndRaw",
+    netSocketDestroyRaw: "_netSocketDestroyRaw",
+    netSocketUpgradeTlsRaw: "_netSocketUpgradeTlsRaw",
+    netSocketGetTlsClientHelloRaw: "_netSocketGetTlsClientHelloRaw",
+    netSocketTlsQueryRaw: "_netSocketTlsQueryRaw",
+    tlsGetCiphersRaw: "_tlsGetCiphersRaw",
+    netServerListenRaw: "_netServerListenRaw",
+    netServerAcceptRaw: "_netServerAcceptRaw",
+    netServerCloseRaw: "_netServerCloseRaw",
+    dgramSocketCreateRaw: "_dgramSocketCreateRaw",
+    dgramSocketBindRaw: "_dgramSocketBindRaw",
+    dgramSocketRecvRaw: "_dgramSocketRecvRaw",
+    dgramSocketSendRaw: "_dgramSocketSendRaw",
+    dgramSocketCloseRaw: "_dgramSocketCloseRaw",
+    dgramSocketAddressRaw: "_dgramSocketAddressRaw",
+    dgramSocketSetBufferSizeRaw: "_dgramSocketSetBufferSizeRaw",
+    dgramSocketGetBufferSizeRaw: "_dgramSocketGetBufferSizeRaw",
+    resolveModuleSync: "_resolveModuleSync",
+    loadFileSync: "_loadFileSync",
     ptySetRawMode: "_ptySetRawMode",
     processConfig: "_processConfig",
     osConfig: "_osConfig",
@@ -70,7 +145,15 @@ export const RUNTIME_BRIDGE_GLOBAL_KEYS = {
     httpsModule: "_httpsModule",
     http2Module: "_http2Module",
     dnsModule: "_dnsModule",
+    dgramModule: "_dgramModule",
     httpServerDispatch: "_httpServerDispatch",
+    httpServerUpgradeDispatch: "_httpServerUpgradeDispatch",
+    httpServerConnectDispatch: "_httpServerConnectDispatch",
+    http2Dispatch: "_http2Dispatch",
+    timerDispatch: "_timerDispatch",
+    upgradeSocketData: "_upgradeSocketData",
+    upgradeSocketEnd: "_upgradeSocketEnd",
+    netSocketDispatch: "_netSocketDispatch",
     fsFacade: "_fs",
     requireFrom: "_requireFrom",
     moduleCache: "_moduleCache",

package/dist/shared/console-formatter.js

@@ -152,6 +152,10 @@ export function getConsoleSetupCode(budget = DEFAULT_CONSOLE_SERIALIZATION_BUDGE
         error: (...args) => _error(formatConsoleArgs(args, __consoleBudget)),
         warn: (...args) => _error(formatConsoleArgs(args, __consoleBudget)),
         info: (...args) => _log(formatConsoleArgs(args, __consoleBudget)),
+        debug: (...args) => _log(formatConsoleArgs(args, __consoleBudget)),
+        trace: (...args) => _error(formatConsoleArgs(args, __consoleBudget)),
+        dir: (...args) => _log(formatConsoleArgs(args, __consoleBudget)),
+        table: (...args) => _log(formatConsoleArgs(args, __consoleBudget)),
       };
     `;
 }

package/dist/shared/global-exposure.js

@@ -75,11 +75,61 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
         classification: "hardened",
         rationale: "Bridge-owned dns module handle for require resolution.",
     },
+    {
+        name: "_dgramModule",
+        classification: "hardened",
+        rationale: "Bridge-owned dgram module handle for require resolution.",
+    },
+    {
+        name: "_netModule",
+        classification: "hardened",
+        rationale: "Bridge-owned net module handle for require resolution.",
+    },
+    {
+        name: "_tlsModule",
+        classification: "hardened",
+        rationale: "Bridge-owned tls module handle for require resolution.",
+    },
+    {
+        name: "_netSocketDispatch",
+        classification: "hardened",
+        rationale: "Host-to-sandbox net socket event dispatch entrypoint.",
+    },
     {
         name: "_httpServerDispatch",
         classification: "hardened",
         rationale: "Host-to-sandbox HTTP server dispatch entrypoint.",
     },
+    {
+        name: "_httpServerUpgradeDispatch",
+        classification: "hardened",
+        rationale: "Host-to-sandbox HTTP upgrade dispatch entrypoint.",
+    },
+    {
+        name: "_httpServerConnectDispatch",
+        classification: "hardened",
+        rationale: "Host-to-sandbox HTTP CONNECT dispatch entrypoint.",
+    },
+    {
+        name: "_http2Dispatch",
+        classification: "hardened",
+        rationale: "Host-to-sandbox HTTP/2 event dispatch entrypoint.",
+    },
+    {
+        name: "_timerDispatch",
+        classification: "hardened",
+        rationale: "Host-to-sandbox timer callback dispatch entrypoint.",
+    },
+    {
+        name: "_upgradeSocketData",
+        classification: "hardened",
+        rationale: "Host-to-sandbox HTTP upgrade socket data dispatch entrypoint.",
+    },
+    {
+        name: "_upgradeSocketEnd",
+        classification: "hardened",
+        rationale: "Host-to-sandbox HTTP upgrade socket close dispatch entrypoint.",
+    },
     {
         name: "ProcessExitError",
         classification: "hardened",
@@ -110,6 +160,16 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
         classification: "hardened",
         rationale: "Host file-loading bridge reference.",
     },
+    {
+        name: "_resolveModuleSync",
+        classification: "hardened",
+        rationale: "Host synchronous module-resolution bridge reference.",
+    },
+    {
+        name: "_loadFileSync",
+        classification: "hardened",
+        rationale: "Host synchronous file-loading bridge reference.",
+    },
     {
         name: "_scheduleTimer",
         classification: "hardened",
@@ -125,6 +185,111 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
         classification: "hardened",
         rationale: "Host entropy bridge reference for crypto.randomUUID.",
     },
+    {
+        name: "_cryptoHashDigest",
+        classification: "hardened",
+        rationale: "Host crypto digest bridge reference.",
+    },
+    {
+        name: "_cryptoHmacDigest",
+        classification: "hardened",
+        rationale: "Host crypto HMAC bridge reference.",
+    },
+    {
+        name: "_cryptoPbkdf2",
+        classification: "hardened",
+        rationale: "Host crypto PBKDF2 bridge reference.",
+    },
+    {
+        name: "_cryptoScrypt",
+        classification: "hardened",
+        rationale: "Host crypto scrypt bridge reference.",
+    },
+    {
+        name: "_cryptoCipheriv",
+        classification: "hardened",
+        rationale: "Host crypto cipher bridge reference.",
+    },
+    {
+        name: "_cryptoDecipheriv",
+        classification: "hardened",
+        rationale: "Host crypto decipher bridge reference.",
+    },
+    {
+        name: "_cryptoCipherivCreate",
+        classification: "hardened",
+        rationale: "Host streaming cipher bridge reference.",
+    },
+    {
+        name: "_cryptoCipherivUpdate",
+        classification: "hardened",
+        rationale: "Host streaming cipher update bridge reference.",
+    },
+    {
+        name: "_cryptoCipherivFinal",
+        classification: "hardened",
+        rationale: "Host streaming cipher finalization bridge reference.",
+    },
+    {
+        name: "_cryptoSign",
+        classification: "hardened",
+        rationale: "Host crypto sign bridge reference.",
+    },
+    {
+        name: "_cryptoVerify",
+        classification: "hardened",
+        rationale: "Host crypto verify bridge reference.",
+    },
+    {
+        name: "_cryptoAsymmetricOp",
+        classification: "hardened",
+        rationale: "Host asymmetric crypto operation bridge reference.",
+    },
+    {
+        name: "_cryptoCreateKeyObject",
+        classification: "hardened",
+        rationale: "Host asymmetric key import bridge reference.",
+    },
+    {
+        name: "_cryptoGenerateKeyPairSync",
+        classification: "hardened",
+        rationale: "Host crypto key-pair generation bridge reference.",
+    },
+    {
+        name: "_cryptoGenerateKeySync",
+        classification: "hardened",
+        rationale: "Host symmetric crypto key generation bridge reference.",
+    },
+    {
+        name: "_cryptoGeneratePrimeSync",
+        classification: "hardened",
+        rationale: "Host prime generation bridge reference.",
+    },
+    {
+        name: "_cryptoDiffieHellman",
+        classification: "hardened",
+        rationale: "Host stateless Diffie-Hellman bridge reference.",
+    },
+    {
+        name: "_cryptoDiffieHellmanGroup",
+        classification: "hardened",
+        rationale: "Host Diffie-Hellman group bridge reference.",
+    },
+    {
+        name: "_cryptoDiffieHellmanSessionCreate",
+        classification: "hardened",
+        rationale: "Host Diffie-Hellman/ECDH session creation bridge reference.",
+    },
+    {
+        name: "_cryptoDiffieHellmanSessionCall",
+        classification: "hardened",
+        rationale: "Host Diffie-Hellman/ECDH session method bridge reference.",
+    },
+    {
+        name: "_cryptoSubtle",
+        classification: "hardened",
+        rationale: "Host WebCrypto subtle bridge reference.",
+    },
     {
         name: "_fsReadFile",
         classification: "hardened",
@@ -275,6 +440,181 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
         classification: "hardened",
         rationale: "Host network bridge reference.",
     },
+    {
+        name: "_networkHttpServerRespondRaw",
+        classification: "hardened",
+        rationale: "Host network bridge reference for sandbox HTTP server responses.",
+    },
+    {
+        name: "_networkHttpServerWaitRaw",
+        classification: "hardened",
+        rationale: "Host network bridge reference for sandbox HTTP server lifetime tracking.",
+    },
+    {
+        name: "_networkHttp2ServerListenRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 server listen bridge reference.",
+    },
+    {
+        name: "_networkHttp2ServerCloseRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 server close bridge reference.",
+    },
+    {
+        name: "_networkHttp2ServerWaitRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 server lifetime bridge reference.",
+    },
+    {
+        name: "_networkHttp2SessionConnectRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 session connect bridge reference.",
+    },
+    {
+        name: "_networkHttp2SessionRequestRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 session request bridge reference.",
+    },
+    {
+        name: "_networkHttp2SessionSettingsRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 session settings bridge reference.",
+    },
+    {
+        name: "_networkHttp2SessionGoawayRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 session GOAWAY bridge reference.",
+    },
+    {
+        name: "_networkHttp2SessionCloseRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 session close bridge reference.",
+    },
+    {
+        name: "_networkHttp2SessionDestroyRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 session destroy bridge reference.",
+    },
+    {
+        name: "_networkHttp2SessionWaitRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 session lifetime bridge reference.",
+    },
+    {
+        name: "_networkHttp2StreamRespondRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 stream respond bridge reference.",
+    },
+    {
+        name: "_networkHttp2StreamPushStreamRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 push stream bridge reference.",
+    },
+    {
+        name: "_networkHttp2StreamWriteRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 stream write bridge reference.",
+    },
+    {
+        name: "_networkHttp2StreamEndRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 stream end bridge reference.",
+    },
+    {
+        name: "_upgradeSocketWriteRaw",
+        classification: "hardened",
+        rationale: "Host HTTP upgrade socket write bridge reference.",
+    },
+    {
+        name: "_upgradeSocketEndRaw",
+        classification: "hardened",
+        rationale: "Host HTTP upgrade socket half-close bridge reference.",
+    },
+    {
+        name: "_upgradeSocketDestroyRaw",
+        classification: "hardened",
+        rationale: "Host HTTP upgrade socket destroy bridge reference.",
+    },
+    {
+        name: "_netSocketConnectRaw",
+        classification: "hardened",
+        rationale: "Host net socket connect bridge reference.",
+    },
+    {
+        name: "_netSocketWaitConnectRaw",
+        classification: "hardened",
+        rationale: "Host net socket connect-wait bridge reference.",
+    },
+    {
+        name: "_netSocketReadRaw",
+        classification: "hardened",
+        rationale: "Host net socket read bridge reference.",
+    },
+    {
+        name: "_netSocketSetNoDelayRaw",
+        classification: "hardened",
+        rationale: "Host net socket no-delay bridge reference.",
+    },
+    {
+        name: "_netSocketSetKeepAliveRaw",
+        classification: "hardened",
+        rationale: "Host net socket keepalive bridge reference.",
+    },
+    {
+        name: "_netSocketWriteRaw",
+        classification: "hardened",
+        rationale: "Host net socket write bridge reference.",
+    },
+    {
+        name: "_netSocketEndRaw",
+        classification: "hardened",
+        rationale: "Host net socket end bridge reference.",
+    },
+    {
+        name: "_netSocketDestroyRaw",
+        classification: "hardened",
+        rationale: "Host net socket destroy bridge reference.",
+    },
+    {
+        name: "_netSocketUpgradeTlsRaw",
+        classification: "hardened",
+        rationale: "Host net socket TLS-upgrade bridge reference.",
+    },
+    {
+        name: "_netSocketGetTlsClientHelloRaw",
+        classification: "hardened",
+        rationale: "Host loopback TLS client-hello bridge reference.",
+    },
+    {
+        name: "_netSocketTlsQueryRaw",
+        classification: "hardened",
+        rationale: "Host TLS socket query bridge reference.",
+    },
+    {
+        name: "_tlsGetCiphersRaw",
+        classification: "hardened",
+        rationale: "Host TLS cipher-list bridge reference.",
+    },
+    {
+        name: "_netServerListenRaw",
+        classification: "hardened",
+        rationale: "Host net server listen bridge reference.",
+    },
+    {
+        name: "_netServerAcceptRaw",
+        classification: "hardened",
+        rationale: "Host net server accept bridge reference.",
+    },
+    {
+        name: "_netServerCloseRaw",
+        classification: "hardened",
+        rationale: "Host net server close bridge reference.",
+    },
+    {
+        name: "_batchResolveModules",
+        classification: "hardened",
+        rationale: "Host bridge for batched module resolution to reduce IPC round-trips.",
+    },
     {
         name: "_ptySetRawMode",
         classification: "hardened",
@@ -380,6 +720,11 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
         classification: "hardened",
         rationale: "Blob API global stub — must not be replaceable by sandbox code.",
     },
+    {
+        name: "FormData",
+        classification: "hardened",
+        rationale: "FormData API global stub — must not be replaceable by sandbox code.",
+    },
 ];
 export const HARDENED_NODE_CUSTOM_GLOBALS = NODE_CUSTOM_GLOBAL_INVENTORY
     .filter((entry) => entry.classification === "hardened")

package/dist/shared/in-memory-fs.d.ts

@@ -1,29 +1,38 @@
-import type { VirtualFileSystem, VirtualStat } from "../types.js";
+import { InodeTable } from "../kernel/inode-table.js";
+import type { VirtualDirEntry, VirtualFileSystem, VirtualStat } from "../kernel/vfs.js";
 /**
- * A fully in-memory VirtualFileSystem backed by Maps.
+ * A fully in-memory VirtualFileSystem backed by inode-aware Maps.
  * Used as the default filesystem for the browser sandbox and for tests.
  * Paths are always POSIX-style (forward slashes, rooted at "/").
  */
 export declare class InMemoryFileSystem implements VirtualFileSystem {
+    private inodeTable;
     private files;
+    private fileContents;
     private dirs;
     private symlinks;
-    private modes;
-    private owners;
-    private timestamps;
-    private hardLinks;
+    constructor(inodeTable?: InodeTable);
+    setInodeTable(inodeTable: InodeTable): void;
+    getInodeForPath(path: string): number | null;
+    readFileByInode(ino: number): Uint8Array;
+    writeFileByInode(ino: number, content: Uint8Array): void;
+    preadByInode(ino: number, offset: number, length: number): Uint8Array;
+    statByInode(ino: number): VirtualStat;
+    deleteInodeData(ino: number): void;
     private listDirEntries;
     readFile(path: string): Promise<Uint8Array>;
     readTextFile(path: string): Promise<string>;
     readDir(path: string): Promise<string[]>;
-    readDirWithTypes(path: string): Promise<Array<{
-        name: string;
-        isDirectory: boolean;
-    }>>;
+    readDirWithTypes(path: string): Promise<VirtualDirEntry[]>;
     writeFile(path: string, content: string | Uint8Array): Promise<void>;
+    prepareOpenSync(path: string, flags: number): boolean;
     createDir(path: string): Promise<void>;
-    mkdir(path: string): Promise<void>;
+    mkdir(path: string, _options?: {
+        recursive?: boolean;
+    }): Promise<void>;
+    private resolveIfSymlink;
     private resolveSymlink;
+    private statForInode;
     private statEntry;
     exists(path: string): Promise<boolean>;
     stat(path: string): Promise<VirtualStat>;
@@ -37,6 +46,16 @@ export declare class InMemoryFileSystem implements VirtualFileSystem {
     chmod(path: string, mode: number): Promise<void>;
     chown(path: string, uid: number, gid: number): Promise<void>;
     utimes(path: string, atime: number, mtime: number): Promise<void>;
+    realpath(path: string): Promise<string>;
+    pread(path: string, offset: number, length: number): Promise<Uint8Array>;
     truncate(path: string, length: number): Promise<void>;
+    private reindexInodes;
+    private cloneInode;
+    private allocateFileInode;
+    private allocateDirectoryInode;
+    private updateFileMetadata;
+    private requirePathInode;
+    private requireFileInode;
+    private requireInode;
 }
 export declare function createInMemoryFileSystem(): InMemoryFileSystem;