@secure-exec/core 0.1.1-rc.2 → 0.2.0-rc.1

package/dist/isolate-runtime/set-commonjs-file-globals.js

@@ -1,6 +1,6 @@
 "use strict";
 (() => {
-  // isolate-runtime/src/common/global-exposure.ts
+  // ../core/isolate-runtime/src/common/global-exposure.ts
   function defineRuntimeGlobalBinding(name, value, mutable) {
     Object.defineProperty(globalThis, name, {
       value,
@@ -21,7 +21,7 @@
     return createRuntimeGlobalExposer(true);
   }
 
-  // isolate-runtime/src/inject/set-commonjs-file-globals.ts
+  // ../core/isolate-runtime/src/inject/set-commonjs-file-globals.ts
   var __runtimeExposeMutableGlobal = getRuntimeExposeMutableGlobal();
   var __commonJsFileConfig = globalThis.__runtimeCommonJsFileConfig ?? {};
   var __filePath = typeof __commonJsFileConfig.filePath === "string" ? __commonJsFileConfig.filePath : "/<entry>.js";

package/dist/isolate-runtime/set-stdin-data.js

@@ -1,6 +1,6 @@
 "use strict";
 (() => {
-  // isolate-runtime/src/inject/set-stdin-data.ts
+  // ../core/isolate-runtime/src/inject/set-stdin-data.ts
   if (typeof globalThis._stdinData !== "undefined") {
     globalThis._stdinData = globalThis.__runtimeStdinData;
     globalThis._stdinPosition = 0;

package/dist/isolate-runtime/setup-dynamic-import.js

@@ -1,11 +1,11 @@
 "use strict";
 (() => {
-  // isolate-runtime/src/common/global-access.ts
+  // ../core/isolate-runtime/src/common/global-access.ts
   function isObjectLike(value) {
     return value !== null && (typeof value === "object" || typeof value === "function");
   }
 
-  // isolate-runtime/src/common/global-exposure.ts
+  // ../core/isolate-runtime/src/common/global-exposure.ts
   function defineRuntimeGlobalBinding(name, value, mutable) {
     Object.defineProperty(globalThis, name, {
       value,
@@ -26,26 +26,57 @@
     return createRuntimeGlobalExposer(false);
   }
 
-  // isolate-runtime/src/inject/setup-dynamic-import.ts
+  // ../core/isolate-runtime/src/inject/setup-dynamic-import.ts
   var __runtimeExposeCustomGlobal = getRuntimeExposeCustomGlobal();
   var __dynamicImportConfig = globalThis.__runtimeDynamicImportConfig ?? {};
   var __fallbackReferrer = typeof __dynamicImportConfig.referrerPath === "string" && __dynamicImportConfig.referrerPath.length > 0 ? __dynamicImportConfig.referrerPath : "/";
-  var __dynamicImportHandler = async function(specifier, fromPath) {
+  var __dynamicImportCache = /* @__PURE__ */ new Map();
+  var __resolveDynamicImportPath = function(request, referrer) {
+    if (!request.startsWith("./") && !request.startsWith("../") && !request.startsWith("/")) {
+      return request;
+    }
+    const baseDir = referrer.endsWith("/") ? referrer : referrer.slice(0, referrer.lastIndexOf("/")) || "/";
+    const segments = baseDir.split("/").filter(Boolean);
+    for (const part of request.split("/")) {
+      if (part === "." || part.length === 0) continue;
+      if (part === "..") {
+        segments.pop();
+        continue;
+      }
+      segments.push(part);
+    }
+    return `/${segments.join("/")}`;
+  };
+  var __dynamicImportHandler = function(specifier, fromPath) {
     const request = String(specifier);
     const referrer = typeof fromPath === "string" && fromPath.length > 0 ? fromPath : __fallbackReferrer;
-    const allowRequireFallback = request.endsWith(".cjs") || request.endsWith(".json");
-    const namespace = await globalThis._dynamicImport(request, referrer);
-    if (namespace !== null) {
-      return namespace;
+    let resolved = null;
+    if (typeof globalThis._resolveModuleSync !== "undefined") {
+      resolved = globalThis._resolveModuleSync.applySync(
+        void 0,
+        [request, referrer, "import"]
+      );
     }
-    if (!allowRequireFallback) {
-      throw new Error("Cannot find module '" + request + "'");
+    const resolvedPath = typeof resolved === "string" && resolved.length > 0 ? resolved : __resolveDynamicImportPath(request, referrer);
+    const cacheKey = typeof resolved === "string" && resolved.length > 0 ? resolved : `${referrer}\0${request}`;
+    const cached = __dynamicImportCache.get(cacheKey);
+    if (cached) return Promise.resolve(cached);
+    if (typeof globalThis._requireFrom !== "function") {
+      throw new Error("Cannot load module: " + resolvedPath);
     }
-    const runtimeRequire = globalThis.require;
-    if (typeof runtimeRequire !== "function") {
-      throw new Error("Cannot find module '" + request + "'");
+    let mod;
+    try {
+      mod = globalThis._requireFrom(resolved ?? request, referrer);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      if (error && typeof error === "object" && "code" in error && error.code === "MODULE_NOT_FOUND") {
+        throw new Error("Cannot load module: " + resolvedPath);
+      }
+      if (message.startsWith("Cannot find module ")) {
+        throw new Error("Cannot load module: " + resolvedPath);
+      }
+      throw error;
     }
-    const mod = runtimeRequire(request);
     const namespaceFallback = { default: mod };
     if (isObjectLike(mod)) {
       for (const key of Object.keys(mod)) {
@@ -54,7 +85,8 @@
         }
       }
     }
-    return namespaceFallback;
+    __dynamicImportCache.set(cacheKey, namespaceFallback);
+    return Promise.resolve(namespaceFallback);
   };
   __runtimeExposeCustomGlobal("__dynamicImport", __dynamicImportHandler);
 })();

package/dist/isolate-runtime/setup-fs-facade.js

@@ -1,6 +1,6 @@
 "use strict";
 (() => {
-  // isolate-runtime/src/common/global-exposure.ts
+  // ../core/isolate-runtime/src/common/global-exposure.ts
   function defineRuntimeGlobalBinding(name, value, mutable) {
     Object.defineProperty(globalThis, name, {
       value,
@@ -21,7 +21,7 @@
     return createRuntimeGlobalExposer(false);
   }
 
-  // isolate-runtime/src/inject/setup-fs-facade.ts
+  // ../core/isolate-runtime/src/inject/setup-fs-facade.ts
   var __runtimeExposeCustomGlobal = getRuntimeExposeCustomGlobal();
   var __fsFacade = {};
   Object.defineProperties(__fsFacade, {

package/dist/kernel/command-registry.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Command registry.
+ *
+ * Maps command names to runtime drivers. When a process calls
+ * spawn("grep", ...), the registry resolves "grep" to the WasmVM driver.
+ * Also populates /bin in the VFS so shell PATH lookup succeeds.
+ */
+import type { RuntimeDriver } from "./types.js";
+import type { VirtualFileSystem } from "./vfs.js";
+export declare class CommandRegistry {
+    /** command name → RuntimeDriver */
+    private commands;
+    /** Warning log for command overrides. */
+    private warnings;
+    /**
+     * Register all commands from a driver.
+     * Last-mounted driver wins on conflicts (allows override with warning).
+     */
+    register(driver: RuntimeDriver): void;
+    /** Get recorded warnings (for testing). */
+    getWarnings(): readonly string[];
+    /**
+     * Register a single command to a driver.
+     * Used for on-demand dynamic registration (e.g. after tryResolve).
+     */
+    registerCommand(command: string, driver: RuntimeDriver): void;
+    /**
+     * Resolve a command name to a driver. Returns null if unknown.
+     * Supports path-based lookup: '/bin/ls' resolves to the driver for 'ls'.
+     */
+    resolve(command: string): RuntimeDriver | null;
+    /** List all registered commands. Returns command → driver name. */
+    list(): Map<string, string>;
+    /**
+     * Create a single /bin stub entry for a command.
+     * Used for on-demand registration after tryResolve discovers a new command.
+     */
+    populateBinEntry(vfs: VirtualFileSystem, command: string): Promise<void>;
+    /**
+     * Populate /bin in the VFS with stub entries for all registered commands.
+     * This enables brush-shell's PATH lookup to find commands.
+     */
+    populateBin(vfs: VirtualFileSystem): Promise<void>;
+}

package/dist/kernel/command-registry.js

@@ -0,0 +1,114 @@
+/**
+ * Command registry.
+ *
+ * Maps command names to runtime drivers. When a process calls
+ * spawn("grep", ...), the registry resolves "grep" to the WasmVM driver.
+ * Also populates /bin in the VFS so shell PATH lookup succeeds.
+ */
+export class CommandRegistry {
+    /** command name → RuntimeDriver */
+    commands = new Map();
+    /** Warning log for command overrides. */
+    warnings = [];
+    /**
+     * Register all commands from a driver.
+     * Last-mounted driver wins on conflicts (allows override with warning).
+     */
+    register(driver) {
+        for (const cmd of driver.commands) {
+            const existing = this.commands.get(cmd);
+            if (existing) {
+                const msg = `command "${cmd}" overridden: ${existing.name} → ${driver.name}`;
+                this.warnings.push(msg);
+                console.warn(`[CommandRegistry] ${msg}`);
+            }
+            this.commands.set(cmd, driver);
+        }
+    }
+    /** Get recorded warnings (for testing). */
+    getWarnings() {
+        return this.warnings;
+    }
+    /**
+     * Register a single command to a driver.
+     * Used for on-demand dynamic registration (e.g. after tryResolve).
+     */
+    registerCommand(command, driver) {
+        const existing = this.commands.get(command);
+        if (existing) {
+            const msg = `command "${command}" overridden: ${existing.name} → ${driver.name}`;
+            this.warnings.push(msg);
+            console.warn(`[CommandRegistry] ${msg}`);
+        }
+        this.commands.set(command, driver);
+    }
+    /**
+     * Resolve a command name to a driver. Returns null if unknown.
+     * Supports path-based lookup: '/bin/ls' resolves to the driver for 'ls'.
+     */
+    resolve(command) {
+        // Direct name lookup
+        const direct = this.commands.get(command);
+        if (direct)
+            return direct;
+        // Path-based: extract basename and retry
+        if (command.includes("/")) {
+            const basename = command.split("/").pop();
+            if (basename)
+                return this.commands.get(basename) ?? null;
+        }
+        return null;
+    }
+    /** List all registered commands. Returns command → driver name. */
+    list() {
+        const result = new Map();
+        for (const [cmd, driver] of this.commands) {
+            result.set(cmd, driver.name);
+        }
+        return result;
+    }
+    /**
+     * Create a single /bin stub entry for a command.
+     * Used for on-demand registration after tryResolve discovers a new command.
+     */
+    async populateBinEntry(vfs, command) {
+        if (!(await vfs.exists("/bin"))) {
+            await vfs.mkdir("/bin", { recursive: true });
+        }
+        const path = `/bin/${command}`;
+        if (!(await vfs.exists(path))) {
+            const stub = new TextEncoder().encode("#!/bin/sh\n# kernel command stub\n");
+            await vfs.writeFile(path, stub);
+            try {
+                await vfs.chmod(path, 0o755);
+            }
+            catch {
+                // chmod may not be supported by all VFS backends
+            }
+        }
+    }
+    /**
+     * Populate /bin in the VFS with stub entries for all registered commands.
+     * This enables brush-shell's PATH lookup to find commands.
+     */
+    async populateBin(vfs) {
+        // Ensure /bin exists
+        if (!(await vfs.exists("/bin"))) {
+            await vfs.mkdir("/bin", { recursive: true });
+        }
+        // Create a stub file for each command
+        const stub = new TextEncoder().encode("#!/bin/sh\n# kernel command stub\n");
+        for (const cmd of this.commands.keys()) {
+            const path = `/bin/${cmd}`;
+            if (!(await vfs.exists(path))) {
+                await vfs.writeFile(path, stub);
+                try {
+                    await vfs.chmod(path, 0o755);
+                }
+                catch {
+                    // chmod may not be supported by all VFS backends
+                }
+            }
+        }
+    }
+}

package/dist/kernel/device-layer.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Device layer.
+ *
+ * Intercepts device node paths (/dev/*) before they reach the VFS backend.
+ * Wraps a VirtualFileSystem and handles device-specific read/write semantics.
+ */
+import type { VirtualFileSystem } from "./vfs.js";
+/**
+ * Wrap a VFS with device node interception.
+ * Device paths are handled directly; all other paths pass through.
+ */
+export declare function createDeviceLayer(vfs: VirtualFileSystem): VirtualFileSystem;

package/dist/kernel/device-layer.js

@@ -0,0 +1,262 @@
+/**
+ * Device layer.
+ *
+ * Intercepts device node paths (/dev/*) before they reach the VFS backend.
+ * Wraps a VirtualFileSystem and handles device-specific read/write semantics.
+ */
+import { KernelError } from "./types.js";
+const DEVICE_PATHS = new Set([
+    "/dev/null",
+    "/dev/zero",
+    "/dev/stdin",
+    "/dev/stdout",
+    "/dev/stderr",
+    "/dev/urandom",
+    "/dev/random",
+    "/dev/tty",
+    "/dev/console",
+    "/dev/full",
+    "/dev/ptmx",
+]);
+const DEVICE_INO = {
+    "/dev/null": 0xffff_0001,
+    "/dev/zero": 0xffff_0002,
+    "/dev/stdin": 0xffff_0003,
+    "/dev/stdout": 0xffff_0004,
+    "/dev/stderr": 0xffff_0005,
+    "/dev/urandom": 0xffff_0006,
+    "/dev/random": 0xffff_0007,
+    "/dev/tty": 0xffff_0008,
+    "/dev/console": 0xffff_0009,
+    "/dev/full": 0xffff_000a,
+    "/dev/ptmx": 0xffff_000b,
+};
+/** Device pseudo-directories that contain dynamic entries. */
+const DEVICE_DIRS = new Set(["/dev/fd", "/dev/pts", "/dev/shm"]);
+function isDevicePath(path) {
+    return DEVICE_PATHS.has(path) || path.startsWith("/dev/fd/") || path.startsWith("/dev/pts/");
+}
+function isDeviceDir(path) {
+    return path === "/dev" || DEVICE_DIRS.has(path);
+}
+function deviceStat(path) {
+    const now = Date.now();
+    return {
+        mode: 0o666,
+        size: 0,
+        isDirectory: false,
+        isSymbolicLink: false,
+        atimeMs: now,
+        mtimeMs: now,
+        ctimeMs: now,
+        birthtimeMs: now,
+        ino: DEVICE_INO[path] ?? 0xffff_0000,
+        nlink: 1,
+        uid: 0,
+        gid: 0,
+    };
+}
+const DEV_DIR_ENTRIES = [
+    { name: "null", isDirectory: false },
+    { name: "zero", isDirectory: false },
+    { name: "stdin", isDirectory: false },
+    { name: "stdout", isDirectory: false },
+    { name: "stderr", isDirectory: false },
+    { name: "urandom", isDirectory: false },
+    { name: "random", isDirectory: false },
+    { name: "tty", isDirectory: false },
+    { name: "console", isDirectory: false },
+    { name: "full", isDirectory: false },
+    { name: "ptmx", isDirectory: false },
+    { name: "fd", isDirectory: true },
+    { name: "pts", isDirectory: true },
+    { name: "shm", isDirectory: true },
+];
+/**
+ * Wrap a VFS with device node interception.
+ * Device paths are handled directly; all other paths pass through.
+ */
+export function createDeviceLayer(vfs) {
+    const wrapped = {
+        prepareOpenSync(path, flags) {
+            if (isDevicePath(path) || isDeviceDir(path))
+                return false;
+            const syncVfs = vfs;
+            return syncVfs.prepareOpenSync?.(path, flags) ?? false;
+        },
+        async readFile(path) {
+            if (path === "/dev/null" || path === "/dev/full")
+                return new Uint8Array(0);
+            if (path === "/dev/zero")
+                return new Uint8Array(4096);
+            if (path === "/dev/urandom" || path === "/dev/random") {
+                const buf = new Uint8Array(4096);
+                if (typeof globalThis.crypto?.getRandomValues === "function") {
+                    globalThis.crypto.getRandomValues(buf);
+                }
+                else {
+                    for (let i = 0; i < buf.length; i++) {
+                        buf[i] = (Math.random() * 256) | 0;
+                    }
+                }
+                return buf;
+            }
+            if (path === "/dev/tty" || path === "/dev/console" || path === "/dev/ptmx")
+                return new Uint8Array(0);
+            return vfs.readFile(path);
+        },
+        async pread(path, offset, length) {
+            if (path === "/dev/null" || path === "/dev/full")
+                return new Uint8Array(0);
+            if (path === "/dev/zero")
+                return new Uint8Array(length);
+            if (path === "/dev/urandom" || path === "/dev/random") {
+                const buf = new Uint8Array(length);
+                if (typeof globalThis.crypto?.getRandomValues === "function") {
+                    globalThis.crypto.getRandomValues(buf);
+                }
+                else {
+                    for (let i = 0; i < buf.length; i++) {
+                        buf[i] = (Math.random() * 256) | 0;
+                    }
+                }
+                return buf;
+            }
+            if (path === "/dev/tty" || path === "/dev/console" || path === "/dev/ptmx")
+                return new Uint8Array(0);
+            return vfs.pread(path, offset, length);
+        },
+        async readTextFile(path) {
+            if (path === "/dev/null")
+                return "";
+            const bytes = await this.readFile(path);
+            return new TextDecoder().decode(bytes);
+        },
+        async readDir(path) {
+            if (path === "/dev") {
+                return DEV_DIR_ENTRIES.map((e) => e.name);
+            }
+            // /dev/fd and /dev/pts are dynamic — return empty at VFS level
+            if (DEVICE_DIRS.has(path))
+                return [];
+            return vfs.readDir(path);
+        },
+        async readDirWithTypes(path) {
+            if (path === "/dev") {
+                return DEV_DIR_ENTRIES;
+            }
+            if (DEVICE_DIRS.has(path))
+                return [];
+            return vfs.readDirWithTypes(path);
+        },
+        async writeFile(path, content) {
+            // /dev/full always returns ENOSPC on write (POSIX behavior)
+            if (path === "/dev/full")
+                throw new KernelError("ENOSPC", "No space left on device");
+            // Discard writes to sink devices
+            if (path === "/dev/null" || path === "/dev/zero" || path === "/dev/urandom"
+                || path === "/dev/random" || path === "/dev/tty" || path === "/dev/console"
+                || path === "/dev/ptmx")
+                return;
+            return vfs.writeFile(path, content);
+        },
+        async createDir(path) {
+            if (isDeviceDir(path))
+                return;
+            return vfs.createDir(path);
+        },
+        async mkdir(path, options) {
+            if (isDeviceDir(path))
+                return;
+            return vfs.mkdir(path, options);
+        },
+        async exists(path) {
+            if (isDevicePath(path) || isDeviceDir(path))
+                return true;
+            return vfs.exists(path);
+        },
+        async stat(path) {
+            if (isDevicePath(path))
+                return deviceStat(path);
+            if (isDeviceDir(path)) {
+                const now = Date.now();
+                return {
+                    mode: 0o755,
+                    size: 0,
+                    isDirectory: true,
+                    isSymbolicLink: false,
+                    atimeMs: now,
+                    mtimeMs: now,
+                    ctimeMs: now,
+                    birthtimeMs: now,
+                    ino: DEVICE_INO[path] ?? 0xffff_0000,
+                    nlink: 2,
+                    uid: 0,
+                    gid: 0,
+                };
+            }
+            return vfs.stat(path);
+        },
+        async removeFile(path) {
+            if (isDevicePath(path))
+                throw new KernelError("EPERM", "cannot remove device");
+            return vfs.removeFile(path);
+        },
+        async removeDir(path) {
+            if (isDeviceDir(path))
+                throw new KernelError("EPERM", `cannot remove ${path}`);
+            return vfs.removeDir(path);
+        },
+        async rename(oldPath, newPath) {
+            if (isDevicePath(oldPath) || isDevicePath(newPath)) {
+                throw new KernelError("EPERM", "cannot rename device");
+            }
+            return vfs.rename(oldPath, newPath);
+        },
+        async realpath(path) {
+            if (isDevicePath(path) || isDeviceDir(path))
+                return path;
+            return vfs.realpath(path);
+        },
+        // Passthrough for POSIX extensions
+        async symlink(target, linkPath) {
+            return vfs.symlink(target, linkPath);
+        },
+        async readlink(path) {
+            return vfs.readlink(path);
+        },
+        async lstat(path) {
+            if (isDevicePath(path))
+                return deviceStat(path);
+            if (isDeviceDir(path))
+                return this.stat(path);
+            return vfs.lstat(path);
+        },
+        async link(oldPath, newPath) {
+            if (isDevicePath(oldPath))
+                throw new KernelError("EPERM", "cannot link device");
+            return vfs.link(oldPath, newPath);
+        },
+        async chmod(path, mode) {
+            if (isDevicePath(path))
+                return;
+            return vfs.chmod(path, mode);
+        },
+        async chown(path, uid, gid) {
+            if (isDevicePath(path))
+                return;
+            return vfs.chown(path, uid, gid);
+        },
+        async utimes(path, atime, mtime) {
+            if (isDevicePath(path))
+                return;
+            return vfs.utimes(path, atime, mtime);
+        },
+        async truncate(path, length) {
+            if (isDevicePath(path))
+                return;
+            return vfs.truncate(path, length);
+        },
+    };
+    return wrapped;
+}

package/dist/kernel/dns-cache.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Kernel DNS cache shared across runtimes.
+ *
+ * Runtimes call kernel DNS cache before falling through to the host
+ * adapter. Entries expire after their TTL.
+ */
+import type { DnsResult } from "./host-adapter.js";
+export interface DnsCacheOptions {
+    /** Default TTL in milliseconds when none is specified. Default: 30000 (30s). */
+    defaultTtlMs?: number;
+}
+export declare class DnsCache {
+    private cache;
+    private defaultTtlMs;
+    constructor(options?: DnsCacheOptions);
+    /**
+     * Look up a cached DNS result. Returns null on miss or expired entry.
+     */
+    lookup(hostname: string, rrtype: string): DnsResult | null;
+    /**
+     * Store a DNS result with TTL.
+     * @param ttlMs TTL in milliseconds. Uses defaultTtlMs if not provided.
+     */
+    store(hostname: string, rrtype: string, result: DnsResult, ttlMs?: number): void;
+    /** Flush all cached entries. */
+    flush(): void;
+    /** Number of entries (including possibly expired). */
+    get size(): number;
+}

package/dist/kernel/dns-cache.js

@@ -0,0 +1,52 @@
+/**
+ * Kernel DNS cache shared across runtimes.
+ *
+ * Runtimes call kernel DNS cache before falling through to the host
+ * adapter. Entries expire after their TTL.
+ */
+export class DnsCache {
+    cache = new Map();
+    defaultTtlMs;
+    constructor(options) {
+        this.defaultTtlMs = options?.defaultTtlMs ?? 30_000;
+    }
+    /**
+     * Look up a cached DNS result. Returns null on miss or expired entry.
+     */
+    lookup(hostname, rrtype) {
+        const key = cacheKey(hostname, rrtype);
+        const entry = this.cache.get(key);
+        if (!entry)
+            return null;
+        // Expired — remove and return miss
+        if (Date.now() >= entry.expiresAt) {
+            this.cache.delete(key);
+            return null;
+        }
+        return entry.result;
+    }
+    /**
+     * Store a DNS result with TTL.
+     * @param ttlMs TTL in milliseconds. Uses defaultTtlMs if not provided.
+     */
+    store(hostname, rrtype, result, ttlMs) {
+        const key = cacheKey(hostname, rrtype);
+        const ttl = ttlMs ?? this.defaultTtlMs;
+        this.cache.set(key, {
+            result,
+            expiresAt: Date.now() + ttl,
+        });
+    }
+    /** Flush all cached entries. */
+    flush() {
+        this.cache.clear();
+    }
+    /** Number of entries (including possibly expired). */
+    get size() {
+        return this.cache.size;
+    }
+}
+/** Canonical cache key: "hostname:rrtype" */
+function cacheKey(hostname, rrtype) {
+    return `${hostname}:${rrtype}`;
+}