@secure-exec/core 0.1.1-rc.2 → 0.2.0-rc.1

package/dist/kernel/fd-table.d.ts

@@ -0,0 +1,84 @@
+/**
+ * Per-PID file descriptor table.
+ *
+ * Each process gets its own FD number space. Multiple FDs can share the
+ * same FileDescription (via dup/dup2), which shares the cursor position.
+ * Standard FDs 0-2 are pre-allocated per process.
+ */
+import type { FDEntry, FDStat, FileDescription } from "./types.js";
+/** Maximum open FDs per process before allocations are rejected (EMFILE). */
+export declare const MAX_FDS_PER_PROCESS = 256;
+/** Allocator function that creates a FileDescription with a unique ID. */
+export type DescriptionAllocator = (path: string, flags: number) => FileDescription;
+/**
+ * FD table for a single process.
+ *
+ * Manages FD allocation, dup/dup2, and shared cursor via FileDescription.
+ */
+export declare class ProcessFDTable {
+    private entries;
+    private nextFd;
+    private allocDesc;
+    constructor(allocDesc: DescriptionAllocator);
+    /** Pre-allocate stdin, stdout, stderr */
+    initStdio(stdinDesc: FileDescription, stdoutDesc: FileDescription, stderrDesc: FileDescription): void;
+    /** Pre-allocate stdin, stdout, stderr with custom filetypes (for pipe wiring). */
+    initStdioWithTypes(stdinDesc: FileDescription, stdinType: number, stdoutDesc: FileDescription, stdoutType: number, stderrDesc: FileDescription, stderrType: number): void;
+    /** Open a new FD for the given path and flags */
+    open(path: string, flags: number, filetype?: number): number;
+    /** Open a new FD pointing to an existing FileDescription (for pipes, inherited FDs) */
+    openWith(description: FileDescription, filetype: number, targetFd?: number): number;
+    get(fd: number): FDEntry | undefined;
+    /** Close an FD. Decrements the refcount on the shared FileDescription. */
+    close(fd: number): boolean;
+    /** Duplicate an FD — new FD shares the same FileDescription (cursor). cloexec cleared on new FD (POSIX). */
+    dup(fd: number): number;
+    /** Duplicate FD to lowest available >= minFd (F_DUPFD). cloexec cleared on new FD. */
+    dupMinFd(fd: number, minFd: number): number;
+    /** Duplicate oldFd to newFd. Closes newFd first if open. cloexec cleared on new FD (POSIX). */
+    dup2(oldFd: number, newFd: number): void;
+    stat(fd: number): FDStat;
+    /** Create a copy of this table for a child process (FD inheritance). Skips cloexec FDs. */
+    fork(): ProcessFDTable;
+    /** Close all FDs, decrementing all refcounts. */
+    closeAll(): void;
+    /** Iterate all FD entries (for cleanup inspection). */
+    [Symbol.iterator](): IterableIterator<FDEntry>;
+    private allocateFd;
+}
+/**
+ * Kernel-level FD table manager.
+ * Owns per-PID FD tables and coordinates shared FileDescriptions.
+ */
+export declare class FDTableManager {
+    private tables;
+    private nextDescriptionId;
+    /** Per-instance allocator bound to this manager's ID counter. */
+    private allocDesc;
+    /** Create a new FD table for a process with standard FDs. */
+    create(pid: number): ProcessFDTable;
+    /**
+     * Create a new FD table with custom stdio FileDescriptions.
+     * Used for pipe wiring: pass a pipe read/write end as stdin/stdout/stderr.
+     * Null entries fall back to default device nodes.
+     */
+    createWithStdio(pid: number, stdinOverride: {
+        description: FileDescription;
+        filetype: number;
+    } | null, stdoutOverride: {
+        description: FileDescription;
+        filetype: number;
+    } | null, stderrOverride: {
+        description: FileDescription;
+        filetype: number;
+    } | null): ProcessFDTable;
+    /** Create a child FD table by forking the parent's. */
+    fork(parentPid: number, childPid: number): ProcessFDTable;
+    get(pid: number): ProcessFDTable | undefined;
+    /** Check whether a PID has an FD table. */
+    has(pid: number): boolean;
+    /** Number of active FD tables. */
+    get size(): number;
+    /** Remove and close all FDs for a process. */
+    remove(pid: number): void;
+}

package/dist/kernel/fd-table.js

@@ -0,0 +1,278 @@
+/**
+ * Per-PID file descriptor table.
+ *
+ * Each process gets its own FD number space. Multiple FDs can share the
+ * same FileDescription (via dup/dup2), which shares the cursor position.
+ * Standard FDs 0-2 are pre-allocated per process.
+ */
+import { FILETYPE_REGULAR_FILE, FILETYPE_CHARACTER_DEVICE, O_RDONLY, O_WRONLY, O_CLOEXEC, KernelError, } from "./types.js";
+/** Maximum open FDs per process before allocations are rejected (EMFILE). */
+export const MAX_FDS_PER_PROCESS = 256;
+/**
+ * FD table for a single process.
+ *
+ * Manages FD allocation, dup/dup2, and shared cursor via FileDescription.
+ */
+export class ProcessFDTable {
+    entries = new Map();
+    nextFd = 3; // 0, 1, 2 reserved
+    allocDesc;
+    constructor(allocDesc) {
+        this.allocDesc = allocDesc;
+    }
+    /** Pre-allocate stdin, stdout, stderr */
+    initStdio(stdinDesc, stdoutDesc, stderrDesc) {
+        this.entries.set(0, {
+            fd: 0,
+            description: stdinDesc,
+            rights: 0n,
+            filetype: FILETYPE_CHARACTER_DEVICE,
+            cloexec: false,
+        });
+        this.entries.set(1, {
+            fd: 1,
+            description: stdoutDesc,
+            rights: 0n,
+            filetype: FILETYPE_CHARACTER_DEVICE,
+            cloexec: false,
+        });
+        this.entries.set(2, {
+            fd: 2,
+            description: stderrDesc,
+            rights: 0n,
+            filetype: FILETYPE_CHARACTER_DEVICE,
+            cloexec: false,
+        });
+    }
+    /** Pre-allocate stdin, stdout, stderr with custom filetypes (for pipe wiring). */
+    initStdioWithTypes(stdinDesc, stdinType, stdoutDesc, stdoutType, stderrDesc, stderrType) {
+        // Shared descriptions (from pipes) get refCount bumped
+        stdinDesc.refCount++;
+        stdoutDesc.refCount++;
+        stderrDesc.refCount++;
+        this.entries.set(0, { fd: 0, description: stdinDesc, rights: 0n, filetype: stdinType, cloexec: false });
+        this.entries.set(1, { fd: 1, description: stdoutDesc, rights: 0n, filetype: stdoutType, cloexec: false });
+        this.entries.set(2, { fd: 2, description: stderrDesc, rights: 0n, filetype: stderrType, cloexec: false });
+    }
+    /** Open a new FD for the given path and flags */
+    open(path, flags, filetype) {
+        const fd = this.allocateFd();
+        const cloexec = (flags & O_CLOEXEC) !== 0;
+        const storedFlags = flags & ~O_CLOEXEC;
+        const description = this.allocDesc(path, storedFlags);
+        this.entries.set(fd, {
+            fd,
+            description,
+            rights: 0n,
+            filetype: filetype ?? FILETYPE_REGULAR_FILE,
+            cloexec,
+        });
+        return fd;
+    }
+    /** Open a new FD pointing to an existing FileDescription (for pipes, inherited FDs) */
+    openWith(description, filetype, targetFd) {
+        const fd = targetFd ?? this.allocateFd();
+        description.refCount++;
+        this.entries.set(fd, {
+            fd,
+            description,
+            rights: 0n,
+            filetype,
+            cloexec: false,
+        });
+        return fd;
+    }
+    get(fd) {
+        return this.entries.get(fd);
+    }
+    /** Close an FD. Decrements the refcount on the shared FileDescription. */
+    close(fd) {
+        const entry = this.entries.get(fd);
+        if (!entry)
+            return false;
+        entry.description.refCount--;
+        this.entries.delete(fd);
+        return true;
+    }
+    /** Duplicate an FD — new FD shares the same FileDescription (cursor). cloexec cleared on new FD (POSIX). */
+    dup(fd) {
+        const entry = this.entries.get(fd);
+        if (!entry)
+            throw new KernelError("EBADF", `bad file descriptor ${fd}`);
+        const newFd = this.allocateFd();
+        entry.description.refCount++;
+        this.entries.set(newFd, {
+            fd: newFd,
+            description: entry.description,
+            rights: entry.rights,
+            filetype: entry.filetype,
+            cloexec: false,
+        });
+        return newFd;
+    }
+    /** Duplicate FD to lowest available >= minFd (F_DUPFD). cloexec cleared on new FD. */
+    dupMinFd(fd, minFd) {
+        const entry = this.entries.get(fd);
+        if (!entry)
+            throw new KernelError("EBADF", `bad file descriptor ${fd}`);
+        if (this.entries.size >= MAX_FDS_PER_PROCESS) {
+            throw new KernelError("EMFILE", "too many open files");
+        }
+        let newFd = minFd;
+        while (this.entries.has(newFd))
+            newFd++;
+        entry.description.refCount++;
+        this.entries.set(newFd, {
+            fd: newFd,
+            description: entry.description,
+            rights: entry.rights,
+            filetype: entry.filetype,
+            cloexec: false,
+        });
+        return newFd;
+    }
+    /** Duplicate oldFd to newFd. Closes newFd first if open. cloexec cleared on new FD (POSIX). */
+    dup2(oldFd, newFd) {
+        const entry = this.entries.get(oldFd);
+        if (!entry)
+            throw new KernelError("EBADF", `bad file descriptor ${oldFd}`);
+        if (oldFd === newFd)
+            return;
+        // Close newFd if already open
+        if (this.entries.has(newFd)) {
+            this.close(newFd);
+        }
+        entry.description.refCount++;
+        this.entries.set(newFd, {
+            fd: newFd,
+            description: entry.description,
+            rights: entry.rights,
+            filetype: entry.filetype,
+            cloexec: false,
+        });
+    }
+    stat(fd) {
+        const entry = this.entries.get(fd);
+        if (!entry)
+            throw new KernelError("EBADF", `bad file descriptor ${fd}`);
+        return {
+            filetype: entry.filetype,
+            flags: entry.description.flags,
+            rights: entry.rights,
+        };
+    }
+    /** Create a copy of this table for a child process (FD inheritance). Skips cloexec FDs. */
+    fork() {
+        const child = new ProcessFDTable(this.allocDesc);
+        child.nextFd = this.nextFd;
+        for (const [fd, entry] of this.entries) {
+            if (entry.cloexec)
+                continue;
+            entry.description.refCount++;
+            child.entries.set(fd, {
+                fd,
+                description: entry.description,
+                rights: entry.rights,
+                filetype: entry.filetype,
+                cloexec: false,
+            });
+        }
+        return child;
+    }
+    /** Close all FDs, decrementing all refcounts. */
+    closeAll() {
+        for (const [fd] of this.entries) {
+            this.close(fd);
+        }
+    }
+    /** Iterate all FD entries (for cleanup inspection). */
+    *[Symbol.iterator]() {
+        yield* this.entries.values();
+    }
+    allocateFd() {
+        // Enforce per-process FD limit
+        if (this.entries.size >= MAX_FDS_PER_PROCESS) {
+            throw new KernelError("EMFILE", "too many open files");
+        }
+        // Find lowest available FD >= nextFd hint
+        while (this.entries.has(this.nextFd)) {
+            this.nextFd++;
+        }
+        return this.nextFd++;
+    }
+}
+/**
+ * Kernel-level FD table manager.
+ * Owns per-PID FD tables and coordinates shared FileDescriptions.
+ */
+export class FDTableManager {
+    tables = new Map();
+    nextDescriptionId = 1;
+    /** Per-instance allocator bound to this manager's ID counter. */
+    allocDesc = (path, flags) => ({
+        id: this.nextDescriptionId++,
+        path,
+        cursor: 0n,
+        flags,
+        refCount: 1,
+    });
+    /** Create a new FD table for a process with standard FDs. */
+    create(pid) {
+        const table = new ProcessFDTable(this.allocDesc);
+        table.initStdio(this.allocDesc("/dev/stdin", O_RDONLY), this.allocDesc("/dev/stdout", O_WRONLY), this.allocDesc("/dev/stderr", O_WRONLY));
+        this.tables.set(pid, table);
+        return table;
+    }
+    /**
+     * Create a new FD table with custom stdio FileDescriptions.
+     * Used for pipe wiring: pass a pipe read/write end as stdin/stdout/stderr.
+     * Null entries fall back to default device nodes.
+     */
+    createWithStdio(pid, stdinOverride, stdoutOverride, stderrOverride) {
+        const table = new ProcessFDTable(this.allocDesc);
+        const stdinDesc = stdinOverride
+            ? stdinOverride.description
+            : this.allocDesc("/dev/stdin", O_RDONLY);
+        const stdinType = stdinOverride?.filetype ?? FILETYPE_CHARACTER_DEVICE;
+        const stdoutDesc = stdoutOverride
+            ? stdoutOverride.description
+            : this.allocDesc("/dev/stdout", O_WRONLY);
+        const stdoutType = stdoutOverride?.filetype ?? FILETYPE_CHARACTER_DEVICE;
+        const stderrDesc = stderrOverride
+            ? stderrOverride.description
+            : this.allocDesc("/dev/stderr", O_WRONLY);
+        const stderrType = stderrOverride?.filetype ?? FILETYPE_CHARACTER_DEVICE;
+        table.initStdioWithTypes(stdinDesc, stdinType, stdoutDesc, stdoutType, stderrDesc, stderrType);
+        this.tables.set(pid, table);
+        return table;
+    }
+    /** Create a child FD table by forking the parent's. */
+    fork(parentPid, childPid) {
+        const parentTable = this.tables.get(parentPid);
+        if (!parentTable) {
+            return this.create(childPid);
+        }
+        const childTable = parentTable.fork();
+        this.tables.set(childPid, childTable);
+        return childTable;
+    }
+    get(pid) {
+        return this.tables.get(pid);
+    }
+    /** Check whether a PID has an FD table. */
+    has(pid) {
+        return this.tables.has(pid);
+    }
+    /** Number of active FD tables. */
+    get size() {
+        return this.tables.size;
+    }
+    /** Remove and close all FDs for a process. */
+    remove(pid) {
+        const table = this.tables.get(pid);
+        if (table) {
+            table.closeAll();
+            this.tables.delete(pid);
+        }
+    }
+}

package/dist/kernel/file-lock.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Advisory file lock manager (flock semantics).
+ *
+ * Locks are per-path (inode proxy). Multiple FDs sharing the same
+ * FileDescription (via dup) share the same lock. Locks are released
+ * when the description's refCount drops to zero (all FDs closed).
+ */
+export declare const LOCK_SH = 1;
+export declare const LOCK_EX = 2;
+export declare const LOCK_UN = 8;
+export declare const LOCK_NB = 4;
+export declare class FileLockManager {
+    /** path -> lock state */
+    private locks;
+    /** descriptionId -> path (for cleanup) */
+    private descToPath;
+    /**
+     * Acquire, upgrade/downgrade, or release a lock.
+     *
+     * @param path      Resolved file path (inode proxy)
+     * @param descId    FileDescription id (shared across dup'd FDs)
+     * @param operation LOCK_SH | LOCK_EX | LOCK_UN, optionally | LOCK_NB
+     */
+    flock(path: string, descId: number, operation: number): Promise<void>;
+    /** Release the lock held by a specific description on a path. */
+    private unlock;
+    /** Release all locks held by a specific description (called on FD close when refCount drops to 0). */
+    releaseByDescription(descId: number): void;
+    /** Check if a description holds any lock. */
+    hasLock(descId: number): boolean;
+    private getOrCreate;
+    private tryAcquire;
+    private cleanupState;
+}

package/dist/kernel/file-lock.js

@@ -0,0 +1,123 @@
+/**
+ * Advisory file lock manager (flock semantics).
+ *
+ * Locks are per-path (inode proxy). Multiple FDs sharing the same
+ * FileDescription (via dup) share the same lock. Locks are released
+ * when the description's refCount drops to zero (all FDs closed).
+ */
+import { KernelError } from "./types.js";
+import { WaitQueue } from "./wait.js";
+// flock operation flags (POSIX)
+export const LOCK_SH = 1;
+export const LOCK_EX = 2;
+export const LOCK_UN = 8;
+export const LOCK_NB = 4;
+const FLOCK_WAIT_TIMEOUT_MS = 30_000;
+export class FileLockManager {
+    /** path -> lock state */
+    locks = new Map();
+    /** descriptionId -> path (for cleanup) */
+    descToPath = new Map();
+    /**
+     * Acquire, upgrade/downgrade, or release a lock.
+     *
+     * @param path      Resolved file path (inode proxy)
+     * @param descId    FileDescription id (shared across dup'd FDs)
+     * @param operation LOCK_SH | LOCK_EX | LOCK_UN, optionally | LOCK_NB
+     */
+    async flock(path, descId, operation) {
+        const op = operation & ~LOCK_NB;
+        const nonBlocking = (operation & LOCK_NB) !== 0;
+        if (op === LOCK_UN) {
+            this.unlock(path, descId);
+            return;
+        }
+        while (true) {
+            const state = this.getOrCreate(path);
+            if (this.tryAcquire(path, state, descId, op)) {
+                return;
+            }
+            if (nonBlocking) {
+                throw new KernelError("EAGAIN", "resource temporarily unavailable");
+            }
+            // Bound each wait so callers can re-check lock state without hanging forever.
+            const handle = state.waiters.enqueue(FLOCK_WAIT_TIMEOUT_MS);
+            try {
+                await handle.wait();
+            }
+            finally {
+                state.waiters.remove(handle);
+                this.cleanupState(path, state);
+            }
+        }
+    }
+    /** Release the lock held by a specific description on a path. */
+    unlock(path, descId) {
+        const state = this.locks.get(path);
+        if (!state)
+            return;
+        const idx = state.holders.findIndex(h => h.descriptionId === descId);
+        if (idx >= 0) {
+            state.holders.splice(idx, 1);
+            this.descToPath.delete(descId);
+            state.waiters.wakeOne();
+        }
+        this.cleanupState(path, state);
+    }
+    /** Release all locks held by a specific description (called on FD close when refCount drops to 0). */
+    releaseByDescription(descId) {
+        const path = this.descToPath.get(descId);
+        if (path === undefined)
+            return;
+        this.unlock(path, descId);
+    }
+    /** Check if a description holds any lock. */
+    hasLock(descId) {
+        return this.descToPath.has(descId);
+    }
+    getOrCreate(path) {
+        let state = this.locks.get(path);
+        if (!state) {
+            state = { holders: [], waiters: new WaitQueue() };
+            this.locks.set(path, state);
+        }
+        return state;
+    }
+    tryAcquire(path, state, descId, op) {
+        const existingIdx = state.holders.findIndex(h => h.descriptionId === descId);
+        if (op === LOCK_SH) {
+            const conflict = state.holders.some(h => h.type === "ex" && h.descriptionId !== descId);
+            if (conflict) {
+                return false;
+            }
+            if (existingIdx >= 0) {
+                state.holders[existingIdx].type = "sh";
+            }
+            else {
+                state.holders.push({ descriptionId: descId, type: "sh" });
+                this.descToPath.set(descId, path);
+            }
+            return true;
+        }
+        if (op === LOCK_EX) {
+            const conflict = state.holders.some(h => h.descriptionId !== descId);
+            if (conflict) {
+                return false;
+            }
+            if (existingIdx >= 0) {
+                state.holders[existingIdx].type = "ex";
+            }
+            else {
+                state.holders.push({ descriptionId: descId, type: "ex" });
+                this.descToPath.set(descId, path);
+            }
+            return true;
+        }
+        throw new KernelError("EINVAL", `unsupported flock operation ${op}`);
+    }
+    cleanupState(path, state) {
+        if (state.holders.length === 0 && state.waiters.pending === 0) {
+            this.locks.delete(path);
+        }
+    }
+}

package/dist/kernel/host-adapter.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Host adapter interfaces for kernel network delegation.
+ *
+ * The kernel uses these interfaces to delegate external I/O to the host
+ * without knowing the host implementation. Node.js driver implements
+ * using node:net / node:dgram; browser driver may use WebSocket proxy.
+ */
+/** A connected TCP socket on the host. */
+export interface HostSocket {
+    write(data: Uint8Array): Promise<void>;
+    /** Returns data or null for EOF. */
+    read(): Promise<Uint8Array | null>;
+    close(): Promise<void>;
+    /** Forward kernel socket options to host socket. */
+    setOption(level: number, optname: number, optval: number): void;
+    /** TCP half-close / full shutdown. */
+    shutdown(how: "read" | "write" | "both"): void;
+}
+/** A TCP listener on the host. */
+export interface HostListener {
+    /** Accept the next incoming connection. */
+    accept(): Promise<HostSocket>;
+    close(): Promise<void>;
+    /** Actual bound port (useful when binding port 0 for ephemeral ports). */
+    readonly port: number;
+}
+/** A UDP socket on the host. */
+export interface HostUdpSocket {
+    recv(): Promise<{
+        data: Uint8Array;
+        remoteAddr: {
+            host: string;
+            port: number;
+        };
+    }>;
+    close(): Promise<void>;
+}
+/** DNS lookup result. */
+export interface DnsResult {
+    address: string;
+    family: 4 | 6;
+}
+/** Host adapter that the kernel delegates external network I/O to. */
+export interface HostNetworkAdapter {
+    tcpConnect(host: string, port: number): Promise<HostSocket>;
+    tcpListen(host: string, port: number): Promise<HostListener>;
+    udpBind(host: string, port: number): Promise<HostUdpSocket>;
+    udpSend(socket: HostUdpSocket, data: Uint8Array, host: string, port: number): Promise<void>;
+    dnsLookup(hostname: string, rrtype: string): Promise<DnsResult>;
+}

package/dist/kernel/host-adapter.js

@@ -0,0 +1,8 @@
+/**
+ * Host adapter interfaces for kernel network delegation.
+ *
+ * The kernel uses these interfaces to delegate external I/O to the host
+ * without knowing the host implementation. Node.js driver implements
+ * using node:net / node:dgram; browser driver may use WebSocket proxy.
+ */
+export {};

package/dist/kernel/index.d.ts

@@ -0,0 +1,36 @@
+/**
+ * @secure-exec/kernel
+ *
+ * OS kernel providing VFS, FD table, process table, device layer,
+ * pipes, command registry, and permissions. All runtimes share the
+ * same kernel instance.
+ */
+export { createKernel } from "./kernel.js";
+export type { Kernel, KernelOptions, KernelInterface, ExecOptions, ExecResult, SpawnOptions, ManagedProcess, RuntimeDriver, ProcessContext, DriverProcess, ProcessEntry, ProcessInfo, FDStat, FileDescription, FDEntry, Pipe, Permissions, PermissionDecision, PermissionCheck, FsAccessRequest, NetworkAccessRequest, ChildProcessAccessRequest, EnvAccessRequest, KernelErrorCode, SignalDisposition, SignalHandler, ProcessSignalState, Termios, TermiosCC, OpenShellOptions, ShellHandle, ConnectTerminalOptions, } from "./types.js";
+export { KernelError, defaultTermios } from "./types.js";
+export type { VirtualFileSystem, VirtualDirEntry, VirtualStat, } from "./vfs.js";
+export { FDTableManager, ProcessFDTable } from "./fd-table.js";
+export { ProcessTable } from "./process-table.js";
+export { createDeviceLayer } from "./device-layer.js";
+export { createProcLayer, createProcessScopedFileSystem, resolveProcSelfPath, } from "./proc-layer.js";
+export { PipeManager } from "./pipe-manager.js";
+export { PtyManager } from "./pty.js";
+export type { LineDisciplineConfig } from "./pty.js";
+export { CommandRegistry } from "./command-registry.js";
+export { FileLockManager, LOCK_SH, LOCK_EX, LOCK_UN, LOCK_NB } from "./file-lock.js";
+export { WaitHandle, WaitQueue } from "./wait.js";
+export { InodeTable } from "./inode-table.js";
+export type { Inode } from "./inode-table.js";
+export { TimerTable } from "./timer-table.js";
+export type { KernelTimer, TimerTableOptions } from "./timer-table.js";
+export { DnsCache } from "./dns-cache.js";
+export type { DnsCacheOptions } from "./dns-cache.js";
+export { UserManager } from "./user.js";
+export type { UserConfig } from "./user.js";
+export { SocketTable } from "./socket-table.js";
+export type { KernelSocket, SocketState, SockAddr, InetAddr, UnixAddr, UdpDatagram, } from "./socket-table.js";
+export { AF_INET, AF_INET6, AF_UNIX, SOCK_STREAM, SOCK_DGRAM, SOL_SOCKET, IPPROTO_TCP, SO_REUSEADDR, SO_KEEPALIVE, SO_RCVBUF, SO_SNDBUF, TCP_NODELAY, MSG_PEEK, MSG_DONTWAIT, MSG_NOSIGNAL, MAX_DATAGRAM_SIZE, MAX_UDP_QUEUE_DEPTH, S_IFSOCK, isInetAddr, isUnixAddr, addrKey, optKey, } from "./socket-table.js";
+export type { HostNetworkAdapter, HostSocket, HostListener, HostUdpSocket, DnsResult, } from "./host-adapter.js";
+export { wrapFileSystem, filterEnv, checkChildProcess, allowAll, allowAllFs, allowAllNetwork, allowAllChildProcess, allowAllEnv, } from "./permissions.js";
+export { O_RDONLY, O_WRONLY, O_RDWR, O_CREAT, O_EXCL, O_TRUNC, O_APPEND, O_CLOEXEC, F_DUPFD, F_GETFD, F_SETFD, F_GETFL, F_DUPFD_CLOEXEC, FD_CLOEXEC, SEEK_SET, SEEK_CUR, SEEK_END, FILETYPE_UNKNOWN, FILETYPE_CHARACTER_DEVICE, FILETYPE_DIRECTORY, FILETYPE_REGULAR_FILE, FILETYPE_SYMBOLIC_LINK, FILETYPE_PIPE, SIGHUP, SIGINT, SIGQUIT, SIGKILL, SIGPIPE, SIGALRM, SIGTERM, SIGCHLD, SIGCONT, SIGSTOP, SIGTSTP, SIGWINCH, SA_RESTART, SA_RESETHAND, SA_NOCLDSTOP, SIG_BLOCK, SIG_UNBLOCK, SIG_SETMASK, WNOHANG, } from "./types.js";
+export { encodeExitStatus, encodeSignalStatus, WIFEXITED, WEXITSTATUS, WIFSIGNALED, WTERMSIG, } from "./wstatus.js";

package/dist/kernel/index.js

@@ -0,0 +1,34 @@
+/**
+ * @secure-exec/kernel
+ *
+ * OS kernel providing VFS, FD table, process table, device layer,
+ * pipes, command registry, and permissions. All runtimes share the
+ * same kernel instance.
+ */
+// Kernel factory
+export { createKernel } from "./kernel.js";
+// Structured kernel error and termios defaults
+export { KernelError, defaultTermios } from "./types.js";
+// Kernel components (for direct use / testing)
+export { FDTableManager, ProcessFDTable } from "./fd-table.js";
+export { ProcessTable } from "./process-table.js";
+export { createDeviceLayer } from "./device-layer.js";
+export { createProcLayer, createProcessScopedFileSystem, resolveProcSelfPath, } from "./proc-layer.js";
+export { PipeManager } from "./pipe-manager.js";
+export { PtyManager } from "./pty.js";
+export { CommandRegistry } from "./command-registry.js";
+export { FileLockManager, LOCK_SH, LOCK_EX, LOCK_UN, LOCK_NB } from "./file-lock.js";
+export { WaitHandle, WaitQueue } from "./wait.js";
+export { InodeTable } from "./inode-table.js";
+export { TimerTable } from "./timer-table.js";
+export { DnsCache } from "./dns-cache.js";
+export { UserManager } from "./user.js";
+// Socket table
+export { SocketTable } from "./socket-table.js";
+export { AF_INET, AF_INET6, AF_UNIX, SOCK_STREAM, SOCK_DGRAM, SOL_SOCKET, IPPROTO_TCP, SO_REUSEADDR, SO_KEEPALIVE, SO_RCVBUF, SO_SNDBUF, TCP_NODELAY, MSG_PEEK, MSG_DONTWAIT, MSG_NOSIGNAL, MAX_DATAGRAM_SIZE, MAX_UDP_QUEUE_DEPTH, S_IFSOCK, isInetAddr, isUnixAddr, addrKey, optKey, } from "./socket-table.js";
+// Permissions
+export { wrapFileSystem, filterEnv, checkChildProcess, allowAll, allowAllFs, allowAllNetwork, allowAllChildProcess, allowAllEnv, } from "./permissions.js";
+// Constants
+export { O_RDONLY, O_WRONLY, O_RDWR, O_CREAT, O_EXCL, O_TRUNC, O_APPEND, O_CLOEXEC, F_DUPFD, F_GETFD, F_SETFD, F_GETFL, F_DUPFD_CLOEXEC, FD_CLOEXEC, SEEK_SET, SEEK_CUR, SEEK_END, FILETYPE_UNKNOWN, FILETYPE_CHARACTER_DEVICE, FILETYPE_DIRECTORY, FILETYPE_REGULAR_FILE, FILETYPE_SYMBOLIC_LINK, FILETYPE_PIPE, SIGHUP, SIGINT, SIGQUIT, SIGKILL, SIGPIPE, SIGALRM, SIGTERM, SIGCHLD, SIGCONT, SIGSTOP, SIGTSTP, SIGWINCH, SA_RESTART, SA_RESETHAND, SA_NOCLDSTOP, SIG_BLOCK, SIG_UNBLOCK, SIG_SETMASK, WNOHANG, } from "./types.js";
+// POSIX wstatus encoding/decoding
+export { encodeExitStatus, encodeSignalStatus, WIFEXITED, WEXITSTATUS, WIFSIGNALED, WTERMSIG, } from "./wstatus.js";