@secure-exec/core 0.1.1-rc.3 → 0.2.0-rc.1

package/dist/shared/console-formatter.js

@@ -148,10 +148,14 @@ export function getConsoleSetupCode(budget = DEFAULT_CONSOLE_SERIALIZATION_BUDGE
       const formatConsoleArgs = ${formatConsoleArgs.toString()};
 
       globalThis.console = {
-        log: (...args) => _log.applySync(undefined, [formatConsoleArgs(args, __consoleBudget)]),
-        error: (...args) => _error.applySync(undefined, [formatConsoleArgs(args, __consoleBudget)]),
-        warn: (...args) => _error.applySync(undefined, [formatConsoleArgs(args, __consoleBudget)]),
-        info: (...args) => _log.applySync(undefined, [formatConsoleArgs(args, __consoleBudget)]),
+        log: (...args) => _log(formatConsoleArgs(args, __consoleBudget)),
+        error: (...args) => _error(formatConsoleArgs(args, __consoleBudget)),
+        warn: (...args) => _error(formatConsoleArgs(args, __consoleBudget)),
+        info: (...args) => _log(formatConsoleArgs(args, __consoleBudget)),
+        debug: (...args) => _log(formatConsoleArgs(args, __consoleBudget)),
+        trace: (...args) => _error(formatConsoleArgs(args, __consoleBudget)),
+        dir: (...args) => _log(formatConsoleArgs(args, __consoleBudget)),
+        table: (...args) => _log(formatConsoleArgs(args, __consoleBudget)),
       };
     `;
 }

package/dist/shared/global-exposure.js

@@ -75,6 +75,26 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
         classification: "hardened",
         rationale: "Bridge-owned dns module handle for require resolution.",
     },
+    {
+        name: "_dgramModule",
+        classification: "hardened",
+        rationale: "Bridge-owned dgram module handle for require resolution.",
+    },
+    {
+        name: "_netModule",
+        classification: "hardened",
+        rationale: "Bridge-owned net module handle for require resolution.",
+    },
+    {
+        name: "_tlsModule",
+        classification: "hardened",
+        rationale: "Bridge-owned tls module handle for require resolution.",
+    },
+    {
+        name: "_netSocketDispatch",
+        classification: "hardened",
+        rationale: "Host-to-sandbox net socket event dispatch entrypoint.",
+    },
     {
         name: "_httpServerDispatch",
         classification: "hardened",
@@ -83,17 +103,32 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
     {
         name: "_httpServerUpgradeDispatch",
         classification: "hardened",
-        rationale: "Host-to-sandbox HTTP server upgrade dispatch entrypoint.",
+        rationale: "Host-to-sandbox HTTP upgrade dispatch entrypoint.",
+    },
+    {
+        name: "_httpServerConnectDispatch",
+        classification: "hardened",
+        rationale: "Host-to-sandbox HTTP CONNECT dispatch entrypoint.",
+    },
+    {
+        name: "_http2Dispatch",
+        classification: "hardened",
+        rationale: "Host-to-sandbox HTTP/2 event dispatch entrypoint.",
+    },
+    {
+        name: "_timerDispatch",
+        classification: "hardened",
+        rationale: "Host-to-sandbox timer callback dispatch entrypoint.",
     },
     {
         name: "_upgradeSocketData",
         classification: "hardened",
-        rationale: "Host-to-sandbox upgrade socket data push entrypoint.",
+        rationale: "Host-to-sandbox HTTP upgrade socket data dispatch entrypoint.",
     },
     {
         name: "_upgradeSocketEnd",
         classification: "hardened",
-        rationale: "Host-to-sandbox upgrade socket end push entrypoint.",
+        rationale: "Host-to-sandbox HTTP upgrade socket close dispatch entrypoint.",
     },
     {
         name: "ProcessExitError",
@@ -125,6 +160,16 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
         classification: "hardened",
         rationale: "Host file-loading bridge reference.",
     },
+    {
+        name: "_resolveModuleSync",
+        classification: "hardened",
+        rationale: "Host synchronous module-resolution bridge reference.",
+    },
+    {
+        name: "_loadFileSync",
+        classification: "hardened",
+        rationale: "Host synchronous file-loading bridge reference.",
+    },
     {
         name: "_scheduleTimer",
         classification: "hardened",
@@ -143,67 +188,107 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
     {
         name: "_cryptoHashDigest",
         classification: "hardened",
-        rationale: "Host crypto bridge reference for createHash digest computation.",
+        rationale: "Host crypto digest bridge reference.",
     },
     {
         name: "_cryptoHmacDigest",
         classification: "hardened",
-        rationale: "Host crypto bridge reference for createHmac digest computation.",
+        rationale: "Host crypto HMAC bridge reference.",
     },
     {
         name: "_cryptoPbkdf2",
         classification: "hardened",
-        rationale: "Host crypto bridge reference for pbkdf2 key derivation.",
+        rationale: "Host crypto PBKDF2 bridge reference.",
     },
     {
         name: "_cryptoScrypt",
         classification: "hardened",
-        rationale: "Host crypto bridge reference for scrypt key derivation.",
+        rationale: "Host crypto scrypt bridge reference.",
     },
     {
         name: "_cryptoCipheriv",
         classification: "hardened",
-        rationale: "Host crypto bridge reference for createCipheriv encryption.",
+        rationale: "Host crypto cipher bridge reference.",
     },
     {
         name: "_cryptoDecipheriv",
         classification: "hardened",
-        rationale: "Host crypto bridge reference for createDecipheriv decryption.",
+        rationale: "Host crypto decipher bridge reference.",
     },
     {
         name: "_cryptoCipherivCreate",
         classification: "hardened",
-        rationale: "Host crypto bridge reference for stateful cipher/decipher creation.",
+        rationale: "Host streaming cipher bridge reference.",
     },
     {
         name: "_cryptoCipherivUpdate",
         classification: "hardened",
-        rationale: "Host crypto bridge reference for stateful cipher/decipher update.",
+        rationale: "Host streaming cipher update bridge reference.",
     },
     {
         name: "_cryptoCipherivFinal",
         classification: "hardened",
-        rationale: "Host crypto bridge reference for stateful cipher/decipher final.",
+        rationale: "Host streaming cipher finalization bridge reference.",
     },
     {
         name: "_cryptoSign",
         classification: "hardened",
-        rationale: "Host crypto bridge reference for sign operations.",
+        rationale: "Host crypto sign bridge reference.",
     },
     {
         name: "_cryptoVerify",
         classification: "hardened",
-        rationale: "Host crypto bridge reference for verify operations.",
+        rationale: "Host crypto verify bridge reference.",
+    },
+    {
+        name: "_cryptoAsymmetricOp",
+        classification: "hardened",
+        rationale: "Host asymmetric crypto operation bridge reference.",
+    },
+    {
+        name: "_cryptoCreateKeyObject",
+        classification: "hardened",
+        rationale: "Host asymmetric key import bridge reference.",
     },
     {
         name: "_cryptoGenerateKeyPairSync",
         classification: "hardened",
-        rationale: "Host crypto bridge reference for generateKeyPairSync.",
+        rationale: "Host crypto key-pair generation bridge reference.",
+    },
+    {
+        name: "_cryptoGenerateKeySync",
+        classification: "hardened",
+        rationale: "Host symmetric crypto key generation bridge reference.",
+    },
+    {
+        name: "_cryptoGeneratePrimeSync",
+        classification: "hardened",
+        rationale: "Host prime generation bridge reference.",
+    },
+    {
+        name: "_cryptoDiffieHellman",
+        classification: "hardened",
+        rationale: "Host stateless Diffie-Hellman bridge reference.",
+    },
+    {
+        name: "_cryptoDiffieHellmanGroup",
+        classification: "hardened",
+        rationale: "Host Diffie-Hellman group bridge reference.",
+    },
+    {
+        name: "_cryptoDiffieHellmanSessionCreate",
+        classification: "hardened",
+        rationale: "Host Diffie-Hellman/ECDH session creation bridge reference.",
+    },
+    {
+        name: "_cryptoDiffieHellmanSessionCall",
+        classification: "hardened",
+        rationale: "Host Diffie-Hellman/ECDH session method bridge reference.",
     },
     {
         name: "_cryptoSubtle",
         classification: "hardened",
-        rationale: "Host crypto bridge reference for Web Crypto subtle operations.",
+        rationale: "Host WebCrypto subtle bridge reference.",
     },
     {
         name: "_fsReadFile",
@@ -355,20 +440,180 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
         classification: "hardened",
         rationale: "Host network bridge reference.",
     },
+    {
+        name: "_networkHttpServerRespondRaw",
+        classification: "hardened",
+        rationale: "Host network bridge reference for sandbox HTTP server responses.",
+    },
+    {
+        name: "_networkHttpServerWaitRaw",
+        classification: "hardened",
+        rationale: "Host network bridge reference for sandbox HTTP server lifetime tracking.",
+    },
+    {
+        name: "_networkHttp2ServerListenRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 server listen bridge reference.",
+    },
+    {
+        name: "_networkHttp2ServerCloseRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 server close bridge reference.",
+    },
+    {
+        name: "_networkHttp2ServerWaitRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 server lifetime bridge reference.",
+    },
+    {
+        name: "_networkHttp2SessionConnectRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 session connect bridge reference.",
+    },
+    {
+        name: "_networkHttp2SessionRequestRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 session request bridge reference.",
+    },
+    {
+        name: "_networkHttp2SessionSettingsRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 session settings bridge reference.",
+    },
+    {
+        name: "_networkHttp2SessionGoawayRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 session GOAWAY bridge reference.",
+    },
+    {
+        name: "_networkHttp2SessionCloseRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 session close bridge reference.",
+    },
+    {
+        name: "_networkHttp2SessionDestroyRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 session destroy bridge reference.",
+    },
+    {
+        name: "_networkHttp2SessionWaitRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 session lifetime bridge reference.",
+    },
+    {
+        name: "_networkHttp2StreamRespondRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 stream respond bridge reference.",
+    },
+    {
+        name: "_networkHttp2StreamPushStreamRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 push stream bridge reference.",
+    },
+    {
+        name: "_networkHttp2StreamWriteRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 stream write bridge reference.",
+    },
+    {
+        name: "_networkHttp2StreamEndRaw",
+        classification: "hardened",
+        rationale: "Host HTTP/2 stream end bridge reference.",
+    },
     {
         name: "_upgradeSocketWriteRaw",
         classification: "hardened",
-        rationale: "Host upgrade socket write bridge reference.",
+        rationale: "Host HTTP upgrade socket write bridge reference.",
     },
     {
         name: "_upgradeSocketEndRaw",
         classification: "hardened",
-        rationale: "Host upgrade socket end bridge reference.",
+        rationale: "Host HTTP upgrade socket half-close bridge reference.",
     },
     {
         name: "_upgradeSocketDestroyRaw",
         classification: "hardened",
-        rationale: "Host upgrade socket destroy bridge reference.",
+        rationale: "Host HTTP upgrade socket destroy bridge reference.",
+    },
+    {
+        name: "_netSocketConnectRaw",
+        classification: "hardened",
+        rationale: "Host net socket connect bridge reference.",
+    },
+    {
+        name: "_netSocketWaitConnectRaw",
+        classification: "hardened",
+        rationale: "Host net socket connect-wait bridge reference.",
+    },
+    {
+        name: "_netSocketReadRaw",
+        classification: "hardened",
+        rationale: "Host net socket read bridge reference.",
+    },
+    {
+        name: "_netSocketSetNoDelayRaw",
+        classification: "hardened",
+        rationale: "Host net socket no-delay bridge reference.",
+    },
+    {
+        name: "_netSocketSetKeepAliveRaw",
+        classification: "hardened",
+        rationale: "Host net socket keepalive bridge reference.",
+    },
+    {
+        name: "_netSocketWriteRaw",
+        classification: "hardened",
+        rationale: "Host net socket write bridge reference.",
+    },
+    {
+        name: "_netSocketEndRaw",
+        classification: "hardened",
+        rationale: "Host net socket end bridge reference.",
+    },
+    {
+        name: "_netSocketDestroyRaw",
+        classification: "hardened",
+        rationale: "Host net socket destroy bridge reference.",
+    },
+    {
+        name: "_netSocketUpgradeTlsRaw",
+        classification: "hardened",
+        rationale: "Host net socket TLS-upgrade bridge reference.",
+    },
+    {
+        name: "_netSocketGetTlsClientHelloRaw",
+        classification: "hardened",
+        rationale: "Host loopback TLS client-hello bridge reference.",
+    },
+    {
+        name: "_netSocketTlsQueryRaw",
+        classification: "hardened",
+        rationale: "Host TLS socket query bridge reference.",
+    },
+    {
+        name: "_tlsGetCiphersRaw",
+        classification: "hardened",
+        rationale: "Host TLS cipher-list bridge reference.",
+    },
+    {
+        name: "_netServerListenRaw",
+        classification: "hardened",
+        rationale: "Host net server listen bridge reference.",
+    },
+    {
+        name: "_netServerAcceptRaw",
+        classification: "hardened",
+        rationale: "Host net server accept bridge reference.",
+    },
+    {
+        name: "_netServerCloseRaw",
+        classification: "hardened",
+        rationale: "Host net server close bridge reference.",
+    },
+    {
+        name: "_batchResolveModules",
+        classification: "hardened",
+        rationale: "Host bridge for batched module resolution to reduce IPC round-trips.",
     },
     {
         name: "_ptySetRawMode",
@@ -475,6 +720,11 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
         classification: "hardened",
         rationale: "Blob API global stub — must not be replaceable by sandbox code.",
     },
+    {
+        name: "FormData",
+        classification: "hardened",
+        rationale: "FormData API global stub — must not be replaceable by sandbox code.",
+    },
 ];
 export const HARDENED_NODE_CUSTOM_GLOBALS = NODE_CUSTOM_GLOBAL_INVENTORY
     .filter((entry) => entry.classification === "hardened")

package/dist/shared/in-memory-fs.d.ts

@@ -1,29 +1,38 @@
-import type { VirtualFileSystem, VirtualStat } from "../types.js";
+import { InodeTable } from "../kernel/inode-table.js";
+import type { VirtualDirEntry, VirtualFileSystem, VirtualStat } from "../kernel/vfs.js";
 /**
- * A fully in-memory VirtualFileSystem backed by Maps.
+ * A fully in-memory VirtualFileSystem backed by inode-aware Maps.
  * Used as the default filesystem for the browser sandbox and for tests.
  * Paths are always POSIX-style (forward slashes, rooted at "/").
  */
 export declare class InMemoryFileSystem implements VirtualFileSystem {
+    private inodeTable;
     private files;
+    private fileContents;
     private dirs;
     private symlinks;
-    private modes;
-    private owners;
-    private timestamps;
-    private hardLinks;
+    constructor(inodeTable?: InodeTable);
+    setInodeTable(inodeTable: InodeTable): void;
+    getInodeForPath(path: string): number | null;
+    readFileByInode(ino: number): Uint8Array;
+    writeFileByInode(ino: number, content: Uint8Array): void;
+    preadByInode(ino: number, offset: number, length: number): Uint8Array;
+    statByInode(ino: number): VirtualStat;
+    deleteInodeData(ino: number): void;
     private listDirEntries;
     readFile(path: string): Promise<Uint8Array>;
     readTextFile(path: string): Promise<string>;
     readDir(path: string): Promise<string[]>;
-    readDirWithTypes(path: string): Promise<Array<{
-        name: string;
-        isDirectory: boolean;
-    }>>;
+    readDirWithTypes(path: string): Promise<VirtualDirEntry[]>;
     writeFile(path: string, content: string | Uint8Array): Promise<void>;
+    prepareOpenSync(path: string, flags: number): boolean;
     createDir(path: string): Promise<void>;
-    mkdir(path: string): Promise<void>;
+    mkdir(path: string, _options?: {
+        recursive?: boolean;
+    }): Promise<void>;
+    private resolveIfSymlink;
     private resolveSymlink;
+    private statForInode;
     private statEntry;
     exists(path: string): Promise<boolean>;
     stat(path: string): Promise<VirtualStat>;
@@ -37,6 +46,16 @@ export declare class InMemoryFileSystem implements VirtualFileSystem {
     chmod(path: string, mode: number): Promise<void>;
     chown(path: string, uid: number, gid: number): Promise<void>;
     utimes(path: string, atime: number, mtime: number): Promise<void>;
+    realpath(path: string): Promise<string>;
+    pread(path: string, offset: number, length: number): Promise<Uint8Array>;
     truncate(path: string, length: number): Promise<void>;
+    private reindexInodes;
+    private cloneInode;
+    private allocateFileInode;
+    private allocateDirectoryInode;
+    private updateFileMetadata;
+    private requirePathInode;
+    private requireFileInode;
+    private requireInode;
 }
 export declare function createInMemoryFileSystem(): InMemoryFileSystem;