@secure-exec/core 0.1.1-rc.3 → 0.2.0-rc.1

package/dist/shared/in-memory-fs.js

@@ -1,6 +1,9 @@
+import { InodeTable } from "../kernel/inode-table.js";
+import { KernelError, O_CREAT, O_EXCL, O_TRUNC } from "../kernel/types.js";
 const S_IFREG = 0o100000;
 const S_IFDIR = 0o040000;
 const S_IFLNK = 0o120000;
+const S_IFSOCK = 0o140000;
 function normalizePath(path) {
     if (!path)
         return "/";
@@ -22,53 +25,127 @@ function dirname(path) {
     return `/${parts.slice(0, -1).join("/")}`;
 }
 /**
- * A fully in-memory VirtualFileSystem backed by Maps.
+ * A fully in-memory VirtualFileSystem backed by inode-aware Maps.
  * Used as the default filesystem for the browser sandbox and for tests.
  * Paths are always POSIX-style (forward slashes, rooted at "/").
  */
 export class InMemoryFileSystem {
+    inodeTable;
     files = new Map();
-    dirs = new Set(["/"]);
+    fileContents = new Map();
+    dirs = new Map();
     symlinks = new Map();
-    modes = new Map();
-    owners = new Map();
-    timestamps = new Map();
-    hardLinks = new Map(); // newPath → originalPath
+    constructor(inodeTable = new InodeTable()) {
+        this.inodeTable = inodeTable;
+        this.dirs.set("/", this.allocateDirectoryInode().ino);
+    }
+    // Rebind the filesystem to the kernel's shared inode table.
+    setInodeTable(inodeTable) {
+        if (this.inodeTable === inodeTable)
+            return;
+        const oldTable = this.inodeTable;
+        this.inodeTable = inodeTable;
+        this.reindexInodes(oldTable);
+    }
+    getInodeForPath(path) {
+        const normalized = normalizePath(path);
+        const resolved = this.resolveSymlink(normalized);
+        return this.files.get(resolved) ?? this.dirs.get(resolved) ?? null;
+    }
+    readFileByInode(ino) {
+        const data = this.fileContents.get(ino);
+        if (!data) {
+            throw new Error(`ENOENT: inode ${ino} has no file data`);
+        }
+        this.requireInode(ino).atime = new Date();
+        return data;
+    }
+    writeFileByInode(ino, content) {
+        this.requireFileInode(ino);
+        this.fileContents.set(ino, content);
+        this.updateFileMetadata(ino, content.byteLength);
+    }
+    preadByInode(ino, offset, length) {
+        const data = this.readFileByInode(ino);
+        return data.slice(offset, offset + length);
+    }
+    statByInode(ino) {
+        return this.statForInode(this.requireInode(ino));
+    }
+    deleteInodeData(ino) {
+        this.fileContents.delete(ino);
+    }
     listDirEntries(path) {
         const normalized = normalizePath(path);
-        if (!this.dirs.has(normalized)) {
+        const dirIno = this.dirs.get(normalized);
+        if (dirIno === undefined) {
             throw new Error(`ENOENT: no such file or directory, scandir '${normalized}'`);
         }
         const prefix = normalized === "/" ? "/" : `${normalized}/`;
         const entries = new Map();
-        for (const filePath of this.files.keys()) {
-            if (filePath.startsWith(prefix)) {
-                const rest = filePath.slice(prefix.length);
-                if (rest && !rest.includes("/")) {
-                    entries.set(rest, false);
-                }
+        const parentPath = normalized === "/" ? "/" : dirname(normalized);
+        const parentIno = this.dirs.get(parentPath) ?? dirIno;
+        entries.set(".", {
+            name: ".",
+            isDirectory: true,
+            isSymbolicLink: false,
+            ino: dirIno,
+        });
+        entries.set("..", {
+            name: "..",
+            isDirectory: true,
+            isSymbolicLink: false,
+            ino: parentIno,
+        });
+        for (const [filePath, ino] of this.files.entries()) {
+            if (!filePath.startsWith(prefix))
+                continue;
+            const rest = filePath.slice(prefix.length);
+            if (rest && !rest.includes("/")) {
+                entries.set(rest, {
+                    name: rest,
+                    isDirectory: false,
+                    isSymbolicLink: false,
+                    ino,
+                });
             }
         }
-        for (const dirPath of this.dirs.values()) {
-            if (dirPath.startsWith(prefix)) {
-                const rest = dirPath.slice(prefix.length);
-                if (rest && !rest.includes("/")) {
-                    entries.set(rest, true);
-                }
+        for (const [dirPath, ino] of this.dirs.entries()) {
+            if (!dirPath.startsWith(prefix))
+                continue;
+            const rest = dirPath.slice(prefix.length);
+            if (rest && !rest.includes("/")) {
+                entries.set(rest, {
+                    name: rest,
+                    isDirectory: true,
+                    isSymbolicLink: false,
+                    ino,
+                });
             }
         }
-        return Array.from(entries.entries()).map(([name, isDirectory]) => ({
-            name,
-            isDirectory,
-        }));
+        for (const linkPath of this.symlinks.keys()) {
+            if (!linkPath.startsWith(prefix))
+                continue;
+            const rest = linkPath.slice(prefix.length);
+            if (rest && !rest.includes("/")) {
+                entries.set(rest, {
+                    name: rest,
+                    isDirectory: false,
+                    isSymbolicLink: true,
+                    ino: 0,
+                });
+            }
+        }
+        return Array.from(entries.values());
     }
     async readFile(path) {
         const normalized = normalizePath(path);
-        const data = this.files.get(normalized);
-        if (!data) {
+        const resolved = this.resolveSymlink(normalized);
+        const ino = this.files.get(resolved);
+        if (ino === undefined) {
             throw new Error(`ENOENT: no such file or directory, open '${normalized}'`);
         }
-        return data;
+        return this.readFileByInode(ino);
     }
     async readTextFile(path) {
         const data = await this.readFile(path);
@@ -84,7 +161,56 @@ export class InMemoryFileSystem {
         const normalized = normalizePath(path);
         await this.mkdir(dirname(normalized));
         const data = typeof content === "string" ? new TextEncoder().encode(content) : content;
-        this.files.set(normalized, data);
+        const resolved = this.resolveIfSymlink(normalized) ?? normalized;
+        const existing = this.files.get(resolved);
+        if (existing !== undefined) {
+            this.writeFileByInode(existing, data);
+            return;
+        }
+        const inode = this.allocateFileInode();
+        this.files.set(resolved, inode.ino);
+        this.fileContents.set(inode.ino, data);
+        this.updateFileMetadata(inode.ino, data.byteLength);
+    }
+    prepareOpenSync(path, flags) {
+        const normalized = normalizePath(path);
+        const resolved = this.resolveIfSymlink(normalized) ?? normalized;
+        const hasCreate = (flags & O_CREAT) !== 0;
+        const hasExcl = (flags & O_EXCL) !== 0;
+        const hasTrunc = (flags & O_TRUNC) !== 0;
+        const fileIno = this.files.get(resolved);
+        const exists = fileIno !== undefined || this.dirs.has(resolved) || this.symlinks.has(normalized);
+        if (hasCreate && hasExcl && exists) {
+            throw new KernelError("EEXIST", `file already exists, open '${normalized}'`);
+        }
+        let created = false;
+        if (fileIno === undefined && hasCreate) {
+            const parts = splitPath(dirname(resolved));
+            let current = "";
+            for (const part of parts) {
+                current += `/${part}`;
+                if (!this.dirs.has(current)) {
+                    this.dirs.set(current, this.allocateDirectoryInode().ino);
+                }
+            }
+            const inode = this.allocateFileInode();
+            this.files.set(resolved, inode.ino);
+            this.fileContents.set(inode.ino, new Uint8Array(0));
+            this.updateFileMetadata(inode.ino, 0);
+            created = true;
+        }
+        if (hasTrunc) {
+            if (this.dirs.has(resolved)) {
+                throw new KernelError("EISDIR", `illegal operation on a directory, open '${normalized}'`);
+            }
+            const truncateIno = this.files.get(resolved);
+            if (truncateIno === undefined) {
+                throw new KernelError("ENOENT", `no such file or directory, open '${normalized}'`);
+            }
+            this.fileContents.set(truncateIno, new Uint8Array(0));
+            this.updateFileMetadata(truncateIno, 0);
+        }
+        return created;
     }
     async createDir(path) {
         const normalized = normalizePath(path);
@@ -92,59 +218,60 @@ export class InMemoryFileSystem {
         if (!this.dirs.has(parent)) {
             throw new Error(`ENOENT: no such file or directory, mkdir '${normalized}'`);
         }
-        this.dirs.add(normalized);
+        if (!this.dirs.has(normalized)) {
+            this.dirs.set(normalized, this.allocateDirectoryInode().ino);
+        }
     }
-    async mkdir(path) {
+    async mkdir(path, _options) {
         const parts = splitPath(path);
         let current = "";
         for (const part of parts) {
             current += `/${part}`;
             if (!this.dirs.has(current)) {
-                this.dirs.add(current);
+                this.dirs.set(current, this.allocateDirectoryInode().ino);
             }
         }
     }
+    resolveIfSymlink(normalized) {
+        return this.symlinks.has(normalized) ? this.resolveSymlink(normalized) : null;
+    }
     resolveSymlink(normalized, maxDepth = 16) {
         let current = normalized;
         for (let i = 0; i < maxDepth; i++) {
             const target = this.symlinks.get(current);
             if (!target)
                 return current;
-            current = target.startsWith("/") ? normalizePath(target) : normalizePath(`${dirname(current)}/${target}`);
+            current = target.startsWith("/")
+                ? normalizePath(target)
+                : normalizePath(`${dirname(current)}/${target}`);
         }
         throw new Error(`ELOOP: too many levels of symbolic links, stat '${normalized}'`);
     }
+    statForInode(inode) {
+        const isDirectory = (inode.mode & 0o170000) === S_IFDIR;
+        return {
+            mode: inode.mode,
+            size: isDirectory ? 4096 : inode.size,
+            isDirectory,
+            isSymbolicLink: false,
+            atimeMs: inode.atime.getTime(),
+            mtimeMs: inode.mtime.getTime(),
+            ctimeMs: inode.ctime.getTime(),
+            birthtimeMs: inode.birthtime.getTime(),
+            ino: inode.ino,
+            nlink: inode.nlink,
+            uid: inode.uid,
+            gid: inode.gid,
+        };
+    }
     statEntry(normalized) {
-        const now = Date.now();
-        const ts = this.timestamps.get(normalized);
-        const owner = this.owners.get(normalized);
-        const customMode = this.modes.get(normalized);
-        const atimeMs = ts?.atimeMs ?? now;
-        const mtimeMs = ts?.mtimeMs ?? now;
-        const file = this.files.get(normalized);
-        if (file) {
-            return {
-                mode: customMode ?? (S_IFREG | 0o644),
-                size: file.byteLength,
-                isDirectory: false,
-                isSymbolicLink: false,
-                atimeMs,
-                mtimeMs,
-                ctimeMs: now,
-                birthtimeMs: now,
-            };
+        const fileIno = this.files.get(normalized);
+        if (fileIno !== undefined) {
+            return this.statByInode(fileIno);
         }
-        if (this.dirs.has(normalized)) {
-            return {
-                mode: customMode ?? (S_IFDIR | 0o755),
-                size: 4096,
-                isDirectory: true,
-                isSymbolicLink: false,
-                atimeMs,
-                mtimeMs,
-                ctimeMs: now,
-                birthtimeMs: now,
-            };
+        const dirIno = this.dirs.get(normalized);
+        if (dirIno !== undefined) {
+            return this.statByInode(dirIno);
         }
         throw new Error(`ENOENT: no such file or directory, stat '${normalized}'`);
     }
@@ -152,8 +279,8 @@ export class InMemoryFileSystem {
         const normalized = normalizePath(path);
         if (this.symlinks.has(normalized)) {
             try {
-                this.resolveSymlink(normalized);
-                return true;
+                const resolved = this.resolveSymlink(normalized);
+                return this.files.has(resolved) || this.dirs.has(resolved);
             }
             catch {
                 return false;
@@ -168,9 +295,20 @@ export class InMemoryFileSystem {
     }
     async removeFile(path) {
         const normalized = normalizePath(path);
-        if (!this.files.delete(normalized)) {
+        if (this.symlinks.delete(normalized)) {
+            return;
+        }
+        const resolved = this.resolveSymlink(normalized);
+        const ino = this.files.get(resolved);
+        if (ino === undefined) {
             throw new Error(`ENOENT: no such file or directory, unlink '${normalized}'`);
         }
+        this.files.delete(resolved);
+        this.inodeTable.decrementLinks(ino);
+        if (this.inodeTable.shouldDelete(ino)) {
+            this.deleteInodeData(ino);
+            this.inodeTable.delete(ino);
+        }
     }
     async removeDir(path) {
         const normalized = normalizePath(path);
@@ -186,12 +324,22 @@ export class InMemoryFileSystem {
                 throw new Error(`ENOTEMPTY: directory not empty, rmdir '${normalized}'`);
             }
         }
-        for (const dirPath of this.dirs.values()) {
+        for (const dirPath of this.dirs.keys()) {
             if (dirPath !== normalized && dirPath.startsWith(prefix)) {
                 throw new Error(`ENOTEMPTY: directory not empty, rmdir '${normalized}'`);
             }
         }
+        for (const linkPath of this.symlinks.keys()) {
+            if (linkPath.startsWith(prefix)) {
+                throw new Error(`ENOTEMPTY: directory not empty, rmdir '${normalized}'`);
+            }
+        }
+        const ino = this.dirs.get(normalized);
         this.dirs.delete(normalized);
+        this.inodeTable.decrementLinks(ino);
+        if (this.inodeTable.shouldDelete(ino)) {
+            this.inodeTable.delete(ino);
+        }
     }
     async rename(oldPath, newPath) {
         const oldNormalized = normalizePath(oldPath);
@@ -206,9 +354,23 @@ export class InMemoryFileSystem {
             if (this.dirs.has(newNormalized)) {
                 throw new Error(`EISDIR: illegal operation on a directory, rename '${oldNormalized}' -> '${newNormalized}'`);
             }
-            const content = this.files.get(oldNormalized);
-            this.files.set(newNormalized, content);
+            if (this.files.has(newNormalized) || this.symlinks.has(newNormalized)) {
+                throw new Error(`EEXIST: file already exists, rename '${oldNormalized}' -> '${newNormalized}'`);
+            }
+            const ino = this.files.get(oldNormalized);
             this.files.delete(oldNormalized);
+            this.files.set(newNormalized, ino);
+            return;
+        }
+        if (this.symlinks.has(oldNormalized)) {
+            if (this.files.has(newNormalized) ||
+                this.dirs.has(newNormalized) ||
+                this.symlinks.has(newNormalized)) {
+                throw new Error(`EEXIST: file already exists, rename '${oldNormalized}' -> '${newNormalized}'`);
+            }
+            const target = this.symlinks.get(oldNormalized);
+            this.symlinks.delete(oldNormalized);
+            this.symlinks.set(newNormalized, target);
             return;
         }
         if (!this.dirs.has(oldNormalized)) {
@@ -220,34 +382,42 @@ export class InMemoryFileSystem {
         if (newNormalized.startsWith(`${oldNormalized}/`)) {
             throw new Error(`EINVAL: invalid argument, rename '${oldNormalized}' -> '${newNormalized}'`);
         }
-        if (this.dirs.has(newNormalized) || this.files.has(newNormalized)) {
+        if (this.dirs.has(newNormalized) ||
+            this.files.has(newNormalized) ||
+            this.symlinks.has(newNormalized)) {
             throw new Error(`EEXIST: file already exists, rename '${oldNormalized}' -> '${newNormalized}'`);
         }
         const sourcePrefix = `${oldNormalized}/`;
         const targetPrefix = `${newNormalized}/`;
-        const dirPaths = Array.from(this.dirs.values())
-            .filter((path) => path === oldNormalized || path.startsWith(sourcePrefix))
-            .sort((a, b) => a.length - b.length);
-        const filePaths = Array.from(this.files.keys()).filter((path) => path.startsWith(sourcePrefix));
-        for (const path of dirPaths) {
+        const dirEntries = Array.from(this.dirs.entries())
+            .filter(([path]) => path === oldNormalized || path.startsWith(sourcePrefix))
+            .sort(([a], [b]) => a.length - b.length);
+        const fileEntries = Array.from(this.files.entries()).filter(([path]) => path.startsWith(sourcePrefix));
+        const symlinkEntries = Array.from(this.symlinks.entries()).filter(([path]) => path.startsWith(sourcePrefix));
+        for (const [path] of dirEntries)
             this.dirs.delete(path);
-        }
-        for (const path of filePaths) {
-            const content = this.files.get(path);
+        for (const [path] of fileEntries)
             this.files.delete(path);
-            this.files.set(`${targetPrefix}${path.slice(sourcePrefix.length)}`, content);
+        for (const [path] of symlinkEntries)
+            this.symlinks.delete(path);
+        for (const [path, ino] of dirEntries) {
+            const nextPath = path === oldNormalized
+                ? newNormalized
+                : `${targetPrefix}${path.slice(sourcePrefix.length)}`;
+            this.dirs.set(nextPath, ino);
         }
-        this.dirs.add(newNormalized);
-        for (const path of dirPaths) {
-            if (path === oldNormalized) {
-                continue;
-            }
-            this.dirs.add(`${targetPrefix}${path.slice(sourcePrefix.length)}`);
+        for (const [path, ino] of fileEntries) {
+            this.files.set(`${targetPrefix}${path.slice(sourcePrefix.length)}`, ino);
+        }
+        for (const [path, target] of symlinkEntries) {
+            this.symlinks.set(`${targetPrefix}${path.slice(sourcePrefix.length)}`, target);
         }
     }
     async symlink(target, linkPath) {
         const normalized = normalizePath(linkPath);
-        if (this.files.has(normalized) || this.dirs.has(normalized) || this.symlinks.has(normalized)) {
+        if (this.files.has(normalized) ||
+            this.dirs.has(normalized) ||
+            this.symlinks.has(normalized)) {
             throw new Error(`EEXIST: file already exists, symlink '${target}' -> '${normalized}'`);
         }
         await this.mkdir(dirname(normalized));
@@ -275,6 +445,10 @@ export class InMemoryFileSystem {
                 mtimeMs: now,
                 ctimeMs: now,
                 birthtimeMs: now,
+                ino: 0,
+                nlink: 1,
+                uid: 0,
+                gid: 0,
             };
         }
         return this.statEntry(normalized);
@@ -282,58 +456,158 @@ export class InMemoryFileSystem {
     async link(oldPath, newPath) {
         const oldNormalized = normalizePath(oldPath);
         const newNormalized = normalizePath(newPath);
-        const file = this.files.get(oldNormalized);
-        if (!file) {
+        const resolved = this.resolveSymlink(oldNormalized);
+        const ino = this.files.get(resolved);
+        if (ino === undefined) {
             throw new Error(`ENOENT: no such file or directory, link '${oldNormalized}' -> '${newNormalized}'`);
         }
-        if (this.files.has(newNormalized) || this.dirs.has(newNormalized)) {
+        if (this.files.has(newNormalized) ||
+            this.dirs.has(newNormalized) ||
+            this.symlinks.has(newNormalized)) {
             throw new Error(`EEXIST: file already exists, link '${oldNormalized}' -> '${newNormalized}'`);
         }
         await this.mkdir(dirname(newNormalized));
-        this.files.set(newNormalized, file);
-        this.hardLinks.set(newNormalized, oldNormalized);
+        this.files.set(newNormalized, ino);
+        this.inodeTable.incrementLinks(ino);
     }
     async chmod(path, mode) {
-        const normalized = normalizePath(path);
-        const resolved = this.resolveSymlink(normalized);
-        if (!this.files.has(resolved) && !this.dirs.has(resolved)) {
-            throw new Error(`ENOENT: no such file or directory, chmod '${normalized}'`);
+        const inode = this.requirePathInode(path, "chmod");
+        const callerTypeBits = mode & 0o170000;
+        if (callerTypeBits !== 0) {
+            inode.mode = mode;
+        }
+        else {
+            const existingTypeBits = inode.mode & 0o170000;
+            inode.mode = existingTypeBits | (mode & 0o7777);
         }
-        const existing = this.modes.get(resolved);
-        const typeBits = existing ? (existing & 0o170000) : (this.files.has(resolved) ? S_IFREG : S_IFDIR);
-        this.modes.set(resolved, typeBits | (mode & 0o7777));
+        inode.ctime = new Date();
     }
     async chown(path, uid, gid) {
+        const inode = this.requirePathInode(path, "chown");
+        inode.uid = uid;
+        inode.gid = gid;
+        inode.ctime = new Date();
+    }
+    async utimes(path, atime, mtime) {
+        const inode = this.requirePathInode(path, "utimes");
+        inode.atime = new Date(atime * 1000);
+        inode.mtime = new Date(mtime * 1000);
+        inode.ctime = new Date();
+    }
+    async realpath(path) {
         const normalized = normalizePath(path);
         const resolved = this.resolveSymlink(normalized);
         if (!this.files.has(resolved) && !this.dirs.has(resolved)) {
-            throw new Error(`ENOENT: no such file or directory, chown '${normalized}'`);
+            throw new Error(`ENOENT: no such file or directory, realpath '${normalized}'`);
         }
-        this.owners.set(resolved, { uid, gid });
+        return resolved;
     }
-    async utimes(path, atime, mtime) {
+    async pread(path, offset, length) {
         const normalized = normalizePath(path);
         const resolved = this.resolveSymlink(normalized);
-        if (!this.files.has(resolved) && !this.dirs.has(resolved)) {
-            throw new Error(`ENOENT: no such file or directory, utimes '${normalized}'`);
+        const ino = this.files.get(resolved);
+        if (ino === undefined) {
+            throw new Error(`ENOENT: no such file or directory, open '${normalized}'`);
         }
-        this.timestamps.set(resolved, { atimeMs: atime * 1000, mtimeMs: mtime * 1000 });
+        return this.preadByInode(ino, offset, length);
     }
     async truncate(path, length) {
         const normalized = normalizePath(path);
         const resolved = this.resolveSymlink(normalized);
-        const file = this.files.get(resolved);
-        if (!file) {
+        const ino = this.files.get(resolved);
+        if (ino === undefined) {
             throw new Error(`ENOENT: no such file or directory, truncate '${normalized}'`);
         }
-        if (length >= file.byteLength) {
-            const padded = new Uint8Array(length);
-            padded.set(file);
-            this.files.set(resolved, padded);
+        const file = this.readFileByInode(ino);
+        const next = length >= file.byteLength
+            ? (() => {
+                const padded = new Uint8Array(length);
+                padded.set(file);
+                return padded;
+            })()
+            : file.slice(0, length);
+        this.fileContents.set(ino, next);
+        this.updateFileMetadata(ino, next.byteLength);
+    }
+    reindexInodes(oldTable) {
+        const oldContents = new Map(this.fileContents);
+        const oldFiles = new Map(this.files);
+        const oldDirs = Array.from(this.dirs.entries()).sort(([a], [b]) => a.length - b.length);
+        const inoMap = new Map();
+        this.files = new Map();
+        this.fileContents = new Map();
+        this.dirs = new Map();
+        for (const [dirPath, oldIno] of oldDirs) {
+            const ino = this.cloneInode(oldIno, oldTable, S_IFDIR | 0o755).ino;
+            this.dirs.set(dirPath, ino);
+        }
+        if (!this.dirs.has("/")) {
+            this.dirs.set("/", this.allocateDirectoryInode().ino);
+        }
+        for (const [path, oldIno] of oldFiles) {
+            const mapped = inoMap.get(oldIno) ?? (() => {
+                const inode = this.cloneInode(oldIno, oldTable, S_IFREG | 0o644);
+                inoMap.set(oldIno, inode.ino);
+                return inode.ino;
+            })();
+            this.files.set(path, mapped);
+            const content = oldContents.get(oldIno);
+            if (content) {
+                this.fileContents.set(mapped, content);
+                this.requireInode(mapped).size = content.byteLength;
+            }
         }
-        else {
-            this.files.set(resolved, file.slice(0, length));
+    }
+    cloneInode(oldIno, oldTable, fallbackMode) {
+        const source = oldTable.get(oldIno);
+        const inode = this.inodeTable.allocate(source?.mode ?? fallbackMode, source?.uid ?? 0, source?.gid ?? 0);
+        inode.nlink = source?.nlink ?? 1;
+        inode.openRefCount = 0;
+        inode.size = source?.size ?? 0;
+        inode.atime = source?.atime ? new Date(source.atime) : new Date();
+        inode.mtime = source?.mtime ? new Date(source.mtime) : new Date();
+        inode.ctime = source?.ctime ? new Date(source.ctime) : new Date();
+        inode.birthtime = source?.birthtime ? new Date(source.birthtime) : new Date();
+        return inode;
+    }
+    allocateFileInode() {
+        return this.inodeTable.allocate(S_IFREG | 0o644, 0, 0);
+    }
+    allocateDirectoryInode() {
+        const inode = this.inodeTable.allocate(S_IFDIR | 0o755, 0, 0);
+        inode.size = 4096;
+        return inode;
+    }
+    updateFileMetadata(ino, size) {
+        const inode = this.requireFileInode(ino);
+        const now = new Date();
+        inode.size = size;
+        inode.atime = now;
+        inode.mtime = now;
+        inode.ctime = now;
+    }
+    requirePathInode(path, op) {
+        const normalized = normalizePath(path);
+        const resolved = this.resolveSymlink(normalized);
+        const ino = this.files.get(resolved) ?? this.dirs.get(resolved);
+        if (ino === undefined) {
+            throw new Error(`ENOENT: no such file or directory, ${op} '${normalized}'`);
+        }
+        return this.requireInode(ino);
+    }
+    requireFileInode(ino) {
+        const inode = this.requireInode(ino);
+        if ((inode.mode & 0o170000) !== S_IFREG && (inode.mode & 0o170000) !== S_IFSOCK) {
+            throw new Error(`EINVAL: inode ${ino} is not a regular file`);
+        }
+        return inode;
+    }
+    requireInode(ino) {
+        const inode = this.inodeTable.get(ino);
+        if (!inode) {
+            throw new Error(`ENOENT: inode ${ino} not found`);
         }
+        return inode;
     }
 }
 export function createInMemoryFileSystem() {

package/dist/shared/permissions.d.ts

@@ -5,7 +5,9 @@
  * checks that throw EACCES on denial. When no permission callback is provided
  * for a category, guarded operations in that category are denied by default.
  */
-import type { CommandExecutor, EnvAccessRequest, NetworkAdapter, Permissions, VirtualFileSystem } from "../types.js";
+import type { EnvAccessRequest, Permissions } from "../kernel/types.js";
+import type { VirtualFileSystem } from "../kernel/vfs.js";
+import type { CommandExecutor, NetworkAdapter } from "../types.js";
 export declare const allowAllFs: Pick<Permissions, "fs">;
 export declare const allowAllNetwork: Pick<Permissions, "network">;
 export declare const allowAllChildProcess: Pick<Permissions, "childProcess">;
@@ -16,11 +18,7 @@ export declare const allowAll: Permissions;
  * Throws EACCES if the permission callback denies or is absent.
  */
 export declare function wrapFileSystem(fs: VirtualFileSystem, permissions?: Permissions): VirtualFileSystem;
-/**
- * Wrap a NetworkAdapter so externally-originating operations (`listen`, `fetch`,
- * `dns`, `http`) pass through the network permission check.
- * `httpServerClose` is forwarded as-is.
- */
+/** Wrap a NetworkAdapter so external client operations pass through the network permission check. */
 export declare function wrapNetworkAdapter(adapter: NetworkAdapter, permissions?: Permissions): NetworkAdapter;
 /** Wrap a CommandExecutor so spawn passes through the childProcess permission check. */
 export declare function wrapCommandExecutor(executor: CommandExecutor, permissions?: Permissions): CommandExecutor;