@secure-exec/core 0.1.1-rc.3 → 0.2.0-rc.1

package/dist/kernel/index.d.ts

@@ -0,0 +1,36 @@
+/**
+ * @secure-exec/kernel
+ *
+ * OS kernel providing VFS, FD table, process table, device layer,
+ * pipes, command registry, and permissions. All runtimes share the
+ * same kernel instance.
+ */
+export { createKernel } from "./kernel.js";
+export type { Kernel, KernelOptions, KernelInterface, ExecOptions, ExecResult, SpawnOptions, ManagedProcess, RuntimeDriver, ProcessContext, DriverProcess, ProcessEntry, ProcessInfo, FDStat, FileDescription, FDEntry, Pipe, Permissions, PermissionDecision, PermissionCheck, FsAccessRequest, NetworkAccessRequest, ChildProcessAccessRequest, EnvAccessRequest, KernelErrorCode, SignalDisposition, SignalHandler, ProcessSignalState, Termios, TermiosCC, OpenShellOptions, ShellHandle, ConnectTerminalOptions, } from "./types.js";
+export { KernelError, defaultTermios } from "./types.js";
+export type { VirtualFileSystem, VirtualDirEntry, VirtualStat, } from "./vfs.js";
+export { FDTableManager, ProcessFDTable } from "./fd-table.js";
+export { ProcessTable } from "./process-table.js";
+export { createDeviceLayer } from "./device-layer.js";
+export { createProcLayer, createProcessScopedFileSystem, resolveProcSelfPath, } from "./proc-layer.js";
+export { PipeManager } from "./pipe-manager.js";
+export { PtyManager } from "./pty.js";
+export type { LineDisciplineConfig } from "./pty.js";
+export { CommandRegistry } from "./command-registry.js";
+export { FileLockManager, LOCK_SH, LOCK_EX, LOCK_UN, LOCK_NB } from "./file-lock.js";
+export { WaitHandle, WaitQueue } from "./wait.js";
+export { InodeTable } from "./inode-table.js";
+export type { Inode } from "./inode-table.js";
+export { TimerTable } from "./timer-table.js";
+export type { KernelTimer, TimerTableOptions } from "./timer-table.js";
+export { DnsCache } from "./dns-cache.js";
+export type { DnsCacheOptions } from "./dns-cache.js";
+export { UserManager } from "./user.js";
+export type { UserConfig } from "./user.js";
+export { SocketTable } from "./socket-table.js";
+export type { KernelSocket, SocketState, SockAddr, InetAddr, UnixAddr, UdpDatagram, } from "./socket-table.js";
+export { AF_INET, AF_INET6, AF_UNIX, SOCK_STREAM, SOCK_DGRAM, SOL_SOCKET, IPPROTO_TCP, SO_REUSEADDR, SO_KEEPALIVE, SO_RCVBUF, SO_SNDBUF, TCP_NODELAY, MSG_PEEK, MSG_DONTWAIT, MSG_NOSIGNAL, MAX_DATAGRAM_SIZE, MAX_UDP_QUEUE_DEPTH, S_IFSOCK, isInetAddr, isUnixAddr, addrKey, optKey, } from "./socket-table.js";
+export type { HostNetworkAdapter, HostSocket, HostListener, HostUdpSocket, DnsResult, } from "./host-adapter.js";
+export { wrapFileSystem, filterEnv, checkChildProcess, allowAll, allowAllFs, allowAllNetwork, allowAllChildProcess, allowAllEnv, } from "./permissions.js";
+export { O_RDONLY, O_WRONLY, O_RDWR, O_CREAT, O_EXCL, O_TRUNC, O_APPEND, O_CLOEXEC, F_DUPFD, F_GETFD, F_SETFD, F_GETFL, F_DUPFD_CLOEXEC, FD_CLOEXEC, SEEK_SET, SEEK_CUR, SEEK_END, FILETYPE_UNKNOWN, FILETYPE_CHARACTER_DEVICE, FILETYPE_DIRECTORY, FILETYPE_REGULAR_FILE, FILETYPE_SYMBOLIC_LINK, FILETYPE_PIPE, SIGHUP, SIGINT, SIGQUIT, SIGKILL, SIGPIPE, SIGALRM, SIGTERM, SIGCHLD, SIGCONT, SIGSTOP, SIGTSTP, SIGWINCH, SA_RESTART, SA_RESETHAND, SA_NOCLDSTOP, SIG_BLOCK, SIG_UNBLOCK, SIG_SETMASK, WNOHANG, } from "./types.js";
+export { encodeExitStatus, encodeSignalStatus, WIFEXITED, WEXITSTATUS, WIFSIGNALED, WTERMSIG, } from "./wstatus.js";

package/dist/kernel/index.js

@@ -0,0 +1,34 @@
+/**
+ * @secure-exec/kernel
+ *
+ * OS kernel providing VFS, FD table, process table, device layer,
+ * pipes, command registry, and permissions. All runtimes share the
+ * same kernel instance.
+ */
+// Kernel factory
+export { createKernel } from "./kernel.js";
+// Structured kernel error and termios defaults
+export { KernelError, defaultTermios } from "./types.js";
+// Kernel components (for direct use / testing)
+export { FDTableManager, ProcessFDTable } from "./fd-table.js";
+export { ProcessTable } from "./process-table.js";
+export { createDeviceLayer } from "./device-layer.js";
+export { createProcLayer, createProcessScopedFileSystem, resolveProcSelfPath, } from "./proc-layer.js";
+export { PipeManager } from "./pipe-manager.js";
+export { PtyManager } from "./pty.js";
+export { CommandRegistry } from "./command-registry.js";
+export { FileLockManager, LOCK_SH, LOCK_EX, LOCK_UN, LOCK_NB } from "./file-lock.js";
+export { WaitHandle, WaitQueue } from "./wait.js";
+export { InodeTable } from "./inode-table.js";
+export { TimerTable } from "./timer-table.js";
+export { DnsCache } from "./dns-cache.js";
+export { UserManager } from "./user.js";
+// Socket table
+export { SocketTable } from "./socket-table.js";
+export { AF_INET, AF_INET6, AF_UNIX, SOCK_STREAM, SOCK_DGRAM, SOL_SOCKET, IPPROTO_TCP, SO_REUSEADDR, SO_KEEPALIVE, SO_RCVBUF, SO_SNDBUF, TCP_NODELAY, MSG_PEEK, MSG_DONTWAIT, MSG_NOSIGNAL, MAX_DATAGRAM_SIZE, MAX_UDP_QUEUE_DEPTH, S_IFSOCK, isInetAddr, isUnixAddr, addrKey, optKey, } from "./socket-table.js";
+// Permissions
+export { wrapFileSystem, filterEnv, checkChildProcess, allowAll, allowAllFs, allowAllNetwork, allowAllChildProcess, allowAllEnv, } from "./permissions.js";
+// Constants
+export { O_RDONLY, O_WRONLY, O_RDWR, O_CREAT, O_EXCL, O_TRUNC, O_APPEND, O_CLOEXEC, F_DUPFD, F_GETFD, F_SETFD, F_GETFL, F_DUPFD_CLOEXEC, FD_CLOEXEC, SEEK_SET, SEEK_CUR, SEEK_END, FILETYPE_UNKNOWN, FILETYPE_CHARACTER_DEVICE, FILETYPE_DIRECTORY, FILETYPE_REGULAR_FILE, FILETYPE_SYMBOLIC_LINK, FILETYPE_PIPE, SIGHUP, SIGINT, SIGQUIT, SIGKILL, SIGPIPE, SIGALRM, SIGTERM, SIGCHLD, SIGCONT, SIGSTOP, SIGTSTP, SIGWINCH, SA_RESTART, SA_RESETHAND, SA_NOCLDSTOP, SIG_BLOCK, SIG_UNBLOCK, SIG_SETMASK, WNOHANG, } from "./types.js";
+// POSIX wstatus encoding/decoding
+export { encodeExitStatus, encodeSignalStatus, WIFEXITED, WEXITSTATUS, WIFSIGNALED, WTERMSIG, } from "./wstatus.js";

package/dist/kernel/inode-table.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Inode table with refcounting and deferred unlink.
+ *
+ * Provides a POSIX-style inode layer: hard link counts (nlink),
+ * open FD reference counting (openRefCount), and deferred deletion
+ * when nlink reaches 0 but FDs are still open.
+ */
+export interface Inode {
+    readonly ino: number;
+    nlink: number;
+    openRefCount: number;
+    mode: number;
+    uid: number;
+    gid: number;
+    size: number;
+    atime: Date;
+    mtime: Date;
+    ctime: Date;
+    birthtime: Date;
+}
+export declare class InodeTable {
+    private inodes;
+    private nextIno;
+    /** Allocate a new inode with the given mode, uid, gid. Returns the inode. */
+    allocate(mode: number, uid: number, gid: number): Inode;
+    /** Look up an inode by number. */
+    get(ino: number): Inode | null;
+    /** Increment hard link count (new directory entry pointing to this inode). */
+    incrementLinks(ino: number): void;
+    /** Decrement hard link count (directory entry removed). */
+    decrementLinks(ino: number): void;
+    /** Increment open FD reference count. */
+    incrementOpenRefs(ino: number): void;
+    /** Decrement open FD reference count. */
+    decrementOpenRefs(ino: number): void;
+    /** True when nlink=0 AND openRefCount=0 — inode data can be freed. */
+    shouldDelete(ino: number): boolean;
+    /** Remove the inode from the table. Called after shouldDelete returns true. */
+    delete(ino: number): void;
+    /** Number of inodes in the table. */
+    get size(): number;
+    private requireInode;
+}

package/dist/kernel/inode-table.js

@@ -0,0 +1,85 @@
+/**
+ * Inode table with refcounting and deferred unlink.
+ *
+ * Provides a POSIX-style inode layer: hard link counts (nlink),
+ * open FD reference counting (openRefCount), and deferred deletion
+ * when nlink reaches 0 but FDs are still open.
+ */
+import { KernelError } from "./types.js";
+export class InodeTable {
+    inodes = new Map();
+    nextIno = 1;
+    /** Allocate a new inode with the given mode, uid, gid. Returns the inode. */
+    allocate(mode, uid, gid) {
+        const now = new Date();
+        const inode = {
+            ino: this.nextIno++,
+            nlink: 1,
+            openRefCount: 0,
+            mode,
+            uid,
+            gid,
+            size: 0,
+            atime: now,
+            mtime: now,
+            ctime: now,
+            birthtime: now,
+        };
+        this.inodes.set(inode.ino, inode);
+        return inode;
+    }
+    /** Look up an inode by number. */
+    get(ino) {
+        return this.inodes.get(ino) ?? null;
+    }
+    /** Increment hard link count (new directory entry pointing to this inode). */
+    incrementLinks(ino) {
+        const inode = this.requireInode(ino);
+        inode.nlink++;
+        inode.ctime = new Date();
+    }
+    /** Decrement hard link count (directory entry removed). */
+    decrementLinks(ino) {
+        const inode = this.requireInode(ino);
+        if (inode.nlink <= 0) {
+            throw new KernelError("EINVAL", `inode ${ino} nlink already 0`);
+        }
+        inode.nlink--;
+        inode.ctime = new Date();
+    }
+    /** Increment open FD reference count. */
+    incrementOpenRefs(ino) {
+        const inode = this.requireInode(ino);
+        inode.openRefCount++;
+    }
+    /** Decrement open FD reference count. */
+    decrementOpenRefs(ino) {
+        const inode = this.requireInode(ino);
+        if (inode.openRefCount <= 0) {
+            throw new KernelError("EINVAL", `inode ${ino} openRefCount already 0`);
+        }
+        inode.openRefCount--;
+    }
+    /** True when nlink=0 AND openRefCount=0 — inode data can be freed. */
+    shouldDelete(ino) {
+        const inode = this.inodes.get(ino);
+        if (!inode)
+            return false;
+        return inode.nlink === 0 && inode.openRefCount === 0;
+    }
+    /** Remove the inode from the table. Called after shouldDelete returns true. */
+    delete(ino) {
+        this.inodes.delete(ino);
+    }
+    /** Number of inodes in the table. */
+    get size() {
+        return this.inodes.size;
+    }
+    requireInode(ino) {
+        const inode = this.inodes.get(ino);
+        if (!inode) {
+            throw new KernelError("ENOENT", `inode ${ino} not found`);
+        }
+        return inode;
+    }
+}

package/dist/kernel/kernel.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Kernel implementation.
+ *
+ * The kernel is the OS. It owns VFS, FD table, process table, device layer,
+ * pipe manager, command registry, and permissions. Runtimes are execution
+ * engines that make "syscalls" to the kernel.
+ */
+import type { Kernel, KernelOptions } from "./types.js";
+export declare function createKernel(options: KernelOptions): Kernel;