@secure-exec/core 0.1.1-rc.3 → 0.2.0-rc.2

Files changed (102) hide show
  1. package/dist/esm-compiler.d.ts +5 -1
  2. package/dist/esm-compiler.js +5 -1
  3. package/dist/fs-helpers.d.ts +1 -1
  4. package/dist/generated/isolate-runtime.d.ts +15 -15
  5. package/dist/generated/isolate-runtime.js +15 -15
  6. package/dist/index.d.ts +24 -5
  7. package/dist/index.js +23 -3
  8. package/dist/isolate-runtime/apply-custom-global-policy.js +3 -3
  9. package/dist/isolate-runtime/apply-timing-mitigation-freeze.js +2 -2
  10. package/dist/isolate-runtime/apply-timing-mitigation-off.js +2 -2
  11. package/dist/isolate-runtime/bridge-attach.js +2 -2
  12. package/dist/isolate-runtime/bridge-initial-globals.js +145 -6
  13. package/dist/isolate-runtime/eval-script-result.js +1 -1
  14. package/dist/isolate-runtime/global-exposure-helpers.js +2 -2
  15. package/dist/isolate-runtime/init-commonjs-module-globals.js +2 -2
  16. package/dist/isolate-runtime/override-process-cwd.js +1 -1
  17. package/dist/isolate-runtime/override-process-env.js +1 -1
  18. package/dist/isolate-runtime/require-setup.js +2868 -494
  19. package/dist/isolate-runtime/set-commonjs-file-globals.js +2 -2
  20. package/dist/isolate-runtime/set-stdin-data.js +1 -1
  21. package/dist/isolate-runtime/setup-dynamic-import.js +78 -19
  22. package/dist/isolate-runtime/setup-fs-facade.js +62 -23
  23. package/dist/kernel/command-registry.d.ts +44 -0
  24. package/dist/kernel/command-registry.js +114 -0
  25. package/dist/kernel/device-layer.d.ts +12 -0
  26. package/dist/kernel/device-layer.js +262 -0
  27. package/dist/kernel/dns-cache.d.ts +29 -0
  28. package/dist/kernel/dns-cache.js +52 -0
  29. package/dist/kernel/fd-table.d.ts +84 -0
  30. package/dist/kernel/fd-table.js +278 -0
  31. package/dist/kernel/file-lock.d.ts +34 -0
  32. package/dist/kernel/file-lock.js +122 -0
  33. package/dist/kernel/host-adapter.d.ts +50 -0
  34. package/dist/kernel/host-adapter.js +8 -0
  35. package/dist/kernel/index.d.ts +36 -0
  36. package/dist/kernel/index.js +34 -0
  37. package/dist/kernel/inode-table.d.ts +43 -0
  38. package/dist/kernel/inode-table.js +85 -0
  39. package/dist/kernel/kernel.d.ts +9 -0
  40. package/dist/kernel/kernel.js +1393 -0
  41. package/dist/kernel/permissions.d.ts +27 -0
  42. package/dist/kernel/permissions.js +118 -0
  43. package/dist/kernel/pipe-manager.d.ts +64 -0
  44. package/dist/kernel/pipe-manager.js +267 -0
  45. package/dist/kernel/proc-layer.d.ts +11 -0
  46. package/dist/kernel/proc-layer.js +501 -0
  47. package/dist/kernel/process-table.d.ts +124 -0
  48. package/dist/kernel/process-table.js +631 -0
  49. package/dist/kernel/pty.d.ts +108 -0
  50. package/dist/kernel/pty.js +541 -0
  51. package/dist/kernel/socket-table.d.ts +312 -0
  52. package/dist/kernel/socket-table.js +1188 -0
  53. package/dist/kernel/timer-table.d.ts +54 -0
  54. package/dist/kernel/timer-table.js +108 -0
  55. package/dist/kernel/types.d.ts +500 -0
  56. package/dist/kernel/types.js +89 -0
  57. package/dist/kernel/user.d.ts +29 -0
  58. package/dist/kernel/user.js +35 -0
  59. package/dist/kernel/vfs.d.ts +54 -0
  60. package/dist/kernel/vfs.js +8 -0
  61. package/dist/kernel/wait.d.ts +45 -0
  62. package/dist/kernel/wait.js +112 -0
  63. package/dist/kernel/wstatus.d.ts +21 -0
  64. package/dist/kernel/wstatus.js +33 -0
  65. package/dist/module-resolver.d.ts +4 -0
  66. package/dist/module-resolver.js +4 -0
  67. package/dist/package-bundler.d.ts +6 -1
  68. package/dist/runtime-driver.d.ts +3 -1
  69. package/dist/shared/bridge-contract.d.ts +349 -22
  70. package/dist/shared/bridge-contract.js +62 -5
  71. package/dist/shared/console-formatter.js +8 -4
  72. package/dist/shared/global-exposure.js +364 -19
  73. package/dist/shared/in-memory-fs.d.ts +33 -11
  74. package/dist/shared/in-memory-fs.js +439 -130
  75. package/dist/shared/permissions.d.ts +4 -6
  76. package/dist/shared/permissions.js +19 -39
  77. package/dist/types.d.ts +8 -159
  78. package/dist/types.js +5 -0
  79. package/package.json +12 -22
  80. package/dist/bridge/active-handles.d.ts +0 -22
  81. package/dist/bridge/active-handles.js +0 -55
  82. package/dist/bridge/child-process.d.ts +0 -99
  83. package/dist/bridge/child-process.js +0 -670
  84. package/dist/bridge/fs.d.ts +0 -281
  85. package/dist/bridge/fs.js +0 -2235
  86. package/dist/bridge/index.d.ts +0 -10
  87. package/dist/bridge/index.js +0 -41
  88. package/dist/bridge/module.d.ts +0 -75
  89. package/dist/bridge/module.js +0 -308
  90. package/dist/bridge/network.d.ts +0 -350
  91. package/dist/bridge/network.js +0 -2050
  92. package/dist/bridge/os.d.ts +0 -13
  93. package/dist/bridge/os.js +0 -256
  94. package/dist/bridge/polyfills.d.ts +0 -2
  95. package/dist/bridge/polyfills.js +0 -11
  96. package/dist/bridge/process.d.ts +0 -89
  97. package/dist/bridge/process.js +0 -1015
  98. package/dist/bridge.js +0 -12496
  99. package/dist/python-runtime.d.ts +0 -16
  100. package/dist/python-runtime.js +0 -45
  101. package/dist/runtime.d.ts +0 -31
  102. package/dist/runtime.js +0 -69
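--- a/package/dist/shared/bridge-contract.js
+++ b/package/dist/shared/bridge-contract.js
@@ -1,4 +1,8 @@
  /**
+ * @deprecated Canonical source moved to @secure-exec/nodejs (US-002).
+ * This copy is retained for backward compatibility during phased migration.
+ * Will be removed in US-005 when kernel merges into core.
+ *
  * Bridge contract: typed declarations for the globals shared between the
  * host (Node.js) and the isolate (sandbox V8 context).
  *
@@ -6,7 +10,7 @@
  * - Host bridge globals: set by the host before bridge code runs (fs refs, timers, etc.)
  * - Runtime bridge globals: installed by the bridge bundle itself (active handles, modules, etc.)
  *
- * The typed `Ref` aliases describe the isolated-vm calling convention for each global.
+ * The typed `Ref` aliases describe the bridge calling convention for each global.
  */
  function valuesOf(object) {
  return Object.values(object);
@@ -16,9 +20,7 @@ export const HOST_BRIDGE_GLOBAL_KEYS = {
  dynamicImport: "_dynamicImport",
  loadPolyfill: "_loadPolyfill",
  resolveModule: "_resolveModule",
- resolveModuleSync: "_resolveModuleSync",
  loadFile: "_loadFile",
- loadFileSync: "_loadFileSync",
  scheduleTimer: "_scheduleTimer",
  cryptoRandomFill: "_cryptoRandomFill",
  cryptoRandomUuid: "_cryptoRandomUUID",
@@ -33,7 +35,15 @@ export const HOST_BRIDGE_GLOBAL_KEYS = {
  cryptoCipherivFinal: "_cryptoCipherivFinal",
  cryptoSign: "_cryptoSign",
  cryptoVerify: "_cryptoVerify",
+ cryptoAsymmetricOp: "_cryptoAsymmetricOp",
+ cryptoCreateKeyObject: "_cryptoCreateKeyObject",
  cryptoGenerateKeyPairSync: "_cryptoGenerateKeyPairSync",
+ cryptoGenerateKeySync: "_cryptoGenerateKeySync",
+ cryptoGeneratePrimeSync: "_cryptoGeneratePrimeSync",
+ cryptoDiffieHellman: "_cryptoDiffieHellman",
+ cryptoDiffieHellmanGroup: "_cryptoDiffieHellmanGroup",
+ cryptoDiffieHellmanSessionCreate: "_cryptoDiffieHellmanSessionCreate",
+ cryptoDiffieHellmanSessionCall: "_cryptoDiffieHellmanSessionCall",
  cryptoSubtle: "_cryptoSubtle",
  fsReadFile: "_fsReadFile",
  fsWriteFile: "_fsWriteFile",
@@ -64,15 +74,60 @@ export const HOST_BRIDGE_GLOBAL_KEYS = {
  networkHttpRequestRaw: "_networkHttpRequestRaw",
  networkHttpServerListenRaw: "_networkHttpServerListenRaw",
  networkHttpServerCloseRaw: "_networkHttpServerCloseRaw",
+ networkHttpServerRespondRaw: "_networkHttpServerRespondRaw",
+ networkHttpServerWaitRaw: "_networkHttpServerWaitRaw",
+ networkHttp2ServerListenRaw: "_networkHttp2ServerListenRaw",
+ networkHttp2ServerCloseRaw: "_networkHttp2ServerCloseRaw",
+ networkHttp2ServerWaitRaw: "_networkHttp2ServerWaitRaw",
+ networkHttp2SessionConnectRaw: "_networkHttp2SessionConnectRaw",
+ networkHttp2SessionRequestRaw: "_networkHttp2SessionRequestRaw",
+ networkHttp2SessionSettingsRaw: "_networkHttp2SessionSettingsRaw",
+ networkHttp2SessionSetLocalWindowSizeRaw: "_networkHttp2SessionSetLocalWindowSizeRaw",
+ networkHttp2SessionGoawayRaw: "_networkHttp2SessionGoawayRaw",
+ networkHttp2SessionCloseRaw: "_networkHttp2SessionCloseRaw",
+ networkHttp2SessionDestroyRaw: "_networkHttp2SessionDestroyRaw",
+ networkHttp2SessionWaitRaw: "_networkHttp2SessionWaitRaw",
+ networkHttp2ServerPollRaw: "_networkHttp2ServerPollRaw",
+ networkHttp2SessionPollRaw: "_networkHttp2SessionPollRaw",
+ networkHttp2StreamRespondRaw: "_networkHttp2StreamRespondRaw",
+ networkHttp2StreamPushStreamRaw: "_networkHttp2StreamPushStreamRaw",
+ networkHttp2StreamWriteRaw: "_networkHttp2StreamWriteRaw",
+ networkHttp2StreamEndRaw: "_networkHttp2StreamEndRaw",
+ networkHttp2StreamCloseRaw: "_networkHttp2StreamCloseRaw",
+ networkHttp2StreamPauseRaw: "_networkHttp2StreamPauseRaw",
+ networkHttp2StreamResumeRaw: "_networkHttp2StreamResumeRaw",
+ networkHttp2StreamRespondWithFileRaw: "_networkHttp2StreamRespondWithFileRaw",
+ networkHttp2ServerRespondRaw: "_networkHttp2ServerRespondRaw",
  upgradeSocketWriteRaw: "_upgradeSocketWriteRaw",
  upgradeSocketEndRaw: "_upgradeSocketEndRaw",
  upgradeSocketDestroyRaw: "_upgradeSocketDestroyRaw",
  netSocketConnectRaw: "_netSocketConnectRaw",
+ netSocketWaitConnectRaw: "_netSocketWaitConnectRaw",
+ netSocketReadRaw: "_netSocketReadRaw",
+ netSocketSetNoDelayRaw: "_netSocketSetNoDelayRaw",
+ netSocketSetKeepAliveRaw: "_netSocketSetKeepAliveRaw",
  netSocketWriteRaw: "_netSocketWriteRaw",
  netSocketEndRaw: "_netSocketEndRaw",
  netSocketDestroyRaw: "_netSocketDestroyRaw",
  netSocketUpgradeTlsRaw: "_netSocketUpgradeTlsRaw",
+ netSocketGetTlsClientHelloRaw: "_netSocketGetTlsClientHelloRaw",
+ netSocketTlsQueryRaw: "_netSocketTlsQueryRaw",
+ tlsGetCiphersRaw: "_tlsGetCiphersRaw",
+ netServerListenRaw: "_netServerListenRaw",
+ netServerAcceptRaw: "_netServerAcceptRaw",
+ netServerCloseRaw: "_netServerCloseRaw",
+ dgramSocketCreateRaw: "_dgramSocketCreateRaw",
+ dgramSocketBindRaw: "_dgramSocketBindRaw",
+ dgramSocketRecvRaw: "_dgramSocketRecvRaw",
+ dgramSocketSendRaw: "_dgramSocketSendRaw",
+ dgramSocketCloseRaw: "_dgramSocketCloseRaw",
+ dgramSocketAddressRaw: "_dgramSocketAddressRaw",
+ dgramSocketSetBufferSizeRaw: "_dgramSocketSetBufferSizeRaw",
+ dgramSocketGetBufferSizeRaw: "_dgramSocketGetBufferSizeRaw",
+ resolveModuleSync: "_resolveModuleSync",
+ loadFileSync: "_loadFileSync",
  ptySetRawMode: "_ptySetRawMode",
+ kernelStdinRead: "_kernelStdinRead",
  processConfig: "_processConfig",
  osConfig: "_osConfig",
  log: "_log",
@@ -92,12 +147,14 @@ export const RUNTIME_BRIDGE_GLOBAL_KEYS = {
  httpsModule: "_httpsModule",
  http2Module: "_http2Module",
  dnsModule: "_dnsModule",
+ dgramModule: "_dgramModule",
  httpServerDispatch: "_httpServerDispatch",
  httpServerUpgradeDispatch: "_httpServerUpgradeDispatch",
+ httpServerConnectDispatch: "_httpServerConnectDispatch",
+ http2Dispatch: "_http2Dispatch",
+ timerDispatch: "_timerDispatch",
  upgradeSocketData: "_upgradeSocketData",
  upgradeSocketEnd: "_upgradeSocketEnd",
- netModule: "_netModule",
- tlsModule: "_tlsModule",
  netSocketDispatch: "_netSocketDispatch",
  fsFacade: "_fs",
  requireFrom: "_requireFrom",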
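Review bot: `kernelStdinRead: "_kernelStdinRead"` is added to HOST_BRIDGE_GLOBAL_KEYS, but no hunk of global-exposure.js in this release adds a `_kernelStdinRead` entry to NODE_CUSTOM_GLOBAL_INVENTORY, while every other key added in this file (crypto, HTTP/2, net, dgram, the two sync loaders, the new dispatch entrypoints) gets a "hardened" entry there. Unless that entry already exists outside the visible hunks, this host reference is left out of the list that feeds HARDENED_NODE_CUSTOM_GLOBALS and would presumably stay replaceable by sandbox code. I would add `{ name: "_kernelStdinRead", classification: "hardened", rationale: "Host kernel stdin read bridge reference." },` next to the `_ptySetRawMode` entry, plus a test asserting that every value of both key maps appears in the inventory. Both object literals start and end outside the hunks shown.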
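--- a/package/dist/shared/console-formatter.js
+++ b/package/dist/shared/console-formatter.js
@@ -148,10 +148,14 @@ export function getConsoleSetupCode(budget = DEFAULT_CONSOLE_SERIALIZATION_BUDGE
  const formatConsoleArgs = ${formatConsoleArgs.toString()};
 
  globalThis.console = {
- log: (...args) => _log.applySync(undefined, [formatConsoleArgs(args, __consoleBudget)]),
- error: (...args) => _error.applySync(undefined, [formatConsoleArgs(args, __consoleBudget)]),
- warn: (...args) => _error.applySync(undefined, [formatConsoleArgs(args, __consoleBudget)]),
- info: (...args) => _log.applySync(undefined, [formatConsoleArgs(args, __consoleBudget)]),
+ log: (...args) => _log(formatConsoleArgs(args, __consoleBudget)),
+ error: (...args) => _error(formatConsoleArgs(args, __consoleBudget)),
+ warn: (...args) => _error(formatConsoleArgs(args, __consoleBudget)),
+ info: (...args) => _log(formatConsoleArgs(args, __consoleBudget)),
+ debug: (...args) => _log(formatConsoleArgs(args, __consoleBudget)),
+ trace: (...args) => _error(formatConsoleArgs(args, __consoleBudget)),
+ dir: (...args) => _log(formatConsoleArgs(args, __consoleBudget)),
+ table: (...args) => _log(formatConsoleArgs(args, __consoleBudget)),
  };
  `;
  }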
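Review bot: The added `dir` and `table` shims hand every argument to `formatConsoleArgs`, so `console.dir(obj, { depth: 0 })` prints the options object as a second value and `console.table(rows, columns)` prints the column filter as data; `trace` likewise goes to `_error` without any stack. If these are meant only as compatibility aliases, a comment above them saying so would help, and `dir` can drop its options argument with `dir: (value) => _log(formatConsoleArgs([value], __consoleBudget)),`. The replacement object still has no `assert`, `group` or `time`, so sandboxed code calling those gets a TypeError from the console itself. getConsoleSetupCode starts outside the hunk.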
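--- a/package/dist/shared/global-exposure.js
+++ b/package/dist/shared/global-exposure.js
@@ -75,6 +75,26 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
  classification: "hardened",
  rationale: "Bridge-owned dns module handle for require resolution.",
  },
+ {
+ name: "_dgramModule",
+ classification: "hardened",
+ rationale: "Bridge-owned dgram module handle for require resolution.",
+ },
+ {
+ name: "_netModule",
+ classification: "hardened",
+ rationale: "Bridge-owned net module handle for require resolution.",
+ },
+ {
+ name: "_tlsModule",
+ classification: "hardened",
+ rationale: "Bridge-owned tls module handle for require resolution.",
+ },
+ {
+ name: "_netSocketDispatch",
+ classification: "hardened",
+ rationale: "Host-to-sandbox net socket event dispatch entrypoint.",
+ },
  {
  name: "_httpServerDispatch",
  classification: "hardened",
@@ -83,17 +103,32 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
  {
  name: "_httpServerUpgradeDispatch",
  classification: "hardened",
- rationale: "Host-to-sandbox HTTP server upgrade dispatch entrypoint.",
+ rationale: "Host-to-sandbox HTTP upgrade dispatch entrypoint.",
+ },
+ {
+ name: "_httpServerConnectDispatch",
+ classification: "hardened",
+ rationale: "Host-to-sandbox HTTP CONNECT dispatch entrypoint.",
+ },
+ {
+ name: "_http2Dispatch",
+ classification: "hardened",
+ rationale: "Host-to-sandbox HTTP/2 event dispatch entrypoint.",
+ },
+ {
+ name: "_timerDispatch",
+ classification: "hardened",
+ rationale: "Host-to-sandbox timer callback dispatch entrypoint.",
  },
  {
  name: "_upgradeSocketData",
  classification: "hardened",
- rationale: "Host-to-sandbox upgrade socket data push entrypoint.",
+ rationale: "Host-to-sandbox HTTP upgrade socket data dispatch entrypoint.",
  },
  {
  name: "_upgradeSocketEnd",
  classification: "hardened",
- rationale: "Host-to-sandbox upgrade socket end push entrypoint.",
+ rationale: "Host-to-sandbox HTTP upgrade socket close dispatch entrypoint.",
  },
  {
  name: "ProcessExitError",
@@ -125,6 +160,16 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
  classification: "hardened",
  rationale: "Host file-loading bridge reference.",
  },
+ {
+ name: "_resolveModuleSync",
+ classification: "hardened",
+ rationale: "Host synchronous module-resolution bridge reference.",
+ },
+ {
+ name: "_loadFileSync",
+ classification: "hardened",
+ rationale: "Host synchronous file-loading bridge reference.",
+ },
  {
  name: "_scheduleTimer",
  classification: "hardened",
@@ -143,67 +188,107 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
  {
  name: "_cryptoHashDigest",
  classification: "hardened",
- rationale: "Host crypto bridge reference for createHash digest computation.",
+ rationale: "Host crypto digest bridge reference.",
  },
  {
  name: "_cryptoHmacDigest",
  classification: "hardened",
- rationale: "Host crypto bridge reference for createHmac digest computation.",
+ rationale: "Host crypto HMAC bridge reference.",
  },
  {
  name: "_cryptoPbkdf2",
  classification: "hardened",
- rationale: "Host crypto bridge reference for pbkdf2 key derivation.",
+ rationale: "Host crypto PBKDF2 bridge reference.",
  },
  {
  name: "_cryptoScrypt",
  classification: "hardened",
- rationale: "Host crypto bridge reference for scrypt key derivation.",
+ rationale: "Host crypto scrypt bridge reference.",
  },
  {
  name: "_cryptoCipheriv",
  classification: "hardened",
- rationale: "Host crypto bridge reference for createCipheriv encryption.",
+ rationale: "Host crypto cipher bridge reference.",
  },
  {
  name: "_cryptoDecipheriv",
  classification: "hardened",
- rationale: "Host crypto bridge reference for createDecipheriv decryption.",
+ rationale: "Host crypto decipher bridge reference.",
  },
  {
  name: "_cryptoCipherivCreate",
  classification: "hardened",
- rationale: "Host crypto bridge reference for stateful cipher/decipher creation.",
+ rationale: "Host streaming cipher bridge reference.",
  },
  {
  name: "_cryptoCipherivUpdate",
  classification: "hardened",
- rationale: "Host crypto bridge reference for stateful cipher/decipher update.",
+ rationale: "Host streaming cipher update bridge reference.",
  },
  {
  name: "_cryptoCipherivFinal",
  classification: "hardened",
- rationale: "Host crypto bridge reference for stateful cipher/decipher final.",
+ rationale: "Host streaming cipher finalization bridge reference.",
  },
  {
  name: "_cryptoSign",
  classification: "hardened",
- rationale: "Host crypto bridge reference for sign operations.",
+ rationale: "Host crypto sign bridge reference.",
  },
  {
  name: "_cryptoVerify",
  classification: "hardened",
- rationale: "Host crypto bridge reference for verify operations.",
+ rationale: "Host crypto verify bridge reference.",
+ },
+ {
+ name: "_cryptoAsymmetricOp",
+ classification: "hardened",
+ rationale: "Host asymmetric crypto operation bridge reference.",
+ },
+ {
+ name: "_cryptoCreateKeyObject",
+ classification: "hardened",
+ rationale: "Host asymmetric key import bridge reference.",
  },
  {
  name: "_cryptoGenerateKeyPairSync",
  classification: "hardened",
- rationale: "Host crypto bridge reference for generateKeyPairSync.",
+ rationale: "Host crypto key-pair generation bridge reference.",
+ },
+ {
+ name: "_cryptoGenerateKeySync",
+ classification: "hardened",
+ rationale: "Host symmetric crypto key generation bridge reference.",
+ },
+ {
+ name: "_cryptoGeneratePrimeSync",
+ classification: "hardened",
+ rationale: "Host prime generation bridge reference.",
+ },
+ {
+ name: "_cryptoDiffieHellman",
+ classification: "hardened",
+ rationale: "Host stateless Diffie-Hellman bridge reference.",
+ },
+ {
+ name: "_cryptoDiffieHellmanGroup",
+ classification: "hardened",
+ rationale: "Host Diffie-Hellman group bridge reference.",
+ },
+ {
+ name: "_cryptoDiffieHellmanSessionCreate",
+ classification: "hardened",
+ rationale: "Host Diffie-Hellman/ECDH session creation bridge reference.",
+ },
+ {
+ name: "_cryptoDiffieHellmanSessionCall",
+ classification: "hardened",
+ rationale: "Host Diffie-Hellman/ECDH session method bridge reference.",
  },
  {
  name: "_cryptoSubtle",
  classification: "hardened",
- rationale: "Host crypto bridge reference for Web Crypto subtle operations.",
+ rationale: "Host WebCrypto subtle bridge reference.",
  },
  {
  name: "_fsReadFile",
@@ -355,20 +440,260 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
  classification: "hardened",
  rationale: "Host network bridge reference.",
  },
+ {
+ name: "_networkHttpServerRespondRaw",
+ classification: "hardened",
+ rationale: "Host network bridge reference for sandbox HTTP server responses.",
+ },
+ {
+ name: "_networkHttpServerWaitRaw",
+ classification: "hardened",
+ rationale: "Host network bridge reference for sandbox HTTP server lifetime tracking.",
+ },
+ {
+ name: "_networkHttp2ServerListenRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 server listen bridge reference.",
+ },
+ {
+ name: "_networkHttp2ServerCloseRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 server close bridge reference.",
+ },
+ {
+ name: "_networkHttp2ServerWaitRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 server lifetime bridge reference.",
+ },
+ {
+ name: "_networkHttp2SessionConnectRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 session connect bridge reference.",
+ },
+ {
+ name: "_networkHttp2SessionRequestRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 session request bridge reference.",
+ },
+ {
+ name: "_networkHttp2SessionSettingsRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 session settings bridge reference.",
+ },
+ {
+ name: "_networkHttp2SessionSetLocalWindowSizeRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 session local-window bridge reference.",
+ },
+ {
+ name: "_networkHttp2SessionGoawayRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 session GOAWAY bridge reference.",
+ },
+ {
+ name: "_networkHttp2SessionCloseRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 session close bridge reference.",
+ },
+ {
+ name: "_networkHttp2SessionDestroyRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 session destroy bridge reference.",
+ },
+ {
+ name: "_networkHttp2SessionWaitRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 session lifetime bridge reference.",
+ },
+ {
+ name: "_networkHttp2ServerPollRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 server event-poll bridge reference.",
+ },
+ {
+ name: "_networkHttp2SessionPollRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 session event-poll bridge reference.",
+ },
+ {
+ name: "_networkHttp2StreamRespondRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 stream respond bridge reference.",
+ },
+ {
+ name: "_networkHttp2StreamPushStreamRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 push stream bridge reference.",
+ },
+ {
+ name: "_networkHttp2StreamWriteRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 stream write bridge reference.",
+ },
+ {
+ name: "_networkHttp2StreamEndRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 stream end bridge reference.",
+ },
+ {
+ name: "_networkHttp2StreamCloseRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 stream close bridge reference.",
+ },
+ {
+ name: "_networkHttp2StreamPauseRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 stream pause bridge reference.",
+ },
+ {
+ name: "_networkHttp2StreamResumeRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 stream resume bridge reference.",
+ },
+ {
+ name: "_networkHttp2StreamRespondWithFileRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 stream respondWithFile bridge reference.",
+ },
+ {
+ name: "_networkHttp2ServerRespondRaw",
+ classification: "hardened",
+ rationale: "Host HTTP/2 server-response bridge reference.",
+ },
  {
  name: "_upgradeSocketWriteRaw",
  classification: "hardened",
- rationale: "Host upgrade socket write bridge reference.",
+ rationale: "Host HTTP upgrade socket write bridge reference.",
  },
  {
  name: "_upgradeSocketEndRaw",
  classification: "hardened",
- rationale: "Host upgrade socket end bridge reference.",
+ rationale: "Host HTTP upgrade socket half-close bridge reference.",
  },
  {
  name: "_upgradeSocketDestroyRaw",
  classification: "hardened",
- rationale: "Host upgrade socket destroy bridge reference.",
+ rationale: "Host HTTP upgrade socket destroy bridge reference.",
+ },
+ {
+ name: "_netSocketConnectRaw",
+ classification: "hardened",
+ rationale: "Host net socket connect bridge reference.",
+ },
+ {
+ name: "_netSocketWaitConnectRaw",
+ classification: "hardened",
+ rationale: "Host net socket connect-wait bridge reference.",
+ },
+ {
+ name: "_netSocketReadRaw",
+ classification: "hardened",
+ rationale: "Host net socket read bridge reference.",
+ },
+ {
+ name: "_netSocketSetNoDelayRaw",
+ classification: "hardened",
+ rationale: "Host net socket no-delay bridge reference.",
+ },
+ {
+ name: "_netSocketSetKeepAliveRaw",
+ classification: "hardened",
+ rationale: "Host net socket keepalive bridge reference.",
+ },
+ {
+ name: "_netSocketWriteRaw",
+ classification: "hardened",
+ rationale: "Host net socket write bridge reference.",
+ },
+ {
+ name: "_netSocketEndRaw",
+ classification: "hardened",
+ rationale: "Host net socket end bridge reference.",
+ },
+ {
+ name: "_netSocketDestroyRaw",
+ classification: "hardened",
+ rationale: "Host net socket destroy bridge reference.",
+ },
+ {
+ name: "_netSocketUpgradeTlsRaw",
+ classification: "hardened",
+ rationale: "Host net socket TLS-upgrade bridge reference.",
+ },
+ {
+ name: "_netSocketGetTlsClientHelloRaw",
+ classification: "hardened",
+ rationale: "Host loopback TLS client-hello bridge reference.",
+ },
+ {
+ name: "_netSocketTlsQueryRaw",
+ classification: "hardened",
+ rationale: "Host TLS socket query bridge reference.",
+ },
+ {
+ name: "_tlsGetCiphersRaw",
+ classification: "hardened",
+ rationale: "Host TLS cipher-list bridge reference.",
+ },
+ {
+ name: "_netServerListenRaw",
+ classification: "hardened",
+ rationale: "Host net server listen bridge reference.",
+ },
+ {
+ name: "_netServerAcceptRaw",
+ classification: "hardened",
+ rationale: "Host net server accept bridge reference.",
+ },
+ {
+ name: "_netServerCloseRaw",
+ classification: "hardened",
+ rationale: "Host net server close bridge reference.",
+ },
+ {
+ name: "_dgramSocketCreateRaw",
+ classification: "hardened",
+ rationale: "Host dgram socket create bridge reference.",
+ },
+ {
+ name: "_dgramSocketBindRaw",
+ classification: "hardened",
+ rationale: "Host dgram socket bind bridge reference.",
+ },
+ {
+ name: "_dgramSocketRecvRaw",
+ classification: "hardened",
+ rationale: "Host dgram socket receive bridge reference.",
+ },
+ {
+ name: "_dgramSocketSendRaw",
+ classification: "hardened",
+ rationale: "Host dgram socket send bridge reference.",
+ },
+ {
+ name: "_dgramSocketCloseRaw",
+ classification: "hardened",
+ rationale: "Host dgram socket close bridge reference.",
+ },
+ {
+ name: "_dgramSocketAddressRaw",
+ classification: "hardened",
+ rationale: "Host dgram socket address bridge reference.",
+ },
+ {
+ name: "_dgramSocketSetBufferSizeRaw",
+ classification: "hardened",
+ rationale: "Host dgram socket buffer-size setter bridge reference.",
+ },
+ {
+ name: "_dgramSocketGetBufferSizeRaw",
+ classification: "hardened",
+ rationale: "Host dgram socket buffer-size getter bridge reference.",
+ },
+ {
+ name: "_batchResolveModules",
+ classification: "hardened",
+ rationale: "Host bridge for batched module resolution to reduce IPC round-trips.",
  },
  {
  name: "_ptySetRawMode",
@@ -470,11 +795,31 @@ export const NODE_CUSTOM_GLOBAL_INVENTORY = [
  classification: "hardened",
  rationale: "Network Response API global — must not be replaceable by sandbox code.",
  },
+ {
+ name: "DOMException",
+ classification: "hardened",
+ rationale: "DOMException global stub for undici/bootstrap compatibility.",
+ },
+ {
+ name: "__importMetaResolve",
+ classification: "hardened",
+ rationale: "Internal import.meta.resolve helper for transformed ESM modules.",
+ },
  {
  name: "Blob",
  classification: "hardened",
  rationale: "Blob API global stub — must not be replaceable by sandbox code.",
  },
+ {
+ name: "File",
+ classification: "hardened",
+ rationale: "File API global stub — must not be replaceable by sandbox code.",
+ },
+ {
+ name: "FormData",
+ classification: "hardened",
+ rationale: "FormData API global stub — must not be replaceable by sandbox code.",
+ },
  ];
  export const HARDENED_NODE_CUSTOM_GLOBALS = NODE_CUSTOM_GLOBAL_INVENTORY
  .filter((entry) => entry.classification === "hardened")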
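Review bot: The new `_netModule` and `_tlsModule` entries harden names that the bridge-contract.js section of this same release removes from RUNTIME_BRIDGE_GLOBAL_KEYS, and `_batchResolveModules` is added here with no matching key in the visible contract hunks, so the inventory and the key maps no longer describe the same set of globals. That may be intentional, since the contract copy in this package is now marked deprecated in favour of @secure-exec/nodejs, but nothing in the hunks says which list is authoritative. An entry for a global that is never installed is harmless, whereas an installed global with no entry is skipped by the `classification === "hardened"` filter, so the direction of the drift matters. I would add a comment above the array such as `// Must list every value of HOST_BRIDGE_GLOBAL_KEYS and RUNTIME_BRIDGE_GLOBAL_KEYS (canonical copy: @secure-exec/nodejs)` and back it with a test that compares the two sets. The array literal starts outside the hunks shown.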