@secure-exec/core 0.2.1-rc.1 → 0.3.0-rc.1

package/dist/kernel/device-layer.d.ts

@@ -1,12 +0,0 @@
-/**
- * Device layer.
- *
- * Intercepts device node paths (/dev/*) before they reach the VFS backend.
- * Wraps a VirtualFileSystem and handles device-specific read/write semantics.
- */
-import type { VirtualFileSystem } from "./vfs.js";
-/**
- * Wrap a VFS with device node interception.
- * Device paths are handled directly; all other paths pass through.
- */
-export declare function createDeviceLayer(vfs: VirtualFileSystem): VirtualFileSystem;

package/dist/kernel/device-layer.js

@@ -1,271 +0,0 @@
-/**
- * Device layer.
- *
- * Intercepts device node paths (/dev/*) before they reach the VFS backend.
- * Wraps a VirtualFileSystem and handles device-specific read/write semantics.
- */
-import { KernelError } from "./types.js";
-const DEVICE_PATHS = new Set([
-    "/dev/null",
-    "/dev/zero",
-    "/dev/stdin",
-    "/dev/stdout",
-    "/dev/stderr",
-    "/dev/urandom",
-    "/dev/random",
-    "/dev/tty",
-    "/dev/console",
-    "/dev/full",
-    "/dev/ptmx",
-]);
-const DEVICE_INO = {
-    "/dev/null": 0xffff_0001,
-    "/dev/zero": 0xffff_0002,
-    "/dev/stdin": 0xffff_0003,
-    "/dev/stdout": 0xffff_0004,
-    "/dev/stderr": 0xffff_0005,
-    "/dev/urandom": 0xffff_0006,
-    "/dev/random": 0xffff_0007,
-    "/dev/tty": 0xffff_0008,
-    "/dev/console": 0xffff_0009,
-    "/dev/full": 0xffff_000a,
-    "/dev/ptmx": 0xffff_000b,
-};
-/** Device pseudo-directories that contain dynamic entries. */
-const DEVICE_DIRS = new Set(["/dev/fd", "/dev/pts", "/dev/shm"]);
-function isDevicePath(path) {
-    return DEVICE_PATHS.has(path) || path.startsWith("/dev/fd/") || path.startsWith("/dev/pts/");
-}
-function isDeviceDir(path) {
-    return path === "/dev" || DEVICE_DIRS.has(path);
-}
-function deviceStat(path) {
-    const now = Date.now();
-    return {
-        mode: 0o666,
-        size: 0,
-        isDirectory: false,
-        isSymbolicLink: false,
-        atimeMs: now,
-        mtimeMs: now,
-        ctimeMs: now,
-        birthtimeMs: now,
-        ino: DEVICE_INO[path] ?? 0xffff_0000,
-        nlink: 1,
-        uid: 0,
-        gid: 0,
-    };
-}
-const DEV_DIR_ENTRIES = [
-    { name: "null", isDirectory: false },
-    { name: "zero", isDirectory: false },
-    { name: "stdin", isDirectory: false },
-    { name: "stdout", isDirectory: false },
-    { name: "stderr", isDirectory: false },
-    { name: "urandom", isDirectory: false },
-    { name: "random", isDirectory: false },
-    { name: "tty", isDirectory: false },
-    { name: "console", isDirectory: false },
-    { name: "full", isDirectory: false },
-    { name: "ptmx", isDirectory: false },
-    { name: "fd", isDirectory: true },
-    { name: "pts", isDirectory: true },
-    { name: "shm", isDirectory: true },
-];
-/**
- * Wrap a VFS with device node interception.
- * Device paths are handled directly; all other paths pass through.
- */
-export function createDeviceLayer(vfs) {
-    const wrapped = {
-        prepareOpenSync(path, flags) {
-            if (isDevicePath(path) || isDeviceDir(path))
-                return false;
-            const syncVfs = vfs;
-            return syncVfs.prepareOpenSync?.(path, flags) ?? false;
-        },
-        async readFile(path) {
-            if (path === "/dev/null" || path === "/dev/full")
-                return new Uint8Array(0);
-            if (path === "/dev/zero")
-                return new Uint8Array(4096);
-            if (path === "/dev/urandom" || path === "/dev/random") {
-                const buf = new Uint8Array(4096);
-                if (typeof globalThis.crypto?.getRandomValues === "function") {
-                    globalThis.crypto.getRandomValues(buf);
-                }
-                else {
-                    for (let i = 0; i < buf.length; i++) {
-                        buf[i] = (Math.random() * 256) | 0;
-                    }
-                }
-                return buf;
-            }
-            if (path === "/dev/tty" || path === "/dev/console" || path === "/dev/ptmx")
-                return new Uint8Array(0);
-            return vfs.readFile(path);
-        },
-        async pread(path, offset, length) {
-            if (path === "/dev/null" || path === "/dev/full")
-                return new Uint8Array(0);
-            if (path === "/dev/zero")
-                return new Uint8Array(length);
-            if (path === "/dev/urandom" || path === "/dev/random") {
-                const buf = new Uint8Array(length);
-                if (typeof globalThis.crypto?.getRandomValues === "function") {
-                    globalThis.crypto.getRandomValues(buf);
-                }
-                else {
-                    for (let i = 0; i < buf.length; i++) {
-                        buf[i] = (Math.random() * 256) | 0;
-                    }
-                }
-                return buf;
-            }
-            if (path === "/dev/tty" || path === "/dev/console" || path === "/dev/ptmx")
-                return new Uint8Array(0);
-            return vfs.pread(path, offset, length);
-        },
-        async readTextFile(path) {
-            if (path === "/dev/null")
-                return "";
-            const bytes = await this.readFile(path);
-            return new TextDecoder().decode(bytes);
-        },
-        async readDir(path) {
-            if (path === "/dev") {
-                return DEV_DIR_ENTRIES.map((e) => e.name);
-            }
-            // /dev/fd and /dev/pts are dynamic — return empty at VFS level
-            if (DEVICE_DIRS.has(path))
-                return [];
-            return vfs.readDir(path);
-        },
-        async readDirWithTypes(path) {
-            if (path === "/dev") {
-                return DEV_DIR_ENTRIES;
-            }
-            if (DEVICE_DIRS.has(path))
-                return [];
-            return vfs.readDirWithTypes(path);
-        },
-        async writeFile(path, content) {
-            // /dev/full always returns ENOSPC on write (POSIX behavior)
-            if (path === "/dev/full")
-                throw new KernelError("ENOSPC", "No space left on device");
-            // Discard writes to sink devices
-            if (path === "/dev/null" || path === "/dev/zero" || path === "/dev/urandom"
-                || path === "/dev/random" || path === "/dev/tty" || path === "/dev/console"
-                || path === "/dev/ptmx")
-                return;
-            return vfs.writeFile(path, content);
-        },
-        async pwrite(path, offset, data) {
-            if (path === "/dev/full")
-                throw new KernelError("ENOSPC", "No space left on device");
-            if (path === "/dev/null" || path === "/dev/zero" || path === "/dev/urandom"
-                || path === "/dev/random" || path === "/dev/tty" || path === "/dev/console"
-                || path === "/dev/ptmx")
-                return;
-            return vfs.pwrite(path, offset, data);
-        },
-        async createDir(path) {
-            if (isDeviceDir(path))
-                return;
-            return vfs.createDir(path);
-        },
-        async mkdir(path, options) {
-            if (isDeviceDir(path))
-                return;
-            return vfs.mkdir(path, options);
-        },
-        async exists(path) {
-            if (isDevicePath(path) || isDeviceDir(path))
-                return true;
-            return vfs.exists(path);
-        },
-        async stat(path) {
-            if (isDevicePath(path))
-                return deviceStat(path);
-            if (isDeviceDir(path)) {
-                const now = Date.now();
-                return {
-                    mode: 0o755,
-                    size: 0,
-                    isDirectory: true,
-                    isSymbolicLink: false,
-                    atimeMs: now,
-                    mtimeMs: now,
-                    ctimeMs: now,
-                    birthtimeMs: now,
-                    ino: DEVICE_INO[path] ?? 0xffff_0000,
-                    nlink: 2,
-                    uid: 0,
-                    gid: 0,
-                };
-            }
-            return vfs.stat(path);
-        },
-        async removeFile(path) {
-            if (isDevicePath(path))
-                throw new KernelError("EPERM", "cannot remove device");
-            return vfs.removeFile(path);
-        },
-        async removeDir(path) {
-            if (isDeviceDir(path))
-                throw new KernelError("EPERM", `cannot remove ${path}`);
-            return vfs.removeDir(path);
-        },
-        async rename(oldPath, newPath) {
-            if (isDevicePath(oldPath) || isDevicePath(newPath)) {
-                throw new KernelError("EPERM", "cannot rename device");
-            }
-            return vfs.rename(oldPath, newPath);
-        },
-        async realpath(path) {
-            if (isDevicePath(path) || isDeviceDir(path))
-                return path;
-            return vfs.realpath(path);
-        },
-        // Passthrough for POSIX extensions
-        async symlink(target, linkPath) {
-            return vfs.symlink(target, linkPath);
-        },
-        async readlink(path) {
-            return vfs.readlink(path);
-        },
-        async lstat(path) {
-            if (isDevicePath(path))
-                return deviceStat(path);
-            if (isDeviceDir(path))
-                return this.stat(path);
-            return vfs.lstat(path);
-        },
-        async link(oldPath, newPath) {
-            if (isDevicePath(oldPath))
-                throw new KernelError("EPERM", "cannot link device");
-            return vfs.link(oldPath, newPath);
-        },
-        async chmod(path, mode) {
-            if (isDevicePath(path))
-                return;
-            return vfs.chmod(path, mode);
-        },
-        async chown(path, uid, gid) {
-            if (isDevicePath(path))
-                return;
-            return vfs.chown(path, uid, gid);
-        },
-        async utimes(path, atime, mtime) {
-            if (isDevicePath(path))
-                return;
-            return vfs.utimes(path, atime, mtime);
-        },
-        async truncate(path, length) {
-            if (isDevicePath(path))
-                return;
-            return vfs.truncate(path, length);
-        },
-    };
-    return wrapped;
-}

package/dist/kernel/dns-cache.d.ts

@@ -1,29 +0,0 @@
-/**
- * Kernel DNS cache shared across runtimes.
- *
- * Runtimes call kernel DNS cache before falling through to the host
- * adapter. Entries expire after their TTL.
- */
-import type { DnsResult } from "./host-adapter.js";
-export interface DnsCacheOptions {
-    /** Default TTL in milliseconds when none is specified. Default: 30000 (30s). */
-    defaultTtlMs?: number;
-}
-export declare class DnsCache {
-    private cache;
-    private defaultTtlMs;
-    constructor(options?: DnsCacheOptions);
-    /**
-     * Look up a cached DNS result. Returns null on miss or expired entry.
-     */
-    lookup(hostname: string, rrtype: string): DnsResult | null;
-    /**
-     * Store a DNS result with TTL.
-     * @param ttlMs TTL in milliseconds. Uses defaultTtlMs if not provided.
-     */
-    store(hostname: string, rrtype: string, result: DnsResult, ttlMs?: number): void;
-    /** Flush all cached entries. */
-    flush(): void;
-    /** Number of entries (including possibly expired). */
-    get size(): number;
-}

package/dist/kernel/dns-cache.js

@@ -1,52 +0,0 @@
-/**
- * Kernel DNS cache shared across runtimes.
- *
- * Runtimes call kernel DNS cache before falling through to the host
- * adapter. Entries expire after their TTL.
- */
-export class DnsCache {
-    cache = new Map();
-    defaultTtlMs;
-    constructor(options) {
-        this.defaultTtlMs = options?.defaultTtlMs ?? 30_000;
-    }
-    /**
-     * Look up a cached DNS result. Returns null on miss or expired entry.
-     */
-    lookup(hostname, rrtype) {
-        const key = cacheKey(hostname, rrtype);
-        const entry = this.cache.get(key);
-        if (!entry)
-            return null;
-        // Expired — remove and return miss
-        if (Date.now() >= entry.expiresAt) {
-            this.cache.delete(key);
-            return null;
-        }
-        return entry.result;
-    }
-    /**
-     * Store a DNS result with TTL.
-     * @param ttlMs TTL in milliseconds. Uses defaultTtlMs if not provided.
-     */
-    store(hostname, rrtype, result, ttlMs) {
-        const key = cacheKey(hostname, rrtype);
-        const ttl = ttlMs ?? this.defaultTtlMs;
-        this.cache.set(key, {
-            result,
-            expiresAt: Date.now() + ttl,
-        });
-    }
-    /** Flush all cached entries. */
-    flush() {
-        this.cache.clear();
-    }
-    /** Number of entries (including possibly expired). */
-    get size() {
-        return this.cache.size;
-    }
-}
-/** Canonical cache key: "hostname:rrtype" */
-function cacheKey(hostname, rrtype) {
-    return `${hostname}:${rrtype}`;
-}

package/dist/kernel/fd-table.d.ts

@@ -1,84 +0,0 @@
-/**
- * Per-PID file descriptor table.
- *
- * Each process gets its own FD number space. Multiple FDs can share the
- * same FileDescription (via dup/dup2), which shares the cursor position.
- * Standard FDs 0-2 are pre-allocated per process.
- */
-import type { FDEntry, FDStat, FileDescription } from "./types.js";
-/** Maximum open FDs per process before allocations are rejected (EMFILE). */
-export declare const MAX_FDS_PER_PROCESS = 256;
-/** Allocator function that creates a FileDescription with a unique ID. */
-export type DescriptionAllocator = (path: string, flags: number) => FileDescription;
-/**
- * FD table for a single process.
- *
- * Manages FD allocation, dup/dup2, and shared cursor via FileDescription.
- */
-export declare class ProcessFDTable {
-    private entries;
-    private nextFd;
-    private allocDesc;
-    constructor(allocDesc: DescriptionAllocator);
-    /** Pre-allocate stdin, stdout, stderr */
-    initStdio(stdinDesc: FileDescription, stdoutDesc: FileDescription, stderrDesc: FileDescription): void;
-    /** Pre-allocate stdin, stdout, stderr with custom filetypes (for pipe wiring). */
-    initStdioWithTypes(stdinDesc: FileDescription, stdinType: number, stdoutDesc: FileDescription, stdoutType: number, stderrDesc: FileDescription, stderrType: number): void;
-    /** Open a new FD for the given path and flags */
-    open(path: string, flags: number, filetype?: number): number;
-    /** Open a new FD pointing to an existing FileDescription (for pipes, inherited FDs) */
-    openWith(description: FileDescription, filetype: number, targetFd?: number): number;
-    get(fd: number): FDEntry | undefined;
-    /** Close an FD. Decrements the refcount on the shared FileDescription. */
-    close(fd: number): boolean;
-    /** Duplicate an FD — new FD shares the same FileDescription (cursor). cloexec cleared on new FD (POSIX). */
-    dup(fd: number): number;
-    /** Duplicate FD to lowest available >= minFd (F_DUPFD). cloexec cleared on new FD. */
-    dupMinFd(fd: number, minFd: number): number;
-    /** Duplicate oldFd to newFd. Closes newFd first if open. cloexec cleared on new FD (POSIX). */
-    dup2(oldFd: number, newFd: number): void;
-    stat(fd: number): FDStat;
-    /** Create a copy of this table for a child process (FD inheritance). Skips cloexec FDs. */
-    fork(): ProcessFDTable;
-    /** Close all FDs, decrementing all refcounts. */
-    closeAll(): void;
-    /** Iterate all FD entries (for cleanup inspection). */
-    [Symbol.iterator](): IterableIterator<FDEntry>;
-    private allocateFd;
-}
-/**
- * Kernel-level FD table manager.
- * Owns per-PID FD tables and coordinates shared FileDescriptions.
- */
-export declare class FDTableManager {
-    private tables;
-    private nextDescriptionId;
-    /** Per-instance allocator bound to this manager's ID counter. */
-    private allocDesc;
-    /** Create a new FD table for a process with standard FDs. */
-    create(pid: number): ProcessFDTable;
-    /**
-     * Create a new FD table with custom stdio FileDescriptions.
-     * Used for pipe wiring: pass a pipe read/write end as stdin/stdout/stderr.
-     * Null entries fall back to default device nodes.
-     */
-    createWithStdio(pid: number, stdinOverride: {
-        description: FileDescription;
-        filetype: number;
-    } | null, stdoutOverride: {
-        description: FileDescription;
-        filetype: number;
-    } | null, stderrOverride: {
-        description: FileDescription;
-        filetype: number;
-    } | null): ProcessFDTable;
-    /** Create a child FD table by forking the parent's. */
-    fork(parentPid: number, childPid: number): ProcessFDTable;
-    get(pid: number): ProcessFDTable | undefined;
-    /** Check whether a PID has an FD table. */
-    has(pid: number): boolean;
-    /** Number of active FD tables. */
-    get size(): number;
-    /** Remove and close all FDs for a process. */
-    remove(pid: number): void;
-}